Bug 1593525 - CVE-2018-10841 glusterfs: access trusted peer group via remote-host command [glusterfs upstream]
Summary: CVE-2018-10841 glusterfs: access trusted peer group via remote-host command [...
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Deadline: 2018-07-20
Product: GlusterFS
Classification: Community
Component: core
Version: 4.1
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: ---
Assignee: Mohit Agrawal
QA Contact:
URL:
Whiteboard: component:glusterfs
Depends On: 1582129 1593526
Blocks: 1593232
Reported: 2018-06-21 01:59 UTC by Mohit Agrawal
Modified: 2019-05-11 11:43 UTC (History)

Fixed In Version: glusterfs-4.1.1
Doc Type: Release Note
Doc Text:
Clone Of: 1582129
Environment:
Last Closed: 2019-05-11 11:43:46 UTC
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Embargoed:



Comment 1 Mohit Agrawal 2018-06-21 02:02:31 UTC
RCA: In an SSL environment the user is able to access a volume via the remote-host command
     without adding the node in a trusted pool, and a user has access to delete/stop
     the volume. To resolve the same, replace the list of RPC programs at the time
     of connection initialization in glusterd.


Regards
Mohit Agrawal

Comment 2 Mohit Agrawal 2018-06-21 02:08:42 UTC
Patch is posted 
https://review.gluster.org/#/c/20338


Regards
Mohit Agrawal

Comment 3 Worker Ant 2018-06-25 13:40:29 UTC
REVIEW: https://review.gluster.org/20338 (glusterfs: access trusted peer group via remote-host command) posted (#2) for review on release-4.1 by Shyamsundar Ranganathan

Comment 4 Worker Ant 2018-06-25 13:59:07 UTC
COMMIT: https://review.gluster.org/20338 committed in release-4.1 by "Shyamsundar Ranganathan" <srangana> with a commit message- glusterfs: access trusted peer group via remote-host command

Problem: In SSL environment the user is able to access volume
         via remote-host command without adding node in a trusted pool

Solution: Change the list of rpc program in glusterd.c at the
          time of initialization while SSL is enabled

> Change-Id: I987e433b639e68ad17b77b6452df1e22dbe0f199
> cherry picked from commit 234d611160840899bcfd5ab1c17a6253673d38ed

BUG: 1593525
fixes: bz#1593525
Change-Id: Ice4eda3d8104a4d5641de3cffd7249e46080d48f
Signed-off-by: Mohit Agrawal <moagrawa>

