
Security Advisory- Polkit Privilege Escalation Vulnerability (CVE-2021-4034) - February 02, 2022

Overview  

On January 25, 2022, a privilege escalation vulnerability (CVE-2021-4034) was found in pkexec, a SUID-root utility that is part of Polkit. Polkit is installed by default on all major Linux distributions and allows unprivileged processes to communicate with privileged processes. The vulnerability is easily exploitable and allows a user with ordinary privileges to gain full root privileges on a vulnerable host in its default configuration. Because pkexec handles the process’ argument vector incorrectly, the user can bypass all authentication controls and policies.

Effective Security Severity Level 

High

Affected Systems

All Ex Libris systems/products running on Linux.

Tests and Certifications

Ex Libris has evaluated all Ex Libris products for potential vulnerability and performed certification testing with the available patches for all Ex Libris systems and products running on Linux. It was determined that the available patches can be safely deployed with no impact to Ex Libris systems and products.

The fix for this vulnerability has been developed, tested, installed and certified for the Ex Libris Linux servers.

Action Taken by Ex Libris for Cloud Systems

Ex Libris has deployed the fix that addresses the vulnerability described in this advisory and no action is required by our cloud customers.

Required Actions for On-Premise/Local Systems

Ex Libris strongly recommends following the vendor's instructions and installing the patch on all on-premises (local) Ex Libris products using Linux systems.
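The following audit script is an added example written for this advisory, not an Ex Libris or Polkit tool. It reports whether pkexec is present and setuid-root, and whether the installed package changelog references CVE-2021-4034, which is one way to confirm that a vendor backport is in place. The path /usr/bin/pkexec, the package names polkit and policykit-1, and the assumption that the vendor changelog cites the CVE identifier are all assumptions, so a negative result means "unconfirmed", not "vulnerable".

```shell
#!/bin/sh
# Hypothetical post-patch check for CVE-2021-4034 on a Linux host.
# Exit status of audit_pkexec: 0 = nothing left to do, 1 = patch state unconfirmed.

# pkexec_suid PATH -> 0 if PATH exists, has the setuid bit and is owned by root.
pkexec_suid() {
    p=$1
    [ -u "$p" ] || return 1
    owner=$(stat -c %u "$p" 2>/dev/null || stat -f %u "$p" 2>/dev/null)
    [ "$owner" = "0" ]
}

# changelog_mentions_cve -> 0 if the installed polkit package changelog names the CVE.
# Assumes rpm (polkit) or Debian docs (policykit-1); other package managers are not handled.
changelog_mentions_cve() {
    if command -v rpm >/dev/null 2>&1; then
        rpm -q --changelog polkit 2>/dev/null | grep -q 'CVE-2021-4034'
    elif [ -r /usr/share/doc/policykit-1/changelog.Debian.gz ]; then
        zcat /usr/share/doc/policykit-1/changelog.Debian.gz | grep -q 'CVE-2021-4034'
    else
        return 1
    fi
}

# audit_pkexec [PATH] -> prints a verdict for the pkexec binary at PATH.
audit_pkexec() {
    p=${1:-/usr/bin/pkexec}   # assumed default install path
    if [ ! -e "$p" ]; then
        echo "$p not present: nothing to patch on this host"
        return 0
    fi
    if ! pkexec_suid "$p"; then
        echo "$p is not setuid-root: it cannot be used to gain root this way"
        return 0
    fi
    if changelog_mentions_cve; then
        echo "$p is setuid-root and the package changelog references CVE-2021-4034: vendor fix installed"
        return 0
    fi
    echo "$p is setuid-root and no CVE-2021-4034 reference was found: apply the vendor patch"
    return 1
}

# Usage: source this file, then run `audit_pkexec` or `audit_pkexec /path/to/pkexec`.
```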


Exploitation and Public Announcements 

The Ex Libris Security Incident Response Team (SIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory.


Record of Changes

Document Title: Security Advisory - Polkit Privilege Escalation Vulnerability (CVE-2021-4034) - February 02, 2022
Document Owner: Tomer Shemesh - Ex Libris Chief Information Security Officer (CISO)
Approved by: Barak Rozenblat – VP Cloud Services
Issued: February 02, 2022
Reviewed & Revised: February 02, 2022


Revision Control

Version Number | Nature of Change | Date Approved
1.0 | Initial version | February 02, 2022

Document Distribution and Review

The document owner will distribute this document to all approvers when it is first created and as changes or updates are made. This document will be reviewed and updated regularly or upon written request by an approver or stakeholder. Questions or feedback about this document can be directed to the owner or a listed approver.