Security vulnerability : Remote code execution in ZeroMQ - CVE-2019-13132

This document (7023929) is provided subject to the disclaimer at the end of this document.

Environment

SUSE Linux Enterprise Server 15
SUSE Linux Enterprise Server 12

Situation

Security Researchers have found a remote unauthenticated code execution in ZeroMQ, a message exchange queuing system. The flaw is in the Elliptic Curve support, where elliptic curves can be specified by the client.

ZeroMQ is used by SUSE CaaS Platform, SUSE Enterprise Storage, SUSE Manager, and is also part of the Advanced Systems Management Module for SUSE Linux Enterprise Server.

Resolution

SUSE has released security updates to resolve this problem.

Cause

Additional Information

On SUSE Linux Enterprise 12 and older, and products building on top of it, ZeroMQ is built without Elliptic CURVE support and is thus not affected by this problem.
On SUSE Linux Enterprise 15, and products building on top of it, the code-base is affected and fixed by security updates.

This means that the following products are :


Not Affected:
    • SUSE Linux Enterprise 12 and older
    • SUSE Enterprise Storage 5 and older
    • SUSE Manager 3.x and older
    • SUSE CaaS Platform 3.0 

Affected :
    • SUSE Linux Enterprise 15
    • SUSE Manager 4
    • SUSE Enterprise Storage 6

On SUSE Linux Enterprise 15 and SUSE Linux Enterprise 15 based products, this security issue is already mitigated by the stack overflow protection mechanisms, so it will only lead to a controlled termination of ZeroMQ, which is effectively only a denial of service attack.

Disclaimer

This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.

  • Document ID:7023929
  • Creation Date: 12-Jun-2019
  • Modified Date:03-Mar-2020
    • SUSE Enterprise Storage
    • SUSE Linux Enterprise Server
    • SUSE Manager

< Back to Support Search

For questions or concerns with the SUSE Knowledgebase please contact: tidfeedback@suse.com

SUSE Support Forums

Get your questions answered by experienced Sys Ops or interact with other SUSE community experts.

Join Our Community

Support Resources

Learn how to get the most from the technical support you receive with your SUSE Subscription, Premium Support, Academic Program, or Partner Program.


SUSE Customer Support Quick Reference Guide SUSE Technical Support Handbook Update Advisories
Support FAQ

Open an Incident

Open an incident with SUSE Technical Support, manage your subscriptions, download patches, or manage user access.

Go to Customer Center