Bug 1062464 – VUL-0: CVE-2017-14696: salt: Remote DoS with a specially crafted authentication request

Bug 1062464 - (CVE-2017-14696) VUL-0: CVE-2017-14696: salt: Remote DoS with a specially crafted authentication request

(CVE-2017-14696)
Summary:	VUL-0: CVE-2017-14696: salt: Remote DoS with a specially crafted authenticati...

Status:	RESOLVED FIXED

Classification:	Novell Products
Product:	SUSE Security Incidents
Classification:	Novell Products
Component:	Incidents
Version:	unspecified
Hardware:	Other Other

Priority:	P3 - Medium Severity: Normal
Target Milestone:	---
Assigned To:	Security Team bot
QA Contact:	Security Team bot

URL:	https://smash.suse.de/issue/193041/
Whiteboard:	CVSSv2:SUSE:CVE-2017-14696:5.0:(AV:N/...
Keywords:

Depends on:
Blocks:
	Show dependency tree / graph

Create test case

Clone This Bug

Reported:	2017-10-10 07:17 UTC by Alexander Bergmann
Modified:	2023-03-01 10:06 UTC (History)
CC List:	8 users (show)

See Also:
Found By:	Security Response Team
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Alexander Bergmann 2017-10-10 07:17:00 UTC

CVE-2017-14696

https://docs.saltstack.com/en/latest/topics/releases/2017.7.2.html

Remote Denial of Service with a specially crafted authentication request. Credit for discovering the security flaw goes to: Julian Brost (julian@0x4a42.net)

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-14696
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14696
https://docs.saltstack.com/en/2016.11/topics/releases/2016.3.8.html
https://docs.saltstack.com/en/2017.7/topics/releases/2017.7.2.html
https://docs.saltstack.com/en/2016.11/topics/releases/2016.11.8.html

Comment 1 Bernhard Wiedemann 2017-10-17 12:03:11 UTC

This is an autogenerated message for OBS integration:
This bug (1062464) was mentioned in
https://build.opensuse.org/request/show/534410 42.3 / salt

Comment 2 Bernhard Wiedemann 2017-10-17 18:08:10 UTC

This is an autogenerated message for OBS integration:
This bug (1062464) was mentioned in
https://build.opensuse.org/request/show/534524 42.2 / salt

Comment 3 Swamp Workflow Management 2017-10-20 22:16:04 UTC

openSUSE-SU-2017:2822-1: An update that solves three vulnerabilities and has 20 fixes is now available.

Category: security (moderate)
Bug References: 1020831,1022562,1022841,1023535,1027722,1030009,1030073,1032213,1032452,1032931,1035914,1036125,1038855,1040886,1042749,1043111,1052264,1053955,1059758,1061407,1062462,1062464,985112
CVE References: CVE-2017-12791,CVE-2017-14695,CVE-2017-14696
Sources used:
openSUSE Leap 42.2 (src):    salt-2017.7.2-5.3.1

Comment 4 Swamp Workflow Management 2017-10-20 22:18:10 UTC

openSUSE-SU-2017:2824-1: An update that solves two vulnerabilities and has 5 fixes is now available.

Category: security (moderate)
Bug References: 1042749,1052264,1059758,1061407,1062462,1062464,985112
CVE References: CVE-2017-14695,CVE-2017-14696
Sources used:
openSUSE Leap 42.3 (src):    salt-2017.7.2-14.1

Comment 5 Swamp Workflow Management 2017-12-20 17:26:38 UTC

SUSE-SU-2017:3380-1: An update that solves two vulnerabilities and has 7 fixes is now available.

