First published: Tue Mar 29 2022 (Updated: )
An issue was discovered in SaltStack Salt in versions before 3002.8, 3003.4, 3004.1. A minion authentication denial of service can cause a MiTM attacker to force a minion process to stop by impersonating a master.
Credit: security@vmware.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| SaltStack Salt | >=3002, <3002.8 | 3002.8 |
| SaltStack Salt | >=3003, <3003.4 | 3003.4 |
| SaltStack Salt | >=3004, <3004.1 | 3004.1 |
| SaltStack Salt | <3002.8; >=3003, <3003.4; >=3004, <3004.1 | 3002.8, 3003.4, 3004.1 |
| pip/salt | >=3004, <3004.1 | 3004.1 |
| pip/salt | >=3003, <3003.4 | 3003.4 |
| pip/salt | <3002.8 | 3002.8 |
How to Mitigate: Upgrade to 3002.8, 3003.4, or 3004.1. Pre-seed the master’s public key on minions. NOTE: When upgrading your Salt infrastructure, first upgrade your Salt master packages before upgrading your Salt minion packages. Upgrading the minion packages first could result in loss of functionality.
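The "pre-seed the master's public key on minions" mitigation means the minion never has to trust the first master that answers its authentication request: the master's public key is placed in the minion's pki directory as `minion_master.pub` ahead of time and its fingerprint is pinned with the minion config option `master_finger`, so a process impersonating the master fails the key check instead of being accepted. The script below is an added example, not code from the advisory or from the Salt project. The pki and config paths are constructed temp-dir paths, the sample key is not a real key (only shaped like the `master.pub` file a master writes), and the `pem_finger` routine reproduces the fingerprint format this example's author understands Salt to use (hex digest of the base64 body between the PEM markers, rendered as colon-separated byte pairs, with the minion's `hash_type`, default sha256); the value written should be compared against `salt-key -F` on the real master before rollout.

```python
"""Pre-seed a Salt master's public key on a minion (added example, not Salt code)."""
import hashlib
import os
import tempfile

# Constructed sample: NOT a real key, only shaped like the PEM file a Salt
# master writes to /etc/salt/pki/master/master.pub.
SAMPLE_MASTER_PUB = (
    "-----BEGIN PUBLIC KEY-----\n"
    "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAexampleexampleexampleexam\n"
    "plekeybodyonlyforfingerprintdemonstrationAAAAAAAAAAAAAAAAAAAAAAAAAAA\n"
    "-----END PUBLIC KEY-----\n"
)


def pem_finger(pem_text: str, sum_type: str = "sha256") -> str:
    """Fingerprint a PEM key in the colon-separated form master_finger expects.

    Assumption (mirrors how this example's author reads Salt's pem_finger):
    hash the non-blank lines between the BEGIN/END markers, newlines kept,
    and render the hex digest as byte pairs joined by ':'.
    """
    lines = [ln for ln in pem_text.splitlines(keepends=True) if ln.strip()]
    body = "".join(lines[1:-1]).encode()
    digest = hashlib.new(sum_type, body).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def preseed_master_key(pki_dir: str, conf_dir: str, master_pub: str) -> dict:
    """Install the master key as minion_master.pub and pin its fingerprint.

    Returns the paths written and the fingerprint so callers can audit them.
    """
    os.makedirs(pki_dir, exist_ok=True)
    drop_in_dir = os.path.join(conf_dir, "minion.d")
    os.makedirs(drop_in_dir, exist_ok=True)

    key_path = os.path.join(pki_dir, "minion_master.pub")
    with open(key_path, "w") as fh:
        fh.write(master_pub)
    os.chmod(key_path, 0o644)

    finger = pem_finger(master_pub)
    drop_in = os.path.join(drop_in_dir, "master_finger.conf")
    with open(drop_in, "w") as fh:
        fh.write(f"master_finger: '{finger}'\n")
    return {
        "pki_dir": pki_dir,
        "key_path": key_path,
        "drop_in": drop_in,
        "master_finger": finger,
    }


def verify_cached_master_key(pki_dir: str, expected_finger: str) -> bool:
    """Check the cached minion_master.pub against a pinned fingerprint.

    This is the comparison a defender runs to confirm a minion still holds
    the expected master key; a missing or differing key is reported as False.
    """
    key_path = os.path.join(pki_dir, "minion_master.pub")
    if not os.path.isfile(key_path):
        return False
    with open(key_path) as fh:
        return pem_finger(fh.read()) == expected_finger


def preseed_into_tempdir() -> dict:
    """Run the pre-seeding against a throwaway directory tree (offline demo)."""
    root = tempfile.mkdtemp(prefix="salt-preseed-")
    return preseed_master_key(
        pki_dir=os.path.join(root, "pki", "minion"),   # constructed path
        conf_dir=os.path.join(root, "etc", "salt"),    # constructed path
        master_pub=SAMPLE_MASTER_PUB,
    )


if __name__ == "__main__":
    result = preseed_into_tempdir()
    print("wrote", result["key_path"])
    print("wrote", result["drop_in"])
    print("master_finger:", result["master_finger"])
    print("cached key matches:", verify_cached_master_key(result["pki_dir"], result["master_finger"]))
```

On a real minion the pki directory is `/etc/salt/pki/minion` and the drop-in goes under `/etc/salt/minion.d`; the `master.pub` contents come from the master itself over a channel you already trust (the provisioning image, configuration management, or a copy verified against `salt-key -F` on the master), never from whatever answers on port 4506.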
CVE-2022-22935 is a vulnerability in SaltStack Salt that allows a minion authentication denial of service attack.
Versions before 3002.8, 3003.4, and 3004.1 of SaltStack Salt are affected by CVE-2022-22935.
A MiTM attacker can impersonate a master and force a minion process to stop, causing the denial of service.
CVE-2022-22935 has a severity level of medium (3.7).
More information about CVE-2022-22935 can be found in the SaltStack Salt releases, the Salt project's repository, and the Salt security advisory release.