rhsa-2018_3431
Vulnerability from csaf_redhat
Published
2018-10-31 08:43
Modified
2024-11-15 00:36
Summary
Red Hat Security Advisory: glusterfs security and bug fix update
Notes
Topic
Updated glusterfs packages that fix multiple security issues and bugs are now available for Red Hat Gluster Storage 3.4 on Red Hat Enterprise Linux 6.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
GlusterFS is a key building block of Red Hat Gluster Storage. It is based on a stackable user-space design and can deliver exceptional performance for diverse workloads. GlusterFS aggregates various storage servers over network interconnections into one large, parallel network file system.
Security Fix(es):
* glusterfs: glusterfs server exploitable via symlinks to relative paths (CVE-2018-14651)
* glusterfs: Buffer overflow in "features/locks" translator allows for denial of service (CVE-2018-14652)
* glusterfs: Heap-based buffer overflow via "gf_getspec_req" RPC message (CVE-2018-14653)
* glusterfs: "features/index" translator can create arbitrary, empty files (CVE-2018-14654)
* glusterfs: Unlimited file creation via "GF_XATTR_IOSTATS_DUMP_KEY" xattr allows for denial of service (CVE-2018-14659)
* glusterfs: Repeat use of "GF_META_LOCK_KEY" xattr allows for memory exhaustion (CVE-2018-14660)
* glusterfs: features/locks translator passes an user-controlled string to snprintf without a proper format string resulting in a denial of service (CVE-2018-14661)
For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.
Red Hat would like to thank Michael Hanselmann (hansmi.ch) for reporting these issues.
This update provides the following bug fix(es):
* MD5 instances are replaced with FIPS compliant SHA256 checksums and
glusterd no longer crashes when run on a FIPS enabled machine. (BZ#1459709)
* The flock is unlocked specifically and the status file is updated so that
the reference is not leaked to any worker or agent process. As a result of
this fix, all workers come up without fail. (BZ#1623749)
* All HTIME index files are checked for the specified start and end times,
and the History API does not fail when multiple HTIME files exist.
(BZ#1627639)
* After upgrading to Red Hat Gluster Storage 3.4 from earlier versions of
Red Hat Gluster Storage, the volume size displayed by the df command was
smaller than the actual volume size. This has been fixed and the df command
now shows the correct size for all volumes. (BZ#1630997)
* The algorithm to disable the eager-lock is modified and it disables only
when multiple write operations are trying to modify a file at the same
time. This led to performance improvement while a write operation is
performed on a file irrespective of the number of times it is opened at the
same time for a read operation. (BZ#1630688)
* heal-info does not consider the presence of dirty markers as an
indication of split-brain and does not display these entries to be in a
split-brain state. (BZ#1610743)
All users of Red Hat Gluster Storage are advised to upgrade to these
updated packages, which provide numerous bug fixes and enhancements.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Updated glusterfs packages that fix multiple security issues and bugs are now available for Red Hat Gluster Storage 3.4 on Red Hat Enterprise Linux 6.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "GlusterFS is a key building block of Red Hat Gluster Storage. It is based on a stackable user-space design and can deliver exceptional performance for diverse workloads. GlusterFS aggregates various storage servers over network interconnections into one large, parallel network file system.\n\nSecurity Fix(es):\n\n* glusterfs: glusterfs server exploitable via symlinks to relative paths (CVE-2018-14651)\n\n* glusterfs: Buffer overflow in \"features/locks\" translator allows for denial of service (CVE-2018-14652)\n\n* glusterfs: Heap-based buffer overflow via \"gf_getspec_req\" RPC message (CVE-2018-14653)\n\n* glusterfs: \"features/index\" translator can create arbitrary, empty files (CVE-2018-14654)\n\n* glusterfs: Unlimited file creation via \"GF_XATTR_IOSTATS_DUMP_KEY\" xattr allows for denial of service (CVE-2018-14659)\n\n* glusterfs: Repeat use of \"GF_META_LOCK_KEY\" xattr allows for memory exhaustion (CVE-2018-14660)\n\n* glusterfs: features/locks translator passes an user-controlled string to snprintf without a proper format string resulting in a denial of service (CVE-2018-14661)\n\nFor more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.\n\nRed Hat would like to thank Michael Hanselmann (hansmi.ch) for reporting these issues.\n\nThis update provides the following bug fix(es):\n\n* MD5 instances are replaced with FIPS compliant SHA256 checksums and\nglusterd no longer crashes when run on a FIPS enabled machine. (BZ#1459709)\n\n* The flock is unlocked specifically and the status file is updated so that\nthe reference is not leaked to any worker or agent process. As a result of\nthis fix, all workers come up without fail. (BZ#1623749)\n\n* All HTIME index files are checked for the specified start and end times,\nand the History API does not fail when multiple HTIME files exist.\n(BZ#1627639)\n\n* After upgrading to Red Hat Gluster Storage 3.4 from earlier versions of\nRed Hat Gluster Storage, the volume size displayed by the df command was\nsmaller than the actual volume size. This has been fixed and the df command\nnow shows the correct size for all volumes. (BZ#1630997)\n\n* The algorithm to disable the eager-lock is modified and it disables only\nwhen multiple write operations are trying to modify a file at the same\ntime. This led to performance improvement while a write operation is\nperformed on a file irrespective of the number of times it is opened at the\nsame time for a read operation. (BZ#1630688)\n\n* heal-info does not consider the presence of dirty markers as an\nindication of split-brain and does not display these entries to be in a\nsplit-brain state. (BZ#1610743)\n\nAll users of Red Hat Gluster Storage are advised to upgrade to these\nupdated packages, which provide numerous bug fixes and enhancements.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2018:3431",
"url": "https://access.redhat.com/errata/RHSA-2018:3431"
},
{
"category": "external",
"summary": "1631576",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1631576"
},
{
"category": "external",
"summary": "1632119",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1632119"
},
{
"category": "external",
"summary": "1632557",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1632557"
},
{
"category": "external",
"summary": "1632974",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1632974"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "1635926",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1635926"
},
{
"category": "external",
"summary": "1635929",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1635929"
},
{
"category": "external",
"summary": "1636880",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1636880"
},
{
"category": "external",
"summary": "1643194",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1643194"
},
{
"category": "external",
"summary": "1633431",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1633431"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2018/rhsa-2018_3431.json"
}
],
"title": "Red Hat Security Advisory: glusterfs security and bug fix update",
"tracking": {
"current_release_date": "2024-11-15T00:36:59+00:00",
"generator": {
"date": "2024-11-15T00:36:59+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.2.1"
}
},
"id": "RHSA-2018:3431",
"initial_release_date": "2018-10-31T08:43:14+00:00",
"revision_history": [
{
"date": "2018-10-31T08:43:14+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2018-10-31T08:43:14+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-11-15T00:36:59+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Gluster Storage Server 3.4 on RHEL-6",
"product": {
"name": "Red Hat Gluster Storage Server 3.4 on RHEL-6",
"product_id": "6Server-RH-Gluster-3.4-Server",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:storage:3.4:server:el6"
}
}
},
{
"category": "product_name",
"name": "Red Hat Storage Native Client for Red Hat Enterprise Linux 6",
"product": {
"name": "Red Hat Storage Native Client for Red Hat Enterprise Linux 6",
"product_id": "6Server-RHSClient",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:storage:3:client:el6"
}
}
}
],
"category": "product_family",
"name": "Red Hat Gluster Storage"
},
{
"branches": [
{
"category": "product_version",
"name": "glusterfs-0:3.12.2-25.el6rhs.x86_64",
"product": {
"name": "glusterfs-0:3.12.2-25.el6rhs.x86_64",
"product_id": "glusterfs-0:3.12.2-25.el6rhs.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/glusterfs@3.12.2-25.el6rhs?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "glusterfs-api-devel-0:3.12.2-25.el6rhs.x86_64",
"product": {
"name": "glusterfs-api-devel-0:3.12.2-25.el6rhs.x86_64",
"product_id": "glusterfs-api-devel-0:3.12.2-25.el6rhs.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/glusterfs-api-devel@3.12.2-25.el6rhs?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "glusterfs-libs-0:3.12.2-25.el6rhs.x86_64",
"product": {
"name": "glusterfs-libs-0:3.12.2-25.el6rhs.x86_64",
"product_id": "glusterfs-libs-0:3.12.2-25.el6rhs.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/glusterfs-libs@3.12.2-25.el6rhs?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "glusterfs-devel-0:3.12.2-25.el6rhs.x86_64",
"product": {
"name": "glusterfs-devel-0:3.12.2-25.el6rhs.x86_64",
"product_id": "glusterfs-devel-0:3.12.2-25.el6rhs.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/glusterfs-devel@3.12.2-25.el6rhs?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "glusterfs-debuginfo-0:3.12.2-25.el6rhs.x86_64",
"product": {
"name": "glusterfs-debuginfo-0:3.12.2-25.el6rhs.x86_64",
"product_id": "glusterfs-debuginfo-0:3.12.2-25.el6rhs.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/glusterfs-debuginfo@3.12.2-25.el6rhs?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "glusterfs-api-0:3.12.2-25.el6rhs.x86_64",
"product": {
"name": "glusterfs-api-0:3.12.2-25.el6rhs.x86_64",
"product_id": "glusterfs-api-0:3.12.2-25.el6rhs.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/glusterfs-api@3.12.2-25.el6rhs?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "python2-gluster-0:3.12.2-25.el6rhs.x86_64",
"product": {
"name": "python2-gluster-0:3.12.2-25.el6rhs.x86_64",
"product_id": "python2-gluster-0:3.12.2-25.el6rhs.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/python2-gluster@3.12.2-25.el6rhs?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "glusterfs-geo-replication-0:3.12.2-25.el6rhs.x86_64",
