CVE numbers: CVE-2020-11651 and CVE-2020-11652
SaltStack has released a security update to address critical vulnerabilities affecting Salt versions prior to 2019.2.4 and 3000.2.
Salt is an open-source remote task execution and configuration management framework widely used in data centers and cloud servers. A remote attacker could exploit these vulnerabilities to take control of an affected system. These vulnerabilities have been exploited in the wild.
If you are running the latest supported versions of Salt (3000.x and 2019.x):
Visit https://repo.saltstack.com to download and install the new CVE release package. Instructions are provided to configure your operating system’s package manager for the latest Salt version, or you have the option to download the latest Salt package directly as a Python Module here:
- Salt 3000 – https://pypi.python.org/pypi/salt/3000.2
- Salt 2019 – https://pypi.python.org/pypi/salt/2019.2.4
If you are running an earlier version of Salt:
If you are on an earlier, unsupported version of Salt, we strongly recommend that you update your Salt Masters to the 2019.2.4 release or the 3000.2 release.
If you are not able to upgrade to the latest supported version of Salt immediately, patches for Salt 2015.8.x, 2016.3.x, 2016.11.x, 2017.7.x and 2018.3.x are available via the SaltStack Enterprise Knowledge Base.
- CVE Patch for older Salt releases –
- Instructions to update the Salt Master –
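As an added example (not part of the advisory), a small Python check that classifies the version string reported by `salt --version` or `salt-master --version` against the fixed releases named above (2019.2.4 and 3000.2). The version strings in the comments are constructed, and the assumption that a Knowledge Base hotpatch on an older branch does not change the reported version number is mine.

```python
import re

# Fixed releases named in the advisory, keyed by branch (first version component).
FIXED_RELEASES = {
    2019: (2019, 2, 4),
    3000: (3000, 2),
}

# Oldest branch for which an upstream fixed release exists; branches below this
# (2015.8.x .. 2018.3.x) are only covered by Knowledge Base patches per the advisory.
OLDEST_FIXED_BRANCH = 2019


def parse_version(text):
    """Extract a dotted version from output such as 'salt 3000.1' -> (3000, 1)."""
    match = re.search(r"(\d+(?:\.\d+)*)", text)
    if not match:
        raise ValueError("no version number found in: %r" % text)
    return tuple(int(part) for part in match.group(1).split("."))


def classify(version_text):
    """Return 'fixed', 'vulnerable' or 'needs-kb-patch' for a Salt version string.

    Tuple comparison handles partial versions correctly: '3000' is (3000,),
    which sorts before (3000, 2), so the initial 3000 release is flagged.
    Branches newer than 3000 (e.g. 3001) were released after the fix.
    """
    version = parse_version(version_text)
    branch = version[0]
    if branch in FIXED_RELEASES:
        return "fixed" if version >= FIXED_RELEASES[branch] else "vulnerable"
    if branch < OLDEST_FIXED_BRANCH:
        # Assumption: a KB hotpatch leaves the version string unchanged, so this
        # result means "verify the patch was applied", not "definitely vulnerable".
        return "needs-kb-patch"
    return "fixed"


def is_vulnerable(version_text):
    """True when the reported version is below the fixed release or on an old branch."""
    return classify(version_text) != "fixed"


if __name__ == "__main__":
    # Constructed sample outputs, as a master operator would see them.
    for sample in ("salt 3000.1", "salt 3000.2", "salt 2019.2.3", "salt 2018.3.5"):
        print(sample, "->", classify(sample))
```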