Service Notices
Two Important SaltStack Vulnerabilities (CVE-2020-16846 and CVE-2020-25592)
Nov 09, 2020 GMT+08:00
I. Overview
SaltStack has released a security update disclosing two important vulnerabilities (CVE-2020-16846 and CVE-2020-25592) that affect all deployments running the Salt API (salt-api). Unauthenticated attackers with network access to the Salt API can exploit these vulnerabilities to achieve remote code execution on the host that serves the API.
If you run Salt, check whether your deployment exposes the Salt API and apply the fix promptly.
Reference:
https://www.saltstack.com/blog/on-november-3-2020-saltstack-publicly-disclosed-three-new-cves/
II. Severity
Severity: important
(Severity scale: low, moderate, important, critical)
III. Affected Products
All deployments that run the Salt API (the salt-api service) are affected.
IV. Vulnerability Handling
SaltStack has released official patches for these vulnerabilities. Download and install the patch that matches your installed version from:
https://gitlab.com/saltstack/open/salt-patches
3002
3001.1, 3001.2
3000.3, 3000.4
2019.2.5, 2019.2.6
2018.3.5
2017.7.4, 2017.7.8
2016.11.3, 2016.11.6, 2016.11.10
2016.3.4, 2016.3.6, 2016.3.8
2015.8.10, 2015.8.13
If you are running an earlier Salt version, first upgrade to one of the versions listed above, then download and install the corresponding patch.
Note: Back up your files and test the patch thoroughly (for example in a staging environment) before applying it to production systems.
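The check below is an added example for this notice; it is not part of the original page and not SaltStack code. It compares an installed Salt version against the patch list above and reports whether that version can be patched directly, must be upgraded to a listed version first, or is newer than anything this notice covers. The only external assumption is that "salt-api --version" prints "salt-api <version>"; the classification logic itself takes any version string.

```shell
#!/bin/sh
# Added example for this notice (not from the original page, not SaltStack code):
# classify the installed Salt version against the patch list published above.
# Assumption: "salt-api --version" prints "salt-api <version>"; the version
# comparison logic itself works on any version string passed to it.

# Versions for which SaltStack published patches, as listed in this notice.
PATCHED_VERSIONS="3002 3001.1 3001.2 3000.3 3000.4 2019.2.5 2019.2.6 2018.3.5 \
2017.7.4 2017.7.8 2016.11.3 2016.11.6 2016.11.10 2016.3.4 2016.3.6 2016.3.8 \
2015.8.10 2015.8.13"

# version_lt A B: true (exit 0) when A sorts before B, comparing each
# dot-separated component numerically (so 2016.3.8 < 2016.11.3).
version_lt() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    na = split(a, x, "."); nb = split(b, y, ".")
    n = (na > nb) ? na : nb
    for (i = 1; i <= n; i++) {
      xi = (i <= na) ? x[i] + 0 : 0
      yi = (i <= nb) ? y[i] + 0 : 0
      if (xi < yi) exit 0
      if (xi > yi) exit 1
    }
    exit 1
  }'
}

# series_of V: the release series a version belongs to. Releases before 3000
# are YEAR.MONTH.patch (series YEAR.MONTH); 3000 and later are MAJOR.patch.
series_of() {
  first=${1%%.*}
  if [ "$first" -ge 3000 ]; then
    echo "$first"
  else
    rest=${1#*.}
    echo "$first.${rest%%.*}"
  fi
}

# classify_salt_version V prints one of:
#   patch   - V is in the list above: install the patch for that version
#   upgrade - V is older than the patched release of its series (or an
#             older series altogether): upgrade to a listed version first
#   newer   - V is newer than anything in the list; not covered by this notice
classify_salt_version() {
  v=$1
  s=$(series_of "$v")
  highest=""
  for p in $PATCHED_VERSIONS; do
    if [ "$v" = "$p" ]; then
      echo patch
      return 0
    fi
    if [ "$(series_of "$p")" = "$s" ]; then
      if [ -z "$highest" ] || version_lt "$highest" "$p"; then
        highest=$p
      fi
    fi
  done
  if [ -n "$highest" ]; then
    if version_lt "$v" "$highest"; then echo upgrade; else echo newer; fi
  elif version_lt "$v" 3002; then
    echo upgrade
  else
    echo newer
  fi
}

# installed_salt_version: the version reported by the salt-api binary on PATH,
# or failure (exit 1) when salt-api is not installed on this host.
installed_salt_version() {
  command -v salt-api >/dev/null 2>&1 || return 1
  salt-api --version | awk '{ print $2 }'
}

# Run the check against the local installation when invoked directly.
if v=$(installed_salt_version); then
  echo "salt-api $v -> $(classify_salt_version "$v")"
else
  echo "salt-api not found on PATH; run this on the Salt master that serves the API" >&2
fi
```

Run it on the master that serves the Salt API. A result of "newer" only means the version is not in this notice's list; it says nothing about whether that later release is fixed, so consult the SaltStack advisory for it. The script also checks only the installed version, not whether the salt-api service is actually enabled and listening; confirm that separately with your service manager before deciding a host is unaffected.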