ID CVE-2010-3389
Summary The (1) SAPDatabase and (2) SAPInstance scripts in OCF Resource Agents (aka resource-agents or cluster-agents) 1.0.3 in Linux-HA place a zero-length directory name in the LD_LIBRARY_PATH, which allows local users to gain privileges via a Trojan horse shared library in the current working directory.
References
Vulnerable Configurations
  • cpe:2.3:a:linux-ha:ocf_resource_agents:1.0.3:*:*:*:*:*:*:*
CVSS
Base: 6.9 (as of 02-02-2012 - 03:58)
Impact:
Exploitability:
CWE NVD-CWE-Other
CAPEC
Access
  Vector: LOCAL
  Complexity: MEDIUM
  Authentication: NONE
Impact
  Confidentiality: COMPLETE
  Integrity: COMPLETE
  Availability: COMPLETE
cvss-vector via4 AV:L/AC:M/Au:N/C:C/I:C/A:C
redhat via4
advisories
  • bugzilla
    id 711521
    title Dependencies in independent_tree resources does not work as expected
    oval
    AND
    • comment Red Hat Enterprise Linux 5 is installed
      oval oval:com.redhat.rhba:tst:20070331001
    • comment rgmanager is earlier than 0:2.0.52-21.el5
      oval oval:com.redhat.rhsa:tst:20111000002
    • comment rgmanager is signed with Red Hat redhatrelease key
      oval oval:com.redhat.rhsa:tst:20091339003
    rhsa
    id RHSA-2011:1000
    released 2011-07-21
    severity Low
    title RHSA-2011:1000: rgmanager security, bug fix, and enhancement update (Low)
  • bugzilla
    id 727643
    title Modify major resource-agent agents to provide proper return codes to pacemaker
    oval
    AND
    • comment resource-agents is earlier than 0:3.9.2-7.el6
      oval oval:com.redhat.rhsa:tst:20111580005
    • comment resource-agents is signed with Red Hat redhatrelease2 key
      oval oval:com.redhat.rhsa:tst:20111580006
    • OR
      • comment Red Hat Enterprise Linux 6 Client is installed
        oval oval:com.redhat.rhba:tst:20111656001
      • comment Red Hat Enterprise Linux 6 Server is installed
        oval oval:com.redhat.rhba:tst:20111656002
      • comment Red Hat Enterprise Linux 6 Workstation is installed
        oval oval:com.redhat.rhba:tst:20111656003
      • comment Red Hat Enterprise Linux 6 ComputeNode is installed
        oval oval:com.redhat.rhba:tst:20111656004
    rhsa
    id RHSA-2011:1580
    released 2011-12-06
    severity Low
    title RHSA-2011:1580: resource-agents security, bug fix, and enhancement update (Low)
  • rhsa
    id RHSA-2011:0264
rpms
  • rgmanager-0:2.0.52-21.el5
  • resource-agents-0:3.9.2-7.el6
refmap via4
confirm
gentoo GLSA-201110-18
secunia 43372
vupen ADV-2011-0416
Last major update 02-02-2012 - 03:58
Published 20-10-2010 - 18:00