Rapid7 Vulnerability & Exploit Database

RHSA-2011:1580: resource-agents security, bug fix, and enhancement update


Severity: 7
CVSS: (AV:L/AC:M/Au:N/C:C/I:C/A:C)
Published: 10/20/2010
Created: 07/25/2018
Added: 12/16/2011
Modified: 07/04/2017

Description

The resource-agents package contains a set of scripts to interface with several services to operate in a High Availability environment for both Pacemaker and rgmanager service managers.

It was discovered that certain resource agent scripts set the LD_LIBRARY_PATH environment variable to an insecure value containing empty path elements. A local user able to trick a user running those scripts to run them while working from an attacker-writable directory could use this flaw to escalate their privileges via a specially-crafted dynamic library. (CVE-2010-3389)

Red Hat would like to thank Raphael Geissert for reporting this issue.

This update also fixes the following bugs:

This update also adds the following enhancement:

As well, this update upgrades the resource-agents package to upstream version 3.9.2, which provides a number of bug fixes and enhancements over the previous version. (BZ#707127)

All users of resource-agents are advised to upgrade to this updated package, which corrects these issues and adds these enhancements.
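The dynamic linker treats an empty element in LD_LIBRARY_PATH as the current working directory, which is why an empty element matters when a script runs from a directory someone else can write to. The following is an added example, not code from resource-agents or from the advisory: it assumes the empty element comes from an unconditional prepend in a shell script, and shows a check for empty elements beside a prepend that cannot produce one. The helper names and /usr/lib/example are hypothetical.

```shell
#!/bin/sh
# Added example. /usr/lib/example is a placeholder directory, and the helper
# names are hypothetical; none of this is taken from resource-agents.

# Succeed if a colon-separated search path has an empty element
# (leading colon, trailing colon, or "::"). An empty value has no elements.
has_empty_element() {
    case "$1" in
        "") return 1 ;;
        :*|*:|*::*) return 0 ;;
        *) return 1 ;;
    esac
}

# Weak pattern: unconditional prepend. With an unset or empty current value
# the result ends in ":", which is an empty element.
prepend_unsafe() {
    printf '%s\n' "$1:$2"
}

# Hardened pattern: drop empty elements from the current value and add the
# separator only when something remains. The body runs in a subshell so the
# IFS and globbing changes do not leak to the caller.
prepend_safe() (
    dir=$1
    cleaned=
    IFS=:
    set -f
    for element in $2; do
        [ -n "$element" ] || continue
        cleaned="${cleaned:+$cleaned:}$element"
    done
    printf '%s\n' "$dir${cleaned:+:$cleaned}"
)

# Constructed inputs: empty, clean, and already-tainted current values.
for current in "" "/opt/a" ":/opt/a"; do
    unsafe=$(prepend_unsafe /usr/lib/example "$current")
    safe=$(prepend_safe /usr/lib/example "$current")
    if has_empty_element "$unsafe"; then verdict="EMPTY ELEMENT"; else verdict="ok"; fi
    printf 'current=[%s] unsafe=[%s] (%s) safe=[%s]\n' \
        "$current" "$unsafe" "$verdict" "$safe"
done
```

The same `has_empty_element` check can be run against the value a script exports, or against the environment of a running process, to confirm that the updated package no longer produces the insecure value.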

Solution(s)

  • redhat-upgrade-resource-agents
  • redhat-upgrade-resource-agents-debuginfo
