Bug 1164120 (CVE-2020-1693) - VUL-0: CVE-2020-1693: spacewalk: XML entity attacks on /rpc/api
Summary: VUL-0: CVE-2020-1693: spacewalk: XML entity attacks on /rpc/api
Status: RESOLVED FIXED
Alias: CVE-2020-1693
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P3 - Medium
Severity: Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/252748/
Whiteboard: CVSSv3.1:SUSE:CVE-2020-1693:8.6:(AV:...
Reported: 2020-02-18 12:47 UTC by Robert Frohl
Modified: 2024-05-22 14:29 UTC

Found By: Security Response Team
Description Robert Frohl 2020-02-18 12:47:14 UTC
rh#1790381

Spacewalk up to version 2.9 is vulnerable to XML internal entity attacks via the /rpc/api endpoint. Using this vulnerability could allow an attacker to extract local files from the system running Spacewalk, but also files remotely accessible from the host. In addition, this vulnerability opens up the door for server side request forgery, denial of service attacks and potentially remote code execution in some cases.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1790381
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-1693
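The attack class named in the description, shown as an added example that is not part of this bug report and not code from Spacewalk, Uyuni or redstone-xmlrpc: a constructed XML-RPC methodCall whose DOCTYPE declares an external entity pointing at a local file, parsed once with JDK DocumentBuilderFactory defaults (which resolve SYSTEM entities, so the file content ends up in the method parameter the server would read) and once with a DOCTYPE-refusing configuration. The method name auth.login, the temporary file and its contents are illustrative; the features set in parseHardened are the usual JAXP hardening, not the actual upstream patch, which this page does not show. Requires Java 11 or later for Files.writeString.

```java
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import java.io.StringReader;
import java.nio.file.Files;
import java.nio.file.Path;

public class XmlRpcXxeDemo {

    // Constructed XML-RPC request. A legitimate client never sends a DOCTYPE;
    // here the internal subset declares an entity whose SYSTEM id is a local
    // file. The same slot could hold http://internal-host/... (SSRF) or a
    // recursive internal-entity chain (entity expansion DoS).
    static String xxePayload(Path secret) {
        return "<?xml version=\"1.0\"?>\n"
             + "<!DOCTYPE methodCall [\n"
             + "  <!ENTITY xxe SYSTEM \"" + secret.toUri() + "\">\n"
             + "]>\n"
             + "<methodCall>\n"
             + "  <methodName>auth.login</methodName>\n"        // hypothetical method
             + "  <params><param><value><string>&xxe;</string></value></param></params>\n"
             + "</methodCall>\n";
    }

    // Unhardened parse: JDK defaults (absent a restrictive jaxp.properties or
    // -Djavax.xml.accessExternalDTD) fetch and inline the external entity.
    static Document parseWithDefaults(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        return f.newDocumentBuilder().parse(new InputSource(new StringReader(xml)));
    }

    // Hardened parse: refuse any DOCTYPE up front (XML-RPC never needs one) and,
    // as defence in depth, switch off external entity/DTD loading so that even
    // a parser implementation ignoring the first feature stays safe.
    static Document parseHardened(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder().parse(new InputSource(new StringReader(xml)));
    }

    // The value the XML-RPC layer would hand to the server method.
    static String firstStringParam(Document d) {
        return d.getElementsByTagName("string").item(0).getTextContent();
    }

    public static void main(String[] args) throws Exception {
        // Constructed stand-in for a secret on the Spacewalk host.
        Path secret = Files.createTempFile("xxe-demo", ".txt");
        Files.writeString(secret, "db_password=hunter2");
        String request = xxePayload(secret);

        try {
            // Vulnerable path: the file content replaces &xxe; in the parameter.
            System.out.println("defaults : " + firstStringParam(parseWithDefaults(request)));

            // Hardened path: the parser stops at the DOCTYPE, nothing is resolved.
            try {
                parseHardened(request);
                System.out.println("hardened : parsed (unexpected)");
            } catch (SAXException e) {
                System.out.println("hardened : rejected -> " + e.getMessage());
            }
        } finally {
            Files.deleteIfExists(secret);
        }
    }
}
```

Compile and run with `javac XmlRpcXxeDemo.java && java XmlRpcXxeDemo`. On an unrestricted JDK the first line prints the temp file's content, which is exactly the local-file exfiltration the description refers to; the second line shows the hardened parser failing before any entity is touched. If the first line does not leak on your JDK, an existing jaxp.properties or system property is already restricting external access, which is a fine global safety net but no substitute for rejecting DOCTYPE in the XML-RPC handler itself.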
Comment 1 Robert Frohl 2020-02-18 12:48:27 UTC
only affects:
- SUSE:SLE-12-SP3:Update:Products:Manager32:Update

newer version in:
- SUSE:SLE-15-SP1:Update:Products:Manager40:Update
Comment 3 Julio González Gil 2020-02-20 10:38:41 UTC
Patch submitted to our upstream (Uyuni): https://build.opensuse.org/request/show/777627

And to Head, 4.0 and 3.2 devel packages.

Fix will be part of next scheduled 4.0 and 3.2 Maintenance updates.

Not sure if the bug should stay open until that moment.
Comment 4 Robert Frohl 2020-02-20 14:34:53 UTC
(In reply to Julio González Gil from comment #3)
> 
> Not sure if the bug should stay open until that moment.

If you made the submission to the build system, then assign the bug to security-team@suse.de. 

The policy for security issues at the moment is that the security team should close security bugs.
Comment 9 Swamp Workflow Management 2020-03-13 17:20:30 UTC
SUSE-SU-2020:0671-1: An update that solves two vulnerabilities and has 51 fixes is now available.

Category: security (moderate)
Bug References: 1083326,1085414,1121640,1123274,1137248,1140332,1144176,1152673,1152795,1153269,1154246,1154590,1154599,1155281,1155372,1156751,1157317,1157346,1157447,1157700,1157975,1158178,1158181,1158283,1158480,1158564,1158672,1158697,1158754,1158818,1158899,1158943,1159012,1159023,1159076,1159184,1159492,1159553,1160184,1160940,1161755,1161862,1162609,1162683,1164120,1164309,1164452,1164649,1164875,1165541,1165927,1166061,1166388
CVE References: CVE-2018-1077,CVE-2020-1693
Sources used:
SUSE Linux Enterprise Module for SUSE Manager Server 4.0 (src):    branch-network-formula-0.1.1580471316.1839544-3.10.2, image-sync-formula-0.1.1579102150.4716559-3.11.2, mgr-osad-4.0.11-3.9.2, patterns-suse-manager-4.0-9.10.2, prometheus-formula-0.1-4.7.2, pxe-default-image-sle15-4.0.1-20200305173027, pxe-formula-0.1.1580384994.6076a7e-3.11.2, py26-compat-salt-2016.11.10-10.11.2, python-susemanager-retail-1.0.1580471316.1839544-3.13.2, redstone-xmlrpc-1.1_20071120-0.11.3.2, salt-netapi-client-0.17.0-4.3.2, spacecmd-4.0.18-3.13.2, spacewalk-admin-4.0.9-3.6.2, spacewalk-backend-4.0.30-3.23.3, spacewalk-certs-tools-4.0.15-3.15.2, spacewalk-client-tools-4.0.12-3.13.2, spacewalk-java-4.0.31-3.23.1, spacewalk-search-4.0.9-3.11.2, spacewalk-setup-4.0.13-3.11.1, spacewalk-utils-4.0.16-3.15.2, spacewalk-web-4.0.19-3.18.3, subscription-matcher-0.25-3.3.2, susemanager-4.0.22-3.20.3, susemanager-doc-indexes-4.0-10.18.2, susemanager-docs_en-4.0-10.18.2, susemanager-schema-4.0.18-3.17.2, susemanager-sls-4.0.24-3.17.2, susemanager-sync-data-4.0.16-3.15.2, system-lock-formula-0.2-4.5.1, virtualization-host-formula-0.2-4.3.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 10 Swamp Workflow Management 2020-03-13 17:51:45 UTC
SUSE-RU-2020:0687-1: An update that has 51 recommended fixes can now be installed.

Category: recommended (moderate)
Bug References: 1083326,1085414,1121640,1123274,1137248,1140332,1144176,1152673,1152795,1153269,1154246,1154590,1154599,1155281,1155372,1156751,1157317,1157346,1157447,1157700,1157975,1158178,1158181,1158283,1158480,1158564,1158672,1158697,1158754,1158818,1158899,1158943,1159012,1159023,1159076,1159184,1159492,1159553,1160184,1160940,1161755,1161862,1162609,1162683,1164120,1164309,1164452,1164649,1164875,1165541,1166061
CVE References: 
Sources used:
SUSE Manager Server 4.0 (src):    release-notes-susemanager-4.0.5-3.38.1
SUSE Manager Retail Branch Server 4.0 (src):    release-notes-susemanager-proxy-4.0.5-0.16.26.1
SUSE Manager Proxy 4.0 (src):    release-notes-susemanager-proxy-4.0.5-0.16.26.1
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (src):    release-notes-susemanager-4.0.5-3.38.1, release-notes-susemanager-proxy-4.0.5-0.16.26.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 11 Swamp Workflow Management 2020-03-13 18:08:12 UTC
SUSE-SU-2020:0671-1: An update that solves three vulnerabilities and has 51 fixes is now available.

Category: security (moderate)
Bug References: 1083326,1085414,1121640,1123274,1137248,1140332,1144176,1152673,1152795,1153269,1154246,1154590,1154599,1155281,1155372,1156751,1157317,1157346,1157447,1157700,1157975,1158178,1158181,1158283,1158480,1158564,1158672,1158697,1158754,1158818,1158899,1158943,1159012,1159023,1159076,1159184,1159492,1159553,1160184,1160940,1161755,1161862,1162609,1162683,1164120,1164309,1164452,1164649,1164875,1165425,1165541,1165927,1166061,1166388
CVE References: CVE-2018-1077,CVE-2019-16769,CVE-2020-1693
Sources used:
SUSE Linux Enterprise Module for SUSE Manager Server 4.0 (src):    branch-network-formula-0.1.1580471316.1839544-3.10.2, image-sync-formula-0.1.1579102150.4716559-3.11.2, mgr-osad-4.0.11-3.9.2, patterns-suse-manager-4.0-9.10.2, prometheus-formula-0.1-4.7.2, pxe-default-image-sle15-4.0.1-20200305173027, pxe-formula-0.1.1580384994.6076a7e-3.11.2, py26-compat-salt-2016.11.10-10.11.2, python-susemanager-retail-1.0.1580471316.1839544-3.13.2, redstone-xmlrpc-1.1_20071120-0.11.3.2, salt-netapi-client-0.17.0-4.3.2, spacecmd-4.0.18-3.13.2, spacewalk-admin-4.0.9-3.6.2, spacewalk-backend-4.0.30-3.23.3, spacewalk-certs-tools-4.0.15-3.15.2, spacewalk-client-tools-4.0.12-3.13.2, spacewalk-java-4.0.31-3.23.1, spacewalk-search-4.0.9-3.11.2, spacewalk-setup-4.0.13-3.11.1, spacewalk-utils-4.0.16-3.15.2, spacewalk-web-4.0.19-3.18.3, subscription-matcher-0.25-3.3.2, susemanager-4.0.22-3.20.3, susemanager-doc-indexes-4.0-10.18.2, susemanager-docs_en-4.0-10.18.2, susemanager-schema-4.0.18-3.17.2, susemanager-sls-4.0.24-3.17.2, susemanager-sync-data-4.0.16-3.15.2, system-lock-formula-0.2-4.5.1, virtualization-host-formula-0.2-4.3.2
SUSE Linux Enterprise Module for SUSE Manager Proxy 4.0 (src):    mgr-osad-4.0.11-3.9.2, patterns-suse-manager-4.0-9.10.2, spacecmd-4.0.18-3.13.2, spacewalk-backend-4.0.30-3.23.3, spacewalk-certs-tools-4.0.15-3.15.2, spacewalk-client-tools-4.0.12-3.13.2, spacewalk-web-4.0.19-3.18.3, supportutils-plugin-susemanager-client-4.0.3-3.3.2, supportutils-plugin-susemanager-proxy-4.0.3-3.3.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 14 Swamp Workflow Management 2020-04-02 19:18:08 UTC
SUSE-SU-2020:0856-1: An update that solves two vulnerabilities and has 15 fixes is now available.

Category: security (moderate)
Bug References: 1085414,1140332,1155372,1157317,1158899,1159184,1160246,1161862,1162609,1162683,1163001,1163538,1164120,1164563,1164771,1165425,1165921
CVE References: CVE-2018-1077,CVE-2020-1693
Sources used:
SUSE Manager Server 3.2 (src):    py26-compat-salt-2016.11.10-6.35.1, redstone-xmlrpc-1.1_20071120-0.11.3.1, spacecmd-2.8.25.14-3.32.1, spacewalk-admin-2.8.4.6-3.12.1, spacewalk-backend-2.8.57.22-3.48.1, spacewalk-certs-tools-2.8.8.14-3.23.1, spacewalk-client-tools-2.8.22.7-3.12.1, spacewalk-java-2.8.78.28-3.47.1, spacewalk-setup-2.8.7.10-3.25.1, spacewalk-utils-2.8.18.6-3.12.1, spacewalk-web-2.8.7.23-3.45.1, subscription-matcher-0.25-4.15.1, susemanager-3.2.23-3.40.2, susemanager-sls-3.2.30-3.44.1, susemanager-sync-data-3.2.19-3.35.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 15 Swamp Workflow Management 2020-04-02 19:23:21 UTC
SUSE-RU-2020:0855-1: An update that has 17 recommended fixes can now be installed.

Category: recommended (moderate)
Bug References: 1085414,1140332,1155372,1157317,1158899,1159184,1160246,1161862,1162609,1162683,1163001,1163538,1164120,1164563,1164771,1165425,1165921
CVE References: 
Sources used:
SUSE Manager Server 3.2 (src):    release-notes-susemanager-3.2.14-6.50.1
SUSE Manager Proxy 3.2 (src):    release-notes-susemanager-proxy-3.2.14-0.16.42.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 17 Andrea Mattiazzo 2024-05-22 14:29:56 UTC
All done, closing.