SUSE update for grpc, protobuf, python-Deprecated, python-PyGithub, python-aiocontextvars, python-avro, python-bcrypt, python-cryptography, python-cryptography-vectors, python-google-api-core, pyt



Published: 2023-07-05
Risk High
Patch available YES
Number of vulnerabilities 7
CVE-ID CVE-2018-1000518
CVE-2020-25659
CVE-2020-36242
CVE-2021-22569
CVE-2021-22570
CVE-2022-1941
CVE-2022-3171
CWE-ID CWE-400
CWE-385
CWE-190
CWE-399
CWE-20
Exploitation vector Network
Public exploit Public exploit code for vulnerability #4 is available.
Vulnerable software
Subscribe 		Server Applications Module
Operating systems & Components / Operating system

Public Cloud Module
Operating systems & Components / Operating system

SUSE Package Hub 15
Operating systems & Components / Operating system

Basesystem Module
Operating systems & Components / Operating system

SUSE Linux Enterprise Server for SAP Applications 15
Operating systems & Components / Operating system

SUSE Linux Enterprise Server 15
Operating systems & Components / Operating system

SUSE Linux Enterprise Real Time 15
Operating systems & Components / Operating system

SUSE Linux Enterprise High Performance Computing 15
Operating systems & Components / Operating system

SUSE Linux Enterprise Desktop 15
Operating systems & Components / Operating system

SUSE Linux Enterprise Server 15 SP3 LTSS
Operating systems & Components / Operating system

SUSE Linux Enterprise Server 15 SP2 LTSS
Operating systems & Components / Operating system

SUSE Linux Enterprise Server 15 SP1 LTSS
Operating systems & Components / Operating system

SUSE Linux Enterprise High Performance Computing LTSS 15
Operating systems & Components / Operating system

SUSE Linux Enterprise High Performance Computing ESPOS 15
Operating systems & Components / Operating system

SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS
Operating systems & Components / Operating system

SUSE Linux Enterprise High Performance Computing 15 SP1 LTSS
Operating systems & Components / Operating system

SUSE Enterprise Storage
Operating systems & Components / Operating system

SUSE Manager Retail Branch Server
Operating systems & Components / Operating system

SUSE Manager Proxy
Operating systems & Components / Operating system

SUSE Manager Server
Operating systems & Components / Operating system

SUSE CaaS Platform
Operating systems & Components / Operating system

openSUSE Leap
Operating systems & Components / Operating system

python3-Twisted-debuginfo
Operating systems & Components / Operating system package or component

python3-incremental
Operating systems & Components / Operating system package or component

python3-Automat
Operating systems & Components / Operating system package or component

libprotobuf20-32bit
Operating systems & Components / Operating system package or component

libprotobuf-lite20-32bit
Operating systems & Components / Operating system package or component

libprotoc20-32bit
Operating systems & Components / Operating system package or component

python3-cryptography-debuginfo
Operating systems & Components / Operating system package or component

protobuf-debugsource
Operating systems & Components / Operating system package or component

libprotobuf20
Operating systems & Components / Operating system package or component

python3-psutil
Operating systems & Components / Operating system package or component

python3-protobuf
Operating systems & Components / Operating system package or component

python3-aiocontextvars
Operating systems & Components / Operating system package or component

libgrpc++1
Operating systems & Components / Operating system package or component

libgrpc8
Operating systems & Components / Operating system package or component

python3-websockets
Operating systems & Components / Operating system package or component

python3-cryptography
Operating systems & Components / Operating system package or component

python3-Twisted
Operating systems & Components / Operating system package or component

libprotoc20
Operating systems & Components / Operating system package or component

protobuf-java
Operating systems & Components / Operating system package or component

python3-grpcio
Operating systems & Components / Operating system package or component

grpc-devel
Operating systems & Components / Operating system package or component

protobuf-devel-debuginfo
Operating systems & Components / Operating system package or component

python2-protobuf
Operating systems & Components / Operating system package or component

python-psutil-debugsource
Operating systems & Components / Operating system package or component

python3-psutil-debuginfo
Operating systems & Components / Operating system package or component

python2-grpcio
Operating systems & Components / Operating system package or component

python-cryptography-debugsource
Operating systems & Components / Operating system package or component

python2-grpcio-debuginfo
Operating systems & Components / Operating system package or component

python-websockets-debugsource
Operating systems & Components / Operating system package or component

python2-psutil
Operating systems & Components / Operating system package or component

python2-cryptography-debuginfo
Operating systems & Components / Operating system package or component

python3-websockets-debuginfo
Operating systems & Components / Operating system package or component

libgrpc8-debuginfo
Operating systems & Components / Operating system package or component

libprotoc20-debuginfo
Operating systems & Components / Operating system package or component

grpc-devel-debuginfo
Operating systems & Components / Operating system package or component

python3-grpcio-debuginfo
Operating systems & Components / Operating system package or component

python2-psutil-debuginfo
Operating systems & Components / Operating system package or component

python-psutil-debuginfo
Operating systems & Components / Operating system package or component

libprotobuf20-debuginfo
Operating systems & Components / Operating system package or component

libgrpc++1-debuginfo
Operating systems & Components / Operating system package or component

python2-cryptography
Operating systems & Components / Operating system package or component

protobuf-devel
Operating systems & Components / Operating system package or component

grpc-debuginfo
Operating systems & Components / Operating system package or component

grpc-debugsource
Operating systems & Components / Operating system package or component

python-cryptography-debuginfo
Operating systems & Components / Operating system package or component

libprotobuf-lite20-debuginfo
Operating systems & Components / Operating system package or component

python3-PyGithub
Operating systems & Components / Operating system package or component

python3-Deprecated
Operating systems & Components / Operating system package or component

python3-opencensus-ext-threading
Operating systems & Components / Operating system package or component

python3-google-api-core
Operating systems & Components / Operating system package or component

python3-opencensus-context
Operating systems & Components / Operating system package or component

protobuf-source
Operating systems & Components / Operating system package or component

python3-googleapis-common-protos
Operating systems & Components / Operating system package or component

python3-pytest
Operating systems & Components / Operating system package or component

python2-jsondiff
Operating systems & Components / Operating system package or component

python3-cryptography-vectors
Operating systems & Components / Operating system package or component

python2-cryptography-vectors
Operating systems & Components / Operating system package or component

python2-googleapis-common-protos
Operating systems & Components / Operating system package or component

python3-grpcio-gcp
Operating systems & Components / Operating system package or component

python3-requests
Operating systems & Components / Operating system package or component

python3-opencensus
Operating systems & Components / Operating system package or component

python2-requests
Operating systems & Components / Operating system package or component

grpc-source
Operating systems & Components / Operating system package or component

python2-grpcio-gcp
Operating systems & Components / Operating system package or component

python3-opentelemetry-api
Operating systems & Components / Operating system package or component

python3-avro
Operating systems & Components / Operating system package or component

python3-pytest-asyncio
Operating systems & Components / Operating system package or component

python2-humanfriendly
Operating systems & Components / Operating system package or component

libprotobuf-lite20
Operating systems & Components / Operating system package or component

python3-zope.interface-debuginfo
Operating systems & Components / Operating system package or component

python-zope.interface-debuginfo
Operating systems & Components / Operating system package or component

python-zope.interface-debugsource
Operating systems & Components / Operating system package or component

python3-zope.interface
Operating systems & Components / Operating system package or component

python3-constantly
Operating systems & Components / Operating system package or component

azure-cli-core
Operating systems & Components / Operating system package or component

python3-knack
Operating systems & Components / Operating system package or component

python3-websocket-client
Operating systems & Components / Operating system package or component

python3-jsondiff
Operating systems & Components / Operating system package or component

python3-hyperlink
Operating systems & Components / Operating system package or component

python3-humanfriendly
Operating systems & Components / Operating system package or component

Vendor SUSE

Security Bulletin

This security bulletin contains information about 7 vulnerabilities.

