TencentOS Server 3: container-tools:rhel8 (TSSA-2022:0110)

🗓️ 20 Nov 2025 00:00:00Reported by TenableType

TencentOS Server 3 fixes vulnerabilities in runc and ip_reass.

Reporter	Title	Published	Views	Family All 2181
IBM Security Bulletins	Security Bulletin: Security vulnerabilities in IBM SDK for Node.js might affect the configuration editor used by IBM Business Automation Workflow and IBM Business Process Manager (BPM)	14 Sep 202215:02	–	ibm
IBM Security Bulletins	Security Bulletin: Multiple vulnerabilities in HTTP/2 implementation used by Watson Knowledge Catalog for IBM Cloud Pak for Data	11 Mar 202015:28	–	ibm
IBM Security Bulletins	Security Bulletin: WebSphere Liberty susceptible to HTTP2 implementation vulnerabilities	26 Mar 202012:19	–	ibm
IBM Security Bulletins	Security Bulletin: Rational Asset Analyzer (RAA) is affected by several WebSphere Application Server vulnerabilities.	31 Jan 202017:21	–	ibm
IBM Security Bulletins	Security Bulletin: IBM Watson Discovery for IBM Cloud Pak for Data affected by vulnerability in Go	29 Aug 202008:59	–	ibm
IBM Security Bulletins	Security Bulletin: IBM Cloud Private for Data is affected by an issue with runc used by Docker	3 Oct 201922:50	–	ibm
IBM Security Bulletins	Security Bulletin: IBM API Connect is vulnerable to denial of service attacks via HTTP/2.	2 Jan 202017:21	–	ibm
IBM Security Bulletins	Security Bulletin: Multiple vulnerabilities in netty affect IBM Operations Analytics Predictive Insights (CVE-2019-9514, CVE-2019-9512, CVE-2019-9518, CVE-2019-9515)	28 Feb 202017:05	–	ibm
IBM Security Bulletins	Security Bulletin: A vulnerability in Docker affects PowerKVM	17 May 201916:10	–	ibm
IBM Security Bulletins	Security Bulletin: Multiple vulnerabilities in Node.js affect IBM Cloud App Management	24 Oct 201911:45	–	ibm

Source	Link
mirrors	www.mirrors.tencent.com/tlinux/errata/tssa-20220110.xml
cve	www.cve.mitre.org/cgi-bin/cvename.cgi
cve	www.cve.mitre.org/cgi-bin/cvename.cgi
cve	www.cve.mitre.org/cgi-bin/cvename.cgi
cve	www.cve.mitre.org/cgi-bin/cvename.cgi
cve	www.cve.mitre.org/cgi-bin/cvename.cgi
cve	www.cve.mitre.org/cgi-bin/cvename.cgi
cve	www.cve.mitre.org/cgi-bin/cvename.cgi
cve	www.cve.mitre.org/cgi-bin/cvename.cgi
cve	www.cve.mitre.org/cgi-bin/cvename.cgi

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Tencent Linux Security Advisory TSSA-2022:0110.
##

include('compat.inc');

if (description)
{
  script_id(276379);
  script_version("1.5");
  script_set_attribute(attribute:"plugin_modification_date", value:"2026/03/10");

  script_cve_id(
    "CVE-2019-5736",
    "CVE-2019-9514",
    "CVE-2019-14378",
    "CVE-2019-16884",
    "CVE-2019-19921",
    "CVE-2020-1983",
    "CVE-2020-7039",
    "CVE-2020-8608",
    "CVE-2020-10756",
    "CVE-2021-3595",
    "CVE-2021-20188"
  );
  script_xref(name:"CEA-ID", value:"CEA-2019-0643");
  script_xref(name:"IAVA", value:"2024-A-0071-S");

  script_name(english:"TencentOS Server 3: container-tools:rhel8 (TSSA-2022:0110)");

  script_set_attribute(attribute:"synopsis", value:
"The remote TencentOS Server 3 host is missing one or more security updates.");
  script_set_attribute(attribute:"description", value:
"The version of Tencent Linux installed on the remote TencentOS Server 3 host is prior to tested version. It is,
therefore, affected by multiple vulnerabilities as referenced in the TSSA-2022:0110 advisory.

    Package updates are available for TencentOS Server 3 that fix the following vulnerabilities:

    CVE-2019-5736:
    runc through 1.0-rc6, as used in Docker before 18.09.2 and other products, allows attackers to overwrite
    the host runc binary (and consequently obtain host root access) by leveraging the abilityto execute a
    command as root within one of these types of containers: (1) a new container with an attacker-controlled
    image, or (2) an existing container, to which the attacker previously had write access, that can be
    attached with docker exec. This occurs because of file-descriptor mishandling, related to /proc/self/exe.

