An information-disclosure flaw was found in the way that gluster-block before 0.5.1 logs the output from gluster-block CLI operations. This includes recording passwords to the cmd_history.log file, which is world-readable. This flaw allows local users to obtain sensitive information by reading the log file. The highest threat from this vulnerability is to data confidentiality.
Information written to log files can be of a sensitive nature and give valuable guidance to an attacker or expose sensitive user information.
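As an added example (not gluster-block's own code), the two mitigations this flaw calls for: redacting secret values before a CLI result is written to the history log, and creating that log owner-readable only, plus an audit check for the world-readable condition. The secret markers, the sample CLI output and the log path are assumptions, since the page does not show the cmd_history.log format.

```c
#include <fcntl.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>
/* Assumed markers for secrets in CLI output; the page does not give the exact
 * cmd_history.log format, so these are illustrative and matched as written. */
static const char *SECRET_KEYS[] = { "PASSWORD:", "password=", NULL };
/* Copy line into out with each secret value replaced by "<redacted>";
 * returns how many values were redacted, or -1 if out is too small. */
int redact_secrets(const char *line, char *out, size_t outlen)
{
    size_t pos = 0; int count = 0;
    for (const char *p = line; *p; ) {
        const char *key = NULL;
        for (int i = 0; SECRET_KEYS[i]; i++)
            if (strncmp(p, SECRET_KEYS[i], strlen(SECRET_KEYS[i])) == 0)
                key = SECRET_KEYS[i];
        if (!key) { if (pos + 1 >= outlen) return -1; out[pos++] = *p++; continue; }
        size_t n = strlen(key);                         /* keep the marker ... */
        while (n-- > 0) { if (pos + 1 >= outlen) return -1; out[pos++] = *p++; }
        while (*p == ' ') { if (pos + 1 >= outlen) return -1; out[pos++] = *p++; }
        while (*p && !strchr(" ,\"\n", *p)) p++;       /* ... but drop the value */
        if (pos + 11 > outlen) return -1;
        memcpy(out + pos, "<redacted>", 10); pos += 10; count++;
    }
    out[pos] = '\0';
    return count;
}
/* Append one redacted line; the file is created 0600 (owner-only) so other
 * local users cannot read it. Returns 0 on success, -1 on failure. */
int append_log_redacted(const char *path, const char *line)
{
    char buf[1024];
    if (redact_secrets(line, buf, sizeof buf - 1) < 0) return -1;
    strcat(buf, "\n");
    int fd = open(path, O_WRONLY | O_CREAT | O_APPEND, 0600);
    if (fd < 0) return -1;
    ssize_t w = write(fd, buf, strlen(buf));
    close(fd);
    return w == (ssize_t)strlen(buf) ? 0 : -1;
}
/* Audit: 1 if group or others can read path (the CVE's condition), 0 if owner-only, -1 on error. */
int log_readable_by_others(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0) return -1;
    return (st.st_mode & (S_IRGRP | S_IROTH)) ? 1 : 0;
}
```

Run `log_readable_by_others` against an existing cmd_history.log to confirm whether a deployed host still exposes it; an affected install will return 1.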
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Gluster-block | Red Hat | * | 0.5.1 (excluding) |
| Native Client for RHEL 7 for Red Hat Storage | Red Hat | heketi-0:9.0.0-9.5.el7rhgs | * |
| Red Hat Gluster Storage 3.5 for RHEL 7 | Red Hat | gluster-block-0:0.2.1-36.2.el7rhgs | * |
| Red Hat Gluster Storage 3.5 for RHEL 7 | Red Hat | heketi-0:9.0.0-9.5.el7rhgs | * |
| Red Hat Gluster Storage 3.5 for RHEL 7 | Red Hat | tcmu-runner-0:1.2.0-32.2.el7rhgs | * |
While logging all information may be helpful during development stages, it is important that logging levels be set appropriately before a product ships so that sensitive user data and system information are not accidentally exposed to potential attackers. Different log files may be produced and stored for: