SUSE update for aws-cli, python-boto3, python-botocore, python-service_identity, python-trustme, python-urllib3

Published: 2021-08-23

Risk	Medium
Patch available	YES
Number of vulnerabilities	1
CVE-ID	CVE-2020-26137
CWE-ID	CWE-93
Exploitation vector	Network
Public exploit	N/A
Vulnerable software Subscribe	SUSE Linux Enterprise Module for Public Cloud Operating systems & Components / Operating system SUSE Linux Enterprise Module for Python2 Operating systems & Components / Operating system SUSE Manager Proxy Operating systems & Components / Operating system SUSE Manager Retail Branch Server Operating systems & Components / Operating system SUSE Manager Server Operating systems & Components / Operating system SUSE Linux Enterprise Server for SAP Operating systems & Components / Operating system SUSE Linux Enterprise High Performance Computing Operating systems & Components / Operating system SUSE Enterprise Storage Operating systems & Components / Operating system SUSE CaaS Platform Operating systems & Components / Operating system SUSE MicroOS Operating systems & Components / Operating system SUSE Linux Enterprise Server Operating systems & Components / Operating system SUSE Linux Enterprise Module for Basesystem Operating systems & Components / Operating system SUSE Linux Enterprise Module for Packagehub Subpackages Operating systems & Components / Operating system package or component python3-cryptography-debuginfo Operating systems & Components / Operating system package or component python3-cffi-debuginfo Operating systems & Components / Operating system package or component python2-botocore Operating systems & Components / Operating system package or component python2-boto3 Operating systems & Components / Operating system package or component python3-trustme Operating systems & Components / Operating system package or component python3-service_identity Operating systems & Components / Operating system package or component aws-cli Operating systems & Components / Operating system package or component python2-pyOpenSSL Operating systems & Components / Operating system package or component python2-cryptography-debuginfo Operating systems & Components / Operating system package or component python2-cryptography Operating systems & Components / Operating system package or component python2-cffi-debuginfo Operating systems & Components / Operating system package or component python2-cffi Operating systems & Components / Operating system package or component python-cryptography-debugsource Operating systems & Components / Operating system package or component python-cryptography-debuginfo Operating systems & Components / Operating system package or component python-cffi-debugsource Operating systems & Components / Operating system package or component python-cffi-debuginfo Operating systems & Components / Operating system package or component python3-botocore Operating systems & Components / Operating system package or component python3-boto3 Operating systems & Components / Operating system package or component python2-urllib3 Operating systems & Components / Operating system package or component python2-pycparser Operating systems & Components / Operating system package or component python2-pyasn1 Operating systems & Components / Operating system package or component python2-asn1crypto Operating systems & Components / Operating system package or component python3-urllib3 Operating systems & Components / Operating system package or component python3-pycparser Operating systems & Components / Operating system package or component python3-pyasn1 Operating systems & Components / Operating system package or component python3-pyOpenSSL Operating systems & Components / Operating system package or component python3-asn1crypto Operating systems & Components / Operating system package or component python3-cryptography Operating systems & Components / Operating system package or component python3-cffi Operating systems & Components / Operating system package or component
Vendor	SUSE

Security Bulletin

This security bulletin contains one medium risk vulnerability.

1) CRLF injection

EUVDB-ID: #VU47403

Risk: Medium

CVSSv3.1: 4.4 [CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-26137

CWE-ID: CWE-93 - Improper Neutralization of CRLF Sequences ('CRLF Injection')

Exploit availability: No

Description

The vulnerability allows a remote attacker to inject arbitrary data in server response.

The vulnerability exists due to insufficient validation of attacker-supplied data passed via the "method" parameter. A remote authenticated attacker can pass specially crafted data to the application containing CR-LF characters and modify application behavior.

Mitigation

Update the affected package aws-cli, python-boto3, python-botocore, python-service_identity, python-trustme, python-urllib3 to the latest version.

Vulnerable software versions

SUSE Linux Enterprise Module for Public Cloud: 15-SP1 - 15-SP3

SUSE Linux Enterprise Module for Python2: 15-SP2 - 15-SP3

SUSE Manager Proxy: 4.0

SUSE Manager Retail Branch Server: 4.0

SUSE Manager Server: 4.0

SUSE Linux Enterprise Server for SAP: 15-SP1

SUSE Linux Enterprise High Performance Computing: 15-SP1-ESPOS - 15-SP1-LTSS

SUSE Enterprise Storage: 6

SUSE CaaS Platform: 4.0

SUSE MicroOS: 5.0

SUSE Linux Enterprise Module for Packagehub Subpackages: 15-SP2 - 15-SP3

SUSE Linux Enterprise Server: 15-SP1-BCL - 15-SP1-LTSS

SUSE Linux Enterprise Module for Basesystem: 15-SP2 - 15-SP3

python3-cryptography-debuginfo: before 2.8-10.1

python3-cffi-debuginfo: before 1.13.2-3.2.5

python2-botocore: before 1.20.9-33.1

python2-boto3: before 1.17.9-19.1

python3-trustme: before 0.6.0-3.3.1

python3-service_identity: before 18.1.0-3.3.1

aws-cli: before 1.19.9-26.1

python2-pyOpenSSL: before 17.5.0-8.3.1

python2-cryptography-debuginfo: before 2.8-10.1

python2-cryptography: before 2.8-10.1

python2-cffi-debuginfo: before 1.13.2-3.2.5

python2-cffi: before 1.13.2-3.2.5

python-cryptography-debugsource: before 2.8-10.1

python-cryptography-debuginfo: before 2.8-10.1

python-cffi-debugsource: before 1.13.2-3.2.5

python-cffi-debuginfo: before 1.13.2-3.2.5

python3-botocore: before 1.20.9-33.1

python3-boto3: before 1.17.9-19.1

python2-urllib3: before 1.25.10-9.14.1

python2-pycparser: before 2.17-3.2.1

python2-pyasn1: before 0.4.2-3.2.1

python2-asn1crypto: before 0.24.0-3.2.1

python3-urllib3: before 1.25.10-9.14.1

python3-pycparser: before 2.17-3.2.1

python3-pyasn1: before 0.4.2-3.2.1

python3-pyOpenSSL: before 17.5.0-8.3.1

python3-asn1crypto: before 0.24.0-3.2.1

python3-cryptography: before 2.8-10.1

python3-cffi: before 1.13.2-3.2.5

External links

http://www.suse.com/support/update/announcement/2021/suse-su-20212817-1/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.