pcs-0.10.12-6.el8.2.ML.1

エラータID: AXSA:2022-3795:05

Release date: 
Tuesday, September 6, 2022 - 09:06
Subject: 
pcs-0.10.12-6.el8.2.ML.1
Affected Channels: 
Asianux Server 8 for x86_64
Severity: 
High
Description: 

The pcs packages provide a command-line configuration system for the Pacemaker and Corosync utilities.

Security Fix(es):

* pcs: obtaining an authentication token for hacluster user could lead to privilege escalation (CVE-2022-2735)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

CVE-2022-2735
** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.

Solution: 

Update packages.

CVEs: 
CVE-2022-2735
A vulnerability was found in the PCS project. This issue occurs due to incorrect permissions on a Unix socket used for internal communication between PCS daemons. A privilege escalation could happen by obtaining an authentication token for a hacluster user. With the "hacluster" token, this flaw allows an attacker to have complete control over the cluster managed by PCS.
Additional Info: 

N/A

Download: 

SRPMS
  1. pcs-0.10.12-6.el8.2.ML.1.src.rpm
    MD5: 02d3bf5b6e9e7d8dcc44397227444b7a
    SHA-256: 3c95a1015673482044f1f9b02b3e44448dc281de98cf79937ecd8cf89aab45ad
    Size: 73.42 MB

Asianux Server 8 for x86_64
  1. pcs-0.10.12-6.el8.2.ML.1.x86_64.rpm
    MD5: bc4e7e4fe8af1f23ab724d80f68f6bc4
    SHA-256: 5159dc11236855a7a11904f8c9a51b1632771217734360efa91dc0e1f473b01d
    Size: 9.65 MB
  2. pcs-snmp-0.10.12-6.el8.2.ML.1.x86_64.rpm
    MD5: 962a655f4348b945a5c4824a77d8fd9d
    SHA-256: a9bcc0cae5647c031d0ebfdd93c0a73a4d365f85d0544b097b634883d62f73c1
    Size: 73.43 kB