[Debian-ha-maintainers] Bug#1078970: fence-agents: CVE-2024-5651

Salvatore Bonaccorso carnil at debian.org
Sun Aug 18 13:19:09 BST 2024


Source: fence-agents
Version: 4.15.0-1
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: carnil at debian.org, Debian Security Team <team at security.debian.org>

Hi,

The following vulnerability was published for fence-agents.

CVE-2024-5651[0]:
| A flaw was found in fence agents that rely on SSH/Telnet. This
| vulnerability can allow a Remote Code Execution (RCE) primitive by
| supplying an arbitrary command to execute in the --ssh-
| path/--telnet-path arguments. A low-privilege user, for example, a
| user with developer access, can create a specially crafted
| FenceAgentsRemediation for a fence agent supporting  --ssh-
| path/--telnet-path arguments to execute arbitrary commands on the
| operator's pod. This RCE leads to a privilege escalation, first as
| the service account running the operator, then to another service
| account with cluster-admin privileges.

Unfortunately, at time of writing this bugreport, the only reference I
have found for this CVE is the one linked in the CVE entry is [1].

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-5651
    https://www.cve.org/CVERecord?id=CVE-2024-5651
[1] https://bugzilla.redhat.com/show_bug.cgi?id=2290540

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore


More information about the Debian-ha-maintainers mailing list