Bug 1190265 - (CVE-2021-21996) VUL-0: CVE-2021-21996: salt: root exploit on minion when able to access a file source
(CVE-2021-21996)
VUL-0: CVE-2021-21996: salt: root exploit on minion when able to access a fil...
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
Other Other
: P3 - Medium : Normal
: ---
Assigned To: Security Team bot
Security Team bot
https://smash.suse.de/issue/309231/
CVSSv3.1:SUSE:CVE-2021-21996:4.2:(AV:...
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2021-09-07 16:19 UTC by Marcus Meissner
Modified: 2022-07-01 08:37 UTC (History)
2 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Marcus Meissner 2021-09-07 16:19:11 UTC
CVE-2021-21996

https://saltproject.io/security_announcements/salt-security-advisory-2021-sep-02/

CVE-2021-21996

    Impact: This requires a malicious user to have access to control a file source URL and its source_hash URL.
    Description: A user who has control of the source, and source_hash URLs can gain full file system access as root on a salt minion.
    Solution: Code has been modified to exclude the full path of a download URL. Instead, we only use the base filename plus file extension. This prevents injection of malicious code into the full path string.
    How to Mitigate: Update to the latest versions of salt minion code.
    Attribution: Jonathan Schlue jonathan.schlue@aboutsource.net
    Severity Rating: 4.2
Comment 1 Pablo Suárez Hernández 2021-09-16 07:49:14 UTC
This is now fixed in our Salt packages by:

https://build.opensuse.org/request/show/919136 - 3002.2
https://build.opensuse.org/request/show/919137 - 3002.2 (to Factory)
https://build.opensuse.org/request/show/919138 - 3000
https://build.opensuse.org/request/show/919139 - 2016.11.10
https://build.opensuse.org/request/show/919140 - 3000.3 (py27-compat-salt)
https://build.opensuse.org/request/show/919141 - 2016.11.10 (py26-compat-salt)

The above fixes will be soon promoted and included in the submissions for next MU on SUSE Manager 4.2

I think there is nothing else to do from our side at this moment. I'm resetting the assignee to Security team.

Thanks!
Comment 2 OBSbugzilla Bot 2021-09-16 08:40:41 UTC
This is an autogenerated message for OBS integration:
This bug (1190265) was mentioned in
https://build.opensuse.org/request/show/919452 Factory / salt
Comment 11 Swamp Workflow Management 2021-10-27 19:18:15 UTC
SUSE-SU-2021:3555-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1190265
CVE References: CVE-2021-21996
JIRA References: 
Sources used:
SUSE Linux Enterprise Server for SAP 15-SP1 (src):    salt-3002.2-48.4
SUSE Linux Enterprise Server 15-SP1-LTSS (src):    salt-3002.2-48.4
SUSE Linux Enterprise Server 15-SP1-BCL (src):    salt-3002.2-48.4
SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (src):    salt-3002.2-48.4
SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (src):    salt-3002.2-48.4
SUSE Enterprise Storage 6 (src):    salt-3002.2-48.4
SUSE CaaS Platform 4.0 (src):    salt-3002.2-48.4

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 12 Swamp Workflow Management 2021-10-27 19:21:09 UTC
SUSE-SU-2021:3549-1: An update that solves one vulnerability, contains one feature and has three fixes is now available.

Category: security (moderate)
Bug References: 1181223,1188977,1190265,1190512
CVE References: CVE-2021-21996
JIRA References: ECO-3319
Sources used:

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 13 Swamp Workflow Management 2021-10-27 19:24:30 UTC
SUSE-SU-2021:14832-1: An update that solves one vulnerability, contains one feature and has three fixes is now available.

Category: security (moderate)
Bug References: 1181223,1188977,1190265,1190512
CVE References: CVE-2021-21996
JIRA References: ECO-3319
Sources used:

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 14 Swamp Workflow Management 2021-10-27 19:27:17 UTC
SUSE-SU-2021:3553-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1190265
CVE References: CVE-2021-21996
JIRA References: 
Sources used:
SUSE Linux Enterprise Server for SAP 15 (src):    salt-3002.2-8.41.17.1
SUSE Linux Enterprise Server 15-LTSS (src):    salt-3002.2-8.41.17.1
SUSE Linux Enterprise High Performance Computing 15-LTSS (src):    salt-3002.2-8.41.17.1
SUSE Linux Enterprise High Performance Computing 15-ESPOS (src):    salt-3002.2-8.41.17.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 15 Swamp Workflow Management 2021-10-27 19:33:05 UTC
SUSE-SU-2021:3547-1: An update that solves one vulnerability, contains one feature and has three fixes is now available.

Category: security (moderate)
Bug References: 1181223,1188977,1190265,1190512
CVE References: CVE-2021-21996
JIRA References: ECO-3319
Sources used:

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 16 Swamp Workflow Management 2021-10-27 19:36:50 UTC
SUSE-SU-2021:3561-1: An update that solves two vulnerabilities, contains two features and has 31 fixes is now available.

