SB2023121250 - Multiple vulnerabilities in Red Hat Ceph Storage 6.1
Published: December 12, 2023 Updated: February 21, 2025
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 17 secuirty vulnerabilities.
1) Buffer overflow (CVE-ID: CVE-2023-29491)
The vulnerability allows a local user to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error when processing malformed data in a terminfo database file. A local user can trigger memory corruption and execute arbitrary code on the target system.
2) Double Free (CVE-ID: CVE-2023-39975)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a boundary error within the free_req_info(). A remote attacker send a specially crafted request to trigger a double free error and perform a denial of service (DoS) attack.
3) External control of file name or path (CVE-ID: CVE-2023-38546)
The vulnerability allows an attacker to inject arbitrary cookies into request.
The vulnerability exists due to the way cookies are handled by libcurl. If a transfer has cookies enabled when the handle is duplicated, the
cookie-enable state is also cloned - but without cloning the actual
cookies. If the source handle did not read any cookies from a specific
file on disk, the cloned version of the handle would instead store the
file name as none (using the four ASCII letters, no quotes).
none - if such a file exists and is readable in the current directory of the program using libcurl. 4) Heap-based buffer overflow (CVE-ID: CVE-2023-38545)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error in the SOCKS5 proxy handshake. A remote attacker can trick the victim to visit a malicious website, trigger a heap-based buffer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system but requires that SOCKS5 proxy is used and that SOCKS5 handshake is slow (e.g. under heavy load or DoS attack).
5) Access of Uninitialized Pointer (CVE-ID: CVE-2023-36054)
The vulnerability allows a remote user to perform a denial of service (DoS) attack.
The vulnerability exists due to the _xdr_kadm5_principal_ent_rec() function in lib/kadm5/kadm_rpc_xdr.c does not validate the relationship between n_key_data and the key_data array count and frees an uninitialized pointer. A remote user can send a specially crafted request to the application and perform a denial of service (DoS) attack.
6) Resource exhaustion (CVE-ID: CVE-2023-32665)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to application does not properly control consumption of internal resources. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.
7) Resource exhaustion (CVE-ID: CVE-2023-32611)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to application does not properly control consumption of internal resources within the g_variant_byteswap() function. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.
8) Input validation error (CVE-ID: CVE-2023-29499)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient validation of user-supplied input. A remote attacker can pass specially crafted input to the application and perform a denial of service (DoS) attack.
9) Information disclosure (CVE-ID: CVE-2023-4641)
The vulnerability allows a local user to gain access to potentially sensitive information.
The vulnerability exists due to an error in gpasswd(1), which fails to clean memory properly. When asking for a new password, shadow-utils asks the password twice. If the password fails on the second attempt, shadow-utils fails in cleaning the buffer used to store the first entry. A local user with enough access can retrieve the password from the memory.
10) Stored cross-site scripting (CVE-ID: CVE-2023-1410)
The disclosed vulnerability allows a remote user to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data in the Graphite FunctionDescription tooltip. A remote user can permanently inject and execute arbitrary HTML and script code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
11) Memory leak (CVE-ID: CVE-2023-0836)
The vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due memory leak as there are 5 bytes left uninitialized in the connection buffer when encoding the FCGI_BEGIN_REQUEST record. A remote attacker can force the application to leak memory and disclose potentially sensitive data to configured FastCGI backends.
12) Integer overflow (CVE-ID: CVE-2021-43618)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to integer overflow in mpz/inp_raw.c. A remote attacker can pass specially crafted data to the application, trigger integer overflow and cause a denial of service condition on the target system.
13) Resource exhaustion (CVE-ID: CVE-2023-39325)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to excessive consumption of internal resources when handling HTTP/2 requests. A remote attacker can bypass the http2.Server.MaxConcurrentStreams setting by creating new connections while the current connections are still being processed, trigger resource exhaustion and perform a denial of service (DoS) attack.
14) Resource exhaustion (CVE-ID: CVE-2023-44487)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to improperly control of consumption for internal resources when handling HTTP/2 requests with compressed HEADERS frames. A remote attacker can send a sequence of compressed HEADERS frames followed by RST_STREAM frames and perform a denial of service (DoS) attack, a.k.a. "Rapid Reset".
Note, the vulnerability is being actively exploited in the wild.
15) Missing Authorization (CVE-ID: CVE-2023-2183)
The vulnerability allows a remote user to bypass implemented security restrictions.
The vulnerability exists due to missing authorization in the alerts feature within API. A remote user can use the API to send multiple alert messages to e-mail and Slack, spamming users, prepare Phishing attack or block SMTP server.
16) Improper synchronization (CVE-ID: CVE-2023-2801)
The vulnerability allows a remote user to perform a denial of service (DoS) attack.
The vulnerability exists due to incorrect synchronization when processing multiple requests. A remote user can query multiple distinct data sources using mixed queries via public dashboard or API and crash Grafana instances.
17) Information disclosure (CVE-ID: CVE-2023-1387)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to application allows users to login with a JWT token passed in the URL query parameter auth_token. A remote attacker can intercept the query and gain unauthorized access to the application.
Remediation
Install update from vendor's website.