Security Bulletin: IBM Storage Ceph is vulnerable to Improper Output Neutralization for Logs in the RHEL UBI (CVE-2023-28486)

Summary

RHEL UBI is used by IBM Storage Ceph as the base operating system. This bulletin identifies the steps to take to address the vulnerability in the RHEL UBI. CVE-2023-28486.

Vulnerability Details

CVEID:CVE-2023-28486
**DESCRIPTION:**Sudo Project Sudo could allow a remote attacker to obtain sensitive information, caused by improper escaping terminal control characters during logging operations. By sending specially crafted terminal control commands, an attacker could exploit this vulnerability to obtain restricted information information, and use this information to launch further attacks against the affected system.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/250349 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

Affected Products and Versions

Remediation/Fixes

IBM strongly recommends addressing the vulnerability now.
Download the latest version of IBM Storage Ceph and upgrade to 6.1z5 or later by following instructions.

<https://public.dhe.ibm.com/ibmdl/export/pub/storage/ceph/&gt;
<https://www.ibm.com/docs/en/storage-ceph/6?topic=upgrading&gt;

Workarounds and Mitigations

None