Category: security (moderate)
Bug References: 1171520,1181223,1187572,1187998,1188315,1188977,1189260,1189422,1189609,1189799,1189818,1189933,1190040,1190123,1190151,1190164,1190166,1190265,1190275,1190276,1190300,1190396,1190405,1190455,1190512,1190602,1190751,1190820,1191123,1191139,1191348,1191551,1191898
CVE References: CVE-2021-21996,CVE-2021-40348
JIRA References: PM-2644,SUMA-61
Sources used:
SUSE Linux Enterprise Module for SUSE Manager Server 4.2 (src):    cobbler-3.1.2-5.11.1, hub-xmlrpc-api-0.7-3.3.3, inter-server-sync-0.0.5-8.6.3, patterns-suse-manager-4.2-4.3.1, py26-compat-salt-2016.11.10-11.28.9.1, py26-compat-tornado-4.2.1-3.3.1, py27-compat-salt-3000.3-7.7.11.1, spacecmd-4.2.13-4.9.1, spacewalk-admin-4.2.9-3.6.2, spacewalk-backend-4.2.17-4.9.3, spacewalk-certs-tools-4.2.13-3.9.2, spacewalk-client-tools-4.2.14-4.9.3, spacewalk-java-4.2.30-3.14.4, spacewalk-utils-4.2.14-3.9.3, spacewalk-web-4.2.23-3.9.3, subscription-matcher-0.27-6.3.1, supportutils-plugin-susemanager-4.2.3-3.3.2, susemanager-4.2.25-3.13.1, susemanager-doc-indexes-4.2-12.11.3, susemanager-docs_en-4.2-12.11.1, susemanager-schema-4.2.18-3.9.3, susemanager-sls-4.2.18-3.11.1, susemanager-sync-data-4.2.9-3.9.1, virtualization-formulas-0.6.1-8.3.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 17 Swamp Workflow Management 2021-10-27 19:40:20 UTC
SUSE-SU-2021:14831-1: An update that solves one vulnerability, contains one feature and has three fixes is now available.

Category: security (moderate)
Bug References: 1181223,1188977,1190265,1190512
CVE References: CVE-2021-21996
JIRA References: ECO-3319
Sources used:

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 18 Swamp Workflow Management 2021-10-27 19:41:49 UTC
SUSE-SU-2021:3550-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1190265
CVE References: CVE-2021-21996
JIRA References: 
Sources used:
SUSE Manager Tools 12 (src):    salt-3000-46.151.2
SUSE Linux Enterprise Module for Advanced Systems Management 12 (src):    salt-3000-46.151.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 19 Swamp Workflow Management 2021-10-27 19:45:22 UTC
SUSE-RU-2021:3551-1: An update that solves two vulnerabilities and has 30 fixes is now available.

Category: recommended (low)
Bug References: 1171520,1181223,1187572,1187998,1188315,1188977,1189260,1189422,1189609,1189799,1189818,1189933,1190040,1190123,1190151,1190164,1190166,1190265,1190275,1190276,1190300,1190396,1190405,1190455,1190512,1190602,1190751,1190820,1191123,1191139,1191348,1191551
CVE References: CVE-2021-21996,CVE-2021-40348
JIRA References: 
Sources used:
SUSE Manager Server 4.2 (src):    release-notes-susemanager-4.2.3-3.19.1
SUSE Manager Retail Branch Server 4.2 (src):    release-notes-susemanager-proxy-4.2.3-3.15.1
SUSE Manager Proxy 4.2 (src):    release-notes-susemanager-proxy-4.2.3-3.15.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 20 Swamp Workflow Management 2021-10-27 19:48:45 UTC
SUSE-SU-2021:14833-1: An update that solves one vulnerability and has three fixes is now available.

