date:20190417

Re: [ClusterLabs] Pacemaker security issues discovered and patched

2019-04-17 Thread Jan Pokorný

On 17/04/19 12:09 -0500, Ken Gaillot wrote:
> Without the patches, a mitigation is to prevent local user access to
> cluster nodes except for cluster administrators (which is the
> recommended and most common deployment model).

Not trying to artificially amplify the risk in response to the above,
but I think it's important to perceive threat models in the wider
context:

- mitigating factor: machines (and interconnects) usually isolated
  and controlled to a significant extent (for instance to make fencing
  feasible to start with) as mentioned

- provoking factor: cluster is usually predestined to deliver
  service(s) not necessarily bullet-proof themselves to a wide range
  of users, not necessarily to those with all-good intents
  (so the whole chain throughout may consist of many small steps,
  low hanging fruit is usually long harvested)

It would be hypocritical to close eyes from the latter, mileage
for each deployment can vary, just as precautions taken etc.
Not being even a passive enabler shall be a general goal across
the industry (note that the most severe case was nothing that
the chosen implementation language could be blamed for -- with
the 2019-marked one, well, perhaps).

* * *

As an extra note, thanks in advance to whoever will put the effort
to keep an eye on the after-patch behaviour and report back any
shenanigans observed!  Let's restate the upstream issue tracker for
pacemaker, since it appears to be gone from the list footer since
around March 19: https://bugs.clusterlabs.org

And as far as dislosing the possibly sensitive problems with SW
some in this community happen to maintain and contribute to is
concerned, the recommended and most vendor-neutral (these are the
main drivers, let's admit) option at this time is this list per
its rules: https://oss-security.openwall.org/wiki/mailing-lists/distros
(That is, unless there's an active interest to build something
unified collectively for what can be associated with ClusterLabs.)

Private issues would also do where possible, but at the end of
the day, any report is preferred to no report when at least
semi-reasonably routed.

Thanks!

-- 
Jan (Poki)

pgp7Z0i3Gtqjy.pgp
Description: PGP signature
___
Manage your subscription:
https://lists.clusterlabs.org/mailman/listinfo/users

ClusterLabs home: https://www.clusterlabs.org/

Re: [ClusterLabs] Question about fencing

2019-04-17 Thread JCA

Thanks. I most assuredly will, but first I have to run some experiments, to
get a feeling for it.

On Wed, Apr 17, 2019 at 3:56 PM digimer  wrote:

