Vulnerability Name: CVE-2010-2496 (CCN-211842)

Assigned: 2010-06-28
Published: 2021-06-21
Updated: 2021-10-21
Summary: stonith-ng in pacemaker and cluster-glue passed passwords as commandline parameters, making it possible for local attackers to gain access to passwords of the HA stack and potentially influence its operations. This is fixed in cluster-glue 1.0.6 and newer, and pacemaker 1.1.3 and newer.
CVSS v3 Severity:
  5.5 Medium (CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)
  4.8 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C)
  Exploitability Metrics:
    Attack Vector (AV): Local
    Attack Complexity (AC): Low
    Privileges Required (PR): Low
    User Interaction (UI): None
  Scope:
    Scope (S): Unchanged
  Impact Metrics:
    Confidentiality (C): High
    Integrity (I): None
    Availability (A): None
  5.5 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)
  4.8 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C)
  Exploitability Metrics:
    Attack Vector (AV): Local
    Attack Complexity (AC): Low
    Privileges Required (PR): Low
    User Interaction (UI): None
  Scope:
    Scope (S): Unchanged
  Impact Metrics:
    Confidentiality (C): High
    Integrity (I): None
    Availability (A): None
CVSS v2 Severity:
  2.1 Low (CVSS v2 Vector: AV:L/AC:L/Au:N/C:P/I:N/A:N)
  Exploitability Metrics:
    Access Vector (AV): Local
    Access Complexity (AC): Low
    Authentication (Au): None
  Impact Metrics:
    Confidentiality (C): Partial
    Integrity (I): None
    Availability (A): None
  4.6 Medium (CCN CVSS v2 Vector: AV:L/AC:L/Au:S/C:C/I:N/A:N)
  Exploitability Metrics:
    Access Vector (AV): Local
    Access Complexity (AC): Low
    Authentication (Au): Single_Instance
  Impact Metrics:
    Confidentiality (C): Complete
    Integrity (I): None
    Availability (A): None
Vulnerability Type: CWE-287
Vulnerability Consequences: Obtain Information
References:
Source: MITRE
Type: CNA
CVE-2010-2496

Source: CCN
Type: Bugzilla - Bug 620781
(CVE-2010-2496) VUL-0: CVE-2010-2496: STONITH passwords visible in ps output

Source: XF
Type: UNKNOWN
clusterlabs-cve20102496-info-disc(211842)

Source: CCN
Type: cluster-glue GIT Repository
Medium: stonith: add -E option to get the configuration from the environment

Source: CCN
Type: pacemaker GIT Repository
High: Build: Require cluster-glue 1.0.6 for STONITH security fix (CVE-2010-2496)

Vulnerable Configuration:
Configuration CCN 1:
  • cpe:/a:clusterlabs:pacemaker:1.1.2:*:*:*:*:*:*:*