1) Resource exhaustion

EUVDB-ID: #VU77962

Risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-1000518

CWE-ID: CWE-400 - Resource exhaustion

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to application does not properly control consumption of internal resources when handling compressed data. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.

Mitigation

Update the affected package grpc, protobuf, python-Deprecated, python-PyGithub, python-aiocontextvars, python-avro, python-bcrypt, python-cryptography, python-cryptography-vectors, python-google-api-core, pyt to the latest version.

Vulnerable software versions

Server Applications Module: 15-SP4 - 15-SP5

Public Cloud Module: 15-SP1 - 15-SP5

SUSE Package Hub 15: 15-SP5

Basesystem Module: 15-SP4 - 15-SP5

SUSE Linux Enterprise Server for SAP Applications 15: SP1 - SP5

SUSE Linux Enterprise Server 15: SP1 - SP5

SUSE Linux Enterprise Real Time 15: SP3 - SP5

SUSE Linux Enterprise High Performance Computing 15: SP1 - SP5

SUSE Linux Enterprise Desktop 15: SP4 - SP5

SUSE Linux Enterprise Server 15 SP3 LTSS: 15-SP3

SUSE Linux Enterprise Server 15 SP2 LTSS: 15-SP2

SUSE Linux Enterprise Server 15 SP1 LTSS: 15-SP1

SUSE Linux Enterprise High Performance Computing LTSS 15: SP3

SUSE Linux Enterprise High Performance Computing ESPOS 15: SP3

SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS: 15-SP2

SUSE Linux Enterprise High Performance Computing 15 SP1 LTSS: 15-SP1

SUSE Enterprise Storage: 7.1

SUSE Manager Retail Branch Server: 4.0 - 4.3

SUSE Manager Proxy: 4.0 - 4.3

SUSE Manager Server: 4.0 - 4.3

SUSE CaaS Platform: 4.0

openSUSE Leap: 15.4

python3-Twisted-debuginfo: before 17.9.0-150000.3.8.1

python3-incremental: before 17.5.0-150000.3.4.1

python3-Automat: before 0.6.0-150000.3.4.1

libprotobuf20-32bit: before 3.9.2-150100.8.3.3

libprotobuf-lite20-32bit: before 3.9.2-150100.8.3.3

libprotoc20-32bit: before 3.9.2-150100.8.3.3

python3-cryptography-debuginfo: before 3.3.2-150100.7.15.3

protobuf-debugsource: before 3.9.2-150100.8.3.3

libprotobuf20: before 3.9.2-150100.8.3.3

python3-psutil: before 5.9.1-150100.6.6.3

python3-protobuf: before 3.9.2-150100.8.3.3

python3-aiocontextvars: before 0.2.2-150100.3.3.3

libgrpc++1: before 1.25.0-150100.3.3.3

libgrpc8: before 1.25.0-150100.3.3.3

python3-websockets: before 9.1-150100.3.3.3

python3-cryptography: before 3.3.2-150100.7.15.3

python3-Twisted: before 17.9.0-150000.3.8.1

libprotoc20: before 3.9.2-150100.8.3.3

protobuf-java: before 3.9.2-150100.8.3.3

python3-grpcio: before 1.25.0-150100.3.3.3

grpc-devel: before 1.25.0-150100.3.3.3

protobuf-devel-debuginfo: before 3.9.2-150100.8.3.3

python2-protobuf: before 3.9.2-150100.8.3.3

python-psutil-debugsource: before 5.9.1-150100.6.6.3

python3-psutil-debuginfo: before 5.9.1-150100.6.6.3

python2-grpcio: before 1.25.0-150100.3.3.3

python-cryptography-debugsource: before 3.3.2-150100.7.15.3

python2-grpcio-debuginfo: before 1.25.0-150100.3.3.3

python-websockets-debugsource: before 9.1-150100.3.3.3

python2-psutil: before 5.9.1-150100.6.6.3

python2-cryptography-debuginfo: before 3.3.2-150100.7.15.3

python3-websockets-debuginfo: before 9.1-150100.3.3.3

libgrpc8-debuginfo: before 1.25.0-150100.3.3.3

libprotoc20-debuginfo: before 3.9.2-150100.8.3.3

grpc-devel-debuginfo: before 1.25.0-150100.3.3.3

python3-grpcio-debuginfo: before 1.25.0-150100.3.3.3

python2-psutil-debuginfo: before 5.9.1-150100.6.6.3

python-psutil-debuginfo: before 5.9.1-150100.6.6.3

libprotobuf20-debuginfo: before 3.9.2-150100.8.3.3

libgrpc++1-debuginfo: before 1.25.0-150100.3.3.3

python2-cryptography: before 3.3.2-150100.7.15.3

protobuf-devel: before 3.9.2-150100.8.3.3

grpc-debuginfo: before 1.25.0-150100.3.3.3

grpc-debugsource: before 1.25.0-150100.3.3.3

python-cryptography-debuginfo: before 3.3.2-150100.7.15.3

libprotobuf-lite20-debuginfo: before 3.9.2-150100.8.3.3

python3-PyGithub: before 1.43.5-150100.3.3.3

python3-Deprecated: before 1.2.13-150100.3.3.3

python3-opencensus-ext-threading: before 0.1.2-150100.3.3.3

python3-google-api-core: before 1.14.2-150100.3.3.3

python3-opencensus-context: before 0.1.2-150100.3.3.3

protobuf-source: before 3.9.2-150100.8.3.3

python3-googleapis-common-protos: before 1.6.0-150100.3.3.3

python3-pytest: before 3.10.1-150000.7.5.1

python2-jsondiff: before 1.3.0-150100.3.6.3

python3-cryptography-vectors: before 3.3.2-150100.3.11.3

python2-cryptography-vectors: before 3.3.2-150100.3.11.3

python2-googleapis-common-protos: before 1.6.0-150100.3.3.3

python3-grpcio-gcp: before 0.2.2-150100.3.3.3

python3-requests: before 2.25.1-150100.6.13.3

python3-opencensus: before 0.8.0-150100.3.3.3

python2-requests: before 2.25.1-150100.6.13.3

grpc-source: before 1.25.0-150100.3.3.3

python2-grpcio-gcp: before 0.2.2-150100.3.3.3

python3-opentelemetry-api: before 1.5.0-150100.3.3.3

python3-avro: before 1.11.0-150100.3.3.3

python3-pytest-asyncio: before 0.8.0-150100.3.3.3

python2-humanfriendly: before 10.0-150100.6.3.3

libprotobuf-lite20: before 3.9.2-150100.8.3.3

python3-zope.interface-debuginfo: before 4.4.2-150000.3.4.1

python-zope.interface-debuginfo: before 4.4.2-150000.3.4.1

python-zope.interface-debugsource: before 4.4.2-150000.3.4.1

python3-zope.interface: before 4.4.2-150000.3.4.1

python3-constantly: before 15.1.0-150000.3.4.1

azure-cli-core: before 2.17.1-150100.6.18.1

python3-knack: before 0.9.0-150100.3.7.3

python3-websocket-client: before 1.3.2-150100.6.7.3

python3-jsondiff: before 1.3.0-150100.3.6.3

python3-hyperlink: before 17.2.1-150000.3.4.1

python3-humanfriendly: before 10.0-150100.6.3.3

External links

http://www.suse.com/support/update/announcement/2023/suse-su-20232783-1/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Covert Timing Channel

EUVDB-ID: #VU50367

Risk: Medium

CVSSv3.1: 5.2 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-25659

CWE-ID: CWE-385 - Covert Timing Channel

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.

python-cryptography 3.2 is vulnerable to Bleichenbacher timing attacks in the RSA decryption API, via timed processing of valid PKCS#1 v1.5 ciphertext.

