RHSA-2015:1918 - Security Advisory

Topic

An updated swiftonfile package that fixes one security issue is now
available for Red Hat Gluster Storage 3.1 for Red Hat Enterprise Linux 6
and 7.

Red Hat Product Security has rated this update as having Important security
impact. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available from the CVE link in the
References section.

Description

Red Hat Gluster Storage is a software only scale-out storage solution that
provides flexible and affordable unstructured data storage. It unifies data
storage and infrastructure, increases performance, and improves
availability and manageability to meet enterprise-level storage challenges.

Red Hat Gluster Storage's Unified File and Object Storage is built on
OpenStack's Object Storage (swift).

A flaw was found in the way swiftonfile (gluster-swift) serialized and
stored metadata on disk by using Python's pickle module. A remote,
authenticated user could use this flaw to execute arbitrary code on the
storage node. (CVE-2015-5242)

For more information about CVE-2015-5242, please see
https://access.redhat.com/solutions/1985893

Red Hat would like to thank Bill Owen of IBM for reporting this issue.

All swiftonfile users are advised to upgrade to this updated package, which
contains a backported patch to correct this issue.

Solution

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

Affected Products

• Red Hat Gluster Storage Server for On-premise 3 for RHEL 7 x86_64
• Red Hat Gluster Storage Server for On-premise 3 for RHEL 6 x86_64

Fixes

• BZ - 1258743 - CVE-2015-5242 swiftonfile: use of insecure Python pickle for metadata serialization and storage

CVEs

• CVE-2015-5242

References

• https://access.redhat.com/security/updates/classification/#important
• https://access.redhat.com/solutions/1985893