SUSE update for Maintenance update for SUSE Manager 4.2: Server, Proxy and Retail Branch Server

1) Improper Certificate Validation

EUVDB-ID: #VU78913

Risk: Medium

CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-29409

CWE-ID: CWE-295 - Improper Certificate Validation

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise the target system.

The vulnerability exists due to verifying certificate chains containing large RSA keys is slow. A remote attacker can cause a client/server to expend significant CPU time verifying signatures.

Mitigation

Update the affected package Maintenance update for SUSE Manager 4.2: Server, Proxy and Retail Branch Server to the latest version.

Vulnerable software versions

SUSE Manager Proxy Module: 4.2

SUSE Manager Server Module: 4.2

SUSE Manager Retail Branch Server: 4.2

SUSE Manager Server: 4.2

SUSE Manager Proxy: 4.2

spacewalk-backend-config-files-common: before 4.2.29-150300.4.44.5

spacewalk-taskomatic: before 4.2.55-150300.3.73.2

uyuni-config-modules: before 4.2.35-150300.3.54.3

spacewalk-backend-iss-export: before 4.2.29-150300.4.44.5

spacewalk-reports: before 4.2.8-150300.3.12.3

spacewalk-backend-app: before 4.2.29-150300.4.44.5

spacewalk-backend-config-files-tool: before 4.2.29-150300.4.44.5

spacewalk-java-postgresql: before 4.2.55-150300.3.73.2

susemanager-docs_en: before 4.2-150300.12.48.3

susemanager-docs_en-pdf: before 4.2-150300.12.48.3

spacewalk-backend-config-files: before 4.2.29-150300.4.44.5

spacewalk-backend-applet: before 4.2.29-150300.4.44.5

spacewalk-backend-sql: before 4.2.29-150300.4.44.5

spacewalk-backend-server: before 4.2.29-150300.4.44.5

susemanager-schema: before 4.2.29-150300.3.41.5

spacewalk-java-config: before 4.2.55-150300.3.73.2

susemanager-sls: before 4.2.35-150300.3.54.3

spacewalk-backend-sql-postgresql: before 4.2.29-150300.4.44.5

spacewalk-backend-tools: before 4.2.29-150300.4.44.5

spacewalk-base: before 4.2.36-150300.3.47.5

spacewalk-utils: before 4.2.20-150300.3.27.3

susemanager-doc-indexes: before 4.2-150300.12.48.5

spacewalk-java: before 4.2.55-150300.3.73.2

spacewalk-html: before 4.2.36-150300.3.47.5

spacewalk-backend-xmlrpc: before 4.2.29-150300.4.44.5

spacewalk-backend-iss: before 4.2.29-150300.4.44.5

spacewalk-setup: before 4.2.13-150300.3.21.3

spacewalk-utils-extras: before 4.2.20-150300.3.27.3

spacewalk-backend-xml-export-libs: before 4.2.29-150300.4.44.5

spacewalk-backend-package-push-server: before 4.2.29-150300.4.44.5

spacewalk-java-lib: before 4.2.55-150300.3.73.2

susemanager-tools: before 4.2.44-150300.3.59.1

inter-server-sync: before 0.3.0-150300.8.36.1

hub-xmlrpc-api: before 0.7-150300.3.14.2

susemanager: before 4.2.44-150300.3.59.1

inter-server-sync-debuginfo: before 0.3.0-150300.8.36.1

spacewalk-base-minimal: before 4.2.36-150300.3.47.5

spacecmd: before 4.2.24-150300.4.42.3

spacewalk-base-minimal-config: before 4.2.36-150300.3.47.5

spacewalk-backend: before 4.2.29-150300.4.44.5

External links

http://www.suse.com/support/update/announcement/2023/suse-su-20233474-1/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.