rhsa-2020_4143
Vulnerability from csaf_redhat
Published
2020-09-30 15:18
Modified
2024-11-22 15:25
Summary
Red Hat Security Advisory: OCS 3.11.z async security, bug fix, and enhancement update
Notes
Topic
Updated OpenShift Container Storage packages fixing various security issues and other bugs are now available for Red Hat OpenShift Container Storage with 3.11.z Async update.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Red Hat OpenShift Container Storage(OCS) is a provider of agnostic persistent storage for OpenShift Container Platform either in-house or in a hybrid cloud. As a Red Hat storage solution, OCS is completely integrated with OpenShift Container Platform for deployment, management, and monitoring.
Security Fix(es):
* gluster-block: information disclosure through world-readable gluster-block log files (CVE-2020-10762)
* heketi: gluster-block volume password details available in logs (CVE-2020-10763)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Bug Fix(es):
* Earlier, the tcmu-runner did not give details about the file operations stuck at the backend glusterfs block hosting volume. With this change, the tcmu-runner is now able to log details about the file operations stuck at the backend glusterfs block hosting volume and this will help identify the root cause of the input/output errors easily. (BZ#1850361)
* Earlier, there was no log rotation with gluster-block logs. With this release, log rotation is possible for gluster-block and tcmu-runner relevant logs. (BZ#1850365)
* Earlier, heketi did not track all the changes made to volumes as part of device remove operation. With this release, heketi’s device remove operation is fully tracked and is based on a series of brick evict operations making the operation more reliable. (BZ#1850072)
* An access flaw CVE-2020-13867 was found in targetcli due to which the files under ‘/etc/target’ and '/etc/target/backup' directory were widely accessible. With this release, the access flaw is fixed as a workaround in gluster-block to protect these files from any potential attacks for accessing sensitive information, until the flaw is resolved and made available in targetcli.(BZ#1850077)
All Red Hat OpenShift Container Storage users are advised to upgrade to these updated packages.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Updated OpenShift Container Storage packages fixing various security issues and other bugs are now available for Red Hat OpenShift Container Storage with 3.11.z Async update.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Red Hat OpenShift Container Storage(OCS) is a provider of agnostic persistent storage for OpenShift Container Platform either in-house or in a hybrid cloud. As a Red Hat storage solution, OCS is completely integrated with OpenShift Container Platform for deployment, management, and monitoring.\n\nSecurity Fix(es):\n\n* gluster-block: information disclosure through world-readable gluster-block log files (CVE-2020-10762)\n\n* heketi: gluster-block volume password details available in logs (CVE-2020-10763)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n\nBug Fix(es):\n\n* Earlier, the tcmu-runner did not give details about the file operations stuck at the backend glusterfs block hosting volume. With this change, the tcmu-runner is now able to log details about the file operations stuck at the backend glusterfs block hosting volume and this will help identify the root cause of the input/output errors easily. (BZ#1850361)\n\n* Earlier, there was no log rotation with gluster-block logs. With this release, log rotation is possible for gluster-block and tcmu-runner relevant logs. (BZ#1850365)\n\n* Earlier, heketi did not track all the changes made to volumes as part of device remove operation. With this release, heketi\u2019s device remove operation is fully tracked and is based on a series of brick evict operations making the operation more reliable. (BZ#1850072)\n\n* An access flaw CVE-2020-13867 was found in targetcli due to which the files under \u2018/etc/target\u2019 and \u0027/etc/target/backup\u0027 directory were widely accessible. With this release, the access flaw is fixed as a workaround in gluster-block to protect these files from any potential attacks for accessing sensitive information, until the flaw is resolved and made available in targetcli.