This script is Copyright (C) 2024 and is owned by Tenable, Inc. or an Affiliate thereof.
REDHAT_UNPATCHED-QEMU-RHEL5.NASL
History: May 11, 2024 - 12:00 a.m.

RHEL 5 : qemu (Unpatched Vulnerability)

www.tenable.com
rhel 5
qemu
unpatched vulnerabilities
potential code execution
denial of service
dos

AI Score: 8.9 High (Confidence: High)
EPSS: 0.049 Low (Percentile: 92.8%)

The remote Redhat Enterprise Linux 5 host has one or more packages installed that are affected by multiple vulnerabilities that have been acknowledged by the vendor but will not be patched.

  • Qemu: display: cirrus: potential arbitrary code execution via cirrus_bitblt_cputovideo (CVE-2017-2620)

  • The (1) fw_cfg_write and (2) fw_cfg_read functions in hw/nvram/fw_cfg.c in QEMU before 2.4, when built with the Firmware Configuration device emulation support, allow guest OS users with the CAP_SYS_RAWIO privilege to cause a denial of service (out-of-bounds read or write access and process crash) or possibly execute arbitrary code via an invalid current entry value in a firmware configuration. (CVE-2016-1714)

  • QEMU (aka Quick Emulator) built with the e1000 NIC emulation support is vulnerable to an infinite loop issue. It could occur while processing data via transmit or receive descriptors, provided the initial receive/transmit descriptor head (TDH/RDH) is set outside the allocated descriptor buffer. A privileged user inside guest could use this flaw to crash the QEMU instance resulting in DoS. (CVE-2016-1981)

  • The ohci_bus_start function in the USB OHCI emulation support (hw/usb/hcd-ohci.c) in QEMU allows local guest OS administrators to cause a denial of service (NULL pointer dereference and QEMU process crash) via vectors related to multiple eof_timers. (CVE-2016-2391)

  • The ne2000_receive function in the NE2000 NIC emulation support (hw/net/ne2000.c) in QEMU before 2.5.1 allows local guest OS administrators to cause a denial of service (infinite loop and QEMU process crash) via crafted values for the PSTART and PSTOP registers, involving ring buffer control. (CVE-2016-2841)

  • The net_checksum_calculate function in net/checksum.c in QEMU allows local guest OS users to cause a denial of service (out-of-bounds heap read and crash) via the payload length in a crafted packet. (CVE-2016-2857)

  • Buffer overflow in the stellaris_enet_receive function in hw/net/stellaris_enet.c in QEMU, when the Stellaris ethernet controller is configured to accept large packets, allows remote attackers to cause a denial of service (QEMU crash) via a large packet. (CVE-2016-4001)

  • Buffer overflow in the mipsnet_receive function in hw/net/mipsnet.c in QEMU, when the guest NIC is configured to accept large packets, allows remote attackers to cause a denial of service (memory corruption and QEMU crash) or possibly execute arbitrary code via a packet larger than 1514 bytes. (CVE-2016-4002)

  • The vmsvga_fifo_run function in hw/display/vmware_vga.c in QEMU allows local guest OS administrators to cause a denial of service (infinite loop and QEMU process crash) via a VGA command. (CVE-2016-4453)

  • The vmsvga_fifo_read_raw function in hw/display/vmware_vga.c in QEMU allows local guest OS administrators to obtain sensitive host memory information or cause a denial of service (QEMU process crash) by changing FIFO registers and issuing a VGA command, which triggers an out-of-bounds read. (CVE-2016-4454)

  • The virtqueue_pop function in hw/virtio/virtio.c in QEMU allows local guest OS administrators to cause a denial of service (memory consumption and QEMU process crash) by submitting requests without waiting for completion. (CVE-2016-5403)

  • The vmsvga_fifo_run function in hw/display/vmware_vga.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (out-of-bounds write and QEMU process crash) via vectors related to cursor.mask[] and cursor.image[] array sizes when processing a DEFINE_CURSOR svga command. (CVE-2016-7170)

  • The serial_update_parameters function in hw/char/serial.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (divide-by-zero error and QEMU process crash) via vectors involving a value of divider greater than baud base. (CVE-2016-8669)

  • The rtl8139_cplus_transmit function in hw/net/rtl8139.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (infinite loop and CPU consumption) by leveraging failure to limit the ring descriptor count. (CVE-2016-8910)

  • Quick emulator (Qemu) built with the Cirrus CLGD 54xx VGA Emulator support is vulnerable to a divide by zero issue. It could occur while copying VGA data when cirrus graphics mode was set to be VGA. A privileged user inside guest could use this flaw to crash the Qemu process instance on the host, resulting in DoS. (CVE-2016-9921)

  • The cirrus_do_copy function in hw/display/cirrus_vga.c in QEMU (aka Quick Emulator), when cirrus graphics mode is VGA, allows local guest OS privileged users to cause a denial of service (divide-by-zero error and QEMU process crash) via vectors involving blit pitch values. (CVE-2016-9922)

  • The dhcp_decode function in slirp/bootp.c in QEMU (aka Quick Emulator) allows local guest OS users to cause a denial of service (out-of-bounds read and QEMU process crash) via a crafted DHCP options string. (CVE-2017-11434)

