SUSE SLES15: POS_Image-Graphical7 / POS_Image-JeOS7 / ansible / ansible-doc / etc (SUSE-SU-2024:1509-1)

critical Nessus Plugin ID 195097

Language:

Synopsis

The remote SUSE host is missing one or more security updates.

Description

The remote SUSE Linux SLES15 / openSUSE 15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2024:1509-1 advisory.

POS_Image-Graphical7 was updated to version 0.1.1710765237.46af599:

- Version 0.1.1710765237.46af599

* Moved image services to dracut-saltboot package
* Use salt bundle

- Version 0.1.1645440615.7f1328c

* Removed deprecated kiwi functions

POS_Image-JeOS7 was updated to version 0.1.1710765237.46af599:

- Version 0.1.1710765237.46af599

* Moved image services to dracut-saltboot package
* Use salt bundle

- Version 0.1.1645440615.7f1328c

* Removed deprecated kiwi functions

ansible received the following fixes:

- Security issues fixed:

* CVE-2023-5764: Address issues where internal templating can cause unsafe variables to lose their unsafe designation (bsc#1216854)

- Breaking changes:
assert - Nested templating may result in an inability for the conditional to be evaluated. See the porting guide for more information.

* CVE-2024-0690: Address issue where ANSIBLE_NO_LOG was ignored (bsc#1219002)
* CVE-2020-14365: Ensure that packages are GPG validated (bsc#1175993)
* CVE-2020-10744: Fixed insecure temporary directory creation (bsc#1171823)
* CVE-2018-10874: Fixed inventory variables loading from current working directory when running ad-hoc command that can lead to code execution (bsc#1099805)

- Bugs fixed:

* Don't Require python-coverage, it is needed only for testing (bsc#1177948)

dracut-saltboot was updated to version 0.1.1710765237.46af599:

- Version 0.1.1710765237.46af599

* Load only first available leaseinfo (bsc#1221092)

- Version 0.1.1681904360.84ef141

grafana was updated to version 9.5.18:

- Grafana now requires Go 1.20
- Security issues fixed:

* CVE-2024-1313: Require same organisation when deleting snapshots (bsc#1222155)
* CVE-2023-6152: Add email verification when updating user email (bsc#1219912)

- Other non-security related changes:

* Version 9.5.17:

- [FEATURE] Alerting: Backport use Alertmanager API v2

* Version 9.5.16:

- [BUGFIX] Annotations: Split cleanup into separate queries and deletes to avoid deadlocks on MySQL

* Version 9.5.15:

- [FEATURE] Alerting: Attempt to retry retryable errors

* Version 9.5.14:

- [BUGFIX] Alerting: Fix state manager to not keep datasource_uid and ref_id labels in state after Error
- [BUGFIX] Transformations: Config overrides being lost when config from query transform is applied
- [BUGFIX] LDAP: Fix enable users on successfull login

* Version 9.5.13:

- [BUGFIX] BrowseDashboards: Only remember the most recent expanded folder
- [BUGFIX] Licensing: Pass func to update env variables when starting plugin

* Version 9.5.12:

- [FEATURE] Azure: Add support for Workload Identity authentication

* Version 9.5.9:

- [FEATURE] SSE: Fix DSNode to not panic when response has empty response
- [FEATURE] Prometheus: Handle the response with different field key order
- [BUGFIX] LDAP: Fix user disabling

mgr-daemon was updated to version 4.3.9-0:

- Version 4.3.9-0

* Update translation strings

spacecmd was updated to version 4.3.27-0:

- Version 4.3.27-0

* Update translation strings

spacewalk-client-tools was updated to version 4.3.19-0:

- Version 4.3.19-0

* Update translation strings

spacewalk-koan was updated to version version 4.3.6-0:

- Version 4.3.6-0

* Change Docker image location for test

uyuni-common-libs was updated to version 4.3.10-0:

- Version 4.3.10-0

* Add support for package signature type V4 RSA/SHA384
* Add support for package signature type V4 RSA/SHA512 (bsc#1221465)

uyuni-proxy-systemd-services was updated to version 4.3.12-0:

- Version 4.3.12-0

* Update to SUSE Manager 4.3.12

Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Update the affected packages.

