Pickle Security Flaw in Object Store

Solution Verified - Updated -

Issue

  • Note that only users of Object Store (also known as gluster-swift or swiftonfile) are affected by the Pickle security flaw. Other Red Hat Gluster Storage users are unaffected.

  • In older versions of gluster-swift (also known as swiftonfile), the metadata stored as extended attributes (xattrs) of directories or files was serialized in Python's pickle format. Pickle deserialization is exploitable in deployments where a user has access to the backend file system over FUSE or SMB: deserializing pickled metadata can result in malicious code being executed if an attacker has stored a crafted pickle as an xattr through the file system interface.
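
The following is an added illustration, not code from Red Hat or the gluster-swift project, of the defensive pattern this issue calls for: store object metadata in a data-only format (JSON is assumed here as the replacement), refuse to unpickle anything read back from a user-writable xattr, and audit existing xattr values for legacy pickle data without executing them (pickletools.genops disassembles a pickle without loading it). The xattr key name and all sample values are constructed assumptions.

```python
import json
import pickle
import pickletools
from collections import OrderedDict

# Assumed xattr key name, modelled on the Swift convention; not taken from the page.
METADATA_XATTR_KEY = "user.swift.metadata"

# Pickle opcodes that cause class lookup or object construction at load time.
# A pickle containing any of these can run code when loaded; a dict of strings needs none of them.
CODE_OPCODES = {"GLOBAL", "STACK_GLOBAL", "INST", "OBJ", "NEWOBJ", "NEWOBJ_EX", "REDUCE", "BUILD"}


class UntrustedMetadataError(ValueError):
    """Raised when xattr metadata is not in the expected data-only format."""


def serialize_metadata(metadata: dict) -> bytes:
    """Encode metadata as JSON. JSON cannot express code or class references, so a
    file-system user who edits the xattr can at most corrupt the metadata."""
    return json.dumps(metadata, sort_keys=True).encode("utf-8")


def looks_like_pickle(blob: bytes) -> bool:
    """First-byte check. Protocol 2+ pickles begin with the PROTO opcode (0x80);
    protocol 0/1 pickles of dicts, lists or class references begin with '(', '}', ']' or 'c'.
    JSON objects begin with '{', so the two formats are distinguishable."""
    return blob[:1] in (b"\x80", b"(", b"}", b"]", b"c")


def pickle_opcode_names(blob: bytes) -> set:
    """Disassemble a pickle WITHOUT executing it and return the set of opcode names."""
    return {opcode.name for opcode, _arg, _pos in pickletools.genops(blob)}


def classify_pickle(blob: bytes) -> str:
    """'plain-data' if the pickle only builds primitives, 'code-bearing' if loading it
    would look up or construct objects. Used to prioritise cleanup of legacy xattrs."""
    return "code-bearing" if pickle_opcode_names(blob) & CODE_OPCODES else "plain-data"


def deserialize_metadata(blob: bytes) -> dict:
    """Decode metadata read from an xattr. Only JSON is accepted; pickle is never loaded."""
    if looks_like_pickle(blob):
        raise UntrustedMetadataError("refusing to unpickle metadata from a user-writable xattr")
    obj = json.loads(blob.decode("utf-8"))
    if not isinstance(obj, dict):
        raise UntrustedMetadataError("metadata must decode to a JSON object")
    return obj


def rejects_pickle(blob: bytes) -> bool:
    """True if deserialize_metadata refuses the blob as pickle data."""
    try:
        deserialize_metadata(blob)
    except UntrustedMetadataError:
        return True
    return False


def audit_xattrs(entries: dict) -> list:
    """Given {path: raw xattr bytes}, report every entry still carrying pickle data.
    Returns [(path, classification)], so operators can find legacy items before
    a file-system user can tamper with them."""
    findings = []
    for path, blob in sorted(entries.items()):
        if looks_like_pickle(blob):
            findings.append((path, classify_pickle(blob)))
    return findings


# Constructed samples standing in for xattr values read from the backend file system.
LEGACY_PLAIN = pickle.dumps({"X-Object-Meta-Color": "blue", "Content-Length": "12"}, protocol=2)
# An OrderedDict pickles with GLOBAL + REDUCE opcodes: harmless here, but the same opcode
# classes are what a hostile pickle relies on, so the auditor flags it.
LEGACY_WITH_GLOBAL = pickle.dumps(OrderedDict([("X-Object-Meta-Color", "blue")]), protocol=2)
JSON_BLOB = serialize_metadata({"X-Object-Meta-Color": "blue", "Content-Length": "12"})

SAMPLE_ENTRIES = {
    "/vol/acct/cont/obj1": LEGACY_PLAIN,
    "/vol/acct/cont/obj2": LEGACY_WITH_GLOBAL,
    "/vol/acct/cont/obj3": JSON_BLOB,
}

if __name__ == "__main__":
    for path, kind in audit_xattrs(SAMPLE_ENTRIES):
        print(f"{path}: legacy pickle metadata ({kind})")
    print("JSON round-trip:", deserialize_metadata(JSON_BLOB))
```

The auditor deliberately never calls pickle.loads: pickletools.genops only walks the opcode stream. Migrating legacy items means rewriting their metadata from a trusted source (the object's own headers or a re-stat of the file), not loading the old pickle and re-encoding it.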

Environment

  • Red Hat Gluster Storage Version 3.0
  • Red Hat Gluster Storage Version 3.1
  • Red Hat Gluster Storage Version 3.1 Update 1
