Lucene search
This script is Copyright (C) 2014-2021 and is owned by Tenable, Inc. or an Affiliate thereof.ORACLELINUX_ELSA-2014-1846.NASLHistoryNov 13, 2014 - 12:00 a.m.
Oracle Linux 7 : gnutls (ELSA-2014-1846)
2014-11-1300:00:00
This script is Copyright (C) 2014-2021 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
12
From Red Hat Security Advisory 2014:1846 :
Updated gnutls packages that fix one security issue are now available for Red Hat Enterprise Linux 7.
Red Hat Product Security has rated this update as having Moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.
The GnuTLS library provides support for cryptographic algorithms and for protocols such as Transport Layer Security (TLS). The gnutls packages also include the libtasn1 library, which provides Abstract Syntax Notation One (ASN.1) parsing and structures management, and Distinguished Encoding Rules (DER) encoding and decoding functions.
An out-of-bounds memory write flaw was found in the way GnuTLS parsed certain ECC (Elliptic Curve Cryptography) certificates or certificate signing requests (CSR). A malicious user could create a specially crafted ECC certificate or a certificate signing request that, when processed by an application compiled against GnuTLS (for example, certtool), could cause that application to crash or execute arbitrary code with the permissions of the user running the application.
(CVE-2014-8564)
Red Hat would like to thank GnuTLS upstream for reporting this issue.
Upstream acknowledges Sean Burford as the original reporter.
All gnutls users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. For the update to take effect, all applications linked to the GnuTLS or libtasn1 library must be restarted.
#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Red Hat Security Advisory RHSA-2014:1846 and
# Oracle Linux Security Advisory ELSA-2014-1846 respectively.
#
include('deprecated_nasl_level.inc');
include('compat.inc');
if (description)
{
script_id(79227);
script_version("1.7");
script_set_attribute(attribute:"plugin_modification_date", value:"2021/01/14");
script_cve_id("CVE-2014-8564");
script_bugtraq_id(71003);
script_xref(name:"RHSA", value:"2014:1846");
script_name(english:"Oracle Linux 7 : gnutls (ELSA-2014-1846)");
script_summary(english:"Checks rpm output for the updated packages");
script_set_attribute(
attribute:"synopsis",
value:"The remote Oracle Linux host is missing one or more security updates."
);
script_set_attribute(
attribute:"description",
value:
"From Red Hat Security Advisory 2014:1846 :
Updated gnutls packages that fix one security issue are now available
for Red Hat Enterprise Linux 7.
Red Hat Product Security has rated this update as having Moderate
security impact. A Common Vulnerability Scoring System (CVSS) base
score, which gives a detailed severity rating, is available from the
CVE link in the References section.
The GnuTLS library provides support for cryptographic algorithms and
for protocols such as Transport Layer Security (TLS). The gnutls
packages also include the libtasn1 library, which provides Abstract
Syntax Notation One (ASN.1) parsing and structures management, and
Distinguished Encoding Rules (DER) encoding and decoding functions.
An out-of-bounds memory write flaw was found in the way GnuTLS parsed
certain ECC (Elliptic Curve Cryptography) certificates or certificate
signing requests (CSR). A malicious user could create a specially
crafted ECC certificate or a certificate signing request that, when
processed by an application compiled against GnuTLS (for example,
certtool), could cause that application to crash or execute arbitrary
code with the permissions of the user running the application.
(CVE-2014-8564)
Red Hat would like to thank GnuTLS upstream for reporting this issue.
Upstream acknowledges Sean Burford as the original reporter.
All gnutls users are advised to upgrade to these updated packages,
which contain a backported patch to correct this issue. For the update
to take effect, all applications linked to the GnuTLS or libtasn1
library must be restarted."
);
script_set_attribute(
attribute:"see_also",
value:"https://oss.oracle.com/pipermail/el-errata/2014-November/004631.html"
);
script_set_attribute(
attribute:"solution",
value:"Update the affected gnutls packages."