* Denotes that component is vulnerable
Oval Definitions
Definition ID | Class | Title | Last Modified
oval:org.opensuse.security:def:20102496 | V | CVE-2010-2496 | 2022-09-02
oval:org.opensuse.security:def:6346 | P | Security update for libEMF (Moderate) (in QA) | 2022-08-29
oval:org.opensuse.security:def:6 | P | apparmor-abstractions-2.13.6-1.31 on GA media (Moderate) | 2022-06-13
oval:org.opensuse.security:def:6335 | P | Security update for ImageMagick (Important) | 2022-05-31
oval:org.opensuse.security:def:6324 | P | Security update for libreoffice (Moderate) | 2022-04-04
oval:org.opensuse.security:def:6360 | P | Security update for cyrus-sasl (Important) | 2022-03-03
oval:org.opensuse.security:def:6292 | P | Security update for python2-numpy (Moderate) (in QA) | 2022-01-17
oval:org.opensuse.security:def:112752 | P | libpacemaker-devel-1.1.15+git20161104.b6f251a-1.1 on GA media (Moderate) | 2022-01-17
oval:org.opensuse.security:def:6305 | P | Security update for apache2 (Important) | 2022-01-17
oval:org.opensuse.security:def:6302 | P | Security update for libmspack (Low) | 2022-01-13
oval:org.opensuse.security:def:10443 | P | Security update for SDL2 (Important) (in QA) | 2022-01-12
oval:org.opensuse.security:def:6294 | P | Security update for kubevirt, virt-api-container, virt-controller-container, virt-handler-container, virt-launcher-container, virt-operator-container (Important) | 2022-01-10
oval:org.opensuse.security:def:9635 | P | Security update for xorg-x11-server (Important) | 2021-12-20
oval:org.opensuse.security:def:7297 | P | Security update for the Linux Kernel (Live Patch 0 for SLE 15 SP3) (Important) | 2021-12-15
oval:org.opensuse.security:def:10381 | P | Security update for fetchmail (Moderate) | 2021-12-14
oval:org.opensuse.security:def:10375 | P | Security update for mariadb (Moderate) | 2021-12-06
oval:org.opensuse.security:def:6462 | P | Security update for the Linux Kernel (Important) | 2021-12-06
oval:org.opensuse.security:def:10183 | P | Security update for mozilla-nss (Important) | 2021-12-06
oval:org.opensuse.security:def:9622 | P | Security update for aaa_base (Moderate) | 2021-12-03
oval:org.opensuse.security:def:10368 | P | Security update for ruby2.5 (Important) | 2021-12-01
oval:org.opensuse.security:def:9819 | P | Security update for poppler (Important) | 2021-12-01
oval:org.opensuse.security:def:10367 | P | Security update for java-1_8_0-openjdk (Important) | 2021-11-23
oval:org.opensuse.security:def:7286 | P | Security update for the Linux Kernel (Live Patch 5 for SLE 15 SP3) (Important) | 2021-11-19
oval:org.opensuse.security:def:10666 | P | Security update for the Linux Kernel (Important) | 2021-11-19
oval:org.opensuse.security:def:10359 | P | Security update for qemu (Important) | 2021-11-04
oval:org.opensuse.security:def:9803 | P | Security update for dnsmasq (Moderate) | 2021-10-27
oval:org.opensuse.security:def:9408 | P | Security update for glibc (Moderate) | 2021-10-12
oval:org.opensuse.security:def:9797 | P | Security update for apache2 (Important) | 2021-10-12
oval:org.opensuse.security:def:7275 | P | Security update for the Linux Kernel (Live Patch 1 for SLE 15 SP3) (Important) | 2021-10-12
oval:org.opensuse.security:def:106224 | P | libpacemaker-devel-1.1.15+git20161104.b6f251a-1.1 on GA media (Moderate) | 2021-10-01
oval:org.opensuse.security:def:9593 | P | Security update for ffmpeg (Important) | 2021-09-23
oval:org.opensuse.security:def:7264 | P | Security update for the Linux Kernel (Live Patch 0 for SLE 15 SP3) (Important) | 2021-09-16
oval:org.opensuse.security:def:7265 | P | Security update for the Linux Kernel (Live Patch 1 for SLE 15 SP3) (Important) | 2021-09-16
oval:org.opensuse.security:def:9789 | P | Security update for openssl-1_0_0 (Low) | 2021-09-09
oval:org.opensuse.security:def:6454 | P | Security update for openssl-1_0_0 (Important) | 2021-08-24
oval:org.opensuse.security:def:9778 | P | Security update for openssl-1_0_0 (Important) | 2021-08-24
oval:org.opensuse.security:def:10136 | P | Security update for libass (Important) | 2021-08-20
oval:org.opensuse.security:def:9383 | P | Security update for openexr (Important) | 2021-08-20
oval:org.opensuse.security:def:9568 | P | Security update for go1.15 (Moderate) | 2021-08-20
oval:org.opensuse.security:def:9576 | P | Security update for krb5 (Important) | 2021-08-20
oval:org.opensuse.security:def:10317 | P | Security update for libsndfile (Critical) | 2021-08-17
oval:org.opensuse.security:def:10688 | P | Security update for MozillaThunderbird (Important) | 2021-07-22
oval:org.opensuse.security:def:9366 | P | Security update for curl (Moderate) | 2021-07-21
oval:org.opensuse.security:def:6451 | P | Security update for the Linux Kernel (Important) | 2021-07-21
oval:org.opensuse.security:def:7253 | P | Security update for the Linux Kernel (Important) | 2021-07-20
oval:org.opensuse.security:def:9554 | P | Security update for nodejs10 (Important) | 2021-07-15
