Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
nessusThis script is Copyright (C) 2019-2022 and is owned by Tenable, Inc. or an Affiliate thereof.SUSE_SU-2016-2470-1.NASL
HistoryJan 02, 2019 - 12:00 a.m.

SUSE SLES12 Security Update : nodejs4 (SUSE-SU-2016:2470-1)

2019-01-0200:00:00
This script is Copyright (C) 2019-2022 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
29
JSON

This update brings the new upstream nodejs LTS version 4.6.0, fixing bugs and security issues :

  • Nodejs embedded openssl version update

  • upgrade to 1.0.2j (CVE-2016-6304, CVE-2016-2183, CVE-2016-2178, CVE-2016-6306, CVE-2016-7052)

  • remove support for dynamic 3rd party engine modules

  • http: Properly validate for allowable characters in input user data.
    This introduces a new case where throw may occur when configuring HTTP responses, users should already be adopting try/catch here.
    (CVE-2016-5325, bsc#985201)

    • tls: properly validate wildcard certificates (CVE-2016-7099, bsc#1001652)

    • buffer: Zero-fill excess bytes in new Buffer objects created with Buffer.concat()

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from SUSE update advisory SUSE-SU-2016:2470-1.
# The text itself is copyright (C) SUSE.
#

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(119982);
  script_version("1.5");
  script_set_attribute(attribute:"plugin_modification_date", value:"2022/01/27");

  script_cve_id(
    "CVE-2016-2178",
    "CVE-2016-2183",
    "CVE-2016-5325",
    "CVE-2016-6304",
    "CVE-2016-6306",
    "CVE-2016-7052",
    "CVE-2016-7099"
  );

  script_name(english:"SUSE SLES12 Security Update : nodejs4 (SUSE-SU-2016:2470-1)");

  script_set_attribute(attribute:"synopsis", value:
"The remote SUSE host is missing one or more security updates.");
  script_set_attribute(attribute:"description", value:
"This update brings the new upstream nodejs LTS version 4.6.0, fixing
bugs and security issues :

  - Nodejs embedded openssl version update

  + upgrade to 1.0.2j (CVE-2016-6304, CVE-2016-2183,
    CVE-2016-2178, CVE-2016-6306, CVE-2016-7052)

  + remove support for dynamic 3rd party engine modules

- http: Properly validate for allowable characters in input user data.
This introduces a new case where throw may occur when configuring HTTP
responses, users should already be adopting try/catch here.
  (CVE-2016-5325, bsc#985201)

  - tls: properly validate wildcard certificates
    (CVE-2016-7099, bsc#1001652)

  - buffer: Zero-fill excess bytes in new Buffer objects
    created with Buffer.concat()

Note that Tenable Network Security has extracted the preceding
description block directly from the SUSE security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues.");
  script_set_attribute(attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1001652");
  script_set_attribute(attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=985201");
  script_set_attribute(attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2016-2178/");
  script_set_attribute(attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2016-2183/");
  script_set_attribute(attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2016-5325/");
  script_set_attribute(attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2016-6304/");
  script_set_attribute(attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2016-6306/");
  script_set_attribute(attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2016-7052/");
  script_set_attribute(attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2016-7099/");
  # https://www.suse.com/support/update/announcement/2016/suse-su-20162470-1/
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?20d40afc");
  script_set_attribute(attribute:"solution", value:
"To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product :

SUSE Linux Enterprise Module for Web Scripting 12:zypper in -t patch
SUSE-SLE-Module-Web-Scripting-12-2016-1439=1

To bring your system up-to-date, use 'zypper patch'.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2016-2183");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploited_by_malware", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2016/06/20");
  script_set_attribute(attribute:"patch_publication_date", value:"2016/10/06");
  script_set_attribute(attribute:"plugin_publication_date", value:"2019/01/02");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:nodejs4");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:nodejs4-debuginfo");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:nodejs4-debugsource");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:nodejs4-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:npm4");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:suse_linux:12");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"SuSE Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2019-2022 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/SuSE/release", "Host/SuSE/rpm-list");

  exit(0);
}


include("audit.inc");
include("global_settings.inc");
include("rpm.inc");


if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/SuSE/release");
if (isnull(release) || release !~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "SUSE");
os_ver = pregmatch(pattern: "^(SLE(S|D)\d+)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "SUSE");
os_ver = os_ver[1];
if (! preg(pattern:"^(SLES12)$", string:os_ver)) audit(AUDIT_OS_NOT, "SUSE SLES12", "SUSE " + os_ver);