> Happy to help you understand, just keep asking questions. :)
>
> The point can be explained this way;
>
> * If two nodes can work without coordination, you don't need a cluster,
> just run your services everywhere. If that is not the case, then you
> require coordination. Fencing ensures that a node that has entered an
> unknown state can be forced into a known state (off). In this way, no
> action will be taken by a node unless the peer can be informed, or the peer
> is gone.
>
> The method that a node is forced into a known state depends on the
> hardware (or infrastructure) you have in your particular setup. So perhaps,
> explain what you're nodes are built on and we can assist with more specific
> details.
>
> digimer
> On 2019-04-17 5:46 p.m., JCA wrote:
>
> Thanks. This implies that I officially do not understand what it is that
> fencing can do for me, in my simple cluster. Back to the drawing board.
>
> On Wed, Apr 17, 2019 at 3:33 PM digimer  wrote:
>
>> Fencing requires some mechanism, outside the nodes themselves, that can
>> terminate the nodes. Typically, IPMI (iLO, iRMC, RSA, DRAC, etc) is used
>> for this. Alternatively, switched PDUs are common. If you don't have these
>> but do have a watchdog timer on your nodes, SBD (storage-based death) can
>> work.
>>
>> You can use 'fence_  -o status' at the command line to
>> figure out the what will work with your hardware. Once you can called
>> 'fence_foo ... -o status' and get the status of each node, then translating
>> that into a pacemaker configuration is pretty simple. That's when you
>> enable stonith.
>>
>> Once stonith is setup and working in pacemaker (ie: you can crash a node
>> and the peer reboots it), then you will go to DRBD and set 'fencing:
>> resource-and-stonith;' (tells DRBD to block on communication failure with
>> the peer and request a fence), and then setup the 'fence-handler
>> /path/to/crm-fence-peer.sh' and 'unfence-handler
>> /path/to/crm-unfence-handler.sh' (I am going from memory, check the man
>> page to verify syntax).
>>
>> With all this done; if either pacemaker/corosync or DRBD lose contact
>> with the peer, they will block and fence. Only after the peer has been
>> confirmed terminated will IO resume. This way, split-nodes become
>> effectively impossible.
>>
>> digimer
>> On 2019-04-17 5:17 p.m., JCA wrote:
>>
>> Here is what I did:
>>
>> # pcs stonith create disk_fencing fence_scsi pcmk_host_list="one two"
>> pcmk_monitor_action="metadata" pcmk_reboot_action="off"
>> devices="/dev/disk/by-id/ata-VBOX_HARDDISK_VBaaa429e4-514e8ecb" meta
>> provides="unfencing"
>>
>> where ata-VBOX-... corresponds to the device where I have the partition
>> that is shared between both nodes in my cluster. The command completes
>> without any errors (that I can see) and after that I have
>>
>> # pcs status
>> Cluster name: ClusterOne
>> Stack: corosync
>> Current DC: one (version 1.1.19-8.el7_6.4-c3c624ea3d) - partition with
>> quorum
>> Last updated: Wed Apr 17 14:35:25 2019
>> Last change: Wed Apr 17 14:11:14 2019 by root via cibadmin on one
>>
>> 2 nodes configured
>> 5 resources configured
>>
>> Online: [ one two ]
>>
>> Full list of resources:
>>
>>  MyCluster (ocf::myapp:myapp-script): Stopped
>>  Master/Slave Set: DrbdDataClone [DrbdData]
>>  Stopped: [ one two ]
>>  DrbdFS (ocf::heartbeat:Filesystem): Stopped
>>  disk_fencing  (stonith:fence_scsi): Stopped
>>
>> Daemon Status:
>>   corosync: active/enabled
>>   pacemaker: active/enabled
>>   pcsd: active/enabled
>>
>> Things stay that way indefinitely, until I set stonith-enabled to false -
>> at which point all the resources above get started immediately.
>>
>> Obviously, I am missing something big here. But, what is it?
>>
>>
>> On Wed, Apr 17, 2019 at 2:59 PM Adam Budziński 
>> wrote:
>>
>>> You did not configure any fencing device.
>>>
>>> śr., 17.04.2019, 22:51 użytkownik JCA <1.41...@gmail.com> napisał:
>>>
 I am trying to get fencing working, as described in the "Cluster from
 Scratch" guide, and I am stymied at get-go :-(

 The document mentions a property named stonith-enabled. When I was
 trying to get my first cluster going, I noticed that my resources would
 start only when this property is set to false, by means of

 # pcs property set stonith-enabled=false

 Otherwise, all the resources remain stopped.

 I created a fencing resource for the partition that I am sharing across
 the the nodes, by means of DRBD. This works fine - but I still have the
 same problem as above - i.e. when stonith-enabled is set to true, all the
 resources get stopped, and remain in that state.

 I am very confused here. Can anybody point me in the right direction
 out of this conundrum?



