Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
nessusThis script is Copyright (C) 2014-2021 Tenable Network Security, Inc.PUPPET_ENTERPRISE_331.NASL
HistoryAug 20, 2014 - 12:00 a.m.

Puppet Enterprise 3.3.0 Bundled Oracle Java Vulnerabilities

2014-08-2000:00:00
This script is Copyright (C) 2014-2021 Tenable Network Security, Inc.
www.tenable.com
18
JSON

According to its self-reported version number, the Puppet Enterprise application installed on the remote host is version 3.3.0. Therefore, it contains a bundled version of Oracle Java that is affected by multiple vulnerabilities.

#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(77282);
  script_version("1.9");
  script_set_attribute(attribute:"plugin_modification_date", value:"2021/01/19");

  script_cve_id(
    "CVE-2014-2483",
    "CVE-2014-2490",
    "CVE-2014-4208",
    "CVE-2014-4209",
    "CVE-2014-4216",
    "CVE-2014-4218",
    "CVE-2014-4219",
    "CVE-2014-4220",
    "CVE-2014-4221",
    "CVE-2014-4223",
    "CVE-2014-4227",
    "CVE-2014-4244",
    "CVE-2014-4247",
    "CVE-2014-4252",
    "CVE-2014-4262",
    "CVE-2014-4263",
    "CVE-2014-4264",
    "CVE-2014-4265",
    "CVE-2014-4266",
    "CVE-2014-4268"
  );
  script_bugtraq_id(
  68562,
  68571,
  68576,
  68580,
  68583,
  68590,
  68596,
  68599,
  68603,
  68608,
  68612,
  68615,
  68620,
  68624,
  68626,
  68632,
  68636,
  68639,
  68642,
  68645
  );

  script_name(english:"Puppet Enterprise 3.3.0 Bundled Oracle Java Vulnerabilities");
  script_summary(english:"Checks the Puppet Enterprise version.");

  script_set_attribute(attribute:"synopsis", value:
"A web application on the remote host is affected by multiple
vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"According to its self-reported version number, the Puppet Enterprise
application installed on the remote host is version 3.3.0. Therefore,
it contains a bundled version of Oracle Java that is affected by
multiple vulnerabilities.");
  script_set_attribute(attribute:"see_also", value:"https://puppet.com/security/cve/oracle-july-2014-vulnerability-fix");
  # http://www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html#AppendixJAVA
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?4743a1ef");
  script_set_attribute(attribute:"solution", value:"Upgrade to Puppet Enterprise 3.3.1 or later.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2014/07/15");
  script_set_attribute(attribute:"patch_publication_date", value:"2014/08/07");
  script_set_attribute(attribute:"plugin_publication_date", value:"2014/08/20");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:puppetlabs:puppet");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"CGI abuses");

  script_copyright(english:"This script is Copyright (C) 2014-2021 Tenable Network Security, Inc.");

  script_dependencies("puppet_rest_detect.nasl");
  script_require_keys("puppet/rest_port");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("http.inc");

##
# checks if the given version falls between the given bounds, and
# generates plugin output if it does
#
# @anonparam ver version to check
# @anonparam fix first fixed version
# @anonparam min_ver the lowest/earliest vulnerable version, relative to 'fix' (optional)
#
# @return plugin output if 'ver' is vulnerable relative to 'fix' and/or 'min_ver',
#         NULL otherwise
##
function _check_version(ver, fix, min_ver, enterprise)
{
  local_var report;

  if (
    # no lower bound
    (isnull(min_ver) && ver_compare(ver:ver, fix:fix, strict:FALSE) < 0) ||

    # lower bound
    (
      !isnull(min_ver) &&
      ver_compare(ver:ver, fix:fix, strict:FALSE) < 0 &&
      ver_compare(ver:ver, fix:min_ver, strict:FALSE) >= 0
    )
  )
  {
    if (enterprise)
    {
      report =
        '\n  Installed version : Puppet Enterprise ' + ver +
        '\n  Fixed version     : Puppet Enterprise 3.3.1\n';
    }
    else report = NULL;
  }
  else report = NULL;

  return report;
}

port = get_kb_item_or_exit('puppet/rest_port');
ver = get_kb_item_or_exit('puppet/' + port + '/version');
report = NULL;
vuln = FALSE;

if ('Enterprise' >< ver)
{
  # convert something like
  #   2.7.19 (Puppet Enterprise 2.7.0)
  # to
  #   2.7.0
  match = eregmatch(string:ver, pattern:"Enterprise ([0-9.]+)\)");
  if (isnull(match)) audit(AUDIT_UNKNOWN_WEB_APP_VER, 'Puppet Enterprise', build_url(port:port));
  ver = match[1];

  if (ver =~ "^3\.3\.")
  {
    report = _check_version(ver:ver, fix:'3.3.1', min_ver:'3.3.0', enterprise:TRUE);
    if (!isnull(report))
      vuln = TRUE;
  }
}

if (!vuln) audit(AUDIT_LISTEN_NOT_VULN, 'Puppet', port, ver);

if (report_verbosity > 0) security_hole(port:port, extra:report);
else security_hole(port);
VendorProductVersionCPE
puppetlabspuppetcpe:/a:puppetlabs:puppet

