
Security Bulletin: Vulnerabilities in glusterfs affect PowerKVM

Published: 2018-12-17 14:30:02
Source: www.ibm.com
EPSS: 0.017 (percentile 87.8%)

Summary

PowerKVM is affected by vulnerabilities in glusterfs. IBM has now addressed these vulnerabilities.

Vulnerability Details

CVEID: CVE-2018-10913 DESCRIPTION: glusterfs could allow a remote attacker to obtain sensitive information, caused by improper handling of xattr request. By sending a specially-crafted request, a remote attacker could exploit this vulnerability to determine the existence of arbitrary files on the system.
CVSS Base Score: 4.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/149299> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

CVEID: CVE-2018-10911 DESCRIPTION: glusterfs could allow a remote authenticated attacker to obtain sensitive information, caused by improper handling of negative key length values in the dict.c:dict_unserialize function. By sending a specially-crafted request, a remote attacker could exploit this vulnerability to read memory from other locations into the stored dict value.
CVSS Base Score: 6.5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/149298> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)

CVEID: CVE-2018-10907 DESCRIPTION: glusterfs is vulnerable to a denial of service, caused by multiple stack-based buffer overflows in functions in server-rpc-fopc.c. By mounting a gluster volume and sending specially-crafted data, a remote authenticated attacker could exploit this vulnerability to cause a denial of service condition or execute arbitrary code on the system.
CVSS Base Score: 8.8
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/149297> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

CVEID: CVE-2018-10928 DESCRIPTION: glusterfs could allow a remote authenticated attacker to execute arbitrary code on the system, caused by improper validation of RPC request using gfs3_symlink_req function. By sending a specially-crafted request, an attacker could exploit this vulnerability to create arbitrary symlinks and execute arbitrary code on the system.
CVSS Base Score: 8.8
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/149305> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

CVEID: CVE-2018-10927 DESCRIPTION: glusterfs could allow a remote authenticated attacker to obtain sensitive information, caused by improper validation of RPC request in gfs3_lookup_req function. By sending a specially-crafted request, a remote attacker could exploit this vulnerability to obtain sensitive information and cause a denial of service condition.
CVSS Base Score: 8.1
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/149304> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H)

CVEID: CVE-2018-10926 DESCRIPTION: glusterfs could allow a remote authenticated attacker to execute arbitrary code on the system, caused by a flaw in RPC request using gfs3_mknod_req function. By sending a specially-crafted request, an attacker could exploit this vulnerability to create files and execute arbitrary code on the system.
CVSS Base Score: 8.8
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/149303> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

CVEID: CVE-2018-10923 DESCRIPTION: glusterfs could allow a remote authenticated attacker to obtain sensitive information, caused by a flaw in the mknod call derived from mknod(2). By creating arbitrary devices on a glusterfs server node, an attacker could exploit this vulnerability to read arbitrary data from the attached device.
CVSS Base Score: 6.5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/149301> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)

CVEID: CVE-2018-10914 DESCRIPTION: glusterfs is vulnerable to a denial of service, caused by improper validation of xattr request. By sending a specially-crafted request, a remote attacker could exploit this vulnerability to crash multiple bricks and gluster volumes.
CVSS Base Score: 7.5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/149300> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2018-10930 DESCRIPTION: glusterfs could allow a remote authenticated attacker to bypass security restrictions, caused by improper validation of RPC request using gfs3_rename_req function. By sending a specially-crafted request, an attacker could exploit this vulnerability to write to a destination outside the gluster volume.
CVSS Base Score: 6.5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/149307> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N)

CVEID: CVE-2018-10929 DESCRIPTION: glusterfs could allow a remote authenticated attacker to execute arbitrary code on the system, caused by improper validation of RPC request using gfs2_create_req function. By sending a specially-crafted request, an attacker could exploit this vulnerability to create files and execute arbitrary code on the system.
CVSS Base Score: 8.8
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/149306> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

CVEID: CVE-2018-10904 DESCRIPTION: glusterfs could allow a remote authenticated attacker to execute arbitrary code on the system, caused by improper validation of file paths in the trusted.io-stats-dump extended attribute. By sending a specially-crafted request, an attacker could exploit this vulnerability to create files and execute arbitrary code on the system.
CVSS Base Score: 8.8
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/149295> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

Affected Products and Versions

PowerKVM 3.1

Remediation/Fixes

Customers can update PowerKVM systems by using “yum update”.

Fix images are made available via Fix Central. For version 3.1, see https://ibm.biz/BdHggw. This issue is addressed starting with v3.1.0.2 update 16.

Workarounds and Mitigations

None