Your message dated Fri, 13 Sep 2024 21:10:51 +0200
with message-id <zusoo3sa-ejr9...@eldamar.lan>
and subject line Re: Bug#1078970: fence-agents: CVE-2024-5651
has caused the Debian Bug report #1078970,
regarding fence-agents: CVE-2024-5651
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1078970: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1078970
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: fence-agents
Version: 4.15.0-1
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Hi,
The following vulnerability was published for fence-agents.
CVE-2024-5651[0]:
| A flaw was found in fence agents that rely on SSH/Telnet. This
| vulnerability can allow a Remote Code Execution (RCE) primitive by
| supplying an arbitrary command to execute in the --ssh-
| path/--telnet-path arguments. A low-privilege user, for example, a
| user with developer access, can create a specially crafted
| FenceAgentsRemediation for a fence agent supporting --ssh-
| path/--telnet-path arguments to execute arbitrary commands on the
| operator's pod. This RCE leads to a privilege escalation, first as
| the service account running the operator, then to another service
| account with cluster-admin privileges.
Unfortunately, at time of writing this bug report, the only reference I
have found for this CVE is the one linked in the CVE entry, [1].
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2024-5651
https://www.cve.org/CVERecord?id=CVE-2024-5651
[1] https://bugzilla.redhat.com/show_bug.cgi?id=2290540
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
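The advisory quoted above describes the risk of a user-controlled value reaching an `--ssh-path`/`--telnet-path` style argument and being run as a command. The following is an added example, not code from fence-agents, the Fence Agents Remediation operator, or the reporter: it shows the defensive pattern of treating such a value strictly as a path (absolute, no shell metacharacters, exact member of an allow-list) and then building an argv list that is passed to `subprocess` without a shell. The allow-list contents, the `is_safe_tool_path`/`build_command` names and the host/user parameters are assumptions made for this example.

```python
"""Added example (hypothetical, not project code): validate a user-supplied
tool path such as --ssh-path before it is used to invoke anything."""
import re
import subprocess

# Constructed allow-list: the only binaries an operator should ever launch
# for "ssh path" / "telnet path" settings. Exact-match, so "/usr/bin/../bin/ssh"
# or a path under /tmp is rejected even if it exists on disk.
ALLOWED_TOOL_PATHS = frozenset({"/usr/bin/ssh", "/usr/bin/telnet"})

# Absolute path, restricted character set: no spaces, quotes, ';', '|', '$', etc.
_SAFE_PATH = re.compile(r"^/[A-Za-z0-9._/-]+$")


class UnsafePathError(ValueError):
    """Raised when a supplied tool path fails validation."""


def validate_tool_path(value, allowed=ALLOWED_TOOL_PATHS):
    """Return `value` unchanged if it is an allow-listed absolute path,
    otherwise raise UnsafePathError."""
    if not isinstance(value, str) or not value:
        raise UnsafePathError("tool path must be a non-empty string")
    if not _SAFE_PATH.match(value):
        raise UnsafePathError(f"rejected characters in tool path {value!r}")
    if value not in allowed:
        raise UnsafePathError(f"tool path {value!r} is not in the allow-list")
    return value


def is_safe_tool_path(value, allowed=ALLOWED_TOOL_PATHS):
    """Boolean convenience wrapper around validate_tool_path()."""
    try:
        validate_tool_path(value, allowed)
        return True
    except UnsafePathError:
        return False


def build_command(tool_path, host, user):
    """Build an argv list for the validated tool. The path is argv[0] and is
    never interpolated into a shell string, so a value like
    '/usr/bin/ssh; id' cannot turn into two commands: it is rejected
    by validate_tool_path() before we get here."""
    path = validate_tool_path(tool_path)
    return [path, "-l", user, host]


def run_tool(tool_path, host, user):
    """Invoke the validated tool without a shell (shell=False is the default
    for subprocess.run when given a list)."""
    return subprocess.run(build_command(tool_path, host, user), check=False)


if __name__ == "__main__":
    # Constructed inputs illustrating what gets through and what does not.
    for candidate in ["/usr/bin/ssh",
                      "/usr/bin/ssh -o ProxyCommand=touch /tmp/x",
                      "/tmp/fake-ssh",
                      "/usr/bin/../bin/ssh"]:
        print(f"{candidate!r}: {'accepted' if is_safe_tool_path(candidate) else 'rejected'}")
```

The important design choices are the exact-match allow-list (normalisation tricks and look-alike binaries elsewhere on the filesystem fail the membership test) and passing an argv list rather than a string, so the value is never parsed by a shell even if validation were loosened later.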
--- Begin Message ---
Hi,
On Fri, Sep 13, 2024 at 08:36:30PM +0200, Salvatore Bonaccorso wrote:
> On Fri, Sep 13, 2024 at 11:35:12PM +0900, wf...@debian.org wrote:
> > At 2024-08-18 21:19 Salvatore Bonaccorso wrote:
> >
> > > The following vulnerability was published for fence-agents.
> > >
> > > CVE-2024-5651[0]:
> > > | A flaw was found in fence agents that rely on SSH/Telnet. This
> > > | vulnerability can allow a Remote Code Execution (RCE) primitive by
> > > | supplying an arbitrary command to execute in the --ssh-
> > > | path/--telnet-path arguments. A low-privilege user, for example, a
> > > | user with developer access, can create a specially crafted
> > > | FenceAgentsRemediation for a fence agent supporting --ssh-
> > > | path/--telnet-path arguments to execute arbitrary commands on the
> > > | operator's pod. This RCE leads to a privilege escalation, first as
> > > | the service account running the operator, then to another service
> > > | account with cluster-admin privileges.
> > >
> > > Unfortunately, at time of writing this bug report, the only reference I
> > > have found for this CVE is the one linked in the CVE entry, [1].
> > > [1] https://bugzilla.redhat.com/show_bug.cgi?id=2290540
> >
> > That Bugzilla entry references
> > https://access.redhat.com/errata/RHSA-2024:5453, which further references
> > https://access.redhat.com/security/cve/CVE-2024-5651, which states:
> > "This vulnerability is specific to the Fence Agents Remediation operator
> > and does not affect fence-agents itself."
> > So I don't think this issue affects Debian.
>
> Thank you both for the analysis. I do not remember if that was written
> the same when I filed the bug, thus as well the explicit wording, but I
> think then we can go ahead and close this bug.
Indeed, it looks like the note that it is Fence Agents Remediation operator
specific came in later to the party.
Let's close the bug.
Regards,
Salvatore
--- End Message ---