Bug 1570432
| Summary: | CVE-2018-1088 glusterfs: Privilege escalation via gluster_shared_storage when snapshot scheduling is enabled [fedora-all] | ||
|---|---|---|---|
| Product: | [Community] GlusterFS | Reporter: | Shyamsundar <srangana> |
| Component: | snapshot | Assignee: | bugs <bugs> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | |
| Severity: | high | Docs Contact: | |
| Priority: | high | ||
| Version: | 4.0 | CC: | anoopcs, atumball, bugs, extras-qa, humble.devassy, jonathansteffan, kkeithle, matthias, ndevos, ramkrsna, rhinduja, rhs-bugs, sankarshan, sisharma, storage-qa-internal, vbellur |
| Target Milestone: | --- | Keywords: | Security, SecurityTracking, Triaged |
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | glusterfs-4.0.2 | Doc Type: | Release Note |
| Doc Text: | Story Points: | --- | |
| Clone Of: | 1568973 | Environment: | |
| Last Closed: | 2018-05-07 15:15:47 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1568973 | ||
| Bug Blocks: | 1558721 | ||
|
Comment 1
Worker Ant
2018-04-22 22:19:11 UTC
REVIEW: https://review.gluster.org/19921 (server/auth: add option for strict authentication) posted (#1) for review on release-4.0 by Shyamsundar Ranganathan COMMIT: https://review.gluster.org/19920 committed in release-4.0 by "Shyamsundar Ranganathan" <srangana> with a commit message- shared storage: Prevent mounting shared storage from non-trusted client gluster shared storage is a volume used for internal storage for various features including ganesha, geo-rep, snapshot. So this volume should not be exposed to the client, as it is a special volume for internal use. This fix wont't generate non trusted volfile for shared storage volume. Change-Id: I8ffe30ae99ec05196d75466210b84db311611a4c updates: bz#1570432 Signed-off-by: Mohammed Rafi KC <rkavunga> COMMIT: https://review.gluster.org/19921 committed in release-4.0 by "Shyamsundar Ranganathan" <srangana> with a commit message- server/auth: add option for strict authentication When this option is enabled, we will check for a matching username and password, if not found then the connection will be rejected. This also does a checksum validation of volfile The option is invalid when SSL/TLS is in use, at which point the SSL/TLS certificate user name is used to validate and hence authorize the right user. This expects TLS allow rules to be setup correctly rather than the default *. This option is not settable, as a result this cannot be enabled for volumes using the CLI. This is used with the shared storage volume, to restrict access to the same in non-SSL/TLS environments to the gluster peers only. Tested: ./tests/bugs/protocol/bug-1321578.t ./tests/features/ssl-authz.t - Ran tests on volumes with and without strict auth checking (as brick vol file needed to be edited to test, or rather to enable the option) - Ran tests on volumes to ensure existing mounts are disconnected when we enable strict checking Change-Id: I2ac4f0cfa5b59cc789cc5a265358389b04556b59 fixes: bz#1570432 Signed-off-by: Mohammed Rafi KC <rkavunga> Signed-off-by: ShyamsundarR <srangana> This bug is getting closed because a release has been made available that should address the reported issue. In case the problem is still not fixed with glusterfs-4.0.2, please open a new bug report. glusterfs-4.0.2 has been announced on the Gluster mailinglists [1], packages for several distributions should become available in the near future. Keep an eye on the Gluster Users mailinglist [2] and the update infrastructure for your distribution. [1] http://lists.gluster.org/pipermail/announce/2018-April/000097.html [2] https://www.gluster.org/pipermail/gluster-users/ |