Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
nessusThis script is Copyright (C) 2023 and is owned by Tenable, Inc. or an Affiliate thereof.AL2022_ALAS2022-2023-274.NASL
HistoryJan 25, 2023 - 12:00 a.m.

Amazon Linux 2022 : (ALAS2022-2023-274)

2023-01-2500:00:00
This script is Copyright (C) 2023 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
8
JSON

It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2022-2023-274 advisory.

  • Python 3.9.x before 3.9.16 and 3.10.x before 3.10.9 on Linux allows local privilege escalation in a non- default configuration. The Python multiprocessing library, when used with the forkserver start method on Linux, allows pickles to be deserialized from any user in the same machine local network namespace, which in many system configurations means any user on the same machine. Pickles can execute arbitrary code.
    Thus, this allows for local user privilege escalation to the user that any forkserver process is running as. Setting multiprocessing.util.abstract_sockets_supported to False is a workaround. The forkserver start method for multiprocessing is not the default start method. This issue is Linux specific because only Linux supports abstract namespace sockets. CPython before 3.9 does not make use of Linux abstract namespace sockets by default. Support for users manually specifying an abstract namespace socket was added as a bugfix in 3.7.8 and 3.8.3, but users would need to make specific uncommon API calls in order to do that in CPython before 3.9. (CVE-2022-42919)

  • An issue was discovered in Python before 3.11.1. An unnecessary quadratic algorithm exists in one path when processing some inputs to the IDNA (RFC 3490) decoder, such that a crafted, unreasonably long name being presented to the decoder could lead to a CPU denial of service. Hostnames are often supplied by remote servers that could be controlled by a malicious actor; in such a scenario, they could trigger excessive CPU consumption on the client attempting to make use of an attacker-supplied supposed hostname.
    For example, the attack payload could be placed in the Location header of an HTTP response with status code 302. A fix is planned in 3.11.1, 3.10.9, 3.9.16, 3.8.16, and 3.7.16. (CVE-2022-45061)

Note that Nessus has not tested for these issues but has instead relied only on the application’s self-reported version number.

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Amazon Linux 2022 Security Advisory ALAS2022-2023-274.
##

include('compat.inc');

if (description)
{
  script_id(170594);
  script_version("1.3");
  script_set_attribute(attribute:"plugin_modification_date", value:"2023/09/06");

  script_cve_id("CVE-2022-42919", "CVE-2022-45061");
  script_xref(name:"IAVA", value:"2023-A-0061-S");

  script_name(english:"Amazon Linux 2022 :  (ALAS2022-2023-274)");

  script_set_attribute(attribute:"synopsis", value:
"The remote Amazon Linux 2022 host is missing a security update.");
  script_set_attribute(attribute:"description", value:
"It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2022-2023-274 advisory.

  - Python 3.9.x before 3.9.16 and 3.10.x before 3.10.9 on Linux allows local privilege escalation in a non-
    default configuration. The Python multiprocessing library, when used with the forkserver start method on
    Linux, allows pickles to be deserialized from any user in the same machine local network namespace, which
    in many system configurations means any user on the same machine. Pickles can execute arbitrary code.
    Thus, this allows for local user privilege escalation to the user that any forkserver process is running
    as. Setting multiprocessing.util.abstract_sockets_supported to False is a workaround. The forkserver start
    method for multiprocessing is not the default start method. This issue is Linux specific because only
    Linux supports abstract namespace sockets. CPython before 3.9 does not make use of Linux abstract
    namespace sockets by default. Support for users manually specifying an abstract namespace socket was added
    as a bugfix in 3.7.8 and 3.8.3, but users would need to make specific uncommon API calls in order to do
    that in CPython before 3.9. (CVE-2022-42919)

  - An issue was discovered in Python before 3.11.1. An unnecessary quadratic algorithm exists in one path
    when processing some inputs to the IDNA (RFC 3490) decoder, such that a crafted, unreasonably long name
    being presented to the decoder could lead to a CPU denial of service. Hostnames are often supplied by
    remote servers that could be controlled by a malicious actor; in such a scenario, they could trigger
    excessive CPU consumption on the client attempting to make use of an attacker-supplied supposed hostname.
    For example, the attack payload could be placed in the Location header of an HTTP response with status
    code 302. A fix is planned in 3.11.1, 3.10.9, 3.9.16, 3.8.16, and 3.7.16. (CVE-2022-45061)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://alas.aws.amazon.com/AL2022/ALAS-2023-274.html");
  script_set_attribute(attribute:"see_also", value:"https://alas.aws.amazon.com/cve/html/CVE-2022-42919.html");
  script_set_attribute(attribute:"see_also", value:"https://alas.aws.amazon.com/cve/html/CVE-2022-45061.html");
  script_set_attribute(attribute:"solution", value:
"Run 'dnf update python3.10' to update your system.");
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:S/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2022-42919");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2022/11/07");
  script_set_attribute(attribute:"patch_publication_date", value:"2023/01/20");
  script_set_attribute(attribute:"plugin_publication_date", value:"2023/01/25");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:python3.10");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:python3.10-debug");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:python3.10-debuginfo");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:python3.10-debugsource");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:python3.10-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:python3.10-idle");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:python3.10-libs");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:python3.10-test");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:python3.10-tkinter");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:amazon:linux:2022");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_set_attribute(attribute:"stig_severity", value:"I");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Amazon Linux Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2023 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/AmazonLinux/release", "Host/AmazonLinux/rpm-list");

  exit(0);
}

include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);

var alas_release = get_kb_item("Host/AmazonLinux/release");
if (isnull(alas_release) || !strlen(alas_release)) audit(AUDIT_OS_NOT, "Amazon Linux");
var os_ver = pregmatch(pattern: "^AL(A|\d+|-\d+)", string:alas_release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Amazon Linux");
os_ver = os_ver[1];
if (os_ver != "-2022")
{
  if (os_ver == 'A') os_ver = 'AMI';
  audit(AUDIT_OS_NOT, "Amazon Linux 2022", "Amazon Linux " + os_ver);
}

if (!get_kb_item("Host/AmazonLinux/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

var pkgs = [
    {'reference':'python3.10-3.10.9-1.amzn2022.0.1', 'cpu':'aarch64', 'release':'AL-2022', 'rpm_spec_vers_cmp':TRUE},
    {'reference':'python3.10-3.10.9-1.amzn2022.0.1', 'cpu':'i686', 'release':'AL-2022', 'rpm_spec_vers_cmp':TRUE},
    {'reference':'python3.10-3.10.9-1.amzn2022.0.1', 'cpu':'x86_64', 'release':'AL-2022', 'rpm_spec_vers_cmp':TRUE},
    {'reference':'python3.10-debug-3.10.9-1.amzn2022.0.1', 'cpu':'aarch64', 'release':'AL-2022', 'rpm_spec_vers_cmp':TRUE},
    {'reference':'python3.10-debug-3.10.9-1.amzn2022.0.1', 'cpu':'i686', 'release':'AL-2022', 'rpm_spec_vers_cmp':TRUE},
    {'reference':'python3.10-debug-3.10.9-1.amzn2022.0.1', 'cpu':'x86_64', 'release':'AL-2022', 'rpm_spec_vers_cmp':TRUE},
    {'reference':'python3.10-debuginfo-3.10.9-1.amzn2022.0.1', 'cpu':'aarch64', 'release':'AL-2022', 'rpm_spec_vers_cmp':TRUE},
    {'reference':'python3.10-debuginfo-3.10.9-1.amzn2022.0.1', 'cpu':'i686', 'release':'AL-2022', 'rpm_spec_vers_cmp':TRUE},
    {'reference':'python3.10-debuginfo-3.10.9-1.amzn2022.0.1', 'cpu':'x86_64', 'release':'AL-2022', 'rpm_spec_vers_cmp':TRUE},
    {'reference':'python3.10-debugsource-3.10.9-1.amzn2022.0.1', 'cpu':'aarch64', 'release':'AL-2022', 'rpm_spec_vers_cmp':TRUE},
    {'reference':'python3.10-debugsource-3.10.9-1.amzn2022.0.1', 'cpu':'i686', 'release':'AL-2022', 'rpm_spec_vers_cmp':TRUE},
    {'reference':'python3.10-debugsource-3.10.9-1.amzn2022.0.1', 'cpu':'x86_64', 'release':'AL-2022', 'rpm_spec_vers_cmp':TRUE},
    {'reference':'python3.10-devel-3.10.9-1.amzn2022.0.1', 'cpu':'aarch64', 'release':'AL-2022', 'rpm_spec_vers_cmp':TRUE},
    {'reference':'python3.10-devel-3.10.9-1.amzn2022.0.1', 'cpu':'i686', 'release':'AL-2022', 'rpm_spec_vers_cmp':TRUE},
    {'reference':'python3.10-devel-3.10.9-1.amzn2022.0.1', 'cpu':'x86_64', 'release':'AL-2022', 'rpm_spec_vers_cmp':TRUE},
    {'reference':'python3.10-idle-3.10.9-1.amzn2022.0.1', 'cpu':'aarch64', 'release':'AL-2022', 'rpm_spec_vers_cmp':TRUE},
    {'reference':'python3.10-idle-3.10.9-1.amzn2022.0.1', 'cpu':'i686', 'release':'AL-2022', 'rpm_spec_vers_cmp':TRUE},
    {'reference':'python3.10-idle-3.10.9-1.amzn2022.0.1', 'cpu':'x86_64', 'release':'AL-2022', 'rpm_spec_vers_cmp':TRUE},
    {'reference':'python3.10-libs-3.10.9-1.amzn2022.0.1', 'cpu':'aarch64', 'release':'AL-2022', 'rpm_spec_vers_cmp':TRUE},
    {'reference':'python3.10-libs-3.10.9-1.amzn2022.0.1', 'cpu':'i686', 'release':'AL-2022', 'rpm_spec_vers_cmp':TRUE},
    {'reference':'python3.10-libs-3.10.9-1.amzn2022.0.1', 'cpu':'x86_64', 'release':'AL-2022', 'rpm_spec_vers_cmp':TRUE},
    {'reference':'python3.10-test-3.10.9-1.amzn2022.0.1', 'cpu':'aarch64', 'release':'AL-2022', 'rpm_spec_vers_cmp':TRUE},
    {'reference':'python3.10-test-3.10.9-1.amzn2022.0.1', 'cpu':'i686', 'release':'AL-2022', 'rpm_spec_vers_cmp':TRUE},
    {'reference':'python3.10-test-3.10.9-1.amzn2022.0.1', 'cpu':'x86_64', 'release':'AL-2022', 'rpm_spec_vers_cmp':TRUE},
    {'reference':'python3.10-tkinter-3.10.9-1.amzn2022.0.1', 'cpu':'aarch64', 'release':'AL-2022', 'rpm_spec_vers_cmp':TRUE},
    {'reference':'python3.10-tkinter-3.10.9-1.amzn2022.0.1', 'cpu':'i686', 'release':'AL-2022', 'rpm_spec_vers_cmp':TRUE},
    {'reference':'python3.10-tkinter-3.10.9-1.amzn2022.0.1', 'cpu':'x86_64', 'release':'AL-2022', 'rpm_spec_vers_cmp':TRUE}
];

