TencentOS Server 3: pcs (TSSA-2025:0818)

🗓️ 22 Oct 2025 00:00:00Reported by TenableType

TencentOS Server 3 has Rack and Tornado flaws; updates fix CVE-2025-46727 and CVE-2025-47287.

Reporter	Title	Published	Views	Family All 357
IBM Security Bulletins	Security Bulletin: Multiple Vulnerabilities in IBM CloudPak for AIOps	25 Jun 202513:52	–	ibm
IBM Security Bulletins	Security Bulletin: IBM Aspera Faspex is affected by open-source related vulnerabilities and unauthorized actions from authenticated users	29 Jul 202522:45	–	ibm
IBM Security Bulletins	Security Bulletin: Tornado multipart/form-data Parser Vulnerability Enables Log-Based DoS Attack (Pre-6.5.0), which affects IBM watsonx.data	1 Sep 202514:49	–	ibm
IBM Security Bulletins	Security Bulletin: Multiple Vulnerabilities affecting IBM Watson Studio in Cloud Pak for Data Are Addressed	28 Aug 202509:51	–	ibm
IBM Security Bulletins	Security Bulletin: IBM Maximo Application Suite - Monitor Component is vulnerable to tornado-6.4.2-cp38-abi3-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_17_x86_64.manylinux2014_x86_64.whl CVE-2025-47287	1 Sep 202513:06	–	ibm
Tenable Nessus	Amazon Linux 2023 : python3-tornado (ALAS2023-2025-1002)	12 Jun 202500:00	–	nessus
Tenable Nessus	Amazon Linux 2 : pcs (ALAS-2025-2856)	29 May 202500:00	–	nessus
Tenable Nessus	Amazon Linux 2 : python-tornado (ALAS-2025-2888)	12 Jun 202500:00	–	nessus
Tenable Nessus	Amazon Linux 2 : python3-tornado (ALAS-2025-2889)	12 Jun 202500:00	–	nessus
Tenable Nessus	AlmaLinux 9 : python-tornado (ALSA-2025:8136)	27 May 202500:00	–	nessus

Source	Link
mirrors	www.mirrors.tencent.com/tlinux/errata/tssa-20250818.xml
cve	www.cve.mitre.org/cgi-bin/cvename.cgi
cve	www.cve.mitre.org/cgi-bin/cvename.cgi

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Tencent Linux Security Advisory TSSA-2025:0818.
##

include('compat.inc');

if (description)
{
  script_id(271139);
  script_version("1.2");
  script_set_attribute(attribute:"plugin_modification_date", value:"2025/12/04");

  script_cve_id("CVE-2025-46727", "CVE-2025-47287");

  script_name(english:"TencentOS Server 3: pcs (TSSA-2025:0818)");

  script_set_attribute(attribute:"synopsis", value:
"The remote TencentOS Server 3 host is missing one or more security updates.");
  script_set_attribute(attribute:"description", value:
"The version of Tencent Linux installed on the remote TencentOS Server 3 host is prior to tested version. It is,
therefore, affected by multiple vulnerabilities as referenced in the TSSA-2025:0818 advisory.

    Package updates are available for TencentOS Server 3 that fix the following vulnerabilities:

    CVE-2025-46727:
    Rack is a modular Ruby web server interface. Prior to versions 2.2.14, 3.0.16, and 3.1.14,
    Rack::QueryParser parses query strings and application/x-www-form-urlencoded bodies into Ruby data
    structures without imposing any limit on the number of parameters, allowing attackers to send requests
    with extremely large numbers of parameters. The vulnerability arises because Rack::QueryParser iterates
    over each &-separated key-value pair and adds it to a Hash without enforcing an upper bound on the total
    number of parameters. This allows an attacker to send a single request containing hundreds of thousands
    (or more) of parameters, which consumes excessive memory and CPU during parsing. An attacker can trigger
    denial of service by sending specifically crafted HTTP requests, which can cause memory exhaustion or pin
    CPU resources, stalling or crashing the Rack server. This results in full service disruption until the
    affected worker is restarted. Versions 2.2.14, 3.0.16, and 3.1.14 fix the issue. Some other mitigations
    are available. One may use middleware to enforce a maximum query string size or parameter count, or employ
    a reverse proxy (such as Nginx) to limit request sizes and reject oversized query strings or bodies.
    Limiting request body sizes and query string lengths at the web server or CDN level is an effective
    mitigation.

