Security update for ceph SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2021:1108-1 Final 1 1 2021-04-08T09:48:59Z current 2021-04-08T09:48:59Z 2021-04-08T09:48:59Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for ceph This update for ceph fixes the following issues: - ceph was updated to to 15.2.9 - cephadm: fix 'inspect' and 'pull' (bsc#1182766) - CVE-2020-27839: mgr/dashboard: Use secure cookies to store JWT Token (bsc#1179997) - CVE-2020-25678: Do not add sensitive information in Ceph log files (bsc#1178905) - mgr/orchestrator: Sort 'ceph orch device ls' by host (bsc#1172926) - mgr/dashboard: enable different URL for users of browser to Grafana (bsc#1176390, bsc#1176679) - mgr/cephadm: lock multithreaded access to OSDRemovalQueue (bsc#1176489) - cephadm: command_unit: call systemctl with verbose=True (bsc#1176828) - cephadm: silence 'Failed to evict container' log msg (bsc#1177360) - mgr/cephadm: upgrade: fail gracefully, if daemon redeploy fails (bsc#1177857) - rgw: cls/user: set from_index for reset stats calls (bsc#1178837) - mgr/dashboard: Disable TLS 1.0 and 1.1 (bsc#1178860) - cephadm: reference the last local image by digest (bsc#1178932, bsc#1179569) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Container suse/sles/15.2/virt-launcher:0.38.1-2021-1108,Container suse/sles/15.3/virt-launcher:0.45.0-2021-1108,SUSE-2021-1108,SUSE-SLE-Module-Basesystem-15-SP2-2021-1108,SUSE-Storage-7-2021-1108 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2021/suse-su-20211108-1/ Link for SUSE-SU-2021:1108-1 https://lists.suse.com/pipermail/sle-security-updates/2021-April/008598.html E-Mail link for SUSE-SU-2021:1108-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1172926 SUSE Bug 1172926 https://bugzilla.suse.com/1176390 SUSE Bug 1176390 https://bugzilla.suse.com/1176489 SUSE Bug 1176489 https://bugzilla.suse.com/1176679 SUSE Bug 1176679 https://bugzilla.suse.com/1176828 SUSE Bug 1176828 https://bugzilla.suse.com/1177360 SUSE Bug 1177360 https://bugzilla.suse.com/1177857 SUSE Bug 1177857 https://bugzilla.suse.com/1178837 SUSE Bug 1178837 https://bugzilla.suse.com/1178860 SUSE Bug 1178860 https://bugzilla.suse.com/1178905 SUSE Bug 1178905 https://bugzilla.suse.com/1178932 SUSE Bug 1178932 https://bugzilla.suse.com/1179569 SUSE Bug 1179569 https://bugzilla.suse.com/1179997 SUSE Bug 1179997 https://bugzilla.suse.com/1182766 SUSE Bug 1182766 https://www.suse.com/security/cve/CVE-2020-25678/ SUSE CVE CVE-2020-25678 page https://www.suse.com/security/cve/CVE-2020-27839/ SUSE CVE CVE-2020-27839 page Container suse/sles/15.2/virt-launcher:0.38.1 Container suse/sles/15.3/virt-launcher:0.45.0 SUSE Enterprise Storage 7 SUSE Linux Enterprise Module for Basesystem 15 SP2 librados2-15.2.9.83+g4275378de0-3.17.1 librbd1-15.2.9.83+g4275378de0-3.17.1 ceph-15.2.9.83+g4275378de0-3.17.1 ceph-base-15.2.9.83+g4275378de0-3.17.1 ceph-common-15.2.9.83+g4275378de0-3.17.1 ceph-fuse-15.2.9.83+g4275378de0-3.17.1 ceph-grafana-dashboards-15.2.9.83+g4275378de0-3.17.1 