Bug 1558721 (CVE-2018-1088)
Summary: | CVE-2018-1088 glusterfs: Privilege escalation via gluster_shared_storage when snapshot scheduling is enabled | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Pedro Sampaio <psampaio> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED ERRATA | QA Contact: | |
Severity: | high | Docs Contact: | |
Priority: | high | ||
Version: | unspecified | CC: | amukherj, anoopcs, atumball, bmcclain, dblechte, dmoppert, eedri, gmollett, humble.devassy, jonathansteffan, jstrunk, kkeithle, matthias, mgoldboi, michal.skrivanek, ndevos, ramkrsna, rhs-bugs, sabose, sankarshan, sbonazzo, security-response-team, sherold, sisharma, smohan, srangana, ssaha, vbellur, ycui, yjog, ykaul, ylavi |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | Doc Type: | If docs needed, set a value | |
Doc Text: |
A privilege escalation flaw was found in gluster snapshot scheduler. Any gluster client allowed to mount gluster volumes could also mount shared gluster storage volume and escalate privileges by scheduling malicious cronjob via symlink.
|
Story Points: | --- |
Clone Of: | Environment: | ||
Last Closed: | 2018-05-03 23:46:57 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | 1559331, 1564971, 1564972, 1568832, 1568973, 1570428, 1570430, 1570432 | ||
Bug Blocks: | 1558724 |
Description
Pedro Sampaio
2018-03-20 21:30:53 UTC
Acknowledgments: Name: John Strunk (Red Hat) Mitigation: To limit exposure of gluster server nodes : 1. gluster server should be on LAN and not reachable from public networks. 2. Use gluster auth.allow and auth.reject. 3. Use TLS certificates between gluster server nodes and clients. Caveat: This would only mitigate attacks from unauthorized malicious clients. gluster clients allowed by auth.allow or having signed TLS client certificates would still be able to trigger this attack. Created glusterfs tracking bugs for this issue: Affects: fedora-all [bug 1568832] This issue has been addressed in the following products: Red Hat Gluster Storage 3.3 for RHEL 6 Native Client for RHEL 6 for Red Hat Storage Via RHSA-2018:1137 https://access.redhat.com/errata/RHSA-2018:1137 This issue has been addressed in the following products: Red Hat Gluster Storage 3.3 for RHEL 7 Native Client for RHEL 7 for Red Hat Storage Via RHSA-2018:1136 https://access.redhat.com/errata/RHSA-2018:1136 External References: https://access.redhat.com/articles/3414511 Statement: This vulnerability affects gluster servers that have, or have previously had, Gluster volume snapshot scheduling enabled from the CLI. Red Hat Enterprise Virtualization supports volume snapshot scheduling from the Web UI, which uses a distinct mechanism that is not subject to this vulnerability. VM snapshots are not impacted by this flaw. For more information, please see the Vulnerability Article linked under External References. This issue did not affect the versions of glusterfs as shipped with Red Hat Enterprise Linux 6, and 7 because only gluster client is shipped in these products. CVE-2018-1088 affects glusterfs-server package as shipped with Red Hat Gluster Storage 3. This issue has been addressed in the following products: Red Hat Virtualization 4 for RHEL-7 Via RHSA-2018:1275 https://access.redhat.com/errata/RHSA-2018:1275 This issue has been addressed in the following products: Red Hat Virtualization 4 for RHEL-7 Via RHSA-2018:1524 https://access.redhat.com/errata/RHSA-2018:1524 |