nessus
This script is Copyright (C) 2024 and is owned by Tenable, Inc. or an Affiliate thereof.
ORACLELINUX_ELSA-2024-2953.NASL
May 28, 2024 - 12:00 a.m.

Oracle Linux 8 : pcs (ELSA-2024-2953)


CVSS3: 5.8 Medium

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: CHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L

AI Score: 7 High (Confidence: Low)

EPSS: 0.0004 Low (Percentile: 10.4%)

The remote Oracle Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2024-2953 advisory.

[0.10.18-2.0.1]
- Replace HAM-logo.png with a generic one

[0.10.18-2]
- Fixed CVE-2024-25126, CVE-2024-26141, CVE-2024-26146 in bundled dependency rack
  Resolves: RHEL-26445, RHEL-26447, RHEL-26449

[0.10.18-1]
- Rebased to the latest sources (see CHANGELOG.md)
  Resolves: RHEL-7741

[0.10.17-6]
- Rebased to the latest upstream sources (see CHANGELOG.md)
- Remove the preview of the new pcs web interface
  Resolves: RHEL-17280

[0.10.17-5]
- Rebased to the latest upstream sources (see CHANGELOG.md)
  Resolves: RHEL-7584, RHEL-7668, RHEL-7729, RHEL-7731, RHEL-7732, RHEL-7741, RHEL-7742, RHEL-7743, RHEL-7745, RHEL-8467
- Tightened permissions of bundled rubygems to be 755 or stricter
  Resolves: RHEL-7715

[0.10.17-4]
- No changes, fixed an error in the new quality control process
- Resolves: RHEL-15218

[0.10.17-3]
- No changes, testing a new quality control process
- Resolves: RHEL-15218

[0.10.17-2]
- Make use of filters when extracting tarballs to enhance security if provided by Python (pcs config restore command)
- Do not display duplicate records in commands pcs property [config] --all and pcs property describe
- Resolves: rhbz#2218841 rhbz#2219388

[0.10.17-1]
- Rebased to the latest upstream sources (see CHANGELOG.md)
- Updated bundled rubygems: tilt, puma
- Resolves: rhbz#2112259 rhbz#2163439 rhbz#2166289

[0.10.16-1]
- Rebased to the latest upstream sources (see CHANGELOG.md)
- Updated bundled dependencies: dacite
- Added bundled rubygems: nio4r, puma
- Removed bundled rubygems: daemons, eventmachine, thin
- Updated bundled rubygems: backports, rack, rack-test, tilt
- Resolves: rhbz#1957591 rhbz#2022748 rhbz#2160555 rhbz#2163439 rhbz#2166289 rhbz#2166294 rhbz#2176490 rhbz#2178700 rhbz#2178707 rhbz#2179010 rhbz#2180378 rhbz#2189958

[0.10.15-4]
- Fixed enabling/disabling sbd when cluster is not running
- Added BuildRequires: pam - needed for tier0 tests during build
- Resolves: rhbz#2166243

[0.10.15-3]
- Allow time values in stonith-watchdog-time property
- Resource/stonith agent self-validation of instance attributes is now disabled by default, as many agents do not work with it properly
- Updated bundled rubygems: rack, rack-protection, sinatra
- Added license for ruby2_keywords
- Resolves: rhbz#2158804 rhbz#2159455

[0.10.15-2]
- Added warning when omitting validation of misconfigured resource
- Fixed displaying of bool and integer values in pcs resource config command
- Updated bundled rubygems: ethon, json, rack-protection, sinatra
- Resolves: rhbz#2151166 rhbz#2151511

[0.10.15-1]
- Rebased to latest upstream sources (see CHANGELOG.md)
- Updated Python bundled dependency dateutil
- Resolves: rhbz#2112002 rhbz#2112263 rhbz#2112291 rhbz#2132582

[0.10.14-6]
- Rebased to latest upstream sources (see CHANGELOG.md)
- Updated rubygem bundled packages: mustermann, rack, rack-protection, rack-test, sinatra, tilt
- Resolves: rhbz#1816852 rhbz#1918527 rhbz#2112267 rhbz#2112291

