Red Hat Product Errata RHSA-2023:3642 - Security Advisory
Issued:
2023-06-15
Updated:
2023-06-15

Synopsis

Important: Red Hat Ceph Storage 6.1 Container security and bug fix update

Type/Severity

Security Advisory: Important

Topic

A new container image for Red Hat Ceph Storage 6.1 is now available in the Red Hat Ecosystem Catalog.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

Red Hat Ceph Storage is a scalable, open, software-defined storage platform that combines the most stable version of the Ceph storage system with a Ceph management platform, deployment utilities, and support services.

This new container image is based on Red Hat Ceph Storage 6.1 and Red Hat Enterprise Linux 9.

Security Fix(es):

  • crewjam/saml: Authentication bypass when processing SAML responses containing multiple Assertion elements (CVE-2022-41912)
  • eventsource: Exposure of Sensitive Information (CVE-2022-1650)
  • grafana: stored XSS vulnerability (CVE-2022-31097)
  • grafana: OAuth account takeover (CVE-2022-31107)
  • ramda: prototype poisoning (CVE-2021-42581)
  • golang: net/http: improper sanitization of Transfer-Encoding header (CVE-2022-1705)
  • golang: net/http/httputil: ReverseProxy should not forward unparseable query parameters (CVE-2022-2880)
  • marked: regular expression block.def may lead Denial of Service (CVE-2022-21680)
  • marked: regular expression inline.reflinkSearch may lead Denial of Service (CVE-2022-21681)
  • golang: encoding/pem: fix stack overflow in Decode (CVE-2022-24675)
  • Moment.js: Path traversal in moment.locale (CVE-2022-24785)
  • grafana: An information leak issue was discovered in Grafana through 7.3.4, when integrated with Zabbix (CVE-2022-26148)
  • golang: net/http: handle server errors after sending GOAWAY (CVE-2022-27664)
  • golang: encoding/xml: stack exhaustion in Decoder.Skip (CVE-2022-28131)
  • golang: crypto/elliptic: panic caused by oversized scalar (CVE-2022-28327)
  • golang: syscall: faccessat checks wrong group (CVE-2022-29526)
  • golang: io/fs: stack exhaustion in Glob (CVE-2022-30630)
  • golang: compress/gzip: stack exhaustion in Reader.Read (CVE-2022-30631)
  • golang: path/filepath: stack exhaustion in Glob (CVE-2022-30632)
  • golang: encoding/xml: stack exhaustion in Unmarshal (CVE-2022-30633)
  • golang: encoding/gob: stack exhaustion in Decoder.Decode (CVE-2022-30635)
  • grafana: plugin signature bypass (CVE-2022-31123)
  • grafana: data source and plugin proxy endpoints leaking authentication tokens to some destination plugins (CVE-2022-31130)
  • golang: net/http/httputil: NewSingleHostReverseProxy - omit X-Forwarded-For not working (CVE-2022-32148)
  • golang: net/url: JoinPath does not strip relative path components in all circumstances (CVE-2022-32190)
  • grafana: Escalation from admin to server admin when auth proxy is used (CVE-2022-35957)
  • grafana: Data source and plugin proxy endpoints could leak the authentication cookie to some destination plugins (CVE-2022-39201)
  • grafana: using email as a username can block other users from signing in (CVE-2022-39229)
  • grafana: email addresses and usernames cannot be trusted (CVE-2022-39306)
  • grafana: User enumeration via forget password (CVE-2022-39307)
  • grafana: Spoofing of the originalUrl parameter of snapshots (CVE-2022-39324)
  • golang: regexp/syntax: limit memory used by parsing regexps (CVE-2022-41715)
  • golang: crypto/tls: session tickets lack random ticket_age_add (CVE-2022-30629)
  • golang: math/big: decoding big.Float and big.Rat types can panic if the encoded message is too short, potentially allowing a denial of service (CVE-2022-32189)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Space precludes documenting all of these changes in this advisory. Users are directed to the Red Hat Ceph Storage Release Notes for information on the most significant of these changes:

https://access.redhat.com/documentation/en-us/red_hat_ceph_storage/6.1/html/release_notes/index

All users of Red Hat Ceph Storage are advised to pull these new images from the Red Hat Ecosystem Catalog; they include numerous enhancements and bug fixes in addition to the security fixes listed above.

Solution

For details on how to apply this update, see "Upgrade a Red Hat Ceph Storage cluster using cephadm" in the Red Hat Ceph Storage Upgrade Guide (https://access.redhat.com/documentation/en-us/red_hat_ceph_storage).

Affected Products

  • Red Hat Enterprise Linux for x86_64 9 x86_64
  • Red Hat Enterprise Linux for IBM z Systems 9 s390x
  • Red Hat Enterprise Linux for Power, little endian 9 ppc64le

Fixes

  • BZ - 2066563 - CVE-2022-26148 grafana: An information leak issue was discovered in Grafana through 7.3.4, when integrated with Zabbix
  • BZ - 2072009 - CVE-2022-24785 Moment.js: Path traversal in moment.locale
  • BZ - 2077688 - CVE-2022-24675 golang: encoding/pem: fix stack overflow in Decode
  • BZ - 2077689 - CVE-2022-28327 golang: crypto/elliptic: panic caused by oversized scalar
  • BZ - 2082705 - CVE-2022-21680 marked: regular expression block.def may lead Denial of Service
  • BZ - 2082706 - CVE-2022-21681 marked: regular expression inline.reflinkSearch may lead Denial of Service
  • BZ - 2083778 - CVE-2021-42581 ramda: prototype poisoning
  • BZ - 2084085 - CVE-2022-29526 golang: syscall: faccessat checks wrong group
  • BZ - 2085307 - CVE-2022-1650 eventsource: Exposure of Sensitive Information
  • BZ - 2092793 - CVE-2022-30629 golang: crypto/tls: session tickets lack random ticket_age_add
  • BZ - 2104365 - CVE-2022-31097 grafana: stored XSS vulnerability
  • BZ - 2104367 - CVE-2022-31107 grafana: OAuth account takeover
  • BZ - 2107342 - CVE-2022-30631 golang: compress/gzip: stack exhaustion in Reader.Read
  • BZ - 2107371 - CVE-2022-30630 golang: io/fs: stack exhaustion in Glob
  • BZ - 2107374 - CVE-2022-1705 golang: net/http: improper sanitization of Transfer-Encoding header
  • BZ - 2107383 - CVE-2022-32148 golang: net/http/httputil: NewSingleHostReverseProxy - omit X-Forwarded-For not working
  • BZ - 2107386 - CVE-2022-30632 golang: path/filepath: stack exhaustion in Glob
  • BZ - 2107388 - CVE-2022-30635 golang: encoding/gob: stack exhaustion in Decoder.Decode
  • BZ - 2107390 - CVE-2022-28131 golang: encoding/xml: stack exhaustion in Decoder.Skip
  • BZ - 2107392 - CVE-2022-30633 golang: encoding/xml: stack exhaustion in Unmarshal
  • BZ - 2113814 - CVE-2022-32189 golang: math/big: decoding big.Float and big.Rat types can panic if the encoded message is too short, potentially allowing a denial of service
  • BZ - 2124668 - CVE-2022-32190 golang: net/url: JoinPath does not strip relative path components in all circumstances
  • BZ - 2124669 - CVE-2022-27664 golang: net/http: handle server errors after sending GOAWAY
  • BZ - 2125514 - CVE-2022-35957 grafana: Escalation from admin to server admin when auth proxy is used
  • BZ - 2131146 - CVE-2022-31130 grafana: data source and plugin proxy endpoints leaking authentication tokens to some destination plugins
  • BZ - 2131147 - CVE-2022-31123 grafana: plugin signature bypass
  • BZ - 2131148 - CVE-2022-39201 grafana: Data source and plugin proxy endpoints could leak the authentication cookie to some destination plugins
  • BZ - 2131149 - CVE-2022-39229 grafana: using email as a username can block other users from signing in
  • BZ - 2132868 - CVE-2022-2880 golang: net/http/httputil: ReverseProxy should not forward unparseable query parameters
  • BZ - 2132872 - CVE-2022-41715 golang: regexp/syntax: limit memory used by parsing regexps
  • BZ - 2138014 - CVE-2022-39306 grafana: email addresses and usernames cannot be trusted
  • BZ - 2138015 - CVE-2022-39307 grafana: User enumeration via forget password
  • BZ - 2148252 - CVE-2022-39324 grafana: Spoofing of the originalUrl parameter of snapshots
  • BZ - 2149181 - CVE-2022-41912 crewjam/saml: Authentication bypass when processing SAML responses containing multiple Assertion elements
  • BZ - 2168965 - [cee/sd][rook-ceph]cephfs-top utility is not available under rook-ceph-oprator/tools pod
  • BZ - 2174461 - add dbus-daemon binary - required for NFS in ODF 4.13
  • BZ - 2174462 - add ceph-exporter pkg to RHCS 6.1 image
  • BZ - 2186142 - [RHCS 6.1] [Deployment] Cephadm bootstrap failing with default image.

CVEs

  • CVE-2021-42581
  • CVE-2022-1650
  • CVE-2022-1705
  • CVE-2022-2880
  • CVE-2022-21680
  • CVE-2022-21681
  • CVE-2022-23498
  • CVE-2022-24675
  • CVE-2022-24785
  • CVE-2022-26148
  • CVE-2022-27664
  • CVE-2022-28131
  • CVE-2022-28327
  • CVE-2022-29526
  • CVE-2022-30629
  • CVE-2022-30630
  • CVE-2022-30631
  • CVE-2022-30632
  • CVE-2022-30633
  • CVE-2022-30635
  • CVE-2022-31097
  • CVE-2022-31107
  • CVE-2022-31123
  • CVE-2022-31130
  • CVE-2022-32148
  • CVE-2022-32189
  • CVE-2022-32190
  • CVE-2022-35957
  • CVE-2022-39201
  • CVE-2022-39229
  • CVE-2022-39306
  • CVE-2022-39307
  • CVE-2022-39324
  • CVE-2022-41715
  • CVE-2022-41912

References

  • https://access.redhat.com/security/updates/classification/#important
  • https://access.redhat.com/documentation/en-us/red_hat_ceph_storage/6.1/html/release_notes/index

Updated Images

ppc64le

rhceph/keepalived-rhel9@sha256:36abd2b22ebabea813c5afde35b0b80a200056f811267e89f0270da9155b1a22
rhceph/rhceph-6-dashboard-rhel9@sha256:50329da263e8ef00c47632156761621bac30fead5e574ef23cd1d30b7af0019a
rhceph/rhceph-6-rhel9@sha256:9b477366f861df49b533d95941b9770b032827bb4a259c5f86abce8705960c05
rhceph/rhceph-haproxy-rhel9@sha256:8cc4a146d7be5046b416fe9c04d77b4f0a25a2ab7180fdbf8c46cff8e2483080
rhceph/rhceph-promtail-rhel9@sha256:f52fd8d5fbfdcc202c5e31096119377a8b87f9efd31602398d45cec86ec35940
rhceph/snmp-notifier-rhel9@sha256:8887234fbbaddf620eaa7b0f4b1ed6ab8aa5bc52e019e67179554ccd03fba676

s390x

rhceph/keepalived-rhel9@sha256:2ae4274163155d880cbd41d1a197d6856f326501a50e028ff3de9ff8a85b3e97
rhceph/rhceph-6-dashboard-rhel9@sha256:3fb7480f9d68333e168eae0c9fbeceb0df7962a40c25ecced81ea4c4959b2c25
rhceph/rhceph-6-rhel9@sha256:72bd6eb932a368af10d5c607d8b60e0fe8b87862f4adaa17fd022a3427a46ca8
rhceph/rhceph-haproxy-rhel9@sha256:e4da2c9d53159d43c6795151eb3c9dea373da19b34d76094b60e7a2466415d62
rhceph/rhceph-promtail-rhel9@sha256:44697ad0d15d1f37b98243f5f013cb9271d70e2b10ab52093a1d7e3409a674b2
rhceph/snmp-notifier-rhel9@sha256:df7c89608fe8352d445efcc1017521b35878cfe61a8b9fd91fab24c00786b2bf

x86_64

rhceph/keepalived-rhel9@sha256:b21d882fd2d08d6f162dbb63e0626d9d6aa892a677c5a28edc97b84feef1655a
rhceph/rhceph-6-dashboard-rhel9@sha256:1d7ca201b778e6a6cb559129e240233b6b6461399c67f979c07d5fe288c400f6
rhceph/rhceph-6-rhel9@sha256:953630d9f9924f17ab7ce168772c3facbaf6866b79a1cf0fb9aee1dcf6eb8c7d
rhceph/rhceph-haproxy-rhel9@sha256:720b3207087d4feb8ab59ffd0b70d6bc22fa21d53b62393779dfaf8972a32e60
rhceph/rhceph-promtail-rhel9@sha256:b46c0196fab3bd3a60b64a1d7ff8af6fbc7c3e526618da1cc78032bffa3be171
rhceph/snmp-notifier-rhel9@sha256:9078b49846d8ec681bec5b96f0d4087b4c66bdc6baf4701cfc9c8e8aeae89661
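The digests above are what make the upgrade verifiable: a tag such as `:6` floats and can point at a pre-advisory build, while `repo@sha256:...` names exactly one image. The script below is an added example, not Red Hat's or Ceph's own code. It carries the rhceph-6-rhel9 and rhceph-6-dashboard-rhel9 digests copied from the lists above (the keepalived, haproxy, promtail and snmp-notifier entries follow the same pattern), classifies each running daemon's image as fixed, unfixed, unpinned or not covered by this advisory, and builds the digest-pinned reference to hand to `ceph orch upgrade start --image`. The sample JSON is constructed to resemble `ceph orch ps --format json`; the keys `daemon_name` and `container_image_name` are assumed from cephadm's daemon description and should be checked against your own cluster's output.

```python
"""Audit a Red Hat Ceph Storage 6.1 cluster against the RHSA-2023:3642 images.

Added example, not Red Hat's or Ceph's own code.  Digests are copied from the
advisory's "Updated Images" list (core ceph image and dashboard image only).
The sample JSON is constructed; the keys daemon_name and container_image_name
are assumed to match `ceph orch ps --format json`.
"""
import json

REGISTRY = "registry.redhat.io"

FIXED_DIGESTS = {  # repository -> arch -> digest (from the advisory)
    "rhceph/rhceph-6-rhel9": {
        "x86_64":  "sha256:953630d9f9924f17ab7ce168772c3facbaf6866b79a1cf0fb9aee1dcf6eb8c7d",
        "s390x":   "sha256:72bd6eb932a368af10d5c607d8b60e0fe8b87862f4adaa17fd022a3427a46ca8",
        "ppc64le": "sha256:9b477366f861df49b533d95941b9770b032827bb4a259c5f86abce8705960c05",
    },
    "rhceph/rhceph-6-dashboard-rhel9": {
        "x86_64":  "sha256:1d7ca201b778e6a6cb559129e240233b6b6461399c67f979c07d5fe288c400f6",
        "s390x":   "sha256:3fb7480f9d68333e168eae0c9fbeceb0df7962a40c25ecced81ea4c4959b2c25",
        "ppc64le": "sha256:50329da263e8ef00c47632156761621bac30fead5e574ef23cd1d30b7af0019a",
    },
}


def parse_ref(ref):
    """Split '[registry/]repo[:tag][@sha256:hex]' into its parts."""
    name, _, digest = ref.partition("@")
    first, sep, rest = name.partition("/")
    registry = None
    if sep and ("." in first or ":" in first or first == "localhost"):
        registry, name = first, rest      # first component is a host[:port]
    repo, _, tag = name.partition(":")    # host port is gone, so ':' is the tag
    return {"registry": registry, "repo": repo, "tag": tag or None, "digest": digest or None}


def image_state(ref, arch):
    """'fixed', 'unfixed', 'unpinned' (tag only), 'not-covered' or 'unknown'."""
    if not ref:
        return "unknown"
    parts = parse_ref(ref)
    per_arch = FIXED_DIGESTS.get(parts["repo"])
    if per_arch is None:
        return "not-covered"              # image not shipped by this advisory
    if parts["digest"] is None:
        # A tag says nothing about content: resolve it first (for example with
        # `skopeo inspect docker://<ref>` and read .Digest), then re-check.
        return "unpinned"
    return "fixed" if parts["digest"] == per_arch.get(arch) else "unfixed"


def fixed_image_ref(repo, arch):
    """Digest-pinned reference to pass to `ceph orch upgrade start --image`."""
    return f"{REGISTRY}/{repo}@{FIXED_DIGESTS[repo][arch]}"


def audit_orch_ps(orch_ps_json, arch):
    """Map each daemon in `ceph orch ps --format json` output to its image state."""
    return {d["daemon_name"]: image_state(d.get("container_image_name"), arch)
            for d in json.loads(orch_ps_json)}


def needs_upgrade(report):
    """Daemons that are demonstrably, or possibly, still on a pre-advisory image."""
    return sorted(name for name, state in report.items() if state in ("unfixed", "unpinned"))


# Constructed sample: a mon already on the fixed image, an osd on a made-up older
# digest, a Grafana daemon referenced by tag only, and a daemon whose image this
# advisory does not ship at all.
SAMPLE_ORCH_PS = json.dumps([
    {"daemon_type": "mon", "daemon_name": "mon.ceph1",
     "container_image_name": fixed_image_ref("rhceph/rhceph-6-rhel9", "x86_64")},
    {"daemon_type": "osd", "daemon_name": "osd.3",
     "container_image_name": f"{REGISTRY}/rhceph/rhceph-6-rhel9@sha256:" + "0" * 64},
    {"daemon_type": "grafana", "daemon_name": "grafana.ceph1",
     "container_image_name": f"{REGISTRY}/rhceph/rhceph-6-dashboard-rhel9:6"},
    {"daemon_type": "prometheus", "daemon_name": "prometheus.ceph1",
     "container_image_name": f"{REGISTRY}/openshift4/ose-prometheus:v4.12"},
])

if __name__ == "__main__":
    report = audit_orch_ps(SAMPLE_ORCH_PS, "x86_64")
    for name, state in sorted(report.items()):
        print(f"{name:20} {state}")
    for name in needs_upgrade(report):
        print(f"upgrade needed: {name}")
    print("ceph orch upgrade start --image", fixed_image_ref("rhceph/rhceph-6-rhel9", "x86_64"))
```

On a real cluster, feed the output of `ceph orch ps --format json` into `audit_orch_ps` in place of the constructed sample, using the architecture of the hosts being checked. An `unpinned` result is not a pass: resolve the tag to a digest before deciding, and prefer starting the upgrade with the digest-pinned reference so that `ceph orch upgrade check --image` and the running daemons can be compared against the exact image this advisory ships.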

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.
