Bug 1214797 (CVE-2023-20898)

Summary: VUL-0: CVE-2023-20898: salt: Git Providers can read from the wrong environment because they get the same cache directory base name
Product: [Novell Products] SUSE Security Incidents Reporter: Gabriele Sonnu <gabriele.sonnu>
Component: IncidentsAssignee: Security Team bot <security-team>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P3 - Medium CC: pablo.suarezhernandez, security-team, stoyan.manolov
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/376740/
Whiteboard: CVSSv3.1:SUSE:CVE-2023-20898:4.2:(AV:L/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N)
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Gabriele Sonnu 2023-08-30 16:05:28 UTC 
CVE-2023-20898

Description: Git Providers can read from the wrong environment because they get the same cache directory base name.
Impact: Anything that uses Git Providers with different environments can get garbage data or the wrong data, which can lead to wrongful data disclosure, wrongful executions, data corruption and/or crash.
Solution: Include environment and other information in the hash that generates cache directory base name. So, if the same repository is used with different environments, they all get their own cache directory. Also wrap Git Providers lock with a multiprocessing lock to help mitigate locking race conditions.
How to Mitigate:
Upgrade masters to 3005.2 or 3006.2.
Attribution: https://www.suse.com
Severity Rating: 4.2 CVSS v3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N
Comment 1 Gabriele Sonnu 2023-08-31 09:43:21 UTC 
This only affects the Salt Master stack. We only maintain it for Salt 3006.0.

Tracking as affected: 

- SUSE:ALP:Source:Standard:1.0/salt
- SUSE:SLE-15-SP1:Update/salt
- SUSE:SLE-15-SP2:Update/salt
- SUSE:SLE-15-SP3:Update/salt
- SUSE:SLE-15-SP4:Update/salt
- SUSE:SLE-15-SP5:Update/salt
- SUSE:Debian-10:Update:Products:ManagerTools:Update/salt
- SUSE:RES-8:Update:Products:ManagerTools:Update/salt
- SUSE:Ubuntu-18.04:Update/salt
- SUSE:Ubuntu-20.04:Update:Products:ManagerTools:Update/salt
Comment 2 Gabriele Sonnu 2023-08-31 09:58:36 UTC 
salt-master is not shipped in the last 4 codestreams listed in comment 3, so only this codestreams are affected:

- SUSE:ALP:Source:Standard:1.0/salt
- SUSE:SLE-15-SP1:Update/salt
- SUSE:SLE-15-SP2:Update/salt
- SUSE:SLE-15-SP3:Update/salt
- SUSE:SLE-15-SP4:Update/salt
- SUSE:SLE-15-SP5:Update/salt
Comment 8 Pablo Suárez Hernández 2023-09-20 15:18:25 UTC 
This should be fixed now by:

SUSE:ALP:Source:Standard:1.0 - https://build.suse.de/request/show/307891
SUSE:SLE-15-SP1:Update/salt - https://build.suse.de/request/show/307877
SUSE:SLE-15-SP2:Update/salt - https://build.suse.de/request/show/307872
SUSE:SLE-15-SP3:Update/salt - https://build.suse.de/request/show/307875
SUSE:SLE-15-SP4:Update/salt - https://build.suse.de/request/show/307874
SUSE:SLE-15-SP5:Update/salt - https://build.suse.de/request/show/307876

I'm setting assignee back to Security Team. Thanks!
Comment 12 Maintenance Automation 2023-09-28 12:30:16 UTC 
SUSE-SU-2023:3885-1: An update that solves six vulnerabilities, contains seven features and has 74 security fixes can now be installed.

Category: security (important)
Bug References: 1193948, 1193948, 1207330, 1207330, 1208692, 1208692, 1208692, 1210935, 1210935, 1211525, 1211525, 1211525, 1211874, 1211874, 1211884, 1211884, 1212246, 1212246, 1212730, 1212730, 1212814, 1212814, 1212827, 1212827, 1212856, 1212856, 1212856, 1212943, 1212943, 1212943, 1213009, 1213009, 1213077, 1213077, 1213288, 1213288, 1213441, 1213441, 1213445, 1213445, 1213445, 1213469, 1213469, 1213675, 1213675, 1213675, 1213716, 1213716, 1213880, 1213880, 1214002, 1214002, 1214121, 1214121, 1214124, 1214124, 1214187, 1214187, 1214266, 1214266, 1214280, 1214280, 1214796, 1214796, 1214797, 1214797, 1214889, 1214889, 1214982, 1214982, 1215352, 1215352, 1215362, 1215362, 1215413, 1215413, 1215497, 1215497, 1215756, 1215756
CVE References: CVE-2023-20897, CVE-2023-20897, CVE-2023-20898, CVE-2023-20898, CVE-2023-29409, CVE-2023-29409
Jira References: MSQA-699, MSQA-699, MSQA-699, SUMA-158, SUMA-158, SUMA-280, SUMA-280
Sources used:
openSUSE Leap 15.4 (src): release-notes-susemanager-proxy-4.3.8-150400.3.61.2, release-notes-susemanager-4.3.8-150400.3.77.1
SUSE Manager Proxy 4.3 (src): release-notes-susemanager-proxy-4.3.8-150400.3.61.2
SUSE Manager Retail Branch Server 4.3 (src): release-notes-susemanager-proxy-4.3.8-150400.3.61.2
SUSE Manager Server 4.3 (src): release-notes-susemanager-4.3.8-150400.3.77.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 13 Maintenance Automation 2023-09-28 12:30:16 UTC 
SUSE-SU-2023:3885-1: An update that solves six vulnerabilities, contains seven features and has 74 security fixes can now be installed.

Category: security (important)
Bug References: 1193948, 1193948, 1207330, 1207330, 1208692, 1208692, 1208692, 1210935, 1210935, 1211525, 1211525, 1211525, 1211874, 1211874, 1211884, 1211884, 1212246, 1212246, 1212730, 1212730, 1212814, 1212814, 1212827, 1212827, 1212856, 1212856, 1212856, 1212943, 1212943, 1212943, 1213009, 1213009, 1213077, 1213077, 1213288, 1213288, 1213441, 1213441, 1213445, 1213445, 1213445, 1213469, 1213469, 1213675, 1213675, 1213675, 1213716, 1213716, 1213880, 1213880, 1214002, 1214002, 1214121, 1214121, 1214124, 1214124, 1214187, 1214187, 1214266, 1214266, 1214280, 1214280, 1214796, 1214796, 1214797, 1214797, 1214889, 1214889, 1214982, 1214982, 1215352, 1215352, 1215362, 1215362, 1215413, 1215413, 1215497, 1215497, 1215756, 1215756
CVE References: CVE-2023-20897, CVE-2023-20897, CVE-2023-20898, CVE-2023-20898, CVE-2023-29409, CVE-2023-29409
Jira References: MSQA-699, MSQA-699, MSQA-699, SUMA-158, SUMA-158, SUMA-280, SUMA-280
Sources used:
openSUSE Leap 15.4 (src): release-notes-susemanager-proxy-4.3.8-150400.3.61.2, release-notes-susemanager-4.3.8-150400.3.77.1
SUSE Manager Proxy 4.3 (src): release-notes-susemanager-proxy-4.3.8-150400.3.61.2
SUSE Manager Retail Branch Server 4.3 (src): release-notes-susemanager-proxy-4.3.8-150400.3.61.2
SUSE Manager Server 4.3 (src): release-notes-susemanager-4.3.8-150400.3.77.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 14 Maintenance Automation 2023-09-28 12:30:25 UTC 
SUSE-SU-2023:3884-1: An update that solves two vulnerabilities, contains one feature and has 10 security fixes can now be installed.

Category: security (moderate)
Bug References: 1193948, 1210994, 1212794, 1212844, 1212855, 1213257, 1213441, 1213630, 1213960, 1214796, 1214797, 1215489
CVE References: CVE-2023-20897, CVE-2023-20898
Jira References: MSQA-699
Sources used:
SUSE Manager Client Tools for RHEL, Liberty and Clones 9 (src): venv-salt-minion-3006.0-1.24.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 15 Maintenance Automation 2023-09-28 12:30:31 UTC 
SUSE-SU-2023:3881-1: An update that solves two vulnerabilities, contains one feature and has 10 security fixes can now be installed.

Category: security (moderate)
Bug References: 1193948, 1210994, 1212794, 1212844, 1212855, 1213257, 1213441, 1213630, 1213960, 1214796, 1214797, 1215489
CVE References: CVE-2023-20897, CVE-2023-20898
Jira References: MSQA-699
Sources used:

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 16 Maintenance Automation 2023-09-28 12:30:41 UTC 
SUSE-SU-202308:15234-1: An update that solves two vulnerabilities, contains one feature and has 10 security fixes can now be installed.

Category: security (moderate)
Bug References: 1193948, 1210994, 1212794, 1212844, 1212855, 1213257, 1213441, 1213630, 1213960, 1214796, 1214797, 1215489
CVE References: CVE-2023-20897, CVE-2023-20898
Jira References: MSQA-699
Sources used:

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 17 Maintenance Automation 2023-09-28 12:30:49 UTC 
SUSE-SU-202309:15233-1: An update that solves two vulnerabilities, contains one feature and has 10 security fixes can now be installed.