[0.10.14-4]
- Fixed enable sbd from webui
- Resolves: rhbz#2117650

[0.10.14-3]
- Fixed pcs quorum device remove
- Resolves: rhbz#2115326

[0.10.14-2]
- Fixed booth ticket mode value case insensitive
- Fixed booth sync check whether /etc/booth exists
- Resolves: rhbz#1786964 rhbz#1791670

[0.10.14-1]
- Rebased to latest upstream sources (see CHANGELOG.md)
- Updated bundled rubygems: rack
- Resolves: rhbz#2059500 rhbz#2096787 rhbz#2097383 rhbz#2097391 rhbz#2097392 rhbz#2097393

[0.10.13-1]
- Rebased to latest upstream sources (see CHANGELOG.md)
- Updated pcs-web-ui
- Updated bundled rubygems: backports, daemons, ethon ffi, json, ruby2_keywords, thin
- Resolves: rhbz#1730232 rhbz#1786964 rhbz#1791661 rhbz#1791670 rhbz#1874624 rhbz#1909904 rhbz#1950551 rhbz#1954099 rhbz#2019894 rhbz#2023845 rhbz#2059500 rhbz#2064805 rhbz#2068456

[0.10.12-7]
- Updated bundled rubygems: sinatra, rack-protection
- Resolves: rhbz#2081332

[0.10.12-6]
- Fixed processing agents not conforming to OCF schema
- Resolves: rhbz#2050274

[0.10.12-5]
- Fixed snmp client
- Resolves: rhbz#2047983

[0.10.12-4]
- Fixed cluster destroy in web ui
- Fixed covscan issue in web ui
- Resolves: rhbz#1970508

[0.10.12-3]
- Fixed 'pcs resource move --autodelete' command
- Fixed removing of unavailable fence-scsi storage device
- Fixed ocf validation of ocf linbit drdb agent
- Fixed creating empty cib
- Updated pcs-web-ui
- Resolves: rhbz#1990784 rhbz#2022463 rhbz#2032997 rhbz#2036633

[0.10.12-2]
- Fixed rsc update cmd when unable to get agent metadata
- Fixed enabling corosync-qdevice
- Resolves: rhbz#1384485 rhbz#2028902

[0.10.12-1]
- Rebased to latest upstream sources (see CHANGELOG.md)
- Updated pcs-web-ui
- Resolves: rhbz#1552470 rhbz#1997011 rhbz#2017311 rhbz#2017312 rhbz#2024543 rhbz#2012128

[0.10.11-2]
- Rebased to latest upstream sources (see CHANGELOG.md)
- Removed 'export PYTHONCOERCECLOCALE=0'
- Resolves: rhbz#1384485 rhbz#1936833 rhbz#1968088 rhbz#1990784 rhbz#2012128

[0.10.11-1]
- Rebased to latest upstream sources (see CHANGELOG.md)
- Updated pcs-web-ui
- Enabled wui patching
- Resolves: rhbz#1533090 rhbz#1970508 rhbz#1997011 rhbz#2003066 rhbz#2003068 rhbz#2012128

[0.10.10-2]
- Fixed create resources with depth operation attribute
- Resolves: rhbz#1998454

[0.10.10-1]
- Rebased to latest upstream sources (see CHANGELOG.md)
- Updated pcs-web-ui
- Resolves: rhbz#1885293 rhbz#1847102 rhbz#1935594

[0.10.9-1]
- Rebased to latest upstream sources (see CHANGELOG.md)
- Resolves: rhbz#1432097 rhbz#1847102 rhbz#1935594 rhbz#1984901

[0.10.8-4]
- Rebased to latest upstream sources (see CHANGELOG.md)
- Resolves: rhbz#1759995 rhbz#1872378 rhbz#1935594

[0.10.8-3]
- Rebased to latest upstream sources (see CHANGELOG.md)
- Gating changes
- Resolves: rhbz#1678273 rhbz#1690419 rhbz#1750240 rhbz#1759995 rhbz#1872378 rhbz#1909901 rhbz#1935594

