Jan Pokorný

**Name of the Vulnerable Software and Affected Versions** Pacemaker versions up to and including 2.0.1 **Description** The issue is related to an uncontrolled resource consumption in the Pacemaker cluster resource management software, which can be exploited to cause a denial of service (DoS). This could allow an attacker to disrupt service operations. The estimated number of potentially affected devices worldwide is not specified. There is no information about real-world incidents where this issue was exploited. **Recommendations** For Pacemaker versions up to and including 2.0.1, update to a version later than 2.0.1 to resolve the issue. As a temporary workaround, consider restricting access to the cluster resource management functionality to minimize the risk of exploitation.

Name of the Vulnerable Software and Affected Versions: Pacemaker versions up to and including 2.0.0 Description: A flaw was found in the way Pacemaker's client-server authentication was implemented, allowing a local attacker to achieve local privilege escalation by combining this flaw with other IPC weaknesses. The issue is related to insufficient authentication in the cluster resource management tool, which can be exploited to elevate privileges. Recommendations: For Pacemaker versions up to and including 2.0.0, update to a version later than 2.0.0 to resolve the issue. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Pacemaker versions prior to 1.1.16 **Description** An authorization flaw was found where Pacemaker did not properly guard its IPC interface. An attacker with an unprivileged account on a Pacemaker node could use this flaw to gain root access on the machine, for example, by forcing the Local Resource Manager daemon to execute a script as root. **Recommendations** For versions prior to 1.1.16, update to version 1.1.16 or later to resolve the issue. As a temporary workaround, consider restricting access to the IPC interface to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Luci version 0.26.0 **Description** A race condition exists that creates the /var/lib/luci/etc/luci.ini file with world-readable permissions before the permissions are restricted. This allows local users to read the file and obtain sensitive information, including authentication secrets. **Recommendations** For Luci version 0.26.0, consider restricting access to the /var/lib/luci/etc/luci.ini file until a patch is available. As a temporary workaround, manually change the permissions of the luci.ini file to prevent unauthorized access.

**Name of the Vulnerable Software and Affected Versions** Luci version 0.26.0 **Description** The issue allows local users to gain privileges via a Trojan horse .egg-info file in the current working directory or its parent directories, due to an untrusted search path vulnerability in python-paste-script (aka paster) when started using the initscript. **Recommendations** For Luci version 0.26.0, consider restricting access to the `python-paste-script` module until a patch is available, and avoid using the initscript to start Luci to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.