"product": {
"name": "glusterfs-geo-replication-0:3.12.2-25.el6rhs.x86_64",
"product_id": "glusterfs-geo-replication-0:3.12.2-25.el6rhs.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/glusterfs-geo-replication@3.12.2-25.el6rhs?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "glusterfs-rdma-0:3.12.2-25.el6rhs.x86_64",
"product": {
"name": "glusterfs-rdma-0:3.12.2-25.el6rhs.x86_64",
"product_id": "glusterfs-rdma-0:3.12.2-25.el6rhs.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/glusterfs-rdma@3.12.2-25.el6rhs?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "glusterfs-fuse-0:3.12.2-25.el6rhs.x86_64",
"product": {
"name": "glusterfs-fuse-0:3.12.2-25.el6rhs.x86_64",
"product_id": "glusterfs-fuse-0:3.12.2-25.el6rhs.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/glusterfs-fuse@3.12.2-25.el6rhs?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "glusterfs-server-0:3.12.2-25.el6rhs.x86_64",
"product": {
"name": "glusterfs-server-0:3.12.2-25.el6rhs.x86_64",
"product_id": "glusterfs-server-0:3.12.2-25.el6rhs.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/glusterfs-server@3.12.2-25.el6rhs?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "glusterfs-events-0:3.12.2-25.el6rhs.x86_64",
"product": {
"name": "glusterfs-events-0:3.12.2-25.el6rhs.x86_64",
"product_id": "glusterfs-events-0:3.12.2-25.el6rhs.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/glusterfs-events@3.12.2-25.el6rhs?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "glusterfs-ganesha-0:3.12.2-25.el6rhs.x86_64",
"product": {
"name": "glusterfs-ganesha-0:3.12.2-25.el6rhs.x86_64",
"product_id": "glusterfs-ganesha-0:3.12.2-25.el6rhs.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/glusterfs-ganesha@3.12.2-25.el6rhs?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "glusterfs-client-xlators-0:3.12.2-25.el6rhs.x86_64",
"product": {
"name": "glusterfs-client-xlators-0:3.12.2-25.el6rhs.x86_64",
"product_id": "glusterfs-client-xlators-0:3.12.2-25.el6rhs.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/glusterfs-client-xlators@3.12.2-25.el6rhs?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "glusterfs-cli-0:3.12.2-25.el6rhs.x86_64",
"product": {
"name": "glusterfs-cli-0:3.12.2-25.el6rhs.x86_64",
"product_id": "glusterfs-cli-0:3.12.2-25.el6rhs.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/glusterfs-cli@3.12.2-25.el6rhs?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "glusterfs-libs-0:3.12.2-25.el6.x86_64",
"product": {
"name": "glusterfs-libs-0:3.12.2-25.el6.x86_64",
"product_id": "glusterfs-libs-0:3.12.2-25.el6.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/glusterfs-libs@3.12.2-25.el6?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "glusterfs-cli-0:3.12.2-25.el6.x86_64",
"product": {
"name": "glusterfs-cli-0:3.12.2-25.el6.x86_64",
"product_id": "glusterfs-cli-0:3.12.2-25.el6.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/glusterfs-cli@3.12.2-25.el6?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "glusterfs-api-devel-0:3.12.2-25.el6.x86_64",
"product": {
"name": "glusterfs-api-devel-0:3.12.2-25.el6.x86_64",
"product_id": "glusterfs-api-devel-0:3.12.2-25.el6.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/glusterfs-api-devel@3.12.2-25.el6?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "glusterfs-client-xlators-0:3.12.2-25.el6.x86_64",
"product": {
"name": "glusterfs-client-xlators-0:3.12.2-25.el6.x86_64",
"product_id": "glusterfs-client-xlators-0:3.12.2-25.el6.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/glusterfs-client-xlators@3.12.2-25.el6?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "glusterfs-debuginfo-0:3.12.2-25.el6.x86_64",
"product": {
"name": "glusterfs-debuginfo-0:3.12.2-25.el6.x86_64",
"product_id": "glusterfs-debuginfo-0:3.12.2-25.el6.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/glusterfs-debuginfo@3.12.2-25.el6?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "glusterfs-0:3.12.2-25.el6.x86_64",
"product": {
"name": "glusterfs-0:3.12.2-25.el6.x86_64",
"product_id": "glusterfs-0:3.12.2-25.el6.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/glusterfs@3.12.2-25.el6?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "glusterfs-api-0:3.12.2-25.el6.x86_64",
"product": {
"name": "glusterfs-api-0:3.12.2-25.el6.x86_64",
"product_id": "glusterfs-api-0:3.12.2-25.el6.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/glusterfs-api@3.12.2-25.el6?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "python2-gluster-0:3.12.2-25.el6.x86_64",
"product": {
"name": "python2-gluster-0:3.12.2-25.el6.x86_64",
"product_id": "python2-gluster-0:3.12.2-25.el6.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/python2-gluster@3.12.2-25.el6?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "glusterfs-fuse-0:3.12.2-25.el6.x86_64",
"product": {
"name": "glusterfs-fuse-0:3.12.2-25.el6.x86_64",
"product_id": "glusterfs-fuse-0:3.12.2-25.el6.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/glusterfs-fuse@3.12.2-25.el6?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "glusterfs-rdma-0:3.12.2-25.el6.x86_64",
"product": {
"name": "glusterfs-rdma-0:3.12.2-25.el6.x86_64",
"product_id": "glusterfs-rdma-0:3.12.2-25.el6.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/glusterfs-rdma@3.12.2-25.el6?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "glusterfs-devel-0:3.12.2-25.el6.x86_64",
"product": {
"name": "glusterfs-devel-0:3.12.2-25.el6.x86_64",
"product_id": "glusterfs-devel-0:3.12.2-25.el6.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/glusterfs-devel@3.12.2-25.el6?arch=x86_64"
}
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_version",
"name": "glusterfs-0:3.12.2-25.el6rhs.src",
"product": {
"name": "glusterfs-0:3.12.2-25.el6rhs.src",
"product_id": "glusterfs-0:3.12.2-25.el6rhs.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/glusterfs@3.12.2-25.el6rhs?arch=src"
}
}
},
{
"category": "product_version",
"name": "redhat-storage-server-0:3.4.1.0-1.el6rhs.src",
"product": {
"name": "redhat-storage-server-0:3.4.1.0-1.el6rhs.src",
"product_id": "redhat-storage-server-0:3.4.1.0-1.el6rhs.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/redhat-storage-server@3.4.1.0-1.el6rhs?arch=src"
}
}
},
{
"category": "product_version",
"name": "glusterfs-0:3.12.2-25.el6.src",
"product": {
"name": "glusterfs-0:3.12.2-25.el6.src",
"product_id": "glusterfs-0:3.12.2-25.el6.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/glusterfs@3.12.2-25.el6?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "redhat-storage-server-0:3.4.1.0-1.el6rhs.noarch",
"product": {
"name": "redhat-storage-server-0:3.4.1.0-1.el6rhs.noarch",
"product_id": "redhat-storage-server-0:3.4.1.0-1.el6rhs.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/redhat-storage-server@3.4.1.0-1.el6rhs?arch=noarch"
}
}
}
],
"category": "architecture",
"name": "noarch"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "glusterfs-0:3.12.2-25.el6rhs.src as a component of Red Hat Gluster Storage Server 3.4 on RHEL-6",
"product_id": "6Server-RH-Gluster-3.4-Server:glusterfs-0:3.12.2-25.el6rhs.src"
},
"product_reference": "glusterfs-0:3.12.2-25.el6rhs.src",
"relates_to_product_reference": "6Server-RH-Gluster-3.4-Server"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "glusterfs-0:3.12.2-25.el6rhs.x86_64 as a component of Red Hat Gluster Storage Server 3.4 on RHEL-6",
"product_id": "6Server-RH-Gluster-3.4-Server:glusterfs-0:3.12.2-25.el6rhs.x86_64"
},
"product_reference": "glusterfs-0:3.12.2-25.el6rhs.x86_64",
"relates_to_product_reference": "6Server-RH-Gluster-3.4-Server"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "glusterfs-api-0:3.12.2-25.el6rhs.x86_64 as a component of Red Hat Gluster Storage Server 3.4 on RHEL-6",
"product_id": "6Server-RH-Gluster-3.4-Server:glusterfs-api-0:3.12.2-25.el6rhs.x86_64"
},
"product_reference": "glusterfs-api-0:3.12.2-25.el6rhs.x86_64",
"relates_to_product_reference": "6Server-RH-Gluster-3.4-Server"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "glusterfs-api-devel-0:3.12.2-25.el6rhs.x86_64 as a component of Red Hat Gluster Storage Server 3.4 on RHEL-6",
"product_id": "6Server-RH-Gluster-3.4-Server:glusterfs-api-devel-0:3.12.2-25.el6rhs.x86_64"
},
"product_reference": "glusterfs-api-devel-0:3.12.2-25.el6rhs.x86_64",
"relates_to_product_reference": "6Server-RH-Gluster-3.4-Server"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "glusterfs-cli-0:3.12.2-25.el6rhs.x86_64 as a component of Red Hat Gluster Storage Server 3.4 on RHEL-6",
"product_id": "6Server-RH-Gluster-3.4-Server:glusterfs-cli-0:3.12.2-25.el6rhs.x86_64"
},
"product_reference": "glusterfs-cli-0:3.12.2-25.el6rhs.x86_64",
"relates_to_product_reference": "6Server-RH-Gluster-3.4-Server"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "glusterfs-client-xlators-0:3.12.2-25.el6rhs.x86_64 as a component of Red Hat Gluster Storage Server 3.4 on RHEL-6",
"product_id": "6Server-RH-Gluster-3.4-Server:glusterfs-client-xlators-0:3.12.2-25.el6rhs.x86_64"
},
"product_reference": "glusterfs-client-xlators-0:3.12.2-25.el6rhs.x86_64",
"relates_to_product_reference": "6Server-RH-Gluster-3.4-Server"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "glusterfs-debuginfo-0:3.12.2-25.el6rhs.x86_64 as a component of Red Hat Gluster Storage Server 3.4 on RHEL-6",
"product_id": "6Server-RH-Gluster-3.4-Server:glusterfs-debuginfo-0:3.12.2-25.el6rhs.x86_64"
},
"product_reference": "glusterfs-debuginfo-0:3.12.2-25.el6rhs.x86_64",
"relates_to_product_reference": "6Server-RH-Gluster-3.4-Server"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "glusterfs-devel-0:3.12.2-25.el6rhs.x86_64 as a component of Red Hat Gluster Storage Server 3.4 on RHEL-6",
"product_id": "6Server-RH-Gluster-3.4-Server:glusterfs-devel-0:3.12.2-25.el6rhs.x86_64"
},
"product_reference": "glusterfs-devel-0:3.12.2-25.el6rhs.x86_64",
"relates_to_product_reference": "6Server-RH-Gluster-3.4-Server"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "glusterfs-events-0:3.12.2-25.el6rhs.x86_64 as a component of Red Hat Gluster Storage Server 3.4 on RHEL-6",
"product_id": "6Server-RH-Gluster-3.4-Server:glusterfs-events-0:3.12.2-25.el6rhs.x86_64"
},
"product_reference": "glusterfs-events-0:3.12.2-25.el6rhs.x86_64",
"relates_to_product_reference": "6Server-RH-Gluster-3.4-Server"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "glusterfs-fuse-0:3.12.2-25.el6rhs.x86_64 as a component of Red Hat Gluster Storage Server 3.4 on RHEL-6",
"product_id": "6Server-RH-Gluster-3.4-Server:glusterfs-fuse-0:3.12.2-25.el6rhs.x86_64"
},
"product_reference": "glusterfs-fuse-0:3.12.2-25.el6rhs.x86_64",
