Default pmproxy configuration exposes Redis server backend to local network
CVE-2024-3019
Summary
A flaw has been identified in the Performance Co-Pilot (PCP) system, primarily affecting versions 4.3.4 and higher. The default configuration of the pmproxy service exposes the underlying Redis server backend to the local network, which makes remote command execution with the privileges of the Redis user possible. The flaw can be exploited only while the pmproxy service is running. By default, pmproxy is not started automatically and must be enabled manually, typically through the 'Metrics settings' page of the Cockpit web interface. System administrators are advised to review and adjust their configuration to mitigate the risk.
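As an added defender-side audit helper (not code from this advisory or from the PCP project), the following checks whether pmproxy is listening on a non-loopback address and whether its Redis proxying is still enabled, the two conditions the summary above describes. It assumes pmproxy's default port 44322 and the pmproxy.conf key `redis.enabled` under `[pmproxy]` (renamed `resp.enabled` in PCP 6.x); the `ss -ltnp` output and configuration texts are constructed samples.

```python
import configparser

PMPROXY_PORT = 44322            # pmproxy default listening port (assumption)
LOOPBACK = ("127.0.0.1", "::1")  # addresses not reachable from the local network

# Constructed sample of `ss -ltnp` output: pmproxy bound to all interfaces.
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:44322      0.0.0.0:*         users:(("pmproxy",pid=1234,fd=7))
LISTEN 0      128    [::]:44322         [::]:*            users:(("pmproxy",pid=1234,fd=8))
LISTEN 0      128    127.0.0.1:6379     0.0.0.0:*         users:(("redis-server",pid=1000,fd=6))
"""
# Constructed pmproxy.conf fragments: assumed vulnerable default and hardened form.
SAMPLE_CONF_DEFAULT = "[pmproxy]\npcp.enabled = true\nredis.enabled = true\n"
SAMPLE_CONF_HARDENED = "[pmproxy]\npcp.enabled = true\nredis.enabled = false\n"


def pmproxy_listeners(ss_output: str) -> list[str]:
    """Return the local addresses on which pmproxy listens on its port."""
    addrs = []
    for line in ss_output.splitlines():
        if 'users:(("pmproxy"' not in line:
            continue
        cols = line.split()
        if len(cols) < 5:
            continue
        host, _, port = cols[3].rpartition(":")  # "Local Address:Port" column
        if port == str(PMPROXY_PORT):
            addrs.append(host.strip("[]"))
    return addrs


def redis_proxy_enabled(conf_text: str) -> bool:
    """Read the Redis/RESP proxy switch; absent key is treated as enabled (assumed pre-fix default)."""
    cp = configparser.ConfigParser()
    cp.read_string(conf_text)
    sect = cp["pmproxy"] if cp.has_section("pmproxy") else {}
    for key in ("redis.enabled", "resp.enabled"):
        if key in sect:
            return sect[key].strip().lower() == "true"
    return True


def assess(ss_output: str, conf_text: str) -> dict:
    """Combine both checks: at risk only if exposed beyond loopback AND proxying is on."""
    listeners = pmproxy_listeners(ss_output)
    exposed = [a for a in listeners if a not in LOOPBACK]
    proxy_on = redis_proxy_enabled(conf_text)
    return {"running": bool(listeners), "exposed_addrs": exposed,
            "redis_proxy": proxy_on, "at_risk": bool(exposed) and proxy_on}
```

On a live host, feed `assess()` the real `ss -ltnp` output and the contents of /etc/pcp/pmproxy/pmproxy.conf; an `at_risk` result means the Redis backend is reachable from the local network as the advisory describes.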
Affected Version(s)
Red Hat Enterprise Linux 8 0:5.3.7-20.el8_10
Red Hat Enterprise Linux 8.2 Advanced Update Support 0:5.0.2-8.el8_2
Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support 0:5.2.5-7.el8_4