SUSE update for libqt5-qtbase

Published: 2023-08-07

Risk	Medium
Patch available	YES
Number of vulnerabilities	5
CVE-ID	CVE-2023-24607 CVE-2023-32762 CVE-2023-33285 CVE-2023-34410 CVE-2023-38197
CWE-ID	CWE-20 CWE-319 CWE-125 CWE-295 CWE-835
Exploitation vector	Network
Public exploit	N/A
Vulnerable software	SUSE Linux Enterprise Server for SAP Applications 15 Operating systems & Components / Operating system SUSE Linux Enterprise Server 15 SP3 LTSS Operating systems & Components / Operating system SUSE Linux Enterprise Server 15 Operating systems & Components / Operating system SUSE Linux Enterprise Server 15 SP2 LTSS Operating systems & Components / Operating system SUSE Linux Enterprise High Performance Computing LTSS 15 Operating systems & Components / Operating system SUSE Linux Enterprise High Performance Computing ESPOS 15 Operating systems & Components / Operating system SUSE Linux Enterprise High Performance Computing 15 Operating systems & Components / Operating system SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS Operating systems & Components / Operating system SUSE Enterprise Storage Operating systems & Components / Operating system SUSE Manager Retail Branch Server Operating systems & Components / Operating system SUSE Manager Server Operating systems & Components / Operating system SUSE Manager Proxy Operating systems & Components / Operating system libQt5Network-private-headers-devel Operating systems & Components / Operating system package or component libqt5-qtbase-private-headers-devel Operating systems & Components / Operating system package or component libQt5Gui-private-headers-devel Operating systems & Components / Operating system package or component libQt5PrintSupport-private-headers-devel Operating systems & Components / Operating system package or component libQt5KmsSupport-private-headers-devel Operating systems & Components / Operating system package or component libQt5Widgets-private-headers-devel Operating systems & Components / Operating system package or component libQt5OpenGL-private-headers-devel Operating systems & Components / Operating system package or component libQt5DBus-private-headers-devel Operating systems & Components / Operating system package or component libQt5Core-private-headers-devel Operating systems & Components / Operating system package or component libQt5Test-private-headers-devel Operating systems & Components / Operating system package or component libQt5Sql-private-headers-devel Operating systems & Components / Operating system package or component libQt5PlatformSupport-private-headers-devel Operating systems & Components / Operating system package or component libQt5DBus5 Operating systems & Components / Operating system package or component libQt5PrintSupport-devel Operating systems & Components / Operating system package or component libQt5Gui5-debuginfo Operating systems & Components / Operating system package or component libQt5Network5-debuginfo Operating systems & Components / Operating system package or component libqt5-qtbase-debugsource Operating systems & Components / Operating system package or component libQt5Sql5-sqlite Operating systems & Components / Operating system package or component libQt5Sql5-postgresql-debuginfo Operating systems & Components / Operating system package or component libQt5Sql5-debuginfo Operating systems & Components / Operating system package or component libQt5OpenGL-devel Operating systems & Components / Operating system package or component libQt5Sql5-postgresql Operating systems & Components / Operating system package or component libQt5Test5 Operating systems & Components / Operating system package or component libQt5PlatformHeaders-devel Operating systems & Components / Operating system package or component libQt5Core-devel Operating systems & Components / Operating system package or component libQt5KmsSupport-devel-static Operating systems & Components / Operating system package or component libQt5Sql5-unixODBC-debuginfo Operating systems & Components / Operating system package or component libqt5-qtbase-devel Operating systems & Components / Operating system package or component libQt5Test5-debuginfo Operating systems & Components / Operating system package or component libQt5Gui-devel Operating systems & Components / Operating system package or component libQt5Xml5-debuginfo Operating systems & Components / Operating system package or component libqt5-qtbase-platformtheme-gtk3 Operating systems & Components / Operating system package or component libQt5Sql5-unixODBC Operating systems & Components / Operating system package or component libQt5Widgets5 Operating systems & Components / Operating system package or component libQt5OpenGL5-debuginfo Operating systems & Components / Operating system package or component libQt5Test-devel Operating systems & Components / Operating system package or component libQt5Xml5 Operating systems & Components / Operating system package or component libQt5Sql-devel Operating systems & Components / Operating system package or component libQt5Sql5 Operating systems & Components / Operating system package or component libQt5Sql5-mysql Operating systems & Components / Operating system package or component libQt5OpenGL5 Operating systems & Components / Operating system package or component libQt5Widgets-devel Operating systems & Components / Operating system package or component libQt5Sql5-sqlite-debuginfo Operating systems & Components / Operating system package or component libQt5Concurrent-devel Operating systems & Components / Operating system package or component libQt5PrintSupport5 Operating systems & Components / Operating system package or component libQt5DBus-devel-debuginfo Operating systems & Components / Operating system package or component libQt5Widgets5-debuginfo Operating systems & Components / Operating system package or component libQt5Core5-debuginfo Operating systems & Components / Operating system package or component libQt5DBus-devel Operating systems & Components / Operating system package or component libQt5Gui5 Operating systems & Components / Operating system package or component libqt5-qtbase-common-devel Operating systems & Components / Operating system package or component libQt5DBus5-debuginfo Operating systems & Components / Operating system package or component libQt5Network-devel Operating systems & Components / Operating system package or component libQt5Network5 Operating systems & Components / Operating system package or component libQt5Xml-devel Operating systems & Components / Operating system package or component libqt5-qtbase-common-devel-debuginfo Operating systems & Components / Operating system package or component libQt5OpenGLExtensions-devel-static Operating systems & Components / Operating system package or component libQt5PlatformSupport-devel-static Operating systems & Components / Operating system package or component libQt5Concurrent5-debuginfo Operating systems & Components / Operating system package or component libQt5Concurrent5 Operating systems & Components / Operating system package or component libQt5PrintSupport5-debuginfo Operating systems & Components / Operating system package or component libqt5-qtbase-platformtheme-gtk3-debuginfo Operating systems & Components / Operating system package or component libQt5Core5 Operating systems & Components / Operating system package or component libQt5Sql5-mysql-debuginfo Operating systems & Components / Operating system package or component
Vendor	SUSE

