Security update for ceph SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2021:0544-1 Final 1 1 2021-04-12T04:05:20Z current 2021-04-12T04:05:20Z 2021-04-12T04:05:20Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for ceph This update for ceph fixes the following issues: - ceph was updated to to 15.2.9 - cephadm: fix 'inspect' and 'pull' (bsc#1182766) - CVE-2020-27839: mgr/dashboard: Use secure cookies to store JWT Token (bsc#1179997) - CVE-2020-25678: Do not add sensitive information in Ceph log files (bsc#1178905) - mgr/orchestrator: Sort 'ceph orch device ls' by host (bsc#1172926) - mgr/dashboard: enable different URL for users of browser to Grafana (bsc#1176390, bsc#1176679) - mgr/cephadm: lock multithreaded access to OSDRemovalQueue (bsc#1176489) - cephadm: command_unit: call systemctl with verbose=True (bsc#1176828) - cephadm: silence 'Failed to evict container' log msg (bsc#1177360) - mgr/cephadm: upgrade: fail gracefully, if daemon redeploy fails (bsc#1177857) - rgw: cls/user: set from_index for reset stats calls (bsc#1178837) - mgr/dashboard: Disable TLS 1.0 and 1.1 (bsc#1178860) - cephadm: reference the last local image by digest (bsc#1178932, bsc#1179569) This update was imported from the SUSE:SLE-15-SP2:Update update project. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-2021-544 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/SNSWJAZ3F5NDFCU63NISQ76JHRYOI25U/ E-Mail link for openSUSE-SU-2021:0544-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1172926 SUSE Bug 1172926 https://bugzilla.suse.com/1176390 SUSE Bug 1176390 https://bugzilla.suse.com/1176489 SUSE Bug 1176489 https://bugzilla.suse.com/1176679 SUSE Bug 1176679 https://bugzilla.suse.com/1176828 SUSE Bug 1176828 https://bugzilla.suse.com/1177360 SUSE Bug 1177360 https://bugzilla.suse.com/1177857 SUSE Bug 1177857 https://bugzilla.suse.com/1178837 SUSE Bug 1178837 https://bugzilla.suse.com/1178860 SUSE Bug 1178860 https://bugzilla.suse.com/1178905 SUSE Bug 1178905 https://bugzilla.suse.com/1178932 SUSE Bug 1178932 https://bugzilla.suse.com/1179569 SUSE Bug 1179569 https://bugzilla.suse.com/1179997 SUSE Bug 1179997 https://bugzilla.suse.com/1182766 SUSE Bug 1182766 https://www.suse.com/security/cve/CVE-2020-25678/ SUSE CVE CVE-2020-25678 page https://www.suse.com/security/cve/CVE-2020-27839/ SUSE CVE CVE-2020-27839 page openSUSE Leap 15.2 ceph-15.2.9.83+g4275378de0-lp152.2.12.1 ceph-base-15.2.9.83+g4275378de0-lp152.2.12.1 ceph-common-15.2.9.83+g4275378de0-lp152.2.12.1 ceph-fuse-15.2.9.83+g4275378de0-lp152.2.12.1 ceph-grafana-dashboards-15.2.9.83+g4275378de0-lp152.2.12.1 ceph-immutable-object-cache-15.2.9.83+g4275378de0-lp152.2.12.1 ceph-mds-15.2.9.83+g4275378de0-lp152.2.12.1 ceph-mgr-15.2.9.83+g4275378de0-lp152.2.12.1 ceph-mgr-cephadm-15.2.9.83+g4275378de0-lp152.2.12.1 ceph-mgr-dashboard-15.2.9.83+g4275378de0-lp152.2.12.1 ceph-mgr-diskprediction-cloud-15.2.9.83+g4275378de0-lp152.2.12.1 