{"schema_version":"1.7.2","id":"OESA-2025-1206","modified":"2025-02-28T15:33:43Z","published":"2025-02-28T15:33:43Z","upstream":["CVE-2024-48916"],"summary":"ceph security update","details":"Ceph is a massively scalable, open-source, distributed storage system that runs on commodity hardware and delivers object, block and file system storage.\r\n\r\nSecurity Fix(es):\n\nA vulnerability in the Ceph Rados Gateway (RadosGW) OIDC provider allows attackers to bypass JWT signature verification by supplying a token with \u0026quot;none\u0026quot; as the algorithm (alg). This occurs because the implementation fails to enforce strict signature validation, enabling attackers to forge valid tokens without a signature.(CVE-2024-48916)","affected":[{"package":{"ecosystem":"openEuler:22.03-LTS-SP4","name":"ceph","purl":"pkg:rpm/openEuler/ceph\u0026distro=openEuler-22.03-LTS-SP4"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"16.2.7-22.oe2203sp4"}]}],"ecosystem_specific":{"aarch64":["ceph-16.2.7-22.oe2203sp4.aarch64.rpm","ceph-base-16.2.7-22.oe2203sp4.aarch64.rpm","ceph-common-16.2.7-22.oe2203sp4.aarch64.rpm","ceph-debuginfo-16.2.7-22.oe2203sp4.aarch64.rpm","ceph-debugsource-16.2.7-22.oe2203sp4.aarch64.rpm","ceph-fuse-16.2.7-22.oe2203sp4.aarch64.rpm","ceph-immutable-object-cache-16.2.7-22.oe2203sp4.aarch64.rpm","ceph-mds-16.2.7-22.oe2203sp4.aarch64.rpm","ceph-mgr-16.2.7-22.oe2203sp4.aarch64.rpm","ceph-mon-16.2.7-22.oe2203sp4.aarch64.rpm","ceph-osd-16.2.7-22.oe2203sp4.aarch64.rpm","ceph-radosgw-16.2.7-22.oe2203sp4.aarch64.rpm","ceph-resource-agents-16.2.7-22.oe2203sp4.aarch64.rpm","ceph-selinux-16.2.7-22.oe2203sp4.aarch64.rpm","ceph-test-16.2.7-22.oe2203sp4.aarch64.rpm","cephfs-mirror-16.2.7-22.oe2203sp4.aarch64.rpm","libcephfs-devel-16.2.7-22.oe2203sp4.aarch64.rpm","libcephfs2-16.2.7-22.oe2203sp4.aarch64.rpm","libcephsqlite-16.2.7-22.oe2203sp4.aarch64.rpm","libcephsqlite-devel-16.2.7-22.oe2203sp4.aarch64.rpm","librados-devel-16.2.7-22.oe2203sp4.aarch64.rpm","librados2-16.2.7-22.oe2203sp4.aarch64.rpm","libradospp-devel-16.2.7-22.oe2203sp4.aarch64.rpm","libradosstriper-devel-16.2.7-22.oe2203sp4.aarch64.rpm","libradosstriper1-16.2.7-22.oe2203sp4.aarch64.rpm","librbd-devel-16.2.7-22.oe2203sp4.aarch64.rpm","librbd1-16.2.7-22.oe2203sp4.aarch64.rpm","librgw-devel-16.2.7-22.oe2203sp4.aarch64.rpm","librgw2-16.2.7-22.oe2203sp4.aarch64.rpm","python3-ceph-argparse-16.2.7-22.oe2203sp4.aarch64.rpm","python3-ceph-common-16.2.7-22.oe2203sp4.aarch64.rpm","python3-cephfs-16.2.7-22.oe2203sp4.aarch64.rpm","python3-rados-16.2.7-22.oe2203sp4.aarch64.rpm","python3-rbd-16.2.7-22.oe2203sp4.aarch64.rpm","python3-rgw-16.2.7-22.oe2203sp4.aarch64.rpm","rados-objclass-devel-16.2.7-22.oe2203sp4.aarch64.rpm","rbd-fuse-16.