Bugzilla – Bug 1113699
VUL-0: CVE-2018-15751: salt: remote authentication bypass in salt-api(netapi) allows to execute arbitrary commands
Last modified: 2023-03-01 10:10:05 UTC
CVE-2018-15751

SaltStack Salt before 2017.7.8 and 2018.3.x before 2018.3.3 allow remote attackers to bypass authentication and execute arbitrary commands via salt-api(netapi).

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-15751
http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-15751.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15751
https://docs.saltstack.com/en/2017.7/topics/releases/2017.7.8.html
https://docs.saltstack.com/en/latest/topics/releases/2018.3.3.html
https://groups.google.com/d/msg/salt-users/dimVF7rpphY/jn3Xv3MbBQAJ
https://groups.google.com/d/msg/salt-users/L9xqcJ0UXxs/qgDj42obBQAJ
SUSE-RU-2018:3809-1: An update that has 38 recommended fixes can now be installed. Category: recommended (low) Bug References: 1034030,1037389,1042184,1080474,1090676,1094524,1094705,1094992,1095220,1095942,1095972,1096319,1096494,1096511,1098970,1099857,1100852,1101033,1104120,1104487,1105045,1105074,1105720,1105724,1105886,1106164,1106875,1107117,1107302,1107850,1107869,1109235,1111249,1111542,1112163,1113557,1113698,1113699 CVE References: Sources used: SUSE Manager Server 3.1 (src): release-notes-susemanager-3.1.9-5.41.1, susemanager-docs_en-3.1-10.23.1 SUSE Manager Proxy 3.1 (src): release-notes-susemanager-proxy-3.1.9-0.15.32.1
SUSE-SU-2018:3811-1: An update that solves two vulnerabilities and has 33 fixes is now available. Category: security (moderate) Bug References: 1034030,1037389,1042184,1080474,1090676,1094524,1094992,1095220,1095942,1095972,1096511,1098970,1099857,1100852,1101033,1104120,1104487,1105045,1105074,1105720,1105724,1105886,1106164,1106875,1107117,1107302,1107850,1107869,1109235,1111249,1111542,1112163,1113557,1113698,1113699 CVE References: CVE-2017-14695,CVE-2017-14696 Sources used: SUSE Manager Server 3.1 (src): apache-mybatis-3.2.3-1.3.1, hadoop-0.18.1-1.3.1, icu4j-55.1-1.3.1, lucene-2.4.1-1.3.1, nekohtml-1.9.21-1.3.1, nutch-core-1.0.1-1.3.1, picocontainer-1.3.7-1.3.1, py26-compat-salt-2016.11.10-1.16.1, smdba-1.6.2-0.2.9.1, spacecmd-2.7.8.13-2.26.1, spacewalk-2.7.0.6-2.6.1, spacewalk-backend-2.7.73.15-2.26.1, spacewalk-branding-2.7.2.15-2.25.1, spacewalk-doc-indexes-2.7.0.4-2.6.1, spacewalk-java-2.7.46.17-2.35.1, spacewalk-search-2.7.3.6-2.16.1, spacewalk-utils-2.7.10.9-2.17.1, spacewalk-web-2.7.1.19-2.29.1, subscription-matcher-0.21-4.6.1, susemanager-3.1.16-2.26.1, susemanager-branding-oss-3.1.2-3.3.1, susemanager-schema-3.1.20-2.33.1, susemanager-sls-3.1.19-2.30.1, susemanager-sync-data-3.1.16-2.29.1, tagsoup-1.2.1-1.3.1, tika-core-1.19.1-1.3.1
SUSE-SU-2018:3813-1: An update that fixes two vulnerabilities is now available. Category: security (important) Bug References: 1113698,1113699 CVE References: CVE-2018-15750,CVE-2018-15751 Sources used: SUSE Linux Enterprise Server 11-SP4-CLIENT-TOOLS (src): salt-2016.11.10-43.38.1 SUSE Linux Enterprise Server 11-SP3-CLIENT-TOOLS (src): salt-2016.11.10-43.38.1
SUSE-SU-2018:3815-1: An update that solves two vulnerabilities and has three fixes is now available. Category: security (important) Bug References: 1110938,1113698,1113699,1113784,1114197 CVE References: CVE-2018-15750,CVE-2018-15751 Sources used: SUSE Linux Enterprise Module for Server Applications 15 (src): salt-2018.3.0-5.20.1 SUSE Linux Enterprise Module for Basesystem 15 (src): salt-2018.3.0-5.20.1
SUSE-SU-2018:3816-1: An update that fixes two vulnerabilities is now available. Category: security (important) Bug References: 1113698,1113699 CVE References: CVE-2018-15750,CVE-2018-15751 Sources used: SUSE Manager Server 3.2 (src): py26-compat-salt-2016.11.10-6.15.1
