Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
nessusThis script is Copyright (C) 2014-2021 and is owned by Tenable, Inc. or an Affiliate thereof.REDHAT-RHSA-2014-0037.NASL
HistoryNov 08, 2014 - 12:00 a.m.

RHEL 6 : jasperreports-server-pro (RHSA-2014:0037)

2014-11-0800:00:00
This script is Copyright (C) 2014-2021 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
12
JSON

An updated jasperreports-server-pro package that fixes two security issues, several bugs, and adds various enhancements is now available.

The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

The Red Hat Enterprise Virtualization reports package provides a suite of pre-configured reports and dashboards that enable you to monitor the system. The reports module is based on JasperReports and JasperServer, and can also be used to create ad-hoc reports.

Apache Axis did not verify that the server hostname matched the domain name in the subject’s Common Name (CN) or subjectAltName field in X.509 certificates. This could allow a man-in-the-middle attacker to spoof an SSL server if they had a certificate that was valid for any domain name. (CVE-2012-5784)

A flaw was found in the Apache Hadoop RPC protocol. A man-in-the-middle attacker could possibly use this flaw to unilaterally disable bidirectional authentication between a client and a server, forcing a downgrade to simple (unidirectional) authentication. This flaw only affects users who have enabled Hadoop’s Kerberos security features. (CVE-2013-2192)

This update fixes several bugs and adds multiple enhancements.
Documentation for these changes will be available shortly from the Technical Notes document linked to in the References section.

All jasperreports-server-pro users are advised to upgrade to this updated package, which contains backported patches to correct these issues and add these enhancements.

#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were  
# extracted from Red Hat Security Advisory RHSA-2014:0037. The text 
# itself is copyright (C) Red Hat, Inc.
#

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(78992);
  script_version("1.12");
  script_set_attribute(attribute:"plugin_modification_date", value:"2021/01/14");

  script_cve_id("CVE-2012-5784", "CVE-2013-2192");
  script_bugtraq_id(56408, 61984);
  script_xref(name:"RHSA", value:"2014:0037");

  script_name(english:"RHEL 6 : jasperreports-server-pro (RHSA-2014:0037)");
  script_summary(english:"Checks the rpm output for the updated package");

  script_set_attribute(
    attribute:"synopsis", 
    value:"The remote Red Hat host is missing a security update."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"An updated jasperreports-server-pro package that fixes two security
issues, several bugs, and adds various enhancements is now available.

The Red Hat Security Response Team has rated this update as having
moderate security impact. Common Vulnerability Scoring System (CVSS)
base scores, which give detailed severity ratings, are available for
each vulnerability from the CVE links in the References section.

The Red Hat Enterprise Virtualization reports package provides a suite
of pre-configured reports and dashboards that enable you to monitor
the system. The reports module is based on JasperReports and
JasperServer, and can also be used to create ad-hoc reports.

Apache Axis did not verify that the server hostname matched the domain
name in the subject's Common Name (CN) or subjectAltName field in
X.509 certificates. This could allow a man-in-the-middle attacker to
spoof an SSL server if they had a certificate that was valid for any
domain name. (CVE-2012-5784)

A flaw was found in the Apache Hadoop RPC protocol. A
man-in-the-middle attacker could possibly use this flaw to
unilaterally disable bidirectional authentication between a client and
a server, forcing a downgrade to simple (unidirectional)
authentication. This flaw only affects users who have enabled Hadoop's
Kerberos security features. (CVE-2013-2192)

This update fixes several bugs and adds multiple enhancements.
Documentation for these changes will be available shortly from the
Technical Notes document linked to in the References section.

All jasperreports-server-pro users are advised to upgrade to this
updated package, which contains backported patches to correct these
issues and add these enhancements."
  );
  # https://access.redhat.com/site/documentation/en-US/
  script_set_attribute(
    attribute:"see_also",
    value:"https://access.redhat.com/documentation/en-US/"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://access.redhat.com/errata/RHSA-2014:0037"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://access.redhat.com/security/cve/cve-2012-5784"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://access.redhat.com/security/cve/cve-2013-2192"
  );
  script_set_attribute(
    attribute:"solution", 
    value:"Update the affected jasperreports-server-pro package."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:jasperreports-server-pro");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:6");

  script_set_attribute(attribute:"vuln_publication_date", value:"2012/11/04");
  script_set_attribute(attribute:"patch_publication_date", value:"2014/01/21");
  script_set_attribute(attribute:"plugin_publication_date", value:"2014/11/08");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2014-2021 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Red Hat Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu");

  exit(0);
}


include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/RedHat/release");
if (isnull(release) || "Red Hat" >!< release) audit(AUDIT_OS_NOT, "Red Hat");
os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Red Hat");
os_ver = os_ver[1];
if (! preg(pattern:"^6([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Red Hat 6.x", "Red Hat " + os_ver);

if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "s390" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Red Hat", cpu);

yum_updateinfo = get_kb_item("Host/RedHat/yum-updateinfo");
if (!empty_or_null(yum_updateinfo)) 
{
  rhsa = "RHSA-2014:0037";
  yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);
  if (!empty_or_null(yum_report))
  {
    security_report_v4(
      port       : 0,
      severity   : SECURITY_WARNING,
      extra      : yum_report 
    );
    exit(0);
  }
  else
  {
    audit_message = "affected by Red Hat security advisory " + rhsa;
    audit(AUDIT_OS_NOT, audit_message);
  }
}
else
{
  flag = 0;
  if (rpm_check(release:"RHEL6", reference:"jasperreports-server-pro-5.5.0-4.el6ev")) flag++;

