USN-6613-1: Ceph vulnerability
Severity
medium
Vendor
VMware Tanzu
Versions Affected
- Canonical Ubuntu 16.04
Lucas Henry discovered that Ceph incorrectly handled specially crafted POST requests. An uprivileged user could use this to bypass Ceph's authorization checks and upload a file to any bucket. Update Instructions: Run `sudo pro fix USN-6613-1` to fix the vulnerability. The problem can be corrected by updating your system to the following package versions: ceph-fs-common - 10.2.11-0ubuntu0.16.04.3+esm1 python-rbd - 10.2.11-0ubuntu0.16.04.3+esm1 python-rados - 10.2.11-0ubuntu0.16.04.3+esm1 ceph - 10.2.11-0ubuntu0.16.04.3+esm1 ceph-test - 10.2.11-0ubuntu0.16.04.3+esm1 rbd-mirror - 10.2.11-0ubuntu0.16.04.3+esm1 rbd-nbd - 10.2.11-0ubuntu0.16.04.3+esm1 librbd-dev - 10.2.11-0ubuntu0.16.04.3+esm1 libradosstriper1 - 10.2.11-0ubuntu0.16.04.3+esm1 rbd-fuse - 10.2.11-0ubuntu0.16.04.3+esm1 librados-dev - 10.2.11-0ubuntu0.16.04.3+esm1 libcephfs-jni - 10.2.11-0ubuntu0.16.04.3+esm1 libradosstriper-dev - 10.2.11-0ubuntu0.16.04.3+esm1 librados2 - 10.2.11-0ubuntu0.16.04.3+esm1 libcephfs1 - 10.2.11-0ubuntu0.16.04.3+esm1 librgw2 - 10.2.11-0ubuntu0.16.04.3+esm1 ceph-mds - 10.2.11-0ubuntu0.16.04.3+esm1 radosgw - 10.2.11-0ubuntu0.16.04.3+esm1 librbd1 - 10.2.11-0ubuntu0.16.04.3+esm1 python-ceph - 10.2.11-0ubuntu0.16.04.3+esm1 libcephfs-dev - 10.2.11-0ubuntu0.16.04.3+esm1 librgw-dev - 10.2.11-0ubuntu0.16.04.3+esm1 python-cephfs - 10.2.11-0ubuntu0.16.04.3+esm1 ceph-fuse - 10.2.11-0ubuntu0.16.04.3+esm1 ceph-common - 10.2.11-0ubuntu0.16.04.3+esm1 libcephfs-java - 10.2.11-0ubuntu0.16.04.3+esm1 ceph-resource-agents - 10.2.11-0ubuntu0.16.04.3+esm1 Available with Ubuntu Pro (Infra-only): https://ubuntu.com/pro.
Fixed VMware Products and Versions
- Operations Manager
- 2.9.43 or greater
- 2.10.47 or greater
References
https://ubuntu.com/security/notices/USN-6613-1
https://www.cloudfoundry.org/blog/usn-6613-1
https://cve.mitre.org/cgi-bin/cvename.cgi?name=usn-6613-1
History
2024-01-29: Initial vulnerability report published.