SUSE update for corosync

Published: 2025-04-01

Risk	Medium
Patch available	YES
Number of vulnerabilities	1
CVE-ID	CVE-2025-30472
CWE-ID	CWE-121
Exploitation vector	Network
Public exploit	N/A
Vulnerable software	SUSE Enterprise Server 15 SP3 Business Critical Operating systems & Components / Operating system SUSE Linux Enterprise High Availability Extension 15 Operating systems & Components / Operating system openSUSE Leap Operating systems & Components / Operating system SUSE Linux Enterprise Server for SAP Applications 15 Operating systems & Components / Operating system SUSE Linux Enterprise Server 15 Operating systems & Components / Operating system SUSE Linux Enterprise High Performance Computing 15 Operating systems & Components / Operating system SUSE Manager Retail Branch Server Operating systems & Components / Operating system SUSE Manager Server Operating systems & Components / Operating system SUSE Manager Proxy Operating systems & Components / Operating system libcorosync_common4-64bit Operating systems & Components / Operating system package or component libquorum5-64bit-debuginfo Operating systems & Components / Operating system package or component libcpg4-64bit-debuginfo Operating systems & Components / Operating system package or component libtotem_pg5-64bit-debuginfo Operating systems & Components / Operating system package or component libcfg6-64bit-debuginfo Operating systems & Components / Operating system package or component libtotem_pg5-64bit Operating systems & Components / Operating system package or component libsam4-64bit-debuginfo Operating systems & Components / Operating system package or component libquorum5-64bit Operating systems & Components / Operating system package or component libvotequorum8-64bit Operating systems & Components / Operating system package or component libcpg4-64bit Operating systems & Components / Operating system package or component libcfg6-64bit Operating systems & Components / Operating system package or component libsam4-64bit Operating systems & Components / Operating system package or component libcmap4-64bit-debuginfo Operating systems & Components / Operating system package or component libcorosync_common4-64bit-debuginfo Operating systems & Components / Operating system package or component libcmap4-64bit Operating systems & Components / Operating system package or component libvotequorum8-64bit-debuginfo Operating systems & Components / Operating system package or component libcorosync_common4-32bit Operating systems & Components / Operating system package or component libcorosync_common4-32bit-debuginfo Operating systems & Components / Operating system package or component libtotem_pg5-32bit Operating systems & Components / Operating system package or component libcfg6-32bit Operating systems & Components / Operating system package or component libquorum5-32bit Operating systems & Components / Operating system package or component libtotem_pg5-32bit-debuginfo Operating systems & Components / Operating system package or component libvotequorum8-32bit-debuginfo Operating systems & Components / Operating system package or component libsam4-32bit-debuginfo Operating systems & Components / Operating system package or component libcpg4-32bit-debuginfo Operating systems & Components / Operating system package or component libcfg6-32bit-debuginfo Operating systems & Components / Operating system package or component libquorum5-32bit-debuginfo Operating systems & Components / Operating system package or component libvotequorum8-32bit Operating systems & Components / Operating system package or component libcpg4-32bit Operating systems & Components / Operating system package or component libsam4-32bit Operating systems & Components / Operating system package or component libcmap4-32bit-debuginfo Operating systems & Components / Operating system package or component libcmap4-32bit Operating systems & Components / Operating system package or component libcmap4 Operating systems & Components / Operating system package or component corosync-qnetd Operating systems & Components / Operating system package or component libcpg4 Operating systems & Components / Operating system package or component libcorosync_common4-debuginfo Operating systems & Components / Operating system package or component libcfg6-debuginfo Operating systems & Components / Operating system package or component corosync-testagents Operating systems & Components / Operating system package or component libvotequorum8 Operating systems & Components / Operating system package or component libcpg4-debuginfo Operating systems & Components / Operating system package or component libsam4-debuginfo Operating systems & Components / Operating system package or component corosync-qdevice Operating systems & Components / Operating system package or component libcorosync_common4 Operating systems & Components / Operating system package or component libtotem_pg5-debuginfo Operating systems & Components / Operating system package or component libtotem_pg5 Operating systems & Components / Operating system package or component libquorum5-debuginfo Operating systems & Components / Operating system package or component libquorum5 Operating systems & Components / Operating system package or component corosync-qnetd-debuginfo Operating systems & Components / Operating system package or component corosync-qdevice-debuginfo Operating systems & Components / Operating system package or component corosync-debuginfo Operating systems & Components / Operating system package or component corosync Operating systems & Components / Operating system package or component libvotequorum8-debuginfo Operating systems & Components / Operating system package or component libsam4 Operating systems & Components / Operating system package or component libcorosync-devel Operating systems & Components / Operating system package or component corosync-debugsource Operating systems & Components / Operating system package or component corosync-testagents-debuginfo Operating systems & Components / Operating system package or component libcmap4-debuginfo Operating systems & Components / Operating system package or component libcfg6 Operating systems & Components / Operating system package or component
Vendor	SUSE

Security Bulletin

This security bulletin contains one medium risk vulnerability.

1) Stack-based buffer overflow

EUVDB-ID: #VU106058

Risk: Medium

CVSSv4.0: 7.2 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2025-30472

CWE-ID: CWE-121 - Stack-based buffer overflow

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to a boundary error in orf_token_endian_convert() function in exec/totemsrp.c. A remote attacker can send an overly large UDP packet to the application, trigger a stack-based buffer overflow and execute arbitrary code on the target system.

Successful exploitation of this vulnerability requires that encryption is disabled.

Mitigation

Update the affected package corosync to the latest version.

Vulnerable software versions

SUSE Enterprise Server 15 SP3 Business Critical: Linux

SUSE Linux Enterprise High Availability Extension 15: SP3 - SP6

openSUSE Leap: 15.3 - 15.6

SUSE Linux Enterprise Server for SAP Applications 15: SP3 - SP6

SUSE Linux Enterprise Server 15: SP3 - SP6

SUSE Linux Enterprise High Performance Computing 15: SP3 - SP5

SUSE Manager Retail Branch Server: 4.2 - 4.3

SUSE Manager Server: 4.2 - 4.3

SUSE Manager Proxy: 4.2 - 4.3

libcorosync_common4-64bit: before 2.4.6-150300.12.13.1

libquorum5-64bit-debuginfo: before 2.4.6-150300.12.13.1

libcpg4-64bit-debuginfo: before 2.4.6-150300.12.13.1

libtotem_pg5-64bit-debuginfo: before 2.4.6-150300.12.13.1

libcfg6-64bit-debuginfo: before 2.4.6-150300.12.13.1

libtotem_pg5-64bit: before 2.4.6-150300.12.13.1

libsam4-64bit-debuginfo: before 2.4.6-150300.12.13.1

libquorum5-64bit: before 2.4.6-150300.12.13.1

libvotequorum8-64bit: before 2.4.6-150300.12.13.1

libcpg4-64bit: before 2.4.6-150300.12.13.1

libcfg6-64bit: before 2.4.6-150300.12.13.1

libsam4-64bit: before 2.4.6-150300.12.13.1

libcmap4-64bit-debuginfo: before 2.4.6-150300.12.13.1

libcorosync_common4-64bit-debuginfo: before 2.4.6-150300.12.13.1

libcmap4-64bit: before 2.4.6-150300.12.13.1

libvotequorum8-64bit-debuginfo: before 2.4.6-150300.12.13.1

libcorosync_common4-32bit: before 2.4.6-150300.12.13.1

libcorosync_common4-32bit-debuginfo: before 2.4.6-150300.12.13.1

libtotem_pg5-32bit: before 2.4.6-150300.12.13.1

libcfg6-32bit: before 2.4.6-150300.12.13.1

libquorum5-32bit: before 2.4.6-150300.12.13.1

libtotem_pg5-32bit-debuginfo: before 2.4.6-150300.12.13.1

libvotequorum8-32bit-debuginfo: before 2.4.6-150300.12.13.1

libsam4-32bit-debuginfo: before 2.4.6-150300.12.13.1

libcpg4-32bit-debuginfo: before 2.4.6-150300.12.13.1

libcfg6-32bit-debuginfo: before 2.4.6-150300.12.13.1

libquorum5-32bit-debuginfo: before 2.4.6-150300.12.13.1

libvotequorum8-32bit: before 2.4.6-150300.12.13.1

libcpg4-32bit: before 2.4.6-150300.12.13.1

libsam4-32bit: before 2.4.6-150300.12.13.1

libcmap4-32bit-debuginfo: before 2.4.6-150300.12.13.1

libcmap4-32bit: before 2.4.6-150300.12.13.1

libcmap4: before 2.4.6-150300.12.13.1

corosync-qnetd: before 2.4.6-150300.12.13.1

libcpg4: before 2.4.6-150300.12.13.1

libcorosync_common4-debuginfo: before 2.4.6-150300.12.13.1

libcfg6-debuginfo: before 2.4.6-150300.12.13.1

corosync-testagents: before 2.4.6-150300.12.13.1

libvotequorum8: before 2.4.6-150300.12.13.1

libcpg4-debuginfo: before 2.4.6-150300.12.13.1

libsam4-debuginfo: before 2.4.6-150300.12.13.1

corosync-qdevice: before 2.4.6-150300.12.13.1

libcorosync_common4: before 2.4.6-150300.12.13.1

libtotem_pg5-debuginfo: before 2.4.6-150300.12.13.1

libtotem_pg5: before 2.4.6-150300.12.13.1

libquorum5-debuginfo: before 2.4.6-150300.12.13.1

libquorum5: before 2.4.6-150300.12.13.1

corosync-qnetd-debuginfo: before 2.4.6-150300.12.13.1

corosync-qdevice-debuginfo: before 2.4.6-150300.12.13.1

corosync-debuginfo: before 2.4.6-150300.12.13.1

corosync: before 2.4.6-150300.12.13.1

libvotequorum8-debuginfo: before 2.4.6-150300.12.13.1

libsam4: before 2.4.6-150300.12.13.1

libcorosync-devel: before 2.4.6-150300.12.13.1

corosync-debugsource: before 2.4.6-150300.12.13.1

corosync-testagents-debuginfo: before 2.4.6-150300.12.13.1

libcmap4-debuginfo: before 2.4.6-150300.12.13.1

libcfg6: before 2.4.6-150300.12.13.1

CPE2.3

External links

https://www.suse.com/support/update/announcement/2025/suse-su-20251084-1/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.