Security Bulletin: IBM Storage Ceph is vulnerable to assorted vulnerabilities in Grafana

Summary

Moby is used by IBM Storage Ceph in Grafana as part of Metrics. This bulletin identifies the steps to take to address the vulnerability in Grafana. CVE-2021-21285, CVE-2021-31525, CVE-2021-3121, CVE-2022-34038, CVE-2021-41103, CVE-2021-41089, CVE-2020-29652, CVE-2022-27536, CVE-2021-44716, CVE-2023-28842, CVE-2021-21284, CVE-2021-30465, CVE-2018-16875, CVE-2021-32760, CVE-2020-15257, CVE-2022-24769, CVE-2022-21698, CVE-2021-41091, CVE-2022-36109, CVE-2022-27191, CVE-2021-43565.

Vulnerability Details

CVEID:CVE-2021-21285
**DESCRIPTION:**Docker is vulnerable to a denial of service, caused by improper input validation. By persuading a victim to pull a specially-crafted Docker image, a remote attacker could exploit this vulnerability to cause the dockerd daemon to crash, and results in a denial of service condition.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/196049 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)

CVEID:CVE-2021-31525
**DESCRIPTION:**Golang Go is vulnerable to a denial of service, caused by a flaw in net/http. By sending a specially-crafted header to ReadRequest or ReadResponse. Server, Transport, and Client, a remote attacker could exploit this vulnerability to cause a (panic) denial of service condition.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/202709 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID:CVE-2021-3121
**DESCRIPTION:**An unspecified error with the lack of certain index validation, aka the skippy peanut butter issue in GoGo Protobuf has an unknown impact and attack vector.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/194539 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

CVEID:CVE-2022-34038
**DESCRIPTION:**etcd-io etcd is vulnerable to a denial of service, caused by a flaw in the PageWriter.write in pagewriter.go function. By sending a specially crafted request, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/266591 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID:CVE-2021-41103
**DESCRIPTION:**containerd could allow a local authenticated attacker to traverse directories on the system, caused by improper restricted permissions on container root and plugin directories. An attacker could send a specially-crafted request containing “dot dot” sequences (/…/) to view directory contents and execute programs.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/210615 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L)

CVEID:CVE-2021-41089
**DESCRIPTION:**Moby could allow a local authenticated attacker to bypass security restrictions, caused by a flaw in the docker cp command. By copying files using docker cp into a specially-crafted container, an attacker could exploit this vulnerability to change the existing Unix file permission in the host’s filesystem.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/210637 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:L)

CVEID:CVE-2020-29652
**DESCRIPTION:**Golang Go is vulnerable to a denial of service, caused by a NULL pointer dereference in the golang.org/x/crypto/ssh component. By sending a specially-crafted request, a remote attacker could exploit this vulnerability to cause a denial of service.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/193622 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID:CVE-2022-27536
**DESCRIPTION:**Golang Go is vulnerable to a denial of service, caused by improper input validation by the Certificate.Verify function in crypto/x509. By using a specially-crafted certificate, a remote attacker could exploit this vulnerability to cause a TLS client to panic.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/224870 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID:CVE-2021-44716
**DESCRIPTION:**Golang Go is vulnerable to a denial of service, caused by an uncontrolled memory consumption in the header canonicalization cache in net/http. By sending HTTP/2 requests, a remote attacker could exploit this vulnerability to consume all available memory resources.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/216553 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID:CVE-2023-28842
**DESCRIPTION:**Moby could allow a remote attacker to bypass security restrictions, caused by an unprotected alternate channel within encrypted overlay networks. By sending a specially crafted request, an attacker could exploit this vulnerability to inject arbitrary Ethernet frames into the encrypted overlay network by encapsulating them in VXLAN datagrams.
CVSS Base score: 6.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/251929 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N)

CVEID:CVE-2021-21284
**DESCRIPTION:**Docker could allow a remote authenticated attacker to gain elevated privileges on the system, caused by a flaw when using the --userns-remap option. By sending a specially-crafted request, an authenticated attacker could exploit this vulnerability to gain elevated privileges as root on the system.
CVSS Base score: 8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/196047 for the current score.
CVSS Vector: (CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

