SUSE update for SUSE Manager Client Tools



Risk Medium
Patch available YES
Number of vulnerabilities 5
CVE-ID CVE-2021-27962
CVE-2021-28146
CVE-2021-28147
CVE-2021-28148
CVE-2021-29622
CWE-ID CWE-269
CWE-284
CWE-799
CWE-601
Exploitation vector Network
Public exploit N/A
Vulnerable software
 SUSE Manager Tools
Operating systems & Components / Operating system

suseRegisterInfo
Operating systems & Components / Operating system package or component

spacewalk-oscap
Operating systems & Components / Operating system package or component

spacewalk-koan
Operating systems & Components / Operating system package or component

spacewalk-client-tools
Operating systems & Components / Operating system package or component

spacewalk-client-setup
Operating systems & Components / Operating system package or component

spacewalk-check
Operating systems & Components / Operating system package or component

spacecmd
Operating systems & Components / Operating system package or component

python2-suseRegisterInfo
Operating systems & Components / Operating system package or component

python2-spacewalk-oscap
Operating systems & Components / Operating system package or component

python2-spacewalk-koan
Operating systems & Components / Operating system package or component

python2-spacewalk-client-tools
Operating systems & Components / Operating system package or component

python2-spacewalk-client-setup
Operating systems & Components / Operating system package or component

python2-spacewalk-check
Operating systems & Components / Operating system package or component

python2-rhnlib
Operating systems & Components / Operating system package or component

python2-mgr-virtualization-host
Operating systems & Components / Operating system package or component

python2-mgr-virtualization-common
Operating systems & Components / Operating system package or component

python2-mgr-push
Operating systems & Components / Operating system package or component

python2-mgr-osad
Operating systems & Components / Operating system package or component

python2-mgr-osa-common
Operating systems & Components / Operating system package or component

python2-mgr-cfg-management
Operating systems & Components / Operating system package or component

python2-mgr-cfg-client
Operating systems & Components / Operating system package or component

python2-mgr-cfg-actions
Operating systems & Components / Operating system package or component

python2-mgr-cfg
Operating systems & Components / Operating system package or component

mgr-virtualization-host
Operating systems & Components / Operating system package or component

mgr-push
Operating systems & Components / Operating system package or component

mgr-osad
Operating systems & Components / Operating system package or component

mgr-custom-info
Operating systems & Components / Operating system package or component

mgr-cfg-management
Operating systems & Components / Operating system package or component

mgr-cfg-client
Operating systems & Components / Operating system package or component

mgr-cfg-actions
Operating systems & Components / Operating system package or component

mgr-cfg
Operating systems & Components / Operating system package or component

python2-uyuni-common-libs
Operating systems & Components / Operating system package or component

grafana
Operating systems & Components / Operating system package or component

golang-github-prometheus-prometheus
Operating systems & Components / Operating system package or component

Vendor SUSE

Security Bulletin

This security bulletin contains information about 5 vulnerabilities.

1) Improper Privilege Management

EUVDB-ID: #VU51579

Risk: Low

CVSSv4.0: 1.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2021-27962

CWE-ID: CWE-269 - Improper Privilege Management

Exploit availability: No

Description

The vulnerability allows a remote attacker to escalate privileges within the application.

The vulnerability exists due to improper privilege management. A remote user with Editor privileges can bypass data source permissions on the organization's default data source.

Mitigation

Update the affected package SUSE Manager Client Tools to the latest version.