[0.10.8-2]
- Rebased to latest upstream sources (see CHANGELOG.md)
- Updated pcs-web-ui
- Resolves: rhbz#1285269 rhbz#1290830 rhbz#1720221 rhbz#1841019 rhbz#1854238 rhbz#1882291 rhbz#1885302 rhbz#1886342 rhbz#1896458 rhbz#1922996 rhbz#1927384 rhbz#1927394 rhbz#1930886 rhbz#1935594

[0.10.8-1]
- Rebased to latest upstream sources (see CHANGELOG.md)
- Updated pcs-web-ui
- Updated python bundled dependencies: dacite, dataclasses
- Resolves: rhbz#1457314 rhbz#1619818 rhbz#1667066 rhbz#1762816 rhbz#1794062 rhbz#1845470 rhbz#1856397 rhbz#1877762 rhbz#1917286

[0.10.7-3]
- Rebased to latest upstream sources (see CHANGELOG.md)
- Add BuildRequires: make
- Resolves: rhbz#1667061 rhbz#1667066 rhbz#1774143 rhbz#1885658

[0.10.7-2]
- Rebased to latest upstream sources (see CHANGELOG.md)
- Changed BuildRequires from git to git-core
- Resolves: rhbz#1869399 rhbz#1885658 rhbz#1896379

[0.10.7-1]
- Rebased to latest upstream sources (see CHANGELOG.md)
- Added python bundled dependency dateutil
- Fixed virtual bundle provides for ember, handelbars, jquery and jquery-ui
- Resolves: rhbz#1222691 rhbz#1741056 rhbz#1851335 rhbz#1862966 rhbz#1869399 rhbz#1873691 rhbz#1875301 rhbz#1883445 rhbz#1885658 rhbz#1885841

[0.10.6-4]
- Fixed invalid CIB error caused by resource and operation defaults with mixed and-or rules
- Updated pcs-web-ui
- Resolves: rhbz#1867516

[0.10.6-3]
- Added Upgrade CIB if user specifies on-fail=demote
- Fixed rpmdiff issue with binary stripping checker
- Fixed removing non-empty tag by removing tagged resource group or clone
- Resolves: rhbz#1843079 rhbz#1857295

[0.10.6-2]
- Added resource and operation defaults that apply to specific resource/operation types
- Added Requires/BuildRequires: python3-pyparsing
- Added Requires: logrotate
- Fixed resource and stonith documentation
- Fixed rubygem licenses
- Fixed update_times()
- Updated rubygem rack to version 2.2.3
- Removed BuildRequires execstack (it is not needed)
- Resolves: rhbz#1805082 rhbz#1817547

[0.10.6-1]
- Rebased to latest upstream sources (see CHANGELOG.md)
- Added python bundled dependencies: dacite, dataclasses
- Added new bundled rubygem ruby2_keywords
- Updated rubygem bundled packages: backports, ethon, ffi, json, mustermann, rack, rack_protection, rack_test, sinatra, tilt
- Updated pcs-web-ui
- Updated test run, only tier0 tests are running during build
- Removed BuildRequires needed for tier1 tests which were removed for build (pacemaker-cli, fence_agents-*, fence_virt, booth-site)
- Resolves: rhbz#1387358 rhbz#1684676 rhbz#1722970 rhbz#1778672 rhbz#1782553 rhbz#1790460 rhbz#1805082 rhbz#1810017 rhbz#1817547 rhbz#1830552 rhbz#1832973 rhbz#1833114 rhbz#1833506 rhbz#1838853 rhbz#1839637

[0.10.4-6]
- Fixed communication between python and ruby daemons
- Resolves: rhbz#1783106

[0.10.4-5]
- Fixed link to sbd man page from sbd enable doc
- Fixed safe-disabling clones, groups, bundles
- Fixed sinatra wrapper performance issue
- Fixed detecting fence history support
- Fixed cookie options
- Updated hint for 'resource create ... master'
- Updated gating tests execution, smoke tests run from upstream sources
- Resolves: rhbz#1750427 rhbz#1781303 rhbz#1783106 rhbz#1793574

[0.10.4-4]
- Fix testsuite for pacemaker-2.0.3-4
- Resolves: rhbz#1792946

[0.10.4-3]
- Added basic resource views in new webUI

Tenable has extracted the preceding description block directly from the Oracle Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application’s self-reported version number.

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Oracle Linux Security Advisory ELSA-2024-2953.
##

include('compat.inc');

if (description)
{
  script_id(198015);
  script_version("1.1");
  script_set_attribute(attribute:"plugin_modification_date", value:"2024/05/28");

  script_cve_id("CVE-2024-25126", "CVE-2024-26141", "CVE-2024-26146");

  script_name(english:"Oracle Linux 8 : pcs (ELSA-2024-2953)");

  script_set_attribute(attribute:"synopsis", value:
"The remote Oracle Linux host is missing one or more security updates.");
  script_set_attribute(attribute:"description", value:
"The remote Oracle Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the
ELSA-2024-2953 advisory.

    [0.10.18-2.0.1]
    - Replace HAM-logo.png with a generic one

    [0.10.18-2]
    - Fixed CVE-2024-25126, CVE-2024-26141, CVE-2024-26146 in bundled dependency rack
      Resolves: RHEL-26445, RHEL-26447, RHEL-26449

    [0.10.18-1]
    - Rebased to the latest sources (see CHANGELOG.md)
      Resolves: RHEL-7741

    [0.10.17-6]
    - Rebased to the latest upstream sources (see CHANGELOG.md)
    - Remove the preview of the new pcs web interface
      Resolves: RHEL-17280

    [0.10.17-5]
    - Rebased to the latest upstream sources (see CHANGELOG.md)
      Resolves: RHEL-7584, RHEL-7668, RHEL-7729, RHEL-7731, RHEL-7732, RHEL-7741, RHEL-7742, RHEL-7743,
    RHEL-7745, RHEL-8467
    - Tightened permissions of bundled rubygems to be 755 or stricter
      Resolves: RHEL-7715

    [0.10.17-4]
    - No changes, fixed an error in the new quality control process
    - Resolves: RHEL-15218

    [0.10.17-3]
    - No changes, testing a new quality control process
    - Resolves: RHEL-15218

    [0.10.17-2]
    - Make use of filters when extracting tarballs to enhance security if provided by Python (pcs config
    restore command)
    - Do not display duplicate records in commands pcs property [config] --all and pcs property describe
    - Resolves: rhbz#2218841 rhbz#2219388

    [0.10.17-1]
    - Rebased to the latest upstream sources (see CHANGELOG.md)
    - Updated bundled rubygems: tilt, puma
    - Resolves: rhbz#2112259 rhbz#2163439 rhbz#2166289

    [0.10.16-1]
    - Rebased to the latest upstream sources (see CHANGELOG.md)
    - Updated bundled dependencies: dacite
    - Added bundled rubygems: nio4r, puma
    - Removed bundled rubygems: daemons, eventmachine, thin
    - Updated bundled rubygems: backports, rack, rack-test, tilt
    - Resolves: rhbz#1957591 rhbz#2022748 rhbz#2160555 rhbz#2163439 rhbz#2166289 rhbz#2166294 rhbz#2176490
    rhbz#2178700 rhbz#2178707 rhbz#2179010 rhbz#2180378 rhbz#2189958

    [0.10.15-4]
    - Fixed enabling/disabling sbd when cluster is not running
    - Added BuildRequires: pam - needed for tier0 tests during build
    - Resolves: rhbz#2166243

    [0.10.15-3]
    - Allow time values in stonith-watchdog-time property
    - Resource/stonith agent self-validation of instance attributes is now disabled by default, as many agents
    do not work with it properly
    - Updated bundled rubygems: rack, rack-protection, sinatra
    - Added license for ruby2_keywords
    - Resolves: rhbz#2158804 rhbz#2159455

    [0.10.15-2]
    - Added warning when omitting validation of misconfigured resource
    - Fixed displaying of bool and integer values in pcs resource config command
    - Updated bundled rubygems: ethon, json, rack-protection, sinatra
    - Resolves: rhbz#2151166 rhbz#2151511