"relates_to_product_reference": "6Server-RH-Gluster-3.4-Server"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "glusterfs-ganesha-0:3.12.2-25.el6rhs.x86_64 as a component of Red Hat Gluster Storage Server 3.4 on RHEL-6",
"product_id": "6Server-RH-Gluster-3.4-Server:glusterfs-ganesha-0:3.12.2-25.el6rhs.x86_64"
},
"product_reference": "glusterfs-ganesha-0:3.12.2-25.el6rhs.x86_64",
"relates_to_product_reference": "6Server-RH-Gluster-3.4-Server"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "glusterfs-geo-replication-0:3.12.2-25.el6rhs.x86_64 as a component of Red Hat Gluster Storage Server 3.4 on RHEL-6",
"product_id": "6Server-RH-Gluster-3.4-Server:glusterfs-geo-replication-0:3.12.2-25.el6rhs.x86_64"
},
"product_reference": "glusterfs-geo-replication-0:3.12.2-25.el6rhs.x86_64",
"relates_to_product_reference": "6Server-RH-Gluster-3.4-Server"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "glusterfs-libs-0:3.12.2-25.el6rhs.x86_64 as a component of Red Hat Gluster Storage Server 3.4 on RHEL-6",
"product_id": "6Server-RH-Gluster-3.4-Server:glusterfs-libs-0:3.12.2-25.el6rhs.x86_64"
},
"product_reference": "glusterfs-libs-0:3.12.2-25.el6rhs.x86_64",
"relates_to_product_reference": "6Server-RH-Gluster-3.4-Server"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "glusterfs-rdma-0:3.12.2-25.el6rhs.x86_64 as a component of Red Hat Gluster Storage Server 3.4 on RHEL-6",
"product_id": "6Server-RH-Gluster-3.4-Server:glusterfs-rdma-0:3.12.2-25.el6rhs.x86_64"
},
"product_reference": "glusterfs-rdma-0:3.12.2-25.el6rhs.x86_64",
"relates_to_product_reference": "6Server-RH-Gluster-3.4-Server"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "glusterfs-server-0:3.12.2-25.el6rhs.x86_64 as a component of Red Hat Gluster Storage Server 3.4 on RHEL-6",
"product_id": "6Server-RH-Gluster-3.4-Server:glusterfs-server-0:3.12.2-25.el6rhs.x86_64"
},
"product_reference": "glusterfs-server-0:3.12.2-25.el6rhs.x86_64",
"relates_to_product_reference": "6Server-RH-Gluster-3.4-Server"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python2-gluster-0:3.12.2-25.el6rhs.x86_64 as a component of Red Hat Gluster Storage Server 3.4 on RHEL-6",
"product_id": "6Server-RH-Gluster-3.4-Server:python2-gluster-0:3.12.2-25.el6rhs.x86_64"
},
"product_reference": "python2-gluster-0:3.12.2-25.el6rhs.x86_64",
"relates_to_product_reference": "6Server-RH-Gluster-3.4-Server"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "redhat-storage-server-0:3.4.1.0-1.el6rhs.noarch as a component of Red Hat Gluster Storage Server 3.4 on RHEL-6",
"product_id": "6Server-RH-Gluster-3.4-Server:redhat-storage-server-0:3.4.1.0-1.el6rhs.noarch"
},
"product_reference": "redhat-storage-server-0:3.4.1.0-1.el6rhs.noarch",
"relates_to_product_reference": "6Server-RH-Gluster-3.4-Server"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "redhat-storage-server-0:3.4.1.0-1.el6rhs.src as a component of Red Hat Gluster Storage Server 3.4 on RHEL-6",
"product_id": "6Server-RH-Gluster-3.4-Server:redhat-storage-server-0:3.4.1.0-1.el6rhs.src"
},
"product_reference": "redhat-storage-server-0:3.4.1.0-1.el6rhs.src",
"relates_to_product_reference": "6Server-RH-Gluster-3.4-Server"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "glusterfs-0:3.12.2-25.el6.src as a component of Red Hat Storage Native Client for Red Hat Enterprise Linux 6",
"product_id": "6Server-RHSClient:glusterfs-0:3.12.2-25.el6.src"
},
"product_reference": "glusterfs-0:3.12.2-25.el6.src",
"relates_to_product_reference": "6Server-RHSClient"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "glusterfs-0:3.12.2-25.el6.x86_64 as a component of Red Hat Storage Native Client for Red Hat Enterprise Linux 6",
"product_id": "6Server-RHSClient:glusterfs-0:3.12.2-25.el6.x86_64"
},
"product_reference": "glusterfs-0:3.12.2-25.el6.x86_64",
"relates_to_product_reference": "6Server-RHSClient"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "glusterfs-api-0:3.12.2-25.el6.x86_64 as a component of Red Hat Storage Native Client for Red Hat Enterprise Linux 6",
"product_id": "6Server-RHSClient:glusterfs-api-0:3.12.2-25.el6.x86_64"
},
"product_reference": "glusterfs-api-0:3.12.2-25.el6.x86_64",
"relates_to_product_reference": "6Server-RHSClient"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "glusterfs-api-devel-0:3.12.2-25.el6.x86_64 as a component of Red Hat Storage Native Client for Red Hat Enterprise Linux 6",
"product_id": "6Server-RHSClient:glusterfs-api-devel-0:3.12.2-25.el6.x86_64"
},
"product_reference": "glusterfs-api-devel-0:3.12.2-25.el6.x86_64",
"relates_to_product_reference": "6Server-RHSClient"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "glusterfs-cli-0:3.12.2-25.el6.x86_64 as a component of Red Hat Storage Native Client for Red Hat Enterprise Linux 6",
"product_id": "6Server-RHSClient:glusterfs-cli-0:3.12.2-25.el6.x86_64"
},
"product_reference": "glusterfs-cli-0:3.12.2-25.el6.x86_64",
"relates_to_product_reference": "6Server-RHSClient"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "glusterfs-client-xlators-0:3.12.2-25.el6.x86_64 as a component of Red Hat Storage Native Client for Red Hat Enterprise Linux 6",
"product_id": "6Server-RHSClient:glusterfs-client-xlators-0:3.12.2-25.el6.x86_64"
},
"product_reference": "glusterfs-client-xlators-0:3.12.2-25.el6.x86_64",
"relates_to_product_reference": "6Server-RHSClient"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "glusterfs-debuginfo-0:3.12.2-25.el6.x86_64 as a component of Red Hat Storage Native Client for Red Hat Enterprise Linux 6",
"product_id": "6Server-RHSClient:glusterfs-debuginfo-0:3.12.2-25.el6.x86_64"
},
"product_reference": "glusterfs-debuginfo-0:3.12.2-25.el6.x86_64",
"relates_to_product_reference": "6Server-RHSClient"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "glusterfs-devel-0:3.12.2-25.el6.x86_64 as a component of Red Hat Storage Native Client for Red Hat Enterprise Linux 6",
"product_id": "6Server-RHSClient:glusterfs-devel-0:3.12.2-25.el6.x86_64"
},
"product_reference": "glusterfs-devel-0:3.12.2-25.el6.x86_64",
"relates_to_product_reference": "6Server-RHSClient"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "glusterfs-fuse-0:3.12.2-25.el6.x86_64 as a component of Red Hat Storage Native Client for Red Hat Enterprise Linux 6",
"product_id": "6Server-RHSClient:glusterfs-fuse-0:3.12.2-25.el6.x86_64"
},
"product_reference": "glusterfs-fuse-0:3.12.2-25.el6.x86_64",
"relates_to_product_reference": "6Server-RHSClient"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "glusterfs-libs-0:3.12.2-25.el6.x86_64 as a component of Red Hat Storage Native Client for Red Hat Enterprise Linux 6",
"product_id": "6Server-RHSClient:glusterfs-libs-0:3.12.2-25.el6.x86_64"
},
"product_reference": "glusterfs-libs-0:3.12.2-25.el6.x86_64",
"relates_to_product_reference": "6Server-RHSClient"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "glusterfs-rdma-0:3.12.2-25.el6.x86_64 as a component of Red Hat Storage Native Client for Red Hat Enterprise Linux 6",
"product_id": "6Server-RHSClient:glusterfs-rdma-0:3.12.2-25.el6.x86_64"
},
"product_reference": "glusterfs-rdma-0:3.12.2-25.el6.x86_64",
"relates_to_product_reference": "6Server-RHSClient"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python2-gluster-0:3.12.2-25.el6.x86_64 as a component of Red Hat Storage Native Client for Red Hat Enterprise Linux 6",
"product_id": "6Server-RHSClient:python2-gluster-0:3.12.2-25.el6.x86_64"
},
"product_reference": "python2-gluster-0:3.12.2-25.el6.x86_64",
"relates_to_product_reference": "6Server-RHSClient"
}
]
},
"vulnerabilities": [
{
"acknowledgments": [
{
"names": [
"Michael Hanselmann"
],
"organization": "hansmi.ch"
}
],
"cve": "CVE-2018-14651",
"cwe": {
"id": "CWE-59",
"name": "Improper Link Resolution Before File Access (\u0027Link Following\u0027)"
},
"discovery_date": "2018-09-21T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1632557"
}
],
"notes": [
{
"category": "description",
"text": "It was found that the fix for CVE-2018-10927, CVE-2018-10928, CVE-2018-10929, CVE-2018-10930, and CVE-2018-10926 was incomplete. A remote, authenticated attacker could use one of these flaws to execute arbitrary code, create arbitrary files, or cause denial of service on glusterfs server nodes via symlinks to relative paths.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "glusterfs: glusterfs server exploitable via symlinks to relative paths",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This issue did not affect Red Hat Enterprise Linux 6 and 7 as the flaw is present in glusterfs-server, which is not shipped there.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"6Server-RH-Gluster-3.4-Server:glusterfs-0:3.12.2-25.el6rhs.src",
"6Server-RH-Gluster-3.4-Server:glusterfs-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:glusterfs-api-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:glusterfs-api-devel-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:glusterfs-cli-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:glusterfs-client-xlators-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:glusterfs-debuginfo-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:glusterfs-devel-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:glusterfs-events-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:glusterfs-fuse-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:glusterfs-ganesha-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:glusterfs-geo-replication-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:glusterfs-libs-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:glusterfs-rdma-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:glusterfs-server-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:python2-gluster-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:redhat-storage-server-0:3.4.1.0-1.el6rhs.noarch",
"6Server-RH-Gluster-3.4-Server:redhat-storage-server-0:3.4.1.0-1.el6rhs.src",
"6Server-RHSClient:glusterfs-0:3.12.2-25.el6.src",
"6Server-RHSClient:glusterfs-0:3.12.2-25.el6.x86_64",
"6Server-RHSClient:glusterfs-api-0:3.12.2-25.el6.x86_64",
"6Server-RHSClient:glusterfs-api-devel-0:3.12.2-25.el6.x86_64",
"6Server-RHSClient:glusterfs-cli-0:3.12.2-25.el6.x86_64",
"6Server-RHSClient:glusterfs-client-xlators-0:3.12.2-25.el6.x86_64",
"6Server-RHSClient:glusterfs-debuginfo-0:3.12.2-25.el6.x86_64",
"6Server-RHSClient:glusterfs-devel-0:3.12.2-25.el6.x86_64",
"6Server-RHSClient:glusterfs-fuse-0:3.12.2-25.el6.x86_64",
"6Server-RHSClient:glusterfs-libs-0:3.12.2-25.el6.x86_64",
"6Server-RHSClient:glusterfs-rdma-0:3.12.2-25.el6.x86_64",
"6Server-RHSClient:python2-gluster-0:3.12.2-25.el6.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2018-14651"
},
{
"category": "external",
