Alibaba Cloud Linux 3 : 0179: osbuild-composer (ALINUX3-SA-2025:0179)

🗓️ 17 Nov 2025 00:00:00Reported by TenableType

Alibaba Cloud Linux 3 updates fix CVE-2025-27144 in Go JOSE causing memory exhaustion during JWS/JWE parsing.

Reporter	Title	Published	Views	Family All 654
IBM Security Bulletins	Security Bulletin: IBM App Connect Enterprise Certified Container UBI updates	26 Mar 202518:00	–	ibm
IBM Security Bulletins	Security Bulletin: IBM Storage Fusion Data Foundation is vulnerable to CVE-2025-27144 in different components	25 Jun 202516:28	–	ibm
IBM Security Bulletins	Security Bulletin: There are multiple vulnerabilities that can affect IBM Fusion	19 Dec 202520:44	–	ibm
IBM Security Bulletins	Security Bulletin: Multiple vulnerabilities in IBM Rapid Infrastructure Automation	27 Apr 202610:31	–	ibm
IBM Security Bulletins	Security Bulletin: IBM MQ Operator and Queue manager container images are vulnerable to libxml2, Go JOSE and FreeType	1 May 202515:16	–	ibm
Tenable Nessus	Amazon Linux 2023 : runfinch-finch (ALAS2023-2025-914)	1 Apr 202500:00	–	nessus
Tenable Nessus	Amazon Linux 2023 : containerd, containerd-stress (ALAS2023-2025-930)	14 Apr 202500:00	–	nessus
Tenable Nessus	Amazon Linux 2023 : nerdctl (ALAS2023-2025-931)	14 Apr 202500:00	–	nessus
Tenable Nessus	Amazon Linux 2 : nerdctl (ALAS-2025-2821)	17 Apr 202500:00	–	nessus
Tenable Nessus	Amazon Linux 2 : runfinch-finch (ALASDOCKER-2025-053)	1 Apr 202500:00	–	nessus

Source	Link
mirrors	www.mirrors.aliyun.com/alinux/3/cve/alinux3-sa-20250179.xml
cve	www.cve.mitre.org/cgi-bin/cvename.cgi

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
#
# The package checks in this plugin were extracted from
# Alibaba Cloud Linux Security Advisory ALINUX3-SA-2025:0179.
##

include('compat.inc');

if (description)
{
  script_id(275557);
  script_version("1.1");
  script_set_attribute(attribute:"plugin_modification_date", value:"2025/11/17");

  script_cve_id("CVE-2025-27144");

  script_name(english:"Alibaba Cloud Linux 3 : 0179: osbuild-composer  (ALINUX3-SA-2025:0179)");

  script_set_attribute(attribute:"synopsis", value:
"The remote Alibaba Cloud Linux host is missing one or more security updates.");
  script_set_attribute(attribute:"description", value:
"The remote Alibaba Cloud Linux 3 host has packages installed that are affected by a vulnerability as referenced in the
ALINUX3-SA-2025:0179 advisory.

    Package updates are available for Alibaba Cloud Linux 3 that fix the following vulnerabilities:

    CVE-2025-27144:
    Go JOSE provides an implementation of the Javascript Object Signing and Encryption set of standards in Go,
    including support for JSON Web Encryption (JWE), JSON Web Signature (JWS), and JSON Web Token (JWT)
    standards. In versions on the 4.x branch prior to version 4.0.5, when parsing compact JWS or JWE input, Go
    JOSE could use excessive memory. The code used strings.Split(token, .) to split JWT tokens, which is
    vulnerable to excessive memory consumption when processing maliciously crafted tokens with a large number
    of `.` characters.  An attacker could exploit this by sending numerous malformed tokens, leading to memory
    exhaustion and a Denial of Service. Version 4.0.5 fixes this issue. As a workaround, applications could
    pre-validate that payloads passed to Go JOSE do not contain an excessive number of `.` characters.

Tenable has extracted the preceding description block directly from the Alibaba Cloud Linux security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"http://mirrors.aliyun.com/alinux/3/cve/alinux3-sa-20250179.xml");
  script_set_attribute(attribute:"solution", value:
"Update the affected packages.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss4_vector", value:"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N");
  script_set_attribute(attribute:"cvss4_threat_vector", value:"CVSS:4.0/E:U");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2025-27144");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2025/02/24");
  script_set_attribute(attribute:"patch_publication_date", value:"2025/11/12");
  script_set_attribute(attribute:"plugin_publication_date", value:"2025/11/17");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:alibabacloud:alibaba_cloud_linux_3:osbuild-composer");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:alibabacloud:alibaba_cloud_linux_3:osbuild-composer-core");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:alibabacloud:alibaba_cloud_linux_3:osbuild-composer-core-debuginfo");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:alibabacloud:alibaba_cloud_linux_3:osbuild-composer-debuginfo");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:alibabacloud:alibaba_cloud_linux_3:osbuild-composer-debugsource");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:alibabacloud:alibaba_cloud_linux_3:osbuild-composer-tests");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:alibabacloud:alibaba_cloud_linux_3:osbuild-composer-tests-debuginfo");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:alibabacloud:alibaba_cloud_linux_3:osbuild-composer-worker");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:alibabacloud:alibaba_cloud_linux_3:osbuild-composer-worker-debuginfo");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:alibabacloud:alibaba_cloud_linux_3");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Alibaba Cloud Linux Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2025 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/Alibaba/release", "Host/Alibaba/rpm-list", "Host/cpu");

