Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
nessusThis script is Copyright (C) 2015-2018 Tenable Network Security, Inc.ALA_ALAS-2015-466.NASL
HistoryJan 09, 2015 - 12:00 a.m.

Amazon Linux AMI : jasper (ALAS-2015-466)

2015-01-0900:00:00
This script is Copyright (C) 2015-2018 Tenable Network Security, Inc.
www.tenable.com
13
JSON

Multiple off-by-one flaws, leading to heap-based buffer overflows, were found in the way JasPer decoded JPEG 2000 image files. A specially crafted file could cause an application using JasPer to crash or, possibly, execute arbitrary code. (CVE-2014-9029)

A heap-based buffer overflow flaw was found in the way JasPer decoded JPEG 2000 image files. A specially crafted file could cause an application using JasPer to crash or, possibly, execute arbitrary code. (CVE-2014-8138)

A double free flaw was found in the way JasPer parsed ICC color profiles in JPEG 2000 image files. A specially crafted file could cause an application using JasPer to crash or, possibly, execute arbitrary code. (CVE-2014-8137)

#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Amazon Linux AMI Security Advisory ALAS-2015-466.
#

include("compat.inc");

if (description)
{
  script_id(80417);
  script_version("1.3");
  script_cvs_date("Date: 2018/04/18 15:09:35");

  script_cve_id("CVE-2014-8137", "CVE-2014-8138", "CVE-2014-9029");
  script_xref(name:"ALAS", value:"2015-466");
  script_xref(name:"RHSA", value:"2014:2021");

  script_name(english:"Amazon Linux AMI : jasper (ALAS-2015-466)");
  script_summary(english:"Checks rpm output for the updated packages");

  script_set_attribute(
    attribute:"synopsis", 
    value:"The remote Amazon Linux AMI host is missing a security update."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"Multiple off-by-one flaws, leading to heap-based buffer overflows,
were found in the way JasPer decoded JPEG 2000 image files. A
specially crafted file could cause an application using JasPer to
crash or, possibly, execute arbitrary code. (CVE-2014-9029)

A heap-based buffer overflow flaw was found in the way JasPer decoded
JPEG 2000 image files. A specially crafted file could cause an
application using JasPer to crash or, possibly, execute arbitrary
code. (CVE-2014-8138)

A double free flaw was found in the way JasPer parsed ICC color
profiles in JPEG 2000 image files. A specially crafted file could
cause an application using JasPer to crash or, possibly, execute
arbitrary code. (CVE-2014-8137)"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://alas.aws.amazon.com/ALAS-2015-466.html"
  );
  script_set_attribute(
    attribute:"solution", 
    value:"Run 'yum update jasper' to update your system."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:jasper");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:jasper-debuginfo");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:jasper-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:jasper-libs");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:jasper-utils");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:amazon:linux");

  script_set_attribute(attribute:"patch_publication_date", value:"2015/01/08");
  script_set_attribute(attribute:"plugin_publication_date", value:"2015/01/09");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2015-2018 Tenable Network Security, Inc.");
  script_family(english:"Amazon Linux Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/AmazonLinux/release", "Host/AmazonLinux/rpm-list");

  exit(0);
}


include("audit.inc");
include("global_settings.inc");
include("rpm.inc");


if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);

release = get_kb_item("Host/AmazonLinux/release");
if (isnull(release) || !strlen(release)) audit(AUDIT_OS_NOT, "Amazon Linux");
os_ver = pregmatch(pattern: "^AL(A|\d)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Amazon Linux");
os_ver = os_ver[1];
if (os_ver != "A")
{
  if (os_ver == 'A') os_ver = 'AMI';
  audit(AUDIT_OS_NOT, "Amazon Linux AMI", "Amazon Linux " + os_ver);
}

if (!get_kb_item("Host/AmazonLinux/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);


flag = 0;
if (rpm_check(release:"ALA", reference:"jasper-1.900.1-16.7.amzn1")) flag++;
if (rpm_check(release:"ALA", reference:"jasper-debuginfo-1.900.1-16.7.amzn1")) flag++;
if (rpm_check(release:"ALA", reference:"jasper-devel-1.900.1-16.7.amzn1")) flag++;
if (rpm_check(release:"ALA", reference:"jasper-libs-1.900.1-16.7.amzn1")) flag++;
if (rpm_check(release:"ALA", reference:"jasper-utils-1.900.1-16.7.amzn1")) flag++;

if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
  else security_hole(0);
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "jasper / jasper-debuginfo / jasper-devel / jasper-libs / etc");
}
VendorProductVersionCPE
amazonlinuxjasperp-cpe:/a:amazon:linux:jasper
amazonlinuxjasper-debuginfop-cpe:/a:amazon:linux:jasper-debuginfo
amazonlinuxjasper-develp-cpe:/a:amazon:linux:jasper-devel
amazonlinuxjasper-libsp-cpe:/a:amazon:linux:jasper-libs
amazonlinuxjasper-utilsp-cpe:/a:amazon:linux:jasper-utils
amazonlinuxcpe:/o:amazon:linux

