RedHat: RHSA-2019-2538:01 Moderate: Red Hat Ceph Storage 3.3 security, bug fix, and enhancement update

    Date: 21 Aug 2019
    Category: Red Hat
    Posted By: LinuxSecurity Advisories
    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA256
    
    =====================================================================
                       Red Hat Security Advisory
    
    Synopsis:          Moderate: Red Hat Ceph Storage 3.3 security, bug fix, and enhancement update
    Advisory ID:       RHSA-2019:2538-01
    Product:           Red Hat Ceph Storage
    Advisory URL:      https://access.redhat.com/errata/RHSA-2019:2538
    Issue date:        2019-08-21
    CVE Names:         CVE-2018-14662 CVE-2018-16846 CVE-2018-16889 
    =====================================================================
    
    1. Summary:
    
    An update is now available for Red Hat Ceph Storage 3.3 on Red Hat
    Enterprise Linux 7.
    
    Red Hat Product Security has rated this update as having a security impact
    of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
    gives a detailed severity rating, is available for each vulnerability from
    the CVE link(s) in the References section.
    
    2. Relevant releases/architectures:
    
    Red Hat Ceph Storage 3.3 MON - ppc64le, x86_64
    Red Hat Ceph Storage 3.3 OSD - ppc64le, x86_64
    Red Hat Ceph Storage 3.3 Tools - noarch, ppc64le, x86_64
    
    3. Description:
    
    Red Hat Ceph Storage is a scalable, open, software-defined storage platform
    that combines the most stable version of the Ceph storage system with a
    Ceph management platform, deployment utilities, and support services.
    
    Security Fix(es):
    
    * ceph: ListBucket max-keys has no defined limit in the RGW codebase
    (CVE-2018-16846)
    
    * ceph: debug logging for v4 auth does not sanitize encryption keys
    (CVE-2018-16889)
    
    * ceph: authenticated user with read only permissions can steal dm-crypt /
    LUKS key (CVE-2018-14662)
    
    For more details about the security issue(s), including the impact, a CVSS
    score, acknowledgments, and other related information, refer to the CVE
    page(s) listed in the References section.
    
    Bug Fix(es) and Enhancement(s):
    
    For detailed information on changes in this release, see the Red Hat Ceph
    Storage 3.3 Release Notes available at:
    
    https://access.redhat.com/documentation/en-us/red_hat_ceph_storage/3.3/html/release_notes/index
    
    4. Solution:
    
    For details on how to apply this update, which includes the changes
    described in this advisory, refer to:
    
    https://access.redhat.com/articles/11258
    
    5. Bugs fixed (https://bugzilla.redhat.com/):
    
    1337915 - purge-cluster.yml confused by presence of ceph installer, ceph kernel threads
    1572933 - infrastructure-playbooks/shrink-osd.yml leaves behind NVMe partition; scenario non-collocated
    1599852 - radosgw-admin bucket rm --bucket=${bucket} --bypass-gc --purge-objects not cleaning up objects in secondary site
    1627567 - MDS fails heartbeat map due to export size
    1628309 - MDS should handle large exports in parts
    1628311 - MDS balancer may stop prematurely
    1631010 - batch: allow journal+block.db sizing on the CLI
    1636136 - [cee/sd] add ceph_docker_registry to group_vars/all.yml.sample same way as ceph-ansible does allowing custom registry for systems without direct internet access
    1637327 - CVE-2018-14662 ceph: authenticated user with read only permissions can steal dm-crypt / LUKS key
    1639712 - dynamic bucket resharding unexpected behavior
    1644321 - lvm scenario - stderr: Device /dev/sdb excluded by a filter
    1644461 - CVE-2018-16846 ceph: ListBucket max-keys has no defined limit in the RGW codebase
    1644610 - [RFE] allow --no-systemd flag for 'simple' sub-command
    1644847 - [RFE] ceph-volume zap enhancements based on the OSD ID instead of a device
    1651054 - [iSCSI-container] - After cluster purge and recreation, iSCSI target creation failed.
    1656908 - [ceph-ansible] Ceph nfs installation fails at  task start nfs gateway service in ubuntu ipv6 deployment
    1659611 - ceph ansible rolling upgrade does not restart tcmu-runner and rbd-target-api
    1661504 - [RFE] append x-amz-version-id in PUT response
    1665334 - CVE-2018-16889 ceph: debug logging for v4 auth does not sanitize encryption keys
    1666822 - ceph-volume does not always populate dictionary key rotational
    1668478 - Failed to Purge Cluster
    1668896 - Ability to search by access-key using the radosgw-admin tool [Consulting]
    1668897 - Ability to register/associate one email to multiple user accounts [Consulting]
    1669838 - [RFE] Including some rgw bits in mgr-restful plugin
    1670527 - if LVM is not installed containers don't come up after a system reboot
    1670785 - rbd-target-api.service doesn't get started after starting rbd-target-gw.service.
    1677269 - Need to add port 9283/tcp to /usr/share/cephmetrics-ansible/roles/ceph-node-exporter/tasks/configure_firewall.yml
    1680144 - [RFE] RGW  metadata search support for elastic search 6.0 API changes
    1680155 - ceph-ansible is configuring VIP address for MON and RGW
    1685253 - ceph-ansible non-collocated OSD scenario should not create block.wal by default
    1685734 - MDS `cache drop` command does not timeout as expected
    1686306 - [ceph-ansible] shrink-osd.yml fails at stopping osd service task
    1695850 - ceph-ansible containerized Ceph MDS  is limited to 1 CPU core by default - not enough
    1696227 - [RFE] print client IP in default debug_ms log level when "bad crc in {front|middle|data}" occurs
    1696691 - [CEE/SD] 'ceph osd in any' marks all osds 'in' even if the osds are removed completely from the Ceph cluster.
    1696880 - ceph ansible 3.x still sets memory option if
    1700896 - Update nfs-ganesha to 2.7.4
    1701029 - [RFE] GA support for ASIO/Beast HTTP Frontend
    1702091 - nofail option is unsupported in the kernel driver
    1702092 - MDS may report spurious warning during subtree migration
    1702093 - MDS may hit an assertion during shutdown
    1702097 - MDS does not initialize based on config mds_cap_revoke_eviction_timeout
    1702099 - MDS may return ENOSPC for a series of renames to a target directory
    1702100 - MDS may crash during reconnect when processing reconnect message
    1702285 - It takes significantly longer to deploy bluestore than filestore on the same hardware
    1702732 - [ceph-ansible] - group_vars files says that default values are based in RHCS 2.x hardware guide
    1703557 - rgw: object expirer: handle resharded buckets
    1704948 - [Rebase] rebase ceph to 12.2.12
    1705258 - RGW: expiration_date returned from lifecycle is in wrong format. [Consulting]
    1705922 - Getting versioning state of non-existing bucket returns HTTP Response 200
    1708346 - Memory growth when enabling rgw_enable_ops_log = True with no consumption of queue
    1708650 - PUT Bucket Lifecycle doesn't clear existing lifecycle policy
    1708798 - rgw:  luminous: keystone: backport keystone S3 credential caching
    1709765 - [RGW]: Radosgw unable to start post upgrade to latest Luminous build
    1710855 - nfs ganesha crashed due to invalid rgw_fh pointer  passed by FSAL_RGW ?
    1713779 - rgw-multisite: 'radosgw-admin bilog trim' stops after 1000 entries
    1714810 - MDS may hang during up:rejoin while iterating inodes
    1714814 - MDS may try trimming all of its journal at once after recovery
    1715577 - [Consulting] Ceph Balancer not working with EC/upmap configuration
    1715946 - [RGW-NFS]: objects stored on nfs mount may have inconsistent tail tag and fail to gc
    1717135 - S3 client timed out in RGW - listing the large buckets having ~14 million objects with 256 bucket index shards
    1718135 - Multiple MDS crashing with assert(mds->sessionmap.get_version() == cmapv) in ESessions::replay while replaying journal
    1718328 - S3 client timed out in RGW while listing buckets having 2 million to 5 million objects.
    1719023 - ceph-validate : devices are not validated in non-collocated and lvm_batch scenario
    1720205 - [GSS] MONs continuously calling for election on lease expiry
    1720741 - [RGW]  bucket_list on large bucket causing application to not startup, and performance impact on all other clients using RGW
    1721165 - MDS session reference count may leak due to regression in 12.2.11
    1722663 - ceph-ansible: purge-cluster.yml fails when initiated second time
    1722664 - radosgw-admin bucket rm fails to remove a bucket with error "aborted 152 incomplete multipart uploads"
    1725521 - Config parser error when import rados config which larger than 1024 bytes
    1725536 - few OSDs are not coming up and log error "In function 'void KernelDevice::_aio_thread()' thread 7f3e4ead9700 ... bluestore/KernelDevice.cc: 397: FAILED assert(0 == "unexpected aio error"
    1732142 - [RFE] Changing BlueStore OSD rocksdb_cache_size default value to 512MB for helping in compaction
    1732706 - [RGW-NFS]: nfs-ganesha aborts due to "Cannot acquire credentials for principal nfs"
    1734550 - GetBucketLocation  on non-existing bucket doesn't throw NoSuchBucket and gives 200
    1739209 - [ceph-ansible] - rolling-update of containerized cluster from 2.x to 3.x failed trying to run systemd-device-to-id.sh saying no such file
    
    6. Package List:
    
    Red Hat Ceph Storage 3.3 MON:
    
    Source:
    ceph-12.2.12-45.el7cp.src.rpm
    
    ppc64le:
    ceph-base-12.2.12-45.el7cp.ppc64le.rpm
    ceph-common-12.2.12-45.el7cp.ppc64le.rpm
    ceph-debuginfo-12.2.12-45.el7cp.ppc64le.rpm
    ceph-mgr-12.2.12-45.el7cp.ppc64le.rpm
    ceph-mon-12.2.12-45.el7cp.ppc64le.rpm
    ceph-selinux-12.2.12-45.el7cp.ppc64le.rpm
    libcephfs-devel-12.2.12-45.el7cp.ppc64le.rpm
    libcephfs2-12.2.12-45.el7cp.ppc64le.rpm
    librados-devel-12.2.12-45.el7cp.ppc64le.rpm
    librados2-12.2.12-45.el7cp.ppc64le.rpm
    libradosstriper1-12.2.12-45.el7cp.ppc64le.rpm
    librbd-devel-12.2.12-45.el7cp.ppc64le.rpm
    librbd1-12.2.12-45.el7cp.ppc64le.rpm
    librgw-devel-12.2.12-45.el7cp.ppc64le.rpm
    librgw2-12.2.12-45.el7cp.ppc64le.rpm
    python-cephfs-12.2.12-45.el7cp.ppc64le.rpm
    python-rados-12.2.12-45.el7cp.ppc64le.rpm
    python-rbd-12.2.12-45.el7cp.ppc64le.rpm
    python-rgw-12.2.12-45.el7cp.ppc64le.rpm
    
    x86_64:
    ceph-base-12.2.12-45.el7cp.x86_64.rpm
    ceph-common-12.2.12-45.el7cp.x86_64.rpm
    ceph-debuginfo-12.2.12-45.el7cp.x86_64.rpm
    ceph-mgr-12.2.12-45.el7cp.x86_64.rpm
    ceph-mon-12.2.12-45.el7cp.x86_64.rpm
    ceph-selinux-12.2.12-45.el7cp.x86_64.rpm
    ceph-test-12.2.12-45.el7cp.x86_64.rpm
    libcephfs-devel-12.2.12-45.el7cp.x86_64.rpm
    libcephfs2-12.2.12-45.el7cp.x86_64.rpm
    librados-devel-12.2.12-45.el7cp.x86_64.rpm
    librados2-12.2.12-45.el7cp.x86_64.rpm
    libradosstriper1-12.2.12-45.el7cp.x86_64.rpm
    librbd-devel-12.2.12-45.el7cp.x86_64.rpm
    librbd1-12.2.12-45.el7cp.x86_64.rpm
    librgw-devel-12.2.12-45.el7cp.x86_64.rpm
    librgw2-12.2.12-45.el7cp.x86_64.rpm
    python-cephfs-12.2.12-45.el7cp.x86_64.rpm
    python-rados-12.2.12-45.el7cp.x86_64.rpm
    python-rbd-12.2.12-45.el7cp.x86_64.rpm
    python-rgw-12.2.12-45.el7cp.x86_64.rpm
    
    Red Hat Ceph Storage 3.3 OSD:
    
    Source:
    ceph-12.2.12-45.el7cp.src.rpm
    
    ppc64le:
    ceph-base-12.2.12-45.el7cp.ppc64le.rpm
    ceph-common-12.2.12-45.el7cp.ppc64le.rpm
    ceph-debuginfo-12.2.12-45.el7cp.ppc64le.rpm
    ceph-osd-12.2.12-45.el7cp.ppc64le.rpm
    ceph-selinux-12.2.12-45.el7cp.ppc64le.rpm
    libcephfs-devel-12.2.12-45.el7cp.ppc64le.rpm
    libcephfs2-12.2.12-45.el7cp.ppc64le.rpm
    librados-devel-12.2.12-45.el7cp.ppc64le.rpm
    librados2-12.2.12-45.el7cp.ppc64le.rpm
    libradosstriper1-12.2.12-45.el7cp.ppc64le.rpm
    librbd-devel-12.2.12-45.el7cp.ppc64le.rpm
    librbd1-12.2.12-45.el7cp.ppc64le.rpm
    librgw-devel-12.2.12-45.el7cp.ppc64le.rpm
    librgw2-12.2.12-45.el7cp.ppc64le.rpm
    python-cephfs-12.2.12-45.el7cp.ppc64le.rpm
    python-rados-12.2.12-45.el7cp.ppc64le.rpm
    python-rbd-12.2.12-45.el7cp.ppc64le.rpm
    python-rgw-12.2.12-45.el7cp.ppc64le.rpm
    
    x86_64:
    ceph-base-12.2.12-45.el7cp.x86_64.rpm
    ceph-common-12.2.12-45.el7cp.x86_64.rpm
    ceph-debuginfo-12.2.12-45.el7cp.x86_64.rpm
    ceph-osd-12.2.12-45.el7cp.x86_64.rpm
    ceph-selinux-12.2.12-45.el7cp.x86_64.rpm
    ceph-test-12.2.12-45.el7cp.x86_64.rpm
    libcephfs-devel-12.2.12-45.el7cp.x86_64.rpm
    libcephfs2-12.2.12-45.el7cp.x86_64.rpm
    librados-devel-12.2.12-45.el7cp.x86_64.rpm
    librados2-12.2.12-45.el7cp.x86_64.rpm
    libradosstriper1-12.2.12-45.el7cp.x86_64.rpm
    librbd-devel-12.2.12-45.el7cp.x86_64.rpm
    librbd1-12.2.12-45.el7cp.x86_64.rpm
    librgw-devel-12.2.12-45.el7cp.x86_64.rpm
    librgw2-12.2.12-45.el7cp.x86_64.rpm
    python-cephfs-12.2.12-45.el7cp.x86_64.rpm
    python-rados-12.2.12-45.el7cp.x86_64.rpm
    python-rbd-12.2.12-45.el7cp.x86_64.rpm
    python-rgw-12.2.12-45.el7cp.x86_64.rpm
    
    Red Hat Ceph Storage 3.3 Tools:
    
    Source:
    ceph-12.2.12-45.el7cp.src.rpm
    ceph-ansible-3.2.24-1.el7cp.src.rpm
    ceph-iscsi-config-2.6-19.el7cp.src.rpm
    cephmetrics-2.0.6-1.el7cp.src.rpm
    libntirpc-1.7.4-1.el7cp.src.rpm
    nfs-ganesha-2.7.4-10.el7cp.src.rpm
    python-crypto-2.6.1-16.el7ost.src.rpm
    
    noarch:
    ceph-ansible-3.2.24-1.el7cp.noarch.rpm
    ceph-iscsi-config-2.6-19.el7cp.noarch.rpm
    
    ppc64le:
    ceph-base-12.2.12-45.el7cp.ppc64le.rpm
    ceph-common-12.2.12-45.el7cp.ppc64le.rpm
    ceph-debuginfo-12.2.12-45.el7cp.ppc64le.rpm
    ceph-fuse-12.2.12-45.el7cp.ppc64le.rpm
    ceph-mds-12.2.12-45.el7cp.ppc64le.rpm
    ceph-radosgw-12.2.12-45.el7cp.ppc64le.rpm
    ceph-selinux-12.2.12-45.el7cp.ppc64le.rpm
    libcephfs-devel-12.2.12-45.el7cp.ppc64le.rpm
    libcephfs2-12.2.12-45.el7cp.ppc64le.rpm
    libntirpc-1.7.4-1.el7cp.ppc64le.rpm
    libntirpc-debuginfo-1.7.4-1.el7cp.ppc64le.rpm
    librados-devel-12.2.12-45.el7cp.ppc64le.rpm
    librados2-12.2.12-45.el7cp.ppc64le.rpm
    libradosstriper1-12.2.12-45.el7cp.ppc64le.rpm
    librbd-devel-12.2.12-45.el7cp.ppc64le.rpm
    librbd1-12.2.12-45.el7cp.ppc64le.rpm
    librgw-devel-12.2.12-45.el7cp.ppc64le.rpm
    librgw2-12.2.12-45.el7cp.ppc64le.rpm
    nfs-ganesha-2.7.4-10.el7cp.ppc64le.rpm
    nfs-ganesha-ceph-2.7.4-10.el7cp.ppc64le.rpm
    nfs-ganesha-debuginfo-2.7.4-10.el7cp.ppc64le.rpm
    nfs-ganesha-rgw-2.7.4-10.el7cp.ppc64le.rpm
    python-cephfs-12.2.12-45.el7cp.ppc64le.rpm
    python-crypto-debuginfo-2.6.1-16.el7ost.ppc64le.rpm
    python-rados-12.2.12-45.el7cp.ppc64le.rpm
    python-rbd-12.2.12-45.el7cp.ppc64le.rpm
    python-rgw-12.2.12-45.el7cp.ppc64le.rpm
    python2-crypto-2.6.1-16.el7ost.ppc64le.rpm
    rbd-mirror-12.2.12-45.el7cp.ppc64le.rpm
    
    x86_64:
    ceph-base-12.2.12-45.el7cp.x86_64.rpm
    ceph-common-12.2.12-45.el7cp.x86_64.rpm
    ceph-debuginfo-12.2.12-45.el7cp.x86_64.rpm
    ceph-fuse-12.2.12-45.el7cp.x86_64.rpm
    ceph-mds-12.2.12-45.el7cp.x86_64.rpm
    ceph-radosgw-12.2.12-45.el7cp.x86_64.rpm
    ceph-selinux-12.2.12-45.el7cp.x86_64.rpm
    cephmetrics-ansible-2.0.6-1.el7cp.x86_64.rpm
    libcephfs-devel-12.2.12-45.el7cp.x86_64.rpm
    libcephfs2-12.2.12-45.el7cp.x86_64.rpm
    libntirpc-1.7.4-1.el7cp.x86_64.rpm
    libntirpc-debuginfo-1.7.4-1.el7cp.x86_64.rpm
    librados-devel-12.2.12-45.el7cp.x86_64.rpm
    librados2-12.2.12-45.el7cp.x86_64.rpm
    libradosstriper1-12.2.12-45.el7cp.x86_64.rpm
    librbd-devel-12.2.12-45.el7cp.x86_64.rpm
    librbd1-12.2.12-45.el7cp.x86_64.rpm
    librgw-devel-12.2.12-45.el7cp.x86_64.rpm
    librgw2-12.2.12-45.el7cp.x86_64.rpm
    nfs-ganesha-2.7.4-10.el7cp.x86_64.rpm
    nfs-ganesha-ceph-2.7.4-10.el7cp.x86_64.rpm
    nfs-ganesha-debuginfo-2.7.4-10.el7cp.x86_64.rpm
    nfs-ganesha-rgw-2.7.4-10.el7cp.x86_64.rpm
    python-cephfs-12.2.12-45.el7cp.x86_64.rpm
    python-crypto-debuginfo-2.6.1-16.el7ost.x86_64.rpm
    python-rados-12.2.12-45.el7cp.x86_64.rpm
    python-rbd-12.2.12-45.el7cp.x86_64.rpm
    python-rgw-12.2.12-45.el7cp.x86_64.rpm
    python2-crypto-2.6.1-16.el7ost.x86_64.rpm
    rbd-mirror-12.2.12-45.el7cp.x86_64.rpm
    
    These packages are GPG signed by Red Hat for security.  Our key and
    details on how to verify the signature are available from
    https://access.redhat.com/security/team/key/
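    A quick way to confirm that a host has actually picked up the builds listed above is to compare the installed version-release of each affected package with the fixed one. The script below is an added example written for this advisory, not Red Hat's tooling. It reads `rpm -qa --qf '%{NAME} %{VERSION} %{RELEASE}\n'` output on standard input and reports every package that is still below the build in the Package List. The fixed version-release table is taken from the Package List; the function names and the embedded sample of rpm output are this example's own constructions, so it runs offline.

```shell
#!/bin/sh
# Added example (not from the advisory): check installed package builds
# against the fixed builds RHSA-2019:2538 ships. Function names and the
# sample rpm output below are this example's own; the version numbers
# come from the advisory's Package List.

# Fixed "VERSION RELEASE" per package name, taken from the Package List.
# Prints nothing for packages this advisory does not ship. Specific names
# come before the ceph-* glob so they are not swallowed by it.
fixed_for() {
  case "$1" in
    ceph-ansible)        printf '%s\n' "3.2.24 1.el7cp" ;;
    ceph-iscsi-config)   printf '%s\n' "2.6 19.el7cp" ;;
    cephmetrics-ansible) printf '%s\n' "2.0.6 1.el7cp" ;;
    nfs-ganesha*)        printf '%s\n' "2.7.4 10.el7cp" ;;
    libntirpc*)          printf '%s\n' "1.7.4 1.el7cp" ;;
    python2-crypto|python-crypto-debuginfo) printf '%s\n' "2.6.1 16.el7ost" ;;
    ceph-*|libcephfs*|librados*|librbd*|librgw*|rbd-mirror|python-cephfs|python-rados|python-rbd|python-rgw)
                         printf '%s\n' "12.2.12 45.el7cp" ;;
    *) ;;
  esac
}

# Compare two dotted strings field by field and print -1, 0 or 1.
# Numeric fields compare as integers, anything else as strings; a missing
# field counts as 0 so that 12.2.12 sorts below 12.2.12.1. This covers the
# "12.2.12" and "45.el7cp" forms used in RPM version/release tags.
vercmp() {
  a="$1"; b="$2"
  while [ -n "$a" ] || [ -n "$b" ]; do
    fa="${a%%.*}"; fb="${b%%.*}"
    case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
    case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
    [ -z "$fa" ] && fa=0
    [ -z "$fb" ] && fb=0
    if [ "$fa" -eq "$fa" ] 2>/dev/null && [ "$fb" -eq "$fb" ] 2>/dev/null; then
      if [ "$fa" -lt "$fb" ]; then printf '%s\n' -1; return; fi
      if [ "$fa" -gt "$fb" ]; then printf '%s\n' 1; return; fi
    else
      if expr "$fa" \< "$fb" >/dev/null; then printf '%s\n' -1; return; fi
      if expr "$fa" \> "$fb" >/dev/null; then printf '%s\n' 1; return; fi
    fi
  done
  printf '%s\n' 0
}

# Return 0 when the installed VERSION RELEASE ($1 $2) is at or above the
# fixed VERSION RELEASE ($3 $4). Version decides; release breaks ties.
is_fixed() {
  c=$(vercmp "$1" "$3")
  if [ "$c" -gt 0 ]; then return 0; fi
  if [ "$c" -lt 0 ]; then return 1; fi
  c=$(vercmp "$2" "$4")
  [ "$c" -ge 0 ]
}

# Read "NAME VERSION RELEASE" lines on stdin, as produced by
#   rpm -qa --qf '%{NAME} %{VERSION} %{RELEASE}\n'
# and print one line per package still below the advisory build.
# Returns 0 when every package this advisory ships is current, 1 otherwise.
report_outdated() {
  status=0
  while read -r name version release; do
    [ -z "$name" ] && continue
    set -- $(fixed_for "$name")
    [ $# -eq 0 ] && continue     # not shipped by this advisory
    if ! is_fixed "$version" "$release" "$1" "$2"; then
      printf 'OUTDATED: %s-%s-%s (fixed in %s-%s-%s)\n' \
        "$name" "$version" "$release" "$name" "$1" "$2"
      status=1
    fi
  done
  return $status
}

# Constructed sample of rpm output: a host where ceph-osd and librados2
# were not updated, plus one package the advisory does not cover.
SAMPLE_RPM_OUTPUT="ceph-common 12.2.12 45.el7cp
ceph-osd 12.2.12 42.el7cp
librados2 12.2.8 89.el7cp
nfs-ganesha 2.7.4 10.el7cp
openssl 1.0.2k 19.el7"

# Number of outdated packages in the sample (2 for the data above).
count_outdated_in_sample() {
  printf '%s\n' "$SAMPLE_RPM_OUTPUT" | report_outdated | wc -l | tr -d ' '
}

# Stand-alone run against the embedded sample. On a real host, source this
# file and pipe live rpm output into report_outdated instead.
printf '%s\n' "$SAMPLE_RPM_OUTPUT" | report_outdated || true
```

    This only compares version-release strings; whether the packages are genuine is a separate question, answered by the GPG signature check that the key page linked above describes. Note also that a package that is installed but still below the fixed build may already have been replaced in the yum cache and simply not yet installed, so the script is a post-update check, not a substitute for the update procedure in the Solution section.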
    
    7. References:
    
    https://access.redhat.com/security/cve/CVE-2018-14662
    https://access.redhat.com/security/cve/CVE-2018-16846
    https://access.redhat.com/security/cve/CVE-2018-16889
    https://access.redhat.com/security/updates/classification/#moderate
    https://access.redhat.com/documentation/en-us/red_hat_ceph_storage/3.3/html/release_notes/index
    
    8. Contact:
    
    The Red Hat security contact is . More contact
    details at https://access.redhat.com/security/team/contact/
    
    Copyright 2019 Red Hat, Inc.
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1
    
    iQIVAwUBXV1fC9zjgjWX9erEAQgsRQ/8DS0RtbgoAs8r4ub9XL6vfwO4sH4wAuZm
    2DJFhMVng9ae9aU0Q8DMBnDdUzqWNRS/doE043Z5sFp8+kRffzCtfT5p/sNhZqCy
    kR96INS2Rab3nXSKomkLazOCoz5NAwfvidlM2hNBCFl4/mKr73nP93k5/upT3ftg
    Mu/i19opyKMkWYl0UdKUg8c9KFuNFB7r7s5ZKKHxDBGDgcmEMiLrcGWzVvfujBM+
    oyfC199sfkMQttaq4kWiM90NC2J74l8hZtxLVTbbSYYTOq4yRbzBE+leRcaQKwlf
    rCqteNhqWiG7vB2kAiMFO3zawb6eaEyFADQykACD7OhCbltPJsumRleOBteF9WPi
    ElR1/ksSoZykv5DOppW+Zd+IseTvYLAmq4ACdBmqARANQqm0UC5me9XbIneRlH8z
    mNlqHWDAOLCaRwabeGLHCJ0HW8Y1/ux4+1iSS1CztEI5gajySpI24nZIwUkCVnPu
    TJPlx96IGvfW4XsyxNIwxdrEaIb7KdPio0R81fROFfGz01uDkF6eZCi1CfDiwVJl
    X0012Y19ep4MUYu4J/ToHFmrNFGajMLvLOvlMX4v1FC61MBq8tiiHWpWcmjwfFU/
    fOHfG/IBdCGvnatK/TN0kuvaelzz70TZog+Q5ElkREzxuRVNRtnnpafmpOl8eWdo
    a81O5uZIbAI=
    =tzUW
    -----END PGP SIGNATURE-----
    
    --
    RHSA-announce mailing list
    https://www.redhat.com/mailman/listinfo/rhsa-announce
    