[USN-7706-1] Ceph vulnerabilities

noreply+usn-bot at canonical.com
Thu Aug 21 05:06:15 UTC 2025


==========================================================================
Ubuntu Security Notice USN-7706-1
August 20, 2025

ceph vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS

Summary:

Several security issues were fixed in Ceph.

Software Description:
- ceph: distributed storage and file system

Details:

It was discovered that Ceph incorrectly handled read-only permissions. An
authenticated attacker could use this issue to obtain dm-crypt encryption
keys. This issue only affected Ubuntu 14.04 LTS. (CVE-2018-14662)

Sergey Bobrov discovered that Ceph’s RadosGW (Ceph Object Gateway) allowed
the injection of HTTP headers in responses to CORS requests. An attacker
could possibly use this issue to compromise system integrity. This issue
only affected Ubuntu 16.04 LTS. (CVE-2021-3524)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 16.04 LTS
  ceph                            10.2.11-0ubuntu0.16.04.3+esm2
                                  Available with Ubuntu Pro
  ceph-common                     10.2.11-0ubuntu0.16.04.3+esm2
                                  Available with Ubuntu Pro
  radosgw                         10.2.11-0ubuntu0.16.04.3+esm2
                                  Available with Ubuntu Pro

Ubuntu 14.04 LTS
  ceph                            0.80.11-0ubuntu1.14.04.4+esm3
                                  Available with Ubuntu Pro
  ceph-common                     0.80.11-0ubuntu1.14.04.4+esm3
                                  Available with Ubuntu Pro
  radosgw                         0.80.11-0ubuntu1.14.04.4+esm3
                                  Available with Ubuntu Pro

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-7706-1
  CVE-2018-14662, CVE-2021-3524