Mitigation

Update the affected package grpc, protobuf, python-Deprecated, python-PyGithub, python-aiocontextvars, python-avro, python-bcrypt, python-cryptography, python-cryptography-vectors, python-google-api-core, pyt to the latest version.

Vulnerable software versions

Server Applications Module: 15-SP4 - 15-SP5

Public Cloud Module: 15-SP1 - 15-SP5

SUSE Package Hub 15: 15-SP5

Basesystem Module: 15-SP4 - 15-SP5

SUSE Linux Enterprise Server for SAP Applications 15: SP1 - SP5

SUSE Linux Enterprise Server 15: SP1 - SP5

SUSE Linux Enterprise Real Time 15: SP3 - SP5

SUSE Linux Enterprise High Performance Computing 15: SP1 - SP5

SUSE Linux Enterprise Desktop 15: SP4 - SP5

SUSE Linux Enterprise Server 15 SP3 LTSS: 15-SP3

SUSE Linux Enterprise Server 15 SP2 LTSS: 15-SP2

SUSE Linux Enterprise Server 15 SP1 LTSS: 15-SP1

SUSE Linux Enterprise High Performance Computing LTSS 15: SP3

SUSE Linux Enterprise High Performance Computing ESPOS 15: SP3

SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS: 15-SP2

SUSE Linux Enterprise High Performance Computing 15 SP1 LTSS: 15-SP1

SUSE Enterprise Storage: 7.1

SUSE Manager Retail Branch Server: 4.0 - 4.3

SUSE Manager Proxy: 4.0 - 4.3

SUSE Manager Server: 4.0 - 4.3

SUSE CaaS Platform: 4.0

openSUSE Leap: 15.4

python3-Twisted-debuginfo: before 17.9.0-150000.3.8.1

python3-incremental: before 17.5.0-150000.3.4.1

python3-Automat: before 0.6.0-150000.3.4.1

libprotobuf20-32bit: before 3.9.2-150100.8.3.3

libprotobuf-lite20-32bit: before 3.9.2-150100.8.3.3

libprotoc20-32bit: before 3.9.2-150100.8.3.3

python3-cryptography-debuginfo: before 3.3.2-150100.7.15.3

protobuf-debugsource: before 3.9.2-150100.8.3.3

libprotobuf20: before 3.9.2-150100.8.3.3

python3-psutil: before 5.9.1-150100.6.6.3

python3-protobuf: before 3.9.2-150100.8.3.3

python3-aiocontextvars: before 0.2.2-150100.3.3.3

libgrpc++1: before 1.25.0-150100.3.3.3

libgrpc8: before 1.25.0-150100.3.3.3

python3-websockets: before 9.1-150100.3.3.3

python3-cryptography: before 3.3.2-150100.7.15.3

python3-Twisted: before 17.9.0-150000.3.8.1

libprotoc20: before 3.9.2-150100.8.3.3

protobuf-java: before 3.9.2-150100.8.3.3

python3-grpcio: before 1.25.0-150100.3.3.3

grpc-devel: before 1.25.0-150100.3.3.3

protobuf-devel-debuginfo: before 3.9.2-150100.8.3.3

python2-protobuf: before 3.9.2-150100.8.3.3

python-psutil-debugsource: before 5.9.1-150100.6.6.3

python3-psutil-debuginfo: before 5.9.1-150100.6.6.3

python2-grpcio: before 1.25.0-150100.3.3.3

python-cryptography-debugsource: before 3.3.2-150100.7.15.3

python2-grpcio-debuginfo: before 1.25.0-150100.3.3.3

python-websockets-debugsource: before 9.1-150100.3.3.3

python2-psutil: before 5.9.1-150100.6.6.3

python2-cryptography-debuginfo: before 3.3.2-150100.7.15.3

python3-websockets-debuginfo: before 9.1-150100.3.3.3

libgrpc8-debuginfo: before 1.25.0-150100.3.3.3

libprotoc20-debuginfo: before 3.9.2-150100.8.3.3

grpc-devel-debuginfo: before 1.25.0-150100.3.3.3

python3-grpcio-debuginfo: before 1.25.0-150100.3.3.3

python2-psutil-debuginfo: before 5.9.1-150100.6.6.3

python-psutil-debuginfo: before 5.9.1-150100.6.6.3

libprotobuf20-debuginfo: before 3.9.2-150100.8.3.3

libgrpc++1-debuginfo: before 1.25.0-150100.3.3.3

python2-cryptography: before 3.3.2-150100.7.15.3

protobuf-devel: before 3.9.2-150100.8.3.3

grpc-debuginfo: before 1.25.0-150100.3.3.3

grpc-debugsource: before 1.25.0-150100.3.3.3

python-cryptography-debuginfo: before 3.3.2-150100.7.15.3

libprotobuf-lite20-debuginfo: before 3.9.2-150100.8.3.3

python3-PyGithub: before 1.43.5-150100.3.3.3

python3-Deprecated: before 1.2.13-150100.3.3.3

python3-opencensus-ext-threading: before 0.1.2-150100.3.3.3

python3-google-api-core: before 1.14.2-150100.3.3.3

python3-opencensus-context: before 0.1.2-150100.3.3.3

protobuf-source: before 3.9.2-150100.8.3.3

python3-googleapis-common-protos: before 1.6.0-150100.3.3.3

python3-pytest: before 3.10.1-150000.7.5.1

python2-jsondiff: before 1.3.0-150100.3.6.3

python3-cryptography-vectors: before 3.3.2-150100.3.11.3

python2-cryptography-vectors: before 3.3.2-150100.3.11.3

python2-googleapis-common-protos: before 1.6.0-150100.3.3.3

python3-grpcio-gcp: before 0.2.2-150100.3.3.3

python3-requests: before 2.25.1-150100.6.13.3

python3-opencensus: before 0.8.0-150100.3.3.3

python2-requests: before 2.25.1-150100.6.13.3

grpc-source: before 1.25.0-150100.3.3.3

python2-grpcio-gcp: before 0.2.2-150100.3.3.3

python3-opentelemetry-api: before 1.5.0-150100.3.3.3

python3-avro: before 1.11.0-150100.3.3.3

python3-pytest-asyncio: before 0.8.0-150100.3.3.3

python2-humanfriendly: before 10.0-150100.6.3.3

libprotobuf-lite20: before 3.9.2-150100.8.3.3

python3-zope.interface-debuginfo: before 4.4.2-150000.3.4.1

python-zope.interface-debuginfo: before 4.4.2-150000.3.4.1

python-zope.interface-debugsource: before 4.4.2-150000.3.4.1

python3-zope.interface: before 4.4.2-150000.3.4.1

python3-constantly: before 15.1.0-150000.3.4.1

azure-cli-core: before 2.17.1-150100.6.18.1

python3-knack: before 0.9.0-150100.3.7.3

python3-websocket-client: before 1.3.2-150100.6.7.3

python3-jsondiff: before 1.3.0-150100.3.6.3

python3-hyperlink: before 17.2.1-150000.3.4.1

python3-humanfriendly: before 10.0-150100.6.3.3

External links

http://www.suse.com/support/update/announcement/2023/suse-su-20232783-1/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Integer overflow

EUVDB-ID: #VU50990

Risk: High

CVSSv3.1: 8.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-36242

CWE-ID: CWE-190 - Integer overflow

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to integer overflow when processing certain sequences of update calls to symmetrically encrypt multi-GB values. A remote attacker can pass specially crafted data to the application, trigger integer overflow and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Update the affected package grpc, protobuf, python-Deprecated, python-PyGithub, python-aiocontextvars, python-avro, python-bcrypt, python-cryptography, python-cryptography-vectors, python-google-api-core, pyt to the latest version.