"summary": "RHBZ#1632557",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1632557"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2018-14651",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-14651"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2018-14651",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-14651"
}
],
"release_date": "2018-10-31T08:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2018-10-31T08:43:14+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"6Server-RH-Gluster-3.4-Server:glusterfs-0:3.12.2-25.el6rhs.src",
"6Server-RH-Gluster-3.4-Server:glusterfs-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:glusterfs-api-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:glusterfs-api-devel-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:glusterfs-cli-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:glusterfs-client-xlators-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:glusterfs-debuginfo-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:glusterfs-devel-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:glusterfs-events-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:glusterfs-fuse-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:glusterfs-ganesha-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:glusterfs-geo-replication-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:glusterfs-libs-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:glusterfs-rdma-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:glusterfs-server-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:python2-gluster-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:redhat-storage-server-0:3.4.1.0-1.el6rhs.noarch",
"6Server-RH-Gluster-3.4-Server:redhat-storage-server-0:3.4.1.0-1.el6rhs.src",
"6Server-RHSClient:glusterfs-0:3.12.2-25.el6.src",
"6Server-RHSClient:glusterfs-0:3.12.2-25.el6.x86_64",
"6Server-RHSClient:glusterfs-api-0:3.12.2-25.el6.x86_64",
"6Server-RHSClient:glusterfs-api-devel-0:3.12.2-25.el6.x86_64",
"6Server-RHSClient:glusterfs-cli-0:3.12.2-25.el6.x86_64",
"6Server-RHSClient:glusterfs-client-xlators-0:3.12.2-25.el6.x86_64",
"6Server-RHSClient:glusterfs-debuginfo-0:3.12.2-25.el6.x86_64",
"6Server-RHSClient:glusterfs-devel-0:3.12.2-25.el6.x86_64",
"6Server-RHSClient:glusterfs-fuse-0:3.12.2-25.el6.x86_64",
"6Server-RHSClient:glusterfs-libs-0:3.12.2-25.el6.x86_64",
"6Server-RHSClient:glusterfs-rdma-0:3.12.2-25.el6.x86_64",
"6Server-RHSClient:python2-gluster-0:3.12.2-25.el6.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2018:3431"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"products": [
"6Server-RH-Gluster-3.4-Server:glusterfs-0:3.12.2-25.el6rhs.src",
"6Server-RH-Gluster-3.4-Server:glusterfs-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:glusterfs-api-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:glusterfs-api-devel-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:glusterfs-cli-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:glusterfs-client-xlators-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:glusterfs-debuginfo-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:glusterfs-devel-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:glusterfs-events-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:glusterfs-fuse-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:glusterfs-ganesha-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:glusterfs-geo-replication-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:glusterfs-libs-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:glusterfs-rdma-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:glusterfs-server-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:python2-gluster-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:redhat-storage-server-0:3.4.1.0-1.el6rhs.noarch",
"6Server-RH-Gluster-3.4-Server:redhat-storage-server-0:3.4.1.0-1.el6rhs.src",
"6Server-RHSClient:glusterfs-0:3.12.2-25.el6.src",
"6Server-RHSClient:glusterfs-0:3.12.2-25.el6.x86_64",
"6Server-RHSClient:glusterfs-api-0:3.12.2-25.el6.x86_64",
"6Server-RHSClient:glusterfs-api-devel-0:3.12.2-25.el6.x86_64",
"6Server-RHSClient:glusterfs-cli-0:3.12.2-25.el6.x86_64",
"6Server-RHSClient:glusterfs-client-xlators-0:3.12.2-25.el6.x86_64",
"6Server-RHSClient:glusterfs-debuginfo-0:3.12.2-25.el6.x86_64",
"6Server-RHSClient:glusterfs-devel-0:3.12.2-25.el6.x86_64",
"6Server-RHSClient:glusterfs-fuse-0:3.12.2-25.el6.x86_64",
"6Server-RHSClient:glusterfs-libs-0:3.12.2-25.el6.x86_64",
"6Server-RHSClient:glusterfs-rdma-0:3.12.2-25.el6.x86_64",
"6Server-RHSClient:python2-gluster-0:3.12.2-25.el6.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "glusterfs: glusterfs server exploitable via symlinks to relative paths"
},
{
"acknowledgments": [
{
"names": [
"Michael Hanselmann"
],
"organization": "hansmi.ch"
}
],
"cve": "CVE-2018-14652",
"cwe": {
"id": "CWE-120",
"name": "Buffer Copy without Checking Size of Input (\u0027Classic Buffer Overflow\u0027)"
},
"discovery_date": "2018-09-26T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1632974"
}
],
"notes": [
{
"category": "description",
"text": "A buffer overflow was found in strncpy of the pl_getxattr() function. An authenticated attacker could remotely overflow the buffer by sending a buffer of larger length than the size of the key resulting in remote denial of service.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "glusterfs: Buffer overflow in \"features/locks\" translator allows for denial of service",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This issue did not affect Red Hat Enterprise Linux 6 and 7 as the flaw is present in glusterfs-server, which is not shipped there.\n\nThis flaw affects glusterfs versions included in Red Hat Virtualization 4 Hypervisor. However, in recommended configurations, the vulnerability is only exposed to hypervisor administrators and can not be exploited from virtual machines or other hosts on the network.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"6Server-RH-Gluster-3.4-Server:glusterfs-0:3.12.2-25.el6rhs.src",
"6Server-RH-Gluster-3.4-Server:glusterfs-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:glusterfs-api-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:glusterfs-api-devel-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:glusterfs-cli-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:glusterfs-client-xlators-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:glusterfs-debuginfo-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:glusterfs-devel-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:glusterfs-events-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:glusterfs-fuse-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:glusterfs-ganesha-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:glusterfs-geo-replication-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:glusterfs-libs-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:glusterfs-rdma-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:glusterfs-server-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:python2-gluster-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:redhat-storage-server-0:3.4.1.0-1.el6rhs.noarch",
"6Server-RH-Gluster-3.4-Server:redhat-storage-server-0:3.4.1.0-1.el6rhs.src",
"6Server-RHSClient:glusterfs-0:3.12.2-25.el6.src",
"6Server-RHSClient:glusterfs-0:3.12.2-25.el6.x86_64",
"6Server-RHSClient:glusterfs-api-0:3.12.2-25.el6.x86_64",
"6Server-RHSClient:glusterfs-api-devel-0:3.12.2-25.el6.x86_64",
"6Server-RHSClient:glusterfs-cli-0:3.12.2-25.el6.x86_64",
"6Server-RHSClient:glusterfs-client-xlators-0:3.12.2-25.el6.x86_64",
"6Server-RHSClient:glusterfs-debuginfo-0:3.12.2-25.el6.x86_64",
"6Server-RHSClient:glusterfs-devel-0:3.12.2-25.el6.x86_64",
"6Server-RHSClient:glusterfs-fuse-0:3.12.2-25.el6.x86_64",
"6Server-RHSClient:glusterfs-libs-0:3.12.2-25.el6.x86_64",
"6Server-RHSClient:glusterfs-rdma-0:3.12.2-25.el6.x86_64",
"6Server-RHSClient:python2-gluster-0:3.12.2-25.el6.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2018-14652"
},
{
"category": "external",
"summary": "RHBZ#1632974",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1632974"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2018-14652",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-14652"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2018-14652",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-14652"
}
],
"release_date": "2018-10-31T08:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2018-10-31T08:43:14+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"6Server-RH-Gluster-3.4-Server:glusterfs-0:3.12.2-25.el6rhs.src",
"6Server-RH-Gluster-3.4-Server:glusterfs-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:glusterfs-api-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:glusterfs-api-devel-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:glusterfs-cli-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:glusterfs-client-xlators-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:glusterfs-debuginfo-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:glusterfs-devel-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:glusterfs-events-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:glusterfs-fuse-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:glusterfs-ganesha-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:glusterfs-geo-replication-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:glusterfs-libs-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:glusterfs-rdma-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:glusterfs-server-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:python2-gluster-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:redhat-storage-server-0:3.4.1.0-1.el6rhs.noarch",
"6Server-RH-Gluster-3.4-Server:redhat-storage-server-0:3.4.1.0-1.el6rhs.src",
"6Server-RHSClient:glusterfs-0:3.12.2-25.el6.src",
"6Server-RHSClient:glusterfs-0:3.12.2-25.el6.x86_64",
"6Server-RHSClient:glusterfs-api-0:3.12.2-25.el6.x86_64",
"6Server-RHSClient:glusterfs-api-devel-0:3.12.2-25.el6.x86_64",
"6Server-RHSClient:glusterfs-cli-0:3.12.2-25.el6.x86_64",
"6Server-RHSClient:glusterfs-client-xlators-0:3.12.2-25.el6.x86_64",
"6Server-RHSClient:glusterfs-debuginfo-0:3.12.2-25.el6.x86_64",
"6Server-RHSClient:glusterfs-devel-0:3.12.2-25.el6.x86_64",
"6Server-RHSClient:glusterfs-fuse-0:3.12.2-25.el6.x86_64",
"6Server-RHSClient:glusterfs-libs-0:3.12.2-25.el6.x86_64",
"6Server-RHSClient:glusterfs-rdma-0:3.12.2-25.el6.x86_64",
"6Server-RHSClient:python2-gluster-0:3.12.2-25.el6.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2018:3431"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.0"
},
"products": [
