The Gluster community has released an out-of-normal-cadence release for Gluster 3.12 and 4.1 that resolves a CVE[1]. A privilege escalation flaw was found.
Glusterfs is vulnerable to privilege escalation on gluster server nodes. An authenticated gluster client via TLS could use the gluster CLI with --remote-host to add itself to the trusted storage pool and perform privileged gluster operations, such as adding other machines to the trusted storage pool and starting, stopping, and deleting volumes.
Installing the updated packages and restarting gluster services on gluster brick hosts will help prevent the security issue.
Further information can be found at NVD[2].
Our recommendation is to upgrade to these new releases:
https://download.gluster.org/pub/gluster/glusterfs/3.12/3.12.11/
https://download.gluster.org/pub/gluster/glusterfs/4.0/4.1.1/
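As an added example (not part of the original announcement or the Gluster project), the script below helps an administrator verify the mitigation on a brick host: it parses the output of `gluster --version` to decide whether the running build is below the fixed release for its branch (3.12.11 or 4.1.1 as named above), and it parses `gluster peer status` to flag any peer hostname that is not on an operator-maintained allowlist, since the impact of the flaw is an unexpected member of the trusted storage pool. The command output formats and the sample outputs are constructed assumptions for this example; adjust the regular expressions if your build prints something different.

```python
import re

# Fixed releases named in the advisory for CVE-2018-10841, keyed by release branch.
# Branches not listed here are reported as "unknown" rather than guessed at.
FIXED_VERSIONS = {
    (3, 12): (3, 12, 11),
    (4, 1): (4, 1, 1),
}


def parse_version(version_output):
    """Extract (major, minor, patch) from `gluster --version` output.

    Assumption (constructed for this example): the output contains a token
    of the form 'glusterfs X.Y.Z' somewhere on its first lines.
    """
    m = re.search(r"glusterfs\s+(\d+)\.(\d+)\.(\d+)", version_output)
    if not m:
        raise ValueError("could not find a glusterfs version in output")
    return tuple(int(x) for x in m.groups())


def upgrade_needed(version):
    """True if the build is on an affected branch below the fixed release,
    False if it is at or above the fix, None if the branch is not covered
    by the advisory (no claim is made either way)."""
    fixed = FIXED_VERSIONS.get(version[:2])
    if fixed is None:
        return None
    return version < fixed


def unexpected_peers(peer_status_output, expected_hosts):
    """Return peer hostnames from `gluster peer status` that are not in the
    operator's allowlist. Assumes each peer block carries a 'Hostname:' line."""
    found = re.findall(r"^Hostname:\s*(\S+)", peer_status_output, re.MULTILINE)
    return sorted(set(found) - set(expected_hosts))


# Constructed sample outputs standing in for the real commands.
SAMPLE_VERSION_OUTPUT = "glusterfs 3.12.9\nRepository revision: git://git.gluster.org/glusterfs.git\n"
SAMPLE_PEER_STATUS = (
    "Number of Peers: 2\n\n"
    "Hostname: brick02.example.internal\n"
    "Uuid: 00000000-0000-0000-0000-000000000002\n"
    "State: Peer in Cluster (Connected)\n\n"
    "Hostname: 10.0.0.99\n"
    "Uuid: 00000000-0000-0000-0000-000000000099\n"
    "State: Peer in Cluster (Connected)\n"
)
EXPECTED_PEERS = {"brick02.example.internal", "brick03.example.internal"}


def check_host(version_output, peer_status_output, expected_hosts):
    """Combine both checks into a small report dict."""
    version = parse_version(version_output)
    return {
        "version": version,
        "upgrade_needed": upgrade_needed(version),
        "unexpected_peers": unexpected_peers(peer_status_output, expected_hosts),
    }


if __name__ == "__main__":
    # On a real host, replace the samples with subprocess output of the two commands.
    report = check_host(SAMPLE_VERSION_OUTPUT, SAMPLE_PEER_STATUS, EXPECTED_PEERS)
    print("glusterfs version:", ".".join(map(str, report["version"])))
    print("upgrade needed:", report["upgrade_needed"])
    print("peers not on allowlist:", report["unexpected_peers"])
```

An unexpected peer is not proof of exploitation, but on a cluster where membership is managed by the operators it is the first thing to reconcile after applying the update; the version check alone does not confirm that the services were restarted, so pair it with a check of process start times.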
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10841
[2] https://nvd.nist.gov/vuln/detail/CVE-2018-10841
Gluster-users mailing list Gluster-users@xxxxxxxxxxx https://lists.gluster.org/mailman/listinfo/gluster-users