Multiple vulnerabilities in Red Hat Ceph Storage 6.1
| Risk | Medium |
| Patch available | YES |
| Number of vulnerabilities | 2 |
| CVE-ID | CVE-2023-2801 CVE-2023-2183 |
| CWE-ID | CWE-662 CWE-862 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software |
Red Hat Enterprise Linux for Power, little endian Operating systems & Components / Operating system Red Hat Enterprise Linux for IBM z Systems Operating systems & Components / Operating system Red Hat Enterprise Linux for x86_64 Operating systems & Components / Operating system Ceph Server applications / Other server solutions cephadm-ansible (Red Hat package) Operating systems & Components / Operating system package or component |
| Vendor | Red Hat Inc. |
Security Bulletin
This security bulletin contains information about 2 vulnerabilities.
1) Improper synchronization
EUVDB-ID: #VU77623
Risk: Medium
CVSSv4.0: 4.9 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2023-2801
CWE-ID:
CWE-662 - Improper Synchronization
Exploit availability: No
DescriptionThe vulnerability allows a remote user to perform a denial of service (DoS) attack.
The vulnerability exists due to incorrect synchronization when processing multiple requests. A remote user can query multiple distinct data sources using mixed queries via public dashboard or API and crash Grafana instances.
MitigationInstall updates from vendor's website.
Red Hat Enterprise Linux for Power, little endian: 9
Red Hat Enterprise Linux for IBM z Systems: 9
Red Hat Enterprise Linux for x86_64: 9
Ceph: before 17.2.6-167.el9cp
cephadm-ansible (Red Hat package): before 2.18.0-1.el9cp
CPE2.3- cpe:2.3:o:red_hat:red_hat_enterprise_linux_for_power_little_endian:9:*:*:*:*:red_hat_enterprise_linux:*:*
- cpe:2.3:o:red_hat:red_hat_enterprise_linux_for_ibm_z_systems:9:*:*:*:*:red_hat_enterprise_linux:*:*
- cpe:2.3:o:red_hat:red_hat_enterprise_linux:9:*:*:*:*:*:*:*
- cpe:2.3:a:red_hat:ceph:*:*:*:*:*:*:*:*
- cpe:2.3:a:red_hat:cephadm-ansible_redhat_package:*:*:*:*:*:red_hat_enterprise_linux:*:*
https://access.redhat.com/errata/RHSA-2023:7740
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Missing Authorization
EUVDB-ID: #VU78470
Risk: Low
CVSSv4.0: 1.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2023-2183
CWE-ID:
CWE-862 - Missing Authorization
Exploit availability: No
DescriptionThe vulnerability allows a remote user to bypass implemented security restrictions.
The vulnerability exists due to missing authorization in the alerts feature within API. A remote user can use the API to send multiple alert messages to e-mail and Slack, spamming users, prepare Phishing attack or block SMTP server.
MitigationInstall updates from vendor's website.
Red Hat Enterprise Linux for Power, little endian: 9
Red Hat Enterprise Linux for IBM z Systems: 9
Red Hat Enterprise Linux for x86_64: 9
Ceph: before 17.2.6-167.el9cp
cephadm-ansible (Red Hat package): before 2.18.0-1.el9cp
CPE2.3- cpe:2.3:o:red_hat:red_hat_enterprise_linux_for_power_little_endian:9:*:*:*:*:red_hat_enterprise_linux:*:*
- cpe:2.3:o:red_hat:red_hat_enterprise_linux_for_ibm_z_systems:9:*:*:*:*:red_hat_enterprise_linux:*:*
- cpe:2.3:o:red_hat:red_hat_enterprise_linux:9:*:*:*:*:*:*:*
- cpe:2.3:a:red_hat:ceph:*:*:*:*:*:*:*:*
- cpe:2.3:a:red_hat:cephadm-ansible_redhat_package:*:*:*:*:*:red_hat_enterprise_linux:*:*
https://access.redhat.com/errata/RHSA-2023:7740
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
