Security News > 2020 > November > SaltStack reveals new critical vulnerabilities, patch now
SaltStack, a VMware-owned company, has revealed critical vulnerabilities impacting Salt versions 3002 and prior, with patches available as of today.
While the vulnerabilities were disclosed today, it is worth noting that fixes for all three vulnerabilities were committed and disclosed to GitHub much earlier.
The advance partial disclosure on these critical vulnerabilities is a cautious move on SaltStack's part given the widespread attacks that had hit vulnerable Salt instances earlier this year.
"Two of these vulnerabilities are expected to be rated as high/critical and the other is expected to be low based on the Common Vulnerability Scoring System. Once SaltStack became aware of the vulnerabilities, we quickly took actions to remediate them," stated the October 30th advisory.
The company has also made patches available for older versions, such as 2019.x. SaltStack has provided some tips on how to harden your Salt instances, in addition to patching for new vulnerabilities that may be discovered from time to time.
News URL
Related news
- CISA Urges Agencies to Patch Critical "Array Networks" Flaw Amid Active Attacks (source)
- Exploit released for critical WhatsUp Gold RCE flaw, patch now (source)
- Veeam Issues Patch for Critical RCE Vulnerability in Service Provider Console (source)
- Ivanti Issues Critical Security Updates for CSA and Connect Secure Vulnerabilities (source)
- BeyondTrust Issues Urgent Patch for Critical Vulnerability in PRA and RS Products (source)
- Patch Alert: Critical Apache Struts Flaw Found, Exploitation Attempts Detected (source)
- CISA Adds Critical Flaw in BeyondTrust Software to Exploited Vulnerabilities List (source)
- Critical SQL Injection Vulnerability in Apache Traffic Control Rated 9.9 CVSS — Patch Now (source)