  • QEMU (aka Quick Emulator), when built with the VGA display emulator support, allows local guest OS privileged users to cause a denial of service (out-of-bounds read and QEMU process crash) via vectors involving display update. (CVE-2017-13672)

  • The VGA display update mis-calculated the region for the dirty bitmap snapshot when split screen mode is used, causing a denial of service (assertion failure) in the cpu_physical_memory_snapshot_get_dirty function. (CVE-2017-13673)

  • Use-after-free vulnerability in the sofree function in slirp/socket.c in QEMU (aka Quick Emulator) allows attackers to cause a denial of service (QEMU instance crash) by leveraging failure to properly clear ifq_so from pending packets. (CVE-2017-13711)

  • VNC server implementation in Quick Emulator (QEMU) 2.11.0 and older was found to be vulnerable to an unbounded memory allocation issue, as it did not throttle the framebuffer updates sent to its client. If the client did not consume these updates, VNC server allocates growing memory to hold onto this data. A malicious remote VNC client could use this flaw to cause DoS to the server host. (CVE-2017-15124)

  • The mode4and5 write functions in hw/display/cirrus_vga.c in Qemu allow local OS guest privileged users to cause a denial of service (out-of-bounds write access and Qemu process crash) via vectors related to dst calculation. (CVE-2017-15289)

  • Quick emulator (QEMU) built with the Cirrus CLGD 54xx VGA emulator support is vulnerable to an out-of-bounds access issue. It could occur while copying VGA data via bitblt copy in backward mode. A privileged user inside a guest could use this flaw to crash the QEMU process resulting in DoS or potentially execute arbitrary code on the host with privileges of QEMU process on the host. (CVE-2017-2615)

  • Memory leak in hw/audio/ac97.c in QEMU (aka Quick Emulator) allows local guest OS privileged users to cause a denial of service (host memory consumption and QEMU process crash) via a large number of device unplug operations. (CVE-2017-5525)

  • Memory leak in hw/audio/es1370.c in QEMU (aka Quick Emulator) allows local guest OS privileged users to cause a denial of service (host memory consumption and QEMU process crash) via a large number of device unplug operations. (CVE-2017-5526)

  • Memory leak in the serial_exit_core function in hw/char/serial.c in QEMU (aka Quick Emulator) allows local guest OS privileged users to cause a denial of service (host memory consumption and QEMU process crash) via a large number of device unplug operations. (CVE-2017-5579)

  • The ohci_service_ed_list function in hw/usb/hcd-ohci.c in QEMU (aka Quick Emulator) before 2.9.0 allows local guest OS users to cause a denial of service (infinite loop) via vectors involving the number of link endpoint list descriptors, a different vulnerability than CVE-2017-9330. (CVE-2017-6505)

  • hw/display/cirrus_vga_rop.h in QEMU (aka Quick Emulator) allows local guest OS privileged users to cause a denial of service (out-of-bounds read and QEMU process crash) via vectors related to copying VGA data via the cirrus_bitblt_rop_fwd_transp_ and cirrus_bitblt_rop_fwd_ functions. (CVE-2017-7718)

  • Heap-based buffer overflow in Cirrus CLGD 54xx VGA Emulator in Quick Emulator (Qemu) 2.8 and earlier allows local guest OS users to execute arbitrary code or cause a denial of service (crash) via vectors related to a VNC client updating its display after a VGA operation. (CVE-2017-7980)

  • Memory leak in the audio/audio.c in QEMU (aka Quick Emulator) allows remote attackers to cause a denial of service (memory consumption) by repeatedly starting and stopping audio capture. (CVE-2017-8309)

  • Memory leak in the keyboard input event handlers support in QEMU (aka Quick Emulator) allows local guest OS privileged users to cause a denial of service (host memory consumption) by rapidly generating large keyboard events. (CVE-2017-8379)

  • QEMU (aka Quick Emulator) before 2.9.0, when built with the USB OHCI Emulation support, allows local guest OS users to cause a denial of service (infinite loop) by leveraging an incorrect return value, a different vulnerability than CVE-2017-6505. (CVE-2017-9330)

  • m_cat in slirp/mbuf.c in Qemu has a heap-based buffer overflow via incoming fragmented datagrams. (CVE-2018-11806)

  • In Qemu 3.0.0, lsi_do_msgin in hw/scsi/lsi53c895a.c allows out-of-bounds access by triggering an invalid msg_len value. (CVE-2018-18849)

  • The vga_draw_text function in Qemu allows local OS guest privileged users to cause a denial of service (out-of-bounds read and QEMU process crash) by leveraging improper memory address validation. (CVE-2018-5683)

  • Quick Emulator (aka QEMU), when built with the Cirrus CLGD 54xx VGA Emulator support, allows local guest OS privileged users to cause a denial of service (out-of-bounds access and QEMU process crash) by leveraging incorrect region calculation when updating VGA display. (CVE-2018-7858)

