Detections
Analytics

RHEL 7 : heketi (RHSA-2017:3481)

high Nessus Plugin ID 105407

Language:

Synopsis

The remote Red Hat host is missing one or more security updates.

Description

An update for heketi is now available for Red Hat Gluster Storage 3.3 for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Heketi provides a RESTful management interface which can be used to manage the life cycle of GlusterFS volumes. With Heketi, cloud services like OpenStack Manila, Kubernetes, and OpenShift can dynamically provision GlusterFS volumes with any of the supported durability types. Heketi will automatically determine the location for bricks across the cluster, making sure to place bricks and its replicas across different failure domains. Heketi also supports any number of GlusterFS clusters, allowing cloud services to provide network file storage without being limited to a single GlusterFS cluster.

Security Fix(es) :

* A security-check flaw was found in the way the Heketi server API handled user requests. An authenticated Heketi user could send specially crafted requests to the Heketi server, resulting in remote command execution as the user running Heketi server and possibly privilege escalation. (CVE-2017-15103)

* An access flaw was found in heketi, where the heketi.json configuration file was world readable. An attacker having local access to the Heketi server could read plain-text passwords from the heketi.json file. (CVE-2017-15104)

Red Hat would like to thank Markus Krell (NTT Security) for reporting CVE-2017-15103. The CVE-2017-15104 issue was discovered by Siddharth Sharma (Red Hat).

Solution

Update the affected heketi, heketi-client and / or python-heketi packages.

See Also

https://access.redhat.com/errata/RHSA-2017:3481

https://access.redhat.com/security/cve/cve-2017-15103

https://access.redhat.com/security/cve/cve-2017-15104

Plugin Details

Severity: High

ID: 105407

File Name: redhat-RHSA-2017-3481.nasl

Version: 3.7

Type: local

Agent: unix

Published: 12/21/2017

Updated: 10/24/2019

Supported Sensors: Frictionless Assessment AWS, Frictionless Assessment Azure, Frictionless Assessment Agent, Nessus Agent, Agentless Assessment, Continuous Assessment, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 5.9

CVSS v2

Risk Factor: High

Base Score: 9

Temporal Score: 6.7

Vector: CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C

CVSS v3

Risk Factor: High

Base Score: 8.8

Temporal Score: 7.7

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:redhat:enterprise_linux:heketi-client, p-cpe:/a:redhat:enterprise_linux:heketi, p-cpe:/a:redhat:enterprise_linux:python-heketi, cpe:/o:redhat:enterprise_linux:7

Required KB Items: Host/local_checks_enabled, Host/RedHat/release, Host/RedHat/rpm-list, Host/cpu

Exploit Ease: No known exploits are available

Patch Publication Date: 12/18/2017

Vulnerability Publication Date: 12/18/2017

Reference Information

CVE: CVE-2017-15103, CVE-2017-15104

RHSA: 2017:3481