Oracle Linux 8 : idm:DL1 / and / idm:client (ELSA-2020-4670)

medium Nessus Plugin ID 180950

Synopsis

The remote Oracle Linux host is missing one or more security updates.

Description

The remote Oracle Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2020-4670 advisory.

bind-dyndb-ldap [11.3-1]
- New upstream release
- Resolves: rhbz#1845211

ipa [4.8.7-12.0.1]
- Set IPAPLATFORM=rhel when build on Oracle Linux [Orabug: 29516674]

[4.8.7-12]
- Require selinux sub package in the proper version Related: RHBZ#1868432
- SELinux: do not double-define node_t and pki_tomcat_cert_t Related: RHBZ#1868432
- SELinux: add dedicated policy for ipa-pki-retrieve-key + ipatests Related: RHBZ#1868432
- dogtaginstance.py: add --debug to pkispawn Resolves: RHBZ#1879604

[4.8.7-11]
- SELinux Policy: let custodia replicate keys Resolves: RHBZ#1868432

[4.8.7-10]
- Set mode of /etc/ipa/ca.crt to 0644 in CA-less installations Resolves: RHBZ#1870202

[4.8.7-9]
- CAless installation: set the perms on KDC cert file Resolves: RHBZ#1863616
- EPN: handle empty attributes Resolves: RHBZ#1866938
- IPA-EPN: enhance input validation Resolves: RHBZ#1866291
- EPN: enhance input validation Resolves: RHBZ#1863079
- Require new samba build 4.12.3-52 Related: RHBZ#1868558
- Require new selinux-policy build 3.14.3-52 Related: RHBZ#1869311

[4.8.7-8]
- [WebUI] IPA Error 3007: RequirmentError while adding members in User ID overrides tab (updated) Resolves: RHBZ#1757045
- ipa-client-install: use the authselect backup during uninstall Resolves: RHBZ#1810179
- Replace SSLCertVerificationError with CertificateError for py36 Resolves: RHBZ#1858318
- Fix AVC denial during ipa-adtrust-install --add-agents Resolves: RHBZ#1859213

[4.8.7-7]
- replica install failing with avc denial for custodia component Resolves: RHBZ#1857157

[4.8.7-6]
- selinux dont audit rules deny fetching trust topology Resolves: RHBZ#1845596
- fix iPAddress cert issuance for >1 host/service Resolves: RHBZ#1846352
- Specify cert_paths when calling PKIConnection Resolves: RHBZ#1849155
- Update crypto policy to allow AD-SUPPORT when installing IPA Resolves: RHBZ#1851139
- Add version to ipa-idoverride-memberof obsoletes Related: RHBZ#1846434

[4.8.7-5]
- Add missing ipa-selinux package Resolves: RHBZ#1853263

[4.8.7-4]
- Remove client-epn left over files for ONLY_CLIENT Related: RHBZ#1847999

[4.8.7-3]
- [WebUI] IPA Error 3007: RequirmentError while adding members in User ID overrides tab Resolves: RHBZ#1757045
- EPN does not ship its default configuration ( /etc/ipa/epn.conf ) in freeipa-client-epn Resolves: RHBZ#1847999
- FreeIPA - Utilize 256-bit AJP connector passwords Resolves: RHBZ#1849914
- ipa: typo issue in ipanthomedirectoryrive definition Resolves: RHBZ#1851411

[4.8.7-2]
- Remove ipa-idoverride-memberof as superseded by ipa-server 4.8.7 Resolves: RHBZ#1846434

[4.8.7-1]
- Upstream release FreeIPA 4.8.7
- Require new samba build 4.12.3-0 Related: RHBZ#1818765
- New client-epn sub package Resolves: RHBZ#913799

ipa-healthcheck [0.4-6]
- The core subpackage can be installed standalone, drop the Requires on the base package. (#1852244)
- Add Conflicts < 0.4 to core to allow downgrading with --allowerasing (#1852244)

[0.4-5]
- Remove the Obsoletes < 0.4 and add same-version Requires to each subpackage so that upgrades from 0.3 will work (#1852244)

opendnssec [2.1.6-2]
- Resolves: rhbz#1831732 AVC avc: denied { dac_override } for comm=ods-enforcerd

