Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
nessusThis script is Copyright (C) 2023 and is owned by Tenable, Inc. or an Affiliate thereof.SOLARIS_JAN2023_SRU11_4_53_132_2.NASL
HistoryJan 19, 2023 - 12:00 a.m.

Oracle Solaris Critical Patch Update : jan2023_SRU11_4_53_132_2

2023-01-1900:00:00
This script is Copyright (C) 2023 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
44
JSON

This Solaris system is missing necessary patches to address critical security updates :

  • Vulnerability in the Oracle Communications Session Border Controller product of Oracle Communications (component: Routing (glibc)). Supported versions that are affected are 8.4, 9.0 and 9.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Communications Session Border Controller. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Communications Session Border Controller as well as unauthorized update, insert or delete access to some of Oracle Communications Session Border Controller accessible data and unauthorized read access to a subset of Oracle Communications Session Border Controller accessible data. CVSS 3.1 Base Score 7.0 (Confidentiality, Integrity and Availability impacts). CVSS Vector:
    (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H).
    (CVE-2022-23219)

  • Vulnerability in the Oracle Communications Cloud Native Core Unified Data Repository product of Oracle Communications (component: Signaling (glibc)). The supported version that is affected is 22.1.1. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Communications Cloud Native Core Unified Data Repository. Successful attacks of this vulnerability can result in takeover of Oracle Communications Cloud Native Core Unified Data Repository. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts).
    CVSS Vector:
    (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
    (CVE-2022-23218)

  • Vulnerability in the Oracle Communications Cloud Native Core Policy product of Oracle Communications (component:
    Policy (GNU Libtasn1)). Supported versions that are affected are 22.4.0-22.4.4 and 23.1.0-23.1.1. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle Communications Cloud Native Core Policy.
    Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Communications Cloud Native Core Policy accessible data and unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Communications Cloud Native Core Policy. CVSS 3.1 Base Score 9.1 (Confidentiality and Availability impacts).
    CVSS Vector:
    (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H).
    (CVE-2021-46848)

  • Vulnerability in the Oracle Text (LibExpat) component of Oracle Database Server. Supported versions that are affected are 19.3-19.19 and 21.3-21.10. Easily exploitable vulnerability allows low privileged attacker having Create Session, Create Index privilege with network access via Oracle Net to compromise Oracle Text (LibExpat). Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Text (LibExpat). CVSS 3.1 Base Score 6.5 (Availability impacts). CVSS Vector:
    (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
    (CVE-2022-43680)

  • Vulnerability in the PeopleSoft Enterprise PeopleTools product of Oracle PeopleSoft (component: Porting (Python)). Supported versions that are affected are 8.59 and 8.60. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise PeopleSoft Enterprise PeopleTools. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of PeopleSoft Enterprise PeopleTools.
    CVSS 3.1 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
    (CVE-2022-45061)

  • Vulnerability in the Oracle Solaris product of Oracle Systems (component: NSSwitch). Supported versions that are affected are 10 and 11. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise Oracle Solaris. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Solaris, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Solaris accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Solaris. CVSS 3.1 Base Score 4.0 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:N/I:L/A:L).
    (CVE-2023-21900)

#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from the Oracle CPU for jan2023.
#
include('deprecated_nasl_level.inc');
include("compat.inc");

if (description)
{
  script_id(170171);
  script_version("1.5");
  script_set_attribute(attribute:"plugin_modification_date", value:"2023/10/18");

  script_cve_id("CVE-2021-46848", "CVE-2022-23218", "CVE-2022-23219", "CVE-2022-3204", "CVE-2022-3276", "CVE-2022-37797", "CVE-2022-39253", "CVE-2022-39260", "CVE-2022-3970", "CVE-2022-41556", "CVE-2022-43680", "CVE-2022-44638", "CVE-2022-45061", "CVE-2022-45063", "CVE-2022-46872", "CVE-2022-46874", "CVE-2022-46875", "CVE-2022-46878", "CVE-2022-46880", "CVE-2022-46881", "CVE-2022-46882", "CVE-2023-21900");
  script_xref(name:"IAVA", value:"2023-A-0046");

  script_name(english:"Oracle Solaris Critical Patch Update : jan2023_SRU11_4_53_132_2");
  script_summary(english:"Check for the jan2023 CPU");

  script_set_attribute(
    attribute:"synopsis",
    value:
"The remote Solaris system is missing a security patch from CPU
jan2023."
  );
  script_set_attribute(
    attribute:"description",
    value:
"This Solaris system is missing necessary patches to address critical
security updates :

