Josh Baergen

**Name of the Vulnerable Software and Affected Versions** IBM Storage Ceph versions 5.3z1 through 6.1z1 **Description** The issue allows an authenticated user on the network to cause a denial of service from RGW. **Recommendations** For versions 5.3z1, 5.3z5, and 6.1z1, update to a version that fixes the issue. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** IBM Spectrum Fusion HCI versions 2.5.2 through 2.7.2 **Description** The issue is related to improper bucket access in the RGW service of the Ceph data storage system. It allows an attacker to perform unauthorized actions by exploiting the lack of access restrictions when handling bucket keys. This can enable a remote attacker to bypass security limitations and upload arbitrary files. **Recommendations** For IBM Spectrum Fusion HCI versions 2.5.2 through 2.7.2, consider restricting access to the RGW service until a patch is available. As a temporary workaround, limit the ability to write to buckets using the vulnerable `RGWPostObj ObjStore S3::get params()` function. Avoid using the vulnerable function to process form-data containing keys that could allow unauthorized access to buckets. At the moment, there is no information about a newer version that contains a fix for this vulnerability.