ceph-immutable-object-cache-15.2.9.83+g4275378de0-3.17.1 ceph-mds-15.2.9.83+g4275378de0-3.17.1 ceph-mgr-15.2.9.83+g4275378de0-3.17.1 ceph-mgr-cephadm-15.2.9.83+g4275378de0-3.17.1 ceph-mgr-dashboard-15.2.9.83+g4275378de0-3.17.1 ceph-mgr-diskprediction-cloud-15.2.9.83+g4275378de0-3.17.1 ceph-mgr-diskprediction-local-15.2.9.83+g4275378de0-3.17.1 ceph-mgr-k8sevents-15.2.9.83+g4275378de0-3.17.1 ceph-mgr-modules-core-15.2.9.83+g4275378de0-3.17.1 ceph-mgr-rook-15.2.9.83+g4275378de0-3.17.1 ceph-mon-15.2.9.83+g4275378de0-3.17.1 ceph-osd-15.2.9.83+g4275378de0-3.17.1 ceph-prometheus-alerts-15.2.9.83+g4275378de0-3.17.1 ceph-radosgw-15.2.9.83+g4275378de0-3.17.1 ceph-test-15.2.9.83+g4275378de0-3.17.1 cephadm-15.2.9.83+g4275378de0-3.17.1 cephfs-shell-15.2.9.83+g4275378de0-3.17.1 libcephfs-devel-15.2.9.83+g4275378de0-3.17.1 libcephfs2-15.2.9.83+g4275378de0-3.17.1 librados-devel-15.2.9.83+g4275378de0-3.17.1 libradospp-devel-15.2.9.83+g4275378de0-3.17.1 librbd-devel-15.2.9.83+g4275378de0-3.17.1 librgw-devel-15.2.9.83+g4275378de0-3.17.1 librgw2-15.2.9.83+g4275378de0-3.17.1 python3-ceph-argparse-15.2.9.83+g4275378de0-3.17.1 python3-ceph-common-15.2.9.83+g4275378de0-3.17.1 python3-cephfs-15.2.9.83+g4275378de0-3.17.1 python3-rados-15.2.9.83+g4275378de0-3.17.1 python3-rbd-15.2.9.83+g4275378de0-3.17.1 python3-rgw-15.2.9.83+g4275378de0-3.17.1 rados-objclass-devel-15.2.9.83+g4275378de0-3.17.1 rbd-fuse-15.2.9.83+g4275378de0-3.17.1 rbd-mirror-15.2.9.83+g4275378de0-3.17.1 rbd-nbd-15.2.9.83+g4275378de0-3.17.1 librados2-15.2.9.83+g4275378de0-3.17.1 as a component of Container suse/sles/15.2/virt-launcher:0.38.1 librbd1-15.2.9.83+g4275378de0-3.17.1 as a component of Container suse/sles/15.2/virt-launcher:0.38.1 librados2-15.2.9.83+g4275378de0-3.17.1 as a component of Container suse/sles/15.3/virt-launcher:0.45.0 librbd1-15.2.9.83+g4275378de0-3.17.1 as a component of Container suse/sles/15.3/virt-launcher:0.45.0 ceph-base-15.2.9.83+g4275378de0-3.17.1 as a component of SUSE Enterprise Storage 7 ceph-common-15.2.9.83+g4275378de0-3.17.1 as a component of SUSE Enterprise Storage 7 cephadm-15.2.9.83+g4275378de0-3.17.1 as a component of SUSE Enterprise Storage 7 libcephfs2-15.2.9.83+g4275378de0-3.17.1 as a component of SUSE Enterprise Storage 7 librados2-15.2.9.83+g4275378de0-3.17.1 as a component of SUSE Enterprise Storage 7 librbd1-15.2.9.83+g4275378de0-3.17.1 as a component of SUSE Enterprise Storage 7 librgw2-15.2.9.83+g4275378de0-3.17.1 as a component of SUSE Enterprise Storage 7 python3-ceph-argparse-15.2.9.83+g4275378de0-3.17.1 as a component of SUSE Enterprise Storage 7 python3-ceph-common-15.2.9.83+g4275378de0-3.17.1 as a component of SUSE Enterprise Storage 7 python3-cephfs-15.2.9.83+g4275378de0-3.17.1 as a component of SUSE Enterprise Storage 7 python3-rados-15.2.9.83+g4275378de0-3.17.1 as a component of SUSE Enterprise Storage 7 python3-rbd-15.2.9.83+g4275378de0-3.17.1 as a component of SUSE Enterprise Storage 7 python3-rgw-15.2.9.83+g4275378de0-3.17.1 as a component of SUSE