Bug 1582043 (CVE-2018-10841)
Summary: | CVE-2018-10841 glusterfs: access trusted peer group via remote-host command | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Siddharth Sharma <sisharma> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED ERRATA | QA Contact: | |
Severity: | high | Docs Contact: | |
Priority: | high | ||
Version: | unspecified | CC: | amukherj, anoopcs, atumball, bmcclain, dblechte, dmoppert, eedri, extras-orphan, humble.devassy, jonathansteffan, jpadman, kkeithle, matthias, mgoldboi, michal.skrivanek, moagrawa, ndevos, ramkrsna, rhs-bugs, sabose, sankarshan, sbonazzo, security-response-team, sfowler, sherold, sisharma, ssaha, vbellur, yjog, ykaul |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | Doc Type: | If docs needed, set a value | |
Doc Text: |
A flaw was found in glusterfs which can lead to privilege escalation on gluster server nodes. An authenticated gluster client via TLS could use gluster cli with --remote-host command to add it self to trusted storage pool and perform privileged gluster operations like adding other machines to trusted storage pool, start, stop, and delete volumes.
|
Story Points: | --- |
Clone Of: | Environment: | ||
Last Closed: | 2019-06-10 10:26:29 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | 1582128, 1582129, 1593219, 1593230, 1593232, 1593238, 1593525, 1593526 | ||
Bug Blocks: | 1578127 |
Description
Siddharth Sharma
2018-05-24 05:27:24 UTC
Created glusterfs tracking bugs for this issue: Affects: fedora-all [bug 1593230] This issue has been addressed in the following products: Red Hat Gluster Storage 3.3 for RHEL 6 Native Client for RHEL 6 for Red Hat Storage Via RHSA-2018:1955 https://access.redhat.com/errata/RHSA-2018:1955 This issue has been addressed in the following products: Red Hat Gluster Storage 3.3 for RHEL 7 Native Client for RHEL 7 for Red Hat Storage Via RHSA-2018:1954 https://access.redhat.com/errata/RHSA-2018:1954 upstream fix: https://review.gluster.org/#/c/20328/ Created glusterfs tracking bugs for this issue: Affects: epel-all [bug 1593238] Statement: Red Hat Enterprise Linux 6, 7 are not affected by this flaw as it only affects glusterfs-server package. Red Hat Virtualization Hypervisor is not impacted by this flaw, as it uses gluster in a controlled manner via vdsm. |