Security update for SUSE Manager Server 4.1 SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2021:3562-1 Final 1 1 2021-10-27T13:34:39Z current 2021-10-27T13:34:39Z 2021-10-27T13:34:39Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for SUSE Manager Server 4.1 This update fixes the following issues: spacewalk-admin: - Version 4.1.10-1 * Fix setup with rhn-config-satellite (bsc#1190300) * Allow admins to modify only spacewalk config files with rhn-config-satellite.pl (bsc#1190040) (CVE-2021-40348) How to apply this update: 1. Log in as root user to the SUSE Manager server. 2. Stop the Spacewalk service: `spacewalk-service stop` 3. Apply the patch using either zypper patch or YaST Online Update. 4. Start the Spacewalk service: `spacewalk-service start` The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-2021-3562,SUSE-SLE-Module-SUSE-Manager-Server-4.1-2021-3562 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2021/suse-su-20213562-1/ Link for SUSE-SU-2021:3562-1 https://lists.suse.com/pipermail/sle-security-updates/2021-October/009671.html E-Mail link for SUSE-SU-2021:3562-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1190040 SUSE Bug 1190040 https://bugzilla.suse.com/1190300 SUSE Bug 1190300 https://www.suse.com/security/cve/CVE-2021-40348/ SUSE CVE CVE-2021-40348 page SUSE Manager Server Module 4.1 spacewalk-admin-4.1.10-3.15.1 spacewalk-admin-4.1.10-3.15.1 as a component of SUSE Manager Server Module 4.1 Spacewalk 2.10, and derivatives such as Uyuni 2021.08, allows code injection. rhn-config-satellite.pl doesn't sanitize the configuration filename used to append Spacewalk-specific key-value pair. The script is intended to be run by the tomcat user account with Sudo, according to the installation setup. This can lead to the ability of an attacker to use --option to append arbitrary code to a root-owned file that eventually will be executed by the system. This is fixed in Uyuni spacewalk-admin 4.3.2-1. CVE-2021-40348 SUSE Manager Server Module 4.1:spacewalk-admin-4.1.10-3.15.1 important 9.3 AV:N/AC:M/Au:N/C:C/I:C/A:C 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2021/suse-su-20213562-1/ https://www.suse.com/security/cve/CVE-2021-40348.html CVE-2021-40348 https://bugzilla.suse.com/1190040 SUSE Bug 1190040