CVE-2018-10923: Input Validation
First published: Wed Aug 01 2018(Updated: )
It was found that the "mknod" call derived from mknod(2) can create files pointing to devices on a glusterfs server node. An authenticated attacker could use this to create an arbitrary device and read data from any device attached to the glusterfs server node.
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/glusterfs | <3.12.14 | 3.12.14 |
| redhat/glusterfs | <4.1.4 | 4.1.4 |
| Gluster GlusterFS | >=3.12.0<3.12.14 | |
| Gluster GlusterFS | >=4.1.0<4.1.8 | |
| Redhat Virtualization Host | =4.0 | |
| Debian Debian Linux | =8.0 | |
| Debian Debian Linux | =9.0 | |
| Redhat Enterprise Linux Server | =6.0 | |
| Redhat Enterprise Linux Server | =7.0 | |
| openSUSE Leap | =15.1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00035.html
- https://access.redhat.com/errata/RHSA-2018:2607
- https://access.redhat.com/errata/RHSA-2018:2608
- https://access.redhat.com/errata/RHSA-2018:3470
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-10923
- https://lists.debian.org/debian-lts-announce/2018/09/msg00021.html
- https://lists.debian.org/debian-lts-announce/2021/11/msg00000.html
- https://security.gentoo.org/glsa/201904-06
- https://access.redhat.com/security/updates/classification/
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1625091
- https://review.gluster.org/21069
- https://bugzilla.redhat.com/show_bug.cgi?id=1610659
Frequently Asked Questions
What is CVE-2018-10923?
CVE-2018-10923 is a vulnerability that allows an authenticated attacker to create arbitrary devices and read data from any device attached to the glusterfs server node.
Who is affected by CVE-2018-10923?
Users of GlusterFS versions 3.12.0 to 3.12.14 and 4.1.0 to 4.1.8, Red Hat Virtualization Host 4.0, Debian Debian Linux 8.0 and 9.0, Red Hat Enterprise Linux Server 6.0 and 7.0, and openSUSE Leap 15.1 are affected by CVE-2018-10923.
What is the severity of CVE-2018-10923?
CVE-2018-10923 has a severity rating of 8.1 (high).
How can an attacker exploit CVE-2018-10923?
An attacker can exploit CVE-2018-10923 by using the 'mknod' call derived from mknod(2) to create files pointing to devices on a glusterfs server node.
How can I fix CVE-2018-10923?
To fix CVE-2018-10923, users should update their GlusterFS installation to versions 3.12.14 or 4.1.4, as recommended by Red Hat. For other affected software, users should follow the remediation steps provided by the respective vendors.
- agent/author
- agent/description
- agent/event
- agent/first-publish-date
- agent/last-modified-date
- agent/references
- agent/severity
- agent/softwarecombine
- agent/tags
- agent/type
- agent/weakness
- collector/nvd-index
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2018-10923
- agent/software-canonical-lookup
- vendor/gluster
- canonical/gluster glusterfs
- version/gluster glusterfs/3.12.0
- version/gluster glusterfs/4.1.0
- vendor/redhat
- canonical/redhat virtualization host
- version/redhat virtualization host/4.0
- vendor/debian
- canonical/debian debian linux
- version/debian debian linux/8.0
- version/debian debian linux/9.0
- canonical/redhat enterprise linux server
- version/redhat enterprise linux server/6.0
- version/redhat enterprise linux server/7.0
- vendor/opensuse
- canonical/opensuse leap
- version/opensuse leap/15.1
- package-manager/redhat