);
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
script_set_cvss_temporal_vector("CVSS2#E:ND/RL:OF/RC:C");
script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
script_set_attribute(attribute:"exploit_available", value:"false");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:gnutls");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:gnutls-c++");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:gnutls-dane");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:gnutls-devel");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:gnutls-utils");
script_set_attribute(attribute:"cpe", value:"cpe:/o:oracle:linux:7");
script_set_attribute(attribute:"vuln_publication_date", value:"2014/11/13");
script_set_attribute(attribute:"patch_publication_date", value:"2014/11/12");
script_set_attribute(attribute:"plugin_publication_date", value:"2014/11/13");
script_set_attribute(attribute:"generated_plugin", value:"current");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_copyright(english:"This script is Copyright (C) 2014-2021 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_family(english:"Oracle Linux Local Security Checks");
script_dependencies("ssh_get_info.nasl");
script_require_keys("Host/local_checks_enabled", "Host/OracleLinux", "Host/RedHat/release", "Host/RedHat/rpm-list");
exit(0);
}
include("audit.inc");
include("global_settings.inc");
include("rpm.inc");
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/OracleLinux")) audit(AUDIT_OS_NOT, "Oracle Linux");
release = get_kb_item("Host/RedHat/release");
if (isnull(release) || !pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux)", string:release)) audit(AUDIT_OS_NOT, "Oracle Linux");
os_ver = pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\.[0-9]+)?)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Oracle Linux");
os_ver = os_ver[1];
if (! preg(pattern:"^7([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Oracle Linux 7", "Oracle Linux " + os_ver);
if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Oracle Linux", cpu);
if ("x86_64" >!< cpu) audit(AUDIT_ARCH_NOT, "x86_64", cpu);
flag = 0;
if (rpm_check(release:"EL7", cpu:"x86_64", reference:"gnutls-3.1.18-10.el7_0")) flag++;
if (rpm_check(release:"EL7", cpu:"x86_64", reference:"gnutls-c++-3.1.18-10.el7_0")) flag++;
if (rpm_check(release:"EL7", cpu:"x86_64", reference:"gnutls-dane-3.1.18-10.el7_0")) flag++;
if (rpm_check(release:"EL7", cpu:"x86_64", reference:"gnutls-devel-3.1.18-10.el7_0")) flag++;
if (rpm_check(release:"EL7", cpu:"x86_64", reference:"gnutls-utils-3.1.18-10.el7_0")) flag++;
if (flag)
{
if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
else security_warning(0);
exit(0);
}
else
{
tested = pkg_tests_get();
if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
else audit(AUDIT_PACKAGE_NOT_INSTALLED, "gnutls / gnutls-c++ / gnutls-dane / gnutls-devel / gnutls-utils");
}
| Vendor | Product | Version | CPE |
|---|---|---|---|
| oracle | linux | gnutls | p-cpe:/a:oracle:linux:gnutls |
| oracle | linux | gnutls-c%2b%2b | p-cpe:/a:oracle:linux:gnutls-c%2b%2b |
| oracle | linux | gnutls-dane | p-cpe:/a:oracle:linux:gnutls-dane |
| oracle | linux | gnutls-devel | p-cpe:/a:oracle:linux:gnutls-devel |
| oracle | linux | gnutls-utils | p-cpe:/a:oracle:linux:gnutls-utils |
| oracle | linux | 7 | cpe:/o:oracle:linux:7 |
Related
nessus
nessus
Scientific Linux Security Update : gnutls on SL7.x x86_64 (20141112)
2014-11-13 00:00:00
Mandriva Linux Security Advisory : gnutls (MDVSA-2014:215)
2014-11-20 00:00:00
Fedora 21 : gnutls-3.3.10-1.fc21 (2014-14734)
2014-11-17 00:00:00
securityvulns
securityvulns
GnuTLS memory corruption
2014-11-24 00:00:00
[ MDVSA-2014:215 ] gnutls
2014-11-24 00:00:00
openvas
openvas
Ubuntu: Security Advisory (USN-2403-1)
2014-11-12 00:00:00
Mageia: Security Advisory (MGASA-2014-0458)
2022-01-28 00:00:00
Oracle: Security Advisory (ELSA-2014-1846)
2015-10-06 00:00:00
cve
cve
CVE-2014-8564
2014-11-13 21:32:13
fedora
fedora
[SECURITY] Fedora 21 Update: gnutls-3.3.10-1.fc21
2014-11-16 14:40:54
[SECURITY] Fedora 20 Update: gnutls-3.1.28-1.fc20
2014-11-13 18:22:50
cvelist
cvelist
CVE-2014-8564
2014-11-13 15:00:00
f5
f5
K15970 : GnuTLS 3.x vulnerability CVE-2014-8564
2015-01-09 00:00:00
SOL15970 - GnuTLS 3.x vulnerability CVE-2014-8564
2015-01-08 00:00:00
redhat
redhat
(RHSA-2014:1846) Moderate: gnutls security update
2014-11-12 00:00:00
ubuntucve
ubuntucve
CVE-2014-8564
2014-11-10 00:00:00
archlinux
archlinux
gnutls: out-of-bounds memory write
2014-11-12 00:00:00
debiancve
debiancve
CVE-2014-8564
2014-11-13 21:32:13
mageia
mageia
Updated gnutls package fix security vulnerability
2014-11-15 21:31:46
centos
centos
gnutls security update
2014-11-12 12:50:47
oraclelinux
oraclelinux
gnutls security update
2014-11-12 00:00:00
prion
prion
Out-of-bounds
2014-11-13 21:32:00
ubuntu
ubuntu
GnuTLS vulnerability
2014-11-11 00:00:00
Related for ORACLELINUX_ELSA-2014-1846.NASL