Salt Security Advisory Release 2022-06-21


mwilhite

Jun 21, 2022, 12:12:03 PM
to Salt-users

Salt Security Advisory Release 

The Salt Project released a security update to Salt to address one vulnerability with a severity rating of High. If you are using PAM authentication from within Salt, we strongly recommend prioritizing this update. This is a security advisory release. It includes the fix for this vulnerability together with the bug fixes from the previous CVE release.

The following CVE was fixed as part of this release: 

CVE Details 

CVE-2022-22967 

Description: PAM auth fails to reject locked accounts. 

Impact: A previously authorized user may still run Salt commands after their account has been locked. This affects both local shell accounts with an active session and salt-api users that authenticate via PAM eauth.

Solution: PAM account status is now correctly checked, rejecting locked accounts. 
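The defect is in which PAM stages are consulted: pam_authenticate only verifies the credential, while locked, expired and otherwise disabled accounts are reported by the separate pam_acct_mgmt stage. The example below is added here and is not Salt's own code; it performs the same libpam call sequence through ctypes that a PAM eauth module needs, with the account-management check that the fix adds. The names verdict, pam_login and conv are this example's own, and running pam_login requires libpam on the host.

```python
from ctypes import (CDLL, CFUNCTYPE, POINTER, Structure, c_char_p, c_int,
                    c_size_t, c_void_p, cast, pointer, sizeof)
from ctypes.util import find_library

PAM_SUCCESS, PAM_PROMPT_ECHO_OFF = 0, 1  # Linux-PAM constants

class PamHandle(Structure):
    _fields_ = [("handle", c_void_p)]

class PamMessage(Structure):
    _fields_ = [("msg_style", c_int), ("msg", c_char_p)]

class PamResponse(Structure):
    _fields_ = [("resp", c_char_p), ("resp_retcode", c_int)]

CONV_FUNC = CFUNCTYPE(c_int, c_int, POINTER(POINTER(PamMessage)),
                      POINTER(POINTER(PamResponse)), c_void_p)

class PamConv(Structure):
    _fields_ = [("conv", CONV_FUNC), ("appdata_ptr", c_void_p)]

def verdict(auth_rc, acct_rc):
    """The fix in one condition: accept only if BOTH pam_authenticate and
    pam_acct_mgmt returned PAM_SUCCESS. Deciding on auth_rc alone lets a
    correct password on a locked or expired account through."""
    return auth_rc == PAM_SUCCESS and acct_rc == PAM_SUCCESS

def pam_login(username, password, service="login"):
    """Full libpam exchange (hypothetical helper; needs libpam on the host)."""
    pam_path = find_library("pam")
    if pam_path is None:
        raise OSError("libpam not found")
    libpam, libc = CDLL(pam_path), CDLL(find_library("c"))
    libc.calloc.restype, libc.calloc.argtypes = c_void_p, [c_size_t, c_size_t]
    libc.strdup.restype, libc.strdup.argtypes = c_void_p, [c_char_p]
    libpam.pam_start.argtypes = [c_char_p, c_char_p, POINTER(PamConv), POINTER(PamHandle)]
    for fn in (libpam.pam_authenticate, libpam.pam_acct_mgmt, libpam.pam_end):
        fn.argtypes = [PamHandle, c_int]

    @CONV_FUNC
    def conv(n_msgs, msgs, resp_out, _appdata):
        # libpam frees these buffers, so allocate them with libc, not Python.
        resp_out[0] = cast(libc.calloc(n_msgs, sizeof(PamResponse)), POINTER(PamResponse))
        for i in range(n_msgs):
            if msgs[i].contents.msg_style == PAM_PROMPT_ECHO_OFF:
                resp_out[0][i].resp = cast(libc.strdup(password.encode()), c_char_p)
        return PAM_SUCCESS

    handle, pam_conv = PamHandle(), PamConv(conv, None)
    if libpam.pam_start(service.encode(), username.encode(),
                        pointer(pam_conv), pointer(handle)) != PAM_SUCCESS:
        return False
    auth_rc = libpam.pam_authenticate(handle, 0)
    # Account status (locked, expired, time limits) is a separate PAM stage.
    acct_rc = libpam.pam_acct_mgmt(handle, 0) if auth_rc == PAM_SUCCESS else auth_rc
    libpam.pam_end(handle, 0)
    return verdict(auth_rc, acct_rc)
```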

 

How to Mitigate 

  • Upgrade to 3002.9, 3003.5, or 3004.2. 

  • Alternatively, remove locked accounts rather than relying on Salt’s PAM eauth functionality.

  • Or, change to a different eauth module. 

Attribution: https://github.com/ysf 

Severity Rating: 7.5 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H) 

Packages 

Updated packages for the versions below can be found at https://repo.saltproject.io for these supported versions of Salt. 

3004.2 

3003.5 

3002.9 

