RHEL 7 : Storage Server (RHSA-2017:0486)

This script is Copyright (C) 2017 Tenable Network Security, Inc.


Synopsis :

The remote Red Hat host is missing one or more security updates.

Description :

An update is now available for Red Hat Gluster Storage 3.2 on Red Hat
Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security
impact of Moderate. A Common Vulnerability Scoring System (CVSS) base
score, which gives a detailed severity rating, is available for each
vulnerability from the CVE link(s) in the References section.

Red Hat Gluster Storage is a software only scale-out storage solution
that provides flexible and affordable unstructured data storage. It
unifies data storage and infrastructure, increases performance, and
improves availability and manageability to meet enterprise-level
storage challenges.

The following packages have been upgraded to a later upstream version:
glusterfs (3.8.4), redhat-storage-server (3.2.0.2), vdsm (4.17.33).
(BZ#1362376)

Security Fix(es) :

* It was found that the glusterfs-server RPM package would write a file
with a predictable name into the world-writable /tmp directory. A local
attacker could potentially use this flaw to escalate their privileges to
root by modifying the shell script during the installation of the
glusterfs-server package. (CVE-2015-1795)

This issue was discovered by Florian Weimer of Red Hat Product
Security.
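The bug class behind CVE-2015-1795, as a constructed shell example added
here (it is not the advisory's text, nor the glusterfs project's real
scriptlet): a root-run install hook that writes a helper script to a fixed
name under /tmp and executes it, beside a hardened form that uses a fresh
mktemp directory, plus a small audit helper that flags literal /tmp paths
in scriptlet text such as the output of `rpm -q --scripts`. All file names,
scriptlet bodies and the sample scriptlet text are made up for the example;
it assumes a GNU/Linux userland with `mktemp -d` and `ls -ld`.

```shell
#!/bin/sh
# Added example, not code from RHSA-2017:0486 or from glusterfs.
# Every path, file name and scriptlet body below is constructed.
set -u

# --- vulnerable pattern (constructed) ---------------------------------------
# A fixed, predictable path. Any local user can create "$1/gluster-post.sh"
# first: as a symlink, so root's write lands on a file of the attacker's
# choosing, or as an ordinary attacker-owned file that root truncates and
# fills but the attacker still owns and can rewrite before "sh" runs it.
unsafe_post() {
    dir=$1
    cat > "$dir/gluster-post.sh" <<'EOF'
#!/bin/sh
echo post-install work
EOF
    sh "$dir/gluster-post.sh"
}

# Symlink case in a scratch directory: the attacker plants
# "$1/gluster-post.sh" -> "$1/victim"; after unsafe_post, "victim" holds
# the scriptlet body. Returns 0 if the clobber happened.
symlink_clobber_demo() {
    dir=$1
    printf 'original\n' > "$dir/victim"
    ln -s "$dir/victim" "$dir/gluster-post.sh"   # the attacker's move
    unsafe_post "$dir" >/dev/null
    grep -q 'post-install work' "$dir/victim"
}

# --- hardened form ------------------------------------------------------------
# mktemp -d atomically creates a fresh 0700 directory with an unpredictable
# name, so nobody else can pre-create, replace or read anything under it.
# Prints the path. Runs in a subshell so umask does not leak to the caller.
private_tmpdir() (
    umask 077
    d=$(mktemp -d "${TMPDIR:-/tmp}/gluster-post.XXXXXX") || exit 1
    # Verify rather than trust: a real directory, not a symlink, owned by us.
    if [ -d "$d" ] && [ ! -L "$d" ] && [ -O "$d" ]; then
        printf '%s\n' "$d"
    else
        rm -rf "$d"
        exit 1
    fi
)

# Same work as unsafe_post, done inside the private directory and cleaned
# up even on failure. (Better still: run the commands inline, no script.)
safe_post() (
    umask 077
    workdir=$(private_tmpdir) || exit 1
    trap 'rm -rf "$workdir"' EXIT
    cat > "$workdir/post.sh" <<'EOF'
#!/bin/sh
echo post-install work
EOF
    sh "$workdir/post.sh"
)

# --- audit: flag fixed /tmp paths in scriptlet text ---------------------------
# Reads scriptlet text on stdin and prints each line that names a literal
# path under /tmp (or /var/tmp) without going through mktemp. Returns 1 if
# anything was flagged, 0 if clean. Heuristic: paths built from $TMPDIR or
# other variables are not caught.
audit_scriptlets() {
    found=0
    while IFS= read -r line; do
        case $line in
            *mktemp*) continue ;;
            */tmp/*) printf 'FLAG: %s\n' "$line"; found=1 ;;
        esac
    done
    return $found
}

# Constructed text standing in for `rpm -q --scripts PKG` output.
SAMPLE_SCRIPTLETS='postinstall scriptlet (using /bin/sh):
cat > /tmp/gluster-post.sh <<EOF
echo fixing up
EOF
sh /tmp/gluster-post.sh
workdir=$(mktemp -d /tmp/gluster.XXXXXX)
rm -rf "$workdir"'

# Number of flagged lines in the sample (two: the cat and the sh line).
count_flags() {
    printf '%s\n' "$SAMPLE_SCRIPTLETS" | audit_scriptlets | grep -c '^FLAG:'
}

main() {
    scratch=$(mktemp -d) || exit 1
    if symlink_clobber_demo "$scratch"; then
        echo "unsafe_post: symlink redirected root's write to $scratch/victim"
    fi
    safe_post >/dev/null && echo "safe_post: ran from a private 0700 directory"
    printf '%s\n' "$SAMPLE_SCRIPTLETS" | audit_scriptlets \
        || echo "audit: $(count_flags) line(s) use a fixed /tmp path"
    rm -rf "$scratch"
}
main "$@"
```

On a real host the audit helper would be fed with `rpm -q --scripts
glusterfs-server | audit_scriptlets`, and `rpm -q --changelog
glusterfs-server | grep -i CVE-2015-1795` confirms the fixed build is
installed. Two caveats: where fs.protected_symlinks is enabled, root will
not follow an attacker's symlink in the sticky /tmp, but that does nothing
against the second variant, an attacker-owned regular file that is rewritten
between the write and the execution; and mktemp only helps when the
scriptlet then uses the returned path rather than a second hard-coded one.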

Bug Fix(es) :

* Bricks remain stopped if server quorum is no longer met, or if
server quorum is disabled, to ensure that bricks in maintenance are
not started incorrectly. (BZ#1340995)

* The metadata cache translator has been updated to improve Red Hat
Gluster Storage performance when reading small files. (BZ#1427783)

* The 'gluster volume add-brick' command is no longer allowed when the
replica count has increased and any replica bricks are unavailable.
(BZ#1404989)

* Split-brain resolution commands work regardless of whether
client-side heal or the self-heal daemon are enabled. (BZ#1403840)

Enhancement(s) :

* Red Hat Gluster Storage now provides Transport Layer Security
support for Samba and NFS-Ganesha. (BZ#1340608, BZ#1371475)

* A new reset-sync-time option enables resetting the sync time
attribute to zero when required. (BZ#1205162)

* Tiering demotions are now triggered at most 5 seconds after a
hi-watermark breach event. Administrators can use the
cluster.tier-query-limit volume parameter to specify the number of
records extracted from the heat database during demotion. (BZ#1361759)

* The /var/log/glusterfs/etc-glusterfs-glusterd.vol.log file is now
named /var/log/glusterfs/glusterd.log. (BZ#1306120)

* The 'gluster volume attach-tier/detach-tier' commands are considered
deprecated in favor of the new commands, 'gluster volume tier VOLNAME
attach/detach'. (BZ#1388464)

* The HA_VOL_SERVER parameter in the ganesha-ha.conf file is no longer
used by Red Hat Gluster Storage. (BZ#1348954)

* The volfile server role can now be passed to another server when a
server is unavailable. (BZ#1351949)

* Ports can now be reused when they stop being used by another
service. (BZ#1263090)

* The thread pool limit for the rebalance process is now dynamic, and
is determined based on the number of available cores. (BZ#1352805)

* Brick verification at reboot now uses UUID instead of brick path.
(BZ#1336267)

* LOGIN_NAME_MAX is now used as the maximum length for the slave user
instead of __POSIX_LOGIN_NAME_MAX, allowing for up to 256 characters
including the NULL byte. (BZ#1400365)

* The client identifier is now included in the log message to make it
easier to determine which client failed to connect. (BZ#1333885)

See also :

https://www.redhat.com/security/data/cve/CVE-2015-1795.html
http://www.nessus.org/u?6e691231
http://rhn.redhat.com/errata/RHSA-2017-0486.html

Solution :

Update the affected packages.

Risk factor :

High / CVSS Base Score : 7.2
(CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C)
CVSS Temporal Score : 6.8
(CVSS2#E:F/RL:U/RC:ND)
Public Exploit Available : true

Family: Red Hat Local Security Checks

Nessus Plugin ID: 97929

Bugtraq ID:

CVE ID: CVE-2015-1795