  exit(0);
}


include('rpm2.inc');

if (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_product = get_kb_item('installed_os/local/SSH/0/product');
if (isnull(os_product) || 'Alibaba Cloud Linux' >!< os_product) audit(AUDIT_OS_NOT, 'Alibaba Cloud Linux');
var os_version = get_kb_item('installed_os/local/SSH/0/version');
if (isnull(os_version)) audit(AUDIT_UNKNOWN_APP_VER, 'Alibaba Cloud Linux');
if (! preg(pattern:"^3([^0-9]|$)", string:os_version)) audit(AUDIT_OS_NOT, 'Alibaba Cloud Linux 3.x', 'Alibaba Cloud Linux ' + os_version);

if (!get_kb_item('Host/Alibaba/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);

var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('aarch64' >!< cpu && 'x86_64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Alibaba Cloud Linux', cpu);

var constraints = [
  {
    'release': '3',
    'pkgs': [
      {'reference':'osbuild-composer-132.2-3.0.1.al8', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'},
      {'reference':'osbuild-composer-132.2-3.0.1.al8', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'},
      {'reference':'osbuild-composer-core-132.2-3.0.1.al8', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'},
      {'reference':'osbuild-composer-core-132.2-3.0.1.al8', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'},
      {'reference':'osbuild-composer-core-debuginfo-132.2-3.0.1.al8', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'},
      {'reference':'osbuild-composer-core-debuginfo-132.2-3.0.1.al8', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'},
      {'reference':'osbuild-composer-debuginfo-132.2-3.0.1.al8', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'},
      {'reference':'osbuild-composer-debuginfo-132.2-3.0.1.al8', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'},
      {'reference':'osbuild-composer-debugsource-132.2-3.0.1.al8', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'},
      {'reference':'osbuild-composer-debugsource-132.2-3.0.1.al8', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'},
      {'reference':'osbuild-composer-tests-132.2-3.0.1.al8', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'},
      {'reference':'osbuild-composer-tests-132.2-3.0.1.al8', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'},
      {'reference':'osbuild-composer-tests-debuginfo-132.2-3.0.1.al8', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'},
      {'reference':'osbuild-composer-tests-debuginfo-132.2-3.0.1.al8', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'},
      {'reference':'osbuild-composer-worker-132.2-3.0.1.al8', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'},
      {'reference':'osbuild-composer-worker-132.2-3.0.1.al8', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'},
      {'reference':'osbuild-composer-worker-debuginfo-132.2-3.0.1.al8', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'},
      {'reference':'osbuild-composer-worker-debuginfo-132.2-3.0.1.al8', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'}
    ]
  }
];

var os_release = get_one_kb_item('installed_os/local/SSH/0/release');
var os_sp = get_one_kb_item('Host/*/minor_release');

var flag = 0;
var reference;
var sp;
var _cpu;
var el_string;
var rpm_spec_vers_cmp;
var epoch;
var allowmaj;
var exists_check;
var cves;
foreach var constraint ( constraints ) {
  # Check that the target release is equal to the affected release
  if (!empty_or_null(constraint['release'])){
    if (constraint['release'] != os_release) continue;
  }
  if (!empty_or_null(constraint['sp'])){
    if (constraint['sp'] != os_sp) continue;
  }
  foreach var pkg ( constraint['pkgs'] ) {
    reference = NULL;
    sp = NULL;
    _cpu = NULL;
    el_string = NULL;
    rpm_spec_vers_cmp = NULL;
    epoch = NULL;
    allowmaj = NULL;
    exists_check = NULL;
    cves = NULL;
    if (!empty_or_null(pkg['reference'])) reference = pkg['reference'];
    if (!empty_or_null(pkg['sp'])) sp = pkg['sp'];
    if (!empty_or_null(pkg['cpu'])) _cpu = pkg['cpu'];
    if (!empty_or_null(pkg['el_string'])) el_string = pkg['el_string'];
    if (!empty_or_null(pkg['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = pkg['rpm_spec_vers_cmp'];
    if (!empty_or_null(pkg['epoch'])) epoch = pkg['epoch'];
    if (!empty_or_null(pkg['allowmaj'])) allowmaj = pkg['allowmaj'];
    if (!empty_or_null(pkg['exists_check'])) exists_check = pkg['exists_check'];
    if (!empty_or_null(pkg['cves'])) cves = pkg['cves'];
    if (reference &&
        ## (no known rpm to check OR known rpm_exists)
        (!exists_check || rpm_exists(rpm:exists_check)) &&
        rpm_check(sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj, cves:cves)) flag++;
  }
}

if (flag)
{
  security_report_v4(
      port       : 0,
      severity   : SECURITY_HOLE,
      extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  var tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'osbuild-composer / osbuild-composer-core / etc');
}

17 Nov 2025 00:00Current

6.8Medium risk

Vulners AI Score6.8

CVSS 48.7

EPSS0.00152

SSVC