Oracle Linux 9 : pcs (ELSA-2023-12595)

Severity: Critical. Nessus Plugin ID: 178685

Synopsis

The remote Oracle Linux host is missing one or more security updates.

Description

The remote Oracle Linux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2023-12595 advisory.

[0.11.4-7]
- Fix displaying differences between configuration checkpoints in pcs config checkpoint diff command
- Fix pcs stonith update-scsi-devices command which was broken since Pacemaker-2.1.5-rc1
- Fixed loading of cluster status in the web interface when fencing levels are configured
- Fixed a vulnerability in pcs-web-ui-node-modules
- Updated bundled rubygem rack
- Resolves: rhbz#2179901 rhbz#2180697 rhbz#2180704 rhbz#2180708 rhbz#2180978 rhbz#2183180

[0.11.4-6]
- Fixed broken filtering in create resource/fence device wizards in the web interface
- Added BuildRequires: pam - needed for tier0 tests during build
- Resolves: rhbz#2167471

[0.11.4-5]
- Fixed enabling/disabling sbd when cluster is not running
- Resolves: rhbz#2166249

[0.11.4-4]
- Rebuilt with fixed patches
- Resolves: rhbz#2158790 rhbz#2159454

[0.11.4-3]
- Allow time values in stonith-watchdog-time property
- Resource/stonith agent self-validation of instance attributes is now disabled by default, as many agents do not work with it properly.
- Updated bundled rubygems: rack, rack-protection, sinatra
- Added license for ruby2_keywords
- Resolves: rhbz#2158790 rhbz#2159454

[0.11.4-2]
- Fixed stopping of pcsd service using systemctl stop pcsd command
- Fixed smoke test execution during gating
- Added warning when omitting validation of misconfigured resource
- Fixed displaying of bool and integer values in pcs resource config command
- Updated bundled rubygems: ethon, rack-protection, sinatra
- Resolves: rhbz#2148124 rhbz#2151164 rhbz#2151524

[0.11.4-1]
- Rebased to latest upstream sources (see CHANGELOG.md)
- Updated pcs-web-ui
- Resolves: rhbz#1620043 rhbz#2019464 rhbz#2099653 rhbz#2109633 rhbz#2112293 rhbz#2116295 rhbz#2117600 rhbz#2117601

[0.11.3-5]
- Rebased to latest upstream sources (see CHANGELOG.md)
- Updated pcs-web-ui
- Added bundled rubygem: childprocess
- Removed bundled rubygem: open4
- Updated bundled rubygems: mustermann, rack, rack-protection, rack-test, sinatra, tilt
- Resolves: rhbz#1493416 rhbz#1796827 rhbz#2059147 rhbz#2092950 rhbz#2112079 rhbz#2112270 rhbz#2112293 rhbz#2117599 rhbz#2117601

Tenable has extracted the preceding description block directly from the Oracle Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Update the affected pcs and/or pcs-snmp packages.

See Also

https://linux.oracle.com/errata/ELSA-2023-12595.html

Plugin Details

Severity: Critical

ID: 178685

File Name: oraclelinux_ELSA-2023-12595.nasl

Version: 1.1

Type: local

Agent: unix

Published: 7/20/2023

Updated: 10/22/2024

Supported Sensors: Continuous Assessment, Frictionless Assessment Agent, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 5.9

CVSS v2

Risk Factor: Critical

Base Score: 10

Temporal Score: 7.4

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2023-2319

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 8.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:oracle:linux:pcs, cpe:/o:oracle:linux:9, p-cpe:/a:oracle:linux:pcs-snmp, cpe:/a:oracle:linux:9::addons

Required KB Items: Host/OracleLinux, Host/RedHat/release, Host/RedHat/rpm-list, Host/local_checks_enabled

Exploit Ease: No known exploits are available

Patch Publication Date: 7/20/2023

Vulnerability Publication Date: 3/6/2023

Reference Information

CVE: CVE-2023-2319, CVE-2023-27530, CVE-2023-27539