Security update for salt SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2021:14650-1 Final 1 1 2021-02-26T10:11:55Z current 2021-02-26T10:11:55Z 2021-02-26T10:11:55Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for salt This update for salt fixes the following issues: - Fix regression on cmd.run when passing tuples as cmd (bsc#1182740) - Allow `extra_filerefs` as sanitized `kwargs` for SSH client - Fix for multiple for security issues (CVE-2020-28243) (CVE-2020-28972) (CVE-2020-35662) (CVE-2021-3148) (CVE-2021-3144) (CVE-2021-25281) (CVE-2021-25282) (CVE-2021-25283) (CVE-2021-25284) (CVE-2021-3197) (bsc#1181550) (bsc#1181556) (bsc#1181557) (bsc#1181558) (bsc#1181559) (bsc#1181560) (bsc#1181561) (bsc#1181562) (bsc#1181563) (bsc#1181564) (bsc#1181565) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). slesctsp3-salt-14650,slesctsp4-salt-14650 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2021/suse-su-202114650-1/ Link for SUSE-SU-2021:14650-1 https://lists.suse.com/pipermail/sle-security-updates/2021-February/008380.html E-Mail link for SUSE-SU-2021:14650-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1181550 SUSE Bug 1181550 https://bugzilla.suse.com/1181556 SUSE Bug 1181556 https://bugzilla.suse.com/1181557 SUSE Bug 1181557 https://bugzilla.suse.com/1181558 SUSE Bug 1181558 https://bugzilla.suse.com/1181559 SUSE Bug 1181559 https://bugzilla.suse.com/1181560 SUSE Bug 1181560 https://bugzilla.suse.com/1181561 SUSE Bug 1181561 https://bugzilla.suse.com/1181562 SUSE Bug 1181562 https://bugzilla.suse.com/1181563 SUSE Bug 1181563 https://bugzilla.suse.com/1181564 SUSE Bug 1181564 https://bugzilla.suse.com/1181565 SUSE Bug 1181565 https://bugzilla.suse.com/1182740 SUSE Bug 1182740 https://www.suse.com/security/cve/CVE-2020-28243/ SUSE CVE CVE-2020-28243 page https://www.suse.com/security/cve/CVE-2020-28972/ SUSE CVE CVE-2020-28972 page https://www.suse.com/security/cve/CVE-2020-35662/ SUSE CVE CVE-2020-35662 page https://www.suse.com/security/cve/CVE-2021-25281/ SUSE CVE CVE-2021-25281 page https://www.suse.com/security/cve/CVE-2021-25282/ SUSE CVE CVE-2021-25282 page https://www.suse.com/security/cve/CVE-2021-25283/ SUSE CVE CVE-2021-25283 page https://www.suse.com/security/cve/CVE-2021-25284/ SUSE CVE CVE-2021-25284 page https://www.suse.com/security/cve/CVE-2021-3144/ SUSE CVE CVE-2021-3144 page https://www.suse.com/security/cve/CVE-2021-3148/ SUSE CVE CVE-2021-3148 page https://www.suse.com/security/cve/CVE-2021-3197/ SUSE CVE CVE-2021-3197 page SUSE Linux Enterprise Server 11 SP3-CLIENT-TOOLS SUSE Linux Enterprise Server 11 SP4-CLIENT-TOOLS salt-2016.11.10-43.69.1 salt-doc-2016.11.10-43.69.1 salt-minion-2016.11.10-43.69.1 salt-2016.11.10-43.69.1 as a component of SUSE Linux Enterprise Server 11 SP3-CLIENT-TOOLS salt-doc-2016.11.10-43.69.1 as a component of SUSE Linux Enterprise Server 11 SP3-CLIENT-TOOLS salt-minion-2016.11.10-43.69.1 as a component of SUSE Linux Enterprise Server 11 SP3-CLIENT-TOOLS salt-2016.11.10-43.69.1 as a component of SUSE Linux Enterprise Server 11 SP4-CLIENT-TOOLS salt-doc-2016.11.10-43.69.1 as a component of SUSE Linux Enterprise Server 11 