Security update for SUSE Manager Server 4.3 SUSE Patch security@suse.de SUSE Security Team SUSE-RU-2023:2592-1 Final 1 1 2023-06-21T12:34:20Z current 2023-06-21T12:34:20Z 2023-06-21T12:34:20Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for SUSE Manager Server 4.3 This update fixes the following issues: release-notes-susemanager: - Update to SUSE Manager 4.3.6 * Salt has been upgraded to 3006.0 * SUSE Linux Enterprise Server 15 SP5 Family support has been added * SUSE Linux Enterprise Server Micro 5.4 support has been added * openSUSE Leap 15.5 support has been added * Ability to install PTFs from SUSE Manager has been added * Scheduling Custom States on recurrent basis is now possible * Syncing optional channels from the webUI is now possible * All Tomcat logs are now rotated with logrotate * Grafana upgraded to 9.5.1 * Node exporter upgraded to 1.5.0 * Prometheus upgraded to 2.37.6 * Postgres exporter upgraded to 0.10.1 * CVEs fixed CVE-2023-22644, CVE-2022-46146 * Bugs mentioned bsc#1201063, bsc#1203599, bsc#1204089, bsc#1204270, bsc#1204900 bsc#1205600, bsc#1206060, bsc#1206191, bsc#1206423, bsc#1206725 bsc#1206783, bsc#1207063, bsc#1207595, bsc#1207814, bsc#1207829 bsc#1207830, bsc#1208288, bsc#1208321, bsc#1208427, bsc#1208522 bsc#1208536, bsc#1208540, bsc#1208550, bsc#1208586, bsc#1208661 bsc#1208687, bsc#1208719, bsc#1208772, bsc#1209143, bsc#1209149 bsc#1209215, bsc#1209220, bsc#1209231, bsc#1209253, bsc#1209277 bsc#1209386, bsc#1209395, bsc#1209508, bsc#1209557, bsc#1209926 bsc#1209938, bsc#1209993, bsc#1210086, bsc#1210094, bsc#1210101 bsc#1210107, bsc#1210154, bsc#1210162, bsc#1210349, bsc#1210437 bsc#1210458, bsc#1210835, bsc#1211958, bsc#1210776, bsc#1209434 bsc#1208046, bsc#1212363, bsc#1212096, bsc#1212516 The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Container suse/manager/4.3/proxy-httpd:latest-2023-2592,Image SLES15-SP4-Manager-Proxy-4-3-BYOS-2023-2592,Image SLES15-SP4-Manager-Proxy-4-3-BYOS-Azure-2023-2592,Image SLES15-SP4-Manager-Proxy-4-3-BYOS-EC2-2023-2592,Image SLES15-SP4-Manager-Proxy-4-3-BYOS-GCE-2023-2592,Image SLES15-SP4-Manager-Server-4-3-2023-2592,Image SLES15-SP4-Manager-Server-4-3-Azure-llc-2023-2592,Image SLES15-SP4-Manager-Server-4-3-Azure-ltd-2023-2592,Image SLES15-SP4-Manager-Server-4-3-BYOS-2023-2592,Image SLES15-SP4-Manager-Server-4-3-BYOS-Azure-2023-2592,Image SLES15-SP4-Manager-Server-4-3-BYOS-EC2-2023-2592,Image SLES15-SP4-Manager-Server-4-3-BYOS-GCE-2023-2592,Image SLES15-SP4-Manager-Server-4-3-EC2-llc-2023-2592,Image SLES15-SP4-Manager-Server-4-3-EC2-ltd-2023-2592,SUSE-2023-2592,SUSE-SLE-Product-SUSE-Manager-Proxy-4.3-2023-2592,SUSE-SLE-Product-SUSE-Manager-Server-4.3-2023-2592 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement//suse-ru-20232592-1/ Link for SUSE-RU-2023:2592-1 https://lists.suse.com/pipermail/sle-updates/2024-February/034402.html E-Mail link for SUSE-RU-2023:2592-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1201059 SUSE Bug 1201059 https://bugzilla.suse.com/1204186 SUSE Bug 1204186 