Bug #43607

mgr/dashboard: fix improper URL checking

Added by Ernesto Puerta 8 months ago. Updated 8 months ago.

Status: Resolved
Priority: Immediate
Category: dashboard/backend
Target version:
% Done: 0%
Source: Community (user)
Tags:
Backport: nautilus
Regression: No
Severity: 1 - critical
Reviewed:
ceph-qa-suite:
Pull request ID:
Crash signature:

Description

From https://github.com/rook/rook/issues/4635

Only releases 14.2.5 and above (including master) show this behaviour, which was introduced in https://github.com/ceph/ceph/pull/30694.

Assigned CVE-2020-1699

CWE-22


Related issues

Copied to mgr - Backport #43725: nautilus: mgr/dashboard: fix improper URL checking (Resolved)

History

#1 Updated by Ernesto Puerta 8 months ago

  • Priority changed from High to Immediate
  • Tags set to security
  • Severity changed from 2 - major to 1 - critical

#2 Updated by Ernesto Puerta 8 months ago

  • Status changed from New to In Progress
  • Pull request ID set to 32652

#3 Updated by Lenz Grimmer 8 months ago

Unfortunately the referenced rook issue does not provide any details about the problem. In regular deployments, the Mgr process does not run with root privileges, so the dashboard module should not be able to access any sensitive files. Is this different from how Ceph is deployed by Rook?

#4 Updated by Ernesto Puerta 8 months ago

  • Description updated (diff)
  • Affected Versions v14.2.5, v14.2.6, v15.0.0 added

#5 Updated by Ernesto Puerta 8 months ago

  • Private changed from Yes to No

#6 Updated by Ernesto Puerta 8 months ago

Lenz Grimmer wrote:

> Unfortunately the referenced rook issue does not provide any details about the problem. In regular deployments, the Mgr process does not run with root privileges, so the dashboard module should not be able to access any sensitive files. Is this different from how Ceph is deployed by Rook?

As mentioned by e-mail, anything under ceph:ceph ownership could be exposed, and depending on the deployment setup that might mean a lot:
- Ceph keyrings
- Ceph logs (ceph-mgr exposes sensitive information as described in https://tracker.ceph.com/issues/37503, including ceph-dashboard admin password, RGW secrets, etc.)
- Ceph daemon data (/var/lib/ceph)
- procfs info from Ceph processes

#7 Updated by Ernesto Puerta 8 months ago

  • Description updated (diff)

#8 Updated by Ernesto Puerta 8 months ago

  • Private changed from No to Yes

#9 Updated by Sage Weil 8 months ago

  • Status changed from In Progress to Pending Backport

#10 Updated by Nathan Cutler 8 months ago

  • Copied to Backport #43725: nautilus: mgr/dashboard: fix improper URL checking added

#11 Updated by Ernesto Puerta 8 months ago

  • Copied to deleted (Backport #43725: nautilus: mgr/dashboard: fix improper URL checking)

#12 Updated by Ernesto Puerta 8 months ago

  • Copied to Backport #43725: nautilus: mgr/dashboard: fix improper URL checking added

#13 Updated by Lenz Grimmer 8 months ago

  • Tags set to security
  • Status changed from Pending Backport to Resolved
  • Private changed from Yes to No
  • Tags deleted (security)
