OSG-SEC-2018-10-04 Vulnerability in Red Hat Ceph Storage
Dear OSG Security Contacts,
A vulnerability described in CVE-2018-14649  has been reported in RedHat Ceph Storage that could potentially allow an unauthenticated attacker to remotely execute arbitrary code and escalate privileges. OSG security team considers patching this vulnerability to be IMPORTANT.
This issue affects the versions of ceph-iscsi-cli as shipped with Red Hat Ceph Storage 2 and 3. 
Any site using Red Hat Ceph storage should check whether they are using ceph-iscsi-cli package, and if they are should update urgently.
Red Hat Enterprise Linux 7 Red Hat Ceph Storage 2.5: https://access.redhat.com/errata/RHSA-2018:2837 Red Hat Ceph Storage 3.1: https://access.redhat.com/errata/RHSA-2018:2838
HOW IT WORKS:
It was found that the rbd-target-api service provided by ceph-iscsi-cli was running in debug mode. An unauthenticated attacker could use this to remotely execute arbitrary code and escalate privileges. 
-  https://access.redhat.com/security/cve/cve-2018-14649
Please contact the OSG security team at [email protected] if you have any questions or concerns.
OSG Security Team