Security vulnerability : Remote code execution in ZeroMQ - CVE-2019-13132

This document (7023929) is provided subject to the disclaimer at the end of this document.

Environment

SUSE Linux Enterprise Server 15
SUSE Linux Enterprise Server 12

Situation

Security Researchers have found a remote unauthenticated code execution in ZeroMQ, a message exchange queuing system. The flaw is in the Elliptic Curve support, where elliptic curves can be specified by the client.

ZeroMQ is used by SUSE CaaS Platform, SUSE Enterprise Storage, SUSE Manager, and is also part of the Advanced Systems Management Module for SUSE Linux Enterprise Server.

Resolution

SUSE has released security updates to resolve this problem.

Cause

CVE-2019-13132

Additional Information

On SUSE Linux Enterprise 12 and older, and products building on top of it, ZeroMQ is built without Elliptic CURVE support and is thus not affected by this problem.

On SUSE Linux Enterprise 15, and products building on top of it, the code-base is affected and fixed by security updates.

This means that the following products are :

Not Affected:

SUSE Linux Enterprise 12 and older
SUSE Enterprise Storage 5 and older
SUSE Manager 3.x and older
SUSE CaaS Platform 3.0

Affected :

SUSE Linux Enterprise 15
SUSE Manager 4
SUSE Enterprise Storage 6

On SUSE Linux Enterprise 15 and SUSE Linux Enterprise 15 based products, this security issue is already mitigated by the stack overflow protection mechanisms, so it will only lead to a controlled termination of ZeroMQ, which is effectively only a denial of service attack.

Disclaimer

This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.