Bug 1209395

Summary:	VUL-0: SUMA: SSH private key diclosed in log file
Product:	[Novell Products] SUSE Security Incidents	Reporter:	Paolo Perego <paolo.perego>
Component:	Incidents	Assignee:	Kevin Walter <kwalter>
Status:	RESOLVED FIXED	QA Contact:	Security Team bot <security-team>
Severity:	Normal
Priority:	P1 - Urgent	CC:	abdelrahman.mohamed, galaxy-bugs, jgonzalez, johannes.hahn, kwalter, marina.latini, witold.bedyk
Version:	unspecified
Target Milestone:	---
Hardware:	Other
OS:	Other
Whiteboard:
Found By:	---	Services Priority:
Business Priority:		Blocker:	---
Marketing QA Status:	---	IT Deployment:	---
Bug Depends on:
Bug Blocks:	1197339, 1209434

Description Paolo Perego 2023-03-16 17:24:43 UTC

During the analysis of bsc#1209351, a security vulnerability was found.

While adding the PAYG image, the following log message was logged in the `/var/log/rhn/rhn_web_api.log` file:
"""
root@suma-server1:~# tail -f /var/log/rhn/rhn_web_api.log 
[2023-03-15 15:37:55,766] INFO  - REQUESTED FROM: 35.235.240.146 CALL: admin.config.payg(bastion_port="", bastion_host="", instance_edit=false, description="SUMA PAYG Client1", bastion_password="", bastion_key="", password="", bastion_username="", port="22", bastion_key_password="", bastion_edit=false, host="suma-payg-client1.ab-suma.lab", key_password="", key="-----BEGIN OPENSSH PRIVATE KEY-----
<PRIVATE KEY>
-----END OPENSSH PRIVATE KEY-----", username="ab") CALLER: (suma-admin) TIME: 0.035 seconds
"""

Comment 6 Julio González Gil 2023-03-22 10:58:39 UTC

For whoever will prepare a fix for this:

- For 4.2, if affected: PR against `Manager-4.2` and ping Marina (she's preparing the 4.2.15 submission.
- For 4.3, PR against `Manager-4.3-MU-4.3.5` and ping Julio (he will prepare the unscheduled MU for this)
- For master: do not do anything until the embargo is lifted. Not even preparing commits in your fork!


Disregard previous comments about target branches.

Comment 7 Witek Bedyk 2023-03-23 13:12:10 UTC

PR for SUMA 4.3: https://github.com/SUSE/spacewalk/pull/20868
SUMA 4.2 is not affected.

Comment 10 Paolo Perego 2023-03-31 13:17:39 UTC

This is an instance of CVE-2023-22644 (bsc#1209434)

Comment 16 Paolo Perego 2023-04-14 08:03:52 UTC

Closed also for upstream: https://lists.opensuse.org/archives/list/announce@lists.uyuni-project.org/thread/W5WBXQOUV7TT3JCVJ4GGBMF5YLDRT72D/

Comment 20 Maintenance Automation 2024-02-27 11:07:10 UTC

SUSE-SU-2023:1830-1: An update that has four security fixes can now be installed.

Category: security (moderate)
Bug References: 1209386, 1209395, 1209689, 1209703
Sources used:
SUSE Manager Proxy 4.3 Module 4.3 (src): spacewalk-web-4.3.29-150400.3.18.1
SUSE Manager Server 4.3 Module 4.3 (src): spacewalk-web-4.3.29-150400.3.18.1, spacewalk-java-4.3.52-150400.3.41.3

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 21 Maintenance Automation 2024-02-27 11:26:16 UTC

SUSE-RU-2023:2566-1: An update that solves one vulnerability, contains one feature and has 58 recommended fixes can now be installed.

