Red Hat Bugzilla – Bug 990833
CVE-2013-4186 Gluster: access trusted peer group via remote-host command
Last modified: 2015-07-29 09:34:57 EDT
Joe Julian (email@example.com) reports:
Any host, whether a peer member or not, can use the remote-host command to
gain access to the trusted peer group.
The remote host can peer probe itself, modify the volume, set up geo-rep to a
3rd party, etc.
Network security is not enough. Take, for instance, a storage-as-a-service
model where you allow untrusted users to mount volumes. Since they need access
to 24007 to retrieve their volume configuration, they can also issue

This is by design; the network and hosts used by Gluster must be trusted.