SUSE update for grpc, protobuf, python-Deprecated, python-PyGithub, python-aiocontextvars, python-avro, python-bcrypt, python-cryptography, python-cryptography-vectors, python-google-api-core, pyt



Published: 2023-09-20
Risk High
Patch available YES
Number of vulnerabilities 7
CVE-ID CVE-2018-1000518
CVE-2020-25659
CVE-2020-36242
CVE-2021-22569
CVE-2021-22570
CVE-2022-1941
CVE-2022-3171
CWE-ID CWE-400
CWE-385
CWE-190
CWE-399
CWE-20
Exploitation vector Network
Public exploit Public exploit code for vulnerability #4 is available.
Vulnerable software
Subscribe 		SUSE Linux Enterprise High Performance Computing 15 SP1 LTSS
Operating systems & Components / Operating system

SUSE Linux Enterprise High Performance Computing 15
Operating systems & Components / Operating system

python3-cryptography-debuginfo
Operating systems & Components / Operating system package or component

python3-psutil
Operating systems & Components / Operating system package or component

python3-cryptography
Operating systems & Components / Operating system package or component

python-psutil-debugsource
Operating systems & Components / Operating system package or component

python3-psutil-debuginfo
Operating systems & Components / Operating system package or component

python-cryptography-debugsource
Operating systems & Components / Operating system package or component

python2-psutil
Operating systems & Components / Operating system package or component

python2-cryptography-debuginfo
Operating systems & Components / Operating system package or component

python2-psutil-debuginfo
Operating systems & Components / Operating system package or component

python-psutil-debuginfo
Operating systems & Components / Operating system package or component

python2-cryptography
Operating systems & Components / Operating system package or component

python-cryptography-debuginfo
Operating systems & Components / Operating system package or component

python3-requests
Operating systems & Components / Operating system package or component

python2-requests
Operating systems & Components / Operating system package or component

libprotobuf-lite20
Operating systems & Components / Operating system package or component

python3-websocket-client
Operating systems & Components / Operating system package or component

Vendor SUSE

Security Bulletin

This security bulletin contains information about 7 vulnerabilities.

1) Resource exhaustion

EUVDB-ID: #VU77962

Risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-1000518

CWE-ID: CWE-400 - Resource exhaustion

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to application does not properly control consumption of internal resources when handling compressed data. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.

Mitigation

Update the affected package grpc, protobuf, python-Deprecated, python-PyGithub, python-aiocontextvars, python-avro, python-bcrypt, python-cryptography, python-cryptography-vectors, python-google-api-core, pyt to the latest version.

Vulnerable software versions

SUSE Linux Enterprise High Performance Computing 15 SP1 LTSS: 15-SP1

SUSE Linux Enterprise High Performance Computing 15: SP1

python3-cryptography-debuginfo: before 3.3.2-150100.7.15.3

python3-psutil: before 5.9.1-150100.6.6.3

python3-cryptography: before 3.3.2-150100.7.15.3

python-psutil-debugsource: before 5.9.1-150100.6.6.3

python3-psutil-debuginfo: before 5.9.1-150100.6.6.3

python-cryptography-debugsource: before 3.3.2-150100.7.15.3

python2-psutil: before 5.9.1-150100.6.6.3

python2-cryptography-debuginfo: before 3.3.2-150100.7.15.3

python2-psutil-debuginfo: before 5.9.1-150100.6.6.3

python-psutil-debuginfo: before 5.9.1-150100.6.6.3

python2-cryptography: before 3.3.2-150100.7.15.3

python-cryptography-debuginfo: before 3.3.2-150100.7.15.3

python3-requests: before 2.25.1-150100.6.13.3

python2-requests: before 2.25.1-150100.6.13.3

libprotobuf-lite20: before 3.9.2-150100.8.3.3

python3-websocket-client: before 1.3.2-150100.6.7.3

External links

http://www.suse.com/support/update/announcement/2023/suse-su-20232783-2/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Covert Timing Channel

EUVDB-ID: #VU50367

Risk: Medium

CVSSv3.1: 5.2 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-25659

CWE-ID: CWE-385 - Covert Timing Channel

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.

python-cryptography 3.2 is vulnerable to Bleichenbacher timing attacks in the RSA decryption API, via timed processing of valid PKCS#1 v1.5 ciphertext.

Mitigation

Update the affected package grpc, protobuf, python-Deprecated, python-PyGithub, python-aiocontextvars, python-avro, python-bcrypt, python-cryptography, python-cryptography-vectors, python-google-api-core, pyt to the latest version.

Vulnerable software versions

SUSE Linux Enterprise High Performance Computing 15 SP1 LTSS: 15-SP1

SUSE Linux Enterprise High Performance Computing 15: SP1

python3-cryptography-debuginfo: before 3.3.2-150100.7.15.3

python3-psutil: before 5.9.1-150100.6.6.3

python3-cryptography: before 3.3.2-150100.7.15.3

python-psutil-debugsource: before 5.9.1-150100.6.6.3

python3-psutil-debuginfo: before 5.9.1-150100.6.6.3

python-cryptography-debugsource: before 3.3.2-150100.7.15.3

python2-psutil: before 5.9.1-150100.6.6.3

python2-cryptography-debuginfo: before 3.3.2-150100.7.15.3

python2-psutil-debuginfo: before 5.9.1-150100.6.6.3

python-psutil-debuginfo: before 5.9.1-150100.6.6.3

python2-cryptography: before 3.3.2-150100.7.15.3

python-cryptography-debuginfo: before 3.3.2-150100.7.15.3

python3-requests: before 2.25.1-150100.6.13.3

python2-requests: before 2.25.1-150100.6.13.3

libprotobuf-lite20: before 3.9.2-150100.8.3.3

python3-websocket-client: before 1.3.2-150100.6.7.3

External links

http://www.suse.com/support/update/announcement/2023/suse-su-20232783-2/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Integer overflow

EUVDB-ID: #VU50990

Risk: High

CVSSv3.1: 8.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-36242

CWE-ID: CWE-190 - Integer overflow

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to integer overflow when processing certain sequences of update calls to symmetrically encrypt multi-GB values. A remote attacker can pass specially crafted data to the application, trigger integer overflow and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Update the affected package grpc, protobuf, python-Deprecated, python-PyGithub, python-aiocontextvars, python-avro, python-bcrypt, python-cryptography, python-cryptography-vectors, python-google-api-core, pyt to the latest version.

Vulnerable software versions

SUSE Linux Enterprise High Performance Computing 15 SP1 LTSS: 15-SP1

SUSE Linux Enterprise High Performance Computing 15: SP1

python3-cryptography-debuginfo: before 3.3.2-150100.7.15.3

python3-psutil: before 5.9.1-150100.6.6.3

python3-cryptography: before 3.3.2-150100.7.15.3

python-psutil-debugsource: before 5.9.1-150100.6.6.3

python3-psutil-debuginfo: before 5.9.1-150100.6.6.3

python-cryptography-debugsource: before 3.3.2-150100.7.15.3

python2-psutil: before 5.9.1-150100.6.6.3

python2-cryptography-debuginfo: before 3.3.2-150100.7.15.3

python2-psutil-debuginfo: before 5.9.1-150100.6.6.3

python-psutil-debuginfo: before 5.9.1-150100.6.6.3

python2-cryptography: before 3.3.2-150100.7.15.3

python-cryptography-debuginfo: before 3.3.2-150100.7.15.3

python3-requests: before 2.25.1-150100.6.13.3

python2-requests: before 2.25.1-150100.6.13.3

libprotobuf-lite20: before 3.9.2-150100.8.3.3

python3-websocket-client: before 1.3.2-150100.6.7.3

External links

http://www.suse.com/support/update/announcement/2023/suse-su-20232783-2/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

4) Resource management error

EUVDB-ID: #VU60181

Risk: Medium

CVSSv3.1: 5.9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C]

CVE-ID: CVE-2021-22569

CWE-ID: CWE-399 - Resource Management Errors

Exploit availability: Yes

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to improper management of internal resources within the application. protobuf-java allowes the interleaving of com.google.protobuf.UnknownFieldSet fields in such a way that would be processed out of order. A small malicious payload can occupy the parser for several minutes by creating large numbers of short-lived objects that cause frequent, repeated pauses. A remote attacker can trick the victim into passing specially crafted data to the application and perform a denial of service attack.

