Oracle Linux 9 : nodejs (ELSA-2023-5765)
The remote Oracle Linux 9 host has packages installed that are affected by a vulnerability as referenced in the ELSA-2023-5765 advisory. 1:16.20.2-3.0.1 - Update nghttp2 to 1.57.0 Resolves: CVE-2023-44487 Tenable has extracted the preceding description block directly from the Oracle Linux securit...
Amazon Linux 2023 : tomcat9, tomcat9-admin-webapps, tomcat9-el-3.0-api (ALAS2023-2023-390)
It is, therefore, affected by a vulnerability as referenced in the ALAS2023-2023-390 advisory. The HTTP/2 protocol allows a denial of service server resource consumption because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023...
Amazon Linux 2023 : golang, golang-bin, golang-misc (ALAS2023-2023-394)
It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2023-2023-394 advisory. Line directives //line can be used to bypass the restrictions on //go:cgo directives, allowing blocked linker and compiler flags to be passed during compilation. This can result in unexpected...
CentOS 8 : nodejs:18 (CESA-2023:5869)
The remote CentOS Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the CESA-2023:5869 advisory. - When the Node.js policy feature checks the integrity of a resource against a trusted manifest, the application can intercept the operation and return...
Amazon Linux 2023 : libnghttp2, libnghttp2-devel, nghttp2 (ALAS2023-2023-392)
It is, therefore, affected by a vulnerability as referenced in the ALAS2023-2023-392 advisory. The HTTP/2 protocol allows a denial of service server resource consumption because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023...
Amazon Linux 2023 : nginx, nginx-all-modules, nginx-core (ALAS2023-2023-393)
It is, therefore, affected by a vulnerability as referenced in the ALAS2023-2023-393 advisory. The HTTP/2 protocol allows a denial of service server resource consumption because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023...
Oracle Linux 9 : go-toolset / and / golang (ELSA-2023-5738)
The remote Oracle Linux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2023-5738 advisory. - Update to go 1.19.13 CVE-2023-44487 CVE-2023-39325 CVE-2023-29409 go-toolset Tenable has extracted the preceding description block directly from the...
Amazon Linux AMI : tomcat8 (ALAS-2023-1868)
The version of tomcat8 installed on the remote host is prior to 8.5.94-1.95. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS-2023-1868 advisory. Incomplete Cleanup vulnerability in Apache Tomcat. When recycling various internal objects in Apache Tomcat from...
AlmaLinux 8 : grafana (ALSA-2023:5863)
The remote AlmaLinux 8 host has a package installed that is affected by multiple vulnerabilities as referenced in the ALSA-2023:5863 advisory. - A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total...
AlmaLinux 9 : grafana (ALSA-2023:5867)
The remote AlmaLinux 9 host has a package installed that is affected by multiple vulnerabilities as referenced in the ALSA-2023:5867 advisory. - A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total...
Ubuntu 23.10 : .NET vulnerability (USN-6427-2)
The remote Ubuntu 23.10 host has packages installed that are affected by a vulnerability as referenced in the USN-6427-2 advisory. USN-6427-1 fixed a vulnerability in .NET. This update provides the corresponding update for .NET 8. Tenable has extracted the preceding description block directly fro...
Ubuntu 23.10 : .NET vulnerabilities (USN-6438-1)
The remote Ubuntu 23.10 host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-6438-1 advisory. Kevin Jones discovered that .NET did not properly process certain X.509 certificates. An attacker could possibly use this issue to cause a denial of service...
Important: nghttp2 security update
nghttp2 contains the Hypertext Transfer Protocol version 2 HTTP/2 client, server, and proxy programs as well as a library implementing the HTTP/2 protocol in C. Security Fixes: HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack Rapid Reset Attack CVE-2023-44487 For more...
Oracle Linux 8 : go-toolset:ol8 (ELSA-2023-5721)
The remote Oracle Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2023-5721 advisory. - Rebase to Go 1.19.13 CVE-2023-39325 CVE-2023-44487 go-toolset Tenable has extracted the preceding description block directly from the Oracle Linux...
Amazon Linux 2 : tomcat (ALASTOMCAT9-2023-010)
The version of tomcat installed on the remote host is prior to 9.0.81-1. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2TOMCAT9-2023-010 advisory. Incomplete Cleanup vulnerability in Apache Tomcat. When recycling various internal objects in Apache Tomcat from...
Oracle Linux 9 : nginx (ELSA-2023-5711)
The remote Oracle Linux 9 host has packages installed that are affected by a vulnerability as referenced in the ELSA-2023-5711 advisory. 1:1.20.1-14.0.1.1 - Resolves: RHEL-12518 - nginx: HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack Rapid Reset Attack CVE-2023-44487...
AlmaLinux 8 : dotnet7.0 (ALSA-2023:5709)
The remote AlmaLinux 8 host has packages installed that are affected by a vulnerability as referenced in the ALSA-2023:5709 advisory. - The HTTP/2 protocol allows a denial of service server resource consumption because request cancellation can reset many streams quickly, as exploited in the wild ...
Oracle Linux 8 : nginx:1.20 (ELSA-2023-5712)
The remote Oracle Linux 8 host has packages installed that are affected by a vulnerability as referenced in the ELSA-2023-5712 advisory. 1:1.20.1-1.0.1.1 - Resolves: RHEL-12732 - nginx:1.20/nginx: HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack Rapid Reset Attack...
Important: golang
Issue Overview: Line directives "//line" can be used to bypass the restrictions on "//go:cgo" directives, allowing blocked linker and compiler flags to be passed during compilation. This can result in unexpected execution of arbitrary code when running "go build". The line directive requires the...
Important: nghttp2
Issue Overview: The HTTP/2 protocol allows a denial of service server resource consumption because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023. CVE-2023-44487 Affected Packages: nghttp2 Note: This advisory is applicable to Amazon...