projects / ceph.git / blame
| Commit | Line | Data |
|---|---|---|
| 39ae355f TL |
1 | .. _CVE-2022-0670: |
| 2 | ||
| 3 | CVE-2022-0670: Native-CephFS Manila Path-restriction bypass | |
| 4 | =========================================================== | |
| 5 | ||
| 6 | Summary | |
| 7 | ------- | |
| 8 | ||
| 9 | Users who were running OpenStack Manila to export native CephFS and who | |
| 10 | upgraded their Ceph cluster from Nautilus (or earlier) to a later | |
| 11 | major version were vulnerable to an attack by malicious users. The | |
| 12 | vulnerability allowed users to obtain access to arbitrary portions of | |
| 13 | the CephFS filesystem hierarchy instead of being properly restricted | |
| 14 | to their own subvolumes. The vulnerability is due to a bug in the | |
| 15 | "volumes" plugin in Ceph Manager. This plugin is responsible for | |
| 16 | managing Ceph File System subvolumes, which are used by OpenStack | |
| 17 | Manila services as a way to provide shares to Manila users. | |
| 18 | ||
| 19 | Again, this vulnerability impacts only OpenStack Manila clusters that | |
| 20 | provided native CephFS access to their users. | |
| 21 | ||
| 22 | Affected versions | |
| 23 | ----------------- | |
| 24 | ||
| 25 | Any version of Ceph running OpenStack Manila that was upgraded from Nautilus | |
| 26 | or earlier. | |
| 27 | ||
| 28 | Fixed versions | |
| 29 | -------------- | |
| 30 | ||
| 31 | * Quincy v17.2.2 (and later) | |
| 32 | * Pacific v16.2.10 (and later) | |
| 33 | * Octopus v15.2.17 | |
| 34 | ||
| 35 | Recommendations | |
| 36 | --------------- | |
| 37 | ||
| 38 | #. Users should upgrade to a patched version of Ceph at their earliest | |
| 39 | convenience. | |
| 40 | ||
| 41 | #. Administrators who are | |
| 42 | concerned they may have been impacted should audit the CephX keys in | |
| 43 | their cluster for proper path restrictions. |