Bug 1632557 (CVE-2018-14651)

Summary: CVE-2018-14651 glusterfs: glusterfs server exploitable via symlinks to relative paths
Product: [Other] Security Response
Reporter: Sam Fowler <sfowler>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: high
Docs Contact:
Priority: high
Version: unspecified
CC: abhgupta, anoopcs, atumball, bmcclain, carnil, dbaker, dblechte, dfediuck, eedri, humble.devassy, jokerman, jonathansteffan, kkeithle, matthias, mgoldboi, michal.skrivanek, ndevos, public, ramkrsna, rhs-bugs, sankarshan, sbonazzo, security-response-team, sfowler, sherold, sisharma, ssaha, sthangav, trankin, vbellur
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard: impact=important,public=20181031:0800,reported=20180921,source=researcher,cvss3=8.8/CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H,cwe=CWE-59,fedora-all/glusterfs=affected,rhes-3/glusterfs=affected,rhel-6/glusterfs=notaffected,rhel-7/glusterfs=notaffected,rhev-m-4/glusterfs=notaffected/impact=moderate/cvss3=6.8/CVSS:3.0/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H,rhel-8/glusterfs=notaffected,openshift-online-3/glusterfs=notaffected
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
It was found that the fix for CVE-2018-10927, CVE-2018-10928, CVE-2018-10929, CVE-2018-10930, and CVE-2018-10926 was incomplete. A remote, authenticated attacker could use one of these flaws to execute arbitrary code, create arbitrary files, or cause denial of service on glusterfs server nodes via symlinks to relative paths.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2019-06-10 10:38:41 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Bug Depends On: 1633013, 1644730, 1644755, 1647663, 1647667
Bug Blocks: 1631574, 1644080

Description Sam Fowler 2018-09-25 05:33:35 UTC
Gluster versions 3.12.14 and 4.1.4 included incomplete fixes for the vulnerabilities, CVE-2018-10927, CVE-2018-10928, CVE-2018-10929, CVE-2018-10930 and CVE-2018-10926. All five vulnerabilities remain exploitable via symlinks pointing to relative paths. A remote authenticated attacker could exploit one of these vulnerabilities to force a server to resolve target paths and achieve a maximum impact of arbitrary code execution.
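The description above says the earlier fixes were bypassed by symlinks whose target is a relative path. The following added example (constructed for this page; it is not glusterfs code and not the upstream patch, and the directory layout, file names and function names are assumptions) shows why a check that only rejects absolute symlink targets is incomplete for the CWE-59 class the whiteboard names, beside a containment check that resolves every component with realpath and requires the result to stay under the export root:

```python
import os
import shutil
import tempfile


def naive_symlink_ok(link_path):
    """Incomplete check (constructed for illustration): it rejects absolute
    symlink targets only, so a relative target such as '../outside/secret'
    is accepted even though it leaves the export directory."""
    target = os.readlink(link_path)
    return not os.path.isabs(target)


def confined_path_ok(export_root, path):
    """Containment check: resolve all symlink components on both sides and
    require the resolved path to be the root itself or a descendant of it.
    This treats absolute and relative symlink targets identically."""
    root = os.path.realpath(export_root)
    resolved = os.path.realpath(path)
    return resolved == root or resolved.startswith(root + os.sep)


def build_fixture():
    """Create a constructed tree: an export root with one ordinary file, one
    in-root symlink, one relative symlink escaping the root, and one absolute
    symlink. Returns the export root path (caller removes its parent)."""
    base = tempfile.mkdtemp(prefix="cwe59-demo-")
    export = os.path.join(base, "export")
    outside = os.path.join(base, "outside")
    os.makedirs(export)
    os.makedirs(outside)
    with open(os.path.join(outside, "secret"), "w") as fh:
        fh.write("not for clients\n")
    with open(os.path.join(export, "readme"), "w") as fh:
        fh.write("ordinary file\n")
    os.symlink("readme", os.path.join(export, "good_link"))
    os.symlink("../outside/secret", os.path.join(export, "escape_link"))
    os.symlink("/etc/hostname", os.path.join(export, "abs_link"))
    return export


def evaluate(export):
    """Run both checks on each symlink; returns {name: (naive, confined)}."""
    results = {}
    for name in ("good_link", "escape_link", "abs_link"):
        link = os.path.join(export, name)
        results[name] = (naive_symlink_ok(link), confined_path_ok(export, link))
    return results


def cleanup(export):
    shutil.rmtree(os.path.dirname(export))


if __name__ == "__main__":
    root = build_fixture()
    try:
        for name, (naive, confined) in evaluate(root).items():
            print(f"{name:12s} naive_ok={naive!s:5s} confined_ok={confined}")
    finally:
        cleanup(root)
```

Only `confined_path_ok` rejects `escape_link`: the naive check sees a non-absolute target and passes it, which is the gap a relative symlink target exploits. Resolving with realpath before the prefix comparison also covers a root that is itself reached through a symlink, and the `root + os.sep` comparison avoids matching a sibling directory whose name merely starts with the root's name.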

Comment 1 Sam Fowler 2018-09-25 05:33:47 UTC
Acknowledgments:

Name: Michael Hanselmann (hansmi.ch)

Comment 6 Doran Moppert 2018-10-30 05:30:47 UTC
Statement:

This issue did not affect Red Hat Enterprise Linux 6 and 7 as the flaw is present in glusterfs-server, which is not shipped there.

Comment 7 errata-xmlrpc 2018-10-31 08:42:52 UTC
This issue has been addressed in the following products:

  Red Hat Gluster Storage 3.4 for RHEL 6
  Native Client for RHEL 6 for Red Hat Storage

Via RHSA-2018:3431 https://access.redhat.com/errata/RHSA-2018:3431

Comment 8 errata-xmlrpc 2018-10-31 08:44:04 UTC
This issue has been addressed in the following products:

  Red Hat Gluster Storage 3.4 for RHEL 7
  Native Client for RHEL 7 for Red Hat Storage

Via RHSA-2018:3432 https://access.redhat.com/errata/RHSA-2018:3432

Comment 9 Siddharth Sharma 2018-10-31 13:51:34 UTC
Created glusterfs tracking bugs for this issue:

Affects: fedora-all [bug 1644730]

Comment 10 Salvatore Bonaccorso 2018-10-31 20:32:46 UTC
Can you share information on the fixing commit(s) for the CVE-2018-14651 issue (and in the other bugs respectively)?

Comment 11 Sam Fowler 2018-10-31 23:14:33 UTC
Redirecting needinfo to Siddharth.

Comment 12 Siddharth Sharma 2018-11-01 04:35:25 UTC
Upstream fix:

https://review.gluster.org/#/c/glusterfs/+/21527/