Security Bulletin

This security bulletin contains information about 5 vulnerabilities.

1) Input validation error

EUVDB-ID: #VU74061

Risk: Medium

CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2023-24607

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input in the Qt SQL ODBC driver plugin. A remote attacker can pass specially crafted input to the application and perform a denial of service (DoS) attack.

Mitigation

Update the affected package libqt5-qtbase to the latest version.

Vulnerable software versions

SUSE Linux Enterprise Server for SAP Applications 15: SP2 - SP3

SUSE Linux Enterprise Server 15 SP3 LTSS: 15-SP3

SUSE Linux Enterprise Server 15: SP2 - SP3

SUSE Linux Enterprise Server 15 SP2 LTSS: 15-SP2

SUSE Linux Enterprise High Performance Computing LTSS 15: SP3

SUSE Linux Enterprise High Performance Computing ESPOS 15: SP3

SUSE Linux Enterprise High Performance Computing 15: SP2 - SP3

SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS: 15-SP2

SUSE Enterprise Storage: 7.1

SUSE Manager Retail Branch Server: 4.2

SUSE Manager Server: 4.2

SUSE Manager Proxy: 4.2

libQt5Network-private-headers-devel: before 5.12.7-150200.4.23.1

libqt5-qtbase-private-headers-devel: before 5.12.7-150200.4.23.1

libQt5Gui-private-headers-devel: before 5.12.7-150200.4.23.1

libQt5PrintSupport-private-headers-devel: before 5.12.7-150200.4.23.1

libQt5KmsSupport-private-headers-devel: before 5.12.7-150200.4.23.1

libQt5Widgets-private-headers-devel: before 5.12.7-150200.4.23.1

libQt5OpenGL-private-headers-devel: before 5.12.7-150200.4.23.1

libQt5DBus-private-headers-devel: before 5.12.7-150200.4.23.1

libQt5Core-private-headers-devel: before 5.12.7-150200.4.23.1

libQt5Test-private-headers-devel: before 5.12.7-150200.4.23.1

libQt5Sql-private-headers-devel: before 5.12.7-150200.4.23.1

libQt5PlatformSupport-private-headers-devel: before 5.12.7-150200.4.23.1

libQt5DBus5: before 5.12.7-150200.4.23.1

libQt5PrintSupport-devel: before 5.12.7-150200.4.23.1

libQt5Gui5-debuginfo: before 5.12.7-150200.4.23.1

libQt5Network5-debuginfo: before 5.12.7-150200.4.23.1

libqt5-qtbase-debugsource: before 5.12.7-150200.4.23.1

libQt5Sql5-sqlite: before 5.12.7-150200.4.23.1

libQt5Sql5-postgresql-debuginfo: before 5.12.7-150200.4.23.1

libQt5Sql5-debuginfo: before 5.12.7-150200.4.23.1

libQt5OpenGL-devel: before 5.12.7-150200.4.23.1

libQt5Sql5-postgresql: before 5.12.7-150200.4.23.1

libQt5Test5: before 5.12.7-150200.4.23.1

libQt5PlatformHeaders-devel: before 5.12.7-150200.4.23.1

libQt5Core-devel: before 5.12.7-150200.4.23.1

libQt5KmsSupport-devel-static: before 5.12.7-150200.4.23.1

