Bug 987144 - (CVE-2016-5009) VUL-0: CVE-2016-5009: ceph: moncommand with empty prefix crashes monitor
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Importance: P3 - Medium, Normal
Assigned To: Nathan Cutler
Security Team bot
https://smash.suse.de/issue/170570/
CVSSv2:RedHat:CVE-2016-5009:4.9:(AV:A...
Reported: 2016-06-30 08:22 UTC by Andreas Stieger
Modified: 2017-03-28 14:44 UTC
Found By: Security Response Team
Comment 1 Andreas Stieger 2016-06-30 08:25:46 UTC
Reproducer (not verified):

cluster.mon_command() in rados.py with 
> *perfix*="osd pool stats",format="json"
Comment 2 Nathan Cutler 2016-06-30 09:17:48 UTC
Upstream fix for jewel branch is https://github.com/ceph/ceph/pull/10036
Comment 3 Lars Marowsky-Bree 2016-06-30 13:16:30 UTC
For Jewel this is a great opportunity to update customers to 10.2.2.

I assume we can't wait for 10.2.3 ;-)
Comment 4 Swamp Workflow Management 2016-06-30 22:00:11 UTC
bugbot adjusting priority
Comment 7 Nathan Cutler 2016-08-01 07:10:03 UTC
Upstream bug for SES2.1 codestream is http://tracker.ceph.com/issues/16550 which is fixed by https://github.com/ceph/ceph/pull/10038 - this was merged recently and will be part of the upcoming 0.94.8 point release.
Comment 8 Nathan Cutler 2016-08-28 19:35:29 UTC
The upstream Jewel fix mentioned in Comment 2 has been merged and will be in the upcoming 10.2.3 point release.
Comment 9 Nathan Cutler 2016-09-05 15:24:23 UTC
The hammer upstream fix is http://tracker.ceph.com/issues/16550 https://github.com/ceph/ceph/pull/10038 - it was included in the upstream 0.94.8 point release. The next SES2.1 MR will update the downstream code to 0.94.9.
Comment 10 Nathan Cutler 2016-10-10 08:34:23 UTC
SES3 update to 10.2.3: https://build.suse.de/request/show/122411

SES2.1 update to 0.94.9: https://build.suse.de/request/show/121481

Both MRs have been accepted and are making their way through maintenance/QA
Comment 11 Swamp Workflow Management 2016-11-02 16:07:10 UTC
SUSE-RU-2016:2701-1: An update that has two recommended fixes can now be installed.

Category: recommended (moderate)
Bug References: 968766,987144
CVE References: 
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP1 (src):    ceph-0.94.9+git.1474374266.239fe15-17.1
SUSE Linux Enterprise Server 12-SP1 (src):    ceph-0.94.9+git.1474374266.239fe15-17.1
SUSE Linux Enterprise Desktop 12-SP1 (src):    ceph-0.94.9+git.1474374266.239fe15-17.1
SUSE Enterprise Storage 2.1 (src):    ceph-0.94.9+git.1474374266.239fe15-17.1
Comment 12 Swamp Workflow Management 2016-11-15 21:07:41 UTC
SUSE-SU-2016:2809-1: An update that solves one vulnerability and has 7 fixes is now available.

Category: security (moderate)
Bug References: 1005954,982141,985232,987144,987594,989512,990438,999688
CVE References: CVE-2016-5009
Sources used:
SUSE Enterprise Storage 3 (src):    ceph-10.2.3+git.1475228057.755cf99-7.3
Comment 13 Swamp Workflow Management 2016-12-20 20:08:28 UTC
openSUSE-SU-2016:3201-1: An update that solves one vulnerability and has 10 fixes is now available.

Category: security (moderate)
Bug References: 1005179,1007216,1008501,1008894,1014338,977940,982141,985232,987144,990438,999688
CVE References: CVE-2016-5009
Sources used:
openSUSE Leap 42.2 (src):    ceph-10.2.4+git.1481215985.12b091b-4.1, ceph-test-10.2.4+git.1481215985.12b091b-4.1
Comment 14 Swamp Workflow Management 2017-02-02 23:11:19 UTC
SUSE-SU-2017:0367-1: An update that solves one vulnerability and has 10 fixes is now available.

Category: security (moderate)
Bug References: 1005179,1007216,1008501,1008894,1014338,977940,982141,985232,987144,990438,999688
CVE References: CVE-2016-5009
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP2 (src):    ceph-10.2.4+git.1481215985.12b091b-15.2
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src):    ceph-10.2.4+git.1481215985.12b091b-15.2
SUSE Linux Enterprise Server 12-SP2 (src):    ceph-10.2.4+git.1481215985.12b091b-15.2
SUSE Linux Enterprise Desktop 12-SP2 (src):    ceph-10.2.4+git.1481215985.12b091b-15.2