SP4-CLIENT-TOOLS salt-minion-2016.11.10-43.69.1 as a component of SUSE Linux Enterprise Server 11 SP4-CLIENT-TOOLS An issue was discovered in SaltStack Salt before 3002.5. The minion's restartcheck is vulnerable to command injection via a crafted process name. This allows for a local privilege escalation by any user able to create a files on the minion in a non-blacklisted directory. CVE-2020-28243 SUSE Linux Enterprise Server 11 SP3-CLIENT-TOOLS:salt-2016.11.10-43.69.1 SUSE Linux Enterprise Server 11 SP3-CLIENT-TOOLS:salt-doc-2016.11.10-43.69.1 SUSE Linux Enterprise Server 11 SP3-CLIENT-TOOLS:salt-minion-2016.11.10-43.69.1 SUSE Linux Enterprise Server 11 SP4-CLIENT-TOOLS:salt-2016.11.10-43.69.1 SUSE Linux Enterprise Server 11 SP4-CLIENT-TOOLS:salt-doc-2016.11.10-43.69.1 SUSE Linux Enterprise Server 11 SP4-CLIENT-TOOLS:salt-minion-2016.11.10-43.69.1 important 4.4 AV:L/AC:M/Au:N/C:P/I:P/A:P 8.4 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2021/suse-su-202114650-1/ https://www.suse.com/security/cve/CVE-2020-28243.html CVE-2020-28243 https://bugzilla.suse.com/1181550 SUSE Bug 1181550 https://bugzilla.suse.com/1181556 SUSE Bug 1181556 In SaltStack Salt before 3002.5, authentication to VMware vcenter, vsphere, and esxi servers (in the vmware.py files) does not always validate the SSL/TLS certificate. CVE-2020-28972 SUSE Linux Enterprise Server 11 SP3-CLIENT-TOOLS:salt-2016.11.10-43.69.1 SUSE Linux Enterprise Server 11 SP3-CLIENT-TOOLS:salt-doc-2016.11.10-43.69.1 SUSE Linux Enterprise Server 11 SP3-CLIENT-TOOLS:salt-minion-2016.11.10-43.69.1 SUSE Linux Enterprise Server 11 SP4-CLIENT-TOOLS:salt-2016.11.10-43.69.1 SUSE Linux Enterprise Server 11 SP4-CLIENT-TOOLS:salt-doc-2016.11.10-43.69.1 SUSE Linux Enterprise Server 11 SP4-CLIENT-TOOLS:salt-minion-2016.11.10-43.69.1 critical 4.3 AV:N/AC:M/Au:N/C:P/I:N/A:N 7.3 CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2021/suse-su-202114650-1/ https://www.suse.com/security/cve/CVE-2020-28972.html CVE-2020-28972 https://bugzilla.suse.com/1181550 SUSE Bug 1181550 https://bugzilla.suse.com/1181557 SUSE Bug 1181557 In SaltStack Salt before 3002.5, when authenticating to services using certain modules, the SSL certificate is not always validated. CVE-2020-35662 SUSE Linux Enterprise Server 11 SP3-CLIENT-TOOLS:salt-2016.11.10-43.69.1 SUSE Linux Enterprise Server 11 SP3-CLIENT-TOOLS:salt-doc-2016.11.10-43.69.1 SUSE Linux Enterprise Server 11 SP3-CLIENT-TOOLS:salt-minion-2016.11.10-43.69.1 SUSE Linux Enterprise Server 11 SP4-CLIENT-TOOLS:salt-2016.11.10-43.69.1 SUSE Linux Enterprise Server 11 SP4-CLIENT-TOOLS:salt-doc-2016.11.10-43.69.1 SUSE Linux Enterprise Server 11 SP4-CLIENT-TOOLS:salt-minion-2016.11.10-43.69.1 critical 5.8 AV:N/AC:M/Au:N/C:P/I:P/A:N 9.4 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2021/suse-su-202114650-1/ https://www.suse.com/security/cve/CVE-2020-35662.html CVE-2020-35662 https://bugzilla.suse.com/1181550 SUSE Bug 1181550 https://bugzilla.suse.com/1181565 SUSE Bug 1181565 An issue was discovered in through SaltStack Salt before 3002.5. salt-api does not honor eauth credentials for the wheel_async client. Thus, an attacker