The remote Ubuntu 16.04 ESM host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-4774-1 advisory.
Pivotal Spring Framework before 3.2.14 and 4.x before 4.1.7 do not properly process inline DTD declarations when DTD is not entirely disabled, which allows remote attackers to cause a denial of service (memory consumption and out-of-memory errors) via a crafted XML file. (CVE-2015-3192)
Under some situations, the Spring Framework 4.2.0 to 4.2.1, 4.0.0 to 4.1.7, 3.2.0 to 3.2.14 and older unsupported versions is vulnerable to a Reflected File Download (RFD) attack. The attack involves a malicious user crafting a URL with a batch script extension that results in the response being downloaded rather than rendered and also includes some input reflected in the response. (CVE-2015-5211)
An issue was discovered in Pivotal Spring Framework before 3.2.18, 4.2.x before 4.2.9, and 4.3.x before 4.3.5. Paths provided to the ResourceServlet were not properly sanitized and as a result exposed to directory traversal attacks. (CVE-2016-9878)
When processing user provided XML documents, the Spring Framework 4.0.0 to 4.0.4, 3.0.0 to 3.2.8, and possibly earlier unsupported versions did not disable by default the resolution of URI references in a DTD declaration. This enabled an XXE attack. (CVE-2014-0225)
Directory traversal vulnerability in Pivotal Spring Framework 3.0.4 through 3.2.x before 3.2.12, 4.0.x before 4.0.8, and 4.1.x before 4.1.2 allows remote attackers to read arbitrary files via unspecified vectors, related to static resource handling. (CVE-2014-3625)
Directory traversal vulnerability in Pivotal Spring Framework 3.x before 3.2.9 and 4.0 before 4.0.5 allows remote attackers to read arbitrary files via a crafted URL. (CVE-2014-3578)
Note that Nessus has not tested for these issues but has instead relied only on the application’s self-reported version number.
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Ubuntu Security Notice USN-4774-1. The text
# itself is copyright (C) Canonical, Inc. See
# <https://ubuntu.com/security/notices>. Ubuntu(R) is a registered
# trademark of Canonical, Inc.
##
include('compat.inc');
if (description)
{
script_id(183546);
script_version("1.0");
script_set_attribute(attribute:"plugin_modification_date", value:"2023/10/20");
script_cve_id(
"CVE-2014-0225",
"CVE-2014-3578",
"CVE-2014-3625",
"CVE-2015-3192",
"CVE-2015-5211",
"CVE-2016-9878"
);
script_xref(name:"USN", value:"4774-1");
script_name(english:"Ubuntu 16.04 ESM : Spring Framework vulnerabilities (USN-4774-1)");
script_set_attribute(attribute:"synopsis", value:
"The remote Ubuntu host is missing one or more security updates.");
script_set_attribute(attribute:"description", value:
"The remote Ubuntu 16.04 ESM host has packages installed that are affected by multiple vulnerabilities as referenced in
the USN-4774-1 advisory.
- Pivotal Spring Framework before 3.2.14 and 4.x before 4.1.7 do not properly process inline DTD
declarations when DTD is not entirely disabled, which allows remote attackers to cause a denial of service
(memory consumption and out-of-memory errors) via a crafted XML file. (CVE-2015-3192)
- Under some situations, the Spring Framework 4.2.0 to 4.2.1, 4.0.0 to 4.1.7, 3.2.0 to 3.2.14 and older
unsupported versions is vulnerable to a Reflected File Download (RFD) attack. The attack involves a
malicious user crafting a URL with a batch script extension that results in the response being downloaded
rather than rendered and also includes some input reflected in the response. (CVE-2015-5211)
- An issue was discovered in Pivotal Spring Framework before 3.2.18, 4.2.x before 4.2.9, and 4.3.x before
4.3.5. Paths provided to the ResourceServlet were not properly sanitized and as a result exposed to
directory traversal attacks. (CVE-2016-9878)
- When processing user provided XML documents, the Spring Framework 4.0.0 to 4.0.4, 3.0.0 to 3.2.8, and
possibly earlier unsupported versions did not disable by default the resolution of URI references in a DTD
declaration. This enabled an XXE attack. (CVE-2014-0225)
- Directory traversal vulnerability in Pivotal Spring Framework 3.0.4 through 3.2.x before 3.2.12, 4.0.x
before 4.0.8, and 4.1.x before 4.1.2 allows remote attackers to read arbitrary files via unspecified
vectors, related to static resource handling. (CVE-2014-3625)
- Directory traversal vulnerability in Pivotal Spring Framework 3.x before 3.2.9 and 4.0 before 4.0.5 allows
remote attackers to read arbitrary files via a crafted URL. (CVE-2014-3578)
Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
script_set_attribute(attribute:"see_also", value:"https://ubuntu.com/security/notices/USN-4774-1");
script_set_attribute(attribute:"solution", value:
"Update the affected packages.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H");
script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2015-5211");
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"vuln_publication_date", value:"2014/05/28");
script_set_attribute(attribute:"patch_publication_date", value:"2021/03/17");
script_set_attribute(attribute:"plugin_publication_date", value:"2023/10/20");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:16.04:-:esm");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libspring-aop-java");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libspring-beans-java");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libspring-context-java");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libspring-context-support-java");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libspring-core-java");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libspring-expression-java");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libspring-instrument-java");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libspring-jdbc-java");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libspring-jms-java");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libspring-orm-java");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libspring-oxm-java");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libspring-test-java");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libspring-transaction-java");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libspring-web-java");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libspring-web-portlet-java");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libspring-web-servlet-java");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libspring-web-struts-java");
script_set_attribute(attribute:"generated_plugin", value:"current");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Ubuntu Local Security Checks");
script_copyright(english:"Ubuntu Security Notice (C) 2023 Canonical, Inc. / NASL script (C) 2023 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("ssh_get_info.nasl");
script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l");
exit(0);
}
include('debian_package.inc');
if ( ! get_kb_item('Host/local_checks_enabled') ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_release = get_kb_item('Host/Ubuntu/release');
if ( isnull(os_release) ) audit(AUDIT_OS_NOT, 'Ubuntu');
os_release = chomp(os_release);
if (! ('16.04' >< os_release)) audit(AUDIT_OS_NOT, 'Ubuntu 16.04', 'Ubuntu ' + os_release);
if ( ! get_kb_item('Host/Debian/dpkg-l') ) audit(AUDIT_PACKAGE_LIST_MISSING);
var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Ubuntu', cpu);
var pkgs = [
{'osver': '16.04', 'pkgname': 'libspring-aop-java', 'pkgver': '3.2.13-5ubuntu0.1~esm1'},
{'osver': '16.04', 'pkgname': 'libspring-beans-java', 'pkgver': '3.2.13-5ubuntu0.1~esm1'},
{'osver': '16.04', 'pkgname': 'libspring-context-java', 'pkgver': '3.2.13-5ubuntu0.1~esm1'},
{'osver': '16.04', 'pkgname': 'libspring-context-support-java', 'pkgver': '3.2.13-5ubuntu0.1~esm1'},
{'osver': '16.04', 'pkgname': 'libspring-core-java', 'pkgver': '3.2.13-5ubuntu0.1~esm1'},
{'osver': '16.04', 'pkgname': 'libspring-expression-java', 'pkgver': '3.2.13-5ubuntu0.1~esm1'},
{'osver': '16.04', 'pkgname': 'libspring-instrument-java', 'pkgver': '3.2.13-5ubuntu0.1~esm1'},
{'osver': '16.04', 'pkgname': 'libspring-jdbc-java', 'pkgver': '3.2.13-5ubuntu0.1~esm1'},
{'osver': '16.04', 'pkgname': 'libspring-jms-java', 'pkgver': '3.2.13-5ubuntu0.1~esm1'},
{'osver': '16.04', 'pkgname': 'libspring-orm-java', 'pkgver': '3.2.13-5ubuntu0.1~esm1'},
{'osver': '16.04', 'pkgname': 'libspring-oxm-java', 'pkgver': '3.2.13-5ubuntu0.1~esm1'},
{'osver': '16.04', 'pkgname': 'libspring-transaction-java', 'pkgver': '3.2.13-5ubuntu0.1~esm1'},
{'osver': '16.04', 'pkgname': 'libspring-web-java', 'pkgver': '3.2.13-5ubuntu0.1~esm1'},
{'osver': '16.04', 'pkgname': 'libspring-web-portlet-java', 'pkgver': '3.2.13-5ubuntu0.1~esm1'},
{'osver': '16.04', 'pkgname': 'libspring-web-servlet-java', 'pkgver': '3.2.13-5ubuntu0.1~esm1'}
];
var flag = 0;
foreach package_array ( pkgs ) {
var osver = NULL;
var pkgname = NULL;
var pkgver = NULL;
if (!empty_or_null(package_array['osver'])) osver = package_array['osver'];
if (!empty_or_null(package_array['pkgname'])) pkgname = package_array['pkgname'];
if (!empty_or_null(package_array['pkgver'])) pkgver = package_array['pkgver'];
if (osver && pkgname && pkgver) {
if (ubuntu_check(osver:osver, pkgname:pkgname, pkgver:pkgver)) flag++;
}
}
if (flag)
{
security_report_v4(
port : 0,
severity : SECURITY_HOLE,
extra : ubuntu_report_get()
);
exit(0);
}
else
{
var tested = ubuntu_pkg_tests_get();
if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'libspring-aop-java / libspring-beans-java / libspring-context-java / etc');
}
Vendor | Product | Version | CPE |
---|---|---|---|
canonical | ubuntu_linux | 16.04 | cpe:/o:canonical:ubuntu_linux:16.04:-:esm |
canonical | ubuntu_linux | libspring-aop-java | p-cpe:/a:canonical:ubuntu_linux:libspring-aop-java |
canonical | ubuntu_linux | libspring-beans-java | p-cpe:/a:canonical:ubuntu_linux:libspring-beans-java |
canonical | ubuntu_linux | libspring-context-java | p-cpe:/a:canonical:ubuntu_linux:libspring-context-java |
canonical | ubuntu_linux | libspring-context-support-java | p-cpe:/a:canonical:ubuntu_linux:libspring-context-support-java |
canonical | ubuntu_linux | libspring-core-java | p-cpe:/a:canonical:ubuntu_linux:libspring-core-java |
canonical | ubuntu_linux | libspring-expression-java | p-cpe:/a:canonical:ubuntu_linux:libspring-expression-java |
canonical | ubuntu_linux | libspring-instrument-java | p-cpe:/a:canonical:ubuntu_linux:libspring-instrument-java |
canonical | ubuntu_linux | libspring-jdbc-java | p-cpe:/a:canonical:ubuntu_linux:libspring-jdbc-java |
canonical | ubuntu_linux | libspring-jms-java | p-cpe:/a:canonical:ubuntu_linux:libspring-jms-java |
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0225
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3578
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3625
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3192
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5211
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9878
ubuntu.com/security/notices/USN-4774-1