Security update for cobbler SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2018:2590-1 Final 1 1 2018-09-03T07:34:02Z current 2018-09-03T07:34:02Z 2018-09-03T07:34:02Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for cobbler This update for cobbler fixes the following issues: Security issues fixed: - Forbid exposure of private methods in the API (CVE-2018-10931, CVE-2018-1000225, bsc#1104287, bsc#1104189, bsc#1105442) - Check access token when calling 'modify_setting' API endpoint (bsc#1104190, bsc#1105440, CVE-2018-1000226) Other bugs fixed: - Do not try to hardlink to a symlink. The result will be a dangling symlink in the general case. (bsc#1097733) - fix kernel options when generating bootiso (bsc#1101670) This update was imported from the SUSE:SLE-12:Update update project. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/opensuse-security-announce/2018-09/msg00001.html E-Mail link for openSUSE-SU-2018:2590-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings openSUSE Leap 42.3 cobbler-2.6.6-17.1 cobbler-tests-2.6.6-17.1 cobbler-web-2.6.6-17.1 koan-2.6.6-17.1 cobbler-2.6.6-17.1 as a component of openSUSE Leap 42.3 cobbler-tests-2.6.6-17.1 as a component of openSUSE Leap 42.3 cobbler-web-2.6.6-17.1 as a component of openSUSE Leap 42.3 koan-2.6.6-17.1 as a component of openSUSE Leap 42.3 Cobbler version Verified as present in Cobbler versions 2.6.11+, but code inspection suggests at least 2.0.0+ or possibly even older versions may be vulnerable contains a Cross Site Scripting (XSS) vulnerability in cobbler-web that can result in Privilege escalation to admin.. This attack appear to be exploitable via "network connectivity". Sending unauthenticated JavaScript payload to the Cobbler XMLRPC API (/cobbler_api). CVE-2018-1000225 openSUSE Leap 42.3:cobbler-2.6.6-17.1 openSUSE Leap 42.3:cobbler-tests-2.6.6-17.1 openSUSE Leap 42.3:cobbler-web-2.6.6-17.1 openSUSE Leap 42.3:koan-2.6.6-17.1 critical Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2018-09/msg00001.html https://www.suse.com/security/cve/CVE-2018-1000225.html CVE-2018-1000225 https://bugzilla.suse.com/1104190 SUSE Bug 1104190 https://bugzilla.suse.com/1104287 SUSE Bug 1104287 https://bugzilla.suse.com/1105442 SUSE Bug 1105442 Cobbler version Verified as present in Cobbler versions 2.6.11+, but code inspection suggests at least 2.0.0+ or possibly even older versions may be vulnerable contains a Incorrect Access Control vulnerability in XMLRPC API (/cobbler_api) that can result in Privilege escalation, data manipulation or exfiltration, LDAP credential harvesting. This attack appear to be exploitable via "network connectivity". Taking advantage of improper validation of security tokens in API endpoints. Please note this is a different issue than CVE-2018-10931. CVE-2018-1000226 openSUSE Leap 42.3:cobbler-2.6.6-17.1 openSUSE Leap 42.3:cobbler-tests-2.6.6-17.1 openSUSE Leap 42.3:cobbler-web-2.6.6-17.1 openSUSE Leap 42.3:koan-2.6.6-17.1 important Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2018-09/msg00001.html https://www.suse.com/security/cve/CVE-2018-1000226.html CVE-2018-1000226 https://bugzilla.suse.com/1104190 SUSE Bug 1104190 https://bugzilla.suse.com/1104287 SUSE Bug 1104287 https://bugzilla.suse.com/1105440 SUSE Bug 1105440 https://bugzilla.suse.com/1105442 SUSE Bug 1105442 https://bugzilla.suse.com/1131852 SUSE Bug 1131852 It was found that cobbler 2.6.x exposed all functions from its CobblerXMLRPCInterface class over XMLRPC. A remote, unauthenticated attacker could use this flaw to gain high privileges within cobbler, upload files to arbitrary location in the context of the daemon. CVE-2018-10931 openSUSE Leap 42.3:cobbler-2.6.6-17.1 openSUSE Leap 42.3:cobbler-tests-2.6.6-17.1 openSUSE Leap 42.3:cobbler-web-2.6.6-17.1 openSUSE Leap 42.3:koan-2.6.6-17.1 critical Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2018-09/msg00001.html https://www.suse.com/security/cve/CVE-2018-10931.html CVE-2018-10931 https://bugzilla.suse.com/1104189 SUSE Bug 1104189 https://bugzilla.suse.com/1104190 SUSE Bug 1104190 https://bugzilla.suse.com/1104287 SUSE Bug 1104287 https://bugzilla.suse.com/1105440 SUSE Bug 1105440 https://bugzilla.suse.com/1105442 SUSE Bug 1105442 https://bugzilla.suse.com/1130105 SUSE Bug 1130105