A Local Privilege Escalation vulnerability (from any user to root) was found in polkit's pkexec, a SUID-root program that is installed by default on every major Linux distribution.
OSD clusters are affected with low severity, just because some clusters are making use of packages which have dependencies on polkit (e.g. timedatex). Also, regarding OCP, the polkit package was shipped in OCP 4.7 only.
There's an issue in pkexec where it doesn't validate the argument count, assuming it will always be at least 1 and that the second value is either NULL or the command to be executed by pkexec as a privileged user. If an attacker successfully forces the argument array to be empty, this means pkexec will interpret content from the environment array as the application to be executed. An attacker can leverage this by manipulating these variables to contain specific values and payloads, allowing them to be executed as a privileged user without any authentication being requested.
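The missing argument-count check described above, as an added example (not polkit's code and not part of the original report): a simplified model in which `slots`, `build_stack`, `command_unchecked` and `command_checked` are hypothetical names and all strings are constructed sample data. It shows that with an empty argument array the slot read as the command is the first environment string, and that rejecting `argc < 1` before indexing closes that path.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the initial stack: argv pointers, NULL, envp pointers, NULL. */
static char *slots[8];

/* Lay out args and env contiguously; returns the address that plays the role of argv. */
char **build_stack(int argc, char *const args[], char *const env[]) {
    int i = 0;
    for (int a = 0; a < argc; a++) slots[i++] = args[a];
    slots[i++] = NULL;                      /* argv[argc] terminator */
    for (int e = 0; env[e] != NULL; e++) slots[i++] = env[e];
    slots[i] = NULL;                        /* envp terminator */
    return slots;
}

/* Unguarded scan: starts at index 1 and trusts argv[1] to be the command or NULL. */
const char *command_unchecked(int argc, char **argv) {
    int n;
    for (n = 1; n < argc; n++)
        if (argv[n][0] != '-') break;       /* first non-option is the command */
    return argv[n];
}

/* Guarded scan: an empty argument vector is rejected before any indexing. */
const char *command_checked(int argc, char **argv) {
    if (argc < 1) return NULL;
    return command_unchecked(argc, argv);
}

/* Constructed sample data, not taken from the page. */
static char *const sample_env[] = { "EXAMPLE_VAR=from-environment", NULL };
static char *const sample_args[] = { "prog", "--opt", "id" };

const char *empty_unchecked(void) { return command_unchecked(0, build_stack(0, sample_args, sample_env)); }
const char *empty_checked(void)   { return command_checked(0, build_stack(0, sample_args, sample_env)); }
const char *normal_checked(void)  { return command_checked(3, build_stack(3, sample_args, sample_env)); }

int main(void) {
    printf("argc=0 unguarded -> %s\n", empty_unchecked());
    printf("argc=0 guarded   -> %s\n", empty_checked() ? empty_checked() : "(rejected)");
    printf("argc=3 guarded   -> %s\n", normal_checked());
    return 0;
}
```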
Created polkit tracking bugs for this issue: Affects: fedora-all [bug 2045563]
Upstream commit for this issue: https://gitlab.freedesktop.org/polkit/polkit/-/commit/a2bf5c9c83b6ae46cbd5c779d3055bff81ded683
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.2 Extended Update Support Via RHSA-2022:0265 https://access.redhat.com/errata/RHSA-2022:0265
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions Via RHSA-2022:0268 https://access.redhat.com/errata/RHSA-2022:0268
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.4 Extended Update Support Via RHSA-2022:0266 https://access.redhat.com/errata/RHSA-2022:0266
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2022:0267 https://access.redhat.com/errata/RHSA-2022:0267
This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Extended Lifecycle Support Via RHSA-2022:0269 https://access.redhat.com/errata/RHSA-2022:0269
This issue has been addressed in the following products: Red Hat Enterprise Linux 7.3 Advanced Update Support Via RHSA-2022:0270 https://access.redhat.com/errata/RHSA-2022:0270
This issue has been addressed in the following products: Red Hat Enterprise Linux 7.4 Advanced Update Support Via RHSA-2022:0272 https://access.redhat.com/errata/RHSA-2022:0272
This issue has been addressed in the following products: Red Hat Enterprise Linux 7.6 Advanced Update Support Red Hat Enterprise Linux 7.6 Update Services for SAP Solutions Red Hat Enterprise Linux 7.6 Telco Extended Update Support Via RHSA-2022:0271 https://access.redhat.com/errata/RHSA-2022:0271
This issue has been addressed in the following products: Red Hat Enterprise Linux 7.7 Advanced Update Support Red Hat Enterprise Linux 7.7 Update Services for SAP Solutions Red Hat Enterprise Linux 7.7 Telco Extended Update Support Via RHSA-2022:0273 https://access.redhat.com/errata/RHSA-2022:0273
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2022:0274 https://access.redhat.com/errata/RHSA-2022:0274
Qualys advisory: https://www.qualys.com/2022/01/25/cve-2021-4034/pwnkit.txt
Created oVirt tracking bug for this issue: Affects: oVirt Node 4.4 [ bug 2046038 ]
This issue has been addressed in the following products: Red Hat Virtualization 4 for Red Hat Enterprise Linux 7 Via RHSA-2022:0443 https://access.redhat.com/errata/RHSA-2022:0443
This issue has been addressed in the following products: Red Hat Virtualization 4 for Red Hat Enterprise Linux 8 Via RHSA-2022:0540 https://access.redhat.com/errata/RHSA-2022:0540
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2021-4034
@907949961
For C#59: The impact on Services is Low, since to use polkit, the user should use a graphical interface or a CLI to authenticate to get a service with polkit acting as the authentication agent. In OSD, the graphical usage is not relevant; in CLI usage, the user will use the OC command to authenticate to the OSD cluster. Also, OSD does not make any special use of polkit in production clusters. In OSD, on one of the test OSD cluster's masters, timedatex has a dependency on polkit. Therefore, for OSD/ARO, the impact is Low. Your OSD clusters are in the production group and therefore do not make any special use of polkit. If you have any additional questions, please let me know.