Rocky Linux 8 : container-tools:rhel8 (RLSA-2019:3403)

high Nessus Plugin ID 184867

Synopsis

The remote Rocky Linux host is missing one or more security updates.

Description

The remote Rocky Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RLSA-2019:3403 advisory.

- The containers/image library used by the container tools Podman, Buildah, and Skopeo in Red Hat Enterprise Linux version 8 and CRI-O in OpenShift Container Platform does not enforce TLS connections to the container registry authorization service. An attacker could use this vulnerability to launch a MiTM attack and steal login credentials or bearer tokens. (CVE-2019-10214)

- ip_reass in ip_input.c in libslirp 4.0.0 has a heap-based buffer overflow via a large packet because it mishandles a case involving the first fragment. (CVE-2019-14378)

- Cloud Native Computing Foundation (CNCF) CNI (Container Networking Interface) 0.7.4 has a network firewall misconfiguration which affects Kubernetes. The CNI 'portmap' plugin, used to set up HostPorts for CNI, inserts rules at the front of the iptables nat chains, where they take precedence over the KUBE-SERVICES chain. Because of this, the HostPort/portmap rule could match incoming traffic even if there were better fitting, more specific service definition rules like NodePorts later in the chain. The issue is fixed in CNI 0.7.5 and Kubernetes 1.11.9, 1.12.7, 1.13.5, and 1.14.0. (CVE-2019-9946)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Update the affected packages.

See Also

https://errata.rockylinux.org/RLSA-2019:3403

https://bugzilla.redhat.com/show_bug.cgi?id=1655211

https://bugzilla.redhat.com/show_bug.cgi?id=1661597

https://bugzilla.redhat.com/show_bug.cgi?id=1671023

https://bugzilla.redhat.com/show_bug.cgi?id=1672581

https://bugzilla.redhat.com/show_bug.cgi?id=1674519

https://bugzilla.redhat.com/show_bug.cgi?id=1677251

https://bugzilla.redhat.com/show_bug.cgi?id=1677264

https://bugzilla.redhat.com/show_bug.cgi?id=1689255

https://bugzilla.redhat.com/show_bug.cgi?id=1690514

https://bugzilla.redhat.com/show_bug.cgi?id=1691543

https://bugzilla.redhat.com/show_bug.cgi?id=1692513

https://bugzilla.redhat.com/show_bug.cgi?id=1693154

https://bugzilla.redhat.com/show_bug.cgi?id=1693424

https://bugzilla.redhat.com/show_bug.cgi?id=1707220

https://bugzilla.redhat.com/show_bug.cgi?id=1719626

https://bugzilla.redhat.com/show_bug.cgi?id=1719994

https://bugzilla.redhat.com/show_bug.cgi?id=1720646

https://bugzilla.redhat.com/show_bug.cgi?id=1720654

https://bugzilla.redhat.com/show_bug.cgi?id=1721247

https://bugzilla.redhat.com/show_bug.cgi?id=1721638

https://bugzilla.redhat.com/show_bug.cgi?id=1723879

https://bugzilla.redhat.com/show_bug.cgi?id=1728700

https://bugzilla.redhat.com/show_bug.cgi?id=1730281

https://bugzilla.redhat.com/show_bug.cgi?id=1731117

https://bugzilla.redhat.com/show_bug.cgi?id=1732508

https://bugzilla.redhat.com/show_bug.cgi?id=1734745

https://bugzilla.redhat.com/show_bug.cgi?id=1734809

https://bugzilla.redhat.com/show_bug.cgi?id=1737077

https://bugzilla.redhat.com/show_bug.cgi?id=1739961

https://bugzilla.redhat.com/show_bug.cgi?id=1740079

https://bugzilla.redhat.com/show_bug.cgi?id=1741157

https://bugzilla.redhat.com/show_bug.cgi?id=1743685

Plugin Details

Severity: High

ID: 184867

File Name: rocky_linux_RLSA-2019-3403.nasl

Version: 1.0

Type: local

Published: 11/7/2023

Updated: 11/7/2023

Supported Sensors: Continuous Assessment, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: Medium

Base Score: 6.5

Temporal Score: 5.1

Vector: CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:P

CVSS Score Source: CVE-2019-14378

CVSS v3

Risk Factor: High

Base Score: 8.8

Temporal Score: 7.9

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:rocky:linux:oci-umount, p-cpe:/a:rocky:linux:oci-systemd-hook, p-cpe:/a:rocky:linux:oci-umount-debuginfo, p-cpe:/a:rocky:linux:oci-systemd-hook-debugsource, p-cpe:/a:rocky:linux:oci-umount-debugsource, cpe:/o:rocky:linux:8, p-cpe:/a:rocky:linux:oci-systemd-hook-debuginfo

Required KB Items: Host/local_checks_enabled, Host/RockyLinux/release, Host/RockyLinux/rpm-list, Host/cpu

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 11/5/2019

Vulnerability Publication Date: 3/28/2019

Reference Information

CVE: CVE-2019-10214, CVE-2019-14378, CVE-2019-9946