A privilege escalation flaw was found in the gluster snapshot scheduler. Any gluster client allowed to mount gluster volumes could also mount the shared gluster storage volume and escalate privileges by scheduling a malicious cronjob via a symlink.
To limit exposure of gluster server nodes:
1. The gluster server should be on a LAN and not reachable from public networks.
2. Use gluster auth.allow and auth.reject.
3. Use TLS certificates between gluster server nodes and clients.
Caveat: This would only mitigate attacks from unauthorized malicious clients. Gluster clients allowed by auth.allow or holding signed TLS client certificates would still be able to trigger this attack.
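
The audit below is an added example, not part of the original advisory: it reads `gluster volume info` output and flags volumes where mitigations 2 and 3 are not configured. The volume names and sample output are constructed; it assumes that command's `Key: value` layout and the `client.ssl` / `server.ssl` volume options for TLS.

```shell
#!/bin/sh
# Constructed sample in the layout printed by `gluster volume info`.
sample_volume_info() {
cat <<'EOF'
Volume Name: gv_open
Type: Replicate
Status: Started
Bricks:
Brick1: node1:/bricks/gv_open
Options Reconfigured:
performance.readdir-ahead: on

Volume Name: gv_locked
Type: Replicate
Status: Started
Bricks:
Brick1: node1:/bricks/gv_locked
Options Reconfigured:
auth.allow: 192.168.10.11,192.168.10.12
client.ssl: on
server.ssl: on
EOF
}

# Reads `gluster volume info` text on stdin and prints one line per check:
#   <volume> <OK|FAIL> <check>
audit_volume_info() {
    awk '
    function emit() {
        if (vol == "") return
        # An unset auth.allow behaves like "*": any client address may mount.
        print vol, ((allow == "" || allow == "*") ? "FAIL" : "OK"), "auth.allow"
        # TLS on the I/O path needs both the client and server side enabled.
        print vol, ((cssl == "on" && sssl == "on") ? "OK" : "FAIL"), "tls"
    }
    /^Volume Name: / { emit(); vol = $3; allow = ""; cssl = ""; sssl = "" }
    /^auth\.allow: / { allow = $2 }
    /^client\.ssl: / { cssl = $2 }
    /^server\.ssl: / { sssl = $2 }
    END { emit() }
    '
}

# On a server node: gluster volume info | audit_volume_info
sample_volume_info | audit_volume_info
```

An OK result only narrows which hosts can reach the volumes; per the caveat above, clients that are already authorized are not restricted by these settings.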