(BZ#1850077)\n\nAll Red Hat OpenShift Container Storage users are advised to upgrade to these updated packages.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2020:4143",
"url": "https://access.redhat.com/errata/RHSA-2020:4143"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#moderate",
"url": "https://access.redhat.com/security/updates/classification/#moderate"
},
{
"category": "external",
"summary": "1845067",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1845067"
},
{
"category": "external",
"summary": "1845387",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1845387"
},
{
"category": "external",
"summary": "1850072",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1850072"
},
{
"category": "external",
"summary": "1850077",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1850077"
},
{
"category": "external",
"summary": "1850361",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1850361"
},
{
"category": "external",
"summary": "1855178",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1855178"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2020/rhsa-2020_4143.json"
}
],
"title": "Red Hat Security Advisory: OCS 3.11.z async security, bug fix, and enhancement update",
"tracking": {
"current_release_date": "2024-11-22T15:25:43+00:00",
"generator": {
"date": "2024-11-22T15:25:43+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.2.1"
}
},
"id": "RHSA-2020:4143",
"initial_release_date": "2020-09-30T15:18:45+00:00",
"revision_history": [
{
"date": "2020-09-30T15:18:45+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2020-09-30T15:18:45+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-11-22T15:25:43+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Gluster Storage Server 3.5 on RHEL-7",
"product": {
"name": "Red Hat Gluster Storage Server 3.5 on RHEL-7",
"product_id": "7Server-RH-Gluster-3.5-Server",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:storage:3.5:server:el7"
}
}
},
{
"category": "product_name",
"name": "Red Hat Storage Native Client for Red Hat Enterprise Linux 7",
"product": {
"name": "Red Hat Storage Native Client for Red Hat Enterprise Linux 7",
"product_id": "7Server-RHSClient",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:storage:3:client:el7"
}
}
}
],
"category": "product_family",
"name": "Red Hat Gluster Storage"
},
{
"branches": [
{
"category": "product_version",
"name": "gluster-block-0:0.2.1-36.2.el7rhgs.x86_64",
"product": {
"name": "gluster-block-0:0.2.1-36.2.el7rhgs.x86_64",
"product_id": "gluster-block-0:0.2.1-36.2.el7rhgs.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/gluster-block@0.2.1-36.2.el7rhgs?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "gluster-block-debuginfo-0:0.2.1-36.2.el7rhgs.x86_64",
"product": {
"name": "gluster-block-debuginfo-0:0.2.1-36.2.el7rhgs.x86_64",
"product_id": "gluster-block-debuginfo-0:0.2.1-36.2.el7rhgs.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/gluster-block-debuginfo@0.2.1-36.2.el7rhgs?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "libtcmu-0:1.2.0-32.2.el7rhgs.x86_64",
"product": {
"name": "libtcmu-0:1.2.0-32.2.el7rhgs.x86_64",
"product_id": "libtcmu-0:1.2.0-32.2.el7rhgs.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/libtcmu@1.2.0-32.2.el7rhgs?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "libtcmu-devel-0:1.2.0-32.2.el7rhgs.x86_64",
"product": {
"name": "libtcmu-devel-0:1.2.0-32.2.el7rhgs.x86_64",
