公告ID（KYSA-202101-0044）

摘要：ceph安全漏洞安全等級：重要公告ID：KYSA-202101-0044 發布日期：2022-01-24 影響CVE： CVE-2020-10753、CVE-2020-10736、CVE-2020-25660

詳細介紹

1.修復的CVE

CVE-2020-10753

Red Hat Ceph是美國紅帽（Red Hat）公司的一套Linux PB級分布式文件系統。該系統的主要目標是設計成基于POSIX（可移植操作系統接口）的沒有單點故障的分布式文件系統，使數據能容錯和無縫的復制。

Red Hat Ceph 3.x版本和4.x版本中的RadosGW存在注入漏洞。該漏洞源于用戶輸入構造命令、數據結構或記錄的操作過程中，網絡系統或產品缺乏對用戶輸入數據的正確驗證，未過濾或未正確過濾掉其中的特殊元素，導致系統或產品產生解析或解釋方式錯誤。

CVE-2020-10736

Red Hat Ceph 15.2.2之前的15.2.0版本中存在授權問題漏洞，該漏洞源于ceph-mon和ceph-mgr守護進程沒有正確限制訪問。攻擊者可利用該漏洞修改配置或可能發起進一步攻擊。

CVE-2020-25660

ceph 14.2.5版本存在安全漏洞，該漏洞源于ceph無法正確驗證客戶端，攻擊者都可以使用此漏洞向ceph服務進行身份驗證，并執行ceph服務允許的操作。

2.影響的操作系統

銀河麒麟桌面操作系統V10 SP1

3.修復版本

軟件包：ceph

15.2.7-0kylin0.20.04.2(V10 SP1)

4.受影響的軟件包

·銀河麒麟桌面操作系統V10 SP1

ceph

ceph-base

ceph-common

ceph-fuse

ceph-immutable-object-cache

ceph-mds

ceph-mgr

ceph-mgr-cephadm

ceph-mgr-dashboard

ceph-mgr-diskprediction-cloud

ceph-mgr-diskprediction-local

ceph-mgr-k8sevents

ceph-mgr-modules-core

ceph-mgr-rook

ceph-mon

ceph-osd

ceph-resource-agents

cephadm

cephfs-shell

libcephfs-dev

libcephfs-java

libcephfs-jni

libcephfs2

librados-dev

librados2

libradospp-dev

libradosstriper-dev

libradosstriper1

librbd-dev

librbd1

librgw-dev

librgw2

python3-ceph

python3-ceph-argparse

python3-ceph-common

python3-cephfs

python3-rados

python3-rbd

python3-rgw

rados-objclass-dev

radosgw

rbd-fuse

rbd-mirror

rbd-nbd

5.修復方法

方法一：配置源進行升級安裝

打開軟件包源配置文件，根據倉庫地址進行修改。

4.0.2桌面版本:

http://archive.kylinos.cn/kylin/KYLIN-ALL 4.0.2-desktop main restricted universe multiverse

4.0.2-sp1桌面版本:

http://archive.kylinos.cn/kylin/KYLIN-ALL 4.0.2sp1-desktop main restricted universe multiverse

4.0.2-sp2桌面版本:

http://archive.kylinos.cn/kylin/KYLIN-ALL 4.0.2sp2-desktop main restricted universe multiverse

4.0.2-sp3桌面版本:

http://archive.kylinos.cn/kylin/KYLIN-ALL 4.0.2sp3-desktop main restricted universe multiverse

4.0.2-sp4桌面版本:

http://archive.kylinos.cn/kylin/KYLIN-ALL 4.0.2sp4-desktop main restricted universe multiverse

10.0版本:

http://archive.kylinos.cn/kylin/KYLIN-ALL 10.0 main restricted universe multiverse

10SP1版本:

http://archive.kylinos.cn/kylin/KYLIN-ALL 10.1 main restricted universe multiverse

