Bug 1099162 - (CVE-2018-10861) VUL-0: CVE-2018-10861: ceph: ceph-mon does not perform authorization on OSD pool ops
(CVE-2018-10861)
VUL-0: CVE-2018-10861: ceph: ceph-mon does not perform authorization on OSD p...
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
Other Other
: P3 - Medium : Major
: ---
Assigned To: Nathan Cutler
Security Team bot
CVSSv3:SUSE:CVE-2018-10861:7.3:(AV:A/...
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2018-06-26 12:40 UTC by Abhishek Lekshmanan
Modified: 2021-07-19 10:41 UTC (History)
5 users (show)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Comment 4 Marcus Meissner 2018-07-10 06:28:32 UTC
is public

http://tracker.ceph.com/issues/24838

The mon was not enforcing caps for pool ops correctly (which are used for managing unmanaged snapshots or even pool deletion).

Fixes are in place:
master: 975528f632f73fbffa3f1fee304e3bbe3296cffc
mimic: 4e1bc0cd6a0aaa76eb1936d1717a4ab07e179da6
luminous: ce0834dd17589ea243960a99b900c1e85cc64015
jewel: c41a2e696e26a7f747afeeeb44f96c322bd739af
Comment 5 Swamp Workflow Management 2018-07-10 13:08:39 UTC
SUSE-SU-2018:1920-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 1096748,1099162
CVE References: CVE-2018-10861,CVE-2018-1128,CVE-2018-1129
Sources used:
SUSE Enterprise Storage 5 (src):    ceph-12.2.5+git.1530082629.8cbf63d997-2.16.1
Comment 6 Swamp Workflow Management 2018-07-11 11:40:18 UTC
This is an autogenerated message for OBS integration:
This bug (1099162) was mentioned in
https://build.opensuse.org/request/show/622065 Factory / ceph
Comment 10 Swamp Workflow Management 2018-08-03 22:09:03 UTC
SUSE-SU-2018:2193-1: An update that solves three vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1092874,1094932,1096748,1099162
CVE References: CVE-2018-10861,CVE-2018-1128,CVE-2018-1129
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP3 (src):    ceph-12.2.7+git.1531910353.c0ef85b854-2.12.1
SUSE Linux Enterprise Server 12-SP3 (src):    ceph-12.2.7+git.1531910353.c0ef85b854-2.12.1
SUSE Linux Enterprise Desktop 12-SP3 (src):    ceph-12.2.7+git.1531910353.c0ef85b854-2.12.1
SUSE CaaS Platform ALL (src):    ceph-12.2.7+git.1531910353.c0ef85b854-2.12.1
SUSE CaaS Platform 3.0 (src):    ceph-12.2.7+git.1531910353.c0ef85b854-2.12.1
Comment 11 Swamp Workflow Management 2018-08-10 01:08:18 UTC
openSUSE-SU-2018:2283-1: An update that solves three vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1092874,1094932,1096748,1099162
CVE References: CVE-2018-10861,CVE-2018-1128,CVE-2018-1129
Sources used:
openSUSE Leap 42.3 (src):    ceph-12.2.7+git.1531910353.c0ef85b854-12.1, ceph-test-12.2.7+git.1531910353.c0ef85b854-12.1
Comment 12 Swamp Workflow Management 2018-08-10 13:10:03 UTC
SUSE-SU-2018:2299-1: An update that solves four vulnerabilities and has two fixes is now available.

Category: security (important)
Bug References: 1072512,1080112,1081379,1086340,1096748,1099162
CVE References: CVE-2018-10861,CVE-2018-1128,CVE-2018-1129,CVE-2018-7262
Sources used:
SUSE Enterprise Storage 4 (src):    ceph-10.2.11+git.1531487710.3a12911a2e-12.14.2, ceph-test-10.2.11+git.1531487710.3a12911a2e-12.14.2
Comment 13 Swamp Workflow Management 2018-08-22 13:40:40 UTC
SUSE-SU-2018:2478-1: An update that solves three vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1092874,1094932,1096748,1099162
CVE References: CVE-2018-10861,CVE-2018-1128,CVE-2018-1129
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP3 (src):    ceph-12.2.7+git.1531910353.c0ef85b854-2.12.1
SUSE Linux Enterprise Server 12-SP3 (src):    ceph-12.2.7+git.1531910353.c0ef85b854-2.12.1
SUSE Linux Enterprise Desktop 12-SP3 (src):    ceph-12.2.7+git.1531910353.c0ef85b854-2.12.1
SUSE CaaS Platform ALL (src):    ceph-12.2.7+git.1531910353.c0ef85b854-2.12.1
SUSE CaaS Platform 3.0 (src):    ceph-12.2.7+git.1531910353.c0ef85b854-2.12.1
Comment 19 Swamp Workflow Management 2019-01-22 13:00:55 UTC
This is an autogenerated message for OBS integration:
This bug (1099162) was mentioned in
https://build.opensuse.org/request/show/667784 15.0 / ceph
Comment 22 Swamp Workflow Management 2019-03-11 13:20:24 UTC
This is an autogenerated message for OBS integration:
This bug (1099162) was mentioned in
https://build.opensuse.org/request/show/683881 15.0 / ceph
Comment 23 Swamp Workflow Management 2019-03-12 20:15:17 UTC
SUSE-SU-2019:0586-1: An update that solves 5 vulnerabilities and has two fixes is now available.

Category: security (moderate)
Bug References: 1084645,1086613,1096748,1099162,1101262,1111177,1114567
CVE References: CVE-2018-10861,CVE-2018-1128,CVE-2018-1129,CVE-2018-14662,CVE-2018-16846
Sources used:
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (src):    ceph-13.2.4.125+gad802694f5-3.7.2
SUSE Linux Enterprise Module for Basesystem 15 (src):    ceph-13.2.4.125+gad802694f5-3.7.2
Comment 24 Swamp Workflow Management 2019-04-27 22:32:57 UTC
openSUSE-SU-2019:1284-1: An update that solves 5 vulnerabilities and has three fixes is now available.

Category: security (moderate)
Bug References: 1084645,1086613,1096748,1099162,1101262,1111177,1114567,1114710
CVE References: CVE-2018-10861,CVE-2018-1128,CVE-2018-1129,CVE-2018-14662,CVE-2018-16846
Sources used:
openSUSE Leap 15.0 (src):    ceph-13.2.4.125+gad802694f5-lp150.2.3.1, ceph-test-13.2.4.125+gad802694f5-lp150.2.3.1