Category: security (moderate)
Bug References: 1041993,1042749,1050003,1059291,1059758,1060230,1062462,1062464,985112
CVE References: CVE-2017-14695,CVE-2017-14696
Sources used:
SUSE Manager Tools 12 (src):    salt-2016.11.4-46.10.1
SUSE Manager Server 3.1 (src):    salt-2016.11.4-46.10.1
SUSE Manager Server 3.0 (src):    salt-2016.11.4-46.10.1
SUSE Manager Proxy 3.1 (src):    salt-2016.11.4-46.10.1
SUSE Manager Proxy 3.0 (src):    salt-2016.11.4-46.10.1
SUSE Linux Enterprise Point of Sale 12-SP2 (src):    salt-2016.11.4-46.10.1
SUSE Linux Enterprise Module for Advanced Systems Management 12 (src):    salt-2016.11.4-46.10.1
SUSE Enterprise Storage 5 (src):    salt-2016.11.4-46.10.1
SUSE Enterprise Storage 4 (src):    salt-2016.11.4-46.10.1
SUSE Enterprise Storage 3 (src):    salt-2016.11.4-46.10.1
SUSE Container as a Service Platform ALL (src):    salt-2016.11.4-46.10.1
OpenStack Cloud Magnum Orchestration 7 (src):    salt-2016.11.4-46.10.1

Comment 6 Swamp Workflow Management 2017-12-20 17:28:12 UTC

SUSE-SU-2017:3381-1: An update that solves two vulnerabilities and has 7 fixes is now available.

Category: security (moderate)
Bug References: 1041993,1042749,1050003,1059291,1059758,1060230,1062462,1062464,985112
CVE References: CVE-2017-14695,CVE-2017-14696
Sources used:
SUSE Linux Enterprise Server 11-SP4-CLIENT-TOOLS (src):    salt-2016.11.4-43.10.2
SUSE Linux Enterprise Server 11-SP3-CLIENT-TOOLS (src):    salt-2016.11.4-43.10.2

Comment 7 Andreas Stieger 2018-02-06 09:08:19 UTC

showing as resolved here

Comment 9 Swamp Workflow Management 2018-06-19 19:41:40 UTC

SUSE-SU-2018:1757-1: An update that solves two vulnerabilities and has 20 fixes is now available.

Category: security (moderate)
Bug References: 1059291,1061407,1062464,1064520,1075950,1079048,1081592,1087055,1087278,1087581,1087891,1088888,1089112,1089362,1089526,1090242,1091371,1092161,1092373,1094055,1097174,1097413
CVE References: CVE-2017-14695,CVE-2017-14696
Sources used:
SUSE Manager Tools 12 (src):    salt-2018.3.0-46.28.1, supportutils-plugin-salt-1.1.4-6.9.1
SUSE Manager Server 3.1 (src):    salt-2018.3.0-46.28.1, supportutils-plugin-salt-1.1.4-6.9.1
SUSE Manager Server 3.0 (src):    salt-2018.3.0-46.28.1, supportutils-plugin-salt-1.1.4-6.9.1
SUSE Manager Proxy 3.1 (src):    salt-2018.3.0-46.28.1, supportutils-plugin-salt-1.1.4-6.9.1
SUSE Manager Proxy 3.0 (src):    salt-2018.3.0-46.28.1, supportutils-plugin-salt-1.1.4-6.9.1
SUSE Linux Enterprise Point of Sale 12-SP2 (src):    salt-2018.3.0-46.28.1
SUSE Linux Enterprise Module for Advanced Systems Management 12 (src):    salt-2018.3.0-46.28.1

Comment 11 Swamp Workflow Management 2018-10-05 13:21:51 UTC

SUSE-RU-2018:3021-1: An update that solves 5 vulnerabilities and has 125 fixes is now available.