 ___

Re: [ClusterLabs] Question about fencing

2019-04-17 Thread Ken Gaillot

On Wed, 2019-04-17 at 15:17 -0600, JCA wrote:
> Here is what I did:
> 
> # pcs stonith create disk_fencing fence_scsi pcmk_host_list="one two"
> pcmk_monitor_action="metadata" pcmk_reboot_action="off"
> devices="/dev/disk/by-id/ata-VBOX_HARDDISK_VBaaa429e4-514e8ecb" meta
> provides="unfencing"
> 
> where ata-VBOX-... corresponds to the device where I have the
> partition that is shared between both nodes in my cluster. The
> command completes without any errors (that I can see) and after that
> I have
> 
> # pcs status
> Cluster name: ClusterOne
> Stack: corosync
> Current DC: one (version 1.1.19-8.el7_6.4-c3c624ea3d) - partition
> with quorum
> Last updated: Wed Apr 17 14:35:25 2019
> Last change: Wed Apr 17 14:11:14 2019 by root via cibadmin on one
> 
> 2 nodes configured
> 5 resources configured
> 
> Online: [ one two ]
> 
> Full list of resources:
> 
>  MyCluster(ocf::myapp:myapp-script):  Stopped
>  Master/Slave Set: DrbdDataClone [DrbdData]
>  Stopped: [ one two ]
>  DrbdFS   (ocf::heartbeat:Filesystem):Stopped
>  disk_fencing (stonith:fence_scsi):   Stopped

Your pcs command looks good to me. I'm perplexed why everything is
stopped.

Check the logs on the DC (node one in the output above) for error or
warning messages around this time. /var/log/messages is usually
sufficient, but the detail log will have (obviously) more details
(usually /var/log/pacemaker.log or /var/log/cluster/corosync.log).

> Daemon Status:
>   corosync: active/enabled
>   pacemaker: active/enabled
>   pcsd: active/enabled
> 
> Things stay that way indefinitely, until I set stonith-enabled to
> false - at which point all the resources above get started
> immediately.
> 
> Obviously, I am missing something big here. But, what is it?
> 
> 
> On Wed, Apr 17, 2019 at 2:59 PM Adam Budziński <
> budzinski.a...@gmail.com> wrote:
> > You did not configure any fencing device.
> > 
> > śr., 17.04.2019, 22:51 użytkownik JCA <1.41...@gmail.com> napisał:
> > > I am trying to get fencing working, as described in the "Cluster
> > > from Scratch" guide, and I am stymied at get-go :-(
> > > 
> > > The document mentions a property named stonith-enabled. When I
> > > was trying to get my first cluster going, I noticed that my
> > > resources would start only when this property is set to false, by
> > > means of 
> > > 
> > > # pcs property set stonith-enabled=false
> > > 
> > > Otherwise, all the resources remain stopped.
> > > 
> > > I created a fencing resource for the partition that I am sharing
> > > across the the nodes, by means of DRBD. This works fine - but I
> > > still have the same problem as above - i.e. when stonith-enabled
> > > is set to true, all the resources get stopped, and remain in that
> > > state.
> > > 
> > > I am very confused here. Can anybody point me in the right
> > > direction out of this conundrum?
> > > 
> > > 
> > > 
> > > ___
> > > Manage your subscription:
> > > https://lists.clusterlabs.org/mailman/listinfo/users
> > > 
> > > ClusterLabs home: https://www.clusterlabs.org/
> > 
> > ___
> > Manage your subscription:
> > https://lists.clusterlabs.org/mailman/listinfo/users
> > 
> > ClusterLabs home: https://www.clusterlabs.org/
> 
> ___
> Manage your subscription:
> https://lists.clusterlabs.org/mailman/listinfo/users
> 
> ClusterLabs home: https://www.clusterlabs.org/
-- 
Ken Gaillot 

___
Manage your subscription:
https://lists.clusterlabs.org/mailman/listinfo/users

ClusterLabs home: https://www.clusterlabs.org/

Re: [ClusterLabs] Question about fencing

2019-04-17 Thread digimer


Happy to help you understand, just keep asking questions. :)

The point can be explained this way;

* If two nodes can work without coordination, you don't need a cluster, 
just run your services everywhere. If that is not the case, then you 
require coordination. Fencing ensures that a node that has entered an 
unknown state can be forced into a known state (off). In this way, no 
action will be taken by a node unless the peer can be informed, or the 
peer is gone.


