Bug 1113699 (CVE-2018-15751) - VUL-0: CVE-2018-15751: salt: remote authentication bypass in salt-api(netapi) allows to execute arbitrary commands
Summary: VUL-0: CVE-2018-15751: salt: remote authentication bypass in salt-api(netapi)...
Status: RESOLVED FIXED
Alias: CVE-2018-15751
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
: P3 - Medium : Major
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/218029/
Whiteboard: CVSSv3:SUSE:CVE-2018-15751:9.8:(AV:N/...
Reported: 2018-10-29 10:41 UTC by Alexander Bergmann
Modified: 2023-03-01 10:10 UTC

Found By: Security Response Team
Comment 8 Swamp Workflow Management 2018-11-19 17:15:04 UTC
SUSE-RU-2018:3809-1: An update that has 38 recommended fixes can now be installed.

Category: recommended (low)
Bug References: 1034030,1037389,1042184,1080474,1090676,1094524,1094705,1094992,1095220,1095942,1095972,1096319,1096494,1096511,1098970,1099857,1100852,1101033,1104120,1104487,1105045,1105074,1105720,1105724,1105886,1106164,1106875,1107117,1107302,1107850,1107869,1109235,1111249,1111542,1112163,1113557,1113698,1113699
CVE References: 
Sources used:
SUSE Manager Server 3.1 (src):    release-notes-susemanager-3.1.9-5.41.1, susemanager-docs_en-3.1-10.23.1
SUSE Manager Proxy 3.1 (src):    release-notes-susemanager-proxy-3.1.9-0.15.32.1
Comment 9 Swamp Workflow Management 2018-11-19 20:13:47 UTC
SUSE-SU-2018:3811-1: An update that solves two vulnerabilities and has 33 fixes is now available.

Category: security (moderate)
Bug References: 1034030,1037389,1042184,1080474,1090676,1094524,1094992,1095220,1095942,1095972,1096511,1098970,1099857,1100852,1101033,1104120,1104487,1105045,1105074,1105720,1105724,1105886,1106164,1106875,1107117,1107302,1107850,1107869,1109235,1111249,1111542,1112163,1113557,1113698,1113699
CVE References: CVE-2017-14695,CVE-2017-14696
Sources used:
SUSE Manager Server 3.1 (src):    apache-mybatis-3.2.3-1.3.1, hadoop-0.18.1-1.3.1, icu4j-55.1-1.3.1, lucene-2.4.1-1.3.1, nekohtml-1.9.21-1.3.1, nutch-core-1.0.1-1.3.1, picocontainer-1.3.7-1.3.1, py26-compat-salt-2016.11.10-1.16.1, smdba-1.6.2-0.2.9.1, spacecmd-2.7.8.13-2.26.1, spacewalk-2.7.0.6-2.6.1, spacewalk-backend-2.7.73.15-2.26.1, spacewalk-branding-2.7.2.15-2.25.1, spacewalk-doc-indexes-2.7.0.4-2.6.1, spacewalk-java-2.7.46.17-2.35.1, spacewalk-search-2.7.3.6-2.16.1, spacewalk-utils-2.7.10.9-2.17.1, spacewalk-web-2.7.1.19-2.29.1, subscription-matcher-0.21-4.6.1, susemanager-3.1.16-2.26.1, susemanager-branding-oss-3.1.2-3.3.1, susemanager-schema-3.1.20-2.33.1, susemanager-sls-3.1.19-2.30.1, susemanager-sync-data-3.1.16-2.29.1, tagsoup-1.2.1-1.3.1, tika-core-1.19.1-1.3.1
Comment 10 Swamp Workflow Management 2018-11-19 20:15:03 UTC
SUSE-SU-2018:3813-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1113698,1113699
CVE References: CVE-2018-15750,CVE-2018-15751
Sources used:
SUSE Linux Enterprise Server 11-SP4-CLIENT-TOOLS (src):    salt-2016.11.10-43.38.1
SUSE Linux Enterprise Server 11-SP3-CLIENT-TOOLS (src):    salt-2016.11.10-43.38.1
Comment 11 Swamp Workflow Management 2018-11-20 14:09:26 UTC
SUSE-SU-2018:3815-1: An update that solves two vulnerabilities and has three fixes is now available.

