Detections
Analytics
Oracle Linux 7 : glibc (ELSA-2024-12444)
high Nessus Plugin ID 200741
Language:
Synopsis
The remote Oracle Linux host is missing one or more security updates.Description
The remote Oracle Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2024-12444 advisory.[2.17-326.0.9.3]
- Forward-port Oracle patches to 2.17-326.3 Reviewed-by: Jose E. Marchesi <[email protected]> Oracle history:
June-22-2023 Cupertino Miranda <[email protected]> - 2.17-326.0.9
- OraBug 35517820 Reworked previous patch for OraBug 35318841 and removed free() of stack allocations.
Reviewed-by: Jose E. Marchesi <[email protected]> June-20-2023 Cupertino Miranda <[email protected]> - 2.17-326.0.7
- OraBug 35517820 Do not allocate heap memory in __nptl_tunables_init.
- This issue was introduced and fixed in patch related to OraBug 35318841.
Reviewed-by: Jose E. Marchesi <[email protected]> April-21-2023 Cupertino Miranda <[email protected]> - 2.17-326.0.5
- OraBug 35318841 Glibc tunable to disable huge pages on pthread_create stacks Reviewed-by: Jose E. Marchesi <[email protected]> December-19-2022 Cupertino Miranda <[email protected]> - 2.17-326.0.3
- OraBug 34909902 vDSO timer functions support on i686 Reviewed-by: Jose E. Marchesi <[email protected]> May-18-2022 Patrick McGehearty <[email protected]> - 2.17-326.0.1
- Forward-port Oracle patches to 2.17-326.
Reviewed-by: Jose E. Marchesi <[email protected]> April-26-2022 Patrick McGehearty <[email protected]> - 2.17-325.0.3
- OraBug 33968985 Security Patches This release fixes CVE-2022-23219, CVE-2022-23218, and CVE-2021-3999 Reviewed-by: Jose E. Marchesi <[email protected]> October-12-2021 Patrick McGehearty <[email protected]> - 2.17-325.0.1
- Merge el7 u9 errata4 patch with Oracle patches Review-exception: Simple merge
- Merge el7 u9 errata patches with Oracle patches Review-exception: Simple merge
- Adding three arm specific patches to allow glibc x86 tree to be used for
- ILOM and other arm builds Reviewed-by: Jose E. Marchesi <[email protected]>
- Merge el7 u8 patches with Oracle patches Review-exception: Simple merge
- Adding Mike Fabian's C.utf-8 patch (C.utf-8 is a unicode-aware version of the C locale) Orabug 29784239.
Reviewed-by: Jose E. Marchesi <[email protected]>
- Remove glibc-ora28641867.patch as duplicate of glibc-rh1705899-4.patch
- Make _IO_funlockfile match __funlockfile and _IO_flockfile match __flockfile Both should test if ((stream->_flags & _IO_USER_LOCK) == 0)
_IO_lock_lock (*stream->_lock);
OraBug 28481550.
Reviewed-by: Jose E. Marchesi <[email protected]>
- Modify glibc-ora28849085.patch so it works with RHCK kernels.
Orabug 28849085.
- Reviewed-by: Egeyar Bagcioglu <[email protected]>
- Use NLM_F_SKIP_STATS in uek2 and RTEXT_FILTER_SKIP_STATS in uek4 in getifaddrs.
- Orabug 28849085
- Reviewed-by: Patrick McGehearty <[email protected]>
- Mention CVE numbers in the .spec file for CVE-2015-8983 and CVE-2015-8984.
- Orabug 25558067.
- Reviewed-by: Egeyar Bagcioglu <[email protected]>
- Regenerate plural.c
- OraBug 28806294.
- Reviewed-by: Jose E. Marchesi <[email protected]>
- intl: Port to Bison 3.0
- Backport of upstream gettext commit 19f23e290a5e4a82b9edf9f5a4f8ab6192871be9
- OraBug 28806294.
- Reviewed-by: Patrick McGehearty <[email protected]>
- Fix dbl-64/wordsize-64 remquo (bug 17569).
- Backport of upstream d9afe48d55a412e76b0dcb28335fd4b390fe07ae
- OraBug 19570749.
- Reviewed-by: Jose E. Marchesi <[email protected]>
- libio: Disable vtable validation in case of interposition.
- Backport of upstream c402355dfa7807b8e0adb27c009135a7e2b9f1b0.
- OraBug 28641867.
- Reviewed-by: Egeyar Bagcioglu <[email protected]>
- Include-linux-falloc.h-in-bits-fcntl-linux.h
- Defines FALLOC_FL_PUNSH_HOLE, FALLOC_FL_KEEP_SIZE, FALLOC_FL_COLLAPSE_RANGE, and FALLOC_FL_ZERO_RANGE
- OraBug 28483336
- Add MAP_SHARED_VALIDATE and MAP_SYNC flags to
- sysdeps/unix/sysv/linux/x86/bits/mman.h
- OraBug 28389572
- Update bits/siginfo.h with Linux hwpoison SIGBUS changes.
- Adds new SIGBUS error codes for hardware poison signals, syncing with the current kernel headers (v3.9).
- It also adds si_trapno field for alpha.
- New values: BUS_MCEERR_AR, BUS_MCEERR_AO
- OraBug 28124569
Tenable has extracted the preceding description block directly from the Oracle Linux security advisory.
Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.
Solution
Update the affected packages.See Also
Plugin Details
Severity: High
ID: 200741
File Name: oraclelinux_ELSA-2024-12444.nasl
Version: 1.4
Type: local
Agent: unix
Published: 6/19/2024
Updated: 11/4/2024
Supported Sensors: Continuous Assessment, Frictionless Assessment Agent, Nessus Agent, Nessus
Risk Information
VPR
Risk Factor: High
Score: 8.3
CVSS v2
Risk Factor: High
Base Score: 9
Temporal Score: 7.4
Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:P/A:P
CVSS Score Source: CVE-2024-2961
CVSS v3
Risk Factor: High
Base Score: 8.6
Temporal Score: 8
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L
Temporal Vector: CVSS:3.0/E:F/RL:O/RC:C
CVSS Score Source: CVE-2024-33602
Vulnerability Information
CPE: cpe:/a:oracle:linux:7::userspace_ksplice, p-cpe:/a:oracle:linux:glibc-headers, p-cpe:/a:oracle:linux:nscd, cpe:/o:oracle:linux:7, p-cpe:/a:oracle:linux:glibc, p-cpe:/a:oracle:linux:glibc-utils, p-cpe:/a:oracle:linux:glibc-static, p-cpe:/a:oracle:linux:glibc-common, p-cpe:/a:oracle:linux:glibc-devel
Required KB Items: Host/OracleLinux, Host/RedHat/release, Host/RedHat/rpm-list, Host/local_checks_enabled
Exploit Available: true
Exploit Ease: Exploits are available
Patch Publication Date: 6/19/2024
Vulnerability Publication Date: 4/5/2024
Exploitable With
Metasploit (CosmicSting: Magento Arbitrary File Read (CVE-2024-34102) + PHP Buffer Overflow in the iconv() function of glibc (CVE-2024-2961))
Reference Information
CVE: CVE-2024-2961, CVE-2024-33599, CVE-2024-33600, CVE-2024-33601, CVE-2024-33602