keepalived: Multiple vulnerabilities (CVE-2018-19044, CVE-2018-19045, CVE-2018-19046)
CVE-2018-19044: keepalived before version 2.0.9 didn’t check for pathnames with symlinks when writing data to a temporary file upon a call to PrintData or PrintStats. This allowed local users to overwrite arbitrary files if fs.protected_symlinks is set to 0, as demonstrated by a symlink from /tmp/keepalived.data or /tmp/keepalived.stats to /etc/passwd.
Fixed In Version:
keepalived 2.0.9
References:
https://github.com/acassen/keepalived/issues/1048
http://www.keepalived.org/changelog.html
Patch:
https://github.com/acassen/keepalived/commit/04f2d32871bb3b11d7dc024039952f2fe2750306
CVE-2018-19045: keepalived 2.0.8 used mode 0666 when creating new temporary files upon a call to PrintData or PrintStats, potentially leaking sensitive information.
Fixed In Version:
keepalived 2.0.9
References:
https://github.com/acassen/keepalived/issues/1048
https://nvd.nist.gov/vuln/detail/CVE-2018-19045
Patches:
https://github.com/acassen/keepalived/commit/5241e4d7b177d0b6f073cfc9ed5444bf51ec89d6
https://github.com/acassen/keepalived/commit/c6247a9ef2c7b33244ab1d3aa5d629ec49f0a067
CVE-2018-19046: keepalived before version 2.0.10 didn’t check for existing plain files when writing data to a temporary file upon a call to PrintData or PrintStats. If a local attacker had previously created a file with the expected name (e.g., /tmp/keepalived.data or /tmp/keepalived.stats), with read access for the attacker and write access for the keepalived process, then this potentially leaked sensitive information.
Fixed In Version:
keepalived 2.0.10
References:
https://nvd.nist.gov/vuln/detail/CVE-2018-19046
https://github.com/acassen/keepalived/issues/1048
Patches:
https://github.com/acassen/keepalived/commit/ac8e2ef053de273ce7a0cf0cb611e599dca4b298
https://github.com/acassen/keepalived/commit/26c8d6374db33bcfcdcd758b1282f12ceef4b94f
https://github.com/acassen/keepalived/commit/17f944144b3d9c5131569b1cc988cc90fd676671
(from redmine: issue id 9822, created on 2019-01-02, closed on 2019-01-09)
- Relations:
- child #9823 (closed)
- child #9824 (closed)