Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
nessusThis script is Copyright (C) 2023-2024 and is owned by Tenable, Inc. or an Affiliate thereof.AL2_ALASDOCKER-2023-031.NASL
HistoryOct 20, 2023 - 12:00 a.m.

Amazon Linux 2 : docker (ALASDOCKER-2023-031)

2023-10-2000:00:00
This script is Copyright (C) 2023-2024 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
21
amazon linux 2
docker
vulnerability
alas2docker-2023-031
http/2
resource consumption
golang.org/x/net/http2

8.4 High

AI Score

Confidence

High

JSON

The version of docker installed on the remote host is prior to 20.10.25-1. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2DOCKER-2023-031 advisory.

  • A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of small requests. (CVE-2022-41723)

  • Templates do not properly consider backticks (`) as Javascript string delimiters, and do not escape them as expected. Backticks are used, since ES6, for JS template literals. If a template contains a Go template action within a Javascript template literal, the contents of the action can be used to terminate the literal, injecting arbitrary Javascript code into the Go template. As ES6 template literals are rather complex, and themselves can do string interpolation, the decision was made to simply disallow Go template actions from being used inside of them (e.g. var a = {{.}}), since there is no obviously safe way to allow this behavior. This takes the same approach as github.com/google/safehtml. With fix, Template.Parse returns an Error when it encounters templates like this, with an ErrorCode of value 12. This ErrorCode is currently unexported, but will be exported in the release of Go 1.21. Users who rely on the previous behavior can re-enable it using the GODEBUG flag jstmpllitinterp=1, with the caveat that backticks will now be escaped. This should be used with caution. (CVE-2023-24538)

  • Not all valid JavaScript whitespace characters are considered to be whitespace. Templates containing whitespace characters outside of the character set \t\n\f\r\u0020\u2028\u2029 in JavaScript contexts that also contain actions may not be properly sanitized during execution. (CVE-2023-24540)

  • A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is bounded by the http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attacker to create a new request while the existing one is still executing. With the fix applied, HTTP/2 servers now bound the number of simultaneously executing handler goroutines to the stream concurrency limit (MaxConcurrentStreams). New requests arriving when at the limit (which can only happen after the client has reset an existing, in-flight request) will be queued until a handler exits. If the request queue grows too large, the server will terminate the connection. This issue is also fixed in golang.org/x/net/http2 for users manually configuring HTTP/2. The default stream concurrency limit is 250 streams (requests) per HTTP/2 connection. This value may be adjusted using the golang.org/x/net/http2 package; see the Server.MaxConcurrentStreams setting and the ConfigureServer function. (CVE-2023-39325)

Note that Nessus has not tested for these issues but has instead relied only on the application’s self-reported version number.

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Amazon Linux 2 Security Advisory ALASDOCKER-2023-031.
##

include('compat.inc');

if (description)
{
  script_id(183448);
  script_version("1.5");
  script_set_attribute(attribute:"plugin_modification_date", value:"2024/05/10");

  script_cve_id(
    "CVE-2022-41723",
    "CVE-2023-24538",
    "CVE-2023-24540",
    "CVE-2023-39325"
  );
  script_xref(name:"IAVB", value:"2023-B-0080-S");

  script_name(english:"Amazon Linux 2 : docker (ALASDOCKER-2023-031)");

  script_set_attribute(attribute:"synopsis", value:
"The remote Amazon Linux 2 host is missing a security update.");
  script_set_attribute(attribute:"description", value:
"The version of docker installed on the remote host is prior to 20.10.25-1. It is, therefore, affected by multiple
vulnerabilities as referenced in the ALAS2DOCKER-2023-031 advisory.

