[Pkg-salt-team] Bug#1008945: salt: CVE-2022-22934 CVE-2022-22935 CVE-2022-22936 CVE-2022-22941
Salvatore Bonaccorso
carnil at debian.org
Mon Apr 4 20:41:34 BST 2022
Source: salt
Version: 3004+dfsg1-10
Severity: grave
Tags: security upstream
X-Debbugs-Cc: carnil at debian.org, Debian Security Team <team at security.debian.org>
Hi,
The following vulnerabilities were published for salt.
CVE-2022-22934[0]:
| An issue was discovered in SaltStack Salt in versions before 3002.8,
| 3003.4, 3004.1. Salt Masters do not sign pillar data with the
| minion’s public key, which can result in attackers
| substituting arbitrary pillar data.
CVE-2022-22935[1]:
| An issue was discovered in SaltStack Salt in versions before 3002.8,
| 3003.4, 3004.1. A minion authentication denial of service can cause a
| MiTM attacker to force a minion process to stop by impersonating a
| master.
CVE-2022-22936[2]:
| An issue was discovered in SaltStack Salt in versions before 3002.8,
| 3003.4, 3004.1. Job publishes and file server replies are susceptible
| to replay attacks, which can result in an attacker replaying job
| publishes, causing minions to run old jobs. File server replies can
| also be replayed. A sufficiently crafty attacker could gain root access
| on a minion under certain scenarios.
CVE-2022-22941[3]:
| An issue was discovered in SaltStack Salt in versions before 3002.8,
| 3003.4, 3004.1. When configured as a Master-of-Masters, with a
| publisher_acl, if a user configured in the publisher_acl targets any
| minion connected to the Syndic, the Salt Master incorrectly
| interpreted no valid targets as valid, allowing configured users to
| target any of the minions connected to the syndic with their
| configured commands. This requires a syndic master combined with
| publisher_acl configured on the Master-of-Masters, allowing users
| specified in the publisher_acl to bypass permissions, publishing
| authorized commands to any configured minion.
See [4] for the announce.
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2022-22934
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22934
[1] https://security-tracker.debian.org/tracker/CVE-2022-22935
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22935
[2] https://security-tracker.debian.org/tracker/CVE-2022-22936
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22936
[3] https://security-tracker.debian.org/tracker/CVE-2022-22941
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22941
[4] https://saltproject.io/security_announcements/salt-security-advisory-release/
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
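The check a packager or operator wants after reading the advisory above is whether an installed Salt predates the fixed release for its branch. The script below is an added example, not part of this bug report and not Salt's or Debian's own tooling. The only facts it takes from the page are the fixed releases 3002.8, 3003.4 and 3004.1 and the four CVE identifiers; the function names, the treatment of branches older than 3002 as affected (the advisory lists no fix for them) and of branches newer than 3004 as fixed, and the sample version strings are all assumptions made here. It compares the upstream version only, so a distribution package such as the Debian version from this bug that backports the fix without bumping the upstream number must still be checked against the distribution's own tracker.

```python
"""Affected-version check for the Salt advisory in this bug report.

Added example, not part of the bug report or of Salt's own code.  The fixed
releases (3002.8, 3003.4, 3004.1) come from the CVE descriptions above;
everything else is an assumption made here:
  * branches older than 3002 are treated as affected, since the advisory
    lists no fixed release for them;
  * branches newer than 3004 are treated as carrying the fix;
  * only the upstream version is compared, so a distribution package that
    backports the fix without bumping the upstream version must be checked
    against the distribution's own security tracker instead.
"""
import re

# Oldest fixed release on each upstream branch, per the CVE text.
FIXED_RELEASES = {3002: (3002, 8), 3003: (3003, 4), 3004: (3004, 1)}

# CVE identifiers covered by the advisory (from the bug report).
CVES = ("CVE-2022-22934", "CVE-2022-22935", "CVE-2022-22936", "CVE-2022-22941")

# Matches a Salt-style version: a four-digit release number with an optional
# dotted point release, not preceded by other version digits or a dot and
# not followed by a digit.
_VERSION_RE = re.compile(r"(?<![\d.])(\d{4})(?:\.(\d+))?(?!\d)")


def parse_salt_version(text):
    """Return (release, point) parsed from a version string.

    Accepts an upstream version ('3004', '3003.3'), a Debian package version
    ('3004+dfsg1-10', whose upstream part is 3004) or the output of
    'salt-call --version' ('salt-call 3004.1').  A missing point release
    counts as .0.
    """
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no Salt version found in {text!r}")
    return int(m.group(1)), int(m.group(2) or 0)


def fixed_release_for(text):
    """Return the first fixed release on this version's branch as a string,
    or None when the advisory lists no fix for that branch."""
    release, _ = parse_salt_version(text)
    fixed = FIXED_RELEASES.get(release)
    return f"{fixed[0]}.{fixed[1]}" if fixed else None


def is_affected(text):
    """True when the upstream version predates the fix for its branch."""
    release, point = parse_salt_version(text)
    if release in FIXED_RELEASES:
        return (release, point) < FIXED_RELEASES[release]
    # Assumption: branches older than any listed fix received none and are
    # affected; branches newer than 3004 already include the fix.
    return release < min(FIXED_RELEASES)


if __name__ == "__main__":
    # Constructed sample inputs; the first is the version from this bug.
    for sample in ("3004+dfsg1-10", "3003.3", "3003.4", "salt-call 3002.8",
                   "3001.8", "3005"):
        if is_affected(sample):
            target = fixed_release_for(sample) or "a supported, fixed branch"
            print(f"{sample}: affected by {', '.join(CVES)}; upgrade to {target}")
        else:
            print(f"{sample}: not affected (upstream version)")
```

Run it as a script to see the classification of the constructed samples, or import `is_affected` and feed it the output of `salt-call --version` on a host. A version on a branch with no listed fix (for example 3001.x) comes back as affected with no same-branch target, which is the advisory's own position: those branches need an upgrade to a fixed release rather than a point update.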