CVE-2021-3020 SUSE CVE security@suse.de SUSE Security Team SUSE CVE-2021-3020 Interim 1 36 2025-12-23T03:25:34Z current 2021-05-30T14:46:32Z 2025-12-23T03:25:34Z cve-database/bin/generate-cvrf-cve.pl 2020-12-27T01:00:00Z CVE-2021-3020 An issue was discovered in ClusterLabs Hawk (aka HA Web Konsole) through 2.3.0-15. It ships the binary hawk_invoke (built from tools/hawk_invoke.c), intended to be used as a setuid program. This allows the hacluster user to invoke certain commands as root (with an attempt to limit this to safe combinations). This user is able to execute an interactive "shell" that isn't limited to the commands specified in hawk_invoke, allowing escalation to root. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). https://lists.suse.com/pipermail/sle-security-updates/2021-March/008437.html E-Mail link for SUSE-SU-2021:0722-1 https://lists.suse.com/pipermail/sle-security-updates/2021-March/008474.html E-Mail link for SUSE-SU-2021:0771-1 https://lists.suse.com/pipermail/sle-security-updates/2021-March/008489.html E-Mail link for SUSE-SU-2021:0781-1 https://lists.suse.com/pipermail/sle-security-updates/2021-March/008487.html E-Mail link for SUSE-SU-2021:0782-1 https://lists.suse.com/pipermail/sle-security-updates/2021-March/008511.html E-Mail link for SUSE-SU-2021:0806-1 https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/BNDVFBI7G272LNZ2QQZ4MY56KX2J4C36/ E-Mail link for openSUSE-SU-2021:0410-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings Image SLES12-SP5-Azure-SAP-BYOS Image SLES12-SP5-Azure-SAP-On-Demand Image SLES12-SP5-EC2-SAP-BYOS Image SLES12-SP5-EC2-SAP-On-Demand Image SLES12-SP5-GCE-SAP-BYOS Image SLES12-SP5-GCE-SAP-On-Demand Image SLES12-SP5-OCI-BYOS-SAP-BYOS Image SLES12-SP5-SAP-Azure-LI-BYOS-Production Image SLES12-SP5-SAP-Azure-VLI-BYOS-Production Image SLES15-SP3-SAP-Azure-LI-BYOS-Production Image SLES15-SP3-SAP-Azure-VLI-BYOS-Production Image SLES15-SP3-SAP-BYOS-Azure Image SLES15-SP3-SAP-BYOS-EC2-HVM Image SLES15-SP3-SAP-BYOS-GCE SUSE Linux Enterprise High Availability Extension 12 SP3 SUSE Linux Enterprise High Availability Extension 12 SP4 SUSE Linux Enterprise High Availability Extension 12 SP5 SUSE Linux Enterprise High Availability Extension 15 SUSE Linux Enterprise High Availability Extension 15 SP1 SUSE Linux Enterprise High Availability Extension 15 SP2 SUSE Linux Enterprise High Availability Extension 15 SP3 SUSE Linux Enterprise Server for SAP Applications 12 SP3 SUSE Linux Enterprise Server for SAP Applications 12 SP4 SUSE Linux Enterprise Server for SAP Applications 12 SP5 openSUSE Leap 15.2 crmsh-3.0.4+git.1614156978.4c1dc46d-13.62.1 crmsh-4.1.0+git.1614156984.f4f5e146-2.56.2 crmsh-4.3.0+20210219.5d1bf034-3.57.3 