1593232 – CVE-2018-10841 glusterfs: access trusted peer group via remote-host command [glusterfs upstream]

Bug 1593232 - CVE-2018-10841 glusterfs: access trusted peer group via remote-host command [glusterfs upstream]

Summary: CVE-2018-10841 glusterfs: access trusted peer group via remote-host command [...

Keywords:
Status:	CLOSED CURRENTRELEASE
Alias:	None
Deadline:	2018-07-20
Product:	GlusterFS
Classification:	Community
Component:	core
Sub Component:
Version:	mainline
Hardware:	Unspecified
OS:	Unspecified
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Mohit Agrawal
QA Contact:
Docs Contact:
URL:
Whiteboard:	component:glusterfs
Depends On:	1582129 1593525 1593526
Blocks:	CVE-2018-10841 1593230
TreeView+	depends on / blocked

Reported:	2018-06-20 10:24 UTC by Mohit Agrawal
Modified:	2018-10-23 15:12 UTC (History)
CC List:	10 users (show)
Fixed In Version:	glusterfs-5.0
Doc Type:	Release Note
Doc Text:
Clone Of:	1582129
Environment:
Last Closed:	2018-10-08 10:29:50 UTC
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Comment 1 Mohit Agrawal 2018-06-20 10:39:59 UTC

RCA: In SSL environment the user is able to access volume via remote-host command 
     without adding node in a trusted pool, and user has access to delete/ stop
     the volume.To resolve the same replace the list of rpc programs at the time
     of connection initialization in glusterd.


Regards
Mohit Agreawal

Comment 2 Mohit Agrawal 2018-06-20 10:46:09 UTC

Patch is posted on upstream
https://review.gluster.org/#/c/20328/

Regards
Mohit Agrawal

Comment 3 Worker Ant 2018-06-20 23:59:06 UTC

COMMIT: https://review.gluster.org/20328 committed in master by "Atin Mukherjee" <amukherj> with a commit message- glusterfs: access trusted peer group via remote-host command

Problem: In SSL environment the user is able to access volume
         via remote-host command without adding node in a trusted pool

Solution: Change the list of rpc program in glusterd.c at the
          time of initialization while SSL is enabled

BUG: 1593232
Change-Id: I987e433b639e68ad17b77b6452df1e22dbe0f199
fixes: bz#1593232
Signed-off-by: Mohit Agrawal <moagrawa>

Comment 4 Worker Ant 2018-06-21 02:08:02 UTC

REVIEW: https://review.gluster.org/20338 (glusterfs: access trusted peer group via remote-host command) posted (#1) for review on release-4.1 by MOHIT AGRAWAL

Comment 5 Worker Ant 2018-06-21 02:12:32 UTC

REVIEW: https://review.gluster.org/20339 (glusterfs: access trusted peer group via remote-host command) posted (#1) for review on release-3.12 by MOHIT AGRAWAL

Comment 6 Worker Ant 2018-06-25 13:40:26 UTC

REVISION POSTED: https://review.gluster.org/20338 (glusterfs: access trusted peer group via remote-host command) posted (#2) for review on release-4.1 by Shyamsundar Ranganathan

Comment 7 Worker Ant 2018-06-25 13:41:32 UTC

REVISION POSTED: https://review.gluster.org/20339 (glusterfs: access trusted peer group via remote-host command) posted (#2) for review on release-3.12 by Shyamsundar Ranganathan

Comment 8 Shyamsundar 2018-10-23 15:12:07 UTC

This bug is getting closed because a release has been made available that should address the reported issue. In case the problem is still not fixed with glusterfs-5.0, please open a new bug report.

glusterfs-5.0 has been announced on the Gluster mailinglists [1], packages for several distributions should become available in the near future. Keep an eye on the Gluster Users mailinglist [2] and the update infrastructure for your distribution.

[1] https://lists.gluster.org/pipermail/announce/2018-October/000115.html
[2] https://www.gluster.org/pipermail/gluster-users/

Note You need to log in before you can comment on or make changes to this bug.