Vulnerable software versions

Server Applications Module: 15-SP4 - 15-SP5

Public Cloud Module: 15-SP1 - 15-SP5

SUSE Package Hub 15: 15-SP5

Basesystem Module: 15-SP4 - 15-SP5

SUSE Linux Enterprise Server for SAP Applications 15: SP1 - SP5

SUSE Linux Enterprise Server 15: SP1 - SP5

SUSE Linux Enterprise Real Time 15: SP3 - SP5

SUSE Linux Enterprise High Performance Computing 15: SP1 - SP5

SUSE Linux Enterprise Desktop 15: SP4 - SP5

SUSE Linux Enterprise Server 15 SP3 LTSS: 15-SP3

SUSE Linux Enterprise Server 15 SP2 LTSS: 15-SP2

SUSE Linux Enterprise Server 15 SP1 LTSS: 15-SP1

SUSE Linux Enterprise High Performance Computing LTSS 15: SP3

SUSE Linux Enterprise High Performance Computing ESPOS 15: SP3

SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS: 15-SP2

SUSE Linux Enterprise High Performance Computing 15 SP1 LTSS: 15-SP1

SUSE Enterprise Storage: 7.1

SUSE Manager Retail Branch Server: 4.0 - 4.3

SUSE Manager Proxy: 4.0 - 4.3

SUSE Manager Server: 4.0 - 4.3

SUSE CaaS Platform: 4.0

openSUSE Leap: 15.4

python3-Twisted-debuginfo: before 17.9.0-150000.3.8.1

python3-incremental: before 17.5.0-150000.3.4.1

python3-Automat: before 0.6.0-150000.3.4.1

libprotobuf20-32bit: before 3.9.2-150100.8.3.3

libprotobuf-lite20-32bit: before 3.9.2-150100.8.3.3

libprotoc20-32bit: before 3.9.2-150100.8.3.3

python3-cryptography-debuginfo: before 3.3.2-150100.7.15.3

protobuf-debugsource: before 3.9.2-150100.8.3.3

libprotobuf20: before 3.9.2-150100.8.3.3

python3-psutil: before 5.9.1-150100.6.6.3

python3-protobuf: before 3.9.2-150100.8.3.3

python3-aiocontextvars: before 0.2.2-150100.3.3.3

libgrpc++1: before 1.25.0-150100.3.3.3

libgrpc8: before 1.25.0-150100.3.3.3

python3-websockets: before 9.1-150100.3.3.3

python3-cryptography: before 3.3.2-150100.7.15.3

python3-Twisted: before 17.9.0-150000.3.8.1

libprotoc20: before 3.9.2-150100.8.3.3

protobuf-java: before 3.9.2-150100.8.3.3

python3-grpcio: before 1.25.0-150100.3.3.3

grpc-devel: before 1.25.0-150100.3.3.3

protobuf-devel-debuginfo: before 3.9.2-150100.8.3.3

python2-protobuf: before 3.9.2-150100.8.3.3

python-psutil-debugsource: before 5.9.1-150100.6.6.3

python3-psutil-debuginfo: before 5.9.1-150100.6.6.3

python2-grpcio: before 1.25.0-150100.3.3.3

python-cryptography-debugsource: before 3.3.2-150100.7.15.3

python2-grpcio-debuginfo: before 1.25.0-150100.3.3.3

python-websockets-debugsource: before 9.1-150100.3.3.3

python2-psutil: before 5.9.1-150100.6.6.3

python2-cryptography-debuginfo: before 3.3.2-150100.7.15.3

python3-websockets-debuginfo: before 9.1-150100.3.3.3

libgrpc8-debuginfo: before 1.25.0-150100.3.3.3

libprotoc20-debuginfo: before 3.9.2-150100.8.3.3

grpc-devel-debuginfo: before 1.25.0-150100.3.3.3

python3-grpcio-debuginfo: before 1.25.0-150100.3.3.3

python2-psutil-debuginfo: before 5.9.1-150100.6.6.3

python-psutil-debuginfo: before 5.9.1-150100.6.6.3

libprotobuf20-debuginfo: before 3.9.2-150100.8.3.3

libgrpc++1-debuginfo: before 1.25.0-150100.3.3.3

python2-cryptography: before 3.3.2-150100.7.15.3

protobuf-devel: before 3.9.2-150100.8.3.3

grpc-debuginfo: before 1.25.0-150100.3.3.3

grpc-debugsource: before 1.25.0-150100.3.3.3

python-cryptography-debuginfo: before 3.3.2-150100.7.15.3

libprotobuf-lite20-debuginfo: before 3.9.2-150100.8.3.3

python3-PyGithub: before 1.43.5-150100.3.3.3

python3-Deprecated: before 1.2.13-150100.3.3.3

python3-opencensus-ext-threading: before 0.1.2-150100.3.3.3

python3-google-api-core: before 1.14.2-150100.3.3.3

python3-opencensus-context: before 0.1.2-150100.3.3.3

protobuf-source: before 3.9.2-150100.8.3.3

python3-googleapis-common-protos: before 1.6.0-150100.3.3.3

python3-pytest: before 3.10.1-150000.7.5.1

python2-jsondiff: before 1.3.0-150100.3.6.3

python3-cryptography-vectors: before 3.3.2-150100.3.11.3

python2-cryptography-vectors: before 3.3.2-150100.3.11.3

python2-googleapis-common-protos: before 1.6.0-150100.3.3.3

python3-grpcio-gcp: before 0.2.2-150100.3.3.3

python3-requests: before 2.25.1-150100.6.13.3

python3-opencensus: before 0.8.0-150100.3.3.3

python2-requests: before 2.25.1-150100.6.13.3

grpc-source: before 1.25.0-150100.3.3.3

python2-grpcio-gcp: before 0.2.2-150100.3.3.3

python3-opentelemetry-api: before 1.5.0-150100.3.3.3

python3-avro: before 1.11.0-150100.3.3.3

python3-pytest-asyncio: before 0.8.0-150100.3.3.3

python2-humanfriendly: before 10.0-150100.6.3.3

libprotobuf-lite20: before 3.9.2-150100.8.3.3

python3-zope.interface-debuginfo: before 4.4.2-150000.3.4.1

python-zope.interface-debuginfo: before 4.4.2-150000.3.4.1

python-zope.interface-debugsource: before 4.4.2-150000.3.4.1

python3-zope.interface: before 4.4.2-150000.3.4.1

python3-constantly: before 15.1.0-150000.3.4.1

azure-cli-core: before 2.17.1-150100.6.18.1

python3-knack: before 0.9.0-150100.3.7.3

python3-websocket-client: before 1.3.2-150100.6.7.3

python3-jsondiff: before 1.3.0-150100.3.6.3

python3-hyperlink: before 17.2.1-150000.3.4.1

python3-humanfriendly: before 10.0-150100.6.3.3

External links

http://www.suse.com/support/update/announcement/2023/suse-su-20232783-1/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

4) Resource management error

EUVDB-ID: #VU60181

Risk: Medium

CVSSv3.1: 5.9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C]

CVE-ID: CVE-2021-22569

CWE-ID: CWE-399 - Resource Management Errors

Exploit availability: Yes

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to improper management of internal resources within the application. protobuf-java allowes the interleaving of com.google.protobuf.UnknownFieldSet fields in such a way that would be processed out of order. A small malicious payload can occupy the parser for several minutes by creating large numbers of short-lived objects that cause frequent, repeated pauses. A remote attacker can trick the victim into passing specially crafted data to the application and perform a denial of service attack.

