CVE-2021-4034 Polkit Privilege

Discussion in 'News' started by David, Jan 27, 2022.

  1. David

    David Administrator
    Staff Member

    The CVE-2021-4034 vulnerability is not risky for the LF appliance because it does not use non-privileged accounts in the system for users. Standard LF appliances installed on-premise do not even have the polkit package installed, so these appliances are not vulnerable at all.
    • Attention should be paid if you have an LF appliance deployed in Azure, where polkit is used by management agents. The polkit in these VMs is vulnerable.
    • Attention should be paid to LF appliances where you may have some customization, such as installed 3rd-party packages (e.g. for monitoring), which could install polkit and add a local system account. The polkit in these VMs is vulnerable.
    The fixed polkit package is now available in the CentOS repository. The recommended way is to update either to LF version 3.5.16 or to version 3.6.7. If polkit had been installed on your LF machine, it will be updated to the fixed polkit-0.112-26.el7_9.1.x86_64 version.
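
A check an administrator could run to see which of the cases above applies to a given appliance, added here as an example and not part of the original post or of LF's tooling. The function name is hypothetical, the sample strings in the comments are constructed, and the comparison uses GNU `sort -V` as an approximation of RPM version ordering.

```shell
#!/bin/bash
# Fixed build named in the post above (CentOS 7).
FIXED_VR="0.112-26.el7_9.1"

# classify_polkit "<output of: rpm -q polkit>"
# Prints one of: not-installed | fixed | vulnerable | unknown
# Assumes a single line of rpm output (one installed polkit build).
classify_polkit() {
    local out="$1" vr lowest
    case "$out" in
        *"is not installed"*) echo "not-installed"; return 0 ;;
        polkit-[0-9]*) ;;                      # looks like polkit-<ver>-<rel>.<arch>
        *) echo "unknown"; return 0 ;;
    esac
    vr="${out#polkit-}"   # drop the package name
    vr="${vr%.*}"         # drop the architecture suffix, e.g. .x86_64
    # If the fixed build sorts first (or equal), the installed one is at least as new.
    lowest="$(printf '%s\n%s\n' "$vr" "$FIXED_VR" | sort -V | head -n 1)"
    if [ "$lowest" = "$FIXED_VR" ]; then
        echo "fixed"
    else
        echo "vulnerable"
    fi
}

# On the appliance itself:
#   classify_polkit "$(rpm -q polkit 2>&1)"
# Constructed samples:
#   classify_polkit "package polkit is not installed"   -> not-installed
#   classify_polkit "polkit-0.112-26.el7.x86_64"        -> vulnerable
#   classify_polkit "polkit-0.112-26.el7_9.1.x86_64"    -> fixed
```

A result of `vulnerable` corresponds to the Azure and customized-appliance cases in the post, where the update to LF 3.5.16 or 3.6.7 brings in the fixed package.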
     
