NVD Vulnerability Detail

CVE-2018-14659

Summary	The Gluster file system through versions 4.1.4 and 3.1.2 is vulnerable to a denial of service attack via use of the 'GF_XATTR_IOSTATS_DUMP_KEY' xattr. A remote, authenticated attacker could exploit this by mounting a Gluster volume and repeatedly calling 'setxattr(2)' to trigger a state dump and create an arbitrary number of files in the server's runtime directory.
Publication Date	Nov. 1, 2018, 4:29 a.m.
Registration Date	March 1, 2021, 6:57 p.m.
Last Update	Nov. 21, 2024, 12:49 p.m.

Affected software configurations

Configuration1	or higher	or less	more than	less than
cpe:2.3:a:redhat:gluster_file_system::::::::	4.1.0	4.1.4
cpe:2.3:a:redhat:gluster_file_system::::::::	3.0.0	3.1.2

Configuration3	or higher	or less	more than	less than
cpe:2.3:o:redhat:enterprise_linux_server:7.0:::::::*
cpe:2.3:o:redhat:enterprise_linux_server:6.0:::::::*

Configuration4		or higher	or less	more than	less than
cpe:2.3:a:redhat:virtualization:4.0:::::::*
cpe:2.3:a:redhat:virtualization_host:4.0:::::::*
execution environment
1	cpe:2.3:o:redhat:enterprise_linux:7.0:::::::*

Related information, measures and tools

No	URL	タグ
1	https://access.redhat.com/errata/RHSA-2018:3431	Vendor Advisory
2	https://access.redhat.com/errata/RHSA-2018:3432	Vendor Advisory
3	https://access.redhat.com/errata/RHSA-2018:3470	Vendor Advisory
4	https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-14659	Issue Tracking Vendor Advisory
5	https://lists.debian.org/debian-lts-announce/2018/11/msg00003.html	Mailing List Third Party Advisory
6	https://lists.debian.org/debian-lts-announce/2021/11/msg00000.html	Mailing List Third Party Advisory
7	https://security.gentoo.org/glsa/201904-06	Third Party Advisory
8	https://access.redhat.com/errata/RHSA-2018:3431	Vendor Advisory
9	https://security.gentoo.org/glsa/201904-06	Third Party Advisory
10	https://lists.debian.org/debian-lts-announce/2021/11/msg00000.html	Mailing List Third Party Advisory
11	https://lists.debian.org/debian-lts-announce/2018/11/msg00003.html	Mailing List Third Party Advisory
12	https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-14659	Issue Tracking Vendor Advisory
13	https://access.redhat.com/errata/RHSA-2018:3470	Vendor Advisory
14	https://access.redhat.com/errata/RHSA-2018:3432	Vendor Advisory

Common Vulnerabilities List

JVN Vulnerability Information

Gluster におけるリソースの枯渇に関する脆弱性

Title	Gluster におけるリソースの枯渇に関する脆弱性
Summary	Gluster には、リソースの枯渇に関する脆弱性が存在します。
Possible impacts	サービス運用妨害 (DoS) 状態にされる可能性があります。
Solution	ベンダより正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。
Publication Date	Oct. 31, 2018, midnight
Registration Date	Jan. 15, 2019, 5:17 p.m.
Last Update	Jan. 15, 2019, 5:17 p.m.

Affected System

レッドハット

Red Hat Enterprise Linux Server

Red Hat Gluster Storage Server

Red Hat Virtualization

Debian

Debian GNU/Linux

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2018-14659	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14659
National Vulnerability Database (NVD)
2	CVE-2018-14659	https://nvd.nist.gov/vuln/detail/CVE-2018-14659

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-400	https://cwe.mitre.org/data/definitions/400.html

ベンダー情報

No	Name	URL
Debian
1	[SECURITY] [DLA 1565-1] glusterfs security update	https://lists.debian.org/debian-lts-announce/2018/11/msg00003.html
Red Hat Bugzilla
2	Bug 1635929	https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-14659
Red Hat Security Advisory
3	RHSA-2018:3431	https://access.redhat.com/errata/RHSA-2018:3431
4	RHSA-2018:3432	https://access.redhat.com/errata/RHSA-2018:3432
5	RHSA-2018:3470	https://access.redhat.com/errata/RHSA-2018:3470

Change Log

No	Changed Details	Date of change
1	[2019年01月15日] 掲載	Jan. 15, 2019, 5:17 p.m.