Detections
Analytics

SUSE SLED15 / SLES15 / openSUSE 15 Security Update : SUSE Manager Client Tools (SUSE-SU-2025:0525-1)

medium Nessus Plugin ID 216389

Language:

Synopsis

The remote SUSE host is missing one or more security updates.

Description

The remote SUSE Linux SLED15 / SLED_SAP15 / SLES15 / SLES_SAP15 / openSUSE 15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2025:0525-1 advisory.

 dracut-saltboot was updated to version 0.1.1728559936.c16d4fb:

 - Added MAC based terminal naming option (jsc#SUMA-314)

 golang-github-prometheus-prometheus was updated from version 2.45.6 to 2.53.3 (jsc#PED-11649):

 - Security issues fixed:
 * CVE-2024-51744: Updated golang-jwt to version 5.0 to fix bad error handling (bsc#1232970)

 - Highlights of other changes:
 * Performance:
 - Significant enhancements to PromQL execution speed, TSDB operations (especially querying and compaction) and remote write operations.
 - Default GOGC value lowered to 75 for better memory management.
 - Option to limit memory usage from dropped targets added.
 * New Features:
 - Experimental OpenTelemetry ingestion.
 - Automatic memory limit handling.
 - Native histogram support, including new functions, UI enhancements, and improved scraping.
 - Improved alerting features, such as relabeling rules for AlertmanagerConfig and a new query_offset option.
 - Expanded service discovery options with added metadata and support for new services.
 - New promtool commands for PromQL formatting, label manipulation, metric pushing, and OpenMetrics dumping.
 * Bug Fixes:
 - Numerous fixes across scraping, API, TSDB, PromQL, and service discovery.
 * For a detailed list of changes consult the package changelog or https://github.com/prometheus/prometheus/compare/v2.45.6...v2.53.3

 grafana was updated from version 9.5.18 to 10.4.13 (jsc#PED-11591,jsc#PED-11649):

 - Security issues fixed:
 * CVE-2024-45337: Prevent possible misuse of ServerConfig.PublicKeyCallback by upgrading golang.org/x/crypto (bsc#1234554)
 * CVE-2023-3128: Fixed authentication bypass using Azure AD OAuth (bsc#1212641)
 * CVE-2023-6152: Add email verification when updating user email (bsc#1219912)
 * CVE-2024-6837: Fixed potential data source permission escalation (bsc#1236301)
 * CVE-2024-8118: Fixed permission on external alerting rule write endpoint (bsc#1231024)

 - Potential breaking changes in version 10:
 * In panels using the `extract fields` transformation, where one of the extracted names collides with one of the already existing ields, the extracted field will be renamed.
 * For the existing backend mode users who have table visualization might see some inconsistencies on their panels.
 We have updated the table column naming. This will potentially affect field transformations and/or field overrides. To resolve this either: update transformation or field override.
 * For the existing backend mode users who have Transformations with the `time` field, might see their transformations are not working. Those panels that have broken transformations will fail to render. This is because we changed the field key. To resolve this either: Remove the affected panel and re-create it; Select the `Time` field again; Edit the `time` field as `Time` for transformation in `panel.json` or `dashboard.json`
 * The following data source permission endpoints have been removed:
 `GET /datasources/:datasourceId/permissions` `POST /api/datasources/:datasourceId/permissions` `DELETE /datasources/:datasourceId/permissions` `POST /datasources/:datasourceId/enable-permissions` `POST /datasources/:datasourceId/disable-permissions`
 - Please use the following endpoints instead:
 `GET /api/access-control/datasources/:uid` for listing data source permissions `POST /api/access-control/datasources/:uid/users/:id`, `POST /api/access-control/datasources/:uid/teams/:id` and `POST /api/access-control/datasources/:uid/buildInRoles/:id` for adding or removing data source permissions
 * If you are using Terraform Grafana provider to manage data source permissions, you will need to upgrade your provider.
 * For the existing backend mode users who have table visualization might see some inconsistencies on their panels.
 We have updated the table column naming. This will potentially affect field transformations and/or field overrides.
 * The deprecated `/playlists/{uid}/dashboards` API endpoint has been removed.
 Dashboard information can be retrieved from the `/dashboard/...` APIs.
 * The `PUT /api/folders/:uid` endpoint no more supports modifying the folder's `UID`
 * Removed all components for the old panel header design.
 * Please review https://grafana.com/docs/grafana/next/breaking-changes/breaking-changes-v10-3/ for more details
 * OAuth role mapping enforcement: This change impacts GitHub, Gitlab, Okta, and Generic OAuth. To avoid overriding manually set roles, enable the skip_org_role_sync option in the Grafana configuration for your OAuth provider before upgrading
 * Angular has been deprecated
 * Grafana legacy alerting has been deprecated
 * API keys are migrating to service accounts
 * The experimental dashboard previews feature is removed
 * Usernames are now case-insensitive by default
 * Grafana OAuth integrations do not work anymore with email lookups
 * The Alias field in the CloudWatch data source is removed
 * Athena data source plugin must be updated to version >=2.9.3
 * Redshift data source plugin must be updated to version >=1.8.3
 * DoiT International BigQuery plugin no longer supported
 * Please review https://grafana.com/docs/grafana/next/breaking-changes/breaking-changes-v10-0 for more details

