990833 – (CVE-2013-4186) CVE-2013-4186 Gluster: access trusted peer group via remote-host command

Bug 990833 (CVE-2013-4186) - CVE-2013-4186 Gluster: access trusted peer group via remote-host command

Summary: CVE-2013-4186 Gluster: access trusted peer group via remote-host command

Keywords:
Status:	CLOSED NOTABUG
Alias:	CVE-2013-4186
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	990284 990838 990839
Blocks:	990841
TreeView+	depends on / blocked

Reported:	2013-08-01 05:30 UTC by Kurt Seifried
Modified:	2019-09-29 13:06 UTC (History)
CC List:	11 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2015-02-08 23:03:13 UTC
Embargoed:

Attachments	(Terms of Use)

Description Kurt Seifried 2013-08-01 05:30:57 UTC

Joe Julian (joe) reports:

Any host, whether a peer member or not, can use the remote-host command to 
gain access to the trusted peer group.

The remote host can peer probe itself, modify the volume, set up geo-rep to a 
3rd party, etc.

Network security is not enough. Take, for instance, a storage-as-a-service 
model where you allow untrusted users to mount volumes. Since they need access 
to 24007 to retrieve their volume configuration, they can also issue 
remote-host commands.

Comment 3 Kurt Seifried 2015-02-08 23:03:13 UTC

This is by design, the network and hosts used by Gluster must be trusted.

Note You need to log in before you can comment on or make changes to this bug.