ceph-mgr-diskprediction-local-15.2.9.83+g4275378de0-lp152.2.12.1 ceph-mgr-k8sevents-15.2.9.83+g4275378de0-lp152.2.12.1 ceph-mgr-modules-core-15.2.9.83+g4275378de0-lp152.2.12.1 ceph-mgr-rook-15.2.9.83+g4275378de0-lp152.2.12.1 ceph-mon-15.2.9.83+g4275378de0-lp152.2.12.1 ceph-osd-15.2.9.83+g4275378de0-lp152.2.12.1 ceph-prometheus-alerts-15.2.9.83+g4275378de0-lp152.2.12.1 ceph-radosgw-15.2.9.83+g4275378de0-lp152.2.12.1 ceph-test-15.2.9.83+g4275378de0-lp152.2.12.1 cephadm-15.2.9.83+g4275378de0-lp152.2.12.1 cephfs-shell-15.2.9.83+g4275378de0-lp152.2.12.1 libcephfs-devel-15.2.9.83+g4275378de0-lp152.2.12.1 libcephfs2-15.2.9.83+g4275378de0-lp152.2.12.1 librados-devel-15.2.9.83+g4275378de0-lp152.2.12.1 librados2-15.2.9.83+g4275378de0-lp152.2.12.1 libradospp-devel-15.2.9.83+g4275378de0-lp152.2.12.1 librbd-devel-15.2.9.83+g4275378de0-lp152.2.12.1 librbd1-15.2.9.83+g4275378de0-lp152.2.12.1 librgw-devel-15.2.9.83+g4275378de0-lp152.2.12.1 librgw2-15.2.9.83+g4275378de0-lp152.2.12.1 python3-ceph-argparse-15.2.9.83+g4275378de0-lp152.2.12.1 python3-ceph-common-15.2.9.83+g4275378de0-lp152.2.12.1 python3-cephfs-15.2.9.83+g4275378de0-lp152.2.12.1 python3-rados-15.2.9.83+g4275378de0-lp152.2.12.1 python3-rbd-15.2.9.83+g4275378de0-lp152.2.12.1 python3-rgw-15.2.9.83+g4275378de0-lp152.2.12.1 rados-objclass-devel-15.2.9.83+g4275378de0-lp152.2.12.1 rbd-fuse-15.2.9.83+g4275378de0-lp152.2.12.1 rbd-mirror-15.2.9.83+g4275378de0-lp152.2.12.1 rbd-nbd-15.2.9.83+g4275378de0-lp152.2.12.1 ceph-15.2.9.83+g4275378de0-lp152.2.12.1 as a component of openSUSE Leap 15.2 ceph-base-15.2.9.83+g4275378de0-lp152.2.12.1 as a component of openSUSE Leap 15.2 ceph-common-15.2.9.83+g4275378de0-lp152.2.12.1 as a component of openSUSE Leap 15.2 ceph-fuse-15.2.9.83+g4275378de0-lp152.2.12.1 as a component of openSUSE Leap 15.2 ceph-grafana-dashboards-15.2.9.83+g4275378de0-lp152.2.12.1 as a component of openSUSE Leap 15.2 ceph-immutable-object-cache-15.2.9.83+g4275378de0-lp152.2.12.1 as a component of openSUSE Leap 15.2 ceph-mds-15.2.9.83+g4275378de0-lp152.2.12.1 as a component of openSUSE Leap 15.2 ceph-mgr-15.2.9.83+g4275378de0-lp152.2.12.1 as a component of openSUSE Leap 15.2 ceph-mgr-cephadm-15.2.9.83+g4275378de0-lp152.2.12.1 as a component of openSUSE Leap 15.2 ceph-mgr-dashboard-15.2.9.83+g4275378de0-lp152.2.12.1 as a component of openSUSE Leap 15.2 ceph-mgr-diskprediction-cloud-15.2.9.83+g4275378de0-lp152.2.12.1 as a component of openSUSE Leap 15.2 ceph-mgr-diskprediction-local-15.2.9.83+g4275378de0-lp152.2.12.1 as a component of openSUSE Leap 15.2 ceph-mgr-k8sevents-15.2.9.83+g4275378de0-lp152.2.12.1 as a component of openSUSE Leap 15.2 ceph-mgr-modules-core-15.2.9.83+g4275378de0-lp152.2.12.1 as a component of openSUSE Leap 15.2 ceph-mgr-rook-15.2.9.83+g4275378de0-lp152.2.12.1 as a component of openSUSE Leap 15.2 ceph-mon-15.2.9.83+g4275378de0-lp152.2.12.1 as a component of openSUSE Leap 15.2 