  • In QEMU 1:4.1-1, 1:2.1+dfsg-12+deb8u6, 1:2.8+dfsg-6+deb9u8, 1:3.1+dfsg-8~deb10u1, 1:3.1+dfsg-8+deb10u2, and 1:2.1+dfsg-12+deb8u12 (fixed), when executing script in lsi_execute_script(), the LSI scsi adapter emulator advances 's->dsp' index to read next opcode. This can lead to an infinite loop if the next opcode is empty. Move the existing loop exit after 10k iterations so that it covers no-op opcodes as well. (CVE-2019-12068)

  • interface_release_resource in hw/display/qxl.c in QEMU 3.1.x through 4.0.0 has a NULL pointer dereference. (CVE-2019-12155)

  • ip_reass in ip_input.c in libslirp 4.0.0 has a heap-based buffer overflow via a large packet because it mishandles a case involving the first fragment. (CVE-2019-14378)

  • libslirp 4.0.0, as used in QEMU 4.1.0, has a use-after-free in ip_reass in ip_input.c. (CVE-2019-15890)

  • In QEMU 4.1.0, an out-of-bounds read flaw was found in the ATI VGA implementation. It occurs in the ati_cursor_define() routine while handling MMIO write operations through the ati_mm_write() callback. A malicious guest could abuse this flaw to crash the QEMU process, resulting in a denial of service. (CVE-2019-20808)

  • tcp_emu in slirp/tcp_subr.c (aka slirp/src/tcp_subr.c) in QEMU 3.0.0 uses uninitialized data in an snprintf call, leading to Information disclosure. (CVE-2019-9824)

  • An out-of-bounds read vulnerability was found in the SLiRP networking implementation of the QEMU emulator. This flaw occurs in the icmp6_send_echoreply() routine while replying to an ICMP echo request, also known as ping. This flaw allows a malicious guest to leak the contents of the host memory, resulting in possible information disclosure. This flaw affects versions of libslirp before 4.3.1. (CVE-2020-10756)

  • An integer overflow was found in QEMU 4.0.1 through 4.2.0 in the way it implemented ATI VGA emulation. This flaw occurs in the ati_2d_blt() routine in hw/display/ati-2d.c while handling MMIO write operations through the ati_mm_write() callback. A malicious guest could abuse this flaw to crash the QEMU process, resulting in a denial of service. (CVE-2020-11869)

  • iscsi_aio_ioctl_cb in block/iscsi.c in QEMU 4.1.0 has a heap-based buffer over-read that may disclose unrelated information from process memory to an attacker. (CVE-2020-11947)

  • In QEMU 5.0.0 and earlier, es1370_transfer_audio in hw/audio/es1370.c does not properly validate the frame count, which allows guest OS users to trigger an out-of-bounds access during an es1370_write() operation. (CVE-2020-13361)

  • An out-of-bounds read/write access flaw was found in the USB emulator of the QEMU in versions before 5.2.0. This issue occurs while processing USB packets from a guest when USBDevice ‘setup_len’ exceeds its ‘data_buf[4096]’ in the do_token_in, do_token_out routines. This flaw allows a guest user to crash the QEMU process, resulting in a denial of service, or the potential execution of arbitrary code with the privileges of the QEMU process on the host. (CVE-2020-14364)

  • An infinite loop flaw was found in the USB xHCI controller emulation of QEMU while computing the length of the Transfer Request Block (TRB) Ring. This flaw allows a privileged guest user to hang the QEMU process on the host, resulting in a denial of service. (CVE-2020-14394)

  • In QEMU through 5.0.0, an assertion failure can occur in the network packet processing. This issue affects the e1000e and vmxnet3 network devices. A malicious guest user/process could use this flaw to abort the QEMU process on the host, resulting in a denial of service condition in net_tx_pkt_add_raw_fragment in hw/net/net_tx_pkt.c. (CVE-2020-16092)

  • A use after free vulnerability in ip_reass() in ip_input.c of libslirp 4.2.0 and prior releases allows crafted packets to cause a denial of service. (CVE-2020-1983)

  • A reachable assertion issue was found in the USB EHCI emulation code of QEMU. It could occur while processing USB requests due to missing handling of DMA memory map failure. A malicious privileged user within the guest may abuse this flaw to send bogus USB requests and crash the QEMU process on the host, resulting in a denial of service. (CVE-2020-25723)

  • ncsi.c in libslirp through 4.3.1 has a buffer over-read because it tries to read a certain amount of header data even if that exceeds the total packet length. (CVE-2020-29129)

  • slirp.c in libslirp through 4.3.1 has a buffer over-read because it tries to read a certain amount of header data even if that exceeds the total packet length. (CVE-2020-29130)

  • tcp_emu in tcp_subr.c in libslirp 4.1.0, as used in QEMU 4.2.0, mismanages memory, as demonstrated by IRC DCC commands in EMU_IRC. This can cause a heap-based buffer overflow or other out-of-bounds access which can lead to a DoS or potential execute arbitrary code. (CVE-2020-7039)

  • In libslirp 4.1.0, as used in QEMU 4.2.0, tcp_subr.c misuses snprintf return values, leading to a buffer overflow in later code. (CVE-2020-8608)

  • A NULL pointer dereference flaw was found in the floppy disk emulator of QEMU. This issue occurs while processing read/write ioport commands if the selected floppy drive is not initialized with a block device. This flaw allows a privileged guest user to crash the QEMU process on the host, resulting in a denial of service. The highest threat from this vulnerability is to system availability. (CVE-2021-20196)

Note that Nessus has not tested for these issues but has instead relied on the package manager’s report that the package is installed.

