A flaw was found in glusterfs which can lead to privilege escalation on gluster server nodes. An authenticated gluster client via TLS could use gluster cli with --remote-host command to add it self to trusted storage pool and perform privileged gluster operations like adding other machines to trusted storage pool, start, stop, and delete volumes.
Find out more about CVE-2018-10841 from the MITRE CVE dictionary dictionary and NIST NVD.
Red Hat Enterprise Linux 6, 7 are not affected by this flaw as it only affects glusterfs-server package. Red Hat Virtualization Hypervisor is not impacted by this flaw, as it uses gluster in a controlled manner via vdsm.
| CVSS3 Base Score | 6.6 |
|---|---|
| CVSS3 Base Metrics | CVSS:3.0/AV:A/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H |
| Attack Vector | Adjacent Network |
| Attack Complexity | Low |
| Privileges Required | High |
| User Interaction | Required |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity Impact | High |
| Availability Impact | High |
| Platform | Errata | Release Date |
|---|---|---|
| Red Hat Gluster Storage Server 3.3 on RHEL-6 (glusterfs) | RHSA-2018:1955 | 2018-06-20 |
| Red Hat Virtualization 4 Management Agent for RHEL 7 Hosts | RHSA-2018:1954 | 2018-06-20 |
| Red Hat Storage Native Client for Red Hat Enterprise Linux 7 (glusterfs) | RHSA-2018:1954 | 2018-06-20 |
| Red Hat Gluster Storage Server 3.3 on RHEL-7 (glusterfs) | RHSA-2018:1954 | 2018-06-20 |
| Red Hat Storage Native Client for Red Hat Enterprise Linux 6 (glusterfs) | RHSA-2018:1955 | 2018-06-20 |
| Platform | Package | State |
|---|---|---|
| Red Hat Virtualization 4 | redhat-virtualization-host | Not affected |
| Red Hat Enterprise Linux 7 | glusterfs | Not affected |
| Red Hat Enterprise Linux 6 | glusterfs | Not affected |
Vulmon