RHEL 7 : Red Hat Ceph Storage 3.3 (RHSA-2019:2538)

high Nessus Plugin ID 128106

Synopsis

The remote Red Hat host is missing one or more security updates.

Description

The remote Red Hat Enterprise Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2019:2538 advisory.

Red Hat Ceph Storage is a scalable, open, software-defined storage platform that combines the most stable version of the Ceph storage system with a Ceph management platform, deployment utilities, and support services.

Security Fix(es):

* ceph: ListBucket max-keys has no defined limit in the RGW codebase (CVE-2018-16846)

* ceph: debug logging for v4 auth does not sanitize encryption keys (CVE-2018-16889)

* ceph: authenticated user with read only permissions can steal dm-crypt / LUKS key (CVE-2018-14662)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Bug Fix(es) and Enhancement(s):

For detailed information on changes in this release, see the Red Hat Ceph Storage 3.3 Release Notes available at:

https://access.redhat.com/documentation/en-us/red_hat_ceph_storage/3.3/html/release_notes/index

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Update the affected packages.

See Also

http://www.nessus.org/u?44063626

http://www.nessus.org/u?6a171f27

https://access.redhat.com/errata/RHSA-2019:2538

https://bugzilla.redhat.com/show_bug.cgi?id=1670527

https://bugzilla.redhat.com/show_bug.cgi?id=1670785

https://bugzilla.redhat.com/show_bug.cgi?id=1677269

https://bugzilla.redhat.com/show_bug.cgi?id=1680144

https://bugzilla.redhat.com/show_bug.cgi?id=1680155

https://bugzilla.redhat.com/show_bug.cgi?id=1685253

https://bugzilla.redhat.com/show_bug.cgi?id=1685734

https://bugzilla.redhat.com/show_bug.cgi?id=1686306

https://bugzilla.redhat.com/show_bug.cgi?id=1695850

https://bugzilla.redhat.com/show_bug.cgi?id=1696227

https://bugzilla.redhat.com/show_bug.cgi?id=1696691

https://bugzilla.redhat.com/show_bug.cgi?id=1696880

https://bugzilla.redhat.com/show_bug.cgi?id=1700896

https://bugzilla.redhat.com/show_bug.cgi?id=1701029

https://bugzilla.redhat.com/show_bug.cgi?id=1702091

https://bugzilla.redhat.com/show_bug.cgi?id=1702092

https://bugzilla.redhat.com/show_bug.cgi?id=1702093

https://bugzilla.redhat.com/show_bug.cgi?id=1702097

https://bugzilla.redhat.com/show_bug.cgi?id=1702099

https://bugzilla.redhat.com/show_bug.cgi?id=1702100

https://bugzilla.redhat.com/show_bug.cgi?id=1702732

https://bugzilla.redhat.com/show_bug.cgi?id=1703557

https://bugzilla.redhat.com/show_bug.cgi?id=1704948

https://bugzilla.redhat.com/show_bug.cgi?id=1705258

https://bugzilla.redhat.com/show_bug.cgi?id=1705922

https://bugzilla.redhat.com/show_bug.cgi?id=1708346

https://bugzilla.redhat.com/show_bug.cgi?id=1722663

https://bugzilla.redhat.com/show_bug.cgi?id=1722664

https://bugzilla.redhat.com/show_bug.cgi?id=1725521

https://bugzilla.redhat.com/show_bug.cgi?id=1725536

https://bugzilla.redhat.com/show_bug.cgi?id=1732142

https://bugzilla.redhat.com/show_bug.cgi?id=1732706

https://bugzilla.redhat.com/show_bug.cgi?id=1734550

https://bugzilla.redhat.com/show_bug.cgi?id=1739209

https://access.redhat.com/security/updates/classification/#moderate

https://bugzilla.redhat.com/show_bug.cgi?id=1337915

https://bugzilla.redhat.com/show_bug.cgi?id=1572933

https://bugzilla.redhat.com/show_bug.cgi?id=1599852

https://bugzilla.redhat.com/show_bug.cgi?id=1627567

https://bugzilla.redhat.com/show_bug.cgi?id=1628309

https://bugzilla.redhat.com/show_bug.cgi?id=1628311

https://bugzilla.redhat.com/show_bug.cgi?id=1631010

https://bugzilla.redhat.com/show_bug.cgi?id=1636136

https://bugzilla.redhat.com/show_bug.cgi?id=1637327

https://bugzilla.redhat.com/show_bug.cgi?id=1639712

https://bugzilla.redhat.com/show_bug.cgi?id=1644321

https://bugzilla.redhat.com/show_bug.cgi?id=1644461

https://bugzilla.redhat.com/show_bug.cgi?id=1644610

https://bugzilla.redhat.com/show_bug.cgi?id=1644847

https://bugzilla.redhat.com/show_bug.cgi?id=1651054

