Bug 1570432 - CVE-2018-1088 glusterfs: Privilege escalation via gluster_shared_storage when snapshot scheduling is enabled [fedora-all]
Summary: CVE-2018-1088 glusterfs: Privilege escalation via gluster_shared_storage when...
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: GlusterFS
Classification: Community
Component: snapshot
Version: 4.0
Hardware: Unspecified
OS: Unspecified
high
high
Target Milestone: ---
Assignee: bugs@gluster.org
QA Contact:
URL:
Whiteboard:
Depends On: 1568973
Blocks: CVE-2018-1088
TreeView+ depends on / blocked
 
Reported: 2018-04-22 22:15 UTC by Shyamsundar
Modified: 2018-05-07 15:15 UTC (History)
16 users (show)

Fixed In Version: glusterfs-4.0.2
Doc Type: Release Note
Doc Text:
Clone Of: 1568973
Environment:
Last Closed: 2018-05-07 15:15:47 UTC
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:


Attachments (Terms of Use)

Comment 1 Worker Ant 2018-04-22 22:19:11 UTC
REVIEW: https://review.gluster.org/19920 (shared storage: Prevent mounting shared storage from non-trusted client) posted (#1) for review on release-4.0 by Shyamsundar Ranganathan

Comment 2 Worker Ant 2018-04-22 22:20:14 UTC
REVIEW: https://review.gluster.org/19921 (server/auth: add option for strict authentication) posted (#1) for review on release-4.0 by Shyamsundar Ranganathan

Comment 3 Worker Ant 2018-04-24 12:52:50 UTC
COMMIT: https://review.gluster.org/19920 committed in release-4.0 by "Shyamsundar Ranganathan" <srangana@redhat.com> with a commit message- shared storage: Prevent mounting shared storage from non-trusted client

gluster shared storage is a volume used for internal storage for
various features including ganesha, geo-rep, snapshot.

So this volume should not be exposed to the client, as it is
a special volume for internal use.

This fix wont't generate non trusted volfile for shared storage volume.

Change-Id: I8ffe30ae99ec05196d75466210b84db311611a4c
updates: bz#1570432
Signed-off-by: Mohammed Rafi KC <rkavunga@redhat.com>

Comment 4 Worker Ant 2018-04-24 12:53:13 UTC
COMMIT: https://review.gluster.org/19921 committed in release-4.0 by "Shyamsundar Ranganathan" <srangana@redhat.com> with a commit message- server/auth: add option for strict authentication

When this option is enabled, we will check for a matching
username and password, if not found then the connection will
be rejected. This also does a checksum validation of volfile

The option is invalid when SSL/TLS is in use, at which point
the SSL/TLS certificate user name is used to validate and
hence authorize the right user. This expects TLS allow rules
to be setup correctly rather than the default *.

This option is not settable, as a result this cannot be enabled
for volumes using the CLI. This is used with the shared storage
volume, to restrict access to the same in non-SSL/TLS environments
to the gluster peers only.

Tested:
  ./tests/bugs/protocol/bug-1321578.t
  ./tests/features/ssl-authz.t
  - Ran tests on volumes with and without strict auth
    checking (as brick vol file needed to be edited to test,
    or rather to enable the option)
  - Ran tests on volumes to ensure existing mounts are
    disconnected when we enable strict checking

Change-Id: I2ac4f0cfa5b59cc789cc5a265358389b04556b59
fixes: bz#1570432
Signed-off-by: Mohammed Rafi KC <rkavunga@redhat.com>
Signed-off-by: ShyamsundarR <srangana@redhat.com>

Comment 5 Shyamsundar 2018-05-07 15:15:47 UTC
This bug is getting closed because a release has been made available that should address the reported issue. In case the problem is still not fixed with glusterfs-4.0.2, please open a new bug report.

glusterfs-4.0.2 has been announced on the Gluster mailinglists [1], packages for several distributions should become available in the near future. Keep an eye on the Gluster Users mailinglist [2] and the update infrastructure for your distribution.

[1] http://lists.gluster.org/pipermail/announce/2018-April/000097.html
[2] https://www.gluster.org/pipermail/gluster-users/


Note You need to log in before you can comment on or make changes to this bug.