CVE-2022-21949: Multiple XXE vulnerabilities in OBS
An Improper Restriction of XML External Entity Reference (XXE) vulnerability in SUSE Open Build Service allows remote attackers to reference external entities in certain operations. This can be used to read information from the server that can then be abused to escalate to Admin privileges on OBS. This issue affects SUSE Open Build Service versions prior to 2.10.13.
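The mechanism behind the advisory, as an added illustration (this is not OBS code, nor the libxml2/Nokogiri code path OBS uses): an attacker declares a SYSTEM entity pointing at a server-side file and references it from an element the server later echoes back. The deliberately naive `expand_entities_unsafely` below stands in for a parser configured to substitute entities; it reads the file the entity names. The hardened `parse_xml_strict` refuses any document carrying a DOCTYPE before the real parser ever sees it, which is the right policy for an API whose payloads never legitimately need a DTD. The secret file and the function names are constructed for this example; the REXML comparison reflects comment 19 below.

```ruby
# Added example, not from OBS or libxml2: XXE mechanics and a DOCTYPE guard.
require 'tempfile'
require 'rexml/document'

ENTITY_DECL = /<!ENTITY\s+(\w+)\s+(?:SYSTEM\s+"([^"]*)"|"([^"]*)")\s*>/
ENTITY_REF  = /&(\w+);/

# Deliberately naive resolver that behaves like a parser with entity
# substitution enabled: SYSTEM entities are fetched from disk and spliced
# into the document text. This is the vulnerable behaviour, kept on purpose.
def expand_entities_unsafely(xml)
  entities = {}
  xml.scan(ENTITY_DECL) do |name, system_id, literal|
    entities[name] = system_id ? File.read(system_id.sub(%r{\Afile://}, '')) : literal
  end
  body = xml.sub(/<!DOCTYPE.*?\]\s*>/m, '')
  body.gsub(ENTITY_REF) { |ref| entities.fetch(Regexp.last_match(1), ref) }
end

# Guard: refuse any DTD up front, so no entity (internal or external) can be
# declared at all. Only then hand the bytes to the XML parser.
def parse_xml_strict(xml)
  raise ArgumentError, 'DOCTYPE/DTD not allowed in API payloads' if xml.match?(/<!DOCTYPE/i)
  REXML::Document.new(xml)
end

# REXML (Ruby stdlib) does not fetch SYSTEM entities; the reference is left
# unexpanded or the parse is refused. Either way no file content comes back.
def rexml_default_text(xml)
  REXML::Document.new(xml).root.elements['title'].text
rescue StandardError
  nil
end

# Runs the three approaches against a payload targeting a throw-away file
# (constructed here, standing in for a server-side secret such as OBS's
# secret.key) and reports what each one let through.
def xxe_demo
  secret = Tempfile.new('secret.key')
  secret.write("constructed-secret-key-material\n")
  secret.flush
  payload = <<~XML
    <?xml version="1.0"?>
    <!DOCTYPE request [
      <!ENTITY xxe SYSTEM "file://#{secret.path}">
    ]>
    <request><title>&xxe;</title></request>
  XML
  strict_rejected = begin
    parse_xml_strict(payload)
    false
  rescue ArgumentError
    true
  end
  {
    unsafe_leaks: expand_entities_unsafely(payload).include?('constructed-secret-key-material'),
    rexml_leaks: rexml_default_text(payload).to_s.include?('constructed-secret-key-material'),
    strict_rejected: strict_rejected
  }
ensure
  secret&.close!
end

p xxe_demo if __FILE__ == $PROGRAM_NAME
```

With Nokogiri on top of libxml2 the same mistake usually takes the form of enabling the `NOENT` parse option (the name suggests "no entities" but it turns substitution on); the guard above is independent of the parser and is the check worth adding on any endpoint that accepts XML from unprivileged users. The OBS-specific fix is in the commit referenced in the thread below.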
Comment 9 Adrian Schröter 2022-04-05 06:15:52 UTC
It is not a bug in libxml2 per se, it is a long-standing poor default. But you would break tooling (not OBS related) if it behaved differently now and disabled external entities by default.
Comment 10 Stephan Kulow 2022-04-05 06:31:43 UTC
It’s not even the default - it’s very bad API documentation that not only I fell over.
Comment 11 Johannes Segitz 2022-04-05 06:56:39 UTC
Please use CVE-2022-21949. For now just one CVE, I might split this up later on to track individual cases.
Comment 12 Johannes Segitz 2022-04-05 14:34:25 UTC
I can extract the secret.key with this to alter the session cookies. Still working on a full exploit for this
Comment 13 Victor Pereira 2022-04-06 08:50:37 UTC
Could you please check if the issues are still present on master or production, Johannes? With the patches applied with commit 68a0e354193b3b9da513676d20fbf3a28ceac0ff, all the issues reported in this bug are gone. The patches are already in production and in the 2.10 repository (used by our appliance); however, we still haven't released a new version for that.
Comment 15 Johannes Segitz 2022-04-06 11:23:20 UTC
Who's responsible for releasing the appliances? Also, we should send out an advisory to notify Build Service admins of the issue, since it's pretty severe. I can help draft it if needed.
Comment 17 Adrian Schröter 2022-04-06 11:25:30 UTC
Appliances usually get released together with the packages; they are part of testing and building inside the same project.
Comment 19 Victor Pereira 2022-04-06 12:17:57 UTC
After some further research: REXML doesn't support expanding SYSTEM entities. So REXML doesn't have a vulnerability related to external content.
Comment 20 Johannes Segitz 2022-04-07 13:09:49 UTC
(In reply to Adrian Schröter from comment #17) Okay, good, thanks. Do we have a good communications channel to inform downstream users of the issue? I think we should do more than just mentioning this in the changes.
Comment 21 Hendrik Vogelsang 2022-04-08 10:28:22 UTC
Downstream users are supposed to use our releases. We are going to do a release of 2.10. As usual they are announced on our blog & mailing list.
Comment 22 Johannes Segitz 2022-04-08 11:20:46 UTC
Please make sure to make clear in the announcement how important this update is.
Comment 25 Ruediger Oertel 2022-04-20 12:34:42 UTC
b.s.c updated.
Comment 26 Marcus Meissner 2022-04-20 15:39:10 UTC
I rated CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Comment 27 Johannes Segitz 2022-05-03 07:47:09 UTC
Published the CVE.