Date: Wed, 20 Jun 2018 15:58:10 -0400 (EDT) From: Siddharth Sharma <siddharth@...hat.com> To: oss-security@...ts.openwall.com Subject: CVE-2018-10841 glusterfs: access trusted peer group via remote-host command A flaw was found in glusterfs which can lead to privilege escalation on gluster server nodes. It was found that any gluster client authenticated via TLS could use gluster cli with --remote-host command to add itself to gluster trusted pool and perform all gluster operations like peer probe itself or other machines, start, stop, delete volumes etc. https://bugzilla.redhat.com/show_bug.cgi?id=1582043 Respectfully, Siddharth Sharma / Red Hat Product Security / Key ID : 0xD9F6489A Fingerprint : 6F04 C684 A49C E4CE 8148 E841 CD6F 8E55 D9F6 489A
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