Red Hat Released Security Updates and bug fixes for pacemaker

Red Hat has released an important security update and bug fix for the pacemaker package.

The Pacemaker cluster resource manager is a collection of technologies working together to maintain data integrity and application availability in the event of failures.

pacemaker: Insufficient local IPC client-server authentication on the client’s side can lead to local privesc (CVE-2018-16877)

pacemaker: Insufficient verification inflicted preference of uncontrolled processes can lead to DoS (CVE-2018-16878)

pacemaker: Information disclosure through use-after-free (CVE-2019-3885)

For more details about the security issues, and other related information, refer to the CVE page.

Date Reported: 17-April-2019

Fix Released On: 28-May-2019

Severity Level: Medium

Affected Packages: pacemaker

Affected Operating System & Version:

  • Red Hat Enterprise Linux 6 – Will not fix
  • Red Hat Enterprise Linux 7 – fixed
  • Red Hat Enterprise Linux 8 – fixed

Refer to the following link for installing security updates on Red Hat (RHEL) and CentOS systems.

Details:

CVE-2018-16877: A flaw was found in the way pacemaker’s client-server authentication was implemented in versions up to and including 2.0.0. A local attacker could use this flaw, and combine it with other IPC weaknesses, to achieve local privilege escalation.

For more details about this, refer to the MITRE CVE dictionary and NIST NVD.

CVE-2018-16878: A flaw was found in pacemaker. Insufficient verification inflicted preference of uncontrolled processes, which can lead to a denial of service (DoS).

For more details about this, refer to the MITRE CVE dictionary and NIST NVD.

CVE-2019-3885: A use-after-free flaw was found in pacemaker which could result in certain sensitive information being leaked via the system logs.

For more details about this, refer to the MITRE CVE dictionary and NIST NVD.

Red Hat Security Advisory References:

Security Database References (CVE):

Fix(es):

  • These issues are fixed for RHEL 7 in pacemaker-1.1.19-8.
  • These issues are fixed for RHEL 8 in pacemaker-2.0.1-4.

Refer to the following link to verify the installed security updates on Red Hat (RHEL) and CentOS systems.

Solution:

These issues have been fixed and the update is available in the Red Hat distribution repositories.

The installed security fixes can be verified in the package change log using the following command.

# rpm -q --changelog pacemaker | grep -i "CVE-2018-16877\|CVE-2018-16878\|CVE-2019-3885"
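The changelog grep above is the authoritative check on RHEL, because fixes are backported without bumping the upstream version. The following added example (not part of the advisory or of the pacemaker project) automates both checks offline: it parses an `rpm -q pacemaker` NVRA string, compares it against the fix versions listed in the Fix(es) section with a simplified rpmvercmp, and then confirms that all three CVE ids appear in the changelog text. The FIXED table, the NVRA samples and SAMPLE_CHANGELOG are constructed for illustration.

```python
import re

# CVE ids and fixed versions exactly as the advisory above lists them (constructed lookup table)
CVES = ("CVE-2018-16877", "CVE-2018-16878", "CVE-2019-3885")
FIXED = {7: ("1.1.19", "8"), 8: ("2.0.1", "4")}  # RHEL major -> (version, release) from Fix(es)

def rpmvercmp(a, b):
    """Compare two RPM version or release strings like rpm's rpmvercmp (simplified:
    tilde/caret ordering is not handled). Returns -1, 0 or 1."""
    sa, sb = re.findall(r"[0-9]+|[A-Za-z]+", a), re.findall(r"[0-9]+|[A-Za-z]+", b)
    for x, y in zip(sa, sb):
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1  # a numeric segment is newer than an alpha one
        if x.isdigit():
            x, y = x.lstrip("0") or "0", y.lstrip("0") or "0"
            if len(x) != len(y):
                return 1 if len(x) > len(y) else -1
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))  # more segments wins when the shared ones match

def changelog_cves(changelog_text):
    """Return the advisory's CVE ids that `rpm -q --changelog pacemaker` output mentions."""
    found = {c.upper() for c in re.findall(r"CVE-\d{4}-\d{4,}", changelog_text, re.I)}
    return {c for c in CVES if c in found}

def assess(nvra, changelog_text):
    """Classify an installed pacemaker package from its NVRA (`rpm -q pacemaker`) and changelog."""
    m = re.match(r"^pacemaker-(?P<ver>[^-]+)-(?P<rel>[^-]+)\.(?P<arch>[^.]+)$", nvra.strip())
    if not m:
        raise ValueError("not a pacemaker NVRA: %r" % nvra)
    dist = re.search(r"\.el(\d+)", m["rel"])
    major = int(dist.group(1)) if dist else None
    if major == 6:
        return "will-not-fix"        # the advisory lists RHEL 6 as "Will not fix"
    if major not in FIXED:
        return "unknown-release"
    fver, frel = FIXED[major]
    if (rpmvercmp(m["ver"], fver) or rpmvercmp(m["rel"], frel)) < 0:
        return "vulnerable"          # older than the version the advisory names as fixed
    # At or above the listed version: the changelog decides, since the advisory's
    # version string omits the dist suffix and RHEL backports fixes into older versions.
    return "fixed" if changelog_cves(changelog_text) == set(CVES) else "unverified"

# Constructed sample changelog entry (not a real Red Hat changelog)
SAMPLE_CHANGELOG = """\
* Tue May 28 2019 Example Packager <packager@example.com> - 1.1.19-8.4
- fix IPC client authentication (CVE-2018-16877)
- fix verification of uncontrolled processes (CVE-2018-16878)
- fix use-after-free leaking data to logs (CVE-2019-3885)
"""
```

On a real host, feed `assess()` the output of `rpm -q pacemaker` and `rpm -q --changelog pacemaker`; an "unverified" result means the version looks new enough but the changelog does not name all three CVEs, so the package should be treated as unpatched.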
