6.5

CVE-2018-1129

EPSS 0.39%
Published 10.07.2018 14:29:00
Last modified 21.11.2024 03:59:15
Source secalert@redhat.com
Teams watchlist Login
Open Login

A flaw was found in the way signature calculation was handled by cephx authentication protocol. An attacker having access to ceph cluster network who is able to alter the message payload was able to bypass signature checks done by cephx protocol. Ceph branches master, mimic, luminous and jewel are believed to be vulnerable.

Affected products Warnungen 0 Metrics 3 CWE 2 References 14

Data is provided by the National Vulnerability Database (NVD)

Redhat ≫ Ceph Storage Version1.3

Redhat ≫ Ceph Storage Version3

Redhat ≫ Ceph Storage Mon Version2

Redhat ≫ Ceph Storage Mon Version3

Redhat ≫ Ceph Storage Osd Version2

Redhat ≫ Ceph Storage Osd Version3

Redhat ≫ Enterprise Linux Version7.0

Redhat ≫ Enterprise Linux Desktop Version7.0

Redhat ≫ Enterprise Linux Server Version7.0

Redhat ≫ Enterprise Linux Workstation Version7.0

Ceph ≫ Ceph Version10.2.0

Ceph ≫ Ceph Version10.2.1

Ceph ≫ Ceph Version10.2.2

Ceph ≫ Ceph Version10.2.3

Ceph ≫ Ceph Version10.2.4

Ceph ≫ Ceph Version10.2.5

Ceph ≫ Ceph Version10.2.6

Ceph ≫ Ceph Version10.2.7

Ceph ≫ Ceph Version10.2.8

Ceph ≫ Ceph Version10.2.9

Ceph ≫ Ceph Version10.2.10

Ceph ≫ Ceph Version10.2.11

Ceph ≫ Ceph Version12.2.0

Ceph ≫ Ceph Version12.2.1

Ceph ≫ Ceph Version12.2.2

Ceph ≫ Ceph Version12.2.3

Ceph ≫ Ceph Version12.2.4

Ceph ≫ Ceph Version12.2.5

Ceph ≫ Ceph Version12.2.6

Ceph ≫ Ceph Version12.2.7

Ceph ≫ Ceph Version13.2.0

Ceph ≫ Ceph Version13.2.1

Debian ≫ Debian Linux Version8.0

Debian ≫ Debian Linux Version9.0

Opensuse ≫ Leap Version15.0

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.39%	0.595

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	6.5	2.8	3.6	CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
nvd@nist.gov	3.3	6.5	2.9	AV:A/AC:L/Au:N/C:N/I:P/A:N

CWE-284 Improper Access Control

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

CWE-287 Improper Authentication

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

https://lists.debian.org/debian-lts-announce/2019/03/msg00017.html

Third Party Advisory

Mailing List

http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00100.html

Third Party Advisory

https://access.redhat.com/errata/RHSA-2018:2177

Third Party Advisory

https://access.redhat.com/errata/RHSA-2018:2179

Third Party Advisory

https://access.redhat.com/errata/RHSA-2018:2261

Third Party Advisory

https://access.redhat.com/errata/RHSA-2018:2274

Third Party Advisory

https://www.debian.org/security/2018/dsa-4339

Third Party Advisory

http://packetstormsecurity.com/files/154245/Kernel-Live-Patch-Security-Notice-LSN-0054-1.html

http://tracker.ceph.com/issues/24837

Vendor Advisory

Issue Tracking

https://bugzilla.redhat.com/show_bug.cgi?id=1576057

Patch

Third Party Advisory

Issue Tracking

https://github.com/ceph/ceph/commit/8f396cf35a3826044b089141667a196454c0a587

Patch

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2018-1129

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2018-1129

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2018-1129

EUVD