[Debian-ha-maintainers] Bug#1078970: fence-agents: CVE-2024-5651
wferi at debian.org
wferi at debian.org
Fri Sep 13 15:35:12 BST 2024
At 2024-08-18 21:19 Salvatore Bonaccorso wrote:
> The following vulnerability was published for fence-agents.
>
> CVE-2024-5651[0]:
> | A flaw was found in fence agents that rely on SSH/Telnet. This
> | vulnerability can allow a Remote Code Execution (RCE) primitive by
> | supplying an arbitrary command to execute in the --ssh-
> | path/--telnet-path arguments. A low-privilege user, for example, a
> | user with developer access, can create a specially crafted
> | FenceAgentsRemediation for a fence agent supporting --ssh-
> | path/--telnet-path arguments to execute arbitrary commands on the
> | operator's pod. This RCE leads to a privilege escalation, first as
> | the service account running the operator, then to another service
> | account with cluster-admin privileges.
>
> Unfortunately, at time of writing this bugreport, the only reference I
> have found for this CVE is the one linked in the CVE entry is [1].
> [1] https://bugzilla.redhat.com/show_bug.cgi?id=2290540
That Bugzilla entry references
https://access.redhat.com/errata/RHSA-2024:5453, which further
references
https://access.redhat.com/security/cve/CVE-2024-5651, which states:
"This vulnerability is specific to the Fence Agents Remediation operator
and does not affect fence-agents itself."
So I don't think this issue affects Debian.
--
Regards,
Feri.
More information about the Debian-ha-maintainers
mailing list