Bug 1582043 - (CVE-2018-10841) CVE-2018-10841 glusterfs: access trusted peer group via remote-host command
Status: NEW
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Assigned To: Red Hat Product Security
Whiteboard: impact=important,public=20180620:1000...
Keywords: Security
Depends On: 1593219 1593525 1582128 1582129 1593230 1593232 1593238 1593526
Blocks: 1578127
Reported: 2018-05-24 01:27 EDT by Siddharth Sharma
Modified: 2018-07-10 10:22 EDT

Doc Text:
A flaw was found in glusterfs which can lead to privilege escalation on gluster server nodes. A gluster client authenticated via TLS could use the gluster CLI with the --remote-host option to add itself to the trusted storage pool and then perform privileged gluster operations such as adding other machines to the trusted storage pool and starting, stopping, and deleting volumes.
External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2018:1954 None None None 2018-06-20 06:32 EDT
Red Hat Product Errata RHSA-2018:1955 None None None 2018-06-20 06:30 EDT
Description Siddharth Sharma 2018-05-24 01:27:24 EDT
A flaw was found in glusterfs which can lead to privilege escalation on 
gluster server nodes.

It was found that any gluster client authenticated via TLS could use
gluster cli with --remote-host command to add itself to gluster trusted 
pool and perform all gluster operations like peer probe itself or other 
machines, start, stop, delete volumes etc.
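As an added illustration, not part of this bug report and not code from the glusterfs project, the following POSIX shell check compares the hostnames reported by `gluster pool list` against an operator-maintained allowlist of expected peers. A client that has used --remote-host to probe itself into the trusted storage pool, as described above, shows up as an extra pool member, which is what this catches. The sample output, the hostnames and the UUIDs are constructed for the example, and the three-column layout (UUID, Hostname, State) of the pool listing is assumed.

```shell
#!/bin/sh
# Added example: report hosts present in the trusted storage pool that are not
# on the operator's allowlist. Not code from the bug report or from glusterfs.

# Hostnames the operator expects to be pool members (hypothetical allowlist).
EXPECTED_PEERS="gluster1.example.internal gluster2.example.internal localhost"

# Constructed sample of `gluster pool list` output. The UUID/Hostname/State
# column layout is an assumption; the third row stands in for a
# TLS-authenticated client that probed itself into the pool.
SAMPLE_POOL_LIST='UUID	Hostname	State
1b2c3d4e-0000-4000-8000-000000000001	gluster1.example.internal	Connected
1b2c3d4e-0000-4000-8000-000000000002	localhost	Connected
1b2c3d4e-0000-4000-8000-000000000003	client7.example.internal	Connected'

# unexpected_peers POOL_LIST ALLOWLIST
# Prints one hostname per line for each pool member that is not in ALLOWLIST.
unexpected_peers() {
    printf '%s\n' "$1" | awk -v allow="$2" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        NR == 1 && $1 == "UUID" { next }      # skip the header row
        NF >= 2 && !($2 in ok)  { print $2 }  # second column is the hostname
    '
}

# pool_is_clean POOL_LIST ALLOWLIST
# Returns 0 when every pool member is on the allowlist, 1 otherwise.
pool_is_clean() {
    [ -z "$(unexpected_peers "$1" "$2")" ]
}

# Stand-alone run against the constructed sample. For a live check on a
# server node, replace "$SAMPLE_POOL_LIST" with "$(gluster pool list)".
if ! pool_is_clean "$SAMPLE_POOL_LIST" "$EXPECTED_PEERS"; then
    echo "unexpected peers in trusted storage pool:"
    unexpected_peers "$SAMPLE_POOL_LIST" "$EXPECTED_PEERS"
fi
```

Run it from cron or a configuration-management check on each server node; a non-empty result means either the allowlist is stale or a host was probed into the pool without the operator's knowledge, which is exactly the condition this flaw allows a TLS-authenticated client to create.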
Comment 11 Siddharth Sharma 2018-06-20 06:23:07 EDT
Created glusterfs tracking bugs for this issue:

Affects: fedora-all [bug 1593230]
Comment 12 errata-xmlrpc 2018-06-20 06:30:00 EDT
This issue has been addressed in the following products:

  Red Hat Gluster Storage 3.3 for RHEL 6
  Native Client for RHEL 6 for Red Hat Storage

Via RHSA-2018:1955 https://access.redhat.com/errata/RHSA-2018:1955
Comment 13 errata-xmlrpc 2018-06-20 06:32:27 EDT
This issue has been addressed in the following products:

  Red Hat Gluster Storage 3.3 for RHEL 7
  Native Client for RHEL 7 for Red Hat Storage

Via RHSA-2018:1954 https://access.redhat.com/errata/RHSA-2018:1954
Comment 14 Siddharth Sharma 2018-06-20 06:48:49 EDT
upstream fix:

https://review.gluster.org/#/c/20328/
Comment 15 Siddharth Sharma 2018-06-20 06:51:27 EDT
Created glusterfs tracking bugs for this issue:

Affects: epel-all [bug 1593238]
Comment 16 Siddharth Sharma 2018-06-21 02:08:46 EDT
Statement:

Red Hat Enterprise Linux 6, 7 are not affected by this flaw as it only affects glusterfs-server package. Red Hat Virtualization Hypervisor is not impacted by this flaw, as it uses gluster in a controlled manner via vdsm.