References

Related

redhat 9
nessus 40
ibm 42
kaspersky 1
suse 4
openvas 40
ubuntu 4
debian 3
centos 3
mageia 1
oraclelinux 3
amazon 2
aix 1
osv 1
cvelist 9
cve 9
ubuntucve 11
prion 11
thn 1
veracode 3
zdi 1
redhat
redhat
(RHSA-2014:0902) Critical: java-1.7.0-oracle security update
2014-07-18 01:28:56
(RHSA-2014:0890) Important: java-1.7.0-openjdk security update
2014-07-16 00:00:00
(RHSA-2014:0889) Critical: java-1.7.0-openjdk security update
2014-07-16 00:00:00
nessus
nessus
Debian DSA-2987-1 : openjdk-7 - security update
2014-07-26 00:00:00
SuSE 11.3 Security Update : openjdk (SAT Patch Number 9543)
2014-08-05 00:00:00
Oracle Java SE Multiple Vulnerabilities (July 2014 CPU) (Unix)
2014-07-16 00:00:00
ibm
ibm
Security Bulletin: July 2014 Java Runtime Environment (JRE) Vulnerabilities in Multiple N series Products
2018-06-18 00:32:15
Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Support Assistant Team Server July 2014 CPU
2018-06-15 07:01:18
Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect Asset and Service Management
2022-09-22 03:02:31
kaspersky
kaspersky
KLA10507 Multiple vulnerabilities in Oracle products
2014-07-17 00:00:00
suse
suse
Security update for openjdk (important)
2014-08-04 19:04:23
Security update for java-1_7_0-ibm (important)
2015-02-21 01:05:45
Security update for java-1_5_0-ibm (important)
2015-02-25 19:05:32
openvas
openvas
SUSE: Security Advisory for openjdk (SUSE-SU-2014:0961-1)
2015-10-16 00:00:00
Debian Security Advisory DSA 2987-1 (openjdk-7 - security update)
2014-07-23 00:00:00
Ubuntu: Security Advisory (USN-2319-2)
2014-08-26 00:00:00
ubuntu
ubuntu
OpenJDK 7 regression
2014-08-26 00:00:00
OpenJDK 7 vulnerabilities
2014-08-20 00:00:00
OpenJDK 7 update
2014-09-17 00:00:00
debian
debian
[SECURITY] [DSA 2987-1] openjdk-7 security update
2014-07-23 19:51:55
[SECURITY] [DSA 2980-1] openjdk-6 security update
2014-07-17 16:00:25
[SECURITY] [DLA 96-1] openjdk-6 security update
2014-11-28 10:26:06
centos
centos
java security update
2014-07-16 10:46:11
java security update
2014-07-16 10:53:36
java security update
2014-07-21 18:20:14
mageia
mageia
Updated java-1.7.0-openjdk packages fix multiple vulnerabilities
2014-07-26 15:03:50
oraclelinux
oraclelinux
java-1.7.0-openjdk security update
2014-07-16 00:00:00
java-1.7.0-openjdk security update
2014-07-16 00:00:00
java-1.6.0-openjdk security and bug fix update
2014-07-21 00:00:00
amazon
amazon
Critical: java-1.7.0-openjdk
2014-07-23 14:01:00
Important: java-1.6.0-openjdk
2014-07-31 13:52:00
aix
aix
Multiple vulnerabilities in current releases of the IBM SDK Java Technology Edition
2014-08-18 14:04:26
osv
osv
openjdk-6 - security update
2014-11-28 00:00:00
cvelist
cvelist
CVE-2014-2483
2014-07-17 02:36:00
CVE-2014-4208
2014-07-17 02:36:00
CVE-2014-4223
2014-07-17 02:36:00
cve
cve
CVE-2014-4223
2014-07-17 05:10:00
CVE-2014-2483
2014-07-17 05:10:00
CVE-2014-4208
2014-07-17 05:10:00
ubuntucve
ubuntucve
CVE-2014-4223
2014-07-17 00:00:00
CVE-2014-4220
2014-07-17 00:00:00
CVE-2014-2483
2014-07-17 00:00:00
prion
prion
Design/Logic Flaw
2014-07-17 05:10:00
Design/Logic Flaw
2014-07-17 05:10:00
Buffer overflow
2014-07-17 05:10:00
thn
thn
Update Your Java to Patch 20 Vulnerabilities Or Just Disable it
2014-07-15 23:03:00
veracode
veracode
Arbitrary Code Execution
2019-01-15 08:56:47
Authorization Bypass
2019-05-02 05:08:04
Authentication Bypass
2019-05-02 05:03:23
zdi
zdi
Oracle Java ResourceBundle Format String Remote Code Execution Vulnerability
2014-07-18 00:00:00
JSON
Related for PUPPET_ENTERPRISE_331.NASL
redhat9nessus40ibm42kaspersky1suse4openvas40ubuntu4debian3centos3mageia1oraclelinux3amazon2aix1osv1cvelist9cve9ubuntucve11prion11thn1veracode3zdi1