This script is Copyright (C) 2023 and is owned by Tenable, Inc. or an Affiliate thereof.ORACLELINUX_ELSA-2020-5765.NASLOracle Linux 7 : Unbreakable Enterprise kernel-container kata-image kata-runtime kata kubernetes kubernetes istio olcne (ELSA-2020-5765)
8 High
AI Score
Confidence
High
The remote Oracle Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2020-5765 advisory.
-
In nghttp2 before version 1.41.0, the overly large HTTP/2 SETTINGS frame payload causes denial of service.
The proof of concept attack involves a malicious client constructing a SETTINGS frame with a length of 14,400 bytes (2400 individual settings entries) over and over again. The attack causes the CPU to spike at 100%. nghttp2 v1.41.0 fixes this vulnerability. There is a workaround to this vulnerability. Implement nghttp2_on_frame_recv_callback callback, and if received frame is SETTINGS frame and the number of settings entries are large (e.g., > 32), then drop the connection. (CVE-2020-11080) -
An improper link resolution vulnerability affects Kata Containers versions prior to 1.11.0. Upon container teardown, a malicious guest can trick the kata-runtime into unmounting any mount point on the host and all mount points underneath it, potentiality resulting in a host DoS. (CVE-2020-2024)
-
Kata Containers before 1.11.0 on Cloud Hypervisor persists guest filesystem changes to the underlying image file on the host. A malicious guest can overwrite the image file to gain control of all subsequent guest VMs. Since Kata Containers uses the same VM image file with all VMMs, this issue may also affect QEMU and Firecracker based guests. (CVE-2020-2025)
-
A malicious guest compromised before a container creation (e.g. a malicious guest image or a guest running multiple containers) can trick the kata runtime into mounting the untrusted container filesystem on any host path, potentially allowing for code execution on the host. This issue affects: Kata Containers 1.11 versions earlier than 1.11.1; Kata Containers 1.10 versions earlier than 1.10.5; Kata Containers 1.9 and earlier versions. (CVE-2020-2026)
-
The Kubernetes kubelet component in versions 1.1-1.16.12, 1.17.0-1.17.8 and 1.18.0-1.18.5 do not account for disk usage by a pod which writes to its own /etc/hosts file. The /etc/hosts file mounted in a pod by kubelet is not included by the kubelet eviction manager when calculating ephemeral storage usage by a pod.
If a pod writes a large amount of data to the /etc/hosts file, it could fill the storage space of the node and cause the node to fail. (CVE-2020-8557) -
A hard-coded cryptographic key vulnerability in the default configuration file was found in Kiali, all versions prior to 1.15.1. A remote attacker could abuse this flaw by creating their own JWT signed tokens and bypass Kiali authentication mechanisms, possibly gaining privileges to view and alter the Istio configuration. (CVE-2020-1764)
-
The Kubernetes kube-apiserver in versions v1.6-v1.15, and versions prior to v1.16.13, v1.17.9 and v1.18.6 are vulnerable to an unvalidated redirect on proxied upgrade requests that could allow an attacker to escalate privileges from a node compromise to a full cluster compromise. (CVE-2020-8559)
-
Istio 1.4.x before 1.4.9 and Istio 1.5.x before 1.5.4 contain the following vulnerability when telemetry v2 is enabled: by sending a specially crafted packet, an attacker could trigger a Null Pointer Exception resulting in a Denial of Service. This could be sent to the ingress gateway or a sidecar, triggering a null pointer exception which results in a denial of service. This also affects servicemesh-proxy where a null pointer exception flaw was found in servicemesh-proxy. When running Telemetry v2 (not on by default in version 1.4.x), an attacker could send a specially crafted packet to the ingress gateway or proxy sidecar, triggering a denial of service. (CVE-2020-10739)
-
In Envoy before versions 1.12.6, 1.13.4, 1.14.4, and 1.15.0 when validating TLS certificates, Envoy would incorrectly allow a wildcard DNS Subject Alternative Name apply to multiple subdomains. For example, with a SAN of *.example.com, Envoy would incorrectly allow nested.subdomain.example.com, when it should only allow subdomain.example.com. This defect applies to both validating a client TLS certificate in mTLS, and validating a server TLS certificate for upstream connections. This vulnerability is only applicable to situations where an untrusted entity can obtain a signed wildcard TLS certificate for a domain of which you only intend to trust a subdomain of. For example, if you intend to trust api.mysubdomain.example.com, and an untrusted actor can obtain a signed TLS certificate for *.example.com or *.com. Configurations are vulnerable if they use verify_subject_alt_name in any Envoy version, or if they use match_subject_alt_names in version 1.14 or later. This issue has been fixed in Envoy versions 1.12.6, 1.13.4, 1.14.4, 1.15.0. (CVE-2020-15104)
Note that Nessus has not tested for these issues but has instead relied only on the application’s self-reported version number.