[2.1.6-1]
- Resolves: rhbz#1759888 Rebase OpenDNSSEC to 2.1

slapi-nis [0.56.5-4]
- Ignore unmatched searches
- Resolves: rhbz#1874015

[0.56.5-3]
- Fix memory leaks in ID views processing
- Resolves: rhbz#1875348

[0.56.5-2]
- Initialize map lock in NIS plugin
- Resolves: rhbz#1832331

[0.56.5-1]
- Upstream release 0.56.5
- Resolves: rhbz#1751295: (2) When sync-repl is enabled, slapi-nis can deadlock during retrochanglog trimming
- Resolves: rhbz#1768156: ERR - schemacompat - map rdlock: old way MAP_MONITOR_DISABLED

softhsm [2.6.0-3]
- Fixes: rhbz#1834909 - softhsm use-after-free on process exit
- Synchronize the final fix with Fedora

[2.6.0-2]
- Fixes: rhbz#1834909 - softhsm use-after-free on process exit

[2.6.0-1]
- Fixes: rhbz#1818877 - rebase to softhsm 2.6.0+
- Fixes: rhbz#1701233 - support setting supported signature methods on the token

Tenable has extracted the preceding description block directly from the Oracle Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Update the affected packages.

See Also

https://linux.oracle.com/errata/ELSA-2020-4670.html

Plugin Details

Severity: Medium

ID: 180950

File Name: oraclelinux_ELSA-2020-4670.nasl

Version: 1.3

Type: local

Agent: unix

Published: 9/7/2023

Updated: 11/1/2024

Supported Sensors: Continuous Assessment, Frictionless Assessment Agent, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 4.6

CVSS v2

Risk Factor: Medium

Base Score: 4.3

Temporal Score: 3.4

Vector: CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N

CVSS Score Source: CVE-2020-11022

CVSS v3

Risk Factor: Medium

Base Score: 6.1

Temporal Score: 5.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:oracle:linux:ipa-selinux, p-cpe:/a:oracle:linux:python3-qrcode-core, p-cpe:/a:oracle:linux:ipa-healthcheck, p-cpe:/a:oracle:linux:ipa-common, cpe:/o:oracle:linux:8, p-cpe:/a:oracle:linux:ipa-server, p-cpe:/a:oracle:linux:ipa-client-common, p-cpe:/a:oracle:linux:custodia, p-cpe:/a:oracle:linux:ipa-server-trust-ad, p-cpe:/a:oracle:linux:ipa-server-common, p-cpe:/a:oracle:linux:ipa-client, p-cpe:/a:oracle:linux:python3-qrcode, p-cpe:/a:oracle:linux:ipa-client-epn, p-cpe:/a:oracle:linux:python3-yubico, p-cpe:/a:oracle:linux:ipa-healthcheck-core, p-cpe:/a:oracle:linux:python3-custodia, p-cpe:/a:oracle:linux:python3-jwcrypto, p-cpe:/a:oracle:linux:ipa-client-samba, p-cpe:/a:oracle:linux:bind-dyndb-ldap, p-cpe:/a:oracle:linux:opendnssec, p-cpe:/a:oracle:linux:slapi-nis, p-cpe:/a:oracle:linux:softhsm-devel, p-cpe:/a:oracle:linux:python3-ipaclient, p-cpe:/a:oracle:linux:python3-ipalib, p-cpe:/a:oracle:linux:ipa-python-compat, p-cpe:/a:oracle:linux:python3-ipaserver, p-cpe:/a:oracle:linux:ipa-server-dns, p-cpe:/a:oracle:linux:softhsm, p-cpe:/a:oracle:linux:python3-pyusb, p-cpe:/a:oracle:linux:python3-kdcproxy

Required KB Items: Host/OracleLinux, Host/RedHat/release, Host/RedHat/rpm-list, Host/local_checks_enabled

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 11/10/2020

Vulnerability Publication Date: 1/18/2018

Reference Information

CVE: CVE-2015-9251, CVE-2016-10735, CVE-2018-14040, CVE-2018-14042, CVE-2018-20676, CVE-2018-20677, CVE-2019-11358, CVE-2019-8331, CVE-2020-11022, CVE-2020-1722