2.7-22.oe2203sp4.aarch64.rpm","rbd-mirror-16.2.7-22.oe2203sp4.aarch64.rpm","rbd-nbd-16.2.7-22.oe2203sp4.aarch64.rpm"],"noarch":["ceph-grafana-dashboards-16.2.7-22.oe2203sp4.noarch.rpm","ceph-mgr-cephadm-16.2.7-22.oe2203sp4.noarch.rpm","ceph-mgr-dashboard-16.2.7-22.oe2203sp4.noarch.rpm","ceph-mgr-diskprediction-local-16.2.7-22.oe2203sp4.noarch.rpm","ceph-mgr-k8sevents-16.2.7-22.oe2203sp4.noarch.rpm","ceph-mgr-modules-core-16.2.7-22.oe2203sp4.noarch.rpm","ceph-mgr-rook-16.2.7-22.oe2203sp4.noarch.rpm","ceph-prometheus-alerts-16.2.7-22.oe2203sp4.noarch.rpm","cephadm-16.2.7-22.oe2203sp4.noarch.rpm","cephfs-top-16.2.7-22.oe2203sp4.noarch.rpm"],"src":["ceph-16.2.7-22.oe2203sp4.src.rpm"],"x86_64":["ceph-16.2.7-22.oe2203sp4.x86_64.rpm","ceph-base-16.2.7-22.oe2203sp4.x86_64.rpm","ceph-common-16.2.7-22.oe2203sp4.x86_64.rpm","ceph-debuginfo-16.2.7-22.oe2203sp4.x86_64.rpm","ceph-debugsource-16.2.7-22.oe2203sp4.x86_64.rpm","ceph-fuse-16.2.7-22.oe2203sp4.x86_64.rpm","ceph-immutable-object-cache-16.2.7-22.oe2203sp4.x86_64.rpm","ceph-mds-16.2.7-22.oe2203sp4.x86_64.rpm","ceph-mgr-16.2.7-22.oe2203sp4.x86_64.rpm","ceph-mon-16.2.7-22.oe2203sp4.x86_64.rpm","ceph-osd-16.2.7-22.oe2203sp4.x86_64.rpm","ceph-radosgw-16.2.7-22.oe2203sp4.x86_64.rpm","ceph-resource-agents-16.2.7-22.oe2203sp4.x86_64.rpm","ceph-selinux-16.2.7-22.oe2203sp4.x86_64.rpm","ceph-test-16.2.7-22.oe2203sp4.x86_64.rpm","cephfs-mirror-16.2.7-22.oe2203sp4.x86_64.rpm","libcephfs-devel-16.2.7-22.oe2203sp4.x86_64.rpm","libcephfs2-16.2.7-22.oe2203sp4.x86_64.rpm","libcephsqlite-16.2.7-22.oe2203sp4.x86_64.rpm","libcephsqlite-devel-16.2.7-22.oe2203sp4.x86_64.rpm","librados-devel-16.2.7-22.oe2203sp4.x86_64.rpm","librados2-16.2.7-22.oe2203sp4.x86_64.rpm","libradospp-devel-16.2.7-22.oe2203sp4.x86_64.rpm","libradosstriper-devel-16.2.7-22.oe2203sp4.x86_64.rpm","libradosstriper1-16.2.7-22.oe2203sp4.x86_64.rpm","librbd-devel-16.2.7-22.oe2203sp4.x86_64.rpm","librbd1-16.2.7-22.oe2203sp4.x86_64.rpm","librgw-devel-16.2.7-22.oe2203sp4.x86_64.rpm","librgw2-16.2.7-22.oe2203sp4.x86_64.rpm","python3-ceph-argparse-16.2.7-22.oe2203sp4.x86_64.rpm","python3-ceph-common-16.2.7-22.oe2203sp4.x86_64.rpm","python3-cephfs-16.2.7-22.oe2203sp4.x86_64.rpm","python3-rados-16.2.7-22.oe2203sp4.x86_64.rpm","python3-rbd-16.2.7-22.oe2203sp4.x86_64.rpm","python3-rgw-16.2.7-22.oe2203sp4.x86_64.rpm","rados-objclass-devel-16.2.7-22.oe2203sp4.x86_64.rpm","rbd-fuse-16.2.7-22.oe2203sp4.x86_64.rpm","rbd-mirror-16.2.7-22.oe2203sp4.x86_64.rpm","rbd-nbd-16.2.7-22.oe2203sp4.x86_64.rpm"]}}],"references":[{"type":"ADVISORY","url":"https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-1206"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-48916"}],"database_specific":{"severity":"High"}}