SUSE update for go1.21-openssl
| Risk | High |
| Patch available | YES |
| Number of vulnerabilities | 10 |
| CVE-ID | CVE-2023-39318 CVE-2023-39319 CVE-2023-39320 CVE-2023-39321 CVE-2023-39322 CVE-2023-39323 CVE-2023-39325 CVE-2023-44487 CVE-2023-45283 CVE-2023-45284 |
| CWE-ID | CWE-79 CWE-94 CWE-20 CWE-400 |
| Exploitation vector | Network |
| Public exploit | Vulnerability #8 is being exploited in the wild. |
| Vulnerable software Subscribe |
Development Tools Module Operating systems & Components / Operating system SUSE Linux Enterprise Server for SAP Applications 15 Operating systems & Components / Operating system SUSE Linux Enterprise Server 15 Operating systems & Components / Operating system SUSE Linux Enterprise Real Time 15 Operating systems & Components / Operating system SUSE Linux Enterprise High Performance Computing 15 Operating systems & Components / Operating system SUSE Linux Enterprise Desktop 15 Operating systems & Components / Operating system openSUSE Leap Operating systems & Components / Operating system SUSE Manager Retail Branch Server Operating systems & Components / Operating system SUSE Manager Server Operating systems & Components / Operating system SUSE Manager Proxy Operating systems & Components / Operating system go1.21-openssl Operating systems & Components / Operating system package or component go1.21-openssl-race Operating systems & Components / Operating system package or component go1.21-openssl-doc Operating systems & Components / Operating system package or component |
| Vendor | SUSE |
Security Bulletin
This security bulletin contains information about 10 vulnerabilities.
1) Cross-site scripting
EUVDB-ID: #VU80572
Risk: Medium
CVSSv3.1: 5.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2023-39318
CWE-ID:
CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Exploit availability: No
DescriptionThe disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data within the html/template package when handling HMTL-like "<!--" and "-->" comment tokens, nor hashbang "#!" comment tokens, in <script> contexts. A remote attacker can pass specially crafted input to the application and execute arbitrary HTML and script code in user's browser in context of vulnerable website.
MitigationUpdate the affected package go1.21-openssl to the latest version.
Vulnerable software versionsDevelopment Tools Module: 15-SP4 - 15-SP5
SUSE Linux Enterprise Server for SAP Applications 15: SP4 - SP5
SUSE Linux Enterprise Server 15: SP4 - SP5
SUSE Linux Enterprise Real Time 15: SP4 - SP5
SUSE Linux Enterprise High Performance Computing 15: SP4 - SP5
SUSE Linux Enterprise Desktop 15: SP4 - SP5
openSUSE Leap: 15.4 - 15.5
SUSE Manager Retail Branch Server: 4.3
SUSE Manager Server: 4.3
SUSE Manager Proxy: 4.3
go1.21-openssl: before 1.21.4.1-150000.1.5.1
go1.21-openssl-race: before 1.21.4.1-150000.1.5.1
go1.21-openssl-doc: before 1.21.4.1-150000.1.5.1
CPE2.3- cpe:2.3:o:suse:development_tools_module:15-SP5:*:*:*:*:*:*:
- cpe:2.3:o:suse:development_tools_module:15-SP4:*:*:*:*:*:*:
- cpe:2.3:o:suse:suse_linux_enterprise_server_for_sap_applications_15:SP5:*:*:*:*:*:*:
- cpe:2.3:o:suse:suse_linux_enterprise_server_for_sap_applications_15:SP4:*:*:*:*:*:*:
- cpe:2.3:o:suse:suse_linux_enterprise_server_15:SP5:*:*:*:*:*:*:
- cpe:2.3:o:suse:suse_linux_enterprise_server_15:SP4:*:*:*:*:*:*:
- cpe:2.3:o:suse:suse_linux_enterprise_real_time_15:SP5:*:*:*:*:*:*:
- cpe:2.3:o:suse:suse_linux_enterprise_real_time_15:SP4:*:*:*:*:*:*:
- cpe:2.3:o:suse:suse_linux_enterprise_high_performance_computing_15:SP5:*:*:*:*:*:*:
- cpe:2.3:o:suse:suse_linux_enterprise_high_performance_computing_15:SP4:*:*:*:*:*:*:
- cpe:2.3:o:suse:suse_linux_enterprise_desktop_15:SP5:*:*:*:*:*:*:
- cpe:2.3:o:suse:suse_linux_enterprise_desktop_15:SP4:*:*:*:*:*:*:
- cpe:2.3:o:suse:opensuse_leap:15.5:*:*:*:*:*:*:
- cpe:2.3:o:suse:opensuse_leap:15.4:*:*:*:*:*:*:
- cpe:2.3:o:suse:suse_manager_retail_branch_server:4.3:*:*:*:*:*:*:
- cpe:2.3:o:suse:suse_manager_server:4.3:*:*:*:*:*:*:
- cpe:2.3:o:suse:suse_manager_proxy:4.3:*:*:*:*:*:*:
http://www.suse.com/support/update/announcement/2023/suse-su-20234469-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Cross-site scripting
EUVDB-ID: #VU80573
Risk: Medium
CVSSv3.1: 5.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2023-39319
CWE-ID:
CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Exploit availability: No
DescriptionThe disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists within the html/template package caused by improperly applied rules for handling occurrences of "<script", "<!--", and "</script" within JS literals in <script> contexts. A remote attacker can pass specially crafted input to the application and execute arbitrary HTML and script code in user's browser in context of vulnerable website.