  - A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient
    to cause a denial of service from a small number of small requests. (CVE-2022-41723)

  - Templates do not properly consider backticks (`) as Javascript string delimiters, and do not escape them
    as expected. Backticks are used, since ES6, for JS template literals. If a template contains a Go template
    action within a Javascript template literal, the contents of the action can be used to terminate the
    literal, injecting arbitrary Javascript code into the Go template. As ES6 template literals are rather
    complex, and themselves can do string interpolation, the decision was made to simply disallow Go template
    actions from being used inside of them (e.g. var a = {{.}}), since there is no obviously safe way to
    allow this behavior. This takes the same approach as github.com/google/safehtml. With fix, Template.Parse
    returns an Error when it encounters templates like this, with an ErrorCode of value 12. This ErrorCode is
    currently unexported, but will be exported in the release of Go 1.21. Users who rely on the previous
    behavior can re-enable it using the GODEBUG flag jstmpllitinterp=1, with the caveat that backticks will
    now be escaped. This should be used with caution. (CVE-2023-24538)

  - Not all valid JavaScript whitespace characters are considered to be whitespace. Templates containing
    whitespace characters outside of the character set \t\n\f\r\u0020\u2028\u2029 in JavaScript contexts
    that also contain actions may not be properly sanitized during execution. (CVE-2023-24540)

  - A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive
    server resource consumption. While the total number of requests is bounded by the
    http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attacker to create
    a new request while the existing one is still executing. With the fix applied, HTTP/2 servers now bound
    the number of simultaneously executing handler goroutines to the stream concurrency limit
    (MaxConcurrentStreams). New requests arriving when at the limit (which can only happen after the client
    has reset an existing, in-flight request) will be queued until a handler exits. If the request queue grows
    too large, the server will terminate the connection. This issue is also fixed in golang.org/x/net/http2
    for users manually configuring HTTP/2. The default stream concurrency limit is 250 streams (requests) per
    HTTP/2 connection. This value may be adjusted using the golang.org/x/net/http2 package; see the
    Server.MaxConcurrentStreams setting and the ConfigureServer function. (CVE-2023-39325)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://alas.aws.amazon.com/AL2/ALASDOCKER-2023-031.html");
  script_set_attribute(attribute:"see_also", value:"https://alas.aws.amazon.com/faqs.html");
  script_set_attribute(attribute:"see_also", value:"https://alas.aws.amazon.com/cve/html/CVE-2022-41723.html");
  script_set_attribute(attribute:"see_also", value:"https://alas.aws.amazon.com/cve/html/CVE-2023-24538.html");
  script_set_attribute(attribute:"see_also", value:"https://alas.aws.amazon.com/cve/html/CVE-2023-24540.html");
  script_set_attribute(attribute:"see_also", value:"https://alas.aws.amazon.com/cve/html/CVE-2023-39325.html");
  script_set_attribute(attribute:"solution", value:
"Run 'yum update docker' to update your system.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2023-24540");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2023/10/11");
  script_set_attribute(attribute:"patch_publication_date", value:"2023/10/18");
  script_set_attribute(attribute:"plugin_publication_date", value:"2023/10/20");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:docker");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:docker-debuginfo");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:amazon:linux:2");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_set_attribute(attribute:"stig_severity", value:"I");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Amazon Linux Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2023-2024 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/AmazonLinux/release", "Host/AmazonLinux/rpm-list");

  exit(0);
}

include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);

var alas_release = get_kb_item("Host/AmazonLinux/release");
if (isnull(alas_release) || !strlen(alas_release)) audit(AUDIT_OS_NOT, "Amazon Linux");
var os_ver = pregmatch(pattern: "^AL(A|\d+|-\d+)", string:alas_release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Amazon Linux");
os_ver = os_ver[1];
if (os_ver != "2")
{
  if (os_ver == 'A') os_ver = 'AMI';
  audit(AUDIT_OS_NOT, "Amazon Linux 2", "Amazon Linux " + os_ver);
}

if (!get_kb_item("Host/AmazonLinux/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

var pkgs = [
    {'reference':'docker-20.10.25-1.amzn2.0.3', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},
    {'reference':'docker-20.10.25-1.amzn2.0.3', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},
    {'reference':'docker-debuginfo-20.10.25-1.amzn2.0.3', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},
    {'reference':'docker-debuginfo-20.10.25-1.amzn2.0.3', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE}
];

