Bug 1582043 (CVE-2018-10841)

Summary: CVE-2018-10841 glusterfs: access trusted peer group via remote-host command
Product: [Other] Security Response
Reporter: Siddharth Sharma <sisharma>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: high
Docs Contact:
Priority: high
Version: unspecified
CC: amukherj, anoopcs, atumball, bmcclain, dblechte, dmoppert, eedri, extras-orphan, humble.devassy, jonathansteffan, jpadman, kkeithle, matthias, mgoldboi, michal.skrivanek, moagrawa, ndevos, ramkrsna, rhs-bugs, sabose, sankarshan, sbonazzo, security-response-team, sfowler, sherold, sisharma, ssaha, vbellur, yjog, ykaul
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in glusterfs which can lead to privilege escalation on gluster server nodes. An authenticated gluster client via TLS could use the gluster CLI with the --remote-host option to add itself to the trusted storage pool and perform privileged gluster operations such as adding other machines to the trusted storage pool and starting, stopping, and deleting volumes.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2019-06-10 10:26:29 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1582128, 1582129, 1593219, 1593230, 1593232, 1593238, 1593525, 1593526
Bug Blocks: 1578127

Description Siddharth Sharma 2018-05-24 05:27:24 UTC
A flaw was found in glusterfs which can lead to privilege escalation on 
gluster server nodes.

It was found that any gluster client authenticated via TLS could use
gluster cli with --remote-host command to add itself to gluster trusted 
pool and perform all gluster operations like peer probe itself or other 
machines, start, stop, delete volumes etc.
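
As an added defensive example (not part of this Bugzilla record and not code from the GlusterFS project): the outcome described above is an extra, unexpected peer in the trusted storage pool, so an operator can detect it by diffing the output of `gluster pool list` against an allowlist of the peers that are supposed to be there. The hostnames, UUIDs and sample output below are constructed; the three-column layout of `gluster pool list` (UUID, Hostname, State) is assumed from the command's usual output, and `live_pool_list()` is only needed when running on a real server node.

```python
"""Audit the GlusterFS trusted storage pool against an allowlist of expected peers.

Added example; not from the Bugzilla record or the GlusterFS project.
Sample data below is constructed.
"""
import re
import subprocess
from typing import Dict, List

# Constructed sample of `gluster pool list` output. The UUIDs and hostnames are
# invented; 203.0.113.77 plays the role of a peer that was never provisioned.
SAMPLE_POOL_LIST = """\
UUID\t\t\t\t\tHostname \tState
0f1e2d3c-4b5a-6978-8796-a5b4c3d2e1f0\tgluster2.example.internal\tConnected
1a2b3c4d-5e6f-7081-92a3-b4c5d6e7f809\tgluster3.example.internal\tConnected
9e8d7c6b-5a49-3827-1605-f4e3d2c1b0a9\t203.0.113.77\tConnected
ffffffff-0000-1111-2222-333333333333\tlocalhost\tConnected
"""

# One peer row: 36-char UUID, hostname, state. The header row does not match.
PEER_LINE = re.compile(r"^([0-9a-f-]{36})\s+(\S+)\s+(\S+)$", re.IGNORECASE)


def parse_pool_list(text: str) -> Dict[str, Dict[str, str]]:
    """Return {hostname: {"uuid": ..., "state": ...}} from `gluster pool list` output."""
    peers: Dict[str, Dict[str, str]] = {}
    for line in text.splitlines():
        match = PEER_LINE.match(line.strip())
        if not match:
            continue  # header line or blank line
        uuid, host, state = match.groups()
        peers[host] = {"uuid": uuid.lower(), "state": state}
    return peers


def audit_pool(text: str, expected_hosts: List[str]) -> Dict[str, List[str]]:
    """Compare the reported pool against the allowlist.

    "unexpected": peers present that nobody provisioned (investigate at once;
                  a self-added peer is exactly what CVE-2018-10841 enables).
    "missing":    allowlisted peers not present (detach, outage, or rename).
    """
    peers = parse_pool_list(text)
    expected = set(expected_hosts) | {"localhost"}  # the local node always lists itself
    return {
        "unexpected": sorted(h for h in peers if h not in expected),
        "missing": sorted(h for h in expected if h not in peers and h != "localhost"),
    }


def live_pool_list() -> str:
    """Run the real command on a gluster server node (needs glusterd and root)."""
    return subprocess.run(
        ["gluster", "pool", "list"], check=True, capture_output=True, text=True
    ).stdout


if __name__ == "__main__":
    allowlist = ["gluster2.example.internal", "gluster3.example.internal"]
    # Swap SAMPLE_POOL_LIST for live_pool_list() when running on a real node.
    print(audit_pool(SAMPLE_POOL_LIST, allowlist))
```

Run this from cron or a configuration-management check on each server node and alert on a non-empty `unexpected` list; the allowlist should come from the same source of truth that provisions the nodes, not from a snapshot of the pool itself.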

Comment 11 Siddharth Sharma 2018-06-20 10:23:07 UTC
Created glusterfs tracking bugs for this issue:

Affects: fedora-all [bug 1593230]

Comment 12 errata-xmlrpc 2018-06-20 10:30:00 UTC
This issue has been addressed in the following products:

  Red Hat Gluster Storage 3.3 for RHEL 6
  Native Client for RHEL 6 for Red Hat Storage

Via RHSA-2018:1955 https://access.redhat.com/errata/RHSA-2018:1955

Comment 13 errata-xmlrpc 2018-06-20 10:32:27 UTC
This issue has been addressed in the following products:

  Red Hat Gluster Storage 3.3 for RHEL 7
  Native Client for RHEL 7 for Red Hat Storage

Via RHSA-2018:1954 https://access.redhat.com/errata/RHSA-2018:1954

Comment 14 Siddharth Sharma 2018-06-20 10:48:49 UTC
upstream fix:

https://review.gluster.org/#/c/20328/

Comment 15 Siddharth Sharma 2018-06-20 10:51:27 UTC
Created glusterfs tracking bugs for this issue:

Affects: epel-all [bug 1593238]

Comment 16 Siddharth Sharma 2018-06-21 06:08:46 UTC
Statement:

Red Hat Enterprise Linux 6 and 7 are not affected by this flaw, as it only affects the glusterfs-server package. Red Hat Virtualization Hypervisor is not impacted by this flaw, as it uses gluster in a controlled manner via vdsm.