Heketi is used to manage GlusterFS nodes and volumes. The default configuration of Heketi does not require any authentication, potentially exposing the management interface to misuse.
If configuring via the JSON above, you also need to set "use_auth" to true. This differs slightly if you are setting the keys via environment variables, as using the env vars automatically does the equivalent of setting "use_auth" to true.
Mitigation: After installation of Heketi:

1. Configure the user and admin keys in the /etc/heketi/heketi.json file:

   ...
   {
     "_port_comment": "Heketi Server Port Number",
     "port": "8080",
     "_use_auth": "Enable JWT authorization. Please enable for deployment",
     "use_auth": true,
     "_jwt": "Private keys for access",
     "jwt": {
       "_admin": "Admin has access to all APIs",
       "admin": {
         "key": "My Secret"
       },
       "_user": "User only has access to /volumes endpoint",
       "user": {
         "key": "My Secret"
       }
     },
   ...

2. Restart the heketi server.
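The following audit script is an added example, not part of this bug report or of the Heketi project: it reads a heketi.json, applies the rule stated above (JWT auth is on when "use_auth" is true or when the keys come from environment variables) and flags a config that would still accept unauthenticated requests or that still carries the "My Secret" placeholder from the sample. The environment variable names HEKETI_ADMIN_KEY and HEKETI_USER_KEY and the sample configs are assumptions/constructed data.

```python
import json
import os

# The sample key used in the mitigation's heketi.json; it must be replaced
# with a real secret before deployment, so treat it like an empty key.
PLACEHOLDER_KEYS = {"", "My Secret"}

# Heketi honours these environment variables as an alternative to the jwt
# keys in heketi.json; variable names assumed from Heketi's documentation.
ENV_KEYS = {"admin": "HEKETI_ADMIN_KEY", "user": "HEKETI_USER_KEY"}


def audit_heketi_auth(config_text, env=None):
    """Return a list of findings describing why the config is insecure.

    An empty list means JWT authentication is enabled and both the admin
    and user keys are set to something other than the placeholder.
    """
    env = os.environ if env is None else env
    cfg = json.loads(config_text)
    findings = []

    env_keys = {role: env.get(var, "") for role, var in ENV_KEYS.items()}
    # Per the advisory, supplying the keys via env vars is equivalent to
    # "use_auth": true, so only flag the file setting when no env key is set.
    if not cfg.get("use_auth") and not any(env_keys.values()):
        findings.append('"use_auth" is false: management API accepts '
                        "unauthenticated requests")

    jwt = cfg.get("jwt") or {}
    for role in ("admin", "user"):
        key = env_keys[role] or (jwt.get(role) or {}).get("key", "")
        if key in PLACEHOLDER_KEYS:
            findings.append(f"{role} key is missing or still the placeholder")
    return findings


# Constructed sample: the insecure default shape (no auth, no keys).
DEFAULT_CONFIG = '{"port": "8080", "use_auth": false, "jwt": {}}'

# Constructed sample: the hardened config from the mitigation, with made-up
# secrets in place of "My Secret".
HARDENED_CONFIG = """{
  "port": "8080",
  "use_auth": true,
  "jwt": {
    "admin": {"key": "c0ffee-admin-secret"},
    "user": {"key": "c0ffee-user-secret"}
  }
}"""
```

Run it against /etc/heketi/heketi.json after the restart in step 2; an empty result means the mitigation is in place, anything else names what is still missing.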
Acknowledgments: Daniel Moessner (Red Hat)

Created heketi tracking bugs for this issue:
Affects: fedora-all [bug 1705856]

This issue has been addressed in the following products:
  Native Client for RHEL 7 for Red Hat Storage
  Red Hat Gluster Storage 3.5 for RHEL 7
Via RHSA-2019:3255 https://access.redhat.com/errata/RHSA-2019:3255
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-3899