ceph-osd-15.2.9.83+g4275378de0-lp152.2.12.1 as a component of openSUSE Leap 15.2 ceph-prometheus-alerts-15.2.9.83+g4275378de0-lp152.2.12.1 as a component of openSUSE Leap 15.2 ceph-radosgw-15.2.9.83+g4275378de0-lp152.2.12.1 as a component of openSUSE Leap 15.2 ceph-test-15.2.9.83+g4275378de0-lp152.2.12.1 as a component of openSUSE Leap 15.2 cephadm-15.2.9.83+g4275378de0-lp152.2.12.1 as a component of openSUSE Leap 15.2 cephfs-shell-15.2.9.83+g4275378de0-lp152.2.12.1 as a component of openSUSE Leap 15.2 libcephfs-devel-15.2.9.83+g4275378de0-lp152.2.12.1 as a component of openSUSE Leap 15.2 libcephfs2-15.2.9.83+g4275378de0-lp152.2.12.1 as a component of openSUSE Leap 15.2 librados-devel-15.2.9.83+g4275378de0-lp152.2.12.1 as a component of openSUSE Leap 15.2 librados2-15.2.9.83+g4275378de0-lp152.2.12.1 as a component of openSUSE Leap 15.2 libradospp-devel-15.2.9.83+g4275378de0-lp152.2.12.1 as a component of openSUSE Leap 15.2 librbd-devel-15.2.9.83+g4275378de0-lp152.2.12.1 as a component of openSUSE Leap 15.2 librbd1-15.2.9.83+g4275378de0-lp152.2.12.1 as a component of openSUSE Leap 15.2 librgw-devel-15.2.9.83+g4275378de0-lp152.2.12.1 as a component of openSUSE Leap 15.2 librgw2-15.2.9.83+g4275378de0-lp152.2.12.1 as a component of openSUSE Leap 15.2 python3-ceph-argparse-15.2.9.83+g4275378de0-lp152.2.12.1 as a component of openSUSE Leap 15.2 python3-ceph-common-15.2.9.83+g4275378de0-lp152.2.12.1 as a component of openSUSE Leap 15.2 python3-cephfs-15.2.9.83+g4275378de0-lp152.2.12.1 as a component of openSUSE Leap 15.2 python3-rados-15.2.9.83+g4275378de0-lp152.2.12.1 as a component of openSUSE Leap 15.2 python3-rbd-15.2.9.83+g4275378de0-lp152.2.12.1 as a component of openSUSE Leap 15.2 python3-rgw-15.2.9.83+g4275378de0-lp152.2.12.1 as a component of openSUSE Leap 15.2 rados-objclass-devel-15.2.9.83+g4275378de0-lp152.2.12.1 as a component of openSUSE Leap 15.2 rbd-fuse-15.2.9.83+g4275378de0-lp152.2.12.1 as a component of openSUSE Leap 15.2 rbd-mirror-15.2.9.83+g4275378de0-lp152.2.12.1 as a component of openSUSE Leap 15.2 rbd-nbd-15.2.9.83+g4275378de0-lp152.2.12.1 as a component of openSUSE Leap 15.2 A flaw was found in ceph in versions prior to 16.y.z where ceph stores mgr module passwords in clear text. This can be found by searching the mgr logs for grafana and dashboard, with passwords visible. CVE-2020-25678 openSUSE Leap 15.2:ceph-15.2.9.83+g4275378de0-lp152.2.12.1 openSUSE Leap 15.2:ceph-base-15.2.9.83+g4275378de0-lp152.2.12.1 openSUSE Leap 15.2:ceph-common-15.2.9.83+g4275378de0-lp152.2.12.1 openSUSE Leap 15.2:ceph-fuse-15.2.9.83+g4275378de0-lp152.2.12.1 openSUSE Leap 15.2:ceph-grafana-dashboards-15.2.9.83+g4275378de0-lp152.2.12.1 openSUSE Leap 15.2:ceph-immutable-object-cache-15.2.9.83+g4275378de0-lp152.2.12.1 openSUSE Leap 15.2:ceph-mds-15.2.9.83+g4275378de0-lp152.2.12.1 openSUSE Leap 15.2:ceph-mgr-15.2.9.83+g4275378de0-lp152.2.12.1 openSUSE Leap 