MCollective: Privilege escalation

MCollective: Privilege escalation Two vulnerabilities have been found in MCollective, the worst of which could lead to privilege escalation. mcollective 2014-12-13 2014-12-13 513292 517286 local 2.5.3 2.5.3

MCollective is a framework to build server orchestration or parallel job execution systems.

Two vulnerabilities have been found in MCollective:

An untrusted search path vulnerability exists in MCollective (CVE-2014-3248)
MCollective does not properly validate server certificates (CVE-2014-3251)

A local attacker can execute arbitrary a Trojan horse shared library, potentially resulting in arbitrary code execution and privilege escalation. Furthermore, a local attacker may be able to establish unauthorized MCollective connections.

There is no known workaround at this time.

All MCollective users should upgrade to the latest version:


      # emerge --sync
      # emerge --ask --oneshot --verbose ">=app-admin/mcollective-2.5.3"

CVE-2014-3248 CVE-2014-3251 K_F ackle