SB2018041820 - Native Client for Red Hat Enterprise Linux 7 for Red Hat Storage and Red Hat Gluster Storage 3.3 for Red Hat Enterprise Linux 7 update for glusterfs

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2018041820

SB2018041820 - Native Client for Red Hat Enterprise Linux 7 for Red Hat Storage and Red Hat Gluster Storage 3.3 for Red Hat Enterprise Linux 7 update for glusterfs

Published: April 18, 2018

Security Bulletin ID SB2018041820
CSH Severity
Low
Patch available
YES
Number of vulnerabilities 1
Exploitation vector Adjecent network
Highest impact Code execution

Breakdown by Severity

Low 100%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 1 vulnerability.


1) Symlink attack (CVE-ID: CVE-2018-1088)

CWE-ID: CWE-61 - UNIX Symbolic Link (Symlink) Following

CVSSv4: CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Clear


The vulnerability allows an adjacent unauthenticated attacker to gain elevated privileges on the target system.

The weakness exists in the snapshot scheduler due to improper security restrictions during the mounting of gluster volumes. An adjacent attacker can access a gluster node, perform symbolic link attack that is designed to schedule malicious cronjobs and gain root privileges.

Remediation

Install update from vendor's website.

References