Bug 1593526

Summary: CVE-2018-10841 glusterfs: access trusted peer group via remote-host command [glusterfs upstream]
Product: [Community] GlusterFS Reporter: Mohit Agrawal <moagrawa>
Component: coreAssignee: Mohit Agrawal <moagrawa>
Status: CLOSED CURRENTRELEASE QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: 3.12CC: amukherj, bmekala, rhinduja, sankarshan, sisharma, smohan, ssaha, vbellur, vmalkoti
Target Milestone: ---Keywords: Security, SecurityTracking
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard: component:glusterfs
Fixed In Version: glusterfs-3.12.11 Doc Type: Release Note
Doc Text:
Story Points: ---
Clone Of: 1582129 Environment:
Last Closed: 2018-10-23 14:11:29 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1582129    
Bug Blocks: 1582043, 1593232, 1593525    
Deadline: 2018-07-20   

Comment 1 Mohit Agrawal 2018-06-21 02:02:23 UTC
RCA: In SSL environment the user is able to access volume via remote-host command 
     without adding node in a trusted pool, and a user has access to delete/ stop
     the volume.To resolve the same replace the list of RPC programs at the time
     of connection initialization in glusterd.


Regards
Mohit Agrawal

Comment 2 Mohit Agrawal 2018-06-21 02:13:10 UTC
Patch is posted 
https://review.gluster.org/#/c/20339

Regards
Mohit Agrawal

Comment 3 Worker Ant 2018-06-25 13:41:36 UTC
REVIEW: https://review.gluster.org/20339 (glusterfs: access trusted peer group via remote-host command) posted (#2) for review on release-3.12 by Shyamsundar Ranganathan

Comment 4 Worker Ant 2018-06-25 13:58:47 UTC
COMMIT: https://review.gluster.org/20339 committed in release-3.12 by "Shyamsundar Ranganathan" <srangana> with a commit message- glusterfs: access trusted peer group via remote-host command

Problem: In SSL environment the user is able to access volume
         via remote-host command without adding node in a trusted pool

Solution: Change the list of rpc program in glusterd.c at the
          time of initialization while SSL is enabled

> Change-Id: I987e433b639e68ad17b77b6452df1e22dbe0f199
> cherry picked from commit 234d611160840899bcfd5ab1c17a6253673d38ed

BUG: 1593526
fixes: bz#1593526
Change-Id: I705253e032239e92ecad1c6a9b7e423a022132b5
Signed-off-by: Mohit Agrawal <moagrawa>

Comment 5 Shyamsundar 2018-10-23 14:11:29 UTC
This bug is getting closed because a release has been made available that should address the reported issue. In case the problem is still not fixed with glusterfs-3.12.11, please open a new bug report.

glusterfs-3.12.11 has been announced on the Gluster mailinglists [1], packages for several distributions should become available in the near future. Keep an eye on the Gluster Users mailinglist [2] and the update infrastructure for your distribution.

[1] https://lists.gluster.org/pipermail/announce/2018-July/000104.html
[2] https://www.gluster.org/pipermail/gluster-users/