🟠 High   ⏱ 15–60 min  Last verified: 25 May 2026
Affected versions: SLES 12

📖 ~4 min read  •  Source: SUSE advisory RHSA-2026:10135 (see also SUSE bugzilla)

Related CVEs: CVE-2026-34986 CVE-2026-33186

Upstream summary: Go JOSE provides an implementation of the Javascript Object Signing and Encryption set of standards in Go, including support for JSON Web Encryption (JWE), JSON Web Signature (JWS), and JSON Web Token (JWT) standards. Prior to 4.1.4 and 3.0.5, decrypting a JSON Web Encryption (JWE) object will panic if the alg field indicates a key wrapping algorithm (one ending in KW, with the exception of A128GCMKW, A192GCMKW, and A256GCMKW) and the encrypted_key field is empty. The panic h

Table of contents
  1. Symptom & Impact
  2. Environment & Reproduction
  3. Root Cause Analysis
  4. Quick Triage
  5. Step-by-Step Diagnosis
  6. Solution – Primary Fix
  7. Solution – Alternative Approaches
  8. Verification & Acceptance Criteria
  9. Rollback Plan
  10. Prevention & Hardening
  11. Related Errors & Cross-Refs
  12. References & Further Reading

Symptom & Impact

On SLES 12 hosts that have google-cloud-sap-agent installed, administrators report behaviour consistent with SUSE advisory RHSA-2026:10135: zypper patch-check lists open patches, services backed by google-cloud-sap-agent fail or restart unexpectedly, AppArmor profile warnings appear in journalctl -k — and for security-rated advisories the host is exposed to the vulnerability set above. Impact ranges from a single service-restart loop to wider availability incidents whenever google-cloud-sap-agent sits on the serving path.

Environment & Reproduction

Reproduction targets SLES 12. Confirm release, registration, and installed package:

cat /etc/os-release
SUSEConnect --status-text
SUSEConnect --list-extensions 2>/dev/null | head -30
rpm -q google-cloud-sap-agent
zypper info google-cloud-sap-agent | head -20

Trigger the workflow that exposes google-cloud-sap-agent — multiple vulnerabilities (2 CVEs) — patch and remediation guide while collecting:

sudo journalctl -u google-cloud-sap-agent -b --no-pager | tail -200
sudo journalctl -xe --no-pager | tail -200
sudo tail -200 /var/log/zypp/history
sudo tail -200 /var/log/audit/audit.log
# For SUSE support, bundle evidence with supportconfig:
sudo supportconfig -R /var/tmp -B google-cloud-sap-agent

Root Cause Analysis

Root cause is documented in SUSE advisory RHSA-2026:10135. SUSE security maintainers shipped fixes in the corresponding google-cloud-sap-agent update for SLES 12; running an outdated build leaves the host exposed to the failure modes described in the advisory. Correlate zypper history with system logs:

sudo zypper history | grep google-cloud-sap-agent
sudo zypper history --since='-7 days' | tail -40
sudo journalctl -k | grep -i apparmor | tail -100
cat /proc/sys/kernel/tainted   # non-zero = tainted kernel / out-of-tree modules

Quick Triage

Run these on SLES 12 to capture the current state of google-cloud-sap-agent:

rpm -q google-cloud-sap-agent                              # installed NVR
rpm -V google-cloud-sap-agent                              # verify shipped files
sudo zypper patch-check                    # open patches
sudo zypper lp -r SUSE-SLE-Server-12-* 2>/dev/null | head
systemctl --failed --no-pager
sudo firewall-cmd --list-all 2>/dev/null || sudo SuSEfirewall2 status 2>/dev/null
sudo aa-status                              # AppArmor profiles
# If google-cloud-sap-agent ships a systemd unit (unit name may differ from pkg name, e.g.
# bind→named, postgresql-server→postgresql, php-fpm→php-fpm):
systemctl list-unit-files | grep -i google | head

Step-by-Step Diagnosis

  1. List failed systemd units.

    systemctl --failed --no-pager

  2. Tail the journal for google-cloud-sap-agent and the system bus.

    sudo journalctl -u google-cloud-sap-agent -f --no-pager
sudo journalctl -xe -f --no-pager