    [0.10.15-1]
    - Rebased to latest upstream sources (see CHANGELOG.md)
    - Updated Python bundled dependency dateutil
    - Resolves: rhbz#2112002 rhbz#2112263 rhbz#2112291 rhbz#2132582

    [0.10.14-6]
    - Rebased to latest upstream sources (see CHANGELOG.md)
    - Updated rubygem bundled packages: mustermann, rack, rack-protection, rack-test, sinatra, tilt
    - Resolves: rhbz#1816852 rhbz#1918527 rhbz#2112267 rhbz#2112291

    [0.10.14-4]
    - Fixed enable sbd from webui
    - Resolves: rhbz#2117650

    [0.10.14-3]
    - Fixed pcs quorum device remove
    - Resolves: rhbz#2115326

    [0.10.14-2]
    - Fixed booth ticket mode value case insensitive
    - Fixed booth sync check whether /etc/booth exists
    - Resolves: rhbz#1786964 rhbz#1791670

    [0.10.14-1]
    - Rebased to latest upstream sources (see CHANGELOG.md)
    - Updated bundled rubygems: rack
    - Resolves: rhbz#2059500 rhbz#2096787 rhbz#2097383 rhbz#2097391 rhbz#2097392 rhbz#2097393

    [0.10.13-1]
    - Rebased to latest upstream sources (see CHANGELOG.md)
    - Updated pcs-web-ui
    - Updated bundled rubygems: backports, daemons, ethon ffi, json, ruby2_keywords, thin
    - Resolves: rhbz#1730232 rhbz#1786964 rhbz#1791661 rhbz#1791670 rhbz#1874624 rhbz#1909904 rhbz#1950551
    rhbz#1954099 rhbz#2019894 rhbz#2023845 rhbz#2059500 rhbz#2064805 rhbz#2068456

    [0.10.12-7]
    - Updated bundled rubygems: sinatra, rack-protection
    - Resolves: rhbz#2081332

    [0.10.12-6]
    - Fixed processing agents not conforming to OCF schema
    - Resolves: rhbz#2050274

    [0.10.12-5]
    - Fixed snmp client
    - Resolves: rhbz#2047983

    [0.10.12-4]
    - Fixed cluster destroy in web ui
    - Fixed covscan issue in web ui
    - Resolves: rhbz#1970508

    [0.10.12-3]
    - Fixed 'pcs resource move --autodelete' command
    - Fixed removing of unavailable fence-scsi storage device
    - Fixed ocf validation of ocf linbit drdb agent
    - Fixed creating empty cib
    - Updated pcs-web-ui
    - Resolves: rhbz#1990784 rhbz#2022463 rhbz#2032997 rhbz#2036633

    [0.10.12-2]
    - Fixed rsc update cmd when unable to get agent metadata
    - Fixed enabling corosync-qdevice
    - Resolves: rhbz#1384485 rhbz#2028902

    [0.10.12-1]
    - Rebased to latest upstream sources (see CHANGELOG.md)
    - Updated pcs-web-ui
    - Resolves: rhbz#1552470 rhbz#1997011 rhbz#2017311 rhbz#2017312 rhbz#2024543 rhbz#2012128

    [0.10.11-2]
    - Rebased to latest upstream sources (see CHANGELOG.md)
    - Removed 'export PYTHONCOERCECLOCALE=0'
    - Resolves: rhbz#1384485 rhbz#1936833 rhbz#1968088 rhbz#1990784 rhbz#2012128

    [0.10.11-1]
    - Rebased to latest upstream sources (see CHANGELOG.md)
    - Updated pcs-web-ui
    - Enabled wui patching
    - Resolves: rhbz#1533090 rhbz#1970508 rhbz#1997011 rhbz#2003066 rhbz#2003068 rhbz#2012128

    [0.10.10-2]
    - Fixed create resources with depth operation attribute
    - Resolves: rhbz#1998454

    [0.10.10-1]
    - Rebased to latest upstream sources (see CHANGELOG.md)
    - Updated pcs-web-ui
    - Resolves: rhbz#1885293 rhbz#1847102 rhbz#1935594