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Red Hat Security Advisory qemu. The text
# itself is copyright (C) Red Hat, Inc.
##

include('compat.inc');

if (description)
{
  script_id(196234);
  script_version("1.0");
  script_set_attribute(attribute:"plugin_modification_date", value:"2024/05/11");

  script_cve_id(
    "CVE-2016-1714",
    "CVE-2016-1981",
    "CVE-2016-2391",
    "CVE-2016-2841",
    "CVE-2016-2857",
    "CVE-2016-4001",
    "CVE-2016-4002",
    "CVE-2016-4453",
    "CVE-2016-4454",
    "CVE-2016-5403",
    "CVE-2016-7170",
    "CVE-2016-8669",
    "CVE-2016-8910",
    "CVE-2016-9921",
    "CVE-2016-9922",
    "CVE-2017-2615",
    "CVE-2017-2620",
    "CVE-2017-5525",
    "CVE-2017-5526",
    "CVE-2017-5579",
    "CVE-2017-6505",
    "CVE-2017-7718",
    "CVE-2017-7980",
    "CVE-2017-8309",
    "CVE-2017-8379",
    "CVE-2017-9330",
    "CVE-2017-11434",
    "CVE-2017-13672",
    "CVE-2017-13673",
    "CVE-2017-13711",
    "CVE-2017-15124",
    "CVE-2017-15289",
    "CVE-2018-5683",
    "CVE-2018-7858",
    "CVE-2018-11806",
    "CVE-2018-18849",
    "CVE-2019-9824",
    "CVE-2019-12068",
    "CVE-2019-12155",
    "CVE-2019-14378",
    "CVE-2019-15890",
    "CVE-2019-20808",
    "CVE-2020-1983",
    "CVE-2020-7039",
    "CVE-2020-8608",
    "CVE-2020-10756",
    "CVE-2020-11869",
    "CVE-2020-11947",
    "CVE-2020-13361",
    "CVE-2020-14364",
    "CVE-2020-14394",
    "CVE-2020-16092",
    "CVE-2020-25723",
    "CVE-2020-29129",
    "CVE-2020-29130",
    "CVE-2021-20196"
  );
  script_xref(name:"IAVB", value:"2020-B-0063-S");

  script_name(english:"RHEL 5 : qemu (Unpatched Vulnerability)");

  script_set_attribute(attribute:"synopsis", value:
"The remote Red Hat 5 host is affected by multiple vulnerabilities that will not be patched.");
  script_set_attribute(attribute:"description", value:
"The remote Redhat Enterprise Linux 5 host has one or more packages installed that are affected by multiple
vulnerabilities that have been acknowledged by the vendor but will not be patched.

  - Qemu: display: cirrus: potential arbitrary code execution via cirrus_bitblt_cputovideo (CVE-2017-2620)

  - The (1) fw_cfg_write and (2) fw_cfg_read functions in hw/nvram/fw_cfg.c in QEMU before 2.4, when built
    with the Firmware Configuration device emulation support, allow guest OS users with the CAP_SYS_RAWIO
    privilege to cause a denial of service (out-of-bounds read or write access and process crash) or possibly
    execute arbitrary code via an invalid current entry value in a firmware configuration. (CVE-2016-1714)

  - QEMU (aka Quick Emulator) built with the e1000 NIC emulation support is vulnerable to an infinite loop
    issue. It could occur while processing data via transmit or receive descriptors, provided the initial
    receive/transmit descriptor head (TDH/RDH) is set outside the allocated descriptor buffer. A privileged
    user inside guest could use this flaw to crash the QEMU instance resulting in DoS. (CVE-2016-1981)

  - The ohci_bus_start function in the USB OHCI emulation support (hw/usb/hcd-ohci.c) in QEMU allows local
    guest OS administrators to cause a denial of service (NULL pointer dereference and QEMU process crash) via
    vectors related to multiple eof_timers. (CVE-2016-2391)

  - The ne2000_receive function in the NE2000 NIC emulation support (hw/net/ne2000.c) in QEMU before 2.5.1
    allows local guest OS administrators to cause a denial of service (infinite loop and QEMU process crash)
    via crafted values for the PSTART and PSTOP registers, involving ring buffer control. (CVE-2016-2841)

  - The net_checksum_calculate function in net/checksum.c in QEMU allows local guest OS users to cause a
    denial of service (out-of-bounds heap read and crash) via the payload length in a crafted packet.
    (CVE-2016-2857)

  - Buffer overflow in the stellaris_enet_receive function in hw/net/stellaris_enet.c in QEMU, when the
    Stellaris ethernet controller is configured to accept large packets, allows remote attackers to cause a
    denial of service (QEMU crash) via a large packet. (CVE-2016-4001)

