Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact

CVE-2018-1112

Related Vulnerabilities: CVE-2018-1112  

It was found that fix for CVE-2018-1088 introduced a new vulnerability in the way 'auth.allow' is implemented in glusterfs server. An unauthenticated gluster client could mount gluster storage volumes.

Source
It was found that fix for CVE-2018-1088 introduced a new vulnerability in the way 'auth.allow' is implemented in glusterfs server. An unauthenticated gluster client could mount gluster storage volumes.

Find out more about CVE-2018-1112 from the MITRE CVE dictionary dictionary and NIST NVD.

Statement

This vulnerability affects gluster servers that use 'auth.allow' to restrict access to gluster volumes. Gluster servers using TLS to authenticate gluster clients are not affected by this. This vulnerability allows any client to connect to any gluster volume which only uses auth.allow to restrict access.

This issue did not affect the versions of glusterfs as shipped with Red Hat Enterprise Linux 6 and 7 because only gluster client is shipped in these products. CVE-2018-1112 affects glusterfs-server package as shipped with Red Hat Gluster Storage 3.

CVSS v3 metrics

CVSS3 Base Score 8
CVSS3 Base Metrics CVSS:3.0/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector Adjacent Network
Attack Complexity Low
Privileges Required None
User Interaction Required
Scope Unchanged
Confidentiality High
Integrity Impact High
Availability Impact High

Red Hat Security Errata

Platform Errata Release Date
Red Hat Storage Native Client for Red Hat Enterprise Linux 6 (glusterfs) RHSA-2018:1268 2018-04-30
Red Hat Virtualization 4 Management Agent for RHEL 7 Hosts RHSA-2018:1269 2018-04-30
Red Hat Gluster Storage Server 3.3 on RHEL-7 (glusterfs) RHSA-2018:1269 2018-04-30
Red Hat Storage Native Client for Red Hat Enterprise Linux 7 (glusterfs) RHSA-2018:1269 2018-04-30
Red Hat Gluster Storage Server 3.3 on RHEL-6 (glusterfs) RHSA-2018:1268 2018-04-30

Affected Packages State

Platform Package State
Red Hat Enterprise Linux 7 glusterfs Not affected
Red Hat Enterprise Linux 6 glusterfs Not affected

Mitigation

1. Use TLS Authentication to authenticate gluster clients to limit access to gluster storage volumes

2. The gluster server should be on LAN, firewalled to trusted systems, and not reachable from public networks.

External References

This page is generated automatically and has not been checked for errors or omissions.

For clarification or corrections please contact Red Hat Product Security.

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook

Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started