Bug 1204543 (CVE-2022-31255)

Summary: VUL-0: CVE-2022-31255: SUMA/UYUNI directory path traversal vulnerability in CobblerSnipperViewAction
Product: [Novell Products] SUSE Security Incidents
Reporter: Paolo Perego <paolo.perego>
Component: Incidents
Assignee: Kevin Walter <kwalter>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P2 - High
CC: amehmood, galaxy-bugs, jgonzalez, johannes.hahn, kwalter, marina.latini, mc, obarrios, paolo.perego, parlt, rmateus
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
Whiteboard: CVSSv3.1:SUSE:CVE-2020-29411:5.0:(AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N)
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Bug Depends on:
Bug Blocks: 1201713
Attachments: The exploited vulnerability showing /etc/passwd file content

Description Paolo Perego 2022-10-20 13:49:18 UTC
During a SUMA/UYUNI audit, a directory path traversal vulnerability has been found. 

When viewing a cobbler autoinstallation snippet, it is possible to escape from the /var/lib/cobbler/snippet path using the "path" request parameter and access files outside the webserver root directory.

On a default installation, tomcat is running as a non-privileged user process, so the impact on file system confidentiality is limited to files viewable by the tomcat user, by the groups www, susemanager and tomcat, and files viewable by anyone.

To exploit this vulnerability there is no need for a particular script, but an authenticated SUMA session is needed.
Comment 2 Paolo Perego 2022-10-20 13:52:18 UTC
CRD: 2022-11-03 15.00 UTC
Comment 5 Paolo Perego 2022-10-20 14:00:36 UTC
The vulnerability is in the class com.redhat.rhn.frontend.action.kickstart.cobbler.CobblerSnipperViewAction, which reads the "path" parameter from the URL and then passes it to a File() class (line 51).

The parameter is used to load a com.redhat.rhn.domain.kickstart.cobbler.CobblerSnippet object.

As a suggested mitigation, some regex control can be done to make sure no file is loaded outside /var/lib/cobbler/snippets.
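The description and Comment 5 above describe a request parameter handed straight to File() and suggest restricting loads to /var/lib/cobbler/snippets. The following is an added example, not code from Uyuni/SUSE Manager or from the reporter, showing the weak pattern next to a hardened containment check written with java.nio.file rather than a regex (a lexical normalise-then-startsWith check, plus a real-path check for symlinks). The class and method names (SnippetPathGuard, unsafeResolve, resolveSnippet, resolveExistingSnippet, SNIPPET_ROOT) and the sample inputs are assumptions constructed for the example.

```java
import java.io.IOException;
import java.nio.file.Path;
import java.nio.file.Paths;

/**
 * Added example (not project code): a containment check for a user-supplied
 * snippet path of the kind Comment 5 suggests. All names here are assumptions.
 */
public final class SnippetPathGuard {

    /** The directory the report names as the legitimate snippet location. */
    static final Path SNIPPET_ROOT = Paths.get("/var/lib/cobbler/snippets");

    private SnippetPathGuard() {}

    /**
     * Weak pattern as described in the report: the parameter becomes a path
     * as-is, so "../" segments and absolute paths are honoured verbatim.
     */
    static Path unsafeResolve(String requestedPath) {
        return Paths.get(requestedPath);
    }

    /**
     * Hardened pattern: treat the parameter as a name relative to the root,
     * normalise "." and ".." lexically, then require the result to still lie
     * under the root. Absolute input is rejected up front because
     * Path.resolve() would otherwise discard the root entirely.
     */
    static Path resolveSnippet(String requestedPath) {
        if (requestedPath == null || requestedPath.isEmpty()) {
            throw new IllegalArgumentException("empty snippet path");
        }
        Path relative = Paths.get(requestedPath);
        if (relative.isAbsolute()) {
            throw new IllegalArgumentException("absolute snippet path rejected");
        }
        Path candidate = SNIPPET_ROOT.resolve(relative).normalize();
        if (!candidate.startsWith(SNIPPET_ROOT)) {
            throw new IllegalArgumentException("snippet path escapes " + SNIPPET_ROOT);
        }
        return candidate;
    }

    /**
     * The lexical check alone does not cover symlinks inside the root that
     * point elsewhere; toRealPath() follows them, so the containment test is
     * repeated on the real path. This needs the file to exist, hence a
     * separate step from the lexical one.
     */
    static Path resolveExistingSnippet(String requestedPath) throws IOException {
        Path candidate = resolveSnippet(requestedPath);
        Path real = candidate.toRealPath();
        if (!real.startsWith(SNIPPET_ROOT.toRealPath())) {
            throw new IllegalArgumentException("snippet resolves outside " + SNIPPET_ROOT);
        }
        return real;
    }

    public static void main(String[] args) {
        // Constructed inputs: one legitimate snippet name and two that try to
        // leave the root (the /etc/passwd case is the one shown in the attachment).
        String[] inputs = { "network_config", "../../../etc/passwd", "/etc/passwd" };
        for (String in : inputs) {
            System.out.println(in + " -> unchecked: " + unsafeResolve(in));
            try {
                System.out.println(in + " -> accepted as " + resolveSnippet(in));
            } catch (IllegalArgumentException e) {
                System.out.println(in + " -> rejected: " + e.getMessage());
            }
        }
    }
}
```

Design note: a denylist regex on "../" is easy to get wrong (encoded separators, "..\\", "....//" after a single strip pass); resolving against a fixed root and checking the normalised result is the allow-side check, and the toRealPath() step closes the symlink gap that a purely lexical check leaves open.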
Comment 11 Paolo Perego 2022-10-20 16:25:11 UTC
After an internal brainstorm with Johannes, I re-calculated the CVSS score, assigning a value of 5.

https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N/E:H

Since tomcat is running as a low-priv user process by default, this gives us a pretty solid posture over critical system-wide files.

However, consider that with this, a user can disclose constants and passwords at application level.
Comment 17 Paolo Perego 2022-10-21 11:29:32 UTC
CRD: 2022-11-04 15.00 UTC
Comment 20 Johannes Segitz 2022-10-24 15:12:14 UTC
Please use CVE-2022-31255
Comment 25 Paolo Perego 2022-11-04 16:13:01 UTC
Fixed versions: SUMA 4.3.2, 4.2.10 and Uyuni-2022.10
Comment 26 Swamp Workflow Management 2022-11-04 17:30:09 UTC
SUSE-SU-2022:3880-1: An update that fixes three vulnerabilities is now available.

Category: security (critical)
Bug References: 1204543,1204716,1204741
CVE References: CVE-2022-31255,CVE-2022-43753,CVE-2022-43754
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for SUSE Manager Server 4.3 (src):    spacewalk-java-4.3.39-150400.3.11.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 27 Swamp Workflow Management 2022-11-04 17:32:28 UTC
SUSE-SU-2022:3878-1: An update that solves three vulnerabilities and has 18 fixes is now available.

Category: security (critical)
Bug References: 1195624,1197724,1199726,1200596,1201059,1201788,1202167,1202729,1202785,1203283,1203406,1203422,1203564,1203599,1203611,1203898,1204146,1204203,1204543,1204716,1204741
CVE References: CVE-2022-31255,CVE-2022-43753,CVE-2022-43754
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for SUSE Manager Server 4.2 (src):    hub-xmlrpc-api-0.7-150300.3.9.2, inter-server-sync-0.2.4-150300.8.25.2, locale-formula-0.3-150300.3.3.2, py27-compat-salt-3000.3-150300.7.7.26.2, python-urlgrabber-3.10.2.1py2_3-150300.3.3.2, spacecmd-4.2.20-150300.4.30.2, spacewalk-backend-4.2.25-150300.4.32.4, spacewalk-client-tools-4.2.21-150300.4.27.3, spacewalk-java-4.2.43-150300.3.48.2, spacewalk-utils-4.2.18-150300.3.21.2, spacewalk-web-4.2.30-150300.3.30.3, susemanager-4.2.38-150300.3.44.3, susemanager-doc-indexes-4.2-150300.12.36.3, susemanager-docs_en-4.2-150300.12.36.2, susemanager-schema-4.2.25-150300.3.30.3, susemanager-sls-4.2.28-150300.3.36.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 28 Swamp Workflow Management 2022-11-04 17:39:20 UTC
SUSE-SU-2022:3879-1: An update that solves three vulnerabilities and has 18 fixes is now available.

Category: security (critical)
Bug References: 1195624,1197724,1199726,1200596,1201059,1201788,1202167,1202729,1202785,1203283,1203406,1203422,1203564,1203599,1203611,1203898,1204146,1204203,1204543,1204716,1204741
CVE References: CVE-2022-31255,CVE-2022-43753,CVE-2022-43754
JIRA References: 
Sources used:
SUSE Manager Server 4.2 (src):    release-notes-susemanager-4.2.10-150300.3.57.1
SUSE Manager Retail Branch Server 4.2 (src):    release-notes-susemanager-proxy-4.2.10-150300.3.46.1
SUSE Manager Proxy 4.2 (src):    release-notes-susemanager-proxy-4.2.10-150300.3.46.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.