Security restrictions bypass in Ceph - CVE-2018-10861

 


Published: August 10, 2018 / Updated: August 28, 2018


Vulnerability identifier: #VU14329
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2018-10861
CWE-ID: CWE-20
Exploitation vector: Adjacent network
Exploit availability: No public exploit available
Vendor: Red Hat Inc.
Affected software:
Ceph

Detailed vulnerability description

The vulnerability allows an adjacent authenticated attacker to bypass security restrictions on the target system.

The vulnerability exists in the Ceph master, mimic, luminous and jewel branches due to improper handling of user-supplied requests by ceph mon. An adjacent attacker with read access to Ceph can delete or create Ceph storage pools and corrupt snapshot images.


How to mitigate CVE-2018-10861

Install the update from the vendor's website.
