Salt Security Advisory Release 2022-06-21

22 views
Skip to first unread message

mwilhite

unread,
Jun 21, 2022, 12:12:03 PMJun 21
to Salt-users

Salt Security Advisory Release 

The Salt Project released a security update to Salt to address 1 vulnerability with severity rating High. If you are using PAM authentication from within Salt, we strongly recommend prioritizing this update. This is a security advisory release. This release includes fixes to the vulnerability and bug fixes from the previous CVE release. 

The following CVE was fixed as part of this release: 

CVE Details 

CVE-2022-22967 

Description: PAM auth fails to reject locked accounts. 

Impact: A previously authorized user whose account is locked may still run Salt commands when their account is locked. This affects both local shell accounts with an active session and salt-api users that authenticate via PAM eauth. 

Solution: PAM account status is now correctly checked, rejecting locked accounts. 

 

How to Mitigate 

  • Upgrade to 3002.9, 3003.5, or 3004.2. 

  • Alternatively, remove locked accounts rather than rely on Salt’s PAM eauth functionality. 

  • Or, change to a different eauth module. 

Attribution: https://github.com/ysf 

Severity Rating: 7.5 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H) 

Packages 

Updated packages for the versions below can be found at https://repo.saltproject.io for these supported versions of Salt. 

3004.2 

3003.5 

3002.9 


Reply all
Reply to author
Forward
0 new messages