SUSE update for Maintenance update for SUSE Manager 4.3: Server, Proxy and Retail Branch Server



Published: 2023-09-28
Risk Medium
Patch available YES
Number of vulnerabilities 1
CVE-ID CVE-2023-29409
CWE-ID CWE-295
Exploitation vector Network
Public exploit N/A
Vulnerable software
Subscribe 		SUSE Manager Proxy Module
Operating systems & Components / Operating system

SUSE Manager Server Module
Operating systems & Components / Operating system

SUSE Manager Retail Branch Server
Operating systems & Components / Operating system

SUSE Manager Server
Operating systems & Components / Operating system

SUSE Manager Proxy
Operating systems & Components / Operating system

susemanager-tools
Operating systems & Components / Operating system package or component

inter-server-sync-debuginfo
Operating systems & Components / Operating system package or component

prometheus-postgres_exporter
Operating systems & Components / Operating system package or component

susemanager
Operating systems & Components / Operating system package or component

hub-xmlrpc-api
Operating systems & Components / Operating system package or component

inter-server-sync
Operating systems & Components / Operating system package or component

spacewalk-backend-sql
Operating systems & Components / Operating system package or component

spacewalk-java-postgresql
Operating systems & Components / Operating system package or component

spacewalk-backend-config-files
Operating systems & Components / Operating system package or component

spacewalk-backend-xmlrpc
Operating systems & Components / Operating system package or component

spacewalk-backend-config-files-tool
Operating systems & Components / Operating system package or component

spacewalk-backend-sql-postgresql
Operating systems & Components / Operating system package or component

grafana-formula
Operating systems & Components / Operating system package or component

susemanager-sls
Operating systems & Components / Operating system package or component

spacewalk-html
Operating systems & Components / Operating system package or component

spacewalk-backend-tools
Operating systems & Components / Operating system package or component

spacewalk-backend-app
Operating systems & Components / Operating system package or component

spacewalk-backend-server
Operating systems & Components / Operating system package or component

uyuni-config-modules
Operating systems & Components / Operating system package or component

spacewalk-setup
Operating systems & Components / Operating system package or component

supportutils-plugin-susemanager
Operating systems & Components / Operating system package or component

spacewalk-backend-iss-export
Operating systems & Components / Operating system package or component

spacewalk-taskomatic
Operating systems & Components / Operating system package or component

spacewalk-java
Operating systems & Components / Operating system package or component

spacewalk-admin
Operating systems & Components / Operating system package or component

image-sync-formula
Operating systems & Components / Operating system package or component

spacewalk-backend-iss
Operating systems & Components / Operating system package or component

cobbler
Operating systems & Components / Operating system package or component

saltboot-formula
Operating systems & Components / Operating system package or component

susemanager-schema-utility
Operating systems & Components / Operating system package or component

susemanager-docs_en
Operating systems & Components / Operating system package or component

spacewalk-java-config
Operating systems & Components / Operating system package or component

spacewalk-backend-config-files-common
Operating systems & Components / Operating system package or component

spacewalk-backend-xml-export-libs
Operating systems & Components / Operating system package or component

spacewalk-backend-package-push-server
Operating systems & Components / Operating system package or component

spacewalk-java-lib
Operating systems & Components / Operating system package or component

billing-data-service
Operating systems & Components / Operating system package or component

spacewalk-backend-applet
Operating systems & Components / Operating system package or component

prometheus-exporters-formula
Operating systems & Components / Operating system package or component

spacewalk-config
Operating systems & Components / Operating system package or component

spacewalk-base
Operating systems & Components / Operating system package or component

susemanager-schema
Operating systems & Components / Operating system package or component

susemanager-docs_en-pdf
Operating systems & Components / Operating system package or component

python3-uyuni-common-libs
Operating systems & Components / Operating system package or component

supportutils-plugin-susemanager-proxy
Operating systems & Components / Operating system package or component

spacewalk-base-minimal
Operating systems & Components / Operating system package or component

spacewalk-certs-tools
Operating systems & Components / Operating system package or component

spacecmd
Operating systems & Components / Operating system package or component

spacewalk-backend
Operating systems & Components / Operating system package or component

supportutils-plugin-susemanager-client
Operating systems & Components / Operating system package or component

python3-spacewalk-certs-tools
Operating systems & Components / Operating system package or component

spacewalk-base-minimal-config
Operating systems & Components / Operating system package or component

Vendor SUSE

Security Bulletin

This security bulletin contains one medium risk vulnerability.

