The Gluster Blog

Updated Gluster Releases

Amye Scavarda
April 30, 2018

The Gluster community has released out-of-cadence updates for Gluster 3.10, 3.12, and 4.0 that resolve CVE-2018-1088[1], a flaw rated Important. It is a privilege escalation in the gluster snapshot scheduler.


Any gluster client allowed to mount gluster volumes could also mount the shared gluster storage volume that the snapshot scheduler writes to, and escalate privileges by scheduling malicious cron jobs via a symlink. Beyond installing the new releases, you can limit the exposure of gluster server nodes with these practices:

  • Keep gluster servers on a LAN, not reachable from public networks.
  • Restrict which clients may mount each volume with the auth.allow and auth.reject volume options.
  • Use TLS certificates between gluster server nodes and clients.


Please note: these practices only mitigate attacks from unauthorized clients. A client permitted by auth.allow, or holding a TLS client certificate signed by your CA, can still trigger this attack, so only upgrading removes the flaw.
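As an added check (example code written for this post, not part of the Gluster project or of the original article): a small Python script that parses `gluster volume info` output and flags any volume that is still missing the two CLI-level mitigations above, printing the `gluster volume set` command that would fix each one. The volume names, IDs, brick paths and option values in the embedded sample are constructed; the parser assumes the `Options Reconfigured:` section with one `key: value` per line that `gluster volume info` prints. It only reports on unauthorized-client exposure; it cannot tell you whether an allowed client could still trigger the flaw, which is what the upgrade is for.

```python
"""Audit `gluster volume info` output for auth.allow and TLS settings.

Example code for this post, not Gluster project code. Usage on a node:
    gluster volume info | python3 audit_gluster_volumes.py
With no piped input it audits the constructed sample below.
"""
import sys
from typing import Dict, List

# Constructed sample of `gluster volume info` output for two volumes. The
# first is the shared storage volume the snapshot scheduler uses, left at
# defaults; the second has the mitigations applied. Names/IDs are made up.
SAMPLE_VOLUME_INFO = """\
Volume Name: gluster_shared_storage
Type: Replicate
Volume ID: 0f2a4d6c-1111-2222-3333-444455556666
Status: Started
Snapshot Count: 0
Number of Bricks: 1 x 3 = 3
Transport-type: tcp
Bricks:
Brick1: node1:/var/lib/glusterd/ss_brick
Brick2: node2:/var/lib/glusterd/ss_brick
Brick3: node3:/var/lib/glusterd/ss_brick
Options Reconfigured:
transport.address-family: inet
nfs.disable: on

Volume Name: gv0
Type: Replicate
Volume ID: 7e8f9a0b-aaaa-bbbb-cccc-ddddeeeeffff
Status: Started
Snapshot Count: 2
Number of Bricks: 1 x 3 = 3
Transport-type: tcp
Bricks:
Brick1: node1:/data/brick1/gv0
Brick2: node2:/data/brick1/gv0
Brick3: node3:/data/brick1/gv0
Options Reconfigured:
auth.allow: 10.0.0.*
client.ssl: on
server.ssl: on
auth.ssl-allow: app1.lan,app2.lan
transport.address-family: inet
nfs.disable: on
"""

Options = Dict[str, str]


def parse_volume_info(text: str) -> Dict[str, Options]:
    """Map each volume name to the options listed under "Options Reconfigured:".

    Options that were never set are not printed there, so a missing key
    means the gluster default applies.
    """
    volumes: Dict[str, Options] = {}
    current = None
    in_options = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Volume Name:"):
            current = line.split(":", 1)[1].strip()
            volumes[current] = {}
            in_options = False
        elif line == "Options Reconfigured:":
            in_options = True
        elif in_options and current is not None and ":" in line:
            key, value = (part.strip() for part in line.split(":", 1))
            volumes[current][key] = value
    return volumes


def audit_volume(name: str, opts: Options) -> List[str]:
    """Return one finding per missing mitigation, each naming the CLI fix."""
    findings: List[str] = []

    # Default auth.allow is '*': any host that can reach the brick ports may
    # mount the volume. auth.reject alone is only a denylist, so it is not
    # treated as a restriction here.
    if opts.get("auth.allow", "*") == "*":
        findings.append(
            f"{name}: auth.allow unset or '*'; restrict with "
            f"`gluster volume set {name} auth.allow <client-ip-or-glob>`"
        )

    # Both sides must be on for the client-to-brick path to use TLS. Each node
    # needs /etc/ssl/glusterfs.pem, glusterfs.key and glusterfs.ca first.
    if opts.get("client.ssl", "off") != "on" or opts.get("server.ssl", "off") != "on":
        findings.append(
            f"{name}: TLS not enforced; run `gluster volume set {name} client.ssl on` "
            f"and `gluster volume set {name} server.ssl on`"
        )
    elif "auth.ssl-allow" not in opts:
        # Default auth.ssl-allow is '*': any certificate the CA signed is accepted.
        findings.append(
            f"{name}: auth.ssl-allow unset; pin client CNs with "
            f"`gluster volume set {name} auth.ssl-allow <cn1,cn2>`"
        )
    return findings


def audit_all(text: str) -> Dict[str, List[str]]:
    """Audit every volume in the output; an empty list means all checks passed."""
    return {name: audit_volume(name, opts) for name, opts in parse_volume_info(text).items()}


if __name__ == "__main__":
    source = SAMPLE_VOLUME_INFO if sys.stdin.isatty() else sys.stdin.read()
    for volume, findings in audit_all(source).items():
        print(f"[{volume}] {'ok' if not findings else str(len(findings)) + ' finding(s)'}")
        for finding in findings:
            print("   ", finding)
```

Run it on each node after the upgrade as well: the findings are about who can reach a volume at all, and they stay relevant once the snapshot scheduler itself is fixed.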

Further information about CVE-2018-1088 can be found in the MITRE CVE database.[2]


Our recommendation is to upgrade to these new releases:

https://download.gluster.org/pub/gluster/glusterfs/3.10/3.10.12/

https://download.gluster.org/pub/gluster/glusterfs/3.12/3.12.9/

https://download.gluster.org/pub/gluster/glusterfs/4.0/4.0.2/


[1] https://access.redhat.com/security/cve/cve-2018-1088

[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1088
