SUSE update for SUSE Manager Server 4.3

Published: 2022-09-08

Risk	Low
Patch available	YES
Number of vulnerabilities	1
CVE-ID	CVE-2022-31248
CWE-ID	CWE-209
Exploitation vector	Network
Public exploit	N/A
Vulnerable software Subscribe	SUSE Manager Server Operating systems & Components / Operating system SUSE Linux Enterprise Module for SUSE Manager Server Operating systems & Components / Operating system xmlpull-api Operating systems & Components / Operating system package or component woodstox Operating systems & Components / Operating system package or component virtual-host-gatherer-libcloud Operating systems & Components / Operating system package or component virtual-host-gatherer-VMware Operating systems & Components / Operating system package or component virtual-host-gatherer-Nutanix Operating systems & Components / Operating system package or component virtual-host-gatherer-Kubernetes Operating systems & Components / Operating system package or component virtual-host-gatherer Operating systems & Components / Operating system package or component uyuni-config-modules Operating systems & Components / Operating system package or component susemanager-sls Operating systems & Components / Operating system package or component susemanager-schema-utility Operating systems & Components / Operating system package or component susemanager-schema Operating systems & Components / Operating system package or component susemanager-retail-tools Operating systems & Components / Operating system package or component susemanager-docs_en-pdf Operating systems & Components / Operating system package or component susemanager-docs_en Operating systems & Components / Operating system package or component susemanager-build-keys-web Operating systems & Components / Operating system package or component susemanager-build-keys Operating systems & Components / Operating system package or component subscription-matcher Operating systems & Components / Operating system package or component spacewalk-utils-extras Operating systems & Components / Operating system package or component spacewalk-utils Operating systems & Components / Operating system package or component spacewalk-taskomatic Operating systems & Components / Operating system package or component spacewalk-setup Operating systems & Components / Operating system package or component spacewalk-search Operating systems & Components / Operating system package or component spacewalk-postgresql Operating systems & Components / Operating system package or component spacewalk-java-postgresql Operating systems & Components / Operating system package or component spacewalk-java-lib Operating systems & Components / Operating system package or component spacewalk-java-config Operating systems & Components / Operating system package or component spacewalk-java Operating systems & Components / Operating system package or component spacewalk-html Operating systems & Components / Operating system package or component spacewalk-config Operating systems & Components / Operating system package or component spacewalk-common Operating systems & Components / Operating system package or component spacewalk-client-tools Operating systems & Components / Operating system package or component spacewalk-certs-tools Operating systems & Components / Operating system package or component spacewalk-base-minimal-config Operating systems & Components / Operating system package or component spacewalk-base-minimal Operating systems & Components / Operating system package or component spacewalk-base Operating systems & Components / Operating system package or component spacewalk-backend-xmlrpc Operating systems & Components / Operating system package or component spacewalk-backend-xml-export-libs Operating systems & Components / Operating system package or component spacewalk-backend-tools Operating systems & Components / Operating system package or component spacewalk-backend-sql-postgresql Operating systems & Components / Operating system package or component spacewalk-backend-sql Operating systems & Components / Operating system package or component spacewalk-backend-server Operating systems & Components / Operating system package or component spacewalk-backend-package-push-server Operating systems & Components / Operating system package or component spacewalk-backend-iss-export Operating systems & Components / Operating system package or component spacewalk-backend-iss Operating systems & Components / Operating system package or component spacewalk-backend-config-files-tool Operating systems & Components / Operating system package or component spacewalk-backend-config-files-common Operating systems & Components / Operating system package or component spacewalk-backend-config-files Operating systems & Components / Operating system package or component spacewalk-backend-applet Operating systems & Components / Operating system package or component spacewalk-backend-app Operating systems & Components / Operating system package or component spacewalk-backend Operating systems & Components / Operating system package or component spacecmd Operating systems & Components / Operating system package or component salt-netapi-client Operating systems & Components / Operating system package or component python3-urlgrabber Operating systems & Components / Operating system package or component python3-susemanager-retail Operating systems & Components / Operating system package or component python3-spacewalk-client-tools Operating systems & Components / Operating system package or component python3-spacewalk-certs-tools Operating systems & Components / Operating system package or component optaplanner Operating systems & Components / Operating system package or component mvel2 Operating systems & Components / Operating system package or component kie-api Operating systems & Components / Operating system package or component jose4j Operating systems & Components / Operating system package or component jakarta-commons-validator Operating systems & Components / Operating system package or component image-sync-formula Operating systems & Components / Operating system package or component drools Operating systems & Components / Operating system package or component apache-commons-math3 Operating systems & Components / Operating system package or component apache-commons-csv Operating systems & Components / Operating system package or component susemanager-tools Operating systems & Components / Operating system package or component susemanager Operating systems & Components / Operating system package or component smdba Operating systems & Components / Operating system package or component reprepro-debugsource Operating systems & Components / Operating system package or component reprepro-debuginfo Operating systems & Components / Operating system package or component reprepro Operating systems & Components / Operating system package or component python3-uyuni-common-libs Operating systems & Components / Operating system package or component inter-server-sync-debuginfo Operating systems & Components / Operating system package or component inter-server-sync Operating systems & Components / Operating system package or component
Vendor	SUSE

Security Bulletin

This security bulletin contains one low risk vulnerability.

1) Information Exposure Through an Error Message

EUVDB-ID: #VU64572

Risk: Low

CVSSv3.1: 3.2 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-31248

CWE-ID: CWE-209 - Information Exposure Through an Error Message

Exploit availability: No

Description

The vulnerability allows a remote attacker to enumerate email addresses of registered users.

