SaltStack Response Policy for Common Vulnerabilities and Exposures (CVE)
**ATTENTION: Active CVE-2020-11651 and CVE-2020-11652.**
Information and patching instructions for both are listed under Active CVE Releases in the Additional Resources section below.
SaltStack and its award-winning products are the first enterprise security operations solutions to deliver automated and orchestrated continuous compliance and vulnerability remediation for production infrastructure at scale from a single platform. SaltStack software is trusted by the world’s largest businesses to automate the work of digital infrastructure operations and security. Platform security is critical to SaltStack and our customers.
A full accounting of SaltStack software security architecture and protocol can be found in this white paper.
SaltStack encourages the submission of security concerns through proper channels and is dedicated to issuing an immediate response. SaltStack will always engage in open dialog with customers and users. This article outlines our rapid and focused response policy for identifying and resolving CVEs and openly communicating these incidents to our customers, users, and community.
Common Vulnerabilities and Exposures (CVE) is a catalog of publicly known security vulnerabilities. The database is maintained by MITRE, a nonprofit organization that operates federally funded research and development centers supporting several U.S. government agencies. The CVE entries that mention SaltStack are listed under Additional Resources below.
Article Table of Contents:
- How CVEs are Discovered
- How SaltStack Addresses CVEs
- How SaltStack Communicates and Reports CVEs
- What you should do if you hear about a CVE
- Additional Resources
How CVEs are Discovered
CVEs can be identified by SaltStack engineers, customers, contributors and community members, and third parties, including SaltStack partners, consultants, and independent researchers. We ask that these issues be reported directly to SaltStack security at security@saltstack.com.
We request that disclosures of security-related bugs or issues be reported non-publicly until such time as the issue can be resolved and a security-fix release can be prepared.
Once a security-fix release is prepared, we will make a public announcement with upgrade instructions and download locations. Read more at Security Disclosure Policy.
How SaltStack Addresses CVEs
If a CVE is discovered, SaltStack will create a new release that contains only the tests and the patch for the CVE. Limiting the release to the fix reduces the chance that upgrading breaks something else. Read more in Salt Open Documentation.
The SaltStack security team can be contacted at security@saltstack.com. As noted above, we request that disclosures of any security-related bugs or issues be reported non-publicly until such time as the issue can be resolved and a security-fix release can be prepared. At that time, we will release the fix and make a public announcement with download locations and upgrade instructions. Read more at Security Disclosure Policy.
SaltStack-related CVEs can also be viewed on MITRE's site (see the CVE database query under Additional Resources).
How SaltStack Communicates and Reports CVEs
SaltStack takes the security of its software and the trust of its customers and community seriously. Our disclosure policy is intended to increase transparency, security, and trust.
SaltStack customers and community can find information related to CVEs in the following locations:
- Slack https://saltstackcommunity.slack.com/
- Google Group https://groups.google.com/forum/#!forum/salt-users
- IRC https://webchat.freenode.net/#salt
- Community site https://community.saltstack.com/
- SaltStack Help Center https://help.saltstack.com/
To read more about SaltStack’s security reporting and communication policies, please see Security Disclosure Policy.
To stay up to date on SaltStack security announcements, please join the salt-announce mailing list. This list is low traffic.
What you should do if you hear about a CVE
If you learn of a CVE, first check which version of Salt is running on your masters and minions (for example with `salt --version`). If that version falls within the affected range, install the security-fix release or the latest supported update of Salt, where appropriate. You can find the latest releases and information at http://repo.saltstack.com/.
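The following is an added example, not SaltStack's own code, that checks whether a Salt version carries the fixes for the CVEs listed on this page. The fixed-release table is taken from the Active CVE Releases list below; it assumes that release lines not named there (such as 2018.3) are unpatched and that any release line newer than the newest fixed line includes the fix. The fleet report is a constructed sample in the shape that `salt '*' test.version --static --out=json` returns (one JSON object mapping minion ID to version).

```python
import json
import re

# First release in each release line that carries the fix, as listed on this page.
# Assumption: lines not listed here (e.g. 2018.3) are treated as unpatched; the
# Platform Support Page is the authority on which lines receive security patches.
FIXED_RELEASES = {
    "CVE-2020-11651": ["2019.2.4", "3000.2"],
    "CVE-2020-11652": ["2019.2.4", "3000.2"],
    "CVE-2019-17361": ["2019.2.3"],
}

_VERSION_RE = re.compile(r"(\d+(?:\.\d+)*)")


def parse_version(text):
    """Extract a Salt version from strings such as 'salt 3000.2' or '2019.2.3'
    and return it as a tuple of ints padded to three components, so that
    '3000' and '3000.0' compare equal."""
    match = _VERSION_RE.search(text)
    if not match:
        raise ValueError(f"no version number found in {text!r}")
    parts = [int(p) for p in match.group(1).split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def release_line(version):
    """Return the release line a version belongs to. Salt used a date-based
    YYYY.M.P scheme (line = first two components) and switched to a plain
    numeric scheme starting at 3000 (line = first component)."""
    return version[:2] if version[0] < 3000 else version[:1]


def is_patched(version_text, cve):
    """True if the given Salt version includes the fix for `cve` according
    to the releases listed on this page."""
    version = parse_version(version_text)
    fixes = [parse_version(f) for f in FIXED_RELEASES[cve]]
    for fix in fixes:
        if release_line(version) == release_line(fix):
            # Same release line: patched only from the fix release onward.
            return version >= fix
    # Assumption: a release line newer than the newest fixed line carries the
    # fix; older lines with no listed fix release are treated as unpatched.
    return release_line(version) > max(release_line(f) for f in fixes)


def unpatched_minions(versions_json, cve):
    """Given the JSON output of `salt '*' test.version --static --out=json`
    ({"minion-id": "version", ...}), return the minion IDs still exposed to `cve`."""
    report = json.loads(versions_json)
    return sorted(mid for mid, ver in report.items() if not is_patched(ver, cve))


# Constructed sample report, not taken from a real fleet.
SAMPLE_REPORT = json.dumps({
    "web-1": "3000.1",
    "web-2": "3000.2",
    "db-1": "2019.2.4",
    "legacy-1": "2018.3.4",
})

if __name__ == "__main__":
    for cve_id in FIXED_RELEASES:
        print(cve_id, "unpatched:", unpatched_minions(SAMPLE_REPORT, cve_id))
```

Minions on a release line with no listed fix (legacy-1 above) are reported as unpatched rather than silently passed; for those, consult the Platform Support Page to see whether the line still receives security patches or needs to be moved to a supported release.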
Additional Resources
- CVE Database query on keyword for “SaltStack”: https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=SaltStack
- Our Platform Support Page lists the details of which supported versions of Salt receive security patches
- Active CVE Releases:
  - CVE-2020-11651 and CVE-2020-11652: fixed in Salt 2019.2.4 (source code and release documentation) and Salt 3000.2 (source code and release documentation); 3000 releases before 3000.2 are affected.
  - CVE-2019-17361: fixed in Salt 2019.2.3 (source code and release documentation).