Bugzilla – Bug 1222121
VUL-0: CVE-2024-3019: pcp: exposure of the redis server backend allows remote command execution via pmproxy
Last modified: 2024-07-17 10:24:27 UTC
A flaw was found in PCP. The default pmproxy configuration exposes the Redis server backend to the local network, allowing remote command execution with the privileges of the Redis user. This issue can only be exploited when pmproxy is running. By default, pmproxy is not running and needs to be started manually. The pmproxy service is usually started from the 'Metrics settings' page of the Cockpit web interface. This issue affects PCP versions 4.3.4 and newer.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-3019
https://bugzilla.redhat.com/show_bug.cgi?id=2271898
This affects:
- SUSE:SLE-15-SP3:Update/pcp 5.2.2
- SUSE:SLE-15-SP4:Update/pcp 5.2.5
- SUSE:SLE-15-SP6:GA/pcp 5.3.7
- SUSE:ALP:Source:Standard:1.0/pcp 5.3.7
- openSUSE:Factory/pcp 5.3.7

The fix is: https://github.com/performancecopilot/pcp/commit/3bde240a2acc85e63e2f7813330713dd9b59386e
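Added example (not from this bug report and not PCP's own code): a POSIX shell check of the two conditions the description above names, pmproxy actually running and Redis proxying enabled in its configuration. It assumes that pmproxy reads an INI-style /etc/pcp/pmproxy/pmproxy.conf whose [pmproxy] section carries a boolean "redis.enabled" key, that pre-fix releases treat a missing key as enabled, and that this key is the knob the patch referenced later in this bug (disable-redis-proxying-by-default.patch) changes; all three are assumptions to verify against the installed pmproxy.conf, and the sample configs in the test are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the bug report or the PCP project.
# Assumptions (check against your PCP version): pmproxy's config is INI-style,
# the [pmproxy] section has a "redis.enabled" boolean, and a missing key means
# "enabled" on releases from before the fix.

# Print "yes" if the pmproxy config in $1 leaves Redis proxying enabled,
# "no" if it is explicitly switched off. Comments (# or ;) and whitespace are
# ignored; only the [pmproxy] section is consulted, so a same-named key in
# another section does not count.
redis_proxy_enabled() {
    awk '
        BEGIN { section = ""; value = "" }
        { sub(/[#;].*/, ""); gsub(/^[ \t]+|[ \t]+$/, "") }   # drop comments, trim
        /^$/ { next }
        /^\[.*\]$/ { section = tolower(substr($0, 2, length($0) - 2)); next }
        section == "pmproxy" {
            n = index($0, "=")
            if (n == 0) next
            key = substr($0, 1, n - 1); gsub(/[ \t]+$/, "", key)
            val = substr($0, n + 1);   gsub(/^[ \t]+/, "", val)
            if (key == "redis.enabled") value = tolower(val)
        }
        END {
            # assumption: absent key == enabled (pre-fix default)
            if (value == "" || value == "true" || value == "1" || value == "yes")
                print "yes"
            else
                print "no"
        }
    ' "$1"
}

# Combine the service state ($1, e.g. the output of `systemctl is-active
# pmproxy`) with the config in $2 into a one-line verdict. The description
# says the issue is only exploitable while pmproxy runs, so an inactive
# service short-circuits to "not-exposed" regardless of the config.
pmproxy_verdict() {
    state=$1; conf=$2
    if [ "$state" != "active" ]; then
        echo "not-exposed: pmproxy is not running"
    elif [ "$(redis_proxy_enabled "$conf")" = "yes" ]; then
        echo "exposed: pmproxy is running and redis proxying is enabled"
    else
        echo "not-exposed: redis proxying disabled in $conf"
    fi
}

# Live check on the local host (only when invoked with --live), using the
# assumed default config path.
if [ "${1:-}" = "--live" ]; then
    pmproxy_verdict "$(systemctl is-active pmproxy 2>/dev/null)" \
        /etc/pcp/pmproxy/pmproxy.conf
fi
```

Run it as `sh check-pmproxy.sh --live` on a host with systemd and PCP installed; without `--live` it only defines the functions, so it can be sourced or unit-tested offline. A host that reports "exposed" should either stop pmproxy or set redis.enabled = false (if that is indeed the key the installed version honours) until the fixed package is in place.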
On it!
Fix submitted to the devel project: https://build.opensuse.org/request/show/1164379
Request for SUSE:SLE-15-SP4:Update/pcp: https://build.suse.de/request/show/325726
I've merged the request to the devel project myself, after 5 days without reviews. This fix has since been submitted to openSUSE:Factory as part of the 6.2.0 upgrade: https://build.opensuse.org/request/show/1166221
Request for SUSE:SLE-15-SP3:Update/pcp: https://build.suse.de/request/show/325728
SUSE:SLE-15-SP6:GA/pcp has been frozen, so I think we'll have to wait for SUSE:SLE-15-SP6:Update until it starts accepting requests. ALP will be submitted as soon as the request for openSUSE:Factory has been accepted.
SUSE-RU-2024:1327-1: An update that has one fix can now be installed.

Category: recommended (important)
Bug References: 1222121
Maintenance Incident: [SUSE:Maintenance:33306](https://smelt.suse.de/incident/33306/)

Sources used:
- openSUSE Leap 15.4 (src): pcp-5.2.5-150400.5.6.3
- openSUSE Leap 15.5 (src): pcp-5.2.5-150400.5.6.3
- Development Tools Module 15-SP5 (src): pcp-5.2.5-150400.5.6.3
- SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4 (src): pcp-5.2.5-150400.5.6.3
- SUSE Linux Enterprise High Performance Computing LTSS 15 SP4 (src): pcp-5.2.5-150400.5.6.3
- SUSE Linux Enterprise Desktop 15 SP4 LTSS 15-SP4 (src): pcp-5.2.5-150400.5.6.3
- SUSE Linux Enterprise Server 15 SP4 LTSS 15-SP4 (src): pcp-5.2.5-150400.5.6.3
- SUSE Linux Enterprise Server for SAP Applications 15 SP4 (src): pcp-5.2.5-150400.5.6.3

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
This bug will be fixed as part of these SRs, which also solve bsc#1217826. The 6.2.0 version upgrade contains the patch required to solve this problem, named disable-redis-proxying-by-default.patch. As soon as that bug is fixed, so is this one.

- https://build.suse.de/request/show/331400 SLE-15-SP1 / pcp
- https://build.suse.de/request/show/331401 SLE-15-SP3 / pcp
- https://build.suse.de/request/show/331402 SLE-15-SP4 / pcp
- https://build.suse.de/request/show/331460 SLE-15 / pcp
- https://build.suse.de/request/show/331657 SLE-12 / pcp
I'm reassigning this bug to security, as the appropriate SRs have already been submitted. Feel free to reassign to me if need be, or get in touch directly.