===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.3897
               Moderate: RHGS WA security and bug fix update
                             17 December 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Red Hat Gluster Storage
Publisher:         Red Hat
Operating System:  Red Hat Enterprise Linux Server 7
                   Red Hat Enterprise Linux WS/Desktop 7
Impact/Access:     Unauthorised Access -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-15727  

Reference:         ESB-2018.2608

Original Bulletin: 
   https://access.redhat.com/errata/RHSA-2018:3829

- --------------------------BEGIN INCLUDED TEXT--------------------

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: RHGS WA security and bug fix update
Advisory ID:       RHSA-2018:3829-01
Product:           Red Hat Gluster Storage
Advisory URL:      https://access.redhat.com/errata/RHSA-2018:3829
Issue date:        2018-12-17
CVE Names:         CVE-2018-15727
=====================================================================

1. Summary:

Updated packages are now available for Red Hat Gluster Storage 3.4 Web
Administration on Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Gluster 3.4 Web Administration Node Agent on RHEL-7 - noarch
Red Hat Gluster 3.4 Web Administration on RHEL-7 - noarch, x86_64

3. Description:

Red Hat Gluster Storage Web Administration includes a fully automated setup
based on Ansible and provides deep metrics and insights into active Gluster
storage pools by using the Grafana platform. Red Hat Gluster Storage Web
Administration provides a dashboard view which allows an administrator to
get a view of overall gluster health in terms of hosts, volumes, bricks,
and other components of GlusterFS.

Security Fix(es):

* grafana: authentication bypass knowing only a username of an LDAP or
OAuth user (CVE-2018-15727)

For more details about the security issue(s), including the impact, a CVSS
score, and other related information, refer to the CVE page(s) listed in
the References section.

All users of Red Hat Gluster Storage Web Administration are advised to
upgrade to these updated packages, which provide numerous bug fixes.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1599291 - Strange behavior of closing functionality of list of hosts popup
          window
1610668 - Multiple popups are created when deleting user
1611991 - Unmanage information and confirmation popups are created multiple
          times
1624088 - CVE-2018-15727 grafana: authentication bypass knowing only a
          username of an LDAP or OAuth user
1627651 - Upgrade patternfly version
1627988 - Tendrl Branding changes
1629520 - Fix context switcher CSS issue
1630344 - Sometimes node-agent message socket file "message.sock" is missing
1641413 - Volume utilization calculation not happening for all volumes when any
          one volume bricks are down
1642574 - don't open port 3000/tcp on WA server for grafana
1650557 - Grafana is not working after WA upgrade to BU2
1656057 - Utilization alerts are not working
1656064 - Capacity alerts are not working

6. Package List:

Red Hat Gluster 3.4 Web Administration Node Agent on RHEL-7:

Source:
tendrl-gluster-integration-1.6.3-13.el7rhgs.src.rpm
tendrl-node-agent-1.6.3-11.el7rhgs.src.rpm

noarch:
tendrl-gluster-integration-1.6.3-13.el7rhgs.noarch.rpm
tendrl-node-agent-1.6.3-11.el7rhgs.noarch.rpm

Red Hat Gluster 3.4 Web Administration on RHEL-7:

Source:
grafana-4.6.4-1.el7rhgs.src.rpm
tendrl-ansible-1.6.3-10.el7rhgs.src.rpm
tendrl-api-1.6.3-8.el7rhgs.src.rpm
tendrl-monitoring-integration-1.6.3-16.el7rhgs.src.rpm
tendrl-node-agent-1.6.3-11.el7rhgs.src.rpm
tendrl-ui-1.6.3-14.el7rhgs.src.rpm

noarch:
tendrl-ansible-1.6.3-10.el7rhgs.noarch.rpm
tendrl-api-1.6.3-8.el7rhgs.noarch.rpm
tendrl-api-httpd-1.6.3-8.el7rhgs.noarch.rpm
tendrl-grafana-plugins-1.6.3-16.el7rhgs.noarch.rpm
tendrl-monitoring-integration-1.6.3-16.el7rhgs.noarch.rpm
tendrl-node-agent-1.6.3-11.el7rhgs.noarch.rpm
tendrl-ui-1.6.3-14.el7rhgs.noarch.rpm

x86_64:
grafana-4.6.4-1.el7rhgs.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
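As an added example (not part of the Red Hat or AusCERT text), the following Python check compares `rpm -qa` output against the fixed builds in the package list above, using an rpm-style version/release comparison so that, for instance, release 9 sorts below release 14. The inventory it runs on is a constructed sample, not output from a real host.

```python
import re
def split_nvr(nvr):
    # split from the right: names such as tendrl-api-httpd contain hyphens
    name, version, release = nvr.rsplit("-", 2)
    return name, (version, release)

# fixed builds, taken from this advisory's package list (RHSA-2018:3829)
FIXED = dict(split_nvr(p) for p in """
grafana-4.6.4-1.el7rhgs tendrl-ansible-1.6.3-10.el7rhgs
tendrl-api-1.6.3-8.el7rhgs tendrl-api-httpd-1.6.3-8.el7rhgs
tendrl-grafana-plugins-1.6.3-16.el7rhgs tendrl-monitoring-integration-1.6.3-16.el7rhgs
tendrl-node-agent-1.6.3-11.el7rhgs tendrl-ui-1.6.3-14.el7rhgs
tendrl-gluster-integration-1.6.3-13.el7rhgs
""".split())

def rpmvercmp(a, b):
    # rpm-style compare: numeric runs as integers, alphabetic runs lexically;
    # numeric beats alphabetic, and leftover segments make a string newer
    sa, sb = (re.findall(r"\d+|[A-Za-z]+", s) for s in (a, b))
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return 1 if int(x) > int(y) else -1
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        elif x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def evr_cmp(installed, fixed):
    # version decides first, then release; rpm -qa does not print the epoch
    return rpmvercmp(installed[0], fixed[0]) or rpmvercmp(installed[1], fixed[1])

def unpatched(rpm_qa_output):
    # names of advisory packages installed at a build older than the fix
    found = []
    for line in filter(str.strip, rpm_qa_output.splitlines()):
        name, evr = split_nvr(line.strip().rsplit(".", 1)[0])  # drop .arch
        if name in FIXED and evr_cmp(evr, FIXED[name]) < 0:
            found.append(name)
    return found

# constructed sample rpm -qa output (not from a real host)
SAMPLE = """\
grafana-4.6.2-1.el7rhgs.x86_64
tendrl-api-1.6.3-8.el7rhgs.noarch
tendrl-ui-1.6.3-9.el7rhgs.noarch
bash-4.2.46-31.el7.x86_64
"""
```

Feed it the real output of `rpm -qa` on the WA server and node-agent hosts; an empty result means every advisory package present is at or above the fixed build.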

7. References:

https://access.redhat.com/security/cve/CVE-2018-15727
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2018 Red Hat, Inc.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================