Salt security advisory release - 2022-JUNE-21
The Salt Project released a security update to Salt to address 1 vulnerability with severity rating High. If you are using PAM authentication from within Salt, we strongly recommend prioritizing this update. This is a security advisory release. This release includes fixes to the vulnerability and bug fixes from the previous CVE release.
The following CVE was fixed as part of this release:
- Description: PAM auth fails to reject locked accounts.
- Impact: A previously authorized user whose account is locked may still run Salt commands when their account is locked. This affects both local shell accounts with an active session and salt-api users that authenticate via PAM eauth.
- Solution: PAM account status is now correctly checked, rejecting locked accounts.
How to Mitigate
- Upgrade to 3002.9, 3003.5, or 3004.2.
- Alternatively, remove locked accounts rather than rely on Salt’s PAM eauth functionality.
- Or, change to a different eauth module.
- Attribution: https://github.com/ysf
- Severity Rating: 7.5 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)
- Updated packages for the following versions can be found at https://repo.saltproject.io for these supported versions of Salt.