https://bugzilla.suse.com/1204270 SUSE Bug 1204270 https://bugzilla.suse.com/1205011 SUSE Bug 1205011 https://bugzilla.suse.com/1205088 SUSE Bug 1205088 https://bugzilla.suse.com/1205759 SUSE Bug 1205759 https://bugzilla.suse.com/1206146 SUSE Bug 1206146 https://bugzilla.suse.com/1206520 SUSE Bug 1206520 https://bugzilla.suse.com/1206562 SUSE Bug 1206562 https://bugzilla.suse.com/1206725 SUSE Bug 1206725 https://bugzilla.suse.com/1206800 SUSE Bug 1206800 https://bugzilla.suse.com/1206817 SUSE Bug 1206817 https://bugzilla.suse.com/1206861 SUSE Bug 1206861 https://bugzilla.suse.com/1206932 SUSE Bug 1206932 https://bugzilla.suse.com/1206963 SUSE Bug 1206963 https://bugzilla.suse.com/1206973 SUSE Bug 1206973 https://bugzilla.suse.com/1206979 SUSE Bug 1206979 https://bugzilla.suse.com/1206981 SUSE Bug 1206981 https://bugzilla.suse.com/1207087 SUSE Bug 1207087 https://bugzilla.suse.com/1207141 SUSE Bug 1207141 https://bugzilla.suse.com/1207297 SUSE Bug 1207297 https://bugzilla.suse.com/1207352 SUSE Bug 1207352 https://bugzilla.suse.com/1207792 SUSE Bug 1207792 https://bugzilla.suse.com/1207799 SUSE Bug 1207799 https://bugzilla.suse.com/1207814 SUSE Bug 1207814 https://bugzilla.suse.com/1207829 SUSE Bug 1207829 https://bugzilla.suse.com/1207830 SUSE Bug 1207830 https://bugzilla.suse.com/1207838 SUSE Bug 1207838 https://bugzilla.suse.com/1207867 SUSE Bug 1207867 https://bugzilla.suse.com/1207883 SUSE Bug 1207883 https://bugzilla.suse.com/1208046 SUSE Bug 1208046 https://bugzilla.suse.com/1208119 SUSE Bug 1208119 https://bugzilla.suse.com/1208288 SUSE Bug 1208288 https://bugzilla.suse.com/1208325 SUSE Bug 1208325 https://bugzilla.suse.com/1208611 SUSE Bug 1208611 https://bugzilla.suse.com/1208719 SUSE Bug 1208719 https://bugzilla.suse.com/1208772 SUSE Bug 1208772 https://bugzilla.suse.com/1208908 SUSE Bug 1208908 https://bugzilla.suse.com/1209119 SUSE Bug 1209119 https://bugzilla.suse.com/1209231 SUSE Bug 1209231 https://bugzilla.suse.com/1209259 SUSE Bug 1209259 https://bugzilla.suse.com/1209369 SUSE Bug 1209369 https://bugzilla.suse.com/1209434 SUSE Bug 1209434 https://bugzilla.suse.com/1210437 SUSE Bug 1210437 https://bugzilla.suse.com/1210458 SUSE Bug 1210458 https://bugzilla.suse.com/1210776 SUSE Bug 1210776 https://bugzilla.suse.com/1211958 SUSE Bug 1211958 https://bugzilla.suse.com/1212096 SUSE Bug 1212096 https://bugzilla.suse.com/1212363 SUSE Bug 1212363 https://bugzilla.suse.com/1212516 SUSE Bug 1212516 https://www.suse.com/security/cve/CVE-2022-46146/ SUSE CVE CVE-2022-46146 page https://www.suse.com/security/cve/CVE-2023-22644/ SUSE CVE CVE-2023-22644 page Container suse/manager/4.3/proxy-httpd:latest Image SLES15-SP4-Manager-Proxy-4-3-BYOS Image SLES15-SP4-Manager-Proxy-4-3-BYOS-Azure Image SLES15-SP4-Manager-Proxy-4-3-BYOS-EC2 Image SLES15-SP4-Manager-Proxy-4-3-BYOS-GCE Image SLES15-SP4-Manager-Server-4-3 Image SLES15-SP4-Manager-Server-4-3-Azure-llc Image SLES15-SP4-Manager-Server-4-3-Azure-ltd Image SLES15-SP4-Manager-Server-4-3-BYOS Image SLES15-SP4-Manager-Server-4-3-BYOS-Azure