Related

veracode 3
nessus 43
fedora 13
redhat 3
openvas 29
amazon 1
centos 1
oraclelinux 2
debian 6
osv 4
gentoo 1
securityvulns 3
mageia 2
freebsd 1
archlinux 1
ubuntu 4
prion 4
cvelist 4
ubuntucve 4
cve 3
slackware 1
oracle 1
veracode
veracode
Heap-Based Buffer Overflow
2019-05-02 05:06:17
Denial Of Service (DoS)
2019-05-02 05:06:17
Denial Of Service (DoS)
2019-01-15 09:03:37
nessus
nessus
Scientific Linux Security Update : jasper on SL6.x, SL7.x i386/x86_64 (20141218)
2014-12-19 00:00:00
Oracle Linux 6 / 7 : jasper (ELSA-2014-2021)
2014-12-19 00:00:00
RHEL 6 / 7 : jasper (RHSA-2014:2021)
2014-12-19 00:00:00
fedora
fedora
[SECURITY] Fedora 19 Update: jasper-1.900.1-26.fc19
2015-01-06 06:07:04
[SECURITY] Fedora 20 Update: jasper-1.900.1-27.fc20
2015-01-06 06:04:24
[SECURITY] Fedora 21 Update: jasper-1.900.1-29.fc21
2015-01-06 06:10:16
redhat
redhat
(RHSA-2014:2021) Important: jasper security update
2014-12-18 00:00:00
(RHSA-2015:1713) Important: rhev-hypervisor security, bug fix, and enhancement update
2015-09-03 00:00:00
(RHSA-2015:0698) Important: rhevm-spice-client security, bug fix, and enhancement update
2015-03-18 00:00:00
openvas
openvas
Oracle: Security Advisory (ELSA-2014-2021)
2015-10-06 00:00:00
SUSE: Security Advisory (SUSE-SU-2015:0016-1)
2021-04-19 00:00:00
Amazon Linux: Security Advisory (ALAS-2015-466)
2015-09-08 00:00:00
amazon
amazon
Important: jasper
2015-01-08 11:36:00
centos
centos
jasper security update
2014-12-18 22:11:55
oraclelinux
oraclelinux
jasper security update
2014-12-18 00:00:00
jasper security update
2017-05-09 00:00:00
debian
debian
[SECURITY] [DSA 3106-1] jasper security update
2014-12-20 13:45:18
[SECURITY] [DLA 121-1] jasper security update
2014-12-22 18:45:30
[SECURITY] [DSA 3106-1] jasper security update
2014-12-20 13:45:18
osv
osv
jasper - security update
2014-12-20 00:00:00
jasper - security update
2014-12-22 00:00:00
jasper - security update
2014-12-06 00:00:00
gentoo
gentoo
JasPer: Multiple Vulnerabilities
2015-03-06 00:00:00
securityvulns
securityvulns
[oCERT-2014-012] JasPer input sanitization errors
2014-12-22 00:00:00
jasper library multiple security vulnerabilities
2015-01-25 00:00:00
[oCERT-2014-009] JasPer input sanitization errors
2014-12-08 00:00:00
mageia
mageia
Updated jasper packages fix security vulnerabilities
2014-12-19 18:06:35
Updated jasper packages fix CVE-2014-9029
2014-12-05 19:59:28
freebsd
freebsd
jasper -- multiple vulnerabilities
2014-12-10 00:00:00
archlinux
archlinux
jasper: arbitrary code execution
2014-12-19 00:00:00
ubuntu
ubuntu
JasPer vulnerabilities
2015-01-26 00:00:00
Ghostscript vulnerabilities
2015-01-26 00:00:00
JasPer vulnerability
2014-12-08 00:00:00
prion
prion
Heap overflow
2014-12-08 16:59:00
Double free
2014-12-24 18:59:00
Heap overflow
2014-12-24 18:59:00
cvelist
cvelist
CVE-2014-9029
2014-12-08 16:00:00
CVE-2014-8137
2014-12-24 18:00:00
CVE-2014-8138
2014-12-24 18:00:00
ubuntucve
ubuntucve
CVE-2014-9029
2014-12-04 00:00:00
CVE-2014-8137
2014-12-24 00:00:00
CVE-2014-8138
2014-12-24 00:00:00
cve
cve
CVE-2014-9029
2014-12-08 16:59:03
CVE-2014-8137
2014-12-24 18:59:01
CVE-2014-8138
2014-12-24 18:59:02
slackware
slackware
[slackware-security] jasper
2015-10-29 22:48:48
oracle
oracle
CPU July 2018
2018-07-17 00:00:00
JSON
Related for ALA_ALAS-2015-466.NASL
veracode3nessus43fedora13redhat3openvas29amazon1centos1oraclelinux2debian6osv4gentoo1securityvulns3mageia2freebsd1archlinux1ubuntu4prion4cvelist4ubuntucve4cve3slackware1oracle1