The method that a node is forced into a known state depends on the 
hardware (or infrastructure) you have in your particular setup. So 
perhaps, explain what you're nodes are built on and we can assist with 
more specific details.


digimer

On 2019-04-17 5:46 p.m., JCA wrote:
Thanks. This implies that I officially do not understand what it is 
that fencing can do for me, in my simple cluster. Back to the drawing 
board.


On Wed, Apr 17, 2019 at 3:33 PM digimer > wrote:


Fencing requires some mechanism, outside the nodes themselves,
that can terminate the nodes. Typically, IPMI (iLO, iRMC, RSA,
DRAC, etc) is used for this. Alternatively, switched PDUs are
common. If you don't have these but do have a watchdog timer on
your nodes, SBD (storage-based death) can work.

You can use 'fence_  -o status' at the command
line to figure out the what will work with your hardware. Once you
can called 'fence_foo ... -o status' and get the status of each
node, then translating that into a pacemaker configuration is
pretty simple. That's when you enable stonith.

Once stonith is setup and working in pacemaker (ie: you can crash
a node and the peer reboots it), then you will go to DRBD and set
'fencing: resource-and-stonith;' (tells DRBD to block on
communication failure with the peer and request a fence), and then
setup the 'fence-handler /path/to/crm-fence-peer.sh' and
'unfence-handler /path/to/crm-unfence-handler.sh' (I am going from
memory, check the man page to verify syntax).

With all this done; if either pacemaker/corosync or DRBD lose
contact with the peer, they will block and fence. Only after the
peer has been confirmed terminated will IO resume. This way,
split-nodes become effectively impossible.

digimer

On 2019-04-17 5:17 p.m., JCA wrote:

Here is what I did:

# pcs stonith create disk_fencing fence_scsi pcmk_host_list="one
two" pcmk_monitor_action="metadata" pcmk_reboot_action="off"
devices="/dev/disk/by-id/ata-VBOX_HARDDISK_VBaaa429e4-514e8ecb"
meta provides="unfencing"

where ata-VBOX-... corresponds to the device where I have the
partition that is shared between both nodes in my cluster. The
command completes without any errors (that I can see) and after
that I have

# pcs status
Cluster name: ClusterOne
Stack: corosync
Current DC: one (version 1.1.19-8.el7_6.4-c3c624ea3d) - partition
with quorum
Last updated: Wed Apr 17 14:35:25 2019
Last change: Wed Apr 17 14:11:14 2019 by root via cibadmin on one

2 nodes configured
5 resources configured

Online: [ one two ]

Full list of resources:

 MyCluster(ocf::myapp:myapp-script):Stopped
 Master/Slave Set: DrbdDataClone [DrbdData]
     Stopped: [ one two ]
 DrbdFS(ocf::heartbeat:Filesystem):Stopped
 disk_fencing (stonith:fence_scsi):Stopped

Daemon Status:
  corosync: active/enabled
  pacemaker: active/enabled
  pcsd: active/enabled

Things stay that way indefinitely, until I set stonith-enabled to
false - at which point all the resources above get started
immediately.

Obviously, I am missing something big here. But, what is it?


On Wed, Apr 17, 2019 at 2:59 PM Adam Budziński
mailto:budzinski.a...@gmail.com>> wrote:

You did not configure any fencing device.

śr., 17.04.2019, 22:51 użytkownik JCA <1.41...@gmail.com
> napisał:

I am trying to get fencing working, as described in the
"Cluster from Scratch" guide, and I am stymied at get-go :-(

The document mentions a property named stonith-enabled.
When I was trying to get my first cluster going, I
noticed that my resources would start only when this
property is set to false, by means of

    # pcs property set stonith-enabled=false

Otherwise, all the resources remain stopped.