  - Buffer overflow in the mipsnet_receive function in hw/net/mipsnet.c in QEMU, when the guest NIC is
    configured to accept large packets, allows remote attackers to cause a denial of service (memory
    corruption and QEMU crash) or possibly execute arbitrary code via a packet larger than 1514 bytes.
    (CVE-2016-4002)

  - The vmsvga_fifo_run function in hw/display/vmware_vga.c in QEMU allows local guest OS administrators to
    cause a denial of service (infinite loop and QEMU process crash) via a VGA command. (CVE-2016-4453)

  - The vmsvga_fifo_read_raw function in hw/display/vmware_vga.c in QEMU allows local guest OS administrators
    to obtain sensitive host memory information or cause a denial of service (QEMU process crash) by changing
    FIFO registers and issuing a VGA command, which triggers an out-of-bounds read. (CVE-2016-4454)

  - The virtqueue_pop function in hw/virtio/virtio.c in QEMU allows local guest OS administrators to cause a
    denial of service (memory consumption and QEMU process crash) by submitting requests without waiting for
    completion. (CVE-2016-5403)

  - The vmsvga_fifo_run function in hw/display/vmware_vga.c in QEMU (aka Quick Emulator) allows local guest OS
    administrators to cause a denial of service (out-of-bounds write and QEMU process crash) via vectors
    related to cursor.mask[] and cursor.image[] array sizes when processing a DEFINE_CURSOR svga command.
    (CVE-2016-7170)

  - The serial_update_parameters function in hw/char/serial.c in QEMU (aka Quick Emulator) allows local guest
    OS administrators to cause a denial of service (divide-by-zero error and QEMU process crash) via vectors
    involving a value of divider greater than baud base. (CVE-2016-8669)

  - The rtl8139_cplus_transmit function in hw/net/rtl8139.c in QEMU (aka Quick Emulator) allows local guest OS
    administrators to cause a denial of service (infinite loop and CPU consumption) by leveraging failure to
    limit the ring descriptor count. (CVE-2016-8910)

  - Quick emulator (Qemu) built with the Cirrus CLGD 54xx VGA Emulator support is vulnerable to a divide by
    zero issue. It could occur while copying VGA data when cirrus graphics mode was set to be VGA. A
    privileged user inside guest could use this flaw to crash the Qemu process instance on the host, resulting
    in DoS. (CVE-2016-9921)

  - The cirrus_do_copy function in hw/display/cirrus_vga.c in QEMU (aka Quick Emulator), when cirrus graphics
    mode is VGA, allows local guest OS privileged users to cause a denial of service (divide-by-zero error and
    QEMU process crash) via vectors involving blit pitch values. (CVE-2016-9922)

  - The dhcp_decode function in slirp/bootp.c in QEMU (aka Quick Emulator) allows local guest OS users to
    cause a denial of service (out-of-bounds read and QEMU process crash) via a crafted DHCP options string.
    (CVE-2017-11434)

  - QEMU (aka Quick Emulator), when built with the VGA display emulator support, allows local guest OS
    privileged users to cause a denial of service (out-of-bounds read and QEMU process crash) via vectors
    involving display update. (CVE-2017-13672)

  - The vga display update in mis-calculated the region for the dirty bitmap snapshot in case split screen
    mode is used causing a denial of service (assertion failure) in the cpu_physical_memory_snapshot_get_dirty
    function. (CVE-2017-13673)

  - Use-after-free vulnerability in the sofree function in slirp/socket.c in QEMU (aka Quick Emulator) allows
    attackers to cause a denial of service (QEMU instance crash) by leveraging failure to properly clear
    ifq_so from pending packets. (CVE-2017-13711)

  - VNC server implementation in Quick Emulator (QEMU) 2.11.0 and older was found to be vulnerable to an
    unbounded memory allocation issue, as it did not throttle the framebuffer updates sent to its client. If
    the client did not consume these updates, VNC server allocates growing memory to hold onto this data. A
    malicious remote VNC client could use this flaw to cause DoS to the server host. (CVE-2017-15124)

  - The mode4and5 write functions in hw/display/cirrus_vga.c in Qemu allow local OS guest privileged users to
    cause a denial of service (out-of-bounds write access and Qemu process crash) via vectors related to dst
    calculation. (CVE-2017-15289)

  - Quick emulator (QEMU) built with the Cirrus CLGD 54xx VGA emulator support is vulnerable to an out-of-
    bounds access issue. It could occur while copying VGA data via bitblt copy in backward mode. A privileged
    user inside a guest could use this flaw to crash the QEMU process resulting in DoS or potentially execute
    arbitrary code on the host with privileges of QEMU process on the host. (CVE-2017-2615)

  - Memory leak in hw/audio/ac97.c in QEMU (aka Quick Emulator) allows local guest OS privileged users to
    cause a denial of service (host memory consumption and QEMU process crash) via a large number of device
    unplug operations. (CVE-2017-5525)

  - Memory leak in hw/audio/es1370.c in QEMU (aka Quick Emulator) allows local guest OS privileged users to
    cause a denial of service (host memory consumption and QEMU process crash) via a large number of device
    unplug operations. (CVE-2017-5526)

  - Memory leak in the serial_exit_core function in hw/char/serial.c in QEMU (aka Quick Emulator) allows local
    guest OS privileged users to cause a denial of service (host memory consumption and QEMU process crash)
    via a large number of device unplug operations. (CVE-2017-5579)

