CVE-2018-1128
It was found that the cephx authentication protocol did not verify Ceph clients correctly and was vulnerable to a replay attack. Any attacker who has access to the Ceph cluster network and is also able to sniff packets on that network can use this vulnerability to authenticate with the Ceph service and perform actions allowed by the Ceph service.
Find out more about CVE-2018-1128 from the MITRE CVE dictionary and NIST NVD.
CVSS v3 metrics
| Metric | Value |
|---|---|
| CVSS3 Base Score | 5.9 |
| CVSS3 Base Metrics | CVSS:3.0/AV:A/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:L |
| Attack Vector | Adjacent Network |
| Attack Complexity | High |
| Privileges Required | None |
| User Interaction | Required |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity Impact | Low |
| Availability Impact | Low |
Red Hat Security Errata
| Platform | Errata | Release Date |
|---|---|---|
| Red Hat Ceph Storage 3 for Ubuntu | RHSA-2018:2179 | 2018-07-11 |
| Red Hat Enterprise Linux 7 | RHSA-2018:2261 | 2018-07-26 |
| Red Hat Ceph Storage 3 for Red Hat Enterprise Linux 7 | RHSA-2018:2177 | 2018-07-11 |
| Red Hat Ceph Storage 2 for Ubuntu | RHSA-2018:2274 | 2018-07-26 |
| Red Hat Ceph Storage Tools 2 | RHSA-2018:2261 | 2018-07-26 |
Affected Packages State
| Platform | Package | State |
|---|---|---|
| Red Hat Enterprise Linux 7 | ceph-common | Not affected |
| Red Hat Ceph Storage 1.3 | ceph | Will not fix |
