Bug 1888191 (CVE-2020-25654)
| Field | Value |
|---|---|
| Summary | CVE-2020-25654 pacemaker: ACL restrictions bypass |
| Product | [Other] Security Response |
| Reporter | Michael Kaplan <mkaplan> |
| Component | vulnerability |
| Assignee | Red Hat Product Security <security-response-team> |
| Status | CLOSED ERRATA |
| QA Contact | |
| Severity | medium |
| Docs Contact | |
| Priority | medium |
| Version | unspecified |
| CC | andrew, anprice, clumens, cluster-maint, dbecker, fedora, huzaifas, hvyas, jjoyce, jschluet, kgaillot, kwenning, lhh, lpeer, mburns, puebele, sclewis, security-response-team, slinaber |
| Target Milestone | --- |
| Keywords | Security |
| Target Release | --- |
| Hardware | All |
| OS | Linux |
| Whiteboard | |
| Fixed In Version | pacemaker 1.1.24-rc1, pacemaker 2.0.5-rc2 |
| Doc Type | If docs needed, set a value |
| Doc Text | An ACL bypass flaw was found in Pacemaker. This flaw allows an attacker with a local account on the cluster and in the haclient group to use IPC communication with various daemons to directly perform certain tasks that would be prevented if they had gone through configured ACLs. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability. |
| Story Points | --- |
| Clone Of | |
| Environment | |
| Last Closed | 2020-12-15 12:47:04 UTC |
| Type | --- |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| CRM | |
| Verified Versions | |
| Category | --- |
| oVirt Team | --- |
| RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- |
| Target Upstream Version | |
| Embargoed | |
| Bug Depends On | 1889582, 1891528, 1891529, 1891718, 1891719, 1892140 |
| Bug Blocks | 1887376 |
| Attachments | |
Description (Michael Kaplan, 2020-10-14 10:49:00 UTC)

Created attachment 1722698 [details] Fix for pacemaker CVE-2020-25654 (upstream master branch as of 2020-10-18)
Created attachment 1722699 [details] Fix for pacemaker CVE-2020-25654 (upstream 2.0.4 release)
Created attachment 1722700 [details] Fix for pacemaker CVE-2020-25654 (upstream 2.0.3 release)
Created attachment 1722701 [details] Fix for pacemaker CVE-2020-25654 (upstream 1.1.23 release)

Patches attached. Each patch is the same fix, but applicable to different points in the upstream code base (master branch as of this morning, the two most recent upstream releases 2.0.4 and 2.0.3, and the most recent release of the previous upstream major series 1.1.23).

Created pacemaker tracking bugs for this issue:

Affects: fedora-all [bug 1891718]
Affects: openstack-rdo [bug 1891719]

Acknowledgments:

Name: Ken Gaillot (Red Hat)

Upstream announcements:

* https://lists.clusterlabs.org/pipermail/users/2020-October/027840.html
* https://lists.clusterlabs.org/pipermail/developers/2020-October/002324.html

Upstream releases that include the fix:

* https://github.com/ClusterLabs/pacemaker/releases/tag/Pacemaker-2.0.5-rc2
* https://github.com/ClusterLabs/pacemaker/releases/tag/Pacemaker-1.1.24-rc1

External References:

https://seclists.org/oss-sec/2020/q4/83
https://lists.clusterlabs.org/pipermail/users/2020-October/027840.html

This issue has been addressed in the following products:

Red Hat Enterprise Linux 8.2 Extended Update Support
Via RHSA-2020:5423 https://access.redhat.com/errata/RHSA-2020:5423

This issue has been addressed in the following products:

Red Hat Enterprise Linux 7
Via RHSA-2020:5453 https://access.redhat.com/errata/RHSA-2020:5453

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-25654

This issue has been addressed in the following products:

Red Hat Enterprise Linux 8
Via RHSA-2020:5487 https://access.redhat.com/errata/RHSA-2020:5487

Statement: Red Hat Gluster Storage 3 no longer maintains its own version of Pacemaker. The prerequisite is to enable the "Red Hat Enterprise Linux High Availability (for RHEL X Server)" repository. The fix will be consumed from the RHEL High Availability repository.