Safety vulnerability ID: 41922
The information on this page was manually curated by our Cybersecurity Intelligence Team.
Salt versions 3002.7 and 3003.3 include a fix for CVE-2021-22004: An issue was discovered in SaltStack Salt before 3003.3. The salt minion installer will accept and use a minion config file at C:\salt\conf if that file is in place before the installer is run. This allows for a malicious actor to subvert the proper behaviour of the given minion software.
Latest version: 3007.1
Portable, distributed, remote execution and configuration management system
Fixed
-----
- Verify the owner of an existing config before trusting it during install. If the owner cannot be verified, back it up and use defaults. (CVE-2021-22004)
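
An added example, not code from the Salt project or its installer: a PowerShell pre-install check that applies the same owner-verification idea to the C:\salt\conf directory named above. The trusted-owner list (LocalSystem and the built-in Administrators group, matched by SID), the -Quarantine switch and the backup name are assumptions made for illustration.

```powershell
# Added example: audit who owns a pre-existing Salt config directory before installing.
# The trusted-owner list and backup naming are assumptions, not the installer's own logic.
param(
    [string]$ConfDir = 'C:\salt\conf',   # path named in the advisory
    [switch]$Quarantine                   # rename the directory instead of only reporting
)

# Well-known SIDs: LocalSystem and BUILTIN\Administrators (locale-independent).
$TrustedOwnerSids = @('S-1-5-18', 'S-1-5-32-544')

function Get-OwnerSid {
    param([string]$Path)
    try {
        $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop
        return $acl.GetOwner([System.Security.Principal.SecurityIdentifier]).Value
    } catch {
        return $null   # owner could not be read: treat as unverified
    }
}

function Test-SaltConfOwnership {
    param([string]$Root, [string[]]$Trusted)
    if (-not (Test-Path -LiteralPath $Root)) { return }
    # Check the directory itself and everything below it.
    $items = @(Get-Item -LiteralPath $Root -Force) +
             @(Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue)
    foreach ($item in $items) {
        $sid = Get-OwnerSid -Path $item.FullName
        if ($null -eq $sid -or $Trusted -notcontains $sid) {
            [pscustomobject]@{ Path = $item.FullName; OwnerSid = $sid }
        }
    }
}

$findings = @(Test-SaltConfOwnership -Root $ConfDir -Trusted $TrustedOwnerSids)
if ($findings.Count -eq 0) {
    Write-Output "No untrusted owners found under $ConfDir"
    exit 0
}
$findings | Format-Table -AutoSize | Out-String | Write-Output

if ($Quarantine) {
    # Move the whole directory aside so no unverified config is in place at install time.
    $backup = '{0}.untrusted-{1:yyyyMMddHHmmss}' -f $ConfDir.TrimEnd('\'), (Get-Date)
    Rename-Item -LiteralPath $ConfDir -NewName (Split-Path -Leaf $backup) -ErrorAction Stop
    Write-Output "Moved $ConfDir to $backup"
}
exit 1
```

Run it from an elevated prompt before installing or upgrading the minion; a non-zero exit code means at least one item has an owner outside the trusted list or an owner that could not be read.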
Security
--------
- Fix the CVE-2021-31607 vulnerability.
  Additionally, an audit and a tool, ``bandit``, were put in place to address similar issues throughout the code base and prevent them. (CVE-2021-31607)
- Ensure that the sourced file is cached using its hash name (CVE-2021-21996)