MitigationUpdate the affected package go1.21-openssl to the latest version.
Vulnerable software versionsDevelopment Tools Module: 15-SP4 - 15-SP5
SUSE Linux Enterprise Server for SAP Applications 15: SP4 - SP5
SUSE Linux Enterprise Server 15: SP4 - SP5
SUSE Linux Enterprise Real Time 15: SP4 - SP5
SUSE Linux Enterprise High Performance Computing 15: SP4 - SP5
SUSE Linux Enterprise Desktop 15: SP4 - SP5
openSUSE Leap: 15.4 - 15.5
SUSE Manager Retail Branch Server: 4.3
SUSE Manager Server: 4.3
SUSE Manager Proxy: 4.3
go1.21-openssl: before 1.21.4.1-150000.1.5.1
go1.21-openssl-race: before 1.21.4.1-150000.1.5.1
go1.21-openssl-doc: before 1.21.4.1-150000.1.5.1
CPE2.3- cpe:2.3:o:suse:development_tools_module:15-SP5:*:*:*:*:*:*:
- cpe:2.3:o:suse:development_tools_module:15-SP4:*:*:*:*:*:*:
- cpe:2.3:o:suse:suse_linux_enterprise_server_for_sap_applications_15:SP5:*:*:*:*:*:*:
- cpe:2.3:o:suse:suse_linux_enterprise_server_for_sap_applications_15:SP4:*:*:*:*:*:*:
- cpe:2.3:o:suse:suse_linux_enterprise_server_15:SP5:*:*:*:*:*:*:
- cpe:2.3:o:suse:suse_linux_enterprise_server_15:SP4:*:*:*:*:*:*:
- cpe:2.3:o:suse:suse_linux_enterprise_real_time_15:SP5:*:*:*:*:*:*:
- cpe:2.3:o:suse:suse_linux_enterprise_real_time_15:SP4:*:*:*:*:*:*:
- cpe:2.3:o:suse:suse_linux_enterprise_high_performance_computing_15:SP5:*:*:*:*:*:*:
- cpe:2.3:o:suse:suse_linux_enterprise_high_performance_computing_15:SP4:*:*:*:*:*:*:
- cpe:2.3:o:suse:suse_linux_enterprise_desktop_15:SP5:*:*:*:*:*:*:
- cpe:2.3:o:suse:suse_linux_enterprise_desktop_15:SP4:*:*:*:*:*:*:
- cpe:2.3:o:suse:opensuse_leap:15.5:*:*:*:*:*:*:
- cpe:2.3:o:suse:opensuse_leap:15.4:*:*:*:*:*:*:
- cpe:2.3:o:suse:suse_manager_retail_branch_server:4.3:*:*:*:*:*:*:
- cpe:2.3:o:suse:suse_manager_server:4.3:*:*:*:*:*:*:
- cpe:2.3:o:suse:suse_manager_proxy:4.3:*:*:*:*:*:*:
http://www.suse.com/support/update/announcement/2023/suse-su-20234469-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Code Injection
EUVDB-ID: #VU80571
Risk: Medium
CVSSv3.1: 5.9 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2023-39320
CWE-ID:
CWE-94 - Improper Control of Generation of Code ('Code Injection')
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to improper input validation within the go.mod toolchain directive. A remote attacker can execute scripts and binaries relative to the root of the module when the "go" command was executed within the module. This applies to modules downloaded using the "go" command from the module proxy, as well as modules downloaded directly using VCS software.
