SUSE SLES15: hub-xmlrpc-api / inter-server-sync / locale-formula / etc (SUSE-SU-2022:3878-1)

medium Nessus Plugin ID 177784

Synopsis

The remote SUSE host is missing one or more security updates.

Description

The remote SUSE Linux SLES15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2022:3878-1 advisory.

hub-xmlrpc-api:

- Use golang(API) = 1.18 for building on SUSE (bsc#1203599). This source fails to build with the current go1.19 on SUSE and we need to use go1.18 instead.

inter-server-sync:

- Version 0.2.4
* Improve memory usage and log information #17193
* Conditional insert check for FK reference exists (bsc#1202785)
* Correct navigation path for table rhnerratafilechannel (bsc#1202785)

locale-formula:

- Update to version 0.3
* Remove .map.gz from kb_map dictionary (bsc#1203406)

py27-compat-salt:

- Fix state.apply in test mode with file state module on user/group checking (bsc#1202167)
- Make zypperpkg retry if RPM lock is temporarily unavailable (bsc#1200596)

python-urlgrabber:

- Fix wrong logic on find_proxy method causing proxy not being used (bsc#1201788)

spacecmd:

- Version 4.2.20-1
* Remove 'Undefined return code' from debug messages (bsc#1203283)

spacewalk-backend:

- Version 4.2.25-1
* Enhance passwords cleanup and add extra files in spacewalk-debug (bsc#1201059)
* Prevent mixing credentials for proxy and repository server while using basic authentication and avoid hiding errors i.e. timeouts while having proxy settings issues with extra logging in verbose mode (bsc#1201788)

spacewalk-client-tools:

- Version 4.2.21-1
* Update translation strings

spacewalk-java:

- Version 4.2.43-1
* CVE-2022-31255: Fix directory path traversal vulnerability (bsc#1204543)
* CVE-2022-43754: Fix reflected cross site scripting vulnerability (bsc#1204741)
* CVE-2022-43753: Fix arbitrary file disclosure vulnerability (bsc#1204716)
- Version 4.2.42-1
* Properly pass allow vendor change to salt state (bsc#1204203)
* add ongres requirements to spec file (bsc#1203898)
* Refresh pillar data (bsc#1197724)
* Fix hardware update where there is no DNS FQDN changes (bsc#1203611)
* Use mgrnet.dns_fqdns module to improve FQDN detection (bsc#1199726)
* Support Pay-as-you-go new CA location for SLES15SP4 and higher (bsc#1202729)
* Detect the clients running on Amazon EC2 (bsc#1195624)

spacewalk-utils:

- Version 4.2.18-1
* Make spacewalk-hostname-rename work with settings.yaml cobbler config file (bsc#1203564)

spacewalk-web:

- Version 4.2.30-1
* Upgrade moment-timezone

susemanager:

- Version 4.2.38-1
* add venv-salt-minion to bootstrap repo (bsc#1204146)

susemanager-doc-indexes:

- Documented that only SUSE clients are supported as monitoring servers in the Administration Guide
- Fixed description of default notification settings (bsc#1203422)
- Added missing Debian 11 references
- Removed references to Debian 9, as it is EoL, and therefore unsupported by SUSE Manager
- Document Helm deployment of the proxy on k3s and MetalLB in Installation and Upgrade Guide
- Added secure mail communication settings in Administration Guide
- Fixed the incorrect path to state and pillar files in Salt Guide
- Documented how pxeboot works with Secure Boot enabled in Client Configuration Guide
- Added SLE Micro 5.2 and 5.3 as available as a technology preview in the Client Configuration Guide, and the IBM Z architecture for 5.1, 5.2, and 5.3

susemanager-docs_en:

- Documented that only SUSE clients are supported as monitoring servers in the Administration Guide
- Fixed description of default notification settings (bsc#1203422)
- Added missing Debian 11 references
- Removed references to Debian 9, as it is EoL, and therefore unsupported by SUSE Manager
- Document Helm deployment of the proxy on k3s and MetalLB in Installation and Upgrade Guide
- Added secure mail communication settings in Administration Guide
- Fixed the incorrect path to state and pillar files in Salt Guide
- Documented how pxeboot works with Secure Boot enabled in Client Configuration Guide
- Added SLE Micro 5.2 and 5.3 as available as a technology preview in the Client Configuration Guide, and the IBM Z architecture for 5.1, 5.2, and 5.3

susemanager-schema:

- Version 4.2.25-1
* Add subtypes for Amazon EC2 virtual instances (bsc#1195624)

susemanager-sls:

- Version 4.2.28-1
* Fix mgrnet availability check
* Remove dependence on Kiwi libraries
* Use mgrnet.dns_fqdns module to improve FQDN detection (bsc#1199726)
* Add mgrnet salt module with mgrnet.dns_fqnd function implementation allowing to get all possible FQDNs from DNS (bsc#1199726)

How to apply this update:

1. Log in as root user to the SUSE Manager server.
2. Stop the Spacewalk service:
`spacewalk-service stop`
3. Apply the patch using either zypper patch or YaST Online Update.
4. Start the Spacewalk service:
`spacewalk-service start`

Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Update the affected packages.