15.2:ceph-mgr-cephadm-15.2.9.83+g4275378de0-lp152.2.12.1 openSUSE Leap 15.2:ceph-mgr-dashboard-15.2.9.83+g4275378de0-lp152.2.12.1 openSUSE Leap 15.2:ceph-mgr-diskprediction-cloud-15.2.9.83+g4275378de0-lp152.2.12.1 openSUSE Leap 15.2:ceph-mgr-diskprediction-local-15.2.9.83+g4275378de0-lp152.2.12.1 openSUSE Leap 15.2:ceph-mgr-k8sevents-15.2.9.83+g4275378de0-lp152.2.12.1 openSUSE Leap 15.2:ceph-mgr-modules-core-15.2.9.83+g4275378de0-lp152.2.12.1 openSUSE Leap 15.2:ceph-mgr-rook-15.2.9.83+g4275378de0-lp152.2.12.1 openSUSE Leap 15.2:ceph-mon-15.2.9.83+g4275378de0-lp152.2.12.1 openSUSE Leap 15.2:ceph-osd-15.2.9.83+g4275378de0-lp152.2.12.1 openSUSE Leap 15.2:ceph-prometheus-alerts-15.2.9.83+g4275378de0-lp152.2.12.1 openSUSE Leap 15.2:ceph-radosgw-15.2.9.83+g4275378de0-lp152.2.12.1 openSUSE Leap 15.2:ceph-test-15.2.9.83+g4275378de0-lp152.2.12.1 openSUSE Leap 15.2:cephadm-15.2.9.83+g4275378de0-lp152.2.12.1 openSUSE Leap 15.2:cephfs-shell-15.2.9.83+g4275378de0-lp152.2.12.1 openSUSE Leap 15.2:libcephfs-devel-15.2.9.83+g4275378de0-lp152.2.12.1 openSUSE Leap 15.2:libcephfs2-15.2.9.83+g4275378de0-lp152.2.12.1 openSUSE Leap 15.2:librados-devel-15.2.9.83+g4275378de0-lp152.2.12.1 openSUSE Leap 15.2:librados2-15.2.9.83+g4275378de0-lp152.2.12.1 openSUSE Leap 15.2:libradospp-devel-15.2.9.83+g4275378de0-lp152.2.12.1 openSUSE Leap 15.2:librbd-devel-15.2.9.83+g4275378de0-lp152.2.12.1 openSUSE Leap 15.2:librbd1-15.2.9.83+g4275378de0-lp152.2.12.1 openSUSE Leap 15.2:librgw-devel-15.2.9.83+g4275378de0-lp152.2.12.1 openSUSE Leap 15.2:librgw2-15.2.9.83+g4275378de0-lp152.2.12.1 openSUSE Leap 15.2:python3-ceph-argparse-15.2.9.83+g4275378de0-lp152.2.12.1 openSUSE Leap 15.2:python3-ceph-common-15.2.9.83+g4275378de0-lp152.2.12.1 openSUSE Leap 15.2:python3-cephfs-15.2.9.83+g4275378de0-lp152.2.12.1 openSUSE Leap 15.2:python3-rados-15.2.9.83+g4275378de0-lp152.2.12.1 openSUSE Leap 15.2:python3-rbd-15.2.9.83+g4275378de0-lp152.2.12.1 openSUSE Leap 15.2:python3-rgw-15.2.9.83+g4275378de0-lp152.2.12.1 openSUSE Leap 15.2:rados-objclass-devel-15.2.9.83+g4275378de0-lp152.2.12.1 openSUSE Leap 15.2:rbd-fuse-15.2.9.83+g4275378de0-lp152.2.12.1 openSUSE Leap 15.2:rbd-mirror-15.2.9.83+g4275378de0-lp152.2.12.1 openSUSE Leap 15.2:rbd-nbd-15.2.9.83+g4275378de0-lp152.2.12.1 moderate 2.1 AV:L/AC:L/Au:N/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/SNSWJAZ3F5NDFCU63NISQ76JHRYOI25U/ https://www.suse.com/security/cve/CVE-2020-25678.html CVE-2020-25678 https://bugzilla.suse.com/1178905 SUSE Bug 1178905 A flaw was found in ceph-dashboard. The JSON Web Token (JWT) used for user authentication is stored by the frontend application in the browser's localStorage which is potentially vulnerable to attackers via XSS attacks. The highest threat from this vulnerability is to data confidentiality and integrity. CVE-2020-27839 openSUSE Leap 15.2:ceph-15.2.9.83+g4275378de0-lp152.2.12.1 openSUSE Leap 15.2:ceph-base-15.2.9.83+g4275378de0-lp152.2.12.1 