Bug 1063014 - (CVE-2017-16818) VUL-0: CVE-2017-16818: ceph: User reachable asserts allow for DoS
(CVE-2017-16818)
VUL-0: CVE-2017-16818: ceph: User reachable asserts allow for DoS
Status: RESOLVED FIXED
: 1069253 (view as bug list)
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
Other Other
: P3 - Medium : Normal
: ---
Assigned To: Nathan Cutler
Security Team bot
CVSSv3:RedHat:CVE-2017-16818:5.3:(AV:...
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2017-10-12 12:27 UTC by Johannes Segitz
Modified: 2021-07-19 10:39 UTC (History)
5 users (show)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Comment 1 Johannes Segitz 2017-10-12 12:29:22 UTC
Fixes are already public, but we got it over a private channel, keeping the bug closed for now
https://github.com/ceph/ceph/commit/b3118cabb8060a8cc6a01c4e8264cb18e7b1745a

We have the asserts in SLE 12 SP3 and probably also in older products
Comment 2 Johannes Segitz 2017-10-12 14:59:30 UTC
(In reply to Johannes Segitz from comment #1)
Looks like this only affects SLE 12 SP3
Comment 3 Nathan Cutler 2017-10-13 08:22:34 UTC
The fix:

* upstream master (Mimic)      https://github.com/ceph/ceph/pull/18225
* upstream backport (Luminous) https://github.com/ceph/ceph/pull/18287
* downstream backport (SES5)   https://github.com/SUSE/ceph/pull/156
Comment 4 Nathan Cutler 2017-10-13 14:23:30 UTC
(In reply to Johannes Segitz from comment #2)
> Looks like this only affects SLE 12 SP3

Actually, it only affects SES5, because the code in question is part of the RADOS REST Gateway (ceph-radosgw subpackage) and that subpackage does not ship on SLE-12-SP3.
Comment 9 Johannes Segitz 2017-11-22 09:17:25 UTC
*** Bug 1069253 has been marked as a duplicate of this bug. ***
Comment 10 Alexander Bergmann 2017-11-23 13:14:13 UTC
This bug was mentioned inside the ceph submission (comment 7). Therefore this bug is now the main reference to CVE-2017-16818.
Comment 12 Swamp Workflow Management 2018-01-12 20:13:24 UTC
SUSE-SU-2018:0083-1: An update that solves one vulnerability and has four fixes is now available.

Category: security (moderate)
Bug References: 1060904,1063014,1066182,1067119,1067705
CVE References: CVE-2017-16818
Sources used:
SUSE Enterprise Storage 5 (src):    ceph-12.2.2+git.1513357992.5030136da9-2.10.1
Comment 13 Swamp Workflow Management 2018-05-24 10:13:18 UTC
SUSE-SU-2018:1417-1: An update that solves two vulnerabilities and has 21 fixes is now available.

Category: security (important)
Bug References: 1051598,1054061,1056125,1056967,1059458,1060904,1061461,1063014,1066182,1066502,1067088,1067119,1067705,1070357,1071386,1074301,1079076,1080788,1081379,1081600,1086340,1087269,1087493
CVE References: CVE-2017-16818,CVE-2018-7262
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP3 (src):    ceph-12.2.5+git.1524775272.5e7ea8cf03-2.6.3
SUSE Linux Enterprise Server 12-SP3 (src):    ceph-12.2.5+git.1524775272.5e7ea8cf03-2.6.3
SUSE Linux Enterprise Desktop 12-SP3 (src):    ceph-12.2.5+git.1524775272.5e7ea8cf03-2.6.3
SUSE CaaS Platform ALL (src):    ceph-12.2.5+git.1524775272.5e7ea8cf03-2.6.3
Comment 14 Swamp Workflow Management 2018-05-30 13:09:13 UTC
openSUSE-SU-2018:1470-1: An update that solves two vulnerabilities and has 21 fixes is now available.

Category: security (important)
Bug References: 1051598,1054061,1056125,1056967,1059458,1060904,1061461,1063014,1066182,1066502,1067088,1067119,1067705,1070357,1071386,1074301,1079076,1080788,1081379,1081600,1086340,1087269,1087493
CVE References: CVE-2017-16818,CVE-2018-7262
Sources used:
openSUSE Leap 42.3 (src):    ceph-12.2.5+git.1524775272.5e7ea8cf03-9.1, ceph-test-12.2.5+git.1524775272.5e7ea8cf03-9.1
Comment 15 Swamp Workflow Management 2018-08-22 13:42:23 UTC
openSUSE-SU-2018:2479-1: An update that solves two vulnerabilities and has 21 fixes is now available.

Category: security (important)
Bug References: 1051598,1054061,1056125,1056967,1059458,1060904,1061461,1063014,1066182,1066502,1067088,1067119,1067705,1070357,1071386,1074301,1079076,1080788,1081379,1081600,1086340,1087269,1087493
CVE References: CVE-2017-16818,CVE-2018-7262
Sources used:
openSUSE Leap 42.3 (src):    ceph-12.2.5+git.1524775272.5e7ea8cf03-9.1, ceph-test-12.2.5+git.1524775272.5e7ea8cf03-9.1