Salt security advisory release - 2023-AUG-10

The Salt Project released a security update to Salt to address 2 vulnerabilities with severity rating Medium. We recommend prioritizing this update. This is a security advisory release. This release includes fixes for the following vulnerabilities:

CVE Details

CVE-2023-20897

  • Description: DoS in minion return.
  • Impact: After receiving several bad packets on the request server equal to the number of worker threads, the master will become unresponsive to return requests until restarted.
  • Solution: Properly handle errors in decoded messages in request server.
  • How to Mitigate:
    • Upgrade Salt masters to 3005.2 or 3006.2
    • Alternatively, firewall port 4506 against access from untrusted sources and security scanning software.
  • Attribution: https://github.com/dwoz
  • Severity Rating: 5.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

CVE-2023-20898

  • Description: Git Providers can read from the wrong environment because they get the same cache directory base name.
  • Impact: Anything that uses Git Providers with different environments can get garbage data or the wrong data, which can lead to wrongful data disclosure, wrongful executions, data corruption and/or crash.
  • Solution: Include the environment and other information in the hash that generates the cache directory base name, so that if the same repository is used with different environments, each environment gets its own cache directory. Also wrap the Git Providers lock with a multiprocessing lock to help mitigate locking race conditions.
  • How to Mitigate:
    • Upgrade masters to 3005.2 or 3006.2.
  • Attribution: https://www.suse.com
  • Severity Rating: 4.2 CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N
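The cache-directory collision behind CVE-2023-20898, and the fix approach of mixing the environment into the hash, as an added illustration that is not Salt's own code: the remote list, the SHA-1 derivation and the function names are assumptions, chosen only to show why a name derived from the repository URL alone lets two environments share one checkout.

```python
import hashlib
from typing import Callable, Dict, List, Optional

# Constructed sample: one repository mapped into two Salt environments,
# the situation the advisory describes for gitfs / git_pillar remotes.
REMOTES: List[Dict[str, str]] = [
    {"url": "https://example.invalid/infra/states.git", "branch": "main", "env": "base"},
    {"url": "https://example.invalid/infra/states.git", "branch": "staging", "env": "staging"},
]


def cachedir_basename_weak(url: str) -> str:
    """Pre-fix style (hypothetical): the base name depends on the URL only,
    so every environment that maps this repository shares one cache dir and
    can read the other environment's checkout."""
    return hashlib.sha1(url.encode("utf-8")).hexdigest()


def cachedir_basename_fixed(url: str, branch: Optional[str], env: Optional[str]) -> str:
    """Post-fix style (hypothetical): the environment and branch are part of
    the hashed material, so the same repository used with different
    environments yields distinct cache directories."""
    material = "|".join([url, branch or "", env or ""])
    return hashlib.sha1(material.encode("utf-8")).hexdigest()


def cache_collisions(
    remotes: List[Dict[str, str]], keyfunc: Callable[[Dict[str, str]], str]
) -> Dict[str, List[Dict[str, str]]]:
    """Map each cache base name to the remotes that share it, keeping only
    names claimed by more than one remote (the dangerous case)."""
    seen: Dict[str, List[Dict[str, str]]] = {}
    for remote in remotes:
        seen.setdefault(keyfunc(remote), []).append(remote)
    return {name: rs for name, rs in seen.items() if len(rs) > 1}


if __name__ == "__main__":
    weak = cache_collisions(REMOTES, lambda r: cachedir_basename_weak(r["url"]))
    fixed = cache_collisions(
        REMOTES, lambda r: cachedir_basename_fixed(r["url"], r["branch"], r["env"])
    )
    print("URL-only naming, shared cache dirs:", len(weak))    # 1
    print("env-aware naming, shared cache dirs:", len(fixed))  # 0
```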

Packages

Updated packages for the supported versions of Salt listed below are available at https://repo.saltproject.io.

  • 3005.2
  • 3006.2