oval:org.opensuse.security:def:9546 | P | Security update for go1.15 (Important) | 2021-06-30
oval:org.opensuse.security:def:6473 | P | Security update for the Linux Kernel (Important) | 2021-06-28
oval:org.opensuse.security:def:10295 | P | Security update for arpwatch (Important) | 2021-06-28
oval:org.opensuse.security:def:10292 | P | Security update for libgcrypt (Important) | 2021-06-24
oval:org.opensuse.security:def:10110 | P | Security update for libgcrypt (Important) | 2021-06-24
oval:org.opensuse.security:def:6284 | P | Security update for caribou (Important) | 2021-06-10
oval:org.opensuse.security:def:10097 | P | Security update for spice-gtk (Important) | 2021-06-09
oval:org.opensuse.security:def:9344 | P | Security update for MozillaFirefox (Important) | 2021-06-09
oval:org.opensuse.security:def:16554 | P | libpacemaker-devel-1.1.19+20180928.0d2680780-1.8 on GA media (Moderate) | 2021-06-08
oval:org.opensuse.security:def:12783 | P | libpacemaker3-1.1.16-4.8 on GA media (Moderate) | 2021-06-08
oval:org.opensuse.security:def:124560 | P | libpacemaker-devel-1.1.19+20180928.0d2680780-1.8 on GA media (Moderate) | 2021-06-08
oval:org.opensuse.security:def:15829 | P | libpacemaker-devel-1.1.13-10.4 on GA media (Moderate) | 2021-06-08
oval:org.opensuse.security:def:12794 | P | libpacemaker3-1.1.19+20180928.0d2680780-1.8 on GA media (Moderate) | 2021-06-08
oval:org.opensuse.security:def:16039 | P | libpacemaker-devel-1.1.15-19.15 on GA media (Moderate) | 2021-06-08
oval:org.opensuse.security:def:11326 | P | java-1_7_0-openjdk-plugin-1.5.1-1.13 on GA media (Moderate) | 2021-06-08
oval:org.opensuse.security:def:16283 | P | libpacemaker-devel-1.1.16-4.8 on GA media (Moderate) | 2021-06-08
oval:org.opensuse.security:def:12773 | P | libpacemaker3-1.1.15-19.15 on GA media (Moderate) | 2021-06-08
oval:org.opensuse.security:def:123989 | P | libpacemaker3-1.1.19+20180928.0d2680780-1.8 on GA media (Moderate) | 2021-06-08
oval:org.opensuse.security:def:15644 | P | libpacemaker-devel-1.1.12-7.1 on GA media (Moderate) | 2021-06-08
oval:org.opensuse.security:def:11348 | P | libXvMC1-1.0.8-3.57 on GA media (Moderate) | 2021-06-08
oval:org.opensuse.security:def:10088 | P | Security update for avahi (Important) | 2021-06-03
oval:org.opensuse.security:def:9703 | P | Security update for java-11-openjdk (Important) | 2021-05-11
oval:org.opensuse.security:def:10068 | P | Security update for cups (Important) | 2021-04-30
oval:org.opensuse.security:def:9493 | P | Security update for libnettle (Important) | 2021-04-28
oval:org.opensuse.security:def:9308 | P | Security update for xen (Important) | 2021-04-19
oval:org.opensuse.security:def:10060 | P | Security update for clamav (Important) | 2021-04-14
oval:org.opensuse.security:def:6443 | P | Security update for open-iscsi (Important) | 2021-04-13
oval:org.opensuse.security:def:9684 | P | Security update for fwupdate (Important) | 2021-04-08
oval:org.opensuse.security:def:9472 | P | Security update for ruby2.5 (Important) | 2021-03-24
oval:org.opensuse.security:def:9669 | P | Security update for ruby2.5 (Important) | 2021-03-24
oval:org.opensuse.security:def:9867 | P | Security update for nghttp2 (Important) | 2021-03-24
oval:org.opensuse.security:def:9474 | P | Security update for libass (Important) | 2021-03-24
oval:org.opensuse.security:def:10675 | P | Security update for evolution-data-server (Moderate) | 2021-03-24
oval:org.opensuse.security:def:7243 | P | Security update for the Linux Kernel (Live Patch 3 for SLE 15 SP2) (Important) | 2021-03-17
oval:org.opensuse.security:def:9865 | P | Security update for openssl-1_0_0 (Moderate) | 2021-03-11
oval:org.opensuse.security:def:10217 | P | Security update for openldap2 (Important) | 2021-03-08
oval:org.opensuse.security:def:9657 | P | Security update for kernel-firmware (Important) | 2021-03-03
oval:org.opensuse.security:def:9459 | P | Security update for grub2 (Important) | 2021-03-02
oval:org.opensuse.security:def:9854 | P | Security update for grub2 (Important) | 2021-03-02
oval:org.opensuse.security:def:10397 | P | Security update for salt (Critical) | 2021-02-26
oval:org.opensuse.security:def:6316 | P | Security update for ImageMagick (Moderate) | 2021-02-25
oval:org.opensuse.security:def:9845 | P | Security update for php7 (Important) | 2021-02-24
oval:org.opensuse.security:def:9450 | P | Security update for webkit2gtk3 (Important) | 2021-02-24
oval:org.opensuse.security:def:6314 | P | Security update for ImageMagick (Moderate) | 2021-02-19
oval:org.opensuse.security:def:9644 | P | Security update for the Linux Kernel (Important) | 2021-02-19
oval:org.opensuse.security:def:6313 | P | Security update for python (Important) | 2021-02-11
oval:org.opensuse.security:def:10198 | P | Security update for the Linux Kernel (Important) | 2021-02-11
oval:org.opensuse.security:def:9412 | P | Security update for java-11-openjdk (Important) | 2021-02-09
oval:org.opensuse.security:def:10132 | P | Security update for openvswitch (Important) | 2021-02-02
