For details on how to apply this update, which includes the changes
described in this advisory, refer to:
https://access.redhat.com/articles/11258
Red Hat Ceph Storage is a scalable, open, software-defined storage platform
that combines the most stable version of the Ceph storage system with a
Ceph management platform, deployment utilities, and support services.
The ceph-ansible package provides Ansible playbooks for installing,
maintaining, and upgrading Red Hat Ceph Storage.
The tcmu-runner packages provide a service that handles the complexity of
the LIO kernel target's userspace passthrough interface (TCMU). It presents
a C plugin API for extension modules that handle SCSI requests in ways not
possible or suitable to be handled by LIO's in-kernel backstores.
Security Fix(es):
* ceph: Unauthorized global_id reuse in cephx (CVE-2021-20288)
* ceph-dashboard: Don't use Browser's LocalStorage for storing JWT but
Secure Cookies with proper HTTP Headers (CVE-2020-27839)
* ceph-dashboard: Cross-site scripting via token Cookie (CVE-2021-3509)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
Bug Fix(es):
These updated packages include numerous bug fixes. Space precludes
documenting all of these changes in this advisory. Users are directed to
the Red Hat Ceph Storage 4.2 Release Notes for information on the most
significant of these changes:
/release_notes/index
All users of Red Hat Ceph Storage are advised to upgrade to these updated
packages, which provide numerous bug fixes.
References:
https://access.redhat.com/security/cve/CVE-2020-27839
https://access.redhat.com/security/cve/CVE-2021-3509
https://access.redhat.com/security/cve/CVE-2021-20288
https://access.redhat.com/security/updates/classification#important
Red Hat Ceph Storage 4.2 MON:
Source:
ceph-14.2.11-181.el7cp.src.rpm
noarch:
ceph-grafana-dashboards-14.2.11-181.el7cp.noarch.rpm
ceph-mgr-dashboard-14.2.11-181.el7cp.noarch.rpm
ceph-mgr-diskprediction-local-14.2.11-181.el7cp.noarch.rpm
ceph-mgr-k8sevents-14.2.11-181.el7cp.noarch.rpm
ceph-mgr-rook-14.2.11-181.el7cp.noarch.rpm
ppc64le:
ceph-base-14.2.11-181.el7cp.ppc64le.rpm
ceph-common-14.2.11-181.el7cp.ppc64le.rpm
ceph-debuginfo-14.2.11-181.el7cp.ppc64le.rpm
ceph-mgr-14.2.11-181.el7cp.ppc64le.rpm
ceph-mon-14.2.11-181.el7cp.ppc64le.rpm
ceph-selinux-14.2.11-181.el7cp.ppc64le.rpm
ceph-test-14.2.11-181.el7cp.ppc64le.rpm
libcephfs-devel-14.2.11-181.el7cp.ppc64le.rpm
libcephfs2-14.2.11-181.el7cp.ppc64le.rpm
librados-devel-14.2.11-181.el7cp.ppc64le.rpm
librados2-14.2.11-181.el7cp.ppc64le.rpm
libradospp-devel-14.2.11-181.el7cp.ppc64le.rpm
libradosstriper1-14.2.11-181.el7cp.ppc64le.rpm
librbd-devel-14.2.11-181.el7cp.ppc64le.rpm
librbd1-14.2.11-181.el7cp.ppc64le.rpm
librgw-devel-14.2.11-181.el7cp.ppc64le.rpm
librgw2-14.2.11-181.el7cp.ppc64le.rpm
python-ceph-argparse-14.2.11-181.el7cp.ppc64le.rpm
python-cephfs-14.2.11-181.el7cp.ppc64le.rpm
python-rados-14.2.11-181.el7cp.ppc64le.rpm
python-rbd-14.2.11-181.el7cp.ppc64le.rpm
python-rgw-14.2.11-181.el7cp.ppc64le.rpm
x86_64:
An update for ceph, ceph-ansible, ceph-iscsi, python-waitress, and tcmu-runner is now available for Red Hat Ceph Storage 4.2. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Red Hat Ceph Storage 4.2 MON - noarch, ppc64le, s390x, x86_64
Red Hat Ceph Storage 4.2 OSD - ppc64le, s390x, x86_64
Red Hat Ceph Storage 4.2 Tools - noarch, ppc64le, s390x, x86_64
1766702 - reweight-subtree does not trigger peering
1775096 - Ceph 4 building obsolete version of package python-waitress
1826224 - progress section in ceph status stuck for indefinite time
1859181 - mds: send scrub status to ceph-mgr only when scrub is running (or paused, etc..)
1878771 - [cee/sd][MDS] after kernel upgrade from RHEL7.8 to RHEL8.2 the MDS memory consumption is growing until OOM
1882086 - MDS assert in directory commit
1882087 - ceph-fuse assert in directory cache
1882089 - client passes wrong cap mask to path_walk
1882091 - [CodeChange] MDS crash when stopping
1884463 - [GSS] ceph fs status command failing with AttributeError exception
1892406 - libcephfs leaks inode reference
1892408 - MDS hits assert when shrinking max_mds
1896040 - [GSS][Tracker for bug 1895819] Ceph MON daemon Segmentation fault in PerfCounters::inc() during shutdown
1896461 - [CodeChange] concurrent client mkdir may fail
1896464 - [CodeChange] libcephfs Client::_read may fail to advance file pos at EOF checking
1896465 - mds may crash during recovery when replaying delayed requests
1900111 - mds: throttle workloads which acquire caps faster than the client can release
1901330 - CVE-2020-27839 ceph-dashboard: Don't use Browser's LocalStorage for storing JWT but Secure Cookies with proper HTTP Headers
1902752 - MDS directory bookkeeping does not dirty fragments in some cases
1902753 - libcephfs allows calling ftruncate on a file open read-only