Red Hat update for glusterfs

Published: 2018-06-20

Risk	Low
Patch available	YES
Number of vulnerabilities	1
CVE-ID	CVE-2018-10841
CWE-ID	CWE-119
Exploitation vector	Network
Public exploit	N/A
Vulnerable software	Red Hat Virtualization Host Web applications / Remote management & hosting panels Red Hat Gluster Storage Server for On-premise Server applications / File servers (FTP/HTTP) Red Hat Virtualization Server applications / Virtualization software Red Hat Enterprise Linux Server Operating systems & Components / Operating system
Vendor	Red Hat Inc.

Security Bulletin

This security bulletin contains one low risk vulnerability.

1) Privilege escalation

EUVDB-ID: #VU13886

Risk: Low

CVSSv4.0: 6.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2018-10841

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a remote authenticated attacker to gain elevated privileges on the target system.

The vulnerability exists due to boundary error when XXXXX. A remote authenticated gluster client via TLS could use gluster cli with --remote-host command to add it self to trusted storage pool and perform privileged gluster operations like adding other machines to trusted storage pool, start, stop, and delete volumes.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Red Hat Virtualization Host: 4

Red Hat Gluster Storage Server for On-premise: 3

Red Hat Virtualization: 4

Red Hat Enterprise Linux Server: 7

CPE2.3

External links

https://access.redhat.com/errata/RHSA-2018:1954

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.