The Gluster Blog

Gluster blog stories provide high-level spotlights on our users all over the world

Updated Gluster Releases

Amye Scavarda
April 30, 2018

The Gluster community has released an out-of-normal-cadence release for Gluster 3.10, 3.12, and 4.0 that resolves a CVE[1] that has been classified as Important. A privilege escalation flaw was found in the gluster snapshot scheduler.

 

Any gluster client allowed to mount gluster volumes could also mount shared gluster storage volumes and escalate privileges by scheduling malicious cronjobs via symlink. Beyond installing the new release, additional mitigation would include limiting exposure of gluster server nodes by these practices:

  • Gluster server should be on LAN and not reachable from public networks.
  • Use gluster auth.allow and auth.reject.
  • Use TLS certificates between gluster server nodes and clients.

 

Please note: these practices would only mitigate attacks from unauthorized malicious clients. Gluster clients allowed by auth.allow or having signed TLS client certificates would still be able to trigger this attack.

Further information can be found about CVE-2018-1088 from the MITRE CVE database.[2]

 

Our recommendation is to upgrade to these new releases:

https://download.gluster.org/pub/gluster/glusterfs/3.10/3.10.12/

https://download.gluster.org/pub/gluster/glusterfs/3.12/3.12.9/

https://download.gluster.org/pub/gluster/glusterfs/4.0/4.0.2/

 

[1] https://access.redhat.com/security/cve/cve-2018-1088

[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1088

BLOG

  • 31 May 2018
    Gluster Monthly Newsletter, May 201...

    Announcing mountpoint, August 27-28, 2018 Our inaugural software-defined storage conference combining Gluster, Ceph and other projects! More details at: http://lists.gluster.org/pipermail/gluster-users/2018-May/034039.html CFP at: http://mountpoint.io/   – closes June 15   Gluster Summit Videos – All our available videos (and slides) from Gluster Summit 2017 are up! Check out the GlusterCommunity YouTube homepage...

    Read more
  • 07 May 2018
    Gluster Monthly Newsletter, April 2...

    Announcing mountpoint, August 27-28, 2018 Our inaugural software-defined storage conference combining Gluster, Ceph and other projects! More details at: http://lists.gluster.org/pipermail/gluster-users/2018-May/034039.html CFP at: http://mountpoint.io/   Out of cycle updates for all maintained Gluster versions: New updates for 3.10, 3.12 and 4.0 http://lists.gluster.org/pipermail/announce/2018-April/000098.html   Project Technical Leadership Council Announced http://lists.gluster.org/pipermail/announce/2018-April/000094.html   Gluster...

    Read more
  • 30 Apr 2018
    Updated Gluster Releases

    The Gluster community has released an out-of-normal-cadence release for Gluster 3.10, 3.12, and 4.0 that resolves a CVE[1] that has been classified as Important. A privilege escalation flaw was found in the gluster snapshot scheduler.   Any gluster client allowed to mount gluster volumes could also mount shared gluster storage...

    Read more