    CVE-2025-47287:
    Tornado is a Python web framework and asynchronous networking library. When Tornado's multipart/form-data
    parser encounters certain errors, it logs a warning but continues trying to parse the remainder of the
    data. This allows remote attackers to generate an extremely high volume of logs, constituting a DoS
    attack. This DoS is compounded by the fact that the logging subsystem is synchronous. All versions of
    Tornado prior to 6.5.0 are affected. The vulnerable parser is enabled by default. Upgrade to Tornado
    version 6.50 to receive a patch. As a workaround, risk can be mitigated by blocking Content-Type:
    multipart/form-data in a proxy.

Tenable has extracted the preceding description block directly from the Tencent Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://mirrors.tencent.com/tlinux/errata/tssa-20250818.xml");
  script_set_attribute(attribute:"solution", value:
"Update the affected packages.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2025-46727");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2025/05/28");
  script_set_attribute(attribute:"patch_publication_date", value:"2025/05/28");
  script_set_attribute(attribute:"plugin_publication_date", value:"2025/10/22");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:tencent:tencentos_server:3");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:tencent:tencentos_server:pcs");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Tencent Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2025 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info2.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/etc/os-release", "Host/TencentOS/rpm-list", "Host/cpu");

  exit(0);
}


include('rpm2.inc');

if (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_product = get_kb_item('installed_os/local/SSH/0/product');
if (isnull(os_product) || 'TencentOS' >!< os_product) audit(AUDIT_OS_NOT, 'TencentOS');
var os_version = get_kb_item('installed_os/local/SSH/0/version');
if (isnull(os_version)) audit(AUDIT_UNKNOWN_APP_VER, 'TencentOS');
if (! preg(pattern:"^3([^0-9]|$)", string:os_version)) audit(AUDIT_OS_NOT, 'TencentOS 3.x', 'TencentOS ' + os_version);

if (!get_kb_item('Host/TencentOS/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);

var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'TencentOS', cpu);

var constraints = [
  {
    'release': '3',
    'pkgs': [
      {'reference':'pcs-0.10.18-2.tl3.5', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'pcs-0.10.18-2.tl3.5', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'pcs-snmp-0.10.18-2.tl3.5', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'pcs-snmp-0.10.18-2.tl3.5', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE}
    ]
  }
];

var os_release = get_one_kb_item('installed_os/local/SSH/0/release');
var os_sp = get_one_kb_item('Host/*/minor_release');

var flag = 0;
var reference;
var sp;
var _cpu;
var el_string;
var rpm_spec_vers_cmp;
var epoch;
var allowmaj;
var exists_check;
var cves;
foreach var constraint ( constraints ) {
  # Check that the target release is equal to the affected release
  if (!empty_or_null(constraint['release'])){
    if (constraint['release'] != os_release) continue;
  }
  if (!empty_or_null(constraint['sp'])){
    if (constraint['sp'] != os_sp) continue;
  }
  foreach var pkg ( constraint['pkgs'] ) {
    reference = NULL;
    sp = NULL;
    _cpu = NULL;
    el_string = NULL;
    rpm_spec_vers_cmp = NULL;
    epoch = NULL;
    allowmaj = NULL;
    exists_check = NULL;
    cves = NULL;
    if (!empty_or_null(pkg['reference'])) reference = pkg['reference'];
    if (!empty_or_null(pkg['sp'])) sp = pkg['sp'];
    if (!empty_or_null(pkg['cpu'])) _cpu = pkg['cpu'];
    if (!empty_or_null(pkg['el_string'])) el_string = pkg['el_string'];
    if (!empty_or_null(pkg['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = pkg['rpm_spec_vers_cmp'];
    if (!empty_or_null(pkg['epoch'])) epoch = pkg['epoch'];
    if (!empty_or_null(pkg['allowmaj'])) allowmaj = pkg['allowmaj'];
    if (!empty_or_null(pkg['exists_check'])) exists_check = pkg['exists_check'];
    if (!empty_or_null(pkg['cves'])) cves = pkg['cves'];
    if (reference &&
        ## (no known rpm to check OR known rpm_exists)
        (!exists_check || rpm_exists(rpm:exists_check)) &&
        rpm_check(sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj, cves:cves)) flag++;
  }
}

if (flag)
{
  security_report_v4(
      port       : 0,
      severity   : SECURITY_HOLE,
      extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  var tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'pcs / pcs-snmp');
}

04 Dec 2025 00:00Current

7High risk

Vulners AI Score7

CVSS 3.17.5

EPSS0.01164

SSVC