"6Server-RH-Gluster-3.4-Server:glusterfs-0:3.12.2-25.el6rhs.src",
"6Server-RH-Gluster-3.4-Server:glusterfs-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:glusterfs-api-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:glusterfs-api-devel-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:glusterfs-cli-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:glusterfs-client-xlators-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:glusterfs-debuginfo-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:glusterfs-devel-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:glusterfs-events-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:glusterfs-fuse-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:glusterfs-ganesha-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:glusterfs-geo-replication-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:glusterfs-libs-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:glusterfs-rdma-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:glusterfs-server-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:python2-gluster-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:redhat-storage-server-0:3.4.1.0-1.el6rhs.noarch",
"6Server-RH-Gluster-3.4-Server:redhat-storage-server-0:3.4.1.0-1.el6rhs.src",
"6Server-RHSClient:glusterfs-0:3.12.2-25.el6.src",
"6Server-RHSClient:glusterfs-0:3.12.2-25.el6.x86_64",
"6Server-RHSClient:glusterfs-api-0:3.12.2-25.el6.x86_64",
"6Server-RHSClient:glusterfs-api-devel-0:3.12.2-25.el6.x86_64",
"6Server-RHSClient:glusterfs-cli-0:3.12.2-25.el6.x86_64",
"6Server-RHSClient:glusterfs-client-xlators-0:3.12.2-25.el6.x86_64",
"6Server-RHSClient:glusterfs-debuginfo-0:3.12.2-25.el6.x86_64",
"6Server-RHSClient:glusterfs-devel-0:3.12.2-25.el6.x86_64",
"6Server-RHSClient:glusterfs-fuse-0:3.12.2-25.el6.x86_64",
"6Server-RHSClient:glusterfs-libs-0:3.12.2-25.el6.x86_64",
"6Server-RHSClient:glusterfs-rdma-0:3.12.2-25.el6.x86_64",
"6Server-RHSClient:python2-gluster-0:3.12.2-25.el6.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "glusterfs: Buffer overflow in \"features/locks\" translator allows for denial of service"
},
{
"acknowledgments": [
{
"names": [
"Michael Hanselmann"
],
"organization": "hansmi.ch"
}
],
"cve": "CVE-2018-14653",
"cwe": {
"id": "CWE-122",
"name": "Heap-based Buffer Overflow"
},
"discovery_date": "2018-09-27T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1633431"
}
],
"notes": [
{
"category": "description",
"text": "A buffer overflow on the heap was found in gf_getspec_req RPC request. A remote, authenticated attacker could use this flaw to cause denial of service and read arbitrary files on glusterfs server node.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "glusterfs: Heap-based buffer overflow via \"gf_getspec_req\" RPC message",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This issue did not affect Red Hat Enterprise Linux 6 and 7 as the flaw is present in glusterfs-server, which is not shipped there.\n\nThis flaw affects glusterfs versions included in Red Hat Virtualization 4 Hypervisor. However, in recommended configurations, the vulnerability is only exposed to hypervisor administrators and can not be exploited from virtual machines or other hosts on the network.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"6Server-RH-Gluster-3.4-Server:glusterfs-0:3.12.2-25.el6rhs.src",
"6Server-RH-Gluster-3.4-Server:glusterfs-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:glusterfs-api-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:glusterfs-api-devel-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:glusterfs-cli-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:glusterfs-client-xlators-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:glusterfs-debuginfo-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:glusterfs-devel-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:glusterfs-events-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:glusterfs-fuse-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:glusterfs-ganesha-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:glusterfs-geo-replication-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:glusterfs-libs-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:glusterfs-rdma-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:glusterfs-server-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:python2-gluster-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:redhat-storage-server-0:3.4.1.0-1.el6rhs.noarch",
"6Server-RH-Gluster-3.4-Server:redhat-storage-server-0:3.4.1.0-1.el6rhs.src",
"6Server-RHSClient:glusterfs-0:3.12.2-25.el6.src",
"6Server-RHSClient:glusterfs-0:3.12.2-25.el6.x86_64",
"6Server-RHSClient:glusterfs-api-0:3.12.2-25.el6.x86_64",
"6Server-RHSClient:glusterfs-api-devel-0:3.12.2-25.el6.x86_64",
"6Server-RHSClient:glusterfs-cli-0:3.12.2-25.el6.x86_64",
"6Server-RHSClient:glusterfs-client-xlators-0:3.12.2-25.el6.x86_64",
"6Server-RHSClient:glusterfs-debuginfo-0:3.12.2-25.el6.x86_64",
"6Server-RHSClient:glusterfs-devel-0:3.12.2-25.el6.x86_64",
"6Server-RHSClient:glusterfs-fuse-0:3.12.2-25.el6.x86_64",
"6Server-RHSClient:glusterfs-libs-0:3.12.2-25.el6.x86_64",
"6Server-RHSClient:glusterfs-rdma-0:3.12.2-25.el6.x86_64",
"6Server-RHSClient:python2-gluster-0:3.12.2-25.el6.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2018-14653"
},
{
"category": "external",
"summary": "RHBZ#1633431",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1633431"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2018-14653",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-14653"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2018-14653",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-14653"
}
],
"release_date": "2018-10-31T08:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2018-10-31T08:43:14+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"6Server-RH-Gluster-3.4-Server:glusterfs-0:3.12.2-25.el6rhs.src",
"6Server-RH-Gluster-3.4-Server:glusterfs-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:glusterfs-api-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:glusterfs-api-devel-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:glusterfs-cli-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:glusterfs-client-xlators-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:glusterfs-debuginfo-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:glusterfs-devel-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:glusterfs-events-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:glusterfs-fuse-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:glusterfs-ganesha-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:glusterfs-geo-replication-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:glusterfs-libs-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:glusterfs-rdma-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:glusterfs-server-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:python2-gluster-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:redhat-storage-server-0:3.4.1.0-1.el6rhs.noarch",
"6Server-RH-Gluster-3.4-Server:redhat-storage-server-0:3.4.1.0-1.el6rhs.src",
"6Server-RHSClient:glusterfs-0:3.12.2-25.el6.src",
"6Server-RHSClient:glusterfs-0:3.12.2-25.el6.x86_64",
"6Server-RHSClient:glusterfs-api-0:3.12.2-25.el6.x86_64",
"6Server-RHSClient:glusterfs-api-devel-0:3.12.2-25.el6.x86_64",
"6Server-RHSClient:glusterfs-cli-0:3.12.2-25.el6.x86_64",
"6Server-RHSClient:glusterfs-client-xlators-0:3.12.2-25.el6.x86_64",
"6Server-RHSClient:glusterfs-debuginfo-0:3.12.2-25.el6.x86_64",
"6Server-RHSClient:glusterfs-devel-0:3.12.2-25.el6.x86_64",
"6Server-RHSClient:glusterfs-fuse-0:3.12.2-25.el6.x86_64",
"6Server-RHSClient:glusterfs-libs-0:3.12.2-25.el6.x86_64",
"6Server-RHSClient:glusterfs-rdma-0:3.12.2-25.el6.x86_64",
"6Server-RHSClient:python2-gluster-0:3.12.2-25.el6.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2018:3431"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.0"
},
"products": [
"6Server-RH-Gluster-3.4-Server:glusterfs-0:3.12.2-25.el6rhs.src",
"6Server-RH-Gluster-3.4-Server:glusterfs-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:glusterfs-api-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:glusterfs-api-devel-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:glusterfs-cli-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:glusterfs-client-xlators-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:glusterfs-debuginfo-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:glusterfs-devel-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:glusterfs-events-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:glusterfs-fuse-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:glusterfs-ganesha-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:glusterfs-geo-replication-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:glusterfs-libs-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:glusterfs-rdma-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:glusterfs-server-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:python2-gluster-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:redhat-storage-server-0:3.4.1.0-1.el6rhs.noarch",
"6Server-RH-Gluster-3.4-Server:redhat-storage-server-0:3.4.1.0-1.el6rhs.src",
"6Server-RHSClient:glusterfs-0:3.12.2-25.el6.src",
"6Server-RHSClient:glusterfs-0:3.12.2-25.el6.x86_64",
"6Server-RHSClient:glusterfs-api-0:3.12.2-25.el6.x86_64",
"6Server-RHSClient:glusterfs-api-devel-0:3.12.2-25.el6.x86_64",
"6Server-RHSClient:glusterfs-cli-0:3.12.2-25.el6.x86_64",
"6Server-RHSClient:glusterfs-client-xlators-0:3.12.2-25.el6.x86_64",
"6Server-RHSClient:glusterfs-debuginfo-0:3.12.2-25.el6.x86_64",
"6Server-RHSClient:glusterfs-devel-0:3.12.2-25.el6.x86_64",
"6Server-RHSClient:glusterfs-fuse-0:3.12.2-25.el6.x86_64",
"6Server-RHSClient:glusterfs-libs-0:3.12.2-25.el6.x86_64",
"6Server-RHSClient:glusterfs-rdma-0:3.12.2-25.el6.x86_64",
"6Server-RHSClient:python2-gluster-0:3.12.2-25.el6.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "glusterfs: Heap-based buffer overflow via \"gf_getspec_req\" RPC message"
},
{
"acknowledgments": [
{
"names": [
"Michael Hanselmann"
],
"organization": "hansmi.ch"
}
],
"cve": "CVE-2018-14654",
"cwe": {
"id": "CWE-22",
"name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
},
