Bug 1701091 (CVE-2019-3899) - CVE-2019-3899 heketi: heketi can be installed using insecure defaults
Summary: CVE-2019-3899 heketi: heketi can be installed using insecure defaults
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2019-3899
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1701838 1705856
Blocks: 1699406
Reported: 2019-04-18 03:26 UTC by Siddharth Sharma
Modified: 2019-10-30 12:51 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
It was found that the default configuration of Heketi does not require any authentication, potentially exposing the Heketi server API to misuse. An unauthenticated attacker could connect remotely to the Heketi server and run arbitrary commands supported by the Heketi server API via the Heketi CLI.
Clone Of:
Environment:
Last Closed: 2019-10-30 12:51:12 UTC




Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2019:3255 None None None 2019-10-30 12:34:02 UTC

Description Siddharth Sharma 2019-04-18 03:26:05 UTC
Heketi is used to manage GlusterFS nodes and volumes. The default configuration of Heketi does not require any authentication, potentially exposing the management interface to misuse.

Comment 3 John Mulligan 2019-04-18 12:48:07 UTC
If configuring via the JSON above you also need to set "use_auth" to true.
This differs slightly if you are setting the keys via environment variables, as using the env vars will automatically do the equivalent of setting "use_auth" to true.

Comment 6 Joshua Padman 2019-04-19 08:56:08 UTC
Mitigation:

After installation of Heketi

1. configure user and admin key in /etc/heketi/heketi.json file
...
{
  "_port_comment": "Heketi Server Port Number",
  "port": "8080",

  "_use_auth": "Enable JWT authorization. Please enable for deployment",
  "use_auth": true,

  "_jwt": "Private keys for access",
  "jwt": {
    "_admin": "Admin has access to all APIs",
    "admin": {
      "key": "My Secret"
    },
    "_user": "User only has access to /volumes endpoint",
    "user": {
      "key": "My Secret"
    }
  },
...

2. restart heketi server
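
The following audit script is an added example, not part of this bug report or of the heketi project: it reads a heketi.json body and reports the insecure conditions described above (use_auth off, missing or placeholder JWT keys, admin and user sharing one key). It also honours the environment-variable path from comment 3; the variable names HEKETI_ADMIN_KEY and HEKETI_USER_KEY are an assumption and should be checked against the heketi version in use.

```python
import json
import os
import sys

# Values that must never ship as a JWT key: empty, or the placeholder from the sample config above.
PLACEHOLDER_KEYS = {"", "My Secret"}
# Env var names assumed for the key override path mentioned in comment 3; verify for your heketi version.
ENV_KEYS = {"admin": "HEKETI_ADMIN_KEY", "user": "HEKETI_USER_KEY"}


def audit_heketi_config(config_text, env=None):
    """Return a list of findings for a heketi.json body; an empty list means JWT auth is on with real keys."""
    env = env or {}
    cfg = json.loads(config_text)
    jwt = cfg.get("jwt") or {}
    findings = []

    # Comment 3: keys supplied through the environment imply use_auth; otherwise the JSON flag decides.
    env_override = any(name in env for name in ENV_KEYS.values())
    if not (cfg.get("use_auth") is True or env_override):
        findings.append("use_auth is not enabled: the REST API accepts unauthenticated requests")

    keys = {}
    for role, env_name in ENV_KEYS.items():
        keys[role] = env.get(env_name) or (jwt.get(role) or {}).get("key")
        if keys[role] is None or keys[role] in PLACEHOLDER_KEYS:
            findings.append(f"jwt.{role}.key is missing or a placeholder value")
    # Tokens are verified with the key chosen by the issuer claim, so a shared key lets a user-key holder mint admin tokens.
    if keys["admin"] and keys["admin"] == keys["user"]:
        findings.append("admin and user keys are identical: a holder of the user key can sign admin tokens")
    return findings


# Constructed sample configurations (not taken from any real deployment).
INSECURE_SAMPLE = '{"port": "8080", "use_auth": false, "jwt": {"admin": {"key": "My Secret"}, "user": {"key": "My Secret"}}}'
HARDENED_SAMPLE = '{"port": "8080", "use_auth": true, "jwt": {"admin": {"key": "constructed-admin-key-0001"}, "user": {"key": "constructed-user-key-0002"}}}'


def main(path):
    """Audit the file at `path` with the current process environment; exit status 1 when anything is flagged."""
    with open(path) as fh:
        findings = audit_heketi_config(fh.read(), dict(os.environ))
    for finding in findings:
        print("INSECURE:", finding)
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1] if len(sys.argv) > 1 else "/etc/heketi/heketi.json"))
```

Run it as `python3 audit_heketi.py /etc/heketi/heketi.json` after applying the mitigation; a clean run prints nothing and exits 0.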

Comment 9 Laura Pardo 2019-05-02 17:06:43 UTC
Acknowledgments:

Name: Daniel Moessner (Red Hat)

Comment 10 Siddharth Sharma 2019-05-03 03:57:13 UTC
Created heketi tracking bugs for this issue:

Affects: fedora-all [bug 1705856]

Comment 12 errata-xmlrpc 2019-10-30 12:34:01 UTC
This issue has been addressed in the following products:

  Native Client for RHEL 7 for Red Hat Storage
  Red Hat Gluster Storage 3.5 for RHEL 7

Via RHSA-2019:3255 https://access.redhat.com/errata/RHSA-2019:3255

Comment 13 Product Security DevOps Team 2019-10-30 12:51:12 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-3899

