Bug 1701091 (CVE-2019-3899)

Summary: CVE-2019-3899 heketi: heketi can be installed using insecure defaults
Product: [Other] Security Response
Reporter: Siddharth Sharma <sisharma>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: dmoessne, dominik.mierzejewski, hchiramm, jarrpa, jmulligan, jpadman, kramdoss, lpabon, madam, ndevos, ramkrsna, rhs-bugs, sisharma, storage-qa-internal, vbellur, yjog
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Doc Type: If docs needed, set a value
Doc Text:
It was found that the default configuration of Heketi does not require any authentication, potentially exposing the Heketi server API to misuse. An unauthenticated attacker could connect remotely to the Heketi server and run arbitrary commands supported by the Heketi server API via the Heketi CLI.
Story Points: ---
Last Closed: 2019-10-30 12:51:12 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 1701838, 1705856
Bug Blocks: 1699406

Description Siddharth Sharma 2019-04-18 03:26:05 UTC
Heketi is used to manage GlusterFS nodes and volumes. The default configuration of Heketi does not require any authentication, potentially exposing the management interface to misuse.

Comment 3 John Mulligan 2019-04-18 12:48:07 UTC
If configuring via the JSON above you also need to set "use_auth" to true.
This differs slightly if you are setting the keys via environment variables as using the env vars will automatically do the equivalent of setting "use_auth" to true.

Comment 6 Joshua Padman 2019-04-19 08:56:08 UTC
Mitigation:

After installation of Heketi

1. Configure the user and admin keys in the /etc/heketi/heketi.json file
...
{
  "_port_comment": "Heketi Server Port Number",
  "port": "8080",

  "_use_auth": "Enable JWT authorization. Please enable for deployment",
  "use_auth": true,

  "_jwt": "Private keys for access",
  "jwt": {
    "_admin": "Admin has access to all APIs",
    "admin": {
      "key": "My Secret"
    },
    "_user": "User only has access to /volumes endpoint",
    "user": {
      "key": "My Secret"
    }
  },
...

2. Restart the heketi server
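
As an added example (not part of this bug report or of the heketi project), a small Python audit that checks a heketi.json for the insecure default described here, following comment 3's rule: the JSON path needs "use_auth": true plus non-empty keys, while keys supplied through environment variables imply auth. The env var names HEKETI_ADMIN_KEY and HEKETI_USER_KEY are an assumption, and the sample configs are constructed; it also flags a user key identical to the admin key, since that collapses the role separation the jwt section is meant to provide.

```python
import json
import os

# Assumed environment variable names for the admin/user JWT keys
# (comment 3 says setting keys via env vars implies use_auth = true).
ENV_ADMIN_KEY = "HEKETI_ADMIN_KEY"
ENV_USER_KEY = "HEKETI_USER_KEY"

# Constructed sample resembling the mitigation config in comment 6;
# "My Secret" is the placeholder value from that comment, not a real key.
SAMPLE_MITIGATED = json.loads("""
{
  "port": "8080",
  "use_auth": true,
  "jwt": {
    "admin": {"key": "My Secret"},
    "user":  {"key": "My Secret"}
  }
}
""")

# Constructed sample of the insecure default this CVE describes: no auth.
SAMPLE_DEFAULT = {
    "port": "8080",
    "use_auth": False,
    "jwt": {"admin": {"key": ""}, "user": {"key": ""}},
}


def audit_heketi_config(config, env=None):
    """Return a list of findings; an empty list means the configuration
    does not exhibit the unauthenticated default from CVE-2019-3899."""
    env = os.environ if env is None else env
    findings = []
    jwt = config.get("jwt", {})
    env_admin, env_user = env.get(ENV_ADMIN_KEY), env.get(ENV_USER_KEY)
    # Env vars take effect regardless of the JSON; otherwise fall back to it.
    admin_key = env_admin or jwt.get("admin", {}).get("key", "")
    user_key = env_user or jwt.get("user", {}).get("key", "")
    # Env vars enable auth implicitly; the JSON path needs use_auth explicitly.
    auth_enabled = bool(env_admin or env_user) or config.get("use_auth") is True
    if not auth_enabled:
        findings.append("use_auth is not true and no key env vars set: API is unauthenticated")
    if not admin_key:
        findings.append("admin JWT key is missing or empty")
    if not user_key:
        findings.append("user JWT key is missing or empty")
    if admin_key and admin_key == user_key:
        findings.append("admin and user keys are identical: user role can act as admin")
    return findings
```

Run it against a real deployment by passing `json.load(open("/etc/heketi/heketi.json"))` and leaving `env` unset so the process environment is consulted.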

Comment 9 Laura Pardo 2019-05-02 17:06:43 UTC
Acknowledgments:

Name: Daniel Moessner (Red Hat)

Comment 10 Siddharth Sharma 2019-05-03 03:57:13 UTC
Created heketi tracking bugs for this issue:

Affects: fedora-all [bug 1705856]

Comment 12 errata-xmlrpc 2019-10-30 12:34:01 UTC
This issue has been addressed in the following products:

  Native Client for RHEL 7 for Red Hat Storage
  Red Hat Gluster Storage 3.5 for RHEL 7

Via RHSA-2019:3255 https://access.redhat.com/errata/RHSA-2019:3255

Comment 13 Product Security DevOps Team 2019-10-30 12:51:12 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-3899