Release Date: | 2024-03-27 |
A flaw was found in PCP. The default pmproxy configuration exposes the Redis server backend to the local network, allowing remote command execution with the privileges of the Redis user. This issue can only be exploited when pmproxy is running. By default, pmproxy is not running and needs to be started manually. The pmproxy service is usually started from the 'Metrics settings' page of the Cockpit web interface. This flaw affects PCP versions 4.3.4 and newer.
See more information about CVE-2024-3019 from MITRE CVE dictionary and NIST NVD
NOTE: The following CVSS v3.0 metrics and score provided are preliminary and subject to review.
Base Score: | 8.8 | Base Metrics: | AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
Access Vector: | Adjacent network | Attack Complexity: | Low |
Privileges Required: | None | User Interaction: | None |
Scope: | Unchanged | Confidentiality Impact: | High |
Integrity Impact: | High | Availability Impact: | High |
Platform | Errata | Release Date |
Oracle Linux version 8 (pcp) | ELSA-2024-3264 | 2024-05-29 |
Oracle Linux version 9 (pcp) | ELSA-2024-2566 | 2024-05-08 |
This page is generated automatically and has not been checked for errors or omissions. For clarification or corrections please contact the Oracle Linux ULN team