ID RHSA-2014:2000 Type redhat Reporter RedHat Modified 2018-06-13T01:28:17
Description
Thermostat is a monitoring and instrumentation tool for the OpenJDK HotSpot
Java Virtual Machine (JVM) with support for monitoring multiple JVM
instances.
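It was discovered that, in certain configurations, the Thermostat agent
disclosed JMX management URLs of all local Java virtual machines to any
local user. A local, unprivileged user could use this flaw to escalate
their privileges on the system. (CVE-2014-8120) The advisory gives no
further detail on the vector; in general, a JMX management connection lets
its client invoke management operations inside the target JVM with the
privileges of the account running that JVM, which is why exposing these
URLs to other local users is a privilege boundary issue and not only an
information leak.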
This issue was discovered by Elliott Baron of Red Hat.
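All thermostat1-thermostat users are advised to upgrade to the updated
packages, which contain a backported patch to correct this issue. In the
package data below, builds earlier than 1.0.4-60.6.el6 (el6) and
1.0.4-70.6.el7 (el7) are listed as affected. Because the patch is
backported, the fixed packages still carry upstream version 1.0.4, whereas
the CVE record below describes the flaw as present in Thermostat before
1.0.6; verify remediation against the installed package release, not the
upstream version number.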
{"id": "RHSA-2014:2000", "type": "redhat", "bulletinFamily": "unix", "title": "(RHSA-2014:2000) Important: thermostat1-thermostat security update", "description": "Thermostat is a monitoring and instrumentation tool for the OpenJDK HotSpot\nJava Virtual Machine (JVM) with support for monitoring multiple JVM\ninstances.\n\nIt was discovered that, in certain configurations, the Thermostat agent\ndisclosed JMX management URLs of all local Java virtual machines to any\nlocal user. A local, unprivileged user could use this flaw to escalate\ntheir privileges on the system. (CVE-2014-8120)\n\nThis issue was discovered by Elliott Baron of Red Hat.\n\nAll thermostat1-thermostat users are advised to upgrade to these updated\npackages, which contain a backported patch to correct this issue.\n", "published": "2014-12-16T05:00:00", "modified": "2018-06-13T01:28:17", "cvss": {"score": 4.4, "vector": "AV:L/AC:M/Au:N/C:P/I:P/A:P"}, "href": "https://access.redhat.com/errata/RHSA-2014:2000", "reporter": "RedHat", "references": [], "cvelist": ["CVE-2014-8120"], "lastseen": "2019-08-13T18:46:55", "viewCount": 0, "enchantments": {"score": {"value": 5.1, "vector": "NONE", "modified": "2019-08-13T18:46:55", "rev": 2}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2014-8120"]}, {"type": "nessus", "idList": ["FEDORA_2014-17415.NASL", "FEDORA_2014-17384.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310868912", "OPENVAS:1361412562310868911", "OPENVAS:1361412562310869440"]}, {"type": "fedora", "idList": ["FEDORA:DCD72608770E", "FEDORA:7484B60874B0", "FEDORA:F2D8461401C2"]}], "modified": "2019-08-13T18:46:55", "rev": 2}, "vulnersScore": 5.1}, "affectedPackage": [{"OS": "RedHat", "OSVersion": "7", "arch": "src", "packageName": "thermostat1-thermostat", "packageVersion": "1.0.4-70.6.el7", "packageFilename": "thermostat1-thermostat-1.0.4-70.6.el7.src.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "arch": "src", "packageName": "thermostat1-thermostat", 
"packageVersion": "1.0.4-60.6.el6", "packageFilename": "thermostat1-thermostat-1.0.4-60.6.el6.src.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "7", "arch": "x86_64", "packageName": "thermostat1-thermostat", "packageVersion": "1.0.4-70.6.el7", "packageFilename": "thermostat1-thermostat-1.0.4-70.6.el7.x86_64.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "arch": "x86_64", "packageName": "thermostat1-thermostat", "packageVersion": "1.0.4-60.6.el6", "packageFilename": "thermostat1-thermostat-1.0.4-60.6.el6.x86_64.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "arch": "noarch", "packageName": "thermostat1-thermostat-webapp", "packageVersion": "1.0.4-60.6.el6", "packageFilename": "thermostat1-thermostat-webapp-1.0.4-60.6.el6.noarch.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "7", "arch": "noarch", "packageName": "thermostat1-thermostat-webapp", "packageVersion": "1.0.4-70.6.el7", "packageFilename": "thermostat1-thermostat-webapp-1.0.4-70.6.el7.noarch.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "7", "arch": "noarch", "packageName": "thermostat1-thermostat-javadoc", "packageVersion": "1.0.4-70.6.el7", "packageFilename": "thermostat1-thermostat-javadoc-1.0.4-70.6.el7.noarch.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "arch": "x86_64", "packageName": "thermostat1-thermostat-debuginfo", "packageVersion": "1.0.4-60.6.el6", "packageFilename": "thermostat1-thermostat-debuginfo-1.0.4-60.6.el6.x86_64.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "7", "arch": "x86_64", "packageName": "thermostat1-thermostat-debuginfo", "packageVersion": "1.0.4-70.6.el7", "packageFilename": "thermostat1-thermostat-debuginfo-1.0.4-70.6.el7.x86_64.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "arch": "noarch", "packageName": "thermostat1-thermostat-javadoc", "packageVersion": "1.0.4-60.6.el6", "packageFilename": "thermostat1-thermostat-javadoc-1.0.4-60.6.el6.noarch.rpm", "operator": "lt"}]}
{"cve": [{"lastseen": "2021-02-02T06:14:35", "description": "The agent in Thermostat before 1.0.6, when using unspecified configurations, allows local users to obtain the JMX management URLs of all local Java virtual machines and gain privileges via unknown vectors.", "edition": 6, "cvss3": {}, "published": "2014-12-18T15:59:00", "title": "CVE-2014-8120", "type": "cve", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.4, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.4, "vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-8120"], "modified": "2014-12-18T19:55:00", "cpe": ["cpe:/a:thermostat_project:thermostat:1.0.4"], "id": "CVE-2014-8120", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8120", "cvss": {"score": 4.4, "vector": "AV:L/AC:M/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:thermostat_project:thermostat:1.0.4:*:*:*:*:*:*:*"]}], "openvas": [{"lastseen": "2019-05-29T18:36:24", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-8120"], "description": "The remote host is missing an update for the ", "modified": "2019-03-15T00:00:00", "published": "2015-01-09T00:00:00", "id": "OPENVAS:1361412562310868912", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310868912", "type": "openvas", "title": "Fedora Update for thermostat FEDORA-2014-17384", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for thermostat FEDORA-2014-17384\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2015 Greenbone Networks GmbH, 
http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.868912\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2015-01-09 05:52:35 +0100 (Fri, 09 Jan 2015)\");\n script_cve_id(\"CVE-2014-8120\");\n script_tag(name:\"cvss_base\", value:\"4.4\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:M/Au:N/C:P/I:P/A:P\");\n script_name(\"Fedora Update for thermostat FEDORA-2014-17384\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'thermostat'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"affected\", value:\"thermostat on Fedora 21\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_xref(name:\"FEDORA\", value:\"2014-17384\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/pipermail/package-announce/2015-January/147778.html\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n 
script_tag(name:\"qod_type\", value:\"package\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2015 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC21\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC21\")\n{\n\n if ((res = isrpmvuln(pkg:\"thermostat\", rpm:\"thermostat~1.0.6~1.fc21\", rls:\"FC21\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 4.4, "vector": "AV:L/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:35:55", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-8120"], "description": "The remote host is missing an update for the ", "modified": "2019-03-15T00:00:00", "published": "2015-01-09T00:00:00", "id": "OPENVAS:1361412562310868911", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310868911", "type": "openvas", "title": "Fedora Update for thermostat FEDORA-2014-17415", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for thermostat FEDORA-2014-17415\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2015 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.868911\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2015-01-09 05:52:34 +0100 (Fri, 09 Jan 2015)\");\n script_cve_id(\"CVE-2014-8120\");\n script_tag(name:\"cvss_base\", value:\"4.4\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:M/Au:N/C:P/I:P/A:P\");\n script_name(\"Fedora Update for thermostat FEDORA-2014-17415\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'thermostat'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"affected\", value:\"thermostat on Fedora 20\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_xref(name:\"FEDORA\", value:\"2014-17415\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/pipermail/package-announce/2015-January/147779.html\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2015 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC20\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = 
rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC20\")\n{\n\n if ((res = isrpmvuln(pkg:\"thermostat\", rpm:\"thermostat~1.0.6~1.fc20\", rls:\"FC20\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 4.4, "vector": "AV:L/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:37:00", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-8120", "CVE-2015-3201"], "description": "The remote host is missing an update for the ", "modified": "2019-03-15T00:00:00", "published": "2015-06-11T00:00:00", "id": "OPENVAS:1361412562310869440", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310869440", "type": "openvas", "title": "Fedora Update for thermostat FEDORA-2015-8919", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for thermostat FEDORA-2015-8919\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2015 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.869440\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2015-06-11 06:29:13 +0200 (Thu, 11 Jun 2015)\");\n script_cve_id(\"CVE-2015-3201\", \"CVE-2014-8120\");\n script_tag(name:\"cvss_base\", value:\"4.4\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:M/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Fedora Update for thermostat FEDORA-2015-8919\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'thermostat'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"affected\", value:\"thermostat on Fedora 21\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_xref(name:\"FEDORA\", value:\"2015-8919\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/pipermail/package-announce/2015-June/159958.html\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2015 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC21\");\n\n 
exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC21\")\n{\n\n if ((res = isrpmvuln(pkg:\"thermostat\", rpm:\"thermostat~1.0.6~2.fc21\", rls:\"FC21\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 4.4, "vector": "AV:L/AC:M/Au:N/C:P/I:P/A:P"}}], "fedora": [{"lastseen": "2020-12-21T08:17:52", "bulletinFamily": "unix", "cvelist": ["CVE-2014-8120"], "description": "Thermostat is a monitoring and instrumentation tool for the Hotspot JVM, with support for monitoring multiple JVM instances. The system is made up of two processes: an Agent, which collects data, and a Client which allows users to visualize this data. These components communicate via a MongoDB-based storage layer. A pluggable agent and gui framework allows for collection and visualization of performance data beyond that which is included out of the box. ", "modified": "2015-01-08T07:01:52", "published": "2015-01-08T07:01:52", "id": "FEDORA:DCD72608770E", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 21 Update: thermostat-1.0.6-1.fc21", "cvss": {"score": 4.4, "vector": "AV:L/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-12-21T08:17:52", "bulletinFamily": "unix", "cvelist": ["CVE-2014-8120"], "description": "Thermostat is a monitoring and instrumentation tool for the Hotspot JVM, with support for monitoring multiple JVM instances. The system is made up of two processes: an Agent, which collects data, and a Client which allows users to visualize this data. These components communicate via a MongoDB-based storage layer. A pluggable agent and gui framework allows for collection and visualization of performance data beyond that which is included out of the box. 
", "modified": "2015-01-08T07:02:09", "published": "2015-01-08T07:02:09", "id": "FEDORA:F2D8461401C2", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 20 Update: thermostat-1.0.6-1.fc20", "cvss": {"score": 4.4, "vector": "AV:L/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-12-21T08:17:53", "bulletinFamily": "unix", "cvelist": ["CVE-2014-8120", "CVE-2015-3201"], "description": "Thermostat is a monitoring and instrumentation tool for the Hotspot JVM, with support for monitoring multiple JVM instances. The system is made up of two processes: an Agent, which collects data, and a Client which allows users to visualize this data. These components communicate via a MongoDB-based storage layer. A pluggable agent and gui framework allows for collection and visualization of performance data beyond that which is included out of the box. ", "modified": "2015-06-10T19:07:44", "published": "2015-06-10T19:07:44", "id": "FEDORA:7484B60874B0", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 21 Update: thermostat-1.0.6-2.fc21", "cvss": {"score": 4.4, "vector": "AV:L/AC:M/Au:N/C:P/I:P/A:P"}}], "nessus": [{"lastseen": "2021-01-12T10:12:26", "description": "Update to latest maintenance release. It was discovered that, in\ncertain configurations, the Thermostat agent disclosed JMX management\nURLs of all local Java virtual machines to any local user. A local,\nunprivileged user could use this flaw to escalate their privileges on\nthe system. (CVE-2014-8120)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 13, "published": "2015-01-09T00:00:00", "title": "Fedora 20 : thermostat-1.0.6-1.fc20 (2014-17415)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-8120"], "modified": "2015-01-09T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:thermostat", "cpe:/o:fedoraproject:fedora:20"], "id": "FEDORA_2014-17415.NASL", "href": "https://www.tenable.com/plugins/nessus/80423", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2014-17415.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(80423);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2014-8120\");\n script_bugtraq_id(71709);\n script_xref(name:\"FEDORA\", value:\"2014-17415\");\n\n script_name(english:\"Fedora 20 : thermostat-1.0.6-1.fc20 (2014-17415)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Update to latest maintenance release. It was discovered that, in\ncertain configurations, the Thermostat agent disclosed JMX management\nURLs of all local Java virtual machines to any local user. A local,\nunprivileged user could use this flaw to escalate their privileges on\nthe system. (CVE-2014-8120)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=1168977\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2015-January/147779.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?1c5058aa\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected thermostat package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:ND/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:thermostat\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:20\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/12/21\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/01/09\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015-2021 Tenable Network Security, Inc.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = 
eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^20([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 20.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC20\", reference:\"thermostat-1.0.6-1.fc20\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"thermostat\");\n}\n", "cvss": {"score": 4.4, "vector": "AV:L/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-12T10:12:26", "description": "Update to latest maintenance release. It was discovered that, in\ncertain configurations, the Thermostat agent disclosed JMX management\nURLs of all local Java virtual machines to any local user. A local,\nunprivileged user could use this flaw to escalate their privileges on\nthe system. (CVE-2014-8120)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 13, "published": "2015-01-09T00:00:00", "title": "Fedora 21 : thermostat-1.0.6-1.fc21 (2014-17384)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-8120"], "modified": "2015-01-09T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:thermostat", "cpe:/o:fedoraproject:fedora:21"], "id": "FEDORA_2014-17384.NASL", "href": "https://www.tenable.com/plugins/nessus/80422", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2014-17384.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(80422);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2014-8120\");\n script_bugtraq_id(71709);\n script_xref(name:\"FEDORA\", value:\"2014-17384\");\n\n script_name(english:\"Fedora 21 : thermostat-1.0.6-1.fc21 (2014-17384)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Update to latest maintenance release. It was discovered that, in\ncertain configurations, the Thermostat agent disclosed JMX management\nURLs of all local Java virtual machines to any local user. A local,\nunprivileged user could use this flaw to escalate their privileges on\nthe system. (CVE-2014-8120)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=1168977\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2015-January/147778.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?a6d21182\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected thermostat package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:ND/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:thermostat\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:21\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/12/21\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/01/09\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015-2021 Tenable Network Security, Inc.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = 
eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^21([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 21.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC21\", reference:\"thermostat-1.0.6-1.fc21\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"thermostat\");\n}\n", "cvss": {"score": 4.4, "vector": "AV:L/AC:M/Au:N/C:P/I:P/A:P"}}]}