
====================================================================

                             CERT-Renater

                  Information Note No. 2021/VULN041
_____________________________________________________________________

DATE                : 25/01/2021

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S):  Systems running Salt versions 3002 and earlier.

=====================================================================
https://www.saltstack.com/blog/active-saltstack-cve-announced-2021-jan-21/
_____________________________________________________________________

 Active SaltStack CVE Announced 2021-JAN-21


Several critical vulnerabilities have been discovered in Salt. These
affect versions 3002 and earlier.

For most of these, we expect the Common Vulnerability Scoring System
(CVSS) rating to be high or critical. We quickly took action to
remediate once made aware of the vulnerabilities.

We are preparing a CVE release to be generally available on Thursday,
February 4th around Noon MST. The CVE packages will be available for
3002.3, 3001.5, and 3000.7, along with patches for older versions.

The release will only contain the patches available to resolve and
remediate the identified vulnerabilities. We recommend reviewing the
article Hardening Salt to ensure you are actively following SaltStack’s
best practices for securing your Salt Environment. These ensure you are
safeguarded.

We advise quickly applying the CVE release as soon as it is available.
Please contact us if you have any questions or comments at
security@saltstack.com.



=========================================================
+ CERT-RENATER       |    tel : 01-53-94-20-44          +
+ 23/25 Rue Daviel   |    fax : 01-53-94-20-41          +
+ 75013 Paris        |    email:cert@support.renater.fr +
=========================================================



