Security update for SUSE Manager 4.3: Server

Announcement ID: SUSE-SU-2023:2181-1
Rating: important
CVSS scores:
  • CVE-2022-46146 ( SUSE ): 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
  • CVE-2022-46146 ( NVD ): 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Affected Products:
  • openSUSE Leap 15.3
  • openSUSE Leap 15.4
  • openSUSE Leap 15.5
  • SUSE Linux Enterprise Desktop 15
  • SUSE Linux Enterprise Desktop 15 SP1
  • SUSE Linux Enterprise Desktop 15 SP2
  • SUSE Linux Enterprise Desktop 15 SP3
  • SUSE Linux Enterprise Desktop 15 SP4
  • SUSE Linux Enterprise Desktop 15 SP5
  • SUSE Linux Enterprise Desktop 15 SP6
  • SUSE Linux Enterprise High Performance Computing 15
  • SUSE Linux Enterprise High Performance Computing 15 SP1
  • SUSE Linux Enterprise High Performance Computing 15 SP2
  • SUSE Linux Enterprise High Performance Computing 15 SP3
  • SUSE Linux Enterprise High Performance Computing 15 SP4
  • SUSE Linux Enterprise High Performance Computing 15 SP5
  • SUSE Linux Enterprise High Performance Computing 15 SP6
  • SUSE Linux Enterprise Real Time 15 SP1
  • SUSE Linux Enterprise Real Time 15 SP2
  • SUSE Linux Enterprise Real Time 15 SP3
  • SUSE Linux Enterprise Real Time 15 SP4
  • SUSE Linux Enterprise Real Time 15 SP5
  • SUSE Linux Enterprise Server 15
  • SUSE Linux Enterprise Server 15 SP1
  • SUSE Linux Enterprise Server 15 SP2
  • SUSE Linux Enterprise Server 15 SP3
  • SUSE Linux Enterprise Server 15 SP4
  • SUSE Linux Enterprise Server 15 SP5
  • SUSE Linux Enterprise Server 15 SP6
  • SUSE Linux Enterprise Server for SAP Applications 15
  • SUSE Linux Enterprise Server for SAP Applications 15 SP1
  • SUSE Linux Enterprise Server for SAP Applications 15 SP2
  • SUSE Linux Enterprise Server for SAP Applications 15 SP3
  • SUSE Linux Enterprise Server for SAP Applications 15 SP4
  • SUSE Linux Enterprise Server for SAP Applications 15 SP5
  • SUSE Linux Enterprise Server for SAP Applications 15 SP6
  • SUSE Manager Client Tools for SLE 15
  • SUSE Manager Proxy 4.2
  • SUSE Manager Proxy 4.2 Module 4.2
  • SUSE Manager Proxy 4.3
  • SUSE Manager Proxy 4.3 Module 4.3
  • SUSE Manager Retail Branch Server 4.2
  • SUSE Manager Retail Branch Server 4.3
  • SUSE Manager Server 4.2
  • SUSE Manager Server 4.2 Module 4.2
  • SUSE Manager Server 4.3
  • SUSE Manager Server 4.3 Module 4.3

An update that solves one vulnerability, contains one feature and has one security fix can now be installed.

Security update for SUSE Manager Server 4.3

Description:

This update fixes the following issues:

system-user-prometheus:

  • Provide system-user-prometheus to SUSE Manager Server repositories and resolve installation issues (no source changes)

prometheus-postgres_exporter:

  • Security issues fixed:
    • CVE-2022-46146: Fix authentication bypass via cache poisoning (bsc#1208060)

  • Other non-security issues fixed:
    • Adapt the systemd service security configuration to be able to start it on Red Hat Linux Enterprise systems and clones
    • Create the prometheus user for Red Hat Linux Enterprise systems and clones
    • Fix broken log-level for values other than debug (bsc#1208965)

How to apply this update:

  1. Log in as root user to the SUSE Manager Server.
  2. Stop the Spacewalk service: spacewalk-service stop
  3. Apply the patch using either zypper patch or YaST Online Update.
  4. Start the Spacewalk service: spacewalk-service start

Optional update for system-user-prometheus

Description:

This update for system-user-prometheus provides the following fix:

  • Provide system-user-prometheus to SUSE Manager Server repositories and resolve installation issues (no source changes)

Recommended update for SUSE Manager 4.2 and Proxy 4.3

Description:

This update fixes the following issues:

system-user-prometheus:

  • Provide system-user-prometheus to SUSE Manager Server repositories and resolve installation issues (no source changes)

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

  • SUSE Manager Proxy 4.2 Module 4.2
    zypper in -t patch SUSE-SLE-Module-SUSE-Manager-Proxy-4.2-2023-2181=1
  • SUSE Manager Proxy 4.3 Module 4.3
    zypper in -t patch SUSE-SLE-Module-SUSE-Manager-Proxy-4.3-2023-2181=1
  • SUSE Manager Server 4.2 Module 4.2
    zypper in -t patch SUSE-SLE-Module-SUSE-Manager-Server-4.2-2023-2181=1
  • SUSE Manager Server 4.3 Module 4.3
    zypper in -t patch SUSE-SLE-Module-SUSE-Manager-Server-4.3-2023-2181=1
  • openSUSE Leap 15.4
    zypper in -t patch openSUSE-SLE-15.4-2023-2181=1
  • SUSE Manager Client Tools for SLE 15
    zypper in -t patch SUSE-SLE-Manager-Tools-15-2023-2181=1

Package List:

  • SUSE Manager Proxy 4.2 Module 4.2 (noarch)
    • system-user-prometheus-1.0.0-150000.8.4
  • SUSE Manager Proxy 4.3 Module 4.3 (noarch)
    • system-user-prometheus-1.0.0-150000.8.4
  • SUSE Manager Server 4.2 Module 4.2 (noarch)
    • system-user-prometheus-1.0.0-150000.8.4
  • SUSE Manager Server 4.3 Module 4.3 (ppc64le s390x x86_64)
    • prometheus-postgres_exporter-0.10.1-150400.3.3.6
  • SUSE Manager Server 4.3 Module 4.3 (noarch)
    • system-user-prometheus-1.0.0-150000.8.4
  • openSUSE Leap 15.4 (noarch)
    • system-user-prometheus-1.0.0-150000.8.4
  • SUSE Manager Client Tools for SLE 15 (noarch)
    • system-user-prometheus-1.0.0-150000.8.4
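
To confirm after patching that a host carries at least the builds in the package list above, the following check can be used. It is an added example, not part of the SUSE advisory; the function names are hypothetical, the sample input is constructed, and `sort -V` is used as an approximation of rpm's own version comparison.

```shell
#!/bin/sh
# Fixed builds, copied from the Package List of SUSE-SU-2023:2181-1.
fixed_build() {
    case "$1" in
        prometheus-postgres_exporter) echo "0.10.1-150400.3.3.6" ;;
        system-user-prometheus)       echo "1.0.0-150000.8.4" ;;
        *) return 1 ;;
    esac
}

# check_build NAME VERSION-RELEASE
# Prints "fixed", "outdated" or "unknown" (package not in this advisory).
check_build() {
    want=$(fixed_build "$1") || { echo "unknown"; return 2; }
    # Version sort, so that 0.9.x orders before 0.10.x (plain sort would not).
    lowest=$(printf '%s\n%s\n' "$want" "$2" | sort -V | head -n 1)
    if [ "$lowest" = "$want" ]; then
        echo "fixed"
        return 0
    fi
    echo "outdated"
    return 1
}

# audit: reads "name version-release" lines on stdin, e.g. from
#   rpm -q --qf '%{NAME} %{VERSION}-%{RELEASE}\n' prometheus-postgres_exporter system-user-prometheus
# Returns non-zero if any listed package is below its fixed build or unknown.
audit() {
    rc=0
    while read -r name build; do
        [ -n "$name" ] || continue
        status=$(check_build "$name" "$build") || rc=1
        printf '%-30s %-22s %s\n' "$name" "$build" "$status"
    done
    return $rc
}

# Constructed sample input; on a real host pipe the rpm query above into audit.
audit <<'EOF' || echo "at least one package is below the fixed build"
prometheus-postgres_exporter 0.10.1-150400.3.3.1
system-user-prometheus 1.0.0-150000.8.4
EOF
```

A non-zero return from `audit` on SUSE Manager Server 4.3 means the prometheus-postgres_exporter build with the CVE-2022-46146 fix is not yet installed.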
