Salt security advisory release - 2022-JUNE-21

The Salt Project released a security update to Salt to address one vulnerability with a severity rating of High. If you are using PAM authentication from within Salt, we strongly recommend prioritizing this update. This is a security advisory release. It includes the fix for this vulnerability together with the bug fixes from the previous CVE release.

The following CVE was fixed as part of this release:

CVE Details

CVE-2022-22967

  • Description: PAM auth fails to reject locked accounts.
  • Impact: A previously authorized user whose account has since been locked may still run Salt commands. This affects both local shell accounts with an active session and salt-api users that authenticate via PAM eauth.
  • Solution: PAM account status is now correctly checked, rejecting locked accounts.
  • Attribution: https://github.com/ysf
  • Severity Rating: 7.5 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)

How to Mitigate

  • Upgrade to 3002.9, 3003.5, or 3004.2.
  • Alternatively, remove locked accounts rather than rely on Salt’s PAM eauth functionality to reject them.
  • Or, change to a different eauth module.
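The second mitigation above depends on knowing which locally locked or expired accounts still hold PAM eauth grants on the master. The following audit script is an added example, not code from the Salt project: it parses shadow-style lines and an external_auth mapping (both constructed here, with placeholder hashes and made-up users) and lists every PAM eauth user whose local account is locked, expired, or missing. It assumes the usual Linux conventions (a hash prefixed with "!" after passwd -l or usermod -L, "*" for no usable password, and an expire field in days since the epoch); group grants, which Salt writes with a trailing "%", are skipped because membership is resolved elsewhere.

```python
"""Audit Salt PAM eauth grants against locked local accounts.

Added example (not Salt project code). The shadow lines and external_auth
mapping below are constructed for illustration; hashes are placeholders.
"""

# Constructed /etc/shadow-style sample. Field order:
# name:password:lastchg:min:max:warn:inactive:expire:reserved
SAMPLE_SHADOW = """\
alice:$6$saltsalt$FAKEHASHFAKEHASH:19000:0:99999:7:::
bob:!$6$saltsalt$FAKEHASHFAKEHASH:19000:0:99999:7:::
carol:$6$saltsalt$FAKEHASHFAKEHASH:19000:0:99999:7::18500:
dave:*:19000:0:99999:7:::
erin:$6$saltsalt$FAKEHASHFAKEHASH:19000:0:99999:7:::
"""

# Constructed external_auth block in the shape Salt loads from the master
# config. Names ending in '%' are group grants in Salt's external_auth syntax.
SAMPLE_EXTERNAL_AUTH = {
    "pam": {
        "alice": [".*"],
        "bob": [".*"],
        "carol": ["test.ping"],
        "frank": ["grains.items"],
        "ops%": ["grains.items"],
    }
}


def parse_shadow(text):
    """Return {username: {'password': str, 'expire': int or None}}."""
    records = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 9:
            continue  # malformed line; skip rather than guess
        name, password, expire = fields[0], fields[1], fields[7]
        records[name] = {
            "password": password,
            "expire": int(expire) if expire.strip() else None,
        }
    return records


def lock_reason(record, today_days):
    """Return why the account cannot log in, or None if it is active.

    Assumed conventions: passwd -l / usermod -L prefix the hash with '!'
    ('!!' on some distributions means the password was never set); '*' means
    no usable password; 'expire' is days since the epoch and the account is
    expired once that day has been reached.
    """
    password = record["password"]
    if password.startswith("!"):
        return "password locked"
    if password == "*":
        return "no usable password"
    expire = record["expire"]
    if expire is not None and expire <= today_days:
        return "account expired (day %d)" % expire
    return None


def audit_pam_eauth(shadow_text, external_auth, today_days):
    """List (user, reason) for PAM eauth grants on locked, expired or missing accounts."""
    findings = []
    shadow = parse_shadow(shadow_text)
    for user in sorted(external_auth.get("pam", {})):
        if user.endswith("%"):
            continue  # group grant; membership is not visible in shadow
        record = shadow.get(user)
        if record is None:
            findings.append((user, "no local account in shadow"))
            continue
        reason = lock_reason(record, today_days)
        if reason:
            findings.append((user, reason))
    return findings


if __name__ == "__main__":
    import datetime

    today = (datetime.date.today() - datetime.date(1970, 1, 1)).days
    for user, reason in audit_pam_eauth(SAMPLE_SHADOW, SAMPLE_EXTERNAL_AUTH, today):
        print("%-10s %s" % (user, reason))
```

Against the constructed data the script reports bob (locked password), carol (expired) and frank (grant with no local account); those are the entries to remove from external_auth, or the accounts to delete, on a master that cannot be upgraded immediately. On a real master, read /etc/shadow as root and load the external_auth section from the master config instead of the inline samples.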

Packages

  • Updated packages for the following supported versions of Salt can be found at https://repo.saltproject.io:
    • 3004.2
    • 3003.5
    • 3002.9