openSUSE Leap 15.2:ceph-common-15.2.9.83+g4275378de0-lp152.2.12.1 openSUSE Leap 15.2:ceph-fuse-15.2.9.83+g4275378de0-lp152.2.12.1 openSUSE Leap 15.2:ceph-grafana-dashboards-15.2.9.83+g4275378de0-lp152.2.12.1 openSUSE Leap 15.2:ceph-immutable-object-cache-15.2.9.83+g4275378de0-lp152.2.12.1 openSUSE Leap 15.2:ceph-mds-15.2.9.83+g4275378de0-lp152.2.12.1 openSUSE Leap 15.2:ceph-mgr-15.2.9.83+g4275378de0-lp152.2.12.1 openSUSE Leap 15.2:ceph-mgr-cephadm-15.2.9.83+g4275378de0-lp152.2.12.1 openSUSE Leap 15.2:ceph-mgr-dashboard-15.2.9.83+g4275378de0-lp152.2.12.1 openSUSE Leap 15.2:ceph-mgr-diskprediction-cloud-15.2.9.83+g4275378de0-lp152.2.12.1 openSUSE Leap 15.2:ceph-mgr-diskprediction-local-15.2.9.83+g4275378de0-lp152.2.12.1 openSUSE Leap 15.2:ceph-mgr-k8sevents-15.2.9.83+g4275378de0-lp152.2.12.1 openSUSE Leap 15.2:ceph-mgr-modules-core-15.2.9.83+g4275378de0-lp152.2.12.1 openSUSE Leap 15.2:ceph-mgr-rook-15.2.9.83+g4275378de0-lp152.2.12.1 openSUSE Leap 15.2:ceph-mon-15.2.9.83+g4275378de0-lp152.2.12.1 openSUSE Leap 15.2:ceph-osd-15.2.9.83+g4275378de0-lp152.2.12.1 openSUSE Leap 15.2:ceph-prometheus-alerts-15.2.9.83+g4275378de0-lp152.2.12.1 openSUSE Leap 15.2:ceph-radosgw-15.2.9.83+g4275378de0-lp152.2.12.1 openSUSE Leap 15.2:ceph-test-15.2.9.83+g4275378de0-lp152.2.12.1 openSUSE Leap 15.2:cephadm-15.2.9.83+g4275378de0-lp152.2.12.1 openSUSE Leap 15.2:cephfs-shell-15.2.9.83+g4275378de0-lp152.2.12.1 openSUSE Leap 15.2:libcephfs-devel-15.2.9.83+g4275378de0-lp152.2.12.1 openSUSE Leap 15.2:libcephfs2-15.2.9.83+g4275378de0-lp152.2.12.1 openSUSE Leap 15.2:librados-devel-15.2.9.83+g4275378de0-lp152.2.12.1 openSUSE Leap 15.2:librados2-15.2.9.83+g4275378de0-lp152.2.12.1 openSUSE Leap 15.2:libradospp-devel-15.2.9.83+g4275378de0-lp152.2.12.1 openSUSE Leap 15.2:librbd-devel-15.2.9.83+g4275378de0-lp152.2.12.1 openSUSE Leap 15.2:librbd1-15.2.9.83+g4275378de0-lp152.2.12.1 openSUSE Leap 15.2:librgw-devel-15.2.9.83+g4275378de0-lp152.2.12.1 openSUSE Leap 15.2:librgw2-15.2.9.83+g4275378de0-lp152.2.12.1 openSUSE Leap 15.2:python3-ceph-argparse-15.2.9.83+g4275378de0-lp152.2.12.1 openSUSE Leap 15.2:python3-ceph-common-15.2.9.83+g4275378de0-lp152.2.12.1 openSUSE Leap 15.2:python3-cephfs-15.2.9.83+g4275378de0-lp152.2.12.1 openSUSE Leap 15.2:python3-rados-15.2.9.83+g4275378de0-lp152.2.12.1 openSUSE Leap 15.2:python3-rbd-15.2.9.83+g4275378de0-lp152.2.12.1 openSUSE Leap 15.2:python3-rgw-15.2.9.83+g4275378de0-lp152.2.12.1 openSUSE Leap 15.2:rados-objclass-devel-15.2.9.83+g4275378de0-lp152.2.12.1 openSUSE Leap 15.2:rbd-fuse-15.2.9.83+g4275378de0-lp152.2.12.1 openSUSE Leap 15.2:rbd-mirror-15.2.9.83+g4275378de0-lp152.2.12.1 openSUSE Leap 15.2:rbd-nbd-15.2.9.83+g4275378de0-lp152.2.12.1 low 3.5 AV:N/AC:M/Au:S/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/SNSWJAZ3F5NDFCU63NISQ76JHRYOI25U/ https://www.suse.com/security/cve/CVE-2020-27839.html CVE-2020-27839 https://bugzilla.suse.com/1179997 SUSE Bug 1179997