"product_id": "libtcmu-devel-0:1.2.0-32.2.el7rhgs.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/libtcmu-devel@1.2.0-32.2.el7rhgs?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "tcmu-runner-0:1.2.0-32.2.el7rhgs.x86_64",
"product": {
"name": "tcmu-runner-0:1.2.0-32.2.el7rhgs.x86_64",
"product_id": "tcmu-runner-0:1.2.0-32.2.el7rhgs.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/tcmu-runner@1.2.0-32.2.el7rhgs?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "tcmu-runner-debuginfo-0:1.2.0-32.2.el7rhgs.x86_64",
"product": {
"name": "tcmu-runner-debuginfo-0:1.2.0-32.2.el7rhgs.x86_64",
"product_id": "tcmu-runner-debuginfo-0:1.2.0-32.2.el7rhgs.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/tcmu-runner-debuginfo@1.2.0-32.2.el7rhgs?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "heketi-0:9.0.0-9.5.el7rhgs.x86_64",
"product": {
"name": "heketi-0:9.0.0-9.5.el7rhgs.x86_64",
"product_id": "heketi-0:9.0.0-9.5.el7rhgs.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/heketi@9.0.0-9.5.el7rhgs?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "heketi-client-0:9.0.0-9.5.el7rhgs.x86_64",
"product": {
"name": "heketi-client-0:9.0.0-9.5.el7rhgs.x86_64",
"product_id": "heketi-client-0:9.0.0-9.5.el7rhgs.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/heketi-client@9.0.0-9.5.el7rhgs?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "python-heketi-0:9.0.0-9.5.el7rhgs.x86_64",
"product": {
"name": "python-heketi-0:9.0.0-9.5.el7rhgs.x86_64",
"product_id": "python-heketi-0:9.0.0-9.5.el7rhgs.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/python-heketi@9.0.0-9.5.el7rhgs?arch=x86_64"
}
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_version",
"name": "gluster-block-0:0.2.1-36.2.el7rhgs.src",
"product": {
"name": "gluster-block-0:0.2.1-36.2.el7rhgs.src",
"product_id": "gluster-block-0:0.2.1-36.2.el7rhgs.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/gluster-block@0.2.1-36.2.el7rhgs?arch=src"
}
}
},
{
"category": "product_version",
"name": "tcmu-runner-0:1.2.0-32.2.el7rhgs.src",
"product": {
"name": "tcmu-runner-0:1.2.0-32.2.el7rhgs.src",
"product_id": "tcmu-runner-0:1.2.0-32.2.el7rhgs.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/tcmu-runner@1.2.0-32.2.el7rhgs?arch=src"
}
}
},
{
"category": "product_version",
"name": "heketi-0:9.0.0-9.5.el7rhgs.src",
"product": {
"name": "heketi-0:9.0.0-9.5.el7rhgs.src",
"product_id": "heketi-0:9.0.0-9.5.el7rhgs.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/heketi@9.0.0-9.5.el7rhgs?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "gluster-block-0:0.2.1-36.2.el7rhgs.src as a component of Red Hat Gluster Storage Server 3.5 on RHEL-7",
"product_id": "7Server-RH-Gluster-3.5-Server:gluster-block-0:0.2.1-36.2.el7rhgs.src"
},
"product_reference": "gluster-block-0:0.2.1-36.2.el7rhgs.src",
"relates_to_product_reference": "7Server-RH-Gluster-3.5-Server"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "gluster-block-0:0.2.1-36.2.el7rhgs.x86_64 as a component of Red Hat Gluster Storage Server 3.5 on RHEL-7",
"product_id": "7Server-RH-Gluster-3.5-Server:gluster-block-0:0.2.1-36.2.el7rhgs.x86_64"
},
"product_reference": "gluster-block-0:0.2.1-36.2.el7rhgs.x86_64",
"relates_to_product_reference": "7Server-RH-Gluster-3.5-Server"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "gluster-block-debuginfo-0:0.2.1-36.2.el7rhgs.x86_64 as a component of Red Hat Gluster Storage Server 3.5 on RHEL-7",
"product_id": "7Server-RH-Gluster-3.5-Server:gluster-block-debuginfo-0:0.2.1-36.2.el7rhgs.x86_64"
},
"product_reference": "gluster-block-debuginfo-0:0.2.1-36.2.el7rhgs.x86_64",
"relates_to_product_reference": "7Server-RH-Gluster-3.5-Server"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "heketi-0:9.0.0-9.5.el7rhgs.src as a component of Red Hat Gluster Storage Server 3.5 on RHEL-7",
"product_id": "7Server-RH-Gluster-3.5-Server:heketi-0:9.0.0-9.5.el7rhgs.src"
},
"product_reference": "heketi-0:9.0.0-9.5.el7rhgs.src",
