Ceph: Root Privilege Escalation — GLSA 202312-10

A vulnerability has been found in Ceph which can lead to root privilege escalation.

Affected packages

sys-cluster/ceph on all architectures
Affected versions < 17.2.6
Unaffected versions >= 17.2.6

Background

Ceph is a distributed network file system designed to provide excellent performance, reliability, and scalability.

Description

A vulnerability has been discovered in Ceph. Please review the CVE identifier referenced below for details.

Impact

The ceph-crash.service unit runs the ceph-crash Python script as root. The script operates in the directory /var/lib/ceph/crash, which is controlled by the unprivileged ceph user (ceph:ceph, mode 0750). The script periodically scans that directory for new crash directories and forwards their content via `ceph crash post`, so a root process repeatedly processes content that an unprivileged user controls.
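A local audit for the condition the advisory describes, as an added example that is not Gentoo's or Ceph's own tooling: it parses `ceph --version` output against the 17.2.6 threshold from the table above, reads the service user from the ceph-crash unit file (systemd defaults to root when no `User=` is set), and flags a root-run service processing a crash directory owned by an unprivileged uid or writable by group/other. The `ceph version X.Y.Z ...` output shape, the unit file path and the uid 167 used in the usage comment are assumptions, not values from the advisory.

```python
"""Audit helper for the GLSA 202312-10 condition: ceph-crash running as
root while scanning a crash directory owned by the unprivileged ceph user.

Added example, not Gentoo's or Ceph's code.  Assumptions (not on the
advisory page): `ceph --version` prints "ceph version X.Y.Z ...", and
the systemd unit file, if it sets a user at all, uses a plain `User=`.
"""
import os
import re
import stat

FIXED_VERSION = (17, 2, 6)          # first unaffected version per the advisory
CRASH_DIR = "/var/lib/ceph/crash"   # directory named in the advisory
UNIT_FILE = "/usr/lib/systemd/system/ceph-crash.service"  # assumed location

_VERSION_RE = re.compile(r"ceph version (\d+)\.(\d+)\.(\d+)")
_USER_RE = re.compile(r"^\s*User\s*=\s*(\S+)", re.MULTILINE)


def parse_ceph_version(output: str) -> tuple:
    """Extract (major, minor, patch) from `ceph --version` output."""
    m = _VERSION_RE.search(output)
    if not m:
        raise ValueError(f"unrecognised ceph version output: {output!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(version: tuple) -> bool:
    """Affected versions are strictly below 17.2.6 (advisory table)."""
    return tuple(version) < FIXED_VERSION


def service_user(unit_text: str) -> str:
    """systemd runs a service as root unless the unit sets User=."""
    m = _USER_RE.search(unit_text)
    return m.group(1) if m else "root"


def crash_dir_findings(owner_uid: int, mode: int, runs_as: str) -> list:
    """Pure check on stat() results so it can be tested without root.

    Flags the advisory's risk pattern: a root service periodically reading
    a directory whose owner (and therefore contents) is an unprivileged
    user.  Group/other-writable modes are flagged too, since they widen
    who can place content in the directory.
    """
    findings = []
    if runs_as == "root" and owner_uid != 0:
        findings.append(
            f"service runs as root but crash directory is owned by uid {owner_uid}"
        )
    if mode & stat.S_IWGRP:
        findings.append("crash directory is group-writable")
    if mode & stat.S_IWOTH:
        findings.append("crash directory is world-writable")
    return findings


def audit_host(version_output: str, unit_text: str, crash_dir: str = CRASH_DIR) -> dict:
    """Combine the three checks for one host and return a plain dict report."""
    version = parse_ceph_version(version_output)
    user = service_user(unit_text)
    report = {"version": version, "affected": is_affected(version),
              "service_user": user, "findings": []}
    try:
        st = os.stat(crash_dir)
    except FileNotFoundError:
        report["findings"].append(f"{crash_dir} not present (ceph-crash may be unused)")
        return report
    report["findings"] = crash_dir_findings(st.st_uid, stat.S_IMODE(st.st_mode), user)
    return report


if __name__ == "__main__":
    # Live run on a host; e.g. owner uid 167 is a constructed value for the
    # ceph user and will differ per distribution.
    import subprocess
    try:
        out = subprocess.run(["ceph", "--version"], capture_output=True,
                             text=True, check=False).stdout
        with open(UNIT_FILE) as fh:
            unit = fh.read()
    except FileNotFoundError as exc:
        raise SystemExit(f"cannot audit: {exc}")
    print(audit_host(out, unit))
```

The file-system checks are separated from `os.stat()` so the logic can be exercised on constructed values; on a real host, an `affected` result together with a "runs as root but ... owned by uid" finding is the combination the upgrade in the Resolution section removes.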

Workaround

There is no known workaround at this time.

Resolution

All Ceph users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=sys-cluster/ceph-17.2.6"

References

Release date
December 23, 2023

Latest revision
December 23, 2023: 1

Severity
high

Exploitable
local

Bugzilla entries