Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
centosCentOS ProjectCESA-2018:1060
HistoryMay 30, 2018 - 6:24 p.m.

pcs security update

2018-05-3018:24:25
CentOS Project
lists.centos.org
87

5 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

8.7 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:H

0.006 Low

EPSS

Percentile

78.2%

JSON

CentOS Errata and Security Advisory CESA-2018:1060

The pcs packages provide a command-line configuration system for the Pacemaker and Corosync utilities.

Security Fix(es):

  • pcs: Privilege escalation via authorized user malicious REST call (CVE-2018-1079)

  • pcs: Debug parameter removal bypass, allowing information disclosure (CVE-2018-1086)

  • rack-protection: Timing attack in authenticity_token.rb (CVE-2018-1000119)

For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.

The CVE-2018-1079 issue was discovered by Ondrej Mular (Red Hat) and the CVE-2018-1086 issue was discovered by Cedric Buissart (Red Hat).

Merged security bulletin from advisories:
https://lists.centos.org/pipermail/centos-announce/2018-May/085055.html

Affected packages:
pcs
pcs-snmp

Upstream details at:
https://access.redhat.com/errata/RHSA-2018:1060

OSVersionArchitecturePackageVersionFilename
CentOS7x86_64pcs< 0.9.162-5.el7.centos.1pcs-0.9.162-5.el7.centos.1.x86_64.rpm
CentOS7x86_64pcs-snmp< 0.9.162-5.el7.centos.1pcs-snmp-0.9.162-5.el7.centos.1.x86_64.rpm

Related

openvas 5
redhat 4
nessus 19
oraclelinux 1
amazon 1
fedora 3
debian 3
osv 6
nvd 3
debiancve 3
prion 3
veracode 4
cvelist 3
cve 3
github 1
ubuntucve 3
redhatcve 2
centos 1
openvas
openvas
CentOS Update for pcs CESA-2018:1060 centos7
2018-06-05 00:00:00
Fedora Update for pcs FEDORA-2018-ce5d7106d8
2018-04-19 00:00:00
Fedora Update for pcs FEDORA-2018-57bbe74c6c
2018-04-19 00:00:00
redhat
redhat
(RHSA-2018:1060) Important: pcs security update
2018-04-10 08:05:05
(RHSA-2018:1927) Moderate: pcs security update
2018-06-19 02:12:38
(RHSA-2021:1313) Moderate: Satellite 6.9 Release
2021-04-21 12:43:38
nessus
nessus
Amazon Linux 2 : pcs (ALAS-2018-1005)
2018-04-27 00:00:00
NewStart CGSL CORE 5.04 / MAIN 5.04 : pcs Multiple Vulnerabilities (NS-SA-2019-0042)
2019-08-12 00:00:00
Scientific Linux Security Update : pcs on SL7.x x86_64 (20180410)
2018-05-01 00:00:00
oraclelinux
oraclelinux
pcs security update
2018-04-30 00:00:00
amazon
amazon
Important: pcs
2018-04-26 17:41:00
fedora
fedora
[SECURITY] Fedora 26 Update: pcs-0.9.160-2.fc26
2018-04-19 00:07:28
[SECURITY] Fedora 28 Update: pcs-0.9.164-1.fc28
2018-04-15 02:44:28
[SECURITY] Fedora 27 Update: pcs-0.9.164-1.fc27
2018-04-19 00:32:14
debian
debian
[SECURITY] [DSA 4247-1] ruby-rack-protection security update
2018-07-16 21:02:05
[SECURITY] [DSA 4169-1] pcs security update
2018-04-11 08:26:59
[SECURITY] [DSA 4339-1] ceph security update
2018-11-13 21:48:36
osv
osv
CVE-2018-1000119
2018-03-07 14:29:00
ruby-rack-protection - security update
2018-07-16 00:00:00
rack-protection gem timing attack vulnerability when validating CSRF token
2018-03-07 22:22:22
nvd
nvd
CVE-2018-1000119
2018-03-07 14:29:00
CVE-2018-1079
2018-04-12 17:29:00
CVE-2018-1086
2018-04-12 16:29:00
debiancve
debiancve
CVE-2018-1000119
2018-03-07 14:29:00
CVE-2018-1079
2018-04-12 17:29:00
CVE-2018-1086
2018-04-12 16:29:00
prion
prion
Cross site request forgery (csrf)
2018-03-07 14:29:00
Privilege escalation
2018-04-12 17:29:00
Privilege escalation
2018-04-12 16:29:00
veracode
veracode
Timing Attack
2019-01-15 09:21:58
Timing Attack
2016-12-22 07:10:29
Arbitrary File Write
2019-05-16 02:52:22
cvelist
cvelist
CVE-2018-1000119
2018-03-07 14:00:00
CVE-2018-1079
2018-04-12 17:00:00
CVE-2018-1086
2018-04-12 16:00:00
cve
cve
CVE-2018-1000119
2018-03-07 14:29:00
CVE-2018-1079
2018-04-12 17:29:00
CVE-2018-1086
2018-04-12 16:29:00
github
github
rack-protection gem timing attack vulnerability when validating CSRF token
2018-03-07 22:22:22
ubuntucve
ubuntucve
CVE-2018-1000119
2018-03-07 00:00:00
CVE-2018-1079
2018-04-12 00:00:00
CVE-2018-1086
2018-04-12 00:00:00
redhatcve
redhatcve
CVE-2018-1079
2018-04-09 11:49:00
CVE-2018-1086
2018-04-09 11:48:48
centos
centos
pcs security update
2018-06-21 11:55:57

5 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

8.7 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:H

0.006 Low

EPSS

Percentile

78.2%

JSON
Related for CESA-2018:1060
openvas5redhat4nessus19oraclelinux1amazon1fedora3debian3osv6nvd3debiancve3prion3veracode4cvelist3cve3github1ubuntucve3redhatcve2centos1