===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.2619
          Low: RHGS WA security, bug fix, and enhancement update
                              5 September 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Red Hat Gluster Storage Web Administration
Publisher:         Red Hat
Operating System:  Red Hat Enterprise Linux Server 7
Impact/Access:     Unauthorised Access -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-1127

Original Bulletin:
   https://access.redhat.com/errata/RHSA-2018:2616

- --------------------------BEGIN INCLUDED TEXT--------------------

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Low: RHGS WA security, bug fix, and enhancement update
Advisory ID:       RHSA-2018:2616-01
Product:           Red Hat Gluster Storage
Advisory URL:      https://access.redhat.com/errata/RHSA-2018:2616
Issue date:        2018-09-04
CVE Names:         CVE-2018-1127
=====================================================================

1. Summary:

Updated Red Hat Gluster Storage Web Administration packages that fix one
security issue, several bugs, and add various enhancements are now available
for Red Hat Gluster Storage 3.4 on Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of
Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a
detailed severity rating, is available for each vulnerability from the CVE
link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Gluster 3.4 Web Administration Node Agent on RHEL-7 - noarch
Red Hat Gluster 3.4 Web Administration on RHEL-7 - noarch

3. Description:

Red Hat Gluster Storage Web Administration includes a fully automated setup
based on Ansible and provides deep metrics and insights into active Gluster
storage pools by using the Grafana platform. Red Hat Gluster Storage Web
Administration provides a dashboard view which allows an administrator to get
a view of overall gluster health in terms of hosts, volumes, bricks, and other
components of GlusterFS.

Security Fix(es):

* tendrl-api: Improper cleanup of session token can allow attackers to hijack
user sessions (CVE-2018-1127)

For more details about the security issue(s), including the impact, a CVSS
score, and other related information, refer to the CVE page(s) listed in the
References section.

This issue was discovered by Filip Balák (Red Hat).

Additional Changes:

These updated Red Hat Gluster Storage Web Administration packages include
numerous bug fixes and enhancements. Space precludes documenting all of these
changes in this advisory. Users are directed to the Red Hat Gluster Storage
3.4 Release Notes for information on the most significant of these changes:

https://access.redhat.com/site/documentation/en-US/red_hat_gluster_storage/3.4/html/3.4_release_notes/

