oss-sec mailing list archives

Re: CVE-2021-3979 ceph: Ceph volume does not honour osd_dmcrypt_key_size


From: Jeffrey Walton <noloader () gmail com>
Date: Tue, 11 Jan 2022 22:01:10 -0500

On Tue, Jan 11, 2022 at 4:18 PM Ana McTaggart <amctagga () redhat com> wrote:

The key length for encrypted devices created using ceph-volume is
incorrect. This is due to a bug in ceph_volume/util/encryption.py, where
upon writing a key using osd_dmcrypt_key_size it does not pass the key size
to the format and open operations following. The default key is then
applied in cryptsetup. All versions since Luminous are assumed affected. At
Red Hat, we have assigned it CVE-2021-3979 and proposed a CVSS score of
6.5/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

The score does not make a lot of sense (to me). It seems too high. A
256-bit XTS key means 128 bits are used for the AES block cipher, and
128 bits are used for the AES-based tweak. I don't think many people
will feel AES-128 is a problem. If AES-128 is a problem nowadays, then
there's a boatload of software that's going to be hit with CVEs.

In practice the biggest problem will be ensuring data is not lost once
the bug is fixed.

I hope I'm not missing something obvious.

Jeff
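The two points in this exchange, a configured key size that never reaches the cryptsetup calls and the halving of XTS key length to AES strength, are illustrated below. This is an added example, not ceph-volume's code (the real `ceph_volume/util/encryption.py` is not reproduced here), and it assumes a generic `cryptsetup luksFormat` argument list, a placeholder default of 256 bits for when `--key-size` is absent (the real default depends on the cryptsetup build), and constructed `luksDump`-style excerpts for auditing devices that already exist:

```python
"""Added illustration: a dm-crypt key size that is read from config but
dropped before the cryptsetup call, the hardened form that forwards it,
and two audits (one on the command line, one on an existing LUKS header)."""
import re
from typing import List, Optional

# Assumption for this illustration only: the key size cryptsetup applies when
# none is given. The advisory just says "the default key is then applied".
CRYPTSETUP_DEFAULT_KEY_BITS = 256


def luks_format_argv_buggy(device: str, key_bits: int) -> List[str]:
    """Pattern the advisory describes: key_bits (from osd_dmcrypt_key_size)
    is accepted but never forwarded, so cryptsetup's default wins."""
    del key_bits  # read from config, silently dropped
    return ["cryptsetup", "--batch-mode", "--key-file", "-", "luksFormat", device]


def luks_format_argv_fixed(device: str, key_bits: int) -> List[str]:
    """Hardened form: the configured size reaches cryptsetup via --key-size."""
    if key_bits <= 0 or key_bits % 8:
        raise ValueError("key size must be a positive number of whole bytes")
    return ["cryptsetup", "--batch-mode", "--key-file", "-",
            "--key-size", str(key_bits), "luksFormat", device]


def effective_key_bits(argv: List[str]) -> int:
    """Key size cryptsetup would use for this argv (--key-size N, --key-size=N, -s N)."""
    for i, tok in enumerate(argv):
        if tok in ("--key-size", "-s") and i + 1 < len(argv):
            return int(argv[i + 1])
        if tok.startswith("--key-size="):
            return int(tok.split("=", 1)[1])
    return CRYPTSETUP_DEFAULT_KEY_BITS


def aes_strength_bits(xts_key_bits: int) -> int:
    """XTS splits its key into two equal halves (data-cipher key and tweak key),
    so a 256-bit XTS key is AES-128 and a 512-bit XTS key is AES-256."""
    return xts_key_bits // 2


def audit_argv(configured_bits: int, argv: List[str]) -> Optional[str]:
    """None when the command honours the configured size, else a finding."""
    actual = effective_key_bits(argv)
    if actual == configured_bits:
        return None
    return (f"configured {configured_bits}-bit key, command uses {actual}-bit key "
            f"(AES-{aes_strength_bits(actual)}-XTS)")


# Constructed excerpts in the shape of `cryptsetup luksDump` output, LUKS1
# ("MK bits") and LUKS2 ("Key: N bits" per keyslot); not captured from a real OSD.
LUKS1_DUMP = """LUKS header information for /dev/sdb1
Version:        1
Cipher name:    aes
Cipher mode:    xts-plain64
MK bits:        256
"""
LUKS2_DUMP = """LUKS header information
Version:        2
Keyslots:
  0: luks2
        Key:        512 bits
        Cipher:     aes-xts-plain64
"""

_KEY_BITS = re.compile(r"^(?:MK bits|\s*Key):\s+(\d+)", re.MULTILINE)


def key_bits_from_luks_dump(dump: str) -> Optional[int]:
    """Master-key size recorded in a LUKS header, for auditing existing devices."""
    m = _KEY_BITS.search(dump)
    return int(m.group(1)) if m else None


def audit_existing(configured_bits: int, dump: str) -> Optional[str]:
    """Compare the header's recorded key size with what the config asked for."""
    actual = key_bits_from_luks_dump(dump)
    if actual is None:
        return "could not find key size in luksDump output"
    if actual == configured_bits:
        return None
    return f"header says {actual}-bit key, config says {configured_bits}"


if __name__ == "__main__":
    print(audit_argv(512, luks_format_argv_buggy("/dev/sdb", 512)))
    print(audit_argv(512, luks_format_argv_fixed("/dev/sdb", 512)))
    print(audit_existing(512, LUKS1_DUMP))
```

The header audit is the part that matters after the fix ships: an OSD formatted under the bug keeps the shorter master key until it is re-created, and its `luksDump` output is the only place that shows which size it actually has.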