{
  "threat_severity" : "Moderate",
  "public_date" : "2018-10-31T08:00:00Z",
  "bugzilla" : {
    "description" : "glusterfs: Repeat use of \"GF_META_LOCK_KEY\" xattr allows for memory exhaustion",
    "id" : "1635926",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1635926"
  },
  "cvss3" : {
    "cvss3_base_score" : "6.5",
    "cvss3_scoring_vector" : "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-770",
  "details" : [ "A flaw was found in glusterfs server through versions 4.1.4 and 3.1.2 which allowed repeated usage of GF_META_LOCK_KEY xattr. A remote, authenticated attacker could use this flaw to create multiple locks for single inode by using setxattr repetitively resulting in memory exhaustion of glusterfs server node.", "A flaw was found in glusterfs server which allowed repeated usage of GF_META_LOCK_KEY xattr. A remote, authenticated attacker could use this flaw to create multiple locks for single inode by using setxattr repetitively resulting in memory exhaustion of glusterfs server node." ],
  "statement" : "This issue did not affect Red Hat Enterprise Linux 6 and 7 as the flaw is present in glusterfs-server, which is not shipped there.\nThis flaw affects glusterfs versions included in Red Hat Virtualization 4 Hypervisor. However, in recommended configurations, the vulnerability is only exposed to hypervisor administrators and can not be exploited from virtual machines or other hosts on the network.",
  "acknowledgement" : "Red Hat would like to thank Michael Hanselmann (hansmi.ch) for reporting this issue.",
  "affected_release" : [ {
    "product_name" : "Native Client for RHEL 6 for Red Hat Storage",
    "release_date" : "2018-10-31T00:00:00Z",
    "advisory" : "RHSA-2018:3431",
    "cpe" : "cpe:/a:redhat:storage:3:client:el6",
    "package" : "glusterfs-0:3.12.2-25.el6"
  }, {
    "product_name" : "Native Client for RHEL 7 for Red Hat Storage",
    "release_date" : "2018-10-31T00:00:00Z",
    "advisory" : "RHSA-2018:3432",
    "cpe" : "cpe:/a:redhat:storage:3:client:el7",
    "package" : "glusterfs-0:3.12.2-25.el7"
  }, {
    "product_name" : "Red Hat Gluster Storage 3.4 for RHEL 6",
    "release_date" : "2018-10-31T00:00:00Z",
    "advisory" : "RHSA-2018:3431",
    "cpe" : "cpe:/a:redhat:storage:3.4:server:el6",
    "package" : "glusterfs-0:3.12.2-25.el6rhs"
  }, {
    "product_name" : "Red Hat Gluster Storage 3.4 for RHEL 6",
    "release_date" : "2018-10-31T00:00:00Z",
    "advisory" : "RHSA-2018:3431",
    "cpe" : "cpe:/a:redhat:storage:3.4:server:el6",
    "package" : "redhat-storage-server-0:3.4.1.0-1.el6rhs"
  }, {
    "product_name" : "Red Hat Gluster Storage 3.4 for RHEL 7",
    "release_date" : "2018-10-31T00:00:00Z",
    "advisory" : "RHSA-2018:3432",
    "cpe" : "cpe:/a:redhat:storage:3.4:server:el7",
    "package" : "glusterfs-0:3.12.2-25.el7rhgs"
  }, {
    "product_name" : "Red Hat Gluster Storage 3.4 for RHEL 7",
    "release_date" : "2018-10-31T00:00:00Z",
    "advisory" : "RHSA-2018:3432",
    "cpe" : "cpe:/a:redhat:storage:3.4:server:el7",
    "package" : "redhat-storage-server-0:3.4.1.0-1.el7rhgs"
  }, {
    "product_name" : "Red Hat Virtualization 4 for Red Hat Enterprise Linux 7",
    "release_date" : "2018-10-31T00:00:00Z",
    "advisory" : "RHSA-2018:3432",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7::hypervisor",
    "package" : "glusterfs-0:3.12.2-25.el7"
  }, {
    "product_name" : "Red Hat Virtualization 4 for Red Hat Enterprise Linux 7",
    "release_date" : "2018-11-05T00:00:00Z",
    "advisory" : "RHSA-2018:3470",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7::hypervisor",
    "package" : "imgbased-0:1.0.29-1.el7ev"
  }, {
    "product_name" : "Red Hat Virtualization 4 for Red Hat Enterprise Linux 7",
    "release_date" : "2018-11-05T00:00:00Z",
    "advisory" : "RHSA-2018:3470",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7::hypervisor",
    "package" : "redhat-release-virtualization-host-0:4.2-7.3.el7"
  }, {
    "product_name" : "Red Hat Virtualization 4 for Red Hat Enterprise Linux 7",
    "release_date" : "2018-11-05T00:00:00Z",
    "advisory" : "RHSA-2018:3470",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7::hypervisor",
    "package" : "redhat-virtualization-host-0:4.2-20181026.0.el7_6"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Not affected",
    "package_name" : "glusterfs",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "glusterfs",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "glusterfs",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2018-14660\nhttps://nvd.nist.gov/vuln/detail/CVE-2018-14660" ],
  "name" : "CVE-2018-14660",
  "csaw" : false
}