SaltStack has released a security update to address critical vulnerabilities affecting Salt versions prior to 2019.2.4 and 3000.2 (1st May 2020)

Product background: If you have one hundred servers, it makes sense to use a tool such as Puppet (an open source DevOps systems management tool) to centralize and automate configuration management. SaltStack itself is an open source platform for centralized infrastructure management. Compared with other commercial products, its deployment and configuration are slightly more complicated.

Vulnerability details: SaltStack has released a security update to address critical vulnerabilities affecting Salt versions prior to 2019.2.4 and 3000.2. A remote attacker could exploit these vulnerabilities to take control of an affected system. For more details, please refer to the attached diagram. The official announcement can be found here: https://docs.saltstack.com/en/latest/topics/releases/3000.2.html

Recommendation:

1. Upgrade SaltStack to a recommended version. It is recommended to take a snapshot backup before upgrading.

2. Do not expose the Salt Master's default listening ports (4505 and 4506) to the public network; restrict them to trusted hosts only.
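As an added example (not part of the original post or of SaltStack's own tooling), the two shell functions below support the recommendations above: one checks whether a Salt version string falls in the affected ranges named in the advisory (anything older than 2019.2.4 in the 2019.2 line or earlier lines, and anything older than 3000.2 in the 3000 line), and the other prints an nftables ruleset that accepts 4505/4506 only from trusted minion networks and drops everything else to those ports. It assumes nftables is available on the Salt Master; the CIDRs used in the usage line are constructed placeholders, not real addresses.

```shell
#!/bin/sh
# Added example, not from the original post. Assumptions: POSIX sh,
# nftables on the Salt Master, IPv4 trusted networks (use "ip6 saddr"
# for IPv6 ranges).

# salt_version_vulnerable VERSION
# Returns 0 (true) if VERSION is older than the fixed releases named in the
# advisory: older than 2019.2.4 (2019.2.x and earlier lines) or older than
# 3000.2 (3000.x). Missing fields are treated as 0, so "3000" means 3000.0.
salt_version_vulnerable() {
    oldifs="$IFS"
    IFS=.
    set -- $1            # split "2019.2.3" into positional fields
    IFS="$oldifs"
    major="$1"; minor="${2:-0}"; patch="${3:-0}"

    if [ "$major" -lt 2019 ]; then
        return 0         # earlier release line than 2019.2: affected
    fi
    if [ "$major" -eq 2019 ]; then
        if [ "$minor" -lt 2 ]; then return 0; fi
        if [ "$minor" -eq 2 ] && [ "$patch" -lt 4 ]; then return 0; fi
        return 1         # 2019.2.4 or later in this line: fixed
    fi
    if [ "$major" -eq 3000 ]; then
        if [ "$minor" -lt 2 ]; then return 0; fi
        return 1         # 3000.2 or later: fixed
    fi
    return 1             # later release lines than 3000: fixed
}

# salt_master_nft_rules CIDR [CIDR...]
# Prints an nftables ruleset restricting the Salt Master ports to the given
# trusted networks. The accept rule must precede the drop rule.
salt_master_nft_rules() {
    if [ "$#" -eq 0 ]; then
        echo "usage: salt_master_nft_rules CIDR [CIDR...]" >&2
        return 2
    fi
    trusted="$1"; shift
    for cidr in "$@"; do
        trusted="$trusted, $cidr"
    done
    cat <<EOF
table inet salt_master {
    chain input {
        type filter hook input priority 0; policy accept;
        # ZeroMQ publisher (4505) and request server (4506): trusted minions only
        tcp dport { 4505, 4506 } ip saddr { $trusted } accept
        tcp dport { 4505, 4506 } drop
    }
}
EOF
}
```

Usage on the master: `salt_version_vulnerable "$(salt --version | awk '{print $2}')" && echo "upgrade needed"`, and `salt_master_nft_rules 10.0.0.0/24 192.0.2.0/24 | nft -f -` to load the ruleset (the CIDRs are constructed placeholders; substitute your minion networks). The ruleset only touches the two Salt ports, so it can be loaded alongside an existing firewall policy.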

Take care, data center administrators.
