In response to the CVEs we announced on April 23, 2020 (CVE-2020-11651 and CVE-2020-11652), packages are now available to resolve the issues. We consider these CVEs critical. Please prioritize this update using one of the update paths provided below.
If you are running the latest supported versions of Salt (3000.x and 2019.x):
Visit https://repo.saltstack.com to download and install the new CVE release package. The site provides instructions for configuring your operating system's package manager for the latest Salt version, or you can download the package directly.
- Download Salt as Python Module: https://pypi.python.org/pypi/salt/3000.2 and https://pypi.python.org/pypi/salt/2019.2.4
- Article about securing your environment: Hardening your Salt Environment
If you are running an earlier version of Salt:
We strongly recommend that you update your Salt Masters to a supported version (2019.2.4 or 3000.2). If you cannot upgrade to a supported version immediately, patches for a limited selection of unsupported versions are available here: Applying the CVE-2020-11651 and CVE-2020-11652 patches.
If you are unable to access the SaltStack Enterprise knowledge base, use this form to request the patches for the same list of versions: https://www.saltstack.com/lp/request-patch-april-2020
Additional Instructions to update the Salt Master: Upgrading Your Salt Infrastructure
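Before and after following either update path, it helps to confirm which release line a master is on and whether it already carries the fix. The following script is an added example, not part of the original advisory or of the Salt project; it encodes only the fixed versions named above (2019.2.4 and 3000.2) and treats any older release line as "unsupported", meaning it needs the out-of-band patch rather than a package upgrade. The function name salt_cve_status and the constructed sample versions are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not SaltStack's own tooling): classify a Salt Master version
# against the CVE-2020-11651 / CVE-2020-11652 release packages.
# Prints one of:
#   fixed        - 2019.2.4+, 3000.2+, or a newer release line
#   vulnerable   - a supported line (2019.2.x / 3000.x) below the fixed release
#   unsupported  - an older line (e.g. 2018.3.x) that needs the published patch
salt_cve_status() {
    ver=$1
    # Salt used "YYYY.M.P" through 2019.2.x and "3000", "3000.1", ... afterwards.
    major=${ver%%.*}
    rest=${ver#"$major"}
    rest=${rest#.}
    case "$major" in
        2019)
            minor=${rest%%.*}
            patch=${rest#"$minor"}
            patch=${patch#.}
            patch=${patch:-0}
            if [ "$minor" -eq 2 ] && [ "$patch" -ge 4 ]; then
                echo fixed
            else
                echo vulnerable
            fi
            ;;
        3000)
            patch=${rest%%.*}
            patch=${patch:-0}
            if [ "$patch" -ge 2 ]; then
                echo fixed
            else
                echo vulnerable
            fi
            ;;
        *)
            # Anything after the 3000 line ships with the fix; anything
            # before 2019.2 is out of support and needs the patch bundle.
            if [ "$major" -gt 3000 ] 2>/dev/null; then
                echo fixed
            else
                echo unsupported
            fi
            ;;
    esac
}

# Query the locally installed master. "salt-master --version" prints
# "salt-master <version>", so the second field is the version string.
check_local_master() {
    if ! command -v salt-master >/dev/null 2>&1; then
        echo "salt-master is not installed on this host" >&2
        return 2
    fi
    local_ver=$(salt-master --version | awk '{print $2}')
    status=$(salt_cve_status "$local_ver")
    echo "salt-master $local_ver: $status"
    [ "$status" = fixed ]
}

# Usage: sh check_salt_cve.sh [version]
# With a version argument the script classifies that string (handy for a
# fleet inventory export); with no argument it inspects the local master.
if [ $# -gt 0 ]; then
    salt_cve_status "$1"
fi
```

Run it on each master (or syndic) host after the upgrade and confirm it reports "fixed"; a "vulnerable" result means the package manager still pulled a pre-CVE build, and "unsupported" means the patch path above applies instead of a package upgrade.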
What are the details about this CVE?
These vulnerabilities have been rated critical, with a Common Vulnerability Scoring System (CVSS) score of 10.0. Resolving them requires only updating the Salt Master to the CVE release package and restarting the salt-master service; the flaws are in the master's request server, so minions do not need to be updated to close these issues, although they should still be kept on a supported release.