crmsh-4.3.0+20210219.5d1bf034-3.62.3 crmsh-4.3.0+20210305.9db5c9a8-5.42.1 crmsh-4.3.0+20210305.9db5c9a8-lp152.4.47.1 crmsh-scripts-3.0.4+git.1614156978.4c1dc46d-13.62.1 crmsh-scripts-4.1.0+git.1614156984.f4f5e146-2.56.2 crmsh-scripts-4.3.0+20210219.5d1bf034-3.57.3 crmsh-scripts-4.3.0+20210219.5d1bf034-3.62.3 crmsh-scripts-4.3.0+20210305.9db5c9a8-5.42.1 crmsh-scripts-4.3.0+20210305.9db5c9a8-lp152.4.47.1 crmsh-test-4.3.0+20210305.9db5c9a8-lp152.4.47.1 hawk2 crmsh-4.1.0+git.1614156984.f4f5e146-2.56.2 as a component of Image SLES12-SP5-Azure-SAP-BYOS crmsh-scripts-4.1.0+git.1614156984.f4f5e146-2.56.2 as a component of Image SLES12-SP5-Azure-SAP-BYOS crmsh-4.1.0+git.1614156984.f4f5e146-2.56.2 as a component of Image SLES12-SP5-Azure-SAP-On-Demand crmsh-scripts-4.1.0+git.1614156984.f4f5e146-2.56.2 as a component of Image SLES12-SP5-Azure-SAP-On-Demand crmsh-4.1.0+git.1614156984.f4f5e146-2.56.2 as a component of Image SLES12-SP5-EC2-SAP-BYOS crmsh-scripts-4.1.0+git.1614156984.f4f5e146-2.56.2 as a component of Image SLES12-SP5-EC2-SAP-BYOS crmsh-4.1.0+git.1614156984.f4f5e146-2.56.2 as a component of Image SLES12-SP5-EC2-SAP-On-Demand crmsh-scripts-4.1.0+git.1614156984.f4f5e146-2.56.2 as a component of Image SLES12-SP5-EC2-SAP-On-Demand crmsh-4.1.0+git.1614156984.f4f5e146-2.56.2 as a component of Image SLES12-SP5-GCE-SAP-BYOS crmsh-scripts-4.1.0+git.1614156984.f4f5e146-2.56.2 as a component of Image SLES12-SP5-GCE-SAP-BYOS crmsh-4.1.0+git.1614156984.f4f5e146-2.56.2 as a component of Image SLES12-SP5-GCE-SAP-On-Demand crmsh-scripts-4.1.0+git.1614156984.f4f5e146-2.56.2 as a component of Image SLES12-SP5-GCE-SAP-On-Demand crmsh-4.1.0+git.1614156984.f4f5e146-2.56.2 as a component of Image SLES12-SP5-OCI-BYOS-SAP-BYOS crmsh-scripts-4.1.0+git.1614156984.f4f5e146-2.56.2 as a component of Image SLES12-SP5-OCI-BYOS-SAP-BYOS crmsh-4.1.0+git.1614156984.f4f5e146-2.56.2 as a component of Image SLES12-SP5-SAP-Azure-LI-BYOS-Production crmsh-scripts-4.1.0+git.1614156984.f4f5e146-2.56.2 as a component of Image SLES12-SP5-SAP-Azure-LI-BYOS-Production crmsh-4.1.0+git.1614156984.f4f5e146-2.56.2 as a component of Image SLES12-SP5-SAP-Azure-VLI-BYOS-Production crmsh-scripts-4.1.0+git.1614156984.f4f5e146-2.56.2 as a component of Image SLES12-SP5-SAP-Azure-VLI-BYOS-Production crmsh-4.3.0+20210305.9db5c9a8-5.42.1 as a component of Image SLES15-SP3-SAP-Azure-LI-BYOS-Production crmsh-scripts-4.3.0+20210305.9db5c9a8-5.42.1 as a component of Image SLES15-SP3-SAP-Azure-LI-BYOS-Production crmsh-4.3.0+20210305.9db5c9a8-5.42.1 as a component of Image SLES15-SP3-SAP-Azure-VLI-BYOS-Production crmsh-scripts-4.3.0+20210305.9db5c9a8-5.42.1 as a component of Image SLES15-SP3-SAP-Azure-VLI-BYOS-Production crmsh-4.3.0+20210305.9db5c9a8-5.42.1 