Category: security (important)
Bug References: 1110938,1113698,1113699,1113784,1114197
CVE References: CVE-2018-15750,CVE-2018-15751
Sources used:
SUSE Linux Enterprise Module for Server Applications 15 (src):    salt-2018.3.0-5.20.1
SUSE Linux Enterprise Module for Basesystem 15 (src):    salt-2018.3.0-5.20.1
Comment 12 Swamp Workflow Management 2018-11-20 14:10:35 UTC
SUSE-SU-2018:3816-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1113698,1113699
CVE References: CVE-2018-15750,CVE-2018-15751
Sources used:
SUSE Manager Server 3.2 (src):    py26-compat-salt-2016.11.10-6.15.1
Comment 13 Swamp Workflow Management 2018-11-22 20:10:52 UTC
SUSE-SU-2018:3862-1: An update that solves two vulnerabilities and has three fixes is now available.

Category: security (important)
Bug References: 1110938,1113698,1113699,1113784,1114197
CVE References: CVE-2018-15750,CVE-2018-15751
Sources used:
SUSE Manager Tools 12 (src):    salt-2018.3.0-46.44.1
SUSE Manager Server 3.2 (src):    salt-2018.3.0-46.44.1
SUSE Manager Server 3.1 (src):    salt-2018.3.0-46.44.1
SUSE Manager Server 3.0 (src):    salt-2018.3.0-46.44.1
SUSE Manager Proxy 3.2 (src):    salt-2018.3.0-46.44.1
SUSE Manager Proxy 3.1 (src):    salt-2018.3.0-46.44.1
SUSE Manager Proxy 3.0 (src):    salt-2018.3.0-46.44.1
SUSE Linux Enterprise Point of Sale 12-SP2 (src):    salt-2018.3.0-46.44.1
SUSE Linux Enterprise Module for Advanced Systems Management 12 (src):    salt-2018.3.0-46.44.1
SUSE CaaS Platform 3.0 (src):    salt-2018.3.0-46.44.1
OpenStack Cloud Magnum Orchestration 7 (src):    salt-2018.3.0-46.44.1
Comment 14 Swamp Workflow Management 2018-12-17 17:40:20 UTC
This is an autogenerated message for OBS integration:
This bug (1113699) was mentioned in
https://build.opensuse.org/request/show/658952 15.0 / salt
Comment 15 Swamp Workflow Management 2018-12-18 11:43:01 UTC
This is an autogenerated message for OBS integration:
This bug (1113699) was mentioned in
https://build.opensuse.org/request/show/659069 42.3 / salt
Comment 16 Swamp Workflow Management 2018-12-18 14:09:45 UTC
openSUSE-SU-2018:4174-1: An update that solves two vulnerabilities and has 5 fixes is now available.

Category: security (important)
Bug References: 1110938,1112874,1113698,1113699,1113784,1114197,1114824
CVE References: CVE-2018-15750,CVE-2018-15751
Sources used:
openSUSE Leap 15.0 (src):    salt-2018.3.0-lp150.3.17.1
Comment 17 Swamp Workflow Management 2018-12-19 20:11:29 UTC
openSUSE-SU-2018:4197-1: An update that solves two vulnerabilities and has 11 fixes is now available.

Category: security (moderate)
Bug References: 1104491,1107333,1108557,1108834,1108995,1109893,1110938,1112874,1113698,1113699,1113784,1114197,1114824
CVE References: CVE-2018-15750,CVE-2018-15751
Sources used:
openSUSE Leap 42.3 (src):    salt-2018.3.0-23.1
Comment 19 Swamp Workflow Management 2019-02-27 17:24:04 UTC
SUSE-OU-2019:13965-1: An update that solves 7 vulnerabilities and has 144 fixes is now available.