I created a fencing resource for the partition that I am
sharing across the the nodes, by means of DRBD. This
works fine - but I still have the same problem as above -
i.e. when stonith-enabled is set to true, all the
resources get stopped, and remain in that state.

I am very confused here. Can anybody point me in the
right direction out of this conundrum?

Re: [ClusterLabs] Question about fencing

2019-04-17 Thread JCA

Thanks. This implies that I officially do not understand what it is that
fencing can do for me, in my simple cluster. Back to the drawing board.

On Wed, Apr 17, 2019 at 3:33 PM digimer  wrote:

> Fencing requires some mechanism, outside the nodes themselves, that can
> terminate the nodes. Typically, IPMI (iLO, iRMC, RSA, DRAC, etc) is used
> for this. Alternatively, switched PDUs are common. If you don't have these
> but do have a watchdog timer on your nodes, SBD (storage-based death) can
> work.
>
> You can use 'fence_  -o status' at the command line to
> figure out the what will work with your hardware. Once you can called
> 'fence_foo ... -o status' and get the status of each node, then translating
> that into a pacemaker configuration is pretty simple. That's when you
> enable stonith.
>
> Once stonith is setup and working in pacemaker (ie: you can crash a node
> and the peer reboots it), then you will go to DRBD and set 'fencing:
> resource-and-stonith;' (tells DRBD to block on communication failure with
> the peer and request a fence), and then setup the 'fence-handler
> /path/to/crm-fence-peer.sh' and 'unfence-handler
> /path/to/crm-unfence-handler.sh' (I am going from memory, check the man
> page to verify syntax).
>
> With all this done; if either pacemaker/corosync or DRBD lose contact with
> the peer, they will block and fence. Only after the peer has been confirmed
> terminated will IO resume. This way, split-nodes become effectively
> impossible.
>
> digimer
> On 2019-04-17 5:17 p.m., JCA wrote:
>
> Here is what I did:
>
> # pcs stonith create disk_fencing fence_scsi pcmk_host_list="one two"
> pcmk_monitor_action="metadata" pcmk_reboot_action="off"
> devices="/dev/disk/by-id/ata-VBOX_HARDDISK_VBaaa429e4-514e8ecb" meta
> provides="unfencing"
>
> where ata-VBOX-... corresponds to the device where I have the partition
> that is shared between both nodes in my cluster. The command completes
> without any errors (that I can see) and after that I have
>
> # pcs status
> Cluster name: ClusterOne
> Stack: corosync
> Current DC: one (version 1.1.19-8.el7_6.4-c3c624ea3d) - partition with
> quorum
> Last updated: Wed Apr 17 14:35:25 2019
> Last change: Wed Apr 17 14:11:14 2019 by root via cibadmin on one
>
> 2 nodes configured
> 5 resources configured
>
> Online: [ one two ]
>
> Full list of resources:
>
>  MyCluster (ocf::myapp:myapp-script): Stopped
>  Master/Slave Set: DrbdDataClone [DrbdData]
>  Stopped: [ one two ]
>  DrbdFS (ocf::heartbeat:Filesystem): Stopped
>  disk_fencing  (stonith:fence_scsi): Stopped
>
> Daemon Status:
>   corosync: active/enabled
>   pacemaker: active/enabled
>   pcsd: active/enabled
>
> Things stay that way indefinitely, until I set stonith-enabled to false -
> at which point all the resources above get started immediately.
>
> Obviously, I am missing something big here. But, what is it?
>
>
> On Wed, Apr 17, 2019 at 2:59 PM Adam Budziński 
> wrote:
>
>> You did not configure any fencing device.
>>
>> śr., 17.04.2019, 22:51 użytkownik JCA <1.41...@gmail.com> napisał:
>>
>>> I am trying to get fencing working, as described in the "Cluster from
>>> Scratch" guide, and I am stymied at get-go :-(
>>>
>>> The document mentions a property named stonith-enabled. When I was
>>> trying to get my first cluster going, I noticed that my resources would
>>> start only when this property is set to false, by means of
>>>
>>> # pcs property set stonith-enabled=false
>>>
>>> Otherwise, all the resources remain stopped.
>>>
>>> I created a fencing resource for the partition that I am sharing across
>>> the the nodes, by means of DRBD. This works fine - but I still have the
>>> same problem as above - i.e. when stonith-enabled is set to true, all the
>>> resources get stopped, and remain in that state.
>>>
>>> I am very confused here. Can anybody point me in the right direction out
>>> of this conundrum?
>>>
>>>
>>>
>>> ___
>>> Manage your subscription:
>>> https://lists.clusterlabs.org/mailman/listinfo/users
>>>
>>> ClusterLabs home: https://www.clusterlabs.org/
>>
>> ___
>> Manage your subscription:
>> https://lists.clusterlabs.org/mailman/listinfo/users
>>
>> ClusterLabs home: https://www.clusterlabs.org/
>
>
> ___
> Manage your subscription:https://lists.clusterlabs.org/mailman/listinfo/users
>
> ClusterLabs home: https://www.clusterlabs.org/
>
>
___
Manage your subscription:
https://lists.clusterlabs.org/mailman/listinfo/users

