#VU13068 Assertion failure in Ceph - CVE-2017-16818

Cybersecurity Help s.r.o.

Published: 2018-05-30 | Updated: 2018-05-31

Vulnerability identifier: #VU13068

Vulnerability risk: Low

CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2017-16818

CWE-ID: CWE-617

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Ceph
Server applications / Other server solutions

Vendor: Red Hat Inc.

Description

The vulnerability allows a remote authenticated attacker to cause DoS condition on the target system.

The vulnerability exists due to assertion failure and application exit. A remote attacker can leverage "full" privileges, post an invalid profile to the admin API, related to rgw/rgw_iam_policy.cc, rgw/rgw_basic_types.h, and rgw/rgw_iam_types.h and cause the service to crash.

Mitigation
Install update from vendor's website.

Vulnerable software versions

Ceph: 12.1.0 - 12.2.1

External links
https://github.com/ceph/ceph/commit/b3118cabb8060a8cc6a01c4e8264cb18e7b1745a

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

OpenSUSE Linux update for ceph

Multiple vulnerabilities in IBM Planning Analytics Local

OpenSUSE Linux update for ceph