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Oracle Linux Security Advisory ELSA-2020-5765.
##
include('compat.inc');
if (description)
{
script_id(180974);
script_version("1.2");
script_set_attribute(attribute:"plugin_modification_date", value:"2023/11/08");
script_cve_id(
"CVE-2020-1764",
"CVE-2020-2024",
"CVE-2020-2025",
"CVE-2020-2026",
"CVE-2020-8557",
"CVE-2020-8559",
"CVE-2020-10739",
"CVE-2020-11080",
"CVE-2020-15104"
);
script_xref(name:"CEA-ID", value:"CEA-2021-0004");
script_name(english:"Oracle Linux 7 : Unbreakable Enterprise kernel-container kata-image kata-runtime kata kubernetes kubernetes istio olcne (ELSA-2020-5765)");
script_set_attribute(attribute:"synopsis", value:
"The remote Oracle Linux host is missing one or more security updates.");
script_set_attribute(attribute:"description", value:
"The remote Oracle Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the
ELSA-2020-5765 advisory.
- In nghttp2 before version 1.41.0, the overly large HTTP/2 SETTINGS frame payload causes denial of service.
The proof of concept attack involves a malicious client constructing a SETTINGS frame with a length of
14,400 bytes (2400 individual settings entries) over and over again. The attack causes the CPU to spike at
100%. nghttp2 v1.41.0 fixes this vulnerability. There is a workaround to this vulnerability. Implement
nghttp2_on_frame_recv_callback callback, and if received frame is SETTINGS frame and the number of
settings entries are large (e.g., > 32), then drop the connection. (CVE-2020-11080)
- An improper link resolution vulnerability affects Kata Containers versions prior to 1.11.0. Upon container
teardown, a malicious guest can trick the kata-runtime into unmounting any mount point on the host and all
mount points underneath it, potentiality resulting in a host DoS. (CVE-2020-2024)
- Kata Containers before 1.11.0 on Cloud Hypervisor persists guest filesystem changes to the underlying
image file on the host. A malicious guest can overwrite the image file to gain control of all subsequent
guest VMs. Since Kata Containers uses the same VM image file with all VMMs, this issue may also affect
QEMU and Firecracker based guests. (CVE-2020-2025)
- A malicious guest compromised before a container creation (e.g. a malicious guest image or a guest running
multiple containers) can trick the kata runtime into mounting the untrusted container filesystem on any
host path, potentially allowing for code execution on the host. This issue affects: Kata Containers 1.11
versions earlier than 1.11.1; Kata Containers 1.10 versions earlier than 1.10.5; Kata Containers 1.9 and
earlier versions. (CVE-2020-2026)
- The Kubernetes kubelet component in versions 1.1-1.16.12, 1.17.0-1.17.8 and 1.18.0-1.18.5 do not account
for disk usage by a pod which writes to its own /etc/hosts file. The /etc/hosts file mounted in a pod by
kubelet is not included by the kubelet eviction manager when calculating ephemeral storage usage by a pod.
If a pod writes a large amount of data to the /etc/hosts file, it could fill the storage space of the node
and cause the node to fail. (CVE-2020-8557)
- A hard-coded cryptographic key vulnerability in the default configuration file was found in Kiali, all
versions prior to 1.15.1. A remote attacker could abuse this flaw by creating their own JWT signed tokens
and bypass Kiali authentication mechanisms, possibly gaining privileges to view and alter the Istio
configuration. (CVE-2020-1764)
- The Kubernetes kube-apiserver in versions v1.6-v1.15, and versions prior to v1.16.13, v1.17.9 and v1.18.6
are vulnerable to an unvalidated redirect on proxied upgrade requests that could allow an attacker to
escalate privileges from a node compromise to a full cluster compromise. (CVE-2020-8559)
- Istio 1.4.x before 1.4.9 and Istio 1.5.x before 1.5.4 contain the following vulnerability when telemetry
v2 is enabled: by sending a specially crafted packet, an attacker could trigger a Null Pointer Exception
resulting in a Denial of Service. This could be sent to the ingress gateway or a sidecar, triggering a
null pointer exception which results in a denial of service. This also affects servicemesh-proxy where a
null pointer exception flaw was found in servicemesh-proxy. When running Telemetry v2 (not on by default
in version 1.4.x), an attacker could send a specially crafted packet to the ingress gateway or proxy
sidecar, triggering a denial of service. (CVE-2020-10739)
- In Envoy before versions 1.12.6, 1.13.4, 1.14.4, and 1.15.0 when validating TLS certificates, Envoy would
incorrectly allow a wildcard DNS Subject Alternative Name apply to multiple subdomains. For example, with
a SAN of *.example.com, Envoy would incorrectly allow nested.subdomain.example.com, when it should only
allow subdomain.example.com. This defect applies to both validating a client TLS certificate in mTLS, and
validating a server TLS certificate for upstream connections. This vulnerability is only applicable to
situations where an untrusted entity can obtain a signed wildcard TLS certificate for a domain of which
you only intend to trust a subdomain of. For example, if you intend to trust api.mysubdomain.example.com,
and an untrusted actor can obtain a signed TLS certificate for *.example.com or *.com. Configurations are
vulnerable if they use verify_subject_alt_name in any Envoy version, or if they use