Category: recommended (moderate)
Bug References: 1002529,1004047,1004260,1004723,1008933,1011304,1011800,1012398,1012999,1017078,1019386,1020831,1022562,1022841,1023535,1025896,1027044,1027240,1027722,1030009,1030073,1032213,1032452,1032931,1035914,1036125,1038855,1039370,1040886,1041993,1042749,1043111,1050003,1051948,1052264,1053376,1053955,1057635,1059291,1059758,1060230,1061407,1062462,1062464,1063419,1064520,1065792,1068446,1068566,1071322,1072599,1075950,1079048,1081592,1087055,1087278,1087581,1087891,1088888,1089112,1089362,1089526,1091371,1092161,1092373,1094055,1095507,1095651,1095942,1096514,1097174,1097413,1098394,1099323,1099460,1099945,1100142,1100225,1100697,1101812,1101880,1102013,1102218,1102265,1103530,1103699,1104154,1106164,1108969,849184,849204,849205,955373,958350,959572,963322,965403,967803,969320,970669,971372,972311,972490,975093,975303,975306,975733,975757,976148,978150,978833,979448,979676,980313,983017,983512,985112,985661,986019,988506,989193,989798,990029,990439,990440,991048,993039,993549,996455,999852
CVE References: CVE-2016-1866,CVE-2016-9639,CVE-2017-12791,CVE-2017-14695,CVE-2017-14696
Sources used:
SUSE CaaS Platform 3.0 (src):    salt-2018.3.0-2.3.2, sles12-salt-api-image-3.1.0-3.3.2, sles12-salt-master-image-3.1.0-4.3.2, sles12-salt-minion-image-3.1.0-3.3.2

Comment 13 Swamp Workflow Management 2019-02-27 17:16:39 UTC

SUSE-OU-2019:13965-1: An update that solves 7 vulnerabilities and has 144 fixes is now available.

Category: optional (low)
Bug References: 1002529,1004047,1004260,1004723,1008933,1011304,1011800,1012398,1012999,1017078,1019386,1020831,1022562,1022841,1023535,1025896,1027044,1027240,1027722,1030009,1030073,1032213,1032452,1032931,1035914,1036125,1038855,1039370,1040886,1041993,1042749,1043111,1050003,1051948,1052264,1053376,1053955,1057635,1059291,1059758,1060230,1061407,1062462,1062464,1063419,1064520,1065792,1068446,1068566,1071322,1072599,1075950,1079048,1081592,1087055,1087278,1087581,1087891,1088888,1089112,1089362,1089526,1091371,1092161,1092373,1094055,1095507,1095651,1095942,1096514,1097174,1097413,1098394,1099323,1099460,1099887,1099945,1100142,1100225,1100697,1101812,1101880,1102013,1102218,1102265,1103530,1104154,1104491,1106164,1107333,1108557,1108834,1108969,1108995,1109893,1110938,1112874,1113698,1113699,1113784,1114029,1114197,1114474,1114824,1116837,1117995,1121091,1123044,1123512,1123865,849184,849204,849205,955373,958350,959572,963322,965403,967803,969320,970669,971372,972311,972490,975093,975303,975306,975733,975757,976148,978150,978833,979448,979676,980313,983017,983512,985112,985661,986019,988506,989193,989798,990029,990439,990440,991048,993039,993549,996455,999852
CVE References: CVE-2016-1866,CVE-2016-9639,CVE-2017-12791,CVE-2017-14695,CVE-2017-14696,CVE-2018-15750,CVE-2018-15751
Sources used:

Comment 14 Swamp Workflow Management 2019-02-27 17:41:28 UTC

SUSE-OU-2019:13964-1: An update that solves 7 vulnerabilities and has 144 fixes is now available.

Category: optional (low)
Bug References: 1002529,1004047,1004260,1004723,1008933,1011304,1011800,1012398,1012999,1017078,1019386,1020831,1022562,1022841,1023535,1025896,1027044,1027240,1027722,1030009,1030073,1032213,1032452,1032931,1035914,1036125,1038855,1039370,1040886,1041993,1042749,1043111,1050003,1051948,1052264,1053376,1053955,1057635,1059291,1059758,1060230,1061407,1062462,1062464,1063419,1064520,1065792,1068446,1068566,1071322,1072599,1075950,1079048,1081592,1087055,1087278,1087581,1087891,1088888,1089112,1089362,1089526,1091371,1092161,1092373,1094055,1095507,1095651,1095942,1096514,1097174,1097413,1098394,1099323,1099460,1099887,1099945,1100142,1100225,1100697,1101812,1101880,1102013,1102218,1102265,1103530,1104154,1104491,1106164,1107333,1108557,1108834,1108969,1108995,1109893,1110938,1112874,1113698,1113699,1113784,1114029,1114197,1114474,1114824,1116837,1117995,1121091,1123044,1123512,1123865,849184,849204,849205,955373,958350,959572,963322,965403,967803,969320,970669,971372,972311,972490,975093,975303,975306,975733,975757,976148,978150,978833,979448,979676,980313,983017,983512,985112,985661,986019,988506,989193,989798,990029,990439,990440,991048,993039,993549,996455,999852
CVE References: CVE-2016-1866,CVE-2016-9639,CVE-2017-12791,CVE-2017-14695,CVE-2017-14696,CVE-2018-15750,CVE-2018-15751
Sources used:

