CVE-2023-2319

9.8 CRITICAL

📋 TL;DR

CVE-2023-2319 is a security regression in Red Hat Enterprise Linux 9.2 where a previously fixed Webpack vulnerability (CVE-2023-28154) was reintroduced in the PCS package. This allows potential remote code execution through the Pacemaker/Corosync Configuration System web interface. Only Red Hat Enterprise Linux 9.2 systems with the PCS package from the RHBA-2023:2151 erratum are affected.

💻 Affected Systems

Products:
  • Red Hat Enterprise Linux
Versions: 9.2 only (specifically systems updated with RHBA-2023:2151 erratum)
Operating Systems: Red Hat Enterprise Linux 9.2
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects RHEL 9.2 systems that received the RHBA-2023:2151 update. RHEL 9.1 and earlier versions are not vulnerable as they contain the proper fix from RHSA-2023:1591.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote unauthenticated attacker gains root privileges on affected systems through the PCS web interface, leading to complete system compromise.

🟠 Likely Case

Authenticated attacker with PCS web interface access escalates privileges to execute arbitrary code with elevated permissions.

🟢 If Mitigated

Systems without the PCS web interface exposed, or with proper network segmentation, experience minimal impact.

🌐 Internet-Facing: HIGH if PCS web interface is exposed to internet without authentication or proper controls.
🏢 Internal Only: MEDIUM for internal systems with PCS web interface accessible to authenticated users.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation leverages the reintroduced CVE-2023-28154 vulnerability in Webpack. Attack path depends on PCS web interface accessibility.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: RHSA-2023:2652 erratum

Vendor Advisory: https://access.redhat.com/errata/RHSA-2023:2652

Restart Required: Yes

Instructions:

1. Update system: sudo dnf update pcs
2. Verify update: sudo dnf info pcs
3. Restart PCS services: sudo systemctl restart pcsd
4. Verify fix: check that the pcs package version includes RHSA-2023:2652

🔧 Temporary Workarounds

Disable PCS Web Interface

Temporarily disable the PCS web interface to prevent exploitation while patching.

sudo systemctl stop pcsd
sudo systemctl disable pcsd

Network Restriction

Restrict network access to the PCS web interface using firewall rules. Note that the high-availability firewalld service also covers the Corosync cluster ports, so removing it blocks cluster traffic as well as the pcsd web interface.

sudo firewall-cmd --permanent --remove-service=high-availability
sudo firewall-cmd --reload

🧯 If You Can't Patch

  • Isolate affected systems from untrusted networks using firewall rules
  • Implement strict access controls and authentication for PCS web interface

🔍 How to Verify

Check if Vulnerable:

Check whether the system is RHEL 9.2 and has the pcs package from RHBA-2023:2151:

rpm -q pcs --changelog | grep 'RHBA-2023:2151'

Check Version:

rpm -q pcs

Verify Fix Applied:

Verify that the pcs package includes the RHSA-2023:2652 fix:

rpm -q pcs --changelog | grep 'RHSA-2023:2652'
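To combine the two changelog checks above into one decision, here is an added example in POSIX shell (not from the advisory): `pcs_status` and `check_host` are hypothetical names, the changelog excerpts are constructed, and the script assumes, as the advisory's check does, that the erratum ids appear in the output of `rpm -q pcs --changelog`.

```shell
#!/bin/sh
# Added example (not part of the advisory): classify the installed pcs package
# from the text of `rpm -q pcs --changelog`, following the advisory's own check.
# Assumes, as the advisory does, that the erratum ids appear in the changelog.
# Output is one of FIXED, VULNERABLE, NOT_AFFECTED.
pcs_status() {
    # The fix erratum must be tested first: a patched package's changelog still
    # carries the RHBA-2023:2151 entry that introduced the regression.
    case "$1" in
        *RHSA-2023:2652*) echo FIXED ;;
        *RHBA-2023:2151*) echo VULNERABLE ;;
        *)                echo NOT_AFFECTED ;;
    esac
}

# Check the local host; does nothing where rpm or the pcs package is absent.
check_host() {
    if ! command -v rpm >/dev/null 2>&1; then
        echo "rpm not available; skipping host check"
        return 0
    fi
    if ! rpm -q pcs >/dev/null 2>&1; then
        echo "pcs not installed: NOT_AFFECTED"
        return 0
    fi
    pcs_status "$(rpm -q pcs --changelog)"
}

# Constructed changelog excerpts used as sample input (not real RHEL changelogs).
SAMPLE_VULN='* Mon Jan 01 2023 Example Maintainer <maint@example.org> - <version>
- Rebuild for RHBA-2023:2151
* Mon Jan 01 2023 Example Maintainer <maint@example.org> - <version>
- Fix CVE-2023-28154 in bundled webpack (RHSA-2023:1591)'
SAMPLE_FIXED="* Mon Jan 01 2023 Example Maintainer <maint@example.org> - <version>
- Restore fix for CVE-2023-28154 (RHSA-2023:2652)
$SAMPLE_VULN"

# Run against the samples, then against this host.
echo "sample vulnerable: $(pcs_status "$SAMPLE_VULN")"   # VULNERABLE
echo "sample fixed:      $(pcs_status "$SAMPLE_FIXED")"  # FIXED
check_host
```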

📡 Detection & Monitoring

Log Indicators:

  • Unusual PCS web interface access patterns
  • Unauthenticated access attempts to pcsd service
  • Unexpected process execution from pcsd context

Network Indicators:

  • Unusual traffic to port 2224 (default pcsd port)
  • Suspicious HTTP requests to PCS web interface

SIEM Query:

source="pcsd" AND (event="authentication_failure" OR event="unauthorized_access")
