[Gluster-users] Updated Gluster Releases

Amye Scavarda amye at redhat.com
Mon Apr 30 17:00:57 UTC 2018


The Gluster community has released an out-of-normal-cadence release for
Gluster 3.10, 3.12, and 4.0 that resolves a CVE[1] that has been classified
as Important. A privilege escalation flaw was found in the gluster snapshot
scheduler.

Any gluster client allowed to mount gluster volumes could also mount shared
gluster storage volumes and escalate privileges by scheduling malicious
cronjobs via symlink. Beyond installing the new release, additional
mitigation would include limiting exposure of gluster server nodes by these
practices:

- Gluster servers should be on a LAN and not reachable from public networks.
- Use gluster auth.allow and auth.reject.
- Use TLS certificates between gluster server nodes and clients.

Please note: these practices would only mitigate attacks from unauthorized
malicious clients. Gluster clients allowed by auth.allow or having signed
TLS client certificates would still be able to trigger this attack.
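The three practices above, as an added shell helper that is not part of this announcement or of the Gluster project: it applies an explicit auth.allow list, an optional auth.reject list and client/server TLS to one volume, then audits the text of `gluster volume info` for those settings. The volume name, addresses and certificate CNs are placeholders; the certificate paths named in the comments are Gluster's documented defaults, and the audit only checks configuration, it cannot tell an allowed client from a hostile one.

```shell
#!/bin/sh
# Apply and audit the advisory's mitigations on one Gluster volume: an explicit
# auth.allow list, an optional auth.reject list, and TLS between clients and bricks.
# Set GLUSTER=echo to print the commands instead of running them (dry run).
set -eu
GLUSTER="${GLUSTER:-gluster}"

# harden_volume VOL ALLOW_IPS SSL_CNS [REJECT_IPS]
#   ALLOW_IPS  comma-separated client addresses (auth.allow accepts wildcards, e.g. 10.0.5.*)
#   SSL_CNS    comma-separated certificate CNs permitted once TLS is on
#   REJECT_IPS comma-separated addresses to refuse explicitly (never "*": that refuses everyone)
# TLS needs /etc/ssl/glusterfs.pem, glusterfs.key and glusterfs.ca in place on every
# server and client before these options are set, or mounts start failing.
harden_volume() {
    vol=$1; allow=$2; ssl_cns=$3; reject=${4:-}
    # Default auth.allow is "*": any host that can reach a brick may mount.
    $GLUSTER volume set "$vol" auth.allow "$allow"
    if [ -n "$reject" ]; then
        $GLUSTER volume set "$vol" auth.reject "$reject"
    fi
    # Encrypt and authenticate the client<->brick connection, then pin client CNs.
    $GLUSTER volume set "$vol" server.ssl on
    $GLUSTER volume set "$vol" client.ssl on
    $GLUSTER volume set "$vol" auth.ssl-allow "$ssl_cns"
}

# audit_volume_info < output-of-`gluster volume info VOL`
# Exit 0 only when auth.allow is set to something other than "*" and both
# server.ssl and client.ssl are on; print each missing control otherwise.
audit_volume_info() {
    awk '
        /^Options Reconfigured:/ { inopts = 1; next }
        inopts && /^auth\.allow: /    { allow = substr($0, 13) }
        inopts && /^server\.ssl: on$/ { sssl = 1 }
        inopts && /^client\.ssl: on$/ { cssl = 1 }
        END {
            ok = 1
            if (allow == "" || allow == "*") { print "auth.allow is unrestricted"; ok = 0 }
            if (!sssl) { print "server.ssl is off"; ok = 0 }
            if (!cssl) { print "client.ssl is off"; ok = 0 }
            exit !ok
        }'
}

# Usage: [GLUSTER=echo] sh harden.sh VOL ALLOW_IPS SSL_CNS [REJECT_IPS]
if [ $# -ge 3 ]; then
    harden_volume "$@"
    # Re-read the live settings (skipped in a dry run, where there is nothing to read).
    [ "$GLUSTER" = echo ] || "$GLUSTER" volume info "$1" | audit_volume_info
fi
```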

Further information about CVE-2018-1088 can be found in the MITRE CVE
database.[2]

Our recommendation is to upgrade to these new releases:
https://download.gluster.org/pub/gluster/glusterfs/3.10/3.10.12/
https://download.gluster.org/pub/gluster/glusterfs/3.12/3.12.9/
https://download.gluster.org/pub/gluster/glusterfs/4.0/4.0.2/

[1] https://access.redhat.com/security/cve/cve-2018-1088
[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1088


-- 
Amye Scavarda | amye at redhat.com | Gluster Community Lead