RHEL 7 / 8 : Red Hat Ceph Storage 4.2 Security and Bug Fix Update (Important) (RHSA-2021:2445)

Severity: High | Nessus Plugin ID 150821

Synopsis

The remote Red Hat host is missing one or more security updates.

Description

The remote Red Hat Enterprise Linux 7 / 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2021:2445 advisory.

Red Hat Ceph Storage is a scalable, open, software-defined storage platform that combines the most stable version of the Ceph storage system with a Ceph management platform, deployment utilities, and support services.

The ceph-ansible package provides Ansible playbooks for installing, maintaining, and upgrading Red Hat Ceph Storage.

The tcmu-runner packages provide a service that handles the complexity of the LIO kernel target's userspace passthrough interface (TCMU). It presents a C plugin API for extension modules that handle SCSI requests in ways not possible or suitable to be handled by LIO's in-kernel backstores.

Security Fix(es):

* ceph: Unauthorized global_id reuse in cephx (CVE-2021-20288)

* ceph-dashboard: Don't use Browser's LocalStorage for storing JWT but Secure Cookies with proper HTTP Headers (CVE-2020-27839)

* ceph-dashboard: Cross-site scripting via token Cookie (CVE-2021-3509)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Bug Fix(es):

These updated packages include numerous bug fixes. Space precludes documenting all of these changes in this advisory. Users are directed to the Red Hat Ceph Storage 4.2 Release Notes for information on the most significant of these changes:

https://access.redhat.com/documentation/en-us/red_hat_ceph_storage/4.2/html/release_notes/index

All users of Red Hat Ceph Storage are advised to upgrade to these updated packages, which provide numerous bug fixes.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Update the affected packages.