  - The ohci_service_ed_list function in hw/usb/hcd-ohci.c in QEMU (aka Quick Emulator) before 2.9.0 allows
    local guest OS users to cause a denial of service (infinite loop) via vectors involving the number of link
    endpoint list descriptors, a different vulnerability than CVE-2017-9330. (CVE-2017-6505)

  - hw/display/cirrus_vga_rop.h in QEMU (aka Quick Emulator) allows local guest OS privileged users to cause a
    denial of service (out-of-bounds read and QEMU process crash) via vectors related to copying VGA data via
    the cirrus_bitblt_rop_fwd_transp_ and cirrus_bitblt_rop_fwd_ functions. (CVE-2017-7718)

  - Heap-based buffer overflow in Cirrus CLGD 54xx VGA Emulator in Quick Emulator (Qemu) 2.8 and earlier
    allows local guest OS users to execute arbitrary code or cause a denial of service (crash) via vectors
    related to a VNC client updating its display after a VGA operation. (CVE-2017-7980)

  - Memory leak in the audio/audio.c in QEMU (aka Quick Emulator) allows remote attackers to cause a denial of
    service (memory consumption) by repeatedly starting and stopping audio capture. (CVE-2017-8309)

  - Memory leak in the keyboard input event handlers support in QEMU (aka Quick Emulator) allows local guest
    OS privileged users to cause a denial of service (host memory consumption) by rapidly generating large
    keyboard events. (CVE-2017-8379)

  - QEMU (aka Quick Emulator) before 2.9.0, when built with the USB OHCI Emulation support, allows local guest
    OS users to cause a denial of service (infinite loop) by leveraging an incorrect return value, a different
    vulnerability than CVE-2017-6505. (CVE-2017-9330)

  - m_cat in slirp/mbuf.c in Qemu has a heap-based buffer overflow via incoming fragmented datagrams.
    (CVE-2018-11806)

  - In Qemu 3.0.0, lsi_do_msgin in hw/scsi/lsi53c895a.c allows out-of-bounds access by triggering an invalid
    msg_len value. (CVE-2018-18849)

  - The vga_draw_text function in Qemu allows local OS guest privileged users to cause a denial of service
    (out-of-bounds read and QEMU process crash) by leveraging improper memory address validation.
    (CVE-2018-5683)

  - Quick Emulator (aka QEMU), when built with the Cirrus CLGD 54xx VGA Emulator support, allows local guest
    OS privileged users to cause a denial of service (out-of-bounds access and QEMU process crash) by
    leveraging incorrect region calculation when updating VGA display. (CVE-2018-7858)

  - In QEMU 1:4.1-1, 1:2.1+dfsg-12+deb8u6, 1:2.8+dfsg-6+deb9u8, 1:3.1+dfsg-8~deb10u1, 1:3.1+dfsg-8+deb10u2,
    and 1:2.1+dfsg-12+deb8u12 (fixed), when executing script in lsi_execute_script(), the LSI scsi adapter
    emulator advances 's->dsp' index to read next opcode. This can lead to an infinite loop if the next opcode
    is empty. Move the existing loop exit after 10k iterations so that it covers no-op opcodes as well.
    (CVE-2019-12068)

  - interface_release_resource in hw/display/qxl.c in QEMU 3.1.x through 4.0.0 has a NULL pointer dereference.
    (CVE-2019-12155)

  - ip_reass in ip_input.c in libslirp 4.0.0 has a heap-based buffer overflow via a large packet because it
    mishandles a case involving the first fragment. (CVE-2019-14378)

  - libslirp 4.0.0, as used in QEMU 4.1.0, has a use-after-free in ip_reass in ip_input.c. (CVE-2019-15890)

  - In QEMU 4.1.0, an out-of-bounds read flaw was found in the ATI VGA implementation. It occurs in the
    ati_cursor_define() routine while handling MMIO write operations through the ati_mm_write() callback. A
    malicious guest could abuse this flaw to crash the QEMU process, resulting in a denial of service.
    (CVE-2019-20808)

  - tcp_emu in slirp/tcp_subr.c (aka slirp/src/tcp_subr.c) in QEMU 3.0.0 uses uninitialized data in an
    snprintf call, leading to Information disclosure. (CVE-2019-9824)

  - An out-of-bounds read vulnerability was found in the SLiRP networking implementation of the QEMU emulator.
    This flaw occurs in the icmp6_send_echoreply() routine while replying to an ICMP echo request, also known
    as ping. This flaw allows a malicious guest to leak the contents of the host memory, resulting in possible
    information disclosure. This flaw affects versions of libslirp before 4.3.1. (CVE-2020-10756)

  - An integer overflow was found in QEMU 4.0.1 through 4.2.0 in the way it implemented ATI VGA emulation.
    This flaw occurs in the ati_2d_blt() routine in hw/display/ati-2d.c while handling MMIO write operations
    through the ati_mm_write() callback. A malicious guest could abuse this flaw to crash the QEMU process,
    resulting in a denial of service. (CVE-2020-11869)