Category: recommended (moderate)
Bug References: 1201063, 1203599, 1204089, 1204270, 1204900, 1205600, 1206060, 1206191, 1206423, 1206725, 1206783, 1207063, 1207595, 1207814, 1207829, 1207830, 1208288, 1208321, 1208427, 1208522, 1208536, 1208540, 1208550, 1208586, 1208661, 1208687, 1208719, 1208772, 1208965, 1209119, 1209143, 1209149, 1209215, 1209220, 1209231, 1209253, 1209277, 1209386, 1209395, 1209434, 1209508, 1209557, 1209926, 1209938, 1209993, 1210086, 1210094, 1210101, 1210107, 1210154, 1210162, 1210349, 1210437, 1210458, 1210776, 1210835, 1211956, 1211958, 1212363
CVE References: CVE-2023-22644
Jira References: MSQA-666
Sources used:
SUSE Manager Proxy 4.3 Module 4.3 (src): susemanager-build-keys-15.4.9-150400.3.20.2, spacecmd-4.3.21-150400.3.18.5, mgr-daemon-4.3.7-150400.3.9.5, spacewalk-web-4.3.31-150400.3.21.7, spacewalk-proxy-4.3.16-150400.3.20.6, spacewalk-backend-4.3.21-150400.3.21.13, spacewalk-proxy-installer-4.3.11-150400.3.6.4, uyuni-common-libs-4.3.8-150400.3.12.5
SUSE Manager Server 4.3 Module 4.3 (src): susemanager-4.3.27-150400.3.26.5, spacewalk-setup-4.3.16-150400.3.21.6, python-urlgrabber-4.1.0-150400.4.3.6.3, spacewalk-search-4.3.9-150400.3.12.7, virtual-host-gatherer-1.0.26-150400.3.12.3, perl-Satcon-4.3.2-150400.3.3.5, spacewalk-admin-4.3.11-150400.3.6.6, branch-network-formula-0.1.1680167239.23f2fec-150400.3.3.3, spacewalk-backend-4.3.21-150400.3.21.13, spacewalk-java-4.3.58-150400.3.46.4, supportutils-plugin-susemanager-4.3.7-150400.3.9.6, spacewalk-config-4.3.10-150400.3.6.3, susemanager-sls-4.3.33-150400.3.25.7, spacecmd-4.3.21-150400.3.18.5, hub-xmlrpc-api-0.7-150400.5.6.5, susemanager-docs_en-4.3-150400.9.27.3, susemanager-tftpsync-4.3.4-150400.3.9.9, cpu-mitigations-formula-0.5.0-150400.3.3.3, susemanager-schema-4.3.18-150400.3.18.7, susemanager-build-keys-15.4.9-150400.3.20.2, spacewalk-web-4.3.31-150400.3.21.7, cobbler-3.3.3-150400.5.25.3, uyuni-common-libs-4.3.8-150400.3.12.5

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 22 Maintenance Automation 2024-02-27 11:33:12 UTC

SUSE-RU-2023:2592-1: An update that solves two vulnerabilities, contains one feature and has 90 recommended fixes can now be installed.

Category: recommended (important)
Bug References: 1201059, 1201063, 1203599, 1204089, 1204186, 1204270, 1204900, 1205011, 1205088, 1205600, 1205759, 1206060, 1206146, 1206191, 1206423, 1206520, 1206562, 1206725, 1206783, 1206800, 1206817, 1206861, 1206932, 1206963, 1206973, 1206979, 1206981, 1207063, 1207087, 1207141, 1207297, 1207352, 1207595, 1207792, 1207799, 1207814, 1207829, 1207830, 1207838, 1207867, 1207883, 1208046, 1208119, 1208288, 1208321, 1208325, 1208427, 1208522, 1208536, 1208540, 1208550, 1208586, 1208611, 1208661, 1208687, 1208719, 1208772, 1208908, 1209119, 1209143, 1209149, 1209215, 1209220, 1209231, 1209253, 1209259, 1209277, 1209369, 1209386, 1209395, 1209434, 1209508, 1209557, 1209926, 1209938, 1209993, 1210086, 1210094, 1210101, 1210107, 1210154, 1210162, 1210349, 1210437, 1210458, 1210776, 1210835, 1211956, 1211958, 1212096, 1212363, 1212516
CVE References: CVE-2022-46146, CVE-2023-22644
Jira References: MSQA-666
Sources used:
openSUSE Leap 15.4 (src): release-notes-susemanager-proxy-4.3.6-150400.3.55.4, release-notes-susemanager-4.3.6-150400.3.63.2
SUSE Manager Proxy 4.3 (src): release-notes-susemanager-proxy-4.3.6-150400.3.55.4
SUSE Manager Retail Branch Server 4.3 (src): release-notes-susemanager-proxy-4.3.6-150400.3.55.4
SUSE Manager Server 4.3 (src): release-notes-susemanager-4.3.6-150400.3.63.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.