as a component of Image SLES15-SP3-SAP-BYOS-Azure crmsh-scripts-4.3.0+20210305.9db5c9a8-5.42.1 as a component of Image SLES15-SP3-SAP-BYOS-Azure crmsh-4.3.0+20210305.9db5c9a8-5.42.1 as a component of Image SLES15-SP3-SAP-BYOS-EC2-HVM crmsh-scripts-4.3.0+20210305.9db5c9a8-5.42.1 as a component of Image SLES15-SP3-SAP-BYOS-EC2-HVM crmsh-4.3.0+20210305.9db5c9a8-5.42.1 as a component of Image SLES15-SP3-SAP-BYOS-GCE crmsh-scripts-4.3.0+20210305.9db5c9a8-5.42.1 as a component of Image SLES15-SP3-SAP-BYOS-GCE crmsh-3.0.4+git.1614156978.4c1dc46d-13.62.1 as a component of SUSE Linux Enterprise High Availability Extension 12 SP3 crmsh-scripts-3.0.4+git.1614156978.4c1dc46d-13.62.1 as a component of SUSE Linux Enterprise High Availability Extension 12 SP3 crmsh-4.1.0+git.1614156984.f4f5e146-2.56.2 as a component of SUSE Linux Enterprise High Availability Extension 12 SP4 crmsh-scripts-4.1.0+git.1614156984.f4f5e146-2.56.2 as a component of SUSE Linux Enterprise High Availability Extension 12 SP4 crmsh-4.1.0+git.1614156984.f4f5e146-2.56.2 as a component of SUSE Linux Enterprise High Availability Extension 12 SP5 crmsh-scripts-4.1.0+git.1614156984.f4f5e146-2.56.2 as a component of SUSE Linux Enterprise High Availability Extension 12 SP5 crmsh-4.3.0+20210219.5d1bf034-3.62.3 as a component of SUSE Linux Enterprise High Availability Extension 15 crmsh-scripts-4.3.0+20210219.5d1bf034-3.62.3 as a component of SUSE Linux Enterprise High Availability Extension 15 crmsh-4.3.0+20210219.5d1bf034-3.57.3 as a component of SUSE Linux Enterprise High Availability Extension 15 SP1 crmsh-scripts-4.3.0+20210219.5d1bf034-3.57.3 as a component of SUSE Linux Enterprise High Availability Extension 15 SP1 crmsh-4.3.0+20210305.9db5c9a8-5.42.1 as a component of SUSE Linux Enterprise High Availability Extension 15 SP2 crmsh-scripts-4.3.0+20210305.9db5c9a8-5.42.1 as a component of SUSE Linux Enterprise High Availability Extension 15 SP2 crmsh-4.3.0+20210305.9db5c9a8-5.42.1 as a component of SUSE Linux Enterprise High Availability Extension 15 SP3 crmsh-scripts-4.3.0+20210305.9db5c9a8-5.42.1 as a component of SUSE Linux Enterprise High Availability Extension 15 SP3 crmsh-4.3.0+20210305.9db5c9a8-lp152.4.47.1 as a component of openSUSE Leap 15.2 crmsh-scripts-4.3.0+20210305.9db5c9a8-lp152.4.47.1 as a component of openSUSE Leap 15.2 crmsh-test-4.3.0+20210305.9db5c9a8-lp152.4.47.1 as a component of openSUSE Leap 15.2 hawk2 as a component of SUSE Linux Enterprise High Availability Extension 12 SP3 hawk2 as a component of SUSE Linux Enterprise High Availability Extension 12 SP4 hawk2 as a component of SUSE Linux Enterprise High Availability Extension 12 SP5 hawk2 as a component of SUSE Linux Enterprise High Availability