Lucene search

IBM08299E75218F26DCF94BA2225B3C87187B7F618737094891FAE8C0E0D675554E

HistoryAug 05, 2024 - 7:42 p.m.

Security Bulletin: IBM Storage Ceph is vulnerable to an Improper Link Resolution Before File Access in the RHEL UBI (CVE-2021-35938)

2024-08-0519:42:12

www.ibm.com

ibm storage ceph

rhel ubi

cve-2021-35938

rpm project

elevated privileges

vulnerability

upgrade

CVSS3

6.7

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

AI Score

6.3

Confidence

High

JSON

Summary

RHEL UBI is used by IBM Storage Ceph as the base operating system. This bulletin identifies the steps to take to address the vulnerability in the RHEL UBI. CVE-2021-35938.

Vulnerability Details

CVEID:CVE-2021-35938
**DESCRIPTION:**RPM Project RPM could allow a local authenticated attacker to gain elevated privileges on the system, caused by a symbolic link when setting the desired permissions and credentials after installing a file. An attacker could exploit this vulnerability to exchange the original file with a symbolic link to a security-critical file and gain elevated privileges on the system.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/211337 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H)

Affected Products and Versions

Affected Product(s)	Version(s)
IBM Storage Ceph	6.0, 6.1-6.1z6
IBM Storage Ceph	5.3z1-z5

Remediation/Fixes

IBM strongly recommends addressing the vulnerability now.
Download the latest version of IBM Storage Ceph and upgrade to 7.0 by following instructions.

<https://public.dhe.ibm.com/ibmdl/export/pub/storage/ceph/>
https://www.ibm.com/docs/en/storage-ceph/7?topic=upgrading

Workarounds and Mitigations

None

Affected configurations

Vulners

Node

ibmstorage_cephMatch6.0

ibmstorage_cephMatch6.1

ibmstorage_cephMatch6

ibmstorage_cephMatch5.3

ibmstorage_cephMatch1

ibmstorage_cephMatch5

VendorProductVersionCPE
ibmstorage_ceph6.0cpe:2.3:a:ibm:storage_ceph:6.0:*:*:*:*:*:*:*
ibmstorage_ceph6.1cpe:2.3:a:ibm:storage_ceph:6.1:*:*:*:*:*:*:*
ibmstorage_ceph6cpe:2.3:a:ibm:storage_ceph:6:*:*:*:*:*:*:*
ibmstorage_ceph5.3cpe:2.3:a:ibm:storage_ceph:5.3:*:*:*:*:*:*:*
ibmstorage_ceph1cpe:2.3:a:ibm:storage_ceph:1:*:*:*:*:*:*:*
ibmstorage_ceph5cpe:2.3:a:ibm:storage_ceph:5:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
ibm	storage_ceph	6.0	cpe:2.3:a:ibm:storage_ceph:6.0:::::::*
ibm	storage_ceph	6.1	cpe:2.3:a:ibm:storage_ceph:6.1:::::::*
ibm	storage_ceph	6	cpe:2.3:a:ibm:storage_ceph:6:::::::*
ibm	storage_ceph	5.3	cpe:2.3:a:ibm:storage_ceph:5.3:::::::*
ibm	storage_ceph	1	cpe:2.3:a:ibm:storage_ceph:1:::::::*
ibm	storage_ceph	5	cpe:2.3:a:ibm:storage_ceph:5:::::::*