Image SLES15-SP4-Manager-Server-4-3-BYOS-EC2 Image SLES15-SP4-Manager-Server-4-3-BYOS-GCE Image SLES15-SP4-Manager-Server-4-3-EC2-llc Image SLES15-SP4-Manager-Server-4-3-EC2-ltd SUSE Manager Proxy 4.3 SUSE Manager Server 4.3 release-notes-susemanager-proxy-4.3.6-150400.3.55.4 release-notes-susemanager-4.3.6-150400.3.63.2 release-notes-susemanager-proxy-4.3.6-150400.3.55.4 as a component of Container suse/manager/4.3/proxy-httpd:latest release-notes-susemanager-proxy-4.3.6-150400.3.55.4 as a component of Image SLES15-SP4-Manager-Proxy-4-3-BYOS release-notes-susemanager-proxy-4.3.6-150400.3.55.4 as a component of Image SLES15-SP4-Manager-Proxy-4-3-BYOS-Azure release-notes-susemanager-proxy-4.3.6-150400.3.55.4 as a component of Image SLES15-SP4-Manager-Proxy-4-3-BYOS-EC2 release-notes-susemanager-proxy-4.3.6-150400.3.55.4 as a component of Image SLES15-SP4-Manager-Proxy-4-3-BYOS-GCE release-notes-susemanager-4.3.6-150400.3.63.2 as a component of Image SLES15-SP4-Manager-Server-4-3 release-notes-susemanager-4.3.6-150400.3.63.2 as a component of Image SLES15-SP4-Manager-Server-4-3-Azure-llc release-notes-susemanager-4.3.6-150400.3.63.2 as a component of Image SLES15-SP4-Manager-Server-4-3-Azure-ltd release-notes-susemanager-4.3.6-150400.3.63.2 as a component of Image SLES15-SP4-Manager-Server-4-3-BYOS release-notes-susemanager-4.3.6-150400.3.63.2 as a component of Image SLES15-SP4-Manager-Server-4-3-BYOS-Azure release-notes-susemanager-4.3.6-150400.3.63.2 as a component of Image SLES15-SP4-Manager-Server-4-3-BYOS-EC2 release-notes-susemanager-4.3.6-150400.3.63.2 as a component of Image SLES15-SP4-Manager-Server-4-3-BYOS-GCE release-notes-susemanager-4.3.6-150400.3.63.2 as a component of Image SLES15-SP4-Manager-Server-4-3-EC2-llc release-notes-susemanager-4.3.6-150400.3.63.2 as a component of Image SLES15-SP4-Manager-Server-4-3-EC2-ltd release-notes-susemanager-proxy-4.3.6-150400.3.55.4 as a component of SUSE Manager Proxy 4.3 release-notes-susemanager-4.3.6-150400.3.63.2 as a component of SUSE Manager Server 4.3 Prometheus Exporter Toolkit is a utility package to build exporters. Prior to versions 0.7.2 and 0.8.2, if someone has access to a Prometheus web.yml file and users' bcrypted passwords, they can bypass security by poisoning the built-in authentication cache. Versions 0.7.2 and 0.8.2 contain a fix for the issue. There is no workaround, but attacker must have access to the hashed password to use this functionality. CVE-2022-46146 Container suse/manager/4.3/proxy-httpd:latest:release-notes-susemanager-proxy-4.3.6-150400.3.55.4 Image SLES15-SP4-Manager-Proxy-4-3-BYOS-Azure:release-notes-susemanager-proxy-4.3.6-150400.3.55.4 Image SLES15-SP4-Manager-Proxy-4-3-BYOS-EC2:release-notes-susemanager-proxy-4.3.6-150400.3.55.4 Image SLES15-SP4-Manager-Proxy-4-3-BYOS-GCE:release-notes-susemanager-proxy-4.3.6-150400.3.55.4 Image SLES15-SP4-Manager-Proxy-4-3-BYOS:release-notes-susemanager-proxy-4.3.6-150400.3.55.4 Image SLES15-SP4-Manager-Server-4-3-Azure-llc:release-notes-susemanager-4.3.6-150400.3.63.2 