(RHSA-2023:3642) Important: Red Hat Ceph Storage 6.1 Container security and bug fix update

2023-06-15 15:57:53
access.redhat.com
CVSS3: 9.8 High
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

CVSS2: 7.5 High
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL

EPSS: 0.157 Low (Percentile: 95.9%)

Red Hat Ceph Storage is a scalable, open, software-defined storage platform that combines the most stable version of the Ceph storage system with a Ceph management platform, deployment utilities, and support services.

This new container image is based on Red Hat Ceph Storage 6.1 and Red Hat Enterprise Linux 9.

Security Fix(es):

  • crewjam/saml: Authentication bypass when processing SAML responses containing multiple Assertion elements (CVE-2022-41912)

  • eventsource: Exposure of Sensitive Information (CVE-2022-1650)

  • grafana: stored XSS vulnerability (CVE-2022-31097)

  • grafana: OAuth account takeover (CVE-2022-31107)

  • ramda: prototype poisoning (CVE-2021-42581)

  • golang: net/http: improper sanitization of Transfer-Encoding header (CVE-2022-1705)

  • golang: net/http/httputil: ReverseProxy should not forward unparseable query parameters (CVE-2022-2880)

  • marked: regular expression block.def may lead to Denial of Service (CVE-2022-21680)

  • marked: regular expression inline.reflinkSearch may lead to Denial of Service (CVE-2022-21681)

  • golang: encoding/pem: fix stack overflow in Decode (CVE-2022-24675)

  • Moment.js: Path traversal in moment.locale (CVE-2022-24785)

  • grafana: An information leak issue was discovered in Grafana through 7.3.4, when integrated with Zabbix (CVE-2022-26148)

  • golang: net/http: handle server errors after sending GOAWAY (CVE-2022-27664)

  • golang: encoding/xml: stack exhaustion in Decoder.Skip (CVE-2022-28131)

  • golang: crypto/elliptic: panic caused by oversized scalar (CVE-2022-28327)

  • golang: syscall: faccessat checks wrong group (CVE-2022-29526)

  • golang: io/fs: stack exhaustion in Glob (CVE-2022-30630)

  • golang: compress/gzip: stack exhaustion in Reader.Read (CVE-2022-30631)

  • golang: path/filepath: stack exhaustion in Glob (CVE-2022-30632)

  • golang: encoding/xml: stack exhaustion in Unmarshal (CVE-2022-30633)

  • golang: encoding/gob: stack exhaustion in Decoder.Decode (CVE-2022-30635)

  • grafana: plugin signature bypass (CVE-2022-31123)

  • grafana: data source and plugin proxy endpoints leaking authentication tokens to some destination plugins (CVE-2022-31130)

  • golang: net/http/httputil: NewSingleHostReverseProxy - omit X-Forwarded-For not working (CVE-2022-32148)

  • golang: net/url: JoinPath does not strip relative path components in all circumstances (CVE-2022-32190)

  • grafana: Escalation from admin to server admin when auth proxy is used (CVE-2022-35957)

  • grafana: Data source and plugin proxy endpoints could leak the authentication cookie to some destination plugins (CVE-2022-39201)

  • grafana: using email as a username can block other users from signing in (CVE-2022-39229)

  • grafana: email addresses and usernames cannot be trusted (CVE-2022-39306)

  • grafana: User enumeration via forget password (CVE-2022-39307)

  • grafana: Spoofing of the originalUrl parameter of snapshots (CVE-2022-39324)

  • golang: regexp/syntax: limit memory used by parsing regexps (CVE-2022-41715)

  • golang: crypto/tls: session tickets lack random ticket_age_add (CVE-2022-30629)

  • golang: math/big: decoding big.Float and big.Rat types can panic if the encoded message is too short, potentially allowing a denial of service (CVE-2022-32189)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Space precludes documenting all of these changes in this advisory. Users are directed to the Red Hat Ceph Storage Release Notes for information on the most significant of these changes:

https://access.redhat.com/documentation/en-us/red_hat_ceph_storage/6.1/html/release_notes/index

All users of Red Hat Ceph Storage are advised to pull these new images from the Red Hat Ecosystem catalog, which provides numerous enhancements and bug fixes.