CVE-2018-10861
Summary
| CVE | CVE-2018-10861 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2018-07-10 14:29:00 UTC |
| Updated | 2019-10-09 23:33:00 UTC |
| Description | A flaw was found in the way ceph mon handles user requests. Any authenticated ceph user having read access to ceph can delete, create ceph storage pools and corrupt snapshot images. Ceph branches master, mimic, luminous and jewel are believed to be affected. |
Risk And Classification
Problem Types: CWE-287
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | Ceph | Ceph | 10.2.0 | All | All | All |
| Application | Ceph | Ceph | 10.2.1 | All | All | All |
| Application | Ceph | Ceph | 10.2.10 | All | All | All |
| Application | Ceph | Ceph | 10.2.11 | All | All | All |
| Application | Ceph | Ceph | 10.2.2 | All | All | All |
| Application | Ceph | Ceph | 10.2.3 | All | All | All |
| Application | Ceph | Ceph | 10.2.4 | All | All | All |
| Application | Ceph | Ceph | 10.2.5 | All | All | All |
| Application | Ceph | Ceph | 10.2.6 | All | All | All |
| Application | Ceph | Ceph | 10.2.7 | All | All | All |
| Application | Ceph | Ceph | 10.2.8 | All | All | All |
| Application | Ceph | Ceph | 10.2.9 | All | All | All |
| Application | Ceph | Ceph | 12.2.0 | All | All | All |
| Application | Ceph | Ceph | 12.2.1 | All | All | All |
| Application | Ceph | Ceph | 12.2.2 | All | All | All |
| Application | Ceph | Ceph | 12.2.3 | All | All | All |
| Application | Ceph | Ceph | 12.2.4 | All | All | All |
| Application | Ceph | Ceph | 12.2.5 | All | All | All |
| Application | Ceph | Ceph | 12.2.6 | All | All | All |
| Application | Ceph | Ceph | 12.2.7 | All | All | All |
| Application | Ceph | Ceph | 13.2.0 | All | All | All |
| Application | Ceph | Ceph | 13.2.1 | All | All | All |
| Operating System | Debian | Debian Linux | 9.0 | All | All | All |
| Operating System | Opensuse | Leap | 15.0 | All | All | All |
| Application | Redhat | Ceph Storage | 3 | All | All | All |
| Application | Redhat | Ceph Storage Mon | 2 | All | All | All |
| Application | Redhat | Ceph Storage Mon | 3 | All | All | All |
| Application | Redhat | Ceph Storage Osd | 2 | All | All | All |
| Application | Redhat | Ceph Storage Osd | 3 | All | All | All |
| Operating System | Redhat | Enterprise Linux Desktop | 7.0 | All | All | All |
| Operating System | Redhat | Enterprise Linux Server | 7.0 | All | All | All |
| Operating System | Redhat | Enterprise Linux Workstation | 7.0 | All | All | All |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| Red Hat Customer Portal | REDHAT | access.redhat.com | Third Party Advisory |
| Red Hat Customer Portal | REDHAT | access.redhat.com | Third Party Advisory |
| [security-announce] openSUSE-SU-2019:1284-1: moderate: Security update f | SUSE | lists.opensuse.org | Third Party Advisory |
| Debian -- Security Information -- DSA-4339-1 ceph | DEBIAN | www.debian.org | Third Party Advisory |
| Merge remote-tracking branch 'private/wip-mon-snap-caps' · ceph/ceph@975528f · GitHub | CONFIRM | github.com | Patch, Third Party Advisory |
| Malformed Request | BID | www.securityfocus.com | Third Party Advisory, VDB Entry |
| Bug #24838: mon: auth checks not correct for pool ops - RADOS - Ceph | CONFIRM | tracker.ceph.com | Issue Tracking, Vendor Advisory |
| Red Hat Customer Portal | REDHAT | access.redhat.com | Third Party Advisory |
| Red Hat Customer Portal | REDHAT | access.redhat.com | Third Party Advisory |
| 1593308 – (CVE-2018-10861) CVE-2018-10861 ceph: ceph-mon does not perform authorization on OSD pool ops | CONFIRM | bugzilla.redhat.com | Issue Tracking, Patch, Third Party Advisory |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
There are currently no legacy QID mappings associated with this CVE.