Red Hat Product Errata RHSA-2018:3829 - Security Advisory

Issued:: 2018-12-17
Updated:: 2018-12-17

RHSA-2018:3829 - Security Advisory

Overview
Updated Packages

Synopsis

Moderate: RHGS WA security and bug fix update

Type/Severity

Security Advisory: Moderate

Topic

Updated packages are now available for Red Hat Gluster Storage 3.4 Web Administration on Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

Red Hat Gluster Storage Web Administration includes a fully automated setup based on Ansible and provides deep metrics and insights into active Gluster storage pools by using the Grafana platform. Red Hat Gluster Storage Web Administration provides a dashboard view which allows an administrator to get a view of overall gluster health in terms of hosts, volumes, bricks, and other components of GlusterFS.

Security Fix(es):

grafana: authentication bypass knowing only a username of an LDAP or OAuth user (CVE-2018-15727)

For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.

All users of Red Hat Gluster Storage Web Administration are advised to upgrade to these updated packages, which provide numerous bug fixes.

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

Affected Products

Red Hat Gluster Storage Server for On-premise 3 for RHEL 7 x86_64
Red Hat Gluster Storage Web Administration (for RHEL Server) 3 x86_64

Fixes

BZ - 1599291 - Strange behavior of closing functionality of list of hosts popup window
BZ - 1610668 - Multiple popups are created when deleting user
BZ - 1611991 - Unmanage information and confirmation popups are created multiple times
BZ - 1624088 - CVE-2018-15727 grafana: authentication bypass knowing only a username of an LDAP or OAuth user
BZ - 1627651 - Upgrade patternfly version
BZ - 1627988 - Tendrl Branding changes
BZ - 1629520 - Fix context switcher CSS issue
BZ - 1630344 - Somtimes node-agent message socket file "message.sock" is missing
BZ - 1641413 - Volume utilization calculation not happening for all volumes when any one volume bricks are down
BZ - 1642574 - don't open port 3000/tcp on WA server for grafana
BZ - 1650557 - Grafana is not working after WA upgrade to BU2
BZ - 1656057 - Utilization alerts are not working
BZ - 1656064 - Capacity alerts are not working

CVEs

CVE-2018-15727

References

https://access.redhat.com/security/updates/classification/#moderate

Note: More recent versions of these packages may be available. Click a package name for more details.

Red Hat Gluster Storage Server for On-premise 3 for RHEL 7

SRPM
tendrl-gluster-integration-1.6.3-13.el7rhgs.src.rpm	SHA-256: 2c7f7995bdaa226e84a695ffad46597cdbd885cbe4f9af6c6e0de9379db7d10e
tendrl-node-agent-1.6.3-11.el7rhgs.src.rpm	SHA-256: c33ec59572f7e41096e8da92f020d0306f1228f897da664bdb0c7fa78cc52f2b
x86_64
tendrl-gluster-integration-1.6.3-13.el7rhgs.noarch.rpm	SHA-256: 6c15cc19a7a0cae27a6f9858c42910a3f3281f6596780ebe1e7ba27083d4e5ad
tendrl-node-agent-1.6.3-11.el7rhgs.noarch.rpm	SHA-256: c93111529b9052f40765def615c93acb9f28c1a4a4c1e7851d3f39259cced455

Red Hat Gluster Storage Web Administration (for RHEL Server) 3

SRPM
grafana-4.6.4-1.el7rhgs.src.rpm	SHA-256: d2fc7636bcebc20dfb81a731996b5ae6f0ee2e5309cb1afa6bdedce0a3925e7b
tendrl-ansible-1.6.3-10.el7rhgs.src.rpm	SHA-256: e1b21eeebdc0fb963c65f98dab0e8514d3bd80346efd1e2657fe0b40b4aaeb83
tendrl-api-1.6.3-8.el7rhgs.src.rpm	SHA-256: 22b6dd5418cb1d11596ee38987e2a8284ae7e2db7040422f73be2e584e73603d
tendrl-monitoring-integration-1.6.3-16.el7rhgs.src.rpm	SHA-256: 31958d287b8f1542714350bae6b29dd801e15f029852c523d7e0d4d498bac74e
tendrl-node-agent-1.6.3-11.el7rhgs.src.rpm	SHA-256: c33ec59572f7e41096e8da92f020d0306f1228f897da664bdb0c7fa78cc52f2b
tendrl-ui-1.6.3-14.el7rhgs.src.rpm	SHA-256: 2682f245cbf3f0094ea007227cc12b8597132b0e736cf55a049634d1159a2805
x86_64
grafana-4.6.4-1.el7rhgs.x86_64.rpm	SHA-256: 867e33e1dfb919348499c177969579b0b653837440b5ecae526b7d0874ff6470
tendrl-ansible-1.6.3-10.el7rhgs.noarch.rpm	SHA-256: 6f8d657602aed1ef98dfb0d007b4c0663ef15ec6497bce43e338df141c9c1cba
tendrl-api-1.6.3-8.el7rhgs.noarch.rpm	SHA-256: 61653d455107d05dc42577fd486bb88bb476c2f2dfbd45e8a056d5c11ee1d59e
tendrl-api-httpd-1.6.3-8.el7rhgs.noarch.rpm	SHA-256: 4bccea431d4f335c159573d0fe375d262976edc90f45a5c7c46cffce7115dd9a
tendrl-grafana-plugins-1.6.3-16.el7rhgs.noarch.rpm	SHA-256: b64d8f13d2a166eb64dd35ba97d67c25d1de6ad11e21bfada54be5b71f82103c
tendrl-monitoring-integration-1.6.3-16.el7rhgs.noarch.rpm	SHA-256: 3d8d2b7c0bc08f4fbcd69d978d6c3409366fd6296ad29ef20bcc4e50a0c7f0df
tendrl-node-agent-1.6.3-11.el7rhgs.noarch.rpm	SHA-256: c93111529b9052f40765def615c93acb9f28c1a4a4c1e7851d3f39259cced455
tendrl-ui-1.6.3-14.el7rhgs.noarch.rpm	SHA-256: 47ee72cf567f60a86c366626c356fc9caba8fcf1c68b22c1c9a58c5a98aa3dfa

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.

Log in to Your Red Hat Account

Red Hat Account

Customer Portal

Select Your Language

Infrastructure and Management

Cloud Computing

Storage

JBoss Development and Management

JBoss Integration and Automation

Mobile

Services

Tools

Red Hat Product Security Center

Security Updates

Resources

Customer Portal Community

Customer Events

Stories