Update the affected package go1.21-openssl to the latest version.
Vulnerable software versionsDevelopment Tools Module: 15-SP4 - 15-SP5
SUSE Linux Enterprise Server for SAP Applications 15: SP4 - SP5
SUSE Linux Enterprise Server 15: SP4 - SP5
SUSE Linux Enterprise Real Time 15: SP4 - SP5
SUSE Linux Enterprise High Performance Computing 15: SP4 - SP5
SUSE Linux Enterprise Desktop 15: SP4 - SP5
openSUSE Leap: 15.4 - 15.5
SUSE Manager Retail Branch Server: 4.3
SUSE Manager Server: 4.3
SUSE Manager Proxy: 4.3
go1.21-openssl: before 1.21.4.1-150000.1.5.1
go1.21-openssl-race: before 1.21.4.1-150000.1.5.1
go1.21-openssl-doc: before 1.21.4.1-150000.1.5.1
CPE2.3- cpe:2.3:o:suse:development_tools_module:15-SP5:*:*:*:*:*:*:
- cpe:2.3:o:suse:development_tools_module:15-SP4:*:*:*:*:*:*:
- cpe:2.3:o:suse:suse_linux_enterprise_server_for_sap_applications_15:SP5:*:*:*:*:*:*:
- cpe:2.3:o:suse:suse_linux_enterprise_server_for_sap_applications_15:SP4:*:*:*:*:*:*:
- cpe:2.3:o:suse:suse_linux_enterprise_server_15:SP5:*:*:*:*:*:*:
- cpe:2.3:o:suse:suse_linux_enterprise_server_15:SP4:*:*:*:*:*:*:
- cpe:2.3:o:suse:suse_linux_enterprise_real_time_15:SP5:*:*:*:*:*:*:
- cpe:2.3:o:suse:suse_linux_enterprise_real_time_15:SP4:*:*:*:*:*:*:
- cpe:2.3:o:suse:suse_linux_enterprise_high_performance_computing_15:SP5:*:*:*:*:*:*:
- cpe:2.3:o:suse:suse_linux_enterprise_high_performance_computing_15:SP4:*:*:*:*:*:*:
- cpe:2.3:o:suse:suse_linux_enterprise_desktop_15:SP5:*:*:*:*:*:*:
- cpe:2.3:o:suse:suse_linux_enterprise_desktop_15:SP4:*:*:*:*:*:*:
- cpe:2.3:o:suse:opensuse_leap:15.5:*:*:*:*:*:*:
- cpe:2.3:o:suse:opensuse_leap:15.4:*:*:*:*:*:*:
- cpe:2.3:o:suse:suse_manager_retail_branch_server:4.3:*:*:*:*:*:*:
- cpe:2.3:o:suse:suse_manager_server:4.3:*:*:*:*:*:*:
- cpe:2.3:o:suse:suse_manager_proxy:4.3:*:*:*:*:*:*:
http://www.suse.com/support/update/announcement/2023/suse-su-20234469-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
4) Input validation error
EUVDB-ID: #VU80574
Risk: Medium
CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2023-39321
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient validation of user-supplied input in crypto/tls when processing post-handshake message on QUIC connections. A remote attacker can send an incomplete post-handshake message for a QUIC connection and perform a denial of service (DoS) attack.
MitigationUpdate the affected package go1.21-openssl to the latest version.