Category: security (moderate)
Bug References: 1181223,1188977,1190265,1190512
CVE References: CVE-2021-21996
JIRA References: 
Sources used:
SUSE Linux Enterprise Server 11-SP4-CLIENT-TOOLS (src):    salt-2016.11.10-43.84.1, spacecmd-4.2.13-18.93.1, spacewalk-client-tools-4.2.14-27.59.1
SUSE Linux Enterprise Server 11-SP3-CLIENT-TOOLS (src):    salt-2016.11.10-43.84.1, spacecmd-4.2.13-18.93.1, spacewalk-client-tools-4.2.14-27.59.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 21 Swamp Workflow Management 2021-10-27 19:54:32 UTC
SUSE-SU-2021:3557-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1190265
CVE References: CVE-2021-21996
JIRA References: 
Sources used:
SUSE MicroOS 5.1 (src):    salt-3002.2-50.1.15.1
SUSE Linux Enterprise Module for Transactional Server 15-SP3 (src):    salt-3002.2-50.1.15.1
SUSE Linux Enterprise Module for Server Applications 15-SP3 (src):    salt-3002.2-50.1.15.1
SUSE Linux Enterprise Module for Basesystem 15-SP3 (src):    salt-3002.2-50.1.15.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 22 Swamp Workflow Management 2021-10-27 19:55:53 UTC
SUSE-SU-2021:3556-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1190265
CVE References: CVE-2021-21996
JIRA References: 
Sources used:
SUSE MicroOS 5.0 (src):    salt-3002.2-49.2
SUSE Linux Enterprise Module for Transactional Server 15-SP2 (src):    salt-3002.2-49.2
SUSE Linux Enterprise Module for Server Applications 15-SP2 (src):    salt-3002.2-49.2
SUSE Linux Enterprise Module for Basesystem 15-SP2 (src):    salt-3002.2-49.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 23 Swamp Workflow Management 2021-10-27 19:57:06 UTC
openSUSE-SU-2021:3557-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1190265
CVE References: CVE-2021-21996
JIRA References: 
Sources used:
openSUSE Leap 15.3 (src):    salt-3002.2-50.1.15.1
Comment 25 Swamp Workflow Management 2021-11-02 17:17:26 UTC
openSUSE-SU-2021:1443-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1190265
CVE References: CVE-2021-21996
JIRA References: 
Sources used:
openSUSE Leap 15.2 (src):    salt-3002.2-lp152.3.45.1
Comment 26 Swamp Workflow Management 2021-11-05 20:18:14 UTC
SUSE-SU-2021:3621-1: An update that solves one vulnerability and has 20 fixes is now available.

Category: security (moderate)
Bug References: 1185951,1187998,1188315,1189609,1189643,1189818,1190151,1190166,1190265,1190276,1190512,1190665,1190751,1191144,1191222,1191274,1191444,1191495,1191538,1191643,1191898
CVE References: CVE-2021-21996
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for SUSE Manager Server 4.1 (src):    grafana-formula-0.4.2-3.12.2, prometheus-formula-0.3.4-3.12.2, py26-compat-salt-2016.11.10-17.2, py26-compat-tornado-4.2.1-3.3.2, py27-compat-salt-3000.3-6.15.2, spacecmd-4.1.15-4.30.2, spacewalk-backend-4.1.29-4.44.2, spacewalk-certs-tools-4.1.19-3.22.2, spacewalk-java-4.1.41-3.58.2, spacewalk-reports-4.1.4-3.6.2, spacewalk-web-4.1.30-3.36.1, subscription-matcher-0.27-3.12.2, susemanager-4.1.31-3.39.2, susemanager-doc-indexes-4.1-11.46.2, susemanager-docs_en-4.1-11.46.2, susemanager-sls-4.1.31-3.51.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 27 Swamp Workflow Management 2021-11-05 20:21:48 UTC
SUSE-RU-2021:3622-1: An update that has 21 recommended fixes can now be installed.

Category: recommended (moderate)
Bug References: 1185951,1187998,1188315,1189609,1189643,1189818,1190151,1190166,1190265,1190276,1190512,1190665,1190751,1191144,1191222,1191274,1191444,1191495,1191538,1191643,1191898
CVE References: 
JIRA References: 
Sources used:
SUSE Manager Server 4.1 (src):    release-notes-susemanager-4.1.12-3.64.1
SUSE Manager Retail Branch Server 4.1 (src):    release-notes-susemanager-proxy-4.1.12-3.47.1
SUSE Manager Proxy 4.1 (src):    release-notes-susemanager-proxy-4.1.12-3.47.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 31 Swamp Workflow Management 2021-12-03 14:22:28 UTC
SUSE-SU-2021:3901-1: An update that solves one vulnerability, contains four features and has 26 fixes is now available.

Category: security (moderate)
Bug References: 1164192,1167586,1168327,1173103,1173692,1180650,1181223,1184659,1185131,1186287,1186310,1186581,1186674,1186738,1187787,1187813,1188042,1188170,1188259,1188647,1188977,1189040,1190265,1190446,1190512,1191412,1191431
CVE References: CVE-2021-21996
JIRA References: ECO-3212,ECO-3319,SLE-18028,SLE-18033
Sources used:

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 32 Swamp Workflow Management 2021-12-03 14:34:14 UTC
SUSE-SU-2021:3906-1: An update that solves one vulnerability and has 19 fixes is now available.

