CVE-2018-10913
An information disclosure vulnerability was discovered in glusterfs server. An attacker could issue a xattr request via glusterfs FUSE to determine the existence of any file.
Find out more about CVE-2018-10913 from the MITRE CVE dictionary dictionary and NIST NVD.
Statement
This issue did not affect Red Hat Enterprise Linux 6 and 7 as the flaw is present in glusterfs-server, which is not shipped there.
This flaw affects glusterfs versions included in Red Hat Virtualization 4 Hypervisor. However, in recommended configurations, the vulnerability is only exposed to hypervisor administrators and can not be exploited from virtual machines or other hosts on the network.
CVSS v3 metrics
| CVSS3 Base Score | 3.5 |
|---|---|
| CVSS3 Base Metrics | CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N |
| Attack Vector | Adjacent Network |
| Attack Complexity | Low |
| Privileges Required | Low |
| User Interaction | None |
| Scope | Unchanged |
| Confidentiality | Low |
| Integrity Impact | None |
| Availability Impact | None |
Red Hat Security Errata
| Platform | Errata | Release Date |
|---|---|---|
| Red Hat Storage Native Client for Red Hat Enterprise Linux 7 (glusterfs) | RHSA-2018:2607 | 2018-09-04 |
| Red Hat Gluster Storage 3.4 for RHEL 6 (glusterfs) | RHSA-2018:2608 | 2018-09-04 |
| Red Hat Storage Native Client for Red Hat Enterprise Linux 6 (glusterfs) | RHSA-2018:2608 | 2018-09-04 |
| Red Hat Gluster Storage 3.4 for RHEL 7 (glusterfs) | RHSA-2018:2607 | 2018-09-04 |
Affected Packages State
| Platform | Package | State |
|---|---|---|
| Red Hat Virtualization 4 | glusterfs | Affected |
| Red Hat Enterprise Linux 7 | glusterfs | Not affected |
| Red Hat Enterprise Linux 6 | glusterfs | Not affected |
Acknowledgements
Red Hat would like to thank Michael Hanselmann (hansmi.ch) for reporting this issue.Mitigation
SELinux mitigates this issue on Red Hat Gluster Storage 3. SELinux should be in enforcing mode only as permissive mode does not block attacks.