Issued:: 2017-12-18
Updated:: 2017-12-18

RHSA-2017:3481 - Security Advisory

Overview
Updated Packages

Synopsis

Important: heketi security update

Type/Severity

Security Advisory: Important

Red Hat Insights patch analysis

Identify and remediate systems affected by this advisory.

View affected systems

Topic

An update for heketi is now available for Red Hat Gluster Storage 3.3 for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

Heketi provides a RESTful management interface which can be used to manage the life cycle of GlusterFS volumes. With Heketi, cloud services like OpenStack Manila, Kubernetes, and OpenShift can dynamically provision GlusterFS volumes with any of the supported durability types. Heketi will automatically determine the location for bricks across the cluster, making sure to place bricks and its replicas across different failure domains. Heketi also supports any number of GlusterFS clusters, allowing cloud services to provide network file storage without being limited to a single GlusterFS cluster.

Security Fix(es):

A security-check flaw was found in the way the Heketi server API handled user requests. An authenticated Heketi user could send specially crafted requests to the Heketi server, resulting in remote command execution as the user running Heketi server and possibly privilege escalation. (CVE-2017-15103)
An access flaw was found in heketi, where the heketi.json configuration file was world readable. An attacker having local access to the Heketi server could read plain-text passwords from the heketi.json file. (CVE-2017-15104)

Red Hat would like to thank Markus Krell (NTT Security) for reporting CVE-2017-15103. The CVE-2017-15104 issue was discovered by Siddharth Sharma (Red Hat).

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

Affected Products

Red Hat Gluster Storage Server for On-premise 3 for RHEL 7 x86_64

Fixes

BZ - 1510147 - CVE-2017-15103 heketi: OS command injection in heketi API
BZ - 1510149 - CVE-2017-15104 heketi: Information disclosure through world readable file

CVEs

References

https://access.redhat.com/security/updates/classification/#important

Note: More recent versions of these packages may be available. Click a package name for more details.

Red Hat Gluster Storage Server for On-premise 3 for RHEL 7

SRPM
heketi-5.0.0-19.el7rhgs.src.rpm	SHA-256: a705e906b3f2cd3dcb2d421be814e8643878f32d7b58d99d966396794ba12b39
x86_64
heketi-5.0.0-19.el7rhgs.x86_64.rpm	SHA-256: 8259dd92328901396d91cdc0fbbdb83c5ef40e0269d9ac3eb7355d1ac7ae0b7b
heketi-client-5.0.0-19.el7rhgs.x86_64.rpm	SHA-256: 8780d664e3c5c4cc864de0d4e1beab2642b4691d67604ed501406300d38e7c27
python-heketi-5.0.0-19.el7rhgs.x86_64.rpm	SHA-256: 0a64c33a1a2baab447ed0a7f805f10fae1b3a9ce43a0f491e782784c950b4034

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.

Select Your Language

Infrastructure and Management

Cloud Computing

Storage

Runtimes

Integration and Automation