match_subject_alt_names in version 1.14 or later. This issue has been fixed in Envoy versions 1.12.6,
1.13.4, 1.14.4, 1.15.0. (CVE-2020-15104)
Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
script_set_attribute(attribute:"see_also", value:"https://linux.oracle.com/errata/ELSA-2020-5765.html");
script_set_attribute(attribute:"solution", value:
"Update the affected packages.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H");
script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2020-1764");
script_set_attribute(attribute:"cvss3_score_source", value:"CVE-2020-2026");
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"vuln_publication_date", value:"2020/03/26");
script_set_attribute(attribute:"patch_publication_date", value:"2020/07/22");
script_set_attribute(attribute:"plugin_publication_date", value:"2023/09/07");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"cpe:/o:oracle:linux:7");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:istio");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:istio-citadel");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:istio-galley");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:istio-istioctl");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:istio-mixc");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:istio-mixs");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:istio-node-agent");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:istio-pilot-agent");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:istio-pilot-discovery");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:istio-proxy-init");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:istio-sidecar-injector");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kata");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kata-image");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kata-runtime");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-uek-container");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kubeadm");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kubectl");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kubelet");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:olcne-agent");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:olcne-api-server");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:olcne-istio-chart");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:olcne-nginx");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:olcne-prometheus-chart");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:olcne-utils");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:olcnectl");
script_set_attribute(attribute:"generated_plugin", value:"current");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Oracle Linux Local Security Checks");
script_copyright(english:"This script is Copyright (C) 2023 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("linux_alt_patch_detect.nasl", "ssh_get_info.nasl");
script_require_keys("Host/OracleLinux", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/local_checks_enabled");
exit(0);
}
include('ksplice.inc');
include('rpm.inc');
if (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item('Host/OracleLinux')) audit(AUDIT_OS_NOT, 'Oracle Linux');
var os_release = get_kb_item("Host/RedHat/release");
if (isnull(os_release) || !pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux)", string:os_release)) audit(AUDIT_OS_NOT, 'Oracle Linux');
var os_ver = pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\.[0-9]+)?)", string:os_release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Oracle Linux');
os_ver = os_ver[1];
if (! preg(pattern:"^7([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, 'Oracle Linux 7', 'Oracle Linux ' + os_ver);
if (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);
var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Oracle Linux', cpu);
if ('x86_64' >!< cpu) audit(AUDIT_ARCH_NOT, 'x86_64', cpu);
var machine_uptrack_level = get_one_kb_item('Host/uptrack-uname-r');
if (machine_uptrack_level)
{
var trimmed_uptrack_level = ereg_replace(string:machine_uptrack_level, pattern:"\.(x86_64|i[3-6]86|aarch64)$", replace:'');
var fixed_uptrack_levels = ['4.14.35-1902.303.5.3.el7'];
foreach var fixed_uptrack_level ( fixed_uptrack_levels ) {
if (rpm_spec_vers_cmp(a:trimmed_uptrack_level, b:fixed_uptrack_level) >= 0)
{
audit(AUDIT_PATCH_INSTALLED, 'KSplice hotfix for ELSA-2020-5765');
}
}
__rpm_report = 'Running KSplice level of ' + trimmed_uptrack_level + ' does not meet the minimum fixed level of ' + join(fixed_uptrack_levels, sep:' / ') + ' for this advisory.\n\n';
}
var kernel_major_minor = get_kb_item('Host/uname/major_minor');
if (empty_or_null(kernel_major_minor)) exit(1, 'Unable to determine kernel major-minor level.');
var expected_kernel_major_minor = '4.14';
if (kernel_major_minor != expected_kernel_major_minor)
audit(AUDIT_OS_NOT, 'running kernel level ' + expected_kernel_major_minor + ', it is running kernel level ' + kernel_major_minor);
var pkgs = [
{'reference':'istio-1.4.10-1.0.1.el7', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE},
{'reference':'istio-citadel-1.4.10-1.0.1.el7', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE},
{'reference':'istio-galley-1.4.10-1.0.1.el7', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE},