var flag = 0;
foreach var package_array ( pkgs ) {
  var reference = NULL;
  var _release = NULL;
  var sp = NULL;
  var _cpu = NULL;
  var el_string = NULL;
  var rpm_spec_vers_cmp = NULL;
  var epoch = NULL;
  var allowmaj = NULL;
  var exists_check = NULL;
  if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];
  if (!empty_or_null(package_array['release'])) _release = package_array['release'];
  if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];
  if (!empty_or_null(package_array['cpu'])) _cpu = package_array['cpu'];
  if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];
  if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];
  if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];
  if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];
  if (!empty_or_null(package_array['exists_check'])) exists_check = package_array['exists_check'];
  if (reference && _release && (!exists_check || rpm_exists(release:_release, rpm:exists_check))) {
    if (rpm_check(release:_release, sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;
  }
}

if (flag)
{
  security_report_v4(
      port       : 0,
      severity   : SECURITY_WARNING,
      extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  var tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "python3.10 / python3.10-debug / python3.10-debuginfo / etc");
}
VendorProductVersionCPE
amazonlinuxpython3.10p-cpe:/a:amazon:linux:python3.10
amazonlinuxpython3.10-debugp-cpe:/a:amazon:linux:python3.10-debug
amazonlinuxpython3.10-debuginfop-cpe:/a:amazon:linux:python3.10-debuginfo
amazonlinuxpython3.10-debugsourcep-cpe:/a:amazon:linux:python3.10-debugsource
amazonlinuxpython3.10-develp-cpe:/a:amazon:linux:python3.10-devel
amazonlinuxpython3.10-idlep-cpe:/a:amazon:linux:python3.10-idle
amazonlinuxpython3.10-libsp-cpe:/a:amazon:linux:python3.10-libs
amazonlinuxpython3.10-testp-cpe:/a:amazon:linux:python3.10-test
amazonlinuxpython3.10-tkinterp-cpe:/a:amazon:linux:python3.10-tkinter
amazonlinux2022cpe:/o:amazon:linux:2022

