CVE-2022-22936
First published: Tue Mar 29 2022(Updated: )
An issue was discovered in SaltStack Salt in versions before 3002.8, 3003.4, 3004.1. Job publishes and file server replies are susceptible to replay attacks, which can result in an attacker replaying job publishes causing minions to run old jobs. File server replies can also be re-played. A sufficient craft attacker could gain root access on minion under certain scenarios.
Credit: security@vmware.com security@vmware.com security@vmware.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| SaltStack Salt | >=3002<3002.8 | |
| SaltStack Salt | >=3003<3003.4 | |
| SaltStack Salt | >=3004<3004.1 | |
| SaltStack Salt | <3004.1<3003.4<3002.8 | 3004.1 3003.4 3002.8 |
| pip/salt | >=3004<3004.1 | 3004.1 |
| pip/salt | >=3003<3003.4 | 3003.4 |
| pip/salt | <3002.8 | 3002.8 |
Remedy
How to Mitigate: Upgrade to 3002.8, 3003.4, or 3004.1 NOTE: When upgrading your Salt infrastructure, first upgrade your Salt master packages before upgrading your Salt minion packages. Upgrading the minion packages first could result in loss of functionality.
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://github.com/saltstack/salt/releases,
- https://repo.saltproject.io/
- https://saltproject.io/security_announcements/salt-security-advisory-release/,
- https://github.com/saltstack/salt/releases%2C
- https://saltproject.io/security_announcements/salt-security-advisory-release/%2C
- https://security.gentoo.org/glsa/202310-22
- https://saltproject.io/security-announcements/2022-03-28-advisory/
- https://nvd.nist.gov/vuln/detail/CVE-2022-22936
- https://github.com/saltstack/salt/blob/8f9405cf8e6f7d7776d5000841c886dec6d96250/doc/topics/releases/3002.8.rst#L31
- https://github.com/saltstack/salt/blob/8f9405cf8e6f7d7776d5000841c886dec6d96250/doc/topics/releases/3003.4.rst#L32
- https://github.com/saltstack/salt/blob/8f9405cf8e6f7d7776d5000841c886dec6d96250/doc/topics/releases/3004.1.rst#L30
- https://github.com/saltstack/salt/releases
- https://repo.saltproject.io
- https://saltproject.io/security_announcements/salt-security-advisory-release
- https://github.com/advisories/GHSA-5r3f-3m3j-wcj2 (Advisory)
- https://github.com/pypa/advisory-database/tree/main/vulns/salt/PYSEC-2022-173.yaml
Frequently Asked Questions
What is CVE-2022-22936?
CVE-2022-22936 is a vulnerability in SaltStack Salt where job publishes and file server replies are susceptible to replay attacks, potentially allowing an attacker to replay job publishes and execute old jobs on minions.
How severe is CVE-2022-22936?
CVE-2022-22936 is considered high severity with a CVSS score of 8.8.
Which versions of SaltStack Salt are affected by CVE-2022-22936?
SaltStack Salt versions before 3002.8, 3003.4, and 3004.1 are affected by CVE-2022-22936.
How can an attacker exploit CVE-2022-22936?
An attacker can exploit CVE-2022-22936 by performing replay attacks on job publishes and file server replies, potentially causing minions to run old jobs.
Are there any known fixes for CVE-2022-22936?
Yes, upgrading to SaltStack Salt version 3002.8, 3003.4, or 3004.1 addresses the vulnerability.
- collector/nvd-index
- collector/nvd-api
- agent/type
- agent/first-publish-date
- agent/remedy
- agent/weakness
- agent/description
- collector/saltproject-advisory
- source/Salt Project
- agent/software-canonical-lookup
- agent/references
- agent/severity
- agent/event
- agent/softwarecombine
- collector/nvd-cve
- source/NVD
- agent/author
- collector/github-advisory
- source/GitHub
- alias/GHSA-5r3f-3m3j-wcj2
- alias/CVE-2022-22936
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/tags
- collector/github-advisory-latest
- vendor/saltstack
- canonical/saltstack salt
- version/saltstack salt/3002
- version/saltstack salt/3003
- version/saltstack salt/3004
- package-manager/pip