Updated Gluster Releases

Amye Scavarda
2018-04-30

The Gluster community has released an out-of-normal-cadence release for Gluster 3.10, 3.12, and 4.0 that resolves a CVE[1] that has been classified as Important. A privilege escalation flaw was found in the gluster snapshot scheduler.
Any gluster client permitted to mount gluster volumes could also mount the shared gluster storage volumes used by the scheduler and escalate privileges by scheduling malicious cron jobs via a symlink. Beyond installing the new release, additional mitigation consists of limiting the exposure of gluster server nodes through these practices:

  • Gluster servers should sit on a LAN and not be reachable from public networks.
  • Restrict which clients may mount volumes with the gluster auth.allow and auth.reject volume options.
  • Use TLS certificates between gluster server nodes and clients.
Please note: these practices would only mitigate attacks from unauthorized malicious clients. Gluster clients allowed by auth.allow or having signed TLS client certificates would still be able to trigger this attack.
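As an added example that is not part of the original advisory or of the Gluster project, the following Python script parses `gluster volume info` output and flags volumes missing the two configuration mitigations listed above; the sample output is constructed, while the option names are gluster's own `auth.allow`, `client.ssl` and `server.ssl`. It cannot detect the caveat just described: a client that passes auth.allow or presents a valid TLS certificate is still trusted.

```python
# Constructed sample of `gluster volume info` output (not from a real cluster):
SAMPLE_VOLUME_INFO = """\
Volume Name: gv0
Type: Replicate
Options Reconfigured:
auth.allow: 10.0.0.10,10.0.0.11
client.ssl: on
server.ssl: on
nfs.disable: on

Volume Name: scratch
Type: Distribute
Options Reconfigured:
transport.address-family: inet
nfs.disable: on
"""

def parse_volume_info(text):
    """Return {volume_name: {option: value}} from each 'Options Reconfigured' section."""
    volumes, current, in_options = {}, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Volume Name:"):
            current = line.split(":", 1)[1].strip()
            volumes[current] = {}
            in_options = False
        elif line == "Options Reconfigured:":
            in_options = True
        elif in_options and current and ":" in line:
            key, value = (part.strip() for part in line.split(":", 1))
            volumes[current][key] = value
    return volumes

def audit_volume(options):
    """Findings for one volume; an empty list means both mitigations are in place."""
    findings = []
    # gluster's default auth.allow is '*': any client that can reach the server may mount.
    if options.get("auth.allow", "*") == "*":
        findings.append("auth.allow is unrestricted ('*'); set an explicit client list")
    # TLS between clients and servers needs both client.ssl and server.ssl switched on.
    if options.get("client.ssl", "off") != "on" or options.get("server.ssl", "off") != "on":
        findings.append("client.ssl/server.ssl not both 'on'; TLS is not enforced")
    return findings

def audit(text):
    """Map every volume in the output to its list of findings."""
    return {name: audit_volume(opts) for name, opts in parse_volume_info(text).items()}
```

Running `audit(SAMPLE_VOLUME_INFO)` reports `gv0` as clean and two findings for `scratch`; on a live node, feed it the output of `gluster volume info` instead of the sample.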

Further information about CVE-2018-1088 can be found in the MITRE CVE database.[2]
Our recommendation is to upgrade to these new releases:

https://download.gluster.org/pub/gluster/glusterfs/3.10/3.10.12/

https://download.gluster.org/pub/gluster/glusterfs/3.12/3.12.9/

https://download.gluster.org/pub/gluster/glusterfs/4.0/4.0.2/
[1] https://access.redhat.com/security/cve/cve-2018-1088

[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1088