Ken Gaillot discovered a vulnerability in the Pacemaker cluster
resource manager: If ACLs were configured for users in the "haclient"
group, the ACL restrictions could be bypassed via unrestricted IPC
communication, resulting in cluster-wide arbitrary code execution with

If the "enable-acl" cluster option isn't enabled, members of the
"haclient" group can modify Pacemaker's Cluster Information Base
restriction, which already gives them these capabilities, so there is
no additional exposure in such a setup.

For the stable distribution (buster), this problem has been fixed in

We recommend that you upgrade your pacemaker packages.
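
The exposure conditions stated above (ACLs enabled, accounts in the "haclient" group) can be checked per node with the following added example, which is not part of the advisory or of Pacemaker. The function names are hypothetical; the script assumes that Pacemaker accepts true/on/yes/y/1 as boolean true and that the hacluster account is never subject to ACLs, so it is left out of the result.

```shell
#!/bin/sh
# Added example, not Debian's or Pacemaker's code. Function names are hypothetical.

# Exit 0 when the value is one Pacemaker parses as boolean true.
acl_enabled() {
    case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
        true|on|yes|y|1) return 0 ;;
        *) return 1 ;;
    esac
}

# $1 = group(5) line for haclient, $2 = passwd(5) text.
# Prints accounts that have haclient as a supplementary or primary group.
# hacluster is skipped (assumption: ACLs never apply to that account).
haclient_users() {
    gid=$(printf '%s\n' "$1" | cut -d: -f3)
    {
        printf '%s\n' "$1" | cut -d: -f4 | tr ',' '\n'
        printf '%s\n' "$2" | awk -F: -v g="$gid" '$4 == g { print $1 }'
    } | grep -vx 'hacluster' | sed '/^$/d' | sort -u
}

# $1 = enable-acl value ("" when unset), $2 = group line, $3 = passwd text.
assess() {
    users=$(haclient_users "$2" "$3" | tr '\n' ' ' | sed 's/ $//')
    if ! acl_enabled "$1"; then
        echo "no-additional-exposure: enable-acl is off, haclient members are already unrestricted"
    elif [ -z "$users" ]; then
        echo "not-exposed: enable-acl is on but no ACL-restricted haclient accounts exist"
    else
        echo "affected-configuration: ACL-restricted haclient accounts: $users; upgrade pacemaker"
    fi
}

case "${1:-}" in
    --live)  # query the running cluster and the local account databases
        value=$(crm_attribute --type crm_config --name enable-acl --query --quiet 2>/dev/null || true)
        assess "$value" "$(getent group haclient)" "$(getent passwd)" ;;
    --demo)  # constructed sample data, not taken from a real system
        assess true 'haclient:x:113:alice,bob' \
            'carol:x:1002:113::/home/carol:/bin/bash' ;;
esac
```

The script reports only whether the configuration matches the advisory's conditions; it does not check the installed pacemaker package version.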