CVE-2018-10911
Published: 4 September 2018
A flaw was found in the way dic_unserialize function of glusterfs does not handle negative key length values. An attacker could use this flaw to read memory from other locations into the stored dict value.
From the Ubuntu Security Team
It was discovered that GlusterFS incorrectly handled negative key length values. An attacker could possibly use this issue to obtain sensitive information.
Priority
Status
| Package | Release | Status |
|---|---|---|
|
glusterfs Launchpad, Ubuntu, Debian |
bionic |
Released
(3.13.2-1ubuntu1+esm1)
Available with Ubuntu Pro |
| cosmic |
Ignored
(end of life)
|
|
| disco |
Not vulnerable
(4.1.4-1)
|
|
| eoan |
Not vulnerable
(4.1.4-1)
|
|
| focal |
Not vulnerable
(4.1.4-1)
|
|
| groovy |
Not vulnerable
(4.1.4-1)
|
|
| hirsute |
Not vulnerable
(4.1.4-1)
|
|
| impish |
Not vulnerable
(4.1.4-1)
|
|
| jammy |
Not vulnerable
(4.1.4-1)
|
|
| kinetic |
Not vulnerable
(4.1.4-1)
|
|
| lunar |
Not vulnerable
(4.1.4-1)
|
|
| trusty |
Released
(3.4.2-1ubuntu1+esm1)
Available with Ubuntu Pro or Ubuntu Pro (Infra-only) |
|
| upstream |
Needs triage
|
|
| xenial |
Released
(3.7.6-1ubuntu1+esm1)
Available with Ubuntu Pro |
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score | 7.5 |
| Attack vector | Network |
| Attack complexity | Low |
| Privileges required | None |
| User interaction | None |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity impact | None |
| Availability impact | None |
| Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
References
- https://bugzilla.redhat.com/show_bug.cgi?id=1601657
- https://review.gluster.org/21067
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-10911
- https://review.gluster.org/#/c/glusterfs/+/21067/
- https://ubuntu.com/security/notices/USN-4770-1
- https://www.cve.org/CVERecord?id=CVE-2018-10911
- NVD
- Launchpad
- Debian