ClusterLabs home: https://www.clusterlabs.org/

Re: [ClusterLabs] Question about fencing

2019-04-17 Thread digimer

Fencing requires some mechanism, outside the nodes themselves, that can 
terminate the nodes. Typically, IPMI (iLO, iRMC, RSA, DRAC, etc) is used 
for this. Alternatively, switched PDUs are common. If you don't have 
these but do have a watchdog timer on your nodes, SBD (storage-based 
death) can work.


You can use 'fence_  -o status' at the command line to 
figure out the what will work with your hardware. Once you can called 
'fence_foo ... -o status' and get the status of each node, then 
translating that into a pacemaker configuration is pretty simple. That's 
when you enable stonith.


Once stonith is setup and working in pacemaker (ie: you can crash a node 
and the peer reboots it), then you will go to DRBD and set 'fencing: 
resource-and-stonith;' (tells DRBD to block on communication failure 
with the peer and request a fence), and then setup the 'fence-handler 
/path/to/crm-fence-peer.sh' and 'unfence-handler 
/path/to/crm-unfence-handler.sh' (I am going from memory, check the man 
page to verify syntax).


With all this done; if either pacemaker/corosync or DRBD lose contact 
with the peer, they will block and fence. Only after the peer has been 
confirmed terminated will IO resume. This way, split-nodes become 
effectively impossible.


digimer

On 2019-04-17 5:17 p.m., JCA wrote:

Here is what I did:

# pcs stonith create disk_fencing fence_scsi pcmk_host_list="one two" 
pcmk_monitor_action="metadata" pcmk_reboot_action="off" 
devices="/dev/disk/by-id/ata-VBOX_HARDDISK_VBaaa429e4-514e8ecb" meta 
provides="unfencing"


where ata-VBOX-... corresponds to the device where I have the 
partition that is shared between both nodes in my cluster. The command 
completes without any errors (that I can see) and after that I have


# pcs status
Cluster name: ClusterOne
Stack: corosync
Current DC: one (version 1.1.19-8.el7_6.4-c3c624ea3d) - partition with 
quorum

Last updated: Wed Apr 17 14:35:25 2019
Last change: Wed Apr 17 14:11:14 2019 by root via cibadmin on one

2 nodes configured
5 resources configured

Online: [ one two ]

Full list of resources:

 MyCluster(ocf::myapp:myapp-script):Stopped
 Master/Slave Set: DrbdDataClone [DrbdData]
     Stopped: [ one two ]
 DrbdFS(ocf::heartbeat:Filesystem):Stopped
 disk_fencing (stonith:fence_scsi):Stopped

Daemon Status:
  corosync: active/enabled
  pacemaker: active/enabled
  pcsd: active/enabled

Things stay that way indefinitely, until I set stonith-enabled to 
false - at which point all the resources above get started immediately.


