PT-2018-3936 · Red Hat+1 · Glusterfs+1

Michael Hanselmann

Published 2018-11-01 · Updated 2023-02-13 · CVE-2018-14660

CVSS v2.0: 6.8 (Medium)

Vector: AV:N/AC:L/Au:S/C:N/I:N/A:C
Name of the Vulnerable Software and Affected Versions: glusterfs versions 3.1.2 through 4.1.4

Description: A flaw in the glusterfs server allows repeated use of the GF_META_LOCK_KEY xattr, enabling a remote, authenticated attacker to create multiple locks for a single inode by calling setxattr repeatedly. Each lock consumes server memory, so this results in memory exhaustion on the glusterfs server node. The issue is an uncontrolled consumption of resources that a remote attacker can exploit to cause a denial of service.

Recommendations: For versions 3.1.2 through 4.1.4, consider restricting the use of the setxattr function to prevent repeated use of the GF_META_LOCK_KEY xattr until a patch is available. As a temporary workaround, limiting the number of locks that can be created for a single inode may help reduce the risk of memory exhaustion.

Fix

Weakness Enumeration

Allocation of Resources Without Limits

Resource Exhaustion

Related identifiers

BDU:2023-05467
CVE-2018-14660
DLA-2806-1
RHSA-2018:3431
RHSA-2018:3432
RHSA-2018:3470
USN-4770-1

Affected products

Ubuntu
Glusterfs