The version of AOS installed on the remote host is prior to 5.17.1.3. It is, therefore, affected by multiple vulnerabilities as referenced in the NXSA-AOS-5.17.1.3 advisory.
An issue was discovered in the Linux kernel before 4.14.11. A double free may be caused by the function allocate_trace_buffer in the file kernel/trace/trace.c. (CVE-2017-18595)
In the Linux kernel 5.4.0-rc2, there is a use-after-free (read) in the __blk_add_trace function in kernel/trace/blktrace.c (which is used to fill out a blk_io_trace structure and place it in a per-cpu sub- buffer). (CVE-2019-19768)
A NULL pointer dereference flaw was found in the Linux kernel’s SELinux subsystem in versions before 5.7.
This flaw occurs while importing the Commercial IP Security Option (CIPSO) protocol’s category bitmap into the SELinux extensible bitmap via the’ ebitmap_netlbl_import’ routine. While processing the CIPSO restricted bitmap tag in the ‘cipso_v4_parsetag_rbm’ routine, it sets the security attribute to indicate that the category bitmap is present, even if it has not been allocated. This issue leads to a NULL pointer dereference issue while importing the same category bitmap into SELinux. This flaw allows a remote network user to crash the system kernel, resulting in a denial of service. (CVE-2020-10711)
ntpd in ntp before 4.2.8p14 and 4.3.x before 4.3.100 allows an off-path attacker to block unauthenticated synchronization via a server mode packet with a spoofed source IP address, because transmissions are rescheduled even when a packet lacks a valid origin timestamp. (CVE-2020-11868)
An issue was discovered in dbus >= 1.3.0 before 1.12.18. The DBusServer in libdbus, as used in dbus- daemon, leaks file descriptors when a message exceeds the per-message file descriptor limit. A local attacker with access to the D-Bus system bus or another system service’s private AF_UNIX socket could use this to make the system service reach its file descriptor limit, denying service to subsequent D-Bus clients. (CVE-2020-12049)
The VFIO PCI driver in the Linux kernel through 5.6.13 mishandles attempts to access disabled memory space. (CVE-2020-12888)
ntpd in ntp before 4.2.8p14 and 4.3.x before 4.3.100 allows remote attackers to cause a denial of service (daemon exit or system time change) by predicting transmit timestamps for use in spoofed packets. The victim must be relying on unauthenticated IPv4 time sources. There must be an off-path attacker who can query time from the victim’s ntpd instance. (CVE-2020-13817)
Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Libraries). Supported versions that are affected are Java SE: 8u251, 11.0.7 and 14.0.1; Java SE Embedded: 8u251. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE, Java SE Embedded accessible data as well as unauthorized read access to a subset of Java SE, Java SE Embedded accessible data. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. (CVE-2020-14556)
Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: JSSE). Supported versions that are affected are Java SE: 7u261, 8u251, 11.0.7 and 14.0.1; Java SE Embedded: 8u251.
Difficult to exploit vulnerability allows unauthenticated attacker with network access via TLS to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Java SE, Java SE Embedded accessible data. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. (CVE-2020-14577)
Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Libraries). Supported versions that are affected are Java SE: 7u261 and 8u251; Java SE Embedded: 8u251. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. (CVE-2020-14578, CVE-2020-14579)
Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Libraries). Supported versions that are affected are Java SE: 7u261, 8u251, 11.0.7 and 14.0.1; Java SE Embedded: 8u251.
Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, Java SE Embedded, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). (CVE-2020-14583)
Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: 2D). Supported versions that are affected are Java SE: 7u261, 8u251, 11.0.7 and 14.0.1; Java SE Embedded: 8u251. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, Java SE Embedded, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Java SE, Java SE Embedded accessible data. Note:
This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). (CVE-2020-14593)
Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: JAXP). Supported versions that are affected are Java SE: 7u261, 8u251, 11.0.7 and 14.0.1; Java SE Embedded: 8u251. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE, Java SE Embedded accessible data. Note: This vulnerability can only be exploited by supplying data to APIs in the specified Component without using Untrusted Java Web Start applications or Untrusted Java applets, such as through a web service.
(CVE-2020-14621)
When responding to new h2c connection requests, Apache Tomcat versions 10.0.0-M1 to 10.0.0, 9.0.0.M1 to 9.0.41 and 8.5.0 to 8.5.61 could duplicate request headers and a limited amount of request body from one request to another meaning user A and user B could both see the results of user A’s request.