Enterprise Storage 7 rbd-nbd-15.2.9.83+g4275378de0-3.17.1 as a component of SUSE Enterprise Storage 7 ceph-common-15.2.9.83+g4275378de0-3.17.1 as a component of SUSE Linux Enterprise Module for Basesystem 15 SP2 libcephfs-devel-15.2.9.83+g4275378de0-3.17.1 as a component of SUSE Linux Enterprise Module for Basesystem 15 SP2 libcephfs2-15.2.9.83+g4275378de0-3.17.1 as a component of SUSE Linux Enterprise Module for Basesystem 15 SP2 librados-devel-15.2.9.83+g4275378de0-3.17.1 as a component of SUSE Linux Enterprise Module for Basesystem 15 SP2 librados2-15.2.9.83+g4275378de0-3.17.1 as a component of SUSE Linux Enterprise Module for Basesystem 15 SP2 libradospp-devel-15.2.9.83+g4275378de0-3.17.1 as a component of SUSE Linux Enterprise Module for Basesystem 15 SP2 librbd-devel-15.2.9.83+g4275378de0-3.17.1 as a component of SUSE Linux Enterprise Module for Basesystem 15 SP2 librbd1-15.2.9.83+g4275378de0-3.17.1 as a component of SUSE Linux Enterprise Module for Basesystem 15 SP2 librgw-devel-15.2.9.83+g4275378de0-3.17.1 as a component of SUSE Linux Enterprise Module for Basesystem 15 SP2 librgw2-15.2.9.83+g4275378de0-3.17.1 as a component of SUSE Linux Enterprise Module for Basesystem 15 SP2 python3-ceph-argparse-15.2.9.83+g4275378de0-3.17.1 as a component of SUSE Linux Enterprise Module for Basesystem 15 SP2 python3-ceph-common-15.2.9.83+g4275378de0-3.17.1 as a component of SUSE Linux Enterprise Module for Basesystem 15 SP2 python3-cephfs-15.2.9.83+g4275378de0-3.17.1 as a component of SUSE Linux Enterprise Module for Basesystem 15 SP2 python3-rados-15.2.9.83+g4275378de0-3.17.1 as a component of SUSE Linux Enterprise Module for Basesystem 15 SP2 python3-rbd-15.2.9.83+g4275378de0-3.17.1 as a component of SUSE Linux Enterprise Module for Basesystem 15 SP2 python3-rgw-15.2.9.83+g4275378de0-3.17.1 as a component of SUSE Linux Enterprise Module for Basesystem 15 SP2 rados-objclass-devel-15.2.9.83+g4275378de0-3.17.1 as a component of SUSE Linux Enterprise Module for Basesystem 15 SP2 rbd-nbd-15.2.9.83+g4275378de0-3.17.1 as a component of SUSE Linux Enterprise Module for Basesystem 15 SP2 A flaw was found in ceph in versions prior to 16.y.z where ceph stores mgr module passwords in clear text. This can be found by searching the mgr logs for grafana and dashboard, with passwords visible. CVE-2020-25678 Container suse/sles/15.2/virt-launcher:0.38.1:librados2-15.2.9.83+g4275378de0-3.17.1 Container suse/sles/15.2/virt-launcher:0.38.1:librbd1-15.2.9.83+g4275378de0-3.17.1 Container suse/sles/15.3/virt-launcher:0.45.0:librados2-15.2.9.83+g4275378de0-3.17.1 Container suse/sles/15.3/virt-launcher:0.45.0:librbd1-15.2.9.83+g4275378de0-3.17.1 SUSE Enterprise Storage 7:ceph-base-15.2.9.83+g4275378de0-3.17.1 SUSE Enterprise Storage 7:ceph-common-15.2.9.83+g4275378de0-3.17.1 SUSE Enterprise Storage 7:cephadm-15.2.9.83+g4275378de0-3.17.1 SUSE Enterprise Storage 7:libcephfs2-15.2.9.83+g4275378de0-3.17.1 SUSE Enterprise Storage 7:librados2-15.2.9.83+g4275378de0-3.17.1 SUSE Enterprise