var flag = 0;
foreach var package_array ( pkgs ) {
  var reference = NULL;
  var _release = NULL;
  var sp = NULL;
  var _cpu = NULL;
  var el_string = NULL;
  var rpm_spec_vers_cmp = NULL;
  var epoch = NULL;
  var allowmaj = NULL;
  var exists_check = NULL;
  if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];
  if (!empty_or_null(package_array['release'])) _release = package_array['release'];
  if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];
  if (!empty_or_null(package_array['cpu'])) _cpu = package_array['cpu'];
  if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];
  if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];
  if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];
  if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];
  if (!empty_or_null(package_array['exists_check'])) exists_check = package_array['exists_check'];
  if (reference && _release && (!exists_check || rpm_exists(release:_release, rpm:exists_check))) {
    if (rpm_check(release:_release, sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;
  }
}

if (flag)
{
  security_report_v4(
      port       : 0,
      severity   : SECURITY_HOLE,
      extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  var tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "docker / docker-debuginfo");
}
VendorProductVersionCPE
amazonlinux2cpe:/o:amazon:linux:2
amazonlinuxdocker-debuginfop-cpe:/a:amazon:linux:docker-debuginfo
amazonlinuxdockerp-cpe:/a:amazon:linux:docker

Related

nessus 52
amazon 7
ibm 12
openvas 26
redhat 11
fedora 22
cgr 4
cbl_mariner 18
redhatcve 3
osv 13
almalinux 2
wolfi 2
prion 3
cvelist 3
oraclelinux 2
rocky 1
freebsd 1
cve 2
debiancve 3
ubuntucve 3
alpinelinux 3
veracode 4
redos 1
github 1
nessus
nessus
Amazon Linux 2 : docker (ALASNITRO-ENCLAVES-2023-030)
2023-10-20 00:00:00
Amazon Linux 2 : docker (ALASECS-2023-019)
2023-11-01 00:00:00
Amazon Linux AMI : amazon-ssm-agent (ALAS-2023-1866)
2023-10-25 00:00:00
amazon
amazon
Important: amazon-ssm-agent
2023-10-12 15:48:00
Important: amazon-ssm-agent
2023-10-12 15:09:00
Important: amazon-ssm-agent
2023-10-12 15:09:00
ibm
ibm
Security Bulletin: Multiple vulnerabilities have been identified in Golang Go used with IBM Storage Scale Data Access Services (DAS) which can cause denial of service.
2023-12-12 09:34:21
Security Bulletin: Operations Dashboard is vulnerable to multiple vulnerabilities in Golang
2023-06-23 10:27:16
Security Bulletin: IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is vulnerable to arbitrary code execution in Golang Go [CVE-2023-24538]
2023-07-27 17:07:58
openvas
openvas
Huawei EulerOS: Security Advisory for golang (EulerOS-SA-2024-1269)
2024-03-12 00:00:00
Fedora: Security Advisory for podman-tui (FEDORA-2023-a5a5542890)
2023-11-20 00:00:00
Fedora: Security Advisory for podman-tui (FEDORA-2023-327346caa5)
2023-11-20 00:00:00
redhat
redhat
(RHSA-2023:7823) Important: OpenShift Container Platform 4.12.46 bug fix and security update
2024-01-04 14:38:25
(RHSA-2023:3323) Important: go-toolset-1.19 and go-toolset-1.19-golang security update
