AIX : Multiple Vulnerabilities (IJ58122)

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(318321);
  script_version("1.1");
  script_set_attribute(attribute:"plugin_modification_date", value:"2026/06/03");

  script_cve_id(
    "CVE-2026-0989",
    "CVE-2026-0990",
    "CVE-2026-0992",
    "CVE-2026-6732"
  );

  script_name(english:"AIX : Multiple Vulnerabilities (IJ58122)");

  script_set_attribute(attribute:"synopsis", value:
"The remote AIX host is missing a security patch.");
  script_set_attribute(attribute:"description", value:
"The version of AIX installed on the remote host is prior to APAR IJ58122. It is, therefore, affected by multiple
vulnerabilities as referenced in the IJ58122 advisory.

  - A flaw was found in libxml2. This vulnerability occurs when the library processes a specially crafted XML
    Schema Definition (XSD) validated document that includes an internal entity reference. An attacker could
    exploit this by providing a malicious document, leading to a type confusion error that causes the
    application to crash. This results in a denial of service (DoS), making the affected system or application
    unavailable. (CVE-2026-6732)

  - A flaw was identified in the RelaxNG parser of libxml2 related to how external schema inclusions are
    handled. The parser does not enforce a limit on inclusion depth when resolving nested <include>
    directives. Specially crafted or overly complex schemas can cause excessive recursion during parsing. This
    may lead to stack exhaustion and application crashes, creating a denial-of-service risk. (CVE-2026-0989)

  - A flaw was found in libxml2, an XML parsing library. This uncontrolled recursion vulnerability occurs in
    the xmlCatalogXMLResolveURI function when an XML catalog contains a delegate URI entry that references
    itself. A remote attacker could exploit this configuration-dependent issue by providing a specially
    crafted XML catalog, leading to infinite recursion and call stack exhaustion. This ultimately results in a
    segmentation fault, causing a Denial of Service (DoS) by crashing affected applications. (CVE-2026-0990)

  - A flaw was found in the libxml2 library. This uncontrolled resource consumption vulnerability occurs when
    processing XML catalogs that contain repeated <nextCatalog> elements pointing to the same downstream
    catalog. A remote attacker can exploit this by supplying crafted catalogs, causing the parser to
    redundantly traverse catalog chains. This leads to excessive CPU consumption and degrades application
    availability, resulting in a denial-of-service condition. (CVE-2026-0992)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://www.ibm.com/support/pages/node/7274376");
  script_set_attribute(attribute:"see_also", value:"https://www.ibm.com/support/pages/apar/IJ58122");
  script_set_attribute(attribute:"solution", value:
"Please apply the appropriate interim fix per APAR IJ58122.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2026-6732");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2025/11/13");
  script_set_attribute(attribute:"patch_publication_date", value:"2026/05/28");
  script_set_attribute(attribute:"plugin_publication_date", value:"2026/06/03");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"AIX Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2026 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/AIX/lslpp", "Host/local_checks_enabled", "Host/AIX/version");

  exit(0);
}

include('aix.inc');

if ( ! get_kb_item('Host/local_checks_enabled') ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if ( ! get_kb_item('Host/AIX/version') ) audit(AUDIT_OS_NOT, "AIX");
if ( ! get_kb_item('Host/AIX/lslpp') ) audit(AUDIT_PACKAGE_LIST_MISSING);

if ( get_kb_item('Host/AIX/emgr_failure') ) exit(0, 'This iFix check is disabled because : ' + get_kb_item('Host/AIX/emgr_failure') );

var constraints = [
    {'release': '4.1', 'ml': '02', 'sp': '00', 'patch': 'IJ58122m0a', 'package': 'bos.rte.control', 'minfilesetver': '7.3.4.0', 'maxfilesetver': '7.3.4.0'},
    {'release': '7.3', 'ml': '04', 'sp': '00', 'patch': 'IJ58122m0a', 'package': 'bos.rte.control', 'minfilesetver': '7.3.4.0', 'maxfilesetver': '7.3.4.0'}
];

var flag = 0;
foreach var constraint (constraints) {
    var release = constraint['release'];
    var ml = constraint['ml'];
    var sp = constraint['sp'];
    var patch = constraint['patch'];
    var package = constraint['package'];
    var minfilesetver = constraint['minfilesetver'];
    var maxfilesetver = constraint['maxfilesetver'];
    if(aix_check_ifix(release: release, ml: ml, sp: sp, patch: patch, package: package, minfilesetver: minfilesetver, maxfilesetver: maxfilesetver) < 0) flag++;
}

if (flag)
{
  security_report_v4(
      port       : 0,
      severity   : SECURITY_HOLE,
      extra      : aix_report_get()
  );
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected - AIX");