USN-4770-1: GlusterFS vulnerabilities

15 March 2021

Several security issues were fixed in GlusterFS.

Reduce your security exposure

Ubuntu Pro provides ten-year security coverage to 25,000+ packages in Main and Universe repositories, and it is free for up to five machines.

Learn more about Ubuntu Pro

Releases

Packages

Details

It was discovered that GlusterFS incorrectly handled network requests. An
attacker could possibly use this issue to cause a denial of service. This issue
only affected Ubuntu 14.04 ESM. (CVE-2014-3619)

It was discovered that GlusterFS incorrectly handled user permissions. An
authenticated attacker could possibly use this to add himself to a trusted
storage pool and perform privileged operations on volumes. This issue only
affected Ubuntu 16.04 ESM and Ubuntu 18.04 ESM. (CVE-2018-10841)

It was discovered that GlusterFS incorrectly handled mounting gluster
volumes. An attacker could possibly use this issue to also mount shared
gluster volumes and escalate privileges through malicious cronjobs. This
issue only affected Ubuntu 16.04 ESM and Ubuntu 18.04 ESM. (CVE-2018-1088)

It was discovered that GlusterFS incorrectly handled file paths. An
attacker could possibly use this issue to create arbitrary files and
execute arbitrary code. (CVE-2018-10904)

It was discovered that GlusterFS incorrectly handled mounting volumes. An
attacker could possibly use this issue to cause a denial of service or run
arbitrary code. (CVE-2018-10907)

It was discovered that GlusterFS incorrectly handled negative key length
values. An attacker could possibly use this issue to obtain sensitive
information. (CVE-2018-10911)

It was discovered that GlusterFS incorrectly handled FUSE requests. An
attacker could use this issue to obtain sensitive information.
(CVE-2018-10913, CVE-2018-10914)

It was discovered that GlusterFS incorrectly handled the file creation
process. An authenticated attacker could possibly use this issue to create
arbitrary files and obtain sensitive information. (CVE-2018-10923)

It was discovered that GlusterFS incorrectly handled certain inputs. An
authenticated attacker could possibly use this issue to cause a denial of
service. This issue only affected Ubuntu 18.04 ESM. (CVE-2018-10924)

It was discovered that GlusterFS incorrectly handled RPC requests. An
attacker could possibly use this issue to write files to an arbitrary
location and execute arbitrary code. (CVE-2018-10926, CVE-2018-10927,
CVE-2018-10928, CVE-2018-10929, CVE-2018-10930)

It was discovered that the fix for CVE-2018-10926, CVE-2018-10927,
CVE-2018-10928, CVE-2018-10929, CVE-2018-10930 was incomplete. A remote
authenticated attacker could possibly use this issue to execute arbitrary
code or cause a denial of service. (CVE-2018-14651)

It was discovered that GlusterFS incorrectly handled certain files. A
remote authenticated attacker could possibly use this issue to cause a
denial of service. (CVE-2018-14652)

It was discovered that GlusterFS incorrectly handled RPC requests. A remote
authenticated attacker could possibly use this issue to cause a denial of
service or other unspecified impact. (CVE-2018-14653)

It was discovered that GlusterFS incorrectly handled mount volumes
operation. A remote attacker could possibly use this issue to create
arbitrary files. This issue only affected Ubuntu 18.04 ESM. (CVE-2018-14654)

It was discovered that GlusterFS incorrectly handled certain files. A
remote authenticated attacker could possibly use this issue to create
arbitrary files. (CVE-2018-14659)

It was discovered that GlusterFS incorrectly handled certain inputs. A
remote authenticated attacker could possibly use this is issue to cause a
denial of service. This issue only affected Ubuntu 18.04 ESM. (CVE-2018-14660)

It was discovered that GlusterFS incorrectly handled strings. A remote
authenticated attacker could possibly use this issue to cause a denial of
service. (CVE-2018-14661)

Reduce your security exposure

Ubuntu Pro provides ten-year security coverage to 25,000+ packages in Main and Universe repositories, and it is free for up to five machines.

Learn more about Ubuntu Pro

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 18.04
Ubuntu 16.04
Ubuntu 14.04

In general, a standard system update will make all the necessary changes.