Security: Session tokens not properly invalidated in tendrl-api
Name: Session tokens not properly invalidated in tendrl-api (CVE-2018-1127)
ID: RHSA-2018:2616-01
Distribution: Red Hat
Platforms: Red Hat Gluster Storage
Date: Tue, 4 September 2018, 14:42
References: https://access.redhat.com/security/cve/CVE-2018-1127
https://access.redhat.com/site/documentation/en-US/red_hat_gluster_storage/
Applications: tendrl-api

Original message

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
Red Hat Security Advisory

Synopsis: Low: RHGS WA security, bug fix, and enhancement update
Advisory ID: RHSA-2018:2616-01
Product: Red Hat Gluster Storage
Advisory URL: https://access.redhat.com/errata/RHSA-2018:2616
Issue date: 2018-09-04
CVE Names: CVE-2018-1127
=====================================================================

1. Summary:

Updated Red Hat Gluster Storage Web Administration packages that fix one
security issue, several bugs, and add various enhancements are now
available for Red Hat Gluster Storage 3.4 on Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact
of Low. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Gluster 3.4 Web Administration Node Agent on RHEL-7 - noarch
Red Hat Gluster 3.4 Web Administration on RHEL-7 - noarch

3. Description:

Red Hat Gluster Storage Web Administration includes a fully automated setup
based on Ansible and provides deep metrics and insights into active Gluster
storage pools by using the Grafana platform. Red Hat Gluster Storage Web
Administration provides a dashboard view which allows an administrator to
get a view of overall gluster health in terms of hosts, volumes, bricks,
and other components of GlusterFS.

Security Fix(es):

* tendrl-api: Improper cleanup of session token can allow attackers to
hijack user sessions (CVE-2018-1127)

For more details about the security issue(s), including the impact, a CVSS
score, and other related information, refer to the CVE page(s) listed in
the References section.

This issue was discovered by Filip Balák (Red Hat).
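The advisory describes the flaw only as "improper cleanup of session token". The practical consequence is that a token which a client has stopped using (for example after logout) is still accepted by the API, so anyone who captured it from a log, proxy or browser history can keep acting as that user. The following is an added illustration, not code from tendrl-api or from Red Hat: it models a server-side session store in Ruby, with the weak behaviour beside a hardened version, plus a replay check of the kind an auditor would run against the real service after patching. Class names, the TTL and the sample user are assumptions for the example.

```ruby
require 'securerandom'

# Example model of an API session store (not tendrl-api's own code).
# VulnerableSessions: "logout" only asks the client to drop its cookie;
# the server-side record is never removed, so a captured token stays valid.
class VulnerableSessions
  def initialize
    @tokens = {} # token => username
  end

  def login(user)
    token = SecureRandom.hex(32)
    @tokens[token] = user
    token
  end

  # Weak: nothing is cleaned up on the server; the token remains usable.
  def logout(_token)
    :cookie_cleared
  end

  def authenticate(token)
    @tokens[token] # nil means unauthenticated
  end
end

# HardenedSessions: logout deletes the server-side record and every token
# carries an absolute expiry, so a stale token is rejected either way.
class HardenedSessions
  TTL = 3600 # seconds; assumed value for the example

  def initialize(clock: -> { Time.now })
    @clock = clock # injectable for testing expiry offline
    @tokens = {}   # token => { user:, expires: }
  end

  def login(user)
    token = SecureRandom.hex(32)
    @tokens[token] = { user: user, expires: @clock.call + TTL }
    token
  end

  # Cleanup happens here: the record is gone, not just the client cookie.
  def logout(token)
    @tokens.delete(token)
    nil
  end

  def authenticate(token)
    entry = @tokens[token]
    return nil unless entry
    if @clock.call >= entry[:expires]
      @tokens.delete(token) # expired tokens are purged on first use
      return nil
    end
    entry[:user]
  end
end

# Replay check: log in, log out, then present the old token again.
# Returns true when the store still honours the token after logout.
def token_survives_logout?(store)
  token = store.login('admin')
  store.logout(token)
  !store.authenticate(token).nil?
end

if __FILE__ == $PROGRAM_NAME
  puts "vulnerable store honours token after logout: #{token_survives_logout?(VulnerableSessions.new)}"
  puts "hardened store honours token after logout:   #{token_survives_logout?(HardenedSessions.new)}"
end
```

The same replay check translates directly to a deployed instance: authenticate, record the session token, call the logout endpoint, then repeat an authenticated request with the recorded token and expect a 401. Note that stateless signed tokens (the model provided by libraries such as itsdangerous, which appears in this update's package list) cannot be "cleaned up" on the server at all unless the service also keeps a revocation list or a short expiry; with such tokens, a logout that only drops the client cookie has exactly the effect modelled by VulnerableSessions.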

Additional Changes:

These updated Red Hat Gluster Storage Web Administration packages include
numerous bug fixes and enhancements. Space precludes documenting all of
these changes in this advisory. Users are directed to the Red Hat Gluster
Storage 3.4 Release Notes for information on the most significant of these
changes:

https://access.redhat.com/site/documentation/en-US/red_hat_gluster_storage/3.4/html/3.4_release_notes/

All users of Red Hat Gluster Storage are advised to upgrade to these
updated packages, which provide numerous bug fixes and enhancements.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1502012 - gluster related stats are not pushed to graphite from collectd
1506123 - [RFE] UI controls to use context switcher
1511993 - Full alert message not visible to user without hovering on the
message
1512091 - Event messages are getting truncated
1512696 - Tendrl UI reporting brick is stopped when it's up and running
1512937 - [RFE] Duplicated hosts in Grafana (listed by FQDN and IP)
1513361 - Not working users page filters
1513993 - tendrl services reports too long error lines in system log
1514171 - Data provided by api are not fully encoded in json format, lists are
formatted in an escaped strings
1514442 - Successive attempts to import the same cluster on the same webadmin
server fail
1515213 - Send password in API function for new user just once
1515252 - API calls with invalid job id return wrong response
1515660 - Tasks filter not showing tasks correctly based on date
1516135 - When import fails, the import button should be accessible only after
unmanage
1516417 - Expanding an existing RHGS cluster managed by RHGS WA by adding nodes
and monitoring
1517077 - [RFE] Grafana dashboard not showing all the volume in UP mode when
brick path has "short names"
1517132 - Time stamp inconsistency for repeated alerts
1517215 - 'Disable' Volume Profiling during cluster import behavior
1517246 - Alerts icon (bell icon) on Web Admin home page needs to show/indicate
if there are unread events/alerts
1517270 - missing brick alert when there are sub-volume and quorum alerts
1517422 - [WA] : Volume Overview shows brick count,geo rep sessions as
"Invalid Number".
1518276 - Incorrect format of host reported when geo replication status changed
1518516 - Errors in /var/log/messages for non-georep volumes
1518525 - Tendrl-ansible setup script fails if the server has 2 IP addresses
1518610 - Under Tendrl-Gluster-Volumes, deleted vols still present in the list
under Volume Name.
1518678 - bricks are marked as down in UI
1518736 - decbytes and bytes on dashboards
1519158 - [Web-Admin] Sorting in RHGSWA is not working with firefox browser
1519178 - Brick Kill followed by Replace brick,shows incorrect brick status on
RHGS WA
1519188 - Un-necessary Filter "Brick Status" in Brick Details
1519201 - WA doesn't reflect that all gluster nodes are down
1519218 - After performing volume stop,Tendrl web GUI shows mismatch status for
few brick in "brick status" layout
1519724 - [RFE] firewall configuration should be automated in tendrl-ansible
1519750 - [Web-Admin] Healing and rebalance cards are empty for all volume
1520886 - internal server error when user would like to see details of cluster
1525376 - /var/log/tendrl/node-agent directory is created only after host
reboot
1526338 - [RFE] Enhance unmanage cluster workflow to remove only specified
(affected) cluster
1526375 - tendrl-api rpm %post, %preun, %postun scripts should correctly handle
systemd service
1531133 - Brick Utilization: threshold breached Alert needs to reference
gluster volume name
1531139 - [RFE] Brick Utilization: threshold breached Alert needs to be
generated for brick usage above 90%
1536354 - [GSS] [RFE] Cluster-id should be user-friendly
1538248 - [RFE] Performance Improvements
1542914 - rebase RHGS WA 3.4.0 to upstream tendrl 1.6.3
1546957 - Get profiling status during the sync
1549146 - Some huge numbers reported by grafana are hard to read and understand
1555455 - Job status for import with invalid cluster id remains as new
1558431 - Sorting button not working
1559362 - The import cluster job should be marked finished in import cluster
flow
1559364 - The flow ExpandClusterWithDetectedPeers should be targeted to
provisioner node in cluster
1559365 - If import cluster fails due to time out, the current job is not
marked properly
1559368 - The expand cluster flow for cluster should be user initiated and not
automatic
1559373 - User should be able to enable/disable profiling at volume level
1559379 - The cluster level profiling setting for volumes of the cluster should
be a async task
1559387 - Back to back import and unmanage cluster multiple time resuts in a
situation where import is complete but not marked correctly in UI
1559390 - No filters in 'brick detail' view
1559396 - Host Detail view not matching design by UX
1559399 - Alert count is not incremented for utilization alerts
1559401 - Cluster detail link
1559402 - Data not required for start/stop profiling
1559405 - Alerts which is raised from node-agent is not displayed in UI
1559415 - Provisioner node re-election happens almost continuously
1559416 - node_sync disks sync failed for multi-path devices
1559417 - Remove the provisioning namespace safely
1559421 - Sometimes delete flag for the deleted volumes is changed to False
1559426 - Sometimes monitoring-integration is not creating panels for a
particular resource in alert dashbaord
1559432 - Before import cluster monitoring integration consumes lot of CPU and
memory
1559433 - Non participating nodes should not send rebalance data for a volume
to graphite
1559436 - Add REST end points for getting details of individual cluster
1559486 - Branding should not be in grafana dashboard listbox selection
1559507 - [RFE] Show downstream Gluster version in list of clusters
1559690 - If import cluster failed, the cluster global details status should be
set as unhealthy
1559792 - Ansible group names contains dashes, which could cause problems
1559901 - Use "integration_id" instead of "cluster_id"
1560492 - Expand action not getting disabled on cluster list, when no expansion
required
1560879 - UI should disable the button when button or link is clicked for
profiling
1561374 - Enable/Disable Profiling button should not be visible on volume list
page for ready only user
1561428 - User filter not working
1561468 - tendrl-node-agent CPU consumption
1563519 - When gluster-integration goes down or glusterd goes down for few
minutes then alert_count for a volumes are initialized by zero
1563648 - Marshal / Un-marshal objects while saving / reading to / from etcd
1564107 - un-manage task managed cluster check
1564175 - False alerts when brick utilization breached 90%
1564423 - Improve messages for tasks/jobs
1564510 - Grafana dashboards with new nodes are created before user initiates
cluster expansion
1565479 - no time for updated-at field
1565898 - RHGS-WA should check for build no in addition to NVR while importing
a cluster
1570048 - unmanaged task always fails after import failure
1570564 - Tendrl-ansible precheck fails with minimum memory requirement
criteria on Tendrl Server
1570616 - Import fails after unmanage of cluster with specified Cluster Name
1571235 - Job thread in all tendrl components consumes lot of cpu and memory
utilization
1571244 - Import cluster job fails for a while but then finishes successfully
1571245 - Debug messages are added to the task details
1571280 - Unmanage doesn't start when more clusters are available
1571318 - Grafana dashboards use integration id and cluster short name at the
same time
1571325 - Cluster remains listed by its short cluster name after unmanage
1571755 - Expand cluster notifications use integration id instead of cluster
name
1571809 - Error: Import existing Gluster Cluster
1572052 - Utilization related alerts from monitoring-integration are displayed
in alert page and not in event page
1572090 - Import cluster fails with TypeError
1572118 - ERROR - node_sync SDS detection failed: need more than 0 values to
unpack - ValueError
1572151 - A storage node which is peer probe with IP is always showing deleted
bricks in UI
1572216 - tendrl-monitoring-integration.service fails to start
1573079 - Node alert count shows NoData in UI
1573110 - Un-managed cluster's alerts are displayed in UI
1573481 - Alert dashboard are not updated when more than one clusters are
managed by tendrl
1573928 - It takes time to update user information
1573950 - Email already taken message when changing only password
1574938 - Volume with name 'None' listed in grafana dashboard
1574942 - Expand cluster screen lists all nodes in the cluster
1575040 - Alert dashbaord is not raising alert when cluster is import with
shortname
1575835 - CVE-2018-1127 tendrl-api: Improper cleanup of session token can allow
attackers to hijack user sessions
1575891 - Load_all function in tendel-common sometimes gives object with wrong
info
1576794 - Gluster native event webhook fails sometimes
1576829 - Grafana alert callback webhook fails sometimes
1576848 - [GSS][Excessive number of 'gluster volume profile' commands
launched by collectd]
1578009 - brick status tooltiop differs with real values
1578329 - Brick details stops showing data
1578333 - RHGS-WA doesnt show the correct profiling state at cluster level if
get-state doesnt provide volume level information of profiling
1578885 - Import cluster error: Cluster with name: %s already exists
1579148 - No tooltip for 'Expanding Cluster'
1579150 - Volume name doesn't show ellipsis for long name
1579152 - Upgrade the version UI npm packages
1579516 - Graph headings are inconsistent. In some cases we are calling graphs
as trends which is not right.
1579937 - Duplicate Events are Processed and displayed in UI
1580385 - Node is DOWN alert not cleared properly
1580509 - vm.modalHeader.title tooltips for popup titles
1581212 - Links in Hosts page lead to Grafana dashboard without specified
Cluster Name
1581718 - Weekly growth rate and week remaining metrics are not accurate
1581736 - IOPS metric is not intuitive enough
1581789 - Connection trends panel information can be mis-understood by
customers.
1582465 - Incorrect infotip for "Ready to Use" text in the WA Clusters
interface
1583171 - Utilization notifications use integration id instead of cluster name
1584095 - Unmanage fails after failed import
1584660 - UI text improvement in import cluster workflow
1585116 - Grafana alert dashboard does not raise alerts when nodes have string
"tendrl" in hostname
1585715 - Brick Details page is not updated
1586074 - Brick Details brick counter divided to separate lines
1588357 - Sometimes import flow and unmanage flow is failing
1588440 - New volume record with no volume name and -5 alerts
1588650 - discovered host(s) section in import cluster screen is slightly
inconsistent/misleading
1590405 - [GSS] RHGSWA ansible playbook runs yum update
1592464 - WA UI - redundant UI text in the Unmanage cluster confirmation box
1592487 - Job sync thread fails when /queue directory becomes empty
1592991 - Connections Panel heading needs to say "Connections" or
"Client Connections"
1592992 - Throughput Panel in the overview dashboard needs to specify units
1593640 - After import job failed cluster is marked as managed and ready to use
1593852 - IOPS chart on Disk Load of Brick Dashboard shows no data during brick
read/write operation
1593912 - IOPS chart from At Glance section of Host Dashboard reports different
values compared to all other IOPS charts
1594762 - No tooltip for 'Unknown cluster'
1594862 - Thresholds for utilization bars and alerts differ
1594899 - Most IOPS charts in At a Glance section of Brick Dashboards shows no
data for short or light workloads
1594994 - Text boxes to enter the Web admin UI credentials are much longer than
necessary.
1595005 - Ping Latency metric requires clarification
1595013 - Provide the appropriate title for two IOPS panels in host dashboard
1595015 - Disk Load panel in host dashboard (Capacity And Disk Load section)
should be called Disk Throughput
1595016 - Provide the correct heading for Disk IO panel in host dashboard
(Capacity and Disk load section)
1595052 - Brick dashboard / Disk Load section - Throughput and Latency panel
units are confusing
1595295 - Volume:None is unknown alert
1596655 - Unable to fix (rerun) failed cluster expand task
1596820 - alerts "volume <volume name> is unknown" reported
during unmanage of cluster which failed to import
1596862 - Improve performance of tendrl components
1597235 - Too much space next to events messages
1599634 - Expand cluster imports only one node
1599985 - Volume details are vanished after sometime in tendrl-ui
1599987 - Growing memory utilization of tendrl-gluster-integration on one node
in cluster
1600092 - Importing bigger cluster failing: Timing out import job, Cluster data
still not fully updated
1600113 - Invalid volume record when expand cluster is available
1603175 - GET /clusters api call returns "Invalid JSON received." for
cluster with geo-replication
1610266 - Inconsistent password length requirements
1611601 - Alert Service: glustershd is disconnected in cluster is not cleared
1616208 - glustershd alerts should mention affected node
1616215 - All alerts Service: glustershd is disconnected in cluster are cleared
when service starts on one node

6. Package List:

Red Hat Gluster 3.4 Web Administration Node Agent on RHEL-7:

Source:
tendrl-commons-1.6.3-12.el7rhgs.src.rpm
tendrl-gluster-integration-1.6.3-10.el7rhgs.src.rpm
tendrl-node-agent-1.6.3-10.el7rhgs.src.rpm

noarch:
tendrl-commons-1.6.3-12.el7rhgs.noarch.rpm
tendrl-gluster-integration-1.6.3-10.el7rhgs.noarch.rpm
tendrl-node-agent-1.6.3-10.el7rhgs.noarch.rpm

Red Hat Gluster 3.4 Web Administration on RHEL-7:

Source:
python-flask-0.10.1-5.el7rhgs.src.rpm
python-itsdangerous-0.23-2.el7.src.rpm
tendrl-ansible-1.6.3-7.el7rhgs.src.rpm
tendrl-api-1.6.3-5.el7rhgs.src.rpm
tendrl-commons-1.6.3-12.el7rhgs.src.rpm
tendrl-monitoring-integration-1.6.3-11.el7rhgs.src.rpm
tendrl-node-agent-1.6.3-10.el7rhgs.src.rpm
tendrl-notifier-1.6.3-4.el7rhgs.src.rpm
tendrl-ui-1.6.3-11.el7rhgs.src.rpm

noarch:
python-flask-0.10.1-5.el7rhgs.noarch.rpm
python-flask-doc-0.10.1-5.el7rhgs.noarch.rpm
python-itsdangerous-0.23-2.el7.noarch.rpm
tendrl-ansible-1.6.3-7.el7rhgs.noarch.rpm
tendrl-api-1.6.3-5.el7rhgs.noarch.rpm
tendrl-api-httpd-1.6.3-5.el7rhgs.noarch.rpm
tendrl-commons-1.6.3-12.el7rhgs.noarch.rpm
tendrl-grafana-plugins-1.6.3-11.el7rhgs.noarch.rpm
tendrl-monitoring-integration-1.6.3-11.el7rhgs.noarch.rpm
tendrl-node-agent-1.6.3-10.el7rhgs.noarch.rpm
tendrl-notifier-1.6.3-4.el7rhgs.noarch.rpm
tendrl-ui-1.6.3-11.el7rhgs.noarch.rpm
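After applying the update, a practitioner wants to confirm that every affected package on each node is at or above the fixed NVR listed above, rather than trusting that the update transaction completed. The following added example (not part of the advisory) does that comparison in Ruby with an rpmvercmp-style version comparison; the fixed versions are taken from the package list above, and the input is assumed to be the output of `rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n'`. The sample inventory embedded in the block is constructed for the example.

```ruby
# Fixed version-release strings from the package list of RHSA-2018:2616.
FIXED = {
  'tendrl-api'                    => '1.6.3-5.el7rhgs',
  'tendrl-api-httpd'              => '1.6.3-5.el7rhgs',
  'tendrl-ansible'                => '1.6.3-7.el7rhgs',
  'tendrl-commons'                => '1.6.3-12.el7rhgs',
  'tendrl-gluster-integration'    => '1.6.3-10.el7rhgs',
  'tendrl-grafana-plugins'        => '1.6.3-11.el7rhgs',
  'tendrl-monitoring-integration' => '1.6.3-11.el7rhgs',
  'tendrl-node-agent'             => '1.6.3-10.el7rhgs',
  'tendrl-notifier'               => '1.6.3-4.el7rhgs',
  'tendrl-ui'                     => '1.6.3-11.el7rhgs',
  'python-flask'                  => '0.10.1-5.el7rhgs',
  'python-flask-doc'              => '0.10.1-5.el7rhgs',
  'python-itsdangerous'           => '0.23-2.el7'
}.freeze

# Split a version string into runs of digits and runs of letters,
# the way rpmvercmp does; separators such as '.' carry no meaning.
def segments(str)
  str.scan(/\d+|[a-zA-Z]+/)
end

# rpmvercmp-style comparison of two version (or release) strings:
# digit runs compare numerically, letter runs lexically, a digit run
# beats a letter run, and the string with segments left over is newer.
def vercmp(a, b)
  sa = segments(a)
  sb = segments(b)
  [sa.length, sb.length].max.times do |i|
    x = sa[i]
    y = sb[i]
    return -1 if x.nil?
    return 1 if y.nil?
    xn = x.match?(/\A\d+\z/)
    yn = y.match?(/\A\d+\z/)
    if xn && yn
      c = x.to_i <=> y.to_i
    elsif xn
      return 1
    elsif yn
      return -1
    else
      c = x <=> y
    end
    return c unless c.zero?
  end
  0
end

# Compare "VERSION-RELEASE" strings: version first, release as tie-breaker.
def nvr_cmp(a, b)
  av, ar = a.split('-', 2)
  bv, br = b.split('-', 2)
  c = vercmp(av, bv)
  c.zero? ? vercmp(ar.to_s, br.to_s) : c
end

# Return [name, installed, required] for every listed package that is
# installed at a version-release older than the advisory's fixed one.
def outdated(rpm_qa_output)
  rpm_qa_output.each_line.each_with_object([]) do |line, out|
    name, ver = line.split
    next unless name && ver && FIXED.key?(name)
    out << [name, ver, FIXED[name]] if nvr_cmp(ver, FIXED[name]) < 0
  end
end

# Constructed sample inventory standing in for `rpm -qa` output.
SAMPLE = <<~RPM
  tendrl-api 1.6.3-4.el7rhgs
  tendrl-api-httpd 1.6.3-5.el7rhgs
  tendrl-commons 1.6.3-9.el7rhgs
  tendrl-ui 1.6.3-11.el7rhgs
  python-flask 0.10.1-5.el7rhgs
  glusterfs-server 3.12.2-18.el7rhgs
RPM

if __FILE__ == $PROGRAM_NAME
  outdated(SAMPLE).each do |name, have, need|
    puts "#{name}: installed #{have}, advisory requires #{need}"
  end
end
```

Run it on a node by piping the real `rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n'` output into `outdated`; an empty result means every package this advisory ships is current. Packages not in the list, such as glusterfs-server in the sample, are ignored rather than reported, since this advisory says nothing about them.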

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2018-1127
https://access.redhat.com/security/updates/classification/#low
https://access.redhat.com/site/documentation/en-US/red_hat_gluster_storage/3.4/html/3.4_release_notes/

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2018 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----

--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce