Oracle Linux 9 : Image / Builder (ELSA-2023-2204)

high Nessus Plugin ID 175721

Synopsis

The remote Oracle Linux host is missing one or more security updates.

Description

The remote Oracle Linux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2023-2204 advisory.

cockpit-composer [45-1.0.1]
- Make per page documentation links point to Oracle Linux [Orabug: 32013095], [Orabug: 34398922]

[45-1]
- New upstream release

[44-1]
- New upstream release

[43-1]
- New upstream release

[42-1]
- New upstream release

osbuild [81-1]
- New upstream release

[80-1]
- New upstream release

[79-1]
- New upstream release

[78-1]
- New upstream release

[77-1]
- New upstream release

[76-1]
- New upstream release

[75-1]
- New upstream release

[74-1]
- New upstream release

[73-1]
- New upstream release

[72-1]
- New upstream release

[71-1]
- New upstream release

[70-1]
- New upstream release

[69-1]
- New upstream release

osbuild-composer [76-2]
- distro/rhel: add payload repos to os package set (rhbz#2177699)
- Manifest: always set kernel options in grub2 stage (rhbz#2162299)

[76-1]
- New upstream release

[75-1]
- New upstream release

[74-1]
- New upstream release

[73-1]
- New upstream release

[72-1]
- New upstream release

[71-1]
- New upstream release

[70-1]
- New upstream release

[69-1]
- New upstream release

[68-1]
- New upstream release

[67-2]
- Fix functional tests to make them pass in RHEL-9.2 gating

[67-1]
- New upstream release

[62-1]
- New upstream release

[60-1]
- New upstream release

[59-1]
- New upstream release

[58-1]
- New upstream release

[57-1]
- New upstream release

[55-1]
- New upstream release

[54-1]
- New upstream release

[53-1]
- New upstream release

[51-1]
- New upstream release

[46-1]
- New upstream release

[45-1]
- New upstream release

[44-1]
- New upstream release

[43-1]
- New upstream release

[42-1]
- New upstream release

[41-1]
- New upstream release

[40-1]
- New upstream release

[39-1]
- New upstream release

[38-1]
- New upstream release

* Tue Nov 02 2021 lavocatt - 37-1
- New upstream release

[36-1]
- New upstream release

[33-1]
- New upstream release

[32-1]
- New upstream release

[31-1]
- New upstream release

[30-2]
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags Related: rhbz#1991688

[30-1]
- New upstream release

[29-3]
- Rebuilt for RHEL 9 BETA for openssl 3.0 Related: rhbz#1971065

[29-2]
- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937

weldr-client [35.9-1]
- Copy rhel-92.json test repository from osbuild-composer
- Update osbuild-composer test repositories from osbuild-composer
- New release: 35.9 (bcl) Resolves: rhbz#2164560
- tests: Replace os.MkdirTemp with t.TempDir (bcl)
- blueprint save: Allow overriding bad blueprint names (bcl)
- tests: Clean up checking err in tests (bcl)
- composer-cli: Implement blueprints diff (bcl)
- saveBlueprint: Return the filename to the caller (bcl)
- composer-cli: Add tests for using --commit with old servers (bcl)
- weldr: Return error about the blueprints change route (bcl)
- weldr: Save the http status code as part of APIResponse (bcl)
- Add --commit support to blueprints save (bcl)
- Add --commit to blueprints show (bcl)
- gitleaks: Exclude the test password used in tests (bcl)
- ci: add tags to AWS instances (tlavocat)
- Update github.com/BurntSushi/toml to 1.2.1
- Update github.com/stretchr/testify to 1.8.1
- Update bump github.com/spf13/cobra to 1.6.1
- New release: 35.8 (bcl)
- completion: Remove providers from bash completion script (bcl)
- completion: Filter out new headers from compose list (bcl)
- docs: Remove unneeded Long descriptions (bcl)
- docs: Use a custom help template (bcl)
- docs: Add more command documentation (bcl)
- cmdline: Add package glob support to modules list command (bcl)
- workflow: Add govulncheck on go v1.18 (bcl)
- tests: Update to use golangci-lint 1.49.0 (bcl)
- New release: 35.7 (bcl)
- spec: Move %gometa macro above %gourl (bcl)
- weldr: When starting a compose pass size as bytes, not MiB (bcl)
- tests: Use correct size value in bytes for test (bcl)
- workflow: Add Go 1.18 to test matrix (bcl)
- Replace deprecated ioutil functions (bcl)
- New release: 35.6 (bcl)
- tests: Update tests for osbuild-composer changes (bcl)
- CMD: Compose status format (eloy.coto)
- CMD: Compose list format (eloy.coto)
- tests: Update tests to check for JSON list output (bcl)
- composer-cli: Change JSON output to be a list of objects (bcl)
- weldr: Simplify the old ComposeLog, etc. functions (bcl)
- composer-cli: Add --filename to blueprints freeze save command (bcl)
- composer-cli: Add --filename to blueprints save command (bcl)
- composer-cli: Add --filename to compose logs command (bcl)
- composer-cli: Add --filename to compose image command (bcl)
- composer-cli: Add --filename to compose metadata command (bcl)
- composer-cli: Add --filename to compose results command (bcl)
- weldr: Add saving to a new filename to GetFilePath function (bcl)
- github: Fix issue with codecov and forced pushes in PRs (bcl)
- Use golangci-lint 1.45.2 in workflow (bcl)
- Run workflow tests for go 1.16.x and 1.17.x (bcl)
- Move go.mod to go 1.16 (bcl)
- workflows/trigger-gitlab: run Gitlab CI in new image-builder project (jrusz)
- Update GitHub actions/setup-go to 3
- Update GitHub actions/checkout to 3

Tenable has extracted the preceding description block directly from the Oracle Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Update the affected packages.

See Also

https://linux.oracle.com/errata/ELSA-2023-2204.html

Plugin Details

Severity: High

ID: 175721

File Name: oraclelinux_ELSA-2023-2204.nasl

Version: 1.4

Type: local

Agent: unix

Published: 5/15/2023

Updated: 11/2/2024

Supported Sensors: Frictionless Assessment Agent, Nessus Agent, Continuous Assessment, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 4.4

CVSS v2

Risk Factor: High

Base Score: 7.8

Temporal Score: 6.1

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:C/A:N

CVSS Score Source: CVE-2022-2880

CVSS v3

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.7

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:oracle:linux:osbuild-selinux, p-cpe:/a:oracle:linux:osbuild-luks2, p-cpe:/a:oracle:linux:osbuild-lvm2, p-cpe:/a:oracle:linux:weldr-client, p-cpe:/a:oracle:linux:osbuild, p-cpe:/a:oracle:linux:osbuild-composer-core, p-cpe:/a:oracle:linux:osbuild-composer-worker, p-cpe:/a:oracle:linux:osbuild-ostree, p-cpe:/a:oracle:linux:osbuild-composer-dnf-json, p-cpe:/a:oracle:linux:python3-osbuild, p-cpe:/a:oracle:linux:cockpit-composer, p-cpe:/a:oracle:linux:osbuild-composer, cpe:/o:oracle:linux:9

Required KB Items: Host/local_checks_enabled, Host/RedHat/release, Host/RedHat/rpm-list, Host/OracleLinux

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 5/15/2023

Vulnerability Publication Date: 9/6/2022

Reference Information

CVE: CVE-2022-27664, CVE-2022-2879, CVE-2022-2880, CVE-2022-41715, CVE-2022-41717

IAVB: 2022-B-0042-S, 2022-B-0059-S