oval:org.opensuse.security:def:10599 | P | Security update for MozillaThunderbird (Important) | 2021-01-29
oval:org.opensuse.security:def:10090 | P | Security update for wavpack (Moderate) | 2021-01-21
oval:org.opensuse.security:def:9336 | P | Security update for wavpack (Moderate) | 2021-01-21
oval:org.opensuse.security:def:6422 | P | Security update for the Linux Kernel (Important) | 2021-01-14
oval:org.opensuse.security:def:6417 | P | Security update for java-1_8_0-ibm (Moderate) | 2020-12-23
oval:org.opensuse.security:def:6441 | P | Security update for openssl-1_0_0 (Important) | 2020-12-11
oval:org.opensuse.security:def:11019 | P | Security update for neomutt (Moderate) | 2020-12-04
oval:org.opensuse.security:def:16862 | P | libpacemaker-devel-1.1.21+20190809.bf34b44fa-1.17 on GA media (Moderate) | 2020-12-03
oval:org.opensuse.security:def:4026 | P | libpacemaker-devel-1.1.21+20190809.bf34b44fa-1.17 on GA media (Moderate) | 2020-12-03
oval:org.opensuse.security:def:12805 | P | libpacemaker3-1.1.21+20190809.bf34b44fa-1.17 on GA media (Moderate) | 2020-12-03
oval:org.opensuse.security:def:6439 | P | Security update for java-1_8_0-openjdk (Important) | 2020-12-02
oval:org.opensuse.security:def:10021 | P | xorg-x11 on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:6516 | P | tar on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:10527 | P | libpacemaker-devel on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:6370 | P | libecpg6 on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:6593 | P | emacs on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:10748 | P | libjasper-devel on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:9181 | P | libxerces-c-3_1 on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:10490 | P | libcurl-devel on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:6551 | P | accountsservice on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:6605 | P | fuse on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:6428 | P | libreoffice on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:6613 | P | glib2-lang on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:9946 | P | mozilla-nspr on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:6595 | P | eog on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:6526 | P | w3m on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:10770 | P | libpacemaker-devel on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:6381 | P | libgraphite2-3 on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:6604 | P | ft2demos on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:9927 | P | libthai-data on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:10624 | P | ant on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:6562 | P | binutils on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:6626 | P | gstreamer-0_10-plugins-base on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:6624 | P | gstreamer on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:9151 | P | libsndfile1 on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:6606 | P | gd on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:9289 | P | xen on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:9159 | P | libssh4 on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:9912 | P | libqt4 on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:6407 | P | libndp0 on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:6537 | P | xlockmore on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:6592 | P | elfutils on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:11041 | P | libpacemaker-devel on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:6392 | P | libjpeg-turbo on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:6615 | P | gnome-keyring on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:6574 | P | cron on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:6432 | P | libsndfile1 on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:6573 | P | cracklib on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:6637 | P | hyper-v on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:9274 | P | tpm2.0-tools on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:10524 | P | libnettle-devel on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:6583 | P | dbus-1-glib on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:10046 | P | cups-devel on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:6541 | P | xscreensaver on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:6548 | P | MozillaFirefox on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:6602 | P | fontconfig on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:9227 | P | ppc64-diag on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:10505 | P | libid3tag-devel on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:6584 | P | dhcp on GA media (Moderate) | 2020-12-01
    clusterlabs pacemaker 1.1.2