配置完成后執行更新命令進行升級

$sudo apt update

方法二：下載安裝包進行升級安裝

通過軟件包地址下載軟件包，使用軟件包升級命令根據受影響的組件包列表升級相關的組件包。

$dpkg -i Packagelists

6.軟件包下載地址

銀河麒麟操作系統桌面版V10 SP1

X86_64軟件包下載地址

http://archive.kylinos.cn/kylin/KYLIN-ALL/pool/main/c/ceph/ceph-base_15.2.7-0kylin0.20.04.2_amd64.deb

http://archive.kylinos.cn/kylin/KYLIN-ALL/pool/main/c/ceph/ceph-common_15.2.7-0kylin0.20.04.2_amd64.deb

http://archive.kylinos.cn/kylin/KYLIN-ALL/pool/main/c/ceph/ceph-fuse_15.2.7-0kylin0.20.04.2_amd64.deb

http://archive.kylinos.cn/kylin/KYLIN-ALL/pool/main/c/ceph/ceph-immutable-object-cache_15.2.7-0kylin0.20.04.2_amd64.deb

http://archive.kylinos.cn/kylin/KYLIN-ALL/pool/main/c/ceph/ceph-mds_15.2.7-0kylin0.20.04.2_amd64.deb

http://archive.kylinos.cn/kylin/KYLIN-ALL/pool/main/c/ceph/ceph-mgr-cephadm_15.2.7-0kylin0.20.04.2_all.deb

http://archive.kylinos.cn/kylin/KYLIN-ALL/pool/main/c/ceph/ceph-mgr-dashboard_15.2.7-0kylin0.20.04.2_all.deb

http://archive.kylinos.cn/kylin/KYLIN-ALL/pool/main/c/ceph/ceph-mgr-diskprediction-cloud_15.2.7-0kylin0.20.04.2_all.deb

http://archive.kylinos.cn/kylin/KYLIN-ALL/pool/main/c/ceph/ceph-mgr-diskprediction-local_15.2.7-0kylin0.20.04.2_all.deb

http://archive.kylinos.cn/kylin/KYLIN-ALL/pool/main/c/ceph/ceph-mgr-k8sevents_15.2.7-0kylin0.20.04.2_all.deb

http://archive.kylinos.cn/kylin/KYLIN-ALL/pool/main/c/ceph/ceph-mgr-modules-core_15.2.7-0kylin0.20.04.2_all.deb

http://archive.kylinos.cn/kylin/KYLIN-ALL/pool/main/c/ceph/ceph-mgr-rook_15.2.7-0kylin0.20.04.2_all.deb

http://archive.kylinos.cn/kylin/KYLIN-ALL/pool/main/c/ceph/ceph-mgr_15.2.7-0kylin0.20.04.2_amd64.deb

http://archive.kylinos.cn/kylin/KYLIN-ALL/pool/main/c/ceph/ceph-mon_15.2.7-0kylin0.20.04.2_amd64.deb

http://archive.kylinos.cn/kylin/KYLIN-ALL/pool/main/c/ceph/ceph-osd_15.2.7-0kylin0.20.04.2_amd64.deb

http://archive.kylinos.cn/kylin/KYLIN-ALL/pool/main/c/ceph/ceph-resource-agents_15.2.7-0kylin0.20.04.2_all.deb

http://archive.kylinos.cn/kylin/KYLIN-ALL/pool/main/c/ceph/ceph_15.2.7-0kylin0.20.04.2_amd64.deb

http://archive.kylinos.cn/kylin/KYLIN-ALL/pool/main/c/ceph/cephadm_15.2.7-0kylin0.20.04.2_amd64.deb

http://archive.kylinos.cn/kylin/KYLIN-ALL/pool/main/c/ceph/cephfs-shell_15.2.7-0kylin0.20.04.2_all.deb

http://archive.kylinos.cn/kylin/KYLIN-ALL/pool/main/c/ceph/libcephfs-dev_15.2.7-0kylin0.20.04.2_amd64.deb

