A series of Cobbler vulnerabilities have been addressed in Ubuntu 16.04 ESM in the recent security updates. Ubuntu 16.04 ESM (Expanded Security Maintenance) is the extended version of end-of-life Ubuntu 16.04 LTS with extra security patching beyond the end dates. ESM versions are available through Ubuntu Pro subscription, which is relatively expensive for security patching.
Alternatively, you can go with an affordable option, TuxCare’s Extended Lifecycle Support, which provides five years of vendor-grade security patches after the end-of-life period.
The vulnerabilities, along with their respective Common Vulnerabilities and Exposures (CVE) identifiers, are outlined below:
Cobbler Vulnerabilities Fixed in Ubuntu 16.04 ESM
CVE-2014-3225
Cobbler was found to mishandle user input, potentially leading to absolute path traversal. This vulnerability could be exploited by an attacker to read arbitrary files.
CVE-2017-1000469, CVE-2021-45082
Cobbler’s improper handling of user input could result in command injection, allowing an attacker to execute arbitrary code with elevated privileges.
CVE-2018-10931, CVE-2018-1000225, CVE-2018-1000226
Cobbler did not adequately hide private functions in a class, posing a risk of remote attackers gaining high privileges and uploading files to arbitrary locations.
CVE-2021-40323, CVE-2021-40324, CVE-2021-40325
The mishandling of user input in Cobbler could lead to log poisoning. A remote attacker might exploit this to bypass authorization, write to arbitrary files, or execute arbitrary code.
CVE-2021-45083
Cobbler did not correctly handle file permissions during package install or update operations, potentially enabling an attacker to perform a privilege escalation attack.
CVE-2022-0860
Cobbler was found to have an issue processing credentials for expired accounts, opening the door for an attacker to log in with an expired account or password.
Conclusion
To address these vulnerabilities, it is strongly recommended to update your Cobbler packages to the latest versions. A standard system update will be required to implement the necessary changes.
Contact TuxCare Linux security expert to get started with Extended Lifecycle Support and protect your Ubuntu 16.04 servers.
The sources for this article can be found on USN-6475-1.
The post Several Cobbler Vulnerabilities Fixed in Ubuntu 16.04 appeared first on TuxCare.
*** This is a Security Bloggers Network syndicated blog from TuxCare authored by Rohan Timalsina. Read the original post at: https://tuxcare.com/blog/several-cobbler-vulnerabilities-fixed-in-ubuntu-16-04/