A flaw was found in glusterfs which can lead to privilege escalation on gluster server nodes. It was found that any gluster client authenticated via TLS could use the gluster CLI with the --remote-host option to add itself to the gluster trusted pool and perform all gluster operations, such as peer probing itself or other machines, starting, stopping or deleting volumes, etc.
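Because the impact of this flaw is an unexpected member in the trusted pool, one defensive check is to audit `gluster peer status` output against a list of hosts that are supposed to be peers. The script below is an added example, not part of this bug or of the glusterfs project; the sample output, hostnames, UUIDs and the EXPECTED_PEERS allowlist are constructed, and the block layout is assumed to match what the gluster CLI prints.

```python
import re
import subprocess

# Constructed sample of `gluster peer status` output (hosts and UUIDs are made up).
SAMPLE_PEER_STATUS = """\
Number of Peers: 3

Hostname: gluster2.example.com
Uuid: 0d5f3c1e-aaaa-bbbb-cccc-000000000002
State: Peer in Cluster (Connected)

Hostname: gluster3.example.com
Uuid: 0d5f3c1e-aaaa-bbbb-cccc-000000000003
State: Peer in Cluster (Connected)

Hostname: 192.0.2.77
Uuid: 0d5f3c1e-aaaa-bbbb-cccc-000000000077
State: Peer in Cluster (Connected)
"""

# Hypothetical allowlist: the only hosts that should be in this trusted pool.
EXPECTED_PEERS = {"gluster2.example.com", "gluster3.example.com"}


def parse_peer_status(text):
    """Parse `gluster peer status` output into one dict per peer block."""
    peers = []
    # Peer blocks are separated by blank lines; the first block is the count line.
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = dict(re.findall(r"^(Hostname|Uuid|State):\s*(.+)$", block, re.M))
        if "Hostname" in fields:
            peers.append({"hostname": fields["Hostname"].strip(),
                          "uuid": fields.get("Uuid", "").strip(),
                          "state": fields.get("State", "").strip()})
    return peers


def unexpected_peers(text, expected):
    """Hostnames that are in the pool but not on the allowlist (sorted)."""
    return sorted(p["hostname"] for p in parse_peer_status(text)
                  if p["hostname"] not in expected)


def audit_live_pool(expected):
    """Run the real CLI on a gluster server node and report unexpected peers."""
    out = subprocess.run(["gluster", "peer", "status"], check=True,
                         capture_output=True, text=True).stdout
    return unexpected_peers(out, expected)
```

Running `unexpected_peers(SAMPLE_PEER_STATUS, EXPECTED_PEERS)` on the constructed sample reports `192.0.2.77`; on a real node, `audit_live_pool` does the same against the live pool.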
Created glusterfs tracking bugs for this issue:

Affects: fedora-all [bug 1593230]
This issue has been addressed in the following products:

  Red Hat Gluster Storage 3.3 for RHEL 6
  Native Client for RHEL 6 for Red Hat Storage

Via RHSA-2018:1955 https://access.redhat.com/errata/RHSA-2018:1955
This issue has been addressed in the following products:

  Red Hat Gluster Storage 3.3 for RHEL 7
  Native Client for RHEL 7 for Red Hat Storage

Via RHSA-2018:1954 https://access.redhat.com/errata/RHSA-2018:1954
Upstream fix: https://review.gluster.org/#/c/20328/
Created glusterfs tracking bugs for this issue:

Affects: epel-all [bug 1593238]
Statement: Red Hat Enterprise Linux 6 and 7 are not affected by this flaw, as it only affects the glusterfs-server package. Red Hat Virtualization Hypervisor is not impacted by this flaw, as it uses gluster in a controlled manner via vdsm.