Critical security update for Yelp-XSL (CVE-2025-3155) affecting SUSE Linux & openSUSE. Learn how to patch this high-risk vulnerability (CVSS 6.9-7.4) to prevent remote code execution & unauthorized file access. Includes patch commands & FAQs.
🚨 Immediate Action Required: Moderate-Risk Security Flaw Discovered
A newly identified vulnerability (CVE-2025-3155) in Yelp-XSL could allow arbitrary JavaScript execution and unauthorized file access via malicious help files. This security update is critical for SUSE Linux Enterprise, openSUSE Leap, and Desktop Applications Module users.
🔍 Why This Matters:
CVSS Score: 6.9 (High Severity) – Exploitable remotely with user interaction.
Affected Systems: SUSE Linux Enterprise 15 SP6/SP7, openSUSE Leap 15.4/15.6.
Risk: Attackers could execute malicious scripts or steal sensitive data through crafted help files.
📌 Patch Details & Installation Guide
🔧 How to Apply the Security Update
To mitigate CVE-2025-3155, apply the latest patch using one of these methods:
✅ Recommended:
YaST Online Update (GUI)
Zypper Patch (CLI)
📌 Manual Patch Commands (Per Distribution):
| Distribution | Installation Command |
|---|---|
| openSUSE Leap 15.4 | zypper in -t patch SUSE-2025-2168=1 |
| openSUSE Leap 15.6 | zypper in -t patch openSUSE-SLE-15.6-2025-2168=1 |
| SUSE Linux Enterprise Desktop 15 SP6 | zypper in -t patch SUSE-SLE-Module-Desktop-Applications-15-SP6-2025-2168=1 |
| SUSE Linux Enterprise Desktop 15 SP7 | zypper in -t patch SUSE-SLE-Module-Desktop-Applications-15-SP7-2025-2168=1 |
📜 Vulnerability Breakdown
📂 What is CVE-2025-3155?
A security flaw in Yelp-XSL allows:
Remote Code Execution (RCE) via crafted help documents.
Arbitrary File Read through manipulated
ghelpscheme URLs.
📊 CVSS v4.0 vs. v3.1 Comparison
| Source | CVSS v4.0 Score | CVSS v3.1 Score |
|---|---|---|
| SUSE | 6.9 (AV:N/AC:L/PR:N/UI:A/VC:H) | 6.5 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N) |
| NVD | – | 7.4 (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N) |
🔹 Key Takeaway: The NVD rates this as a higher risk (7.4) due to potential broader system impact.
🚀 Why Update Now?
✅ Prevent Exploits: Block attackers from leveraging this flaw.
✅ Compliance: Stay aligned with enterprise security policies.
✅ System Integrity: Avoid unauthorized data leaks.
📌 Frequently Asked Questions (FAQ)
❓ Who is affected?
All users of:
SUSE Linux Enterprise (Desktop/Server/Real Time/SAP) 15 SP6/SP7
openSUSE Leap 15.4/15.6
Desktop Applications Module 15-SP6/15-SP7
❓ Is there a workaround if I can’t patch immediately?
⚠️ No official workaround exists. The only secure solution is applying the patch ASAP.
❓ How was this vulnerability discovered?
Reported via Bugzilla (bsc#1240688)
Assigned CVE-2025-3155 by SUSE Security Team
Nenhum comentário:
Postar um comentário