Mitigation

Update the affected package grpc, protobuf, python-Deprecated, python-PyGithub, python-aiocontextvars, python-avro, python-bcrypt, python-cryptography, python-cryptography-vectors, python-google-api-core, pyt to the latest version.

Vulnerable software versions

SUSE Linux Enterprise High Performance Computing 15 SP1 LTSS: 15-SP1

SUSE Linux Enterprise High Performance Computing 15: SP1

python3-cryptography-debuginfo: before 3.3.2-150100.7.15.3

python3-psutil: before 5.9.1-150100.6.6.3

python3-cryptography: before 3.3.2-150100.7.15.3

python-psutil-debugsource: before 5.9.1-150100.6.6.3

python3-psutil-debuginfo: before 5.9.1-150100.6.6.3

python-cryptography-debugsource: before 3.3.2-150100.7.15.3

python2-psutil: before 5.9.1-150100.6.6.3

python2-cryptography-debuginfo: before 3.3.2-150100.7.15.3

python2-psutil-debuginfo: before 5.9.1-150100.6.6.3

python-psutil-debuginfo: before 5.9.1-150100.6.6.3

python2-cryptography: before 3.3.2-150100.7.15.3

python-cryptography-debuginfo: before 3.3.2-150100.7.15.3

python3-requests: before 2.25.1-150100.6.13.3

python2-requests: before 2.25.1-150100.6.13.3

libprotobuf-lite20: before 3.9.2-150100.8.3.3

python3-websocket-client: before 1.3.2-150100.6.7.3

External links

http://www.suse.com/support/update/announcement/2023/suse-su-20232783-2/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

5) Improper input validation

EUVDB-ID: #VU62403

Risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-22570

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation within the Server: Compiling (protobuf) component in MySQL Server. A remote non-authenticated attacker can exploit this vulnerability to perform a denial of service (DoS) attack.

Mitigation

Update the affected package grpc, protobuf, python-Deprecated, python-PyGithub, python-aiocontextvars, python-avro, python-bcrypt, python-cryptography, python-cryptography-vectors, python-google-api-core, pyt to the latest version.

Vulnerable software versions

SUSE Linux Enterprise High Performance Computing 15 SP1 LTSS: 15-SP1

SUSE Linux Enterprise High Performance Computing 15: SP1

python3-cryptography-debuginfo: before 3.3.2-150100.7.15.3

python3-psutil: before 5.9.1-150100.6.6.3

python3-cryptography: before 3.3.2-150100.7.15.3

python-psutil-debugsource: before 5.9.1-150100.6.6.3

python3-psutil-debuginfo: before 5.9.1-150100.6.6.3

python-cryptography-debugsource: before 3.3.2-150100.7.15.3

python2-psutil: before 5.9.1-150100.6.6.3

python2-cryptography-debuginfo: before 3.3.2-150100.7.15.3

python2-psutil-debuginfo: before 5.9.1-150100.6.6.3

python-psutil-debuginfo: before 5.9.1-150100.6.6.3

python2-cryptography: before 3.3.2-150100.7.15.3

python-cryptography-debuginfo: before 3.3.2-150100.7.15.3

python3-requests: before 2.25.1-150100.6.13.3

python2-requests: before 2.25.1-150100.6.13.3

libprotobuf-lite20: before 3.9.2-150100.8.3.3

python3-websocket-client: before 1.3.2-150100.6.7.3

External links

http://www.suse.com/support/update/announcement/2023/suse-su-20232783-2/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

6) Improper input validation

EUVDB-ID: #VU71261

Risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-1941

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation within the Connector/Python (Python) component in MySQL Connectors. A remote non-authenticated attacker can exploit this vulnerability to perform a denial of service (DoS) attack.

