[Debian-ha-maintainers] Bug#1078970: fence-agents: CVE-2024-5651
Michael Prokop
mika at debian.org
Fri Sep 13 15:01:48 BST 2024
* Salvatore Bonaccorso [Sun Aug 18, 2024 at 02:19:09PM +0200]:
> The following vulnerability was published for fence-agents.
>
> CVE-2024-5651[0]:
> | A flaw was found in fence agents that rely on SSH/Telnet. This
> | vulnerability can allow a Remote Code Execution (RCE) primitive by
> | supplying an arbitrary command to execute in the --ssh-
> | path/--telnet-path arguments. A low-privilege user, for example, a
> | user with developer access, can create a specially crafted
> | FenceAgentsRemediation for a fence agent supporting --ssh-
> | path/--telnet-path arguments to execute arbitrary commands on the
> | operator's pod. This RCE leads to a privilege escalation, first as
> | the service account running the operator, then to another service
> | account with cluster-admin privileges.
>
> Unfortunately, at time of writing this bugreport, the only reference I
> have found for this CVE is the one linked in the CVE entry is [1].
>
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2024-5651
> https://www.cve.org/CVERecord?id=CVE-2024-5651
> [1] https://bugzilla.redhat.com/show_bug.cgi?id=2290540
>
> Please adjust the affected versions in the BTS as needed.
Quoting Marc Deslauriers from https://ubuntu.com/security/CVE-2024-5651:
| I don't believe this affects the fence-agents package in Ubuntu
| as the Red Hat advisory states "This vulnerability is specific
| to the Fence Agents Remediation operator and does not affect
| fence-agents itself." and the string "FenceAgentsRemediation"
| isn't in the fence-agents package. Marking as deferred for now.
Also upstream doesn't seem to have anything about it at
https://github.com/ClusterLabs/fence-agents, so feels really like
being a RedHat specific issue and we should downgrade the severity
of this RC bug, which currently prevents fence-agents being
available in trixie?
regards
-mika-
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/debian-ha-maintainers/attachments/20240913/17d40c5f/attachment.sig>
More information about the Debian-ha-maintainers
mailing list