RedHat: RHSA-2019-2541:01 Moderate: Red Hat Ceph Storage 3.3 security,

    Date21 Aug 2019
    CategoryRed Hat
    2655
    Posted ByLinuxSecurity Advisories
    An update is now available for Red Hat Ceph Storage 3.3 on Ubuntu 16.04. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from
    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA256
    
    =====================================================================
                       Red Hat Security Advisory
    
    Synopsis:          Moderate: Red Hat Ceph Storage 3.3 security, bug fix, and enhancement update
    Advisory ID:       RHSA-2019:2541-01
    Product:           Red Hat Ceph Storage
    Advisory URL:      https://access.redhat.com/errata/RHSA-2019:2541
    Issue date:        2019-08-21
    CVE Names:         CVE-2018-14662 CVE-2018-16846 CVE-2018-16889 
    =====================================================================
    
    1. Summary:
    
    An update is now available for Red Hat Ceph Storage 3.3 on Ubuntu 16.04.
    
    Red Hat Product Security has rated this update as having a security impact
    of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
    gives a detailed severity rating, is available for each vulnerability from
    the CVE link(s) in the References section.
    
    2. Description:
    
    Red Hat Ceph Storage is a scalable, open, software-defined storage platform
    that combines the most stable version of the Ceph storage system with a
    Ceph management platform, deployment utilities, and support services.
    
    Security Fix(es):
    
    * ceph: ListBucket max-keys has no defined limit in the RGW codebase
    (CVE-2018-16846)
    
    * ceph: debug logging for v4 auth does not sanitize encryption keys
    (CVE-2018-16889)
    
    * ceph: authenticated user with read only permissions can steal dm-crypt /
    LUKS key (CVE-2018-14662)
    
    For more details about the security issue(s), including the impact, a CVSS
    score, acknowledgments, and other related information, refer to the CVE
    page(s) listed in the References section.
    
    Bug Fix(es) and Enhancement(s):
    
    For detailed information on changes in this release, see the Red Hat Ceph
    Storage 3.3 Release Notes available at:
    
    https://access.redhat.com/documentation/en-us/red_hat_ceph_storage/3.3/html
    /release_notes/index
    
    3. Solution:
    
    For details on how to apply this update, which includes the changes
    described in this advisory, refer to:
    
    https://access.redhat.com/documentation/en-us/red_hat_ceph_storage/3/html-s
    ingle/installation_guide_for_ubuntu/index#upgrading-the-storage-cluster
    
    4. Bugs fixed (https://bugzilla.redhat.com/):
    
    1637327 - CVE-2018-14662 ceph: authenticated user with read only permissions can steal dm-crypt / LUKS key
    1644461 - CVE-2018-16846 ceph: ListBucket max-keys has no defined limit in the RGW codebase
    1665334 - CVE-2018-16889 ceph: debug logging for v4 auth does not sanitize encryption keys
    
    5. References:
    
    https://access.redhat.com/security/cve/CVE-2018-14662
    https://access.redhat.com/security/cve/CVE-2018-16846
    https://access.redhat.com/security/cve/CVE-2018-16889
    https://access.redhat.com/security/updates/classification/#moderate
    https://access.redhat.com/documentation/en-us/red_hat_ceph_storage/3.3/html/release_notes/index
    
    6. Contact:
    
    The Red Hat security contact is . More contact
    details at https://access.redhat.com/security/team/contact/
    
    Copyright 2019 Red Hat, Inc.
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1
    
    iQIVAwUBXV1h3tzjgjWX9erEAQgEhQ/+I4B/npIu0Pa2DwU5l2UK+jXCKgKo+s0d
    4ZTTvrkS/KuwSAd9aMGWnSzyZl3Xd4b9ul6eMGH3aoV4XniTsi5sVsN89IIziIVS
    +R+4XPnIVP7ReL9eoc4Xm6BQSByYDjTOjRQtAft8HKURjIZcXHbIOZxpeF+4UGDf
    fvQRf9LqWna6Sk4WTQh6lslZSDHSaxR+xusndn3TCQ8vk6/u2GOVvie20VOeXfLq
    skXLx6Xt87fhWxKxurRzKM8ZrZ35uryKjh5csOXdmicBkJz2jCetxGEjPWvs0/u5
    zYwOMxxe8NZQMn9rzFD0mZpX9BmNKJXLBhzkrFssJBkKsVeXi/w9a5A8TCSFD3CG
    NhGTFMJ7OXy6YP9dD7PTNRZNGmdyYl7BQKqfRhAVWI/zB7DJaQevn579z7vWvkeS
    w7Dh7w0Cuo2h/ufpJM60fCM1v+HUrZo68H3eIN1ACvaGBM6y0bWmd7fFC9cXf36w
    7ae6OMhQg5EbPvzVPcm8NcV7aRqx9+TNhPMw2JycXpxSIjqPaKdxTFhtqjwq36Pc
    xm527iKi3lrNJphLbN3pkPPO1sjCTdjRJ02nuKVpxO1tSS6FIipha+kV/Q8JEAJd
    r9PjrU1/TrToO0/xQjlgW68GHv6aG7vPjnixwePdeWN6KHwPEhxhQ23BTjlGWN+r
    8bzE5N+AC90=
    =TsMF
    -----END PGP SIGNATURE-----
    
    --
    RHSA-announce mailing list
    This email address is being protected from spambots. You need JavaScript enabled to view it.
    https://www.redhat.com/mailman/listinfo/rhsa-announce
    
    You are not authorised to post comments.

    Comments powered by CComment

    LinuxSecurity Poll

    What do you think of the articles on LinuxSecurity?

    No answer selected. Please try again.
    Please select either existing option or enter your own, however not both.
    Please select minimum 0 answer(s) and maximum 3 answer(s).
    /main-polls/24-what-do-you-think-of-the-quality-of-the-articles-on-linuxsecurity?task=poll.vote&format=json
    24
    radio
    [{"id":"87","title":"Excellent, don't change a thing!","votes":"15","type":"x","order":"1","pct":53.57,"resources":[]},{"id":"88","title":"Should be more technical","votes":"4","type":"x","order":"2","pct":14.29,"resources":[]},{"id":"89","title":"Should include more HOWTOs","votes":"9","type":"x","order":"3","pct":32.14,"resources":[]}]["#ff5b00","#4ac0f2","#b80028","#eef66c","#60bb22","#b96a9a","#62c2cc"]["rgba(255,91,0,0.7)","rgba(74,192,242,0.7)","rgba(184,0,40,0.7)","rgba(238,246,108,0.7)","rgba(96,187,34,0.7)","rgba(185,106,154,0.7)","rgba(98,194,204,0.7)"]350
    bottom200

    We use cookies to provide and improve our services. By using our site, you consent to our Cookie Policy.