can remotely run any wheel modules on the master. CVE-2021-25281 SUSE Linux Enterprise Server 11 SP3-CLIENT-TOOLS:salt-2016.11.10-43.69.1 SUSE Linux Enterprise Server 11 SP3-CLIENT-TOOLS:salt-doc-2016.11.10-43.69.1 SUSE Linux Enterprise Server 11 SP3-CLIENT-TOOLS:salt-minion-2016.11.10-43.69.1 SUSE Linux Enterprise Server 11 SP4-CLIENT-TOOLS:salt-2016.11.10-43.69.1 SUSE Linux Enterprise Server 11 SP4-CLIENT-TOOLS:salt-doc-2016.11.10-43.69.1 SUSE Linux Enterprise Server 11 SP4-CLIENT-TOOLS:salt-minion-2016.11.10-43.69.1 critical 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2021/suse-su-202114650-1/ https://www.suse.com/security/cve/CVE-2021-25281.html CVE-2021-25281 https://bugzilla.suse.com/1181550 SUSE Bug 1181550 https://bugzilla.suse.com/1181559 SUSE Bug 1181559 An issue was discovered in through SaltStack Salt before 3002.5. The salt.wheel.pillar_roots.write method is vulnerable to directory traversal. CVE-2021-25282 SUSE Linux Enterprise Server 11 SP3-CLIENT-TOOLS:salt-2016.11.10-43.69.1 SUSE Linux Enterprise Server 11 SP3-CLIENT-TOOLS:salt-doc-2016.11.10-43.69.1 SUSE Linux Enterprise Server 11 SP3-CLIENT-TOOLS:salt-minion-2016.11.10-43.69.1 SUSE Linux Enterprise Server 11 SP4-CLIENT-TOOLS:salt-2016.11.10-43.69.1 SUSE Linux Enterprise Server 11 SP4-CLIENT-TOOLS:salt-doc-2016.11.10-43.69.1 SUSE Linux Enterprise Server 11 SP4-CLIENT-TOOLS:salt-minion-2016.11.10-43.69.1 critical 6.4 AV:N/AC:L/Au:N/C:N/I:P/A:P 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2021/suse-su-202114650-1/ https://www.suse.com/security/cve/CVE-2021-25282.html CVE-2021-25282 https://bugzilla.suse.com/1181550 SUSE Bug 1181550 https://bugzilla.suse.com/1181560 SUSE Bug 1181560 An issue was discovered in through SaltStack Salt before 3002.5. The jinja renderer does not protect against server side template injection attacks. CVE-2021-25283 SUSE Linux Enterprise Server 11 SP3-CLIENT-TOOLS:salt-2016.11.10-43.69.1 SUSE Linux Enterprise Server 11 SP3-CLIENT-TOOLS:salt-doc-2016.11.10-43.69.1 SUSE Linux Enterprise Server 11 SP3-CLIENT-TOOLS:salt-minion-2016.11.10-43.69.1 SUSE Linux Enterprise Server 11 SP4-CLIENT-TOOLS:salt-2016.11.10-43.69.1 SUSE Linux Enterprise Server 11 SP4-CLIENT-TOOLS:salt-doc-2016.11.10-43.69.1 SUSE Linux Enterprise Server 11 SP4-CLIENT-TOOLS:salt-minion-2016.11.10-43.69.1 critical 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2021/suse-su-202114650-1/ https://www.suse.com/security/cve/CVE-2021-25283.html CVE-2021-25283 https://bugzilla.suse.com/1181550 SUSE Bug 1181550 https://bugzilla.suse.com/1181561 SUSE Bug 1181561 An issue was discovered in through SaltStack Salt before 3002.5. salt.modules.cmdmod can log credentials to the info or error log level. CVE-2021-25284 SUSE Linux Enterprise Server 11 SP3-CLIENT-TOOLS:salt-2016.11.10-43.69.1 SUSE Linux Enterprise Server 11 SP3-CLIENT-TOOLS:salt-doc-2016.11.10-43.69.1 SUSE Linux Enterprise Server 11 SP3-CLIENT-TOOLS:salt-minion-2016.11.10-43.69.1 SUSE Linux Enterprise Server 11 SP4-CLIENT-TOOLS:salt-2016.11.10-43.69.1 SUSE Linux Enterprise Server 11 SP4-CLIENT-TOOLS:salt-doc-2016.11.10-43.69.1 SUSE Linux Enterprise Server 11 