Category: optional (low)
CVE References: CVE-2016-1866,CVE-2016-9639,CVE-2017-12791,CVE-2017-14695,CVE-2017-14696,CVE-2018-15750,CVE-2018-15751
Sources used:
Comment 20 Swamp Workflow Management 2019-02-27 17:55:59 UTC
SUSE-OU-2019:13964-1: An update that solves 7 vulnerabilities and has 144 fixes is now available.

Category: optional (low)
CVE References: CVE-2016-1866,CVE-2016-9639,CVE-2017-12791,CVE-2017-14695,CVE-2017-14696,CVE-2018-15750,CVE-2018-15751
Sources used:
Comment 23 Julio González Gil 2019-07-23 10:22:17 UTC
I am not sure of what happened here. Do we need two different MRs? I was not aware of SUSE:SLE-12:Update:Products:Update at all, but it seems that having an old version impacts SES4 and SES5 as well.

Pinging Maintenance to see what we need to do.
Comment 24 Mihai Dincă 2019-08-07 13:24:11 UTC
What do we need to check here? Thanks
Comment 29 Swamp Workflow Management 2020-06-23 16:32:53 UTC
SUSE-SU-2020:14402-1: An update that solves 11 vulnerabilities and has 245 fixes is now available.

Category: security (moderate)
CVE References: CVE-2016-1866,CVE-2016-9639,CVE-2017-12791,CVE-2017-14695,CVE-2017-14696,CVE-2018-15750,CVE-2018-15751,CVE-2019-17361,CVE-2019-18897,CVE-2020-11651,CVE-2020-11652
Sources used:

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 31 Swamp Workflow Management 2020-07-21 04:30:42 UTC
SUSE-SU-2020:14431-1: An update that solves 11 vulnerabilities and has 251 fixes is now available.

Category: security (moderate)
CVE References: CVE-2016-1866,CVE-2016-9639,CVE-2017-12791,CVE-2017-14695,CVE-2017-14696,CVE-2018-15750,CVE-2018-15751,CVE-2019-17361,CVE-2019-18897,CVE-2020-11651,CVE-2020-11652
Sources used:

Comment 32 Jochen Breuer 2020-11-12 09:55:09 UTC
Can this be closed?
Comment 38 Swamp Workflow Management 2021-02-08 14:50:16 UTC
SUSE-SU-2021:0315-1: An update that solves 14 vulnerabilities and has 218 fixes is now available.

Category: security (moderate)
CVE References: CVE-2016-1866,CVE-2016-9639,CVE-2017-12791,CVE-2017-14695,CVE-2017-14696,CVE-2018-15750,CVE-2018-15751,CVE-2019-17361,CVE-2019-18897,CVE-2020-11651,CVE-2020-11652,CVE-2020-16846,CVE-2020-17490,CVE-2020-25592
JIRA References: 
Sources used:

Comment 39 Swamp Workflow Management 2021-02-08 15:25:22 UTC
SUSE-SU-2021:0316-1: An update that solves 14 vulnerabilities and has 218 fixes is now available.

Category: security (moderate)
CVE References: CVE-2016-1866,CVE-2016-9639,CVE-2017-12791,CVE-2017-14695,CVE-2017-14696,CVE-2018-15750,CVE-2018-15751,CVE-2019-17361,CVE-2019-18897,CVE-2020-11651,CVE-2020-11652,CVE-2020-16846,CVE-2020-17490,CVE-2020-25592
JIRA References: 
Sources used:

Comment 42 Pablo Suárez Hernández 2021-05-05 11:07:07 UTC
Setting back assignee to Security team since I think we're already done here.
Comment 46 Alexander Bergmann 2023-01-09 13:34:08 UTC
Fixed and released.