  - Vulnerability in the Oracle Communications Session
    Border Controller product of Oracle Communications
    (component: Routing (glibc)). Supported versions that
    are affected are 8.4, 9.0 and 9.1. Difficult to exploit
    vulnerability allows unauthenticated attacker with
    network access via HTTP to compromise Oracle
    Communications Session Border Controller. Successful
    attacks of this vulnerability can result in unauthorized
    ability to cause a hang or frequently repeatable crash
    (complete DOS) of Oracle Communications Session Border
    Controller as well as unauthorized update, insert or
    delete access to some of Oracle Communications Session
    Border Controller accessible data and unauthorized read
    access to a subset of Oracle Communications Session
    Border Controller accessible data. CVSS 3.1 Base Score
    7.0 (Confidentiality, Integrity and Availability
    impacts). CVSS Vector:
    (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H).
    (CVE-2022-23219)

  - Vulnerability in the Oracle Communications Cloud Native
    Core Unified Data Repository product of Oracle
    Communications (component: Signaling (glibc)). The
    supported version that is affected is 22.1.1. Easily
    exploitable vulnerability allows unauthenticated
    attacker with network access via HTTP to compromise
    Oracle Communications Cloud Native Core Unified Data
    Repository. Successful attacks of this vulnerability can
    result in takeover of Oracle Communications Cloud Native
    Core Unified Data Repository. CVSS 3.1 Base Score 9.8
    (Confidentiality, Integrity and Availability impacts).
    CVSS Vector:
    (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
    (CVE-2022-23218)

  - Vulnerability in the Oracle Communications Cloud Native
    Core Policy product of Oracle Communications (component:
    Policy (GNU Libtasn1)). Supported versions that are
    affected are 22.4.0-22.4.4 and 23.1.0-23.1.1. Easily
    exploitable vulnerability allows unauthenticated
    attacker with network access via HTTPS to compromise
    Oracle Communications Cloud Native Core Policy.
    Successful attacks of this vulnerability can result in
    unauthorized access to critical data or complete access
    to all Oracle Communications Cloud Native Core Policy
    accessible data and unauthorized ability to cause a hang
    or frequently repeatable crash (complete DOS) of Oracle
    Communications Cloud Native Core Policy. CVSS 3.1 Base
    Score 9.1 (Confidentiality and Availability impacts).
    CVSS Vector:
    (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H).
    (CVE-2021-46848)

  - Vulnerability in the Oracle Text (LibExpat) component of
    Oracle Database Server. Supported versions that are
    affected are 19.3-19.19 and 21.3-21.10. Easily
    exploitable vulnerability allows low privileged attacker
    having Create Session, Create Index privilege with
    network access via Oracle Net to compromise Oracle Text
    (LibExpat). Successful attacks of this vulnerability can
    result in unauthorized ability to cause a hang or
    frequently repeatable crash (complete DOS) of Oracle
    Text (LibExpat). CVSS 3.1 Base Score 6.5 (Availability
    impacts). CVSS Vector:
    (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
    (CVE-2022-43680)

  - Vulnerability in the PeopleSoft Enterprise PeopleTools
    product of Oracle PeopleSoft (component: Porting
    (Python)). Supported versions that are affected are 8.59
    and 8.60. Easily exploitable vulnerability allows
    unauthenticated attacker with network access via HTTP to
    compromise PeopleSoft Enterprise PeopleTools. Successful
    attacks of this vulnerability can result in unauthorized
    ability to cause a hang or frequently repeatable crash
    (complete DOS) of PeopleSoft Enterprise PeopleTools.
    CVSS 3.1 Base Score 7.5 (Availability impacts). CVSS
    Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
    (CVE-2022-45061)

