
Bug 1593525

Summary: CVE-2018-10841 glusterfs: access trusted peer group via remote-host command [glusterfs upstream]
Product: [Community] GlusterFS Reporter: Mohit Agrawal <moagrawa>
Component: core Assignee: Mohit Agrawal <moagrawa>
Status: CLOSED CURRENTRELEASE QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: 4.1 CC: amukherj, atumball, bmekala, rhinduja, sankarshan, sisharma, smohan, ssaha, vbellur
Target Milestone: --- Keywords: Security, SecurityTracking
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard: component:glusterfs
Fixed In Version: glusterfs-4.1.1 Doc Type: Release Note
Doc Text:
Story Points: ---
Clone Of: 1582129 Environment:
Last Closed: 2019-05-11 11:43:46 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1582129, 1593526    
Bug Blocks: 1582043, 1593232    
Deadline: 2018-07-20   

Comment 1 Mohit Agrawal 2018-06-21 02:02:31 UTC
RCA: In an SSL environment the user is able to access a volume via the remote-host command
     without adding the node to a trusted pool, and a user has access to delete/stop
     the volume. To resolve the same, replace the list of RPC programs at the time
     of connection initialization in glusterd.


Regards
Mohit Agrawal

Comment 2 Mohit Agrawal 2018-06-21 02:08:42 UTC
Patch is posted 
https://review.gluster.org/#/c/20338


Regards
Mohit Agrawal

Comment 3 Worker Ant 2018-06-25 13:40:29 UTC
REVIEW: https://review.gluster.org/20338 (glusterfs: access trusted peer group via remote-host command) posted (#2) for review on release-4.1 by Shyamsundar Ranganathan

Comment 4 Worker Ant 2018-06-25 13:59:07 UTC
COMMIT: https://review.gluster.org/20338 committed in release-4.1 by "Shyamsundar Ranganathan" <srangana> with a commit message- glusterfs: access trusted peer group via remote-host command

Problem: In SSL environment the user is able to access volume
         via remote-host command without adding node in a trusted pool

Solution: Change the list of rpc program in glusterd.c at the
          time of initialization while SSL is enabled

> Change-Id: I987e433b639e68ad17b77b6452df1e22dbe0f199
> cherry picked from commit 234d611160840899bcfd5ab1c17a6253673d38ed

BUG: 1593525
fixes: bz#1593525
Change-Id: Ice4eda3d8104a4d5641de3cffd7249e46080d48f
Signed-off-by: Mohit Agrawal <moagrawa>