gluster-block records the output of the gluster-block CLI to cmd_history.log and gluster-blockd.log (cmd_history.log journals all CLI operations). The block volume create/modify/info commands carry sensitive information such as passwords, which is therefore written into these world-readable log files, cmd_history.log and gluster-blockd.log. This issue was introduced in the gluster-block-v0.2.1 release.
Acknowledgments: Name: Prasanna Kumar Kalever (Red Hat)
Mitigation: Manually change the log file permissions to remove the readable bit for others, e.g.:
# chmod 640 /var/log/glusterfs/gluster-block/cmd_history.log
NOTE: The above mitigation only restricts access by other local users. To avoid storing passwords in the log file at all, update gluster-block to the fixed version.
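The following is an added example, not part of the advisory or of the gluster-block project: a POSIX shell script that audits the gluster-block log directory for files still readable by others and applies the advisory's chmod 640 mitigation to each of them. The log directory path is the one named in the advisory; the 750 mode applied to the directory itself is an assumption.

```shell
#!/bin/sh
# Added example (not from the advisory or the gluster-block project).
# Audits a gluster-block log directory for files readable by "others"
# and applies the advisory's mitigation (chmod 640) to each of them.
# The default path is the one cited in the advisory; the 750 mode for
# the directory itself is an assumption, not something the advisory states.

GLUSTER_BLOCK_LOG_DIR="${GLUSTER_BLOCK_LOG_DIR:-/var/log/glusterfs/gluster-block}"

# Print every regular file under $1 whose other-read bit is set.
# Returns 0 when nothing is world-readable, 1 otherwise.
find_world_readable() {
    dir="$1"
    found=$(find "$dir" -type f -perm -004 2>/dev/null || true)
    if [ -n "$found" ]; then
        printf '%s\n' "$found"
        return 1
    fi
    return 0
}

# Remove read access for others: 640 on the log files (as in the advisory)
# and 750 on the directory (assumed companion setting). Returns 2 if $1
# is not a directory.
harden_log_dir() {
    dir="$1"
    [ -d "$dir" ] || return 2
    chmod 750 "$dir"
    find "$dir" -type f -exec chmod 640 {} +
}

# True when $1 has exactly mode rw-r-----; parses ls -l so it works on
# both GNU and BSD userlands without relying on stat's differing flags.
is_mode_640() {
    case "$(ls -ld "$1" | cut -c1-10)" in
        -rw-r-----) return 0 ;;
        *) return 1 ;;
    esac
}

# Audit the real log directory if it exists; fix it only when FIX=1 is set.
if [ -d "$GLUSTER_BLOCK_LOG_DIR" ]; then
    if ! find_world_readable "$GLUSTER_BLOCK_LOG_DIR"; then
        echo "world-readable gluster-block log files listed above"
        if [ "${FIX:-0}" = 1 ]; then
            harden_log_dir "$GLUSTER_BLOCK_LOG_DIR"
        fi
    fi
fi
```

Run it as root with `FIX=1` to apply the change; without `FIX=1` it only reports, which makes it usable as a periodic compliance check until the fixed package is installed.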
Statement: The version of gluster-block shipped with Red Hat Gluster Storage 3 sets world-readable permissions on the gluster-block directory and on the log files that store the sensitive information, and is therefore affected by this vulnerability.
Upstream PR: https://github.com/gluster/gluster-block/pull/280
External References: https://github.com/gluster/gluster-block/releases/tag/v0.5.1
This issue has been addressed in the following products:
Red Hat Gluster Storage 3.5 for RHEL 7
Native Client for RHEL 7 for Red Hat Storage
Via RHSA-2020:4143 https://access.redhat.com/errata/RHSA-2020:4143
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-10762