  3. Inspect firewall posture. This release uses firewalld; SuSEfirewall2 may still be present on SLES 12 GA.

    sudo firewall-cmd --list-all-zones
sudo SuSEfirewall2 status 2>/dev/null   # legacy, only present on early SLES 12
sudo iptables -L -n -v | head -30

  4. Surface AppArmor denials and switch the profile to complain mode if needed.

    sudo journalctl -k | grep -i 'apparmor="DENIED"' | tail -30
sudo aa-status
sudo aa-complain /etc/apparmor.d/usr.sbin.google-cloud-sap-agent 2>/dev/null || true

  5. Verify google-cloud-sap-agent integrity and reinstall if anything is altered.

    sudo rpm -V google-cloud-sap-agent
sudo zypper verify
sudo zypper install --force google-cloud-sap-agent

  6. Correlate findings with /var/log/zypp/history, zypper history, and SUSE advisory RHSA-2026:10135 to pin the change that introduced google-cloud-sap-agent — multiple vulnerabilities (2 CVEs) — patch and remediation guide.

Solution – Primary Fix

Apply the corrective zypper transaction referenced by SUSE advisory RHSA-2026:10135, then reload affected systemd units:

sudo zypper ref                        # refresh repos
sudo zypper -n patch                   # apply ALL open patches (recommended)
# Or target a single package:
sudo zypper -n update google-cloud-sap-agent
sudo systemctl daemon-reload
# Unit name may differ from pkg name; check first:
systemctl list-unit-files | grep -i google | head
sudo systemctl restart google-cloud-sap-agent
rpm -q google-cloud-sap-agent                           # confirm new NVR
systemctl is-active google-cloud-sap-agent 2>/dev/null  # confirm running (if a unit exists)

For kernel / glibc / systemd / openssl advisories a reboot is required (or SLE Live Patching where licensed):

sudo zypper ps -s                      # services using deleted libs
sudo systemctl reboot                  # or: sudo shutdown -r now
# SUSE Live Patching (kgraft / klp) avoids reboot for kernel CVEs:
sudo zypper install -y kernel-livepatch-$(uname -r | tr - _)
klp -v patches                         # active livepatches

Need help rolling this patch across a SUSE fleet? Our IT Solutions & Services team manages SUSE patch windows with SUSE Manager / RMT and Live Patching. Get in touch for a free consultation.

Solution – Alternative Approaches

If the primary patch is not viable, choose from these:

  • Roll back via Snapper (Btrfs snapshots taken automatically before zypper transactions on SLES 12):

    sudo snapper list
sudo snapper undochange <pre>..<post>  # diff between two snapshot numbers
sudo snapper rollback <pre>            # boot the host into the chosen snapshot

  • Lock the package so zypper cannot upgrade it:

    sudo zypper al google-cloud-sap-agent                   # add lock
zypper ll | grep google-cloud-sap-agent                 # list locks
sudo zypper rl google-cloud-sap-agent                   # remove lock

  • Install an older NVR if a regression is suspected:

    zypper se -s google-cloud-sap-agent                     # show all available versions
sudo zypper install --oldpackage google-cloud-sap-agent-<older-NVR>

  • If SuSEfirewall2 is still in use (rare on modern SLES 12), migrate to firewalld:

    sudo zypper install -y firewalld
sudo systemctl disable --now SuSEfirewall2
sudo systemctl enable --now firewalld

  • Disable the AppArmor profile briefly to confirm policy is the cause, then re-enable:

    sudo aa-disable /etc/apparmor.d/usr.sbin.google-cloud-sap-agent
# reproduce, capture denials in the journal:
sudo journalctl -k | grep apparmor | tail
sudo aa-enforce /etc/apparmor.d/usr.sbin.google-cloud-sap-agent

  • Where SLE Live Patching is licensed, apply kernel fixes without reboot:

    klp -v patches                         # active livepatches
sudo zypper install -y kernel-livepatch-$(uname -r | tr - _)

Verification & Acceptance Criteria

All of these should pass after the fix:

rpm -q google-cloud-sap-agent                                            # expected fixed NVR
sudo zypper patch-check                                  # 0 critical patches outstanding
systemctl is-active google-cloud-sap-agent 2>/dev/null
sudo journalctl -u google-cloud-sap-agent --since "5 minutes ago" --no-pager | grep -iE "error|fail" || echo OK
sudo firewall-cmd --list-services
sudo aa-status | head -5
sudo zypper ps -s                                        # any services still using deleted libs

The original reproduction for google-cloud-sap-agent — multiple vulnerabilities (2 CVEs) — patch and remediation guide must not trigger across two consecutive runs.

