- Vulnerability/
- USN-4706-1
USN-4706-1: Ceph vulnerabilities
First published: Thu Jan 28 2021(Updated: )
Olle Segerdahl found that ceph-mon and ceph-mgr daemons did not properly restrict access, resulting in gaining access to unauthorized resources. An authenticated user could use this vulnerability to modify the configuration and possibly conduct further attacks. (CVE-2020-10736) Adam Mohammed found that Ceph Object Gateway was vulnerable to HTTP header injection via a CORS ExposeHeader tag. An attacker could use this to gain access or cause a crash. (CVE-2020-10753) Ilya Dryomov found that Cephx authentication did not verify Ceph clients correctly and was then vulnerable to replay attacks in Nautilus. An attacker could use the Ceph cluster network to authenticate via a packet sniffer and perform actions. This issue is a reintroduction of CVE-2018-1128. (CVE-2020-25660)
| Affected Software | Affected Version | How to fix |
|---|---|---|
| All of | ||
| ubuntu/ceph | <15.2.7-0ubuntu0.20.10.3 | 15.2.7-0ubuntu0.20.10.3 |
| =20.10 | ||
| All of | ||
| ubuntu/ceph-base | <15.2.7-0ubuntu0.20.10.3 | 15.2.7-0ubuntu0.20.10.3 |
| =20.10 | ||
| All of | ||
| ubuntu/ceph-common | <15.2.7-0ubuntu0.20.10.3 | 15.2.7-0ubuntu0.20.10.3 |
| =20.10 | ||
| All of | ||
| ubuntu/ceph | <15.2.7-0ubuntu0.20.04.2 | 15.2.7-0ubuntu0.20.04.2 |
| =20.04 | ||
| All of | ||
| ubuntu/ceph-base | <15.2.7-0ubuntu0.20.04.2 | 15.2.7-0ubuntu0.20.04.2 |
| =20.04 | ||
| All of | ||
| ubuntu/ceph-common | <15.2.7-0ubuntu0.20.04.2 | 15.2.7-0ubuntu0.20.04.2 |
| =20.04 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://ubuntu.com/security/CVE-2020-10753
- https://ubuntu.com/security/CVE-2020-10736
- https://ubuntu.com/security/CVE-2020-25660
- https://ubuntu.com/security/notices/USN-4528-1
- https://launchpad.net/ubuntu/+source/ceph/15.2.7-0ubuntu0.20.10.3
- https://launchpad.net/ubuntu/+source/ceph/15.2.7-0ubuntu0.20.04.2
- https://ubuntu.com/security/notices/USN-4706-1 (Advisory)
Child vulnerabilities
(Contains the following vulnerabilities)
Frequently Asked Questions
What is the severity of CVE-2020-10736?
The severity of CVE-2020-10736 is high.
How can an authenticated user exploit CVE-2020-10736?
An authenticated user can exploit CVE-2020-10736 to gain unauthorized access, modify configurations, and potentially conduct further attacks.
What is the recommended remedy for CVE-2020-10736?
The recommended remedy for CVE-2020-10736 is to update to version 15.2.7-0ubuntu0.20.10.3 of the ceph package.
Which Ubuntu versions are affected by CVE-2020-10736?
Ubuntu versions 20.10 and 20.04 are affected by CVE-2020-10736.
Where can I find more information about CVE-2020-10736?
You can find more information about CVE-2020-10736 on the Ubuntu Security website.
- agent/description
- agent/event
- agent/first-publish-date
- agent/last-modified-date
- agent/references
- agent/severity
- agent/softwarecombine
- agent/tags
- agent/title
- agent/type
- collector/usn
- source/Ubuntu
- anchor-related/USN-4528-1
- agent/software-canonical-lookup
- package-manager/ubuntu
- vendor/ubuntu
- canonical/ubuntu ubuntu
- version/ubuntu ubuntu/20.10
- version/ubuntu ubuntu/20.04