Multiple High Severity Vulnerabilities in SaltStack

Published on 26 Feb 2021

Updated on 14 Apr 2021

The Salt Project has released security updates addressing ten vulnerabilities, seven of which are rated high severity:

  • CVE-2021-3197: The Salt-API’s SSH client is vulnerable to a shell injection
  • CVE-2021-25281: The Salt-API does not have eAuth credentials for the wheel_async client
  • CVE-2021-25283: The jinja renderer does not protect against server-side template injection attacks
  • CVE-2020-35662: Several places where Salt was not verifying the SSL cert by default
  • CVE-2021-3144: Tokens can be used once after expiration
  • CVE-2020-28972: Missing validation on SSL certificate
  • CVE-2020-28243: Local privilege escalation in the Minion

Administrators and users of SaltStack are advised to upgrade to a fixed release immediately, or to apply the corresponding security patch where an upgrade is not yet possible.


The official updated packages for these supported versions of Salt can be found at: https://repo.saltstack.com


These versions have been updated for this security release:

  • 3002.5
  • 3001.6
  • 3000.8

Security patch files can be found at: https://gitlab.com/saltstack/open/salt-patches


Patches are available for the following versions:

  • 3002.2
  • 3001.4
  • 3000.6
  • 2019.2.8
  • 2019.2.5
  • 2018.3.5
  • 2017.7.8
  • 2016.11.10
  • 2016.11.6
  • 2016.11.5
  • 2016.11.3
  • 2016.3.8
  • 2016.3.6
  • 2016.3.4
  • 2015.8.13
  • 2015.8.10

NOTE: If you are running an older version of Salt not listed on either of these sites, please update to a listed version before applying an available patch.
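The advisory leaves the reader with three possible outcomes for a given host: the installed release already contains the fixes, the release has a standalone patch file, or the release is too old and must be upgraded to a listed version first. The script below is an added example (not part of the advisory or of the Salt project) that maps the output of `salt --version` onto those three outcomes using only the version lists printed above. It assumes that releases numbered higher than a fixed release on the same branch also contain the fixes, and it cannot tell whether a patch file has already been applied to a patchable release; that has to be verified on the host itself.

```python
"""Triage a Salt version string against the February 2021 security release.

Added example, not the Salt project's own tooling. The version lists are
copied from the advisory; the branch/comparison logic is an assumption about
how Salt numbers its releases (300x.N for recent branches, YYYY.M.N before).
"""
import re

# Releases the advisory lists as containing the fixes, keyed by branch.
FIXED_RELEASES = {"3002": "3002.5", "3001": "3001.6", "3000": "3000.8"}

# Releases the advisory lists as having a standalone patch file.
PATCHABLE_RELEASES = {
    "3002.2", "3001.4", "3000.6", "2019.2.8", "2019.2.5", "2018.3.5",
    "2017.7.8", "2016.11.10", "2016.11.6", "2016.11.5", "2016.11.3",
    "2016.3.8", "2016.3.6", "2016.3.4", "2015.8.13", "2015.8.10",
}

# Accepts "salt 3002.5" (as printed by `salt --version`) or a bare "3002.5".
_VERSION_RE = re.compile(r"^(?:salt\s+)?(\d+(?:\.\d+)+)")


def parse_version(text):
    """Turn 'salt 3002.5' or '2019.2.8' into a tuple of ints; None if unparseable."""
    match = _VERSION_RE.match(text.strip())
    if not match:
        return None
    return tuple(int(part) for part in match.group(1).split("."))


def branch_of(version):
    """Branch key: '3002' for the 300x scheme, '2019.2' for the older date scheme.

    Assumption: anything numbered 3000 or above uses the single-component
    branch scheme; older releases are identified by their first two components.
    """
    if version[0] >= 3000:
        return str(version[0])
    return f"{version[0]}.{version[1]}"


def triage(text):
    """Return (status, explanation) where status is one of
    'fixed', 'patchable', 'upgrade' or 'unknown'."""
    version = parse_version(text)
    if version is None:
        return "unknown", "could not parse a Salt version from the input"

    dotted = ".".join(str(part) for part in version)
    fixed = FIXED_RELEASES.get(branch_of(version))

    # Fixed release on this branch, or a later release on the same branch
    # (assumed to also carry the fixes).
    if fixed and version >= parse_version(fixed):
        return "fixed", f"{dotted} is at or above fixed release {fixed}"

    # The advisory publishes a patch file for exactly these releases. Whether
    # the patch has actually been applied is not visible from the version.
    if dotted in PATCHABLE_RELEASES:
        target = fixed or "a fixed release"
        return "patchable", f"{dotted} has a patch file; apply it or upgrade to {target}"

    # Anything else must be moved to a listed version before patching.
    return "upgrade", f"{dotted} has no patch file; upgrade to a listed version first"


if __name__ == "__main__":
    # Constructed sample inputs standing in for `salt --version` output.
    for sample in ("salt 3002.5", "salt 3002.2", "salt 3000.7", "salt 2019.2.8"):
        status, why = triage(sample)
        print(f"{sample:>16} -> {status:9} {why}")
```

Run it on each master and minion (for example by piping `salt --version` into the script) and treat "patchable" as a prompt to confirm on the host that the patch from the GitLab repository has actually been applied, since the version string alone cannot show that.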


More information is available here:

https://saltproject.io/security_announcements/active-saltstack-cve-release-2021-feb-25/