1) Improper Certificate Validation

EUVDB-ID: #VU78913

Risk: Medium

CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-29409

CWE-ID: CWE-295 - Improper Certificate Validation

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise the target system.

The vulnerability exists due to verifying certificate chains containing large RSA keys is slow. A remote attacker can cause a client/server to expend significant CPU time verifying signatures.

Mitigation

Update the affected package Maintenance update for SUSE Manager 4.3: Server, Proxy and Retail Branch Server to the latest version.

Vulnerable software versions

SUSE Manager Proxy Module: 4.3

SUSE Manager Server Module: 4.3

SUSE Manager Retail Branch Server: 4.3

SUSE Manager Server: 4.3

SUSE Manager Proxy: 4.3

susemanager-tools: before 4.3.31-150400.3.36.12

inter-server-sync-debuginfo: before 0.3.0-150400.3.21.15

prometheus-postgres_exporter: before 0.10.1-150400.3.6.17

susemanager: before 4.3.31-150400.3.36.12

hub-xmlrpc-api: before 0.7-150400.5.9.15

inter-server-sync: before 0.3.0-150400.3.21.15

spacewalk-backend-sql: before 4.3.23-150400.3.27.19

spacewalk-java-postgresql: before 4.3.66-150400.3.60.1

spacewalk-backend-config-files: before 4.3.23-150400.3.27.19

spacewalk-backend-xmlrpc: before 4.3.23-150400.3.27.19

spacewalk-backend-config-files-tool: before 4.3.23-150400.3.27.19

spacewalk-backend-sql-postgresql: before 4.3.23-150400.3.27.19

grafana-formula: before 0.9.0-150400.3.12.1

susemanager-sls: before 4.3.35-150400.3.31.12

spacewalk-html: before 4.3.33-150400.3.27.16

spacewalk-backend-tools: before 4.3.23-150400.3.27.19

spacewalk-backend-app: before 4.3.23-150400.3.27.19

spacewalk-backend-server: before 4.3.23-150400.3.27.19

uyuni-config-modules: before 4.3.35-150400.3.31.12

spacewalk-setup: before 4.3.18-150400.3.27.13

supportutils-plugin-susemanager: before 4.3.9-150400.3.15.13

spacewalk-backend-iss-export: before 4.3.23-150400.3.27.19

spacewalk-taskomatic: before 4.3.66-150400.3.60.1

spacewalk-java: before 4.3.66-150400.3.60.1

spacewalk-admin: before 4.3.13-150400.3.12.13

image-sync-formula: before 0.1.1692188980.9aa0455-150400.3.15.13

spacewalk-backend-iss: before 4.3.23-150400.3.27.19

cobbler: before 3.3.3-150400.5.33.13

saltboot-formula: before 0.1.1692188980.9aa0455-150400.3.12.13

susemanager-schema-utility: before 4.3.20-150400.3.24.17

susemanager-docs_en: before 4.3-150400.9.38.2

spacewalk-java-config: before 4.3.66-150400.3.60.1

spacewalk-backend-config-files-common: before 4.3.23-150400.3.27.19

spacewalk-backend-xml-export-libs: before 4.3.23-150400.3.27.19

spacewalk-backend-package-push-server: before 4.3.23-150400.3.27.19

spacewalk-java-lib: before 4.3.66-150400.3.60.1

billing-data-service: before 0.3-150400.10.6.13

spacewalk-backend-applet: before 4.3.23-150400.3.27.19

prometheus-exporters-formula: before 1.3.0-150400.3.3.13

spacewalk-config: before 4.3.11-150400.3.9.13

spacewalk-base: before 4.3.33-150400.3.27.16

susemanager-schema: before 4.3.20-150400.3.24.17

susemanager-docs_en-pdf: before 4.3-150400.9.38.2

python3-uyuni-common-libs: before 4.3.9-150400.3.15.13

supportutils-plugin-susemanager-proxy: before 4.3.3-150400.3.3.13

spacewalk-base-minimal: before 4.3.33-150400.3.27.16

spacewalk-certs-tools: before 4.3.19-150400.3.18.13

spacecmd: before 4.3.23-150400.3.24.13

spacewalk-backend: before 4.3.23-150400.3.27.19

supportutils-plugin-susemanager-client: before 4.3.3-150400.3.3.13

python3-spacewalk-certs-tools: before 4.3.19-150400.3.18.13

spacewalk-base-minimal-config: before 4.3.33-150400.3.27.16

CPE2.3 External links

http://www.suse.com/support/update/announcement/2023/suse-su-20233861-1/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.



###SIDEBAR###