Adding upstream version 16.2.11+ds.upstream/16.2.11+dsupstream

Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>

1 files changed, 43 insertions, 0 deletions

diff --git a/doc/security/CVE-2022-0670.rst b/doc/security/CVE-2022-0670.rst
new file mode 100644
index 000000000..e7863d1d9
--- /dev/null
+++ b/doc/security/CVE-2022-0670.rst
@@ -0,0 +1,43 @@
+.. _CVE-2022-0670:
+
+CVE-2022-0670: Native-CephFS Manila Path-restriction bypass
+===========================================================
+
+Summary
+-------
+
+Users who were running OpenStack Manila to export native CephFS and who
+upgraded their Ceph cluster from Nautilus (or earlier) to a later
+major version were vulnerable to an attack by malicious users. The
+vulnerability allowed users to obtain access to arbitrary portions of
+the CephFS filesystem hierarchy instead of being properly restricted
+to their own subvolumes. The vulnerability is due to a bug in the
+"volumes" plugin in Ceph Manager. This plugin is responsible for
+managing Ceph File System subvolumes, which are used by OpenStack
+Manila services as a way to provide shares to Manila users.
+
+Again, this vulnerability impacts only OpenStack Manila clusters that 
+provided native CephFS access to their users.
+
+Affected versions
+-----------------
+
+Any version of Ceph running OpenStack Manila that was upgraded from Nautilus
+or earlier.
+
+Fixed versions
+--------------
+
+* Quincy v17.2.2 (and later)
+* Pacific v16.2.10 (and later)
+* Octopus fix is forthcoming
+
+Recommendations
+---------------
+
+#. Users should upgrade to a patched version of Ceph at their earliest
+   convenience.
+
+#. Administrators who are
+   concerned they may have been impacted should audit the CephX keys in
+   their cluster for proper path restrictions.