OracleVM 3.3 / 3.4 : procps (OVMSA-2018-0226)

critical Nessus Plugin ID 110306

Synopsis

The remote OracleVM host is missing a security update.

Description

The remote OracleVM system is missing necessary patches to address critical security updates :

- vmstat: fix invalid CPU utilization stats after vCPU hot-plug/unplug (Konrad Rzeszutek Wilk) [bug 18011019]

- drop leftover assignment in fix for CVE-2018-1124 causing a severe regression

- Resolves: (CVE-2018-1124)

- fix integer overflows leading to heap overflow in file2strvec

- Resolves: CVE-2018-1124 (CVE-2018-1126)

- ps: STIME no longer 1970 if many cores in /proc/stat

- Resolves: rhbz#1460176

- slabtop: additional work on usage computation to work on 32bit archs

- Related: rhbz#1330008

- Removal of patch 92 - procps-3.2.8-pgrep-15-chars-warning.patch

- Related: rhbz#877352

- Rework of patch 91 from 3.2.8-37, stripping removed permanently, no new option

- Resolves: rhbz#1322111

- top: Termination with segfault if /proc becomes inaccessible during run

- Resolves: rhbz#928724

- sysctl manpage: Added explanation of conf files precedence

- Resolves: rhbz#1217077

- sysctl.conf manpage: new NOTES section with predefined vars hint

- Resolves: rhbz#1318644

- slabtop: fixing incorrect usage percent computation - int overflow

- Resolves: rhbz#1330008

- New warning if pattern exceeds 15 characters without -f option

- Resolves: #877352

- Adding option to skip stripping of wchan name data

- Resolves: #1322111

- #1201024 - [RFE] Increase sysctl -p line size limit

- #1246573 - typo in ps man page

- #1251101 - Fixing human readable patch (removing trailing spaces)

- #1284076 - [RFE] Support for thread cgroups

- #1288208 - use of /proc/self/auxv breaks ps when running as a different euid

- #1288497 - pmap - no sums computed for RSS and Dirty column

- Resolves: #1201024 #1246573 #1251101 #1284076 #1288208 #1288497

- #1262870 - Correctly skip vmflags (and other keys starting with A-Z)

- Resolves: #1262870

- #1246379 - free: values truncated to the column width

- Resolves: #1246379

- #1120580 - [RFE] Have sysctl -p read info from /etc/sysctl.d

- Related: rhbz#1120580

- #1120580 - [RFE] Have sysctl -p read info from /etc/sysctl.d

- Related: rhbz#1120580

- #993072 - Make the 'free' command a little more human friendly

- #1172059 - ps coredump in stat2proc

- #1120580 - [RFE] Have sysctl -p read info from /etc/sysctl.d

- #1123311 - RFE: 'w' should have '-n' flag to suppress reverse name resolution of IP addresses

- #1163404 - [procps] find_elf_note invalid read if setenv has been called before libproc init

- Resolves: rhbz#993072 rhbz#1172059 rhbz#1120580 rhbz#1123311 rhbz#1163404

- #977467 - [RFE] Have sysctl -p read info from /etc/sysctl.d

- Resolves: rhbz#977467

- Reimplementing (#1060681) due to regressions

- Related: rhbz#1060681

- #1105125 - Locale dependent float delay in top and watch utilities

- #1039013 - Include an API in RHEL to return the number of opened file descriptors for a process

- Resolves: rhbz#1105125

- Related: rhbz#1034337

- #1060681 - ps -p cycles over all PIDs instead of just one

- #963799 - Should shared memory be accounted in cached in free output?

- Resolves: rhbz#1060681 rhbz#963799

- #1089817 - Return value of pgrep is incorrect

- #950748 - /lib64/libproc.so package both in procps and procps-devel

- #1011216 - Backport man page fix of top utility - RES = CODE + DATA

- #1082877 - top/man: RES - physical memory a task 'has used'->'is using'

- #1034337 - Include man pages for openproc, readproc and readproctab

- Resolves: rhbz#1089817 rhbz#950748 rhbz#1011216 rhbz#1082877 rhbz#1034337

Solution

Update the affected procps package.

See Also

https://oss.oracle.com/pipermail/oraclevm-errata/2018-June/000861.html

https://oss.oracle.com/pipermail/oraclevm-errata/2018-June/000862.html

Plugin Details

Severity: Critical

ID: 110306

File Name: oraclevm_OVMSA-2018-0226.nasl

Version: 1.8

Type: local

Published: 6/4/2018

Updated: 9/26/2024

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: High

Base Score: 7.5

Temporal Score: 5.9

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS Score Source: CVE-2018-1126

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 8.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

CPE: cpe:/o:oracle:vm_server:3.3, p-cpe:/a:oracle:vm:procps, cpe:/o:oracle:vm_server:3.4

Required KB Items: Host/local_checks_enabled, Host/OracleVM/release, Host/OracleVM/rpm-list

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 6/1/2018

Vulnerability Publication Date: 5/23/2018

Reference Information

CVE: CVE-2018-1124, CVE-2018-1126

IAVA: 2018-A-0174-S