All users of Red Hat Gluster Storage are advised to upgrade to these updated
packages, which provide numerous bug fixes and enhancements.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1502012 - gluster related stats are not pushed to graphite from collectd
1506123 - [RFE] UI controls to use context switcher
1511993 - Full alert message not visible to user without hovering on the message
1512091 - Event messages are getting truncated
1512696 - Tendrl UI reporting brick is stopped when it's up and running
1512937 - [RFE] Duplicated hosts in Grafana (listed by FQDN and IP)
1513361 - Users page filters not working
1513993 - tendrl services report too-long error lines in system log
1514171 - Data provided by API are not fully encoded in JSON format; lists are formatted as escaped strings
1514442 - Successive attempts to import the same cluster on the same webadmin server fail
1515213 - Send password in API function for new user just once
1515252 - API calls with invalid job id return wrong response
1515660 - Tasks filter not showing tasks correctly based on date
1516135 - When import fails, the import button should be accessible only after unmanage
1516417 - Expanding an existing RHGS cluster managed by RHGS WA by adding nodes and monitoring
1517077 - [RFE] Grafana dashboard not showing all the volumes in UP mode when brick path has "short names"
1517132 - Time stamp inconsistency for repeated alerts
1517215 - 'Disable' Volume Profiling during cluster import behavior
1517246 - Alerts icon (bell icon) on Web Admin home page needs to show/indicate if there are unread events/alerts
1517270 - missing brick alert when there are sub-volume and quorum alerts
1517422 - [WA]: Volume Overview shows brick count, geo-rep sessions as "Invalid Number"
1518276 - Incorrect format of host reported when geo replication status changed
1518516 - Errors in /var/log/messages for non-georep volumes
1518525 - Tendrl-ansible setup script fails if the server has 2 IP addresses
1518610 - Under Tendrl-Gluster-Volumes, deleted vols still present in the list under Volume Name
1518678 - bricks are marked as down in UI
1518736 - decbytes and bytes on dashboards
1519158 - [Web-Admin] Sorting in RHGSWA is not working with Firefox browser
1519178 - Brick kill followed by replace brick shows incorrect brick status on RHGS WA
1519188 - Unnecessary filter "Brick Status" in Brick Details
1519201 - WA doesn't reflect that all gluster nodes are down
1519218 - After performing volume stop, Tendrl web GUI shows mismatched status for a few bricks in "brick status" layout
1519724 - [RFE] firewall configuration should be automated in tendrl-ansible
1519750 - [Web-Admin] Healing and rebalance cards are empty for all volumes
1520886 - internal server error when user would like to see details of cluster
1525376 - /var/log/tendrl/node-agent directory is created only after host reboot
1526338 - [RFE] Enhance unmanage cluster workflow to remove only specified (affected) cluster
1526375 - tendrl-api rpm %post, %preun, %postun scripts should correctly handle systemd service
1531133 - Brick Utilization: threshold breached Alert needs to reference gluster volume name
1531139 - [RFE] Brick Utilization: threshold breached Alert needs to be generated for brick usage above 90%
1536354 - [GSS] [RFE] Cluster-id should be user-friendly
1538248 - [RFE] Performance Improvements
1542914 - rebase RHGS WA 3.4.0 to upstream tendrl 1.6.3
1546957 - Get profiling status during the sync
1549146 - Some huge numbers reported by grafana are hard to read and understand
1555455 - Job status for import with invalid cluster id remains as new
1558431 - Sorting button not working
1559362 - The import cluster job should be marked finished in import cluster flow
1559364 - The flow ExpandClusterWithDetectedPeers should be targeted to provisioner node in cluster
1559365 - If import cluster fails due to time out, the current job is not marked properly
1559368 - The expand cluster flow for cluster should be user initiated and not automatic
1559373 - User should be able to enable/disable profiling at volume level
1559379 - The cluster level profiling setting for volumes of the cluster should be an async task
1559387 - Back to back import and unmanage cluster multiple times results in a situation where import is complete but not marked correctly in UI
1559390 - No filters in 'brick detail' view
1559396 - Host Detail view not matching design by UX
1559399 - Alert count is not incremented for utilization alerts
1559401 - Cluster detail link
1559402 - Data not required for start/stop profiling
1559405 - Alerts which are raised from node-agent are not displayed in UI
1559415 - Provisioner node re-election happens almost continuously
1559416 - node_sync disks sync failed for multi-path devices
1559417 - Remove the provisioning namespace safely
1559421 - Sometimes delete flag for the deleted volumes is changed to False
1559426 - Sometimes monitoring-integration is not creating panels for a particular resource in alert dashboard
1559432 - Before import cluster, monitoring integration consumes a lot of CPU and memory
1559433 - Non participating nodes should not send rebalance data for a volume to graphite
1559436 - Add REST end points for getting details of individual cluster
1559486 - Branding should not be in grafana dashboard listbox selection
1559507 - [RFE] Show downstream Gluster version in list of clusters
1559690 - If import cluster failed, the cluster global details status should be set as unhealthy
1559792 - Ansible group names contain dashes, which could cause problems
1559901 - Use "integration_id" instead of "cluster_id"
1560492 - Expand action not getting disabled on cluster list, when no expansion required
1560879 - UI should disable the button when button or link is clicked for profiling
1561374 - Enable/Disable Profiling button should not be visible on volume list page for read-only user
1561428 - User filter not working
1561468 - tendrl-node-agent CPU consumption
1563519 - When gluster-integration goes down or glusterd goes down for a few minutes, alert_count for volumes is initialized to zero
1563648 - Marshal / Un-marshal objects while saving / reading to / from etcd
1564107 - un-manage task managed cluster check
1564175 - False alerts when brick utilization breached 90%
1564423 - Improve messages for tasks/jobs
1564510 - Grafana dashboards with new nodes are created before user initiates cluster expansion
