Bugzilla – Bug 1214796
VUL-0: CVE-2023-20897: salt: DOS in minion return
Last modified: 2024-06-18 12:03:46 UTC
CVE-2023-20897
Description: DOS in minion return.
Impact: After receiving several bad packets on the request server equal to the number of worker threads, the master will become unresponsive to return requests until restarted.
Solution: Properly handle errors in decoded messages in request server.
How to Mitigate: Upgrade Salt masters to 3005.2 or 3006.2. Alternatively, firewall port 4506 from access from untrusted sources and security scanning software.
Attribution: https://github.com/dwoz
Severity Rating: 5.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
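As an added illustration (not Salt's code and not part of this bug report), a constructed Python model of the failure the description reports: a fixed pool of request-server worker threads, one variant letting a decode error escape (each undecodable packet permanently removes a worker, so after as many bad packets as there are workers nothing answers until a restart), the other handling the error as the advisory's solution describes. `RequestServer`, `decode` and `exhaust` are this example's own names; JSON stands in for Salt's real message encoding.

```python
import json
import queue
import threading


def decode(raw: bytes) -> dict:
    # Stand-in decoder; assumption: Salt uses msgpack, JSON keeps this offline.
    msg = json.loads(raw.decode("utf-8"))
    if not isinstance(msg, dict):
        raise ValueError("message is not a mapping")
    return msg


class RequestServer:
    # Fixed pool of worker threads answering requests from one shared queue.
    def __init__(self, workers: int, handle_errors: bool):
        self.requests, self.replies = queue.Queue(), queue.Queue()
        self.handle_errors = handle_errors
        self.threads = [threading.Thread(target=self._worker, daemon=True)
                        for _ in range(workers)]
        for t in self.threads:
            t.start()

    def _worker(self):
        while True:
            raw = self.requests.get()
            if self.handle_errors:
                try:
                    msg = decode(raw)
                except ValueError:  # UnicodeDecodeError and JSONDecodeError
                    self.replies.put({"error": "undecodable message"})
                    continue        # patched: answer with an error, keep serving
            else:
                msg = decode(raw)   # unpatched: uncaught error kills this worker
            self.replies.put({"ok": msg.get("id")})

    def send(self, raw: bytes, timeout: float = 0.3):
        # Submit one raw packet; return its reply, or None if nobody answered.
        self.requests.put(raw)
        try:
            return self.replies.get(timeout=timeout)
        except queue.Empty:
            return None


def exhaust(workers: int, handle_errors: bool) -> tuple:
    """Send `workers` bad packets, then one valid request; return
    (live worker threads, whether the valid request was answered)."""
    srv = RequestServer(workers, handle_errors)
    for _ in range(workers):
        srv.send(b"\xff\xfe not a message")  # constructed undecodable packet
    reply = srv.send(json.dumps({"id": 1}).encode())
    return sum(t.is_alive() for t in srv.threads), reply == {"ok": 1}
```

The unpatched pool prints one thread traceback per bad packet and then answers nothing; the patched pool answers every bad packet with an error reply and the valid request normally.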
This only affects the Salt Master stack. We only maintain it for Salt 3006.0.
Tracking as affected:
- SUSE:ALP:Source:Standard:1.0/salt
- SUSE:SLE-15-SP1:Update/salt
- SUSE:SLE-15-SP2:Update/salt
- SUSE:SLE-15-SP3:Update/salt
- SUSE:SLE-15-SP4:Update/salt
- SUSE:SLE-15-SP5:Update/salt
- SUSE:Debian-10:Update:Products:ManagerTools:Update/salt
- SUSE:RES-8:Update:Products:ManagerTools:Update/salt
- SUSE:Ubuntu-18.04:Update/salt
- SUSE:Ubuntu-20.04:Update:Products:ManagerTools:Update/salt
salt-master is not shipped in the last 4 codestreams listed in comment 1, so only these codestreams are affected:
- SUSE:ALP:Source:Standard:1.0/salt
- SUSE:SLE-15-SP1:Update/salt
- SUSE:SLE-15-SP2:Update/salt
- SUSE:SLE-15-SP3:Update/salt
- SUSE:SLE-15-SP4:Update/salt
- SUSE:SLE-15-SP5:Update/salt
This should be fixed now by:
SUSE:ALP:Source:Standard:1.0 - https://build.suse.de/request/show/307891
SUSE:SLE-15-SP1:Update/salt - https://build.suse.de/request/show/307877
SUSE:SLE-15-SP2:Update/salt - https://build.suse.de/request/show/307872
SUSE:SLE-15-SP3:Update/salt - https://build.suse.de/request/show/307875
SUSE:SLE-15-SP4:Update/salt - https://build.suse.de/request/show/307874
SUSE:SLE-15-SP5:Update/salt - https://build.suse.de/request/show/307876
I'm setting assignee back to Security Team. Thanks!
SUSE-SU-2023:3885-1: An update that solves six vulnerabilities, contains seven features and has 74 security fixes can now be installed.
Category: security (important)
Bug References: 1193948, 1193948, 1207330, 1207330, 1208692, 1208692, 1208692, 1210935, 1210935, 1211525, 1211525, 1211525, 1211874, 1211874, 1211884, 1211884, 1212246, 1212246, 1212730, 1212730, 1212814, 1212814, 1212827, 1212827, 1212856, 1212856, 1212856, 1212943, 1212943, 1212943, 1213009, 1213009, 1213077, 1213077, 1213288, 1213288, 1213441, 1213441, 1213445, 1213445, 1213445, 1213469, 1213469, 1213675, 1213675, 1213675, 1213716, 1213716, 1213880, 1213880, 1214002, 1214002, 1214121, 1214121, 1214124, 1214124, 1214187, 1214187, 1214266, 1214266, 1214280, 1214280, 1214796, 1214796, 1214797, 1214797, 1214889, 1214889, 1214982, 1214982, 1215352, 1215352, 1215362, 1215362, 1215413, 1215413, 1215497, 1215497, 1215756, 1215756
CVE References: CVE-2023-20897, CVE-2023-20897, CVE-2023-20898, CVE-2023-20898, CVE-2023-29409, CVE-2023-29409
Jira References: MSQA-699, MSQA-699, MSQA-699, SUMA-158, SUMA-158, SUMA-280, SUMA-280
Sources used:
openSUSE Leap 15.4 (src): release-notes-susemanager-proxy-4.3.8-150400.3.61.2, release-notes-susemanager-4.3.8-150400.3.77.1
SUSE Manager Proxy 4.3 (src): release-notes-susemanager-proxy-4.3.8-150400.3.61.2
SUSE Manager Retail Branch Server 4.3 (src): release-notes-susemanager-proxy-4.3.8-150400.3.61.2
SUSE Manager Server 4.3 (src): release-notes-susemanager-4.3.8-150400.3.77.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2023:3884-1: An update that solves two vulnerabilities, contains one feature and has 10 security fixes can now be installed.
Category: security (moderate)
Bug References: 1193948, 1210994, 1212794, 1212844, 1212855, 1213257, 1213441, 1213630, 1213960, 1214796, 1214797, 1215489
CVE References: CVE-2023-20897, CVE-2023-20898
Jira References: MSQA-699
Sources used:
SUSE Manager Client Tools for RHEL, Liberty and Clones 9 (src): venv-salt-minion-3006.0-1.24.1
SUSE-SU-2023:3881-1: An update that solves two vulnerabilities, contains one feature and has 10 security fixes can now be installed.
Category: security (moderate)
Bug References: 1193948, 1210994, 1212794, 1212844, 1212855, 1213257, 1213441, 1213630, 1213960, 1214796, 1214797, 1215489
CVE References: CVE-2023-20897, CVE-2023-20898
Jira References: MSQA-699
Sources used:
SUSE-SU-202308:15234-1: An update that solves two vulnerabilities, contains one feature and has 10 security fixes can now be installed.
Category: security (moderate)
Bug References: 1193948, 1210994, 1212794, 1212844, 1212855, 1213257, 1213441, 1213630, 1213960, 1214796, 1214797, 1215489
CVE References: CVE-2023-20897, CVE-2023-20898
Jira References: MSQA-699
Sources used:
SUSE-SU-202309:15233-1: An update that solves two vulnerabilities, contains one feature and has 10 security fixes can now be installed.
Category: security (moderate)
Bug References: 1193948, 1210994, 1212794, 1212844, 1212855, 1213257, 1213441, 1213630, 1213960, 1214796, 1214797, 1215489
CVE References: CVE-2023-20897, CVE-2023-20898
Jira References: MSQA-699
Sources used:
SUSE-SU-2023:3877-1: An update that solves two vulnerabilities, contains one feature and has 10 security fixes can now be installed.
Category: security (moderate)
Bug References: 1193948, 1210994, 1212794, 1212844, 1212855, 1213257, 1213441, 1213630, 1213960, 1214796, 1214797, 1215489
CVE References: CVE-2023-20897, CVE-2023-20898
Jira References: MSQA-699
Sources used:
SUSE Manager Client Tools for SLE 15 (src): venv-salt-minion-3006.0-150000.3.42.1
SUSE Manager Client Tools for SLE Micro 5 (src): venv-salt-minion-3006.0-150000.3.42.1
SUSE Manager Proxy 4.3 Module 4.3 (src): venv-salt-minion-3006.0-150000.3.42.1
SUSE Manager Server 4.3 Module 4.3 (src): venv-salt-minion-3006.0-150000.3.42.1
SUSE-SU-2023:3876-1: An update that solves two vulnerabilities, contains one feature and has 10 security fixes can now be installed.
Category: security (moderate)
Bug References: 1193948, 1210994, 1212794, 1212844, 1212855, 1213257, 1213441, 1213630, 1213960, 1214796, 1214797, 1215489
CVE References: CVE-2023-20897, CVE-2023-20898
Jira References: MSQA-699
Sources used:
SUSE Manager Client Tools for SLE 12 (src): venv-salt-minion-3006.0-3.40.1
SUSE-SU-2023:3871-1: An update that solves two vulnerabilities, contains one feature and has 10 security fixes can now be installed.
Category: security (moderate)
Bug References: 1193948, 1210994, 1212794, 1212844, 1212855, 1213257, 1213441, 1213630, 1213960, 1214796, 1214797, 1215489
CVE References: CVE-2023-20897, CVE-2023-20898
Jira References: MSQA-699
Sources used:
SUSE-SU-202309:15230-1: An update that solves three vulnerabilities, contains two features and has 11 security fixes can now be installed.
Category: security (moderate)
Bug References: 1193948, 1210994, 1212794, 1212844, 1212855, 1213257, 1213441, 1213630, 1213691, 1213880, 1213960, 1214796, 1214797, 1215489
CVE References: CVE-2023-20897, CVE-2023-20898, CVE-2023-29409
Jira References: ECO-3319, MSQA-699
Sources used:
SUSE-SU-2023:3866-1: An update that solves two vulnerabilities and has 10 security fixes can now be installed.
Category: security (moderate)
Bug References: 1193948, 1210994, 1212794, 1212844, 1212855, 1213257, 1213441, 1213630, 1213960, 1214796, 1214797, 1215489
CVE References: CVE-2023-20897, CVE-2023-20898
Sources used:
SUSE Linux Enterprise Server 15 SP1 LTSS 15-SP1 (src): salt-3006.0-150100.107.1
SUSE Linux Enterprise Server for SAP Applications 15 SP1 (src): salt-3006.0-150100.107.1
SUSE CaaS Platform 4.0 (src): salt-3006.0-150100.107.1
SUSE Linux Enterprise High Performance Computing 15 SP1 LTSS 15-SP1 (src): salt-3006.0-150100.107.1
SUSE-SU-2023:3865-1: An update that solves two vulnerabilities and has 10 security fixes can now be installed.
Category: security (moderate)
Bug References: 1193948, 1210994, 1212794, 1212844, 1212855, 1213257, 1213441, 1213630, 1213960, 1214796, 1214797, 1215489
CVE References: CVE-2023-20897, CVE-2023-20898
Sources used:
SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 (src): salt-3006.0-150200.108.1
SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 (src): salt-3006.0-150200.108.1
SUSE Linux Enterprise Server for SAP Applications 15 SP2 (src): salt-3006.0-150200.108.1
SUSE-SU-2023:3864-1: An update that solves two vulnerabilities and has 10 security fixes can now be installed.
Category: security (moderate)
Bug References: 1193948, 1210994, 1212794, 1212844, 1212855, 1213257, 1213441, 1213630, 1213960, 1214796, 1214797, 1215489
CVE References: CVE-2023-20897, CVE-2023-20898
Sources used:
SUSE Linux Enterprise High Performance Computing ESPOS 15 SP3 (src): salt-3006.0-150300.53.60.1
SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (src): salt-3006.0-150300.53.60.1
SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (src): salt-3006.0-150300.53.60.1
SUSE Linux Enterprise Server for SAP Applications 15 SP3 (src): salt-3006.0-150300.53.60.1
SUSE Manager Proxy 4.2 (src): salt-3006.0-150300.53.60.1
SUSE Manager Retail Branch Server 4.2 (src): salt-3006.0-150300.53.60.1
SUSE Manager Server 4.2 (src): salt-3006.0-150300.53.60.1
SUSE Enterprise Storage 7.1 (src): salt-3006.0-150300.53.60.1
SUSE Linux Enterprise Micro 5.1 (src): salt-3006.0-150300.53.60.1
SUSE Linux Enterprise Micro 5.2 (src): salt-3006.0-150300.53.60.1
SUSE Linux Enterprise Micro for Rancher 5.2 (src): salt-3006.0-150300.53.60.1
SUSE-SU-2023:3863-1: An update that solves two vulnerabilities and has 10 security fixes can now be installed.
Category: security (moderate)
Bug References: 1193948, 1210994, 1212794, 1212844, 1212855, 1213257, 1213441, 1213630, 1213960, 1214796, 1214797, 1215489
CVE References: CVE-2023-20897, CVE-2023-20898
Sources used:
Transactional Server Module 15-SP4 (src): salt-3006.0-150400.8.44.1
openSUSE Leap 15.4 (src): salt-3006.0-150400.8.44.1
SUSE Linux Enterprise Micro for Rancher 5.3 (src): salt-3006.0-150400.8.44.1
SUSE Linux Enterprise Micro 5.3 (src): salt-3006.0-150400.8.44.1
SUSE Linux Enterprise Micro for Rancher 5.4 (src): salt-3006.0-150400.8.44.1
SUSE Linux Enterprise Micro 5.4 (src): salt-3006.0-150400.8.44.1
Basesystem Module 15-SP4 (src): salt-3006.0-150400.8.44.1
Server Applications Module 15-SP4 (src): salt-3006.0-150400.8.44.1
SUSE-SU-2023:3862-1: An update that solves two vulnerabilities and has 10 security fixes can now be installed.
Category: security (moderate)
Bug References: 1193948, 1210994, 1212794, 1212844, 1212855, 1213257, 1213441, 1213630, 1213960, 1214796, 1214797, 1215489
CVE References: CVE-2023-20897, CVE-2023-20898
Sources used:
openSUSE Leap 15.5 (src): salt-3006.0-150500.4.19.1
Basesystem Module 15-SP5 (src): salt-3006.0-150500.4.19.1
Server Applications Module 15-SP5 (src): salt-3006.0-150500.4.19.1
Transactional Server Module 15-SP5 (src): salt-3006.0-150500.4.19.1
SUSE-RU-2023:4408-1: An update that solves eight vulnerabilities, contains two features and has 48 fixes can now be installed.
Category: recommended (important)
Bug References: 1097531, 1182851, 1186738, 1190781, 1193357, 1193948, 1194632, 1195624, 1195895, 1196050, 1196432, 1197288, 1197417, 1197533, 1197637, 1198489, 1198556, 1198744, 1199149, 1199372, 1199562, 1200566, 1200596, 1201082, 1202165, 1202631, 1203685, 1203834, 1203886, 1204206, 1204939, 1205687, 1207071, 1208691, 1209233, 1210954, 1210994, 1211591, 1211612, 1211741, 1211754, 1212516, 1212517, 1212794, 1212844, 1212855, 1213257, 1213293, 1213441, 1213518, 1213630, 1213926, 1213960, 1214796, 1214797, 1215489
CVE References: CVE-2022-22934, CVE-2022-22935, CVE-2022-22936, CVE-2022-22941, CVE-2022-22967, CVE-2023-20897, CVE-2023-20898, CVE-2023-28370
Jira References: MSQA-706, PED-3139
Sources used:
Done, closing.