Bug 1105988 - (CVE-2018-15869) VUL-1: CVE-2018-15869: aws-cli: The Amazon Web Services (AWS) CLI version 1.15.85 (and possibly earlier versions) does not require the --owners flag when describing images, which makes it easier for remote attackers to trigger the loading of an undesired AMI by setting similar image properties (i.e., name), as exploited in the wild during August 2018 with a Monero miner AMI instead of the expected Ubuntu AMI.
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other
OS: Other
Priority: P3 - Medium
Severity: Minor
Target Milestone: ---
Assigned To: John Paul Adrian Glaubitz
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/213312/
Whiteboard: CVSSv3:SUSE:CVE-2018-15869:8.6:(AV:L/...
Reported: 2018-08-25 09:51 UTC by Marcus Meissner
Modified: 2022-02-25 20:55 UTC (History)

Found By: Security Response Team


Description Marcus Meissner 2018-08-25 09:51:14 UTC
CVE-2018-15869

The Amazon Web Services (AWS) CLI version 1.15.85 (and possibly earlier
versions) does not require the --owners flag when describing images, which makes
it easier for remote attackers to trigger the loading of an undesired AMI by
setting similar image properties (i.e., name), as exploited in the wild during
August 2018 with a Monero miner AMI instead of the expected Ubuntu AMI.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-15869
https://github.com/hashicorp/packer/issues/6584
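The following is an added illustration of the lookup problem the description refers to; it is not code from the bug report, from aws-cli, or from Packer. All AMI records, account IDs and image IDs below are constructed placeholders. It shows why a "most recent image matching this name" lookup is only trustworthy when the result is also restricted to the publisher's account, and builds the `Owners`/`Filters` arguments in the shape that boto3's `ec2.describe_images()` (and the CLI's `--owners`/`--filters` options) accept.

```python
"""Owner-pinned AMI lookup (added example; constructed data, placeholder IDs)."""
from fnmatch import fnmatch

# Constructed describe-images style records. The second record imitates an
# image published by an unrelated account under a look-alike name with a
# newer creation date, so a name-only "most recent" lookup would prefer it.
SAMPLE_IMAGES = [
    {"ImageId": "ami-00000000000000001", "OwnerId": "111111111111",
     "Name": "ubuntu/images/hvm-ssd/ubuntu-bionic-18.04-amd64-server-20180814",
     "CreationDate": "2018-08-14T12:00:00.000Z", "Public": True},
    {"ImageId": "ami-00000000000000002", "OwnerId": "999999999999",
     "Name": "ubuntu/images/hvm-ssd/ubuntu-bionic-18.04-amd64-server-20180820",
     "CreationDate": "2018-08-20T12:00:00.000Z", "Public": True},
]

TRUSTED_OWNER = "111111111111"  # placeholder for the real publisher's account ID
NAME_PATTERN = "ubuntu/images/hvm-ssd/ubuntu-bionic-18.04-amd64-server-*"


def describe_images_params(name_pattern, owners):
    """Build keyword arguments for boto3 ec2.describe_images().

    Refuses to build a query that is not pinned to at least one owner, which
    is the guard the bug description says the CLI itself did not enforce.
    """
    if not owners:
        raise ValueError("AMI lookup must pin at least one owner account")
    return {
        "Owners": list(owners),
        "Filters": [{"Name": "name", "Values": [name_pattern]}],
    }


def select_most_recent(images, name_pattern, owners=None):
    """Pick the newest image whose name matches the glob pattern.

    owners=None reproduces the unsafe name-only behaviour; passing a set of
    account IDs restricts candidates to those publishers before choosing.
    CreationDate values are ISO-8601 strings, so max() on them is chronological.
    """
    candidates = [
        img for img in images
        if fnmatch(img["Name"], name_pattern)
        and (owners is None or img["OwnerId"] in owners)
    ]
    if not candidates:
        return None
    return max(candidates, key=lambda img: img["CreationDate"])


def verify_owner(image, owners):
    """Post-selection check: True only if the chosen image came from a trusted account."""
    return image is not None and image["OwnerId"] in owners


if __name__ == "__main__":
    unsafe = select_most_recent(SAMPLE_IMAGES, NAME_PATTERN)
    pinned = select_most_recent(SAMPLE_IMAGES, NAME_PATTERN, {TRUSTED_OWNER})
    print("name-only lookup picked:", unsafe["ImageId"], "owner", unsafe["OwnerId"])
    print("owner-pinned lookup picked:", pinned["ImageId"], "owner", pinned["OwnerId"])
    print("query args:", describe_images_params(NAME_PATTERN, [TRUSTED_OWNER]))
```

Run against a live account, the same two checks apply: pass `Owners=[...]` to `describe_images` (or `--owners` on the CLI), and, as a second line of defence, compare the `OwnerId` of whatever is returned against the expected publisher before the image ID is used anywhere.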
Comment 1 John Paul Adrian Glaubitz 2018-12-03 11:14:15 UTC
Shall I wait for SUSE:Maintenance:7842 to be accepted or shall I submit an updated aws-cli right away?
Comment 2 Marcus Meissner 2018-12-03 12:12:55 UTC
please submit
Comment 3 John Paul Adrian Glaubitz 2018-12-03 12:19:08 UTC
Working on it.
Comment 4 John Paul Adrian Glaubitz 2018-12-03 12:48:17 UTC
Sorry, I just realized that fixing this bug is blocked by fate#326733 as the newer botocore versions require python-urllib3 >= 1.20.

I can have a look whether it's possible to backport the fix in question.
Comment 6 Swamp Workflow Management 2018-12-12 08:42:47 UTC
SUSE-RU-2018:4074-1: An update that solves one vulnerability and has 5 fixes is now available.

Category: recommended (moderate)
Bug References: 1088310,1092493,1098125,1105988,1118021,1118027
CVE References: CVE-2018-15869
Sources used:
SUSE Linux Enterprise Module for Public Cloud 15 (src):    aws-cli-1.16.61-4.7.1
SUSE Linux Enterprise Module for Packagehub Subpackages 15 (src):    python-boto3-1.9.57-3.5.1, python-botocore-1.12.57-3.5.1, python-s3transfer-0.1.13-3.3.6
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (src):    python-boto3-1.9.57-3.5.1, python-botocore-1.12.57-3.5.1, python-s3transfer-0.1.13-3.3.6
SUSE Linux Enterprise Module for Basesystem 15 (src):    python-boto3-1.9.57-3.5.1, python-botocore-1.12.57-3.5.1, python-s3transfer-0.1.13-3.3.6
Comment 7 Swamp Workflow Management 2018-12-13 11:12:29 UTC
openSUSE-RU-2018:4114-1: An update that solves one vulnerability and has 5 fixes is now available.

Category: recommended (moderate)
Bug References: 1088310,1092493,1098125,1105988,1118021,1118027
CVE References: CVE-2018-15869
Sources used:
openSUSE Leap 15.0 (src):    aws-cli-1.16.61-lp150.3.3.1, python-boto3-1.9.57-lp150.2.3.1, python-botocore-1.12.57-lp150.2.3.1, python-s3transfer-0.1.13-lp150.2.3.1
Comment 9 Swamp Workflow Management 2020-01-28 20:11:27 UTC
SUSE-SU-2020:0251-1: An update that solves one vulnerability and has four fixes is now available.

Category: security (moderate)
Bug References: 1092493,1105988,1118021,1118024,1118099
CVE References: CVE-2018-15869
Sources used:
SUSE OpenStack Cloud Crowbar 8 (src):    aws-cli-1.16.297-22.11.1
SUSE OpenStack Cloud 8 (src):    aws-cli-1.16.297-22.11.1
SUSE Linux Enterprise Module for Public Cloud 12 (src):    aws-cli-1.16.297-22.11.1
HPE Helion Openstack 8 (src):    aws-cli-1.16.297-22.11.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 10 John Paul Adrian Glaubitz 2020-08-19 09:13:41 UTC
I assume this can be closed as all relevant distributions have at least version 1.16.x (openSUSE Leap 15 Update) or 1.18.x (Tumbleweed, Leap 15.1, 15.2, SLE-12-SP1, SLE-15-SP1)?
Comment 11 Marcus Meissner 2020-09-15 09:01:26 UTC
yes