  - iscsi_aio_ioctl_cb in block/iscsi.c in QEMU 4.1.0 has a heap-based buffer over-read that may disclose
    unrelated information from process memory to an attacker. (CVE-2020-11947)

  - In QEMU 5.0.0 and earlier, es1370_transfer_audio in hw/audio/es1370.c does not properly validate the frame
    count, which allows guest OS users to trigger an out-of-bounds access during an es1370_write() operation.
    (CVE-2020-13361)

  - An out-of-bounds read/write access flaw was found in the USB emulator of the QEMU in versions before
    5.2.0. This issue occurs while processing USB packets from a guest when USBDevice 'setup_len' exceeds its
    'data_buf[4096]' in the do_token_in, do_token_out routines. This flaw allows a guest user to crash the
    QEMU process, resulting in a denial of service, or the potential execution of arbitrary code with the
    privileges of the QEMU process on the host. (CVE-2020-14364)

  - An infinite loop flaw was found in the USB xHCI controller emulation of QEMU while computing the length of
    the Transfer Request Block (TRB) Ring. This flaw allows a privileged guest user to hang the QEMU process
    on the host, resulting in a denial of service. (CVE-2020-14394)

  - In QEMU through 5.0.0, an assertion failure can occur in the network packet processing. This issue affects
    the e1000e and vmxnet3 network devices. A malicious guest user/process could use this flaw to abort the
    QEMU process on the host, resulting in a denial of service condition in net_tx_pkt_add_raw_fragment in
    hw/net/net_tx_pkt.c. (CVE-2020-16092)

  - A use after free vulnerability in ip_reass() in ip_input.c of libslirp 4.2.0 and prior releases allows
    crafted packets to cause a denial of service. (CVE-2020-1983)

  - A reachable assertion issue was found in the USB EHCI emulation code of QEMU. It could occur while
    processing USB requests due to missing handling of DMA memory map failure. A malicious privileged user
    within the guest may abuse this flaw to send bogus USB requests and crash the QEMU process on the host,
    resulting in a denial of service. (CVE-2020-25723)

  - ncsi.c in libslirp through 4.3.1 has a buffer over-read because it tries to read a certain amount of
    header data even if that exceeds the total packet length. (CVE-2020-29129)

  - slirp.c in libslirp through 4.3.1 has a buffer over-read because it tries to read a certain amount of
    header data even if that exceeds the total packet length. (CVE-2020-29130)

  - tcp_emu in tcp_subr.c in libslirp 4.1.0, as used in QEMU 4.2.0, mismanages memory, as demonstrated by IRC
    DCC commands in EMU_IRC. This can cause a heap-based buffer overflow or other out-of-bounds access which
    can lead to a DoS or potentially execute arbitrary code. (CVE-2020-7039)

  - In libslirp 4.1.0, as used in QEMU 4.2.0, tcp_subr.c misuses snprintf return values, leading to a buffer
    overflow in later code. (CVE-2020-8608)

  - A NULL pointer dereference flaw was found in the floppy disk emulator of QEMU. This issue occurs while
    processing read/write ioport commands if the selected floppy drive is not initialized with a block device.
    This flaw allows a privileged guest user to crash the QEMU process on the host, resulting in a denial of
    service. The highest threat from this vulnerability is to system availability. (CVE-2021-20196)

Note that Nessus has not tested for these issues but has instead relied on the package manager's report that the package
is installed.");
  script_set_attribute(attribute:"solution", value:
"The vendor has acknowledged the vulnerabilities but no solution has been provided. Refer to the vendor for remediation
guidance.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2017-2620");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"vendor_unpatched", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2016/01/11");
  script_set_attribute(attribute:"plugin_publication_date", value:"2024/05/11");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:5");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:6");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:7");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:8");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kvm");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:qemu-kvm");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:qemu-kvm-ma");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:qemu-kvm-rhev");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:slirp4netns");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:xen");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_set_attribute(attribute:"stig_severity", value:"II");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Red Hat Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2024 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl", "redhat_repos.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu");

  exit(0);
}


include('rpm.inc');
include('rhel.inc');

if (!get_kb_item("global_settings/vendor_unpatched"))
  exit(0, "Unpatched Vulnerabilities Detection not active.");

if (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_release = get_kb_item('Host/RedHat/release');
if (isnull(os_release) || 'Red Hat' >!< os_release) audit(AUDIT_OS_NOT, 'Red Hat');
var os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:os_release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Red Hat');
os_ver = os_ver[1];
if (!rhel_check_release(operator: 'ge', os_version: os_ver, rhel_version: '5')) audit(AUDIT_OS_NOT, 'Red Hat 5.x', 'Red Hat ' + os_ver);

if (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);

var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 's390' >!< cpu && 'aarch64' >!< cpu && 'ppc' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Red Hat', cpu);

