Security Notices

2022-01-26 Local privilege escalation vulnerability was found on polkit's pkexec utility (CVE-2021-4034)

CVE-2021-4034: Local privilege escalation vulnerability was found on polkit’s pkexec utility.

A memory corruption vulnerability in polkit’s pkexec, a SUID-root program that is installed by default on every major Linux distribution.

Successful exploitation of this vulnerability allows any unprivileged user to gain root privileges on the vulnerable host.

All Polkit versions from 2009 onwards are vulnerable.

Affected Platforms

Bitnami containers and Helm charts do not include the ‘pkexec’ binary and are, in turn, not affected by this CVE.

Bitnami Virtual Machines (OVA) based on CentOS include ‘pkexec’ so they are vulnerable to this CVE.

How To Patch It

A fixed version of ‘polkit’ package is already available in CentOS repositories. Run the following command to upgrade it:

$ sudo yum update

The fixed version of the package is ‘polkit-0.112-26.el7_9.1.x86_64’.

The Bitnami team continues releasing new versions of the applications for CentOS Virtual Machines (OVAs) with the fixed package.

If you have any questions about this security issue, you can visit this github repository in the case of cloud images, installers or VMs.

Last modification June 29, 2022