Explore top 10 tips to secure your open-source projects now. Read More

×
Alerts This Week
Warning Icon 1 573
Alerts This Week
Warning Icon 1 573

Red Hat Ceph Storage 6.1: RHSA-2023-3642-01 Important Security Advisory

red hat
Calendar Grey June 15, 2023
Dist Redhat Esm H88
Essential security enhancements for Red Hat Ceph Storage 6.1 containers encompass vital repairs addressing multiple vulnerabilities.
A new container image for Red Hat Ceph Storage 6.1 is now available in the Red Hat Ecosystem Catalog

Solution

For details on how to apply this update, see Upgrade a Red Hat Ceph Storage cluster using cephadm in the Red Hat Storage Ceph Upgrade Guide.(https://docs.redhat.com/en/documentation/red_hat_ceph_storage/9)

Summary

Red Hat Ceph Storage is a scalable, open, software-defined storage platform that combines the most stable version of the Ceph storage system with a Ceph management platform, deployment utilities, and support services.
This new container image is based on Red Hat Ceph Storage 6.1 and Red Hat Enterprise Linux 9.
Security Fix(es):
* crewjam/saml: Authentication bypass when processing SAML responses containing multiple Assertion elements (CVE-2022-41912)
* eventsource: Exposure of Sensitive Information (CVE-2022-1650)
* grafana: stored XSS vulnerability (CVE-2022-31097)
* grafana: OAuth account takeover (CVE-2022-31107)
* ramda: prototype poisoning (CVE-2021-42581)
* golang: net/http: improper sanitization of Transfer-Encoding header (CVE-2022-1705)
* golang: net/http/httputil: ReverseProxy should not forward unparseable query parameters (CVE-2022-2880)
* marked: regular expression block.def may lead Denial of Service (CVE-2022-21680)
* marked: regular expression inline.reflinkSearch may lead Denial of Service (CVE-2022-21681)
* golang: encoding/pem: fix stack overflow in Decode (CVE-2022-24675)
* Moment.js: Path traversal in moment.locale (CVE-2022-24785)
* grafana: An information leak issue was discovered in Grafana through 7.3.4, when integrated with Zabbix (CVE-2022-26148)
* golang: net/http: handle server errors after sending GOAWAY (CVE-2022-27664)
* golang: encoding/xml: stack exhaustion in Decoder.Skip (CVE-2022-28131)
* golang: crypto/elliptic: panic caused by oversized scalar (CVE-2022-28327)
* golang: syscall: faccessat checks wrong group (CVE-2022-29526)
* golang: io/fs: stack exhaustion in Glob (CVE-2022-30630)
* golang: compress/gzip: stack exhaustion in Reader.Read (CVE-2022-30631)
* golang: path/filepath: stack exhaustion in Glob (CVE-2022-30632)
* golang: encoding/xml: stack exhaustion in Unmarshal (CVE-2022-30633)
* golang: encoding/gob: stack exhaustion in Decoder.Decode (CVE-2022-30635)
* grafana: plugin signature bypass (CVE-2022-31123)
* grafana: data source and plugin proxy endpoints leaking authentication tokens to some destination plugins (CVE-2022-31130)
* golang: net/http/httputil: NewSingleHostReverseProxy - omit X-Forwarded-For not working (CVE-2022-32148)
* golang: net/url: JoinPath does not strip relative path components in all circumstances (CVE-2022-32190)
* grafana: Escalation from admin to server admin when auth proxy is used (CVE-2022-35957)
* grafana: Data source and plugin proxy endpoints could leak the authentication cookie to some destination plugins (CVE-2022-39201)
* grafana: using email as a username can block other users from signing in (CVE-2022-39229)
* grafana: email addresses and usernames cannot be trusted (CVE-2022-39306)
* grafana: User enumeration via forget password (CVE-2022-39307)
* grafana: Spoofing of the originalUrl parameter of snapshots (CVE-2022-39324)
* golang: regexp/syntax: limit memory used by parsing regexps (CVE-2022-41715)
* golang: crypto/tls: session tickets lack random ticket_age_add (CVE-2022-30629)
* golang: math/big: decoding big.Float and big.Rat types can panic if the encoded message is too short, potentially allowing a denial of service (CVE-2022-32189)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Space precludes documenting all of these changes in this advisory. Usersare directed to the Red Hat Ceph Storage Release Notes for information on the most significant of these changes:

All users of Red Hat Ceph Storage are advised to pull these new images from the Red Hat Ecosystem catalog, which provides numerous enhancements and bug fixes.

