Issued:: 2020-12-17
Updated:: 2020-12-17

RHSA-2020:5599 - Security Advisory

Overview
Updated Packages

Synopsis

Important: web-admin-build security and bug fix update

Type/Severity

Security Advisory: Important

Red Hat Insights patch analysis

Identify and remediate systems affected by this advisory.

View affected systems

Topic

Updated web-admin-build packages that fixes one bug are now available for Red Hat Gluster Storage 3.5 on Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

Red Hat Gluster Storage is software only scale-out storage solution that
provides flexible and affordable unstructured data storage. It unifies data
storage and infrastructure, increases performance, and improves
availability and manageability to meet enterprise-level storage challenges.

Security Fix(es):

grafana: SSRF incorrect access control vulnerability allows unauthenticated users to make grafana send HTTP requests to any URL (CVE-2020-13379)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

This advisory fixes the following bug:

Previously, tendrl-node-agent service was unable to import the cluster in a VMware environment as tendrl was looking for the serial number of the devices. With the current update, tendrl-node-agent service is able to import the cluster in a VMware environment without failure as the hardware_id and parent_id of the devices are used after proper validation instead of the serial number. (BZ#1809920)

Users of web-admin-build with Red Hat Gluster Storage are advised to upgrade to these updated packages.

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

Affected Products

Red Hat Gluster Storage Server for On-premise 3 for RHEL 7 x86_64
Red Hat Gluster Storage Web Administration (for RHEL Server) 3.1 x86_64

Fixes

BZ - 1809920 - [TestOnly][RHEL 7 only]QE Web Admin on VMWare platform
BZ - 1843640 - CVE-2020-13379 grafana: SSRF incorrect access control vulnerability allows unauthenticated users to make grafana send HTTP requests to any URL

CVEs

CVE-2020-13379

References

https://access.redhat.com/security/updates/classification/#important

Note: More recent versions of these packages may be available. Click a package name for more details.

Red Hat Gluster Storage Server for On-premise 3 for RHEL 7

SRPM
tendrl-node-agent-1.6.3-20.el7rhgs.src.rpm	SHA-256: ebd2e1f52e7e2ad4053633e767d35b4ea36e52127f48ebea0bb96002a66b16fe
x86_64
tendrl-node-agent-1.6.3-20.el7rhgs.noarch.rpm	SHA-256: 8a2bdbac1529e8fe4f17ea50000859ba1c0402ec363359ea093978bdce136a6d

Red Hat Gluster Storage Web Administration (for RHEL Server) 3.1

SRPM
grafana-5.2.4-3.el7rhgs.src.rpm	SHA-256: f87998fec91d824e34a29443ed2e2f72fccf7354fb83058a5f046689be74d29d
python-django-1.11.27-1.el7rhgs.src.rpm	SHA-256: 3e3bedd792405fc3e39dd3e481ebf77d2c775036200593422eb5648838da50d5
tendrl-monitoring-integration-1.6.3-23.el7rhgs.src.rpm	SHA-256: 380feaf6984f28d3d3c7b907efa68998006c30ca6a44670b1a949a32ba8e94d6
tendrl-node-agent-1.6.3-20.el7rhgs.src.rpm	SHA-256: ebd2e1f52e7e2ad4053633e767d35b4ea36e52127f48ebea0bb96002a66b16fe
x86_64
grafana-5.2.4-3.el7rhgs.x86_64.rpm	SHA-256: 60178fcc43ae86884ce719b417104363dac4e388168675308f8503cf5c60cc14
python-django-bash-completion-1.11.27-1.el7rhgs.noarch.rpm	SHA-256: e31776d5d323fc16c7b3913dfd3cde5c71fddbebdb39758fe4da7222180af74d
python2-django-1.11.27-1.el7rhgs.noarch.rpm	SHA-256: 2d874a6f4e963264f1c06897e722698a17eaca2b9c8b74679bedb8ec648a2426
python2-django-doc-1.11.27-1.el7rhgs.noarch.rpm	SHA-256: 7ebc7c2dd7c5c2935237c400aa3d6f99cf4dfda0b308f8d7fa78c131e3e22182
tendrl-grafana-plugins-1.6.3-23.el7rhgs.noarch.rpm	SHA-256: ad36ba3bc1cdd95450876be050396505221910d28d0b31b9f2507c8ba75050ce
tendrl-monitoring-integration-1.6.3-23.el7rhgs.noarch.rpm	SHA-256: 9e3864e044a67c7adcc45c869d30c996c24fdd486c46b3d1922fa5768d11335c
tendrl-node-agent-1.6.3-20.el7rhgs.noarch.rpm	SHA-256: 8a2bdbac1529e8fe4f17ea50000859ba1c0402ec363359ea093978bdce136a6d

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.

Select Your Language

Infrastructure and Management

Cloud Computing

Storage

Runtimes

Integration and Automation