Extension 15 hawk2 as a component of SUSE Linux Enterprise High Availability Extension 15 SP1 hawk2 as a component of SUSE Linux Enterprise High Availability Extension 15 SP2 hawk2 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP3 hawk2 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP4 hawk2 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP5 An issue was discovered in ClusterLabs Hawk (aka HA Web Konsole) through 2.3.0-15. It ships the binary hawk_invoke (built from tools/hawk_invoke.c), intended to be used as a setuid program. This allows the hacluster user to invoke certain commands as root (with an attempt to limit this to safe combinations). This user is able to execute an interactive "shell" that isn't limited to the commands specified in hawk_invoke, allowing escalation to root. CVE-2021-3020 Image SLES12-SP5-Azure-SAP-BYOS:crmsh-4.1.0+git.1614156984.f4f5e146-2.56.2 Image SLES12-SP5-Azure-SAP-BYOS:crmsh-scripts-4.1.0+git.1614156984.f4f5e146-2.56.2 Image SLES12-SP5-Azure-SAP-On-Demand:crmsh-4.1.0+git.1614156984.f4f5e146-2.56.2 Image SLES12-SP5-Azure-SAP-On-Demand:crmsh-scripts-4.1.0+git.1614156984.f4f5e146-2.56.2 Image SLES12-SP5-EC2-SAP-BYOS:crmsh-4.1.0+git.1614156984.f4f5e146-2.56.2 Image SLES12-SP5-EC2-SAP-BYOS:crmsh-scripts-4.1.0+git.1614156984.f4f5e146-2.56.2 Image SLES12-SP5-EC2-SAP-On-Demand:crmsh-4.1.0+git.1614156984.f4f5e146-2.56.2 Image SLES12-SP5-EC2-SAP-On-Demand:crmsh-scripts-4.1.0+git.1614156984.f4f5e146-2.56.2 Image SLES12-SP5-GCE-SAP-BYOS:crmsh-4.1.0+git.1614156984.f4f5e146-2.56.2 Image SLES12-SP5-GCE-SAP-BYOS:crmsh-scripts-4.1.0+git.1614156984.f4f5e146-2.56.2 Image SLES12-SP5-GCE-SAP-On-Demand:crmsh-4.1.0+git.1614156984.f4f5e146-2.56.2 Image SLES12-SP5-GCE-SAP-On-Demand:crmsh-scripts-4.1.0+git.1614156984.f4f5e146-2.56.2 Image SLES12-SP5-OCI-BYOS-SAP-BYOS:crmsh-4.1.0+git.1614156984.f4f5e146-2.56.2 Image SLES12-SP5-OCI-BYOS-SAP-BYOS:crmsh-scripts-4.1.0+git.1614156984.f4f5e146-2.56.2 Image SLES12-SP5-SAP-Azure-LI-BYOS-Production:crmsh-4.1.0+git.1614156984.f4f5e146-2.56.2 Image SLES12-SP5-SAP-Azure-LI-BYOS-Production:crmsh-scripts-4.1.0+git.1614156984.f4f5e146-2.56.2 Image SLES12-SP5-SAP-Azure-VLI-BYOS-Production:crmsh-4.1.0+git.1614156984.f4f5e146-2.56.2 Image SLES12-SP5-SAP-Azure-VLI-BYOS-Production:crmsh-scripts-4.1.0+git.1614156984.f4f5e146-2.56.2 Image SLES15-SP3-SAP-Azure-LI-BYOS-Production:crmsh-4.3.0+20210305.9db5c9a8-5.42.1 Image SLES15-SP3-SAP-Azure-LI-BYOS-Production:crmsh-scripts-4.3.0+20210305.9db5c9a8-5.42.1 Image SLES15-SP3-SAP-Azure-VLI-BYOS-Production:crmsh-4.3.0+20210305.9db5c9a8-5.42.1 Image SLES15-SP3-SAP-Azure-VLI-BYOS-Production:crmsh-scripts-4.3.0+20210305.9db5c9a8-5.42.1 Image SLES15-SP3-SAP-BYOS-Azure:crmsh-4.3.0+20210305.9db5c9a8-5.42.1 