References

https://access.redhat.com/security/cve/CVE-2021-42581 https://access.redhat.com/security/cve/CVE-2022-1650 https://access.redhat.com/security/cve/CVE-2022-1705 https://access.redhat.com/security/cve/CVE-2022-2880 https://access.redhat.com/security/cve/CVE-2022-21680 https://access.redhat.com/security/cve/CVE-2022-21681 https://access.redhat.com/security/cve/CVE-2022-24675 https://access.redhat.com/security/cve/CVE-2022-24785 https://access.redhat.com/security/cve/CVE-2022-26148 https://access.redhat.com/security/cve/CVE-2022-27664 https://access.redhat.com/security/cve/CVE-2022-28131 https://access.redhat.com/security/cve/CVE-2022-28327 https://access.redhat.com/security/cve/CVE-2022-29526 https://access.redhat.com/security/cve/CVE-2022-30629 https://access.redhat.com/security/cve/CVE-2022-30630 https://access.redhat.com/security/cve/CVE-2022-30631 https://access.redhat.com/security/cve/CVE-2022-30632 https://access.redhat.com/security/cve/CVE-2022-30633 https://access.redhat.com/security/cve/CVE-2022-30635 https://access.redhat.com/security/cve/CVE-2022-31097 https://access.redhat.com/security/cve/CVE-2022-31107 https://access.redhat.com/security/cve/CVE-2022-31123 https://access.redhat.com/security/cve/CVE-2022-31130 Read the Full Advisory

Package List


Severity
important
Lowest
Low
Medium
High
Critical

Advisory ID: RHSA-2023:3642-01
Product: Red Hat Ceph Storage
Issue date: 2023-06-15

Topic

A new container image for Red Hat Ceph Storage 6.1 is now available in theRed Hat Ecosystem Catalog.Red Hat Product Security has rated this update as having a security impactof Important. A Common Vulnerability Scoring System (CVSS) base score,which gives a detailed severity rating, is available for each vulnerabilityfrom the CVE link(s) in the References section.

Relevant Releases Architectures

Bugs Fixed

2066563 - CVE-2022-26148 grafana: An information leak issue was discovered in Grafana through 7.3.4, when integrated with Zabbix

2072009 - CVE-2022-24785 Moment.js: Path traversal in moment.locale

2077688 - CVE-2022-24675 golang: encoding/pem: fix stack overflow in Decode

2077689 - CVE-2022-28327 golang: crypto/elliptic: panic caused by oversized scalar

2082705 - CVE-2022-21680 marked: regular expression block.def may lead Denial of Service

2082706 - CVE-2022-21681 marked: regular expression inline.reflinkSearch may lead Denial of Service

2083778 - CVE-2021-42581 ramda: prototype poisoning

2084085 - CVE-2022-29526 golang: syscall: faccessat checks wrong group

2085307 - CVE-2022-1650 eventsource: Exposure of Sensitive Information

2092793 - CVE-2022-30629 golang: crypto/tls: session tickets lack random ticket_age_add

2104365 - CVE-2022-31097 grafana: stored XSS vulnerability

2104367 - CVE-2022-31107 grafana: OAuth account takeover

2107342 - CVE-2022-30631 golang: compress/gzip: stack exhaustion in Reader.Read

2107371 - CVE-2022-30630 golang: io/fs: stack exhaustion in Glob

2107374 - CVE-2022-1705 golang: net/http: improper sanitization of Transfer-Encoding header

2107383 - CVE-2022-32148 golang: net/http/httputil: NewSingleHostReverseProxy - omit X-Forwarded-For not working

2107386 - CVE-2022-30632 golang: path/filepath: stack exhaustion in Glob

Read the Full Advisory

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.