The version of AOS installed on the remote host is prior to 5.17.1.5. It is, therefore, affected by multiple vulnerabilities as referenced in the NXSA-AOS-5.17.1.5 advisory.

  - An issue was discovered in the Linux kernel before 4.14.11. A double free may be caused by the function     allocate_trace_buffer in the file kernel/trace/trace.c. (CVE-2017-18595)

  - An issue was discovered in dbus >= 1.3.0 before 1.12.18. The DBusServer in libdbus, as used in dbus-     daemon, leaks file descriptors when a message exceeds the per-message file descriptor limit. A local     attacker with access to the D-Bus system bus or another system service's private AF_UNIX socket could use     this to make the system service reach its file descriptor limit, denying service to subsequent D-Bus     clients. (CVE-2020-12049)

  - In the Linux kernel 5.4.0-rc2, there is a use-after-free (read) in the __blk_add_trace function in     kernel/trace/blktrace.c (which is used to fill out a blk_io_trace structure and place it in a per-cpu sub-     buffer). (CVE-2019-19768)

  - A NULL pointer dereference flaw was found in the Linux kernel's SELinux subsystem in versions before 5.7.
    This flaw occurs while importing the Commercial IP Security Option (CIPSO) protocol's category bitmap into     the SELinux extensible bitmap via the' ebitmap_netlbl_import' routine. While processing the CIPSO     restricted bitmap tag in the 'cipso_v4_parsetag_rbm' routine, it sets the security attribute to indicate     that the category bitmap is present, even if it has not been allocated. This issue leads to a NULL pointer     dereference issue while importing the same category bitmap into SELinux. This flaw allows a remote network     user to crash the system kernel, resulting in a denial of service. (CVE-2020-10711)

  - Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Libraries). Supported     versions that are affected are Java SE: 8u251, 11.0.7 and 14.0.1; Java SE Embedded: 8u251. Difficult to     exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to     compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized     update, insert or delete access to some of Java SE, Java SE Embedded accessible data as well as     unauthorized read access to a subset of Java SE, Java SE Embedded accessible data. Note: Applies to client     and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start     applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the     specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as     through a web service. (CVE-2020-14556)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Detections

Analytics

Nutanix AOS : Multiple Vulnerabilities (NXSA-AOS-5.17.1.5)

high Nessus Plugin ID 164579

Version 1.7

Version 1.6

Version 1.5

Version 1.4

Version 1.3

Version 1.7 Feb 18, 2025, 3:26 AM CVSS metrics ("Cvssv4 score" set to 0.0) CVSSv2 severity (based on None, severity decreased from "High" to "Low") Plugin metadata Plugin Feed: 202502180326
Version 1.6 Nov 26, 2024, 10:00 AM CVSS metrics ("CVSSv3 score" set to 7.8) CVSS metrics ("CVSSv3 vector" set to "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H") CVSSv3 score source (changed from "CVE-2020-14583" to none) Plugin Feed: 202411261000
Version 1.5 Jan 11, 2024, 5:03 PM Detection (updated detection logic) Plugin metadata Plugin Feed: 202401111703
Version 1.4 Oct 13, 2023, 5:16 PM CVSS temporal metrics ("CVSSv2 temporal vector" set to "CVSS2#E:POC/RL:OF/RC:C". "CVSSv3 temporal vector" set to "CVSS:3.0/E:P/RL:O/RC:C") Exploit attributes ("Exploit available" set to "True". "Exploitability ease" changed from "No known exploits are available" to "Exploits are available") Plugin Feed: 202310131716
Version 1.3 Feb 23, 2023, 6:16 PM Plugin metadata Plugin Feed: 202302231816