Vulnerable software versions

SUSE Manager Tools: 12 BETA

suseRegisterInfo: before 4.2.4-25.18.2

spacewalk-oscap: before 4.2.2-19.18.2

spacewalk-koan: before 4.2.4-24.24.2

spacewalk-client-tools: before 4.2.12-52.53.2

spacewalk-client-setup: before 4.2.12-52.53.2

spacewalk-check: before 4.2.12-52.53.2

spacecmd: before 4.2.11-38.85.2

python2-suseRegisterInfo: before 4.2.4-25.18.2

python2-spacewalk-oscap: before 4.2.2-19.18.2

python2-spacewalk-koan: before 4.2.4-24.24.2

python2-spacewalk-client-tools: before 4.2.12-52.53.2

python2-spacewalk-client-setup: before 4.2.12-52.53.2

python2-spacewalk-check: before 4.2.12-52.53.2

python2-rhnlib: before 4.2.4-21.34.2

python2-mgr-virtualization-host: before 4.2.2-1.20.2

python2-mgr-virtualization-common: before 4.2.2-1.20.2

python2-mgr-push: before 4.2.3-1.12.2

python2-mgr-osad: before 4.2.6-1.30.2

python2-mgr-osa-common: before 4.2.6-1.30.2

python2-mgr-cfg-management: before 4.2.3-1.18.2

python2-mgr-cfg-client: before 4.2.3-1.18.2

python2-mgr-cfg-actions: before 4.2.3-1.18.2

python2-mgr-cfg: before 4.2.3-1.18.2

mgr-virtualization-host: before 4.2.2-1.20.2

mgr-push: before 4.2.3-1.12.2

mgr-osad: before 4.2.6-1.30.2

mgr-custom-info: before 4.2.2-1.12.2

mgr-cfg-management: before 4.2.3-1.18.2

mgr-cfg-client: before 4.2.3-1.18.2

mgr-cfg-actions: before 4.2.3-1.18.2

mgr-cfg: before 4.2.3-1.18.2

python2-uyuni-common-libs: before 4.2.5-1.15.2

grafana: before 7.5.7-1.21.2

golang-github-prometheus-prometheus: before 2.27.1-1.29.2

CPE2.3 External links

http://www.suse.com/support/update/announcement/2021/suse-su-20212673-1/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Improper access control

EUVDB-ID: #VU51580

Risk: Medium

CVSSv4.0: 1.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2021-28146

CWE-ID: CWE-284 - Improper Access Control

Exploit availability: No

Description

The vulnerability allows a remote user to gain unauthorized access to otherwise restricted functionality.

The vulnerability exists due to improper access restrictions. A remote user can bypass implemented security restrictions and add external groups to existing teams.

Mitigation

Update the affected package SUSE Manager Client Tools to the latest version.

Vulnerable software versions

SUSE Manager Tools: 12 BETA

suseRegisterInfo: before 4.2.4-25.18.2

spacewalk-oscap: before 4.2.2-19.18.2

spacewalk-koan: before 4.2.4-24.24.2

spacewalk-client-tools: before 4.2.12-52.53.2

spacewalk-client-setup: before 4.2.12-52.53.2

spacewalk-check: before 4.2.12-52.53.2

spacecmd: before 4.2.11-38.85.2

python2-suseRegisterInfo: before 4.2.4-25.18.2

python2-spacewalk-oscap: before 4.2.2-19.18.2

python2-spacewalk-koan: before 4.2.4-24.24.2

python2-spacewalk-client-tools: before 4.2.12-52.53.2

python2-spacewalk-client-setup: before 4.2.12-52.53.2

python2-spacewalk-check: before 4.2.12-52.53.2

python2-rhnlib: before 4.2.4-21.34.2

python2-mgr-virtualization-host: before 4.2.2-1.20.2

python2-mgr-virtualization-common: before 4.2.2-1.20.2

python2-mgr-push: before 4.2.3-1.12.2

python2-mgr-osad: before 4.2.6-1.30.2

python2-mgr-osa-common: before 4.2.6-1.30.2

python2-mgr-cfg-management: before 4.2.3-1.18.2

python2-mgr-cfg-client: before 4.2.3-1.18.2

python2-mgr-cfg-actions: before 4.2.3-1.18.2

python2-mgr-cfg: before 4.2.3-1.18.2

mgr-virtualization-host: before 4.2.2-1.20.2

mgr-push: before 4.2.3-1.12.2

mgr-osad: before 4.2.6-1.30.2

mgr-custom-info: before 4.2.2-1.12.2

mgr-cfg-management: before 4.2.3-1.18.2

mgr-cfg-client: before 4.2.3-1.18.2

mgr-cfg-actions: before 4.2.3-1.18.2

mgr-cfg: before 4.2.3-1.18.2

python2-uyuni-common-libs: before 4.2.5-1.15.2

grafana: before 7.5.7-1.21.2

golang-github-prometheus-prometheus: before 2.27.1-1.29.2

CPE2.3 External links

http://www.suse.com/support/update/announcement/2021/suse-su-20212673-1/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Improper access control

EUVDB-ID: #VU51581

Risk: Medium

CVSSv4.0: 1.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2021-28147

CWE-ID: CWE-284 - Improper Access Control

Exploit availability: No

Description

The vulnerability allows a remote user to gain unauthorized access to otherwise restricted functionality.

The vulnerability exists due to improper access restrictions, when editorsCanAdmin  feature is enabled. A remote user can bypass implemented security restrictions and add external group members to existing teams.

Mitigation

Update the affected package SUSE Manager Client Tools to the latest version.

Vulnerable software versions

SUSE Manager Tools: 12 BETA

suseRegisterInfo: before 4.2.4-25.18.2

spacewalk-oscap: before 4.2.2-19.18.2

spacewalk-koan: before 4.2.4-24.24.2

spacewalk-client-tools: before 4.2.12-52.53.2

spacewalk-client-setup: before 4.2.12-52.53.2

spacewalk-check: before 4.2.12-52.53.2

spacecmd: before 4.2.11-38.85.2

python2-suseRegisterInfo: before 4.2.4-25.18.2

python2-spacewalk-oscap: before 4.2.2-19.18.2

python2-spacewalk-koan: before 4.2.4-24.24.2

python2-spacewalk-client-tools: before 4.2.12-52.53.2

python2-spacewalk-client-setup: before 4.2.12-52.53.2

python2-spacewalk-check: before 4.2.12-52.53.2

python2-rhnlib: before 4.2.4-21.34.2

python2-mgr-virtualization-host: before 4.2.2-1.20.2

python2-mgr-virtualization-common: before 4.2.2-1.20.2

python2-mgr-push: before 4.2.3-1.12.2

python2-mgr-osad: before 4.2.6-1.30.2

python2-mgr-osa-common: before 4.2.6-1.30.2

python2-mgr-cfg-management: before 4.2.3-1.18.2

python2-mgr-cfg-client: before 4.2.3-1.18.2

python2-mgr-cfg-actions: before 4.2.3-1.18.2

python2-mgr-cfg: before 4.2.3-1.18.2

mgr-virtualization-host: before 4.2.2-1.20.2

mgr-push: before 4.2.3-1.12.2

mgr-osad: before 4.2.6-1.30.2

mgr-custom-info: before 4.2.2-1.12.2

mgr-cfg-management: before 4.2.3-1.18.2

mgr-cfg-client: before 4.2.3-1.18.2

mgr-cfg-actions: before 4.2.3-1.18.2

mgr-cfg: before 4.2.3-1.18.2

python2-uyuni-common-libs: before 4.2.5-1.15.2

grafana: before 7.5.7-1.21.2

golang-github-prometheus-prometheus: before 2.27.1-1.29.2

CPE2.3 External links

http://www.suse.com/support/update/announcement/2021/suse-su-20212673-1/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

4) Improper control of interaction frequency

EUVDB-ID: #VU51582

Risk: Medium

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2021-28148

CWE-ID: CWE-799 - Improper Control of Interaction Frequency

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to absent control of interaction frequency within the HTTP API endpoint for insights usage. A remote non-authenticated attacker send multiple HTTP requests and perform a denial of service (DoS) attack.

Mitigation

Update the affected package SUSE Manager Client Tools to the latest version.