Mitigation

Update the affected package grpc, protobuf, python-Deprecated, python-PyGithub, python-aiocontextvars, python-avro, python-bcrypt, python-cryptography, python-cryptography-vectors, python-google-api-core, pyt to the latest version.

Vulnerable software versions

Server Applications Module: 15-SP4 - 15-SP5

Public Cloud Module: 15-SP1 - 15-SP5

SUSE Package Hub 15: 15-SP5

Basesystem Module: 15-SP4 - 15-SP5

SUSE Linux Enterprise Server for SAP Applications 15: SP1 - SP5

SUSE Linux Enterprise Server 15: SP1 - SP5

SUSE Linux Enterprise Real Time 15: SP3 - SP5

SUSE Linux Enterprise High Performance Computing 15: SP1 - SP5

SUSE Linux Enterprise Desktop 15: SP4 - SP5

SUSE Linux Enterprise Server 15 SP3 LTSS: 15-SP3

SUSE Linux Enterprise Server 15 SP2 LTSS: 15-SP2

SUSE Linux Enterprise Server 15 SP1 LTSS: 15-SP1

SUSE Linux Enterprise High Performance Computing LTSS 15: SP3

SUSE Linux Enterprise High Performance Computing ESPOS 15: SP3

SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS: 15-SP2

SUSE Linux Enterprise High Performance Computing 15 SP1 LTSS: 15-SP1

SUSE Enterprise Storage: 7.1

SUSE Manager Retail Branch Server: 4.0 - 4.3

SUSE Manager Proxy: 4.0 - 4.3

SUSE Manager Server: 4.0 - 4.3

SUSE CaaS Platform: 4.0

openSUSE Leap: 15.4

python3-Twisted-debuginfo: before 17.9.0-150000.3.8.1

python3-incremental: before 17.5.0-150000.3.4.1

python3-Automat: before 0.6.0-150000.3.4.1

libprotobuf20-32bit: before 3.9.2-150100.8.3.3

libprotobuf-lite20-32bit: before 3.9.2-150100.8.3.3

libprotoc20-32bit: before 3.9.2-150100.8.3.3

python3-cryptography-debuginfo: before 3.3.2-150100.7.15.3

protobuf-debugsource: before 3.9.2-150100.8.3.3

libprotobuf20: before 3.9.2-150100.8.3.3

python3-psutil: before 5.9.1-150100.6.6.3

python3-protobuf: before 3.9.2-150100.8.3.3

python3-aiocontextvars: before 0.2.2-150100.3.3.3

libgrpc++1: before 1.25.0-150100.3.3.3

libgrpc8: before 1.25.0-150100.3.3.3

python3-websockets: before 9.1-150100.3.3.3

python3-cryptography: before 3.3.2-150100.7.15.3

python3-Twisted: before 17.9.0-150000.3.8.1

libprotoc20: before 3.9.2-150100.8.3.3

protobuf-java: before 3.9.2-150100.8.3.3

python3-grpcio: before 1.25.0-150100.3.3.3

grpc-devel: before 1.25.0-150100.3.3.3

protobuf-devel-debuginfo: before 3.9.2-150100.8.3.3

python2-protobuf: before 3.9.2-150100.8.3.3

python-psutil-debugsource: before 5.9.1-150100.6.6.3

python3-psutil-debuginfo: before 5.9.1-150100.6.6.3

python2-grpcio: before 1.25.0-150100.3.3.3

python-cryptography-debugsource: before 3.3.2-150100.7.15.3

python2-grpcio-debuginfo: before 1.25.0-150100.3.3.3

python-websockets-debugsource: before 9.1-150100.3.3.3

python2-psutil: before 5.9.1-150100.6.6.3

python2-cryptography-debuginfo: before 3.3.2-150100.7.15.3

python3-websockets-debuginfo: before 9.1-150100.3.3.3

libgrpc8-debuginfo: before 1.25.0-150100.3.3.3

libprotoc20-debuginfo: before 3.9.2-150100.8.3.3

grpc-devel-debuginfo: before 1.25.0-150100.3.3.3

python3-grpcio-debuginfo: before 1.25.0-150100.3.3.3

python2-psutil-debuginfo: before 5.9.1-150100.6.6.3

python-psutil-debuginfo: before 5.9.1-150100.6.6.3

libprotobuf20-debuginfo: before 3.9.2-150100.8.3.3

libgrpc++1-debuginfo: before 1.25.0-150100.3.3.3

python2-cryptography: before 3.3.2-150100.7.15.3

protobuf-devel: before 3.9.2-150100.8.3.3

grpc-debuginfo: before 1.25.0-150100.3.3.3

grpc-debugsource: before 1.25.0-150100.3.3.3

python-cryptography-debuginfo: before 3.3.2-150100.7.15.3

libprotobuf-lite20-debuginfo: before 3.9.2-150100.8.3.3

python3-PyGithub: before 1.43.5-150100.3.3.3

python3-Deprecated: before 1.2.13-150100.3.3.3

python3-opencensus-ext-threading: before 0.1.2-150100.3.3.3

python3-google-api-core: before 1.14.2-150100.3.3.3

python3-opencensus-context: before 0.1.2-150100.3.3.3

protobuf-source: before 3.9.2-150100.8.3.3

python3-googleapis-common-protos: before 1.6.0-150100.3.3.3

python3-pytest: before 3.10.1-150000.7.5.1

python2-jsondiff: before 1.3.0-150100.3.6.3

python3-cryptography-vectors: before 3.3.2-150100.3.11.3

python2-cryptography-vectors: before 3.3.2-150100.3.11.3

python2-googleapis-common-protos: before 1.6.0-150100.3.3.3

python3-grpcio-gcp: before 0.2.2-150100.3.3.3

python3-requests: before 2.25.1-150100.6.13.3

python3-opencensus: before 0.8.0-150100.3.3.3

python2-requests: before 2.25.1-150100.6.13.3

grpc-source: before 1.25.0-150100.3.3.3

python2-grpcio-gcp: before 0.2.2-150100.3.3.3

python3-opentelemetry-api: before 1.5.0-150100.3.3.3

python3-avro: before 1.11.0-150100.3.3.3

python3-pytest-asyncio: before 0.8.0-150100.3.3.3

python2-humanfriendly: before 10.0-150100.6.3.3

libprotobuf-lite20: before 3.9.2-150100.8.3.3

python3-zope.interface-debuginfo: before 4.4.2-150000.3.4.1

python-zope.interface-debuginfo: before 4.4.2-150000.3.4.1

python-zope.interface-debugsource: before 4.4.2-150000.3.4.1

python3-zope.interface: before 4.4.2-150000.3.4.1

python3-constantly: before 15.1.0-150000.3.4.1

azure-cli-core: before 2.17.1-150100.6.18.1

python3-knack: before 0.9.0-150100.3.7.3

python3-websocket-client: before 1.3.2-150100.6.7.3

python3-jsondiff: before 1.3.0-150100.3.6.3

python3-hyperlink: before 17.2.1-150000.3.4.1

python3-humanfriendly: before 10.0-150100.6.3.3

External links

http://www.suse.com/support/update/announcement/2023/suse-su-20232783-1/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

5) Improper input validation

EUVDB-ID: #VU62403

Risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-22570

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation within the Server: Compiling (protobuf) component in MySQL Server. A remote non-authenticated attacker can exploit this vulnerability to perform a denial of service (DoS) attack.

