Vulnerability-Lookup

RHSA-2018:2838

Vulnerability from csaf_redhat - Published: 2018-10-01 15:13 - Updated: 2025-11-21 18:06

Summary

Red Hat Security Advisory: ceph-iscsi-cli security update

Notes

Topic

An update for ceph-iscsi-cli is now available for Red Hat Ceph Storage 3.1 for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Details

ceph-iscsi-cli provides a CLI interface similar to the targetcli tool used to interact with the kernel LIO subsystem. Security Fix(es): * It was found that rbd-target-api service provided by ceph-iscsi-cli was running in debug mode. An unauthenticated attacker could use this to remotely execute arbitrary code and escalate privileges. (CVE-2018-14649)

This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Critical"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "An update for ceph-iscsi-cli is now available for Red Hat Ceph Storage 3.1 for Red Hat Enterprise Linux 7.\n\nRed Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "ceph-iscsi-cli provides a CLI interface similar to the targetcli tool used to interact with the kernel LIO subsystem.\n\nSecurity Fix(es):\n\n* It was found that rbd-target-api service provided by ceph-iscsi-cli was running in debug mode. An unauthenticated attacker could use this to remotely execute arbitrary code and escalate privileges. (CVE-2018-14649)",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHSA-2018:2838",
        "url": "https://access.redhat.com/errata/RHSA-2018:2838"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/updates/classification/#critical",
        "url": "https://access.redhat.com/security/updates/classification/#critical"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/articles/3623521",
        "url": "https://access.redhat.com/articles/3623521"
      },
      {
        "category": "external",
        "summary": "1632078",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1632078"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2018/rhsa-2018_2838.json"
      }
    ],
    "title": "Red Hat Security Advisory: ceph-iscsi-cli security update",
    "tracking": {
      "current_release_date": "2025-11-21T18:06:13+00:00",
      "generator": {
        "date": "2025-11-21T18:06:13+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "4.6.12"
        }
      },
      "id": "RHSA-2018:2838",
      "initial_release_date": "2018-10-01T15:13:30+00:00",
      "revision_history": [
        {
          "date": "2018-10-01T15:13:30+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2018-10-01T15:13:30+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2025-11-21T18:06:13+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Red Hat Ceph Storage 3.1 Tools",
                "product": {
                  "name": "Red Hat Ceph Storage 3.1 Tools",
                  "product_id": "7Server-RHEL-7-RHCEPH-3.1-Tools",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:ceph_storage:3::el7"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Red Hat Ceph Storage"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "ceph-iscsi-cli-0:2.7-7.el7cp.src",
                "product": {
                  "name": "ceph-iscsi-cli-0:2.7-7.el7cp.src",
                  "product_id": "ceph-iscsi-cli-0:2.7-7.el7cp.src",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/ceph-iscsi-cli@2.7-7.el7cp?arch=src"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "src"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "ceph-iscsi-cli-0:2.7-7.el7cp.noarch",
                "product": {
                  "name": "ceph-iscsi-cli-0:2.7-7.el7cp.noarch",
                  "product_id": "ceph-iscsi-cli-0:2.7-7.el7cp.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/ceph-iscsi-cli@2.7-7.el7cp?arch=noarch"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "noarch"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ceph-iscsi-cli-0:2.7-7.el7cp.noarch as a component of Red Hat Ceph Storage 3.1 Tools",
          "product_id": "7Server-RHEL-7-RHCEPH-3.1-Tools:ceph-iscsi-cli-0:2.7-7.el7cp.noarch"
        },
        "product_reference": "ceph-iscsi-cli-0:2.7-7.el7cp.noarch",
        "relates_to_product_reference": "7Server-RHEL-7-RHCEPH-3.1-Tools"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ceph-iscsi-cli-0:2.7-7.el7cp.src as a component of Red Hat Ceph Storage 3.1 Tools",
          "product_id": "7Server-RHEL-7-RHCEPH-3.1-Tools:ceph-iscsi-cli-0:2.7-7.el7cp.src"
        },
        "product_reference": "ceph-iscsi-cli-0:2.7-7.el7cp.src",
        "relates_to_product_reference": "7Server-RHEL-7-RHCEPH-3.1-Tools"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2018-14649",
      "cwe": {
        "id": "CWE-77",
        "name": "Improper Neutralization of Special Elements used in a Command (\u0027Command Injection\u0027)"
      },
      "discovery_date": "2018-09-24T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1632078"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "It was found that rbd-target-api service provided by ceph-iscsi-cli was running in debug mode. An unauthenticated attacker could use this to remotely execute arbitrary code and escalate privileges.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "ceph-iscsi-cli: rbd-target-api service runs in debug mode allowing for remote command execution",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "This issue affects the versions of ceph-iscsi-cli as shipped with Red Hat Ceph Storage 2 and 3. This flaw does not affect python-werkzeug library. It depends on if application uses python-werkzeug library with debug mode enabled.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "7Server-RHEL-7-RHCEPH-3.1-Tools:ceph-iscsi-cli-0:2.7-7.el7cp.noarch",
          "7Server-RHEL-7-RHCEPH-3.1-Tools:ceph-iscsi-cli-0:2.7-7.el7cp.src"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2018-14649"
        },
        {
          "category": "external",
          "summary": "RHBZ#1632078",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1632078"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2018-14649",
          "url": "https://www.cve.org/CVERecord?id=CVE-2018-14649"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2018-14649",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-14649"
        },
        {
          "category": "external",
          "summary": "https://access.redhat.com/articles/3623521",
          "url": "https://access.redhat.com/articles/3623521"
        }
      ],
      "release_date": "2018-09-24T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2018-10-01T15:13:30+00:00",
          "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "7Server-RHEL-7-RHCEPH-3.1-Tools:ceph-iscsi-cli-0:2.7-7.el7cp.noarch",
            "7Server-RHEL-7-RHCEPH-3.1-Tools:ceph-iscsi-cli-0:2.7-7.el7cp.src"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2018:2838"
        },
        {
          "category": "workaround",
          "details": "To stop werkzeug debug mode started by rbd-target-api which is provided by ceph-iscsi-cli:\n\n1. ~]# systemctl stop rbd-target-api\n\n2. ~]# vi /usr/bin/rbd-target-api\n\n# Start the API server\n...\n737     app.run(host=\u00270.0.0.0\u0027,\n738             port=settings.config.api_port,\n739             debug=True,       \u003c==== change this to debug=False\n                    use_evalex=False,   \u003c=== add this line to disable debugger code execution\n740             use_reloader=False,\n741             ssl_context=context)\n...\n\nafter changes it should be\n\n# Start the API server\n...\n737     app.run(host=\u00270.0.0.0\u0027,\n738             port=settings.config.api_port,\n739             debug=False, \n                    use_evalex=False,\n740             use_reloader=False,\n741             ssl_context=context)\n...\n\n3. ~]# systemctl start rbd-target-api\n\n4. Limit exposure of port 5000/tcp: This port should be opened to trusted hosts which require to run \u0027gwcli\u0027.",
          "product_ids": [
            "7Server-RHEL-7-RHCEPH-3.1-Tools:ceph-iscsi-cli-0:2.7-7.el7cp.noarch",
            "7Server-RHEL-7-RHCEPH-3.1-Tools:ceph-iscsi-cli-0:2.7-7.el7cp.src"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.0"
          },
          "products": [
            "7Server-RHEL-7-RHCEPH-3.1-Tools:ceph-iscsi-cli-0:2.7-7.el7cp.noarch",
            "7Server-RHEL-7-RHCEPH-3.1-Tools:ceph-iscsi-cli-0:2.7-7.el7cp.src"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Critical"
        }
      ],
      "title": "ceph-iscsi-cli: rbd-target-api service runs in debug mode allowing for remote command execution"
    }
  ]
}