See Also

https://bugzilla.suse.com/1008037

https://bugzilla.suse.com/1008038

https://bugzilla.suse.com/1010940

https://bugzilla.suse.com/1019021

https://bugzilla.suse.com/1038785

https://bugzilla.suse.com/1059235

https://bugzilla.suse.com/1099805

https://bugzilla.suse.com/1166389

https://bugzilla.suse.com/1171823

https://bugzilla.suse.com/1174145

https://bugzilla.suse.com/1174302

https://bugzilla.suse.com/1175993

https://bugzilla.suse.com/1177948

https://bugzilla.suse.com/1216854

https://bugzilla.suse.com/1219002

https://bugzilla.suse.com/1219912

https://bugzilla.suse.com/1221092

https://bugzilla.suse.com/1221465

https://bugzilla.suse.com/1222155

https://lists.suse.com/pipermail/sle-updates/2024-May/035168.html

https://www.suse.com/security/cve/CVE-2016-8614

https://www.suse.com/security/cve/CVE-2016-8628

https://www.suse.com/security/cve/CVE-2016-8647

https://www.suse.com/security/cve/CVE-2016-9587

https://www.suse.com/security/cve/CVE-2017-7550

https://www.suse.com/security/cve/CVE-2018-10874

https://www.suse.com/security/cve/CVE-2020-10744

https://www.suse.com/security/cve/CVE-2020-14330

https://www.suse.com/security/cve/CVE-2020-14332

https://www.suse.com/security/cve/CVE-2020-14365

https://www.suse.com/security/cve/CVE-2020-1753

https://www.suse.com/security/cve/CVE-2023-5764

https://www.suse.com/security/cve/CVE-2023-6152

https://www.suse.com/security/cve/CVE-2024-0690

https://www.suse.com/security/cve/CVE-2024-1313

Plugin Details

Severity: Critical

ID: 195097

File Name: suse_SU-2024-1509-1.nasl

Version: 1.2

Type: Local

Agent: unix

Published: 5/7/2024

Updated: 6/26/2026

Supported Sensors: Agentless Assessment, Continuous Assessment, Frictionless Assessment Agent, Frictionless Assessment AWS, Frictionless Assessment Azure, Nessus Agent, Tenable Cloud Security, Tenable Self-Hosted Container Security, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.9

Percentile: 96.99

CVSS v2

Risk Factor: High

Base Score: 9.3

Temporal Score: 7.3

Vector: CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2016-9587

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 8.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

CVSS Score Source: CVE-2017-7550

CVSS v4

Risk Factor: Critical

Base Score: 9.4

Threat Score: 8.5

Threat Vector: CVSS:4.0/E:P

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

CVSS Score Source: CVE-2016-8628

Vulnerability Information

CPE: cpe:/o:novell:suse_linux:15, p-cpe:/a:novell:suse_linux:ansible, p-cpe:/a:novell:suse_linux:ansible-doc, p-cpe:/a:novell:suse_linux:golang-github-prometheus-promu, p-cpe:/a:novell:suse_linux:uyuni-proxy-systemd-services

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/SuSE/release, Host/SuSE/rpm-list

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 5/6/2024

Vulnerability Publication Date: 11/1/2016

Reference Information

CVE: CVE-2016-8614, CVE-2016-8628, CVE-2016-8647, CVE-2016-9587, CVE-2017-7550, CVE-2018-10874, CVE-2020-10744, CVE-2020-14330, CVE-2020-14332, CVE-2020-14365, CVE-2020-1753, CVE-2023-5764, CVE-2023-6152, CVE-2024-0690, CVE-2024-1313

IAVA: 2024-A-0126-S

IAVB: 2020-B-0016-S, 2020-B-0073-S

SuSE: SUSE-SU-2024:1509-1