Notice
This document is for a development version of Ceph.
CVE-2022-0670: Native-CephFS Manila Path-restriction bypass
Summary
Users who were running OpenStack Manila to export native CephFS and who upgraded their Ceph cluster from Nautilus (or earlier) to a later major version were vulnerable to an attack by malicious users. The vulnerability allowed users to obtain access to arbitrary portions of the CephFS filesystem hierarchy instead of being properly restricted to their own subvolumes. The vulnerability is due to a bug in the “volumes” plugin in Ceph Manager. This plugin is responsible for managing Ceph File System subvolumes, which are used by OpenStack Manila services as a way to provide shares to Manila users.
Again, this vulnerability impacts only OpenStack Manila clusters that provided native CephFS access to their users.
Affected versions
Any version of Ceph running OpenStack Manila that was upgraded from Nautilus or earlier.
Fixed versions
Quincy v17.2.2 (and later)
Pacific v16.2.10 (and later)
Octopus v15.2.17
Recommendations
Users should upgrade to a patched version of Ceph at their earliest convenience.
Administrators who are concerned they may have been impacted should audit the CephX keys in their cluster for proper path restrictions.
Brought to you by the Ceph Foundation
The Ceph Documentation is a community resource funded and hosted by the non-profit Ceph Foundation. If you would like to support this and our other efforts, please consider joining now.