Mitigation

Update the affected package grpc, protobuf, python-Deprecated, python-PyGithub, python-aiocontextvars, python-avro, python-bcrypt, python-cryptography, python-cryptography-vectors, python-google-api-core, pyt to the latest version.

Vulnerable software versions

SUSE Linux Enterprise High Performance Computing 15 SP1 LTSS: 15-SP1

SUSE Linux Enterprise High Performance Computing 15: SP1

python3-cryptography-debuginfo: before 3.3.2-150100.7.15.3

python3-psutil: before 5.9.1-150100.6.6.3

python3-cryptography: before 3.3.2-150100.7.15.3

python-psutil-debugsource: before 5.9.1-150100.6.6.3

python3-psutil-debuginfo: before 5.9.1-150100.6.6.3

python-cryptography-debugsource: before 3.3.2-150100.7.15.3

python2-psutil: before 5.9.1-150100.6.6.3

python2-cryptography-debuginfo: before 3.3.2-150100.7.15.3

python2-psutil-debuginfo: before 5.9.1-150100.6.6.3

python-psutil-debuginfo: before 5.9.1-150100.6.6.3

python2-cryptography: before 3.3.2-150100.7.15.3

python-cryptography-debuginfo: before 3.3.2-150100.7.15.3

python3-requests: before 2.25.1-150100.6.13.3

python2-requests: before 2.25.1-150100.6.13.3

libprotobuf-lite20: before 3.9.2-150100.8.3.3

python3-websocket-client: before 1.3.2-150100.6.7.3

External links

http://www.suse.com/support/update/announcement/2023/suse-su-20232783-2/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

7) Input validation error

EUVDB-ID: #VU69293

Risk: Medium

CVSSv3.1: 5.7 [CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-3171

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input containing multiple instances of non-repeated embedded messages with repeated or unknown fields. A remote attacker can cause objects to be converted back-n-forth between mutable and immutable forms, resulting in potentially long garbage collection pauses.

Mitigation

Update the affected package grpc, protobuf, python-Deprecated, python-PyGithub, python-aiocontextvars, python-avro, python-bcrypt, python-cryptography, python-cryptography-vectors, python-google-api-core, pyt to the latest version.

Vulnerable software versions

SUSE Linux Enterprise High Performance Computing 15 SP1 LTSS: 15-SP1

SUSE Linux Enterprise High Performance Computing 15: SP1

python3-cryptography-debuginfo: before 3.3.2-150100.7.15.3

python3-psutil: before 5.9.1-150100.6.6.3

python3-cryptography: before 3.3.2-150100.7.15.3

python-psutil-debugsource: before 5.9.1-150100.6.6.3

python3-psutil-debuginfo: before 5.9.1-150100.6.6.3

python-cryptography-debugsource: before 3.3.2-150100.7.15.3

python2-psutil: before 5.9.1-150100.6.6.3

python2-cryptography-debuginfo: before 3.3.2-150100.7.15.3

python2-psutil-debuginfo: before 5.9.1-150100.6.6.3

python-psutil-debuginfo: before 5.9.1-150100.6.6.3

python2-cryptography: before 3.3.2-150100.7.15.3

python-cryptography-debuginfo: before 3.3.2-150100.7.15.3

python3-requests: before 2.25.1-150100.6.13.3

python2-requests: before 2.25.1-150100.6.13.3

libprotobuf-lite20: before 3.9.2-150100.8.3.3

python3-websocket-client: before 1.3.2-150100.6.7.3

External links

http://www.suse.com/support/update/announcement/2023/suse-su-20232783-2/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the local network (LAN).

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.



###SIDEBAR###