Rollback Plan

Capture state before any change:

rpm -qa > /root/rpm-pre.txt
sudo zypper history list > /root/zypper-history-pre.txt
# Snapper takes pre/post snapshots automatically on Btrfs root.
sudo snapper create -d 'pre-patch-google-cloud-sap-agent'   # explicit named snapshot
sudo snapper list | head

To revert if the patch is bad:

# Preferred on Btrfs root — boot the prior snapshot:
sudo snapper rollback <snapshot-id>
sudo systemctl reboot
# Or downgrade just the package:
sudo zypper install --oldpackage google-cloud-sap-agent-<older-NVR>
sudo systemctl daemon-reload
sudo systemctl restart google-cloud-sap-agent
# Custom security policy cleanup:
sudo apparmor_parser -R /etc/apparmor.d/usr.sbin.google-cloud-sap-agent

Prevention & Hardening

Reduce the chance of this recurring on SLES 12:

  • Enable automatic patch installation:

    sudo zypper install -y zypper-automatic
sudo systemctl enable --now zypper-automatic.timer
# Or use YaST: yast2 online_update_configuration

  • Subscribe to sle-security-updates and watch suse.com/support/update.

  • Mirror through SUSE Manager or RMT (Repository Mirroring Tool) for controlled rollouts:

    sudo zypper install -y rmt-server rmt-cli
sudo rmt-cli sync
sudo rmt-cli products enable SLES/12/x86_64

  • Lock sensitive packages so they cannot be auto-upgraded:

    sudo zypper al google-cloud-sap-agent

  • Ensure Snapper is enabled on the root subvolume and pre/post hooks run for every zypper transaction:

    sudo snapper -c root get-config | head
# Default zypper plugin: /usr/lib/zypp/plugins/commit/snapper.zypp-commit-plugin

  • Monitor file integrity with AIDE:

    sudo zypper install -y aide
sudo aide --init && sudo mv /var/lib/aide/aide.db.new /var/lib/aide/aide.db
sudo aide --check

  • Subscribe to SUSE Live Patching so kernel CVEs can be remediated without reboot:

    sudo SUSEConnect -p sle-module-live-patching/12.0/x86_64
sudo zypper install -y kernel-livepatch-$(uname -r | tr - _)
klp -v patches

  • Keep AppArmor profiles in enforce; review /etc/apparmor.d/ after every package upgrade.

  • Apply CIS SUSE Linux Enterprise Server Benchmark hardening.

Issues that commonly surface alongside google-cloud-sap-agent — multiple vulnerabilities (2 CVEs) — patch and remediation guide: zypper lock contention, systemd unit ordering cycles, AppArmor denials, firewalld zone drift, and kernel taint flags. Useful triage:

sudo zypper ps -s
systemd-analyze critical-chain
sudo journalctl -k | grep apparmor | tail
sudo firewall-cmd --get-active-zones
cat /proc/sys/kernel/tainted

View all sles-12 tutorials on the Tutorials Hub →

Browse all common problems & solutions on the Tutorials Hub.

References & Further Reading

Primary reference: SUSE advisory RHSA-2026:10135 (see also SUSE bugzilla). Manual pages useful on SLES 12:

man zypper
man zypper.conf
man systemctl
man journalctl
man firewall-cmd
man snapper
man apparmor
man aa-status
man SUSEConnect
man klp

Other resources: SUSE Linux Enterprise Server 12 documentation, suse.com/security, SUSE security blog, and per-package notes in /usr/share/doc/packages/google-cloud-sap-agent/ for components implicated in google-cloud-sap-agent — multiple vulnerabilities (2 CVEs) — patch and remediation guide.