Lucene search

RedhatCVE-2018-1128

HistoryJul 10, 2018 - 2:29 p.m.

CVE-2018-1128

2018-07-1014:29:00

CWE-294

CWE-287

redhat

web.nvd.nist.gov

329

ceph

cephx

authentication protocol

vulnerability

ceph

master

mimic

luminous

jewel

replay attack

network security

CVSS2

5.4

Attack Vector

ADJACENT_NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:A/AC:M/Au:N/C:P/I:P/A:P

CVSS3

7.5

Attack Vector

ADJACENT

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

Confidence

High

EPSS

0.002

Percentile

60.1%

JSON

It was found that cephx authentication protocol did not verify ceph clients correctly and was vulnerable to replay attack. Any attacker having access to ceph cluster network who is able to sniff packets on network can use this vulnerability to authenticate with ceph service and perform actions allowed by ceph service. Ceph branches master, mimic, luminous and jewel are believed to be vulnerable.

Affected configurations

Nvd

Node

redhatceph_storageMatch3

redhatceph_storage_monMatch2

redhatceph_storage_monMatch3

redhatceph_storage_osdMatch2

redhatceph_storage_osdMatch3

redhatenterprise_linuxMatch7.0

redhatenterprise_linux_desktopMatch7.0

redhatenterprise_linux_serverMatch7.0

redhatenterprise_linux_workstationMatch7.0

Node

redhatcephRange10.2.0–13.2.1

Node

debiandebian_linuxMatch8.0

debiandebian_linuxMatch9.0

Node

opensuseleapMatch15.0

VendorProductVersionCPE
redhatceph_storage3cpe:2.3:a:redhat:ceph_storage:3:*:*:*:*:*:*:*
redhatceph_storage_mon2cpe:2.3:a:redhat:ceph_storage_mon:2:*:*:*:*:*:*:*
redhatceph_storage_mon3cpe:2.3:a:redhat:ceph_storage_mon:3:*:*:*:*:*:*:*
redhatceph_storage_osd2cpe:2.3:a:redhat:ceph_storage_osd:2:*:*:*:*:*:*:*
redhatceph_storage_osd3cpe:2.3:a:redhat:ceph_storage_osd:3:*:*:*:*:*:*:*
redhatenterprise_linux7.0cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*
redhatenterprise_linux_desktop7.0cpe:2.3:o:redhat:enterprise_linux_desktop:7.0:*:*:*:*:*:*:*
redhatenterprise_linux_server7.0cpe:2.3:o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:*
redhatenterprise_linux_workstation7.0cpe:2.3:o:redhat:enterprise_linux_workstation:7.0:*:*:*:*:*:*:*
redhatceph*cpe:2.3:a:redhat:ceph:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
redhat	ceph_storage	3	cpe:2.3:a:redhat:ceph_storage:3:::::::*
redhat	ceph_storage_mon	2	cpe:2.3:a:redhat:ceph_storage_mon:2:::::::*
redhat	ceph_storage_mon	3	cpe:2.3:a:redhat:ceph_storage_mon:3:::::::*
redhat	ceph_storage_osd	2	cpe:2.3:a:redhat:ceph_storage_osd:2:::::::*
redhat	ceph_storage_osd	3	cpe:2.3:a:redhat:ceph_storage_osd:3:::::::*
redhat	enterprise_linux	7.0	cpe:2.3:o:redhat:enterprise_linux:7.0:::::::*
redhat	enterprise_linux_desktop	7.0	cpe:2.3:o:redhat:enterprise_linux_desktop:7.0:::::::*
redhat	enterprise_linux_server	7.0	cpe:2.3:o:redhat:enterprise_linux_server:7.0:::::::*
redhat	enterprise_linux_workstation	7.0	cpe:2.3:o:redhat:enterprise_linux_workstation:7.0:::::::*
redhat	ceph	*	cpe:2.3:a:redhat:ceph::::::::

Rows per page:

1-10 of 131

CNA Affected

[
  {
    "product": "ceph",
    "vendor": "Red Hat, Inc.",
    "versions": [
      {
        "status": "affected",
        "version": "All versions in branches master, mimic, luminous and jewel"
      }
    ]
  }
]