The Gluster community has released an out-of-normal-cadence release for Gluster 3.10, 3.12, and 4.0 that resolves a CVE[1] that has been classified as Important. A privilege escalation flaw was found in the gluster snapshot scheduler.
Any gluster client allowed to mount gluster volumes could also mount shared gluster storage volumes and escalate privileges by scheduling malicious cronjobs via symlink. Beyond installing the new release, additional mitigation would include limiting exposure of gluster server nodes by these practices:
Please note: these practices would only mitigate attacks from unauthorized malicious clients. Gluster clients allowed by auth.allow or having signed TLS client certificates would still be able to trigger this attack.
Further information can be found about CVE-2018-1088 from the MITRE CVE database.[2]
Our recommendation is to upgrade to these new releases:
https://download.gluster.org/pub/gluster/glusterfs/3.10/3.10.12/
https://download.gluster.org/pub/gluster/glusterfs/3.12/3.12.9/
https://download.gluster.org/pub/gluster/glusterfs/4.0/4.0.2/
[1] https://access.redhat.com/security/cve/cve-2018-1088
[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1088
2020 has not been a year we would have been able to predict. With a worldwide pandemic and lives thrown out of gear, as we head into 2021, we are thankful that our community and project continued to receive new developers, users and make small gains. For that and a...
It has been a while since we provided an update to the Gluster community. Across the world various nations, states and localities have put together sets of guidelines around shelter-in-place and quarantine. We request our community members to stay safe, to care for their loved ones, to continue to be...
The initial rounds of conversation around the planning of content for release 8 has helped the project identify one key thing – the need to stagger out features and enhancements over multiple releases. Thus, while release 8 is unlikely to be feature heavy as previous releases, it will be the...