漏洞类别:RedHat
漏洞等级: 
漏洞信息
The pcs packages provide a command-line configuration system for the Pacemaker and Corosync utilities.
The following packages have been upgraded to a newer upstream version: pcs (0.9.152). (BZ#1299847)
Security Fix(es):
* A Cross-Site Request Forgery (CSRF) flaw was found in the pcsd web UI. A remote attacker could provide a specially crafted web page that, when visited by a user with a valid pcsd session, would allow the attacker to trigger requests on behalf of the user, for example removing resources or restarting/removing nodes. (CVE-2016-0720)
* It was found that pcsd did not invalidate cookies on the server side when a user logged out. This could potentially allow an attacker to perform session fixation attacks on pcsd. (CVE-2016-0721)
These issues were discovered by Martin Prpic (Red Hat Product Security).
Additional Changes:
For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.3 Release Notes linked from the References section.
漏洞危害
On successful exploitation it could allow an attacker to perform session fixation attacks on pcsd.
解决方案
Upgrade to the latest packages which contain a patch. Refer to Applying Package Updates to RHEL system for details.
Refer to Red Hat security advisory RHSA-2016:2596 to address this issue and obtain more information.
Patch:
Following are links for downloading patches to fix the vulnerabilities:
0day
文章评论