Image SLES15-SP3-SAP-BYOS-Azure:crmsh-scripts-4.3.0+20210305.9db5c9a8-5.42.1 Image SLES15-SP3-SAP-BYOS-EC2-HVM:crmsh-4.3.0+20210305.9db5c9a8-5.42.1 Image SLES15-SP3-SAP-BYOS-EC2-HVM:crmsh-scripts-4.3.0+20210305.9db5c9a8-5.42.1 Image SLES15-SP3-SAP-BYOS-GCE:crmsh-4.3.0+20210305.9db5c9a8-5.42.1 Image SLES15-SP3-SAP-BYOS-GCE:crmsh-scripts-4.3.0+20210305.9db5c9a8-5.42.1 SUSE Linux Enterprise High Availability Extension 12 SP3:crmsh-3.0.4+git.1614156978.4c1dc46d-13.62.1 SUSE Linux Enterprise High Availability Extension 12 SP3:crmsh-scripts-3.0.4+git.1614156978.4c1dc46d-13.62.1 SUSE Linux Enterprise High Availability Extension 12 SP4:crmsh-4.1.0+git.1614156984.f4f5e146-2.56.2 SUSE Linux Enterprise High Availability Extension 12 SP4:crmsh-scripts-4.1.0+git.1614156984.f4f5e146-2.56.2 SUSE Linux Enterprise High Availability Extension 12 SP5:crmsh-4.1.0+git.1614156984.f4f5e146-2.56.2 SUSE Linux Enterprise High Availability Extension 12 SP5:crmsh-scripts-4.1.0+git.1614156984.f4f5e146-2.56.2 SUSE Linux Enterprise High Availability Extension 15:crmsh-4.3.0+20210219.5d1bf034-3.62.3 SUSE Linux Enterprise High Availability Extension 15:crmsh-scripts-4.3.0+20210219.5d1bf034-3.62.3 SUSE Linux Enterprise High Availability Extension 15 SP1:crmsh-4.3.0+20210219.5d1bf034-3.57.3 SUSE Linux Enterprise High Availability Extension 15 SP1:crmsh-scripts-4.3.0+20210219.5d1bf034-3.57.3 SUSE Linux Enterprise High Availability Extension 15 SP2:crmsh-4.3.0+20210305.9db5c9a8-5.42.1 SUSE Linux Enterprise High Availability Extension 15 SP2:crmsh-scripts-4.3.0+20210305.9db5c9a8-5.42.1 SUSE Linux Enterprise High Availability Extension 15 SP3:crmsh-4.3.0+20210305.9db5c9a8-5.42.1 SUSE Linux Enterprise High Availability Extension 15 SP3:crmsh-scripts-4.3.0+20210305.9db5c9a8-5.42.1 SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 SP3:crmsh-test-4.3.0+20210305.9db5c9a8-5.42.1 openSUSE Leap 15.2:crmsh-4.3.0+20210305.9db5c9a8-lp152.4.47.1 openSUSE Leap 15.2:crmsh-scripts-4.3.0+20210305.9db5c9a8-lp152.4.47.1 openSUSE Leap 15.2:crmsh-test-4.3.0+20210305.9db5c9a8-lp152.4.47.1 SUSE Linux Enterprise High Availability Extension 12 SP3:hawk2 SUSE Linux Enterprise High Availability Extension 12 SP4:hawk2 SUSE Linux Enterprise High Availability Extension 12 SP5:hawk2 SUSE Linux Enterprise High Availability Extension 15 SP1:hawk2 SUSE Linux Enterprise High Availability Extension 15 SP2:hawk2 SUSE Linux Enterprise High Availability Extension 15:hawk2 SUSE Linux Enterprise Server for SAP Applications 12 SP3:hawk2 SUSE Linux Enterprise Server for SAP Applications 12 SP4:hawk2 SUSE Linux Enterprise Server for SAP Applications 12 SP5:hawk2 important 8.4 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H