"relates_to_product_reference": "7Server-RH-Gluster-3.5-Server"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "heketi-0:9.0.0-9.5.el7rhgs.x86_64 as a component of Red Hat Gluster Storage Server 3.5 on RHEL-7",
"product_id": "7Server-RH-Gluster-3.5-Server:heketi-0:9.0.0-9.5.el7rhgs.x86_64"
},
"product_reference": "heketi-0:9.0.0-9.5.el7rhgs.x86_64",
"relates_to_product_reference": "7Server-RH-Gluster-3.5-Server"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "heketi-client-0:9.0.0-9.5.el7rhgs.x86_64 as a component of Red Hat Gluster Storage Server 3.5 on RHEL-7",
"product_id": "7Server-RH-Gluster-3.5-Server:heketi-client-0:9.0.0-9.5.el7rhgs.x86_64"
},
"product_reference": "heketi-client-0:9.0.0-9.5.el7rhgs.x86_64",
"relates_to_product_reference": "7Server-RH-Gluster-3.5-Server"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "libtcmu-0:1.2.0-32.2.el7rhgs.x86_64 as a component of Red Hat Gluster Storage Server 3.5 on RHEL-7",
"product_id": "7Server-RH-Gluster-3.5-Server:libtcmu-0:1.2.0-32.2.el7rhgs.x86_64"
},
"product_reference": "libtcmu-0:1.2.0-32.2.el7rhgs.x86_64",
"relates_to_product_reference": "7Server-RH-Gluster-3.5-Server"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "libtcmu-devel-0:1.2.0-32.2.el7rhgs.x86_64 as a component of Red Hat Gluster Storage Server 3.5 on RHEL-7",
"product_id": "7Server-RH-Gluster-3.5-Server:libtcmu-devel-0:1.2.0-32.2.el7rhgs.x86_64"
},
"product_reference": "libtcmu-devel-0:1.2.0-32.2.el7rhgs.x86_64",
"relates_to_product_reference": "7Server-RH-Gluster-3.5-Server"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python-heketi-0:9.0.0-9.5.el7rhgs.x86_64 as a component of Red Hat Gluster Storage Server 3.5 on RHEL-7",
"product_id": "7Server-RH-Gluster-3.5-Server:python-heketi-0:9.0.0-9.5.el7rhgs.x86_64"
},
"product_reference": "python-heketi-0:9.0.0-9.5.el7rhgs.x86_64",
"relates_to_product_reference": "7Server-RH-Gluster-3.5-Server"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tcmu-runner-0:1.2.0-32.2.el7rhgs.src as a component of Red Hat Gluster Storage Server 3.5 on RHEL-7",
"product_id": "7Server-RH-Gluster-3.5-Server:tcmu-runner-0:1.2.0-32.2.el7rhgs.src"
},
"product_reference": "tcmu-runner-0:1.2.0-32.2.el7rhgs.src",
"relates_to_product_reference": "7Server-RH-Gluster-3.5-Server"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tcmu-runner-0:1.2.0-32.2.el7rhgs.x86_64 as a component of Red Hat Gluster Storage Server 3.5 on RHEL-7",
"product_id": "7Server-RH-Gluster-3.5-Server:tcmu-runner-0:1.2.0-32.2.el7rhgs.x86_64"
},
"product_reference": "tcmu-runner-0:1.2.0-32.2.el7rhgs.x86_64",
"relates_to_product_reference": "7Server-RH-Gluster-3.5-Server"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tcmu-runner-debuginfo-0:1.2.0-32.2.el7rhgs.x86_64 as a component of Red Hat Gluster Storage Server 3.5 on RHEL-7",
"product_id": "7Server-RH-Gluster-3.5-Server:tcmu-runner-debuginfo-0:1.2.0-32.2.el7rhgs.x86_64"
},
"product_reference": "tcmu-runner-debuginfo-0:1.2.0-32.2.el7rhgs.x86_64",
"relates_to_product_reference": "7Server-RH-Gluster-3.5-Server"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "heketi-0:9.0.0-9.5.el7rhgs.src as a component of Red Hat Storage Native Client for Red Hat Enterprise Linux 7",
"product_id": "7Server-RHSClient:heketi-0:9.0.0-9.5.el7rhgs.src"
},
"product_reference": "heketi-0:9.0.0-9.5.el7rhgs.src",
"relates_to_product_reference": "7Server-RHSClient"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "heketi-client-0:9.0.0-9.5.el7rhgs.x86_64 as a component of Red Hat Storage Native Client for Red Hat Enterprise Linux 7",
"product_id": "7Server-RHSClient:heketi-client-0:9.0.0-9.5.el7rhgs.x86_64"
},
"product_reference": "heketi-client-0:9.0.0-9.5.el7rhgs.x86_64",
"relates_to_product_reference": "7Server-RHSClient"
}
]
},
"vulnerabilities": [
{
"acknowledgments": [
{
"names": [
"Prasanna Kumar Kalever"
],
"organization": "Red Hat",
"summary": "This issue was discovered by Red Hat."
