Moderate: Red Hat Ceph Storage 4.1 security and bug fix update

Related Vulnerabilities: CVE-2020-1760, CVE-2020-10753

Synopsis

Moderate: Red Hat Ceph Storage 4.1 security and bug fix update

Type/Severity

Security Advisory: Moderate

Topic

An update is now available for Red Hat Ceph Storage 4.1.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

Red Hat Ceph Storage is a scalable, open, software-defined storage platform that combines the most stable version of the Ceph storage system with a Ceph management platform, deployment utilities, and support services.

Security Fix(es):

  • ceph: header-splitting in RGW GetObject has a possible XSS (CVE-2020-1760)
  • ceph: radosgw: HTTP header injection via CORS ExposeHeader tag (CVE-2020-10753)
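Both fixes above address the same defect class: a caller-controlled string reaching an HTTP response header line without validation, so that a carriage return or line feed inside it can end the current header and start another. The following added example (an editor's illustration, not code from Ceph or radosgw) shows the defensive check a gateway needs on both paths: rejecting control characters in GetObject `response-*` header overrides, and accepting only RFC 7230 tokens as CORS `ExposeHeader` names before they are joined into `Access-Control-Expose-Headers`. The query-parameter names and the `CORSConfiguration`/`ExposeHeader` element names are the public S3 API's; the function names and the sample documents are constructed for this example and are assumptions, not anything taken from the advisory.

```python
import re
import xml.etree.ElementTree as ET

# Header *names* must be RFC 7230 tokens; header *values* must not contain
# CR, LF, NUL or any other C0 control (or DEL). Tab is legal OWS in a value
# but is rejected here as well, deliberately, to keep the rule simple.
TOKEN_RE = re.compile(r"^[!#$%&'*+.^_`|~0-9A-Za-z-]+$")
CTL_RE = re.compile(r"[\x00-\x1f\x7f]")

# S3 GetObject lets a client override selected response headers through
# query parameters. These are the public S3 API names; the mapping itself is
# an assumption about how an S3-compatible gateway would translate them.
RESPONSE_OVERRIDES = {
    "response-content-type": "Content-Type",
    "response-content-language": "Content-Language",
    "response-expires": "Expires",
    "response-cache-control": "Cache-Control",
    "response-content-disposition": "Content-Disposition",
    "response-content-encoding": "Content-Encoding",
}


def is_safe_header_name(name):
    """True if `name` is a valid HTTP field name (an RFC 7230 token)."""
    return bool(TOKEN_RE.match(name))


def is_safe_header_value(value):
    """True if `value` holds no control character that could split the header line."""
    return CTL_RE.search(value) is None


def build_override_headers(query):
    """Translate response-* query overrides into response headers.

    An override whose value could terminate the header line makes the whole
    request fail instead of being copied into the response.
    """
    headers = {}
    for param, header in RESPONSE_OVERRIDES.items():
        if param not in query:
            continue
        value = query[param]
        if not is_safe_header_value(value):
            raise ValueError("rejected %s: control character in value" % param)
        headers[header] = value
    return headers


def expose_headers_from_cors(xml_text):
    """Return the ExposeHeader names from an S3-style CORSConfiguration document,
    refusing any entry that is not a bare header-name token."""
    root = ET.fromstring(xml_text)
    names = []
    for element in root.iter("ExposeHeader"):
        text = element.text or ""
        if not is_safe_header_name(text):
            raise ValueError("rejected ExposeHeader %r: not a header-name token" % text)
        names.append(text)
    return names


def access_control_expose_headers(xml_text):
    """Build the Access-Control-Expose-Headers value from a validated CORS document."""
    return ", ".join(expose_headers_from_cors(xml_text))


# Constructed sample documents (not taken from any real bucket or request).
GOOD_CORS = """<CORSConfiguration>
  <CORSRule>
    <AllowedOrigin>https://app.example</AllowedOrigin>
    <AllowedMethod>GET</AllowedMethod>
    <ExposeHeader>ETag</ExposeHeader>
    <ExposeHeader>x-amz-request-id</ExposeHeader>
  </CORSRule>
</CORSConfiguration>"""

# Same document with a line feed (as a character reference, so the XML parser
# keeps it) inside one ExposeHeader entry; the token check refuses it.
BAD_CORS = GOOD_CORS.replace("x-amz-request-id", "x-amz-request-id&#10;X-Injected: 1")

if __name__ == "__main__":
    print(build_override_headers({"response-content-type": "text/plain"}))
    print(access_control_expose_headers(GOOD_CORS))
    for attempt in (
        lambda: build_override_headers({"response-content-disposition": "inline\r\nX-Injected: 1"}),
        lambda: expose_headers_from_cors(BAD_CORS),
    ):
        try:
            attempt()
        except ValueError as err:
            print("rejected:", err)
```

The check is applied where the value is about to become a header, not where it is stored: the CORS document is validated again on every read because it was written by a bucket owner, who is a different principal from the client the exposed headers reach.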

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

For detailed information on changes in this release, see the Red Hat Ceph Storage 4.1 Release Notes available at:

https://access.redhat.com/documentation/en-us/red_hat_ceph_storage/4.1/html/release_notes/

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

Affected Products

  • Red Hat Ceph Storage 4 for RHEL 8 x86_64
  • Red Hat Ceph Storage 4 for RHEL 7 x86_64
  • Red Hat Ceph Storage MON 4 for RHEL 8 x86_64
  • Red Hat Ceph Storage MON 4 for RHEL 7 x86_64
  • Red Hat Ceph Storage OSD 4 for RHEL 8 x86_64
  • Red Hat Ceph Storage OSD 4 for RHEL 7 x86_64
  • Red Hat Ceph Storage for Power 4 for RHEL 8 ppc64le
  • Red Hat Ceph Storage for Power 4 for RHEL 7 ppc64le
  • Red Hat Ceph Storage MON for Power 4 for RHEL 8 ppc64le
  • Red Hat Ceph Storage MON for Power 4 for RHEL 7 ppc64le
  • Red Hat Ceph Storage OSD for Power 4 for RHEL 8 ppc64le
  • Red Hat Ceph Storage OSD for Power 4 for RHEL 7 ppc64le
  • Red Hat Ceph Storage for IBM z Systems 4 s390x
  • Red Hat Ceph Storage MON for IBM z Systems 4 s390x
  • Red Hat Ceph Storage OSD for IBM z Systems 4 s390x

Fixes

  • BZ - 1756077 - Fix compile of ceph on s390x
  • BZ - 1785445 - mgr/k8sevents does not account for incomplete events passed in from kubernetes
  • BZ - 1791143 - [RFE] [cockpit-ceph-installer] if using customer created user with passwordless sudo check if they also created ssh-keys and use them instead of ansible-runner-service keys
  • BZ - 1797774 - update default crush_rule conditional check
  • BZ - 1800644 - RFE add ability to set dashboard password in Cockpit installer
  • BZ - 1800664 - FileStore messaging should say it is deprecated
  • BZ - 1809003 - [GSS] Starting of service 'ansible-runner-service' fails with error during deployment of Ceph cluster,
  • BZ - 1809870 - [GSS] cockpit-installer doesn't allows to change the configuration if the Installation fails.
  • BZ - 1810949 - PG premerge stall
  • BZ - 1812962 - CVE-2020-1760 ceph: header-splitting in RGW GetObject has a possible XSS
  • BZ - 1814177 - [GSS] Ansible inventory file is not getting populated after the Ceph cluster deployment using Cockpit
  • BZ - 1816478 - The installer's probe mechanism fails on more complex network configurations.
  • BZ - 1819667 - some "ceph mds" sub commands returns error message "no valid command found"
  • BZ - 1826002 - Refresh ceph dashboard user role
  • BZ - 1827607 - tasks/create_mds_filesystems: don't enable application 'cephfs' on the filesystem's pools
  • BZ - 1828232 - SELinux denials observed against ceph-mgr
  • BZ - 1829389 - [ceph-ansible] - docker-to-podman - playbook doesn't migrate dashboard containers
  • BZ - 1829646 - [RADOS] osdmaps not being cleaned up automatically on healthy cluster
  • BZ - 1829758 - [ceph-mon]: SELinux denial observed on ceph-mon on RHEL 7.8
  • BZ - 1829985 - [OSP13->OSP16.1] ceph's systemd step not idempotent
  • BZ - 1830330 - rgw_bucket_parse_bucket_key function is holding old tenant value, when this function is executed in a loop
  • BZ - 1833309 - S3 HEAD/GET operations on objects that do not match the lifecycle rule return x-amz-expiration header
  • BZ - 1833685 - RGW notification: Deleted object's 'object_size' always returns 0, instead of the expected size.
  • BZ - 1834697 - [rgw] RGW daemon crash when setting up multisite
  • BZ - 1834974 - Podman old containers are eating up space in overlay directory
  • BZ - 1835216 - mgr/volumes: add command to return metadata regarding a subvolume
  • BZ - 1835777 - [RHCS 4] reshard list contains entries of buckets that are not present
  • BZ - 1837645 - ceph device get-health-metrics does not work when smartctl command throws non-zero error code
  • BZ - 1838931 - mgr/volumes: add command to return metadata of a subvolume snapshot
  • BZ - 1838959 - mgr/volumes: Not able to resize cephfs subvolume with ceph fs subvolume create command
  • BZ - 1838996 - mgr/volumes: create fs subvolumes with isolated RADOS namespaces
  • BZ - 1839134 - [cockpit-ceph-installer] UI alignments in multiple pages is distorted
  • BZ - 1839149 - [cockpit-ceph-installer] Cluster configuration is failing as dashboard and grafana admin password are not set
  • BZ - 1839216 - osd: do not trim pg log past last_update_ondisk
  • BZ - 1839228 - [ceph-ansible ] It is not possible to define more than one endpoint IP for zonegroup
  • BZ - 1840730 - notification: amqp with vhost and user/password is failing
  • BZ - 1840744 - CVE-2020-10753 ceph: radosgw: HTTP header injection via CORS ExposeHeader tag
  • BZ - 1840858 - [RGW MS] : rgw daemon crashed with " *** Caught signal (Aborted) ** in thread 7f4ec7d32700 thread_name:rados_async"
  • BZ - 1843500 - [ceph-ansible] : switch from rpm to containerized - OSDs collocated with mon+mgr are not swtiched to containerized daemon
  • BZ - 1843569 - [ceph-ansible] : switch from rpm to containerized - playbook failed when initiated second time as noup was not unset
  • BZ - 1844496 - [Containerized UPGRADES] Upgrade from 4.0 to 4.1 on RHEL 8 fails due to error on set_fact ceph_osd_image_repodigest_before_pulling
  • BZ - 1845668 - Purge fails when a device is clean ( Unable to proceed with non-existing device )
  • BZ - 1846995 - [CEE] [ceph-dashboard] RHCS 4 SSL based dashboard and grafana installation fails
  • BZ - 1849559 - [13->16.1 ffwd2] Overcloud Operating System upgrade failed in controller-0 when docker2podman playbook is executed
  • BZ - 1849803 - [Ceph-Installer]: Probe hosts in Cockpit UI fails
  • BZ - 1850814 - [Ceph-Installer]: Fail to choose "Installation type" as "RPM" on rhel 8
  • BZ - 1850938 - [cockpit-ceph-installer] UI components misalignment in hosts page
  • BZ - 1854083 - [RGW]: avc denial observed for pid=13757 comm="radosgw" on starting RabbitMQ at port 5672

CVEs

  • CVE-2020-1760
  • CVE-2020-10753

References

  • https://access.redhat.com/security/cve/CVE-2020-1760
  • https://access.redhat.com/security/cve/CVE-2020-10753