Mitigation

Update the affected package grpc, protobuf, python-Deprecated, python-PyGithub, python-aiocontextvars, python-avro, python-bcrypt, python-cryptography, python-cryptography-vectors, python-google-api-core, pyt to the latest version.

Vulnerable software versions

Server Applications Module: 15-SP4 - 15-SP5

Public Cloud Module: 15-SP1 - 15-SP5

SUSE Package Hub 15: 15-SP5

Basesystem Module: 15-SP4 - 15-SP5

SUSE Linux Enterprise Server for SAP Applications 15: SP1 - SP5

SUSE Linux Enterprise Server 15: SP1 - SP5

SUSE Linux Enterprise Real Time 15: SP3 - SP5

SUSE Linux Enterprise High Performance Computing 15: SP1 - SP5

SUSE Linux Enterprise Desktop 15: SP4 - SP5

SUSE Linux Enterprise Server 15 SP3 LTSS: 15-SP3

SUSE Linux Enterprise Server 15 SP2 LTSS: 15-SP2

SUSE Linux Enterprise Server 15 SP1 LTSS: 15-SP1

SUSE Linux Enterprise High Performance Computing LTSS 15: SP3

SUSE Linux Enterprise High Performance Computing ESPOS 15: SP3

SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS: 15-SP2

SUSE Linux Enterprise High Performance Computing 15 SP1 LTSS: 15-SP1

SUSE Enterprise Storage: 7.1

SUSE Manager Retail Branch Server: 4.0 - 4.3

SUSE Manager Proxy: 4.0 - 4.3

SUSE Manager Server: 4.0 - 4.3

SUSE CaaS Platform: 4.0

openSUSE Leap: 15.4

python3-Twisted-debuginfo: before 17.9.0-150000.3.8.1

python3-incremental: before 17.5.0-150000.3.4.1

python3-Automat: before 0.6.0-150000.3.4.1

libprotobuf20-32bit: before 3.9.2-150100.8.3.3

libprotobuf-lite20-32bit: before 3.9.2-150100.8.3.3

libprotoc20-32bit: before 3.9.2-150100.8.3.3

python3-cryptography-debuginfo: before 3.3.2-150100.7.15.3

protobuf-debugsource: before 3.9.2-150100.8.3.3

libprotobuf20: before 3.9.2-150100.8.3.3

python3-psutil: before 5.9.1-150100.6.6.3

python3-protobuf: before 3.9.2-150100.8.3.3

python3-aiocontextvars: before 0.2.2-150100.3.3.3

libgrpc++1: before 1.25.0-150100.3.3.3

libgrpc8: before 1.25.0-150100.3.3.3

python3-websockets: before 9.1-150100.3.3.3

python3-cryptography: before 3.3.2-150100.7.15.3

python3-Twisted: before 17.9.0-150000.3.8.1

libprotoc20: before 3.9.2-150100.8.3.3

protobuf-java: before 3.9.2-150100.8.3.3

python3-grpcio: before 1.25.0-150100.3.3.3

grpc-devel: before 1.25.0-150100.3.3.3

protobuf-devel-debuginfo: before 3.9.2-150100.8.3.3

python2-protobuf: before 3.9.2-150100.8.3.3

python-psutil-debugsource: before 5.9.1-150100.6.6.3

python3-psutil-debuginfo: before 5.9.1-150100.6.6.3

python2-grpcio: before 1.25.0-150100.3.3.3

python-cryptography-debugsource: before 3.3.2-150100.7.15.3

python2-grpcio-debuginfo: before 1.25.0-150100.3.3.3

python-websockets-debugsource: before 9.1-150100.3.3.3

python2-psutil: before 5.9.1-150100.6.6.3

python2-cryptography-debuginfo: before 3.3.2-150100.7.15.3

python3-websockets-debuginfo: before 9.1-150100.3.3.3

libgrpc8-debuginfo: before 1.25.0-150100.3.3.3

libprotoc20-debuginfo: before 3.9.2-150100.8.3.3

grpc-devel-debuginfo: before 1.25.0-150100.3.3.3

python3-grpcio-debuginfo: before 1.25.0-150100.3.3.3

python2-psutil-debuginfo: before 5.9.1-150100.6.6.3

python-psutil-debuginfo: before 5.9.1-150100.6.6.3

libprotobuf20-debuginfo: before 3.9.2-150100.8.3.3

libgrpc++1-debuginfo: before 1.25.0-150100.3.3.3

python2-cryptography: before 3.3.2-150100.7.15.3

protobuf-devel: before 3.9.2-150100.8.3.3

grpc-debuginfo: before 1.25.0-150100.3.3.3

grpc-debugsource: before 1.25.0-150100.3.3.3

python-cryptography-debuginfo: before 3.3.2-150100.7.15.3

libprotobuf-lite20-debuginfo: before 3.9.2-150100.8.3.3

python3-PyGithub: before 1.43.5-150100.3.3.3

python3-Deprecated: before 1.2.13-150100.3.3.3

python3-opencensus-ext-threading: before 0.1.2-150100.3.3.3

python3-google-api-core: before 1.14.2-150100.3.3.3

python3-opencensus-context: before 0.1.2-150100.3.3.3

protobuf-source: before 3.9.2-150100.8.3.3

python3-googleapis-common-protos: before 1.6.0-150100.3.3.3

python3-pytest: before 3.10.1-150000.7.5.1

python2-jsondiff: before 1.3.0-150100.3.6.3

python3-cryptography-vectors: before 3.3.2-150100.3.11.3

python2-cryptography-vectors: before 3.3.2-150100.3.11.3

python2-googleapis-common-protos: before 1.6.0-150100.3.3.3

python3-grpcio-gcp: before 0.2.2-150100.3.3.3

python3-requests: before 2.25.1-150100.6.13.3

python3-opencensus: before 0.8.0-150100.3.3.3

python2-requests: before 2.25.1-150100.6.13.3

grpc-source: before 1.25.0-150100.3.3.3

python2-grpcio-gcp: before 0.2.2-150100.3.3.3

python3-opentelemetry-api: before 1.5.0-150100.3.3.3

python3-avro: before 1.11.0-150100.3.3.3

python3-pytest-asyncio: before 0.8.0-150100.3.3.3

python2-humanfriendly: before 10.0-150100.6.3.3

libprotobuf-lite20: before 3.9.2-150100.8.3.3

python3-zope.interface-debuginfo: before 4.4.2-150000.3.4.1

python-zope.interface-debuginfo: before 4.4.2-150000.3.4.1

python-zope.interface-debugsource: before 4.4.2-150000.3.4.1

python3-zope.interface: before 4.4.2-150000.3.4.1

python3-constantly: before 15.1.0-150000.3.4.1

azure-cli-core: before 2.17.1-150100.6.18.1

python3-knack: before 0.9.0-150100.3.7.3

python3-websocket-client: before 1.3.2-150100.6.7.3

python3-jsondiff: before 1.3.0-150100.3.6.3

python3-hyperlink: before 17.2.1-150000.3.4.1

python3-humanfriendly: before 10.0-150100.6.3.3

External links

http://www.suse.com/support/update/announcement/2023/suse-su-20232783-1/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

6) Improper input validation

EUVDB-ID: #VU71261

Risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-1941

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation within the Connector/Python (Python) component in MySQL Connectors. A remote non-authenticated attacker can exploit this vulnerability to perform a denial of service (DoS) attack.

