First published: Thu May 06 2021
Red Hat Ceph Storage is a scalable, open, software-defined storage platform that combines the most stable version of the Ceph storage system with a Ceph management platform, deployment utilities, and support services.

The ceph-ansible package provides Ansible playbooks for installing, maintaining, and upgrading Red Hat Ceph Storage.

Grafana is an open source, feature-rich metrics dashboard and graph editor for Graphite, InfluxDB and OpenTSDB.

The tcmu-runner packages provide a service that handles the complexity of the LIO kernel target's userspace passthrough interface (TCMU). It presents a C plugin API for extension modules that handle SCSI requests in ways not possible or suitable to be handled by LIO's in-kernel backstores.

Security Fix(es):

* grafana: SSRF incorrect access control vulnerability allows unauthenticated users to make grafana send HTTP requests to any URL (CVE-2020-13379)
* ceph: User credentials can be manipulated and stolen by Native CephFS consumers of OpenStack Manila (CVE-2020-27781)
* tcmu-runner: SCSI target (LIO) write to any block on ILO backstore (CVE-2021-3139)
* ceph: specially crafted XML payload on POST requests leads to DoS by crashing RGW (CVE-2020-12059)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Bug Fix(es):

This advisory fixes the following bug:

* When rebooting OSDs, the `_OSD down_` tab in the `_CEPH Backend storage_` dashboard shows the correct number of OSDs that are `down`. However, when all OSDs are `up` again after the reboot, the tab continues to show the earlier number of `down` OSDs. With this update, the CLI and Grafana values match during OSD up/down operations and work as expected. (BZ#1652233)

All users of Red Hat Ceph Storage are advised to upgrade to these updated packages.
Affected Software | Affected Version | How to fix |
---|---|---|
redhat/ceph | <12.2.12-139.el7c | 12.2.12-139.el7c |
redhat/ceph-ansible | <3.2.56-1.el7c | 3.2.56-1.el7c |
redhat/cephmetrics | <2.0.10-1.el7c | 2.0.10-1.el7c |
redhat/grafana | <5.2.4-3.el7c | 5.2.4-3.el7c |
redhat/tcmu-runner | <1.4.0-3.el7c | 1.4.0-3.el7c |
redhat/ceph-base | <12.2.12-139.el7c | 12.2.12-139.el7c |
redhat/ceph-common | <12.2.12-139.el7c | 12.2.12-139.el7c |
redhat/ceph-debuginfo | <12.2.12-139.el7c | 12.2.12-139.el7c |
redhat/ceph-fuse | <12.2.12-139.el7c | 12.2.12-139.el7c |
redhat/ceph-mds | <12.2.12-139.el7c | 12.2.12-139.el7c |
redhat/ceph-radosgw | <12.2.12-139.el7c | 12.2.12-139.el7c |
redhat/ceph-selinux | <12.2.12-139.el7c | 12.2.12-139.el7c |
redhat/cephmetrics-ansible | <2.0.10-1.el7c | 2.0.10-1.el7c |
redhat/libcephfs-devel | <12.2.12-139.el7c | 12.2.12-139.el7c |
redhat/libcephfs2 | <12.2.12-139.el7c | 12.2.12-139.el7c |
redhat/librados-devel | <12.2.12-139.el7c | 12.2.12-139.el7c |
redhat/librados2 | <12.2.12-139.el7c | 12.2.12-139.el7c |
redhat/libradosstriper1 | <12.2.12-139.el7c | 12.2.12-139.el7c |
redhat/librbd-devel | <12.2.12-139.el7c | 12.2.12-139.el7c |
redhat/librbd1 | <12.2.12-139.el7c | 12.2.12-139.el7c |
redhat/librgw-devel | <12.2.12-139.el7c | 12.2.12-139.el7c |
redhat/librgw2 | <12.2.12-139.el7c | 12.2.12-139.el7c |
redhat/python-cephfs | <12.2.12-139.el7c | 12.2.12-139.el7c |
redhat/python-rados | <12.2.12-139.el7c | 12.2.12-139.el7c |
redhat/python-rbd | <12.2.12-139.el7c | 12.2.12-139.el7c |
redhat/python-rgw | <12.2.12-139.el7c | 12.2.12-139.el7c |
redhat/rbd-mirror | <12.2.12-139.el7c | 12.2.12-139.el7c |
redhat/tcmu-runner-debuginfo | <1.4.0-3.el7c | 1.4.0-3.el7c |
redhat/ceph-mgr | <12.2.12-139.el7c | 12.2.12-139.el7c |
redhat/ceph-mon | <12.2.12-139.el7c | 12.2.12-139.el7c |
redhat/ceph-test | <12.2.12-139.el7c | 12.2.12-139.el7c |
redhat/ceph-osd | <12.2.12-139.el7c | 12.2.12-139.el7c |
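As an added example (not from the advisory or from Red Hat), the following checker compares installed package versions against the fixed versions in the table above using rpm's segment-wise version comparison rules, so that a host can be triaged from plain `rpm -qa` output. The sample `rpm -qa` lines are constructed; epochs and tilde/caret segments are assumed absent, which holds for every version the advisory lists.

```python
import re

# Fixed version-release strings from the advisory table (epoch 0 assumed).
FIXED = {"ceph": "12.2.12-139.el7c", "ceph-ansible": "3.2.56-1.el7c",
         "cephmetrics": "2.0.10-1.el7c", "grafana": "5.2.4-3.el7c",
         "tcmu-runner": "1.4.0-3.el7c"}
# Sub-packages built from the ceph source rpm carry the same fixed version.
for _p in ("ceph-base", "ceph-common", "ceph-mds", "ceph-mgr", "ceph-mon",
           "ceph-osd", "ceph-radosgw", "librados2", "librbd1", "librgw2"):
    FIXED[_p] = FIXED["ceph"]

_SEG = re.compile(r"\d+|[A-Za-z]+")

def rpmvercmp(a, b):
    """rpm's rule: numeric segments compare as integers, alpha segments as
    strings, numeric outranks alpha, leftover segments win. Returns -1/0/1."""
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return -1 if int(x) < int(y) else 1
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        elif x != y:
            return -1 if x < y else 1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def is_affected(name, installed_vr):
    """True if the installed 'version-release' is older than the fixed one."""
    v, r = installed_vr.split("-", 1)
    fv, fr = FIXED[name].split("-", 1)
    return (rpmvercmp(v, fv) or rpmvercmp(r, fr)) < 0

# Constructed sample of `rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n'` output.
SAMPLE_RPM_QA = """\
ceph-common 12.2.12-124.el7c
grafana 5.2.4-3.el7c
tcmu-runner 1.4.0-2.el7c
bash 4.2.46-34.el7
"""

def scan(rpm_qa_output):
    """Return (name, installed) pairs still below the advisory's fixed version."""
    hits = []
    for line in rpm_qa_output.splitlines():
        name, vr = line.split()
        if name in FIXED and is_affected(name, vr):
            hits.append((name, vr))
    return hits
```

On a real host, feed `scan()` the output of the `rpm -qa` query shown in the comment; packages it returns are the ones the table says to upgrade.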