See Also

https://bugzilla.suse.com/1195624

https://bugzilla.suse.com/1197724

https://bugzilla.suse.com/1199726

https://bugzilla.suse.com/1200596

https://bugzilla.suse.com/1201059

https://bugzilla.suse.com/1201788

https://bugzilla.suse.com/1202167

https://bugzilla.suse.com/1202729

https://bugzilla.suse.com/1202785

https://bugzilla.suse.com/1203283

https://bugzilla.suse.com/1203406

https://bugzilla.suse.com/1203422

https://bugzilla.suse.com/1203564

https://bugzilla.suse.com/1203599

https://bugzilla.suse.com/1203611

https://bugzilla.suse.com/1203898

https://bugzilla.suse.com/1204146

https://bugzilla.suse.com/1204203

https://bugzilla.suse.com/1204543

https://bugzilla.suse.com/1204716

https://bugzilla.suse.com/1204741

https://www.suse.com/security/cve/CVE-2022-31255

https://www.suse.com/security/cve/CVE-2022-43753

https://www.suse.com/security/cve/CVE-2022-43754

http://www.nessus.org/u?ab844c47

Plugin Details

Severity: Medium

ID: 177784

File Name: suse_SU-2022-3878-1.nasl

Version: 1.3

Type: Local

Agent: unix

Published: 6/29/2023

Updated: 6/25/2026

Supported Sensors: Frictionless Assessment AWS, Frictionless Assessment Azure, Frictionless Assessment Agent, Nessus Agent, Agentless Assessment, Continuous Assessment, Nessus

Risk Information

VPR

Risk Factor: Low

Score: 3.0

CVSS v2

Risk Factor: Medium

Base Score: 5.5

Temporal Score: 4.3

Vector: CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:N

CVSS Score Source: CVE-2022-43754

CVSS v3

Risk Factor: Medium

Base Score: 5.4

Temporal Score: 4.9

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:novell:suse_linux:susemanager-sls, p-cpe:/a:novell:suse_linux:spacewalk-base-minimal-config, p-cpe:/a:novell:suse_linux:spacewalk-base-minimal, p-cpe:/a:novell:suse_linux:spacewalk-utils-extras, p-cpe:/a:novell:suse_linux:spacewalk-backend-iss-export, p-cpe:/a:novell:suse_linux:spacewalk-java-postgresql, p-cpe:/a:novell:suse_linux:py27-compat-salt, p-cpe:/a:novell:suse_linux:python3-spacewalk-client-tools, p-cpe:/a:novell:suse_linux:spacewalk-html, p-cpe:/a:novell:suse_linux:spacewalk-java-config, p-cpe:/a:novell:suse_linux:spacecmd, p-cpe:/a:novell:suse_linux:spacewalk-backend-app, p-cpe:/a:novell:suse_linux:inter-server-sync, p-cpe:/a:novell:suse_linux:susemanager-schema, p-cpe:/a:novell:suse_linux:spacewalk-backend-tools, p-cpe:/a:novell:suse_linux:susemanager-docs_en, p-cpe:/a:novell:suse_linux:spacewalk-backend-config-files, p-cpe:/a:novell:suse_linux:spacewalk-backend-xml-export-libs, p-cpe:/a:novell:suse_linux:spacewalk-base, p-cpe:/a:novell:suse_linux:locale-formula, p-cpe:/a:novell:suse_linux:susemanager-doc-indexes, p-cpe:/a:novell:suse_linux:susemanager-tools, p-cpe:/a:novell:suse_linux:python3-urlgrabber, p-cpe:/a:novell:suse_linux:hub-xmlrpc-api, p-cpe:/a:novell:suse_linux:spacewalk-backend-iss, p-cpe:/a:novell:suse_linux:spacewalk-utils, p-cpe:/a:novell:suse_linux:spacewalk-backend-config-files-tool, p-cpe:/a:novell:suse_linux:spacewalk-backend-sql, p-cpe:/a:novell:suse_linux:spacewalk-java-lib, p-cpe:/a:novell:suse_linux:susemanager, p-cpe:/a:novell:suse_linux:spacewalk-backend-package-push-server, p-cpe:/a:novell:suse_linux:spacewalk-backend-sql-postgresql, p-cpe:/a:novell:suse_linux:spacewalk-backend-applet, p-cpe:/a:novell:suse_linux:spacewalk-backend-server, p-cpe:/a:novell:suse_linux:susemanager-docs_en-pdf, cpe:/o:novell:suse_linux:15, p-cpe:/a:novell:suse_linux:uyuni-config-modules, p-cpe:/a:novell:suse_linux:spacewalk-backend-xmlrpc, p-cpe:/a:novell:suse_linux:spacewalk-taskomatic, p-cpe:/a:novell:suse_linux:spacewalk-backend, p-cpe:/a:novell:suse_linux:spacewalk-backend-config-files-common, p-cpe:/a:novell:suse_linux:spacewalk-client-tools, p-cpe:/a:novell:suse_linux:spacewalk-java

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/SuSE/release, Host/SuSE/rpm-list

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 11/4/2022

Vulnerability Publication Date: 11/10/2022

Reference Information

CVE: CVE-2022-31255, CVE-2022-43753, CVE-2022-43754

SuSE: SUSE-SU-2022:3878-1