TencentOS Server 3: edk2 (TSSA-2023:0078)

🗓️ 16 Jun 2025 00:00:00Reported by TenableType

TencentOS Server 3 versions before the tested update are vulnerable as per TSSA-2023:0078 advisory.

Reporter	Title	Published	Views	Family All 1154
IBM Security Bulletins	Security Bulletin: IBM Events Operator is affected by a denial of service in OpenSSL (CVE-2023-0215).	21 Sep 202314:17	–	ibm
IBM Security Bulletins	Security Bulletin: IBM MQ for HP NonStop Server is affected by multiple OpenSSL vulnerabilities	7 Mar 202316:55	–	ibm
IBM Security Bulletins	Security Bulletin: Vulnerability in cryptography affects IBM Cloud Pak for Data System 2.0 (CPDS 2.0) [CVE-2023-0286]	19 Jun 202508:13	–	ibm
IBM Security Bulletins	Security Bulletin: IBM Watson Assistant for IBM Cloud Pak for Data is vulnerable to multiple OpenSSl denial of service vulnerabilities.	5 Jul 202320:58	–	ibm
IBM Security Bulletins	Security Bulletin: IBM DataPower Gateway potentially vulnerable to Denial of Service (CVE-2022-4450)	7 Mar 202313:44	–	ibm
IBM Security Bulletins	Security Bulletin: IBM Cognos Command Center is affected by multiple vulnerabilities	4 May 202320:23	–	ibm
IBM Security Bulletins	Security Bulletin: IBM Events Operator is affected by a denial of service in OpenSSL (CVE-2022-4450).	21 Sep 202314:25	–	ibm
IBM Security Bulletins	Security Bulletin: Multiple vulnerabilities in IBM SDK for Node.js and packaged modules affect IBM Business Automation Workflow Configuration Editor	1 Mar 202309:00	–	ibm
IBM Security Bulletins	Security Bulletin: IBM Security Verify Access Appliance has multiple security vulnerabilities	14 Oct 202305:03	–	ibm
IBM Security Bulletins	Security Bulletin: Vulnerability in OpenSSL affects IBM Integrated Analytics System [CVE-2022-4304, CVE-2023-0215, CVE-2023-0286]	27 Sep 202411:53	–	ibm

Source	Link
mirrors	www.mirrors.tencent.com/tlinux/errata/tssa-20230078.xml
cve	www.cve.mitre.org/cgi-bin/cvename.cgi
cve	www.cve.mitre.org/cgi-bin/cvename.cgi
cve	www.cve.mitre.org/cgi-bin/cvename.cgi
cve	www.cve.mitre.org/cgi-bin/cvename.cgi

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Tencent Linux Security Advisory TSSA-2023:0078.
##

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(239716);
  script_version("1.2");
  script_set_attribute(attribute:"plugin_modification_date", value:"2025/11/20");

  script_cve_id(
    "CVE-2022-4304",
    "CVE-2022-4450",
    "CVE-2023-0215",
    "CVE-2023-0286"
  );

  script_name(english:"TencentOS Server 3: edk2 (TSSA-2023:0078)");

  script_set_attribute(attribute:"synopsis", value:
"The remote TencentOS Server 3 host is missing one or more security updates.");
  script_set_attribute(attribute:"description", value:
"The version of Tencent Linux installed on the remote TencentOS Server 3 host is prior to tested version. It is,
therefore, affected by multiple vulnerabilities as referenced in the TSSA-2023:0078 advisory.

    Package updates are available for TencentOS Server 3 that fix the following vulnerabilities:

      CVE-2023-0286:
      A type confusion vulnerability was found in OpenSSL when OpenSSL X.400 addresses processing inside an
    X.509 GeneralName. When CRL checking is enabled (for example, the application sets the
    X509_V_FLAG_CRL_CHECK flag), this vulnerability may allow an attacker to pass arbitrary pointers to a
    memcmp call, enabling them to read memory contents or cause a denial of service. In most cases, the attack
    requires the attacker to provide both the certificate chain and CRL, of which neither needs a valid
    signature. If the attacker only controls one of these inputs, the other input must already contain an
    X.400 address as a CRL distribution point, which is uncommon. In this case, this vulnerability is likely
    only to affect applications that have implemented their own functionality for retrieving CRLs over a
    network.
      CVE-2022-4304:
      A timing-based side channel exists in the OpenSSL RSA Decryption implementation, which could be
    sufficient to recover a ciphertext across a network in a Bleichenbacher style attack. To achieve a
    successful decryption, an attacker would have to be able to send a very large number of trial messages for
    decryption. This issue affects all RSA padding modes: PKCS#1 v1.5, RSA-OEAP, and RSASVE.
      CVE-2023-0215:
      A use-after-free vulnerability was found in OpenSSL's BIO_new_NDEF function. The public API function
    BIO_new_NDEF is a helper function used for streaming ASN.1 data via a BIO. It is primarily used internally
    by OpenSSL to support the SMIME, CMS, and PKCS7 streaming capabilities, but it may also be called directly
    by end-user applications. The function receives a BIO from the caller, prepends a new BIO_f_asn1 filter
    BIO onto the front of it to form a BIO chain, and then returns the new head of the BIO chain to the
    caller. Under certain conditions. For example, if a CMS recipient public key is invalid, the new filter
    BIO is freed, and the function returns a NULL result indicating a failure. However, in this case, the BIO
    chain is not properly cleaned up, and the BIO passed by the caller still retains internal pointers to the
    previously freed filter BIO. If the caller then calls BIO_pop() on the BIO, a use-after-free will occur,
    possibly resulting in a crash.
      CVE-2022-4450:
      A double-free vulnerability was found in OpenSSL's PEM_read_bio_ex function. The function
    PEM_read_bio_ex() reads a PEM file from a BIO and parses and decodes the name (for example,
    CERTIFICATE), any header data, and the payload data. If the function succeeds, then the name_out,
    header, and data arguments are populated with pointers to buffers containing the relevant decoded
    data. The caller is responsible for freeing those buffers. Constructing a PEM file that results in 0 bytes
    of payload data is possible. In this case, PEM_read_bio_ex() will return a failure code but will populate
    the header argument with a pointer to a freed buffer. A double-free will occur if the caller also frees
    this buffer. This will most likely lead to a crash. This could be exploited by an attacker who can supply
    malicious PEM files for parsing to achieve a denial of service attack.

