Bugzilla – Bug 957914
VUL-0: CVE-2015-8034: salt: Saving state.sls cache data to disk with insecure permissions
Last modified: 2016-09-09 15:06:02 UTC
https://docs.saltstack.com/en/latest/topics/releases/2015.8.3.html CVE-2015-8034: Saving state.sls cache data to disk with insecure permissions This affects users of the state.sls function. The state run cache on the minion was being created with incorrect permissions. This file could potentially contain sensitive data that was inserted via jinja into the state SLS files. The permissions for this file are now being set correctly.
Upstream issue report: "highstate.cache is world readable, and contains secrets" https://github.com/saltstack/salt/issues/28455 Upstream commit: "Wrap all cache calls in state.sls in correct umask" https://github.com/saltstack/salt/pull/28461 https://github.com/cachedout/salt/commit/097838ec0c52b1e96f7f761e5fb3cd7e79808741 Fixed in: > $ git tag --contains 097838ec0c52b1e96f7f761e5fb3cd7e79808741 > v2014.7.8 > v2015.5.7 > v2015.5.8 > v2015.8.2 (retracted release) > v2015.8.3 From https://docs.saltstack.com/en/latest/topics/releases/2015.8.2.html > A significant orchestrate issue #29110 was discovered during the release > process of 2015.8.2, so it has not been officially released.
Fixed with new upstream version release 2015.8.3 which are in systemsmanagement:saltstack https://build.opensuse.org/request/show/347030 and leap update: https://build.opensuse.org/request/show/347826
fixed in obs, but not yet in ibs for the SLE products. (Storage 1 and Storage 2 use salt)
bugbot adjusting priority
OK, I've backported 097838e to 2014.1.10 (included in SES 1.0, SES 2.0 and SES 2.1), and verified the fix works as follows. Before the fix: - On a minion: # rm /var/cache/salt/minion/highstate.cache.p - On the master: # salt '*' state.sls test - On a minion: # cd /var/cache/salt/minion # ls -l highstate.cache.p -rw-r--r-- 1 root root 75 Jun 23 21:41 highstate.cache.p After the fix, same steps as above, but the end result is: # ls -l highstate.cache.p -rw------- 1 root root 75 Jun 23 21:50 highstate.cache.p I've opened MRs 117020, 117021 and 117022 for each of those three codestreams. (Also I suspect the chance of any SES customer ever having hit this is slim-to-none, as it seems that when the salt-minion starts, it creates highstate.cache.p with the correct permissions. You'd actually have to delete that file then later run state.sls from the master to end up with the wrong umask, AFAICT)
SUSE-SU-2016:1895-1: An update that fixes one vulnerability is now available. Category: security (moderate) Bug References: 957914 CVE References: CVE-2015-8034 Sources used: SUSE Enterprise Storage 2 (src): salt-2014.1.10-6.4
SUSE-SU-2016:1896-1: An update that fixes one vulnerability is now available. Category: security (moderate) Bug References: 957914 CVE References: CVE-2015-8034 Sources used: SUSE Enterprise Storage 2.1 (src): salt-2014.1.10-8.4
SUSE-SU-2016:1897-1: An update that fixes one vulnerability is now available. Category: security (moderate) Bug References: 957914 CVE References: CVE-2015-8034 Sources used: SUSE Enterprise Storage 1.0 (src): salt-2014.1.10-8.4
Fix released