SUSE SLES15: cobbler / image-sync-formula / inter-server-sync / jose4j / etc (SUSE-SU-2024:1507-1)

medium Nessus Plugin ID 195104

Synopsis

The remote SUSE host is missing a security update.

Description

The remote SUSE Linux SLES15 host has packages installed that are affected by a vulnerability as referenced in the SUSE-SU-2024:1507-1 advisory.

cobbler:

- Provide option to use pre-built GRUB bootloader
- Prevent parallel executions of cobbler sync actions (bsc#1218764)

image-sync-formula:

- Update to version 0.1.1711646883.4a44375
* Add missing URL tag
* Update license to SPDX syntax

inter-server-sync:

- Version 0.3.3-1
* Correct primary key export for table suseproductsccrepository (bsc#1220169)

jose4j:

- CVE-2023-51775: Fix denial of service (CPU consumption) via a large p2c (aka PBES2 Count) value (bsc#1220726)
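
The CVE above is a cost-amplification bug: the p2c header of a PBES2-encrypted JWE tells the recipient how many PBKDF2 iterations to run before it can even verify the token, so an unauthenticated sender controls the CPU spent on its input. The pre-check below, an added example rather than jose4j code, parses only the protected header and rejects out-of-range p2c values before any key derivation runs; the JWE inputs are constructed in the block and MIN_P2C / MAX_P2C are assumed policy values, not library defaults. It also times PBKDF2 at two iteration counts so the linear cost is visible.

```python
"""Pre-check the protected header of a compact JWE before a JOSE library
derives a key from it, rejecting PBES2 iteration counts (p2c) large enough
to turn PBKDF2 into a CPU-exhaustion vector (the CVE-2023-51775 pattern).

Added example; this is not jose4j code. The JWE inputs are constructed
below, and MIN_P2C / MAX_P2C are assumed policy values, not library defaults.
"""
import base64
import hashlib
import json
import time
from typing import Tuple

PBES2_ALGS = {"PBES2-HS256+A128KW", "PBES2-HS384+A192KW", "PBES2-HS512+A256KW"}
MIN_P2C = 1000          # RFC 7518 s.4.8.1.2 recommends at least 1000 iterations
MAX_P2C = 1_000_000     # assumed ceiling; size it to your key-derivation budget


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def check_jwe_p2c(compact_jwe: str, max_p2c: int = MAX_P2C) -> Tuple[bool, str]:
    """Return (accept, reason). Only the protected header is parsed; no key
    derivation, unwrapping or decryption happens here, so the cost of this
    check does not depend on p2c at all."""
    parts = compact_jwe.split(".")
    if len(parts) != 5:
        return False, "not a compact JWE (expected 5 dot-separated parts)"
    try:
        header = json.loads(b64url_decode(parts[0]))
    except (ValueError, UnicodeDecodeError):
        return False, "protected header is not base64url-encoded JSON"
    if not isinstance(header, dict):
        return False, "protected header is not a JSON object"
    alg = header.get("alg")
    if alg not in PBES2_ALGS:
        return True, f"alg {alg!r} is not PBES2; p2c limit not applicable"
    p2c = header.get("p2c")
    # bool is a subclass of int in Python; do not let JSON `true` pass as 1
    if isinstance(p2c, bool) or not isinstance(p2c, int):
        return False, "p2c missing or not an integer"
    if p2c < MIN_P2C:
        return False, f"p2c={p2c} is below the minimum of {MIN_P2C}"
    if p2c > max_p2c:
        return False, f"p2c={p2c} exceeds the limit of {max_p2c}"
    return True, f"p2c={p2c} within bounds"


def header_only_jwe(alg: str, p2c) -> str:
    """Constructed test input: a compact JWE whose four remaining parts are
    empty. That is enough to exercise the header check (nothing is decrypted)."""
    header = {"alg": alg, "enc": "A128GCM",
              "p2s": b64url_encode(b"\x00" * 16), "p2c": p2c}
    return b64url_encode(json.dumps(header, separators=(",", ":")).encode()) + "...."


def pbkdf2_seconds(p2c: int) -> float:
    """Measure what the library would pay for a given p2c: PBKDF2-HMAC-SHA256
    cost is linear in the iteration count, which is the whole attack."""
    start = time.perf_counter()
    hashlib.pbkdf2_hmac("sha256", b"password", b"\x00" * 16, p2c, 16)
    return time.perf_counter() - start


if __name__ == "__main__":
    for alg, p2c in [("PBES2-HS256+A128KW", 4096),
                     ("PBES2-HS256+A128KW", 2**31 - 1),
                     ("PBES2-HS256+A128KW", "4096"),
                     ("A256KW", 2**31 - 1)]:
        print(alg, p2c, check_jwe_p2c(header_only_jwe(alg, p2c)))
    for n in (1_000, 100_000):
        print(f"PBKDF2 with p2c={n}: {pbkdf2_seconds(n):.4f}s")
```

Run the check in front of whatever JOSE library does the real decryption, and keep the limit on the recipient side: a patched jose4j caps p2c itself, but a gateway or older dependency in the same request path does not, and the header is attacker-controlled until the token is authenticated.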

smdba:

- Version 1.7.13
* postmaster no longer exists in PostgreSQL 16 and later (it was an alias for postgresql), so the postgresql command is used instead

spacecmd:

- Version 4.3.27-0
* Update translation strings

spacewalk-backend:

- Version 4.3.28-0
* Strip whitespace from .deb package metadata (bsc#1214387)
* Fix inserting NULL into some columns during ISSv1 sync (bsc#1220980)
* Add support for package signature type V4 RSA/SHA512 (bsc#1221465)
* Unquote HTML-encoded credentials before synchronizing repositories (bsc#1217204)

spacewalk-certs-tools:

- Version 4.3.23-0
* Fix liberty bootstrapping when zypper is installed (bsc#1222347)
* Apply reboot method changes for transactional systems in the bootstrap script

spacewalk-client-tools:

- Version 4.3.19-0
* Update translation strings

spacewalk-config:

- Version 4.3.13-0
* Be explicit about default Apache configs being overwritten on updates and point to making custom configs. (bsc#1219061)

spacewalk-java:

- Version 4.3.73-0
* New API endpoint for getRelevantErrata. It takes multiple servers as argument and it returns an array of maps representing the errata that can be applied to each system
- Version 4.3.72-0
* Use execution module call to detect client instance flavor (PAYG/BYOS) in public cloud (bsc#1218805)
* Update help text for the custom repo filter field (bsc#1217874)
* Fix issue where Salt cannot access autoinstallation files (bsc#1220221)
* Fix issue when checking for credential duplication (bsc#1218957)
* Fix matching epoch while creating Ubuntu errata
* When an action that belongs to an action chain is unscheduled, unschedule the action chain as well (bsc#1221784)
* Reschedule failed SSH actions caused by a connection error due to a scheduled reboot
* Fix removal of old IPv6 addresses (bsc#1214340)
* Do not automatically add child channels outside of selected base channel (bsc#1220101)
* Fix listProxies API call (bsc#1219233)
* Fix system.provisionSystem when called via HTTP API (bsc#1219875)
* Remove package sync not available message in Software > Packages > Profile since it is no longer available for supported clients (bsc#1221279)
* Fix login for read-only users when using HTTP API (bsc#1221111)
* Add one-shot action execution to recurring custom state create/edit
* Fix a typo in 'Deploy Files' page
* Drop system password as identifier on SCC system registration (bsc#1219634, bsc#1221182)
* Fix memory size extraction in virtual instances (bsc#1219634)
* Fix virtual systems filters (bsc#1208572)
* Update license to include the year 2024
* Add timeout for SMTP server connection (bsc#1218931)
* Commit Salt event removal in case of process failure (bsc#1218931)
* Users with API read only are only allowed to make GET requests
* Ignore retry suffix when getting recurring action id from schedule name
* Sort CLM project filters by filter name

spacewalk-web:

- Version 4.3.38-0
* Upgrade json5 to 2.2.3
* Upgrade semver to 7.6.0
* Add one-shot action execution to recurring custom state create/edit
* Fix virtual systems filters (bsc#1208572)
* Improve CLM Create New Filter button
* Bump the WebUI version to 4.3.12

subscription-matcher:

- Version 0.37
* add missing part number (bsc#1221922)
* Fix penalties logging by initializing the score director consistently
- Removed wrong apache-commons-lang dependency
- Version 0.36
* Fixed Log4j 2 initialization

supportutils-plugin-susemanager:

- Version 4.3.11-0
* Add Salt and Reposync connections to minimum required DB connections calculation

susemanager:

- Version 4.3.35-0
* Add bootstrap repository definition for openSUSE Leap 15.6
* Add bootstrap repository definition for SUSE Linux Enterprise 15 SP6

susemanager-docs_en:

- Removed Debian 10 from the list of supported clients
- Added new workflow describing updating of clients using recurring actions to Common Workflows
- Added documentation on adding a storage device for VMWare
- Documented registercloudguest tools for registering public cloud installation (BYOS) by adding a reference to the Public Cloud Guide
- Added information about requirements for the PostgreSQL database to the Installation and Upgrade Guide (bsc#1220376)
- Fixed the instructions for SSL Certificates (bsc#1219061)
- Remove package sync paragraph in package-management doc since it is not available for Salt clients and traditional clients are no longer supported (bsc#1221279)
- Fixed incorrect reference to SUSE Linux Enterprise Server 15 SP5 as base product for SUSE Manager 4.3, even in public cloud
- Updated VM based installation for 4.3 VM image with ignition or cloudinit in Installation and Upgrade Guide
- Added reference from Hub documentation to Inter-Server Synchronization in Large Deployment Guide
- Documented Virtualization Guest and Virtualization Host Formula
- Reformatted Supported Clients tables in Client Configuration Guide and Installation and Upgrade Guide
- Add documentation about SMTP timeout configuration
- Documented SSH key rotation in Salt Guide (bsc#1170848)
- Documented liberate formula in Salt Guide
- Fixed Prepare on-demand images section in Client Configuration
- Fixed a changed configuration parameter for salt-ssh
- Added Pay-as-you-go on the Cloud: FAQ document
- Updated max-connections tuning recommendation in Large Deployment
- Added troubleshooting instructions for setting up in public cloud (BYOS) to Administration Guide
- Added section about migrating Enterprise Linux (EL) clients to SUSE Liberty Linux to Client Configuration Guide
- Added detailed information about the messages produced by subscription matcher
- Added Pay-as-you-go as supported service on Azure to the Public Cloud Guide
- Added and fixed configuration details in Troubleshooting Renaming Server in Administration Guide

susemanager-schema:

- Version 4.3.25-0
* Add update-salt to internal state table

susemanager-sls:

- Version 4.3.41-0
* Use execution module call to detect client instance flavor (PAYG/BYOS) in public cloud (bsc#1218805)
* Do not log dnf needs-restarting output in Salt's log (bsc#1220194)
* Dynamically load an SELinux policy for 'Push via SSH tunnel' for SELinux enabled clients. This policy allows communication over a custom SSH port
* Fix reboot needed detection for SUSE systems
* Fix SUSE Liberty Linux bootstrapping when Zypper is installed (bsc#1222347)
* Distinguish between different SUSE versions when detecting if a reboot is needed (bsc#1220903, bsc#1221571)
* Improve updatestack update in uptodate state
* Add a standalone update-salt state
* Add pillar check to skip reboot_if_needed state
* Recognize .tar.xz and .ext4 image files (bsc#1216085)
* Avoid issues on reactivating traditional clients as Salt managed
* Fix the case of missing requisites on bootstrap (bsc#1220705)

susemanager-sync-data:

- Version 4.3.17-0
* AlmaLinux 9 PowerTools was renamed into CRB (bsc#1222110)

uyuni-common-libs:

- Version 4.3.10-0
* Add support for package signature type V4 RSA/SHA384
* Add support for package signature type V4 RSA/SHA512 (bsc#1221465)

uyuni-reportdb-schema:

- Version 4.3.10-0
* Provide reportdb upgrade schema path structure

How to apply this update:

1. Log in as root user to the SUSE Manager Server.
2. Stop the Spacewalk service:
`spacewalk-service stop`
3. Apply the patch using either zypper patch or YaST Online Update.
4. Start the Spacewalk service:
`spacewalk-service start`

Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.
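
Because the detection is a version-threshold comparison over the Host/SuSE/rpm-list KB item rather than a probe of the vulnerable code path, the same logic can be reproduced offline against an `rpm -qa` dump. The block below is an added example, not Tenable's plugin code: the rpm-list lines are constructed, the fixed versions are the version-release strings the changelog above lists (a real SUSE system reports fuller release strings, so treat FIXED as illustrative thresholds), and rpmvercmp is a simplified reimplementation of rpm's comparison rules.

```python
"""Version-threshold check of the kind this plugin performs: compare package
versions reported by the RPM database (the Host/SuSE/rpm-list KB item) against
the fixed versions in the advisory, without touching the vulnerable code path.

Added example; not Tenable's plugin. The rpm-list lines are constructed, and
the fixed versions are the version-release strings the changelog lists; a
real SUSE system reports fuller release strings, so FIXED is illustrative.
"""
import re
from typing import Dict, Iterable, Tuple

# Fixed version-release per package, as listed in the SUSE-SU-2024:1507-1 changelog.
FIXED = {
    "spacewalk-java": "4.3.73-0",
    "spacewalk-backend": "4.3.28-0",
    "spacewalk-web": "4.3.38-0",
    "susemanager-sls": "4.3.41-0",
    "inter-server-sync": "0.3.3-1",
}

# `rpm -qa` style lines, name-version-release.arch (constructed sample data).
RPM_LIST = """\
spacewalk-java-4.3.72-0.noarch
spacewalk-backend-4.3.28-0.noarch
spacewalk-web-4.3.38-0.noarch
susemanager-sls-4.3.41-0.noarch
inter-server-sync-0.3.2-1.x86_64
bash-4.4-150400.25.22.x86_64
"""

_NEVRA = re.compile(r"^(?P<name>.+)-(?P<ver>[^-]+)-(?P<rel>[^-]+)\.(?P<arch>[^.]+)$")
_TOKEN = re.compile(r"\d+|[A-Za-z]+|~")


def rpmvercmp(a: str, b: str) -> int:
    """Simplified rpm version comparison: numeric segments compare numerically,
    alphabetic ones lexically, numeric beats alphabetic, and '~' sorts before
    anything (pre-releases). rpm's '^' rule is omitted."""
    sa, sb = _TOKEN.findall(a), _TOKEN.findall(b)
    for x, y in zip(sa, sb):
        if x == y:
            continue
        if x == "~" or y == "~":
            return -1 if x == "~" else 1
        xd, yd = x.isdigit(), y.isdigit()
        if xd and yd:
            return (int(x) > int(y)) - (int(x) < int(y))
        if xd != yd:
            return 1 if xd else -1
        return (x > y) - (x < y)
    # shared prefix equal: a trailing '~' segment makes the longer side older
    if len(sa) != len(sb):
        longer, sign = (sa, 1) if len(sa) > len(sb) else (sb, -1)
        return -sign if longer[min(len(sa), len(sb))] == "~" else sign
    return 0


def evr_cmp(installed: str, fixed: str) -> int:
    """Compare 'version-release' strings the way rpm does: version first, then
    release. Epochs are not shown by `rpm -qa` and are ignored here."""
    iv, _, ir = installed.partition("-")
    fv, _, fr = fixed.partition("-")
    c = rpmvercmp(iv, fv)
    return c if c else rpmvercmp(ir, fr)


def parse_rpm_list(lines: Iterable[str]) -> Dict[str, str]:
    """Map package name -> 'version-release' from rpm -qa style lines."""
    installed = {}
    for line in lines:
        m = _NEVRA.match(line.strip())
        if m:
            installed[m["name"]] = f"{m['ver']}-{m['rel']}"
    return installed


def missing_patches(lines: Iterable[str],
                    fixed: Dict[str, str] = FIXED) -> Dict[str, Tuple[str, str]]:
    """Packages whose installed version-release is older than the fixed one."""
    installed = parse_rpm_list(lines)
    return {name: (installed[name], fixed[name])
            for name in fixed
            if name in installed and evr_cmp(installed[name], fixed[name]) < 0}


if __name__ == "__main__":
    for name, (have, want) in sorted(missing_patches(RPM_LIST.splitlines()).items()):
        print(f"{name}: installed {have} < fixed {want}")
```

The limitation the note above describes is visible in the code: a package that was rebuilt or backported without bumping its version string is reported as vulnerable, and one whose version was bumped without the fix is reported as clean, because nothing here exercises jose4j's PBES2 handling.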

Solution

Update the affected packages.

See Also

https://bugzilla.suse.com/1170848

https://bugzilla.suse.com/1208572

https://bugzilla.suse.com/1214340

https://bugzilla.suse.com/1214387

https://bugzilla.suse.com/1216085

https://bugzilla.suse.com/1217204

https://bugzilla.suse.com/1217874

https://bugzilla.suse.com/1218764

https://bugzilla.suse.com/1218805

https://bugzilla.suse.com/1218931

https://bugzilla.suse.com/1218957

https://bugzilla.suse.com/1219061

https://bugzilla.suse.com/1219233

https://bugzilla.suse.com/1219634

https://bugzilla.suse.com/1219875

https://bugzilla.suse.com/1220101

https://bugzilla.suse.com/1220169

https://bugzilla.suse.com/1220194

https://bugzilla.suse.com/1220221

https://bugzilla.suse.com/1220376

https://bugzilla.suse.com/1220705

https://bugzilla.suse.com/1220726

https://bugzilla.suse.com/1220903

https://bugzilla.suse.com/1220980

https://bugzilla.suse.com/1221111

https://bugzilla.suse.com/1221182

https://bugzilla.suse.com/1221279

https://bugzilla.suse.com/1221465

https://bugzilla.suse.com/1221571

https://bugzilla.suse.com/1221784

https://bugzilla.suse.com/1221922

https://bugzilla.suse.com/1222110

https://bugzilla.suse.com/1222347

https://lists.suse.com/pipermail/sle-updates/2024-May/035170.html

https://www.suse.com/security/cve/CVE-2023-51775

Plugin Details

Severity: Medium

ID: 195104

File Name: suse_SU-2024-1507-1.nasl

Version: 1.3

Type: Local

Agent: unix

Published: 5/7/2024

Updated: 6/26/2026

Supported Sensors: Frictionless Assessment AWS, Frictionless Assessment Azure, Frictionless Assessment Agent, Nessus Agent, Agentless Assessment, Continuous Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 4.4

CVSS v2

Risk Factor: High

Base Score: 7.8

Temporal Score: 6.1

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C

CVSS Score Source: CVE-2023-51775

CVSS v3

Risk Factor: Medium

Base Score: 6.5

Temporal Score: 5.9

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:novell:suse_linux:susemanager-sls, p-cpe:/a:novell:suse_linux:spacewalk-base-minimal-config, p-cpe:/a:novell:suse_linux:subscription-matcher, p-cpe:/a:novell:suse_linux:python3-spacewalk-certs-tools, p-cpe:/a:novell:suse_linux:spacewalk-base-minimal, p-cpe:/a:novell:suse_linux:spacewalk-config, p-cpe:/a:novell:suse_linux:spacewalk-backend-iss-export, p-cpe:/a:novell:suse_linux:spacewalk-java-postgresql, p-cpe:/a:novell:suse_linux:susemanager-schema-utility, p-cpe:/a:novell:suse_linux:python3-spacewalk-client-tools, p-cpe:/a:novell:suse_linux:spacewalk-html, p-cpe:/a:novell:suse_linux:spacewalk-java-config, p-cpe:/a:novell:suse_linux:spacewalk-certs-tools, p-cpe:/a:novell:suse_linux:spacecmd, p-cpe:/a:novell:suse_linux:spacewalk-backend-app, p-cpe:/a:novell:suse_linux:inter-server-sync, p-cpe:/a:novell:suse_linux:susemanager-schema, p-cpe:/a:novell:suse_linux:cobbler, p-cpe:/a:novell:suse_linux:spacewalk-backend-tools, p-cpe:/a:novell:suse_linux:susemanager-docs_en, p-cpe:/a:novell:suse_linux:spacewalk-backend-config-files, p-cpe:/a:novell:suse_linux:spacewalk-backend-xml-export-libs, p-cpe:/a:novell:suse_linux:spacewalk-backend-sql-postgresql, p-cpe:/a:novell:suse_linux:supportutils-plugin-susemanager, p-cpe:/a:novell:suse_linux:image-sync-formula, p-cpe:/a:novell:suse_linux:spacewalk-base, p-cpe:/a:novell:suse_linux:susemanager-tools, p-cpe:/a:novell:suse_linux:jose4j, p-cpe:/a:novell:suse_linux:spacewalk-backend-iss, p-cpe:/a:novell:suse_linux:spacewalk-backend-applet, p-cpe:/a:novell:suse_linux:spacewalk-backend-server, p-cpe:/a:novell:suse_linux:susemanager-docs_en-pdf, cpe:/o:novell:suse_linux:15, p-cpe:/a:novell:suse_linux:uyuni-config-modules, p-cpe:/a:novell:suse_linux:spacewalk-backend-xmlrpc, p-cpe:/a:novell:suse_linux:spacewalk-taskomatic, p-cpe:/a:novell:suse_linux:spacewalk-backend, p-cpe:/a:novell:suse_linux:spacewalk-backend-config-files-common, p-cpe:/a:novell:suse_linux:python3-uyuni-common-libs, p-cpe:/a:novell:suse_linux:spacewalk-client-tools, p-cpe:/a:novell:suse_linux:spacewalk-java, p-cpe:/a:novell:suse_linux:susemanager-sync-data, p-cpe:/a:novell:suse_linux:spacewalk-backend-config-files-tool, p-cpe:/a:novell:suse_linux:uyuni-reportdb-schema, p-cpe:/a:novell:suse_linux:spacewalk-backend-sql, p-cpe:/a:novell:suse_linux:spacewalk-java-lib, p-cpe:/a:novell:suse_linux:susemanager, p-cpe:/a:novell:suse_linux:smdba, p-cpe:/a:novell:suse_linux:spacewalk-backend-package-push-server

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/SuSE/release, Host/SuSE/rpm-list

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 5/6/2024

Vulnerability Publication Date: 2/29/2024

Reference Information

CVE: CVE-2023-51775

SuSE: SUSE-SU-2024:1507-1