2023-05-25 12:17:40
(RHSA-2023:4420) Important: OpenShift Virtualization 4.12.5 RPMs security and bug fix update
2023-08-01 14:32:33
fedora
fedora
[SECURITY] Fedora 38 Update: podman-tui-0.12.0-1.fc38
2023-11-20 01:30:16
[SECURITY] Fedora 39 Update: podman-tui-0.12.0-1.fc39
2023-11-20 01:22:12
[SECURITY] Fedora 37 Update: podman-tui-0.12.0-1.fc37
2023-11-20 00:51:55
cgr
cgr
CVE-2023-24538 vulnerabilities
2024-05-19 03:07:16
CVE-2023-24540 vulnerabilities
2024-05-19 03:07:16
CVE-2023-39325 vulnerabilities
2024-05-19 03:07:16
cbl_mariner
cbl_mariner
CVE-2023-24538 affecting package golang for versions less than 1.19.8-1
2024-05-28 09:07:35
CVE-2023-24538 affecting package golang for versions less than 1.19.8-1
2024-05-28 09:07:28
CVE-2023-24540 affecting package golang for versions less than 1.21.6-1
2024-05-28 09:07:34
redhatcve
redhatcve
CVE-2023-24540
2023-05-08 09:52:44
CVE-2023-24538
2023-04-04 20:43:30
CVE-2022-41723
2023-03-14 23:43:00
osv
osv
CVE-2023-24540
2023-05-11 16:15:09
BIT-golang-2023-24540
2024-03-06 10:56:09
Important: go-toolset and golang security update
2023-05-25 00:00:00
almalinux
almalinux
Important: go-toolset and golang security update
2023-05-25 00:00:00
Important: go-toolset:rhel8 security update
2023-05-25 00:00:00
wolfi
wolfi
CVE-2023-24540 vulnerabilities
2024-05-28 15:40:08
CVE-2023-24538 vulnerabilities
2024-05-28 15:40:08
prion
prion
Code injection
2023-05-11 16:15:00
Design/Logic Flaw
2023-04-06 16:15:00
Design/Logic Flaw
2023-10-11 22:15:00
cvelist
cvelist
CVE-2023-24540 Improper handling of JavaScript whitespace in html/template
2023-05-11 15:29:31
CVE-2023-24538 Backticks not treated as string delimiters in html/template
2023-04-06 15:50:48
CVE-2023-39325 HTTP/2 rapid reset can cause excessive work in net/http
2023-10-11 21:15:02
oraclelinux
oraclelinux
go-toolset and golang security update
2023-05-25 00:00:00
go-toolset:ol8 security update
2023-05-25 00:00:00
rocky
rocky
go-toolset:Rocky Linux8 security update
2023-05-25 17:22:28
freebsd
freebsd
Grafana -- Critical vulnerability in golang
2023-04-19 00:00:00
cve
cve
CVE-2023-24538
2023-04-06 16:15:07
CVE-2023-24540
2023-05-11 16:15:09
debiancve
debiancve
CVE-2023-24540
2023-05-11 16:15:09
CVE-2023-24538
2023-04-06 16:15:07
CVE-2022-41723
2023-02-28 18:15:00
ubuntucve
ubuntucve
CVE-2023-24540
2023-05-11 00:00:00
CVE-2023-24538
2023-04-06 00:00:00
CVE-2022-41723
2023-02-28 00:00:00
alpinelinux
alpinelinux
CVE-2023-24540
2023-05-11 16:15:09
CVE-2023-24538
2023-04-06 16:15:07
CVE-2023-39325
2023-10-11 22:15:09
veracode
veracode
Arbitrary Code Execution
2023-04-18 12:46:23
Arbitrary Code Execution
2023-04-11 23:30:32
Improper Sanitization
2023-05-14 11:44:15
redos
redos
ROS-20231030-04
2023-10-30 00:00:00
github
github
HTTP/2 rapid reset can cause excessive work in net/http
2023-10-11 20:35:43

8.4 High

AI Score

Confidence

High

JSON
Related for AL2_ALASDOCKER-2023-031.NASL
nessus52amazon7ibm12openvas26redhat11fedora22cgr4cbl_mariner18redhatcve3osv13almalinux2wolfi2prion3cvelist3oraclelinux2rocky1freebsd1cve2debiancve3ubuntucve3alpinelinux3veracode4redos1github1