RHSA-2021:1518: Red Hat Security Advisory: Red Hat Ceph Storage 3.3 Security and Bug Fix Update
An update is now available for Red Hat Ceph Storage 3.3 - Extended Life Support on Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Red Hat Ceph Storage is a scalable, open, software-defined storage platform that combines the most stable version of the Ceph storage system with a Ceph management platform, deployment utilities, and support services. The ceph-ansible package provides Ansible playbooks for installing, maintaining, and upgrading Red Hat Ceph Storage. Grafana is an open source, feature-rich metrics dashboard and graph editor for Graphite, InfluxDB and OpenTSDB. The tcmu-runner packages provide a service that handles the complexity of the LIO kernel target's userspace passthrough interface (TCMU). It presents a C plugin API for extension modules that handle SCSI requests in ways not possible or suitable to be handled by LIO's in-kernel backstores.

Security Fix(es):
- grafana: SSRF incorrect access control vulnerability allows unauthenticated users to make grafana send HTTP requests to any URL (CVE-2020-13379)
- ceph: User credentials can be manipulated and stolen by Native CephFS consumers of OpenStack Manila (CVE-2020-27781)
- tcmu-runner: SCSI target (LIO) write to any block on ILO backstore (CVE-2021-3139)
- ceph: specially crafted XML payload on POST requests leads to DoS by crashing RGW (CVE-2020-12059)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Bug Fix(es):

This advisory fixes the following bug:
- When rebooting OSDs, the _OSD down_ tab in the _CEPH Backend storage_ dashboard shows the correct number of OSDs that are _down_. However, when all OSDs are _up_ again after the reboot, the tab continues showing the number of _down_ OSDs. With this update, both CLI and Grafana values match during OSD up/down operations and work as expected. (BZ#1652233)

All users of Red Hat Ceph Storage are advised to upgrade to these updated packages.

Related CVEs:

- CVE-2020-12059: ceph: specially crafted XML payload on POST requests leads to DoS by crashing RGW
- CVE-2020-13379: grafana: SSRF incorrect access control vulnerability allows unauthenticated users to make grafana send HTTP requests to any URL
- CVE-2020-27781: ceph: User credentials can be manipulated and stolen by Native CephFS consumers of OpenStack Manila
- CVE-2021-3139: tcmu-runner: SCSI target (LIO) write to any block on ILO backstore