Obviously, I am missing something big here. But, what is it?


On Wed, Apr 17, 2019 at 2:59 PM Adam Budziński 
mailto:budzinski.a...@gmail.com>> wrote:


You did not configure any fencing device.

śr., 17.04.2019, 22:51 użytkownik JCA <1.41...@gmail.com
> napisał:

I am trying to get fencing working, as described in the
"Cluster from Scratch" guide, and I am stymied at get-go :-(

The document mentions a property named stonith-enabled. When I
was trying to get my first cluster going, I noticed that my
resources would start only when this property is set to false,
by means of

    # pcs property set stonith-enabled=false

Otherwise, all the resources remain stopped.

I created a fencing resource for the partition that I am
sharing across the the nodes, by means of DRBD. This works
fine - but I still have the same problem as above - i.e. when
stonith-enabled is set to true, all the resources get stopped,
and remain in that state.

I am very confused here. Can anybody point me in the right
direction out of this conundrum?



___
Manage your subscription:
https://lists.clusterlabs.org/mailman/listinfo/users

ClusterLabs home: https://www.clusterlabs.org/

___
Manage your subscription:
https://lists.clusterlabs.org/mailman/listinfo/users

ClusterLabs home: https://www.clusterlabs.org/


___
Manage your subscription:
https://lists.clusterlabs.org/mailman/listinfo/users

ClusterLabs home: https://www.clusterlabs.org/
___
Manage your subscription:
https://lists.clusterlabs.org/mailman/listinfo/users

ClusterLabs home: https://www.clusterlabs.org/

[ClusterLabs] Pacemaker security issues discovered and patched

2019-04-17 Thread Ken Gaillot

Hello all,

Jan Pokorný of Red Hat discovered three security-related issues in
Pacemaker that have been publicly disclosed today.

The most significant is a privilege escalation vulnerability (assigned
CVE-2018-16877). An unprivileged attacker with local access to a
pacemaker node when pacemaker is not running can create a process
pretending to be a pacemaker subdaemon. When pacemaker starts, it will
accept the impostor as valid, and the impostor can then craft messages
to manipulate other pacemaker subdaemons into performing commands as
root.

The other two are less significant. A local attacker can exploit the
same vulnerability for denial-of-service (assigned CVE-2018-16878). An
unrelated use-after-free bug in the alerts code (assigned CVE-2019-
3885) could expose environment variables in the pacemaker log,
resulting in information disclosure of sensitive information kept in
environment variables to local users with permissions to access the
pacemaker log but not wherever the environment variables are set.

Pull requests patching these vulnerabilities for the master and 1.1
branches of pacemaker will be merged shortly:

https://github.com/ClusterLabs/pacemaker/pull/1749

https://github.com/ClusterLabs/pacemaker/pull/1750

Without the patches, a mitigation is to prevent local user access to
cluster nodes except for cluster administrators (which is the
recommended and most common deployment model).

Due to the stricter authentication now imposed, a new requirement
(unlikely to be of interest to most users) is that the hacluster user
and haclient group must exist before running the executor and fencer
regression tests.
-- 
Ken Gaillot 

___
Manage your subscription:
https://lists.clusterlabs.org/mailman/listinfo/users

ClusterLabs home: https://www.clusterlabs.org/

Re: [ClusterLabs] Pacemaker security issues discovered and patched

Re: [ClusterLabs] Question about fencing

Re: [ClusterLabs] Question about fencing

Re: [ClusterLabs] Question about fencing

Re: [ClusterLabs] Question about fencing

Re: [ClusterLabs] Question about fencing

[ClusterLabs] Pacemaker security issues discovered and patched

7 matches

Site Navigation

Mail list logo

Footer information