A flaw was found in the heketi API that permits issuing of OS commands through specially crafted requests, possibly leading to escalation of privileges.

References:
https://github.com/heketi/heketi/releases/tag/v5.0.1
https://github.com/heketi/heketi/commit/787bae461b23003a4daa4d1d639016a754cf6b00
https://access.redhat.com/security/vulnerabilities/3246991
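To show the bug class behind "OS commands through specially crafted requests", here is an added Go illustration; it is not heketi's code and does not reproduce the flaw fixed in the commit linked above (which is the authoritative reference). The request type, the `gluster` command line, the name allowlist policy ([A-Za-z0-9_-], 1 to 64 bytes) and all function names are assumptions made for this example. It contrasts splicing an API-supplied name into a shell command line with validating the name and passing it as a separate argv element, so no shell ever parses it.

```go
package main

import (
	"errors"
	"fmt"
	"os/exec"
	"regexp"
	"strings"
)

// VolumeRequest is a hypothetical API request body carrying a client-chosen
// volume name. It stands in for any request field that ends up in a command.
type VolumeRequest struct {
	Name string `json:"name"`
}

// buildShellCommandUnsafe shows the vulnerable pattern: the caller-supplied
// name is concatenated into a command line that will later be handed to a
// shell (sh -c, or a remote shell over ssh). Shell metacharacters in Name
// become additional commands executed with the service's privileges.
func buildShellCommandUnsafe(req VolumeRequest) string {
	return "gluster volume create " + req.Name + " replica 3"
}

// namePattern is an assumed, deliberately strict allowlist for names:
// letters, digits, underscore and hyphen only.
var namePattern = regexp.MustCompile(`^[A-Za-z0-9_-]+$`)

// ValidateName rejects anything outside the allowlist or outside the assumed
// length limit, so the API can answer with a 400 before touching a command.
func ValidateName(name string) error {
	if len(name) == 0 || len(name) > 64 {
		return errors.New("name must be 1 to 64 bytes")
	}
	if !namePattern.MatchString(name) {
		return fmt.Errorf("name %q contains characters outside [A-Za-z0-9_-]", name)
	}
	return nil
}

// BuildArgvSafe returns the command as an argv slice after validation.
// Each element is passed verbatim by exec.Command; no shell parses it.
func BuildArgvSafe(req VolumeRequest) ([]string, error) {
	if err := ValidateName(req.Name); err != nil {
		return nil, err
	}
	return []string{"gluster", "volume", "create", req.Name, "replica", "3"}, nil
}

// ContainsShellMeta reports whether s carries characters a POSIX shell would
// interpret; used here only to show what the unsafe builder lets through.
func ContainsShellMeta(s string) bool {
	return strings.ContainsAny(s, ";|&$`<>()\n'\"\\*?[]{}~ ")
}

func main() {
	// Constructed hostile input: a valid-looking name followed by a second command.
	hostile := VolumeRequest{Name: "vol1; echo INJECTED"}

	fmt.Println("unsafe command line:", buildShellCommandUnsafe(hostile))
	fmt.Println("name carries shell metacharacters:", ContainsShellMeta(hostile.Name))

	if _, err := BuildArgvSafe(hostile); err != nil {
		fmt.Println("safe builder rejected it:", err)
	}
	argv, _ := BuildArgvSafe(VolumeRequest{Name: "vol1"})
	fmt.Println("safe argv:", argv)

	// Same payload through a harmless stand-in for the real tool: the shell
	// path runs the injected command, the argv path just echoes the string.
	out, _ := exec.Command("sh", "-c", "echo "+hostile.Name).CombinedOutput()
	fmt.Printf("sh -c output: %q\n", out)
	out, _ = exec.Command("echo", hostile.Name).CombinedOutput()
	fmt.Printf("argv output:  %q\n", out)
}
```

The allowlist check belongs at the API boundary, before the name is stored or reused by later code paths; escaping the string for one particular shell is weaker, because the same value may later be interpolated into a different command, a remote shell, or a mount option line.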
Acknowledgments: Name: Markus Krell (NTT Security)
upstream fix: https://github.com/heketi/heketi/commit/787bae461b23003a4daa4d1d639016a754cf6b00
Created heketi tracking bugs for this issue:
Affects: epel-all [bug 1527157]
Affects: fedora-all [bug 1527158]
This issue has been addressed in the following products:
Red Hat Gluster Storage 3.3 for RHEL 7
Via RHSA-2017:3481 https://access.redhat.com/errata/RHSA-2017:3481