Main Vulnerability Database SB2021062232

SB2021062232 - SUSE update for SUSE Manager Server 4.1

Published: June 22, 2021

Security Bulletin ID SB2021062232

CSH Severity

Medium

Patch available

YES

Number of vulnerabilities 2

Exploitation vector Remote access

Highest impact Code execution

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 2 vulnerabilities.

1) Infinite loop (CVE-ID: CVE-2021-28657)

CWE-ID: CWE-835 - Loop with Unreachable Exit Condition ('Infinite Loop')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to infinite loop within MP3Parser component. A remote attacker can suply a specially crafted file, consume all available system resources and cause denial of service conditions.

2) Command Injection (CVE-ID: CVE-2021-31607)

CWE-ID: CWE-77 - Command injection

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to command injection in the snapper module. A local user can escalate privileges on a minion.

Remediation

Install update from vendor's website.

References

https://www.suse.com/support/update/announcement/2021/suse-su-20212098-1/

Vulnerable Software

SUSE Linux Enterprise Module for SUSE Manager Server: 4.1
grafana-formula: before 0.4.1-3.9.2
prometheus-exporters-formula: before 0.9.1-3.22.1
golang-github-prometheus-node_exporter: before 1.1.2-3.6.5
tika-core: before 1.26-3.5.2
patterns-suma_retail: before 4.1-6.9.2
patterns-suma_server: before 4.1-6.9.2
python3-uyuni-common-libs: before 4.1.8-3.9.1
spacewalk-admin: before 4.1.9-3.12.2
susemanager-docs_en-pdf: before 4.1-11.34.2
susemanager-docs_en: before 4.1-11.34.2
susemanager-doc-indexes: before 4.1-11.34.8
spacewalk-branding: before 4.1.12-3.12.2
susemanager-sync-data: before 4.1.14-3.23.2
spacewalk-utils-extras: before 4.1.16-3.18.2
spacewalk-utils: before 4.1.16-3.18.2
python3-spacewalk-certs-tools: before 4.1.17-3.17.2
spacewalk-certs-tools: before 4.1.17-3.17.2
susemanager-schema: before 4.1.21-3.30.6
spacewalk-backend-tools: before 4.1.25-4.32.6
spacewalk-backend-xmlrpc: before 4.1.25-4.32.6
spacewalk-backend-xml-export-libs: before 4.1.25-4.32.6
spacewalk-backend-sql-postgresql: before 4.1.25-4.32.6
spacewalk-backend-sql: before 4.1.25-4.32.6
spacewalk-backend-package-push-server: before 4.1.25-4.32.6
spacewalk-backend-app: before 4.1.25-4.32.6
spacewalk-backend: before 4.1.25-4.32.6
spacewalk-backend-applet: before 4.1.25-4.32.6
spacewalk-backend-config-files: before 4.1.25-4.32.6
spacewalk-backend-server: before 4.1.25-4.32.6
spacewalk-backend-config-files-common: before 4.1.25-4.32.6
spacewalk-backend-config-files-tool: before 4.1.25-4.32.6
spacewalk-backend-iss: before 4.1.25-4.32.6
spacewalk-backend-iss-export: before 4.1.25-4.32.6
spacewalk-base-minimal-config: before 4.1.26-3.24.8
spacewalk-base-minimal: before 4.1.26-3.24.8
spacewalk-html: before 4.1.26-3.24.8
spacewalk-base: before 4.1.26-3.24.8
susemanager-web-libs: before 4.1.26-3.24.8
susemanager: before 4.1.26-3.25.1
susemanager-tools: before 4.1.26-3.25.1
susemanager-sls: before 4.1.28-3.42.1
uyuni-config-modules: before 4.1.28-3.42.1
spacewalk-taskomatic: before 4.1.36-3.44.1
spacewalk-java-postgresql: before 4.1.36-3.44.1
spacewalk-java-lib: before 4.1.36-3.44.1
spacewalk-java-config: before 4.1.36-3.44.1
spacewalk-java: before 4.1.36-3.44.1
susemanager-build-keys-web: before 15.2.4-3.17.1
susemanager-build-keys: before 15.2.4-3.17.1
py26-compat-salt: before 2016.11.10-6.14.2
py27-compat-salt: before 3000.3-6.3.2

SB2021062232 - SUSE update for SUSE Manager Server 4.1

Breakdown by Severity

Description

Remediation

References

Please verify you're human