Security update for SUSE Manager Client Tools

Announcement ID:	SUSE-SU-2023:2185-1
Rating:	important
References:	bsc#1181400 bsc#1197284 bsc#1203185 bsc#1208060 bsc#1208064 bsc#1208965 jsc#MSQA-663 jsc#MSQA-665
Cross-References:	CVE-2022-27191 CVE-2022-27664 CVE-2022-46146
CVSS scores:	CVE-2022-27191 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2022-27191 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2022-27664 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2022-27664 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2022-46146 ( SUSE ): 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2022-46146 ( NVD ): 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Affected Products:	SUSE Manager Client Tools for RHEL, Liberty and Clones 9

An update that solves three vulnerabilities, contains two features and has three security fixes can now be installed.

Description:

This update fixes the following issues:

prometheus-postgres_exporter:

• Security issues fixed:
• CVE-2022-46146: Fix authentication bypass via cache poisoning (bsc#1208060)
• Other non-security issues fixed:
• Adapt the systemd service security configuration to be able to start it on for Red Hat Linux Enterprise systems and clones
• Add hardening to systemd service(s) (bsc#1181400)
• Create the prometheus user for Red Hat Linux Enterprise systems and clones
• Fix broken log-level for values other than debug (bsc#1208965)

golang-github-prometheus-node_exporter:

• Security issues fixed in this version upgrade to 1.5.0:
• CVE-2022-27191: Update go/x/crypto (bsc#1197284)
• CVE-2022-27664: Update go/x/net (bsc#1203185)
• CVE-2022-46146: Update exporter-toolkit (bsc#1208064)
• Other non-security bug fixes and changes in this version update to 1.5.0:
• NOTE: This changes the Go runtime "GOMAXPROCS" to 1. This is done to limit the concurrency of the exporter to 1 CPU thread at a time in order to avoid a race condition problem in the Linux kernel and parallel IO issues on nodes with high numbers of CPUs/CPU threads.
• [CHANGE] Default GOMAXPROCS to 1
• [CHANGE] Merge metrics descriptions in textfile collector
• [BUGFIX] Fix hwmon label sanitizer
• [BUGFIX] Use native endianness when encoding InetDiagMsg
• [BUGFIX] Fix btrfs device stats always being zero
• [BUGFIX] Fix diskstats exclude flags
• [BUGFIX] [node-mixin] Fix fsSpaceAvailableCriticalThreshold and fsSpaceAvailableWarning
• [BUGFIX] Fix concurrency issue in ethtool collector
• [BUGFIX] Fix concurrency issue in netdev collector
• [BUGFIX] Fix diskstat reads and write metrics for disks with different sector sizes
• [BUGFIX] Fix iostat on macos broken by deprecation warning
• [BUGFIX] Fix NodeFileDescriptorLimit alerts
• [BUGFIX] Sanitize rapl zone names
• [BUGFIX] Add file descriptor close safely in test
• [BUGFIX] Fix race condition in os_release.go
• [BUGFIX] Skip ZFS IO metrics if their paths are missing
• [FEATURE] Add multiple listeners and systemd socket listener activation
• [FEATURE] [node-mixin] Add darwin dashboard to mixin
• [FEATURE] Add "isolated" metric on cpu collector on linux
• [FEATURE] Add cgroup summary collector
• [FEATURE] Add selinux collector
• [FEATURE] Add slab info collector
• [FEATURE] Add sysctl collector
• [FEATURE] Also track the CPU Spin time for OpenBSD systems
• [FEATURE] Add support for MacOS version
• [ENHANCEMENT] Add RTNL version of netclass collector
• [ENHANCEMENT] [node-mixin] Add missing selectors
• [ENHANCEMENT] [node-mixin] Change current datasource to grafana's default
• [ENHANCEMENT] [node-mixin] Change disk graph to disk table
• [ENHANCEMENT] [node-mixin] Change io time units to %util
• [ENHANCEMENT] Ad user_wired_bytes and laundry_bytes on *bsd
• [ENHANCEMENT] Add additional vm_stat memory metrics for darwin
• [ENHANCEMENT] Add device filter flags to arp collector
• [ENHANCEMENT] Add diskstats include and exclude device flags
• [ENHANCEMENT] Add node_softirqs_total metric
• [ENHANCEMENT] Add rapl zone name label option
• [ENHANCEMENT] Add slabinfo collector
• [ENHANCEMENT] Allow user to select port on NTP server to query
• [ENHANCEMENT] collector/diskstats: Add labels and metrics from udev
• [ENHANCEMENT] Enable builds against older macOS SDK
• [ENHANCEMENT] qdisk-linux: Add exclude and include flags for interface name
• [ENHANCEMENT] systemd: Expose systemd minor version
• [ENHANCEMENT] Use netlink for tcpstat collector
• [ENHANCEMENT] Use netlink to get netdev stats
• [ENHANCEMENT] Add additional perf counters for stalled frontend/backend cycles
• [ENHANCEMENT] Add btrfs device error stats

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

• SUSE Manager Client Tools for RHEL, Liberty and Clones 9
  zypper in -t patch SUSE-EL-9-CLIENT-TOOLS-2023-2185=1

Package List:

• SUSE Manager Client Tools for RHEL, Liberty and Clones 9 (aarch64 ppc64le x86_64)
  • golang-github-prometheus-node_exporter-debugsource-1.5.0-1.6.1
  • golang-github-prometheus-node_exporter-1.5.0-1.6.1
  • golang-github-prometheus-node_exporter-debuginfo-1.5.0-1.6.1
• SUSE Manager Client Tools for RHEL, Liberty and Clones 9 (aarch64 ppc64le s390x x86_64)
  • prometheus-postgres_exporter-0.10.1-1.6.2

References:

• https://www.suse.com/security/cve/CVE-2022-27191.html
• https://www.suse.com/security/cve/CVE-2022-27664.html
• https://www.suse.com/security/cve/CVE-2022-46146.html
• https://bugzilla.suse.com/show_bug.cgi?id=1181400
• https://bugzilla.suse.com/show_bug.cgi?id=1197284
• https://bugzilla.suse.com/show_bug.cgi?id=1203185
• https://bugzilla.suse.com/show_bug.cgi?id=1208060
• https://bugzilla.suse.com/show_bug.cgi?id=1208064
• https://bugzilla.suse.com/show_bug.cgi?id=1208965
• https://jira.suse.com/browse/MSQA-663
• https://jira.suse.com/browse/MSQA-665