SUSE update for Maintenance update for SUSE Manager 4.3: Server, Proxy and Retail Branch Server



Published: 2024-02-20
Risk Medium
Patch available YES
Number of vulnerabilities 2
CVE-ID CVE-2023-31582, CVE-2023-32189
CWE-ID CWE-331, CWE-22
Exploitation vector Network
Public exploit N/A
Vulnerable software
SUSE Manager Proxy Module
Operating systems & Components / Operating system

SUSE Manager Server Module
Operating systems & Components / Operating system

SUSE Manager Retail Branch Server
Operating systems & Components / Operating system

SUSE Manager Server
Operating systems & Components / Operating system

SUSE Manager Proxy
Operating systems & Components / Operating system

susemanager-tools
Operating systems & Components / Operating system package or component

inter-server-sync-debuginfo
Operating systems & Components / Operating system package or component

patterns-suma_server
Operating systems & Components / Operating system package or component

susemanager
Operating systems & Components / Operating system package or component

prometheus-postgres_exporter
Operating systems & Components / Operating system package or component

inter-server-sync
Operating systems & Components / Operating system package or component

patterns-suma_retail
Operating systems & Components / Operating system package or component

spacewalk-taskomatic
Operating systems & Components / Operating system package or component

spacewalk-backend-package-push-server
Operating systems & Components / Operating system package or component

saltboot-formula
Operating systems & Components / Operating system package or component

spacewalk-backend-server
Operating systems & Components / Operating system package or component

prometheus-formula
Operating systems & Components / Operating system package or component

spacewalk-backend-sql
Operating systems & Components / Operating system package or component

susemanager-docs_en-pdf
Operating systems & Components / Operating system package or component

susemanager-schema-utility
Operating systems & Components / Operating system package or component

spacewalk-backend-xmlrpc
Operating systems & Components / Operating system package or component

liberate-formula
Operating systems & Components / Operating system package or component

jose4j
Operating systems & Components / Operating system package or component

spacewalk-backend-iss-export
Operating systems & Components / Operating system package or component

subscription-matcher
Operating systems & Components / Operating system package or component

spacewalk-backend-xml-export-libs
Operating systems & Components / Operating system package or component

spacewalk-backend-sql-postgresql
Operating systems & Components / Operating system package or component

spacewalk-backend-config-files-tool
Operating systems & Components / Operating system package or component

supportutils-plugin-susemanager
Operating systems & Components / Operating system package or component

spacewalk-java-postgresql
Operating systems & Components / Operating system package or component

grafana-formula
Operating systems & Components / Operating system package or component

spacewalk-base
Operating systems & Components / Operating system package or component

spacewalk-html
Operating systems & Components / Operating system package or component

spacewalk-java
Operating systems & Components / Operating system package or component

susemanager-schema
Operating systems & Components / Operating system package or component

susemanager-docs_en
Operating systems & Components / Operating system package or component

uyuni-reportdb-schema
Operating systems & Components / Operating system package or component

spacewalk-backend-config-files-common
Operating systems & Components / Operating system package or component

spacewalk-utils-extras
Operating systems & Components / Operating system package or component

spacewalk-setup
Operating systems & Components / Operating system package or component

cobbler
Operating systems & Components / Operating system package or component

spacewalk-java-lib
Operating systems & Components / Operating system package or component

spacewalk-backend-config-files
Operating systems & Components / Operating system package or component

susemanager-sync-data
Operating systems & Components / Operating system package or component

spacewalk-utils
Operating systems & Components / Operating system package or component

spacewalk-backend-app
Operating systems & Components / Operating system package or component

spacewalk-backend-applet
Operating systems & Components / Operating system package or component

uyuni-config-modules
Operating systems & Components / Operating system package or component

susemanager-sls
Operating systems & Components / Operating system package or component

spacewalk-backend-tools
Operating systems & Components / Operating system package or component

spacewalk-backend-iss
Operating systems & Components / Operating system package or component

spacewalk-java-config
Operating systems & Components / Operating system package or component

patterns-suma_proxy
Operating systems & Components / Operating system package or component

python3-spacewalk-client-tools
Operating systems & Components / Operating system package or component

spacewalk-certs-tools
Operating systems & Components / Operating system package or component

python3-spacewalk-certs-tools
Operating systems & Components / Operating system package or component

spacewalk-backend
Operating systems & Components / Operating system package or component

spacewalk-base-minimal-config
Operating systems & Components / Operating system package or component

spacewalk-client-setup
Operating systems & Components / Operating system package or component

spacecmd
Operating systems & Components / Operating system package or component

python3-spacewalk-client-setup
Operating systems & Components / Operating system package or component

python3-spacewalk-check
Operating systems & Components / Operating system package or component

spacewalk-check
Operating systems & Components / Operating system package or component

susemanager-build-keys-web
Operating systems & Components / Operating system package or component

spacewalk-client-tools
Operating systems & Components / Operating system package or component

susemanager-build-keys
Operating systems & Components / Operating system package or component

mgr-daemon
Operating systems & Components / Operating system package or component

spacewalk-base-minimal
Operating systems & Components / Operating system package or component

Vendor SUSE

Security Bulletin

This security bulletin contains information about 2 vulnerabilities.

1) Insufficient entropy

EUVDB-ID: #VU83977

Risk: Medium

CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-31582

CWE-ID: CWE-331 - Insufficient Entropy

Exploit availability: No

Description

The vulnerability allows a remote attacker to brute-force a JWT token.

The vulnerability exists due to the use of insufficient entropy when generating JWT tokens. A remote attacker can brute-force the JWT token and gain unauthorized access to the application.

Mitigation

Install the Maintenance update for SUSE Manager 4.3: Server, Proxy and Retail Branch Server, bringing the affected packages to the latest version.

Vulnerable software versions

SUSE Manager Proxy Module: 4.3

SUSE Manager Server Module: 4.3

SUSE Manager Retail Branch Server: 4.3

SUSE Manager Server: 4.3

SUSE Manager Proxy: 4.3

susemanager-tools: before 4.3.34-150400.3.45.5

inter-server-sync-debuginfo: before 0.3.2-150400.3.27.5

patterns-suma_server: before 4.3-150400.5.9.5

susemanager: before 4.3.34-150400.3.45.5

prometheus-postgres_exporter: before 0.10.1-150400.3.9.5

inter-server-sync: before 0.3.2-150400.3.27.5

patterns-suma_retail: before 4.3-150400.5.9.5

spacewalk-taskomatic: before 4.3.71-150400.3.74.2

spacewalk-backend-package-push-server: before 4.3.27-150400.3.38.2

saltboot-formula: before 0.1.1701196218.b6b8ca1-150400.3.15.3

spacewalk-backend-server: before 4.3.27-150400.3.38.2

prometheus-formula: before 0.8.0-150400.3.6.5

spacewalk-backend-sql: before 4.3.27-150400.3.38.2

susemanager-docs_en-pdf: before 4.3-150400.9.53.5

susemanager-schema-utility: before 4.3.24-150400.3.36.7

spacewalk-backend-xmlrpc: before 4.3.27-150400.3.38.2

liberate-formula: before 0.1.0-150400.10.3.3

jose4j: before 0.5.1-150400.3.6.2

spacewalk-backend-iss-export: before 4.3.27-150400.3.38.2

subscription-matcher: before 0.35-150400.3.19.5

spacewalk-backend-xml-export-libs: before 4.3.27-150400.3.38.2

spacewalk-backend-sql-postgresql: before 4.3.27-150400.3.38.2

spacewalk-backend-config-files-tool: before 4.3.27-150400.3.38.2

supportutils-plugin-susemanager: before 4.3.10-150400.3.18.5

spacewalk-java-postgresql: before 4.3.71-150400.3.74.2

grafana-formula: before 0.10.0-150400.3.15.5

spacewalk-base: before 4.3.37-150400.3.39.7

spacewalk-html: before 4.3.37-150400.3.39.7

spacewalk-java: before 4.3.71-150400.3.74.2

susemanager-schema: before 4.3.24-150400.3.36.7

susemanager-docs_en: before 4.3-150400.9.53.5

uyuni-reportdb-schema: before 4.3.9-150400.3.12.7

spacewalk-backend-config-files-common: before 4.3.27-150400.3.38.2

spacewalk-utils-extras: before 4.3.19-150400.3.21.5

spacewalk-setup: before 4.3.19-150400.3.30.5

cobbler: before 3.3.3-150400.5.39.5

spacewalk-java-lib: before 4.3.71-150400.3.74.2

spacewalk-backend-config-files: before 4.3.27-150400.3.38.2

susemanager-sync-data: before 4.3.16-150400.3.22.2

spacewalk-utils: before 4.3.19-150400.3.21.5

spacewalk-backend-app: before 4.3.27-150400.3.38.2

spacewalk-backend-applet: before 4.3.27-150400.3.38.2

uyuni-config-modules: before 4.3.40-150400.3.44.1

susemanager-sls: before 4.3.40-150400.3.44.1

spacewalk-backend-tools: before 4.3.27-150400.3.38.2

spacewalk-backend-iss: before 4.3.27-150400.3.38.2

spacewalk-java-config: before 4.3.71-150400.3.74.2

patterns-suma_proxy: before 4.3-150400.5.9.5

python3-spacewalk-client-tools: before 4.3.18-150400.3.24.7

spacewalk-certs-tools: before 4.3.22-150400.3.25.1

python3-spacewalk-certs-tools: before 4.3.22-150400.3.25.1

spacewalk-backend: before 4.3.27-150400.3.38.2

spacewalk-base-minimal-config: before 4.3.37-150400.3.39.7

spacewalk-client-setup: before 4.3.18-150400.3.24.7

spacecmd: before 4.3.26-150400.3.33.5

python3-spacewalk-client-setup: before 4.3.18-150400.3.24.7

python3-spacewalk-check: before 4.3.18-150400.3.24.7

spacewalk-check: before 4.3.18-150400.3.24.7

susemanager-build-keys-web: before 15.4.10-150400.3.23.5

spacewalk-client-tools: before 4.3.18-150400.3.24.7

susemanager-build-keys: before 15.4.10-150400.3.23.5

mgr-daemon: before 4.3.8-150400.3.12.5

spacewalk-base-minimal: before 4.3.37-150400.3.39.7

External links

http://www.suse.com/support/update/announcement/2024/suse-su-20240485-1/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Path traversal

EUVDB-ID: #VU86618

Risk: Medium

CVSSv3.1: 5.9 [CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-32189

CWE-ID: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Exploit availability: No

Description

The vulnerability allows a remote user to perform directory traversal attacks.

The vulnerability exists due to an input validation error in SUSE Manager when processing directory traversal sequences in the private SSH key file name supplied when creating a new user. A remote user can pass a specially crafted file name to the application and overwrite arbitrary files on the system.
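As an added illustration, not code from SUSE Manager or from the advisory, the Python below places the unvalidated-join pattern the description refers to next to a hardened version that confines a user-supplied SSH key file name to the key store. The store path, function names and sample file names are assumptions constructed for the example.

```python
import os
from pathlib import Path

# Constructed store location for the example; the advisory does not state
# where SUSE Manager keeps uploaded SSH keys.
KEY_STORE = Path("/srv/example/ssh-keys")


class UnsafeFilename(ValueError):
    """Raised when a user-supplied key file name cannot be stored safely."""


def vulnerable_key_path(base_dir: Path, filename: str) -> Path:
    """Pattern of the defect described above: the user-supplied name is
    joined to the store directory without validation, so traversal
    sequences in the name resolve to a path outside base_dir."""
    return Path(os.path.normpath(base_dir / filename))


def safe_key_path(base_dir: Path, filename: str) -> Path:
    """Hardened form: accept only a bare file name and verify the result
    still lies directly inside base_dir before any write happens."""
    if not filename or filename in (".", ".."):
        raise UnsafeFilename("empty or dot-only file name")
    if any(ch in filename for ch in ("/", "\\", "\0")):
        raise UnsafeFilename("path separators or NUL are not allowed")
    if not filename.isprintable():
        raise UnsafeFilename("control characters are not allowed")
    base = base_dir.resolve()
    candidate = (base / filename).resolve()
    # Belt and braces: even after the character checks, confirm containment.
    if candidate.parent != base or candidate.name != filename:
        raise UnsafeFilename("file name escapes the key store")
    return candidate


def is_rejected(base_dir: Path, filename: str) -> bool:
    """True when the hardened check refuses the name."""
    try:
        safe_key_path(base_dir, filename)
    except UnsafeFilename:
        return True
    return False


def escapes_store(base_dir: Path, filename: str) -> bool:
    """Defender's check: does the unvalidated join land outside base_dir?"""
    base = str(base_dir.resolve())
    target = str(vulnerable_key_path(Path(base), filename))
    return os.path.commonpath([base, target]) != base
```

Applying the same containment check to any other user-controlled file name that the server writes (uploaded certificates, exported files) closes the class of bug, not just this instance.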

Mitigation

Install the Maintenance update for SUSE Manager 4.3: Server, Proxy and Retail Branch Server, bringing the affected packages to the latest version.

Vulnerable software versions

SUSE Manager Proxy Module: 4.3

SUSE Manager Server Module: 4.3

SUSE Manager Retail Branch Server: 4.3

SUSE Manager Server: 4.3

SUSE Manager Proxy: 4.3

susemanager-tools: before 4.3.34-150400.3.45.5

inter-server-sync-debuginfo: before 0.3.2-150400.3.27.5

patterns-suma_server: before 4.3-150400.5.9.5

susemanager: before 4.3.34-150400.3.45.5

prometheus-postgres_exporter: before 0.10.1-150400.3.9.5

inter-server-sync: before 0.3.2-150400.3.27.5

patterns-suma_retail: before 4.3-150400.5.9.5

spacewalk-taskomatic: before 4.3.71-150400.3.74.2

spacewalk-backend-package-push-server: before 4.3.27-150400.3.38.2

saltboot-formula: before 0.1.1701196218.b6b8ca1-150400.3.15.3

spacewalk-backend-server: before 4.3.27-150400.3.38.2

prometheus-formula: before 0.8.0-150400.3.6.5

spacewalk-backend-sql: before 4.3.27-150400.3.38.2

susemanager-docs_en-pdf: before 4.3-150400.9.53.5

susemanager-schema-utility: before 4.3.24-150400.3.36.7

spacewalk-backend-xmlrpc: before 4.3.27-150400.3.38.2

liberate-formula: before 0.1.0-150400.10.3.3

jose4j: before 0.5.1-150400.3.6.2

spacewalk-backend-iss-export: before 4.3.27-150400.3.38.2

subscription-matcher: before 0.35-150400.3.19.5

spacewalk-backend-xml-export-libs: before 4.3.27-150400.3.38.2

spacewalk-backend-sql-postgresql: before 4.3.27-150400.3.38.2

spacewalk-backend-config-files-tool: before 4.3.27-150400.3.38.2

supportutils-plugin-susemanager: before 4.3.10-150400.3.18.5

spacewalk-java-postgresql: before 4.3.71-150400.3.74.2

grafana-formula: before 0.10.0-150400.3.15.5

spacewalk-base: before 4.3.37-150400.3.39.7

spacewalk-html: before 4.3.37-150400.3.39.7

spacewalk-java: before 4.3.71-150400.3.74.2

susemanager-schema: before 4.3.24-150400.3.36.7

susemanager-docs_en: before 4.3-150400.9.53.5

uyuni-reportdb-schema: before 4.3.9-150400.3.12.7

spacewalk-backend-config-files-common: before 4.3.27-150400.3.38.2

spacewalk-utils-extras: before 4.3.19-150400.3.21.5

spacewalk-setup: before 4.3.19-150400.3.30.5

cobbler: before 3.3.3-150400.5.39.5

spacewalk-java-lib: before 4.3.71-150400.3.74.2

spacewalk-backend-config-files: before 4.3.27-150400.3.38.2

susemanager-sync-data: before 4.3.16-150400.3.22.2

spacewalk-utils: before 4.3.19-150400.3.21.5

spacewalk-backend-app: before 4.3.27-150400.3.38.2

spacewalk-backend-applet: before 4.3.27-150400.3.38.2

uyuni-config-modules: before 4.3.40-150400.3.44.1

susemanager-sls: before 4.3.40-150400.3.44.1

spacewalk-backend-tools: before 4.3.27-150400.3.38.2

spacewalk-backend-iss: before 4.3.27-150400.3.38.2

spacewalk-java-config: before 4.3.71-150400.3.74.2

patterns-suma_proxy: before 4.3-150400.5.9.5

python3-spacewalk-client-tools: before 4.3.18-150400.3.24.7

spacewalk-certs-tools: before 4.3.22-150400.3.25.1

python3-spacewalk-certs-tools: before 4.3.22-150400.3.25.1

spacewalk-backend: before 4.3.27-150400.3.38.2

spacewalk-base-minimal-config: before 4.3.37-150400.3.39.7

spacewalk-client-setup: before 4.3.18-150400.3.24.7

spacecmd: before 4.3.26-150400.3.33.5

python3-spacewalk-client-setup: before 4.3.18-150400.3.24.7

python3-spacewalk-check: before 4.3.18-150400.3.24.7

spacewalk-check: before 4.3.18-150400.3.24.7

susemanager-build-keys-web: before 15.4.10-150400.3.23.5

spacewalk-client-tools: before 4.3.18-150400.3.24.7

susemanager-build-keys: before 15.4.10-150400.3.23.5

mgr-daemon: before 4.3.8-150400.3.12.5

spacewalk-base-minimal: before 4.3.37-150400.3.39.7

External links

http://www.suse.com/support/update/announcement/2024/suse-su-20240485-1/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.
