Oracle Linux 8 : ovirt-engine (ELSA-2024-12701)

medium Nessus Plugin ID 208037

Synopsis

The remote Oracle Linux host is missing a security update.

Description

The remote Oracle Linux 8 host has packages installed that are affected by a vulnerability as referenced in the ELSA-2024-12701 advisory.

[4.4.10.7-1.0.33]
- Fix external providers properties observability

[4.4.10.7-1.0.32]
- Upgrade bundled frontend dependency of jquery-ui

[4.4.10.7-1.0.31]
- Allow enrolling certificates in non-responsive state and extend the lifetime of non-web certificates

[4.4.10.7-1.0.30]
- Fix network exception handling and fencing flow logic.

[4.4.10.7-1.0.29]
- Fixing the manage events form email display

[4.4.10.7-1.0.28]
- Remove taa-no from Secure Skylake Server

[4.4.10.7-1.0.27]
- Updating the jquery to 3.6.0

[4.4.10.7-1.0.26]
- Check locale for path traversal character

[4.4.10.7-1.0.25]
- Hide the icons directory from listable directories

[4.4.10.7-1.0.24]
- Fixed the packing of ova where ovf length was changed after encoding

[4.4.10.7-1.0.23]
- Fixed the issue of renewing vm-console-proxy and ovn certificates during engine-setup

[4.4.10.7-1.0.22]
- Fix the engine url for vmconsole to use https protocol

[4.4.10.7-1.0.21]
- Fix classpath for SecureByteArrayOutputStream after apache-sshd-2.9 update

[4.4.10.7-1.0.20]
- Wait for loop device to be available

[4.4.10.7-1.0.19]
- Clean old nvram file on vm emulator update to uefi secure boot

[4.4.10.7-1.0.18]
- Added support to use postgresql-jdbc-42.2.14-1 and spring framework 5.3.19
- Cleanup the spec file to remove unneeded or commented lines

[4.4.10.7-1.0.17]
- Stopping the ovirt-engine-dwh service and setting the DwhCurrentlyRunning to 0 when changing password encryption from md5 to scram-sha-256.

[4.4.10.7-1.0.16]
- Included the condition of origin as NULL while inserting the data in vm_ovf_generations table

[4.4.10.7-1.0.15]
- Fix to parse both uppercase and camelcase instanceID in OvfReader

[4.4.10.7-1.0.14]
- Back Port from upstream 4.5 - https://gerrit.ovirt.org/c/ovirt-engine/+/116317/

[4.4.10.7-1.0.13]
- Remove movirt as it is deprecated upstream

[4.4.10.7-1.0.12]
- Changing the password encryption type in postgres from md5 to scram-sha-256

[4.4.10.7-1.0.11]
- Add NumOfPciExpressPorts as configurable attribute

[4.4.10.7-1.0.10]
- Forward port - Support for Windows 11 and Windows Server 2022

[4.4.10.7-1.0.9]
- Forward port from 4.3.6.6-1.0.16, added Skylake-Server-noTSX-IBRS and Cascadelake-Server-noTSX CPU Types

[4.4.10.7-1.0.8]
- Forward Port - Fix qxl video

[4.4.10.7-1.0.7]
- Forward Port - Fix NPE during ova import operation

[4.4.10.7-1.0.6]
- Forward Port from 4.3 - Handle ova when origin is null and storage disk is block

[4.4.10.7-1.0.5]
- Forward Port from 4.3 - Remove unnecessary name length restriction for templates.

