MiracleLinux 7 : pacemaker-1.1.13-10.el7 (AXSA:2015-850:01)

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
#
# The package checks in this plugin were extracted from
# Miracle Linux Security Advisory AXSA:2015-850:01.
##

include('compat.inc');

if (description)
{
  script_id(291597);
  script_version("1.1");
  script_set_attribute(attribute:"plugin_modification_date", value:"2026/01/19");

  script_cve_id("CVE-2015-1867");

  script_name(english:"MiracleLinux 7 : pacemaker-1.1.13-10.el7 (AXSA:2015-850:01)");

  script_set_attribute(attribute:"synopsis", value:
"The remote MiracleLinux host is missing a security update.");
  script_set_attribute(attribute:"description", value:
"The remote MiracleLinux 7 host has packages installed that are affected by a vulnerability as referenced in the
AXSA:2015-850:01 advisory.

    Pacemaker is an advanced, scalable High-Availability cluster resource
    manager for Corosync, CMAN and/or Linux-HA.
    It supports more than 16 node clusters with significant capabilities
    for managing resources and dependencies.
    It will run scripts at initialization, when machines go up or down,
    when related resources fail and can be configured to periodically check
    resource health.
    Available rpmbuild rebuild options:
      --with(out) : cman stonithd doc coverage profiling pre_release upstart_job
    Security issues fixed with this release:
    CVE-2015-1867
    Pacemaker before 1.1.13 does not properly evaluate added nodes, which
    allows remote read-only users to gain privileges via an acl command.
    Fixed bugs:
    * When a Pacemaker cluster included an Apache resource, and Apache's mod_systemd module was enabled,
    systemd rejected notifications sent by Apache. As a consequence, a large number of errors in the following
    format appeared in the system log:
    * Previously, specifying a remote guest node as a part of a group resource in a Pacemaker cluster caused
    the node to stop working. This update adds support for remote guests in Pacemaker group resources, and the
    described problem no longer occurs.
    * When a resource in a Pacemaker cluster failed to start, Pacemaker updated the resource's last failure
    time and incremented its fail count even if the on-fail=ignore option was used. This in some cases
    caused unintended resource migrations when a resource start failure occurred. Now, Pacemaker does not
    update the fail count when on-fail=ignore is used. As a result, the failure is displayed in the cluster
    status output, but is properly ignored and thus does not cause resource migration.
    * Previously, Pacemaker supported semicolon characters (;) as delimiters when parsing the pcmk_host_map
    string, but not when parsing the pcmk_host_list string. To ensure consistent user experience, semicolons
    are now supported as delimiters for parsing pcmk_host_list, as well.
    Enhancements:
    * If a Pacemaker location constraint has the resource-discovery=never option, Pacemaker now does not
    attempt to determine whether a specified service is running on the specified node. In addition, if
    multiple location constraints for a given resource specify resource-discovery=exclusive, then Pacemaker
    attempts resource discovery only on the nodes specified in those constraints. This allows Pacemaker to
    skip resource discovery on nodes where attempting the operation would lead to error or other undesirable
    behavior.
    * The procedure of configuring fencing for redundant power supplies has been simplified in order to
    prevent multiple nodes accessing cluster resources at the same time and thus causing data corruption. For
    further information, see the Fencing: Configuring STONITH chapter of the High Availability Add-On
    Reference manual.
    * The output of the crm_mon and pcs_status commands has been modified to be clearer and more concise,
    and thus easier to read when reporting the status of a Pacemaker cluster with a large number of remote
    nodes and cloned resources.

Tenable has extracted the preceding description block directly from the MiracleLinux security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://tsn.miraclelinux.com/en/node/6238");
  script_set_attribute(attribute:"solution", value:
"Update the affected packages.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2015-1867");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");
  script_set_attribute(attribute:"vendor_severity", value:"Moderate");

  script_set_attribute(attribute:"vuln_publication_date", value:"2015/04/20");
  script_set_attribute(attribute:"patch_publication_date", value:"2015/12/01");
  script_set_attribute(attribute:"plugin_publication_date", value:"2026/01/19");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:miracle:linux:pacemaker");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:miracle:linux:pacemaker-cli");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:miracle:linux:pacemaker-cluster-libs");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:miracle:linux:pacemaker-cts");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:miracle:linux:pacemaker-doc");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:miracle:linux:pacemaker-libs");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:miracle:linux:pacemaker-libs-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:miracle:linux:pacemaker-remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:miracle:linux:7");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Miracle Linux Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2026 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/MiracleLinux/release", "Host/MiracleLinux/rpm-list", "Host/cpu");