Tenable has extracted the preceding description block directly from the Tencent Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://mirrors.tencent.com/tlinux/errata/tssa-20230078.xml");
  script_set_attribute(attribute:"solution", value:
"Update the affected packages.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:H/Au:N/C:C/I:N/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2023-0286");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2023/06/14");
  script_set_attribute(attribute:"patch_publication_date", value:"2023/06/14");
  script_set_attribute(attribute:"plugin_publication_date", value:"2025/06/16");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:tencent:tencentos_server:3");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:tencent:tencentos_server:edk2");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Tencent Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2025 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info2.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/etc/os-release", "Host/TencentOS/rpm-list", "Host/cpu");

  exit(0);
}


include('rpm2.inc');

if (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_product = get_kb_item('installed_os/local/SSH/0/product');
if (isnull(os_product) || 'TencentOS' >!< os_product) audit(AUDIT_OS_NOT, 'TencentOS');
var os_version = get_kb_item('installed_os/local/SSH/0/version');
if (isnull(os_version)) audit(AUDIT_UNKNOWN_APP_VER, 'TencentOS');
if (! preg(pattern:"^3([^0-9]|$)", string:os_version)) audit(AUDIT_OS_NOT, 'TencentOS 3.x', 'TencentOS ' + os_version);

if (!get_kb_item('Host/TencentOS/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);

var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'TencentOS', cpu);

var constraints = [
  {
    'release': '3',
    'pkgs': [
      {'reference':'edk2-aarch64-20220126gitbb1bba3d77-4.tl3', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'edk2-debugsource-20220126gitbb1bba3d77-4.tl3', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'edk2-debugsource-20220126gitbb1bba3d77-4.tl3', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'edk2-ovmf-20220126gitbb1bba3d77-4.tl3', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'edk2-tools-20220126gitbb1bba3d77-4.tl3', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'edk2-tools-20220126gitbb1bba3d77-4.tl3', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'edk2-tools-debuginfo-20220126gitbb1bba3d77-4.tl3', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'edk2-tools-debuginfo-20220126gitbb1bba3d77-4.tl3', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'edk2-tools-doc-20220126gitbb1bba3d77-4.tl3', 'rpm_spec_vers_cmp':TRUE}
    ]
  }
];

var os_release = get_one_kb_item('installed_os/local/SSH/0/release');
var os_sp = get_one_kb_item('Host/*/minor_release');

var flag = 0;
var reference;
var sp;
var _cpu;
var el_string;
var rpm_spec_vers_cmp;
var epoch;
var allowmaj;
var exists_check;
var cves;
foreach var constraint ( constraints ) {
  # Check that the target release is equal to the affected release
  if (!empty_or_null(constraint['release'])){
    if (constraint['release'] != os_release) continue;
  }
  if (!empty_or_null(constraint['sp'])){
    if (constraint['sp'] != os_sp) continue;
  }
  foreach var pkg ( constraint['pkgs'] ) {
    reference = NULL;
    sp = NULL;
    _cpu = NULL;
    el_string = NULL;
    rpm_spec_vers_cmp = NULL;
    epoch = NULL;
    allowmaj = NULL;
    exists_check = NULL;
    cves = NULL;
    if (!empty_or_null(pkg['reference'])) reference = pkg['reference'];
    if (!empty_or_null(pkg['sp'])) sp = pkg['sp'];
    if (!empty_or_null(pkg['cpu'])) _cpu = pkg['cpu'];
    if (!empty_or_null(pkg['el_string'])) el_string = pkg['el_string'];
    if (!empty_or_null(pkg['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = pkg['rpm_spec_vers_cmp'];
    if (!empty_or_null(pkg['epoch'])) epoch = pkg['epoch'];
    if (!empty_or_null(pkg['allowmaj'])) allowmaj = pkg['allowmaj'];
    if (!empty_or_null(pkg['exists_check'])) exists_check = pkg['exists_check'];
    if (!empty_or_null(pkg['cves'])) cves = pkg['cves'];
    if (reference &&
        ## (no known rpm to check OR known rpm_exists)
        (!exists_check || rpm_exists(rpm:exists_check)) &&
        rpm_check(sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj, cves:cves)) flag++;
  }
}

if (flag)
{
  security_report_v4(
      port       : 0,
      severity   : SECURITY_HOLE,
      extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  var tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'edk2-aarch64 / edk2-debugsource / edk2-ovmf / etc');
}

20 Nov 2025 00:00Current

7.7High risk

Vulners AI Score7.7

CVSS 3.17.5

EPSS0.88334

SSVC