(CVE-2021-25122)
The fix for CVE-2020-9484 was incomplete. When using Apache Tomcat 10.0.0-M1 to 10.0.0, 9.0.0.M1 to 9.0.41, 8.5.0 to 8.5.61 or 7.0.0. to 7.0.107 with a configuration edge case that was highly unlikely to be used, the Tomcat instance was still vulnerable to CVE-2020-9494. Note that both the previously published prerequisites for CVE-2020-9484 and the previously published mitigations for CVE-2020-9484 also apply to this issue. (CVE-2021-25329)
Note that Nessus has not tested for these issues but has instead relied only on the application’s self-reported version number.
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##
include('deprecated_nasl_level.inc');
include('compat.inc');
if (description)
{
script_id(164604);
script_version("1.4");
script_set_attribute(attribute:"plugin_modification_date", value:"2023/10/13");
script_cve_id(
"CVE-2017-18595",
"CVE-2019-19768",
"CVE-2020-10711",
"CVE-2020-11868",
"CVE-2020-12049",
"CVE-2020-12888",
"CVE-2020-13817",
"CVE-2020-14556",
"CVE-2020-14577",
"CVE-2020-14578",
"CVE-2020-14579",
"CVE-2020-14583",
"CVE-2020-14593",
"CVE-2020-14621",
"CVE-2021-25122",
"CVE-2021-25329"
);
script_name(english:"Nutanix AOS : Multiple Vulnerabilities (NXSA-AOS-5.17.1.3)");
script_set_attribute(attribute:"synopsis", value:
"The Nutanix AOS host is affected by multiple vulnerabilities .");
script_set_attribute(attribute:"description", value:
"The version of AOS installed on the remote host is prior to 5.17.1.3. It is, therefore, affected by multiple
vulnerabilities as referenced in the NXSA-AOS-5.17.1.3 advisory.
- An issue was discovered in the Linux kernel before 4.14.11. A double free may be caused by the function
allocate_trace_buffer in the file kernel/trace/trace.c. (CVE-2017-18595)
- In the Linux kernel 5.4.0-rc2, there is a use-after-free (read) in the __blk_add_trace function in
kernel/trace/blktrace.c (which is used to fill out a blk_io_trace structure and place it in a per-cpu sub-
buffer). (CVE-2019-19768)
- A NULL pointer dereference flaw was found in the Linux kernel's SELinux subsystem in versions before 5.7.
This flaw occurs while importing the Commercial IP Security Option (CIPSO) protocol's category bitmap into
the SELinux extensible bitmap via the' ebitmap_netlbl_import' routine. While processing the CIPSO
restricted bitmap tag in the 'cipso_v4_parsetag_rbm' routine, it sets the security attribute to indicate
that the category bitmap is present, even if it has not been allocated. This issue leads to a NULL pointer
dereference issue while importing the same category bitmap into SELinux. This flaw allows a remote network
user to crash the system kernel, resulting in a denial of service. (CVE-2020-10711)
- ntpd in ntp before 4.2.8p14 and 4.3.x before 4.3.100 allows an off-path attacker to block unauthenticated
synchronization via a server mode packet with a spoofed source IP address, because transmissions are
rescheduled even when a packet lacks a valid origin timestamp. (CVE-2020-11868)
- An issue was discovered in dbus >= 1.3.0 before 1.12.18. The DBusServer in libdbus, as used in dbus-
daemon, leaks file descriptors when a message exceeds the per-message file descriptor limit. A local
attacker with access to the D-Bus system bus or another system service's private AF_UNIX socket could use
this to make the system service reach its file descriptor limit, denying service to subsequent D-Bus
clients. (CVE-2020-12049)
- The VFIO PCI driver in the Linux kernel through 5.6.13 mishandles attempts to access disabled memory
space. (CVE-2020-12888)
- ntpd in ntp before 4.2.8p14 and 4.3.x before 4.3.100 allows remote attackers to cause a denial of service
(daemon exit or system time change) by predicting transmit timestamps for use in spoofed packets. The
victim must be relying on unauthenticated IPv4 time sources. There must be an off-path attacker who can
query time from the victim's ntpd instance. (CVE-2020-13817)
- Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Libraries). Supported
versions that are affected are Java SE: 8u251, 11.0.7 and 14.0.1; Java SE Embedded: 8u251. Difficult to
exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to
compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized
update, insert or delete access to some of Java SE, Java SE Embedded accessible data as well as
unauthorized read access to a subset of Java SE, Java SE Embedded accessible data. Note: Applies to client
and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start
applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the
specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as
through a web service. (CVE-2020-14556)
- Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: JSSE). Supported
versions that are affected are Java SE: 7u261, 8u251, 11.0.7 and 14.0.1; Java SE Embedded: 8u251.
