Bug 990833 - (CVE-2013-4186) CVE-2013-4186 Gluster: access trusted peer group via remote-host command
CVE-2013-4186 Gluster: access trusted peer group via remote-host command
Status: CLOSED NOTABUG
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
high Severity high
: ---
: ---
Assigned To: Red Hat Product Security
impact=important,public=20150218,repo...
: Security
Depends On: 990284 990838 990839
Blocks: 990841
  Show dependency treegraph
 
Reported: 2013-08-01 01:30 EDT by Kurt Seifried
Modified: 2015-07-29 09:34 EDT (History)
10 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-02-08 18:03:13 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Kurt Seifried 2013-08-01 01:30:57 EDT
Joe Julian (joe@julianfamily.org) reports:

Any host, whether a peer member or not, can use the remote-host command to 
gain access to the trusted peer group.

The remote host can peer probe itself, modify the volume, set up geo-rep to a 
3rd party, etc.

Network security is not enough. Take, for instance, a storage-as-a-service 
model where you allow untrusted users to mount volumes. Since they need access 
to 24007 to retrieve their volume configuration, they can also issue 
remote-host commands.
Comment 3 Kurt Seifried 2015-02-08 18:03:13 EST
This is by design, the network and hosts used by Gluster must be trusted.

Note You need to log in before you can comment on or make changes to this bug.