Thursday 05 November 2020
The impact of the issue in this announcement is critical. Please act accordingly to rectify it, as stated below.
What you need to know:
SaltStack (VMware) has disclosed three critical vulnerabilities in Salt that require a security update.
- One vulnerability affects any user running the Salt API.
- One vulnerability affects any Minion or Master that has previously used the create_ca, create_csr, or create_self_signed_cert functions in the tls module.
- One vulnerability affects users running the Salt API: salt-netapi improperly validates eauth credentials and tokens.
What is the impact of not taking this action?
An attacker could perform shell injection through the Salt API using the SSH client.
The create_ca, create_csr, and create_self_signed_cert functions in the tls execution module did not ensure that the private key was created with the correct permissions.
When using the SSH client, an unauthenticated user can run commands against targets defined in a Salt-SSH roster.
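As an added check (example code written for this note, not SaltStack's own tooling): the tls module functions named above did not set restrictive permissions on the keys they generated, so keys created before the update may still be exposed on disk even after Salt is patched. The script below walks a PKI directory, reports every PEM private key that is readable or writable by group or others, and optionally tightens it to owner-only access. The default base path /etc/pki is an assumption about the tls module's ca.cert_base_path default; pass the real directory as an argument. The sample tree it builds is constructed for demonstration and contains no real key material.

```python
import os
import stat
import tempfile
from pathlib import Path

# Assumption: the tls module writes under its ca.cert_base_path option,
# taken here to default to /etc/pki. Pass the real directory as argv[1].
DEFAULT_CA_BASE_PATH = "/etc/pki"

# Any group or "other" permission bit on a private key is a finding.
UNSAFE_BITS = stat.S_IRWXG | stat.S_IRWXO


def is_private_key(path: Path) -> bool:
    """Identify PEM private keys by their header, regardless of file name."""
    try:
        with path.open("rb") as fh:
            head = fh.read(64)
    except OSError:
        return False
    return head.startswith(b"-----BEGIN") and b"PRIVATE KEY-----" in head


def find_exposed_keys(base_dir):
    """Return sorted [(path relative to base_dir, octal mode)] for every
    private key under base_dir that group or others can read or write."""
    base = Path(base_dir)
    findings = []
    for root, _dirs, files in os.walk(base):
        for name in files:
            path = Path(root) / name
            # Skip symlinks: their mode describes the link, not the key.
            if path.is_symlink() or not is_private_key(path):
                continue
            mode = stat.S_IMODE(path.stat().st_mode)
            if mode & UNSAFE_BITS:
                findings.append((str(path.relative_to(base)), oct(mode)))
    return sorted(findings)


def fix_exposed_keys(base_dir):
    """Tighten every exposed key to 0600 (owner read/write); return the paths fixed."""
    base = Path(base_dir)
    fixed = []
    for rel, _mode in find_exposed_keys(base):
        os.chmod(base / rel, 0o600)
        fixed.append(rel)
    return fixed


def build_sample_pki():
    """Constructed sample tree (placeholder PEM bodies, not real keys): one
    world-readable key, one correctly protected key, and a certificate that
    must not be reported. Returns the temporary directory path."""
    base = Path(tempfile.mkdtemp(prefix="salt-tls-check-"))
    (base / "issued_certs").mkdir()
    samples = {
        "ca.key": (b"-----BEGIN RSA PRIVATE KEY-----\nMIIE...\n-----END RSA PRIVATE KEY-----\n", 0o644),
        "issued_certs/server.key": (b"-----BEGIN PRIVATE KEY-----\nMIIE...\n-----END PRIVATE KEY-----\n", 0o600),
        "ca.crt": (b"-----BEGIN CERTIFICATE-----\nMIID...\n-----END CERTIFICATE-----\n", 0o644),
    }
    for rel, (content, mode) in samples.items():
        target = base / rel
        target.write_bytes(content)
        os.chmod(target, mode)  # explicit chmod so the process umask does not interfere
    return str(base)


if __name__ == "__main__":
    import sys
    positional = [a for a in sys.argv[1:] if a != "--fix"]
    target = positional[0] if positional else DEFAULT_CA_BASE_PATH
    for rel, mode in find_exposed_keys(target):
        print(f"exposed private key: {rel} (mode {mode})")
    if "--fix" in sys.argv:
        for rel in fix_exposed_keys(target):
            print(f"fixed: {rel} -> 0600")
```

Run it as python3 check_keys.py /etc/pki to list findings, or add --fix to correct them in place. Tightening permissions does not undo an earlier read by another local user, so keys that were found exposed should also be considered for rotation.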