Bug 1258743 (CVE-2015-5242) - CVE-2015-5242 swiftonfile: use of insecure Python pickle for metadata serialization and storage
Summary: CVE-2015-5242 swiftonfile: use of insecure Python pickle for metadata seriali...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2015-5242
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1258752
Blocks: 1257505
Reported: 2015-09-01 07:40 UTC by Siddharth Sharma
Modified: 2019-09-29 13:36 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
A flaw was found in the way swiftonfile (gluster-swift) serialized and stored metadata on disk by using Python's pickle module. A remote, authenticated user could use this flaw to execute arbitrary code on the storage node.
Clone Of:
Environment:
Last Closed: 2015-10-21 04:06:42 UTC
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2015:1918 0 normal SHIPPED_LIVE Important: swiftonfile security update 2015-10-20 22:20:32 UTC

Description Siddharth Sharma 2015-09-01 07:40:18 UTC
A flaw was found in the way swiftonfile (gluster-swift) serializes and stores metadata on disk by using Python's pickle module (https://docs.python.org/2/library/pickle.html). Exploiting this flaw allows remote execution of arbitrary code on the storage node.
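As an added example, not code from swiftonfile or gluster-swift, the defensive pattern that removes this class of flaw: object metadata is a flat dict of strings, so it is written as JSON, and any legacy pickled metadata that still has to be read goes through a restricted unpickler that refuses every global reference (the hook pickle needs to resolve a callable). The metadata blobs below are constructed samples.

```python
import io
import json
import pickle


def dump_metadata(meta: dict) -> bytes:
    """Serialize metadata as JSON; a plain dict of strings never needs pickle."""
    return json.dumps(meta, sort_keys=True).encode("utf-8")


def load_metadata(blob: bytes) -> dict:
    """Parse JSON metadata and insist on a JSON object (a dict)."""
    obj = json.loads(blob.decode("utf-8"))
    if not isinstance(obj, dict):
        raise ValueError("metadata must be a JSON object")
    return obj


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler for legacy on-disk metadata.

    pickle calls find_class() for every GLOBAL / STACK_GLOBAL / INST opcode;
    raising here means the stream can only rebuild builtin scalars and
    containers, and no module-level callable is ever imported or invoked.
    """

    def find_class(self, module, name):
        raise pickle.UnpicklingError(
            f"global reference {module}.{name} not allowed in metadata")


def load_legacy_metadata(blob: bytes) -> dict:
    """Read an old pickled metadata blob without resolving any globals."""
    obj = RestrictedUnpickler(io.BytesIO(blob)).load()
    if not isinstance(obj, dict):
        raise ValueError("metadata must be a dict")
    return obj


def is_safe_legacy_blob(blob: bytes) -> bool:
    """True if the blob is a plain pickled dict that the restricted loader accepts."""
    try:
        load_legacy_metadata(blob)
        return True
    except (pickle.UnpicklingError, ValueError):
        return False


# Constructed sample: a metadata dict pickled the way the old code stored it.
BENIGN_BLOB = pickle.dumps({"Content-Type": "text/plain", "X-Object-Meta-Owner": "alice"})
# Constructed sample: a pickle carrying a global reference (the harmless builtin
# `len`); the restricted loader rejects it before the reference is resolved.
GLOBAL_REF_BLOB = pickle.dumps(len)
```

Migrating a node consists of reading each legacy blob with load_legacy_metadata and rewriting it with dump_metadata, after which the unpickling path can be removed entirely.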

Comment 3 errata-xmlrpc 2015-10-20 18:20:46 UTC
This issue has been addressed in the following products:

  Red Hat Gluster Storage 3.1 for RHEL 6
  Red Hat Gluster Storage 3.1 for RHEL 7

Via RHSA-2015:1918 https://rhn.redhat.com/errata/RHSA-2015-1918.html