"discovery_date": "2018-09-21T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1631576"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the way glusterfs server handles client requests. A remote, authenticated attacker could set arbitrary values for the GF_XATTROP_ENTRY_IN_KEY and GF_XATTROP_ENTRY_OUT_KEY during xattrop file operation resulting in creation and deletion of arbitrary files on glusterfs server node.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "glusterfs: \"features/index\" translator can create arbitrary, empty files",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This issue did not affect Red Hat Enterprise Linux 6 and 7 as the flaw is present in glusterfs-server, which is not shipped there.\n\nThis flaw affects glusterfs versions included in Red Hat Virtualization 4 Hypervisor. However, in recommended configurations, the vulnerability is only exposed to hypervisor administrators and can not be exploited from virtual machines or other hosts on the network.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"6Server-RH-Gluster-3.4-Server:glusterfs-0:3.12.2-25.el6rhs.src",
"6Server-RH-Gluster-3.4-Server:glusterfs-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:glusterfs-api-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:glusterfs-api-devel-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:glusterfs-cli-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:glusterfs-client-xlators-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:glusterfs-debuginfo-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:glusterfs-devel-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:glusterfs-events-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:glusterfs-fuse-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:glusterfs-ganesha-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:glusterfs-geo-replication-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:glusterfs-libs-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:glusterfs-rdma-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:glusterfs-server-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:python2-gluster-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:redhat-storage-server-0:3.4.1.0-1.el6rhs.noarch",
"6Server-RH-Gluster-3.4-Server:redhat-storage-server-0:3.4.1.0-1.el6rhs.src",
"6Server-RHSClient:glusterfs-0:3.12.2-25.el6.src",
"6Server-RHSClient:glusterfs-0:3.12.2-25.el6.x86_64",
"6Server-RHSClient:glusterfs-api-0:3.12.2-25.el6.x86_64",
"6Server-RHSClient:glusterfs-api-devel-0:3.12.2-25.el6.x86_64",
"6Server-RHSClient:glusterfs-cli-0:3.12.2-25.el6.x86_64",
"6Server-RHSClient:glusterfs-client-xlators-0:3.12.2-25.el6.x86_64",
"6Server-RHSClient:glusterfs-debuginfo-0:3.12.2-25.el6.x86_64",
"6Server-RHSClient:glusterfs-devel-0:3.12.2-25.el6.x86_64",
"6Server-RHSClient:glusterfs-fuse-0:3.12.2-25.el6.x86_64",
"6Server-RHSClient:glusterfs-libs-0:3.12.2-25.el6.x86_64",
"6Server-RHSClient:glusterfs-rdma-0:3.12.2-25.el6.x86_64",
"6Server-RHSClient:python2-gluster-0:3.12.2-25.el6.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2018-14654"
},
{
"category": "external",
"summary": "RHBZ#1631576",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1631576"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2018-14654",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-14654"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2018-14654",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-14654"
}
],
"release_date": "2018-10-31T08:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2018-10-31T08:43:14+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"6Server-RH-Gluster-3.4-Server:glusterfs-0:3.12.2-25.el6rhs.src",
"6Server-RH-Gluster-3.4-Server:glusterfs-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:glusterfs-api-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:glusterfs-api-devel-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:glusterfs-cli-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:glusterfs-client-xlators-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:glusterfs-debuginfo-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:glusterfs-devel-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:glusterfs-events-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:glusterfs-fuse-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:glusterfs-ganesha-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:glusterfs-geo-replication-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:glusterfs-libs-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:glusterfs-rdma-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:glusterfs-server-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:python2-gluster-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:redhat-storage-server-0:3.4.1.0-1.el6rhs.noarch",
"6Server-RH-Gluster-3.4-Server:redhat-storage-server-0:3.4.1.0-1.el6rhs.src",
"6Server-RHSClient:glusterfs-0:3.12.2-25.el6.src",
"6Server-RHSClient:glusterfs-0:3.12.2-25.el6.x86_64",
"6Server-RHSClient:glusterfs-api-0:3.12.2-25.el6.x86_64",
"6Server-RHSClient:glusterfs-api-devel-0:3.12.2-25.el6.x86_64",
"6Server-RHSClient:glusterfs-cli-0:3.12.2-25.el6.x86_64",
"6Server-RHSClient:glusterfs-client-xlators-0:3.12.2-25.el6.x86_64",
"6Server-RHSClient:glusterfs-debuginfo-0:3.12.2-25.el6.x86_64",
"6Server-RHSClient:glusterfs-devel-0:3.12.2-25.el6.x86_64",
"6Server-RHSClient:glusterfs-fuse-0:3.12.2-25.el6.x86_64",
"6Server-RHSClient:glusterfs-libs-0:3.12.2-25.el6.x86_64",
"6Server-RHSClient:glusterfs-rdma-0:3.12.2-25.el6.x86_64",
"6Server-RHSClient:python2-gluster-0:3.12.2-25.el6.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2018:3431"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L",
"version": "3.0"
},
"products": [
"6Server-RH-Gluster-3.4-Server:glusterfs-0:3.12.2-25.el6rhs.src",
"6Server-RH-Gluster-3.4-Server:glusterfs-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:glusterfs-api-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:glusterfs-api-devel-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:glusterfs-cli-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:glusterfs-client-xlators-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:glusterfs-debuginfo-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:glusterfs-devel-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:glusterfs-events-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:glusterfs-fuse-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:glusterfs-ganesha-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:glusterfs-geo-replication-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:glusterfs-libs-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:glusterfs-rdma-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:glusterfs-server-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:python2-gluster-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:redhat-storage-server-0:3.4.1.0-1.el6rhs.noarch",
"6Server-RH-Gluster-3.4-Server:redhat-storage-server-0:3.4.1.0-1.el6rhs.src",
"6Server-RHSClient:glusterfs-0:3.12.2-25.el6.src",
"6Server-RHSClient:glusterfs-0:3.12.2-25.el6.x86_64",
"6Server-RHSClient:glusterfs-api-0:3.12.2-25.el6.x86_64",
"6Server-RHSClient:glusterfs-api-devel-0:3.12.2-25.el6.x86_64",
"6Server-RHSClient:glusterfs-cli-0:3.12.2-25.el6.x86_64",
"6Server-RHSClient:glusterfs-client-xlators-0:3.12.2-25.el6.x86_64",
"6Server-RHSClient:glusterfs-debuginfo-0:3.12.2-25.el6.x86_64",
"6Server-RHSClient:glusterfs-devel-0:3.12.2-25.el6.x86_64",
"6Server-RHSClient:glusterfs-fuse-0:3.12.2-25.el6.x86_64",
"6Server-RHSClient:glusterfs-libs-0:3.12.2-25.el6.x86_64",
"6Server-RHSClient:glusterfs-rdma-0:3.12.2-25.el6.x86_64",
"6Server-RHSClient:python2-gluster-0:3.12.2-25.el6.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "glusterfs: \"features/index\" translator can create arbitrary, empty files"
},
{
"acknowledgments": [
{
"names": [
"Michael Hanselmann"
],
"organization": "hansmi.ch"
}
],
"cve": "CVE-2018-14659",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"discovery_date": "2018-10-04T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1635929"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in glusterfs server which allowed clients to create io-stats dumps on server node. A remote, authenticated attacker could use this flaw to create io-stats dump on a server without any limitation and utilizing all available inodes resulting in remote denial of service.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "glusterfs: Unlimited file creation via \"GF_XATTR_IOSTATS_DUMP_KEY\" xattr allows for denial of service",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This issue did not affect Red Hat Enterprise Linux 6 and 7 as the flaw is present in glusterfs-server, which is not shipped there.\n\nThis flaw affects glusterfs versions included in Red Hat Virtualization 4 Hypervisor. However, in recommended configurations, the vulnerability is only exposed to hypervisor administrators and can not be exploited from virtual machines or other hosts on the network.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"6Server-RH-Gluster-3.4-Server:glusterfs-0:3.12.2-25.el6rhs.src",
"6Server-RH-Gluster-3.4-Server:glusterfs-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:glusterfs-api-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:glusterfs-api-devel-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:glusterfs-cli-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:glusterfs-client-xlators-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:glusterfs-debuginfo-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:glusterfs-devel-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:glusterfs-events-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:glusterfs-fuse-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:glusterfs-ganesha-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:glusterfs-geo-replication-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:glusterfs-libs-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:glusterfs-rdma-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:glusterfs-server-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:python2-gluster-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:redhat-storage-server-0:3.4.1.0-1.el6rhs.noarch",
"6Server-RH-Gluster-3.4-Server:redhat-storage-server-0:3.4.1.0-1.el6rhs.src",
"6Server-RHSClient:glusterfs-0:3.12.2-25.el6.src",
"6Server-RHSClient:glusterfs-0:3.12.2-25.el6.x86_64",
"6Server-RHSClient:glusterfs-api-0:3.12.2-25.el6.x86_64",
"6Server-RHSClient:glusterfs-api-devel-0:3.12.2-25.el6.x86_64",
"6Server-RHSClient:glusterfs-cli-0:3.12.2-25.el6.x86_64",
"6Server-RHSClient:glusterfs-client-xlators-0:3.12.2-25.el6.x86_64",
"6Server-RHSClient:glusterfs-debuginfo-0:3.12.2-25.el6.x86_64",
"6Server-RHSClient:glusterfs-devel-0:3.12.2-25.el6.x86_64",
"6Server-RHSClient:glusterfs-fuse-0:3.12.2-25.el6.x86_64",
"6Server-RHSClient:glusterfs-libs-0:3.12.2-25.el6.x86_64",
