CVE-2018-1128
Published: Jul 10, 2018
Modified: Sep 16, 2024
PUBLISHED
Description
It was found that the cephx authentication protocol did not verify ceph clients correctly and was vulnerable to a replay attack. Any attacker with access to the ceph cluster network who is able to sniff packets on that network can use this vulnerability to authenticate with the ceph service and perform actions allowed by the ceph service. Ceph branches master, mimic, luminous and jewel are believed to be vulnerable.
| Vendor | Product | Versions |
|---|---|---|
| Red Hat, Inc. | ceph | affected: All versions in branches master, mimic, luminous and jewel |
Weaknesses (CWE)
References
- RHSA-2018:2261 (vendor-advisory, x_refsource_REDHAT)
- RHSA-2018:2177 (vendor-advisory, x_refsource_REDHAT)
- https://github.com/ceph/ceph/commit/5ead97120e07054d80623dada90a5cc764c28468 (x_refsource_CONFIRM)
- RHSA-2018:2179 (vendor-advisory, x_refsource_REDHAT)
- RHSA-2018:2274 (vendor-advisory, x_refsource_REDHAT)
- DSA-4339 (vendor-advisory, x_refsource_DEBIAN)
- [debian-lts-announce] 20190315 [SECURITY] [DLA 1715-1] linux-4.9 security update (mailing-list, x_refsource_MLIST)
- http://tracker.ceph.com/issues/24836 (x_refsource_CONFIRM)
- https://bugzilla.redhat.com/show_bug.cgi?id=1575866 (x_refsource_CONFIRM)
- openSUSE-SU-2019:1284 (vendor-advisory, x_refsource_SUSE)
- [oss-security] 20201117 CVE-2020-25677 ceph: CEPHX_V2 replay attack protection lost (mailing-list, x_refsource_MLIST)
- [oss-security] 20201117 Re: CVE-2020-25677 ceph: CEPHX_V2 replay attack protection lost (mailing-list, x_refsource_MLIST)