}
],
"cve": "CVE-2020-10762",
"cwe": {
"id": "CWE-532",
"name": "Insertion of Sensitive Information into Log File"
},
"discovery_date": "2020-06-05T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1845067"
}
],
"notes": [
{
"category": "description",
"text": "An information-disclosure flaw was found in the way that gluster-block logs the output from gluster-block CLI operations. This includes recording passwords to the cmd_history.log file which is world-readable. This flaw allows local users to obtain sensitive information by reading the log file. The highest threat from this vulnerability is to data confidentiality.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "gluster-block: information disclosure through world-readable gluster-block log files",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "The version of gluster-block shipped with Red Hat Gluster Storage 3 sets the world-readable permissions on gluster-block directory and log files that store the sensitive information, hence affected by this vulnerability.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RH-Gluster-3.5-Server:gluster-block-0:0.2.1-36.2.el7rhgs.src",
"7Server-RH-Gluster-3.5-Server:gluster-block-0:0.2.1-36.2.el7rhgs.x86_64",
"7Server-RH-Gluster-3.5-Server:gluster-block-debuginfo-0:0.2.1-36.2.el7rhgs.x86_64",
"7Server-RH-Gluster-3.5-Server:heketi-0:9.0.0-9.5.el7rhgs.src",
"7Server-RH-Gluster-3.5-Server:heketi-0:9.0.0-9.5.el7rhgs.x86_64",
"7Server-RH-Gluster-3.5-Server:heketi-client-0:9.0.0-9.5.el7rhgs.x86_64",
"7Server-RH-Gluster-3.5-Server:libtcmu-0:1.2.0-32.2.el7rhgs.x86_64",
"7Server-RH-Gluster-3.5-Server:libtcmu-devel-0:1.2.0-32.2.el7rhgs.x86_64",
"7Server-RH-Gluster-3.5-Server:python-heketi-0:9.0.0-9.5.el7rhgs.x86_64",
"7Server-RH-Gluster-3.5-Server:tcmu-runner-0:1.2.0-32.2.el7rhgs.src",
"7Server-RH-Gluster-3.5-Server:tcmu-runner-0:1.2.0-32.2.el7rhgs.x86_64",
"7Server-RH-Gluster-3.5-Server:tcmu-runner-debuginfo-0:1.2.0-32.2.el7rhgs.x86_64",
"7Server-RHSClient:heketi-0:9.0.0-9.5.el7rhgs.src",
"7Server-RHSClient:heketi-client-0:9.0.0-9.5.el7rhgs.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2020-10762"
},
{
"category": "external",
"summary": "RHBZ#1845067",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1845067"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2020-10762",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-10762"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-10762",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-10762"
},
{
"category": "external",
"summary": "https://github.com/gluster/gluster-block/releases/tag/v0.5.1",
"url": "https://github.com/gluster/gluster-block/releases/tag/v0.5.1"
}
],
"release_date": "2020-09-30T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2020-09-30T15:18:45+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-RH-Gluster-3.5-Server:gluster-block-0:0.2.1-36.2.el7rhgs.src",
"7Server-RH-Gluster-3.5-Server:gluster-block-0:0.2.1-36.2.el7rhgs.x86_64",
"7Server-RH-Gluster-3.5-Server:gluster-block-debuginfo-0:0.2.1-36.2.el7rhgs.x86_64",
"7Server-RH-Gluster-3.5-Server:heketi-0:9.0.0-9.5.el7rhgs.src",
"7Server-RH-Gluster-3.5-Server:heketi-0:9.0.0-9.5.el7rhgs.x86_64",
"7Server-RH-Gluster-3.5-Server:heketi-client-0:9.0.0-9.5.el7rhgs.x86_64",