"6Server-RHSClient:glusterfs-rdma-0:3.12.2-25.el6.x86_64",
"6Server-RHSClient:python2-gluster-0:3.12.2-25.el6.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2018-14659"
},
{
"category": "external",
"summary": "RHBZ#1635929",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1635929"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2018-14659",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-14659"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2018-14659",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-14659"
}
],
"release_date": "2018-10-31T08:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2018-10-31T08:43:14+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"6Server-RH-Gluster-3.4-Server:glusterfs-0:3.12.2-25.el6rhs.src",
"6Server-RH-Gluster-3.4-Server:glusterfs-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:glusterfs-api-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:glusterfs-api-devel-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:glusterfs-cli-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:glusterfs-client-xlators-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:glusterfs-debuginfo-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:glusterfs-devel-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:glusterfs-events-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:glusterfs-fuse-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:glusterfs-ganesha-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:glusterfs-geo-replication-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:glusterfs-libs-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:glusterfs-rdma-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:glusterfs-server-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:python2-gluster-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:redhat-storage-server-0:3.4.1.0-1.el6rhs.noarch",
"6Server-RH-Gluster-3.4-Server:redhat-storage-server-0:3.4.1.0-1.el6rhs.src",
"6Server-RHSClient:glusterfs-0:3.12.2-25.el6.src",
"6Server-RHSClient:glusterfs-0:3.12.2-25.el6.x86_64",
"6Server-RHSClient:glusterfs-api-0:3.12.2-25.el6.x86_64",
"6Server-RHSClient:glusterfs-api-devel-0:3.12.2-25.el6.x86_64",
"6Server-RHSClient:glusterfs-cli-0:3.12.2-25.el6.x86_64",
"6Server-RHSClient:glusterfs-client-xlators-0:3.12.2-25.el6.x86_64",
"6Server-RHSClient:glusterfs-debuginfo-0:3.12.2-25.el6.x86_64",
"6Server-RHSClient:glusterfs-devel-0:3.12.2-25.el6.x86_64",
"6Server-RHSClient:glusterfs-fuse-0:3.12.2-25.el6.x86_64",
"6Server-RHSClient:glusterfs-libs-0:3.12.2-25.el6.x86_64",
"6Server-RHSClient:glusterfs-rdma-0:3.12.2-25.el6.x86_64",
"6Server-RHSClient:python2-gluster-0:3.12.2-25.el6.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2018:3431"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.0"
},
"products": [
"6Server-RH-Gluster-3.4-Server:glusterfs-0:3.12.2-25.el6rhs.src",
"6Server-RH-Gluster-3.4-Server:glusterfs-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:glusterfs-api-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:glusterfs-api-devel-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:glusterfs-cli-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:glusterfs-client-xlators-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:glusterfs-debuginfo-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:glusterfs-devel-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:glusterfs-events-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:glusterfs-fuse-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:glusterfs-ganesha-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:glusterfs-geo-replication-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:glusterfs-libs-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:glusterfs-rdma-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:glusterfs-server-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:python2-gluster-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:redhat-storage-server-0:3.4.1.0-1.el6rhs.noarch",
"6Server-RH-Gluster-3.4-Server:redhat-storage-server-0:3.4.1.0-1.el6rhs.src",
"6Server-RHSClient:glusterfs-0:3.12.2-25.el6.src",
"6Server-RHSClient:glusterfs-0:3.12.2-25.el6.x86_64",
"6Server-RHSClient:glusterfs-api-0:3.12.2-25.el6.x86_64",
"6Server-RHSClient:glusterfs-api-devel-0:3.12.2-25.el6.x86_64",
"6Server-RHSClient:glusterfs-cli-0:3.12.2-25.el6.x86_64",
"6Server-RHSClient:glusterfs-client-xlators-0:3.12.2-25.el6.x86_64",
"6Server-RHSClient:glusterfs-debuginfo-0:3.12.2-25.el6.x86_64",
"6Server-RHSClient:glusterfs-devel-0:3.12.2-25.el6.x86_64",
"6Server-RHSClient:glusterfs-fuse-0:3.12.2-25.el6.x86_64",
"6Server-RHSClient:glusterfs-libs-0:3.12.2-25.el6.x86_64",
"6Server-RHSClient:glusterfs-rdma-0:3.12.2-25.el6.x86_64",
"6Server-RHSClient:python2-gluster-0:3.12.2-25.el6.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "glusterfs: Unlimited file creation via \"GF_XATTR_IOSTATS_DUMP_KEY\" xattr allows for denial of service"
},
{
"acknowledgments": [
{
"names": [
"Michael Hanselmann"
],
"organization": "hansmi.ch"
}
],
"cve": "CVE-2018-14660",
"cwe": {
"id": "CWE-770",
"name": "Allocation of Resources Without Limits or Throttling"
},
"discovery_date": "2018-10-04T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1635926"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in glusterfs server which allowed repeated usage of GF_META_LOCK_KEY xattr. A remote, authenticated attacker could use this flaw to create multiple locks for single inode by using setxattr repetitively resulting in memory exhaustion of glusterfs server node.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "glusterfs: Repeat use of \"GF_META_LOCK_KEY\" xattr allows for memory exhaustion",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This issue did not affect Red Hat Enterprise Linux 6 and 7 as the flaw is present in glusterfs-server, which is not shipped there.\n\nThis flaw affects glusterfs versions included in Red Hat Virtualization 4 Hypervisor. However, in recommended configurations, the vulnerability is only exposed to hypervisor administrators and can not be exploited from virtual machines or other hosts on the network.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"6Server-RH-Gluster-3.4-Server:glusterfs-0:3.12.2-25.el6rhs.src",
"6Server-RH-Gluster-3.4-Server:glusterfs-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:glusterfs-api-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:glusterfs-api-devel-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:glusterfs-cli-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:glusterfs-client-xlators-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:glusterfs-debuginfo-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:glusterfs-devel-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:glusterfs-events-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:glusterfs-fuse-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:glusterfs-ganesha-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:glusterfs-geo-replication-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:glusterfs-libs-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:glusterfs-rdma-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:glusterfs-server-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:python2-gluster-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:redhat-storage-server-0:3.4.1.0-1.el6rhs.noarch",
"6Server-RH-Gluster-3.4-Server:redhat-storage-server-0:3.4.1.0-1.el6rhs.src",
"6Server-RHSClient:glusterfs-0:3.12.2-25.el6.src",
"6Server-RHSClient:glusterfs-0:3.12.2-25.el6.x86_64",
"6Server-RHSClient:glusterfs-api-0:3.12.2-25.el6.x86_64",
"6Server-RHSClient:glusterfs-api-devel-0:3.12.2-25.el6.x86_64",
"6Server-RHSClient:glusterfs-cli-0:3.12.2-25.el6.x86_64",
"6Server-RHSClient:glusterfs-client-xlators-0:3.12.2-25.el6.x86_64",
"6Server-RHSClient:glusterfs-debuginfo-0:3.12.2-25.el6.x86_64",
"6Server-RHSClient:glusterfs-devel-0:3.12.2-25.el6.x86_64",
"6Server-RHSClient:glusterfs-fuse-0:3.12.2-25.el6.x86_64",
"6Server-RHSClient:glusterfs-libs-0:3.12.2-25.el6.x86_64",
"6Server-RHSClient:glusterfs-rdma-0:3.12.2-25.el6.x86_64",
"6Server-RHSClient:python2-gluster-0:3.12.2-25.el6.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2018-14660"
},
{
"category": "external",
"summary": "RHBZ#1635926",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1635926"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2018-14660",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-14660"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2018-14660",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-14660"
}
],
"release_date": "2018-10-31T08:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2018-10-31T08:43:14+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"6Server-RH-Gluster-3.4-Server:glusterfs-0:3.12.2-25.el6rhs.src",
"6Server-RH-Gluster-3.4-Server:glusterfs-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:glusterfs-api-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:glusterfs-api-devel-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:glusterfs-cli-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:glusterfs-client-xlators-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:glusterfs-debuginfo-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:glusterfs-devel-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:glusterfs-events-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:glusterfs-fuse-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:glusterfs-ganesha-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:glusterfs-geo-replication-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:glusterfs-libs-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:glusterfs-rdma-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:glusterfs-server-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:python2-gluster-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:redhat-storage-server-0:3.4.1.0-1.el6rhs.noarch",
"6Server-RH-Gluster-3.4-Server:redhat-storage-server-0:3.4.1.0-1.el6rhs.src",
"6Server-RHSClient:glusterfs-0:3.12.2-25.el6.src",
"6Server-RHSClient:glusterfs-0:3.12.2-25.el6.x86_64",
"6Server-RHSClient:glusterfs-api-0:3.12.2-25.el6.x86_64",
"6Server-RHSClient:glusterfs-api-devel-0:3.12.2-25.el6.x86_64",
"6Server-RHSClient:glusterfs-cli-0:3.12.2-25.el6.x86_64",
"6Server-RHSClient:glusterfs-client-xlators-0:3.12.2-25.el6.x86_64",
"6Server-RHSClient:glusterfs-debuginfo-0:3.12.2-25.el6.x86_64",
"6Server-RHSClient:glusterfs-devel-0:3.12.2-25.el6.x86_64",
"6Server-RHSClient:glusterfs-fuse-0:3.12.2-25.el6.x86_64",
