PT-2024-2710 · Cockpit+10
Guilherme De Almeida Suckevicz · Published 2024-03-27 · Updated 2025-09-16
CVE-2024-3019
CVSS v2.0: 9.0 (High)
Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions
Performance Co-Pilot (PCP) versions 4.3.4 and newer
Description
The issue affects the pmproxy component of Performance Co-Pilot (PCP), software used for monitoring and visualizing performance. It involves the exposure of information in an error data area, which could allow a remote attacker to execute arbitrary commands. The default pmproxy configuration exposes the Redis server backend to the local network, enabling remote command execution with the privileges of the Redis user. The flaw can only be exploited while pmproxy is running; it is not running by default and must be started manually, often from the 'Metrics settings' page of the Cockpit web interface.
Recommendations
For PCP versions 4.3.4 and newer, consider disabling the pmproxy service until a patch is available. Restrict access to the Redis server backend to reduce the risk of remote command execution. As a temporary workaround, do not start the pmproxy service from the 'Metrics settings' page of the Cockpit web interface unless it is needed. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
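As an added defender's check, not part of this advisory and not code from PCP or Redis: the script below parses `ss -H -ltn` output and reports whether pmproxy is listening while Redis is bound to a non-loopback address, the combination the description above warns about. The Redis port 6379 and the pmproxy port 44322 are assumptions, not values taken from the advisory, and the sample listener lines are constructed.

```python
"""Audit `ss -H -ltn` output for the pmproxy/Redis exposure described above."""
import ipaddress

REDIS_PORT = 6379      # assumption: default Redis port (not stated in the advisory)
PMPROXY_PORT = 44322   # assumption: default pmproxy port (not stated in the advisory)


def parse_listeners(ss_output: str):
    """Yield (address, port) pairs; in `ss -H -ltn` the 4th column is Local Address:Port."""
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        addr, _, port = fields[3].rpartition(":")   # handles 0.0.0.0:6379 and [::]:6379
        if port.isdigit():
            yield addr.strip("[]"), int(port)


def reachable_off_host(addr: str) -> bool:
    """True when the bind address accepts connections from other hosts on the network."""
    if addr in ("*", ""):
        return True
    try:
        return not ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return True   # unrecognised form: report as exposed rather than silently passing


def assess_exposure(ss_output: str) -> dict:
    """Flag the risky combination: pmproxy running and Redis reachable from the network."""
    listeners = list(parse_listeners(ss_output))
    pmproxy_up = any(port == PMPROXY_PORT for _, port in listeners)
    redis_exposed = any(port == REDIS_PORT and reachable_off_host(addr)
                        for addr, port in listeners)
    return {"pmproxy_listening": pmproxy_up,
            "redis_exposed": redis_exposed,
            "vulnerable_combination": pmproxy_up and redis_exposed}


# Constructed sample in the shape of `ss -H -ltn` output, not captured from a real host.
SAMPLE_SS = """\
LISTEN 0 511 0.0.0.0:6379 0.0.0.0:*
LISTEN 0 511 [::]:6379 [::]:*
LISTEN 0 128 *:44322 *:*
LISTEN 0 128 127.0.0.1:631 0.0.0.0:*
"""

if __name__ == "__main__":
    print(assess_exposure(SAMPLE_SS))   # on a live host feed it `ss -H -ltn` output instead
```

A Redis bound only to 127.0.0.1 and ::1 is reported as not exposed even while pmproxy is up, which matches the "restrict access to the Redis backend" recommendation.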
Weakness Enumeration
Exposure of Resource to Wrong Sphere
Affected Products
AlmaLinux
CentOS
Cockpit
Debian
Performance Co-Pilot
Red Hat
RED OS
Redis
Rocky Linux
SUSE
zVirt Node