Default pmproxy configuration exposes Redis server backend to local network
CVE-2024-3019

8.8HIGH

Key Information:

Status
Red Hat Enterprise Linux 8
Red Hat Enterprise Linux 8.2 Advanced Update Support
Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support
Vendor
CVE Published:
28 March 2024

What is CVE-2024-3019?

A notable flaw has been identified in the Performance Co-Pilot (PCP) system, primarily affecting versions 4.3.4 and higher. The default configuration of the pmproxy service presents a security risk by exposing the underlying Redis server backend to the local network. This exposure enables the potential for remote command execution with the privileges of the Redis user. The vulnerability is particularly concerning since it can be exploited only when the pmproxy service is actively running. By default, pmproxy is not initiated automatically and requires manual activation, typically carried out through the 'Metrics settings' page of the Cockpit web interface. System administrators are advised to review and adjust configurations to mitigate the associated risks.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

References

https://access.redhat.com/errata/RHSA-2024:2566
vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2024:3264
vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2024:3321
vendor-advisoryx_refsource_REDHAT

CVSS V3.1

Score:
8.8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Adjacent Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Red Hat would like to thank Jihwan Yoon (NAVER Cloud Security Analysis) for reporting this issue.
JSON
.