Detections
Analytics

Nutanix AOS : Multiple Vulnerabilities (NXSA-AOS-5.17)

critical Nessus Plugin ID 164561

Language:

Synopsis

The Nutanix AOS host is affected by multiple vulnerabilities .

Description

The version of AOS installed on the remote host is prior to 5.17. It is, therefore, affected by multiple vulnerabilities as referenced in the NXSA-AOS-5.17 advisory.

 - A heap overflow flaw was found in the Linux kernel, all versions 3.x.x and 4.x.x before 4.18.0, in Marvell WiFi chip driver. The vulnerability allows a remote attacker to cause a system crash, resulting in a denial of service, or execute arbitrary code. The highest threat with this vulnerability is with the availability of the system. If code execution occurs, the code will run with the permissions of root. This will affect both confidentiality and integrity of files on the system. (CVE-2019-14901)

 - libImaging/PcxDecode.c in Pillow before 6.2.2 has a PCX P mode buffer overflow. (CVE-2020-5312)

 - An issue was discovered in Pillow before 6.2.0. When reading specially crafted invalid image files, the library can either allocate very large amounts of memory or take an extremely long period of time to process the image. (CVE-2019-16865)

 - OpenSLP as used in ESXi and the Horizon DaaS appliances has a heap overwrite issue. VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.8.
 (CVE-2019-5544)

 - Empty or malformed p256-ECDH public keys may trigger a segmentation fault due values being improperly sanitized before being copied into memory and used. This vulnerability affects Firefox ESR < 60.8, Firefox < 68, and Thunderbird < 60.8. (CVE-2019-11729)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Update the Nutanix AOS software to the recommended version. Before upgrading: if this cluster is registered with Prism Central, ensure that Prism Central has been upgraded first to a compatible version. Refer to the Software Product Interoperability page on the Nutanix portal.

See Also

http://www.nessus.org/u?928ab35a

Plugin Details

Severity: Critical

ID: 164561

File Name: nutanix_NXSA-AOS-5_17.nasl

Version: 1.35

Type: local

Family: Misc.

Published: 9/1/2022

Updated: 2/17/2025

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: High

Score: 7.4

CVSS v2

Risk Factor: Critical

Base Score: 10

Temporal Score: 8.3

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2019-14901

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 9.1

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:F/RL:O/RC:C

CVSS Score Source: CVE-2020-5312

Vulnerability Information

CPE: cpe:/o:nutanix:aos

Required KB Items: Host/Nutanix/Data/lts, Host/Nutanix/Data/Service, Host/Nutanix/Data/Version, Host/Nutanix/Data/arch

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 8/24/2022

Vulnerability Publication Date: 1/18/2018

CISA Known Exploited Vulnerability Due Dates: 5/3/2022

Reference Information

CVE: CVE-2018-10853, CVE-2018-12207, CVE-2018-13053, CVE-2018-13093, CVE-2018-13094, CVE-2018-13095, CVE-2018-14625, CVE-2018-14734, CVE-2018-15594, CVE-2018-16658, CVE-2018-16885, CVE-2018-18281, CVE-2018-20856, CVE-2018-7755, CVE-2018-8087, CVE-2018-9363, CVE-2018-9516, CVE-2018-9517, CVE-2019-0154, CVE-2019-0155, CVE-2019-10126, CVE-2019-11135, CVE-2019-1125, CVE-2019-11599, CVE-2019-11729, CVE-2019-11745, CVE-2019-11810, CVE-2019-11833, CVE-2019-13734, CVE-2019-14816, CVE-2019-14821, CVE-2019-14835, CVE-2019-14895, CVE-2019-14898, CVE-2019-14901, CVE-2019-15239, CVE-2019-16865, CVE-2019-17133, CVE-2019-18397, CVE-2019-18634, CVE-2019-3459, CVE-2019-3460, CVE-2019-3846, CVE-2019-3882, CVE-2019-3900, CVE-2019-5489, CVE-2019-5544, CVE-2019-7222, CVE-2019-9500, CVE-2019-9506, CVE-2020-2583, CVE-2020-2590, CVE-2020-2593, CVE-2020-2601, CVE-2020-2604, CVE-2020-2654, CVE-2020-2659, CVE-2020-5312