http://archive.kylinos.cn/kylin/KYLIN-ALL/pool/main/c/ceph/libcephfs-java_15.2.7-0kylin0.20.04.2_all.deb

http://archive.kylinos.cn/kylin/KYLIN-ALL/pool/main/c/ceph/libcephfs-jni_15.2.7-0kylin0.20.04.2_amd64.deb

http://archive.kylinos.cn/kylin/KYLIN-ALL/pool/main/c/ceph/libcephfs2_15.2.7-0kylin0.20.04.2_amd64.deb

http://archive.kylinos.cn/kylin/KYLIN-ALL/pool/main/c/ceph/librados-dev_15.2.7-0kylin0.20.04.2_amd64.deb

http://archive.kylinos.cn/kylin/KYLIN-ALL/pool/main/c/ceph/librados2_15.2.7-0kylin0.20.04.2_amd64.deb

http://archive.kylinos.cn/kylin/KYLIN-ALL/pool/main/c/ceph/libradospp-dev_15.2.7-0kylin0.20.04.2_amd64.deb

http://archive.kylinos.cn/kylin/KYLIN-ALL/pool/main/c/ceph/libradosstriper-dev_15.2.7-0kylin0.20.04.2_amd64.deb

http://archive.kylinos.cn/kylin/KYLIN-ALL/pool/main/c/ceph/libradosstriper1_15.2.7-0kylin0.20.04.2_amd64.deb

http://archive.kylinos.cn/kylin/KYLIN-ALL/pool/main/c/ceph/librbd-dev_15.2.7-0kylin0.20.04.2_amd64.deb

http://archive.kylinos.cn/kylin/KYLIN-ALL/pool/main/c/ceph/librbd1_15.2.7-0kylin0.20.04.2_amd64.deb

http://archive.kylinos.cn/kylin/KYLIN-ALL/pool/main/c/ceph/librgw-dev_15.2.7-0kylin0.20.04.2_amd64.deb

http://archive.kylinos.cn/kylin/KYLIN-ALL/pool/main/c/ceph/librgw2_15.2.7-0kylin0.20.04.2_amd64.deb

http://archive.kylinos.cn/kylin/KYLIN-ALL/pool/main/c/ceph/python3-ceph-argparse_15.2.7-0kylin0.20.04.2_amd64.deb

http://archive.kylinos.cn/kylin/KYLIN-ALL/pool/main/c/ceph/python3-ceph-common_15.2.7-0kylin0.20.04.2_all.deb

http://archive.kylinos.cn/kylin/KYLIN-ALL/pool/main/c/ceph/python3-ceph_15.2.7-0kylin0.20.04.2_all.deb

http://archive.kylinos.cn/kylin/KYLIN-ALL/pool/main/c/ceph/python3-cephfs_15.2.7-0kylin0.20.04.2_amd64.deb

http://archive.kylinos.cn/kylin/KYLIN-ALL/pool/main/c/ceph/python3-rados_15.2.7-0kylin0.20.04.2_amd64.deb

http://archive.kylinos.cn/kylin/KYLIN-ALL/pool/main/c/ceph/python3-rbd_15.2.7-0kylin0.20.04.2_amd64.deb

http://archive.kylinos.cn/kylin/KYLIN-ALL/pool/main/c/ceph/python3-rgw_15.2.7-0kylin0.20.04.2_amd64.deb

http://archive.kylinos.cn/kylin/KYLIN-ALL/pool/main/c/ceph/rados-objclass-dev_15.2.7-0kylin0.20.04.2_amd64.deb

http://archive.kylinos.cn/kylin/KYLIN-ALL/pool/main/c/ceph/radosgw_15.2.7-0kylin0.20.04.2_amd64.deb

http://archive.kylinos.cn/kylin/KYLIN-ALL/pool/main/c/ceph/rbd-fuse_15.2.7-0kylin0.20.04.2_amd64.deb

http://archive.kylinos.cn/kylin/KYLIN-ALL/pool/main/c/ceph/rbd-mirror_15.2.7-0kylin0.20.04.2_amd64.deb

