Synopsis
Important: pacemaker security and bug fix update
Type/Severity
Security Advisory: Important
Topic
An update for pacemaker is now available for Red Hat Enterprise Linux 8.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Description
The Pacemaker cluster resource manager is a collection of technologies working together to maintain data integrity and application availability in the event of failures.
Security Fix(es):
- pacemaker: Insufficient local IPC client-server authentication on the client's side can lead to local privesc (CVE-2018-16877)
- pacemaker: Insufficient verification inflicted preference of uncontrolled processes can lead to DoS (CVE-2018-16878)
- pacemaker: Information disclosure through use-after-free (CVE-2019-3885)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Bug Fix(es):
- Interrupted live migration will get full start rather than completed migration (BZ#1695247)
Solution
For details on how to apply this update, which includes the changes described in this advisory, refer to:
https://access.redhat.com/articles/11258
Affected Products
-
Red Hat Enterprise Linux for IBM z Systems 8 s390x
-
Red Hat Enterprise Linux Resilient Storage for x86_64 8 x86_64
-
Red Hat Enterprise Linux for Power, little endian 8 ppc64le
-
Red Hat Enterprise Linux High Availability for x86_64 8 x86_64
-
Red Hat Enterprise Linux Resilient Storage for IBM z Systems 8 s390x
-
Red Hat Enterprise Linux High Availability for IBM z Systems 8 s390x
-
Red Hat Enterprise Linux Resilient Storage for Power, little endian 8 ppc64le
-
Red Hat Enterprise Linux High Availability for Power, little endian 8 ppc64le
-
Red Hat Enterprise Linux for x86_64 8 x86_64
-
Red Hat Enterprise Linux for ARM 64 8 aarch64
Fixes
- BZ - 1652646 - CVE-2018-16877 pacemaker: Insufficient local IPC client-server authentication on the client's side can lead to local privesc
- BZ - 1657962 - CVE-2018-16878 pacemaker: Insufficient verification inflicted preference of uncontrolled processes can lead to DoS
- BZ - 1694554 - CVE-2019-3885 pacemaker: Information disclosure through use-after-free
- BZ - 1695247 - Interrupted live migration will get full start rather than completed migration [RHEL-8.0.0.z]
CVEs
References