Related

nessus 62
openvas 48
photon 2
fedora 33
oraclelinux 4
osv 12
veracode 2
prion 1
cbl_mariner 5
almalinux 4
rocky 3
redhat 3
debiancve 2
ibm 4
cve 2
alpinelinux 2
slackware 1
ubuntucve 2
ubuntu 2
redhatcve 2
f5 1
aix 1
amazon 1
nessus
nessus
Amazon Linux 2022 : (ALAS2022-2023-273)
2023-01-25 00:00:00
EulerOS 2.0 SP11 : python3 (EulerOS-SA-2023-1429)
2023-03-07 00:00:00
EulerOS 2.0 SP11 : python3 (EulerOS-SA-2023-1414)
2023-03-07 00:00:00
openvas
openvas
Huawei EulerOS: Security Advisory for python3 (EulerOS-SA-2023-1429)
2023-03-07 00:00:00
Huawei EulerOS: Security Advisory for python3 (EulerOS-SA-2023-1414)
2023-03-07 00:00:00
SUSE: Security Advisory (SUSE-SU-2022:4071-1)
2022-11-21 00:00:00
photon
photon
Important Photon OS Security Update - PHSA-2022-0283
2022-11-16 00:00:00
Important Photon OS Security Update - PHSA-2022-4.0-0283
2022-11-16 00:00:00
fedora
fedora
[SECURITY] Fedora 36 Update: pypy3.9-7.3.11-1.3.9.fc36
2023-01-13 01:21:37
[SECURITY] Fedora 37 Update: pypy3.9-7.3.11-1.3.9.fc37
2023-01-12 01:53:36
[SECURITY] Fedora 35 Update: python3.9-3.9.15-2.fc35
2022-11-18 01:06:51
oraclelinux
oraclelinux
python39:3.9 security update
2022-11-22 00:00:00
python3.9 security update
2022-11-24 00:00:00
python27:2.7 security update
2023-05-24 00:00:00
osv
osv
Important: python3.9 security update
2022-11-16 10:26:42
CVE-2022-42919
2022-11-07 00:15:09
Linux specific local privilege escalation via the multiprocessing forkserver start method
2022-11-06 00:00:00
veracode
veracode
Privilege Escalation
2022-11-16 20:35:10
Denial Of Service (DoS)
2022-12-12 08:25:10
prion
prion
Default configuration
2022-11-07 00:15:00
cbl_mariner
cbl_mariner
CVE-2022-42919 affecting package python3 3.7.13-6
2023-06-13 20:02:41
CVE-2022-42919 affecting package python3 3.9.19-1
2022-12-19 20:12:40
CVE-2022-45061 affecting package python3 3.9.14-2
2022-12-19 20:12:40
almalinux
almalinux
Important: python3.9 security update
2022-11-16 00:00:00
Important: python39:3.9 security update
2022-11-16 00:00:00
Moderate: python27:2.7 security update
2023-05-16 00:00:00
rocky
rocky
python3.9 security update
2022-11-16 10:26:42
python39:3.9 security update
2022-11-16 10:10:13
python3.9 security update
2023-04-06 15:53:31
redhat
redhat
(RHSA-2022:8493) Important: python3.9 security update
2022-11-16 10:26:42
(RHSA-2022:8492) Important: python39:3.9 security update
2022-11-16 10:10:13
(RHSA-2023:2860) Moderate: python27:2.7 security update
2023-05-16 05:56:37
debiancve
debiancve
CVE-2022-42919
2022-11-07 00:15:00
CVE-2022-45061
2022-11-09 07:15:00
ibm
ibm
Security Bulletin: IBM App Connect Enterprise Certified Container DesignerAuthoring operands that use mapping assistance may be vulnerable to elevated privileges due to [CVE-2022-42919]
2023-01-26 15:18:13
Security Bulletin: IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is vulnerable to a denial of service in Python ( CVE-2022-45061)
2023-05-03 14:10:35
Security Bulletin: Data Privacy on Cloud Pak for Data is Vulnerable to Python DoS error (CVE-2022-45061)
2023-06-06 16:31:59
cve
cve
CVE-2022-42919
2022-11-07 00:15:00
CVE-2022-45061
2022-11-09 07:15:00
alpinelinux
alpinelinux
CVE-2022-42919
2022-11-07 00:15:00
CVE-2022-45061
2022-11-09 07:15:00
slackware
slackware
[slackware-security] python3
2022-12-07 18:52:09
ubuntucve
ubuntucve
CVE-2022-42919
2022-11-02 00:00:00
CVE-2022-45061
2022-11-09 00:00:00
ubuntu
ubuntu
Python vulnerability
2022-11-03 00:00:00
Python vulnerabilities
2023-02-27 00:00:00
redhatcve
redhatcve
CVE-2022-42919
2022-10-31 04:25:52
CVE-2022-45061
2022-11-18 21:55:58
f5
f5
K000134706 : Python IDNA vulnerability CVE-2022-45061
2023-05-20 00:00:00
aix
aix
AIX is affected by a denial of service due to Python
2023-03-14 13:01:15
amazon
amazon
Important: python3
2023-01-18 00:17:00
JSON
Related for AL2022_ALAS2022-2023-274.NASL
nessus62openvas48photon2fedora33oraclelinux4osv12veracode2prion1cbl_mariner5almalinux4rocky3redhat3debiancve2ibm4cve2alpinelinux2slackware1ubuntucve2ubuntu2redhatcve2f51aix1amazon1