Upstream information

CVE-2020-8028 at MITRE

Description

An Improper Access Control vulnerability in the configuration of salt of SUSE Linux Enterprise Module for SUSE Manager Server 4.1, SUSE Manager Proxy 4.0, SUSE Manager Retail Branch Server 4.0, SUSE Manager Server 3.2, SUSE Manager Server 4.0 allows local users to escalate to root on every system managed by SUSE Manager. On the managing node itself code can be executed as user salt, potentially allowing for escalation to root there. This issue affects: SUSE Linux Enterprise Module for SUSE Manager Server 4.1 google-gson versions prior to 2.8.5-3.4.3, httpcomponents-client-4.5.6-3.4.2, httpcomponents-. SUSE Manager Proxy 4.0 release-notes-susemanager-proxy versions prior to 4.0.9-0.16.38.1. SUSE Manager Retail Branch Server 4.0 release-notes-susemanager-proxy versions prior to 4.0.9-0.16.38.1. SUSE Manager Server 3.2 salt-netapi-client versions prior to 0.16.0-4.14.1, spacewalk-. SUSE Manager Server 4.0 release-notes-susemanager versions prior to 4.0.9-3.54.1.

SUSE information

Overall state of this security issue: Running

This issue is currently rated as having important severity.

CVSS v3 Scores (SUSE)
  Base Score              7.8
  Vector                  CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
  Attack Vector           Local
  Attack Complexity       Low
  Privileges Required     Low
  User Interaction        None
  Scope                   Unchanged
  Confidentiality Impact  High
  Integrity Impact        High
  Availability Impact     High
  CVSS Version            3.1
SUSE Bugzilla entry: 1175884 [IN_PROGRESS]

SUSE Security Advisories:

List of released packages

Product(s) Fixed package version(s) References
SUSE Linux Enterprise Module for SUSE Manager Server 4.0
  • hibernate5 >= 5.3.7-4.3.2
  • image-sync-formula >= 0.1.1595937550.0285244-3.20.2
  • openvpn-formula >= 0.1.1-4.6.2
  • prometheus-exporters-formula >= 0.7.1-3.10.2
  • python3-spacewalk-certs-tools >= 4.0.17-3.21.3
  • salt-netapi-client >= 0.17.0-4.6.3
  • saltboot-formula >= 0.1.1595937550.0285244-3.19.2
  • spacecmd >= 4.0.20-3.19.2
  • spacewalk-admin >= 4.0.11-3.12.1
  • spacewalk-base >= 4.0.23-3.30.3
  • spacewalk-base-minimal >= 4.0.23-3.30.3
  • spacewalk-base-minimal-config >= 4.0.23-3.30.3
  • spacewalk-certs-tools >= 4.0.17-3.21.3
  • spacewalk-html >= 4.0.23-3.30.3
  • spacewalk-java >= 4.0.37-3.39.1
  • spacewalk-java-config >= 4.0.37-3.39.1
  • spacewalk-java-lib >= 4.0.37-3.39.1
  • spacewalk-java-postgresql >= 4.0.37-3.39.1
  • spacewalk-setup >= 4.0.14-3.14.1
  • spacewalk-taskomatic >= 4.0.37-3.39.1
  • spacewalk-utils >= 4.0.18-3.21.3
  • spacewalk-web >= 4.0.23-3.30.3
  • susemanager >= 4.0.28-3.36.3
  • susemanager-frontend-libs >= 4.0.2-4.3.2
  • susemanager-schema >= 4.0.22-3.29.2
  • susemanager-sls >= 4.0.29-3.31.3
  • susemanager-sync-data >= 4.0.18-3.24.2
  • susemanager-tools >= 4.0.28-3.36.3
  • susemanager-web-libs >= 4.0.23-3.30.3
  • virtualization-host-formula >= 0.5-4.12.3
Patchnames:
SUSE-SLE-Module-SUSE-Manager-Server-4.0-2020-2650
SUSE Linux Enterprise Module for SUSE Manager Server 4.1
  • google-gson >= 2.8.5-3.4.3
  • httpcomponents-client >= 4.5.6-3.4.2
  • httpcomponents-core >= 4.4.10-3.4.2
  • salt-netapi-client >= 0.17.0-3.3.2
  • spacewalk-admin >= 4.1.6-3.3.3
  • spacewalk-java >= 4.1.19-3.8.2
  • spacewalk-java-config >= 4.1.19-3.8.2
  • spacewalk-java-lib >= 4.1.19-3.8.2
  • spacewalk-java-postgresql >= 4.1.19-3.8.2
  • spacewalk-setup >= 4.1.6-3.3.2
  • spacewalk-taskomatic >= 4.1.19-3.8.2
Patchnames:
SUSE-SLE-Module-SUSE-Manager-Server-4.1-2020-2647
SUSE Manager Server 3.2
  • salt-netapi-client >= 0.16.0-4.14.1
  • spacewalk-admin >= 2.8.4.7-3.15.1
  • spacewalk-java >= 2.8.78.30-3.53.1
  • spacewalk-java-config >= 2.8.78.30-3.53.1
  • spacewalk-java-lib >= 2.8.78.30-3.53.1
  • spacewalk-java-oracle >= 2.8.78.30-3.53.1
  • spacewalk-java-postgresql >= 2.8.78.30-3.53.1
  • spacewalk-setup >= 2.8.7.11-3.28.1
  • spacewalk-taskomatic >= 2.8.78.30-3.53.1
Patchnames:
SUSE-SUSE-Manager-Server-3.2-2020-2648
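The "package >= version-release" lines above are what an administrator compares against the installed packages when deciding whether a SUSE Manager host is patched. A naive string comparison gets this wrong (release "3.38.2" is older than "3.39.1", and "4.3.10" is newer than "4.3.2"), so the following added example (not SUSE's own code or tooling) implements rpm's version comparison algorithm (rpmvercmp, including the "~" pre-release and "^" post-release rules) in pure Python and audits a package list against the SUSE Manager Server 4.0 module entries above. The installed-package lines are a constructed sample in the format printed by rpm -qa --qf '%{NAME} %{EPOCH}:%{VERSION}-%{RELEASE}\n', not output from a real system.

```python
"""Audit installed RPM versions against the fixed versions in a SUSE advisory."""
import string

_ALNUM = set(string.ascii_letters + string.digits)


def rpmvercmp(a, b):
    """Compare two version (or release) strings as rpm does; returns -1, 0 or 1.
    Segments are numeric when both start with digits and ASCII strings otherwise;
    '~' sorts before end-of-string (pre-release), '^' sorts after it (post-release)."""
    if a == b:
        return 0
    i = j = 0
    while i < len(a) or j < len(b):
        while i < len(a) and a[i] not in _ALNUM and a[i] not in "~^":
            i += 1  # separators such as '.', '-' and '_' only delimit segments
        while j < len(b) and b[j] not in _ALNUM and b[j] not in "~^":
            j += 1
        a_tilde, b_tilde = i < len(a) and a[i] == "~", j < len(b) and b[j] == "~"
        if a_tilde or b_tilde:
            if not a_tilde:
                return 1
            if not b_tilde:
                return -1
            i, j = i + 1, j + 1
            continue
        a_caret, b_caret = i < len(a) and a[i] == "^", j < len(b) and b[j] == "^"
        if a_caret or b_caret:
            if i >= len(a):
                return -1
            if j >= len(b):
                return 1
            if not a_caret:
                return 1
            if not b_caret:
                return -1
            i, j = i + 1, j + 1
            continue
        if i >= len(a) or j >= len(b):
            break
        isnum = a[i] in string.digits
        cls = string.digits if isnum else string.ascii_letters
        i0, j0 = i, j
        while i < len(a) and a[i] in cls:
            i += 1
        while j < len(b) and b[j] in cls:
            j += 1
        seg_a, seg_b = a[i0:i], b[j0:j]
        if not seg_b:
            return 1 if isnum else -1  # mismatched types: numbers sort above letters
        if isnum:
            seg_a, seg_b = seg_a.lstrip("0"), seg_b.lstrip("0")
            if len(seg_a) != len(seg_b):
                return 1 if len(seg_a) > len(seg_b) else -1
        if seg_a != seg_b:
            return 1 if seg_a > seg_b else -1
    if i >= len(a) and j >= len(b):
        return 0
    return -1 if i >= len(a) else 1


def parse_evr(evr):
    """Split 'epoch:version-release' into (epoch, version, release); epoch defaults to 0."""
    epoch = "0"
    if ":" in evr:
        epoch, evr = evr.split(":", 1)
        if epoch == "(none)":  # what rpm's query format prints for an unset epoch
            epoch = "0"
    version, sep, release = evr.rpartition("-")
    return (epoch, version, release) if sep else (epoch, evr, "")


def evrcmp(x, y):
    """Compare two epoch:version-release strings; epoch wins, then version, then release."""
    for sx, sy in zip(parse_evr(x), parse_evr(y)):
        r = rpmvercmp(sx, sy)
        if r:
            return r
    return 0


def parse_advisory(text):
    """Read '  • name >= evr' bullet lines as they appear in the released-packages list."""
    fixed = {}
    for line in text.splitlines():
        name, sep, evr = line.strip().lstrip("•").partition(">=")
        if sep:
            fixed[name.strip()] = evr.strip()
    return fixed


def parse_installed(text):
    """Read 'NAME EPOCH:VERSION-RELEASE' lines from rpm -qa output."""
    return dict(line.split() for line in text.splitlines() if line.strip())


def audit(fixed, installed):
    """Map each advisory package to 'fixed', 'vulnerable' or 'not installed'."""
    result = {}
    for name, required in fixed.items():
        have = installed.get(name)
        if have is None:
            result[name] = "not installed"
        else:
            result[name] = "fixed" if evrcmp(have, required) >= 0 else "vulnerable"
    return result


# Subset of the SUSE Manager Server 4.0 module list above.
ADVISORY = """
  • hibernate5 >= 5.3.7-4.3.2
  • salt-netapi-client >= 0.17.0-4.6.3
  • spacewalk-admin >= 4.0.11-3.12.1
  • spacewalk-java >= 4.0.37-3.39.1
  • susemanager-sls >= 4.0.29-3.31.3
  • virtualization-host-formula >= 0.5-4.12.3
"""
# Constructed sample of rpm -qa output; not taken from a real host.
INSTALLED = """
hibernate5 (none):5.3.7-4.3.10
salt-netapi-client (none):0.17.0-4.6.3
spacewalk-admin (none):4.0.11-3.12.1
spacewalk-java (none):4.0.37-3.38.2
susemanager-sls (none):4.0.29-3.31.3
"""


def sample_audit():
    return audit(parse_advisory(ADVISORY), parse_installed(INSTALLED))


if __name__ == "__main__":
    for name, state in sorted(sample_audit().items()):
        print("%-30s %s" % (name, state))
```

On a real host, replace INSTALLED with the output of the rpm query in the lead-in and ADVISORY with the full list for the product in question; spacewalk-java in the sample is reported vulnerable because its release 3.38.2 sorts below the fixed 3.39.1, while hibernate5's release 4.3.10 correctly sorts above 4.3.2.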


Status of this issue by product and package

Please note that this evaluation state might be work in progress, incomplete or outdated. Also information for service packs in the LTSS phase is only included for issues meeting the LTSS criteria. If in doubt, feel free to contact us for clarification.

Product(s)                             Source package                   State
SUSE Manager Proxy 4.0                 release-notes-susemanager-proxy  Released
SUSE Manager Proxy 4.0 Module          spacecmd                         Released
SUSE Manager Proxy 4.0 Module          spacewalk-certs-tools            Released
SUSE Manager Proxy 4.0 Module          spacewalk-proxy                  Released
SUSE Manager Proxy 4.0 Module          spacewalk-web                    Released
SUSE Manager Retail Branch Server 4.0  release-notes-susemanager-proxy  Released
SUSE Manager Server 3.2                salt-netapi-client               Released
SUSE Manager Server 3.2                spacewalk                        Affected
SUSE Manager Server 3.2                spacewalk-admin                  Released
SUSE Manager Server 3.2                spacewalk-java                   Released
SUSE Manager Server 3.2                spacewalk-setup                  Released
SUSE Manager Server 4.0                release-notes-susemanager        Released
SUSE Manager Server 4.0 Module         hibernate5                       Released
SUSE Manager Server 4.0 Module         image-sync-formula               Released
SUSE Manager Server 4.0 Module         openvpn-formula                  Released
SUSE Manager Server 4.0 Module         prometheus-exporters-formula     Released
SUSE Manager Server 4.0 Module         salt-netapi-client               Released
SUSE Manager Server 4.0 Module         saltboot-formula                 Released
SUSE Manager Server 4.0 Module         spacecmd                         Released
SUSE Manager Server 4.0 Module         spacewalk                        Affected
SUSE Manager Server 4.0 Module         spacewalk-admin                  Released
SUSE Manager Server 4.0 Module         spacewalk-certs-tools            Released
SUSE Manager Server 4.0 Module         spacewalk-java                   Released
SUSE Manager Server 4.0 Module         spacewalk-setup                  Released
SUSE Manager Server 4.0 Module         spacewalk-utils                  Released
SUSE Manager Server 4.0 Module         spacewalk-web                    Released
SUSE Manager Server 4.0 Module         susemanager                      Released
SUSE Manager Server 4.0 Module         susemanager-frontend-libs        Released
SUSE Manager Server 4.0 Module         susemanager-schema               Released
SUSE Manager Server 4.0 Module         susemanager-sls                  Released
SUSE Manager Server 4.0 Module         susemanager-sync-data            Released
SUSE Manager Server 4.0 Module         virtualization-host-formula      Released
SUSE Manager Server 4.1 Module         google-gson                      Released
SUSE Manager Server 4.1 Module         httpcomponents-client            Released
SUSE Manager Server 4.1 Module         httpcomponents-core              Released
SUSE Manager Server 4.1 Module         salt-netapi-client               Released
SUSE Manager Server 4.1 Module         spacewalk-admin                  Released
SUSE Manager Server 4.1 Module         spacewalk-java                   Released
SUSE Manager Server 4.1 Module         spacewalk-setup                  Released