Bugzilla will be upgraded to version 5.0. The upgrade date is tentatively scheduled for 2 December 2018, pending final testing and feedback.
First Last Prev Next    This bug is not in your last search results.
Bug 1570891 - (CVE-2018-1112) CVE-2018-1112 glusterfs: auth.allow allows unauthenticated clients to mount gluster volumes (CVE-2018-1088 regression)
CVE-2018-1112 glusterfs: auth.allow allows unauthenticated clients to mount g...
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
high Severity high
: ---
: ---
Assigned To: Red Hat Product Security
impact=important,public=20180419,repo...
: Security
Depends On: 1570906 1571037 1571038 1571448 1572188
Blocks: 1570893
  Show dependency treegraph
 
Reported: 2018-04-23 12:28 EDT by Pedro Sampaio
Modified: 2018-05-04 09:59 EDT (History)
31 users (show)

See Also:
Fixed In Version: glusterfs 3.10.12, glusterfs 4.0.2
Doc Type: If docs needed, set a value
Doc Text:
It was found that fix for CVE-2018-1088 introduced a new vulnerability in the way 'auth.allow' is implemented in glusterfs server. An unauthenticated gluster client could mount gluster storage volumes.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2018-05-04 09:59:59 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2018:1268 None None None 2018-04-30 08:48 EDT
Red Hat Product Errata RHSA-2018:1269 None None None 2018-04-30 08:51 EDT

  None (edit)
Description Pedro Sampaio 2018-04-23 12:28:16 EDT 
The fix for CVE-2018-1088 in glusterfs introduced a new flaw where auth.allow allows all clients to mount volumes.
Comment 11 Siddharth Sharma 2018-04-24 10:31:25 EDT 
Upstream Fix(es):

https://review.gluster.org/#/c/19899/1..2
Comment 12 Siddharth Sharma 2018-04-24 14:11:45 EDT 
External References:

https://access.redhat.com/articles/3422521
Comment 13 Siddharth Sharma 2018-04-24 14:20:17 EDT 
Mitigation:

1. Use TLS Authentication to authenticate gluster clients to limit access to gluster storage volumes

2. The gluster server should be on LAN, firewalled to trusted systems, and not reachable from public networks.
Comment 14 Siddharth Sharma 2018-04-24 16:15:46 EDT 
Created glusterfs tracking bugs for this issue:

Affects: fedora-all [bug 1571448]
Comment 17 Eric Christensen 2018-04-27 07:59:21 EDT 
Statement:

This vulnerability affects gluster servers that use 'auth.allow' to restrict access to gluster volumes. Gluster servers using TLS to authenticate gluster clients are not affected by this. This vulnerability allows any client to connect to any gluster volume which only uses auth.allow to restrict access.

This issue did not affect the versions of glusterfs as shipped with Red Hat Enterprise Linux 6 and 7 because only gluster client is shipped in these products. CVE-2018-1112 affects glusterfs-server package as shipped with Red Hat Gluster Storage 3.
Comment 21 errata-xmlrpc 2018-04-30 08:48:07 EDT 
This issue has been addressed in the following products:

  Red Hat Gluster Storage 3.3 for RHEL 6
  Native Client for RHEL 6 for Red Hat Storage

Via RHSA-2018:1268 https://access.redhat.com/errata/RHSA-2018:1268
Comment 22 errata-xmlrpc 2018-04-30 08:50:57 EDT 
This issue has been addressed in the following products:

  Red Hat Gluster Storage 3.3 for RHEL 7
  Native Client for RHEL 7 for Red Hat Storage

Via RHSA-2018:1269 https://access.redhat.com/errata/RHSA-2018:1269
Note You need to log in before you can comment on or make changes to this bug.
First Last Prev Next    This bug is not in your last search results.