Category: security (moderate)
Bug References: 1164192,1167586,1168327,1180650,1184659,1185131,1186287,1186310,1186674,1187787,1187813,1188170,1188641,1188647,1189040,1189043,1190114,1190265,1190446,1191412
CVE References: CVE-2021-21996
JIRA References: 
Sources used:
SUSE Manager Tools 12-BETA (src):    python-Jinja2-2.8-22.5.1, python-MarkupSafe-0.23-6.5.1, python-PyYAML-5.1.2-29.5.1, python-msgpack-python-0.4.6-11.5.1, python-psutil-5.2.2-18.5.1, python-pycrypto-2.6.1-13.5.1, python-pyzmq-14.0.0-12.5.1, python-singledispatch-3.4.0.3-4.8.1, salt-3000-49.38.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 33 Swamp Workflow Management 2021-12-03 14:46:12 UTC
SUSE-SU-2021:3903-1: An update that solves one vulnerability, contains four features and has 26 fixes is now available.

Category: security (moderate)
Bug References: 1164192,1167586,1168327,1173103,1173692,1180650,1181223,1184659,1185131,1186287,1186310,1186581,1186674,1186738,1187787,1187813,1188042,1188170,1188259,1188647,1188977,1189040,1190265,1190446,1190512,1191412,1191431
CVE References: CVE-2021-21996
JIRA References: ECO-3212,ECO-3319,SLE-18028,SLE-18033
Sources used:

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 34 Swamp Workflow Management 2021-12-03 14:58:38 UTC
SUSE-SU-2021:3902-1: An update that solves one vulnerability, contains four features and has 26 fixes is now available.

Category: security (moderate)
Bug References: 1164192,1167586,1168327,1173103,1173692,1180650,1181223,1184659,1185131,1186287,1186310,1186581,1186674,1186738,1187787,1187813,1188042,1188170,1188259,1188647,1188977,1189040,1190265,1190446,1190512,1191412,1191431
CVE References: CVE-2021-21996
JIRA References: ECO-3212,ECO-3319,SLE-18028,SLE-18033
Sources used:

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 35 Swamp Workflow Management 2021-12-03 15:04:17 UTC
SUSE-SU-2021:3908-1: An update that solves 6 vulnerabilities, contains four features and has 27 fixes is now available.

Category: security (moderate)
Bug References: 1164192,1167586,1168327,1170823,1173103,1173692,1175478,1180650,1181223,1184659,1185131,1186242,1186287,1186310,1186508,1186581,1186650,1186674,1186738,1187787,1187813,1188042,1188170,1188259,1188647,1188846,1188977,1189040,1190265,1190446,1190512,1191412,1191448
CVE References: CVE-2021-21996,CVE-2021-27962,CVE-2021-28146,CVE-2021-28147,CVE-2021-28148,CVE-2021-29622
JIRA References: ECO-3212,SLE-18028,SLE-18033,SLE-18254
Sources used:
SUSE Manager Tools 15-BETA (src):    dracut-saltboot-0.1.1628156312.dbd0dec-3.27.1, golang-github-prometheus-prometheus-2.27.1-6.21.2, grafana-7.5.7-4.15.3, hwdata-0.334-6.5.1, koan-3.0.1-7.12.1, mgr-cfg-4.3.2-4.15.1, mgr-custom-info-4.3.2-4.9.1, mgr-daemon-4.3.2-4.15.2, mgr-osad-4.3.2-4.18.2, mgr-push-4.3.1-4.9.3, mgr-virtualization-4.3.1-4.9.3, prometheus-blackbox_exporter-0.19.0-3.3.2, python-contextvars-2.4-3.3.1, python-hwdata-2.3.5-5.7.1, python-immutables-0.11-3.3.1, python-jabberpy-0.5-5.5.1, rhnlib-4.3.1-6.18.2, salt-3003.3-8.44.1, spacecmd-4.3.4-6.27.1, spacewalk-client-tools-4.3.4-6.33.3, spacewalk-koan-4.3.1-6.9.2, spacewalk-oscap-4.3.1-6.9.2, spacewalk-remote-utils-4.3.1-6.9.2, supportutils-plugin-susemanager-client-4.3.1-6.12.2, suseRegisterInfo-4.3.1-6.15.2, system-user-grafana-1.0.0-3.5.1, system-user-prometheus-1.0.0-3.5.1, uyuni-common-libs-4.3.1-3.21.2, zypp-plugin-spacewalk-1.0.10-6.15.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 36 Swamp Workflow Management 2021-12-03 15:08:52 UTC
SUSE-SU-2021:3904-1: An update that solves one vulnerability, contains one feature and has 26 fixes is now available.

Category: security (moderate)
Bug References: 1164192,1167586,1168327,1173692,1180650,1181223,1184659,1185131,1186287,1186310,1186581,1186674,1187787,1187813,1188042,1188170,1188641,1188647,1188977,1189040,1189043,1190114,1190265,1190446,1190512,1191412,1191431
CVE References: CVE-2021-21996
JIRA References: ECO-3319
Sources used:

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 38 Marcus Meissner 2022-07-01 08:37:02 UTC
done