http://archive.kylinos.cn/kylin/KYLIN-ALL/pool/main/c/ceph/rbd-nbd_15.2.7-0kylin0.20.04.2_amd64.deb

arm64軟件包下載地址

http://archive.kylinos.cn/kylin/KYLIN-ALL/pool/main/c/ceph/ceph-base_15.2.7-0kylin0.20.04.2_arm64.deb

http://archive.kylinos.cn/kylin/KYLIN-ALL/pool/main/c/ceph/ceph-common_15.2.7-0kylin0.20.04.2_arm64.deb

http://archive.kylinos.cn/kylin/KYLIN-ALL/pool/main/c/ceph/ceph-immutable-object-cache_15.2.7-0kylin0.20.04.2_arm64.deb

http://archive.kylinos.cn/kylin/KYLIN-ALL/pool/main/c/ceph/ceph-mds_15.2.7-0kylin0.20.04.2_arm64.deb

http://archive.kylinos.cn/kylin/KYLIN-ALL/pool/main/c/ceph/ceph-mgr-cephadm_15.2.7-0kylin0.20.04.2_all.deb

http://archive.kylinos.cn/kylin/KYLIN-ALL/pool/main/c/ceph/ceph-mgr-dashboard_15.2.7-0kylin0.20.04.2_all.deb

http://archive.kylinos.cn/kylin/KYLIN-ALL/pool/main/c/ceph/ceph-mgr-diskprediction-cloud_15.2.7-0kylin0.20.04.2_all.deb

http://archive.kylinos.cn/kylin/KYLIN-ALL/pool/main/c/ceph/ceph-mgr-diskprediction-local_15.2.7-0kylin0.20.04.2_all.deb

http://archive.kylinos.cn/kylin/KYLIN-ALL/pool/main/c/ceph/ceph-mgr-k8sevents_15.2.7-0kylin0.20.04.2_all.deb

http://archive.kylinos.cn/kylin/KYLIN-ALL/pool/main/c/ceph/ceph-mgr-modules-core_15.2.7-0kylin0.20.04.2_all.deb

http://archive.kylinos.cn/kylin/KYLIN-ALL/pool/main/c/ceph/ceph-mgr-rook_15.2.7-0kylin0.20.04.2_all.deb

http://archive.kylinos.cn/kylin/KYLIN-ALL/pool/main/c/ceph/ceph-mgr_15.2.7-0kylin0.20.04.2_arm64.deb

http://archive.kylinos.cn/kylin/KYLIN-ALL/pool/main/c/ceph/ceph-mon_15.2.7-0kylin0.20.04.2_arm64.deb

http://archive.kylinos.cn/kylin/KYLIN-ALL/pool/main/c/ceph/ceph-osd_15.2.7-0kylin0.20.04.2_arm64.deb

http://archive.kylinos.cn/kylin/KYLIN-ALL/pool/main/c/ceph/ceph-resource-agents_15.2.7-0kylin0.20.04.2_all.deb

http://archive.kylinos.cn/kylin/KYLIN-ALL/pool/main/c/ceph/ceph_15.2.7-0kylin0.20.04.2_arm64.deb

http://archive.kylinos.cn/kylin/KYLIN-ALL/pool/main/c/ceph/cephadm_15.2.7-0kylin0.20.04.2_arm64.deb

http://archive.kylinos.cn/kylin/KYLIN-ALL/pool/main/c/ceph/cephfs-shell_15.2.7-0kylin0.20.04.2_all.deb

http://archive.kylinos.cn/kylin/KYLIN-ALL/pool/main/c/ceph/libcephfs-dev_15.2.7-0kylin0.20.04.2_arm64.deb

http://archive.kylinos.cn/kylin/KYLIN-ALL/pool/main/c/ceph/libcephfs-java_15.2.7-0kylin0.20.04.2_all.deb

http://archive.kylinos.cn/kylin/KYLIN-ALL/pool/main/c/ceph/libcephfs-jni_15.2.7-0kylin0.20.04.2_arm64.deb