Image SLES15-SP4-Manager-Server-4-3-Azure-ltd:release-notes-susemanager-4.3.6-150400.3.63.2 Image SLES15-SP4-Manager-Server-4-3-BYOS-Azure:release-notes-susemanager-4.3.6-150400.3.63.2 Image SLES15-SP4-Manager-Server-4-3-BYOS-EC2:release-notes-susemanager-4.3.6-150400.3.63.2 Image SLES15-SP4-Manager-Server-4-3-BYOS-GCE:release-notes-susemanager-4.3.6-150400.3.63.2 Image SLES15-SP4-Manager-Server-4-3-BYOS:release-notes-susemanager-4.3.6-150400.3.63.2 Image SLES15-SP4-Manager-Server-4-3-EC2-llc:release-notes-susemanager-4.3.6-150400.3.63.2 Image SLES15-SP4-Manager-Server-4-3-EC2-ltd:release-notes-susemanager-4.3.6-150400.3.63.2 Image SLES15-SP4-Manager-Server-4-3:release-notes-susemanager-4.3.6-150400.3.63.2 SUSE Manager Proxy 4.3:release-notes-susemanager-proxy-4.3.6-150400.3.55.4 SUSE Manager Server 4.3:release-notes-susemanager-4.3.6-150400.3.63.2 important 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement//suse-ru-20232592-1/ https://www.suse.com/security/cve/CVE-2022-46146.html CVE-2022-46146 https://bugzilla.suse.com/1208046 SUSE Bug 1208046 A user can reverse engineer the JWT token (JSON Web Token) used in authentication for Manager and API access, forging a valid NeuVector Token to perform malicious activity in NeuVector. This can lead to an RCE. CVE-2023-22644 Container suse/manager/4.3/proxy-httpd:latest:release-notes-susemanager-proxy-4.3.6-150400.3.55.4 Image SLES15-SP4-Manager-Proxy-4-3-BYOS-Azure:release-notes-susemanager-proxy-4.3.6-150400.3.55.4 Image SLES15-SP4-Manager-Proxy-4-3-BYOS-EC2:release-notes-susemanager-proxy-4.3.6-150400.3.55.4 Image SLES15-SP4-Manager-Proxy-4-3-BYOS-GCE:release-notes-susemanager-proxy-4.3.6-150400.3.55.4 Image SLES15-SP4-Manager-Proxy-4-3-BYOS:release-notes-susemanager-proxy-4.3.6-150400.3.55.4 Image SLES15-SP4-Manager-Server-4-3-Azure-llc:release-notes-susemanager-4.3.6-150400.3.63.2 Image SLES15-SP4-Manager-Server-4-3-Azure-ltd:release-notes-susemanager-4.3.6-150400.3.63.2 Image SLES15-SP4-Manager-Server-4-3-BYOS-Azure:release-notes-susemanager-4.3.6-150400.3.63.2 Image SLES15-SP4-Manager-Server-4-3-BYOS-EC2:release-notes-susemanager-4.3.6-150400.3.63.2 Image SLES15-SP4-Manager-Server-4-3-BYOS-GCE:release-notes-susemanager-4.3.6-150400.3.63.2 Image SLES15-SP4-Manager-Server-4-3-BYOS:release-notes-susemanager-4.3.6-150400.3.63.2 Image SLES15-SP4-Manager-Server-4-3-EC2-llc:release-notes-susemanager-4.3.6-150400.3.63.2 Image SLES15-SP4-Manager-Server-4-3-EC2-ltd:release-notes-susemanager-4.3.6-150400.3.63.2 Image SLES15-SP4-Manager-Server-4-3:release-notes-susemanager-4.3.6-150400.3.63.2 SUSE Manager Proxy 4.3:release-notes-susemanager-proxy-4.3.6-150400.3.55.4 SUSE Manager Server 4.3:release-notes-susemanager-4.3.6-150400.3.63.2 important 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement//suse-ru-20232592-1/ https://www.suse.com/security/cve/CVE-2023-22644.html CVE-2023-22644 https://bugzilla.suse.com/1207199 SUSE Bug 1207199 https://bugzilla.suse.com/1209434 SUSE Bug 1209434