  exit(0);
}


include('rpm2.inc');

if (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_product = get_kb_item('installed_os/local/SSH/0/product');
if (isnull(os_product) || 'MIRACLE LINUX' >!< os_product) audit(AUDIT_OS_NOT, 'MIRACLE LINUX');
var os_version = get_kb_item('installed_os/local/SSH/0/version');
if (isnull(os_version)) audit(AUDIT_UNKNOWN_APP_VER, 'MIRACLE LINUX');
if (! preg(pattern:"^7([^0-9]|$)", string:os_version)) audit(AUDIT_OS_NOT, 'MiracleLinux 7.x', 'MIRACLE LINUX ' + os_version);

if (!get_kb_item('Host/MiracleLinux/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);

var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('aarch64' >!< cpu && 'ppc' >!< cpu && 's390' >!< cpu && 'x86_64' >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'MIRACLE LINUX', cpu);

var constraints = [
  {
    'release': '7',
    'pkgs': [
      {'reference':'pacemaker-1.1.13-10.el7', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'},
      {'reference':'pacemaker-cli-1.1.13-10.el7', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'},
      {'reference':'pacemaker-cluster-libs-1.1.13-10.el7', 'cpu':'i686', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'},
      {'reference':'pacemaker-cluster-libs-1.1.13-10.el7', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'},
      {'reference':'pacemaker-cts-1.1.13-10.el7', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'},
      {'reference':'pacemaker-doc-1.1.13-10.el7', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'},
      {'reference':'pacemaker-libs-1.1.13-10.el7', 'cpu':'i686', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'},
      {'reference':'pacemaker-libs-1.1.13-10.el7', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'},
      {'reference':'pacemaker-libs-devel-1.1.13-10.el7', 'cpu':'i686', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'},
      {'reference':'pacemaker-libs-devel-1.1.13-10.el7', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'},
      {'reference':'pacemaker-remote-1.1.13-10.el7', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'}
    ]
  }
];

var os_release = get_one_kb_item('installed_os/local/SSH/0/release');
var os_sp = get_one_kb_item('Host/*/minor_release');

var flag = 0;
var reference;
var sp;
var _cpu;
var el_string;
var rpm_spec_vers_cmp;
var epoch;
var allowmaj;
var exists_check;
var cves;
foreach var constraint ( constraints ) {
  # Check that the target release is equal to the affected release
  if (!empty_or_null(constraint['release'])){
    if (constraint['release'] != os_release) continue;
  }
  if (!empty_or_null(constraint['sp'])){
    if (constraint['sp'] != os_sp) continue;
  }
  foreach var pkg ( constraint['pkgs'] ) {
    reference = NULL;
    sp = NULL;
    _cpu = NULL;
    el_string = NULL;
    rpm_spec_vers_cmp = NULL;
    epoch = NULL;
    allowmaj = NULL;
    exists_check = NULL;
    cves = NULL;
    if (!empty_or_null(pkg['reference'])) reference = pkg['reference'];
    if (!empty_or_null(pkg['sp'])) sp = pkg['sp'];
    if (!empty_or_null(pkg['cpu'])) _cpu = pkg['cpu'];
    if (!empty_or_null(pkg['el_string'])) el_string = pkg['el_string'];
    if (!empty_or_null(pkg['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = pkg['rpm_spec_vers_cmp'];
    if (!empty_or_null(pkg['epoch'])) epoch = pkg['epoch'];
    if (!empty_or_null(pkg['allowmaj'])) allowmaj = pkg['allowmaj'];
    if (!empty_or_null(pkg['exists_check'])) exists_check = pkg['exists_check'];
    if (!empty_or_null(pkg['cves'])) cves = pkg['cves'];
    if (reference &&
        ## (no known rpm to check OR known rpm_exists)
        (!exists_check || rpm_exists(rpm:exists_check)) &&
        rpm_check(sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj, cves:cves)) flag++;
  }
}
if (flag)
{
  security_report_v4(
      port       : 0,
      severity   : SECURITY_HOLE,
      extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  var tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'pacemaker / pacemaker-cli / pacemaker-cluster-libs / pacemaker-cts / etc');
}