if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if (cpu !~ "^i[3-6]86$" && "x86_64" >!< cpu && "s390x" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "SUSE " + os_ver, cpu);
if (cpu >!< "x86_64") audit(AUDIT_ARCH_NOT, "x86_64", cpu);


sp = get_kb_item("Host/SuSE/patchlevel");
if (isnull(sp)) sp = "0";
if (os_ver == "SLES12" && (! preg(pattern:"^(0)$", string:sp))) audit(AUDIT_OS_NOT, "SLES12 SP0", os_ver + " SP" + sp);


flag = 0;
if (rpm_check(release:"SLES12", sp:"0", cpu:"x86_64", reference:"nodejs4-4.6.0-8.1")) flag++;
if (rpm_check(release:"SLES12", sp:"0", cpu:"x86_64", reference:"nodejs4-debuginfo-4.6.0-8.1")) flag++;
if (rpm_check(release:"SLES12", sp:"0", cpu:"x86_64", reference:"nodejs4-debugsource-4.6.0-8.1")) flag++;
if (rpm_check(release:"SLES12", sp:"0", cpu:"x86_64", reference:"nodejs4-devel-4.6.0-8.1")) flag++;
if (rpm_check(release:"SLES12", sp:"0", cpu:"x86_64", reference:"npm4-4.6.0-8.1")) flag++;


if (flag)
{
  if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
  else security_warning(0);
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "nodejs4");
}
VendorProductVersionCPE
novellsuse_linuxnodejs4p-cpe:/a:novell:suse_linux:nodejs4
novellsuse_linuxnodejs4-debuginfop-cpe:/a:novell:suse_linux:nodejs4-debuginfo
novellsuse_linuxnodejs4-debugsourcep-cpe:/a:novell:suse_linux:nodejs4-debugsource
novellsuse_linuxnodejs4-develp-cpe:/a:novell:suse_linux:nodejs4-devel
novellsuse_linuxnpm4p-cpe:/a:novell:suse_linux:npm4
novellsuse_linux12cpe:/o:novell:suse_linux:12