    [0.10.9-1]
    - Rebased to latest upstream sources (see CHANGELOG.md)
    - Resolves: rhbz#1432097 rhbz#1847102 rhbz#1935594 rhbz#1984901

    [0.10.8-4]
    - Rebased to latest upstream sources (see CHANGELOG.md)
    - Resolves: rhbz#1759995 rhbz#1872378 rhbz#1935594

    [0.10.8-3]
    - Rebased to latest upstream sources (see CHANGELOG.md)
    - Gating changes
    - Resolves: rhbz#1678273 rhbz#1690419 rhbz#1750240 rhbz#1759995 rhbz#1872378 rhbz#1909901 rhbz#1935594

    [0.10.8-2]
    - Rebased to latest upstream sources (see CHANGELOG.md)
    - Updated pcs-web-ui
    - Resolves: rhbz#1285269 rhbz#1290830 rhbz#1720221 rhbz#1841019 rhbz#1854238 rhbz#1882291 rhbz#1885302
    rhbz#1886342 rhbz#1896458 rhbz#1922996 rhbz#1927384 rhbz#1927394 rhbz#1930886 rhbz#1935594

    [0.10.8-1]
    - Rebased to latest upstream sources (see CHANGELOG.md)
    - Updated pcs-web-ui
    - Updated python bundled dependencies: dacite, dataclasses
    - Resolves: rhbz#1457314 rhbz#1619818 rhbz#1667066 rhbz#1762816 rhbz#1794062 rhbz#1845470 rhbz#1856397
    rhbz#1877762 rhbz#1917286

    [0.10.7-3]
    - Rebased to latest upstream sources (see CHANGELOG.md)
    - Add BuildRequires: make
    - Resolves: rhbz#1667061 rhbz#1667066 rhbz#1774143 rhbz#1885658

    [0.10.7-2]
    - Rebased to latest upstream sources (see CHANGELOG.md)
    - Changed BuildRequires from git to git-core
    - Resolves: rhbz#1869399 rhbz#1885658 rhbz#1896379

    [0.10.7-1]
    - Rebased to latest upstream sources (see CHANGELOG.md)
    - Added python bundled dependency dateutil
    - Fixed virtual bundle provides for ember, handelbars, jquery and jquery-ui
    - Resolves: rhbz#1222691 rhbz#1741056 rhbz#1851335 rhbz#1862966 rhbz#1869399 rhbz#1873691 rhbz#1875301
    rhbz#1883445 rhbz#1885658 rhbz#1885841

    [0.10.6-4]
    - Fixed invalid CIB error caused by resource and operation defaults with mixed and-or rules
    - Updated pcs-web-ui
    - Resolves: rhbz#1867516

    [0.10.6-3]
    - Added Upgrade CIB if user specifies on-fail=demote
    - Fixed rpmdiff issue with binary stripping checker
    - Fixed removing non-empty tag by removing tagged resource group or clone
    - Resolves: rhbz#1843079 rhbz#1857295

    [0.10.6-2]
    - Added resource and operation defaults that apply to specific resource/operation types
    - Added Requires/BuildRequires: python3-pyparsing
    - Added Requires: logrotate
    - Fixed resource and stonith documentation
    - Fixed rubygem licenses
    - Fixed update_times()
    - Updated rubygem rack to version 2.2.3
    - Removed BuildRequires execstack (it is not needed)
    - Resolves: rhbz#1805082 rhbz#1817547

    [0.10.6-1]
    - Rebased to latest upstream sources (see CHANGELOG.md)
    - Added python bundled dependencies: dacite, dataclasses
    - Added new bundled rubygem ruby2_keywords
    - Updated rubygem bundled packages: backports, ethon, ffi, json, mustermann, rack, rack_protection,
    rack_test, sinatra, tilt
    - Updated pcs-web-ui
    - Updated test run, only tier0 tests are running during build
    - Removed BuildRequires needed for tier1 tests which were removed for build (pacemaker-cli,
    fence_agents-*, fence_virt, booth-site)
    - Resolves: rhbz#1387358 rhbz#1684676 rhbz#1722970 rhbz#1778672 rhbz#1782553 rhbz#1790460 rhbz#1805082
    rhbz#1810017 rhbz#1817547 rhbz#1830552 rhbz#1832973 rhbz#1833114 rhbz#1833506 rhbz#1838853 rhbz#1839637