Difficult to exploit vulnerability allows unauthenticated attacker with network access via TLS to
compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized
read access to a subset of Java SE, Java SE Embedded accessible data. Note: Applies to client and server
deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and
sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component
without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web
service. (CVE-2020-14577)
- Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Libraries). Supported
versions that are affected are Java SE: 7u261 and 8u251; Java SE Embedded: 8u251. Difficult to exploit
vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise
Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to
cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: Applies to client and
server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start
applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the
specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as
through a web service. (CVE-2020-14578, CVE-2020-14579)
- Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Libraries). Supported
versions that are affected are Java SE: 7u261, 8u251, 11.0.7 and 14.0.1; Java SE Embedded: 8u251.
Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple
protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a
person other than the attacker and while the vulnerability is in Java SE, Java SE Embedded, attacks may
significantly impact additional products. Successful attacks of this vulnerability can result in takeover
of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients
running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code
(e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability
does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code
installed by an administrator). (CVE-2020-14583)
- Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: 2D). Supported
versions that are affected are Java SE: 7u261, 8u251, 11.0.7 and 14.0.1; Java SE Embedded: 8u251. Easily
exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to
compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other
than the attacker and while the vulnerability is in Java SE, Java SE Embedded, attacks may significantly
impact additional products. Successful attacks of this vulnerability can result in unauthorized creation,
deletion or modification access to critical data or all Java SE, Java SE Embedded accessible data. Note:
This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start
applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the
internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java
deployments, typically in servers, that load and run only trusted code (e.g., code installed by an
administrator). (CVE-2020-14593)
- Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: JAXP). Supported
versions that are affected are Java SE: 7u261, 8u251, 11.0.7 and 14.0.1; Java SE Embedded: 8u251. Easily
exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to
compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized
update, insert or delete access to some of Java SE, Java SE Embedded accessible data. Note: This
vulnerability can only be exploited by supplying data to APIs in the specified Component without using
Untrusted Java Web Start applications or Untrusted Java applets, such as through a web service.
(CVE-2020-14621)
- When responding to new h2c connection requests, Apache Tomcat versions 10.0.0-M1 to 10.0.0, 9.0.0.M1 to
9.0.41 and 8.5.0 to 8.5.61 could duplicate request headers and a limited amount of request body from one
request to another meaning user A and user B could both see the results of user A's request.
(CVE-2021-25122)
- The fix for CVE-2020-9484 was incomplete. When using Apache Tomcat 10.0.0-M1 to 10.0.0, 9.0.0.M1 to
9.0.41, 8.5.0 to 8.5.61 or 7.0.0. to 7.0.107 with a configuration edge case that was highly unlikely to be
used, the Tomcat instance was still vulnerable to CVE-2020-9494. Note that both the previously published
prerequisites for CVE-2020-9484 and the previously published mitigations for CVE-2020-9484 also apply to
this issue. (CVE-2021-25329)
Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
# https://portal.nutanix.com/page/documents/security-advisories/release-advisories/details?id=NXSA-AOS-5.17.1.3
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?1109d655");
script_set_attribute(attribute:"solution", value:
"Update the Nutanix AOS software to recommended version.");
script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H");
script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2017-18595");
script_set_attribute(attribute:"cvss3_score_source", value:"CVE-2020-14583");
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"vuln_publication_date", value:"2019/09/04");
script_set_attribute(attribute:"patch_publication_date", value:"2022/08/24");
script_set_attribute(attribute:"plugin_publication_date", value:"2022/09/01");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"cpe:/o:nutanix:aos");
script_set_attribute(attribute:"generated_plugin", value:"current");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Misc.");
script_copyright(english:"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("nutanix_collect.nasl");
script_require_keys("Host/Nutanix/Data/lts", "Host/Nutanix/Data/Service", "Host/Nutanix/Data/Version", "Host/Nutanix/Data/arch");
exit(0);
}
include('vcf.inc');
include('vcf_extras.inc');
var app_info = vcf::nutanix::get_app_info();
var constraints = [
{ 'fixed_version' : '5.17.1.3', 'product' : 'AOS', 'fixed_display' : 'Upgrade the AOS install to 5.17.1.3 or higher.', 'lts' : FALSE },
{ 'fixed_version' : '5.17.1.3', 'product' : 'NDFS', 'fixed_display' : 'Upgrade the AOS install to 5.17.1.3 or higher.', 'lts' : FALSE }
];
vcf::nutanix::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18595
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19768
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10711
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11868
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12049
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12888
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13817
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14556
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14577
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14578
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14579
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14583
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14593
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14621
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-25122
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-25329
www.nessus.org/u?1109d655