It was found that the fix for CVE-2018-10927, CVE-2018-10928, CVE-2018-10929, CVE-2018-10930, and CVE-2018-10926 was incomplete. A remote, authenticated attacker could use one of these flaws to execute arbitrary code, create arbitrary files, or cause denial of service on glusterfs server nodes via symlinks to relative paths.
Find out more about CVE-2018-14651 from the MITRE CVE dictionary dictionary and NIST NVD.
This issue did not affect Red Hat Enterprise Linux 6 and 7 as the flaw is present in glusterfs-server, which is not shipped there.
| CVSS3 Base Score | 8.8 |
|---|---|
| CVSS3 Base Metrics | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | Low |
| User Interaction | None |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity Impact | High |
| Availability Impact | High |
| Platform | Errata | Release Date |
|---|---|---|
| Red Hat Virtualization 4 Management Agent for RHEL 7 Hosts | RHSA-2018:3432 | 2018-10-31 |
| Red Hat Gluster Storage 3.4 for RHEL 7 (glusterfs) | RHSA-2018:3432 | 2018-10-31 |
| Red Hat Storage Native Client for Red Hat Enterprise Linux 7 (glusterfs) | RHSA-2018:3432 | 2018-10-31 |
| Red Hat Storage Native Client for Red Hat Enterprise Linux 6 (glusterfs) | RHSA-2018:3431 | 2018-10-31 |
| Red Hat Gluster Storage 3.4 for RHEL 6 (glusterfs) | RHSA-2018:3431 | 2018-10-31 |
| Platform | Package | State |
|---|---|---|
| Red Hat Enterprise Linux 7 | glusterfs | Not affected |
| Red Hat Enterprise Linux 6 | glusterfs | Not affected |
Vulmon