Gluster blog stories provide high-level spotlights on our users all over the world
The Gluster community has released an out-of-normal-cadence release for Gluster 3.10, 3.12, and 4.0 that resolves a CVE that has been classified as Important. A privilege escalation flaw was found in the gluster snapshot scheduler.
Any gluster client allowed to mount gluster volumes could also mount shared gluster storage volumes and escalate privileges by scheduling malicious cronjobs via symlink. Beyond installing the new release, additional mitigation would include limiting exposure of gluster server nodes by these practices:
Please note: these practices would only mitigate attacks from unauthorized malicious clients. Gluster clients allowed by auth.allow or having signed TLS client certificates would still be able to trigger this attack.
Further information can be found about CVE-2018-1088 from the MITRE CVE database.
Our recommendation is to upgrade to these new releases:
Upcoming Community Happy Hour at Red Hat Summit! Tue, May 7, 2019, 6:30 PM – 7:30 PM EDT https://cephandglusterhappyhour_rhsummit.eventbrite.com has all the details. Gluster 7 Roadmap Discussion kicked off for our 7 roadmap on the mailing lists, see [Gluster-users] GlusterFS v7.0 (and v8.0) roadmap discussion https://lists.gluster.org/pipermail/gluster-users/2019-March/036139.html for more details. Community...
This is part of a new series on using Gluster! OpenVPN is open source software that serves as the basis for a Virtual Private Network capable of supporting a point-to-point or site-to-site connection. Along with the fact that it’s free to use, it also has the benefit of being one...