CVE-2018-10924 — Uncontrolled Resource Consumption in Glusterfs

CWE-400 — Uncontrolled Resource Consumption CWE-772 — Missing Release of Resource after Effective Lifetime9 documents8 sources

Severity

6.5MEDIUMNVD

CNA5.3

EPSS

0.7%

top 27.34%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Gluster Glusterfs RED HAT Glusterfs

Timeline

PublishedSep 4

Latest updateMay 13

Description

It was discovered that fsync(2) system call in glusterfs client code leaks memory. An authenticated attacker could use this flaw to launch a denial of service attack by making gluster clients consume memory of the host machine.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:HExploitability: 2.8 | Impact: 3.6

Affected Packages3 packages

▶NVDgluster/glusterfs3.12.11 — 3.12.14+1

▶Debiangluster/glusterfs< 4.0.1-1+3

▶CVEListV5red_hat/glusterfsn/a

Patches

Patch: review.gluster.org ↗Patch: review.gluster.org ↗

🔴Vulnerability Details

GHSA

GHSA-cjxq-5pxf-g82j: It was discovered that fsync(2) system call in glusterfs client code leaks memory↗2022-05-13

▶

CVEList

CVE-2018-10924: It was discovered that fsync(2) system call in glusterfs client code leaks memory↗2018-09-04

▶

OSV

CVE-2018-10924: It was discovered that fsync(2) system call in glusterfs client code leaks memory↗2018-09-04

▶

📋Vendor Advisories

Ubuntu

GlusterFS vulnerabilities↗2021-03-15

▶

Red Hat

glusterfs: Denial-of-service via fsync(2) in Gluster FUSE client↗2018-09-04

▶

Debian

CVE-2018-10924: glusterfs - It was discovered that fsync(2) system call in glusterfs client code leaks memor...↗2018

▶

💬Community

Bugzilla

CVE-2018-10924 glusterfs: Denial-of-service via fsync(2) in Gluster FUSE client [fedora-all]↗2018-09-04

▶

Bugzilla

CVE-2018-10924 glusterfs: Denial-of-service via fsync(2) in Gluster FUSE client↗2018-08-02

▶