 - This update brings many new features, enhancements and fixes highlighted at:
 * https://grafana.com/docs/grafana/next/whatsnew/whats-new-in-v10-4/
 * https://grafana.com/docs/grafana/next/whatsnew/whats-new-in-v10-3/
 * https://grafana.com/docs/grafana/next/whatsnew/whats-new-in-v10-2/
 * https://grafana.com/docs/grafana/next/whatsnew/whats-new-in-v10-1/
 * https://grafana.com/docs/grafana/next/whatsnew/whats-new-in-v10-0/:

 spacecmd was updated to version 5.0.11-0:

 - Updated translation strings

 supportutils-plugin-salt was updated to version 1.2.3:

 - Adjusted requirements for plugin to allow compatibility with supportutils 3.2.9 release (bsc#1235145)
 - Provide backwards-compatible scripts version

 supportutils-plugin-susemanager-client was updated to version 5.0.4-0:

 - Adjusted requirements for plugin to allow compatibility with supportutils 3.2.9 release (bsc#1235145)

 uyuni-tools was updated from version 0.1.23-0 to 0.1.27-0:

 - Security issues fixed:
 * CVE-2024-22037: Use podman secret to store the database credentials (bsc#1231497)

Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Update the affected packages.

See Also

https://bugzilla.suse.com/1212641

https://bugzilla.suse.com/1219912

https://bugzilla.suse.com/1229079

https://bugzilla.suse.com/1229104

https://bugzilla.suse.com/1231024

https://bugzilla.suse.com/1231497

https://bugzilla.suse.com/1231568

https://bugzilla.suse.com/1231759

https://bugzilla.suse.com/1232575

https://bugzilla.suse.com/1232769

https://bugzilla.suse.com/1232817

https://bugzilla.suse.com/1232970

https://bugzilla.suse.com/1233202

https://bugzilla.suse.com/1233279

https://bugzilla.suse.com/1233630

https://bugzilla.suse.com/1233660

https://bugzilla.suse.com/1234123

https://bugzilla.suse.com/1234554

https://bugzilla.suse.com/1235145

https://bugzilla.suse.com/1236301

http://www.nessus.org/u?c31cffda

https://www.suse.com/security/cve/CVE-2023-3128

https://www.suse.com/security/cve/CVE-2023-6152

https://www.suse.com/security/cve/CVE-2024-22037

https://www.suse.com/security/cve/CVE-2024-45337

https://www.suse.com/security/cve/CVE-2024-51744

https://www.suse.com/security/cve/CVE-2024-6837

https://www.suse.com/security/cve/CVE-2024-8118

Plugin Details

Severity: Medium

ID: 216389

File Name: suse_SU-2025-0525-1.nasl

Version: 1.2

Type: local

Agent: unix

Published: 2/17/2025

Updated: 2/19/2025

Supported Sensors: Agentless Assessment, Continuous Assessment, Frictionless Assessment Agent, Frictionless Assessment AWS, Frictionless Assessment Azure, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: Critical

Base Score: 10

Temporal Score: 7.8

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2023-3128

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 8.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

CVSS v4

Risk Factor: Medium

Base Score: 5.7

Threat Score: 4.7

Threat Vector: CVSS:4.0/E:P

Vector: CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:L/SI:L/SA:L

CVSS Score Source: CVE-2024-22037

Vulnerability Information

CPE: p-cpe:/a:novell:suse_linux:supportutils-plugin-salt, p-cpe:/a:novell:suse_linux:golang-github-prometheus-promu, cpe:/o:novell:suse_linux:15

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/SuSE/release, Host/SuSE/rpm-list

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 2/14/2025

Vulnerability Publication Date: 6/22/2023

Reference Information

CVE: CVE-2023-3128, CVE-2023-6152, CVE-2024-22037, CVE-2024-45337, CVE-2024-51744, CVE-2024-6837, CVE-2024-8118

SuSE: SUSE-SU-2025:0525-1