Category: security (moderate)
Bug References: 1193948, 1210994, 1212794, 1212844, 1212855, 1213257, 1213441, 1213630, 1213960, 1214796, 1214797, 1215489
CVE References: CVE-2023-20897, CVE-2023-20898
Jira References: MSQA-699
Sources used:

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 18 Maintenance Automation 2023-09-28 12:30:55 UTC 
SUSE-SU-2023:3877-1: An update that solves two vulnerabilities, contains one feature and has 10 security fixes can now be installed.

Category: security (moderate)
Bug References: 1193948, 1210994, 1212794, 1212844, 1212855, 1213257, 1213441, 1213630, 1213960, 1214796, 1214797, 1215489
CVE References: CVE-2023-20897, CVE-2023-20898
Jira References: MSQA-699
Sources used:
SUSE Manager Client Tools for SLE 15 (src): venv-salt-minion-3006.0-150000.3.42.1
SUSE Manager Client Tools for SLE Micro 5 (src): venv-salt-minion-3006.0-150000.3.42.1
SUSE Manager Proxy 4.3 Module 4.3 (src): venv-salt-minion-3006.0-150000.3.42.1
SUSE Manager Server 4.3 Module 4.3 (src): venv-salt-minion-3006.0-150000.3.42.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 19 Maintenance Automation 2023-09-28 12:31:01 UTC 
SUSE-SU-2023:3876-1: An update that solves two vulnerabilities, contains one feature and has 10 security fixes can now be installed.

Category: security (moderate)
Bug References: 1193948, 1210994, 1212794, 1212844, 1212855, 1213257, 1213441, 1213630, 1213960, 1214796, 1214797, 1215489
CVE References: CVE-2023-20897, CVE-2023-20898
Jira References: MSQA-699
Sources used:
SUSE Manager Client Tools for SLE 12 (src): venv-salt-minion-3006.0-3.40.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 20 Maintenance Automation 2023-09-28 12:31:13 UTC 
SUSE-SU-2023:3871-1: An update that solves two vulnerabilities, contains one feature and has 10 security fixes can now be installed.

Category: security (moderate)
Bug References: 1193948, 1210994, 1212794, 1212844, 1212855, 1213257, 1213441, 1213630, 1213960, 1214796, 1214797, 1215489
CVE References: CVE-2023-20897, CVE-2023-20898
Jira References: MSQA-699
Sources used:

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 21 Maintenance Automation 2023-09-28 12:31:21 UTC 
SUSE-SU-202309:15230-1: An update that solves three vulnerabilities, contains two features and has 11 security fixes can now be installed.

Category: security (moderate)
Bug References: 1193948, 1210994, 1212794, 1212844, 1212855, 1213257, 1213441, 1213630, 1213691, 1213880, 1213960, 1214796, 1214797, 1215489
CVE References: CVE-2023-20897, CVE-2023-20898, CVE-2023-29409
Jira References: ECO-3319, MSQA-699
Sources used:

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 22 Maintenance Automation 2023-09-28 12:31:37 UTC 
SUSE-SU-2023:3866-1: An update that solves two vulnerabilities and has 10 security fixes can now be installed.

Category: security (moderate)
Bug References: 1193948, 1210994, 1212794, 1212844, 1212855, 1213257, 1213441, 1213630, 1213960, 1214796, 1214797, 1215489
CVE References: CVE-2023-20897, CVE-2023-20898
Sources used:
SUSE Linux Enterprise Server 15 SP1 LTSS 15-SP1 (src): salt-3006.0-150100.107.1
SUSE Linux Enterprise Server for SAP Applications 15 SP1 (src): salt-3006.0-150100.107.1
SUSE CaaS Platform 4.0 (src): salt-3006.0-150100.107.1
SUSE Linux Enterprise High Performance Computing 15 SP1 LTSS 15-SP1 (src): salt-3006.0-150100.107.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 23 Maintenance Automation 2023-09-28 12:31:45 UTC 
SUSE-SU-2023:3865-1: An update that solves two vulnerabilities and has 10 security fixes can now be installed.

Category: security (moderate)
Bug References: 1193948, 1210994, 1212794, 1212844, 1212855, 1213257, 1213441, 1213630, 1213960, 1214796, 1214797, 1215489
CVE References: CVE-2023-20897, CVE-2023-20898
Sources used:
SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 (src): salt-3006.0-150200.108.1
SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 (src): salt-3006.0-150200.108.1
SUSE Linux Enterprise Server for SAP Applications 15 SP2 (src): salt-3006.0-150200.108.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 24 Maintenance Automation 2023-09-28 12:31:51 UTC 
SUSE-SU-2023:3864-1: An update that solves two vulnerabilities and has 10 security fixes can now be installed.