SP4-CLIENT-TOOLS:salt-minion-2016.11.10-43.69.1 critical 1.9 AV:L/AC:M/Au:N/C:N/I:P/A:N 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2021/suse-su-202114650-1/ https://www.suse.com/security/cve/CVE-2021-25284.html CVE-2021-25284 https://bugzilla.suse.com/1181550 SUSE Bug 1181550 In SaltStack Salt before 3002.5, eauth tokens can be used once after expiration. (They might be used to run command against the salt master or minions.) CVE-2021-3144 SUSE Linux Enterprise Server 11 SP3-CLIENT-TOOLS:salt-2016.11.10-43.69.1 SUSE Linux Enterprise Server 11 SP3-CLIENT-TOOLS:salt-doc-2016.11.10-43.69.1 SUSE Linux Enterprise Server 11 SP3-CLIENT-TOOLS:salt-minion-2016.11.10-43.69.1 SUSE Linux Enterprise Server 11 SP4-CLIENT-TOOLS:salt-2016.11.10-43.69.1 SUSE Linux Enterprise Server 11 SP4-CLIENT-TOOLS:salt-doc-2016.11.10-43.69.1 SUSE Linux Enterprise Server 11 SP4-CLIENT-TOOLS:salt-minion-2016.11.10-43.69.1 critical 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P 9.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2021/suse-su-202114650-1/ https://www.suse.com/security/cve/CVE-2021-3144.html CVE-2021-3144 https://bugzilla.suse.com/1181550 SUSE Bug 1181550 https://bugzilla.suse.com/1181562 SUSE Bug 1181562 An issue was discovered in SaltStack Salt before 3002.5. Sending crafted web requests to the Salt API can result in salt.utils.thin.gen_thin() command injection because of different handling of single versus double quotes. This is related to salt/utils/thin.py. CVE-2021-3148 SUSE Linux Enterprise Server 11 SP3-CLIENT-TOOLS:salt-2016.11.10-43.69.1 SUSE Linux Enterprise Server 11 SP3-CLIENT-TOOLS:salt-doc-2016.11.10-43.69.1 SUSE Linux Enterprise Server 11 SP3-CLIENT-TOOLS:salt-minion-2016.11.10-43.69.1 SUSE Linux Enterprise Server 11 SP4-CLIENT-TOOLS:salt-2016.11.10-43.69.1 SUSE Linux Enterprise Server 11 SP4-CLIENT-TOOLS:salt-doc-2016.11.10-43.69.1 SUSE Linux Enterprise Server 11 SP4-CLIENT-TOOLS:salt-minion-2016.11.10-43.69.1 critical 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2021/suse-su-202114650-1/ https://www.suse.com/security/cve/CVE-2021-3148.html CVE-2021-3148 https://bugzilla.suse.com/1181550 SUSE Bug 1181550 https://bugzilla.suse.com/1181558 SUSE Bug 1181558 An issue was discovered in SaltStack Salt before 3002.5. The salt-api's ssh client is vulnerable to a shell injection by including ProxyCommand in an argument, or via ssh_options provided in an API request. CVE-2021-3197 SUSE Linux Enterprise Server 11 SP3-CLIENT-TOOLS:salt-2016.11.10-43.69.1 SUSE Linux Enterprise Server 11 SP3-CLIENT-TOOLS:salt-doc-2016.11.10-43.69.1 SUSE Linux Enterprise Server 11 SP3-CLIENT-TOOLS:salt-minion-2016.11.10-43.69.1 SUSE Linux Enterprise Server 11 SP4-CLIENT-TOOLS:salt-2016.11.10-43.69.1 SUSE Linux Enterprise Server 11 SP4-CLIENT-TOOLS:salt-doc-2016.11.10-43.69.1 SUSE Linux Enterprise Server 11 SP4-CLIENT-TOOLS:salt-minion-2016.11.10-43.69.1 critical 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2021/suse-su-202114650-1/ https://www.suse.com/security/cve/CVE-2021-3197.html CVE-2021-3197 https://bugzilla.suse.com/1181550 SUSE Bug 1181550 https://bugzilla.suse.com/1181564 SUSE Bug 1181564