{'reference':'istio-istioctl-1.4.10-1.0.1.el7', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE},
{'reference':'istio-mixc-1.4.10-1.0.1.el7', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE},
{'reference':'istio-mixs-1.4.10-1.0.1.el7', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE},
{'reference':'istio-node-agent-1.4.10-1.0.1.el7', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE},
{'reference':'istio-pilot-agent-1.4.10-1.0.1.el7', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE},
{'reference':'istio-pilot-discovery-1.4.10-1.0.1.el7', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE},
{'reference':'istio-proxy-init-1.4.10-1.0.1.el7', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE},
{'reference':'istio-sidecar-injector-1.4.10-1.0.1.el7', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE},
{'reference':'kata-1.7.3-1.0.7.el7', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE},
{'reference':'kata-image-1.7.3-1.0.5.1.ol7_202007011859', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE},
{'reference':'kata-runtime-1.7.3-1.0.5.el7', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE},
{'reference':'kernel-uek-container-4.14.35-1902.303.5.3.el7', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-container-4.14.35'},
{'reference':'kubeadm-1.14.9-1.0.6.el7', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kubeadm-1.14.9'},
{'reference':'kubeadm-1.17.9-1.0.1.el7', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kubeadm-1.17.9'},
{'reference':'kubectl-1.14.9-1.0.6.el7', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kubectl-1.14.9'},
{'reference':'kubectl-1.17.9-1.0.1.el7', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kubectl-1.17.9'},
{'reference':'kubelet-1.14.9-1.0.6.el7', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kubelet-1.14.9'},
{'reference':'kubelet-1.17.9-1.0.1.el7', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kubelet-1.17.9'},
{'reference':'olcne-agent-1.1.2-6.el7', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE},
{'reference':'olcne-api-server-1.1.2-6.el7', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE},
{'reference':'olcne-istio-chart-1.1.2-6.el7', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE},
{'reference':'olcne-nginx-1.1.2-6.el7', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE},
{'reference':'olcne-prometheus-chart-1.1.2-6.el7', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE},
{'reference':'olcne-utils-1.1.2-6.el7', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE},
{'reference':'olcnectl-1.1.2-6.el7', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE}
];
var flag = 0;
foreach var package_array ( pkgs ) {
var reference = NULL;
var _release = NULL;
var sp = NULL;
var _cpu = NULL;
var el_string = NULL;
var rpm_spec_vers_cmp = NULL;
var epoch = NULL;
var allowmaj = NULL;
var exists_check = NULL;
if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];
if (!empty_or_null(package_array['release'])) _release = 'EL' + package_array['release'];
if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];
if (!empty_or_null(package_array['cpu'])) _cpu = package_array['cpu'];
if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];
if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];
if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];
if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];
if (!empty_or_null(package_array['exists_check'])) exists_check = package_array['exists_check'];
if (reference && _release) {
if (exists_check) {
if (rpm_exists(release:_release, rpm:exists_check) && rpm_check(release:_release, sp:sp, cpu:cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;
} else {
if (rpm_check(release:_release, sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;
}
}
}
if (flag)
{
security_report_v4(
port : 0,
severity : SECURITY_HOLE,
extra : rpm_report_get()
);
exit(0);
}
else
{
var tested = pkg_tests_get();
if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'istio / istio-citadel / istio-galley / etc');
}
| Vendor | Product | Version | CPE |
|---|---|---|---|
| oracle | linux | 7 | cpe:/o:oracle:linux:7 |
| oracle | linux | istio | p-cpe:/a:oracle:linux:istio |
| oracle | linux | istio-citadel | p-cpe:/a:oracle:linux:istio-citadel |
| oracle | linux | istio-galley | p-cpe:/a:oracle:linux:istio-galley |
| oracle | linux | istio-istioctl | p-cpe:/a:oracle:linux:istio-istioctl |
| oracle | linux | istio-mixc | p-cpe:/a:oracle:linux:istio-mixc |
| oracle | linux | istio-mixs | p-cpe:/a:oracle:linux:istio-mixs |
| oracle | linux | istio-node-agent | p-cpe:/a:oracle:linux:istio-node-agent |
| oracle | linux | istio-pilot-agent | p-cpe:/a:oracle:linux:istio-pilot-agent |
| oracle | linux | istio-pilot-discovery | p-cpe:/a:oracle:linux:istio-pilot-discovery |
References
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10739
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11080
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15104
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1764
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-2024
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-2025
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-2026
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8557
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8559
linux.oracle.com/errata/ELSA-2020-5765.html
Related
