The LocalClient.cmd_batch() method does not accept external_auth credentials and so access to it from salt-api has been removed for now. This vulnerability allows code execution for already-authenticated users and is only in effect when running salt-api as the root user. References: https://docs.saltstack.com/en/2016.3/topics/releases/2015.8.13.html
Created salt tracking bugs for this issue: Affects: epel-all [bug 1418350]
Mitigation: Disable salt-api.
Statement: This issue did not affect the versions of salt as shipped with Red Hat Ceph Storage 1.3, Red Hat Ceph Storage 2, and Red Hat Storage Console 2, as salt-api and salt-ssh are not shipped with these products.
Upstream Fixes: https://github.com/saltstack/salt/pull/38743 https://github.com/saltstack/salt/pull/38759