  - Vulnerability in the Oracle Solaris product of Oracle
    Systems (component: NSSwitch). Supported versions that
    are affected are 10 and 11. Difficult to exploit
    vulnerability allows high privileged attacker with
    network access via multiple protocols to compromise
    Oracle Solaris. Successful attacks require human
    interaction from a person other than the attacker and
    while the vulnerability is in Oracle Solaris, attacks
    may significantly impact additional products (scope
    change). Successful attacks of this vulnerability can
    result in unauthorized update, insert or delete access
    to some of Oracle Solaris accessible data and
    unauthorized ability to cause a partial denial of
    service (partial DOS) of Oracle Solaris. CVSS 3.1 Base
    Score 4.0 (Integrity and Availability impacts). CVSS
    Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:N/I:L/A:L).
    (CVE-2023-21900)"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://support.oracle.com/epmos/faces/DocumentDisplay?id=2920776.1"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://www.oracle.com/docs/tech/security-alerts/cpujan2023cvrf.xml"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://www.oracle.com/security-alerts/cpujan2023.html"
  );
  script_set_attribute(
    attribute:"solution",
    value:"Install the jan2023 CPU from the Oracle support website."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2022-23219");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:oracle:solaris");

  script_set_attribute(attribute:"vuln_publication_date", value:"2022/01/14");
  script_set_attribute(attribute:"patch_publication_date", value:"2023/01/17");
  script_set_attribute(attribute:"plugin_publication_date", value:"2023/01/19");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_set_attribute(attribute:"stig_severity", value:"I");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2023 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Solaris Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/Solaris11/release");

  exit(0);
}


include("audit.inc");
include("global_settings.inc");
include("solaris.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/Solaris11/release");
if (isnull(release)) audit(AUDIT_OS_NOT, "Solaris11");


fix_release = "11.4-11.4.53.0.1.132.2";

flag = 0;

if (solaris_check_release(release:"11.4-11.4.53.0.1.132.2", sru:"11.4.53.132.2") > 0) flag++;

if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:solaris_get_report2());
  else security_hole(0);
  exit(0);
}
audit(AUDIT_OS_RELEASE_NOT, "Solaris", fix_release, release);
VendorProductVersionCPE
oraclesolariscpe:/o:oracle:solaris

