{
  "threat_severity" : "Moderate",
  "public_date" : "2019-01-10T00:00:00Z",
  "bugzilla" : {
    "description" : "ceph: debug logging for v4 auth does not sanitize encryption keys",
    "id" : "1665334",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1665334"
  },
  "cvss3" : {
    "cvss3_base_score" : "5.5",
    "cvss3_scoring_vector" : "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
    "status" : "verified"
  },
  "cwe" : "CWE-538",
  "details" : [ "Ceph does not properly sanitize encryption keys in debug logging for v4 auth. As a result, encryption key information is written to log files in plaintext. Versions up to v13.2.4 are vulnerable.", "It was found that Ceph RGW did not properly sanitize encryption keys in debug logging for v4 auth. Encryption keys could be inadvertently disclosed when sharing debug logs." ],
  "affected_release" : [ {
    "product_name" : "Red Hat Ceph Storage 3.3",
    "release_date" : "2019-08-21T00:00:00Z",
    "advisory" : "RHSA-2019:2538",
    "cpe" : "cpe:/a:redhat:ceph_storage:3::el7",
    "package" : "ceph-2:12.2.12-45.el7cp"
  }, {
    "product_name" : "Red Hat Ceph Storage 3.3",
    "release_date" : "2019-08-21T00:00:00Z",
    "advisory" : "RHSA-2019:2538",
    "cpe" : "cpe:/a:redhat:ceph_storage:3::el7",
    "package" : "ceph-ansible-0:3.2.24-1.el7cp"
  }, {
    "product_name" : "Red Hat Ceph Storage 3.3",
    "release_date" : "2019-08-21T00:00:00Z",
    "advisory" : "RHSA-2019:2538",
    "cpe" : "cpe:/a:redhat:ceph_storage:3::el7",
    "package" : "ceph-iscsi-config-0:2.6-19.el7cp"
  }, {
    "product_name" : "Red Hat Ceph Storage 3.3",
    "release_date" : "2019-08-21T00:00:00Z",
    "advisory" : "RHSA-2019:2538",
    "cpe" : "cpe:/a:redhat:ceph_storage:3::el7",
    "package" : "cephmetrics-0:2.0.6-1.el7cp"
  }, {
    "product_name" : "Red Hat Ceph Storage 3.3",
    "release_date" : "2019-08-21T00:00:00Z",
    "advisory" : "RHSA-2019:2538",
    "cpe" : "cpe:/a:redhat:ceph_storage:3::el7",
    "package" : "libntirpc-0:1.7.4-1.el7cp"
  }, {
    "product_name" : "Red Hat Ceph Storage 3.3",
    "release_date" : "2019-08-21T00:00:00Z",
    "advisory" : "RHSA-2019:2538",
    "cpe" : "cpe:/a:redhat:ceph_storage:3::el7",
    "package" : "nfs-ganesha-0:2.7.4-10.el7cp"
  }, {
    "product_name" : "Red Hat Ceph Storage 3.3",
    "release_date" : "2019-08-21T00:00:00Z",
    "advisory" : "RHSA-2019:2538",
    "cpe" : "cpe:/a:redhat:ceph_storage:3::el7",
    "package" : "python-crypto-0:2.6.1-16.el7ost"
  }, {
    "product_name" : "Red Hat Ceph Storage 3 for Ubuntu",
    "release_date" : "2019-08-21T00:00:00Z",
    "advisory" : "RHSA-2019:2541",
    "cpe" : "cpe:/a:redhat:ceph_storage:3::ubuntu16.04",
    "package" : "ceph"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Ceph Storage 2",
    "fix_state" : "Not affected",
    "package_name" : "ceph",
    "cpe" : "cpe:/a:redhat:ceph_storage:2"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "ceph-common",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "ceph",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Virtualization 4",
    "fix_state" : "Not affected",
    "package_name" : "redhat-virtualization-host",
    "cpe" : "cpe:/o:redhat:rhev_hypervisor:4"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2018-16889\nhttps://nvd.nist.gov/vuln/detail/CVE-2018-16889" ],
  "name" : "CVE-2018-16889",
  "csaw" : false
}