Vulnerable software versionsDevelopment Tools Module: 15-SP4 - 15-SP5
SUSE Linux Enterprise Server for SAP Applications 15: SP4 - SP5
SUSE Linux Enterprise Server 15: SP4 - SP5
SUSE Linux Enterprise Real Time 15: SP4 - SP5
SUSE Linux Enterprise High Performance Computing 15: SP4 - SP5
SUSE Linux Enterprise Desktop 15: SP4 - SP5
openSUSE Leap: 15.4 - 15.5
SUSE Manager Retail Branch Server: 4.3
SUSE Manager Server: 4.3
SUSE Manager Proxy: 4.3
go1.21-openssl: before 1.21.4.1-150000.1.5.1
go1.21-openssl-race: before 1.21.4.1-150000.1.5.1
go1.21-openssl-doc: before 1.21.4.1-150000.1.5.1
CPE2.3- cpe:2.3:o:suse:development_tools_module:15-SP5:*:*:*:*:*:*:
- cpe:2.3:o:suse:development_tools_module:15-SP4:*:*:*:*:*:*:
- cpe:2.3:o:suse:suse_linux_enterprise_server_for_sap_applications_15:SP5:*:*:*:*:*:*:
- cpe:2.3:o:suse:suse_linux_enterprise_server_for_sap_applications_15:SP4:*:*:*:*:*:*:
- cpe:2.3:o:suse:suse_linux_enterprise_server_15:SP5:*:*:*:*:*:*:
- cpe:2.3:o:suse:suse_linux_enterprise_server_15:SP4:*:*:*:*:*:*:
- cpe:2.3:o:suse:suse_linux_enterprise_real_time_15:SP5:*:*:*:*:*:*:
- cpe:2.3:o:suse:suse_linux_enterprise_real_time_15:SP4:*:*:*:*:*:*:
- cpe:2.3:o:suse:suse_linux_enterprise_high_performance_computing_15:SP5:*:*:*:*:*:*:
- cpe:2.3:o:suse:suse_linux_enterprise_high_performance_computing_15:SP4:*:*:*:*:*:*:
- cpe:2.3:o:suse:suse_linux_enterprise_desktop_15:SP5:*:*:*:*:*:*:
- cpe:2.3:o:suse:suse_linux_enterprise_desktop_15:SP4:*:*:*:*:*:*:
- cpe:2.3:o:suse:opensuse_leap:15.5:*:*:*:*:*:*:
- cpe:2.3:o:suse:opensuse_leap:15.4:*:*:*:*:*:*:
- cpe:2.3:o:suse:suse_manager_retail_branch_server:4.3:*:*:*:*:*:*:
- cpe:2.3:o:suse:suse_manager_server:4.3:*:*:*:*:*:*:
- cpe:2.3:o:suse:suse_manager_proxy:4.3:*:*:*:*:*:*:
http://www.suse.com/support/update/announcement/2023/suse-su-20234469-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
5) Input validation error
EUVDB-ID: #VU80575
Risk: Medium
CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2023-39322
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient validation of user-supplied input in crypto/tls when processing post-handshake message on QUIC connections. A remote attacker can send an incomplete post-handshake message for a QUIC connection and perform a denial of service (DoS) attack.
MitigationUpdate the affected package go1.21-openssl to the latest version.
Vulnerable software versionsDevelopment Tools Module: 15-SP4 - 15-SP5
SUSE Linux Enterprise Server for SAP Applications 15: SP4 - SP5
SUSE Linux Enterprise Server 15: SP4 - SP5
SUSE Linux Enterprise Real Time 15: SP4 - SP5
SUSE Linux Enterprise High Performance Computing 15: SP4 - SP5
SUSE Linux Enterprise Desktop 15: SP4 - SP5
openSUSE Leap: 15.4 - 15.5
SUSE Manager Retail Branch Server: 4.3
SUSE Manager Server: 4.3
SUSE Manager Proxy: 4.3
go1.21-openssl: before 1.21.4.1-150000.1.5.1
go1.21-openssl-race: before 1.21.4.1-150000.1.5.1
go1.21-openssl-doc: before 1.21.4.1-150000.1.5.1
CPE2.3- cpe:2.3:o:suse:development_tools_module:15-SP5:*:*:*:*:*:*:
- cpe:2.3:o:suse:development_tools_module:15-SP4:*:*:*:*:*:*:
- cpe:2.3:o:suse:suse_linux_enterprise_server_for_sap_applications_15:SP5:*:*:*:*:*:*:
- cpe:2.3:o:suse:suse_linux_enterprise_server_for_sap_applications_15:SP4:*:*:*:*:*:*:
- cpe:2.3:o:suse:suse_linux_enterprise_server_15:SP5:*:*:*:*:*:*:
- cpe:2.3:o:suse:suse_linux_enterprise_server_15:SP4:*:*:*:*:*:*:
- cpe:2.3:o:suse:suse_linux_enterprise_real_time_15:SP5:*:*:*:*:*:*:
- cpe:2.3:o:suse:suse_linux_enterprise_real_time_15:SP4:*:*:*:*:*:*:
- cpe:2.3:o:suse:suse_linux_enterprise_high_performance_computing_15:SP5:*:*:*:*:*:*:
- cpe:2.3:o:suse:suse_linux_enterprise_high_performance_computing_15:SP4:*:*:*:*:*:*:
- cpe:2.3:o:suse:suse_linux_enterprise_desktop_15:SP5:*:*:*:*:*:*:
- cpe:2.3:o:suse:suse_linux_enterprise_desktop_15:SP4:*:*:*:*:*:*:
- cpe:2.3:o:suse:opensuse_leap:15.5:*:*:*:*:*:*:
- cpe:2.3:o:suse:opensuse_leap:15.4:*:*:*:*:*:*:
- cpe:2.3:o:suse:suse_manager_retail_branch_server:4.3:*:*:*:*:*:*:
- cpe:2.3:o:suse:suse_manager_server:4.3:*:*:*:*:*:*:
- cpe:2.3:o:suse:suse_manager_proxy:4.3:*:*:*:*:*:*:
http://www.suse.com/support/update/announcement/2023/suse-su-20234469-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
6) Input validation error
EUVDB-ID: #VU81964
Risk: Medium
CVSSv3.1: 5.9 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2023-39323
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise the affected system.