CVEID:CVE-2021-30465
**DESCRIPTION:**Open Container Initiative runc could allow a remote authenticated attacker to bypass security restrictions, caused by a symlink exchange attack. By sending a specially-crafted request, an attacker could exploit this vulnerability to allow host filesystem being bind-mounted into the container.
CVSS Base score: 7.6
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/202132 for the current score.
CVSS Vector: (CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N)

CVEID:CVE-2018-16875
**DESCRIPTION:**Go Programming Language is vulnerable to a denial of service, caused by the failure to limit the amount of work performed for each chain verification. By sending specially-crafted pathological inputs, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/154318 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID:CVE-2021-32760
**DESCRIPTION:**Containerd could allow a remote attacker to gain elevated privileges on the system, caused by improper file permissions. By pulling and extracting a specially-crafted container image, an attacker could exploit this vulnerability to perform Unix file permission changes for existing files in the host’s filesystem.
CVSS Base score: 9.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/205942 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID:CVE-2020-15257
**DESCRIPTION:**Containerd could allow a remote authenticated attacker to gain elevated privileges on the system, caused by improper access control in containerd-shim API. By sending a specially-crafted request, an attacker could exploit this vulnerability to cause new processes to be run with elevated privileges.
CVSS Base score: 9.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/192452 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID:CVE-2022-24769
**DESCRIPTION:**Moby could allow a local attacker to gain elevated privileges on the system, caused by an issue with containers started incorrectly with non-empty inheritable Linux process capabilities. By executing specially-crafted programs, an attacker could exploit this vulnerability to gain elevated privileges.
CVSS Base score: 5.9
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/222517 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

CVEID:CVE-2022-21698
**DESCRIPTION:**Prometheus Go client library (client_golang ) is vulnerable to a denial of service, caused by a flaw when handling requests with non-standard HTTP methods. By sending specially-crafted HTTP requests, a remote attacker could exploit this vulnerability to cause a memory exhaustion.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/219707 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID:CVE-2021-41091
**DESCRIPTION:**Moby could allow a local authenticated attacker to traverse directories on the system, caused by improper restricted permissions on data directory. An attacker could send a specially-crafted request containing “dot dot” sequences (/…/) to view directory contents and execute arbitrary programs.
CVSS Base score: 6.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/210711 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L)

CVEID:CVE-2022-36109
**DESCRIPTION:**Moby could allow a remote authenticated attacker to execute arbitrary code on the system, caused by a flaw with the supplementary groups are not set up properly. By sending a specially-crafted request, an attacker could exploit this vulnerability to bypass primary group restrictions to execute arbitrary code or obtain sensitive information from the container.
CVSS Base score: 6.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/235637 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L)

CVEID:CVE-2022-27191
**DESCRIPTION:**Go ssh package is vulnerable to a denial of service, caused by an unspecified flaw in certain circumstances involving AddHostKey. By sending a specially-crafted request, a remote attacker could exploit this vulnerability to cause a denial of service.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/222162 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID:CVE-2021-43565
**DESCRIPTION:**Golang Go is vulnerable to a denial of service, caused by an input validation flaw in golang.org/x/crypto’s readCipherPacket() function. By sending an empty plaintext packet to a program linked with golang.org/x/crypto/ssh, a remote attacker could exploit this vulnerability to cause a panic.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/219761 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

**IBM X-Force ID:**240631
**DESCRIPTION:**Moby could allow a remote attacker to obtain sensitive information, caused by improper access control. By using a specially-crafted container build, an attacker could exploit this vulnerability to obtain any path on the host into the container, and use this information to launch further attacks against the affected system.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/240631 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

Affected Products and Versions

Remediation/Fixes

IBM strongly recommends addressing the vulnerability now.
Download the latest version of IBM Storage Ceph and upgrade to 7.1 by following instructions.

<https://public.dhe.ibm.com/ibmdl/export/pub/storage/ceph/&gt;
<https://www.ibm.com/docs/en/storage-ceph/7?topic=upgrading&gt;

Workarounds and Mitigations

None