Bug 1593232 - CVE-2018-10841 glusterfs: access trusted peer group via remote-host command [glusterfs upstream]
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Deadline: 2018-07-20
Product: GlusterFS
Classification: Community
Component: core
Version: mainline
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: ---
Assignee: Mohit Agrawal
QA Contact:
URL:
Whiteboard: component:glusterfs
Depends On: 1582129 1593525 1593526
Blocks: 1593230
Reported: 2018-06-20 10:24 UTC by Mohit Agrawal
Modified: 2018-10-23 15:12 UTC (History)

Fixed In Version: glusterfs-5.0
Doc Type: Release Note
Doc Text:
Clone Of: 1582129
Environment:
Last Closed: 2018-10-08 10:29:50 UTC
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Embargoed:



Comment 1 Mohit Agrawal 2018-06-20 10:39:59 UTC
RCA: In an SSL environment the user is able to access the volume via the remote-host command
     without adding the node to a trusted pool, and the user has access to delete/stop
     the volume. To resolve the same, replace the list of RPC programs at the time
     of connection initialization in glusterd.


Regards
Mohit Agrawal
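The RCA above describes the exposure as a remote-host CLI call that succeeds from a host outside the trusted pool. The following probe script is an added example, not part of this bug report or of the GlusterFS project: run it from a host that is deliberately NOT a member of the trusted storage pool (and, for the SSL case described here, with the same management-SSL client setup the CLI would normally need) against each glusterd you want to check. It uses the read-only `volume info` operation rather than the `stop`/`delete` operations mentioned in the RCA, so a positive result demonstrates the exposure without touching data. The host names, the `GLUSTER_CMD` override (there so the CLI can be substituted in a dry run) and the ACCEPTED/REFUSED wording are assumptions of this example.

```shell
#!/bin/sh
# Added example: probe whether a glusterd serves management RPCs to a host
# that is not in its trusted pool, by issuing a read-only CLI request via
# --remote-host. Run from a NON-peer host. Requires network reachability to
# glusterd (TCP 24007) and, where management SSL is enabled, the usual
# client-side SSL material the gluster CLI expects.
#
# GLUSTER_CMD is an assumption of this example: it lets a stand-in replace the
# real "gluster" binary for dry runs; in real use leave it unset.
GLUSTER_CMD="${GLUSTER_CMD:-gluster}"

# probe_remote_mgmt HOST
#   Returns 0 when HOST answers a management request from this (non-peer) host,
#   1 when the request is refused or fails. "volume info" is read-only, so a
#   successful probe proves the exposure without stopping or deleting anything.
probe_remote_mgmt() {
    host="$1"
    if "$GLUSTER_CMD" --remote-host="$host" volume info >/dev/null 2>&1; then
        return 0
    fi
    return 1
}

# verdict HOST
#   Prints ACCEPTED when a non-peer can drive the remote glusterd (the condition
#   this bug describes), REFUSED otherwise. Wording is this example's own.
verdict() {
    if probe_remote_mgmt "$1"; then
        echo "ACCEPTED"
    else
        echo "REFUSED"
    fi
}

# Usage: ./probe-remote-host.sh glusterd1.example glusterd2.example ...
# One line per host; any ACCEPTED line from a host outside the pool means the
# target still serves the CLI program to untrusted remote hosts.
if [ "$#" -gt 0 ]; then
    for h in "$@"; do
        printf '%s\t%s\n' "$h" "$(verdict "$h")"
    done
fi
```

Interpretation: ACCEPTED from a host that is not a peer is the behaviour the RCA describes; a glusterd carrying the fix should answer REFUSED to the same request. Note that a REFUSED result caused by a firewall or missing SSL client material is indistinguishable from a fixed server, so confirm the probe works from a legitimate peer first.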

Comment 2 Mohit Agrawal 2018-06-20 10:46:09 UTC
Patch is posted on upstream
https://review.gluster.org/#/c/20328/

Regards
Mohit Agrawal

Comment 3 Worker Ant 2018-06-20 23:59:06 UTC
COMMIT: https://review.gluster.org/20328 committed in master by "Atin Mukherjee" <amukherj> with a commit message: glusterfs: access trusted peer group via remote-host command

Problem: In an SSL environment the user is able to access the volume
         via the remote-host command without adding the node to a trusted pool

Solution: Change the list of RPC programs in glusterd.c at the
          time of initialization while SSL is enabled

BUG: 1593232
Change-Id: I987e433b639e68ad17b77b6452df1e22dbe0f199
fixes: bz#1593232
Signed-off-by: Mohit Agrawal <moagrawa>

Comment 4 Worker Ant 2018-06-21 02:08:02 UTC
REVIEW: https://review.gluster.org/20338 (glusterfs: access trusted peer group via remote-host command) posted (#1) for review on release-4.1 by MOHIT AGRAWAL

Comment 5 Worker Ant 2018-06-21 02:12:32 UTC
REVIEW: https://review.gluster.org/20339 (glusterfs: access trusted peer group via remote-host command) posted (#1) for review on release-3.12 by MOHIT AGRAWAL

Comment 6 Worker Ant 2018-06-25 13:40:26 UTC
REVISION POSTED: https://review.gluster.org/20338 (glusterfs: access trusted peer group via remote-host command) posted (#2) for review on release-4.1 by Shyamsundar Ranganathan

Comment 7 Worker Ant 2018-06-25 13:41:32 UTC
REVISION POSTED: https://review.gluster.org/20339 (glusterfs: access trusted peer group via remote-host command) posted (#2) for review on release-3.12 by Shyamsundar Ranganathan

Comment 8 Shyamsundar 2018-10-23 15:12:07 UTC
This bug is getting closed because a release has been made available that should address the reported issue. In case the problem is still not fixed with glusterfs-5.0, please open a new bug report.

glusterfs-5.0 has been announced on the Gluster mailing lists [1]; packages for several distributions should become available in the near future. Keep an eye on the Gluster Users mailing list [2] and the update infrastructure for your distribution.

[1] https://lists.gluster.org/pipermail/announce/2018-October/000115.html
[2] https://www.gluster.org/pipermail/gluster-users/