libQt5Sql5-unixODBC-debuginfo: before 5.12.7-150200.4.23.1

libqt5-qtbase-devel: before 5.12.7-150200.4.23.1

libQt5Test5-debuginfo: before 5.12.7-150200.4.23.1

libQt5Gui-devel: before 5.12.7-150200.4.23.1

libQt5Xml5-debuginfo: before 5.12.7-150200.4.23.1

libqt5-qtbase-platformtheme-gtk3: before 5.12.7-150200.4.23.1

libQt5Sql5-unixODBC: before 5.12.7-150200.4.23.1

libQt5Widgets5: before 5.12.7-150200.4.23.1

libQt5OpenGL5-debuginfo: before 5.12.7-150200.4.23.1

libQt5Test-devel: before 5.12.7-150200.4.23.1

libQt5Xml5: before 5.12.7-150200.4.23.1

libQt5Sql-devel: before 5.12.7-150200.4.23.1

libQt5Sql5: before 5.12.7-150200.4.23.1

libQt5Sql5-mysql: before 5.12.7-150200.4.23.1

libQt5OpenGL5: before 5.12.7-150200.4.23.1

libQt5Widgets-devel: before 5.12.7-150200.4.23.1

libQt5Sql5-sqlite-debuginfo: before 5.12.7-150200.4.23.1

libQt5Concurrent-devel: before 5.12.7-150200.4.23.1

libQt5PrintSupport5: before 5.12.7-150200.4.23.1

libQt5DBus-devel-debuginfo: before 5.12.7-150200.4.23.1

libQt5Widgets5-debuginfo: before 5.12.7-150200.4.23.1

libQt5Core5-debuginfo: before 5.12.7-150200.4.23.1

libQt5DBus-devel: before 5.12.7-150200.4.23.1

libQt5Gui5: before 5.12.7-150200.4.23.1

libqt5-qtbase-common-devel: before 5.12.7-150200.4.23.1

libQt5DBus5-debuginfo: before 5.12.7-150200.4.23.1

libQt5Network-devel: before 5.12.7-150200.4.23.1

libQt5Network5: before 5.12.7-150200.4.23.1

libQt5Xml-devel: before 5.12.7-150200.4.23.1

libqt5-qtbase-common-devel-debuginfo: before 5.12.7-150200.4.23.1

libQt5OpenGLExtensions-devel-static: before 5.12.7-150200.4.23.1

libQt5PlatformSupport-devel-static: before 5.12.7-150200.4.23.1

libQt5Concurrent5-debuginfo: before 5.12.7-150200.4.23.1

libQt5Concurrent5: before 5.12.7-150200.4.23.1

libQt5PrintSupport5-debuginfo: before 5.12.7-150200.4.23.1

libqt5-qtbase-platformtheme-gtk3-debuginfo: before 5.12.7-150200.4.23.1

libQt5Core5: before 5.12.7-150200.4.23.1

libQt5Sql5-mysql-debuginfo: before 5.12.7-150200.4.23.1

CPE2.3

External links

https://www.suse.com/support/update/announcement/2023/suse-su-20233207-1/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Cleartext transmission of sensitive information

EUVDB-ID: #VU76666

Risk: Medium

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2023-32762

CWE-ID: CWE-319 - Cleartext Transmission of Sensitive Information

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to Qt Network incorrectly parses the strict-transport-security (HSTS) header, allowing unencrypted connections to be established, even when explicitly prohibited by the server. A remote attacker with ability to intercept network traffic can gain access to sensitive data.