Comment 19 Swamp Workflow Management 2020-06-23 16:24:57 UTC

SUSE-SU-2020:14402-1: An update that solves 11 vulnerabilities and has 245 fixes is now available.

Category: security (moderate)
Bug References: 1002529,1003449,1004047,1004260,1004723,1008933,1011304,1011800,1012398,1012999,1013876,1013938,1015882,1017078,1019386,1020831,1022562,1022841,1023535,1024406,1025896,1027044,1027240,1027426,1027722,1030009,1030073,1032213,1032452,1032931,1035914,1036125,1038855,1039370,1040886,1041993,1042749,1043111,1044719,1050003,1051948,1052264,1053376,1053955,1057635,1059291,1059758,1060230,1061407,1062462,1062464,1063419,1064520,1065792,1068446,1068566,1070372,1071322,1072599,1075950,1076578,1079048,1080290,1081151,1081592,1083294,1085667,1087055,1087278,1087581,1087891,1088070,1088888,1089112,1089362,1089526,1091371,1092161,1092373,1094055,1094190,1095507,1095651,1095942,1096514,1097174,1097413,1098394,1099323,1099460,1099887,1099945,1100142,1100225,1100697,1101780,1101812,1101880,1102013,1102218,1102265,1102819,1103090,1103530,1103696,1104034,1104154,1104491,1106164,1107333,1108557,1108834,1108969,1108995,1109023,1109893,1110938,1111542,1112874,1113698,1113699,1113784,1114029,1114197,1114474,1114824,1116343,1116837,1117995,1121091,1121439,1122663,1122680,1123044,1123512,1123865,1124277,1125015,1125610,1125744,1127389,1128061,1128554,1129079,1129243,1130077,1130588,1130784,1131114,1132076,1133523,1133647,1134860,1135360,1135507,1135567,1135732,1135881,1137642,1138454,1139761,1140193,1140912,1143301,1146192,1146382,1148311,1148714,1150447,1151650,1151947,1152366,1153090,1153277,1153611,1154620,1154940,1155372,1157465,1157479,1158441,1159284,1162327,1162504,1163871,1163981,1165425,1165572,1167437,1167556,1168340,1169604,1169800,1170104,1170288,1170595,1171687,1171906,1172075,1173072,769106,769108,776615,849184,849204,849205,879904,887879,889605,892707,902494,908849,926318,932288,945380,948245,955373,958350,959572,963322,965403,967803,969320,970669,971372,972311,972490,975093,975303,975306,975733,975757,976148,977264,978150,978833,979448,979676,980313,983017,983512,985112,985661,986019,987798,988506,989193,989798,990029,990439,990440,991048,993039,993549,996455,999852
CVE References: CVE-2016-1866,CVE-2016-9639,CVE-2017-12791,CVE-2017-14695,CVE-2017-14696,CVE-2018-15750,CVE-2018-15751,CVE-2019-17361,CVE-2019-18897,CVE-2020-11651,CVE-2020-11652
Sources used:

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 21 Swamp Workflow Management 2020-07-21 04:22:37 UTC

SUSE-SU-2020:14431-1: An update that solves 11 vulnerabilities and has 251 fixes is now available.

