Platform
linux
Component
pacemaker
Fixed in
2.0.2
CVE-2019-3885 describes a use-after-free vulnerability discovered in Pacemaker, a cluster resource manager. This flaw allows for the potential leakage of sensitive information through system logs, potentially exposing critical configuration details or operational data. The vulnerability affects Pacemaker versions up to and including 2.0.1, and a fix is available in version 2.0.2.
The primary impact of CVE-2019-3885 is the potential for sensitive information leakage. While a use-after-free vulnerability can, in some cases, lead to denial-of-service or remote code execution, the description specifically highlights information leakage via system logs. This could include details about cluster configuration, resource dependencies, or even credentials used by Pacemaker. An attacker exploiting this vulnerability could gain valuable insights into the cluster's architecture and operation, potentially facilitating further attacks. The blast radius is limited to systems running Pacemaker and accessible to the attacker.
CVE-2019-3885 was publicly disclosed on April 18, 2019. There is no indication of active exploitation or KEV listing at this time. Public proof-of-concept exploits are not widely available, suggesting a relatively low probability of near-term exploitation. The vulnerability's impact is primarily information disclosure, which may make it less attractive to attackers compared to vulnerabilities with more severe consequences.
Exploit Status
EPSS
0.14% (35% percentile)
CVSS Vector
The recommended mitigation for CVE-2019-3885 is to upgrade Pacemaker to version 2.0.2 or later. If an immediate upgrade is not feasible due to compatibility concerns or system downtime requirements, consider implementing stricter access controls to the system logs to limit the visibility of sensitive information. Monitoring system logs for unusual activity or errors related to Pacemaker can also help detect potential exploitation attempts. While a WAF is unlikely to directly mitigate this vulnerability, it can help protect against related attacks that leverage the leaked information.
Update pacemaker to a version later than 2.0.1. This will resolve the use-after-free vulnerability that could leak sensitive information through system logs.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2019-3885 is a use-after-free vulnerability affecting Pacemaker versions up to 2.0.1, potentially leading to sensitive information leakage through system logs.
You are affected if you are running Pacemaker version 2.0.1 or earlier. Upgrade to version 2.0.2 or later to mitigate the vulnerability.
Upgrade Pacemaker to version 2.0.2 or later. If immediate upgrade is not possible, restrict access to system logs and monitor for unusual activity.
There is currently no evidence of active exploitation of CVE-2019-3885.
Refer to the Pacemaker project website and relevant security mailing lists for official advisories and updates related to CVE-2019-3885.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.