Bug 1796636 (CVE-2019-17361)

Summary: CVE-2019-17361 salt: salt-api NET API with the ssh client enabled is vulnerable to command injection
Product: [Other] Security Response Reporter: Guilherme de Almeida Suckevicz <gsuckevi>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: david-dm.murphy, hvyas, itamar, sisharma
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: No Doc Update
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2020-01-31 08:09:31 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1796640    
Bug Blocks: 1796638    

Description Guilherme de Almeida Suckevicz 2020-01-30 20:00:26 UTC 
In SaltStack Salt through 2019.2.0, the salt-api NET API with the ssh client enabled is vulnerable to command injection. This allows an unauthenticated attacker with network access to the API endpoint to execute arbitrary code on the salt-api host.

Reference:
https://docs.saltstack.com/en/latest/topics/releases/2019.2.3.html#security-fix
Comment 1 Guilherme de Almeida Suckevicz 2020-01-30 20:03:34 UTC 
Created salt tracking bugs for this issue:

Affects: epel-all [bug 1796640]
Comment 2 Siddharth Sharma 2020-01-31 07:25:16 UTC 
Statement:

salt-api is not used and not shipped with Red Hat Ceph Storage 2.
Comment 3 Product Security DevOps Team 2020-01-31 08:09:31 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-17361