An ACL bypass flaw was found in pacemaker. When ACLs are not in use, any user in the haclient group has full access to the configuration, which effectively gives them the ability to run any code as root.
When ACLs are in use, users still must be in the haclient group, but their read and write access to various parts of the configuration is limited by configured ACLs.
The vulnerability is that users may use IPC communication with the various daemons directly to perform certain tasks that they would be prevented by ACLs from doing if they went through the configuration.
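An added audit sketch for the exposure described above (not part of the original report or of pacemaker's own code): it reads a CIB dump and a haclient group line and reports which accounts can reach the daemons and which of them rely on ACLs for their limits. The sample CIB and group line are constructed; the `audit` function and its result keys are hypothetical names.

```python
import xml.etree.ElementTree as ET

# Constructed sample: trimmed CIB in the form `cibadmin --query` prints.
SAMPLE_CIB = """<cib><configuration>
  <crm_config><cluster_property_set id="cib-bootstrap-options">
    <nvpair id="opt-acl" name="enable-acl" value="true"/>
  </cluster_property_set></crm_config>
  <acls>
    <acl_role id="read-only">
      <acl_permission id="ro-all" kind="read" xpath="/cib"/>
    </acl_role>
    <acl_target id="alice"><role id="read-only"/></acl_target>
  </acls>
</configuration></cib>"""

# Constructed sample: one line in the form `getent group haclient` prints.
SAMPLE_GROUP = "haclient:x:189:alice,bob"

TRUE_VALUES = {"true", "on", "yes", "y", "1"}

def audit(cib_xml, group_line):
    """Report who can reach the daemons and whose limits rest on ACLs."""
    root = ET.fromstring(cib_xml)
    acl_enabled = any(
        nv.get("name") == "enable-acl"
        and nv.get("value", "").lower() in TRUE_VALUES
        for nv in root.findall("./configuration/crm_config//nvpair")
    )
    # Supplementary members only; accounts whose primary group is haclient
    # do not appear in this field and must be checked in the passwd database.
    members = sorted(u for u in group_line.strip().split(":")[3].split(",") if u)
    targets = {t.get("id") for t in root.findall("./configuration/acls/acl_target")}
    return {
        "acl_enabled": acl_enabled,
        "haclient_members": members,
        # Per the description: without ACLs, every member has full access.
        "full_access": [] if acl_enabled else members,
        # With ACLs on, these accounts are the ones whose restrictions the
        # direct-IPC path sidestepped on unpatched builds.
        "acl_restricted": [u for u in members if acl_enabled and u in targets],
    }

if __name__ == "__main__":
    for key, value in audit(SAMPLE_CIB, SAMPLE_GROUP).items():
        print(f"{key}: {value}")
```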
Created attachment 1722698
Fix for pacemaker CVE-2020-25654 (upstream master branch as of 2020-10-18)
Created attachment 1722699
Fix for pacemaker CVE-2020-25654 (upstream 2.0.4 release)
Created attachment 1722700
Fix for pacemaker CVE-2020-25654 (upstream 2.0.3 release)
Created attachment 1722701
Fix for pacemaker CVE-2020-25654 (upstream 1.1.23 release)
Patches attached. Each patch is the same fix, but applicable to different points in the upstream code base (master branch as of this morning, the two most recent upstream releases 2.0.4 and 2.0.3, and the most recent release of the previous upstream major series 1.1.23).
Created pacemaker tracking bugs for this issue:
Affects: fedora-all [bug 1891718]
Affects: openstack-rdo [bug 1891719]
Name: Ken Gaillot (Red Hat)
Upstream releases that include the fix:
Red Hat Gluster Storage 3 no longer maintains its own version of pacemaker; the prerequisite is to enable the "Red Hat Enterprise Linux High Availability (for RHEL X Server)" repository. The fix will be consumed from the RHEL High Availability repository.