Possible RCE via Heketi server API - CVE-2017-15103

Public Date: November 20, 2017, 15:28
Updated: December 20, 2017, 23:25
Status: Resolved
Impact: Important

Red Hat Product Security has been made aware of two vulnerabilities affecting Heketi in Red Hat Gluster Storage 3. They have been assigned CVE-2017-15103 and CVE-2017-15104, were publicly disclosed on December 18, 2017, and are rated Important and Low, respectively. This page covers CVE-2017-15103, the OS command injection flaw.

Background Information

Heketi is a RESTful management service that exposes an API for managing GlusterFS nodes and volumes. Heketi users and administrators, and platforms such as OpenShift on their behalf, call this API to provision storage.

An OS command injection flaw was found in the Heketi API. Heketi does not properly validate the parameters it receives in requests such as adding a node or creating a volume before using them to build the OS commands it executes on the GlusterFS nodes it manages. An authenticated Heketi administrator or user can therefore embed shell commands in those parameters and have them run on the nodes controlled by Heketi, which amounts to remote code execution. If authentication is enabled in /etc/heketi/heketi.json (use_auth set to true), an attacker first needs the admin or user secret key that Heketi uses to validate its JWT tokens. Because use_auth is false in the default configuration, any client that can reach the Heketi API can trigger this flaw without any credentials.

Depending on how OpenShift is deployed, the Heketi API may be reachable from public networks, since it is exposed wherever OpenShift itself is reachable. Public access to the Heketi server API therefore cannot be ruled out.

Acknowledgments

Red Hat would like to thank Markus Krell (NTT Security) for reporting CVE-2017-15103 and Siddharth Sharma (Red Hat) for reporting CVE-2017-15104.

Impacted Products

The following Red Hat product versions are impacted:

  • Red Hat Gluster Storage 3
  • Container-Native Storage 3.6

Take Action

All Red Hat customers running affected versions of Heketi are strongly advised to apply the updates listed below as soon as they are available.

Updates for Affected Products

Product                     Package    Advisory/Update
Red Hat Gluster Storage 3   heketi     RHSA-2017:3481

Mitigation

Verify that authentication is enabled in the /etc/heketi/heketi.json configuration file (use_auth set to true) and that the admin and user secret keys in the jwt section are set to strong, distinct values rather than the sample placeholders. Heketi reads this file at startup, so restart the heketi service after changing it.
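The two settings named in the mitigation above can be checked mechanically. The following Python script is an added example, not part of this advisory or of the Heketi project. It assumes the upstream heketi.json layout, in which authentication is controlled by a top-level use_auth boolean and the admin and user secrets live under jwt.admin.key and jwt.user.key; it treats the empty string and the upstream sample value "My Secret" as placeholders, and the 16-character minimum is a threshold chosen for this example. The two embedded configurations are constructed for illustration: the first mirrors the shipped default with authentication off, the second is a hardened counterpart.

```python
"""Audit a Heketi heketi.json for the mitigation recommended above.

Added example; not code from the Red Hat advisory or the Heketi project.
Assumes the upstream heketi.json layout (top-level "use_auth" boolean,
"jwt" object with "admin" and "user" entries that each carry a "key").
"""
import json

# Values that should never be used as a Heketi secret. "My Secret" is the
# value in the upstream sample config; flagging it is an assumption here.
PLACEHOLDER_KEYS = {"", "My Secret"}
MIN_KEY_LENGTH = 16  # assumption: threshold chosen for this example

# Constructed config resembling the shipped default: authentication is off,
# so anyone who can reach TCP 8080 can call the node and volume API.
DEFAULT_CONFIG = """{
  "port": "8080",
  "use_auth": false,
  "jwt": {
    "admin": { "key": "My Secret" },
    "user":  { "key": "My Secret" }
  },
  "glusterfs": { "executor": "ssh" }
}"""

# Constructed hardened config: authentication on, distinct random keys
# (the hex strings below were made up for this example).
HARDENED_CONFIG = """{
  "port": "8080",
  "use_auth": true,
  "jwt": {
    "admin": { "key": "c1f4b0c0d9e14b2a8f6e3d7a5b9c2e1f" },
    "user":  { "key": "7a2e9d4c1b8f6e0a3c5d7f9b2e4a6c8d" }
  },
  "glusterfs": { "executor": "ssh" }
}"""


def audit_heketi_config(config_text):
    """Return a list of findings for a heketi.json body; empty means it passes."""
    findings = []
    try:
        cfg = json.loads(config_text)
    except json.JSONDecodeError as exc:
        return ["config is not valid JSON: %s" % exc]

    # use_auth must be the JSON boolean true; anything else leaves the API open.
    if cfg.get("use_auth") is not True:
        findings.append('"use_auth" is not true: the API accepts unauthenticated requests')

    jwt = cfg.get("jwt") or {}
    acceptable = {}
    for role in ("admin", "user"):
        key = (jwt.get(role) or {}).get("key")
        if not isinstance(key, str) or key in PLACEHOLDER_KEYS:
            findings.append("jwt.%s.key is missing or a placeholder value" % role)
        elif len(key) < MIN_KEY_LENGTH:
            findings.append("jwt.%s.key is shorter than %d characters" % (role, MIN_KEY_LENGTH))
        else:
            acceptable[role] = key

    # A shared secret lets a holder of the user key mint admin tokens.
    if len(acceptable) == 2 and acceptable["admin"] == acceptable["user"]:
        findings.append("jwt.admin.key equals jwt.user.key: the user secret also grants admin access")
    return findings


def audit_heketi_file(path="/etc/heketi/heketi.json"):
    """Audit an on-disk configuration file (default: the path named in the advisory)."""
    with open(path) as fh:
        return audit_heketi_config(fh.read())


if __name__ == "__main__":
    for name, text in (("default", DEFAULT_CONFIG), ("hardened", HARDENED_CONFIG)):
        problems = audit_heketi_config(text)
        print("%s config: %s" % (name, "OK" if not problems else "%d finding(s)" % len(problems)))
        for problem in problems:
            print("  - " + problem)
```

Run it against a live host with audit_heketi_file() after the package update; an empty result means authentication is on and both secrets are set, which is the state the mitigation asks for. Note that use_auth alone is not enough: with placeholder or shared keys, anyone who can guess or obtain the user secret still reaches the vulnerable code paths.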

Another possible mitigation is restricting TCP port 8080 at the firewall so that only trusted IP addresses can connect. This reduces exposure but does not remove it: any host on the allow list, or an attacker able to spoof or compromise one, can still reach the API, so network filtering complements enabling authentication rather than replacing it.
