Bug 1201495 - (CVE-2022-2031) VUL-0: CVE-2022-2031: samba, ldb: AD users can bypass certain restrictions associated with changing passwords
(CVE-2022-2031)
VUL-0: CVE-2022-2031: samba, ldb: AD users can bypass certain restrictions as...
Status: NEW
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
Other Other
: P3 - Medium : Normal
: ---
Assigned To: Novell Samba Team
Security Team bot
https://smash.suse.de/issue/337266/
CVSSv3.1:SUSE:CVE-2022-2031:8.8:(AV:N...
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2022-07-14 07:19 UTC by Robert Frohl
Modified: 2022-09-01 15:09 UTC (History)
4 users (show)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Comment 6 Thomas Leroy 2022-07-26 07:29:17 UTC
Thanks for the submissions! However we also need submission for
SUSE:SLE-11-SP3:Update
SUSE:SLE-12-SP3:Update
SUSE:SLE-15:Update 	
SUSE:SLE-15-SP1:Update 
SUSE:SLE-15-SP2:Update	
SUSE:SLE-15-SP2:Update:Products:SES7:Update
Comment 7 Thomas Leroy 2022-07-26 07:31:05 UTC
(In reply to Thomas Leroy from comment #6)
> Thanks for the submissions! However we also need submission for
> SUSE:SLE-11-SP3:Update
> SUSE:SLE-12-SP3:Update

These 2 above had a submission, so no need. Sorry

> SUSE:SLE-15:Update 	
> SUSE:SLE-15-SP1:Update 
> SUSE:SLE-15-SP2:Update	
> SUSE:SLE-15-SP2:Update:Products:SES7:Update
Comment 8 James McDonough 2022-07-26 13:42:59 UTC
(In reply to Thomas Leroy from comment #7)
> (In reply to Thomas Leroy from comment #6)
> > Thanks for the submissions! However we also need submission for
> > SUSE:SLE-11-SP3:Update
> > SUSE:SLE-12-SP3:Update
> 
> These 2 above had a submission, so no need. Sorry
> 
> > SUSE:SLE-15:Update 	
This one definitely did not have the AD domain controller shipped

> > SUSE:SLE-15-SP1:Update 
> > SUSE:SLE-15-SP2:Update	
These two had AD domain controller but only as a tech preview, and it would be risky to backport a massive changeset to LTSS-only releases for a tech preview.

> > SUSE:SLE-15-SP2:Update:Products:SES7:Update
This one definitely did not have the AD domain controller shipped
Comment 9 Thomas Leroy 2022-07-28 07:19:00 UTC
public: https://www.samba.org/samba/security/CVE-2022-2031.html
Comment 10 Swamp Workflow Management 2022-07-29 13:17:12 UTC
SUSE-SU-2022:2586-1: An update that solves 5 vulnerabilities and has 6 fixes is now available.

Category: security (important)
Bug References: 1196224,1198255,1199247,1199734,1200556,1200964,1201490,1201492,1201493,1201495,1201496
CVE References: CVE-2022-2031,CVE-2022-32742,CVE-2022-32744,CVE-2022-32745,CVE-2022-32746
JIRA References: 
Sources used:
openSUSE Leap 15.3 (src):    ldb-2.4.3-150300.3.20.1, samba-4.15.8+git.500.d5910280cc7-150300.3.37.1
SUSE Linux Enterprise Module for Python2 15-SP3 (src):    samba-4.15.8+git.500.d5910280cc7-150300.3.37.1
SUSE Linux Enterprise Module for Basesystem 15-SP3 (src):    ldb-2.4.3-150300.3.20.1, samba-4.15.8+git.500.d5910280cc7-150300.3.37.1
SUSE Linux Enterprise Micro 5.2 (src):    ldb-2.4.3-150300.3.20.1, samba-4.15.8+git.500.d5910280cc7-150300.3.37.1
SUSE Linux Enterprise Micro 5.1 (src):    ldb-2.4.3-150300.3.20.1
SUSE Linux Enterprise High Availability 15-SP3 (src):    samba-4.15.8+git.500.d5910280cc7-150300.3.37.1
SUSE Enterprise Storage 7.1 (src):    ldb-2.4.3-150300.3.20.1, samba-4.15.8+git.500.d5910280cc7-150300.3.37.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 11 Swamp Workflow Management 2022-07-29 13:20:15 UTC
SUSE-SU-2022:2582-1: An update that solves 5 vulnerabilities and has 5 fixes is now available.

Category: security (important)
Bug References: 1198255,1199247,1199734,1200556,1200964,1201490,1201492,1201493,1201495,1201496
CVE References: CVE-2022-2031,CVE-2022-32742,CVE-2022-32744,CVE-2022-32745,CVE-2022-32746
JIRA References: 
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP5 (src):    samba-4.15.8+git.462.e73f4310487-3.68.1
SUSE Linux Enterprise Server 12-SP5 (src):    samba-4.15.8+git.462.e73f4310487-3.68.1
SUSE Linux Enterprise High Availability 12-SP5 (src):    samba-4.15.8+git.462.e73f4310487-3.68.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 12 Swamp Workflow Management 2022-08-03 22:18:21 UTC
SUSE-SU-2022:2659-1: An update that solves 5 vulnerabilities and has 6 fixes is now available.

Category: security (important)
Bug References: 1196224,1198255,1199247,1199734,1200556,1200964,1201490,1201492,1201493,1201495,1201496
CVE References: CVE-2022-2031,CVE-2022-32742,CVE-2022-32744,CVE-2022-32745,CVE-2022-32746
JIRA References: 
Sources used:
openSUSE Leap 15.4 (src):    ldb-2.4.3-150400.4.8.1, samba-4.15.8+git.500.d5910280cc7-150400.3.11.1
SUSE Linux Enterprise Module for Basesystem 15-SP4 (src):    ldb-2.4.3-150400.4.8.1, samba-4.15.8+git.500.d5910280cc7-150400.3.11.1
SUSE Linux Enterprise High Availability 15-SP4 (src):    samba-4.15.8+git.500.d5910280cc7-150400.3.11.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 14 Swamp Workflow Management 2022-09-01 15:09:29 UTC
SUSE-SU-2022:2586-2: An update that solves 5 vulnerabilities and has 6 fixes is now available.

Category: security (important)
Bug References: 1196224,1198255,1199247,1199734,1200556,1200964,1201490,1201492,1201493,1201495,1201496
CVE References: CVE-2022-2031,CVE-2022-32742,CVE-2022-32744,CVE-2022-32745,CVE-2022-32746
JIRA References: 
Sources used:
openSUSE Leap Micro 5.2 (src):    ldb-2.4.3-150300.3.20.1, samba-4.15.8+git.500.d5910280cc7-150300.3.37.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.