See Also

http://www.nessus.org/u?cd856fc8

https://access.redhat.com/security/updates/classification/#important

https://access.redhat.com/errata/RHSA-2021:2445

https://bugzilla.redhat.com/show_bug.cgi?id=1766702

https://bugzilla.redhat.com/show_bug.cgi?id=1775096

https://bugzilla.redhat.com/show_bug.cgi?id=1826224

https://bugzilla.redhat.com/show_bug.cgi?id=1859181

https://bugzilla.redhat.com/show_bug.cgi?id=1878771

https://bugzilla.redhat.com/show_bug.cgi?id=1882086

https://bugzilla.redhat.com/show_bug.cgi?id=1882087

https://bugzilla.redhat.com/show_bug.cgi?id=1882089

https://bugzilla.redhat.com/show_bug.cgi?id=1882091

https://bugzilla.redhat.com/show_bug.cgi?id=1884463

https://bugzilla.redhat.com/show_bug.cgi?id=1892406

https://bugzilla.redhat.com/show_bug.cgi?id=1892408

https://bugzilla.redhat.com/show_bug.cgi?id=1896040

https://bugzilla.redhat.com/show_bug.cgi?id=1896461

https://bugzilla.redhat.com/show_bug.cgi?id=1896464

https://bugzilla.redhat.com/show_bug.cgi?id=1896465

https://bugzilla.redhat.com/show_bug.cgi?id=1900111

https://bugzilla.redhat.com/show_bug.cgi?id=1901330

https://bugzilla.redhat.com/show_bug.cgi?id=1902752

https://bugzilla.redhat.com/show_bug.cgi?id=1902753

https://bugzilla.redhat.com/show_bug.cgi?id=1903504

https://bugzilla.redhat.com/show_bug.cgi?id=1905431

https://bugzilla.redhat.com/show_bug.cgi?id=1906262

https://bugzilla.redhat.com/show_bug.cgi?id=1906305

https://bugzilla.redhat.com/show_bug.cgi?id=1906447

https://bugzilla.redhat.com/show_bug.cgi?id=1906627

https://bugzilla.redhat.com/show_bug.cgi?id=1909011

https://bugzilla.redhat.com/show_bug.cgi?id=1909760

https://bugzilla.redhat.com/show_bug.cgi?id=1909762

https://bugzilla.redhat.com/show_bug.cgi?id=1910151

https://bugzilla.redhat.com/show_bug.cgi?id=1917680

https://bugzilla.redhat.com/show_bug.cgi?id=1918650

https://bugzilla.redhat.com/show_bug.cgi?id=1919084

https://bugzilla.redhat.com/show_bug.cgi?id=1919471

https://bugzilla.redhat.com/show_bug.cgi?id=1920900

https://bugzilla.redhat.com/show_bug.cgi?id=1921798

https://bugzilla.redhat.com/show_bug.cgi?id=1922926

https://bugzilla.redhat.com/show_bug.cgi?id=1925503

https://bugzilla.redhat.com/show_bug.cgi?id=1925506

https://bugzilla.redhat.com/show_bug.cgi?id=1925646

https://bugzilla.redhat.com/show_bug.cgi?id=1926170

https://bugzilla.redhat.com/show_bug.cgi?id=1927869

https://bugzilla.redhat.com/show_bug.cgi?id=1928000

https://bugzilla.redhat.com/show_bug.cgi?id=1928785

https://bugzilla.redhat.com/show_bug.cgi?id=1930180

https://bugzilla.redhat.com/show_bug.cgi?id=1930264

https://bugzilla.redhat.com/show_bug.cgi?id=1933721

https://bugzilla.redhat.com/show_bug.cgi?id=1934092

https://bugzilla.redhat.com/show_bug.cgi?id=1935406

https://bugzilla.redhat.com/show_bug.cgi?id=1967341

https://bugzilla.redhat.com/show_bug.cgi?id=1938031

https://bugzilla.redhat.com/show_bug.cgi?id=1941678

https://bugzilla.redhat.com/show_bug.cgi?id=1942444

https://bugzilla.redhat.com/show_bug.cgi?id=1943391

https://bugzilla.redhat.com/show_bug.cgi?id=1944996

https://bugzilla.redhat.com/show_bug.cgi?id=1944999

https://bugzilla.redhat.com/show_bug.cgi?id=1945920

https://bugzilla.redhat.com/show_bug.cgi?id=1946263

https://bugzilla.redhat.com/show_bug.cgi?id=1946536

https://bugzilla.redhat.com/show_bug.cgi?id=1946987

https://bugzilla.redhat.com/show_bug.cgi?id=1947215

https://bugzilla.redhat.com/show_bug.cgi?id=1947673

https://bugzilla.redhat.com/show_bug.cgi?id=1947695

https://bugzilla.redhat.com/show_bug.cgi?id=1949391

https://bugzilla.redhat.com/show_bug.cgi?id=1949489

https://bugzilla.redhat.com/show_bug.cgi?id=1949490

https://bugzilla.redhat.com/show_bug.cgi?id=1950116

https://bugzilla.redhat.com/show_bug.cgi?id=1951386

https://bugzilla.redhat.com/show_bug.cgi?id=1952011

https://bugzilla.redhat.com/show_bug.cgi?id=1952466

https://bugzilla.redhat.com/show_bug.cgi?id=1952570

https://bugzilla.redhat.com/show_bug.cgi?id=1954748

https://bugzilla.redhat.com/show_bug.cgi?id=1954789

https://bugzilla.redhat.com/show_bug.cgi?id=1954819

https://bugzilla.redhat.com/show_bug.cgi?id=1955218

https://bugzilla.redhat.com/show_bug.cgi?id=1955782

https://bugzilla.redhat.com/show_bug.cgi?id=1958362

https://bugzilla.redhat.com/show_bug.cgi?id=1959254

https://bugzilla.redhat.com/show_bug.cgi?id=1959452

https://bugzilla.redhat.com/show_bug.cgi?id=1962077

https://bugzilla.redhat.com/show_bug.cgi?id=1963066

https://bugzilla.redhat.com/show_bug.cgi?id=1963914

https://bugzilla.redhat.com/show_bug.cgi?id=1963962

https://bugzilla.redhat.com/show_bug.cgi?id=1964144

https://bugzilla.redhat.com/show_bug.cgi?id=1964481

https://bugzilla.redhat.com/show_bug.cgi?id=1964835

https://bugzilla.redhat.com/show_bug.cgi?id=1964907

https://bugzilla.redhat.com/show_bug.cgi?id=1964995

https://bugzilla.redhat.com/show_bug.cgi?id=1966880

Plugin Details

Severity: High

ID: 150821

File Name: redhat-RHSA-2021-2445.nasl

Version: 1.11

Type: local

Agent: unix

Published: 6/16/2021

Updated: 11/7/2024

Supported Sensors: Agentless Assessment, Continuous Assessment, Frictionless Assessment Agent, Frictionless Assessment AWS, Frictionless Assessment Azure, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 5.9

