Bug 1193678 (CVE-2021-45082) - VUL-0: CVE-2021-45082: cobbler: incomplete template sanitization
Summary: VUL-0: CVE-2021-45082: cobbler: incomplete template sanitization
Status: RESOLVED FIXED
Alias: CVE-2021-45082
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Importance (priority / severity): P3 - Medium / Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/317280/
Whiteboard: CVSSv3.1:SUSE:CVE-2021-45082:7.0:(AV:...
Keywords:
Depends on:
Blocks: 1191952
Reported: 2021-12-13 14:27 UTC by Paolo Perego
Modified: 2024-01-17 09:24 UTC

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Paolo Perego 2021-12-13 14:27:50 UTC
In the templar.py file, the function check_for_invalid_imports ensures that Cheetah code is not importing Python modules. However, the control is very basic and it fires up when a line begins with #import:

        def check_for_invalid_imports(self, data):
            lines = data.split("\n")
            for line in lines:
                # Only the literal "#import" is searched for; a "#from MODULE import ..." line never enters this branch.
                if line.find("#import") != -1:
                    # Everything after "#import" (spaces removed) is treated as the module name and compared with the whitelist.
                    rest = line.replace("#import", "").replace(" ", "").strip()
                    if self.settings and rest not in self.settings.cheetah_import_whitelist:
                        raise CX("potentially insecure import in template: %s" % rest)

However, according to the Cheetah documentation[1], it is possible to include Python code with a statement of this syntax:

#from MODULE import MODULE_OR_OBJECT [as NAME] [, ...]

Having a rogue module use #from can bypass the import sanitization declared so far.

[1] https://cheetahtemplate.org/users_guide/inheritanceEtc.html
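As an added example (not code from the report, and not Cobbler's own fix), the script below puts the quoted check next to a hardened variant that recognises both `#import MODULE` and `#from MODULE import ...` directives, handles `as` aliases, and decides on the root module name. The whitelist contents, the template snippets and the function names are constructed for this example; Cobbler's real list lives in the cheetah_import_whitelist setting.

```python
import re

# Constructed for this example: Cobbler reads the real list from the
# cheetah_import_whitelist setting; the entries here are assumed.
IMPORT_WHITELIST = {"random", "re", "time"}

# One Cheetah import directive in either form, anywhere on the line:
#   #import MODULE[.SUB] [as NAME]
#   #from MODULE[.SUB] import NAME [as ALIAS] [, ...]
# Whitespace between '#' and the keyword is tolerated on purpose: matching
# too loosely only rejects a template, matching too strictly lets one through.
_IMPORT_DIRECTIVE = re.compile(
    r"#\s*(?P<kw>import|from)\s+(?P<module>[A-Za-z_][A-Za-z0-9_.]*)"
)


class InsecureImport(Exception):
    """Raised when a template imports a module that is not whitelisted."""


def imports_original(data):
    """Module names as the check quoted in the report sees them: only lines
    containing the literal '#import' are examined, and everything after it
    (spaces removed) is treated as the module name."""
    found = []
    for line in data.split("\n"):
        if line.find("#import") != -1:
            found.append(line.replace("#import", "").replace(" ", "").strip())
    return found


def imports_hardened(data):
    """Root module of every #import and #from directive in the template."""
    found = []
    for line in data.split("\n"):
        for match in _IMPORT_DIRECTIVE.finditer(line):
            # 'os.path' loads the 'os' package just as '#import os' does,
            # so the whitelist decision is made on the root name.
            found.append(match.group("module").split(".")[0])
    return found


def rejected_modules(data, whitelist=IMPORT_WHITELIST, hardened=True):
    """Modules the chosen check would refuse; an empty list means the template passes."""
    extract = imports_hardened if hardened else imports_original
    return [mod for mod in extract(data) if mod not in whitelist]


def check_for_invalid_imports(data, whitelist=IMPORT_WHITELIST):
    """Hardened replacement with the same contract as the quoted method:
    raise on the first disallowed import, return None otherwise."""
    bad = rejected_modules(data, whitelist, hardened=True)
    if bad:
        raise InsecureImport("potentially insecure import in template: %s" % bad[0])


def is_rejected(data, whitelist=IMPORT_WHITELIST):
    """True when the hardened check refuses the template."""
    try:
        check_for_invalid_imports(data, whitelist)
    except InsecureImport:
        return True
    return False


# Constructed template snippets (assumed whitelist above).
BENIGN = "#import random\ntoken=$random.randint(0, 99)\n"         # whitelisted module
ALIASED = "#import random as r\ntoken=$r.randint(0, 99)\n"        # whitelisted, with 'as'
DIRECT = "#import os\n$os.system('id')\n"                          # caught by both checks
BYPASS = "#from os import system\n$system('id')\n"                 # the bypass from the report
INDENTED = "    #from subprocess import Popen as run\n$run(['id'])\n"

if __name__ == "__main__":
    for name, tmpl in (("benign", BENIGN), ("aliased", ALIASED), ("direct", DIRECT),
                       ("bypass", BYPASS), ("indented", INDENTED)):
        print("%-8s original rejects %-14r hardened rejects %r" % (
            name, rejected_modules(tmpl, hardened=False), rejected_modules(tmpl)))
```

Running it shows the two failure modes side by side: the original check lets `#from os import system` through entirely, while it also refuses the harmless `#import random as r` because the alias is glued onto the module name. The hardened variant rejects by root module, so a whitelist entry for `os` would still allow `#import os.path`; list only modules whose whole namespace you are prepared to expose to template authors.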
Comment 1 Paolo Perego 2021-12-17 09:45:41 UTC
Tracked with CVE-2021-45082
CVSS 7.0 (CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H) 
CRD 2022-02-16 or earlier
Comment 3 Thomas Leroy 2022-01-04 16:47:32 UTC
I think the following codestreams are affected:
- openSUSE:Backports:SLE-15-SP3                              3.1.2
- openSUSE:Backports:SLE-15-SP4                              3.3.0
- openSUSE:Factory                                           3.3.0
- SUSE:SLE-11-SP3:Update                                     2.2.2-0.68.12.1
- SUSE:SLE-11-SP3:Update:Products:ManagerToolsBeta:Update    2.2.2
- SUSE:SLE-12:Update                                         2.6.6-49.14.1
- SUSE:SLE-12:Update:Products:ManagerToolsBeta:Update        2.6.6
- SUSE:SLE-15-SP2:Update:Products:Manager41:Update           3.0.0+git20190806.32c4bae0-5.14.1
- SUSE:SLE-15-SP3:Update:Products:Manager42:Update           3.1.2
Comment 4 Thomas Leroy 2022-02-04 10:49:58 UTC
(In reply to Thomas Leroy from comment #3)
> I think the following codestreams are affected:
> - openSUSE:Backports:SLE-15-SP3                              3.1.2
> - openSUSE:Backports:SLE-15-SP4                              3.3.0
> - openSUSE:Factory                                           3.3.0
> - SUSE:SLE-11-SP3:Update                                     2.2.2-0.68.12.1
> - SUSE:SLE-11-SP3:Update:Products:ManagerToolsBeta:Update    2.2.2
> - SUSE:SLE-12:Update                                         2.6.6-49.14.1
> - SUSE:SLE-12:Update:Products:ManagerToolsBeta:Update        2.6.6
> - SUSE:SLE-15-SP2:Update:Products:Manager41:Update           3.0.0+git20190806.32c4bae0-5.14.1
> - SUSE:SLE-15-SP3:Update:Products:Manager42:Update           3.1.2

For this issue, the vulnerable function is *not* contained in the shipped Koan sources, so Koan is not affected.

The list of affected codestreams is only for the Cobbler package. Furthermore, we should now add SUSE:SLE-15-SP4:Update:Products:Manager43:Update to the list of affected codestreams.
Comment 9 Paolo Perego 2022-02-18 10:58:49 UTC
The issue is now public after submission of the fixes.
Comment 10 OBSbugzilla Bot 2022-02-18 11:50:21 UTC
This is an autogenerated message for OBS integration:
This bug (1193678) was mentioned in
https://build.opensuse.org/request/show/955837 Backports:SLE-15-SP3 / cobbler
Comment 11 Swamp Workflow Management 2022-02-18 14:29:51 UTC
SUSE-SU-2022:0510-1: An update that solves two vulnerabilities and has 5 fixes is now available.

Category: security (important)
Bug References: 1193671,1193673,1193675,1193676,1193678,1195906,1195918
CVE References: CVE-2021-45082,CVE-2021-45083
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for SUSE Manager Server 4.1 (src):    cobbler-3.0.0+git20190806.32c4bae0-8.22.9.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 12 Swamp Workflow Management 2022-02-18 14:32:23 UTC
SUSE-SU-2022:0509-1: An update that solves two vulnerabilities and has 5 fixes is now available.

Category: security (important)
Bug References: 1193671,1193673,1193675,1193676,1193678,1195906,1195918
CVE References: CVE-2021-45082,CVE-2021-45083
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for SUSE Manager Server 4.2 (src):    cobbler-3.1.2-150300.5.14.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 13 Swamp Workflow Management 2022-03-01 20:20:48 UTC
openSUSE-SU-2022:0062-1: An update that solves 6 vulnerabilities and has 6 fixes is now available.

Category: security (important)
Bug References: 1184561,1185679,1186124,1189458,1193671,1193673,1193675,1193676,1193678,1194333,1195906,1195918
CVE References: CVE-2021-40323,CVE-2021-40324,CVE-2021-40325,CVE-2021-45082,CVE-2021-45083,CVE-2021-45942
JIRA References: 
Sources used:
openSUSE Leap 15.3 (src):    openexr-2.2.1-3.41.1
openSUSE Backports SLE-15-SP3 (src):    cobbler-3.1.2-bp153.2.3.1