Storage 7:librbd1-15.2.9.83+g4275378de0-3.17.1 SUSE Enterprise Storage 7:librgw2-15.2.9.83+g4275378de0-3.17.1 SUSE Enterprise Storage 7:python3-ceph-argparse-15.2.9.83+g4275378de0-3.17.1 SUSE Enterprise Storage 7:python3-ceph-common-15.2.9.83+g4275378de0-3.17.1 SUSE Enterprise Storage 7:python3-cephfs-15.2.9.83+g4275378de0-3.17.1 SUSE Enterprise Storage 7:python3-rados-15.2.9.83+g4275378de0-3.17.1 SUSE Enterprise Storage 7:python3-rbd-15.2.9.83+g4275378de0-3.17.1 SUSE Enterprise Storage 7:python3-rgw-15.2.9.83+g4275378de0-3.17.1 SUSE Enterprise Storage 7:rbd-nbd-15.2.9.83+g4275378de0-3.17.1 SUSE Linux Enterprise Module for Basesystem 15 SP2:ceph-common-15.2.9.83+g4275378de0-3.17.1 SUSE Linux Enterprise Module for Basesystem 15 SP2:libcephfs-devel-15.2.9.83+g4275378de0-3.17.1 SUSE Linux Enterprise Module for Basesystem 15 SP2:libcephfs2-15.2.9.83+g4275378de0-3.17.1 SUSE Linux Enterprise Module for Basesystem 15 SP2:librados-devel-15.2.9.83+g4275378de0-3.17.1 SUSE Linux Enterprise Module for Basesystem 15 SP2:librados2-15.2.9.83+g4275378de0-3.17.1 SUSE Linux Enterprise Module for Basesystem 15 SP2:libradospp-devel-15.2.9.83+g4275378de0-3.17.1 SUSE Linux Enterprise Module for Basesystem 15 SP2:librbd-devel-15.2.9.83+g4275378de0-3.17.1 SUSE Linux Enterprise Module for Basesystem 15 SP2:librbd1-15.2.9.83+g4275378de0-3.17.1 SUSE Linux Enterprise Module for Basesystem 15 SP2:librgw-devel-15.2.9.83+g4275378de0-3.17.1 SUSE Linux Enterprise Module for Basesystem 15 SP2:librgw2-15.2.9.83+g4275378de0-3.17.1 SUSE Linux Enterprise Module for Basesystem 15 SP2:python3-ceph-argparse-15.2.9.83+g4275378de0-3.17.1 SUSE Linux Enterprise Module for Basesystem 15 SP2:python3-ceph-common-15.2.9.83+g4275378de0-3.17.1 SUSE Linux Enterprise Module for Basesystem 15 SP2:python3-cephfs-15.2.9.83+g4275378de0-3.17.1 SUSE Linux Enterprise Module for Basesystem 15 SP2:python3-rados-15.2.9.83+g4275378de0-3.17.1 SUSE Linux Enterprise Module for Basesystem 15 SP2:python3-rbd-15.2.9.83+g4275378de0-3.17.1 SUSE Linux Enterprise Module for Basesystem 15 SP2:python3-rgw-15.2.9.83+g4275378de0-3.17.1 SUSE Linux Enterprise Module for Basesystem 15 SP2:rados-objclass-devel-15.2.9.83+g4275378de0-3.17.1 SUSE Linux Enterprise Module for Basesystem 15 SP2:rbd-nbd-15.2.9.83+g4275378de0-3.17.1 moderate 2.1 AV:L/AC:L/Au:N/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2021/suse-su-20211108-1/ https://www.suse.com/security/cve/CVE-2020-25678.html CVE-2020-25678 https://bugzilla.suse.com/1178905 SUSE Bug 1178905 A flaw was found in ceph-dashboard. The JSON Web Token (JWT) used for user authentication is stored by the frontend application in the browser's localStorage which is potentially vulnerable to attackers via XSS attacks. The highest threat from this vulnerability is to data confidentiality and integrity. CVE-2020-27839 Container suse/sles/15.2/virt-launcher:0.38.1:librados2-15.2.9.83+g4275378de0-3.17.1 Container suse/sles/15.2/virt-launcher:0.38.1:librbd1-15.2.9.83+g4275378de0-3.17.1 Container