SUSE-SU-2018:3862-1: An update that solves two vulnerabilities and has three fixes is now available. Category: security (important) Bug References: 1110938,1113698,1113699,1113784,1114197 CVE References: CVE-2018-15750,CVE-2018-15751 Sources used: SUSE Manager Tools 12 (src): salt-2018.3.0-46.44.1 SUSE Manager Server 3.2 (src): salt-2018.3.0-46.44.1 SUSE Manager Server 3.1 (src): salt-2018.3.0-46.44.1 SUSE Manager Server 3.0 (src): salt-2018.3.0-46.44.1 SUSE Manager Proxy 3.2 (src): salt-2018.3.0-46.44.1 SUSE Manager Proxy 3.1 (src): salt-2018.3.0-46.44.1 SUSE Manager Proxy 3.0 (src): salt-2018.3.0-46.44.1 SUSE Linux Enterprise Point of Sale 12-SP2 (src): salt-2018.3.0-46.44.1 SUSE Linux Enterprise Module for Advanced Systems Management 12 (src): salt-2018.3.0-46.44.1 SUSE CaaS Platform 3.0 (src): salt-2018.3.0-46.44.1 OpenStack Cloud Magnum Orchestration 7 (src): salt-2018.3.0-46.44.1
This is an autogenerated message for OBS integration: This bug (1113699) was mentioned in https://build.opensuse.org/request/show/658952 15.0 / salt
This is an autogenerated message for OBS integration: This bug (1113699) was mentioned in https://build.opensuse.org/request/show/659069 42.3 / salt
openSUSE-SU-2018:4174-1: An update that solves two vulnerabilities and has 5 fixes is now available. Category: security (important) Bug References: 1110938,1112874,1113698,1113699,1113784,1114197,1114824 CVE References: CVE-2018-15750,CVE-2018-15751 Sources used: openSUSE Leap 15.0 (src): salt-2018.3.0-lp150.3.17.1
openSUSE-SU-2018:4197-1: An update that solves two vulnerabilities and has 11 fixes is now available. Category: security (moderate) Bug References: 1104491,1107333,1108557,1108834,1108995,1109893,1110938,1112874,1113698,1113699,1113784,1114197,1114824 CVE References: CVE-2018-15750,CVE-2018-15751 Sources used: openSUSE Leap 42.3 (src): salt-2018.3.0-23.1
SUSE-OU-2019:13965-1: An update that solves 7 vulnerabilities and has 144 fixes is now available. Category: optional (low) CVE References: CVE-2016-1866,CVE-2016-9639,CVE-2017-12791,CVE-2017-14695,CVE-2017-14696,CVE-2018-15750,CVE-2018-15751 Sources used:
SUSE-OU-2019:13964-1: An update that solves 7 vulnerabilities and has 144 fixes is now available. Category: optional (low) CVE References: CVE-2016-1866,CVE-2016-9639,CVE-2017-12791,CVE-2017-14695,CVE-2017-14696,CVE-2018-15750,CVE-2018-15751 Sources used:
I am not sure what happened here. Do we need two different MRs? I was not aware of SUSE:SLE-12:Update:Products:Update at all, but it seems that having an old version impacts SES4 and SES5 as well. Pinging Maintenance to see what we need to do.
What do we need to check here? Thanks
SUSE-SU-2020:14402-1: An update that solves 11 vulnerabilities and has 245 fixes is now available. Category: security (moderate) CVE References: CVE-2016-1866,CVE-2016-9639,CVE-2017-12791,CVE-2017-14695,CVE-2017-14696,CVE-2018-15750,CVE-2018-15751,CVE-2019-17361,CVE-2019-18897,CVE-2020-11651,CVE-2020-11652 Sources used: NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2020:14431-1: An update that solves 11 vulnerabilities and has 251 fixes is now available. Category: security (moderate) CVE References: CVE-2016-1866,CVE-2016-9639,CVE-2017-12791,CVE-2017-14695,CVE-2017-14696,CVE-2018-15750,CVE-2018-15751,CVE-2019-17361,CVE-2019-18897,CVE-2020-11651,CVE-2020-11652 Sources used: NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Can this be closed?
SUSE-SU-2021:0315-1: An update that solves 14 vulnerabilities and has 218 fixes is now available. Category: security (moderate) CVE References: CVE-2016-1866,CVE-2016-9639,CVE-2017-12791,CVE-2017-14695,CVE-2017-14696,CVE-2018-15750,CVE-2018-15751,CVE-2019-17361,CVE-2019-18897,CVE-2020-11651,CVE-2020-11652,CVE-2020-16846,CVE-2020-17490,CVE-2020-25592 JIRA References: Sources used: NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2021:0316-1: An update that solves 14 vulnerabilities and has 218 fixes is now available. Category: security (moderate) CVE References: CVE-2016-1866,CVE-2016-9639,CVE-2017-12791,CVE-2017-14695,CVE-2017-14696,CVE-2018-15750,CVE-2018-15751,CVE-2019-17361,CVE-2019-18897,CVE-2020-11651,CVE-2020-11652,CVE-2020-16846,CVE-2020-17490,CVE-2020-25592 JIRA References: Sources used: NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Setting back assignee to Security team since I think we're already done here.
Fixed and released.