FERRAMENTAS LINUX: Critical Security Update: SUSE Linux Multi-Linux Manager Patches 8 Vulnerabilities

Wednesday, 18 June 2025

Critical Security Update: SUSE Linux Multi-Linux Manager Patches 8 Vulnerabilities


SUSE Linux Enterprise releases a critical security update (SU-2025:01987-1) patching 8 vulnerabilities, including high-risk CVEs like CVE-2024-9264 (CVSS 9.9). Learn how to protect your systems with this mandatory patch for Grafana, Prometheus, and Node Exporter tools.

(June 2025 Patch Release – CVE Details & Fix Guide)

1. Executive Summary

Why This Matters:

  • Moderate-to-critical vulnerabilities patched across SUSE Linux Enterprise 12 (Desktop, Server, HPC, SAP).

  • Key risks: Remote code execution (RCE), proxy bypass, XSS, and SQL injection flaws.

  • Affected tools (fixed versions): Grafana 11.5.5, Prometheus 2.53.4, Blackbox Exporter 0.26.0.

Action Required:

bash
# Patch command for SUSE Manager Client Tools:
zypper in -t patch SUSE-SLE-Manager-Tools-12-2025-1987=1

2. Vulnerability Breakdown

Critical CVEs (CVSS ≥ 9.0)

  1. CVE-2024-9264 (CVSS 9.9): SQL injection in Grafana’s query engine.

    • Impact: Attackers can execute arbitrary SQL commands.

    • Fix: Update to Grafana 11.5.5.

  2. CVE-2025-22872 (CVSS 6.5): HTML injection via golang.org/x/net.

    • Mitigation: Bump golang.org/x/net to v0.39.0.

High-Value Fixes for Enterprise Environments

  • CVE-2025-2703: XY Chart plugin flaw (CVSS 6.8).

  • CVE-2025-3454: Path sanitization bypass (CVSS 5.0).

Full CVE List:

CVE ID           CVSS   Component    Affected Versions
CVE-2024-9264    9.9    Grafana      <11.5.5
CVE-2025-22870   4.8    Prometheus   <2.53.4

3. Patch Benefits & Enterprise Features

Security Enhancements

  • Grafana 11.5.5:

    • AngularJS deprecated (reduces XSS surface).

    • Redis client upgraded to v9.6.3 (CVE-2025-29923).

Performance Upgrades

  • Prometheus 2.53.4 fixes GOGC CPU spikes (critical for Kubernetes monitoring).

  • Blackbox Exporter 0.26.0 adds TLS cipher suite metrics (valuable for PCI compliance).

4. Step-by-Step Patch Guide

For SUSE Linux Enterprise 12 SP5:

  1. LTSS Systems:

    bash
    zypper in -t patch SUSE-SLE-SERVER-12-SP5-LTSS-2025-1987=1

  2. SAP Applications:

    bash
    zypper in -t patch SUSE-SLE-SAP-12-SP5-2025-1987=1

Post-Install Checklist:

  • Verify Grafana dashboard permissions (CVE-2025-3454).

  • Audit Prometheus scrape configs (CVE-2023-45288).
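A post-install check that goes with the guide above: the script below compares the installed version of each monitoring component against the fixed versions the advisory summary names (Grafana 11.5.5, Prometheus 2.53.4, Blackbox Exporter 0.26.0) and reports OK, VULN or SKIP per package. It is an added example, not code from the SUSE advisory or the original post; the RPM package names it queries are assumptions about how the client tools are packaged and should be adjusted to match `rpm -qa` on the target host.

```shell
#!/bin/sh
# Added example (not part of the SUSE advisory or the original post).
# Checks whether the monitoring components covered by the patch are at or
# above the fixed versions given in the advisory summary.

# version_lt A B : succeed when version A sorts strictly before version B.
# Relies on GNU sort's natural version ordering (sort -V).
version_lt() {
    [ "$1" != "$2" ] && [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n1)" = "$1" ]
}

# is_patched INSTALLED FIXED : succeed when INSTALLED >= FIXED.
is_patched() {
    ! version_lt "$1" "$2"
}

# installed_version PKG : RPM version of PKG, or "missing" when the package
# is not installed (or rpm itself is unavailable on this host).
installed_version() {
    rpm -q --qf '%{VERSION}\n' "$1" 2>/dev/null || echo missing
}

# check_component PKG FIXED : print a one-line verdict; exit status 1 only
# when the package is installed and still below the fixed version.
check_component() {
    pkg=$1
    fixed=$2
    have=$(installed_version "$pkg")
    if [ "$have" = missing ]; then
        echo "SKIP   $pkg is not installed"
        return 0
    fi
    if is_patched "$have" "$fixed"; then
        echo "OK     $pkg $have (fixed in $fixed)"
        return 0
    fi
    echo "VULN   $pkg $have (needs $fixed or later)"
    return 1
}

main() {
    rc=0
    # Fixed versions come from the advisory summary; the package names are
    # assumptions about SUSE's packaging and may need adjusting locally.
    check_component grafana 11.5.5 || rc=1
    check_component golang-github-prometheus-prometheus 2.53.4 || rc=1
    check_component prometheus-blackbox_exporter 0.26.0 || rc=1
    return $rc
}

main "$@"
```

A non-zero exit status means at least one installed component is still below its fixed version, which makes the script usable as a gate in configuration management after `zypper in -t patch` has run.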

5. FAQs

Q: Is this update mandatory for HIPAA/GDPR compliance?

A: Yes. CVE-2024-9264 (SQLi) and CVE-2025-22872 (XSS) affect data integrity.

Q: How does this impact Kubernetes clusters?

A: Prometheus fixes prevent metric corruption (CVE-2025-22870).
