1. CVE-Search
  2. CVE-2018-10907
ID CVE-2018-10907
Summary It was found that glusterfs server is vulnerable to multiple stack based buffer overflows due to functions in server-rpc-fopc.c allocating fixed size buffers using 'alloca(3)'. An authenticated attacker could exploit this by mounting a gluster volume and sending a string longer that the fixed buffer size to cause crash or potential code execution.
References
Vulnerable Configurations
  • cpe:2.3:a:gluster:glusterfs:3.12.0:-:*:*:*:*:*:*
    cpe:2.3:a:gluster:glusterfs:3.12.0:-:*:*:*:*:*:*
  • cpe:2.3:a:gluster:glusterfs:3.12.0:alpha1:*:*:*:*:*:*
    cpe:2.3:a:gluster:glusterfs:3.12.0:alpha1:*:*:*:*:*:*
  • cpe:2.3:a:gluster:glusterfs:3.12.0:rc0:*:*:*:*:*:*
    cpe:2.3:a:gluster:glusterfs:3.12.0:rc0:*:*:*:*:*:*
  • cpe:2.3:a:gluster:glusterfs:3.12.1:*:*:*:*:*:*:*
    cpe:2.3:a:gluster:glusterfs:3.12.1:*:*:*:*:*:*:*
  • cpe:2.3:a:gluster:glusterfs:3.12.2:*:*:*:*:*:*:*
    cpe:2.3:a:gluster:glusterfs:3.12.2:*:*:*:*:*:*:*
  • cpe:2.3:a:gluster:glusterfs:3.12.3:*:*:*:*:*:*:*
    cpe:2.3:a:gluster:glusterfs:3.12.3:*:*:*:*:*:*:*
  • cpe:2.3:a:gluster:glusterfs:3.12.4:*:*:*:*:*:*:*
    cpe:2.3:a:gluster:glusterfs:3.12.4:*:*:*:*:*:*:*
  • cpe:2.3:a:gluster:glusterfs:3.12.5:*:*:*:*:*:*:*
    cpe:2.3:a:gluster:glusterfs:3.12.5:*:*:*:*:*:*:*
  • cpe:2.3:a:gluster:glusterfs:3.12.6:*:*:*:*:*:*:*
    cpe:2.3:a:gluster:glusterfs:3.12.6:*:*:*:*:*:*:*
  • cpe:2.3:a:gluster:glusterfs:3.12.7:*:*:*:*:*:*:*
    cpe:2.3:a:gluster:glusterfs:3.12.7:*:*:*:*:*:*:*
  • cpe:2.3:a:gluster:glusterfs:3.12.8:*:*:*:*:*:*:*
    cpe:2.3:a:gluster:glusterfs:3.12.8:*:*:*:*:*:*:*
  • cpe:2.3:a:gluster:glusterfs:3.12.9:*:*:*:*:*:*:*
    cpe:2.3:a:gluster:glusterfs:3.12.9:*:*:*:*:*:*:*
  • cpe:2.3:a:gluster:glusterfs:3.12.10:*:*:*:*:*:*:*
    cpe:2.3:a:gluster:glusterfs:3.12.10:*:*:*:*:*:*:*
  • cpe:2.3:a:gluster:glusterfs:3.12.11:*:*:*:*:*:*:*
    cpe:2.3:a:gluster:glusterfs:3.12.11:*:*:*:*:*:*:*
  • cpe:2.3:a:gluster:glusterfs:3.12.12:*:*:*:*:*:*:*
    cpe:2.3:a:gluster:glusterfs:3.12.12:*:*:*:*:*:*:*
  • cpe:2.3:a:gluster:glusterfs:3.12.13:*:*:*:*:*:*:*
    cpe:2.3:a:gluster:glusterfs:3.12.13:*:*:*:*:*:*:*
  • cpe:2.3:a:gluster:glusterfs:4.1.0:-:*:*:*:*:*:*
    cpe:2.3:a:gluster:glusterfs:4.1.0:-:*:*:*:*:*:*
  • cpe:2.3:a:gluster:glusterfs:4.1.0:alpha:*:*:*:*:*:*
    cpe:2.3:a:gluster:glusterfs:4.1.0:alpha:*:*:*:*:*:*
  • cpe:2.3:a:gluster:glusterfs:4.1.0:rc0:*:*:*:*:*:*
    cpe:2.3:a:gluster:glusterfs:4.1.0:rc0:*:*:*:*:*:*
  • cpe:2.3:a:gluster:glusterfs:4.1.1:*:*:*:*:*:*:*
    cpe:2.3:a:gluster:glusterfs:4.1.1:*:*:*:*:*:*:*
  • cpe:2.3:a:gluster:glusterfs:4.1.2:*:*:*:*:*:*:*
    cpe:2.3:a:gluster:glusterfs:4.1.2:*:*:*:*:*:*:*
  • cpe:2.3:a:gluster:glusterfs:4.1.3:*:*:*:*:*:*:*
    cpe:2.3:a:gluster:glusterfs:4.1.3:*:*:*:*:*:*:*
  • cpe:2.3:o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:*
    cpe:2.3:o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:*
  • cpe:2.3:o:redhat:enterprise_linux_server:6.0:*:*:*:*:*:*:*
    cpe:2.3:o:redhat:enterprise_linux_server:6.0:*:*:*:*:*:*:*
  • cpe:2.3:a:redhat:virtualization_host:4.0:*:*:*:*:*:*:*
    cpe:2.3:a:redhat:virtualization_host:4.0:*:*:*:*:*:*:*
  • cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
    cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
  • cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
    cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
  • cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*
    cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*
CVSS
Base: 6.5 (as of 16-12-2021 - 18:49)
Impact:
Exploitability:
CWE CWE-121
CAPEC
Access
VectorComplexityAuthentication
NETWORK LOW SINGLE
Impact
ConfidentialityIntegrityAvailability
PARTIAL PARTIAL PARTIAL
cvss-vector via4 AV:N/AC:L/Au:S/C:P/I:P/A:P
redhat via4
advisories
  • rhsa
    id RHSA-2018:2607
  • rhsa
    id RHSA-2018:2608
  • rhsa
    id RHSA-2018:3470
rpms
  • glusterfs-0:3.12.2-18.el7
  • glusterfs-0:3.12.2-18.el7rhgs
  • glusterfs-api-0:3.12.2-18.el7
  • glusterfs-api-0:3.12.2-18.el7rhgs
  • glusterfs-api-devel-0:3.12.2-18.el7
  • glusterfs-api-devel-0:3.12.2-18.el7rhgs
  • glusterfs-cli-0:3.12.2-18.el7
  • glusterfs-cli-0:3.12.2-18.el7rhgs
  • glusterfs-client-xlators-0:3.12.2-18.el7
  • glusterfs-client-xlators-0:3.12.2-18.el7rhgs
  • glusterfs-debuginfo-0:3.12.2-18.el7
  • glusterfs-debuginfo-0:3.12.2-18.el7rhgs
  • glusterfs-devel-0:3.12.2-18.el7
  • glusterfs-devel-0:3.12.2-18.el7rhgs
  • glusterfs-events-0:3.12.2-18.el7rhgs
  • glusterfs-fuse-0:3.12.2-18.el7
  • glusterfs-fuse-0:3.12.2-18.el7rhgs
  • glusterfs-ganesha-0:3.12.2-18.el7rhgs
  • glusterfs-geo-replication-0:3.12.2-18.el7rhgs
  • glusterfs-libs-0:3.12.2-18.el7
  • glusterfs-libs-0:3.12.2-18.el7rhgs
  • glusterfs-rdma-0:3.12.2-18.el7
  • glusterfs-rdma-0:3.12.2-18.el7rhgs
  • glusterfs-resource-agents-0:3.12.2-18.el7rhgs
  • glusterfs-server-0:3.12.2-18.el7rhgs
  • python2-gluster-0:3.12.2-18.el7
  • python2-gluster-0:3.12.2-18.el7rhgs
  • redhat-release-server-0:7.5-11.el7rhgs
  • redhat-storage-server-0:3.4.0.0-1.el7rhgs
  • glusterfs-0:3.12.2-18.el6
  • glusterfs-0:3.12.2-18.el6rhs
  • glusterfs-api-0:3.12.2-18.el6
  • glusterfs-api-0:3.12.2-18.el6rhs
  • glusterfs-api-devel-0:3.12.2-18.el6
  • glusterfs-api-devel-0:3.12.2-18.el6rhs
  • glusterfs-cli-0:3.12.2-18.el6
  • glusterfs-cli-0:3.12.2-18.el6rhs
  • glusterfs-client-xlators-0:3.12.2-18.el6
  • glusterfs-client-xlators-0:3.12.2-18.el6rhs
  • glusterfs-debuginfo-0:3.12.2-18.el6
  • glusterfs-debuginfo-0:3.12.2-18.el6rhs
  • glusterfs-devel-0:3.12.2-18.el6
  • glusterfs-devel-0:3.12.2-18.el6rhs
  • glusterfs-events-0:3.12.2-18.el6rhs
  • glusterfs-fuse-0:3.12.2-18.el6
  • glusterfs-fuse-0:3.12.2-18.el6rhs
  • glusterfs-ganesha-0:3.12.2-18.el6rhs
  • glusterfs-geo-replication-0:3.12.2-18.el6rhs
  • glusterfs-libs-0:3.12.2-18.el6
  • glusterfs-libs-0:3.12.2-18.el6rhs
  • glusterfs-rdma-0:3.12.2-18.el6
  • glusterfs-rdma-0:3.12.2-18.el6rhs
  • glusterfs-server-0:3.12.2-18.el6rhs
  • python2-gluster-0:3.12.2-18.el6
  • python2-gluster-0:3.12.2-18.el6rhs
  • redhat-release-server-0:6Server-6.10.0.24.el6rhs
  • redhat-storage-server-0:3.4.0.0-1.el6rhs
  • imgbased-0:1.0.29-1.el7ev
  • python-imgbased-0:1.0.29-1.el7ev
  • redhat-release-virtualization-host-0:4.2-7.3.el7
  • redhat-virtualization-host-image-update-0:4.2-20181026.0.el7_6
  • redhat-virtualization-host-image-update-placeholder-0:4.2-7.3.el7
refmap via4
confirm
gentoo GLSA-201904-06
mlist [debian-lts-announce] 20180920 [SECURITY] [DLA 1510-1] glusterfs security update
suse openSUSE-SU-2020:0079
Last major update 16-12-2021 - 18:49
Published 04-09-2018 - 13:29
Last modified 16-12-2021 - 18:49
Back to Top