  if (flag)
  {
    security_report_v4(
      port       : 0,
      severity   : SECURITY_WARNING,
      extra      : rpm_report_get() + redhat_report_package_caveat()
    );
    exit(0);
  }
  else
  {
    tested = pkg_tests_get();
    if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
    else audit(AUDIT_PACKAGE_NOT_INSTALLED, "jasperreports-server-pro");
  }
}
VendorProductVersionCPE
redhatenterprise_linuxjasperreports-server-prop-cpe:/a:redhat:enterprise_linux:jasperreports-server-pro
redhatenterprise_linux6cpe:/o:redhat:enterprise_linux:6

Related

redhat 6
prion 3
github 3
osv 3
cvelist 3
cve 2
nessus 16
fedora 2
oraclelinux 2
f5 4
openvas 24
veracode 2
ibm 15
mageia 1
debiancve 2
amazon 1
centos 1
gitlab 1
ubuntucve 2
redhat
redhat
(RHSA-2014:0037) Moderate: jasperreports-server-pro security, bug fix, and enhancement update
2014-01-21 00:00:00
(RHSA-2013:0683) Moderate: axis security update
2013-03-25 00:00:00
(RHSA-2013:0269) Moderate: axis security update
2013-02-19 00:00:00
prion
prion
Authentication flaw
2014-01-24 18:55:00
Design/Logic Flaw
2012-11-04 22:55:00
Code injection
2014-08-27 00:55:00
github
github
Improper Authentication in Apache Hadoop
2022-05-17 02:54:07
Man-in-the-middle attack in Apache Axis
2020-10-07 17:51:02
Improper Validation of Certificates in apache axis
2018-10-16 20:50:58
osv
osv
Improper Authentication in Apache Hadoop
2022-05-17 02:54:07
Man-in-the-middle attack in Apache Axis
2020-10-07 17:51:02
Improper Validation of Certificates in apache axis
2018-10-16 20:50:58
cvelist
cvelist
CVE-2013-2192
2014-01-24 18:00:00
CVE-2012-5784
2012-11-04 22:00:00
CVE-2014-3596
2014-08-27 00:00:00
cve
cve
CVE-2013-2192
2014-01-24 18:55:04
CVE-2012-5784
2012-11-04 22:55:03
nessus
nessus
Oracle Linux 6 : axis (ELSA-2013-0269)
2013-07-12 00:00:00
Amazon Linux AMI : axis (ALAS-2013-164)
2013-09-04 00:00:00
Oracle Linux 5 : axis (ELSA-2013-0683)
2013-07-12 00:00:00
fedora
fedora
[SECURITY] Fedora 17 Update: axis-1.4-19.fc17
2013-02-01 17:16:41
[SECURITY] Fedora 18 Update: axis-1.4-19.fc18
2013-02-01 16:58:10
oraclelinux
oraclelinux
axis security update
2013-03-25 00:00:00
axis security update
2013-02-19 00:00:00
f5
f5
SOL14371 - Apache Axis vulnerability CVE-2012-5784
2013-05-06 00:00:00
K14371 : Apache Axis vulnerability CVE-2012-5784
2013-09-25 00:00:00
K16821 : Apache Axis vulnerability CVE-2014-3596
2015-11-11 00:00:00
openvas
openvas
Mageia: Security Advisory (MGASA-2013-0200)
2022-01-28 00:00:00
Amazon Linux: Security Advisory (ALAS-2013-164)
2015-09-08 00:00:00
Fedora Update for axis FEDORA-2013-1194
2013-02-04 00:00:00
veracode
veracode
Man In The Middle (MitM) Attacks Are Possible With Spoofed SSL Servers
2019-01-15 09:00:12
Man In The Middle (MitM) Attacks Are Possible With Spoofed SSL Servers
2019-01-15 09:01:11
ibm
ibm
Security Bulletin: Apache Axis as used in IBM QRadar SIEM is vulnerable to a possible man in the middle attack. (CVE-2012-5784)
2019-03-25 18:40:02
Security Bulletin: A vulnerability in Apache Axis affects IBM Cognos Metrics Manager (CVE-2012-5784)
2018-06-15 23:13:34
Security Bulletin: Multiple Security Vulnerabilities in Apache Axis Affect IBM Sterling B2B Integrator (CVE-2014-3596, CVE-2012-5784)
2020-02-05 00:53:36
mageia
mageia
Updated axis package fixes security vulnerability
2013-07-06 18:12:34
debiancve
debiancve
CVE-2012-5784
2012-11-04 22:55:03
CVE-2014-3596
2014-08-27 00:55:05
amazon
amazon
Medium: axis
2013-03-02 16:50:00
centos
centos
axis security update
2013-03-25 20:27:08
gitlab
gitlab
Improper Input Validation
2020-10-07 00:00:00
ubuntucve
ubuntucve
CVE-2012-5784
2012-11-04 00:00:00
CVE-2014-3596
2014-08-27 00:00:00
JSON
Related for REDHAT-RHSA-2014-0037.NASL
redhat6prion3github3osv3cvelist3cve2nessus16fedora2oraclelinux2f54openvas24veracode2ibm15mageia1debiancve2amazon1centos1gitlab1ubuntucve2