Red Hat Product Errata RHSA-2018:3432 - Security Advisory
Issued: 2018-10-31
Updated: 2018-10-31

Synopsis

Important: glusterfs security and bug fix update

Type/Severity

Security Advisory: Important

Topic

Updated glusterfs packages that fix multiple security issues and bugs are now available for Red Hat Gluster Storage 3.4 on Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

GlusterFS is a key building block of Red Hat Gluster Storage. It is based on a stackable user-space design and can deliver exceptional performance for diverse workloads. GlusterFS aggregates various storage servers over network interconnections into one large, parallel network file system.

Security Fix(es):

  • glusterfs: glusterfs server exploitable via symlinks to relative paths (CVE-2018-14651)
  • glusterfs: Buffer overflow in "features/locks" translator allows for denial of service (CVE-2018-14652)
  • glusterfs: Heap-based buffer overflow via "gf_getspec_req" RPC message (CVE-2018-14653)
  • glusterfs: "features/index" translator can create arbitrary, empty files (CVE-2018-14654)
  • glusterfs: Unlimited file creation via "GF_XATTR_IOSTATS_DUMP_KEY" xattr allows for denial of service (CVE-2018-14659)
  • glusterfs: Repeat use of "GF_META_LOCK_KEY" xattr allows for memory exhaustion (CVE-2018-14660)
  • glusterfs: features/locks translator passes a user-controlled string to snprintf without a proper format string, resulting in a denial of service (CVE-2018-14661)

For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.

Red Hat would like to thank Michael Hanselmann (hansmi.ch) for reporting these issues.

Bug Fix(es):

  • MD5 usage is replaced with FIPS-compliant SHA256 checksums, and glusterd no longer crashes when run on a FIPS-enabled machine. (BZ#1459709)
  • The flock is now released explicitly and the status file is updated so that the lock's file descriptor is not leaked to any worker or agent process. As a result, all geo-replication workers start without failure. (BZ#1623749)
  • All HTIME index files are checked for the specified start and end times, and the History API does not fail when multiple HTIME files exist. (BZ#1627639)
  • After upgrading to Red Hat Gluster Storage 3.4 from earlier versions of Red Hat Gluster Storage, the volume size displayed by the df command was smaller than the actual volume size. This has been fixed and the df command now shows the correct size for all volumes. (BZ#1630997)
  • The algorithm that disables eager-lock is modified so that eager-lock is disabled only when multiple write operations try to modify a file at the same time. This improves write performance on a file regardless of how many times it is concurrently opened for reading. (BZ#1630688)
  • heal-info no longer treats the presence of dirty markers as an indication of split-brain and no longer reports such entries as being in a split-brain state. (BZ#1610743)

All users of Red Hat Gluster Storage are advised to upgrade to these updated packages, which provide numerous bug fixes and enhancements.

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

Affected Products

  • Red Hat Enterprise Linux Server 7 x86_64
  • Red Hat Gluster Storage Server for On-premise 3 for RHEL 7 x86_64

Fixes

  • BZ - 1610743 - Directory is incorrectly reported as in split-brain when dirty marking is there
  • BZ - 1618221 - If a node disconnects during volume delete, it assumes deleted volume as a freshly created volume when it is back online
  • BZ - 1619627 - Add performance options to virt profile
  • BZ - 1622649 - [RHEL7] Some of the Posix compliance tests are failing on gluster mount
  • BZ - 1623749 - Geo-rep: Few workers fails to start with out any failure
  • BZ - 1623874 - IO errors on block device post rebooting one brick node
  • BZ - 1624444 - Fail volume stop operation in case brick detach request fails
  • BZ - 1625622 - [Disperse] Improve log messages for EC volume while getting/setting xattrs and finding good child to wind
  • BZ - 1626780 - sas workload job getting stuck after sometime
  • BZ - 1627098 - RFE: make fuse dumping available as mount option
  • BZ - 1627617 - SAS job aborts complaining about file doesn't exist
  • BZ - 1627639 - libgfchangelog: History API fails
  • BZ - 1630688 - Low Random write IOPS in VM in RHHI 2.0
  • BZ - 1631329 - rpc marks brick disconnected from glusterd
  • BZ - 1631372 - glusterfsd keeping fd open in index xlator after stop the volume
  • BZ - 1631576 - CVE-2018-14654 glusterfs: "features/index" translator can create arbitrary, empty files
  • BZ - 1632557 - CVE-2018-14651 glusterfs: glusterfs server exploitable via symlinks to relative paths
  • BZ - 1632974 - CVE-2018-14652 glusterfs: Buffer overflow in "features/locks" translator allows for denial of service
  • BZ - 1633431 - CVE-2018-14653 glusterfs: Heap-based buffer overflow via "gf_getspec_req" RPC message
  • BZ - 1635926 - CVE-2018-14660 glusterfs: Repeat use of "GF_META_LOCK_KEY" xattr allows for memory exhaustion
  • BZ - 1635929 - CVE-2018-14659 glusterfs: Unlimited file creation via "GF_XATTR_IOSTATS_DUMP_KEY" xattr allows for denial of service
  • BZ - 1636880 - CVE-2018-14661 glusterfs: features/locks translator passes an user-controlled string to snprintf without a proper format string resulting in a denial of service
  • BZ - 1636902 - "gluster vol heal <vol name> info" is hung on Distributed-Replicated ( Arbiter )
  • BZ - 1640135 - Wrong version number in /etc/redhat-storage-release
  • BZ - 1641489 - [Brick-Mux] gluster vol stop fails with Error : Request timed out.
  • BZ - 1641586 - spec: wrong release number for RHGS 3.4.1 in /usr/share/glusterfs/release
  • BZ - 1643355 - [RHEL7] update with entitlement certificate for RHEL 7.6

CVEs

  • CVE-2018-14651
  • CVE-2018-14652
  • CVE-2018-14653
  • CVE-2018-14654
  • CVE-2018-14659
  • CVE-2018-14660
  • CVE-2018-14661

References

  • https://access.redhat.com/security/updates/classification/#important

Updated Packages

Note: More recent versions of these packages may be available.

    Red Hat Enterprise Linux Server 7

    SRPM
    glusterfs-3.12.2-25.el7.src.rpm SHA-256: f10ae3de5b0e1c52bfb6252e14b902093ccdc784fdf2a0730603b240a0ba8281
    x86_64
    glusterfs-3.12.2-25.el7.x86_64.rpm SHA-256: 6e98d94cc58ff3730324b8761bacf213b882beee8094e98425ce97a40cbffaa4
    glusterfs-api-3.12.2-25.el7.x86_64.rpm SHA-256: 7a8e2826a480449af3a92a4e88d9624f5a3849da6db961ef9f18bc89d1f3042d
    glusterfs-api-devel-3.12.2-25.el7.x86_64.rpm SHA-256: 408c307c8f595f063e81f54262a0542c5d2cf184bb737111f2a658ea741b1128
    glusterfs-cli-3.12.2-25.el7.x86_64.rpm SHA-256: 721086228b770c7d33a64c07c6939ad0630b5063a6826cf6e5634194341aad98
    glusterfs-client-xlators-3.12.2-25.el7.x86_64.rpm SHA-256: 726fb86fd421db9073d7016892e30a06d46b03fc17e336836f9896f76899ec6c
    glusterfs-debuginfo-3.12.2-25.el7.x86_64.rpm SHA-256: 626292ba146eaf94e53c40657175dde8c5fe6b69ccc598047e9d61df87b548bc
    glusterfs-devel-3.12.2-25.el7.x86_64.rpm SHA-256: a4b8c3ce8abe8858370d7c13057f907cbf1c5c5ffee9f66dd0123cdc07bd0a3d
    glusterfs-fuse-3.12.2-25.el7.x86_64.rpm SHA-256: 8a7554ef98698d0ffd1d7c4dda74be3a40aabf8f474e5196829c8ec77717d6f6
    glusterfs-libs-3.12.2-25.el7.x86_64.rpm SHA-256: ba48821033515b60ce2ad9980d6b8b35618d9ff33ac1c7c9db78e59247364103
    glusterfs-rdma-3.12.2-25.el7.x86_64.rpm SHA-256: 7f5d8ee5664e8d4c369bb1b8db064f0118fa4978d5583ca6a7792713623dda2f
    python2-gluster-3.12.2-25.el7.x86_64.rpm SHA-256: ee9caa6cada9bf40f15ee7625bc8efd3e309dd006e866468e8900521610d0646

    Red Hat Gluster Storage Server for On-premise 3 for RHEL 7

    SRPM
    glusterfs-3.12.2-25.el7rhgs.src.rpm SHA-256: 985e745e8131db2d7b8167ca08b8b3f551dfb542864c83065666464abb9dbad6
    redhat-storage-server-3.4.1.0-1.el7rhgs.src.rpm SHA-256: a271926cfe967de0506983c2d11bc0777e9c49979350cbf89301cd70ec676460
    x86_64
    glusterfs-3.12.2-25.el7rhgs.x86_64.rpm SHA-256: 99da66c1475fb981a9248d44ae3fd796a648dd9f810003ec6495df8ee034857b
    glusterfs-api-3.12.2-25.el7rhgs.x86_64.rpm SHA-256: c5d3bd14630f9c327060e86ee4d71131c930614fabec550924abefca66dc26cc
    glusterfs-api-devel-3.12.2-25.el7rhgs.x86_64.rpm SHA-256: c389eed641776945d47c4f80503b4176554d3dc71f1f303858078cef9801cc49
    glusterfs-cli-3.12.2-25.el7rhgs.x86_64.rpm SHA-256: ed9115795cf1dfa5a671e9bc1dc9ce3d31bd26f89b6ac08e6982ebd896107bc9
    glusterfs-client-xlators-3.12.2-25.el7rhgs.x86_64.rpm SHA-256: 9c68a7a9e576bab5cfde7c8cf57c9390a069dcc2cc621c67b83ebbffe7fdbf72
    glusterfs-debuginfo-3.12.2-25.el7rhgs.x86_64.rpm SHA-256: a0f8cd352d9b9aed6f8c4dd15e4c97b456cdcc8267994de55a4da7c68a7e69b5
    glusterfs-devel-3.12.2-25.el7rhgs.x86_64.rpm SHA-256: f0964b6ae00017ae972299ba1ed8d47afec1929469096547d8ed2c6f4a71289e
    glusterfs-events-3.12.2-25.el7rhgs.x86_64.rpm SHA-256: 45c71127a16eaea4c2afd99197299e3c952d99691258480bf187f6e3f6f7f53b
    glusterfs-fuse-3.12.2-25.el7rhgs.x86_64.rpm SHA-256: 002bcb028ed8c06e9005ddcaac2bf3fe278eb21254049d03076aba05272e8239
    glusterfs-ganesha-3.12.2-25.el7rhgs.x86_64.rpm SHA-256: e25d519267ddaa612c0e29ae6535e2ec2df86e7c16c18379adfbf75745661ae6
    glusterfs-geo-replication-3.12.2-25.el7rhgs.x86_64.rpm SHA-256: 36f30cba0439a742c7afafe8a656a016159e125b7d38eb8952631378046fe266
    glusterfs-libs-3.12.2-25.el7rhgs.x86_64.rpm SHA-256: b05a492e168cbff2149728c6c5b6f932e5bea64e5ad0911f6e6284e3e6ea4234
    glusterfs-rdma-3.12.2-25.el7rhgs.x86_64.rpm SHA-256: 8ed5cb6a84768bded65e4a79fc9aa6dc3e8893e677569de71d259dc5fd96eb4b
    glusterfs-resource-agents-3.12.2-25.el7rhgs.noarch.rpm SHA-256: 153f92fad7706d4b89ea480f23d68b4db6457a11d8a2b56ef8fa1880ae9a3a00
    glusterfs-server-3.12.2-25.el7rhgs.x86_64.rpm SHA-256: 7ff701ed142a82eb615e4caad3a1c40b7574031e139a4285499621c68ce4c426
    python2-gluster-3.12.2-25.el7rhgs.x86_64.rpm SHA-256: dee559326241a4150d0ec3d421bf7650cfbdca70f5d9826bcaf1fce4fc8b26e7
    redhat-storage-server-3.4.1.0-1.el7rhgs.noarch.rpm SHA-256: 6bc7d7da227358a5c2eeca29e781ea3ef29677922f0e2a60e1ba8bd28ad5fa44
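The check an administrator wants after reading this advisory is whether the glusterfs packages installed on a host are at or above the fixed builds listed in the table above. The script below is an added example, not Red Hat's or the GlusterFS project's code: it ports rpm's rpmvercmp() version ordering to Python and audits `rpm -qa` output against the version/release pairs from the package table (3.12.2-25.el7 for the RHEL 7 channel, 3.12.2-25.el7rhgs for Red Hat Gluster Storage 3, and redhat-storage-server 3.4.1.0-1.el7rhgs). The sample `rpm -qa` lines, including the pre-fix release number 18, are constructed for the example, and the comparison assumes the installed and fixed packages carry the same epoch, since `rpm -qa` does not print one.

```python
"""Audit `rpm -qa` output against the package versions shipped in RHSA-2018:3432.

Added example (not Red Hat's code). Fixed versions are copied from the
advisory's package table; the sample `rpm -qa` lines are constructed.
"""
import re
import string

# Package names and fixed version-release taken from the advisory table.
GLUSTERFS_PACKAGES = {
    "glusterfs", "glusterfs-api", "glusterfs-api-devel", "glusterfs-cli",
    "glusterfs-client-xlators", "glusterfs-debuginfo", "glusterfs-devel",
    "glusterfs-events", "glusterfs-fuse", "glusterfs-ganesha",
    "glusterfs-geo-replication", "glusterfs-libs", "glusterfs-rdma",
    "glusterfs-resource-agents", "glusterfs-server", "python2-gluster",
}
FIXED_GLUSTERFS_VERSION = "3.12.2"
FIXED_GLUSTERFS_RELEASE = "25"          # 25.el7 (RHEL 7) / 25.el7rhgs (RHGS 3)
FIXED_RHSS = ("3.4.1.0", "1.el7rhgs")   # redhat-storage-server

_ALNUM = set(string.ascii_letters + string.digits)


def rpmvercmp(a: str, b: str) -> int:
    """Python port of rpm's rpmvercmp(); returns -1, 0 or 1 like strcmp.

    Versions are walked segment by segment: digit runs compare numerically,
    letter runs compare lexically, a digit run beats a letter run at the same
    position, and '~' sorts before everything (pre-release marker).
    """
    i = j = 0
    while i < len(a) or j < len(b):
        # Skip separator characters ('.', '-', '_', ...) on both sides.
        while i < len(a) and a[i] not in _ALNUM and a[i] != "~":
            i += 1
        while j < len(b) and b[j] not in _ALNUM and b[j] != "~":
            j += 1
        tilde_a = i < len(a) and a[i] == "~"
        tilde_b = j < len(b) and b[j] == "~"
        if tilde_a or tilde_b:              # the side with '~' is older
            if not tilde_a:
                return 1
            if not tilde_b:
                return -1
            i, j = i + 1, j + 1
            continue
        if i >= len(a) or j >= len(b):
            break
        isnum = a[i].isdigit()
        pattern = r"\d+" if isnum else r"[A-Za-z]+"
        seg_a = re.match(pattern, a[i:]).group(0)
        match_b = re.match(pattern, b[j:])
        if match_b is None:                 # segment types differ: numeric wins
            return 1 if isnum else -1
        seg_b = match_b.group(0)
        i, j = i + len(seg_a), j + len(seg_b)
        if isnum:
            seg_a, seg_b = seg_a.lstrip("0"), seg_b.lstrip("0")
            if len(seg_a) != len(seg_b):    # longer number is larger
                return 1 if len(seg_a) > len(seg_b) else -1
        if seg_a != seg_b:
            return 1 if seg_a > seg_b else -1
    if i >= len(a) and j >= len(b):
        return 0
    return -1 if i >= len(a) else 1        # leftover characters win


def compare_vr(installed, fixed) -> int:
    """Compare (version, release) pairs the way rpm does (epoch assumed equal)."""
    c = rpmvercmp(installed[0], fixed[0])
    return c if c else rpmvercmp(installed[1], fixed[1])


_NVRA = re.compile(r"^(?P<name>.+)-(?P<ver>[^-]+)-(?P<rel>[^-]+)\.(?P<arch>[^.]+)$")


def parse_nvra(line):
    """Split 'name-version-release.arch' as printed by `rpm -qa`."""
    m = _NVRA.match(line.strip())
    return m.groups() if m else None


def fixed_vr_for(name, release):
    """Fixed (version, release) for a package shipped by the advisory, else None."""
    if name in GLUSTERFS_PACKAGES:
        dist = "el7rhgs" if "el7rhgs" in release else "el7"
        return (FIXED_GLUSTERFS_VERSION, FIXED_GLUSTERFS_RELEASE + "." + dist)
    if name == "redhat-storage-server":
        return FIXED_RHSS
    return None


def audit_rpm_qa(lines):
    """Map each advisory package found in `lines` to 'fixed' or 'vulnerable'."""
    verdict = {}
    for line in lines:
        parsed = parse_nvra(line)
        if parsed is None:
            continue
        name, ver, rel, _arch = parsed
        fixed = fixed_vr_for(name, rel)
        if fixed is None:                   # not covered by this advisory
            continue
        verdict[name] = "fixed" if compare_vr((ver, rel), fixed) >= 0 else "vulnerable"
    return verdict


# Constructed sample output; release 18 is an invented pre-fix build number.
SAMPLE_RPM_QA = """\
glusterfs-server-3.12.2-18.el7rhgs.x86_64
glusterfs-libs-3.12.2-25.el7rhgs.x86_64
glusterfs-fuse-3.12.2-25.el7.x86_64
glusterfs-cli-3.12.2-18.el7.x86_64
redhat-storage-server-3.4.0.0-1.el7rhgs.noarch
openssl-1.0.2k-16.el7.x86_64
""".splitlines()

if __name__ == "__main__":
    # On a real host, feed in subprocess.run(["rpm", "-qa"], capture_output=True,
    # text=True).stdout.splitlines() instead of the constructed sample.
    for name, status in sorted(audit_rpm_qa(SAMPLE_RPM_QA).items()):
        print(f"{name:24s} {status}")
```

Version ordering is the part people get wrong when scripting this by hand: a plain string comparison puts 3.12.2-25 before 3.12.2-9, and pre-release tags such as 1.0~rc1 must sort below 1.0, which is why the block carries a faithful rpmvercmp() rather than a split-on-dots shortcut. A version check only says whether the fix is installed; verifying that the RPMs themselves are genuine is a separate step done with the SHA-256 values in the table above and the package signatures from the Product Signing (GPG) Keys page.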

    The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.