Related

suse 12
openvas 32
nessus 39
ibm 62
mageia 2
nodejsblog 1
threatpost 2
oraclelinux 2
aix 1
fedora 5
centos 1
redhat 4
f5 2
gentoo 1
cloudfoundry 1
archlinux 4
altlinux 1
osv 3
ubuntu 2
debian 2
huawei 1
cisco 1
prion 3
ubuntucve 2
veracode 2
cve 3
redhatcve 3
debiancve 2
openssl 1
slackware 1
alpinelinux 1
suse
suse
Security update for nodejs4 (important)
2016-11-01 16:19:35
Security update for nodejs4 (important)
2016-10-06 20:14:21
Security update for nodejs (important)
2016-10-11 19:20:03
openvas
openvas
SUSE: Security Advisory (SUSE-SU-2016:2470-1)
2021-06-09 00:00:00
SUSE: Security Advisory (SUSE-SU-2016:2470-2)
2021-06-09 00:00:00
openSUSE: Security Advisory for nodejs (openSUSE-SU-2016:2496-1)
2016-10-12 00:00:00
nessus
nessus
openSUSE Security Update : nodejs (openSUSE-2016-1172)
2016-10-12 00:00:00
Arista Networks EOS 4.17 Multiple Vulnerabilities (SA0024) (SWEET32)
2018-02-28 00:00:00
Arista Networks EOS Multiple Vulnerabilities (SA0024) (SWEET32)
2018-02-28 00:00:00
ibm
ibm
Security Bulletin: Multiple OpenSSL and Non-OpenSSL vulnerabilities in Node.js included in Rational Application Developer for WebSphere Software
2020-02-05 00:09:48
Security Bulletin: Security vulnerabilities in IBM SDK for Node.js might affect IBM Business Process Manager (BPM) Configuration Editor
2018-06-15 07:06:49
Security Bulletin: Multiple vulnerabilities may affect IBM® SDK for Node.js™
2018-08-09 04:20:36
mageia
mageia
Updated nodejs packages fix security vulnerability
2017-07-13 12:10:46
Updated openssl packages fix security vulnerabilities
2016-10-12 01:12:20
nodejsblog
nodejsblog
Security updates for all active release lines, September 2016
2016-09-23 00:00:00
threatpost
threatpost
OpenSSL Patches High-Severity OCSP Bug, Mitigates SWEET32 Attack
2016-09-23 15:47:13
OpenSSL Fixes Critical Bug Introduced by Latest Update
2016-09-26 10:45:04
oraclelinux
oraclelinux
openssl security update
2016-10-13 00:00:00
openssl security update
2016-09-27 00:00:00
aix
aix
Vulnerabilities in OpenSSL affect AIX
2016-11-14 13:29:26
fedora
fedora
[SECURITY] Fedora 25 Update: openssl-1.0.2j-1.fc25
2016-10-09 03:28:42
[SECURITY] Fedora 24 Update: openssl-1.0.2j-1.fc24
2016-09-28 01:57:16
[SECURITY] Fedora 23 Update: openssl-1.0.2j-1.fc23
2016-10-11 23:24:05
centos
centos
openssl security update
2016-09-28 14:48:04
redhat
redhat
(RHSA-2017:0002) Important: rh-nodejs4-nodejs and rh-nodejs4-http-parser security update
2017-01-02 15:33:44
(RHSA-2016:1940) Important: openssl security update
2016-09-27 11:50:45
(RHSA-2017:1659) Important: Red Hat JBoss Enterprise Application Platform 6.4.16 natives update
2017-06-28 19:59:12
f5
f5
K24444803 : Node.js vulnerabilities CVE-2015-8860, CVE-2015-8856, CVE-2016-7099, and CVE-2016-5325
2018-10-17 00:00:00
SOL39272405 - OpenSSL vulnerability CVE-2016-7052
2016-10-10 00:00:00
gentoo
gentoo
OpenSSL: Multiple vulnerabilities
2016-12-07 00:00:00
cloudfoundry
cloudfoundry
USN-3087-2 OpenSSL Regression | Cloud Foundry
2016-09-28 00:00:00
archlinux
archlinux
[ASA-201609-24] lib32-openssl: multiple issues
2016-09-26 00:00:00
[ASA-201609-23] openssl: multiple issues
2016-09-26 00:00:00
[ASA-201609-30] openssl: denial of service
2016-09-28 00:00:00
altlinux
altlinux
Security fix for the ALT Linux 7 package openssl10 version 1.0.1u-alt0.M70P.1
2016-09-23 00:00:00
osv
osv
openssl - security update
2016-09-22 00:00:00
openssl - security update
2016-09-25 00:00:00
openssl - regression update
2016-09-22 00:00:00
ubuntu
ubuntu
OpenSSL regression
2016-09-23 00:00:00
OpenSSL vulnerabilities
2016-09-22 00:00:00
debian
debian
[SECURITY] [DLA 637-1] openssl security update
2016-09-25 11:55:01
[SECURITY] [DSA 3673-1] openssl security update
2016-09-22 16:50:14
huawei
huawei
Security Advisory - Sixteen OpenSSL Vulnerabilities on Some Huawei products
2017-03-22 00:00:00
cisco
cisco
Multiple Vulnerabilities in OpenSSL Affecting Cisco Products: September 2016
2016-09-27 22:40:00
prion
prion
Design/Logic Flaw
2016-10-10 16:59:00
Crlf injection
2016-10-10 16:59:00
Null pointer dereference
2016-09-26 19:59:00
ubuntucve
ubuntucve
CVE-2016-7099
2016-10-10 00:00:00
CVE-2016-5325
2016-10-10 00:00:00
veracode
veracode
Man-in-the-Middle (MitM)
2018-09-24 07:23:39
HTTP Response Splitting
2018-09-24 05:08:11
cve
cve
CVE-2016-5325
2016-10-10 16:59:00
CVE-2016-7099
2016-10-10 16:59:00
CVE-2016-7052
2016-09-26 19:59:00
redhatcve
redhatcve
CVE-2016-7099
2016-09-28 06:47:27
CVE-2016-5325
2016-06-15 16:19:00
CVE-2016-7052
2016-09-26 11:17:23
debiancve
debiancve
CVE-2016-7099
2016-10-10 16:59:00
CVE-2016-5325
2016-10-10 16:59:00
openssl
openssl
Vulnerability in OpenSSL CVE-2016-7052
2016-09-26 00:00:00
slackware
slackware
[slackware-security] openssl
2016-09-26 18:59:48
alpinelinux
alpinelinux
CVE-2016-7052
2016-09-26 19:59:00
JSON
Related for SUSE_SU-2016-2470-1.NASL
suse12openvas32nessus39ibm62mageia2nodejsblog1threatpost2oraclelinux2aix1fedora5centos1redhat4f52gentoo1cloudfoundry1archlinux4altlinux1osv3ubuntu2debian2huawei1cisco1prion3ubuntucve2veracode2cve3redhatcve3debiancve2openssl1slackware1alpinelinux1