PT-2018-12649 · Red Hat +1 · Gluster +1

Credit: Michael Hanselmann +1

Published 2018-10-31 · Updated 2023-02-13

CVE-2018-14659

CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions: Gluster file system, versions 3.1.2 through 4.1.4
Description: The issue allows a remote, authenticated attacker to perform a denial-of-service attack through the GF_XATTR_IOSTATS_DUMP_KEY extended attribute (the key "trusted.io-stats-dump"). Setting this xattr on a mounted volume is interpreted by the server as a request to dump I/O statistics into a new file in the server's runtime directory. Because nothing limits how often a client may do this, an attacker who can mount the volume can call setxattr(2) in a loop and create an arbitrary number of files there, exhausting disk space or inodes on the server.
Recommendations: Upgrade to a release that contains the fix; the Red Hat, Debian and Ubuntu advisories listed under Related Identifiers ship patched packages. Until the upgrade is done, reduce exposure rather than trying to block the call: the attack only needs an authenticated client that can mount the volume, so restrict which hosts may mount it (for example with the auth.allow volume option) and, where possible, require Gluster's TLS-based client authentication. Disabling setxattr(2) is not a practical workaround, since ordinary clients depend on it. Instead, monitor the server's runtime directory for a sudden growth in the number of files, which is the observable symptom of this attack.
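Added example, not code from the advisory or from the Gluster project: the only server-side trace of this attack that the description gives is an unbounded number of freshly created files in the server's runtime directory, so the script below flags a burst of file creations there. The runtime directory path /var/run/gluster, the 60-second window and the threshold of 50 files are assumptions to be tuned for the deployment; the two directory listings at the bottom are constructed sample data, not real server output.

```python
"""Flag a flood of new files in a GlusterFS server runtime directory.

Heuristic for CVE-2018-14659: a legitimate io-stats dump is a rare,
operator-driven event, while the attack creates hundreds of files in
seconds. A sliding-window count over file timestamps separates the two.
"""
import os
import sys
from dataclasses import dataclass, field
from typing import Iterable, List, Tuple

# Assumption: this is where the brick server writes its runtime state.
DEFAULT_RUNTIME_DIR = "/var/run/gluster"

Entry = Tuple[str, float]  # (file name, timestamp in epoch seconds)


@dataclass
class Assessment:
    total_files: int
    peak_in_window: int
    window_seconds: float
    threshold: int
    flagged: bool
    sample_names: List[str] = field(default_factory=list)


def max_creations_in_window(timestamps: Iterable[float], window_seconds: float) -> int:
    """Largest number of timestamps that fall into any interval of window_seconds."""
    ts = sorted(timestamps)
    peak = 0
    left = 0
    for right, t in enumerate(ts):
        # Shrink the window from the left until [ts[left], t] fits.
        while t - ts[left] > window_seconds:
            left += 1
        peak = max(peak, right - left + 1)
    return peak


def assess(entries: Iterable[Entry], window_seconds: float = 60.0,
           threshold: int = 50) -> Assessment:
    """Flag the listing when >= threshold files appeared within window_seconds."""
    entries = list(entries)
    peak = max_creations_in_window((t for _, t in entries), window_seconds)
    # Newest names first, so an operator can confirm what was created.
    newest = [n for n, _ in sorted(entries, key=lambda e: e[1], reverse=True)[:5]]
    return Assessment(len(entries), peak, window_seconds, threshold,
                      peak >= threshold, newest)


def scan_runtime_dir(path: str = DEFAULT_RUNTIME_DIR) -> List[Entry]:
    """Collect (name, mtime) for regular files directly under path.

    Linux exposes no portable creation time; for dump files that are written
    once and never touched again, st_mtime is the creation time.
    """
    found: List[Entry] = []
    with os.scandir(path) as it:
        for d in it:
            if d.is_file(follow_symlinks=False):
                found.append((d.name, d.stat(follow_symlinks=False).st_mtime))
    return found


# Constructed sample listings (not real server output).
BASE = 1_700_000_000.0
# Quiet baseline: four long-lived files, hours apart.
QUIET_DIR: List[Entry] = [(f"glusterd-{i}.pid", BASE + i * 3600) for i in range(4)]
# Under attack: the same baseline plus 200 dump files created in about 10 s.
FLOODED_DIR: List[Entry] = QUIET_DIR + [
    (f"dump-{i:04d}", BASE + 4 * 3600 + i * 0.05) for i in range(200)
]


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else DEFAULT_RUNTIME_DIR
    try:
        entries = scan_runtime_dir(target)
    except OSError as exc:
        print(f"cannot read {target}: {exc}; assessing the constructed sample instead")
        entries = FLOODED_DIR
    result = assess(entries)
    state = "SUSPICIOUS" if result.flagged else "ok"
    print(f"{state}: {result.total_files} files, peak {result.peak_in_window} created "
          f"within {result.window_seconds:.0f}s (threshold {result.threshold})")
    if result.flagged:
        print("newest:", ", ".join(result.sample_names))
```

Run it on the server as a user that can read the runtime directory, or schedule it and alert on the SUSPICIOUS state; the threshold is deliberately low because, outside an attack, the directory should change only a few times a day.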

Tags: Fix · DoS · Resource Exhaustion


Related Identifiers

CVE-2018-14659
DLA-1565-1
DLA-2806-1
RHSA-2018:3431
RHSA-2018:3432
RHSA-2018:3470
USN-4770-1

Affected Products

Gluster
Ubuntu