gluster-block records the output of the gluster-block CLI in cmd_history.log and gluster-blockd.log (cmd_history.log journals every CLI operation). The block volume create/modify/info commands contain sensitive information such as passwords, which is therefore written to the world-readable log files cmd_history.log and gluster-blockd.log. This issue was introduced in the gluster-block-v0.2.1 release.
Name: Prasanna Kumar Kalever (Red Hat)
Manually change the log file permissions to remove the readable bits for others, e.g.:
# chmod 640 /var/log/glusterfs/gluster-block/cmd_history.log
NOTE: The above mitigation only restricts access by other local users. To stop passwords from being stored in the log files, update gluster-block to the fixed version.
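As an added example (not code from the advisory or from gluster-block), the script below audits the log directory named above for paths that other local users can access and, when run with FIX=1, applies the advisory's chmod 640 to the log files. The directory mode 750 and the dependency on GNU stat (RHEL/Linux) are this example's own assumptions.

```sh
#!/bin/sh
# Added example (not from the advisory or gluster-block): audit the gluster-block
# log directory for paths that "other" users can access and, with FIX=1, apply
# the advisory's chmod 640 to the log files. The directory mode 750 and the use
# of GNU stat (RHEL/Linux) are this example's own assumptions.
LOG_DIR="${GLUSTER_BLOCK_LOG_DIR:-/var/log/glusterfs/gluster-block}"
FIX="${FIX:-0}"

# Octal permission bits of a path, e.g. 644.
perm_bits() {
    stat -c '%a' "$1"
}

# Exit status 0 when the "other" class holds any r/w/x bit on the path.
other_accessible() {
    mode=$(perm_bits "$1") || return 2
    [ $(( 0$mode & 7 )) -ne 0 ]
}

# Owner rw, group r, other nothing: the advisory's "chmod 640" for log files.
harden_file() {
    chmod 640 "$1" && ! other_accessible "$1"
}

# The directory needs x for traversal; 750 keeps it closed to "other".
harden_dir() {
    chmod 750 "$1" && ! other_accessible "$1"
}

# Report every path under $1 that "other" can reach (repairing it when FIX=1).
# Returns 0 when nothing was found, 1 when at least one path was reported.
audit_dir() {
    dir=$1 found=0
    for p in "$dir" "$dir"/*.log; do
        [ -e "$p" ] || continue
        if other_accessible "$p"; then
            found=$((found + 1))
            printf 'accessible to other users (mode %s): %s\n' "$(perm_bits "$p")" "$p"
            if [ "$FIX" = 1 ]; then
                if [ -d "$p" ]; then harden_dir "$p"; else harden_file "$p"; fi
            fi
        fi
    done
    [ "$found" -eq 0 ]
}

if [ -d "$LOG_DIR" ]; then
    audit_dir "$LOG_DIR" || echo "rerun with FIX=1 to tighten the paths listed above"
fi
```

Run it once without FIX to see what is exposed, then with FIX=1 as root on the affected host; the advisory's own fixed package remains the only way to stop passwords reaching the logs at all.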
The version of gluster-block shipped with Red Hat Gluster Storage 3 sets world-readable permissions on the gluster-block directory and on the log files that store the sensitive information, and is therefore affected by this vulnerability.
Upstream PR: https://github.com/gluster/gluster-block/pull/280
This issue has been addressed in the following products:
Red Hat Gluster Storage 3.5 for RHEL 7
Native Client for RHEL 7 for Red Hat Storage
Via RHSA-2020:4143 https://access.redhat.com/errata/RHSA-2020:4143
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):