Security update for cobbler SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2018:2561-1 Final 1 1 2018-08-30T14:10:22Z current 2018-08-30T14:10:22Z 2018-08-30T14:10:22Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for cobbler This update for cobbler fixes the following issues: Security issues fixed: - Forbid exposure of private methods in the API (CVE-2018-10931, CVE-2018-1000225, bsc#1104287, bsc#1104189, bsc#1105442) - Check access token when calling 'modify_setting' API endpoint (bsc#1104190, bsc#1105440, CVE-2018-1000226) Other bugs fixed: - Do not try to hardlink to a symlink. The result will be a dangling symlink in the general case. (bsc#1097733) - fix kernel options when generating bootiso (bsc#1101670) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). HPE-Helion-OpenStack-8-2018-1795,SUSE-OpenStack-Cloud-8-2018-1795,SUSE-SLE-Manager-Tools-12-2018-1795,SUSE-SUSE-Manager-Server-3.0-2018-1795 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2018/suse-su-20182561-1/ Link for SUSE-SU-2018:2561-1 https://lists.suse.com/pipermail/sle-security-updates/2018-August/004514.html E-Mail link for SUSE-SU-2018:2561-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1097733 SUSE Bug 1097733 https://bugzilla.suse.com/1101670 SUSE Bug 1101670 https://bugzilla.suse.com/1104189 SUSE Bug 1104189 https://bugzilla.suse.com/1104190 SUSE Bug 1104190 https://bugzilla.suse.com/1104287 SUSE Bug 1104287 https://bugzilla.suse.com/1105440 SUSE Bug 1105440 https://bugzilla.suse.com/1105442 SUSE Bug 1105442 https://www.suse.com/security/cve/CVE-2018-1000225/ SUSE CVE CVE-2018-1000225 page https://www.suse.com/security/cve/CVE-2018-1000226/ SUSE CVE CVE-2018-1000226 page https://www.suse.com/security/cve/CVE-2018-10931/ SUSE CVE CVE-2018-10931 page HPE Helion OpenStack 8 SUSE Manager Client Tools 12 SUSE Manager Server 3.0 SUSE OpenStack Cloud 8 cobbler-2.6.6-49.14.1 koan-2.6.6-49.14.1 cobbler-2.6.6-49.14.1 as a component of HPE Helion OpenStack 8 koan-2.6.6-49.14.1 as a component of SUSE Manager Client Tools 12 cobbler-2.6.6-49.14.1 as a component of SUSE Manager Server 3.0 cobbler-2.6.6-49.14.1 as a component of SUSE OpenStack Cloud 8 Cobbler version Verified as present in Cobbler versions 2.6.11+, but code inspection suggests at least 2.0.0+ or possibly even older versions may be vulnerable contains a Cross Site Scripting (XSS) vulnerability in cobbler-web that can result in Privilege escalation to admin.. This attack appear to be exploitable via "network connectivity". Sending unauthenticated JavaScript payload to the Cobbler XMLRPC API (/cobbler_api). CVE-2018-1000225 HPE Helion OpenStack 8:cobbler-2.6.6-49.14.1 SUSE Manager Client Tools 12:koan-2.6.6-49.14.1 SUSE Manager Server 3.0:cobbler-2.6.6-49.14.1 SUSE OpenStack Cloud 8:cobbler-2.6.6-49.14.1 critical 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2018/suse-su-20182561-1/ https://www.suse.com/security/cve/CVE-2018-1000225.html CVE-2018-1000225 https://bugzilla.suse.com/1104190 SUSE Bug 1104190 https://bugzilla.suse.com/1104287 SUSE Bug 1104287 https://bugzilla.suse.com/1105442 SUSE Bug 1105442 Cobbler version Verified as present in Cobbler versions 2.6.11+, but code inspection suggests at least 2.0.0+ or possibly even older versions may be vulnerable contains a Incorrect Access Control vulnerability in XMLRPC API (/cobbler_api) that can result in Privilege escalation, data manipulation or exfiltration, LDAP credential harvesting. This attack appear to be exploitable via "network connectivity". Taking advantage of improper validation of security tokens in API endpoints. Please note this is a different issue than CVE-2018-10931. CVE-2018-1000226 HPE Helion OpenStack 8:cobbler-2.6.6-49.14.1 SUSE Manager Client Tools 12:koan-2.6.6-49.14.1 SUSE Manager Server 3.0:cobbler-2.6.6-49.14.1 SUSE OpenStack Cloud 8:cobbler-2.6.6-49.14.1 important 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2018/suse-su-20182561-1/ https://www.suse.com/security/cve/CVE-2018-1000226.html CVE-2018-1000226 https://bugzilla.suse.com/1104190 SUSE Bug 1104190 https://bugzilla.suse.com/1104287 SUSE Bug 1104287 https://bugzilla.suse.com/1105440 SUSE Bug 1105440 https://bugzilla.suse.com/1105442 SUSE Bug 1105442 https://bugzilla.suse.com/1131852 SUSE Bug 1131852 It was found that cobbler 2.6.x exposed all functions from its CobblerXMLRPCInterface class over XMLRPC. A remote, unauthenticated attacker could use this flaw to gain high privileges within cobbler, upload files to arbitrary location in the context of the daemon. CVE-2018-10931 HPE Helion OpenStack 8:cobbler-2.6.6-49.14.1 SUSE Manager Client Tools 12:koan-2.6.6-49.14.1 SUSE Manager Server 3.0:cobbler-2.6.6-49.14.1 SUSE OpenStack Cloud 8:cobbler-2.6.6-49.14.1 critical 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2018/suse-su-20182561-1/ https://www.suse.com/security/cve/CVE-2018-10931.html CVE-2018-10931 https://bugzilla.suse.com/1104189 SUSE Bug 1104189 https://bugzilla.suse.com/1104190 SUSE Bug 1104190 https://bugzilla.suse.com/1104287 SUSE Bug 1104287 https://bugzilla.suse.com/1105440 SUSE Bug 1105440 https://bugzilla.suse.com/1105442 SUSE Bug 1105442 https://bugzilla.suse.com/1130105 SUSE Bug 1130105