]>
Commit | Line | Data |
---|---|---|
39ae355f TL |
1 | .. _CVE-2022-0670: |
2 | ||
3 | CVE-2022-0670: Native-CephFS Manila Path-restriction bypass | |
4 | =========================================================== | |
5 | ||
6 | Summary | |
7 | ------- | |
8 | ||
9 | Users who were running OpenStack Manila to export native CephFS and who | |
10 | upgraded their Ceph cluster from Nautilus (or earlier) to a later | |
11 | major version were vulnerable to an attack by malicious users. The | |
12 | vulnerability allowed users to obtain access to arbitrary portions of | |
13 | the CephFS filesystem hierarchy instead of being properly restricted | |
14 | to their own subvolumes. The vulnerability is due to a bug in the | |
15 | "volumes" plugin in Ceph Manager. This plugin is responsible for | |
16 | managing Ceph File System subvolumes, which are used by OpenStack | |
17 | Manila services as a way to provide shares to Manila users. | |
18 | ||
19 | Again, this vulnerability impacts only OpenStack Manila clusters that | |
20 | provided native CephFS access to their users. | |
21 | ||
22 | Affected versions | |
23 | ----------------- | |
24 | ||
25 | Any version of Ceph running OpenStack Manila that was upgraded from Nautilus | |
26 | or earlier. | |
27 | ||
28 | Fixed versions | |
29 | -------------- | |
30 | ||
31 | * Quincy v17.2.2 (and later) | |
32 | * Pacific v16.2.10 (and later) | |
33 | * Octopus v15.2.17 | |
34 | ||
35 | Recommendations | |
36 | --------------- | |
37 | ||
38 | #. Users should upgrade to a patched version of Ceph at their earliest | |
39 | convenience. | |
40 | ||
41 | #. Administrators who are | |
42 | concerned they may have been impacted should audit the CephX keys in | |
43 | their cluster for proper path restrictions. |