[4.4.10.7-1.0.4]
- Port forward - Add hsts response header to httpd conf

[4.4.10.7-1.0.3]
- Remove memory limit

[4.4.10.7-1.0.2]
- Fix OS detection

[4.4.10.7]
- Bump version to 4.4.10.7

[4.4.10.6]
- Bump version to 4.4.10.6

[4.4.10.5]
- Bump version to 4.4.10.5

[4.4.10.4]
- Bump version to 4.4.10.4

[4.4.10.3]
- Bump version to 4.4.10.3

[4.4.10.2]
- Bump version to 4.4.10.2

[4.4.10.1]
- Bump version to 4.4.10.1

[4.4.10]
- Bump version to 4.4.10

[4.4.9.2]
- Bump version to 4.4.9.2

[4.4.9.1]
- Bump version to 4.4.9.1

[4.4.9]
- Bump version to 4.4.9

[4.4.8.4]
- Bump version to 4.4.8.4

[4.4.8.3]
- Bump version to 4.4.8.3

[4.4.8.2]
- Bump version to 4.4.8.2

[4.4.8.1]
- Bump version to 4.4.8.1

[4.4.8]
- Bump version to 4.4.8

[4.4.7.6]
- Bump version to 4.4.7.6

[4.4.7.5]
- Bump version to 4.4.7.5

[4.4.7.4]
- Bump version to 4.4.7.4

[4.4.7.3]
- Bump version to 4.4.7.3

[4.4.7.2]
- Bump version to 4.4.7.2

[4.4.7.1]
- Bump version to 4.4.7.1

[4.4.7]
- Bump version to 4.4.7

[4.4.6.6]
- Bump version to 4.4.6.6

[4.4.6.5]
- Bump version to 4.4.6.5

[4.4.6.4]
- Bump version to 4.4.6.4

[4.4.6.3]
- Bump version to 4.4.6.3

[4.4.6.2]
- Bump version to 4.4.6.2

[4.4.6.1]
- Bump version to 4.4.6.1

[4.4.6]
- Bump version to 4.4.6

[4.4.5.8]
- Bump version to 4.4.5.8

[4.4.5.7]
- Bump version to 4.4.5.7

[4.4.5.6]
- Bump version to 4.4.5.6

[4.4.5.5]
- Bump version to 4.4.5.5

[4.4.5.4]
- Bump version to 4.4.5.4

[4.4.5.3]
- Bump version to 4.4.5.3

[4.4.5.2]
- Bump version to 4.4.5.2

[4.4.5.1]
- Bump version to 4.4.5.1

[4.4.5]
- Bump version to 4.4.5

[4.4.4.5]
- Bump version to 4.4.4.5

[4.4.4.4]
- Bump version to 4.4.4.4

[4.4.4.3]
- Bump version to 4.4.4.3

[4.4.4.2]
- Bump version to 4.4.4.2

[4.4.4.1]
- Bump version to 4.4.4.1

[4.4.4]
- Bump version to 4.4.4

[4.4.3.11]
- Bump version to 4.4.3.11

[4.4.3.10]
- Bump version to 4.4.3.10

[4.4.3.9]
- Bump version to 4.4.3.9

[4.4.3.8]
- Bump version to 4.4.3.8

[4.4.3.7]
- Bump version to 4.4.3.7

[4.4.3.6]
- Bump version to 4.4.3.6

[4.4.3.5]
- Bump version to 4.4.3.5

[4.4.3.4]
- Bump version to 4.4.3.4

[4.4.3.3]
- Bump version to 4.4.3.3

[4.4.3.2]
- Bump version to 4.4.3.2

[4.4.3.1]
- Bump version to 4.4.3.1

[4.4.3]
- Bump version to 4.4.3

[4.4.2.2]
- Bump version to 4.4.2.2

[4.4.2.1]
- Bump version to 4.4.2.1

[4.4.2]
- Bump version to 4.4.2

[4.4.1.8]
- Bump version to 4.4.1.8

[4.4.1.7]
- Bump version to 4.4.1.7

[4.4.1.6]
- Bump version to 4.4.1.6

[4.4.1.5]
- Bump version to 4.4.1.5

[4.4.1.4]
- Bump version to 4.4.1.4

[4.4.1.3]
- Bump version to 4.4.1.3

[4.4.1.2]
- Bump version to 4.4.1.2

[4.4.1.1]
- Bump version to 4.4.1.1

[4.4.1]
- Bump version to 4.4.1

[4.4.0.3]
- Bump version to 4.4.0.3

[4.4.0.2]
- Bump version to 4.4.0.2

[4.4.0.1]
- Bump version to 4.4.0.1

[4.4.0]
- Bump version to 4.4.0

[4.3.2.1]
- Bump version to 4.3.2.1

[4.3.2]
- Bump version to 4.3.2

[4.3.1.1]
- Bump version to 4.3.1.1

[4.3.1]
- Bump version to 4.3.1

[4.3.0.4]
- Bump version to 4.3.0.4

[4.3.0.3]
- Bump version to 4.3.0.3

[4.3.0.2]
- Bump version to 4.3.0.2

[4.3.0.1]
- Bump version to 4.3.0.1

[4.3.0]
- Bump version to 4.3.0

[4.2.8.2]
- Bump version to 4.2.8.2

[4.2.8.1]
- Bump version to 4.2.8.1

[4.2.8]
- Bump version to 4.2.8

[4.2.7.3]
- Bump version to 4.2.7.3

[4.2.7.2]
- Bump version to 4.2.7.2

[4.2.7.1]
- Bump version to 4.2.7.1

[4.2.7]
- Bump version to 4.2.7

[4.2.6.4]
- Bump version to 4.2.6.4

[4.2.6.3]
- Bump version to 4.2.6.3

[4.2.6.2]
- Bump version to 4.2.6.2

[4.2.6.1]
- Bump version to 4.2.6.1

[4.2.6]
- Bump version to 4.2.6

[4.2.5.2]
- Bump version to 4.2.5.2

[4.2.5.1]
- Bump version to 4.2.5.1

[4.2.5]
- Bump version to 4.2.5

[4.2.4.5]
- Bump version to 4.2.4.5

[4.2.4.4]
- Bump version to 4.2.4.4

[4.2.4.3]
- Bump version to 4.2.4.3

