Bug 1593232
| Summary: | CVE-2018-10841 glusterfs: access trusted peer group via remote-host command [glusterfs upstream] | ||
|---|---|---|---|
| Product: | [Community] GlusterFS | Reporter: | Mohit Agrawal <moagrawa> |
| Component: | core | Assignee: | Mohit Agrawal <moagrawa> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | |
| Severity: | high | Docs Contact: | |
| Priority: | high | ||
| Version: | mainline | CC: | amukherj, atumball, bmekala, rhinduja, sankarshan, sisharma, smohan, ssaha, vbellur, vmalkoti |
| Target Milestone: | --- | Keywords: | Security, SecurityTracking |
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | component:glusterfs | ||
| Fixed In Version: | glusterfs-5.0 | Doc Type: | Release Note |
| Doc Text: | Story Points: | --- | |
| Clone Of: | 1582129 | Environment: | |
| Last Closed: | 2018-10-08 10:29:50 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1582129, 1593525, 1593526 | ||
| Bug Blocks: | 1582043, 1593230 | ||
| Deadline: | 2018-07-20 | ||
Patch is posted on upstream https://review.gluster.org/#/c/20328/

Regards
Mohit Agrawal

COMMIT: https://review.gluster.org/20328 committed in master by "Atin Mukherjee" <amukherj> with a commit message- glusterfs: access trusted peer group via remote-host command

Problem: In SSL environment the user is able to access volume via remote-host command without adding node in a trusted pool

Solution: Change the list of rpc program in glusterd.c at the time of initialization while SSL is enabled

BUG: 1593232
Change-Id: I987e433b639e68ad17b77b6452df1e22dbe0f199
fixes: bz#1593232
Signed-off-by: Mohit Agrawal <moagrawa>

REVIEW: https://review.gluster.org/20338 (glusterfs: access trusted peer group via remote-host command) posted (#1) for review on release-4.1 by MOHIT AGRAWAL

REVIEW: https://review.gluster.org/20339 (glusterfs: access trusted peer group via remote-host command) posted (#1) for review on release-3.12 by MOHIT AGRAWAL

REVISION POSTED: https://review.gluster.org/20338 (glusterfs: access trusted peer group via remote-host command) posted (#2) for review on release-4.1 by Shyamsundar Ranganathan

REVISION POSTED: https://review.gluster.org/20339 (glusterfs: access trusted peer group via remote-host command) posted (#2) for review on release-3.12 by Shyamsundar Ranganathan

This bug is getting closed because a release has been made available that should address the reported issue. In case the problem is still not fixed with glusterfs-5.0, please open a new bug report.

glusterfs-5.0 has been announced on the Gluster mailinglists [1], packages for several distributions should become available in the near future. Keep an eye on the Gluster Users mailinglist [2] and the update infrastructure for your distribution.

[1] https://lists.gluster.org/pipermail/announce/2018-October/000115.html
[2] https://www.gluster.org/pipermail/gluster-users/
RCA: In SSL environment the user is able to access volume via remote-host command without adding node in a trusted pool, and user has access to delete/stop the volume. To resolve the same replace the list of rpc programs at the time of connection initialization in glusterd.

Regards
Mohit Agrawal