Users of Salt-API and salt-ssh could execute a command on the salt master via a hole when both systems were enabled.
Created salt tracking bugs for this issue:
Affects: epel-all [bug 1418350]
Disable salt-api for mitigation.
This issue did not affect the versions of the salt as shipped with Red Hat Ceph Storage 1.3, Red Hat Ceph Storage 2, and Red Hat Storage Console 2 as salt-api and salt-ssh are not shipped with these products.