Red hat has released important security update and bug fix for pacemaker package.
The Pacemaker cluster resource manager is a collection of technologies working together to maintain data integrity and application availability in the event of failures.
pacemaker: Insufficient local IPC client-server authentication on the client’s side can lead to local privesc (CVE-2018-16877)
pacemaker: Insufficient verification inflicted preference of uncontrolled processes can lead to DoS (CVE-2018-16878)
pacemaker: Information disclosure through use-after-free (CVE-2019-3885)
For more details about the security issues, and other related information, refer to the CVE page.
Date Reported: 17-April-2019
Fix Released On: 28-May-2019
Severity Level: Medium
Affected Packages: pacemaker
Affected Operating System & Version:
- Red Hat Enterprise Linux 6 – Will not fix
- Red Hat Enterprise Linux 7 – fixed
- Red Hat Enterprise Linux 8 – fixed
Refer the following Link for installing security updates to Red hat (RHEL) and CentOS Systems.
CVE-2018-16877: A flaw was found in the way pacemaker’s client-server authentication was implemented in versions up to and including 2.0.0. A local attacker could use this flaw, and combine it with other IPC weaknesses, to achieve local privilege escalation.
CVE-2018-16878: A flaw was found in pacemaker. An insufficient verification inflicted preference of uncontrolled processes can lead to DoS
CVE-2019-3885: A use-after-free flaw was found in pacemaker which could result in certain sensitive information to be leaked via the system logs.
Red Hat Security Advisory References:
Security Database References (CVE):
- This issue is fixed for RHEL 7 in pacemaker-1.1.19-8.
- This issue is fixed for RHEL 8 in pacemaker-2.0.1-4.
Refer the following Link to verify the installed security updates on Red hat (RHEL) and CentOS Systems.
This issue has been fixed and update is available in red hat distributions repository.
The installed security fixes can be verified in the package change log using the following command.
# rpm -q --changelog pacemaker | grep -i "CVE-2018-16877\|CVE-2018-16878\|CVE-2019-3885"