Category: security (moderate)
Bug References: 1002529,1003449,1004047,1004260,1004723,1008933,1011304,1011800,1012398,1012999,1013876,1013938,1015882,1017078,1019386,1020831,1022562,1022841,1023535,1024406,1025896,1027044,1027240,1027426,1027722,1030009,1030073,1032213,1032452,1032931,1035914,1036125,1038855,1039370,1040886,1041993,1042749,1043111,1044719,1050003,1051948,1052264,1053376,1053955,1057635,1059291,1059758,1060230,1061407,1062462,1062464,1063419,1064520,1065792,1068446,1068566,1070372,1071322,1072599,1075950,1076578,1079048,1080290,1081151,1081592,1083294,1085667,1087055,1087278,1087581,1087891,1088070,1088888,1089112,1089362,1089526,1091371,1092161,1092373,1094055,1094190,1095507,1095651,1095942,1096514,1097174,1097413,1098394,1099323,1099460,1099887,1099945,1100142,1100225,1100697,1101780,1101812,1101880,1102013,1102218,1102265,1102819,1103090,1103530,1103696,1104034,1104154,1104491,1106164,1107333,1108557,1108834,1108969,1108995,1109023,1109893,1110938,1111542,1112874,1113698,1113699,1113784,1114029,1114197,1114474,1114824,1116343,1116837,1117995,1121091,1121439,1122663,1122680,1123044,1123512,1123865,1124277,1125015,1125610,1125744,1127389,1128061,1128554,1129079,1129243,1130077,1130588,1130784,1131114,1132076,1133523,1133647,1134860,1135360,1135507,1135567,1135656,1135732,1135881,1137642,1138454,1138952,1139761,1140193,1140912,1143301,1146192,1146382,1148311,1148714,1150447,1151650,1151947,1152366,1153090,1153277,1153611,1154620,1154940,1155372,1157465,1157479,1158441,1158940,1159118,1159284,1160931,1162327,1162504,1163871,1165425,1165572,1167437,1167556,1168340,1169604,1169800,1170042,1170104,1170288,1170595,1171687,1171906,1172075,1173072,1174165,769106,769108,776615,849184,849204,849205,879904,887879,889605,892707,902494,908849,926318,932288,945380,948245,955373,958350,959572,963322,965403,967803,969320,970669,971372,972311,972490,975093,975303,975306,975733,975757,976148,977264,978150,978833,979448,979676,980313,983017,983512,985112,985661,986019,987798,988506,989193,989798,990029,990439,990440,991048,993039,993549,996455,999852
CVE References: CVE-2016-1866,CVE-2016-9639,CVE-2017-12791,CVE-2017-14695,CVE-2017-14696,CVE-2018-15750,CVE-2018-15751,CVE-2019-17361,CVE-2019-18897,CVE-2020-11651,CVE-2020-11652
Sources used:

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 27 Swamp Workflow Management 2021-02-08 14:43:35 UTC

SUSE-SU-2021:0315-1: An update that solves 14 vulnerabilities and has 218 fixes is now available.

Category: security (moderate)
Bug References: 1002529,1004047,1004260,1004723,1008933,1011304,1011800,1012398,1012999,1017078,1019386,1020831,1022562,1022841,1023535,1025896,1027044,1027240,1027722,1030009,1030073,1032213,1032452,1032931,1035914,1036125,1038855,1039370,1040886,1041993,1042749,1043111,1050003,1051948,1052264,1053376,1053955,1057635,1059291,1059758,1060230,1061407,1062462,1062464,1063419,1064520,1065792,1068446,1068566,1071322,1072599,1075950,1079048,1081592,1083110,1087055,1087278,1087581,1087891,1088888,1089112,1089362,1089526,1091371,1092161,1092373,1094055,1095507,1095651,1095942,1096514,1097174,1097413,1098394,1099323,1099460,1099887,1099945,1100142,1100225,1100697,1101780,1101812,1101880,1102013,1102218,1102248,1102265,1102819,1103530,1104154,1104491,1106164,1107333,1108557,1108834,1108969,1108995,1109893,1110938,1112874,1113698,1113699,1113784,1114029,1114197,1114474,1114824,1116343,1116837,1117995,1121091,1121439,1122663,1122680,1123044,1123512,1123865,1124277,1125015,1128061,1128554,1129079,1130588,1130784,1131114,1132076,1133523,1133647,1134860,1135360,1135507,1135567,1135656,1135732,1137642,1138952,1139761,1140193,1140912,1143301,1146192,1146382,1148714,1150447,1151650,1151947,1152366,1153611,1154620,1157465,1157479,1158441,1158940,1159118,1159284,1159670,1160931,1162327,1162504,1165425,1165572,1167437,1167556,1168340,1169604,1169800,1170042,1170104,1170288,1170595,1171461,1171906,1172075,1172211,1173072,1173909,1173911,1173936,1174165,1175549,1175987,1176024,1176294,1176397,1176480,1177867,1178319,1178361,1178362,1178485,849184,849204,849205,955373,958350,959572,963322,965403,967803,969320,970669,971372,972311,972490,975093,975303,975306,975733,975757,976148,978150,978833,979448,979676,980313,983017,983512,985112,985661,986019,988506,989193,989798,990029,990439,990440,991048,993039,993549,996455,999852
CVE References: CVE-2016-1866,CVE-2016-9639,CVE-2017-12791,CVE-2017-14695,CVE-2017-14696,CVE-2018-15750,CVE-2018-15751,CVE-2019-17361,CVE-2019-18897,CVE-2020-11651,CVE-2020-11652,CVE-2020-16846,CVE-2020-17490,CVE-2020-25592
JIRA References: 
Sources used:

