SUSE SLES12 Security Update : SUSE Manager Client Tools (SUSE-SU-2023:2183-1)

high Nessus Plugin ID 175416

Synopsis

The remote SUSE host is missing one or more security updates.

Description

The remote SUSE Linux SLES12 / SLES_SAP12 host has a package installed that is affected by multiple vulnerabilities as referenced in the SUSE-SU-2023:2183-1 advisory.

golang-github-prometheus-alertmanager:

- Security issues fixed:
* CVE-2022-46146: Fix authentication bypass via cache poisoning (bsc#1208051)

prometheus-blackbox_exporter:

- Security issues fixed:
* CVE-2022-46146: Fix authentication bypass via cache poisoning (bsc#1208062)
- Other non-security bugs fixed and changes:
* Add `min_version` parameter of `tls_config` to allow enabling TLS 1.0 and 1.1 (bsc#1209113)
* On SUSE Linux Enterprise build always with Go >= 1.19 (bsc#1203599)

prometheus-postgres_exporter:

- Security issues fixed:
* CVE-2022-46146: Fix authentication bypass via cache poisoning (bsc#1208060)
- Other non-security issues fixed:
* Adapt the systemd service security configuration so the service can be started on Red Hat Enterprise Linux systems and clones
* Create the prometheus user on Red Hat Enterprise Linux systems and clones
* Fix broken log-level for values other than debug (bsc#1208965)

golang-github-prometheus-node_exporter:

- Security issues fixed in this version update to version 1.5.0 (jsc#PED-3578):
* CVE-2022-27191: Update go/x/crypto (bsc#1197284)
* CVE-2022-27664: Update go/x/net (bsc#1203185)
* CVE-2022-46146: Update exporter-toolkit (bsc#1208064)
- Other non-security bug fixes and changes in this version update to 1.5.0 (jsc#PED-3578):
* NOTE: This changes the Go runtime 'GOMAXPROCS' to 1. This is done to limit the concurrency of the exporter to 1 CPU thread at a time in order to avoid a race condition problem in the Linux kernel and parallel IO issues on nodes with high numbers of CPUs/CPU threads.
* [BUGFIX] Fix hwmon label sanitizer
* [BUGFIX] Use native endianness when encoding InetDiagMsg
* [BUGFIX] Fix btrfs device stats always being zero
* [BUGFIX] Fix diskstats exclude flags
* [BUGFIX] [node-mixin] Fix fsSpaceAvailableCriticalThreshold and fsSpaceAvailableWarning
* [BUGFIX] Fix concurrency issue in ethtool collector
* [BUGFIX] Fix concurrency issue in netdev collector
* [BUGFIX] Fix diskstat reads and write metrics for disks with different sector sizes
* [BUGFIX] Fix iostat on macos broken by deprecation warning
* [BUGFIX] Fix NodeFileDescriptorLimit alerts
* [BUGFIX] Sanitize rapl zone names
* [BUGFIX] Add file descriptor close safely in test
* [BUGFIX] Fix race condition in os_release.go
* [BUGFIX] Skip ZFS IO metrics if their paths are missing
* [BUGFIX] Handle nil CPU thermal power status on M1
* [BUGFIX] bsd: Ignore filesystems flagged as MNT_IGNORE
* [BUGFIX] Sanitize UTF-8 in dmi collector
* [CHANGE] Merge metrics descriptions in textfile collector
* [FEATURE] Add multiple listeners and systemd socket listener activation
* [FEATURE] [node-mixin] Add darwin dashboard to mixin
* [FEATURE] Add 'isolated' metric on cpu collector on linux
* [FEATURE] Add cgroup summary collector
* [FEATURE] Add selinux collector
* [FEATURE] Add slab info collector
* [FEATURE] Add sysctl collector
* [FEATURE] Also track the CPU Spin time for OpenBSD systems
* [FEATURE] Add support for MacOS version
* [ENHANCEMENT] Add RTNL version of netclass collector
* [ENHANCEMENT] [node-mixin] Add missing selectors
* [ENHANCEMENT] [node-mixin] Change current datasource to grafana's default
* [ENHANCEMENT] [node-mixin] Change disk graph to disk table
* [ENHANCEMENT] [node-mixin] Change io time units to %util
* [ENHANCEMENT] Add user_wired_bytes and laundry_bytes on *bsd
* [ENHANCEMENT] Add additional vm_stat memory metrics for darwin
* [ENHANCEMENT] Add device filter flags to arp collector
* [ENHANCEMENT] Add diskstats include and exclude device flags
* [ENHANCEMENT] Add node_softirqs_total metric
* [ENHANCEMENT] Add rapl zone name label option
* [ENHANCEMENT] Add slabinfo collector
* [ENHANCEMENT] Allow user to select port on NTP server to query
* [ENHANCEMENT] collector/diskstats: Add labels and metrics from udev
* [ENHANCEMENT] Enable builds against older macOS SDK
* [ENHANCEMENT] qdisk-linux: Add exclude and include flags for interface name
* [ENHANCEMENT] systemd: Expose systemd minor version
* [ENHANCEMENT] Use netlink for tcpstat collector
* [ENHANCEMENT] Use netlink to get netdev stats
* [ENHANCEMENT] Add additional perf counters for stalled frontend/backend cycles
* [ENHANCEMENT] Add btrfs device error stats

golang-github-prometheus-prometheus:

- Security issues fixed in this version update to 2.37.6 (jsc#PED-3576):
* CVE-2022-46146: Fix basic authentication bypass vulnerability (bsc#1208049, jsc#PED-3576)
* CVE-2022-41715: Update our regexp library to fix upstream (bsc#1204023)
- Other non-security bug fixes and changes in this version update to 2.37.6 (jsc#PED-3576):
* [BUGFIX] TSDB: Turn off isolation for Head compaction to fix a memory leak.
* [BUGFIX] TSDB: Fix 'invalid magic number 0' error on Prometheus startup.
* [BUGFIX] Agent: Fix validation of flag options and prevent WAL from growing more than desired.
* [BUGFIX] Properly close file descriptor when logging unfinished queries.
* [BUGFIX] TSDB: In the WAL watcher metrics, expose the type='exemplar' label instead of type='unknown' for exemplar records.
* [BUGFIX] Alerting: Fix Alertmanager targets not being updated when alerts were queued.
* [BUGFIX] Hetzner SD: Make authentication files relative to Prometheus config file.
* [BUGFIX] Promtool: Fix promtool check config not erroring properly on failures.
* [BUGFIX] Scrape: Keep relabeled scrape interval and timeout on reloads.
* [BUGFIX] TSDB: Don't increment prometheus_tsdb_compactions_failed_total when context is canceled.
* [BUGFIX] TSDB: Fix panic if series is not found when deleting series.
* [BUGFIX] TSDB: Increase prometheus_tsdb_mmap_chunk_corruptions_total on out of sequence errors.
* [BUGFIX] Uyuni SD: Make authentication files relative to Prometheus configuration file and fix default configuration values.
* [BUGFIX] Fix serving of static assets like fonts and favicon.
* [BUGFIX] promtool: Add --lint-fatal option.
* [BUGFIX] Changing TotalQueryableSamples from int to int64.
* [BUGFIX] tsdb/agent: Ignore duplicate exemplars.
* [BUGFIX] TSDB: Fix chunk overflow appending samples at a variable rate.
* [BUGFIX] Stop rule manager before TSDB is stopped.
* [BUGFIX] Kubernetes SD: Explicitly include gcp auth from k8s.io.
* [BUGFIX] Fix OpenMetrics parser to sort uppercase labels correctly.
* [BUGFIX] UI: Fix scrape interval and duration tooltip not showing on target page.
* [BUGFIX] Tracing/GRPC: Set TLS credentials only when insecure is false.
* [BUGFIX] Agent: Fix ID collision when loading a WAL with multiple segments.
* [BUGFIX] Remote-write: Fix a deadlock between Batch and flushing the queue.
* [BUGFIX] PromQL: Properly return an error from histogram_quantile when metrics have the same labelset.
* [BUGFIX] UI: Fix bug that sets the range input to the resolution.
* [BUGFIX] TSDB: Fix a query panic when memory-snapshot-on-shutdown is enabled.
* [BUGFIX] Parser: Specify type in metadata parser errors.
* [BUGFIX] Scrape: Fix label limit changes not applying.
* [BUGFIX] Remote-write: Fix deadlock between adding to queue and getting batch.
* [BUGFIX] TSDB: Fix panic when m-mapping head chunks onto the disk.
* [BUGFIX] Azure SD: Fix a regression when public IP Address isn't set.
* [BUGFIX] Azure SD: Fix panic when public IP Address isn't set.
* [BUGFIX] Remote-write: Fix deadlock when stopping a shard.
* [BUGFIX] SD: Fix no such file or directory in K8s SD when not running inside K8s.
* [BUGFIX] Promtool: Make exit codes more consistent.
* [BUGFIX] Promtool: Fix flakiness of rule testing.
* [BUGFIX] Remote-write: Update prometheus_remote_storage_queue_highest_sent_timestamp_seconds metric when write irrecoverably fails.
* [BUGFIX] Storage: Avoid panic in BufferedSeriesIterator.
* [BUGFIX] TSDB: CompactBlockMetas should produce correct mint/maxt for overlapping blocks.
* [BUGFIX] TSDB: Fix logging of exemplar storage size.
* [BUGFIX] UI: Fix overlapping click targets for the alert state checkboxes.
* [BUGFIX] UI: Fix Unhealthy filter on target page to actually display only Unhealthy targets.
* [BUGFIX] UI: Fix autocompletion when expression is empty.
* [BUGFIX] TSDB: Fix deadlock from simultaneous GC and write.
* [CHANGE] TSDB: Delete *.tmp WAL files when Prometheus starts.
* [CHANGE] promtool: Add new flag --lint (enabled by default) for the commands check rules and check config, resulting in a new exit code (3) for linter errors.
* [CHANGE] UI: Classic UI removed.
* [CHANGE] Tracing: Migrate from Jaeger to OpenTelemetry based tracing.
* [CHANGE] PromQL: Promote negative offset and @ modifier to stable features.
* [CHANGE] Web: Promote remote-write-receiver to stable.
* [FEATURE] Nomad SD: New service discovery for Nomad built-in service discovery.
* [FEATURE] Add lowercase and uppercase relabel action.
* [FEATURE] SD: Add IONOS Cloud integration.
* [FEATURE] SD: Add Vultr integration.
* [FEATURE] SD: Add Linode SD failure count metric.
* [FEATURE] Add prometheus_ready metric.
* [FEATURE] Support for automatically setting the variable GOMAXPROCS to the container CPU limit. Enable with the flag `--enable-feature=auto-gomaxprocs`.
* [FEATURE] PromQL: Extend statistics with total and peak number of samples in a query. Additionally, per-step statistics are available by enabling the flag `--enable-feature=promql-per-step-stats` and using stats=all in the query API.
* [FEATURE] Config: Add stripPort template function.
* [FEATURE] Promtool: Add cardinality analysis to check metrics, enabled by flag --extended.
* [FEATURE] SD: Enable target discovery in own K8s namespace.
* [FEATURE] SD: Add provider ID label in K8s SD.
* [FEATURE] Web: Add limit field to the rules API.
* [ENHANCEMENT] Kubernetes SD: Allow attaching node labels for endpoint role.
* [ENHANCEMENT] PromQL: Optimise creation of signature with/without labels.
* [ENHANCEMENT] TSDB: Memory optimizations.
* [ENHANCEMENT] TSDB: Reduce sleep time when reading WAL.
* [ENHANCEMENT] OAuth2: Add appropriate timeouts and User-Agent header.
* [ENHANCEMENT] Add stripDomain to template function.
* [ENHANCEMENT] UI: Enable active search through dropped targets.
* [ENHANCEMENT] promtool: support matchers when querying label
* [ENHANCEMENT] Add agent mode identifier.
* [ENHANCEMENT] TSDB: more efficient sorting of postings read from WAL at startup.
* [ENHANCEMENT] Azure SD: Add metric to track Azure SD failures.
* [ENHANCEMENT] Azure SD: Add an optional resource_group configuration.
* [ENHANCEMENT] Kubernetes SD: Support discovery.k8s.io/v1 EndpointSlice (previously only discovery.k8s.io/v1beta1 EndpointSlice was supported).
* [ENHANCEMENT] Kubernetes SD: Allow attaching node metadata to discovered pods.
* [ENHANCEMENT] OAuth2: Support for using a proxy URL to fetch OAuth2 tokens.
* [ENHANCEMENT] Configuration: Add the ability to disable HTTP2.
* [ENHANCEMENT] Config: Support overriding minimum TLS version.
* [ENHANCEMENT] TSDB: Disable the chunk write queue by default and allow configuration with the experimental flag `--storage.tsdb.head-chunks-write-queue-size`.
* [ENHANCEMENT] HTTP SD: Add a failure counter.
* [ENHANCEMENT] Azure SD: Set Prometheus User-Agent on requests.
* [ENHANCEMENT] Uyuni SD: Reduce the number of logins to Uyuni.
* [ENHANCEMENT] Scrape: Log when an invalid media type is encountered during a scrape.
* [ENHANCEMENT] Scrape: Accept application/openmetrics-text;version=1.0.0 in addition to version=0.0.1.
* [ENHANCEMENT] Remote-read: Add an option to not use external labels as selectors for remote read.
* [ENHANCEMENT] UI: Optimize the alerts page and add a search bar.
* [ENHANCEMENT] UI: Improve graph colors that were hard to see.
* [ENHANCEMENT] Config: Allow escaping of $ with $$ when using environment variables with external labels.
* [ENHANCEMENT] Remote-write: Avoid allocations by buffering concrete structs instead of interfaces.
* [ENHANCEMENT] Remote-write: Log time series details for out-of-order samples in remote write receiver.
* [ENHANCEMENT] Remote-write: Shard up more when backlogged.
* [ENHANCEMENT] TSDB: Use simpler map key to improve exemplar ingest performance.
* [ENHANCEMENT] TSDB: Avoid allocations when popping from the intersected postings heap.
* [ENHANCEMENT] TSDB: Make chunk writing non-blocking, avoiding latency spikes in remote-write.
* [ENHANCEMENT] TSDB: Improve label matching performance.
* [ENHANCEMENT] UI: Optimize the service discovery page and add a search bar.
* [ENHANCEMENT] UI: Optimize the target page and add a search bar.

golang-github-prometheus-promu:

- Non-security bug fixes and changes in this version update to 0.14.0 (jsc#PED-3576):
* [BUGFIX] Set build date from last changelog modification (bsc#1047218)
* [BUGFIX] Validate environment variable value
* [BUGFIX] Set build date from SOURCE_DATE_EPOCH
* [BUGFIX] Make extldflags extensible by configuration.
* [BUGFIX] Avoid bind-mounting to allow building with a remote docker engine
* [BUGFIX] Fix build on SmartOS by not setting gcc's -static flag
* [BUGFIX] Fix git repository url parsing
* [CHANGE] Remove ioutil
* [CHANGE] Update common Prometheus files
* [FEATURE] Add the ability to override tags per GOOS
* [FEATURE] Adding changes to support s390x
* [FEATURE] Added check_licenses Command to Promu
* [ENHANCEMENT] Allow to customize nested options via env variables
* [ENHANCEMENT] Add warning if promu info is unable to determine repo info

Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.
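Because the plugin only compares self-reported package versions, the same check can be reproduced by hand on a SLES12 host before and after applying the patch. The script below is an added example, not code from Tenable or SUSE: it parses the output of `rpm -q --qf '%{NAME} %{VERSION}-%{RELEASE}\n' <packages>` with a simplified rpmvercmp and flags packages whose upstream version is below the one the advisory names (node_exporter 1.5.0, prometheus 2.37.6, promu 0.14.0). The advisory text gives no fixed version for alertmanager, blackbox_exporter and postgres_exporter, so those are reported as needing a `zypper patch-info` check rather than guessed. The `SAMPLE` block is constructed, not captured from a real system, and the SUSE release tags in it are invented.

```python
"""Check installed SUSE Manager client-tools packages against the fixed
versions named in SUSE-SU-2023:2183-1 (added example, not Tenable/SUSE code)."""
import re
import subprocess

# Upstream versions named in the advisory description. The SUSE release tag is
# not given there, so only %{VERSION} is compared.
FIXED = {
    "golang-github-prometheus-node_exporter": "1.5.0",
    "golang-github-prometheus-prometheus": "2.37.6",
    "golang-github-prometheus-promu": "0.14.0",
}
# Packages the advisory fixes without naming the fixed version.
UNVERSIONED = {
    "golang-github-prometheus-alertmanager",
    "prometheus-blackbox_exporter",
    "prometheus-postgres_exporter",
}

_SEG = re.compile(r"[0-9]+|[a-zA-Z]+")


def rpmvercmp(a: str, b: str) -> int:
    """Simplified rpmvercmp (no '~' handling): split both strings into
    numeric/alpha segments; numbers compare as integers, letters lexically,
    a numeric segment beats an alpha one, and on a tie the string with
    segments left over wins. Returns -1, 0 or 1."""
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        xd, yd = x.isdigit(), y.isdigit()
        if xd and yd:
            if int(x) != int(y):
                return 1 if int(x) > int(y) else -1
        elif xd != yd:
            return 1 if xd else -1
        elif x != y:
            return 1 if x > y else -1
    if len(sa) != len(sb):
        return 1 if len(sa) > len(sb) else -1
    return 0


def parse_rpm_query(output: str) -> dict:
    """Map package name -> 'VERSION-RELEASE' from 'rpm -q --qf' output.
    rpm prints 'package X is not installed' for missing packages; skip those."""
    installed = {}
    for line in output.splitlines():
        line = line.strip()
        if not line or line.endswith("is not installed"):
            continue
        name, verrel = line.split(None, 1)
        installed[name] = verrel
    return installed


def assess(installed: dict) -> dict:
    """Return {package: status}; status is 'vulnerable', 'fixed',
    'verify-with-zypper' or 'not-installed'."""
    result = {}
    for pkg, fixed in FIXED.items():
        if pkg not in installed:
            result[pkg] = "not-installed"
            continue
        version = installed[pkg].split("-", 1)[0]  # drop the SUSE release tag
        result[pkg] = "fixed" if rpmvercmp(version, fixed) >= 0 else "vulnerable"
    for pkg in UNVERSIONED:
        result[pkg] = "verify-with-zypper" if pkg in installed else "not-installed"
    return result


def query_host(packages=tuple(FIXED) + tuple(sorted(UNVERSIONED))) -> str:
    """Query the local rpm database (only meaningful on the SLES12 host)."""
    return subprocess.run(
        ["rpm", "-q", "--qf", "%{NAME} %{VERSION}-%{RELEASE}\n", *packages],
        capture_output=True, text=True).stdout


# Constructed sample of 'rpm -q --qf' output; NOT captured from a real host.
SAMPLE = """\
golang-github-prometheus-node_exporter 1.3.0-1.17.1
golang-github-prometheus-prometheus 2.37.6-150000.3.33.1
package golang-github-prometheus-promu is not installed
golang-github-prometheus-alertmanager 0.23.0-150000.1.9.1
package prometheus-blackbox_exporter is not installed
package prometheus-postgres_exporter is not installed
"""

if __name__ == "__main__":
    # Replace SAMPLE with query_host() to check the local machine.
    for pkg, status in sorted(assess(parse_rpm_query(SAMPLE)).items()):
        print(f"{status:20} {pkg}")
```

The comparison deliberately ignores the release tag, since the advisory only names upstream versions; on a real host `zypper patch-info SUSE-SU-2023:2183-1` (or `zypper lp`) is the authoritative check for the whole advisory, including the three packages whose fixed versions the description does not state.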

Solution

Update the affected golang-github-prometheus-node_exporter package.

See Also

https://bugzilla.suse.com/1047218

https://bugzilla.suse.com/1197284

https://bugzilla.suse.com/1203185

https://bugzilla.suse.com/1203599

https://bugzilla.suse.com/1204023

https://bugzilla.suse.com/1208049

https://bugzilla.suse.com/1208051

https://bugzilla.suse.com/1208060

https://bugzilla.suse.com/1208062

https://bugzilla.suse.com/1208064

https://bugzilla.suse.com/1208965

https://bugzilla.suse.com/1209113

https://lists.suse.com/pipermail/sle-updates/2023-May/029370.html

https://www.suse.com/security/cve/CVE-2022-27191

https://www.suse.com/security/cve/CVE-2022-27664

https://www.suse.com/security/cve/CVE-2022-41715

https://www.suse.com/security/cve/CVE-2022-46146

Plugin Details

Severity: High

ID: 175416

File Name: suse_SU-2023-2183-1.nasl

Version: 1.3

Type: Local

Agent: unix

Published: 5/12/2023

Updated: 6/25/2026

Supported Sensors: Frictionless Assessment AWS, Frictionless Assessment Azure, Frictionless Assessment Agent, Nessus Agent, Agentless Assessment, Continuous Assessment, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: Medium

Base Score: 4.3

Temporal Score: 3.4

Vector: CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:P

CVSS Score Source: CVE-2022-27191

CVSS v3

Risk Factor: High

Base Score: 8.8

Temporal Score: 7.9

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

CVSS Score Source: CVE-2022-46146

Vulnerability Information

CPE: cpe:/o:novell:suse_linux:12, p-cpe:/a:novell:suse_linux:golang-github-prometheus-node_exporter

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/SuSE/release, Host/SuSE/rpm-list

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 5/11/2023

Vulnerability Publication Date: 3/18/2022

Reference Information

CVE: CVE-2022-27191, CVE-2022-27664, CVE-2022-41715, CVE-2022-46146

SuSE: SUSE-SU-2023:2183-1