AlmaLinux 9 : python-lxml (ALSA-2022:8226)

🗓️ 19 Nov 2022 00:00:00Reported by TenableType

The remote AlmaLinux 9 host is vulnerable to a denial of service via NULL Pointer Dereference in python-lxml when used with libxml2 2.9.10 through 2.9.14 (ALSA-2022:8226)

Reporter	Title	Published	Views	Family All 154
IBM Security Bulletins	Security Bulletin: A vulnerability in libxml2 affects Tivoli Netcool/OMNIbus (CVE-2022-2309)	24 Oct 202308:49	–	ibm
IBM Security Bulletins	Security Bulletin: IBM® Engineering Requirements Management DOORS/DWA vulnerabilities fixed in 9.7.2.7	24 Oct 202411:46	–	ibm
Huntr	NULL Pointer Dereference in function _appendStartNsEvents	19 Jun 202202:34	–	huntr
Tenable Nessus	Amazon Linux 2022 : python3-lxml (ALAS2022-2023-264)	25 Jan 202300:00	–	nessus
Tenable Nessus	Amazon Linux 2023 : python3-lxml (ALAS2023-2023-034)	21 Mar 202300:00	–	nessus
Tenable Nessus	CentOS 9 : python-lxml-4.6.5-3.el9	29 Feb 202400:00	–	nessus
Tenable Nessus	Debian dla-3878 : libxml2 - security update	5 Sep 202400:00	–	nessus
Tenable Nessus	EulerOS 2.0 SP9 : python-lxml (EulerOS-SA-2022-2303)	14 Sep 202200:00	–	nessus
Tenable Nessus	EulerOS 2.0 SP9 : python-lxml (EulerOS-SA-2022-2332)	14 Sep 202200:00	–	nessus
Tenable Nessus	EulerOS Virtualization 2.9.1 : python-lxml (EulerOS-SA-2022-2363)	23 Sep 202200:00	–	nessus

Source	Link
errata	www.errata.almalinux.org/9/ALSA-2022-8226.html
cve	www.cve.mitre.org/cgi-bin/cvename.cgi

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
#
# The package checks in this plugin were extracted from
# AlmaLinux Security Advisory ALSA-2022:8226.
##

include('compat.inc');

if (description)
{
  script_id(167999);
  script_version("1.3");
  script_set_attribute(attribute:"plugin_modification_date", value:"2023/10/03");

  script_cve_id("CVE-2022-2309");
  script_xref(name:"ALSA", value:"2022:8226");

  script_name(english:"AlmaLinux 9 : python-lxml (ALSA-2022:8226)");

  script_set_attribute(attribute:"synopsis", value:
"The remote AlmaLinux host is missing a security update.");
  script_set_attribute(attribute:"description", value:
"The remote AlmaLinux 9 host has a package installed that is affected by a vulnerability as referenced in the
ALSA-2022:8226 advisory.

  - NULL Pointer Dereference allows attackers to cause a denial of service (or application crash). This only
    applies when lxml is used together with libxml2 2.9.10 through 2.9.14. libxml2 2.9.9 and earlier are not
    affected. It allows triggering crashes through forged input data, given a vulnerable code sequence in the
    application. The vulnerability is caused by the iterwalk function (also used by the canonicalize
    function). Such code shouldn't be in wide-spread use, given that parsing + iterwalk would usually be
    replaced with the more efficient iterparse function. However, an XML converter that serialises to C14N
    would also be vulnerable, for example, and there are legitimate use cases for this code sequence. If
    untrusted input is received (also remotely) and processed via iterwalk function, a crash can be triggered.
    (CVE-2022-2309)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://errata.almalinux.org/9/ALSA-2022-8226.html");
  script_set_attribute(attribute:"solution", value:
"Update the affected python3-lxml package.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2022-2309");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_cwe_id(476);

  script_set_attribute(attribute:"vuln_publication_date", value:"2022/07/05");
  script_set_attribute(attribute:"patch_publication_date", value:"2022/11/15");
  script_set_attribute(attribute:"plugin_publication_date", value:"2022/11/19");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:alma:linux:python3-lxml");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:alma:linux:9");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:alma:linux:9::appstream");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Alma Linux Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/AlmaLinux/release", "Host/AlmaLinux/rpm-list", "Host/cpu");

  exit(0);
}


include('rpm.inc');

if (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_release = get_kb_item('Host/AlmaLinux/release');
if (isnull(os_release) || 'AlmaLinux' >!< os_release) audit(AUDIT_OS_NOT, 'AlmaLinux');
var os_ver = pregmatch(pattern: "AlmaLinux release ([0-9]+(\.[0-9]+)?)", string:os_release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'AlmaLinux');
os_ver = os_ver[1];
if (! preg(pattern:"^9([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, 'AlmaLinux 9.x', 'AlmaLinux ' + os_ver);

if (!get_kb_item('Host/AlmaLinux/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);

var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'AlmaLinux', cpu);

var pkgs = [
    {'reference':'python3-lxml-4.6.5-3.el9', 'cpu':'aarch64', 'release':'9', 'rpm_spec_vers_cmp':TRUE},
    {'reference':'python3-lxml-4.6.5-3.el9', 'cpu':'x86_64', 'release':'9', 'rpm_spec_vers_cmp':TRUE}
];

var flag = 0;
foreach var package_array ( pkgs ) {
  var reference = NULL;
  var _release = NULL;
  var sp = NULL;
  var _cpu = NULL;
  var el_string = NULL;
  var rpm_spec_vers_cmp = NULL;
  var epoch = NULL;
  var allowmaj = NULL;
  var exists_check = NULL;
  if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];
  if (!empty_or_null(package_array['release'])) _release = 'Alma-' + package_array['release'];
  if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];
  if (!empty_or_null(package_array['cpu'])) _cpu = package_array['cpu'];
  if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];
  if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];
  if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];
  if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];
  if (!empty_or_null(package_array['exists_check'])) exists_check = package_array['exists_check'];
  if (reference && _release && (!exists_check || rpm_exists(release:_release, rpm:exists_check))) {
    if (rpm_check(release:_release, sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;
  }
}

if (flag)
{
  security_report_v4(
      port       : 0,
      severity   : SECURITY_WARNING,
      extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  var tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'python3-lxml');
}

03 Oct 2023 00:00Current

6.4Medium risk

Vulners AI Score6.4

CVSS 25

CVSS 3.17.5

CVSS 35.3

EPSS0.01251

almalinux 9 python-lxml vulnerability denial of service null pointer dereference libxml2 2.9.10 2.9.14 cve-2022-2309