"7Server-RH-Gluster-3.5-Server:libtcmu-0:1.2.0-32.2.el7rhgs.x86_64",
"7Server-RH-Gluster-3.5-Server:libtcmu-devel-0:1.2.0-32.2.el7rhgs.x86_64",
"7Server-RH-Gluster-3.5-Server:python-heketi-0:9.0.0-9.5.el7rhgs.x86_64",
"7Server-RH-Gluster-3.5-Server:tcmu-runner-0:1.2.0-32.2.el7rhgs.src",
"7Server-RH-Gluster-3.5-Server:tcmu-runner-0:1.2.0-32.2.el7rhgs.x86_64",
"7Server-RH-Gluster-3.5-Server:tcmu-runner-debuginfo-0:1.2.0-32.2.el7rhgs.x86_64",
"7Server-RHSClient:heketi-0:9.0.0-9.5.el7rhgs.src",
"7Server-RHSClient:heketi-client-0:9.0.0-9.5.el7rhgs.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2020:4143"
},
{
"category": "workaround",
"details": "Manually change the log files permission to remove readable bits for others, e.g;\n\n# chmod 640 /var/log/glusterfs/gluster-block/cmd_history.log\n\nNOTE: The above mitigation only restricts access to the other local users. To avoid storing passwords to the log file, kindly update gluster-block to the fixed version.",
"product_ids": [
"7Server-RH-Gluster-3.5-Server:gluster-block-0:0.2.1-36.2.el7rhgs.src",
"7Server-RH-Gluster-3.5-Server:gluster-block-0:0.2.1-36.2.el7rhgs.x86_64",
"7Server-RH-Gluster-3.5-Server:gluster-block-debuginfo-0:0.2.1-36.2.el7rhgs.x86_64",
"7Server-RH-Gluster-3.5-Server:heketi-0:9.0.0-9.5.el7rhgs.src",
"7Server-RH-Gluster-3.5-Server:heketi-0:9.0.0-9.5.el7rhgs.x86_64",
"7Server-RH-Gluster-3.5-Server:heketi-client-0:9.0.0-9.5.el7rhgs.x86_64",
"7Server-RH-Gluster-3.5-Server:libtcmu-0:1.2.0-32.2.el7rhgs.x86_64",
"7Server-RH-Gluster-3.5-Server:libtcmu-devel-0:1.2.0-32.2.el7rhgs.x86_64",
"7Server-RH-Gluster-3.5-Server:python-heketi-0:9.0.0-9.5.el7rhgs.x86_64",
"7Server-RH-Gluster-3.5-Server:tcmu-runner-0:1.2.0-32.2.el7rhgs.src",
"7Server-RH-Gluster-3.5-Server:tcmu-runner-0:1.2.0-32.2.el7rhgs.x86_64",
"7Server-RH-Gluster-3.5-Server:tcmu-runner-debuginfo-0:1.2.0-32.2.el7rhgs.x86_64",
"7Server-RHSClient:heketi-0:9.0.0-9.5.el7rhgs.src",
"7Server-RHSClient:heketi-client-0:9.0.0-9.5.el7rhgs.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"7Server-RH-Gluster-3.5-Server:gluster-block-0:0.2.1-36.2.el7rhgs.src",
"7Server-RH-Gluster-3.5-Server:gluster-block-0:0.2.1-36.2.el7rhgs.x86_64",
"7Server-RH-Gluster-3.5-Server:gluster-block-debuginfo-0:0.2.1-36.2.el7rhgs.x86_64",
"7Server-RH-Gluster-3.5-Server:heketi-0:9.0.0-9.5.el7rhgs.src",
"7Server-RH-Gluster-3.5-Server:heketi-0:9.0.0-9.5.el7rhgs.x86_64",
"7Server-RH-Gluster-3.5-Server:heketi-client-0:9.0.0-9.5.el7rhgs.x86_64",
"7Server-RH-Gluster-3.5-Server:libtcmu-0:1.2.0-32.2.el7rhgs.x86_64",
"7Server-RH-Gluster-3.5-Server:libtcmu-devel-0:1.2.0-32.2.el7rhgs.x86_64",
"7Server-RH-Gluster-3.5-Server:python-heketi-0:9.0.0-9.5.el7rhgs.x86_64",
"7Server-RH-Gluster-3.5-Server:tcmu-runner-0:1.2.0-32.2.el7rhgs.src",
"7Server-RH-Gluster-3.5-Server:tcmu-runner-0:1.2.0-32.2.el7rhgs.x86_64",
"7Server-RH-Gluster-3.5-Server:tcmu-runner-debuginfo-0:1.2.0-32.2.el7rhgs.x86_64",
"7Server-RHSClient:heketi-0:9.0.0-9.5.el7rhgs.src",
"7Server-RHSClient:heketi-client-0:9.0.0-9.5.el7rhgs.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "gluster-block: information disclosure through world-readable gluster-block log files"
},
{
"acknowledgments": [
{
"names": [
"Prasanna Kumar Kalever"
],
"organization": "Red Hat",
"summary": "This issue was discovered by Red Hat."