    CVE-2019-9514:
    Some HTTP/2 implementations are vulnerable to a reset flood, potentially leading to a denial of service.
    The attacker opens a number of streams and sends an invalid request over each stream that should solicit a
    stream of RST_STREAM frames from the peer. Depending on how the peer queues the RST_STREAM frames, this
    can consume excess memory, CPU, or both.

    CVE-2019-14378:
    ip_reass in ip_input.c in libslirp 4.0.0 has a heap-based buffer overflow via a large packet because it
    mishandles a case involving the first fragment.

    CVE-2019-16884:
    runc through 1.0.0-rc8, as used in Docker through 19.03.2-ce and other products, allows AppArmor
    restriction bypass because libcontainer/rootfs_linux.go incorrectly checks mount targets, and thus a
    malicious Docker image can mount over a /proc directory.

    CVE-2019-19921:
    runc through 1.0.0-rc9 has Incorrect Access Control leading to Escalation of Privileges, related to
    libcontainer/rootfs_linux.go. To exploit this, an attacker must be able to spawn two containers with
    custom volume-mount configurations, and be able to run custom images. (This vulnerability does not affect
    Docker due to an implementation detail that happens to block the attack.)

    CVE-2020-1983:
    A use after free vulnerability in ip_reass() in ip_input.c of libslirp 4.2.0 and prior releases allows
    crafted packets to cause a denial of service.

    CVE-2020-7039:
    tcp_emu in tcp_subr.c in libslirp 4.1.0, as used in QEMU 4.2.0, mismanages memory, as demonstrated by IRC
    DCC commands in EMU_IRC. This can cause a heap-based buffer overflow or other out-of-bounds access which
    can lead to a DoS or potential execute arbitrary code.

    CVE-2020-8608:
    In libslirp 4.1.0, as used in QEMU 4.2.0, tcp_subr.c misuses snprintf return values, leading to a buffer
    overflow in later code.

    CVE-2020-10756:
    An out-of-bounds read vulnerability was found in the SLiRP networking implementation of the QEMU emulator.
    This flaw occurs in the icmp6_send_echoreply() routine while replying to an ICMP echo request, also known
    as ping. This flaw allows a malicious guest to leak the contents of the host memory, resulting in possible
    information disclosure. This flaw affects versions of libslirp before4.3.1.

    CVE-2021-3595:
    An invalid pointer initialization issue was found in the SLiRP networking implementation of QEMU. The flaw
    exists in the tftp_input() function and could occur while processing a udp packet that is smaller than the
    size of the 'tftp_t' structure. This issue may lead to out-of-bounds read access or indirect host memory
    disclosure to the guest. The highest threat from this vulnerability isto data confidentiality. This flaw
    affects libslirp versions prior to 4.6.0.

    CVE-2021-20188:
    A flaw was found in podman before 1.7.0. File permissions for non-root users running in a privileged
    container are not correctly checked. This flaw can be abused by a low-privileged user inside the container
    to access any other file in the container, even if owned by the root user inside the container. It does
    not allow to directly escape the container, though being a privileged container means that a lot of
    security features are disabled when running the container. The highest threat from this vulnerability is
    to data confidentiality and integrity as well as system availability.

Tenable has extracted the preceding description block directly from the Tencent Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://mirrors.tencent.com/tlinux/errata/tssa-20220110.xml");
  script_set_attribute(attribute:"solution", value:
"Update the affected packages.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-5736");
  script_set_attribute(attribute:"cvss3_score_source", value:"CVE-2019-14378");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploited_by_malware", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'Docker Container Escape Via runC Overwrite');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2019/02/08");
  script_set_attribute(attribute:"patch_publication_date", value:"2022/07/04");
  script_set_attribute(attribute:"plugin_publication_date", value:"2025/11/20");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:tencent:tencentos_server:3");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:tencent:tencentos_server:libslirp");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:tencent:tencentos_server:runc");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:tencent:tencentos_server:slirp4netns");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_set_attribute(attribute:"stig_severity", value:"I");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Tencent Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2025-2026 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info2.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/etc/os-release", "Host/TencentOS/rpm-list", "Host/cpu");

  exit(0);
}


include('rpm2.inc');

if (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_product = get_kb_item('installed_os/local/SSH/0/product');
if (isnull(os_product) || 'TencentOS' >!< os_product) audit(AUDIT_OS_NOT, 'TencentOS');
var os_version = get_kb_item('installed_os/local/SSH/0/version');
if (isnull(os_version)) audit(AUDIT_UNKNOWN_APP_VER, 'TencentOS');
if (! preg(pattern:"^3([^0-9]|$)", string:os_version)) audit(AUDIT_OS_NOT, 'TencentOS 3.x', 'TencentOS ' + os_version);