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 28 Swamp Workflow Management 2021-02-08 15:18:47 UTC

SUSE-SU-2021:0316-1: An update that solves 14 vulnerabilities and has 218 fixes is now available.

Category: security (moderate)
Bug References: 1002529,1004047,1004260,1004723,1008933,1011304,1011800,1012398,1012999,1017078,1019386,1020831,1022562,1022841,1023535,1025896,1027044,1027240,1027722,1030009,1030073,1032213,1032452,1032931,1035914,1036125,1038855,1039370,1040886,1041993,1042749,1043111,1050003,1051948,1052264,1053376,1053955,1057635,1059291,1059758,1060230,1061407,1062462,1062464,1063419,1064520,1065792,1068446,1068566,1071322,1072599,1075950,1079048,1081592,1083110,1087055,1087278,1087581,1087891,1088888,1089112,1089362,1089526,1091371,1092161,1092373,1094055,1095507,1095651,1095942,1096514,1097174,1097413,1098394,1099323,1099460,1099887,1099945,1100142,1100225,1100697,1101780,1101812,1101880,1102013,1102218,1102248,1102265,1102819,1103530,1104154,1104491,1106164,1107333,1108557,1108834,1108969,1108995,1109893,1110938,1112874,1113698,1113699,1113784,1114029,1114197,1114474,1114824,1116343,1116837,1117995,1121091,1121439,1122663,1122680,1123044,1123512,1123865,1124277,1125015,1128061,1128554,1129079,1130588,1130784,1131114,1132076,1133523,1133647,1134860,1135360,1135507,1135567,1135656,1135732,1137642,1138952,1139761,1140193,1140912,1143301,1146192,1146382,1148714,1150447,1151650,1151947,1152366,1153611,1154620,1157465,1157479,1158441,1158940,1159118,1159284,1159670,1160931,1162327,1162504,1165425,1165572,1167437,1167556,1168340,1169604,1169800,1170042,1170104,1170288,1170595,1171461,1171906,1172075,1172211,1173072,1173909,1173911,1173936,1174165,1175549,1175987,1176024,1176294,1176397,1176480,1177867,1178319,1178361,1178362,1178485,849184,849204,849205,955373,958350,959572,963322,965403,967803,969320,970669,971372,972311,972490,975093,975303,975306,975733,975757,976148,978150,978833,979448,979676,980313,983017,983512,985112,985661,986019,988506,989193,989798,990029,990439,990440,991048,993039,993549,996455,999852
CVE References: CVE-2016-1866,CVE-2016-9639,CVE-2017-12791,CVE-2017-14695,CVE-2017-14696,CVE-2018-15750,CVE-2018-15751,CVE-2019-17361,CVE-2019-18897,CVE-2020-11651,CVE-2020-11652,CVE-2020-16846,CVE-2020-17490,CVE-2020-25592
JIRA References: 
Sources used:

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.