The Gluster Blog


Updated Gluster Releases

Amye Scavarda
April 30, 2018

The Gluster community has released an out-of-normal-cadence release for Gluster 3.10, 3.12, and 4.0 that resolves a CVE[1] classified as Important. A privilege escalation flaw was found in the gluster snapshot scheduler.


Any gluster client allowed to mount gluster volumes could also mount shared gluster storage volumes and escalate privileges by scheduling malicious cronjobs via symlink. Beyond installing the new release, exposure of gluster server nodes can be reduced with these practices:

  • Gluster servers should be on a LAN and not reachable from public networks.
  • Use gluster auth.allow and auth.reject to restrict which clients may mount volumes.
  • Use TLS certificates between gluster server nodes and clients.


Please note: these practices would only mitigate attacks from unauthorized malicious clients. Gluster clients allowed by auth.allow or having signed TLS client certificates would still be able to trigger this attack.

Further information about CVE-2018-1088 can be found in the MITRE CVE database.[2]


Our recommendation is to upgrade to these new releases:

https://download.gluster.org/pub/gluster/glusterfs/3.10/3.10.12/

https://download.gluster.org/pub/gluster/glusterfs/3.12/3.12.9/

https://download.gluster.org/pub/gluster/glusterfs/4.0/4.0.2/
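The following script is an added example, not Gluster project code, that turns the two recommendations above (upgrade to a fixed release; restrict and encrypt client access) into checks an administrator can run against a node. It parses the output of `glusterfs --version` and `gluster volume info` (the sample outputs embedded below are constructed for the example; the volume names, IDs and brick paths are placeholders) and reports, per volume, whether auth.allow/auth.reject restrict mounting clients and whether client.ssl/server.ssl are on. The fixed-release table contains only the three versions named in this post; any other branch is reported as "not covered".

```python
"""Audit helpers for the CVE-2018-1088 advisory (added example, not Gluster code)."""
import re

# Fixed releases exactly as named in the advisory, keyed by release branch.
FIXED_RELEASES = {
    (3, 10): (3, 10, 12),
    (3, 12): (3, 12, 9),
    (4, 0): (4, 0, 2),
}

# Constructed sample of `gluster volume info` output: gv0 is hardened,
# gv1 still uses the defaults (auth.allow defaults to '*', TLS off).
SAMPLE_VOLUME_INFO = """\
Volume Name: gv0
Type: Replicate
Volume ID: 00000000-0000-0000-0000-000000000001
Status: Started
Snapshot Count: 0
Number of Bricks: 1 x 3 = 3
Transport-type: tcp
Bricks:
Brick1: node1.lan:/bricks/b1/gv0
Brick2: node2.lan:/bricks/b1/gv0
Brick3: node3.lan:/bricks/b1/gv0
Options Reconfigured:
auth.allow: 10.0.1.*
client.ssl: on
server.ssl: on
transport.address-family: inet
nfs.disable: on

Volume Name: gv1
Type: Distribute
Volume ID: 00000000-0000-0000-0000-000000000002
Status: Started
Snapshot Count: 0
Number of Bricks: 2
Transport-type: tcp
Bricks:
Brick1: node1.lan:/bricks/b2/gv1
Brick2: node2.lan:/bricks/b2/gv1
Options Reconfigured:
transport.address-family: inet
nfs.disable: on
"""


def parse_version(version_output):
    """Extract (major, minor, patch) from `glusterfs --version` output."""
    m = re.search(r"glusterfs\s+(\d+)\.(\d+)\.(\d+)", version_output)
    if not m:
        raise ValueError("no glusterfs version found in: %r" % version_output)
    return tuple(int(x) for x in m.groups())


def is_fixed_release(version_output):
    """True if at/after the fixed release for its branch, False if before it,
    None if the branch is not one the advisory covers."""
    major, minor, patch = parse_version(version_output)
    fixed = FIXED_RELEASES.get((major, minor))
    if fixed is None:
        return None
    return (major, minor, patch) >= fixed


def parse_volume_info(text):
    """Return {volume_name: {option: value}} from `gluster volume info` output.
    Only lines under 'Options Reconfigured:' are treated as options."""
    volumes, current, in_options = {}, None, False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Volume Name:"):
            current = line.split(":", 1)[1].strip()
            volumes[current] = {}
            in_options = False
        elif line == "Options Reconfigured:":
            in_options = True
        elif in_options and current and ":" in line:
            key, value = line.split(":", 1)
            volumes[current][key.strip()] = value.strip()
    return volumes


def audit_volume_options(text):
    """Per volume, list the mitigations from the advisory that are not in place."""
    findings = {}
    for name, opts in parse_volume_info(text).items():
        problems = []
        if opts.get("auth.allow", "*") == "*" and "auth.reject" not in opts:
            problems.append("auth.allow is '*' and auth.reject is unset: any client may mount")
        if opts.get("client.ssl") != "on":
            problems.append("client.ssl is not on")
        if opts.get("server.ssl") != "on":
            problems.append("server.ssl is not on")
        findings[name] = problems
    return findings


if __name__ == "__main__":
    print("fixed release:", is_fixed_release("glusterfs 3.12.8"))  # constructed input
    for vol, problems in audit_volume_options(SAMPLE_VOLUME_INFO).items():
        print(vol, "ok" if not problems else problems)
```

On a real node, feed the functions the output of `glusterfs --version` and `gluster volume info` instead of the constructed samples. Note that a clean audit only addresses unauthorized clients; as the post says, clients permitted by auth.allow or holding a signed TLS client certificate still require the upgraded release.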


[1] https://access.redhat.com/security/cve/cve-2018-1088

[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1088