1565479 - no time for updated-at field
1565898 - RHGS-WA should check for build no in addition to NVR while importing a cluster
1570048 - unmanaged task always fails after import failure
1570564 - Tendrl-ansible precheck fails with minimum memory requirement criteria on Tendrl Server
1570616 - Import fails after unmanage of cluster with specified Cluster Name
1571235 - Job thread in all tendrl components consumes a lot of CPU and memory
1571244 - Import cluster job fails for a while but then finishes successfully
1571245 - Debug messages are added to the task details
1571280 - Unmanage doesn't start when more clusters are available
1571318 - Grafana dashboards use integration id and cluster short name at the same time
1571325 - Cluster remains listed by its short cluster name after unmanage
1571755 - Expand cluster notifications use integration id instead of cluster name
1571809 - Error: Import existing Gluster Cluster
1572052 - Utilization related alerts from monitoring-integration are displayed in alert page and not in event page
1572090 - Import cluster fails with TypeError
1572118 - ERROR - node_sync SDS detection failed: need more than 0 values to unpack - ValueError
1572151 - A storage node which is peer probed with IP is always showing deleted bricks in UI
1572216 - tendrl-monitoring-integration.service fails to start
1573079 - Node alert count shows NoData in UI
1573110 - Un-managed cluster's alerts are displayed in UI
1573481 - Alert dashboard is not updated when more than one cluster is managed by tendrl
1573928 - It takes time to update user information
1573950 - Email already taken message when changing only password
1574938 - Volume with name 'None' listed in grafana dashboard
1574942 - Expand cluster screen lists all nodes in the cluster
1575040 - Alert dashboard is not raising alert when cluster is imported with short name
1575835 - CVE-2018-1127 tendrl-api: Improper cleanup of session token can allow attackers to hijack user sessions
1575891 - Load_all function in tendrl-common sometimes gives object with wrong info
1576794 - Gluster native event webhook fails sometimes
1576829 - Grafana alert callback webhook fails sometimes
1576848 - [GSS][Excessive number of 'gluster volume profile' commands launched by collectd]
1578009 - brick status tooltip differs from real values
1578329 - Brick details stops showing data
1578333 - RHGS-WA doesn't show the correct profiling state at cluster level if get-state doesn't provide volume level information of profiling
1578885 - Import cluster error: Cluster with name: %s already exists
1579148 - No tooltip for 'Expanding Cluster'
1579150 - Volume name doesn't show ellipsis for long name
1579152 - Upgrade the version UI npm packages
1579516 - Graph headings are inconsistent. In some cases we are calling graphs trends, which is not right.
1579937 - Duplicate Events are Processed and displayed in UI
1580385 - Node is DOWN alert not cleared properly
1580509 - vm.modalHeader.title tooltips for popup titles
1581212 - Links in Hosts page lead to Grafana dashboard without specified Cluster Name
1581718 - Weekly growth rate and week remaining metrics are not accurate
1581736 - IOPS metric is not intuitive enough
1581789 - Connection trends panel information can be misunderstood by customers
1582465 - Incorrect infotip for "Ready to Use" text in the WA Clusters interface
1583171 - Utilization notifications use integration id instead of cluster name
1584095 - Unmanage fails after failed import
1584660 - UI text improvement in import cluster workflow
1585116 - Grafana alert dashboard does not raise alerts when nodes have string "tendrl" in hostname
1585715 - Brick Details page is not updated
1586074 - Brick Details brick counter divided into separate lines
1588357 - Sometimes import flow and unmanage flow are failing
1588440 - New volume record with no volume name and -5 alerts
1588650 - discovered host(s) section in import cluster screen is slightly inconsistent/misleading
1590405 - [GSS] RHGSWA ansible playbook runs yum update
1592464 - WA UI - redundant UI text in the Unmanage cluster confirmation box
1592487 - Job sync thread fails when /queue directory becomes empty
1592991 - Connections Panel heading needs to say "Connections" or "Client Connections"
1592992 - Throughput Panel in the overview dashboard needs to specify units
1593640 - After import job failed, cluster is marked as managed and ready to use
1593852 - IOPS chart on Disk Load of Brick Dashboard shows no data during brick read/write operation
1593912 - IOPS chart from At a Glance section of Host Dashboard reports different values compared to all other IOPS charts
1594762 - No tooltip for 'Unknown cluster'
1594862 - Thresholds for utilization bars and alerts differ
1594899 - Most IOPS charts in At a Glance section of Brick Dashboards show no data for short or light workloads
1594994 - Text boxes to enter the Web admin UI credentials are much longer than necessary
1595005 - Ping Latency metric requires clarification
1595013 - Provide the appropriate title for two IOPS panels in host dashboard
1595015 - Disk Load panel in host dashboard (Capacity And Disk Load section) should be called Disk Throughput
1595016 - Provide the correct heading for Disk IO panel in host dashboard (Capacity and Disk Load section)
1595052 - Brick dashboard / Disk Load section - Throughput and Latency panel units are confusing
1595295 - Volume:None is unknown alert
1596655 - Unable to fix (rerun) failed cluster expand task
1596820 - alerts "volume <volume name> is unknown" reported during unmanage of cluster which failed to import
1596862 - Improve performance of tendrl components
1597235 - Too much space next to events messages
1599634 - Expand cluster imports only one node
1599985 - Volume details vanish after some time in tendrl-ui
1599987 - Growing memory utilization of tendrl-gluster-integration on one node in cluster
1600092 - Importing bigger cluster failing: Timing out import job, Cluster data still not fully updated
1600113 - Invalid volume record when expand cluster is available
1603175 - GET /clusters API call returns "Invalid JSON received." for cluster with geo-replication
1610266 - Inconsistent password length requirements
1611601 - Alert "Service: glustershd is disconnected in cluster" is not cleared
1616208 - glustershd alerts should mention affected node
1616215 - All "Service: glustershd is disconnected in cluster" alerts are cleared when service starts on one node

