1. Forum
  2. Usenet
  3. LINUX.GENTOO.ANNOUNCE

  • [gentoo-announce] [ GLSA 202312-10 ] Ceph: Root Privilege Escalation

    From glsamaker@gentoo.org@21:1/5 to All on Sat Dec 23 09:10:01 2023
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Gentoo Linux Security Advisory GLSA 202312-10
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    https://security.gentoo.org/
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

    Severity: High
    Title: Ceph: Root Privilege Escalation
    Date: December 23, 2023
    Bugs: #878277
    ID: 202312-10

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

    Synopsis
    ========

    A vulnerability has been found in Ceph which can lead to root privilege escalation.

    Background
    ==========

    Ceph is a distributed network file system designed to provide excellent performance, reliability, and scalability.

    Affected packages
    =================

    Package Vulnerable Unaffected
    ---------------- ------------ ------------
    sys-cluster/ceph < 17.2.6 >= 17.2.6

    Description
    ===========

    A vulnerability has been discovered in Ceph. Please review the CVE
    identifier referenced below for details.

    Impact
    ======

    The ceph-crash.service runs the ceph-crash Python script as root. The
    script is operating in the directory /var/lib/ceph/crash which is
    controlled by the unprivileged ceph user (ceph:ceph mode 0750). The
    script periodically scans for new crash directories and forwards the
    content via `ceph crash post`.

    Workaround
    ==========

    There is no known workaround at this time.

    Resolution
    ==========

    All Ceph users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=sys-cluster/ceph-17.2.6"

    References
    ==========

    [ 1 ] CVE-2022-3650
    https://nvd.nist.gov/vuln/detail/CVE-2022-3650

    Availability
    ============

    This GLSA and any updates to it are available for viewing at
    the Gentoo Security Website:

    https://security.gentoo.org/glsa/202312-10

    Concerns?
    =========

    Security is a primary focus of Gentoo Linux and ensuring the
    confidentiality and security of our users' machines is of utmost
    importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org.

    License
    =======

    Copyright 2023 Gentoo Foundation, Inc; referenced text
    belongs to its owner(s).

    The contents of this document are licensed under the
    Creative Commons - Attribution / Share Alike license.

    https://creativecommons.org/licenses/by-sa/2.5
    -----BEGIN PGP SIGNATURE-----

    iQIzBAEBCgAdFiEEpqTA6ABLMxh/aChGFMQkOaVy+9kFAmWGlLIACgkQFMQkOaVy +9kXGxAA1/Lsyeye8/i68ngxVAbJSlTwn98k9pi4xg5kXWCGELJ/p1tNhj1A5kxT 6F1koiOfAOBZ4X85ZPo45t5dMP5l4aOlLkY/BsTnNh8alqdQOkgbAH6CKjkh7eQ7 ep7Y48Ce+yNYHu10FVVrRRwQaXnl4CLSHKyKW8vHSdDXVg/MG1prWCQYE0Gm5HOx 8jsr5yb1wGhkEySUJ9mCEZ7Ys1OuUxD23bAubZIWjBdQ3QkhUB5Y4mrHzZMuP7uD afrjXkN3mVA16O/BACPCDKjSJYG1hmzi13OEw9FKvQAu1Z4vhFKMGx+zcjMk0ayu wcjqAU8xucP2si7dfVed0PegPmQyNHsGIs4GeniXrKmdMniylvI+CFoyr9ge73nn L/gkF29g2fdY4uqDdcURS/7FIP2d+zlvRRnz3HYP1hJdLtgwxrdr4wlK44r+hccc 6SCIm2bYCwVBsINKiJm7yoDSAFUKiGWzwXaLY/b9gesuvX5h4EF5mrN9kYkosfh4 I4183DteI/EgDkomK1BUUuU2OgyjB/WHuapCBhTaIjzS59obu1FSJXmNQeeIT7Om vM4opqIwS3YdGO53dGgsJZo/KCQ64fWZSbUCW1yQvpy8UVKtVn/XQhUl2Fw7p0FX 5h6r5MB43afc9ktvGkNv8yb8ogNAa2btj5Yhe5gBykzuZu5HMAw=
    =yxyN
    -----END PGP SIGNATURE-----

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)