https://bugzilla.redhat.com/show_bug.cgi?id=1656908

https://bugzilla.redhat.com/show_bug.cgi?id=1659611

https://bugzilla.redhat.com/show_bug.cgi?id=1661504

https://bugzilla.redhat.com/show_bug.cgi?id=1665334

https://bugzilla.redhat.com/show_bug.cgi?id=1666822

https://bugzilla.redhat.com/show_bug.cgi?id=1668478

https://bugzilla.redhat.com/show_bug.cgi?id=1668896

https://bugzilla.redhat.com/show_bug.cgi?id=1668897

https://bugzilla.redhat.com/show_bug.cgi?id=1669838

https://bugzilla.redhat.com/show_bug.cgi?id=1708650

https://bugzilla.redhat.com/show_bug.cgi?id=1708798

https://bugzilla.redhat.com/show_bug.cgi?id=1709765

https://bugzilla.redhat.com/show_bug.cgi?id=1710855

https://bugzilla.redhat.com/show_bug.cgi?id=1713779

https://bugzilla.redhat.com/show_bug.cgi?id=1714810

https://bugzilla.redhat.com/show_bug.cgi?id=1714814

https://bugzilla.redhat.com/show_bug.cgi?id=1715577

https://bugzilla.redhat.com/show_bug.cgi?id=1715946

https://bugzilla.redhat.com/show_bug.cgi?id=1717135

https://bugzilla.redhat.com/show_bug.cgi?id=1718135

https://bugzilla.redhat.com/show_bug.cgi?id=1718328

https://bugzilla.redhat.com/show_bug.cgi?id=1719023

https://bugzilla.redhat.com/show_bug.cgi?id=1720205

https://bugzilla.redhat.com/show_bug.cgi?id=1720741

https://bugzilla.redhat.com/show_bug.cgi?id=1721165

Plugin Details

Severity: High

ID: 128106

File Name: redhat-RHSA-2019-2538.nasl

Version: 1.9

Type: local

Agent: unix

Published: 8/23/2019

Updated: 11/6/2024

Supported Sensors: Agentless Assessment, Continuous Assessment, Frictionless Assessment Agent, Frictionless Assessment AWS, Frictionless Assessment Azure, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 4.4

Vendor

Vendor Severity: Moderate

CVSS v2

Risk Factor: Medium

Base Score: 5

Temporal Score: 3.9

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N

CVSS Score Source: CVE-2018-16889

CVSS v3

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.7

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:redhat:enterprise_linux:python-crypto, p-cpe:/a:redhat:enterprise_linux:librgw2, p-cpe:/a:redhat:enterprise_linux:nfs-ganesha-ceph, p-cpe:/a:redhat:enterprise_linux:libradosstriper1, p-cpe:/a:redhat:enterprise_linux:ceph-osd, p-cpe:/a:redhat:enterprise_linux:ceph-iscsi-config, p-cpe:/a:redhat:enterprise_linux:ceph-mgr, p-cpe:/a:redhat:enterprise_linux:librgw-devel, p-cpe:/a:redhat:enterprise_linux:nfs-ganesha-rgw, p-cpe:/a:redhat:enterprise_linux:librados-devel, p-cpe:/a:redhat:enterprise_linux:libntirpc, p-cpe:/a:redhat:enterprise_linux:ceph-test, p-cpe:/a:redhat:enterprise_linux:librbd-devel, p-cpe:/a:redhat:enterprise_linux:python-rgw, p-cpe:/a:redhat:enterprise_linux:python-rbd, p-cpe:/a:redhat:enterprise_linux:ceph-common, p-cpe:/a:redhat:enterprise_linux:ceph-mds, p-cpe:/a:redhat:enterprise_linux:ceph-ansible, p-cpe:/a:redhat:enterprise_linux:ceph-radosgw, p-cpe:/a:redhat:enterprise_linux:cephmetrics, p-cpe:/a:redhat:enterprise_linux:librados2, p-cpe:/a:redhat:enterprise_linux:libcephfs2, p-cpe:/a:redhat:enterprise_linux:ceph, p-cpe:/a:redhat:enterprise_linux:python-cephfs, p-cpe:/a:redhat:enterprise_linux:librbd1, p-cpe:/a:redhat:enterprise_linux:ceph-base, p-cpe:/a:redhat:enterprise_linux:ceph-fuse, p-cpe:/a:redhat:enterprise_linux:rbd-mirror, p-cpe:/a:redhat:enterprise_linux:nfs-ganesha, p-cpe:/a:redhat:enterprise_linux:python-rados, p-cpe:/a:redhat:enterprise_linux:python2-crypto, cpe:/o:redhat:enterprise_linux:7, p-cpe:/a:redhat:enterprise_linux:ceph-selinux, p-cpe:/a:redhat:enterprise_linux:ceph-mon, p-cpe:/a:redhat:enterprise_linux:libcephfs-devel, p-cpe:/a:redhat:enterprise_linux:cephmetrics-ansible

Required KB Items: Host/local_checks_enabled, Host/RedHat/release, Host/RedHat/rpm-list, Host/cpu

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 8/21/2019

Vulnerability Publication Date: 1/15/2019

Reference Information

CVE: CVE-2018-14662, CVE-2018-16846, CVE-2018-16889

CWE: 200, 285, 770

RHSA: 2019:2538