References

Related

altlinux 3
openvas 40
nessus 79
kaspersky 3
slackware 2
ibm 1
mozilla 3
oraclelinux 8
almalinux 4
redhat 16
osv 11
mageia 4
debian 5
rocky 2
gentoo 2
photon 1
fedora 6
cloudlinux 1
ubuntu 1
freebsd 1
f5 1
amazon 4
github 1
altlinux
altlinux
Security fix for the ALT Linux 10 package firefox-esr version 102.6.0-alt1
2022-12-22 00:00:00
Security fix for the ALT Linux 10 package thunderbird version 102.6.0-alt1
2022-12-23 00:00:00
Security fix for the ALT Linux 10 package git version 2.33.5-alt1
2022-10-22 00:00:00
openvas
openvas
Slackware: Security Advisory (SSA:2022-348-02)
2022-12-15 00:00:00
SUSE: Security Advisory (SUSE-SU-2022:4579-1)
2022-12-21 00:00:00
SUSE: Security Advisory (SUSE-SU-2022:4462-1)
2022-12-14 00:00:00
nessus
nessus
Slackware Linux 15.0 / current mozilla-thunderbird Multiple Vulnerabilities (SSA:2022-348-02)
2022-12-14 00:00:00
SUSE SLED15 / SLES15 Security Update : MozillaFirefox (SUSE-SU-2022:4462-1)
2022-12-14 00:00:00
SUSE SLED15 / SLES15 Security Update : MozillaThunderbird (SUSE-SU-2022:4579-1)
2022-12-21 00:00:00
kaspersky
kaspersky
KLA20114 Multiple vulnerabilities in Mozilla Firefox ESR
2022-12-13 00:00:00
KLA20115 Multiple vulnerabilities in Mozilla Thunderbird
2022-12-13 00:00:00
KLA20184 Multiple vulnerabilities in Git for Windows
2022-10-18 00:00:00
slackware
slackware
[slackware-security] mozilla-thunderbird
2022-12-14 21:30:37
[slackware-security] mozilla-firefox
2022-12-14 21:30:17
ibm
ibm
Security Bulletin: Multiple vulnerabilities of Mozilla Firefox (less than Firefox 102.6ESR) have affected Synthetic Playback Agent 8.1.4.0-8.1.4 IF16
2023-02-15 10:00:54
mozilla
mozilla
Security Vulnerabilities fixed in Thunderbird 102.6 — Mozilla
2022-12-13 00:00:00
Security Vulnerabilities fixed in Firefox ESR 102.6 — Mozilla
2022-12-13 00:00:00
Security Vulnerabilities fixed in Firefox 108 — Mozilla
2022-12-13 00:00:00
oraclelinux
oraclelinux
firefox security update
2022-12-16 00:00:00
firefox security update
2022-12-16 00:00:00
firefox security update
2022-12-15 00:00:00
almalinux
almalinux
Important: firefox security update
2022-12-15 00:00:00
Important: firefox security update
2022-12-15 00:00:00
Important: thunderbird security update
2022-12-15 00:00:00
redhat
redhat
(RHSA-2022:9072) Important: firefox security update
2022-12-15 15:41:01
(RHSA-2022:9067) Important: firefox security update
2022-12-15 15:32:10
(RHSA-2022:9066) Important: firefox security update
2022-12-15 15:31:40
osv
osv
Important: firefox security update
2022-12-15 00:00:00
firefox-esr - security update
2022-12-14 00:00:00
Important: firefox security update
2022-12-15 15:32:10
mageia
mageia
Updated thunderbird packages fix security vulnerability
2022-12-17 23:37:44
Updated firefox packages fix security vulnerability
2022-12-17 23:37:44
Updated lighttpd packages fix security vulnerability
2022-10-13 23:05:19
debian
debian
[SECURITY] [DLA 3242-1] thunderbird security update
2022-12-15 18:22:21
[SECURITY] [DLA 3241-1] firefox-esr security update
2022-12-15 18:16:56
[SECURITY] [DSA 5301-1] firefox-esr security update
2022-12-14 18:15:26
rocky
rocky
firefox security update
2022-12-15 15:32:10
thunderbird security update
2023-01-14 01:54:53
gentoo
gentoo
Lighttpd: Denial of Service
2022-10-31 00:00:00
Mozilla Thunderbird: Multiple Vulnerabilities
2023-05-03 00:00:00
photon
photon
Critical Photon OS Security Update - PHSA-2022-0155
2022-02-17 00:00:00
fedora
fedora
[SECURITY] Fedora 37 Update: mingw-pixman-0.42.2-1.fc37
2022-11-14 01:14:12
[SECURITY] Fedora 36 Update: mingw-pixman-0.42.2-1.fc36
2022-11-13 01:19:37
[SECURITY] Fedora 36 Update: git-2.38.1-1.fc36
2022-10-28 11:15:54
cloudlinux
cloudlinux
Fix of CVE: CVE-2022-23218, CVE-2022-23219
2022-02-02 16:15:16
ubuntu
ubuntu
Git vulnerabilities
2022-10-18 00:00:00
freebsd
freebsd
git -- Multiple vulnerabilities
2022-06-09 00:00:00
f5
f5
K52308021 : GNU C Library (glibc) vulnerabilities CVE-2022-23218 and CVE-2022-23219
2022-04-29 00:00:00
amazon
amazon
Important: git
2022-12-01 17:34:00
Important: git
2022-12-01 20:31:00
Medium: glibc
2022-04-04 23:46:00
github
github
Git security vulnerabilities announced
2022-10-18 17:11:45
JSON
Related for SOLARIS_JAN2023_SRU11_4_53_132_2.NASL
altlinux3openvas40nessus79kaspersky3slackware2ibm1mozilla3oraclelinux8almalinux4redhat16osv11mageia4debian5rocky2gentoo2photon1fedora6cloudlinux1ubuntu1freebsd1f51amazon4github1