Security Bulletin: IBM Storage Ceph is vulnerable to an Improper Link Resolution Before File Access ('Link Following') in the RHEL UBI (CVE-2021-35939)

Summary

RHEL UBI is used by IBM Storage Ceph as the base operating system. This bulletin identifies the steps to take to address the vulnerability in the RHEL UBI. CVE-2021-35939.

Vulnerability Details

CVEID:CVE-2021-35939
**DESCRIPTION:**RPM Project RPM could allow a local authenticated attacker to gain elevated privileges on the system, caused by the failure to perform checks for unsafe symlinks for intermediary directories. An attacker could exploit this vulnerability to gain root privileges on the system.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/211338 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H)

Affected Products and Versions

Remediation/Fixes

IBM strongly recommends addressing the vulnerability now.
Download the latest version of IBM Storage Ceph and upgrade to 6.1z5 or later by following instructions.

<https://public.dhe.ibm.com/ibmdl/export/pub/storage/ceph/&gt;
<https://www.ibm.com/docs/en/storage-ceph/6?topic=upgrading&gt;

Workarounds and Mitigations

None