First Last Prev Next    This bug is not in your last search results.
Bug 1105988 - (CVE-2018-15869) VUL-1: CVE-2018-15869: aws-cli: The Amazon Web Services (AWS) CLI version 1.15.85 (and possibly earlierversions) does not require the --owners flag when describing images, which makesit easier for remote attackers to trigger the loading o
(CVE-2018-15869)
VUL-1: CVE-2018-15869: aws-cli: The Amazon Web Services (AWS) CLI version 1.1...
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
Other Other
: P3 - Medium : Minor
: ---
Assigned To: John Paul Adrian Glaubitz
Security Team bot
https://smash.suse.de/issue/213312/
CVSSv3:SUSE:CVE-2018-15869:8.6:(AV:L/...
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2018-08-25 09:51 UTC by Marcus Meissner
Modified: 2022-02-25 20:55 UTC (History)
2 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Marcus Meissner 2018-08-25 09:51:14 UTC 
CVE-2018-15869

The Amazon Web Services (AWS) CLI version 1.15.85 (and possibly earlier
versions) does not require the --owners flag when describing images, which makes
it easier for remote attackers to trigger the loading of an undesired AMI by
setting similar image properties (i.e., name), as exploited in the wild during
August 2018 with a Monero miner AMI instead of the expected Ubuntu AMI.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-15869
https://github.com/hashicorp/packer/issues/6584
Comment 1 John Paul Adrian Glaubitz 2018-12-03 11:14:15 UTC 
Shall I wait for SUSE:Maintenance:7842 to be accepted or shall I submit an updated aws-cli right away?
Comment 2 Marcus Meissner 2018-12-03 12:12:55 UTC 
please submit
Comment 3 John Paul Adrian Glaubitz 2018-12-03 12:19:08 UTC 
Working on it.
Comment 4 John Paul Adrian Glaubitz 2018-12-03 12:48:17 UTC 
Sorry, I just realized that fixing this bug is blocked by fate#326733 as the newer botocore versions require python-urllib3 >= 1.20.

I can have a look whether it's possible to backport the fix in question.
Comment 6 Swamp Workflow Management 2018-12-12 08:42:47 UTC 
SUSE-RU-2018:4074-1: An update that solves one vulnerability and has 5 fixes is now available.

Category: recommended (moderate)
Bug References: 1088310,1092493,1098125,1105988,1118021,1118027
CVE References: CVE-2018-15869
Sources used:
SUSE Linux Enterprise Module for Public Cloud 15 (src):    aws-cli-1.16.61-4.7.1
SUSE Linux Enterprise Module for Packagehub Subpackages 15 (src):    python-boto3-1.9.57-3.5.1, python-botocore-1.12.57-3.5.1, python-s3transfer-0.1.13-3.3.6
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (src):    python-boto3-1.9.57-3.5.1, python-botocore-1.12.57-3.5.1, python-s3transfer-0.1.13-3.3.6
SUSE Linux Enterprise Module for Basesystem 15 (src):    python-boto3-1.9.57-3.5.1, python-botocore-1.12.57-3.5.1, python-s3transfer-0.1.13-3.3.6
Comment 7 Swamp Workflow Management 2018-12-13 11:12:29 UTC 
openSUSE-RU-2018:4114-1: An update that solves one vulnerability and has 5 fixes is now available.

Category: recommended (moderate)
Bug References: 1088310,1092493,1098125,1105988,1118021,1118027
CVE References: CVE-2018-15869
Sources used:
openSUSE Leap 15.0 (src):    aws-cli-1.16.61-lp150.3.3.1, python-boto3-1.9.57-lp150.2.3.1, python-botocore-1.12.57-lp150.2.3.1, python-s3transfer-0.1.13-lp150.2.3.1
Comment 9 Swamp Workflow Management 2020-01-28 20:11:27 UTC 
SUSE-SU-2020:0251-1: An update that solves one vulnerability and has four fixes is now available.

Category: security (moderate)
Bug References: 1092493,1105988,1118021,1118024,1118099
CVE References: CVE-2018-15869
Sources used:
SUSE OpenStack Cloud Crowbar 8 (src):    aws-cli-1.16.297-22.11.1
SUSE OpenStack Cloud 8 (src):    aws-cli-1.16.297-22.11.1
SUSE Linux Enterprise Module for Public Cloud 12 (src):    aws-cli-1.16.297-22.11.1
HPE Helion Openstack 8 (src):    aws-cli-1.16.297-22.11.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 10 John Paul Adrian Glaubitz 2020-08-19 09:13:41 UTC 
I assume this can be closed as all relevant distributions have at least version 1.16.x (openSUSE Leap 15 Update) or 1.18.x (Tumbleweed, Leap 15.1, 15.2, SLE-12-SP1, SLE-15-SP1)?
Comment 11 Marcus Meissner 2020-09-15 09:01:26 UTC 
yes
First Last Prev Next    This bug is not in your last search results.