6. Package List:

Red Hat Gluster 3.4 Web Administration Node Agent on RHEL-7:

Source:
tendrl-commons-1.6.3-12.el7rhgs.src.rpm
tendrl-gluster-integration-1.6.3-10.el7rhgs.src.rpm
tendrl-node-agent-1.6.3-10.el7rhgs.src.rpm

noarch:
tendrl-commons-1.6.3-12.el7rhgs.noarch.rpm
tendrl-gluster-integration-1.6.3-10.el7rhgs.noarch.rpm
tendrl-node-agent-1.6.3-10.el7rhgs.noarch.rpm

Red Hat Gluster 3.4 Web Administration on RHEL-7:

Source:
python-flask-0.10.1-5.el7rhgs.src.rpm
python-itsdangerous-0.23-2.el7.src.rpm
tendrl-ansible-1.6.3-7.el7rhgs.src.rpm
tendrl-api-1.6.3-5.el7rhgs.src.rpm
tendrl-commons-1.6.3-12.el7rhgs.src.rpm
tendrl-monitoring-integration-1.6.3-11.el7rhgs.src.rpm
tendrl-node-agent-1.6.3-10.el7rhgs.src.rpm
tendrl-notifier-1.6.3-4.el7rhgs.src.rpm
tendrl-ui-1.6.3-11.el7rhgs.src.rpm

noarch:
python-flask-0.10.1-5.el7rhgs.noarch.rpm
python-flask-doc-0.10.1-5.el7rhgs.noarch.rpm
python-itsdangerous-0.23-2.el7.noarch.rpm
tendrl-ansible-1.6.3-7.el7rhgs.noarch.rpm
tendrl-api-1.6.3-5.el7rhgs.noarch.rpm
tendrl-api-httpd-1.6.3-5.el7rhgs.noarch.rpm
tendrl-commons-1.6.3-12.el7rhgs.noarch.rpm
tendrl-grafana-plugins-1.6.3-11.el7rhgs.noarch.rpm
tendrl-monitoring-integration-1.6.3-11.el7rhgs.noarch.rpm
tendrl-node-agent-1.6.3-10.el7rhgs.noarch.rpm
tendrl-notifier-1.6.3-4.el7rhgs.noarch.rpm
tendrl-ui-1.6.3-11.el7rhgs.noarch.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2018-1127
https://access.redhat.com/security/updates/classification/#low
https://access.redhat.com/site/documentation/en-US/red_hat_gluster_storage/3.4/html/3.4_release_notes/

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2018 Red Hat, Inc.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================