{ "document":{ "aggregate_severity":{ "namespace":"https://nvd.nist.gov/vuln-metrics/cvss", "text":"High" }, "category":"csaf_vex", "csaf_version":"2.0", "distribution":{ "tlp":{ "label":"WHITE", "url":"https:/www.first.org/tlp/" } }, "lang":"en", "notes":[ { "text":"aops-ceres security update", "category":"general", "title":"Synopsis" }, { "text":"An update for aops-ceres is now available for openEuler-20.03-LTS-SP4 and openEuler-22.03-LTS-SP3.", "category":"general", "title":"Summary" }, { "text":"An agent which needs to be adopted in client, it managers some plugins, such as gala-gopher(kpi collection), fluentd(log collection) and so on.\n\nSecurity Fix(es):\nIn versions 1.3.0-1.4.1 of the ceres software package, the execute_shell_command function does not properly verify or filter the command or subcommand parameters entered by users. This allows an attacker to exploit the vulnerability by injecting malicious code and execute arbitrary commands locally. Attackers can exploit this vulnerability to perform unauthorized operations, which may cause severe security threats and losses to the system.(CVE-2021-33633)", "category":"general", "title":"Description" }, { "text":"An update for aops-ceres is now available for openEuler-20.03-LTS-SP4 and openEuler-22.03-LTS-SP3.\n\nopenEuler Security has rated this update as having a security impact of high. A Common Vunlnerability Scoring System(CVSS)base score,which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section.", "category":"general", "title":"Topic" }, { "text":"High", "category":"general", "title":"Severity" }, { "text":"aops-ceres", "category":"general", "title":"Affected Component" } ], "publisher":{ "issuing_authority":"openEuler security committee", "name":"openEuler", "namespace":"https://www.openeuler.org", "contact_details":"openeuler-security@openeuler.org", "category":"vendor" }, "references":[ { "summary":"openEuler-SA-2024-1159", "category":"self", "url":"https://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2024-1159" }, { "summary":"CVE-2021-33633", "category":"self", "url":"https://www.openeuler.org/en/security/cve/detail?cveId=CVE-2021-33633&packageName=aops-ceres" }, { "summary":"nvd cve", "category":"external", "url":"https://nvd.nist.gov/vuln/detail/CVE-2021-33633" }, { "summary":"openEuler-SA-2024-1159 vex file", "category":"self", "url":"https://repo.openeuler.org/security/data/csaf/advisories/2024/csaf-openeuler-sa-2024-1159.json" } ], "title":"An update for aops-ceres is now available for openEuler-20.03-LTS-SP4 and openEuler-22.03-LTS-SP3", "tracking":{ "initial_release_date":"2024-02-08T09:11:16+08:00", "revision_history":[ { "date":"2024-02-08T09:11:16+08:00", "summary":"Initial", "number":"1.0.0" }, { "date":"2024-10-31T09:11:16+08:00", "summary":"final", "number":"2.0.0" } ], "generator":{ "date":"2024-10-31T09:11:16+08:00", "engine":{ "name":"openEuler CSAF Tool V1.0" } }, "current_release_date":"2024-10-31T09:11:16+08:00", "id":"openEuler-SA-2024-1159", "version":"2.0.0", "status":"final" } }, "product_tree":{ "branches":[ { "name":"openEuler", "category":"vendor", "branches":[ { "name":"openEuler", "branches":[ { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:20.03-LTS-SP4" }, "product_id":"openEuler-20.03-LTS-SP4", "name":"openEuler-20.03-LTS-SP4" }, "name":"openEuler-20.03-LTS-SP4", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:22.03-LTS-SP3" }, "product_id":"openEuler-22.03-LTS-SP3", "name":"openEuler-22.03-LTS-SP3" }, "name":"openEuler-22.03-LTS-SP3", "category":"product_version" } ], "category":"product_name" }, { "name":"aarch64", "branches":[ { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:20.03-LTS-SP4" }, "product_id":"da-tool-v1.3.4-14.oe2003sp4.aarch64.rpm", "name":"da-tool-v1.3.4-14.oe2003sp4.aarch64.rpm" }, "name":"da-tool-v1.3.4-14.oe2003sp4.aarch64.rpm", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:20.03-LTS-SP4" }, "product_id":"dnf-hotpatch-plugin-v1.3.4-14.oe2003sp4.aarch64.rpm", "name":"dnf-hotpatch-plugin-v1.3.4-14.oe2003sp4.aarch64.rpm" }, "name":"dnf-hotpatch-plugin-v1.3.4-14.oe2003sp4.aarch64.rpm", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:20.03-LTS-SP4" }, "product_id":"aops-ceres-v1.3.4-14.oe2003sp4.aarch64.rpm", "name":"aops-ceres-v1.3.4-14.oe2003sp4.aarch64.rpm" }, "name":"aops-ceres-v1.3.4-14.oe2003sp4.aarch64.rpm", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:22.03-LTS-SP3" }, "product_id":"aops-ceres-v1.4.1-6.oe2203sp3.aarch64.rpm", "name":"aops-ceres-v1.4.1-6.oe2203sp3.aarch64.rpm" }, "name":"aops-ceres-v1.4.1-6.oe2203sp3.aarch64.rpm", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:22.03-LTS-SP3" }, "product_id":"da-tool-v1.4.1-6.oe2203sp3.aarch64.rpm", "name":"da-tool-v1.4.1-6.oe2203sp3.aarch64.rpm" }, "name":"da-tool-v1.4.1-6.oe2203sp3.aarch64.rpm", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:22.03-LTS-SP3" }, "product_id":"dnf-hotpatch-plugin-v1.4.1-6.oe2203sp3.aarch64.rpm", "name":"dnf-hotpatch-plugin-v1.4.1-6.oe2203sp3.aarch64.rpm" }, "name":"dnf-hotpatch-plugin-v1.4.1-6.oe2203sp3.aarch64.rpm", "category":"product_version" } ], "category":"architecture" }, { "name":"src", "branches":[ { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:20.03-LTS-SP4" }, "product_id":"aops-ceres-v1.3.4-14.oe2003sp4.src.rpm", "name":"aops-ceres-v1.3.4-14.oe2003sp4.src.rpm" }, "name":"aops-ceres-v1.3.4-14.oe2003sp4.src.rpm", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:22.03-LTS-SP3" }, "product_id":"aops-ceres-v1.4.1-6.oe2203sp3.src.rpm", "name":"aops-ceres-v1.4.1-6.oe2203sp3.src.rpm" }, "name":"aops-ceres-v1.4.1-6.oe2203sp3.src.rpm", "category":"product_version" } ], "category":"architecture" }, { "name":"x86_64", "branches":[ { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:20.03-LTS-SP4" }, "product_id":"da-tool-v1.3.4-14.oe2003sp4.x86_64.rpm", "name":"da-tool-v1.3.4-14.oe2003sp4.x86_64.rpm" }, "name":"da-tool-v1.3.4-14.oe2003sp4.x86_64.rpm", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:20.03-LTS-SP4" }, "product_id":"dnf-hotpatch-plugin-v1.3.4-14.oe2003sp4.x86_64.rpm", "name":"dnf-hotpatch-plugin-v1.3.4-14.oe2003sp4.x86_64.rpm" }, "name":"dnf-hotpatch-plugin-v1.3.4-14.oe2003sp4.x86_64.rpm", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:20.03-LTS-SP4" }, "product_id":"aops-ceres-v1.3.4-14.oe2003sp4.x86_64.rpm", "name":"aops-ceres-v1.3.4-14.oe2003sp4.x86_64.rpm" }, "name":"aops-ceres-v1.3.4-14.oe2003sp4.x86_64.rpm", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:22.03-LTS-SP3" }, "product_id":"aops-ceres-v1.4.1-6.oe2203sp3.x86_64.rpm", "name":"aops-ceres-v1.4.1-6.oe2203sp3.x86_64.rpm" }, "name":"aops-ceres-v1.4.1-6.oe2203sp3.x86_64.rpm", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:22.03-LTS-SP3" }, "product_id":"da-tool-v1.4.1-6.oe2203sp3.x86_64.rpm", "name":"da-tool-v1.4.1-6.oe2203sp3.x86_64.rpm" }, "name":"da-tool-v1.4.1-6.oe2203sp3.x86_64.rpm", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:22.03-LTS-SP3" }, "product_id":"dnf-hotpatch-plugin-v1.4.1-6.oe2203sp3.x86_64.rpm", "name":"dnf-hotpatch-plugin-v1.4.1-6.oe2203sp3.x86_64.rpm" }, "name":"dnf-hotpatch-plugin-v1.4.1-6.oe2203sp3.x86_64.rpm", "category":"product_version" } ], "category":"architecture" } ] } ], "relationships":[ { "relates_to_product_reference":"openEuler-20.03-LTS-SP4", "product_reference":"da-tool-v1.3.4-14.oe2003sp4.aarch64.rpm", "full_product_name":{ "product_id":"openEuler-20.03-LTS-SP4:da-tool-v1.3.4-14.oe2003sp4.aarch64", "name":"da-tool-v1.3.4-14.oe2003sp4.aarch64 as a component of openEuler-20.03-LTS-SP4" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-20.03-LTS-SP4", "product_reference":"dnf-hotpatch-plugin-v1.3.4-14.oe2003sp4.aarch64.rpm", "full_product_name":{ "product_id":"openEuler-20.03-LTS-SP4:dnf-hotpatch-plugin-v1.3.4-14.oe2003sp4.aarch64", "name":"dnf-hotpatch-plugin-v1.3.4-14.oe2003sp4.aarch64 as a component of openEuler-20.03-LTS-SP4" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-20.03-LTS-SP4", "product_reference":"aops-ceres-v1.3.4-14.oe2003sp4.aarch64.rpm", "full_product_name":{ "product_id":"openEuler-20.03-LTS-SP4:aops-ceres-v1.3.4-14.oe2003sp4.aarch64", "name":"aops-ceres-v1.3.4-14.oe2003sp4.aarch64 as a component of openEuler-20.03-LTS-SP4" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-22.03-LTS-SP3", "product_reference":"aops-ceres-v1.4.1-6.oe2203sp3.aarch64.rpm", "full_product_name":{ "product_id":"openEuler-22.03-LTS-SP3:aops-ceres-v1.4.1-6.oe2203sp3.aarch64", "name":"aops-ceres-v1.4.1-6.oe2203sp3.aarch64 as a component of openEuler-22.03-LTS-SP3" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-22.03-LTS-SP3", "product_reference":"da-tool-v1.4.1-6.oe2203sp3.aarch64.rpm", "full_product_name":{ "product_id":"openEuler-22.03-LTS-SP3:da-tool-v1.4.1-6.oe2203sp3.aarch64", "name":"da-tool-v1.4.1-6.oe2203sp3.aarch64 as a component of openEuler-22.03-LTS-SP3" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-22.03-LTS-SP3", "product_reference":"dnf-hotpatch-plugin-v1.4.1-6.oe2203sp3.aarch64.rpm", "full_product_name":{ "product_id":"openEuler-22.03-LTS-SP3:dnf-hotpatch-plugin-v1.4.1-6.oe2203sp3.aarch64", "name":"dnf-hotpatch-plugin-v1.4.1-6.oe2203sp3.aarch64 as a component of openEuler-22.03-LTS-SP3" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-20.03-LTS-SP4", "product_reference":"aops-ceres-v1.3.4-14.oe2003sp4.src.rpm", "full_product_name":{ "product_id":"openEuler-20.03-LTS-SP4:aops-ceres-v1.3.4-14.oe2003sp4.src", "name":"aops-ceres-v1.3.4-14.oe2003sp4.src as a component of openEuler-20.03-LTS-SP4" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-22.03-LTS-SP3", "product_reference":"aops-ceres-v1.4.1-6.oe2203sp3.src.rpm", "full_product_name":{ "product_id":"openEuler-22.03-LTS-SP3:aops-ceres-v1.4.1-6.oe2203sp3.src", "name":"aops-ceres-v1.4.1-6.oe2203sp3.src as a component of openEuler-22.03-LTS-SP3" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-20.03-LTS-SP4", "product_reference":"da-tool-v1.3.4-14.oe2003sp4.x86_64.rpm", "full_product_name":{ "product_id":"openEuler-20.03-LTS-SP4:da-tool-v1.3.4-14.oe2003sp4.x86_64", "name":"da-tool-v1.3.4-14.oe2003sp4.x86_64 as a component of openEuler-20.03-LTS-SP4" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-20.03-LTS-SP4", "product_reference":"dnf-hotpatch-plugin-v1.3.4-14.oe2003sp4.x86_64.rpm", "full_product_name":{ "product_id":"openEuler-20.03-LTS-SP4:dnf-hotpatch-plugin-v1.3.4-14.oe2003sp4.x86_64", "name":"dnf-hotpatch-plugin-v1.3.4-14.oe2003sp4.x86_64 as a component of openEuler-20.03-LTS-SP4" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-20.03-LTS-SP4", "product_reference":"aops-ceres-v1.3.4-14.oe2003sp4.x86_64.rpm", "full_product_name":{ "product_id":"openEuler-20.03-LTS-SP4:aops-ceres-v1.3.4-14.oe2003sp4.x86_64", "name":"aops-ceres-v1.3.4-14.oe2003sp4.x86_64 as a component of openEuler-20.03-LTS-SP4" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-22.03-LTS-SP3", "product_reference":"aops-ceres-v1.4.1-6.oe2203sp3.x86_64.rpm", "full_product_name":{ "product_id":"openEuler-22.03-LTS-SP3:aops-ceres-v1.4.1-6.oe2203sp3.x86_64", "name":"aops-ceres-v1.4.1-6.oe2203sp3.x86_64 as a component of openEuler-22.03-LTS-SP3" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-22.03-LTS-SP3", "product_reference":"da-tool-v1.4.1-6.oe2203sp3.x86_64.rpm", "full_product_name":{ "product_id":"openEuler-22.03-LTS-SP3:da-tool-v1.4.1-6.oe2203sp3.x86_64", "name":"da-tool-v1.4.1-6.oe2203sp3.x86_64 as a component of openEuler-22.03-LTS-SP3" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-22.03-LTS-SP3", "product_reference":"dnf-hotpatch-plugin-v1.4.1-6.oe2203sp3.x86_64.rpm", "full_product_name":{ "product_id":"openEuler-22.03-LTS-SP3:dnf-hotpatch-plugin-v1.4.1-6.oe2203sp3.x86_64", "name":"dnf-hotpatch-plugin-v1.4.1-6.oe2203sp3.x86_64 as a component of openEuler-22.03-LTS-SP3" }, "category":"default_component_of" } ] }, "vulnerabilities":[ { "cve":"CVE-2021-33633", "notes":[ { "text":"In versions 1.3.0-1.4.1 of the ceres software package, the execute_shell_command function does not properly verify or filter the command or subcommand parameters entered by users. This allows an attacker to exploit the vulnerability by injecting malicious code and execute arbitrary commands locally. Attackers can exploit this vulnerability to perform unauthorized operations, which may cause severe security threats and losses to the system.", "category":"description", "title":"Vulnerability Description" } ], "product_status":{ "fixed":[ "openEuler-20.03-LTS-SP4:da-tool-v1.3.4-14.oe2003sp4.aarch64", "openEuler-20.03-LTS-SP4:dnf-hotpatch-plugin-v1.3.4-14.oe2003sp4.aarch64", "openEuler-20.03-LTS-SP4:aops-ceres-v1.3.4-14.oe2003sp4.aarch64", "openEuler-22.03-LTS-SP3:aops-ceres-v1.4.1-6.oe2203sp3.aarch64", "openEuler-22.03-LTS-SP3:da-tool-v1.4.1-6.oe2203sp3.aarch64", "openEuler-22.03-LTS-SP3:dnf-hotpatch-plugin-v1.4.1-6.oe2203sp3.aarch64", "openEuler-20.03-LTS-SP4:aops-ceres-v1.3.4-14.oe2003sp4.src", "openEuler-22.03-LTS-SP3:aops-ceres-v1.4.1-6.oe2203sp3.src", "openEuler-20.03-LTS-SP4:da-tool-v1.3.4-14.oe2003sp4.x86_64", "openEuler-20.03-LTS-SP4:dnf-hotpatch-plugin-v1.3.4-14.oe2003sp4.x86_64", "openEuler-20.03-LTS-SP4:aops-ceres-v1.3.4-14.oe2003sp4.x86_64", "openEuler-22.03-LTS-SP3:aops-ceres-v1.4.1-6.oe2203sp3.x86_64", "openEuler-22.03-LTS-SP3:da-tool-v1.4.1-6.oe2203sp3.x86_64", "openEuler-22.03-LTS-SP3:dnf-hotpatch-plugin-v1.4.1-6.oe2203sp3.x86_64" ] }, "remediations":[ { "product_ids":[ "openEuler-20.03-LTS-SP4:da-tool-v1.3.4-14.oe2003sp4.aarch64", "openEuler-20.03-LTS-SP4:dnf-hotpatch-plugin-v1.3.4-14.oe2003sp4.aarch64", "openEuler-20.03-LTS-SP4:aops-ceres-v1.3.4-14.oe2003sp4.aarch64", "openEuler-22.03-LTS-SP3:aops-ceres-v1.4.1-6.oe2203sp3.aarch64", "openEuler-22.03-LTS-SP3:da-tool-v1.4.1-6.oe2203sp3.aarch64", "openEuler-22.03-LTS-SP3:dnf-hotpatch-plugin-v1.4.1-6.oe2203sp3.aarch64", "openEuler-20.03-LTS-SP4:aops-ceres-v1.3.4-14.oe2003sp4.src", "openEuler-22.03-LTS-SP3:aops-ceres-v1.4.1-6.oe2203sp3.src", "openEuler-20.03-LTS-SP4:da-tool-v1.3.4-14.oe2003sp4.x86_64", "openEuler-20.03-LTS-SP4:dnf-hotpatch-plugin-v1.3.4-14.oe2003sp4.x86_64", "openEuler-20.03-LTS-SP4:aops-ceres-v1.3.4-14.oe2003sp4.x86_64", "openEuler-22.03-LTS-SP3:aops-ceres-v1.4.1-6.oe2203sp3.x86_64", "openEuler-22.03-LTS-SP3:da-tool-v1.4.1-6.oe2203sp3.x86_64", "openEuler-22.03-LTS-SP3:dnf-hotpatch-plugin-v1.4.1-6.oe2203sp3.x86_64" ], "details":"aops-ceres security update", "category":"vendor_fix", "url":"https://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2024-1159" } ], "scores":[ { "cvss_v3":{ "baseSeverity":"HIGH", "baseScore":7.3, "vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H", "version":"3.1" }, "products":[ "openEuler-20.03-LTS-SP4:da-tool-v1.3.4-14.oe2003sp4.aarch64", "openEuler-20.03-LTS-SP4:dnf-hotpatch-plugin-v1.3.4-14.oe2003sp4.aarch64", "openEuler-20.03-LTS-SP4:aops-ceres-v1.3.4-14.oe2003sp4.aarch64", "openEuler-22.03-LTS-SP3:aops-ceres-v1.4.1-6.oe2203sp3.aarch64", "openEuler-22.03-LTS-SP3:da-tool-v1.4.1-6.oe2203sp3.aarch64", "openEuler-22.03-LTS-SP3:dnf-hotpatch-plugin-v1.4.1-6.oe2203sp3.aarch64", "openEuler-20.03-LTS-SP4:aops-ceres-v1.3.4-14.oe2003sp4.src", "openEuler-22.03-LTS-SP3:aops-ceres-v1.4.1-6.oe2203sp3.src", "openEuler-20.03-LTS-SP4:da-tool-v1.3.4-14.oe2003sp4.x86_64", "openEuler-20.03-LTS-SP4:dnf-hotpatch-plugin-v1.3.4-14.oe2003sp4.x86_64", "openEuler-20.03-LTS-SP4:aops-ceres-v1.3.4-14.oe2003sp4.x86_64", "openEuler-22.03-LTS-SP3:aops-ceres-v1.4.1-6.oe2203sp3.x86_64", "openEuler-22.03-LTS-SP3:da-tool-v1.4.1-6.oe2203sp3.x86_64", "openEuler-22.03-LTS-SP3:dnf-hotpatch-plugin-v1.4.1-6.oe2203sp3.x86_64" ] } ], "threats":[ { "details":"High", "category":"impact" } ], "title":"CVE-2021-33633" } ] }