Bug 1974363 (CVE-2010-2496) - CVE-2010-2496 cluster-glue: passes the stonith parameters via the commandline which could result in password leaks
Keywords:
Status: CLOSED WONTFIX
Alias: CVE-2010-2496
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 1974371
Reported: 2021-06-21 13:22 UTC by Michael Kaplan
Modified: 2021-06-22 15:37 UTC

Fixed In Version: cluster-glue 1.0.6
Doc Text:
A flaw was found in cluster-glue, where the stonith-ng function in cluster-glue passed passwords as command line parameters. This flaw allows local attackers to gain access to passwords of the HA stack and potentially influence its operations. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.
Clone Of:
Environment:
Last Closed: 2021-06-21 15:04:49 UTC
Embargoed:



Description Michael Kaplan 2021-06-21 13:22:13 UTC
stonith-ng in pacemaker and cluster-glue passed passwords as commandline parameters, making it possible for local attackers to gain access to passwords of the HA stack and potentially influence its operations. This is fixed in cluster-glue 1.0.6 and newer, and pacemaker 1.1.3 and newer.

References:

https://bugzilla.suse.com/show_bug.cgi?id=620781
https://github.com/ClusterLabs/cluster-glue/commit/3d7b464439ee0271da76e0ee9480f3dc14005879
https://github.com/ClusterLabs/pacemaker/commit/7901f43c5800374d41ae2287fe122692fe045664
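Added example, not part of the original report and not code from cluster-glue or pacemaker: a host audit that flags running processes whose command line carries a secret-looking parameter, which is the exposure described above, since on Linux other local users can normally read a process's arguments through /proc/<pid>/cmdline. The list of key names and the sample process table are constructed assumptions.

```python
import os
import re

# Secret-looking parameter names; this list is an assumption, extend it per agent.
SECRET_KEY = re.compile(r"(^|[_-])(pass(w(or)?d)?|secret|token)$", re.I)

def find_exposed_secrets(argv):
    """Return [(key, redacted_arg)] for secret-looking arguments in one argv."""
    hits = []
    for i, arg in enumerate(argv):
        key, sep, value = arg.lstrip("-").partition("=")
        if not SECRET_KEY.search(key):
            continue
        if sep and value:                      # key=value or --key=value
            hits.append((key, arg[:len(arg) - len(value)] + "<redacted>"))
        elif not sep and arg.startswith("-") and i + 1 < len(argv):
            hits.append((key, arg + " <redacted>"))   # --key value
    return hits

def read_proc_cmdlines(proc="/proc"):
    """Yield (pid, argv) for each process with a readable cmdline (Linux)."""
    for entry in filter(str.isdigit, os.listdir(proc)):
        try:
            with open(os.path.join(proc, entry, "cmdline"), "rb") as fh:
                raw = fh.read()
        except OSError:        # process exited, or access denied (e.g. hidepid)
            continue
        argv = [a.decode("utf-8", "replace") for a in raw.split(b"\0") if a]
        if argv:               # kernel threads have an empty cmdline
            yield int(entry), argv

def audit(processes):
    """Map pid -> {'exe', 'hits'} for processes exposing secrets in argv."""
    report = {}
    for pid, argv in processes:
        hits = find_exposed_secrets(argv)
        if hits:
            report[pid] = {"exe": argv[0], "hits": hits}
    return report

SAMPLE = [  # constructed sample process table (hypothetical binaries and values)
    (4101, ["/usr/lib/example/fence-plugin", "ipaddr=192.0.2.10", "passwd=s3cret"]),
    (4102, ["/usr/sbin/example-daemon", "--config", "/etc/example.conf"]),
    (4103, ["/usr/bin/example-tool", "--password", "hunter2", "--host", "192.0.2.11"]),
]
if __name__ == "__main__":
    source = read_proc_cmdlines() if os.path.isdir("/proc") else SAMPLE
    for pid, info in audit(source).items():
        print(pid, info["exe"], [redacted for _, redacted in info["hits"]])
```

The report redacts the values it finds, so its output can be logged or attached to a ticket without repeating the leak.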

Comment 1 Product Security DevOps Team 2021-06-21 15:04:49 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2010-2496