CVE-2018-14649 (GCVE-0-2018-14649)

Vulnerability from cvelistv5 – Published: 2018-10-09 17:00 – Updated: 2024-08-05 09:38

Summary

It was found that ceph-isci-cli package as shipped by Red Hat Ceph Storage 2 and 3 is using python-werkzeug in debug shell mode. This is done by setting debug=True in file /usr/bin/rbd-target-api provided by ceph-isci-cli package. This allows unauthenticated attackers to access this debug shell and escalate privileges. Once an attacker has successfully connected to this debug shell they will be able to execute arbitrary commands remotely. These commands will run with the same privileges as of user executing the application which is using python-werkzeug with debug shell mode enabled. In - Red Hat Ceph Storage 2 and 3, ceph-isci-cli package runs python-werkzeug library with root level permissions.

Severity ?

9.8 (Critical)


                        
                          CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-77

Assigner

redhat

References

URL

Tags

	https://access.redhat.com/articles/3623521	x_refsource_CONFIRM
	http://www.securityfocus.com/bid/105434	vdb-entryx_refsource_BID
	https://github.com/ceph/ceph-iscsi-cli/pull/121/c…	x_refsource_CONFIRM
	https://github.com/ceph/ceph-iscsi-cli/issues/120	x_refsource_CONFIRM
	https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2…	x_refsource_CONFIRM
	https://access.redhat.com/errata/RHSA-2018:2838	vendor-advisoryx_refsource_REDHAT
	https://access.redhat.com/errata/RHSA-2018:2837	vendor-advisoryx_refsource_REDHAT

Impacted products

	Vendor	Product	Version
	[UNKNOWN]	ceph-iscsi-cli	Affected: n/a

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T09:38:13.114Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/articles/3623521"
          },
          {
            "name": "105434",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/105434"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/ceph/ceph-iscsi-cli/pull/121/commits/c3812075e30c76a800a961e7291087d357403f6b"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/ceph/ceph-iscsi-cli/issues/120"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-14649"
          },
          {
            "name": "RHSA-2018:2838",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2018:2838"
          },
          {
            "name": "RHSA-2018:2837",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2018:2837"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "ceph-iscsi-cli",
          "vendor": "[UNKNOWN]",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2018-09-24T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "It was found that ceph-isci-cli package as shipped by Red Hat Ceph Storage 2 and 3 is using python-werkzeug in debug shell mode. This is done by setting debug=True in file /usr/bin/rbd-target-api provided by ceph-isci-cli package. This allows unauthenticated attackers to access this debug shell and escalate privileges. Once an attacker has successfully connected to this debug shell they will be able to execute arbitrary commands remotely. These commands will run with the same privileges as of user executing the application which is using python-werkzeug with debug shell mode enabled. In - Red Hat Ceph Storage 2 and 3, ceph-isci-cli package runs python-werkzeug library with root level permissions."
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-77",
              "description": "CWE-77",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2018-10-10T09:57:01",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://access.redhat.com/articles/3623521"
        },
        {
          "name": "105434",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/105434"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/ceph/ceph-iscsi-cli/pull/121/commits/c3812075e30c76a800a961e7291087d357403f6b"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/ceph/ceph-iscsi-cli/issues/120"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-14649"
        },
        {
          "name": "RHSA-2018:2838",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2018:2838"
        },
        {
          "name": "RHSA-2018:2837",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2018:2837"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2018-14649",
    "datePublished": "2018-10-09T17:00:00",
    "dateReserved": "2018-07-27T00:00:00",
    "dateUpdated": "2024-08-05T09:38:13.114Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

RHSA-2018:2838

CVE-2018-14649 (GCVE-0-2018-14649)

Tags

Sightings

Nomenclature