}
],
"cve": "CVE-2020-10763",
"cwe": {
"id": "CWE-532",
"name": "Insertion of Sensitive Information into Log File"
},
"discovery_date": "2020-06-05T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1845387"
}
],
"notes": [
{
"category": "description",
"text": "An information-disclosure flaw was found in the way Heketi logs sensitive information. This flaw allows an attacker with local access to the Heketi server, to read potentially sensitive information, such as gluster-block passwords.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "heketi: gluster-block volume password details available in logs",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "The version of heketi shipped with Red Hat Gluster Storage 3 does not filter out gluster-block volume passwords, hence affected by this vulnerability.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RH-Gluster-3.5-Server:gluster-block-0:0.2.1-36.2.el7rhgs.src",
"7Server-RH-Gluster-3.5-Server:gluster-block-0:0.2.1-36.2.el7rhgs.x86_64",
"7Server-RH-Gluster-3.5-Server:gluster-block-debuginfo-0:0.2.1-36.2.el7rhgs.x86_64",
"7Server-RH-Gluster-3.5-Server:heketi-0:9.0.0-9.5.el7rhgs.src",
"7Server-RH-Gluster-3.5-Server:heketi-0:9.0.0-9.5.el7rhgs.x86_64",
"7Server-RH-Gluster-3.5-Server:heketi-client-0:9.0.0-9.5.el7rhgs.x86_64",
"7Server-RH-Gluster-3.5-Server:libtcmu-0:1.2.0-32.2.el7rhgs.x86_64",
"7Server-RH-Gluster-3.5-Server:libtcmu-devel-0:1.2.0-32.2.el7rhgs.x86_64",
"7Server-RH-Gluster-3.5-Server:python-heketi-0:9.0.0-9.5.el7rhgs.x86_64",
"7Server-RH-Gluster-3.5-Server:tcmu-runner-0:1.2.0-32.2.el7rhgs.src",
"7Server-RH-Gluster-3.5-Server:tcmu-runner-0:1.2.0-32.2.el7rhgs.x86_64",
"7Server-RH-Gluster-3.5-Server:tcmu-runner-debuginfo-0:1.2.0-32.2.el7rhgs.x86_64",
"7Server-RHSClient:heketi-0:9.0.0-9.5.el7rhgs.src",
"7Server-RHSClient:heketi-client-0:9.0.0-9.5.el7rhgs.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2020-10763"
},
{
"category": "external",
"summary": "RHBZ#1845387",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1845387"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2020-10763",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-10763"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-10763",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-10763"
},
{
"category": "external",
"summary": "https://github.com/heketi/heketi/releases/tag/v10.1.0",
"url": "https://github.com/heketi/heketi/releases/tag/v10.1.0"
}
],
"release_date": "2020-09-30T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2020-09-30T15:18:45+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-RH-Gluster-3.5-Server:gluster-block-0:0.2.1-36.2.el7rhgs.src",
"7Server-RH-Gluster-3.5-Server:gluster-block-0:0.2.1-36.2.el7rhgs.x86_64",
"7Server-RH-Gluster-3.5-Server:gluster-block-debuginfo-0:0.2.1-36.2.el7rhgs.x86_64",
"7Server-RH-Gluster-3.5-Server:heketi-0:9.0.0-9.5.el7rhgs.src",
"7Server-RH-Gluster-3.5-Server:heketi-0:9.0.0-9.5.el7rhgs.x86_64",