Category: security (moderate)
Bug References: 1193948, 1210994, 1212794, 1212844, 1212855, 1213257, 1213441, 1213630, 1213960, 1214796, 1214797, 1215489
CVE References: CVE-2023-20897, CVE-2023-20898
Sources used:
SUSE Linux Enterprise High Performance Computing ESPOS 15 SP3 (src): salt-3006.0-150300.53.60.1
SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (src): salt-3006.0-150300.53.60.1
SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (src): salt-3006.0-150300.53.60.1
SUSE Linux Enterprise Server for SAP Applications 15 SP3 (src): salt-3006.0-150300.53.60.1
SUSE Manager Proxy 4.2 (src): salt-3006.0-150300.53.60.1
SUSE Manager Retail Branch Server 4.2 (src): salt-3006.0-150300.53.60.1
SUSE Manager Server 4.2 (src): salt-3006.0-150300.53.60.1
SUSE Enterprise Storage 7.1 (src): salt-3006.0-150300.53.60.1
SUSE Linux Enterprise Micro 5.1 (src): salt-3006.0-150300.53.60.1
SUSE Linux Enterprise Micro 5.2 (src): salt-3006.0-150300.53.60.1
SUSE Linux Enterprise Micro for Rancher 5.2 (src): salt-3006.0-150300.53.60.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 25 Maintenance Automation 2023-09-28 12:31:57 UTC 
SUSE-SU-2023:3863-1: An update that solves two vulnerabilities and has 10 security fixes can now be installed.

Category: security (moderate)
Bug References: 1193948, 1210994, 1212794, 1212844, 1212855, 1213257, 1213441, 1213630, 1213960, 1214796, 1214797, 1215489
CVE References: CVE-2023-20897, CVE-2023-20898
Sources used:
Transactional Server Module 15-SP4 (src): salt-3006.0-150400.8.44.1
openSUSE Leap 15.4 (src): salt-3006.0-150400.8.44.1
SUSE Linux Enterprise Micro for Rancher 5.3 (src): salt-3006.0-150400.8.44.1
SUSE Linux Enterprise Micro 5.3 (src): salt-3006.0-150400.8.44.1
SUSE Linux Enterprise Micro for Rancher 5.4 (src): salt-3006.0-150400.8.44.1
SUSE Linux Enterprise Micro 5.4 (src): salt-3006.0-150400.8.44.1
Basesystem Module 15-SP4 (src): salt-3006.0-150400.8.44.1
Server Applications Module 15-SP4 (src): salt-3006.0-150400.8.44.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 26 Maintenance Automation 2023-09-28 12:32:04 UTC 
SUSE-SU-2023:3862-1: An update that solves two vulnerabilities and has 10 security fixes can now be installed.

Category: security (moderate)
Bug References: 1193948, 1210994, 1212794, 1212844, 1212855, 1213257, 1213441, 1213630, 1213960, 1214796, 1214797, 1215489
CVE References: CVE-2023-20897, CVE-2023-20898
Sources used:
openSUSE Leap 15.5 (src): salt-3006.0-150500.4.19.1
Basesystem Module 15-SP5 (src): salt-3006.0-150500.4.19.1
Server Applications Module 15-SP5 (src): salt-3006.0-150500.4.19.1
Transactional Server Module 15-SP5 (src): salt-3006.0-150500.4.19.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 29 Maintenance Automation 2023-11-09 08:30:28 UTC 
SUSE-RU-2023:4408-1: An update that solves eight vulnerabilities, contains two features and has 48 fixes can now be installed.

Category: recommended (important)
Bug References: 1097531, 1182851, 1186738, 1190781, 1193357, 1193948, 1194632, 1195624, 1195895, 1196050, 1196432, 1197288, 1197417, 1197533, 1197637, 1198489, 1198556, 1198744, 1199149, 1199372, 1199562, 1200566, 1200596, 1201082, 1202165, 1202631, 1203685, 1203834, 1203886, 1204206, 1204939, 1205687, 1207071, 1208691, 1209233, 1210954, 1210994, 1211591, 1211612, 1211741, 1211754, 1212516, 1212517, 1212794, 1212844, 1212855, 1213257, 1213293, 1213441, 1213518, 1213630, 1213926, 1213960, 1214796, 1214797, 1215489
CVE References: CVE-2022-22934, CVE-2022-22935, CVE-2022-22936, CVE-2022-22941, CVE-2022-22967, CVE-2023-20897, CVE-2023-20898, CVE-2023-28370
Jira References: MSQA-706, PED-3139
Sources used:

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.