if (!get_kb_item('Host/TencentOS/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);

var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'TencentOS', cpu);

var constraints = [
  {
    'release': '3',
    'pkgs': [
      {'reference':'libslirp-4.4.0-1.module+el8.6.0+45+9ab1da0f', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'libslirp-4.4.0-1.module+el8.6.0+45+9ab1da0f', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'libslirp-debuginfo-4.4.0-1.module+el8.6.0+45+9ab1da0f', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'libslirp-debuginfo-4.4.0-1.module+el8.6.0+45+9ab1da0f', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'libslirp-debugsource-4.4.0-1.module+el8.6.0+45+9ab1da0f', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'libslirp-debugsource-4.4.0-1.module+el8.6.0+45+9ab1da0f', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'libslirp-devel-4.4.0-1.module+el8.6.0+45+9ab1da0f', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'libslirp-devel-4.4.0-1.module+el8.6.0+45+9ab1da0f', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'runc-1.1.3-2.module+el8.6.0+45+9ab1da0f', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'runc-1.1.3-2.module+el8.6.0+45+9ab1da0f', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'runc-debuginfo-1.1.3-2.module+el8.6.0+45+9ab1da0f', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'runc-debuginfo-1.1.3-2.module+el8.6.0+45+9ab1da0f', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'runc-debugsource-1.1.3-2.module+el8.6.0+45+9ab1da0f', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'runc-debugsource-1.1.3-2.module+el8.6.0+45+9ab1da0f', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'slirp4netns-1.2.0-2.module+el8.6.0+45+9ab1da0f', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'slirp4netns-1.2.0-2.module+el8.6.0+45+9ab1da0f', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'slirp4netns-debuginfo-1.2.0-2.module+el8.6.0+45+9ab1da0f', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'slirp4netns-debuginfo-1.2.0-2.module+el8.6.0+45+9ab1da0f', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'slirp4netns-debugsource-1.2.0-2.module+el8.6.0+45+9ab1da0f', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'slirp4netns-debugsource-1.2.0-2.module+el8.6.0+45+9ab1da0f', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE}
    ]
  }
];

var os_release = get_one_kb_item('installed_os/local/SSH/0/release');
var os_sp = get_one_kb_item('Host/*/minor_release');

var flag = 0;
var reference;
var sp;
var _cpu;
var el_string;
var rpm_spec_vers_cmp;
var epoch;
var allowmaj;
var exists_check;
var cves;
foreach var constraint ( constraints ) {
  # Check that the target release is equal to the affected release
  if (!empty_or_null(constraint['release'])){
    if (constraint['release'] != os_release) continue;
  }
  if (!empty_or_null(constraint['sp'])){
    if (constraint['sp'] != os_sp) continue;
  }
  foreach var pkg ( constraint['pkgs'] ) {
    reference = NULL;
    sp = NULL;
    _cpu = NULL;
    el_string = NULL;
    rpm_spec_vers_cmp = NULL;
    epoch = NULL;
    allowmaj = NULL;
    exists_check = NULL;
    cves = NULL;
    if (!empty_or_null(pkg['reference'])) reference = pkg['reference'];
    if (!empty_or_null(pkg['sp'])) sp = pkg['sp'];
    if (!empty_or_null(pkg['cpu'])) _cpu = pkg['cpu'];
    if (!empty_or_null(pkg['el_string'])) el_string = pkg['el_string'];
    if (!empty_or_null(pkg['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = pkg['rpm_spec_vers_cmp'];
    if (!empty_or_null(pkg['epoch'])) epoch = pkg['epoch'];
    if (!empty_or_null(pkg['allowmaj'])) allowmaj = pkg['allowmaj'];
    if (!empty_or_null(pkg['exists_check'])) exists_check = pkg['exists_check'];
    if (!empty_or_null(pkg['cves'])) cves = pkg['cves'];
    if (reference &&
        ## (no known rpm to check OR known rpm_exists)
        (!exists_check || rpm_exists(rpm:exists_check)) &&
        rpm_check(sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj, cves:cves)) flag++;
  }
}

if (flag)
{
  security_report_v4(
      port       : 0,
      severity   : SECURITY_HOLE,
      extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  var tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'libslirp / libslirp-debuginfo / libslirp-debugsource / etc');
}

10 Mar 2026 00:00Current

7.5High risk

Vulners AI Score7.5

CVSS 29.3

CVSS 37.5 - 8.8

CVSS 3.17.5 - 8.6

EPSS0.59178