The vulnerability exists due to the application in /rhn/help/ForgotCredentials.do exposes information about pretense of an email address of the registered user within the application. A remote non-authenticated attacker can enumerate email addresses of application users.

Mitigation

Update the affected package SUSE Manager Server 4.3 to the latest version.

Vulnerable software versions

SUSE Manager Server: 4.3

SUSE Linux Enterprise Module for SUSE Manager Server: 4.3

xmlpull-api: before 1.1.3.1-150400.3.3.1

woodstox: before 4.4.2-150400.3.3.1

virtual-host-gatherer-libcloud: before 1.0.23-150400.3.3.1

virtual-host-gatherer-VMware: before 1.0.23-150400.3.3.1

virtual-host-gatherer-Nutanix: before 1.0.23-150400.3.3.1

virtual-host-gatherer-Kubernetes: before 1.0.23-150400.3.3.1

virtual-host-gatherer: before 1.0.23-150400.3.3.1

uyuni-config-modules: before 4.3.24-150400.3.3.1

susemanager-sls: before 4.3.24-150400.3.3.1

susemanager-schema-utility: before 4.3.13-150400.3.3.3

susemanager-schema: before 4.3.13-150400.3.3.3

susemanager-retail-tools: before 1.0.1658330139.861779d-150400.3.3.1

susemanager-docs_en-pdf: before 4.3-150400.9.3.1

susemanager-docs_en: before 4.3-150400.9.3.1

susemanager-build-keys-web: before 15.4.3-150400.3.3.1

susemanager-build-keys: before 15.4.3-150400.3.3.1

subscription-matcher: before 0.29-150400.3.3.1

spacewalk-utils-extras: before 4.3.13-150400.3.3.3

spacewalk-utils: before 4.3.13-150400.3.3.3

spacewalk-taskomatic: before 4.3.35-150400.3.3.5

spacewalk-setup: before 4.3.10-150400.3.3.3

spacewalk-search: before 4.3.6-150400.3.3.3

spacewalk-postgresql: before 4.3.5-150400.3.3.2

spacewalk-java-postgresql: before 4.3.35-150400.3.3.5

spacewalk-java-lib: before 4.3.35-150400.3.3.5

spacewalk-java-config: before 4.3.35-150400.3.3.5

spacewalk-java: before 4.3.35-150400.3.3.5

spacewalk-html: before 4.3.23-150400.3.3.4

spacewalk-config: before 4.3.9-150400.3.3.3

spacewalk-common: before 4.3.5-150400.3.3.2

spacewalk-client-tools: before 4.3.11-150400.3.3.4

spacewalk-certs-tools: before 4.3.14-150400.3.3.2

spacewalk-base-minimal-config: before 4.3.23-150400.3.3.4

spacewalk-base-minimal: before 4.3.23-150400.3.3.4

spacewalk-base: before 4.3.23-150400.3.3.4

spacewalk-backend-xmlrpc: before 4.3.15-150400.3.3.5

spacewalk-backend-xml-export-libs: before 4.3.15-150400.3.3.5

spacewalk-backend-tools: before 4.3.15-150400.3.3.5

spacewalk-backend-sql-postgresql: before 4.3.15-150400.3.3.5

spacewalk-backend-sql: before 4.3.15-150400.3.3.5

spacewalk-backend-server: before 4.3.15-150400.3.3.5

spacewalk-backend-package-push-server: before 4.3.15-150400.3.3.5

spacewalk-backend-iss-export: before 4.3.15-150400.3.3.5

spacewalk-backend-iss: before 4.3.15-150400.3.3.5

spacewalk-backend-config-files-tool: before 4.3.15-150400.3.3.5

spacewalk-backend-config-files-common: before 4.3.15-150400.3.3.5

spacewalk-backend-config-files: before 4.3.15-150400.3.3.5

spacewalk-backend-applet: before 4.3.15-150400.3.3.5

spacewalk-backend-app: before 4.3.15-150400.3.3.5

spacewalk-backend: before 4.3.15-150400.3.3.5

spacecmd: before 4.3.14-150400.3.3.2

salt-netapi-client: before 0.20.0-150400.3.3.5

python3-urlgrabber: before 4.1.0-150400.3.3.1

python3-susemanager-retail: before 1.0.1658330139.861779d-150400.3.3.1

python3-spacewalk-client-tools: before 4.3.11-150400.3.3.4

python3-spacewalk-certs-tools: before 4.3.14-150400.3.3.2

optaplanner: before 7.17.0-150400.3.3.1

mvel2: before 2.2.6.Final-150400.3.3.1

kie-api: before 7.17.0-150400.3.3.1

jose4j: before 0.5.1-150400.3.3.1

jakarta-commons-validator: before 1.1.4-21.150400.21.3.4

image-sync-formula: before 0.1.1658330139.861779d-150400.3.3.1

drools: before 7.17.0-150400.3.3.1

apache-commons-math3: before 3.2-150400.3.3.1

apache-commons-csv: before 1.2-150400.3.3.1

susemanager-tools: before 4.3.18-150400.3.3.2

susemanager: before 4.3.18-150400.3.3.2

smdba: before 1.7.10-0.150400.4.3.1

reprepro-debugsource: before 5.3.0-150400.3.3.1

reprepro-debuginfo: before 5.3.0-150400.3.3.1

reprepro: before 5.3.0-150400.3.3.1

python3-uyuni-common-libs: before 4.3.5-150400.3.3.2

inter-server-sync-debuginfo: before 0.2.3-150400.3.3.1

inter-server-sync: before 0.2.3-150400.3.3.1

External links

http://www.suse.com/support/update/announcement/2022/suse-su-20223194-1/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.