"7Server-RH-Gluster-3.5-Server:heketi-client-0:9.0.0-9.5.el7rhgs.x86_64",
"7Server-RH-Gluster-3.5-Server:libtcmu-0:1.2.0-32.2.el7rhgs.x86_64",
"7Server-RH-Gluster-3.5-Server:libtcmu-devel-0:1.2.0-32.2.el7rhgs.x86_64",
"7Server-RH-Gluster-3.5-Server:python-heketi-0:9.0.0-9.5.el7rhgs.x86_64",
"7Server-RH-Gluster-3.5-Server:tcmu-runner-0:1.2.0-32.2.el7rhgs.src",
"7Server-RH-Gluster-3.5-Server:tcmu-runner-0:1.2.0-32.2.el7rhgs.x86_64",
"7Server-RH-Gluster-3.5-Server:tcmu-runner-debuginfo-0:1.2.0-32.2.el7rhgs.x86_64",
"7Server-RHSClient:heketi-0:9.0.0-9.5.el7rhgs.src",
"7Server-RHSClient:heketi-client-0:9.0.0-9.5.el7rhgs.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2020:4143"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"7Server-RH-Gluster-3.5-Server:gluster-block-0:0.2.1-36.2.el7rhgs.src",
"7Server-RH-Gluster-3.5-Server:gluster-block-0:0.2.1-36.2.el7rhgs.x86_64",
"7Server-RH-Gluster-3.5-Server:gluster-block-debuginfo-0:0.2.1-36.2.el7rhgs.x86_64",
"7Server-RH-Gluster-3.5-Server:heketi-0:9.0.0-9.5.el7rhgs.src",
"7Server-RH-Gluster-3.5-Server:heketi-0:9.0.0-9.5.el7rhgs.x86_64",
"7Server-RH-Gluster-3.5-Server:heketi-client-0:9.0.0-9.5.el7rhgs.x86_64",
"7Server-RH-Gluster-3.5-Server:libtcmu-0:1.2.0-32.2.el7rhgs.x86_64",
"7Server-RH-Gluster-3.5-Server:libtcmu-devel-0:1.2.0-32.2.el7rhgs.x86_64",
"7Server-RH-Gluster-3.5-Server:python-heketi-0:9.0.0-9.5.el7rhgs.x86_64",
"7Server-RH-Gluster-3.5-Server:tcmu-runner-0:1.2.0-32.2.el7rhgs.src",
"7Server-RH-Gluster-3.5-Server:tcmu-runner-0:1.2.0-32.2.el7rhgs.x86_64",
"7Server-RH-Gluster-3.5-Server:tcmu-runner-debuginfo-0:1.2.0-32.2.el7rhgs.x86_64",
"7Server-RHSClient:heketi-0:9.0.0-9.5.el7rhgs.src",
"7Server-RHSClient:heketi-client-0:9.0.0-9.5.el7rhgs.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"7Server-RH-Gluster-3.5-Server:gluster-block-0:0.2.1-36.2.el7rhgs.src",
"7Server-RH-Gluster-3.5-Server:gluster-block-0:0.2.1-36.2.el7rhgs.x86_64",
"7Server-RH-Gluster-3.5-Server:gluster-block-debuginfo-0:0.2.1-36.2.el7rhgs.x86_64",
"7Server-RH-Gluster-3.5-Server:heketi-0:9.0.0-9.5.el7rhgs.src",
"7Server-RH-Gluster-3.5-Server:heketi-0:9.0.0-9.5.el7rhgs.x86_64",
"7Server-RH-Gluster-3.5-Server:heketi-client-0:9.0.0-9.5.el7rhgs.x86_64",
"7Server-RH-Gluster-3.5-Server:libtcmu-0:1.2.0-32.2.el7rhgs.x86_64",
"7Server-RH-Gluster-3.5-Server:libtcmu-devel-0:1.2.0-32.2.el7rhgs.x86_64",
"7Server-RH-Gluster-3.5-Server:python-heketi-0:9.0.0-9.5.el7rhgs.x86_64",
"7Server-RH-Gluster-3.5-Server:tcmu-runner-0:1.2.0-32.2.el7rhgs.src",
"7Server-RH-Gluster-3.5-Server:tcmu-runner-0:1.2.0-32.2.el7rhgs.x86_64",
"7Server-RH-Gluster-3.5-Server:tcmu-runner-debuginfo-0:1.2.0-32.2.el7rhgs.x86_64",
"7Server-RHSClient:heketi-0:9.0.0-9.5.el7rhgs.src",
"7Server-RHSClient:heketi-client-0:9.0.0-9.5.el7rhgs.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "heketi: gluster-block volume password details available in logs"
}
]
}
Loading...
Loading...
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.