Bug 1570891 (CVE-2018-1112)

Summary: CVE-2018-1112 glusterfs: auth.allow allows unauthenticated clients to mount gluster volumes (CVE-2018-1088 regression)
Product: [Other] Security Response Reporter: Pedro Sampaio <psampaio>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: amukherj, anoopcs, atumball, bmcclain, btotty, carnil, dblechte, dmoppert, eedri, humble.devassy, jonathansteffan, kkeithle, matthias, mgoldboi, michal.skrivanek, ndevos, ramkrsna, rhs-bugs, sabose, sankarshan, sbonazzo, security-response-team, sherold, sisharma, skontar, smohan, ssaha, vbellur, yjog, ykaul, ylavi
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: glusterfs 3.10.12, glusterfs 4.0.2 Doc Type: If docs needed, set a value
Doc Text:
It was found that fix for CVE-2018-1088 introduced a new vulnerability in the way 'auth.allow' is implemented in glusterfs server. An unauthenticated gluster client could mount gluster storage volumes.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2018-05-04 13:59:59 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1570906, 1571037, 1571038, 1571448, 1572188    
Bug Blocks: 1570893    

Description Pedro Sampaio 2018-04-23 16:28:16 UTC 
The fix for CVE-2018-1088 in glusterfs introduced a new flaw where auth.allow allows all clients to mount volumes.
Comment 11 Siddharth Sharma 2018-04-24 14:31:25 UTC 
Upstream Fix(es):

https://review.gluster.org/#/c/19899/1..2
Comment 12 Siddharth Sharma 2018-04-24 18:11:45 UTC 
External References:

https://access.redhat.com/articles/3422521
Comment 13 Siddharth Sharma 2018-04-24 18:20:17 UTC 
Mitigation:

1. Use TLS Authentication to authenticate gluster clients to limit access to gluster storage volumes

2. The gluster server should be on LAN, firewalled to trusted systems, and not reachable from public networks.
Comment 14 Siddharth Sharma 2018-04-24 20:15:46 UTC 
Created glusterfs tracking bugs for this issue:

Affects: fedora-all [bug 1571448]
Comment 17 Eric Christensen 2018-04-27 11:59:21 UTC 
Statement:

This vulnerability affects gluster servers that use 'auth.allow' to restrict access to gluster volumes. Gluster servers using TLS to authenticate gluster clients are not affected by this. This vulnerability allows any client to connect to any gluster volume which only uses auth.allow to restrict access.

This issue did not affect the versions of glusterfs as shipped with Red Hat Enterprise Linux 6 and 7 because only gluster client is shipped in these products. CVE-2018-1112 affects glusterfs-server package as shipped with Red Hat Gluster Storage 3.
Comment 21 errata-xmlrpc 2018-04-30 12:48:07 UTC 
This issue has been addressed in the following products:

  Red Hat Gluster Storage 3.3 for RHEL 6
  Native Client for RHEL 6 for Red Hat Storage

Via RHSA-2018:1268 https://access.redhat.com/errata/RHSA-2018:1268
Comment 22 errata-xmlrpc 2018-04-30 12:50:57 UTC 
This issue has been addressed in the following products:

  Red Hat Gluster Storage 3.3 for RHEL 7
  Native Client for RHEL 7 for Red Hat Storage

Via RHSA-2018:1269 https://access.redhat.com/errata/RHSA-2018:1269