An ACL bypass flaw was found in Pacemaker. When ACLs are not in use, any user in the haclient group has full access to the configuration, which effectively gives them the ability to run any code as root. When ACLs are in use, users still must be in the haclient group, but their read and write access to various parts of the configuration is limited by the configured ACLs. The vulnerability is that users can communicate directly over IPC with the various daemons to perform certain tasks that the ACLs would prevent them from doing if they went through the configuration.
Created attachment 1722698: Fix for pacemaker CVE-2020-25654 (upstream master branch as of 2020-10-18)
Created attachment 1722699: Fix for pacemaker CVE-2020-25654 (upstream 2.0.4 release)
Created attachment 1722700: Fix for pacemaker CVE-2020-25654 (upstream 2.0.3 release)
Created attachment 1722701: Fix for pacemaker CVE-2020-25654 (upstream 1.1.23 release)
Patches attached. Each patch is the same fix, but applicable to different points in the upstream code base (master branch as of this morning, the two most recent upstream releases 2.0.4 and 2.0.3, and the most recent release of the previous upstream major series 1.1.23).
Created pacemaker tracking bugs for this issue:
Affects: fedora-all [bug 1891718]
Affects: openstack-rdo [bug 1891719]
Acknowledgments: Name: Ken Gaillot (Red Hat)
Upstream announcements:
* https://lists.clusterlabs.org/pipermail/users/2020-October/027840.html
* https://lists.clusterlabs.org/pipermail/developers/2020-October/002324.html
Upstream releases that include the fix:
* https://github.com/ClusterLabs/pacemaker/releases/tag/Pacemaker-2.0.5-rc2
* https://github.com/ClusterLabs/pacemaker/releases/tag/Pacemaker-1.1.24-rc1
External References:
* https://seclists.org/oss-sec/2020/q4/83
* https://lists.clusterlabs.org/pipermail/users/2020-October/027840.html
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.2 Extended Update Support Via RHSA-2020:5423 https://access.redhat.com/errata/RHSA-2020:5423
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2020:5453 https://access.redhat.com/errata/RHSA-2020:5453
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-25654
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2020:5487 https://access.redhat.com/errata/RHSA-2020:5487
Statement: Red Hat Gluster Storage 3 no longer maintains its own version of Pacemaker. The prerequisite is to enable the "Red Hat Enterprise Linux High Availability (for RHEL X Server)" repository. The fix will be consumed from the RHEL High Availability repository.