http://archive.kylinos.cn/kylin/KYLIN-ALL/pool/main/c/ceph/libcephfs2_15.2.7-0kylin0.20.04.2_arm64.deb

http://archive.kylinos.cn/kylin/KYLIN-ALL/pool/main/c/ceph/librados-dev_15.2.7-0kylin0.20.04.2_arm64.deb

http://archive.kylinos.cn/kylin/KYLIN-ALL/pool/main/c/ceph/librados2_15.2.7-0kylin0.20.04.2_arm64.deb

http://archive.kylinos.cn/kylin/KYLIN-ALL/pool/main/c/ceph/libradospp-dev_15.2.7-0kylin0.20.04.2_arm64.deb

http://archive.kylinos.cn/kylin/KYLIN-ALL/pool/main/c/ceph/libradosstriper-dev_15.2.7-0kylin0.20.04.2_arm64.deb

http://archive.kylinos.cn/kylin/KYLIN-ALL/pool/main/c/ceph/libradosstriper1_15.2.7-0kylin0.20.04.2_arm64.deb

http://archive.kylinos.cn/kylin/KYLIN-ALL/pool/main/c/ceph/librbd-dev_15.2.7-0kylin0.20.04.2_arm64.deb

http://archive.kylinos.cn/kylin/KYLIN-ALL/pool/main/c/ceph/librbd1_15.2.7-0kylin0.20.04.2_arm64.deb

http://archive.kylinos.cn/kylin/KYLIN-ALL/pool/main/c/ceph/librgw-dev_15.2.7-0kylin0.20.04.2_arm64.deb

http://archive.kylinos.cn/kylin/KYLIN-ALL/pool/main/c/ceph/librgw2_15.2.7-0kylin0.20.04.2_arm64.deb

http://archive.kylinos.cn/kylin/KYLIN-ALL/pool/main/c/ceph/python3-ceph-argparse_15.2.7-0kylin0.20.04.2_arm64.deb

http://archive.kylinos.cn/kylin/KYLIN-ALL/pool/main/c/ceph/python3-ceph-common_15.2.7-0kylin0.20.04.2_all.deb

http://archive.kylinos.cn/kylin/KYLIN-ALL/pool/main/c/ceph/python3-ceph_15.2.7-0kylin0.20.04.2_all.deb

http://archive.kylinos.cn/kylin/KYLIN-ALL/pool/main/c/ceph/python3-cephfs_15.2.7-0kylin0.20.04.2_arm64.deb

http://archive.kylinos.cn/kylin/KYLIN-ALL/pool/main/c/ceph/python3-rados_15.2.7-0kylin0.20.04.2_arm64.deb

http://archive.kylinos.cn/kylin/KYLIN-ALL/pool/main/c/ceph/python3-rbd_15.2.7-0kylin0.20.04.2_arm64.deb

http://archive.kylinos.cn/kylin/KYLIN-ALL/pool/main/c/ceph/python3-rgw_15.2.7-0kylin0.20.04.2_arm64.deb

http://archive.kylinos.cn/kylin/KYLIN-ALL/pool/main/c/ceph/rados-objclass-dev_15.2.7-0kylin0.20.04.2_arm64.deb

http://archive.kylinos.cn/kylin/KYLIN-ALL/pool/main/c/ceph/radosgw_15.2.7-0kylin0.20.04.2_arm64.deb

http://archive.kylinos.cn/kylin/KYLIN-ALL/pool/main/c/ceph/rbd-fuse_15.2.7-0kylin0.20.04.2_arm64.deb

http://archive.kylinos.cn/kylin/KYLIN-ALL/pool/main/c/ceph/rbd-mirror_15.2.7-0kylin0.20.04.2_arm64.deb

http://archive.kylinos.cn/kylin/KYLIN-ALL/pool/main/c/ceph/rbd-nbd_15.2.7-0kylin0.20.04.2_arm64.deb

mips64el軟件包下載地址