1895451 – (CVE-2020-17490) CVE-2020-17490 salt: creates certificates with weak file permissions

Bug 1895451 (CVE-2020-17490) - CVE-2020-17490 salt: creates certificates with weak file permissions

Summary: CVE-2020-17490 salt: creates certificates with weak file permissions

Keywords:
Status:	CLOSED WONTFIX
Alias:	CVE-2020-17490
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	1895452
Blocks:	1895456
TreeView+	depends on / blocked

Reported:	2020-11-06 17:24 UTC by Guilherme de Almeida Suckevicz
Modified:	2021-06-15 15:20 UTC (History)
CC List:	6 users (show)
Fixed In Version:	salt 3002.1, salt 3001.2, salt 3000.4, salt 2019.2.6
Doc Type:	If docs needed, set a value
Doc Text:	A flaw was found in Salt. The TLS module within SaltStack Salt through 3002 creates certificates with weak file permissions. The highest threat from this vulnerability is to confidentiality.
Clone Of:
Environment:
Last Closed:	2020-11-06 17:38:21 UTC
Embargoed:

Attachments	(Terms of Use)

Description Guilherme de Almeida Suckevicz 2020-11-06 17:24:53 UTC

The TLS module within SaltStack Salt through 3002 creates certificates with weak file permissions.

Reference:
https://www.saltstack.com/blog/on-november-3-2020-saltstack-publicly-disclosed-three-new-cves/

Comment 1 Guilherme de Almeida Suckevicz 2020-11-06 17:25:12 UTC

Created salt tracking bugs for this issue:

Affects: fedora-all [bug 1895452]

Comment 2 Bryce Larson 2020-11-06 17:38:21 UTC

This was already fixed in salt 3001.3 and 3002.1 which have been released in fedora 31, 32, 33, and rawhide.

Comment 3 Hardik Vyas 2020-11-09 11:31:54 UTC

Statement:

Red Hat Ceph Storage 2 shipped salt for the usage of Red Hat Storage Console 2(RHSCON-2), which required salt to administrate ceph nodes. RHSCON-2 has reached End Of Life, hence salt is no longer used and supported. Therefore, the salt package provided by Red Hat Ceph Storage 2 has been marked as 'will not fix'.

Comment 5 Przemyslaw Roguski 2020-11-09 11:41:50 UTC

Upstream fix commit:
https://github.com/saltstack/salt/commit/86e18b91ae006de381f71b972f1daab9239bad3c

Comment 7 Hardik Vyas 2020-11-09 11:55:36 UTC

External References:

https://www.saltstack.com/blog/on-november-3-2020-saltstack-publicly-disclosed-three-new-cves/
https://docs.saltstack.com/en/latest/topics/releases/3002.1.html
https://docs.saltstack.com/en/latest/topics/releases/3001.2.html
https://docs.saltstack.com/en/latest/topics/releases/3000.4.html
https://docs.saltstack.com/en/latest/topics/releases/2019.2.6.html

Note You need to log in before you can comment on or make changes to this bug.