Vendor

Vendor Severity: Important

CVSS v2

Risk Factor: Medium

Base Score: 6.5

Temporal Score: 5.1

Vector: CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:P

CVSS Score Source: CVE-2021-20288

CVSS v3

Risk Factor: High

Base Score: 7.2

Temporal Score: 6.5

Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:redhat:enterprise_linux:python3-ceph-argparse, p-cpe:/a:redhat:enterprise_linux:librgw2, p-cpe:/a:redhat:enterprise_linux:ceph-mgr-diskprediction-local, p-cpe:/a:redhat:enterprise_linux:libradospp-devel, p-cpe:/a:redhat:enterprise_linux:libradosstriper1, p-cpe:/a:redhat:enterprise_linux:ceph-osd, p-cpe:/a:redhat:enterprise_linux:ceph-mgr, p-cpe:/a:redhat:enterprise_linux:ceph-grafana-dashboards, p-cpe:/a:redhat:enterprise_linux:librgw-devel, p-cpe:/a:redhat:enterprise_linux:ceph-mgr-k8sevents, p-cpe:/a:redhat:enterprise_linux:librados-devel, p-cpe:/a:redhat:enterprise_linux:librbd-devel, p-cpe:/a:redhat:enterprise_linux:ceph-test, p-cpe:/a:redhat:enterprise_linux:python3-cephfs, p-cpe:/a:redhat:enterprise_linux:python-rgw, p-cpe:/a:redhat:enterprise_linux:python-rbd, p-cpe:/a:redhat:enterprise_linux:ceph-common, p-cpe:/a:redhat:enterprise_linux:ceph-mds, p-cpe:/a:redhat:enterprise_linux:ceph-mgr-dashboard, cpe:/o:redhat:enterprise_linux:8, p-cpe:/a:redhat:enterprise_linux:ceph-radosgw, p-cpe:/a:redhat:enterprise_linux:ceph-mgr-rook, p-cpe:/a:redhat:enterprise_linux:librados2, p-cpe:/a:redhat:enterprise_linux:libcephfs2, p-cpe:/a:redhat:enterprise_linux:ceph, p-cpe:/a:redhat:enterprise_linux:python3-rados, p-cpe:/a:redhat:enterprise_linux:rbd-nbd, p-cpe:/a:redhat:enterprise_linux:librbd1, p-cpe:/a:redhat:enterprise_linux:ceph-base, p-cpe:/a:redhat:enterprise_linux:ceph-fuse, p-cpe:/a:redhat:enterprise_linux:rbd-mirror, p-cpe:/a:redhat:enterprise_linux:python-rados, p-cpe:/a:redhat:enterprise_linux:python3-rbd, cpe:/o:redhat:enterprise_linux:7, p-cpe:/a:redhat:enterprise_linux:ceph-selinux, p-cpe:/a:redhat:enterprise_linux:ceph-mon, p-cpe:/a:redhat:enterprise_linux:python3-rgw, p-cpe:/a:redhat:enterprise_linux:libcephfs-devel, p-cpe:/a:redhat:enterprise_linux:python-cephfs, p-cpe:/a:redhat:enterprise_linux:python-ceph-argparse

Required KB Items: Host/local_checks_enabled, Host/RedHat/release, Host/RedHat/rpm-list, Host/cpu

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 6/15/2021

Vulnerability Publication Date: 2/25/2021

Reference Information

CVE: CVE-2020-27839, CVE-2021-20288, CVE-2021-3509

CWE: 287, 522, 79

RHSA: 2021:2445