Bugzilla – Bug 987144
VUL-0: CVE-2016-5009: ceph: moncommand with empty prefix crashes monitor
Last modified: 2017-03-28 14:44:29 UTC
http://tracker.ceph.com/issues/16297
Monitor command without prefix can cause a segfault in the monitor.
https://github.com/ceph/ceph/pull/9700
https://github.com/ceph/ceph/commit/957ece7e95d8f8746191fd9629622d4457d690d6
References:
https://bugzilla.redhat.com/show_bug.cgi?id=1351453
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-5009
Reproducer (not verified): cluster.mon_command() in rados.py with > *perfix*="osd pool stats",format="json"
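
Added example, not part of the original bug report and not Ceph's own code: a client-side pre-flight check that refuses to send a monitor command whose JSON lacks a usable "prefix" and points out a likely misspelt key. The names `check_mon_command`, `verdict` and `MonCommandError` are hypothetical, and it assumes the command is passed as a JSON string.

```python
import difflib
import json


class MonCommandError(ValueError):
    """Raised when a monitor command payload is not safe to send."""


def check_mon_command(cmd_json):
    """Return the parsed command dict, or raise MonCommandError.

    Hypothetical client-side guard: requires a JSON object whose "prefix"
    is a non-empty string, and names a likely misspelt key if there is one.
    """
    try:
        cmd = json.loads(cmd_json)
    except ValueError as exc:
        raise MonCommandError("not valid JSON: %s" % exc)
    if not isinstance(cmd, dict):
        raise MonCommandError("command must be a JSON object")
    prefix = cmd.get("prefix")
    if isinstance(prefix, str) and prefix.strip():
        return cmd
    if "prefix" in cmd:
        raise MonCommandError("'prefix' must be a non-empty string")
    # No "prefix" key at all: look for a near-miss such as a typo.
    near = difflib.get_close_matches("prefix", list(cmd), n=1, cutoff=0.6)
    hint = " (did you mean 'prefix' instead of %r?)" % near[0] if near else ""
    raise MonCommandError("missing 'prefix'" + hint)


# Constructed sample payloads; BAD mirrors the reproducer quoted on this page.
GOOD = json.dumps({"prefix": "osd pool stats", "format": "json"})
BAD = json.dumps({"perfix": "osd pool stats", "format": "json"})


def verdict(cmd_json):
    """Return 'ok' or the rejection message, for logging or tests."""
    try:
        check_mon_command(cmd_json)
        return "ok"
    except MonCommandError as exc:
        return str(exc)


if __name__ == "__main__":
    for payload in (GOOD, BAD, "{}", '{"prefix": ""}'):
        print(payload, "->", verdict(payload))
```

A guard like this only protects callers that use it; monitors still need the fixed packages listed in this bug.
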
Upstream fix for jewel branch is https://github.com/ceph/ceph/pull/10036
For Jewel this is a great opportunity to update customers to 10.2.2. I assume we can't wait for 10.2.3 ;-)
bugbot adjusting priority
Upstream bug for SES2.1 codestream is http://tracker.ceph.com/issues/16550 which is fixed by https://github.com/ceph/ceph/pull/10038 - this was merged recently and will be part of the upcoming 0.94.8 point release.
The upstream Jewel fix mentioned in Comment 2 has been merged and will be in the upcoming 10.2.3 point release.
The hammer upstream fix is http://tracker.ceph.com/issues/16550 https://github.com/ceph/ceph/pull/10038 - it was included in the upstream 0.94.8 point release. The next SES2.1 MR will update the downstream code to 0.94.9.
SES3 update to 10.2.3: https://build.suse.de/request/show/122411
SES2.1 update to 0.94.9: https://build.suse.de/request/show/121481
Both MRs have been accepted and are making their way through maintenance/QA.
SUSE-RU-2016:2701-1: An update that has two recommended fixes can now be installed.
Category: recommended (moderate)
Bug References: 968766,987144
CVE References:
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP1 (src): ceph-0.94.9+git.1474374266.239fe15-17.1
SUSE Linux Enterprise Server 12-SP1 (src): ceph-0.94.9+git.1474374266.239fe15-17.1
SUSE Linux Enterprise Desktop 12-SP1 (src): ceph-0.94.9+git.1474374266.239fe15-17.1
SUSE Enterprise Storage 2.1 (src): ceph-0.94.9+git.1474374266.239fe15-17.1
SUSE-SU-2016:2809-1: An update that solves one vulnerability and has 7 fixes is now available.
Category: security (moderate)
Bug References: 1005954,982141,985232,987144,987594,989512,990438,999688
CVE References: CVE-2016-5009
Sources used:
SUSE Enterprise Storage 3 (src): ceph-10.2.3+git.1475228057.755cf99-7.3
openSUSE-SU-2016:3201-1: An update that solves one vulnerability and has 10 fixes is now available.
Category: security (moderate)
Bug References: 1005179,1007216,1008501,1008894,1014338,977940,982141,985232,987144,990438,999688
CVE References: CVE-2016-5009
Sources used:
openSUSE Leap 42.2 (src): ceph-10.2.4+git.1481215985.12b091b-4.1, ceph-test-10.2.4+git.1481215985.12b091b-4.1
SUSE-SU-2017:0367-1: An update that solves one vulnerability and has 10 fixes is now available.
Category: security (moderate)
Bug References: 1005179,1007216,1008501,1008894,1014338,977940,982141,985232,987144,990438,999688
CVE References: CVE-2016-5009
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP2 (src): ceph-10.2.4+git.1481215985.12b091b-15.2
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src): ceph-10.2.4+git.1481215985.12b091b-15.2
SUSE Linux Enterprise Server 12-SP2 (src): ceph-10.2.4+git.1481215985.12b091b-15.2
SUSE Linux Enterprise Desktop 12-SP2 (src): ceph-10.2.4+git.1481215985.12b091b-15.2