suse/sles/15.3/virt-launcher:0.45.0:librados2-15.2.9.83+g4275378de0-3.17.1 Container suse/sles/15.3/virt-launcher:0.45.0:librbd1-15.2.9.83+g4275378de0-3.17.1 SUSE Enterprise Storage 7:ceph-base-15.2.9.83+g4275378de0-3.17.1 SUSE Enterprise Storage 7:ceph-common-15.2.9.83+g4275378de0-3.17.1 SUSE Enterprise Storage 7:cephadm-15.2.9.83+g4275378de0-3.17.1 SUSE Enterprise Storage 7:libcephfs2-15.2.9.83+g4275378de0-3.17.1 SUSE Enterprise Storage 7:librados2-15.2.9.83+g4275378de0-3.17.1 SUSE Enterprise Storage 7:librbd1-15.2.9.83+g4275378de0-3.17.1 SUSE Enterprise Storage 7:librgw2-15.2.9.83+g4275378de0-3.17.1 SUSE Enterprise Storage 7:python3-ceph-argparse-15.2.9.83+g4275378de0-3.17.1 SUSE Enterprise Storage 7:python3-ceph-common-15.2.9.83+g4275378de0-3.17.1 SUSE Enterprise Storage 7:python3-cephfs-15.2.9.83+g4275378de0-3.17.1 SUSE Enterprise Storage 7:python3-rados-15.2.9.83+g4275378de0-3.17.1 SUSE Enterprise Storage 7:python3-rbd-15.2.9.83+g4275378de0-3.17.1 SUSE Enterprise Storage 7:python3-rgw-15.2.9.83+g4275378de0-3.17.1 SUSE Enterprise Storage 7:rbd-nbd-15.2.9.83+g4275378de0-3.17.1 SUSE Linux Enterprise Module for Basesystem 15 SP2:ceph-common-15.2.9.83+g4275378de0-3.17.1 SUSE Linux Enterprise Module for Basesystem 15 SP2:libcephfs-devel-15.2.9.83+g4275378de0-3.17.1 SUSE Linux Enterprise Module for Basesystem 15 SP2:libcephfs2-15.2.9.83+g4275378de0-3.17.1 SUSE Linux Enterprise Module for Basesystem 15 SP2:librados-devel-15.2.9.83+g4275378de0-3.17.1 SUSE Linux Enterprise Module for Basesystem 15 SP2:librados2-15.2.9.83+g4275378de0-3.17.1 SUSE Linux Enterprise Module for Basesystem 15 SP2:libradospp-devel-15.2.9.83+g4275378de0-3.17.1 SUSE Linux Enterprise Module for Basesystem 15 SP2:librbd-devel-15.2.9.83+g4275378de0-3.17.1 SUSE Linux Enterprise Module for Basesystem 15 SP2:librbd1-15.2.9.83+g4275378de0-3.17.1 SUSE Linux Enterprise Module for Basesystem 15 SP2:librgw-devel-15.2.9.83+g4275378de0-3.17.1 SUSE Linux Enterprise Module for Basesystem 15 SP2:librgw2-15.2.9.83+g4275378de0-3.17.1 SUSE Linux Enterprise Module for Basesystem 15 SP2:python3-ceph-argparse-15.2.9.83+g4275378de0-3.17.1 SUSE Linux Enterprise Module for Basesystem 15 SP2:python3-ceph-common-15.2.9.83+g4275378de0-3.17.1 SUSE Linux Enterprise Module for Basesystem 15 SP2:python3-cephfs-15.2.9.83+g4275378de0-3.17.1 SUSE Linux Enterprise Module for Basesystem 15 SP2:python3-rados-15.2.9.83+g4275378de0-3.17.1 SUSE Linux Enterprise Module for Basesystem 15 SP2:python3-rbd-15.2.9.83+g4275378de0-3.17.1 SUSE Linux Enterprise Module for Basesystem 15 SP2:python3-rgw-15.2.9.83+g4275378de0-3.17.1 SUSE Linux Enterprise Module for Basesystem 15 SP2:rados-objclass-devel-15.2.9.83+g4275378de0-3.17.1 SUSE Linux Enterprise Module for Basesystem 15 SP2:rbd-nbd-15.2.9.83+g4275378de0-3.17.1 moderate 3.5 AV:N/AC:M/Au:S/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2021/suse-su-20211108-1/ https://www.suse.com/security/cve/CVE-2020-27839.html CVE-2020-27839 https://bugzilla.suse.com/1179997 SUSE Bug 1179997