Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
nessusThis script is Copyright (C) 2024 and is owned by Tenable, Inc. or an Affiliate thereof.AL2_ALASECS-2024-035.NASL
HistoryMar 06, 2024 - 12:00 a.m.

Amazon Linux 2 : containerd (ALASECS-2024-035)

2024-03-0600:00:00
This script is Copyright (C) 2024 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
7
amazon linux 2
containerd
vulnerability
resource consumption
http
chunk extensions
xss attack
memory exhaustion

7.5 High

AI Score

Confidence

High

JSON

The version of containerd installed on the remote host is prior to 1.7.11-1. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2ECS-2024-035 advisory.

  • A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is bounded by the http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attacker to create a new request while the existing one is still executing. With the fix applied, HTTP/2 servers now bound the number of simultaneously executing handler goroutines to the stream concurrency limit (MaxConcurrentStreams). New requests arriving when at the limit (which can only happen after the client has reset an existing, in-flight request) will be queued until a handler exits. If the request queue grows too large, the server will terminate the connection. This issue is also fixed in golang.org/x/net/http2 for users manually configuring HTTP/2. The default stream concurrency limit is 250 streams (requests) per HTTP/2 connection. This value may be adjusted using the golang.org/x/net/http2 package; see the Server.MaxConcurrentStreams setting and the ConfigureServer function. (CVE-2023-39325)

  • A malicious HTTP sender can use chunk extensions to cause a receiver reading from a request or response body to read many more bytes from the network than are in the body. A malicious HTTP client can further exploit this to cause a server to automatically read a large amount of data (up to about 1GiB) when a handler fails to read the entire body of a request. Chunk extensions are a little-used HTTP feature which permit including additional metadata in a request or response body sent using the chunked encoding. The net/http chunked encoding reader discards this metadata. A sender can exploit this by inserting a large metadata segment with each byte transferred. The chunk reader now produces an error if the ratio of real body to encoded bytes grows too small. (CVE-2023-39326)

  • Text nodes not in the HTML namespace are incorrectly literally rendered, causing text which should be escaped to not be. This could lead to an XSS attack. (CVE-2023-3978)

  • OpenTelemetry-Go Contrib is a collection of third-party packages for OpenTelemetry-Go. Prior to version 0.46.0, the grpc Unary Server Interceptor out of the box adds labels net.peer.sock.addr and net.peer.sock.port that have unbound cardinality. It leads to the server’s potential memory exhaustion when many malicious requests are sent. An attacker can easily flood the peer address and port for requests. Version 0.46.0 contains a fix for this issue. As a workaround to stop being affected, a view removing the attributes can be used. The other possibility is to disable grpc metrics instrumentation by passing otelgrpc.WithMeterProvider option with noop.NewMeterProvider. (CVE-2023-47108)

Note that Nessus has not tested for these issues but has instead relied only on the application’s self-reported version number.

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Amazon Linux 2 Security Advisory ALASECS-2024-035.
##

include('compat.inc');

if (description)
{
  script_id(191658);
  script_version("1.1");
  script_set_attribute(attribute:"plugin_modification_date", value:"2024/03/08");

  script_cve_id(
    "CVE-2023-3978",
    "CVE-2023-39325",
    "CVE-2023-39326",
    "CVE-2023-47108"
  );
  script_xref(name:"IAVB", value:"2023-B-0080-S");
  script_xref(name:"IAVB", value:"2023-B-0096-S");

  script_name(english:"Amazon Linux 2 : containerd (ALASECS-2024-035)");

  script_set_attribute(attribute:"synopsis", value:
"The remote Amazon Linux 2 host is missing a security update.");
  script_set_attribute(attribute:"description", value:
"The version of containerd installed on the remote host is prior to 1.7.11-1. It is, therefore, affected by multiple
vulnerabilities as referenced in the ALAS2ECS-2024-035 advisory.

  - A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive
    server resource consumption. While the total number of requests is bounded by the
    http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attacker to create
    a new request while the existing one is still executing. With the fix applied, HTTP/2 servers now bound
    the number of simultaneously executing handler goroutines to the stream concurrency limit
    (MaxConcurrentStreams). New requests arriving when at the limit (which can only happen after the client
    has reset an existing, in-flight request) will be queued until a handler exits. If the request queue grows
    too large, the server will terminate the connection. This issue is also fixed in golang.org/x/net/http2
    for users manually configuring HTTP/2. The default stream concurrency limit is 250 streams (requests) per
    HTTP/2 connection. This value may be adjusted using the golang.org/x/net/http2 package; see the
    Server.MaxConcurrentStreams setting and the ConfigureServer function. (CVE-2023-39325)

  - A malicious HTTP sender can use chunk extensions to cause a receiver reading from a request or response
    body to read many more bytes from the network than are in the body. A malicious HTTP client can further
    exploit this to cause a server to automatically read a large amount of data (up to about 1GiB) when a
    handler fails to read the entire body of a request. Chunk extensions are a little-used HTTP feature which
    permit including additional metadata in a request or response body sent using the chunked encoding. The
    net/http chunked encoding reader discards this metadata. A sender can exploit this by inserting a large
    metadata segment with each byte transferred. The chunk reader now produces an error if the ratio of real
    body to encoded bytes grows too small. (CVE-2023-39326)

  - Text nodes not in the HTML namespace are incorrectly literally rendered, causing text which should be
    escaped to not be. This could lead to an XSS attack. (CVE-2023-3978)

  - OpenTelemetry-Go Contrib is a collection of third-party packages for OpenTelemetry-Go. Prior to version
    0.46.0, the grpc Unary Server Interceptor out of the box adds labels `net.peer.sock.addr` and
    `net.peer.sock.port` that have unbound cardinality. It leads to the server's potential memory exhaustion
    when many malicious requests are sent. An attacker can easily flood the peer address and port for
    requests. Version 0.46.0 contains a fix for this issue. As a workaround to stop being affected, a view
    removing the attributes can be used. The other possibility is to disable grpc metrics instrumentation by
    passing `otelgrpc.WithMeterProvider` option with `noop.NewMeterProvider`. (CVE-2023-47108)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://alas.aws.amazon.com/AL2/ALASECS-2024-035.html");
  script_set_attribute(attribute:"see_also", value:"https://alas.aws.amazon.com/cve/html/CVE-2023-39325.html");
  script_set_attribute(attribute:"see_also", value:"https://alas.aws.amazon.com/cve/html/CVE-2023-39326.html");
  script_set_attribute(attribute:"see_also", value:"https://alas.aws.amazon.com/cve/html/CVE-2023-3978.html");
  script_set_attribute(attribute:"see_also", value:"https://alas.aws.amazon.com/cve/html/CVE-2023-47108.html");
  script_set_attribute(attribute:"see_also", value:"https://alas.aws.amazon.com/faqs.html");
  script_set_attribute(attribute:"solution", value:
"Run 'yum update containerd' to update your system.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2023-3978");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2023/08/02");
  script_set_attribute(attribute:"patch_publication_date", value:"2024/03/04");
  script_set_attribute(attribute:"plugin_publication_date", value:"2024/03/06");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:containerd");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:containerd-debuginfo");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:containerd-stress");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:amazon:linux:2");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_set_attribute(attribute:"stig_severity", value:"I");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Amazon Linux Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2024 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/AmazonLinux/release", "Host/AmazonLinux/rpm-list");

  exit(0);
}

include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);

var alas_release = get_kb_item("Host/AmazonLinux/release");
if (isnull(alas_release) || !strlen(alas_release)) audit(AUDIT_OS_NOT, "Amazon Linux");
var os_ver = pregmatch(pattern: "^AL(A|\d+|-\d+)", string:alas_release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Amazon Linux");
os_ver = os_ver[1];
if (os_ver != "2")
{
  if (os_ver == 'A') os_ver = 'AMI';
  audit(AUDIT_OS_NOT, "Amazon Linux 2", "Amazon Linux " + os_ver);
}

if (!get_kb_item("Host/AmazonLinux/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

var pkgs = [
    {'reference':'containerd-1.7.11-1.amzn2.0.1', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},
    {'reference':'containerd-1.7.11-1.amzn2.0.1', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},
    {'reference':'containerd-debuginfo-1.7.11-1.amzn2.0.1', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},
    {'reference':'containerd-debuginfo-1.7.11-1.amzn2.0.1', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},
    {'reference':'containerd-stress-1.7.11-1.amzn2.0.1', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},
    {'reference':'containerd-stress-1.7.11-1.amzn2.0.1', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE}
];

var flag = 0;
foreach var package_array ( pkgs ) {
  var reference = NULL;
  var _release = NULL;
  var sp = NULL;
  var _cpu = NULL;
  var el_string = NULL;
  var rpm_spec_vers_cmp = NULL;
  var epoch = NULL;
  var allowmaj = NULL;
  var exists_check = NULL;
  if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];
  if (!empty_or_null(package_array['release'])) _release = package_array['release'];
  if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];
  if (!empty_or_null(package_array['cpu'])) _cpu = package_array['cpu'];
  if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];
  if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];
  if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];
  if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];
  if (!empty_or_null(package_array['exists_check'])) exists_check = package_array['exists_check'];
  if (reference && _release && (!exists_check || rpm_exists(release:_release, rpm:exists_check))) {
    if (rpm_check(release:_release, sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;
  }
}

if (flag)
{
  security_report_v4(
      port       : 0,
      severity   : SECURITY_WARNING,
      extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  var tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "containerd / containerd-debuginfo / containerd-stress");
}
VendorProductVersionCPE
amazonlinuxcontainerdp-cpe:/a:amazon:linux:containerd
amazonlinuxcontainerd-debuginfop-cpe:/a:amazon:linux:containerd-debuginfo
amazonlinuxcontainerd-stressp-cpe:/a:amazon:linux:containerd-stress
amazonlinux2cpe:/o:amazon:linux:2

