Executive Summary
| Summary | |
|---|---|
| Title | Red Hat Ceph Storage 3.3 security, bug fix, and enhancement update |
| Informations | |||
|---|---|---|---|
| Name | RHSA-2019:2541 | First vendor Publication | 2019-08-21 |
| Vendor | RedHat | Last vendor Modification | 2019-08-21 |
| Severity (Vendor) | N/A | Revision | 01 |
Security-Database Scoring CVSS v3
| Cvss vector : N/A | |||
|---|---|---|---|
| Overall CVSS Score | NA | ||
| Base Score | NA | Environmental Score | NA |
| impact SubScore | NA | Temporal Score | NA |
| Exploitabality Sub Score | NA | ||
| Calculate full CVSS 3.0 Vectors scores | |||
Security-Database Scoring CVSS v2
| Cvss vector : (AV:N/AC:L/Au:N/C:P/I:N/A:N) | |||
|---|---|---|---|
| Cvss Base Score | 5 | Attack Range | Network |
| Cvss Impact Score | 2.9 | Attack Complexity | Low |
| Cvss Expoit Score | 10 | Authentication | None Required |
| Calculate full CVSS 2.0 Vectors scores | |||
Detail
| Problem Description: An update is now available for Red Hat Ceph Storage 3.3 on Ubuntu 16.04. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Description: Red Hat Ceph Storage is a scalable, open, software-defined storage platform that combines the most stable version of the Ceph storage system with a Ceph management platform, deployment utilities, and support services. Security Fix(es): * ceph: ListBucket max-keys has no defined limit in the RGW codebase (CVE-2018-16846) * ceph: debug logging for v4 auth does not sanitize encryption keys (CVE-2018-16889) * ceph: authenticated user with read only permissions can steal dm-crypt / LUKS key (CVE-2018-14662) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Bug Fix(es) and Enhancement(s): For detailed information on changes in this release, see the Red Hat Ceph Storage 3.3 Release Notes available at: https://access.redhat.com/documentation/en-us/red_hat_ceph_storage/3.3/html /release_notes/index 3. Solution: For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/documentation/en-us/red_hat_ceph_storage/3/html-s ingle/installation_guide_for_ubuntu/index#upgrading-the-storage-cluster 4. Bugs fixed (https://bugzilla.redhat.com/): 1637327 - CVE-2018-14662 ceph: authenticated user with read only permissions can steal dm-crypt / LUKS key 1644461 - CVE-2018-16846 ceph: ListBucket max-keys has no defined limit in the RGW codebase 1665334 - CVE-2018-16889 ceph: debug logging for v4 auth does not sanitize encryption keys 5. References: https://access.redhat.com/security/cve/CVE-2018-14662 https://access.redhat.com/security/cve/CVE-2018-16846 https://access.redhat.com/security/cve/CVE-2018-16889 https://access.redhat.com/security/updates/classification/#moderate https://access.redhat.com/documentation/en-us/red_hat_ceph_storage/3.3/html/release_notes/index |
Original Source
| Url : https://rhn.redhat.com/errata/RHSA-2019-2541.html |
CWE : Common Weakness Enumeration
| % | Id | Name |
|---|---|---|
| 33 % | CWE-770 | Allocation of Resources Without Limits or Throttling |
| 33 % | CWE-532 | Information Leak Through Log Files |
| 33 % | CWE-285 | Improper Access Control (Authorization) |
CPE : Common Platform Enumeration
| Type | Description | Count |
|---|---|---|
| Application | 3 | |
| Application | 2 | |
| Os | 4 | |
| Os | 2 | |
| Os | 1 | |
| Os | 1 |
Alert History
| Date | Informations |
|---|---|
| 2020-03-19 13:19:01 |
|