Vulnerable software versions

SUSE Manager Tools: 12 BETA

suseRegisterInfo: before 4.2.4-25.18.2

spacewalk-oscap: before 4.2.2-19.18.2

spacewalk-koan: before 4.2.4-24.24.2

spacewalk-client-tools: before 4.2.12-52.53.2

spacewalk-client-setup: before 4.2.12-52.53.2

spacewalk-check: before 4.2.12-52.53.2

spacecmd: before 4.2.11-38.85.2

python2-suseRegisterInfo: before 4.2.4-25.18.2

python2-spacewalk-oscap: before 4.2.2-19.18.2

python2-spacewalk-koan: before 4.2.4-24.24.2

python2-spacewalk-client-tools: before 4.2.12-52.53.2

python2-spacewalk-client-setup: before 4.2.12-52.53.2

python2-spacewalk-check: before 4.2.12-52.53.2

python2-rhnlib: before 4.2.4-21.34.2

python2-mgr-virtualization-host: before 4.2.2-1.20.2

python2-mgr-virtualization-common: before 4.2.2-1.20.2

python2-mgr-push: before 4.2.3-1.12.2

python2-mgr-osad: before 4.2.6-1.30.2

python2-mgr-osa-common: before 4.2.6-1.30.2

python2-mgr-cfg-management: before 4.2.3-1.18.2

python2-mgr-cfg-client: before 4.2.3-1.18.2

python2-mgr-cfg-actions: before 4.2.3-1.18.2

python2-mgr-cfg: before 4.2.3-1.18.2

mgr-virtualization-host: before 4.2.2-1.20.2

mgr-push: before 4.2.3-1.12.2

mgr-osad: before 4.2.6-1.30.2

mgr-custom-info: before 4.2.2-1.12.2

mgr-cfg-management: before 4.2.3-1.18.2

mgr-cfg-client: before 4.2.3-1.18.2

mgr-cfg-actions: before 4.2.3-1.18.2

mgr-cfg: before 4.2.3-1.18.2

python2-uyuni-common-libs: before 4.2.5-1.15.2

grafana: before 7.5.7-1.21.2

golang-github-prometheus-prometheus: before 2.27.1-1.29.2

CPE2.3 External links

http://www.suse.com/support/update/announcement/2021/suse-su-20212673-1/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

5) Open redirect

EUVDB-ID: #VU53343

Risk: Medium

CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2021-29622

CWE-ID: CWE-601 - URL Redirection to Untrusted Site ('Open Redirect')

Exploit availability: No

Description

The vulnerability allows a remote attacker to redirect victims to arbitrary URL.

The vulnerability exists due to improper sanitization of user-supplied data. A remote attacker can create a link that leads to a trusted website, however, when clicked, redirects the victim to arbitrary domain.

Successful exploitation of this vulnerability may allow a remote attacker to perform a phishing attack and steal potentially sensitive information.

Mitigation

Update the affected package SUSE Manager Client Tools to the latest version.

Vulnerable software versions

SUSE Manager Tools: 12 BETA

suseRegisterInfo: before 4.2.4-25.18.2

spacewalk-oscap: before 4.2.2-19.18.2

spacewalk-koan: before 4.2.4-24.24.2

spacewalk-client-tools: before 4.2.12-52.53.2

spacewalk-client-setup: before 4.2.12-52.53.2

spacewalk-check: before 4.2.12-52.53.2

spacecmd: before 4.2.11-38.85.2

python2-suseRegisterInfo: before 4.2.4-25.18.2

python2-spacewalk-oscap: before 4.2.2-19.18.2

python2-spacewalk-koan: before 4.2.4-24.24.2

python2-spacewalk-client-tools: before 4.2.12-52.53.2

python2-spacewalk-client-setup: before 4.2.12-52.53.2

python2-spacewalk-check: before 4.2.12-52.53.2

python2-rhnlib: before 4.2.4-21.34.2

python2-mgr-virtualization-host: before 4.2.2-1.20.2

python2-mgr-virtualization-common: before 4.2.2-1.20.2

python2-mgr-push: before 4.2.3-1.12.2

python2-mgr-osad: before 4.2.6-1.30.2

python2-mgr-osa-common: before 4.2.6-1.30.2

python2-mgr-cfg-management: before 4.2.3-1.18.2

python2-mgr-cfg-client: before 4.2.3-1.18.2

python2-mgr-cfg-actions: before 4.2.3-1.18.2

python2-mgr-cfg: before 4.2.3-1.18.2

mgr-virtualization-host: before 4.2.2-1.20.2

mgr-push: before 4.2.3-1.12.2

mgr-osad: before 4.2.6-1.30.2

mgr-custom-info: before 4.2.2-1.12.2

mgr-cfg-management: before 4.2.3-1.18.2

mgr-cfg-client: before 4.2.3-1.18.2

mgr-cfg-actions: before 4.2.3-1.18.2

mgr-cfg: before 4.2.3-1.18.2

python2-uyuni-common-libs: before 4.2.5-1.15.2

grafana: before 7.5.7-1.21.2

golang-github-prometheus-prometheus: before 2.27.1-1.29.2

CPE2.3 External links

http://www.suse.com/support/update/announcement/2021/suse-su-20212673-1/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.



###SIDEBAR###