Mitigation

Update the affected package grpc, protobuf, python-Deprecated, python-PyGithub, python-aiocontextvars, python-avro, python-bcrypt, python-cryptography, python-cryptography-vectors, python-google-api-core, pyt to the latest version.

Vulnerable software versions

Server Applications Module: 15-SP4 - 15-SP5

Public Cloud Module: 15-SP1 - 15-SP5

SUSE Package Hub 15: 15-SP5

Basesystem Module: 15-SP4 - 15-SP5

SUSE Linux Enterprise Server for SAP Applications 15: SP1 - SP5

SUSE Linux Enterprise Server 15: SP1 - SP5

SUSE Linux Enterprise Real Time 15: SP3 - SP5

SUSE Linux Enterprise High Performance Computing 15: SP1 - SP5

SUSE Linux Enterprise Desktop 15: SP4 - SP5

SUSE Linux Enterprise Server 15 SP3 LTSS: 15-SP3

SUSE Linux Enterprise Server 15 SP2 LTSS: 15-SP2

SUSE Linux Enterprise Server 15 SP1 LTSS: 15-SP1

SUSE Linux Enterprise High Performance Computing LTSS 15: SP3

SUSE Linux Enterprise High Performance Computing ESPOS 15: SP3

SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS: 15-SP2

SUSE Linux Enterprise High Performance Computing 15 SP1 LTSS: 15-SP1

SUSE Enterprise Storage: 7.1

SUSE Manager Retail Branch Server: 4.0 - 4.3

SUSE Manager Proxy: 4.0 - 4.3

SUSE Manager Server: 4.0 - 4.3

SUSE CaaS Platform: 4.0

openSUSE Leap: 15.4

python3-Twisted-debuginfo: before 17.9.0-150000.3.8.1

python3-incremental: before 17.5.0-150000.3.4.1

python3-Automat: before 0.6.0-150000.3.4.1

libprotobuf20-32bit: before 3.9.2-150100.8.3.3

libprotobuf-lite20-32bit: before 3.9.2-150100.8.3.3

libprotoc20-32bit: before 3.9.2-150100.8.3.3

python3-cryptography-debuginfo: before 3.3.2-150100.7.15.3

protobuf-debugsource: before 3.9.2-150100.8.3.3

libprotobuf20: before 3.9.2-150100.8.3.3

python3-psutil: before 5.9.1-150100.6.6.3

python3-protobuf: before 3.9.2-150100.8.3.3

python3-aiocontextvars: before 0.2.2-150100.3.3.3

libgrpc++1: before 1.25.0-150100.3.3.3

libgrpc8: before 1.25.0-150100.3.3.3

python3-websockets: before 9.1-150100.3.3.3

python3-cryptography: before 3.3.2-150100.7.15.3

python3-Twisted: before 17.9.0-150000.3.8.1

libprotoc20: before 3.9.2-150100.8.3.3

protobuf-java: before 3.9.2-150100.8.3.3

python3-grpcio: before 1.25.0-150100.3.3.3

grpc-devel: before 1.25.0-150100.3.3.3

protobuf-devel-debuginfo: before 3.9.2-150100.8.3.3

python2-protobuf: before 3.9.2-150100.8.3.3

python-psutil-debugsource: before 5.9.1-150100.6.6.3

python3-psutil-debuginfo: before 5.9.1-150100.6.6.3

python2-grpcio: before 1.25.0-150100.3.3.3

python-cryptography-debugsource: before 3.3.2-150100.7.15.3

python2-grpcio-debuginfo: before 1.25.0-150100.3.3.3

python-websockets-debugsource: before 9.1-150100.3.3.3

python2-psutil: before 5.9.1-150100.6.6.3

python2-cryptography-debuginfo: before 3.3.2-150100.7.15.3

python3-websockets-debuginfo: before 9.1-150100.3.3.3

libgrpc8-debuginfo: before 1.25.0-150100.3.3.3

libprotoc20-debuginfo: before 3.9.2-150100.8.3.3

grpc-devel-debuginfo: before 1.25.0-150100.3.3.3

python3-grpcio-debuginfo: before 1.25.0-150100.3.3.3

python2-psutil-debuginfo: before 5.9.1-150100.6.6.3

python-psutil-debuginfo: before 5.9.1-150100.6.6.3

libprotobuf20-debuginfo: before 3.9.2-150100.8.3.3

libgrpc++1-debuginfo: before 1.25.0-150100.3.3.3

python2-cryptography: before 3.3.2-150100.7.15.3

protobuf-devel: before 3.9.2-150100.8.3.3

grpc-debuginfo: before 1.25.0-150100.3.3.3

grpc-debugsource: before 1.25.0-150100.3.3.3

python-cryptography-debuginfo: before 3.3.2-150100.7.15.3

libprotobuf-lite20-debuginfo: before 3.9.2-150100.8.3.3

python3-PyGithub: before 1.43.5-150100.3.3.3

python3-Deprecated: before 1.2.13-150100.3.3.3

python3-opencensus-ext-threading: before 0.1.2-150100.3.3.3

python3-google-api-core: before 1.14.2-150100.3.3.3

python3-opencensus-context: before 0.1.2-150100.3.3.3

protobuf-source: before 3.9.2-150100.8.3.3

python3-googleapis-common-protos: before 1.6.0-150100.3.3.3

python3-pytest: before 3.10.1-150000.7.5.1

python2-jsondiff: before 1.3.0-150100.3.6.3

python3-cryptography-vectors: before 3.3.2-150100.3.11.3

python2-cryptography-vectors: before 3.3.2-150100.3.11.3

python2-googleapis-common-protos: before 1.6.0-150100.3.3.3

python3-grpcio-gcp: before 0.2.2-150100.3.3.3

python3-requests: before 2.25.1-150100.6.13.3

python3-opencensus: before 0.8.0-150100.3.3.3

python2-requests: before 2.25.1-150100.6.13.3

grpc-source: before 1.25.0-150100.3.3.3

python2-grpcio-gcp: before 0.2.2-150100.3.3.3

python3-opentelemetry-api: before 1.5.0-150100.3.3.3

python3-avro: before 1.11.0-150100.3.3.3

python3-pytest-asyncio: before 0.8.0-150100.3.3.3

python2-humanfriendly: before 10.0-150100.6.3.3

libprotobuf-lite20: before 3.9.2-150100.8.3.3

python3-zope.interface-debuginfo: before 4.4.2-150000.3.4.1

python-zope.interface-debuginfo: before 4.4.2-150000.3.4.1

python-zope.interface-debugsource: before 4.4.2-150000.3.4.1

python3-zope.interface: before 4.4.2-150000.3.4.1

python3-constantly: before 15.1.0-150000.3.4.1

azure-cli-core: before 2.17.1-150100.6.18.1

python3-knack: before 0.9.0-150100.3.7.3

python3-websocket-client: before 1.3.2-150100.6.7.3

python3-jsondiff: before 1.3.0-150100.3.6.3

python3-hyperlink: before 17.2.1-150000.3.4.1

python3-humanfriendly: before 10.0-150100.6.3.3

External links

http://www.suse.com/support/update/announcement/2023/suse-su-20232783-1/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

7) Input validation error

EUVDB-ID: #VU69293

Risk: Medium

CVSSv3.1: 5.7 [CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-3171

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input containing multiple instances of non-repeated embedded messages with repeated or unknown fields. A remote attacker can cause objects to be converted back-n-forth between mutable and immutable forms, resulting in potentially long garbage collection pauses.