var constraints = [
  {
    'pkgs': [
      {'reference':'kvm', 'release':'5', 'rpm_spec_vers_cmp':TRUE, 'unpatched_pkg':'kvm', 'cves':['CVE-2016-1714', 'CVE-2016-1981', 'CVE-2016-2391', 'CVE-2016-2841', 'CVE-2016-2857', 'CVE-2016-4001', 'CVE-2016-4002', 'CVE-2016-4453', 'CVE-2016-4454', 'CVE-2016-7170', 'CVE-2016-8669', 'CVE-2016-8910', 'CVE-2016-9921', 'CVE-2016-9922', 'CVE-2017-5525', 'CVE-2017-5579', 'CVE-2017-7718', 'CVE-2017-7980', 'CVE-2017-8309', 'CVE-2017-8379', 'CVE-2017-11434', 'CVE-2017-13672', 'CVE-2017-13673', 'CVE-2017-13711', 'CVE-2017-15124', 'CVE-2017-15289', 'CVE-2018-5683', 'CVE-2018-7858', 'CVE-2018-11806', 'CVE-2019-9824', 'CVE-2019-12155', 'CVE-2019-14378', 'CVE-2019-15890', 'CVE-2019-20808', 'CVE-2020-1983', 'CVE-2020-7039', 'CVE-2020-8608', 'CVE-2020-10756', 'CVE-2020-11869', 'CVE-2020-11947', 'CVE-2020-13361', 'CVE-2020-14364', 'CVE-2020-14394', 'CVE-2020-16092', 'CVE-2020-25723', 'CVE-2020-29129', 'CVE-2020-29130', 'CVE-2021-20196']},
      {'reference':'xen', 'release':'5', 'rpm_spec_vers_cmp':TRUE, 'unpatched_pkg':'xen', 'cves':['CVE-2016-1981', 'CVE-2016-2391', 'CVE-2016-2841', 'CVE-2016-5403', 'CVE-2016-8669', 'CVE-2016-8910', 'CVE-2016-9921', 'CVE-2016-9922', 'CVE-2017-2615', 'CVE-2017-2620', 'CVE-2017-5526', 'CVE-2017-5579', 'CVE-2017-6505', 'CVE-2017-7718', 'CVE-2017-7980', 'CVE-2017-8309', 'CVE-2017-8379', 'CVE-2017-9330', 'CVE-2017-13672', 'CVE-2017-13673', 'CVE-2017-15124', 'CVE-2017-15289', 'CVE-2018-5683', 'CVE-2018-7858', 'CVE-2018-18849', 'CVE-2019-12068', 'CVE-2019-20808', 'CVE-2020-11869', 'CVE-2020-14364', 'CVE-2020-14394', 'CVE-2020-16092', 'CVE-2020-25723', 'CVE-2021-20196']}
    ]
  }
];


var flag = 0;
foreach var constraint_array ( constraints ) {
  var repo_relative_urls = NULL;
  var enterprise_linux_flag = rhel_repo_urls_has_content_dist_rhel(repo_urls:repo_relative_urls);
  foreach var pkg ( constraint_array['pkgs'] ) {
    var unpatched_pkg = NULL;
    var _release = NULL;
    var sp = NULL;
    var el_string = NULL;
    var rpm_spec_vers_cmp = NULL;
    var exists_check = NULL;
    var cves = NULL;
    if (!empty_or_null(pkg['unpatched_pkg'])) unpatched_pkg = pkg['unpatched_pkg'];
    if (!empty_or_null(pkg['release'])) _release = 'RHEL' + pkg['release'];
    if (!empty_or_null(pkg['sp'])) sp = pkg['sp'];
    if (!empty_or_null(pkg['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = pkg['rpm_spec_vers_cmp'];
    if (!empty_or_null(pkg['exists_check'])) exists_check = pkg['exists_check'];
    if (!empty_or_null(pkg['cves'])) cves = pkg['cves'];
    if (unpatched_pkg &&
        _release &&
        (!exists_check || rpm_exists(release:_release, rpm:exists_check)) &&
        unpatched_package_exists(release:_release, package:unpatched_pkg, cves: cves)) flag++;
  }
}

if (flag)
{
  var extra = NULL;
  security_report_v4(
      port       : 0,
      severity   : SECURITY_HOLE,
      extra      : unpatched_packages_report()
  );
  exit(0);
}
else
{
  var tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'kvm / xen');
}
Vendor    Product            Version        CPE
redhat    enterprise_linux   5              cpe:/o:redhat:enterprise_linux:5
redhat    enterprise_linux   6              cpe:/o:redhat:enterprise_linux:6
redhat    enterprise_linux   7              cpe:/o:redhat:enterprise_linux:7
redhat    enterprise_linux   8              cpe:/o:redhat:enterprise_linux:8
redhat    enterprise_linux   kvm            p-cpe:/a:redhat:enterprise_linux:kvm
redhat    enterprise_linux   qemu-kvm       p-cpe:/a:redhat:enterprise_linux:qemu-kvm
redhat    enterprise_linux   qemu-kvm-ma    p-cpe:/a:redhat:enterprise_linux:qemu-kvm-ma
redhat    enterprise_linux   qemu-kvm-rhev  p-cpe:/a:redhat:enterprise_linux:qemu-kvm-rhev
redhat    enterprise_linux   slirp4netns    p-cpe:/a:redhat:enterprise_linux:slirp4netns
redhat    enterprise_linux   xen            p-cpe:/a:redhat:enterprise_linux:xen
