SUSE has released an important security update for the Amazon Systems Manager (SSM) Agent, addressing a critical vulnerability (CVE-2025-21613) in the go-git library.
This vulnerability could allow attackers to manipulate git-upload-pack flags under specific circumstances.
go-git is a highly extensible Git implementation library written in pure Go. An argument injection vulnerability was discovered in go-git versions prior to v5.13. Successful exploitation of this vulnerability could allow an attacker to set arbitrary values to git-upload-pack flags.
.png
)
The update is applicable to several SUSE Linux Enterprise products and Public Cloud Module 12 environments. Users are strongly urged to apply the patch promptly to safeguard their systems.
This only occurs when the file transport protocol is used, as it is the only protocol that shells out to Git binaries.
Investigate Real-World Malicious Links & Phishing Attacks With Threat Intelligence Lookup - Try for Free
Key Details of the Security Update
This flaw arises from improper processing of the URL field, creating an opening for argument injection attacks that could compromise system integrity.
The affected Amazon SSM Agent has been updated to version 3.3.1611.0, which resolves the vulnerability. The update ensures secure handling of inputs, mitigating the risk of exploitation.
List of Released Packages
| Product(s) | Fixed package version(s) | References |
|---|---|---|
| SUSE Linux Enterprise High Performance Computing 12 SUSE Linux Enterprise Module for Public Cloud 12 SUSE Linux Enterprise Server 12 SUSE Linux Enterprise Server 12 SP3 SUSE Linux Enterprise Server 12 SP4 SUSE Linux Enterprise Server 12 SP5 SUSE Linux Enterprise Server for SAP Applications 12 SUSE Linux Enterprise Server for SAP Applications 12 SP3 SUSE Linux Enterprise Server for SAP Applications 12 SP4 SUSE Linux Enterprise Server for SAP Applications 12 SP5 | amazon-ssm-agent >= 3.3.1611.0-4.36.1 | Patchnames: SUSE-SLE-Module-Public-Cloud-12-2025-191 |
| SUSE Linux Enterprise Module for Package Hub 15 SP6 | govulncheck-vulndb >= 0.0.20250108T191942-150000.1.26.1 | Patchnames: SUSE-SLE-Module-Packagehub-Subpackages-15-SP6-2025-60 |
| openSUSE Leap 15.6 | govulncheck-vulndb >= 0.0.20250108T191942-150000.1.26.1 | Patchnames: openSUSE-SLE-15.6-2025-60 |
| openSUSE Tumbleweed | amazon-ssm-agent >= 3.3.1611.0-1.1govulncheck-vulndb >= 0.0.20250108T191942-1.1grafana >= 11.3.0-5.1 | Patchnames: openSUSE-Tumbleweed-2025-14624 openSUSE-Tumbleweed-2025-14654 openSUSE-Tumbleweed-2025-14658 |
List of Affected Products
| Product(s) | Package(s) |
|---|---|
| SUSE Linux Enterprise Module for Public Cloud 15 SP3 | amazon-ssm-agent >= 3.3.1611.0-150000.5.20.1 |
| SUSE Linux Enterprise Server 15 SP3 | amazon-ssm-agent >= 3.3.1611.0-150000.5.20.1 |
| SUSE Linux Enterprise Server for SAP Applications 15 SP3 | amazon-ssm-agent >= 3.3.1611.0-150000.5.20.1 |
| SUSE Linux Enterprise High Performance Computing 15 SP3 | amazon-ssm-agent >= 3.3.1611.0-150000.5.20.1 |
| SUSE Manager Server 4.2 | amazon-ssm-agent >= 3.3.1611.0-150000.5.20.1 |
| SUSE Manager Proxy 4.2 | amazon-ssm-agent >= 3.3.1611.0-150000.5.20.1 |
| SUSE Manager Retail Branch Server 4.2 | amazon-ssm-agent >= 3.3.1611.0-150000.5.20.1 |
| SUSE Enterprise Storage 7.1 | amazon-ssm-agent >= 3.3.1611.0-150000.5.20.1 |
| SUSE Linux Enterprise Module for Public Cloud 15 SP4 | amazon-ssm-agent >= 3.3.1611.0-150000.5.20.1 |
| SUSE Linux Enterprise Server 15 SP4 | amazon-ssm-agent >= 3.3.1611.0-150000.5.20.1 |
| SUSE Linux Enterprise Server for SAP Applications 15 SP4 | amazon-ssm-agent >= 3.3.1611.0-150000.5.20.1 |
| SUSE Linux Enterprise High Performance Computing 15 SP4 | amazon-ssm-agent >= 3.3.1611.0-150000.5.20.1 |
| SUSE Manager Server 4.3 | amazon-ssm-agent >= 3.3.1611.0-150000.5.20.1 |
| SUSE Manager Proxy 4.3 | amazon-ssm-agent >= 3.3.1611.0-150000.5.20.1 |
| SUSE Manager Retail Branch Server 4.3 | amazon-ssm-agent >= 3.3.1611.0-150000.5.20.1 |
| SUSE Linux Enterprise Module for Public Cloud 15 SP5 | amazon-ssm-agent >= 3.3.1611.0-150000.5.20.1 |
| SUSE Linux Enterprise Server 15 SP5 | amazon-ssm-agent >= 3.3.1611.0-150000.5.20.1 |
| SUSE Linux Enterprise Server for SAP Applications 15 SP5 | amazon-ssm-agent >= 3.3.1611.0-150000.5.20.1 |
| SUSE Linux Enterprise High Performance Computing 15 SP5 | amazon-ssm-agent >= 3.3.1611.0-150000.5.20.1 |
| SUSE Linux Enterprise Module for Public Cloud 15 SP6 | amazon-ssm-agent >= 3.3.1611.0-150000.5.20.1 |
| SUSE Linux Enterprise Server 15 SP6 | amazon-ssm-agent >= 3.3.1611.0-150000.5.20.1 |
| SUSE Linux Enterprise Server for SAP Applications 15 SP6 | amazon-ssm-agent >= 3.3.1611.0-150000.5.20.1 |
| SUSE Linux Enterprise High Performance Computing 15 SP6 | amazon-ssm-agent >= 3.3.1611.0-150000.5.20.1 |
This update applies to the following versions of SUSE Linux Enterprise products:
- Public Cloud Module 12
- SUSE Linux Enterprise High Performance Computing: Versions 12 SP2 through SP5
- SUSE Linux Enterprise Server: Versions 12, 12 SP1 through SP5
- SUSE Linux Enterprise Server for SAP Applications: Versions 12, 12 SP1 through SP5
Update Instructions
SUSE recommends using YaST or the zypper patch command to apply the update. For specific product instructions, execute the following:
- Public Cloud Module 12
zypper in -t patch SUSE-SLE-Module-Public-Cloud-12-2025-191=1Make sure to restart any services or processes dependent on the Amazon SSM agent after the update is applied.
For Public Cloud Module 12 (aarch64, x86_64):
- Updated Package:
amazon-ssm-agent-3.3.1611.0-4.36.1
To maintain the security and stability of your environment, it’s crucial to update the Amazon SSM Agent immediately. This patch mitigates security vulnerabilities and ensures your infrastructure remains protected against exploitation.
Integrating Application Security into Your CI/CD Workflows Using Jenkins & Jira -> Free Webinar