The vulnerability exists due to insufficient validation of user-supplied input when processing line directives (e.g. "//line") in the code. A remote attacker can bypass restrictions on "//go:cgo_" directives, allowing blocked linker and compiler flags to be passed during compilation. This can result in unexpected execution of arbitrary code when running "go build".
MitigationUpdate the affected package go1.21-openssl to the latest version.
Vulnerable software versionsDevelopment Tools Module: 15-SP4 - 15-SP5
SUSE Linux Enterprise Server for SAP Applications 15: SP4 - SP5
SUSE Linux Enterprise Server 15: SP4 - SP5
SUSE Linux Enterprise Real Time 15: SP4 - SP5
SUSE Linux Enterprise High Performance Computing 15: SP4 - SP5
SUSE Linux Enterprise Desktop 15: SP4 - SP5
openSUSE Leap: 15.4 - 15.5
SUSE Manager Retail Branch Server: 4.3
SUSE Manager Server: 4.3
SUSE Manager Proxy: 4.3
go1.21-openssl: before 1.21.4.1-150000.1.5.1
go1.21-openssl-race: before 1.21.4.1-150000.1.5.1
go1.21-openssl-doc: before 1.21.4.1-150000.1.5.1
CPE2.3- cpe:2.3:o:suse:development_tools_module:15-SP5:*:*:*:*:*:*:
- cpe:2.3:o:suse:development_tools_module:15-SP4:*:*:*:*:*:*:
- cpe:2.3:o:suse:suse_linux_enterprise_server_for_sap_applications_15:SP5:*:*:*:*:*:*:
- cpe:2.3:o:suse:suse_linux_enterprise_server_for_sap_applications_15:SP4:*:*:*:*:*:*:
- cpe:2.3:o:suse:suse_linux_enterprise_server_15:SP5:*:*:*:*:*:*:
- cpe:2.3:o:suse:suse_linux_enterprise_server_15:SP4:*:*:*:*:*:*:
- cpe:2.3:o:suse:suse_linux_enterprise_real_time_15:SP5:*:*:*:*:*:*:
- cpe:2.3:o:suse:suse_linux_enterprise_real_time_15:SP4:*:*:*:*:*:*:
- cpe:2.3:o:suse:suse_linux_enterprise_high_performance_computing_15:SP5:*:*:*:*:*:*:
- cpe:2.3:o:suse:suse_linux_enterprise_high_performance_computing_15:SP4:*:*:*:*:*:*:
- cpe:2.3:o:suse:suse_linux_enterprise_desktop_15:SP5:*:*:*:*:*:*:
- cpe:2.3:o:suse:suse_linux_enterprise_desktop_15:SP4:*:*:*:*:*:*:
- cpe:2.3:o:suse:opensuse_leap:15.5:*:*:*:*:*:*:
- cpe:2.3:o:suse:opensuse_leap:15.4:*:*:*:*:*:*:
- cpe:2.3:o:suse:suse_manager_retail_branch_server:4.3:*:*:*:*:*:*:
- cpe:2.3:o:suse:suse_manager_server:4.3:*:*:*:*:*:*:
- cpe:2.3:o:suse:suse_manager_proxy:4.3:*:*:*:*:*:*:
http://www.suse.com/support/update/announcement/2023/suse-su-20234469-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
7) Resource exhaustion
EUVDB-ID: #VU82064
Risk: Medium
CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2023-39325
CWE-ID:
CWE-400 - Resource exhaustion
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to excessive consumption of internal resources when handling HTTP/2 requests. A remote attacker can bypass the http2.Server.MaxConcurrentStreams setting by creating new connections while the current connections are still being processed, trigger resource exhaustion and perform a denial of service (DoS) attack.
MitigationUpdate the affected package go1.21-openssl to the latest version.
Vulnerable software versionsDevelopment Tools Module: 15-SP4 - 15-SP5
SUSE Linux Enterprise Server for SAP Applications 15: SP4 - SP5
SUSE Linux Enterprise Server 15: SP4 - SP5
SUSE Linux Enterprise Real Time 15: SP4 - SP5
SUSE Linux Enterprise High Performance Computing 15: SP4 - SP5
SUSE Linux Enterprise Desktop 15: SP4 - SP5
openSUSE Leap: 15.4 - 15.5
SUSE Manager Retail Branch Server: 4.3
SUSE Manager Server: 4.3
SUSE Manager Proxy: 4.3
go1.21-openssl: before 1.21.4.1-150000.1.5.1
go1.21-openssl-race: before 1.21.4.1-150000.1.5.1
go1.21-openssl-doc: before 1.21.4.1-150000.1.5.1
CPE2.3- cpe:2.3:o:suse:development_tools_module:15-SP5:*:*:*:*:*:*:
- cpe:2.3:o:suse:development_tools_module:15-SP4:*:*:*:*:*:*:
- cpe:2.3:o:suse:suse_linux_enterprise_server_for_sap_applications_15:SP5:*:*:*:*:*:*:
- cpe:2.3:o:suse:suse_linux_enterprise_server_for_sap_applications_15:SP4:*:*:*:*:*:*:
- cpe:2.3:o:suse:suse_linux_enterprise_server_15:SP5:*:*:*:*:*:*:
- cpe:2.3:o:suse:suse_linux_enterprise_server_15:SP4:*:*:*:*:*:*:
- cpe:2.3:o:suse:suse_linux_enterprise_real_time_15:SP5:*:*:*:*:*:*:
- cpe:2.3:o:suse:suse_linux_enterprise_real_time_15:SP4:*:*:*:*:*:*:
- cpe:2.3:o:suse:suse_linux_enterprise_high_performance_computing_15:SP5:*:*:*:*:*:*:
- cpe:2.3:o:suse:suse_linux_enterprise_high_performance_computing_15:SP4:*:*:*:*:*:*:
- cpe:2.3:o:suse:suse_linux_enterprise_desktop_15:SP5:*:*:*:*:*:*:
- cpe:2.3:o:suse:suse_linux_enterprise_desktop_15:SP4:*:*:*:*:*:*:
- cpe:2.3:o:suse:opensuse_leap:15.5:*:*:*:*:*:*:
- cpe:2.3:o:suse:opensuse_leap:15.4:*:*:*:*:*:*:
- cpe:2.3:o:suse:suse_manager_retail_branch_server:4.3:*:*:*:*:*:*:
- cpe:2.3:o:suse:suse_manager_server:4.3:*:*:*:*:*:*:
- cpe:2.3:o:suse:suse_manager_proxy:4.3:*:*:*:*:*:*:
http://www.suse.com/support/update/announcement/2023/suse-su-20234469-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
8) Resource exhaustion
EUVDB-ID: #VU81728
Risk: High
CVSSv3.1: 5.1 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:H/RL:O/RC:C]
CVE-ID: CVE-2023-44487
CWE-ID:
CWE-400 - Resource exhaustion
Exploit availability: Yes
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to improperly control of consumption for internal resources when handling HTTP/2 requests with compressed HEADERS frames. A remote attacker can send a sequence of compressed HEADERS frames followed by RST_STREAM frames and perform a denial of service (DoS) attack, a.k.a. "Rapid Reset".
Note, the vulnerability is being actively exploited in the wild.
Update the affected package go1.21-openssl to the latest version.
Vulnerable software versionsDevelopment Tools Module: 15-SP4 - 15-SP5
SUSE Linux Enterprise Server for SAP Applications 15: SP4 - SP5
SUSE Linux Enterprise Server 15: SP4 - SP5
SUSE Linux Enterprise Real Time 15: SP4 - SP5
SUSE Linux Enterprise High Performance Computing 15: SP4 - SP5
SUSE Linux Enterprise Desktop 15: SP4 - SP5
openSUSE Leap: 15.4 - 15.5
SUSE Manager Retail Branch Server: 4.3
SUSE Manager Server: 4.3
SUSE Manager Proxy: 4.3
go1.21-openssl: before 1.21.4.1-150000.1.5.1
go1.21-openssl-race: before 1.21.4.1-150000.1.5.1
go1.21-openssl-doc: before 1.21.4.1-150000.1.5.1
CPE2.3- cpe:2.3:o:suse:development_tools_module:15-SP5:*:*:*:*:*:*:
- cpe:2.3:o:suse:development_tools_module:15-SP4:*:*:*:*:*:*:
- cpe:2.3:o:suse:suse_linux_enterprise_server_for_sap_applications_15:SP5:*:*:*:*:*:*:
- cpe:2.3:o:suse:suse_linux_enterprise_server_for_sap_applications_15:SP4:*:*:*:*:*:*:
- cpe:2.3:o:suse:suse_linux_enterprise_server_15:SP5:*:*:*:*:*:*:
- cpe:2.3:o:suse:suse_linux_enterprise_server_15:SP4:*:*:*:*:*:*:
- cpe:2.3:o:suse:suse_linux_enterprise_real_time_15:SP5:*:*:*:*:*:*:
- cpe:2.3:o:suse:suse_linux_enterprise_real_time_15:SP4:*:*:*:*:*:*:
- cpe:2.3:o:suse:suse_linux_enterprise_high_performance_computing_15:SP5:*:*:*:*:*:*:
- cpe:2.3:o:suse:suse_linux_enterprise_high_performance_computing_15:SP4:*:*:*:*:*:*:
- cpe:2.3:o:suse:suse_linux_enterprise_desktop_15:SP5:*:*:*:*:*:*:
- cpe:2.3:o:suse:suse_linux_enterprise_desktop_15:SP4:*:*:*:*:*:*:
- cpe:2.3:o:suse:opensuse_leap:15.5:*:*:*:*:*:*:
- cpe:2.3:o:suse:opensuse_leap:15.4:*:*:*:*:*:*:
- cpe:2.3:o:suse:suse_manager_retail_branch_server:4.3:*:*:*:*:*:*:
- cpe:2.3:o:suse:suse_manager_server:4.3:*:*:*:*:*:*:
- cpe:2.3:o:suse:suse_manager_proxy:4.3:*:*:*:*:*:*:
http://www.suse.com/support/update/announcement/2023/suse-su-20234469-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
Yes. This vulnerability is being exploited in the wild.
9) Input validation error
EUVDB-ID: #VU83255
Risk: Low
CVSSv3.1: 2.9 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2023-45283
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a local user to bypass implemented security restrictions.
Update the affected package go1.21-openssl to the latest version.
Vulnerable software versionsDevelopment Tools Module: 15-SP4 - 15-SP5
SUSE Linux Enterprise Server for SAP Applications 15: SP4 - SP5
SUSE Linux Enterprise Server 15: SP4 - SP5
SUSE Linux Enterprise Real Time 15: SP4 - SP5
SUSE Linux Enterprise High Performance Computing 15: SP4 - SP5
SUSE Linux Enterprise Desktop 15: SP4 - SP5
openSUSE Leap: 15.4 - 15.5
SUSE Manager Retail Branch Server: 4.3
SUSE Manager Server: 4.3
SUSE Manager Proxy: 4.3
go1.21-openssl: before 1.21.4.1-150000.1.5.1
go1.21-openssl-race: before 1.21.4.1-150000.1.5.1
go1.21-openssl-doc: before 1.21.4.1-150000.1.5.1
CPE2.3- cpe:2.3:o:suse:development_tools_module:15-SP5:*:*:*:*:*:*:
- cpe:2.3:o:suse:development_tools_module:15-SP4:*:*:*:*:*:*:
- cpe:2.3:o:suse:suse_linux_enterprise_server_for_sap_applications_15:SP5:*:*:*:*:*:*:
- cpe:2.3:o:suse:suse_linux_enterprise_server_for_sap_applications_15:SP4:*:*:*:*:*:*:
- cpe:2.3:o:suse:suse_linux_enterprise_server_15:SP5:*:*:*:*:*:*:
- cpe:2.3:o:suse:suse_linux_enterprise_server_15:SP4:*:*:*:*:*:*:
- cpe:2.3:o:suse:suse_linux_enterprise_real_time_15:SP5:*:*:*:*:*:*:
- cpe:2.3:o:suse:suse_linux_enterprise_real_time_15:SP4:*:*:*:*:*:*:
- cpe:2.3:o:suse:suse_linux_enterprise_high_performance_computing_15:SP5:*:*:*:*:*:*:
- cpe:2.3:o:suse:suse_linux_enterprise_high_performance_computing_15:SP4:*:*:*:*:*:*:
- cpe:2.3:o:suse:suse_linux_enterprise_desktop_15:SP5:*:*:*:*:*:*:
- cpe:2.3:o:suse:suse_linux_enterprise_desktop_15:SP4:*:*:*:*:*:*:
- cpe:2.3:o:suse:opensuse_leap:15.5:*:*:*:*:*:*:
- cpe:2.3:o:suse:opensuse_leap:15.4:*:*:*:*:*:*:
- cpe:2.3:o:suse:suse_manager_retail_branch_server:4.3:*:*:*:*:*:*:
- cpe:2.3:o:suse:suse_manager_server:4.3:*:*:*:*:*:*:
- cpe:2.3:o:suse:suse_manager_proxy:4.3:*:*:*:*:*:*:
http://www.suse.com/support/update/announcement/2023/suse-su-20234469-1/
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
10) Input validation error
EUVDB-ID: #VU83254
Risk: Low
CVSSv3.1: 2.9 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2023-45284
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a local user to bypass implemented security restrictions.
The vulnerability exists due to the IsLocal() function from the path/filepath package does not correctly detect reserved device names in some cases when executed on Windows. Reserved names followed by spaces, such as "COM1 ", and reserved names
"COM" and "LPT" followed by superscript 1, 2, or 3, are incorrectly
reported as local. A local user can abuse such behavior and bypass implemented security restrictions.
Update the affected package go1.21-openssl to the latest version.
Vulnerable software versionsDevelopment Tools Module: 15-SP4 - 15-SP5
SUSE Linux Enterprise Server for SAP Applications 15: SP4 - SP5
SUSE Linux Enterprise Server 15: SP4 - SP5
SUSE Linux Enterprise Real Time 15: SP4 - SP5
SUSE Linux Enterprise High Performance Computing 15: SP4 - SP5
SUSE Linux Enterprise Desktop 15: SP4 - SP5
openSUSE Leap: 15.4 - 15.5
SUSE Manager Retail Branch Server: 4.3
SUSE Manager Server: 4.3
SUSE Manager Proxy: 4.3
go1.21-openssl: before 1.21.4.1-150000.1.5.1
go1.21-openssl-race: before 1.21.4.1-150000.1.5.1
go1.21-openssl-doc: before 1.21.4.1-150000.1.5.1
CPE2.3- cpe:2.3:o:suse:development_tools_module:15-SP5:*:*:*:*:*:*:
- cpe:2.3:o:suse:development_tools_module:15-SP4:*:*:*:*:*:*:
- cpe:2.3:o:suse:suse_linux_enterprise_server_for_sap_applications_15:SP5:*:*:*:*:*:*:
- cpe:2.3:o:suse:suse_linux_enterprise_server_for_sap_applications_15:SP4:*:*:*:*:*:*:
- cpe:2.3:o:suse:suse_linux_enterprise_server_15:SP5:*:*:*:*:*:*:
- cpe:2.3:o:suse:suse_linux_enterprise_server_15:SP4:*:*:*:*:*:*:
- cpe:2.3:o:suse:suse_linux_enterprise_real_time_15:SP5:*:*:*:*:*:*:
- cpe:2.3:o:suse:suse_linux_enterprise_real_time_15:SP4:*:*:*:*:*:*:
- cpe:2.3:o:suse:suse_linux_enterprise_high_performance_computing_15:SP5:*:*:*:*:*:*:
- cpe:2.3:o:suse:suse_linux_enterprise_high_performance_computing_15:SP4:*:*:*:*:*:*:
- cpe:2.3:o:suse:suse_linux_enterprise_desktop_15:SP5:*:*:*:*:*:*:
- cpe:2.3:o:suse:suse_linux_enterprise_desktop_15:SP4:*:*:*:*:*:*:
- cpe:2.3:o:suse:opensuse_leap:15.5:*:*:*:*:*:*:
- cpe:2.3:o:suse:opensuse_leap:15.4:*:*:*:*:*:*:
- cpe:2.3:o:suse:suse_manager_retail_branch_server:4.3:*:*:*:*:*:*:
- cpe:2.3:o:suse:suse_manager_server:4.3:*:*:*:*:*:*:
- cpe:2.3:o:suse:suse_manager_proxy:4.3:*:*:*:*:*:*:
http://www.suse.com/support/update/announcement/2023/suse-su-20234469-1/
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
