Main Vulnerability Database SB2022070436

SB2022070436 - SUSE update for salt

Published: July 4, 2022

Security Bulletin ID SB2022070436

Severity

Low

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Remote access

Highest impact Code execution

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 security vulnerability.

1) Improper Authentication (CVE-ID: CVE-2022-22967)

The vulnerability allows a remote attacker to bypass authentication process.

The vulnerability exists due to a missing check for PAM_ACCT_MGM return value. A remote user whose account is locked can continue to run Salt commands.

Remediation

Install update from vendor's website.

References

https://www.suse.com/support/update/announcement/2022/suse-su-20222253-1/

Vulnerable Software

SUSE Linux Enterprise Server for SAP: 15-SP2
SUSE Linux Enterprise High Performance Computing: 15-ESPOS - 15-LTSS
SUSE Linux Enterprise Server: 15-LTSS
salt-zsh-completion: before 3004-150000.8.41.40.1
salt-fish-completion: before 3004-150000.8.41.40.1
salt-bash-completion: before 3004-150000.8.41.40.1
salt-transactional-update: before 3004-150000.8.41.40.1
salt-syndic: before 3004-150000.8.41.40.1
salt-standalone-formulas-configuration: before 3004-150000.8.41.40.1
salt-ssh: before 3004-150000.8.41.40.1
salt-proxy: before 3004-150000.8.41.40.1
salt-minion: before 3004-150000.8.41.40.1
salt-master: before 3004-150000.8.41.40.1
salt-doc: before 3004-150000.8.41.40.1
salt-cloud: before 3004-150000.8.41.40.1
salt-api: before 3004-150000.8.41.40.1
salt: before 3004-150000.8.41.40.1
python3-salt: before 3004-150000.8.41.40.1

SB2022070436 - SUSE update for salt

Breakdown by Severity

Description

Remediation

References

Please verify you're human