RHEL 7 : Red Hat Gluster Storage 3.2.0 (RHSA-2017:0486)

high Nessus Plugin ID 97929

Language:

Synopsis

The remote Red Hat host is missing a security update.

Description

The remote Redhat Enterprise Linux 7 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2017:0486 advisory.

Red Hat Gluster Storage is a software only scale-out storage solution that provides flexible and affordable unstructured data storage. It unifies data storage and infrastructure, increases performance, and improves availability and manageability to meet enterprise-level storage challenges.

The following packages have been upgraded to a later upstream version: glusterfs (3.8.4), redhat-storage- server (3.2.0.2), vdsm (4.17.33). (BZ#1362376)

Security Fix(es):

* It was found that glusterfs-server RPM package would write file with predictable name into world readable /tmp directory. A local attacker could potentially use this flaw to escalate their privileges to root by modifying the shell script during the installation of the glusterfs-server package.
(CVE-2015-1795)

This issue was discovered by Florian Weimer of Red Hat Product Security.

Bug Fix(es):

* Bricks remain stopped if server quorum is no longer met, or if server quorum is disabled, to ensure that bricks in maintenance are not started incorrectly. (BZ#1340995)

* The metadata cache translator has been updated to improve Red Hat Gluster Storage performance when reading small files. (BZ#1427783)

* The 'gluster volume add-brick' command is no longer allowed when the replica count has increased and any replica bricks are unavailable. (BZ#1404989)

* Split-brain resolution commands work regardless of whether client-side heal or the self-heal daemon are enabled. (BZ#1403840)

Enhancement(s):

* Red Hat Gluster Storage now provides Transport Layer Security support for Samba and NFS-Ganesha.
(BZ#1340608, BZ#1371475)

* A new reset-sync-time option enables resetting the sync time attribute to zero when required.
(BZ#1205162)

* Tiering demotions are now triggered at most 5 seconds after a hi-watermark breach event. Administrators can use the cluster.tier-query-limit volume parameter to specify the number of records extracted from the heat database during demotion. (BZ#1361759)

* The /var/log/glusterfs/etc-glusterfs-glusterd.vol.log file is now named /var/log/glusterfs/glusterd.log.
(BZ#1306120)

* The 'gluster volume attach-tier/detach-tier' commands are considered deprecated in favor of the new commands, 'gluster volume tier VOLNAME attach/detach'. (BZ#1388464)

* The HA_VOL_SERVER parameter in the ganesha-ha.conf file is no longer used by Red Hat Gluster Storage.
(BZ#1348954)

* The volfile server role can now be passed to another server when a server is unavailable. (BZ#1351949)

* Ports can now be reused when they stop being used by another service. (BZ#1263090)

* The thread pool limit for the rebalance process is now dynamic, and is determined based on the number of available cores. (BZ#1352805)

* Brick verification at reboot now uses UUID instead of brick path. (BZ#1336267)

* LOGIN_NAME_MAX is now used as the maximum length for the slave user instead of __POSIX_LOGIN_NAME_MAX, allowing for up to 256 characters including the NULL byte. (BZ#1400365)

* The client identifier is now included in the log message to make it easier to determine which client failed to connect. (BZ#1333885)

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Solution

Update the affected packages.

Plugin Details

Severity: High

ID: 97929

File Name: redhat-RHSA-2017-0486.nasl

Version: 3.14

Type: local

Agent: unix

Family: Red Hat Local Security Checks

Published: 3/24/2017

Updated: 3/20/2025

Supported Sensors: Frictionless Assessment AWS, Frictionless Assessment Azure, Frictionless Assessment Agent, Nessus Agent, Agentless Assessment, Continuous Assessment, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 5.9

Vendor

Vendor Severity: Moderate

CVSS v2

Risk Factor: High

Base Score: 7.2

Temporal Score: 5.3

Vector: CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2015-1795

CVSS v3

Risk Factor: High

Base Score: 7.8

Temporal Score: 6.8

Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:redhat:enterprise_linux:glusterfs-cli, p-cpe:/a:redhat:enterprise_linux:glusterfs-ganesha, p-cpe:/a:redhat:enterprise_linux:glusterfs-devel, p-cpe:/a:redhat:enterprise_linux:vdsm-infra, p-cpe:/a:redhat:enterprise_linux:vdsm-tests, p-cpe:/a:redhat:enterprise_linux:glusterfs-api, p-cpe:/a:redhat:enterprise_linux:glusterfs, p-cpe:/a:redhat:enterprise_linux:glusterfs-client-xlators, p-cpe:/a:redhat:enterprise_linux:vdsm-python, p-cpe:/a:redhat:enterprise_linux:vdsm-hook-openstacknet, p-cpe:/a:redhat:enterprise_linux:vdsm-jsonrpc, p-cpe:/a:redhat:enterprise_linux:glusterfs-rdma, p-cpe:/a:redhat:enterprise_linux:glusterfs-server, p-cpe:/a:redhat:enterprise_linux:glusterfs-events, p-cpe:/a:redhat:enterprise_linux:vdsm-hook-qemucmdline, p-cpe:/a:redhat:enterprise_linux:vdsm-hook-ethtool-options, p-cpe:/a:redhat:enterprise_linux:vdsm-xmlrpc, p-cpe:/a:redhat:enterprise_linux:glusterfs-api-devel, p-cpe:/a:redhat:enterprise_linux:glusterfs-fuse, p-cpe:/a:redhat:enterprise_linux:vdsm-gluster, p-cpe:/a:redhat:enterprise_linux:redhat-storage-server, p-cpe:/a:redhat:enterprise_linux:glusterfs-geo-replication, p-cpe:/a:redhat:enterprise_linux:vdsm-hook-faqemu, p-cpe:/a:redhat:enterprise_linux:vdsm, p-cpe:/a:redhat:enterprise_linux:vdsm-debug-plugin, p-cpe:/a:redhat:enterprise_linux:vdsm-yajsonrpc, p-cpe:/a:redhat:enterprise_linux:python-gluster, cpe:/o:redhat:enterprise_linux:7, p-cpe:/a:redhat:enterprise_linux:glusterfs-libs, p-cpe:/a:redhat:enterprise_linux:vdsm-cli

Required KB Items: Host/local_checks_enabled, Host/RedHat/release, Host/RedHat/rpm-list, Host/cpu

Exploit Ease: No known exploits are available

Patch Publication Date: 3/23/2017

Vulnerability Publication Date: 6/27/2017

Reference Information

CVE: CVE-2015-1795

CWE: 377

RHSA: 2017:0486

Detections

Analytics