Red Hat Bugzilla – Bug 1135361
CVE-2014-3563 salt: insecure tmp file creation in seed.py, salt-ssh, and salt-cloud
Last modified: 2014-10-20 20:07:09 EDT
It was found that seed.py, salt-ssh and salt-cloud read files from predictable file names in /tmp. The contents of these files were then used as input to other processes, or directly executed. A local attacker could overwrite these files with malicious versions before they are read by salt, potentially leading to a variety of impacts, including code execution. If salt is running as root (which is the default), code execution as root may be possible.
Statement: Inktank Ceph Enterprise 1.2 only receives qualified Important and Critical impact security fixes. This issue has been rated as having Moderate security impact and is not currently planned to be addressed in future updates. For additional information, refer to the Inktank Ceph Enterprise Support Matrix: http://www.inktank.com/enterprise/support/
Upstream has released an updated version: Salt 2014.1.10 fixes security issues documented by CVE-2014-3563: "Insecure tmp-file creation in seed.py, salt-ssh, and salt-cloud." Upgrading is recommended. External References: http://docs.saltstack.com/en/latest/topics/releases/2014.1.10.html https://github.com/saltstack/salt/releases/tag/v2014.1.10