"6Server-RHSClient:glusterfs-libs-0:3.12.2-25.el6.x86_64",
"6Server-RHSClient:glusterfs-rdma-0:3.12.2-25.el6.x86_64",
"6Server-RHSClient:python2-gluster-0:3.12.2-25.el6.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2018:3431"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.0"
},
"products": [
"6Server-RH-Gluster-3.4-Server:glusterfs-0:3.12.2-25.el6rhs.src",
"6Server-RH-Gluster-3.4-Server:glusterfs-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:glusterfs-api-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:glusterfs-api-devel-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:glusterfs-cli-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:glusterfs-client-xlators-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:glusterfs-debuginfo-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:glusterfs-devel-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:glusterfs-events-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:glusterfs-fuse-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:glusterfs-ganesha-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:glusterfs-geo-replication-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:glusterfs-libs-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:glusterfs-rdma-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:glusterfs-server-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:python2-gluster-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:redhat-storage-server-0:3.4.1.0-1.el6rhs.noarch",
"6Server-RH-Gluster-3.4-Server:redhat-storage-server-0:3.4.1.0-1.el6rhs.src",
"6Server-RHSClient:glusterfs-0:3.12.2-25.el6.src",
"6Server-RHSClient:glusterfs-0:3.12.2-25.el6.x86_64",
"6Server-RHSClient:glusterfs-api-0:3.12.2-25.el6.x86_64",
"6Server-RHSClient:glusterfs-api-devel-0:3.12.2-25.el6.x86_64",
"6Server-RHSClient:glusterfs-cli-0:3.12.2-25.el6.x86_64",
"6Server-RHSClient:glusterfs-client-xlators-0:3.12.2-25.el6.x86_64",
"6Server-RHSClient:glusterfs-debuginfo-0:3.12.2-25.el6.x86_64",
"6Server-RHSClient:glusterfs-devel-0:3.12.2-25.el6.x86_64",
"6Server-RHSClient:glusterfs-fuse-0:3.12.2-25.el6.x86_64",
"6Server-RHSClient:glusterfs-libs-0:3.12.2-25.el6.x86_64",
"6Server-RHSClient:glusterfs-rdma-0:3.12.2-25.el6.x86_64",
"6Server-RHSClient:python2-gluster-0:3.12.2-25.el6.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "glusterfs: Repeat use of \"GF_META_LOCK_KEY\" xattr allows for memory exhaustion"
},
{
"acknowledgments": [
{
"names": [
"Michael Hanselmann"
],
"organization": "hansmi.ch"
}
],
"cve": "CVE-2018-14661",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"discovery_date": "2018-10-06T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1636880"
}
],
"notes": [
{
"category": "description",
"text": "It was found that usage of snprintf function in feature/locks translator of glusterfs server was vulnerable to a format string attack. A remote, authenticated attacker could use this flaw to cause remote denial of service.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "glusterfs: features/locks translator passes an user-controlled string to snprintf without a proper format string resulting in a denial of service",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This issue did not affect Red Hat Enterprise Linux 6 and 7 as the flaw is present in glusterfs-server, which is not shipped there.\n\nThis flaw affects glusterfs versions included in Red Hat Virtualization 4 Hypervisor. However, in recommended configurations, the vulnerability is only exposed to hypervisor administrators and can not be exploited from virtual machines or other hosts on the network.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"6Server-RH-Gluster-3.4-Server:glusterfs-0:3.12.2-25.el6rhs.src",
"6Server-RH-Gluster-3.4-Server:glusterfs-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:glusterfs-api-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:glusterfs-api-devel-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:glusterfs-cli-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:glusterfs-client-xlators-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:glusterfs-debuginfo-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:glusterfs-devel-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:glusterfs-events-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:glusterfs-fuse-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:glusterfs-ganesha-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:glusterfs-geo-replication-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:glusterfs-libs-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:glusterfs-rdma-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:glusterfs-server-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:python2-gluster-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:redhat-storage-server-0:3.4.1.0-1.el6rhs.noarch",
"6Server-RH-Gluster-3.4-Server:redhat-storage-server-0:3.4.1.0-1.el6rhs.src",
"6Server-RHSClient:glusterfs-0:3.12.2-25.el6.src",
"6Server-RHSClient:glusterfs-0:3.12.2-25.el6.x86_64",
"6Server-RHSClient:glusterfs-api-0:3.12.2-25.el6.x86_64",
"6Server-RHSClient:glusterfs-api-devel-0:3.12.2-25.el6.x86_64",
"6Server-RHSClient:glusterfs-cli-0:3.12.2-25.el6.x86_64",
"6Server-RHSClient:glusterfs-client-xlators-0:3.12.2-25.el6.x86_64",
"6Server-RHSClient:glusterfs-debuginfo-0:3.12.2-25.el6.x86_64",
"6Server-RHSClient:glusterfs-devel-0:3.12.2-25.el6.x86_64",
"6Server-RHSClient:glusterfs-fuse-0:3.12.2-25.el6.x86_64",
"6Server-RHSClient:glusterfs-libs-0:3.12.2-25.el6.x86_64",
"6Server-RHSClient:glusterfs-rdma-0:3.12.2-25.el6.x86_64",
"6Server-RHSClient:python2-gluster-0:3.12.2-25.el6.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2018-14661"
},
{
"category": "external",
"summary": "RHBZ#1636880",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1636880"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2018-14661",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-14661"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2018-14661",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-14661"
}
],
"release_date": "2018-10-31T08:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2018-10-31T08:43:14+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"6Server-RH-Gluster-3.4-Server:glusterfs-0:3.12.2-25.el6rhs.src",
"6Server-RH-Gluster-3.4-Server:glusterfs-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:glusterfs-api-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:glusterfs-api-devel-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:glusterfs-cli-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:glusterfs-client-xlators-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:glusterfs-debuginfo-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:glusterfs-devel-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:glusterfs-events-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:glusterfs-fuse-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:glusterfs-ganesha-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:glusterfs-geo-replication-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:glusterfs-libs-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:glusterfs-rdma-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:glusterfs-server-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:python2-gluster-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:redhat-storage-server-0:3.4.1.0-1.el6rhs.noarch",
"6Server-RH-Gluster-3.4-Server:redhat-storage-server-0:3.4.1.0-1.el6rhs.src",
"6Server-RHSClient:glusterfs-0:3.12.2-25.el6.src",
"6Server-RHSClient:glusterfs-0:3.12.2-25.el6.x86_64",
"6Server-RHSClient:glusterfs-api-0:3.12.2-25.el6.x86_64",
"6Server-RHSClient:glusterfs-api-devel-0:3.12.2-25.el6.x86_64",
"6Server-RHSClient:glusterfs-cli-0:3.12.2-25.el6.x86_64",
"6Server-RHSClient:glusterfs-client-xlators-0:3.12.2-25.el6.x86_64",
"6Server-RHSClient:glusterfs-debuginfo-0:3.12.2-25.el6.x86_64",
"6Server-RHSClient:glusterfs-devel-0:3.12.2-25.el6.x86_64",
"6Server-RHSClient:glusterfs-fuse-0:3.12.2-25.el6.x86_64",
"6Server-RHSClient:glusterfs-libs-0:3.12.2-25.el6.x86_64",
"6Server-RHSClient:glusterfs-rdma-0:3.12.2-25.el6.x86_64",
"6Server-RHSClient:python2-gluster-0:3.12.2-25.el6.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2018:3431"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.0"
},
"products": [
"6Server-RH-Gluster-3.4-Server:glusterfs-0:3.12.2-25.el6rhs.src",
"6Server-RH-Gluster-3.4-Server:glusterfs-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:glusterfs-api-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:glusterfs-api-devel-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:glusterfs-cli-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:glusterfs-client-xlators-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:glusterfs-debuginfo-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:glusterfs-devel-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:glusterfs-events-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:glusterfs-fuse-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:glusterfs-ganesha-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:glusterfs-geo-replication-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:glusterfs-libs-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:glusterfs-rdma-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:glusterfs-server-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:python2-gluster-0:3.12.2-25.el6rhs.x86_64",
"6Server-RH-Gluster-3.4-Server:redhat-storage-server-0:3.4.1.0-1.el6rhs.noarch",
"6Server-RH-Gluster-3.4-Server:redhat-storage-server-0:3.4.1.0-1.el6rhs.src",
"6Server-RHSClient:glusterfs-0:3.12.2-25.el6.src",
"6Server-RHSClient:glusterfs-0:3.12.2-25.el6.x86_64",
"6Server-RHSClient:glusterfs-api-0:3.12.2-25.el6.x86_64",
"6Server-RHSClient:glusterfs-api-devel-0:3.12.2-25.el6.x86_64",
"6Server-RHSClient:glusterfs-cli-0:3.12.2-25.el6.x86_64",
"6Server-RHSClient:glusterfs-client-xlators-0:3.12.2-25.el6.x86_64",
"6Server-RHSClient:glusterfs-debuginfo-0:3.12.2-25.el6.x86_64",
"6Server-RHSClient:glusterfs-devel-0:3.12.2-25.el6.x86_64",
"6Server-RHSClient:glusterfs-fuse-0:3.12.2-25.el6.x86_64",
"6Server-RHSClient:glusterfs-libs-0:3.12.2-25.el6.x86_64",
"6Server-RHSClient:glusterfs-rdma-0:3.12.2-25.el6.x86_64",
"6Server-RHSClient:python2-gluster-0:3.12.2-25.el6.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "glusterfs: features/locks translator passes an user-controlled string to snprintf without a proper format string resulting in a denial of service"
}
]
}
Loading...
Loading...
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.