Mitigation

Update the affected package grpc, protobuf, python-Deprecated, python-PyGithub, python-aiocontextvars, python-avro, python-bcrypt, python-cryptography, python-cryptography-vectors, python-google-api-core, pyt to the latest version.

Vulnerable software versions

Server Applications Module: 15-SP4 - 15-SP5

Public Cloud Module: 15-SP1 - 15-SP5

SUSE Package Hub 15: 15-SP5

Basesystem Module: 15-SP4 - 15-SP5

SUSE Linux Enterprise Server for SAP Applications 15: SP1 - SP5

SUSE Linux Enterprise Server 15: SP1 - SP5

SUSE Linux Enterprise Real Time 15: SP3 - SP5

SUSE Linux Enterprise High Performance Computing 15: SP1 - SP5

SUSE Linux Enterprise Desktop 15: SP4 - SP5

SUSE Linux Enterprise Server 15 SP3 LTSS: 15-SP3

SUSE Linux Enterprise Server 15 SP2 LTSS: 15-SP2

SUSE Linux Enterprise Server 15 SP1 LTSS: 15-SP1

SUSE Linux Enterprise High Performance Computing LTSS 15: SP3

SUSE Linux Enterprise High Performance Computing ESPOS 15: SP3

SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS: 15-SP2

SUSE Linux Enterprise High Performance Computing 15 SP1 LTSS: 15-SP1

SUSE Enterprise Storage: 7.1

SUSE Manager Retail Branch Server: 4.0 - 4.3

SUSE Manager Proxy: 4.0 - 4.3

SUSE Manager Server: 4.0 - 4.3

SUSE CaaS Platform: 4.0

openSUSE Leap: 15.4

python3-Twisted-debuginfo: before 17.9.0-150000.3.8.1

python3-incremental: before 17.5.0-150000.3.4.1

python3-Automat: before 0.6.0-150000.3.4.1

libprotobuf20-32bit: before 3.9.2-150100.8.3.3

libprotobuf-lite20-32bit: before 3.9.2-150100.8.3.3

libprotoc20-32bit: before 3.9.2-150100.8.3.3

python3-cryptography-debuginfo: before 3.3.2-150100.7.15.3

protobuf-debugsource: before 3.9.2-150100.8.3.3

libprotobuf20: before 3.9.2-150100.8.3.3

python3-psutil: before 5.9.1-150100.6.6.3

python3-protobuf: before 3.9.2-150100.8.3.3

python3-aiocontextvars: before 0.2.2-150100.3.3.3

libgrpc++1: before 1.25.0-150100.3.3.3

libgrpc8: before 1.25.0-150100.3.3.3

python3-websockets: before 9.1-150100.3.3.3

python3-cryptography: before 3.3.2-150100.7.15.3

python3-Twisted: before 17.9.0-150000.3.8.1

libprotoc20: before 3.9.2-150100.8.3.3

protobuf-java: before 3.9.2-150100.8.3.3

python3-grpcio: before 1.25.0-150100.3.3.3

grpc-devel: before 1.25.0-150100.3.3.3

protobuf-devel-debuginfo: before 3.9.2-150100.8.3.3

python2-protobuf: before 3.9.2-150100.8.3.3

python-psutil-debugsource: before 5.9.1-150100.6.6.3

python3-psutil-debuginfo: before 5.9.1-150100.6.6.3

python2-grpcio: before 1.25.0-150100.3.3.3

python-cryptography-debugsource: before 3.3.2-150100.7.15.3

python2-grpcio-debuginfo: before 1.25.0-150100.3.3.3

python-websockets-debugsource: before 9.1-150100.3.3.3

python2-psutil: before 5.9.1-150100.6.6.3

python2-cryptography-debuginfo: before 3.3.2-150100.7.15.3

python3-websockets-debuginfo: before 9.1-150100.3.3.3

libgrpc8-debuginfo: before 1.25.0-150100.3.3.3

libprotoc20-debuginfo: before 3.9.2-150100.8.3.3

grpc-devel-debuginfo: before 1.25.0-150100.3.3.3

python3-grpcio-debuginfo: before 1.25.0-150100.3.3.3

python2-psutil-debuginfo: before 5.9.1-150100.6.6.3

python-psutil-debuginfo: before 5.9.1-150100.6.6.3

libprotobuf20-debuginfo: before 3.9.2-150100.8.3.3

libgrpc++1-debuginfo: before 1.25.0-150100.3.3.3

python2-cryptography: before 3.3.2-150100.7.15.3

protobuf-devel: before 3.9.2-150100.8.3.3

grpc-debuginfo: before 1.25.0-150100.3.3.3

grpc-debugsource: before 1.25.0-150100.3.3.3

python-cryptography-debuginfo: before 3.3.2-150100.7.15.3

libprotobuf-lite20-debuginfo: before 3.9.2-150100.8.3.3

python3-PyGithub: before 1.43.5-150100.3.3.3

python3-Deprecated: before 1.2.13-150100.3.3.3

python3-opencensus-ext-threading: before 0.1.2-150100.3.3.3

python3-google-api-core: before 1.14.2-150100.3.3.3

python3-opencensus-context: before 0.1.2-150100.3.3.3

protobuf-source: before 3.9.2-150100.8.3.3

python3-googleapis-common-protos: before 1.6.0-150100.3.3.3

python3-pytest: before 3.10.1-150000.7.5.1

python2-jsondiff: before 1.3.0-150100.3.6.3

python3-cryptography-vectors: before 3.3.2-150100.3.11.3

python2-cryptography-vectors: before 3.3.2-150100.3.11.3

python2-googleapis-common-protos: before 1.6.0-150100.3.3.3

python3-grpcio-gcp: before 0.2.2-150100.3.3.3

python3-requests: before 2.25.1-150100.6.13.3

python3-opencensus: before 0.8.0-150100.3.3.3

python2-requests: before 2.25.1-150100.6.13.3

grpc-source: before 1.25.0-150100.3.3.3

python2-grpcio-gcp: before 0.2.2-150100.3.3.3

python3-opentelemetry-api: before 1.5.0-150100.3.3.3

python3-avro: before 1.11.0-150100.3.3.3

python3-pytest-asyncio: before 0.8.0-150100.3.3.3

python2-humanfriendly: before 10.0-150100.6.3.3

libprotobuf-lite20: before 3.9.2-150100.8.3.3

python3-zope.interface-debuginfo: before 4.4.2-150000.3.4.1

python-zope.interface-debuginfo: before 4.4.2-150000.3.4.1

python-zope.interface-debugsource: before 4.4.2-150000.3.4.1

python3-zope.interface: before 4.4.2-150000.3.4.1

python3-constantly: before 15.1.0-150000.3.4.1

azure-cli-core: before 2.17.1-150100.6.18.1

python3-knack: before 0.9.0-150100.3.7.3

python3-websocket-client: before 1.3.2-150100.6.7.3

python3-jsondiff: before 1.3.0-150100.3.6.3

python3-hyperlink: before 17.2.1-150000.3.4.1

python3-humanfriendly: before 10.0-150100.6.3.3

External links

http://www.suse.com/support/update/announcement/2023/suse-su-20232783-1/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the local network (LAN).

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.



###SIDEBAR###