[Debian-ha-maintainers] Bug#1078970: fence-agents: CVE-2024-5651

Salvatore Bonaccorso carnil at debian.org
Fri Sep 13 19:36:30 BST 2024


On Fri, Sep 13, 2024 at 11:35:12PM +0900, wferi at debian.org wrote:
> At 2024-08-18 21:19 Salvatore Bonaccorso wrote:
> 
> > The following vulnerability was published for fence-agents.
> > 
> > CVE-2024-5651[0]:
> > | A flaw was found in fence agents that rely on SSH/Telnet. This
> > | vulnerability can allow a Remote Code Execution (RCE) primitive by
> > | supplying an arbitrary command to execute in the --ssh-
> > | path/--telnet-path arguments. A low-privilege user, for example, a
> > | user with developer access, can create a specially crafted
> > | FenceAgentsRemediation for a fence agent supporting  --ssh-
> > | path/--telnet-path arguments to execute arbitrary commands on the
> > | operator's pod. This RCE leads to a privilege escalation, first as
> > | the service account running the operator, then to another service
> > | account with cluster-admin privileges.
> > 
> > Unfortunately, at time of writing this bugreport, the only reference I
> > have found for this CVE is the one linked in the CVE entry is [1].
> > [1] https://bugzilla.redhat.com/show_bug.cgi?id=2290540
> 
> That Bugzilla entry references
> https://access.redhat.com/errata/RHSA-2024:5453, which further references
> https://access.redhat.com/security/cve/CVE-2024-5651, which states:
> "This vulnerability is specific to the Fence Agents Remediation operator
> and does not affect fence-agents itself."
> So I don't think this issue affects Debian.

Thank you both for the analysis. I do not remember if that was written
same when I filled the but, thus as well the explicit wording, but I
think then we can go ahead and close this bug.

Regards,
Salvatore



More information about the Debian-ha-maintainers mailing list