Related

nessus 65
amazon 8
redhat 25
ibm 5
cbl_mariner 18
cgr 4
github 2
osv 12
cvelist 3
cve 4
redhatcve 3
wolfi 3
veracode 3
gitlab 1
f5 1
prion 4
oraclelinux 10
openvas 9
alpinelinux 2
ubuntucve 2
debiancve 2
almalinux 1
redos 1
fedora 11
nessus
nessus
Amazon Linux 2 : containerd (ALASNITRO-ENCLAVES-2024-037)
2024-02-06 00:00:00
Amazon Linux 2 : containerd (ALASDOCKER-2024-037)
2024-02-06 00:00:00
Amazon Linux 2 : amazon-cloudwatch-agent (ALAS-2024-2424)
2024-01-23 00:00:00
amazon
amazon
Important: amazon-cloudwatch-agent
2024-01-19 01:51:00
Important: nerdctl
2023-11-09 19:19:00
Important: cri-tools
2024-02-01 19:57:00
redhat
redhat
(RHSA-2023:7831) Important: OpenShift Container Platform 4.14.7 bug fix and security update
2024-01-03 20:01:37
(RHSA-2024:1449) Important: OpenShift Container Platform 4.15.5 bug fix and security update
2024-03-27 11:15:45
(RHSA-2023:7200) Important: OpenShift Container Platform 4.15.z security update
2024-02-27 22:43:05
ibm
ibm
Security Bulletin: Multiple vulnerabilities affect IBM CICS TX Advanced 11.1 and IBM CICS TX Standard 11.1 (CVE-2023-3978, CVE-2023-44487 and CVE-2023-39325).
2023-12-06 09:46:53
Security Bulletin: Due to the use of OpenTelemetry gRPC, IBM CICS TX Standard is vulnerable to an Denial of Service vulnerability (CVE-2023-47108).
2024-03-11 14:37:52
Security Bulletin: IBM App Connect Enterprise Certified Container operator and operands are vulnerable to loss of confidentiality due to [CVE-2023-39326]
2024-03-05 16:16:50
cbl_mariner
cbl_mariner
CVE-2023-47108 affecting package moby-containerd-cc for versions less than 1.7.2-3
2024-01-14 22:46:30
CVE-2023-47108 affecting package docker-compose for versions less than 2.27.0-1
2024-05-17 21:38:35
CVE-2023-47108 affecting package moby-containerd-cc for versions less than 1.7.7-3
2024-04-19 22:15:55
cgr
cgr
CVE-2023-47108 vulnerabilities
2024-05-19 03:07:16
CVE-2023-39326 vulnerabilities
2024-05-19 03:07:16
CVE-2023-3978 vulnerabilities
2024-05-19 03:07:16
github
github
otelgrpc DoS vulnerability due to unbound cardinality metrics
2023-11-12 15:55:39
Improper rendering of text nodes in golang.org/x/net/html
2023-08-02 21:30:20
osv
osv
otelgrpc DoS vulnerability due to unbound cardinality metrics
2023-11-12 15:55:39
CVE-2023-47108
2023-11-10 19:15:16
BIT-golang-2023-39326
2024-03-06 10:53:23
cvelist
cvelist
CVE-2023-47108 DoS vulnerability in otelgrpc (uncontrolled resource consumption) due to unbound cardinality metrics
2023-11-10 18:31:33
CVE-2023-39326 Denial of service via chunk extensions in net/http
2023-12-06 16:27:53
CVE-2023-3978 Improper rendering of text nodes in golang.org/x/net/html
2023-08-02 19:48:56
cve
cve
CVE-2023-47108
2023-11-10 19:15:16
CVE-2023-39326
2023-12-06 17:15:07
CVE-2023-3978
2023-08-02 20:15:12
redhatcve
redhatcve
CVE-2023-47108
2023-11-23 12:21:08
CVE-2023-39326
2023-12-07 12:35:00
CVE-2023-3978
2023-08-07 05:49:01
wolfi
wolfi
CVE-2023-47108 vulnerabilities
2024-06-01 15:24:07
CVE-2023-39326 vulnerabilities
2024-06-01 15:24:07
CVE-2023-3978 vulnerabilities
2024-06-01 15:24:07
veracode
veracode
Denial Of Service
2023-11-13 11:23:08
Denial Of Service (DoS)
2023-12-12 07:10:29
Cross-Site Scripting (XSS)
2023-08-04 04:52:36
gitlab
gitlab
otelgrpc DoS vulnerability due to unbound cardinality metrics
2023-11-12 00:00:00
f5
f5
K000138255 : Go OpenTelemetry Contrib vulnerability CVE-2023-47108
2024-01-16 00:00:00
prion
prion
Code injection
2023-11-10 19:15:00
Design/Logic Flaw
2023-12-06 17:15:00
Design/Logic Flaw
2023-08-02 20:15:00
oraclelinux
oraclelinux
olcne security update
2024-04-02 00:00:00
conmon security update
2024-03-01 00:00:00
conmon security update
2024-03-01 00:00:00
openvas
openvas
Huawei EulerOS: Security Advisory for golang (EulerOS-SA-2024-1194)
2024-02-09 00:00:00
Huawei EulerOS: Security Advisory for golang (EulerOS-SA-2024-1174)
2024-02-09 00:00:00
Fedora: Security Advisory for golang-github-google-dap (FEDORA-2023-fa2ec3d3e0)
2023-12-02 00:00:00
alpinelinux
alpinelinux
CVE-2023-39326
2023-12-06 17:15:07
CVE-2023-39325
2023-10-11 22:15:09
ubuntucve
ubuntucve
CVE-2023-39326
2023-12-06 00:00:00
CVE-2023-3978
2023-08-02 00:00:00
debiancve
debiancve
CVE-2023-39326
2023-12-06 17:15:07
CVE-2023-3978
2023-08-02 20:15:12
almalinux
almalinux
Moderate: skopeo security update
2024-03-05 00:00:00
redos
redos
ROS-20240408-02
2024-04-08 00:00:00
fedora
fedora
[SECURITY] Fedora 38 Update: prometheus-podman-exporter-1.5.0-1.fc38
2023-11-20 01:30:10
[SECURITY] Fedora 37 Update: golang-github-google-dap-0.11.0-1.fc37
2023-12-01 01:09:24
[SECURITY] Fedora 39 Update: golang-github-google-dap-0.11.0-1.fc39
2023-12-01 01:23:35

7.5 High

AI Score

Confidence

High

JSON
Related for AL2_ALASECS-2024-035.NASL
nessus65amazon8redhat25ibm5cbl_mariner18cgr4github2osv12cvelist3cve4redhatcve3wolfi3veracode3gitlab1f51prion4oraclelinux10openvas9alpinelinux2ubuntucve2debiancve2almalinux1redos1fedora11