    [0.10.4-6]
    - Fixed communication between python and ruby daemons
    - Resolves: rhbz#1783106

    [0.10.4-5]
    - Fixed link to sbd man page from sbd enable doc
    - Fixed safe-disabling clones, groups, bundles
    - Fixed sinatra wrapper performance issue
    - Fixed detecting fence history support
    - Fixed cookie options
    - Updated hint for 'resource create ... master'
    - Updated gating tests execution, smoke tests run from upstream sources
    - Resolves: rhbz#1750427 rhbz#1781303 rhbz#1783106 rhbz#1793574

    [0.10.4-4]
    - Fix testsuite for pacemaker-2.0.3-4
    - Resolves: rhbz#1792946

    [0.10.4-3]
    - Added basic resource views in new webUI

Tenable has extracted the preceding description block directly from the Oracle Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://linux.oracle.com/errata/ELSA-2024-2953.html");
  script_set_attribute(attribute:"solution", value:
"Update the affected pcs and / or pcs-snmp packages.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2024-26141");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2024/02/28");
  script_set_attribute(attribute:"patch_publication_date", value:"2024/05/23");
  script_set_attribute(attribute:"plugin_publication_date", value:"2024/05/28");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:oracle:linux:8::addons");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:oracle:linux:8");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:pcs");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:pcs-snmp");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Oracle Linux Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2024 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/OracleLinux", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/local_checks_enabled");

  exit(0);
}


include('rpm.inc');

if (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item('Host/OracleLinux')) audit(AUDIT_OS_NOT, 'Oracle Linux');
var os_release = get_kb_item("Host/RedHat/release");
if (isnull(os_release) || !pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux)", string:os_release)) audit(AUDIT_OS_NOT, 'Oracle Linux');
var os_ver = pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\.[0-9]+)?)", string:os_release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Oracle Linux');
os_ver = os_ver[1];
if (! preg(pattern:"^8([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, 'Oracle Linux 8', 'Oracle Linux ' + os_ver);

if (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);

var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Oracle Linux', cpu);

var pkgs = [
    {'reference':'pcs-0.10.18-2.0.1.el8_10', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},
    {'reference':'pcs-snmp-0.10.18-2.0.1.el8_10', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},
    {'reference':'pcs-0.10.18-2.0.1.el8_10', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},
    {'reference':'pcs-snmp-0.10.18-2.0.1.el8_10', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE}
];

var flag = 0;
foreach var package_array ( pkgs ) {
  var reference = NULL;
  var _release = NULL;
  var sp = NULL;
  var _cpu = NULL;
  var el_string = NULL;
  var rpm_spec_vers_cmp = NULL;
  var epoch = NULL;
  var allowmaj = NULL;
  var exists_check = NULL;
  if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];
  if (!empty_or_null(package_array['release'])) _release = 'EL' + package_array['release'];
  if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];
  if (!empty_or_null(package_array['cpu'])) _cpu = package_array['cpu'];
  if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];
  if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];
  if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];
  if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];
  if (!empty_or_null(package_array['exists_check'])) exists_check = package_array['exists_check'];
  if (reference && _release) {
    if (exists_check) {
        if (rpm_exists(release:_release, rpm:exists_check) && rpm_check(release:_release, sp:sp, cpu:cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;
    } else {
        if (rpm_check(release:_release, sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;
    }
  }
}

if (flag)
{
  security_report_v4(
      port       : 0,
      severity   : SECURITY_HOLE,
      extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  var tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'pcs / pcs-snmp');
}

Vendor  Product  Version   CPE
oracle  linux    pcs       p-cpe:/a:oracle:linux:pcs
oracle  linux    8         cpe:/a:oracle:linux:8::addons
oracle  linux    pcs-snmp  p-cpe:/a:oracle:linux:pcs-snmp
oracle  linux    8         cpe:/o:oracle:linux:8
