Bug 1506625 - CVE-2017-12155 allow ceph-ansible to set permissions and then ACL of ceph keyrings
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Ceph Storage
Classification: Red Hat
Component: Ceph-Ansible
Version: 3.0
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: rc
Target Release: 3.0
Assignee: leseb
QA Contact: John Fulton
URL:
Whiteboard:
Depends On:
Blocks: 1491470 1514264 1514265
Reported: 2017-10-26 13:12 UTC by John Fulton
Modified: 2018-06-26 23:46 UTC

Fixed In Version: RHEL: ceph-ansible-3.0.13-1.el7cp Ubuntu: ceph-ansible_3.0.13-2redhat1
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Clones: 1514264 1514265
Environment:
Last Closed: 2017-12-05 23:49:35 UTC
Target Upstream Version:

Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2017:3387 normal SHIPPED_LIVE Red Hat Ceph Storage 3.0 bug fix and enhancement update 2017-12-06 03:03:45 UTC
Github ceph ceph-ansible pull 2110 None None None 2017-10-26 13:12:37 UTC
Github ceph ceph-ansible pull 2174 None None None 2017-11-14 21:48:03 UTC
Github ceph ceph-ansible pull 2189 None None None 2017-11-16 16:36:54 UTC

Description John Fulton 2017-10-26 13:12:37 UTC
ceph-ansible needs the ability to set the permissions and then the ACLs of a Ceph keyring file in order for OSP12 to be able to solve the following security CVE: 

 https://access.redhat.com/security/cve/CVE-2017-12155

This issue is tracked in upstream ceph-ansible by: 

 https://github.com/ceph/ceph-ansible/issues/2092

and solved by the following PR in upstream ceph-ansible: 

 https://github.com/ceph/ceph-ansible/pull/2110

When the above PR is used in combination with the following tripleo heat templates: 

 https://review.openstack.org/#/c/508975 

this issue will be solved. 

This will be a blocker for OSP12 and will need to be backported to whatever version of ceph-ansible is shipped with OSP12.
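As an added illustration of the capability requested above (my own example, not ceph-ansible's tasks and not the code in the linked PRs), the shape of "set permissions, then set the ACL" as an Ansible play. The keyring path, the host group and the service user are placeholders; the `acl` module is assumed to come from the `ansible.posix` collection.

```yaml
# Added example (not ceph-ansible code): lock a Ceph keyring down to its owner,
# then grant exactly one service account read access through a named ACL entry.
# Path, host group and user name are placeholders for this illustration.
- name: Restrict keyring permissions, then add an ACL entry
  hosts: ceph_clients
  become: true
  vars:
    keyring_path: /etc/ceph/ceph.client.example.keyring   # placeholder path
    keyring_reader: example-service                       # placeholder service user
  tasks:
    # Step 1: base ownership and mode. This runs first on purpose: a chmod on a
    # file that already carries an extended ACL rewrites the ACL mask, so doing
    # the ACL first and the mode second can silently change what the ACL grants.
    - name: Owner-only base permissions on the keyring
      ansible.builtin.file:
        path: "{{ keyring_path }}"
        owner: ceph
        group: ceph
        mode: "0600"

    # Step 2: a named-user ACL entry for the one account that must read the key.
    - name: Grant read access to the service user via ACL
      ansible.posix.acl:
        path: "{{ keyring_path }}"
        entity: "{{ keyring_reader }}"
        etype: user
        permissions: r
        state: present

    # Check: confirm no world bits came back in after both steps.
    - name: Read back the keyring's permission bits
      ansible.builtin.stat:
        path: "{{ keyring_path }}"
      register: keyring_stat

    - name: Fail if the keyring is accessible to others
      ansible.builtin.assert:
        that:
          - not keyring_stat.stat.roth
          - not keyring_stat.stat.woth
        fail_msg: "{{ keyring_path }} is world-accessible"
```

Running `getfacl` on the keyring afterwards should show `user::rw-`, one `user:<service user>:r--` entry, `mask::r--` and `other::---`; any `other` bits set means the ordering or the mode was wrong.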

Comment 3 John Fulton 2017-10-26 13:15:12 UTC
Setting target release to 3.0 as this security issue will block OSP12 (assuming ceph-ansible 3.0 will ship with OSP12).

Comment 9 leseb 2017-10-27 07:57:46 UTC
Upstream has merged; the fix will be in 3.0.7: https://github.com/ceph/ceph-ansible/releases/tag/v3.0.7

Ken, please build a package :).

Comment 18 John Fulton 2017-11-03 22:10:43 UTC
When the fixed-in version (ceph-ansible-3.0.7) is tested with OpenStack as triggered by OSPd (puddle for version 12 10.31.1), the permissions and ACLs are set correctly.

Comment 21 John Fulton 2017-11-15 16:23:41 UTC
Upstream merged:
https://github.com/ceph/ceph-ansible/pull/2174#pullrequestreview-76695289

Comment 28 John Fulton 2017-11-16 19:58:06 UTC
The following merged, moving to POST.

 https://github.com/ceph/ceph-ansible/pull/2189

Comment 33 Omri Hochman 2017-11-16 23:10:39 UTC
Cloned to OSP12, to be verified there, as it blocks deployment with Ceph: https://bugzilla.redhat.com/show_bug.cgi?id=1514265

Comment 37 errata-xmlrpc 2017-12-05 23:49:35 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:3387

