The Gluster community has released an out-of-normal-cadence release for Gluster 3.10, 3.12, and 4.0 that resolves a CVE that has been classified as Important. A privilege escalation flaw was found in the gluster snapshot scheduler.
Any gluster client allowed to mount gluster volumes could also mount the shared gluster storage volume and escalate privileges by scheduling malicious cronjobs via symlink. Beyond installing the new release, exposure of gluster server nodes can be further limited by these practices:
Please note: these practices only mitigate attacks from unauthorized malicious clients. Gluster clients permitted by auth.allow or holding signed TLS client certificates would still be able to trigger this attack.
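The advisory points at auth.allow as the access-control knob that decides which clients may mount a volume at all. The following audit script is an added example, not part of the Gluster advisory or the project's own tooling: it checks whether each volume's auth.allow is still the wildcard default (any client may mount) and prints the corrective `gluster volume set` command for exposed volumes. The volume names and the `gluster volume get VOLNAME auth.allow` output it parses are constructed samples embedded in the script so it runs offline; on a real cluster you would replace `sample_auth_allow` with the real CLI call. As the note above says, this only narrows exposure to unauthorized clients; it does nothing against clients that are already allowed.

```shell
#!/bin/sh
# Added example (not from the Gluster advisory): audit gluster volumes for a
# wildcard auth.allow, which lets any client on the network mount the volume.
# ASSUMPTION: the volume names and CLI output below are constructed samples.

# Constructed stand-in for `gluster volume get VOLNAME auth.allow`, whose
# output is an "Option / Value" header followed by the option line.
sample_auth_allow() {
    case "$1" in
        data_vol)   printf 'Option\t\tValue\nauth.allow\t\t10.0.0.11,10.0.0.12\n' ;;
        shared_vol) printf 'Option\t\tValue\nauth.allow\t\t*\n' ;;
        *)          printf 'Option\t\tValue\nauth.allow\t\t*\n' ;;
    esac
}

# Print the auth.allow value for a volume (second column of the option line).
auth_allow_value() {
    sample_auth_allow "$1" | awk '$1 == "auth.allow" { print $2 }'
}

# Return 0 if the volume is restricted to an explicit client list,
# 1 if it is exposed to any client (empty or wildcard "*" value).
is_restricted() {
    v=$(auth_allow_value "$1")
    case "$v" in
        ""|*"*"*) return 1 ;;
        *)        return 0 ;;
    esac
}

# Print the number of volumes in the argument list whose auth.allow is open.
count_exposed() {
    n=0
    for vol in "$@"; do
        is_restricted "$vol" || n=$((n + 1))
    done
    echo "$n"
}

# Human-readable report; for exposed volumes print the corrective command.
# The client IP list is a placeholder the operator fills in.
audit_volumes() {
    for vol in "$@"; do
        if is_restricted "$vol"; then
            echo "OK       $vol auth.allow=$(auth_allow_value "$vol")"
        else
            echo "EXPOSED  $vol auth.allow=$(auth_allow_value "$vol")"
            echo "         fix: gluster volume set $vol auth.allow <comma-separated client IPs>"
        fi
    done
}

audit_volumes data_vol shared_vol
echo "exposed volumes: $(count_exposed data_vol shared_vol)"
```

Run it as-is to see the report for the two constructed volumes; to audit a live cluster, replace the body of `sample_auth_allow` with `gluster volume get "$1" auth.allow` and feed it the output of `gluster volume list`.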
Further information about CVE-2018-1088 can be found in the MITRE CVE database.
Our recommendation is to upgrade to these new releases: