Synopsis
The remote SUSE host is missing one or more security updates.
Description
The remote SUSE Linux SLES12 / SLES_SAP12 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2023:2126-1 advisory.
Changes in cfengine:
- cfengine3.target: removed, replaced by upstream cfengine3.service
- In version 3.15.0, cfengine core split off libutils and libcompat directories as libntech. We include both together as we do not use or plan on using it outside of cfengine.
Changes since 3.7.3 are below, in reverse chronological order:
- Update to version 3.21.0: (jsc#SLE-24222, bsc#1197029, CVE-2021-44215)
* Added cf-support utility for generating support information (ENT-9037)
* Adjusted cf-check and package module code for empty updates list (ENT-9050)
* '$(this.promiser)' can now be used in 'files' promise attributes 'if', 'ifvarclass' and 'unless' (CFE-2262, ENT-7008)
* Fixed storage promise for nfs on MacOS (CFE-4093)
* Fixed definition of _low_ldt class from cf-monitord (CFE-4022)
* Insertion of contents of a file with blank lines into another file with blank lines no longer results in mixed content (ENT-8788)
* Added suggestion to use a negative lookahead when non-convergent edits are attempted (CFE-192)
* Unresolved function calls that return scalar values are now considered OK for constraints expecting strings during syntax check (CFE-4094)
* cf-monitord now honors monitorfacility in body monitor control (ENT-4492)
* cf-serverd now periodically reloads its policy if it contains unresolved variables (e.g. $(sys.policy_hub) in 'allowconnect'). (ENT-8456)
* cf-serverd now starts in the network-online.target on systemd-based systems (ENT-8456)
* edit_line bundles can now use the new $(edit.empty_before_use) variable mirroring the value of edit_defaults=>empty_before_use of the related files promise (ENT-5866)
* Package modules with unresolved variables in their names are now skipped in package queries (ENT-9377)
* Removed unsupported name_connect capability for udp_socket class (ENT-8824)
* 'meta' attribute can now be used in custom promises (CFE-3440)
* Custom promise modules can now support the 'action_policy' feature allowing promises of their custom types to be used in dry-run and simulation modes and in combination with 'action_policy => 'warn''. (CFE-3433)
* Use of custom promise modules that don't fully specify protocol now results in warning (CFE-3433)
* Warnings are logged if levels of log messages from custom promise modules don't match results of their related promises (CFE-3433)
* Adjusted SELinux policy for RHEL 9 (ENT-8824)
* Fixed SELinux policy to allow hub to send emails (ENT-9557, ENT-9473)
* SELinux no longer breaks SQL queries with large result sets on RHEL 8 hubs (ENT-9496)
* Added SELinux LDAP port access for Mission Portal (ENT-9694)
* Allowed ciphers are now properly split into TLS 1.3 cipher suites and ciphers used for TLS 1.2 and older (ENT-9018)
* Fixed git_cfbs_deploy_refspec in masterfiles_stage leaving temp dir
- Update to version 3.20.0:
* 'rxdirs' now defaults to 'false'. This means that the read permission bit no longer implies execute bit for directories, by default.
Permission bits will be exactly as specified. To restore the old behavior you can still enable 'rxdirs' explicitly. (CFE-951)
* 'N' or 'Ns' signal specs can now be used to sleep between signals sent by 'processes' promises (CFE-2207, ENT-5899)
* Directories named .no-distrib are no longer copied from policy server (in bootstrap/failsafe) (ENT-8079)
* Files promises using content attribute or template method now create files by default unless create => 'false' is specified.
(CFE-3955, CFE-3916)
* template_method mustache and inline_mustache now create file in promiser, if template rendering was successfull and file does not exist. (ENT-4792)
* Added support for use of custom bodies in custom promise types (CFE-3574)
* Custom promise modules now never get promise data with unresolved variables (CFE-3434)
* Custom promises now use standard promise locking and support ifelapsed (CFE-3434)
* Enable comment-attribute for custom promise types (CFE-3432)
* cf-secret encrypt now encrypts for localhost if no key or host is specified (CFE-3874)
* CFEngine now builds with OpenSSL 3 (ENT-8355)
* CFEngine now requires OpenSSL 1.0.0 or newer (ENT-8355)
* Moved Skipping loading of duplicate policy file messages from VERBOSE to DEBUG (CFE-3934)
* CFEngine processes now try to use getent if the builtin user/group info lookup fails (CFE-3937)
* No longer possible to undefine reserved hard classes (ENT-7718)
* Unspecified 'rxdirs' now produces a warning (CFE-951)
* Fixed wrong use of log level in users promises log messages (CFE-3906)
* Fixed default for ignore_missing_bundles and ignore_missing_inputs The issue here was that these attributes should default to false, but when they are assigned with an unresolved variable, they would default to true. (ENT-8430)
* Added protocol 3 (cookie) to syntax description (ENT-8560)
* Moved errors from data_sysctlvalues from inform to verbose (CFE-3818)
* Fixed inconsistencies with methods promises and missing bundles
- Update to 3.10.3 (fate#323149, bsc#1086475)
- Enable Xen hypervisor detection on all x86 platforms (CFE-2203)
- cf-execd systemd service now only kills cf-execd itself (ENT-3395)
- Ignore commented out entries in fstab when edit_fstab is true.
(CFE-2198)
- Do not move obstructions in warn policy mode (CFE-2740)
- libutils/man.c: allow to override build time
- Improve support for Alpine Linux
- Promise comments for file changes moved to verbose (ENT-3414)
- cf-execd now re-parses augments on policy reload (CFE-2406)
- Fix memory leak in cf-execd, triggered when sending email failed.
(CFE-2712)
- Improve logging of ACL errors (ENT-3455)
- Fix bug preventing permission changes on Unix sockets. (CFE-1782)
- Do not tag large volatile variables for inventory sys.interfaces_data, sys.inet and sys.inet6 are commonly larger than the maximum data size allowed to be collected by cf-hub. Data larger than 1k is truncated. Instead of reporting truncated data this change stops tagging the variable so that it will not be collected to the Enterprise hub and will not be available in Mission Portal.
Do not tag sys.inet and sys.inet6 for inventory (ENT-3483)
- Fix mergedata segfault when called on a non-container (CFE-2704)
- fix storage mount promise when existing mount point has a similar path (CFE-1960)
- Properly redirect init script to systemd on debian systems (ENT-3326)
- Do not segfault if policy_server.dat only contains whitespaces and/or line breaks
- Fix segfault when cf-promises -p is called against a file with syntax errors.
(CFE-2696)
- Fix rare cf-execd hang (CFE-2719)
- Properly reverse-resolve DNS names longer than 63 chars. (ENT-3379)
- Fix segfault on JSON policy files with no bundles and bodies (CFE-2754)
- Set the exit value when running cf-key When running cf-key to generate new keys, set the exit value of the program to be 0 on success and 1 on failure. This makes it easier to catch errors during setup of a new machine.
Change the default behavior of the program to not write anything to stdout, opting to use the Log() function which can write to stdout and will also allow output to be sent to syslog.
Add a --inform option to set the global log level to LOG_LEVEL_INFO.
Change the permissions of the randseed file to 600 and catch the exception if the chmod call fails.
- Improve misleading verbose message For constraints if/ifvarclass/unless, we now print the whole rval of the constraint.
Previously the message was just 'skipping variable because ifvarclass is not defined' while the variable itself was defined.
Old message example:
verbose: Skipping promise 'mailto' because 'if'/'ifvarclass' is not defined Changed to:
verbose: Skipping promise 'mailto' because 'ifvarclass => not(isvariable('mailto'))' is not defined (CFE-2697)
- Suppress output from systemctl based restart of services in bootstrap/failsafe (CFE-1459)
3.10.2:
- fix cf-execd not exiting immediately with SIGTERM on AIX (ENT-3147)
- Fix logic detecting if running under a Xen Hypervisor (CFE-1563)
- Fix automatic service stops based on runlevel (redhat/centos) (CFE-2611)
- Allow opening symlinks owned by root or by the current user (CFE-2516)
- Stop service cfengine3 status from warning on multiple httpd processes (ENT-3123)
- fix IPv6 parsing to be un-reversed (CFE-2580)
3.10.1:
New features/additions:
- 'make tar-package' should create a tarball with the contents of 'make install' (ENT-3041)
Bugfixes:
- Fix rare output truncation on Solaris 10/11 (CFE-2527)
- Change: Don't error during dry run for proposed execution. (CFE-2561)
- prevent LMDB assertion on AIX by ensuring nested DB calls are not occuring during signal handler cleanup (CFE-1996)
- Detect Amazon Linux and set 'AmazonLinux' hard class and sys.flavour variable.
- Fix 'lastseenexpireafter' 32-bit signed int overflow.
- Add missing pcre build flags to cf-key (CFE-2525)
- Fix a bug which could cause cf-execd to believe there was an error when sending the email report, when there really wasn't.
- cf-serverd: Auto configure max open files ulimit according to maxconnections (CFE-2575)
- Added vars and classes for CoreOS (ENT-3043)
3.10.0:
New features/additions:
- All new features/additions for 3.8 and 3.9 are also included in 3.10.
- Add: Classes body tailored for use with diff
- New feature: Classes promise: allow classes without an expression to default to defined.
- Support for custom ports and host names as policy hub (CFE-953)
- Add: Definition of from_cfexecd for cf-execd initiated runs (CFE-2386)
- Add < <= > >= operators to eval().
- Add testing jUnit and TAP bundles and include them in stdlib.cf
- New function isipinsubnet() (ENT-7949)
- LogDebug(): implement module-based debug logging.
Now most DEBUG messages are *not* printed even when '-d' is in use, but the specific debug module has to be enabled on the command line. For example to enable all log modules, run:
cf-agent -d --log-modules=all
- Add: edit_line contains_literal_string to stdlib
- add variablesmatching_as_data() function paralleling variablesmatching() (Redmine #7885)
- Allow specifying agent maxconnections via def.json (CFE-2461)
- Add getuserinfo() function
- Add body agent control select_end_match_eof option. (CFE-2390)
- Add class to enable post transfer verification during policy updates
- Add ability to append to bundlesequnece with def.json (CFE-2460)
- policy_server.dat now appends a newline and supports host & port
Changes:
- Rewrite iteration engine to avoid combinatorial explosion with nested variable expansions.
This speeds up enormously the execution of policies that included long slists or JSON containers, that in the past didn't even terminate.
Change: 'cf_null' string literal was changed to not be something special, and it's now a string that can be used anywhere, like in slists or part of bundlesequence etc.
NOTE: Old policy should be grep'ed for 'cf_null' and in case such occurences were handled specially, they should be reworked.
Change: '--empty-list--' is now never printed by format(), an empty list is now printed as '{ }'.
Change: Order of pre-evaluation was slightly changed, A new 'vars' pass at the beginning of pre-evaluation was added. It used to be classes-vars, but it was changed to vars-classes-vars. As a result some classes or variables might be evaluated at a different time than before. As always try to write policy code that works no matter what the order of execution is.
One way is to always *guard* the execution of functions to avoid bogus function results. For example the following will avoid running execresult() bevore the file has been created:
execresult('cmd /path/to/filename') if => fileexists('/path/to/filename');
C internals: NULL Rlist is now perfectly valid, in fact it is the only way to denote an empty Rlist.
C internals: Since a slist variable can be NULL, API of EvalContextVariableGet() changed: The way to detect if a variable is found, is not to check return value for NULL, but to check returned *type* for CF_DATA_TYPE_NONE.
Fixed what I could find as wrong API uses. (CFE-2162)
- Allow arbitrary service policies (CFE-2402)
- Behaviour change: cf-execd: Do not append -Dfrom_cfexecd to exec_command .
(CFE-2386)
- Failsafe/Bootstrap no longer copy files starting with .git (like .gitignore) or .mailmap (CFE-2439)
- Change: Enable strict transport security
- Change: Disable http TRACE method
- Change: Verify transfered files during policy update
- Allow getvariablemetatags() and getclassmetatags() to get a specific tag key
- Change: Use more restrictive unix socket perms (ENT-2705)
- Add sys.user_data container for user starting agent.
- Pass package promise options to underlying apt-get call (#802) (CFE-2468)
- Change: Enable agent component management policy on systemd hosts (CFE-2429)
- Change: Switch processes restart_class logging to verbose
- Change: Log level for keeping verbatim JSON to DEBUG (CFE-2141)
- Change: Require network before cfengine services (CFE-2435)
- Behaviour change: getvalues(inexistent_var) returns an empty list.
Restores 3.7.x and earlier behaviour. (CFE-2479)
- Behaviour change: when used with CFEngine 3.10.0 or greater, bundles set_config_values() and set_line_based() are appending a trailing space when inserting a configuration option with empty value.
(CFE-2466)
- Behaviour change: getvalues() always returns a list now. Even when v is a simple string (i.e. not an iterable) it will return an slist with one element:
the value of the string variable.
- Behaviour change: readintlist() now prints an error if the file contains real numbers, not integers, and aborts; previously it was printing an info-level error message, was half-reading an integer out of the real, and was continuing successfully.
- Ensure synchronous start and stop with systemctl (ENT-2841)
- Change select_region INI_section to match end of section or end of file (CFE-2519)
Bug fixes:
- fix files promise not setting ACL properly on directories. (CFE-616)
- Upgrade CFEngine dependencies to the following versions:
- lixml2 2.9.4
- OpenSSL 1.0.2j
- LibYAML 0.1.7
- Curl 7.50.3
- Fix cumulative() to accept up to 1000 years, like it's documented.
- Fixed parsing of host name/IP and port number in cf-runagent (CFE-546)
- Fix intermittent error message of type:
'error: Process table lacks space for last columns: ' (CFE-2371)
- storage: Properly initialize the list of current mounts (CFE-1803)
- Fix 'contain' attribute 'no_output' having no effect when the 'commands' promise is using 'module => 'true''. (CFE-2412)
- Fix bug which caused empty emails to be sent from cf-execd if there was no previous output log and the new log was fully filtered by email filters. (ENT-2739)
- allow ifelse(FALSE, $(x), 'something else') to work. (CFE-2260)
- Fix connection cache, reuse connections when possible. (CFE-2447)
- Fix rare bug that would sometimes prevent redis-server from launching.
- Fix bug in files promise when multiple owners are promised but first one doesn't exist, and improve logging . (CFE-2432)
- define kept outcome with action warn if edit_line is as expected (CFE-2424)
- Example using getvariablemetatags() and getclassmetatags() to get a specific tag key
- Remove 2k limit on strings length when writing JSON policies (CFE-2383)
- Fix ttime_range constraint to go higher than 2G as number of seconds.
- Change: cronjob bundle tolerates different spacing
- Allow editing fields in lines longer than 4k (CFE-2438)
- Don't send empty emails for logs where everything is filtered.
(ENT-2739)
- allow maplist(), maparray(), and mapdata() to evaluate function calls during iteration (ARCHIVE-1619)
- insert_lines is no longer implicitly matching EOF as end of the region if 'select_end' pattern is not matched . (CFE-2263)
- Change: Remove executable bit from systemd units (CFE-2436)
- cf-serverd should reload def.json when reloading policy (CFE-2406)
- Fix cf-monitord detection of usernames of the process table on AIX.
- Speed up local and remote file copying and fix spurious errors.
(ENT-2769)
- Fix occasional segfault when running getindices() on a variable that has indices of multiple depths (e.g. both 'a[x]' and 'a[x][y]'). (CFE-2397)
- When no file is provided when calling cf-promises with cf or json output, use promises.cf by default. This restores the previous behavior. (CFE-2375)
- Fix: Services starting or stopping unnecessarily (CFE-2421)
- Change: Split systemd units (CFE-2278)
- EOF is matched as an end of the region in edit_line promises only if 'select_end_match_eof' parameter is true. (CFE-2263)
- Fix double logging of output_prefix, and log process name for cf-agent syslog messages.
(CFE-2225)
- Be less verbose if a network interface doesn't have a MAC address.
(CFE-1995)
- Fix: CFEngine choking on standard services (CFE-2806)
- fix insert_lines related memory corruption (CFE-2520)
- fix cf-serverd crash when reporting corrupted data. (ENT-3023)
- Fix ability to manage INI sections with metachars for manage_variable_values_ini and set_variable_values_ini (CFE-2519)
- Fix apt_get package module incorrectly using interactive mode.
- Fix crash on Solaris when ps ucb variant is not available. (CFE-2506)
- cf-serverd: Do not close connection when file does not exist.
(CFE-2532)
- getvalues() now behaves correctly for old CFEngine arrays of depth 1.
Known issues: getvalues() still misbehaves with double-indexed arrays (see (CFE-2504, CFE-2536)
3.9.0:
New features/additions:
- Add optional interface parameter to iprange() to match only one interface.
- Allow '=' in symbolic modes (Redmine #7826)
- Add: FreeBSD ports package module
- New package module for FreeBSD pkg package manager.
- Add support for adding/removing fifos in policy
- Add Linux parsing of /proc/net/ data.
- sys.inet
- sys.inet6
- sys.interface_data
- Data is returned as a data container.
- See documentation for more details. (Jira CFE-1991)
- sys.ip2iface: new reverse mapping variable from IP to interface name
- Namespaced classes can now be specified on the command line.
- namespaces can now be passed to cf-runagent -D and --remote-bundles (Redmine #7856)
- Add 'cf-full' and 'json-full' to cf-promises '-p' option.
They generate output based on the entire policy. The existing 'cf' already behaved this way, and it has now been changed to generate output only for a single file, which the existing 'json' option already does.
- New language functions: processexists() and findprocesses() (Redmine #7633)
- Implement new regex_replace() function. (Redmine #7346)
- Add log rotation policy for state/classes.jsonl log. (Redmine #7951)
- Added collect_vars utility bundle to stdlib
- Intoduce report_class_log attribute to body agent control.
(Redmine #7951)
- Add standard_services service_method allowing for explicit usage
- cf-promises --show-vars can now show JSON variables.
- Add json_pipe mode to mapdata(), which allows piping a JSON container to an external program for manipulation and receiving JSON back. The `jq` tool is a good example where this mode can be useful. A corresponding `$(def.jq)` variable has also been added with a default path to this tool. See documentation for mapdata() for more information and examples. (Jira CFE-2071)
- behaviour change: 'true' is always defined and 'false' is never defined in a context expression.
- Add: nimclient package module for AIX This module provides basic functionality for using nimclient as a means to ensure packages are either present or absent. It does not support listing package updates available or provide any special caching.
- Add callstack_callers() and callstack_promisers() functions.
- Log variable definitions in debug output. (Redmine #7137)
- Add: Memory information to host info report (Jira CFE-1177)
- In Mustache templates, one can now use `` and `` tags to iterate over the top level element in a container. (Redmine #6545)
- Add network_connections() function that parses /proc/net
- Provide new -w argument to override the workdir for testing
- New feature: Emails sent by cf-execd can be filtered to get rid of emails for unwanted log messages. The attributes mailfilter_include and mailfilter_exclude in body executor control control what to include. See documentation for cf-execd for more information. (Jira CFE-2283)
- Add: file_make_mustache bundle to render mustache templates
- Add '-n' flag to cf-key to avoid host name lookups.
- cf-agent, cf-execd, cf-promises, cf-runagent and cf-serverd honor multiple -D, -N and -s arguments (Redmine #7191)
- Add 'canonify' mode to mapdata().
- Add: printfile bodies to stdlib
- Add: New `results` classes body [] (Redmine #7418, #7481)
- Implement cf-runagent --remote-bundles and cf-serverd 'bundle' access promise.
(Redmine #7581)
- Add commands promise arglist attribute, augmenting args attribute.
- It's now possible to reference variables in inline JSON, for example: `mergedata('[ thing, { 'mykey': otherthing[123] } ]')`.
`thing` and `otherthing[123]` will be resolved as variables, since they are unquoted. See the documentation for more details.
(Redmine #7871)
- Allow inline JSON to be used in the following function calls:
- data_expand()
- difference()
- every()
- filter()
- format()
- getindices()
- getvalues()
- grep()
- intersection()
- join()
- length()
- makerule()
- mapdata()
- maplist()
- mean()
- mergedata()
- none()
- nth()
- parsejson()
- product()
- regarray()
- reglist()
- reverse()
- shuffle()
- some()
- sort()
- storejson()
- string_mustache()
- sublist()
- sum()
- unique()
- url_get()
- variance() For example: `mergedata('[ 'thing', { 'mykey': 'myvalue' } ]')` See the documentation for more details. (Jira CFE-2253)
- Add: edit_line contains_literal_string to stdlib
- Add body agent control select_end_match_eof option. (Jira CFE-2390) Changes:
- Change: classesmatching(): order of classes changed
- Change: getindices(), getvalues(), variablesmatching(), maparray():
order of variables returned has changed
- Change: set_quoted_values uses bundle scoped classes
- Change: set_config_values uses bundle scoped classes
- Change: set_variable_values uses bundle scoped classes
- Change: set_config_values_matching uses bundle scoped classes
- Change: manage_variable_values_ini uses bundle scoped classes
- Change: set_line_based should use bundle scoped classes (Jira CFE-1959)
- getvalues() will now return a list also for data containers, and will descend recursively into the containers. (Redmine #7116)
- Change: Improve git drop user support
- Use new package promise as default package promise implementation. (Jira CFE-2332)
- Don't follow symbolic links when copying extended attributes.
- When a bodydefault:_ body is defined, it will be used by all promises of type unless another body is explicitly used.
- cf-serverd no longer appends '-I -Dcfruncommand' to cfruncommand, this has to be done manually in masterfiles body server control. (Redmine #7732)
- eval() function arguments mode and options are now optional.
- sort() function argument mode is now optional.
- Change: returnszero() no longer outputs the output of a command.
The output can be seen by enabling info mode (-I).
- cfruncommand is not executed under shell. (Redmine #7409)
- Remove: Apache CGI module
- Change: Make maxbytes arg of readjson() and readyaml() optional
- Classes matching agent control's abortclasses are now printed before exit, even if they are defined in common bundles.
Previously the regex (in abortclasses) that matched the class was printed if the class was defined in a common bundle, but the class itself was printed if it was defined in an agent bundle. With this change, the defined class that caused the abort is always printed.
- Remove: Support for email settings from augments_file (Redmine #7682)
- Change: set_variable_values_ini uses bundle scoped cla ...
Please note that the description has been truncated due to length. Please refer to vendor advisory for the full description.
Tenable has extracted the preceding description block directly from the SUSE security advisory.
Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.
Solution
Update the affected cfengine, cfengine-masterfiles, libpromises-devel and / or libpromises3 packages.
Plugin Details
File Name: suse_SU-2023-2126-1.nasl
Agent: unix
Supported Sensors: Frictionless Assessment AWS, Frictionless Assessment Azure, Frictionless Assessment Agent, Nessus Agent, Agentless Assessment, Continuous Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security, Nessus
Risk Information
Vector: CVSS2#AV:L/AC:L/Au:N/C:P/I:N/A:N
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C
Vulnerability Information
CPE: cpe:/o:novell:suse_linux:12, p-cpe:/a:novell:suse_linux:cfengine, p-cpe:/a:novell:suse_linux:cfengine-masterfiles, p-cpe:/a:novell:suse_linux:libpromises-devel, p-cpe:/a:novell:suse_linux:libpromises3
Required KB Items: Host/local_checks_enabled, Host/cpu, Host/SuSE/release, Host/SuSE/rpm-list
Exploit Ease: Exploits are available
Patch Publication Date: 5/8/2023
Vulnerability Publication Date: 3/10/2022