[4.2.4.2]
- Bump version to 4.2.4.2

[4.2.4.1]
- Bump version to 4.2.4.1

[4.2.4]
- Bump version to 4.2.4

[4.2.3.3]
- Bump version to 4.2.3.3

[4.2.3.2]
- Bump version to 4.2.3.2

[4.2.3.1]
- Bump version to 4.2.3.1

[4.2.3]
- Bump version to 4.2.3

[4.2.2.6]
- Bump version to 4.2.2.6

[4.2.2.5]
- Bump version to 4.2.2.5

[4.2.2.4]
- Bump version to 4.2.2.4

[4.2.2.3]
- Bump version to 4.2.2.3

[4.2.2.2]
- Bump version to 4.2.2.2

[4.2.2.1]
- Bump version to 4.2.2.1

[4.2.2]
- Bump version to 4.2.2

[4.2.1.4]
- Bump version to 4.2.1.4

[4.2.1.3]
- Bump version to 4.2.1.3

[4.2.1.2]
- Bump version to 4.2.1.2

[4.2.1.1]
- Bump version to 4.2.1.1

[4.2.1]
- Bump version to 4.2.1

[4.2.0.2]
- Bump version to 4.2.0.2

[4.2.0.1]
- Bump version to 4.2.0.1

[4.2.0]
- Bump version to 4.2.0

[4.1.0]
- Add dependency for ovirt-engine-dashboard.
- Bump version to 4.1.0

[4.0.0]
- Bump version to 4.0.0
- Dropped Fedora < 22 and EL < 7 support

[3.6.0]
- Update dependencies and removed legacy provides / requires

[3.3.0-1]
- Bump version to 3.3.0

[3.2.0-1]
- Bump version to 3.2.0

[3.1.0-3]
- Removed image uploader, iso uploader, and log collector from this git repo. They are now in their own respective ovirt.org git repos. BZ#803240.

[3.1.0-2]
- The ovirt-engine spec file did not previously contain a BuildRequires statement for the maven package. As a result in mock environments the build failed with an error when attempting to call the 'mvn' binary - BZ#807761.

[3.1.0-1]
- Adjust code for Jboss AS 7.1

[3.1.0-1]
- Moved all hard coded paths to macros

[3.1.0-1]
- Initial build
- Cloned from RHEVM spec file

Tenable has extracted the preceding description block directly from the Oracle Linux security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Solution

Update the affected packages.

See Also

https://linux.oracle.com/errata/ELSA-2024-12701.html

Plugin Details

Severity: Medium

ID: 208037

File Name: oraclelinux_ELSA-2024-12701.nasl

Version: 1.1

Type: local

Agent: unix

Published: 10/2/2024

Updated: 10/2/2024

Supported Sensors: Continuous Assessment, Frictionless Assessment Agent, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Low

Score: 3.6

CVSS v2

Risk Factor: Medium

Base Score: 4.6

Temporal Score: 3.4

Vector: CVSS2#AV:N/AC:H/Au:M/C:C/I:N/A:N

CVSS Score Source: CVE-2024-7259

CVSS v3

Risk Factor: Medium

Base Score: 4.4

Temporal Score: 3.9

Vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:oracle:linux:ovirt-engine-backend, cpe:/o:oracle:linux:8, p-cpe:/a:oracle:linux:ovirt-engine-webadmin-portal, cpe:/a:oracle:linux:8::ovirt44, p-cpe:/a:oracle:linux:ovirt-engine-restapi, p-cpe:/a:oracle:linux:ovirt-engine-tools-backup, p-cpe:/a:oracle:linux:ovirt-engine-dbscripts, p-cpe:/a:oracle:linux:ovirt-engine-setup-plugin-imageio, p-cpe:/a:oracle:linux:ovirt-engine-health-check-bundler, p-cpe:/a:oracle:linux:ovirt-engine, p-cpe:/a:oracle:linux:ovirt-engine-websocket-proxy, p-cpe:/a:oracle:linux:ovirt-engine-tools, p-cpe:/a:oracle:linux:ovirt-engine-setup, p-cpe:/a:oracle:linux:ovirt-engine-vmconsole-proxy-helper, p-cpe:/a:oracle:linux:ovirt-engine-setup-base, p-cpe:/a:oracle:linux:ovirt-engine-setup-plugin-cinderlib, p-cpe:/a:oracle:linux:ovirt-engine-setup-plugin-ovirt-engine, p-cpe:/a:oracle:linux:ovirt-engine-setup-plugin-ovirt-engine-common, p-cpe:/a:oracle:linux:ovirt-engine-setup-plugin-vmconsole-proxy-helper, p-cpe:/a:oracle:linux:python3-ovirt-engine-lib, p-cpe:/a:oracle:linux:ovirt-engine-setup-plugin-websocket-proxy

Required KB Items: Host/OracleLinux, Host/RedHat/release, Host/RedHat/rpm-list, Host/local_checks_enabled

Exploit Ease: No known exploits are available

Patch Publication Date: 9/30/2024

Vulnerability Publication Date: 9/26/2024

Reference Information

CVE: CVE-2024-7259