SUSE releases critical Go 1.22 OpenSSL security update patching CVE-2024-45336 (HTTP header leak), CVE-2024-45341 (certificate bypass), and CVE-2025-22866 (crypto timing attack). Learn patch commands for SUSE Linux Enterprise, HPC, and SAP systems.
SUSE has released a high-priority security update for go1.22-openssl, addressing three critical vulnerabilities that could expose systems to data leaks, bypassed security constraints, and variable-time cryptographic attacks. Enterprises relying on SUSE Linux distributions must apply this patch immediately to mitigate risks.
Key Security Fixes in Go 1.22.12
This update resolves the following CVEs (Common Vulnerabilities and Exposures):
CVE-2024-45336 (CVSS 6.1)
Risk: Sensitive HTTP headers sent after cross-domain redirects
Impact: Potential session hijacking or credential leakage
Affected: net/http package
CVE-2024-45341 (CVSS 6.1)
Risk: IPv6 zone IDs bypass URI name constraints in crypto/x509
Impact: Man-in-the-middle (MITM) attacks or certificate spoofing
CVE-2025-22866 (CVSS 6.0)
Risk: Variable-time execution in p256NegCond (PPC64LE architecture)
Impact: Side-channel attacks compromising ECC cryptographic operations
🔹 Additional Fixes:
1 feature enhancement (undisclosed)
1 security hardening patch
Affected SUSE Products
This update applies to:
✔ SUSE Linux Enterprise Server (15 SP3-SP5)
✔ SUSE High Performance Computing (HPC) 15 SP3-SP5
✔ SUSE Enterprise Storage 7.1
✔ SUSE Linux Enterprise for SAP Applications (15 SP3-SP5)
📌 Long-Term Support (LTSS) & Extended Support (ESPOS) versions included.
How to Install the Security Patch
Recommended Methods
YaST Online Update (GUI)
Command Line:
zypper patch
Manual Patch Commands (Per Distribution)
| Product | Install Command |
|---|---|
| SUSE Linux Enterprise Server 15 SP5 | zypper in -t patch SUSE-SLE-Product-SLES-15-SP5-LTSS-2025-1555=1 |
| SUSE HPC 15 SP4 | zypper in -t patch SUSE-SLE-Product-HPC-15-SP4-LTSS-2025-1555=1 |
| SUSE SAP Applications 15 SP5 | zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP5-2025-1555=1 |
(Full command list available in SUSE Security Advisory SU-2025:1555-1)
Why This Update Matters for Enterprises
🚨 Unpatched systems risk:
Data breaches via HTTP header leaks
Bypassed TLS/SSL certificate checks
Cryptographic timing attacks on financial/healthcare systems
💡 Best Practices:
Schedule immediate patching for production servers.
Audit Go-based microservices for exposure.
Monitor NVD updates for emerging threats.
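The patch commands above tell you how to fix a host, and the "audit Go-based microservices" advice tells you what to look for, but neither says how to find binaries built with a pre-fix toolchain. The following POSIX shell script is an added example (not SUSE tooling and not part of the advisory): it reads the toolchain version baked into each compiled Go binary with `go version -m`, flags anything on the 1.22 branch older than 1.22.12 (the fixed release named in this post), and prints the zypper command from the table for a given product. The product keys (`sles15sp5`, `hpc15sp4`, `sap15sp5`) are hypothetical names chosen for this script, and it assumes binaries built with go1.22-openssl report a plain `go1.22.N` version string.

```shell
#!/bin/sh
# Added example: find Go binaries built with a vulnerable 1.22 toolchain and
# show the SUSE patch command for the host. Fixed version taken from the post.
FIXED_VERSION="1.22.12"

# version_lt A B: true (exit 0) when dotted version A is numerically lower than B.
# Numeric per-field comparison, so 1.22.9 is correctly below 1.22.12.
version_lt() {
    a="$1"; b="$2"; i=1
    while [ "$i" -le 3 ]; do
        ax=$(printf '%s' "$a" | cut -d. -f"$i")
        bx=$(printf '%s' "$b" | cut -d. -f"$i")
        ax=${ax:-0}; bx=${bx:-0}          # "1.22" counts as 1.22.0
        if [ "$ax" -lt "$bx" ]; then return 0; fi
        if [ "$ax" -gt "$bx" ]; then return 1; fi
        i=$((i + 1))
    done
    return 1
}

# needs_patch VERSION: true when a Go version string ("go1.22.11" or "1.22.11")
# is on the 1.22 branch and older than the fix. Other branches are outside this
# advisory (assumption: the update only covers go1.22-openssl).
needs_patch() {
    v=${1#go}
    case "$v" in
        1.22|1.22.*) version_lt "$v" "$FIXED_VERSION" ;;
        *) return 1 ;;
    esac
}

# binary_go_version PATH: toolchain version recorded in a compiled Go binary,
# read with "go version -m" (real command; needs a Go toolchain on the host).
# First output line looks like "/path/to/bin: go1.22.11".
binary_go_version() {
    go version -m "$1" 2>/dev/null | sed -n '1s/^[^:]*: go//p'
}

# patch_command PRODUCT: zypper command from the advisory table for a hypothetical
# product key; unknown keys point the operator at the full advisory list.
patch_command() {
    case "$1" in
        sles15sp5) echo "zypper in -t patch SUSE-SLE-Product-SLES-15-SP5-LTSS-2025-1555=1" ;;
        hpc15sp4)  echo "zypper in -t patch SUSE-SLE-Product-HPC-15-SP4-LTSS-2025-1555=1" ;;
        sap15sp5)  echo "zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP5-2025-1555=1" ;;
        *) echo "unknown product '$1'; see the SUSE advisory for the full list" >&2; return 1 ;;
    esac
}

# audit_dir DIR: report every executable under DIR built with a vulnerable toolchain.
audit_dir() {
    find "$1" -type f -perm -u+x 2>/dev/null | while read -r f; do
        v=$(binary_go_version "$f")
        [ -n "$v" ] || continue              # not a Go binary, or no toolchain
        if needs_patch "$v"; then
            echo "VULNERABLE  $f (built with go$v, fixed in go$FIXED_VERSION)"
        fi
    done
}

# Usage: sh go_openssl_audit.sh /usr/local/bin            (list vulnerable binaries)
#        sh go_openssl_audit.sh /usr/local/bin sles15sp5  (also print the patch command)
if [ "$#" -ge 1 ]; then audit_dir "$1"; fi
if [ "$#" -ge 2 ]; then patch_command "$2"; fi
```

Note that the version check is deliberately numeric rather than a string comparison, because a lexical sort would rank 1.22.9 above 1.22.12 and silently skip a vulnerable build. Patching the package with zypper fixes newly built binaries; services compiled before the update still carry the old toolchain until they are rebuilt and redeployed, which is what the audit surfaces.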
Additional References
🔗 CVE Details:
📜 Bug Reports:
FAQ
❓ Is this update backward compatible?
✅ Yes—no breaking changes reported.
❓ Does this affect non-SUSE Linux distributions?
⚠️ Potentially, if using Go 1.22 with OpenSSL. Check upstream advisories.
❔ How urgent is deployment?
⏱ Moderate urgency—exploits require specific conditions but pose enterprise risks.
