RHEL 7 : Gluster Storage (RHSA-2017:0486)

high Nessus Plugin ID 97929

Synopsis

The remote Red Hat host is missing one or more security updates.

Description

An update is now available for Red Hat Gluster Storage 3.2 on Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Red Hat Gluster Storage is a software only scale-out storage solution that provides flexible and affordable unstructured data storage. It unifies data storage and infrastructure, increases performance, and improves availability and manageability to meet enterprise-level storage challenges.

The following packages have been upgraded to a later upstream version:
glusterfs (3.8.4), redhat-storage-server (3.2.0.2), vdsm (4.17.33).
(BZ# 1362376)

Security Fix(es) :

* It was found that glusterfs-server RPM package would write file with predictable name into world readable /tmp directory. A local attacker could potentially use this flaw to escalate their privileges to root by modifying the shell script during the installation of the glusterfs-server package. (CVE-2015-1795)

This issue was discovered by Florian Weimer of Red Hat Product Security.

Bug Fix(es) :

* Bricks remain stopped if server quorum is no longer met, or if server quorum is disabled, to ensure that bricks in maintenance are not started incorrectly. (BZ#1340995)

* The metadata cache translator has been updated to improve Red Hat Gluster Storage performance when reading small files. (BZ#1427783)

* The 'gluster volume add-brick' command is no longer allowed when the replica count has increased and any replica bricks are unavailable.
(BZ# 1404989)

* Split-brain resolution commands work regardless of whether client-side heal or the self-heal daemon are enabled. (BZ#1403840)

Enhancement(s) :

* Red Hat Gluster Storage now provides Transport Layer Security support for Samba and NFS-Ganesha. (BZ#1340608, BZ#1371475)

* A new reset-sync-time option enables resetting the sync time attribute to zero when required. (BZ#1205162)

* Tiering demotions are now triggered at most 5 seconds after a hi-watermark breach event. Administrators can use the cluster.tier-query-limit volume parameter to specify the number of records extracted from the heat database during demotion. (BZ#1361759)

* The /var/log/glusterfs/etc-glusterfs-glusterd.vol.log file is now named / var/log/glusterfs/glusterd.log. (BZ#1306120)

* The 'gluster volume attach-tier/detach-tier' commands are considered deprecated in favor of the new commands, 'gluster volume tier VOLNAME attach/detach'. (BZ#1388464)

* The HA_VOL_SERVER parameter in the ganesha-ha.conf file is no longer used by Red Hat Gluster Storage. (BZ#1348954)

* The volfile server role can now be passed to another server when a server is unavailable. (BZ#1351949)

* Ports can now be reused when they stop being used by another service. (BZ# 1263090)

* The thread pool limit for the rebalance process is now dynamic, and is determined based on the number of available cores. (BZ#1352805)

* Brick verification at reboot now uses UUID instead of brick path.
(BZ# 1336267)

* LOGIN_NAME_MAX is now used as the maximum length for the slave user instead of __POSIX_LOGIN_NAME_MAX, allowing for up to 256 characters including the NULL byte. (BZ#1400365)

* The client identifier is now included in the log message to make it easier to determine which client failed to connect. (BZ#1333885)

Solution

Update the affected packages.

See Also

http://www.nessus.org/u?3a106d44

https://access.redhat.com/errata/RHSA-2017:0486

https://access.redhat.com/security/cve/cve-2015-1795

Plugin Details

Severity: High

ID: 97929

File Name: redhat-RHSA-2017-0486.nasl

Version: 3.13

Type: local

Agent: unix

Published: 3/24/2017

Updated: 10/24/2019

Supported Sensors: Frictionless Assessment AWS, Frictionless Assessment Azure, Frictionless Assessment Agent, Nessus Agent, Agentless Assessment, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 5.9

CVSS v2

Risk Factor: High

Base Score: 7.2

Temporal Score: 5.3

Vector: CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C

CVSS v3

Risk Factor: High

Base Score: 7.8

Temporal Score: 6.8

Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:redhat:enterprise_linux:glusterfs, p-cpe:/a:redhat:enterprise_linux:glusterfs-api, p-cpe:/a:redhat:enterprise_linux:glusterfs-api-devel, p-cpe:/a:redhat:enterprise_linux:glusterfs-cli, p-cpe:/a:redhat:enterprise_linux:glusterfs-client-xlators, p-cpe:/a:redhat:enterprise_linux:glusterfs-debuginfo, p-cpe:/a:redhat:enterprise_linux:glusterfs-devel, p-cpe:/a:redhat:enterprise_linux:glusterfs-events, p-cpe:/a:redhat:enterprise_linux:glusterfs-fuse, p-cpe:/a:redhat:enterprise_linux:glusterfs-ganesha, p-cpe:/a:redhat:enterprise_linux:glusterfs-geo-replication, p-cpe:/a:redhat:enterprise_linux:glusterfs-libs, p-cpe:/a:redhat:enterprise_linux:glusterfs-rdma, p-cpe:/a:redhat:enterprise_linux:glusterfs-server, p-cpe:/a:redhat:enterprise_linux:python-gluster, p-cpe:/a:redhat:enterprise_linux:redhat-storage-server, p-cpe:/a:redhat:enterprise_linux:vdsm, p-cpe:/a:redhat:enterprise_linux:vdsm-cli, p-cpe:/a:redhat:enterprise_linux:vdsm-debug-plugin, p-cpe:/a:redhat:enterprise_linux:vdsm-gluster, p-cpe:/a:redhat:enterprise_linux:vdsm-hook-ethtool-options, p-cpe:/a:redhat:enterprise_linux:vdsm-hook-faqemu, p-cpe:/a:redhat:enterprise_linux:vdsm-hook-openstacknet, p-cpe:/a:redhat:enterprise_linux:vdsm-hook-qemucmdline, p-cpe:/a:redhat:enterprise_linux:vdsm-infra, p-cpe:/a:redhat:enterprise_linux:vdsm-jsonrpc, p-cpe:/a:redhat:enterprise_linux:vdsm-python, p-cpe:/a:redhat:enterprise_linux:vdsm-tests, p-cpe:/a:redhat:enterprise_linux:vdsm-xmlrpc, p-cpe:/a:redhat:enterprise_linux:vdsm-yajsonrpc, cpe:/o:redhat:enterprise_linux:7

Required KB Items: Host/local_checks_enabled, Host/RedHat/release, Host/RedHat/rpm-list, Host/cpu

Exploit Ease: No known exploits are available

Patch Publication Date: 3/23/2017

Vulnerability Publication Date: 6/27/2017

Reference Information

CVE: CVE-2015-1795

RHSA: 2017:0486