SUSE SLED15 / SLES15 / openSUSE 15 : Recommended update for mojo-parent (SUSE-SU-SUSE-RU-2024:3971-1)

high Nessus Plugin ID 210762

Synopsis

The remote SUSE host is missing a security update.

Description

The remote SUSE Linux SLED15 / SLED_SAP15 / SLES15 / SLES_SAP15 / openSUSE 15 host has packages installed that are affected by a vulnerability as referenced in the SUSE-SU-SUSE-RU-2024:3971-1 advisory.

xalan-j2 was updated from version 2.7.2 to 2.7.3:

- Security issues fixed:

* CVE-2022-34169: Fixed integer truncation issue when processing malicious XSLT stylesheets (bsc#1201684)

- Changes and Bugs fixed:

* Java 8 is now the minimum requirement
* Upgraded to Apache Commons BCEL 6.7.0
* Upgraded to Xerces-J 2.12.2

mojo-parent was updated from version 70 to 82:

- Main changes:

* Potentially Breaking Changes:

+ mojo.java.target should be set as '8', without '1.'
+ spotless plugin must be executed by JDK 11 at least
+ ossrh-snapshots repository was removed from parent

* New features and improvements:

+ Removed SHA-512 checksum for source release artifact
+ Use only project version as tag for release
+ Added space before close empty elements in poms by spotless
+ Using Checkstyle together with Spotless
+ Introduce spotless for automatic code formatting
+ Introduce enforcer rule for minimal version of Java and Maven
+ Use new Plugin Tools report - maven-plugin-report-plugin
+ Added sisu-maven-plugin
+ Introduced maven.version property
+ Execute spotless by JDK 11 at least
+ Use release options for m-compiler-p with newer JDKs
+ Allow override of invoker.streamLogsOnFailures
+ Require Maven 3.9.x at least for releases
+ Added maven-wrapper-plugin to pluginManagement
+ Removed ossrh-snapshots repository from MojoHaus parent
+ Added build-helper-maven-plugin to pluginManagement
+ Require Maven 3.6.3+
+ Updated palantirJavaFormat for spotless - JDK 21 compatible
+ Added dependencyManagement for maven-shade-plugin
+ Dropped recommendedJavaBuildVersion property
+ Format Markdown files with Spotless Plugin

* Bugs fixed:

+ Restore source release distribution in child projects
+ Rename property maven.version to mavenVersion
+ minimalMavenBuildVersion should not be overridden by mavenVersion
+ Use simple checkstyle rules since spotless is executed by default
+ Use old spotless version only for JDK < 11
+ Fixed spotless configuration for markdown

- Other changes:

* Removed Google search box due to privacy
* Put version for mrm-maven-plugin in property
* Added streamLogsOnFailures to m-invoker-p
* Added property for maven-fluido-skin version
* Setup Apache Matomo analytics
* Require Maven 3.2.5
* Added SHA-512 hashes
* Extract plugin version as variable so child pom can override if needed
* Removed issue-tracking as no longer exists
* Removed cim report as no longer exists

bcel was updated from version 5.2 to 6.10:

- Many APIs have been extended
- Added riscv64 support
- Various bugs were fixed

apache-commons-lang3 was updated from version 3.12.0 to 3.16.0:

- Included new APIs that are needed by bcel 6.x
- Various minor bugs were fixed

xerces-j2:

- Improved RPM packaging build instructions

netty3:

- Generate sources with protobuf instead of using pre-generated ones

Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Solution

Update the affected packages.

See Also

https://lists.suse.com/pipermail/sle-updates/2024-November/037527.html

https://www.suse.com/security/cve/CVE-2022-34169

Plugin Details

Severity: High

ID: 210762

File Name: suse_SU-RU-2024-3971-1.nasl

Version: 1.1

Type: local

Agent: unix

Published: 11/12/2024

Updated: 11/12/2024

Supported Sensors: Agentless Assessment, Continuous Assessment, Frictionless Assessment Agent, Frictionless Assessment AWS, Frictionless Assessment Azure, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 4.4

CVSS v2

Risk Factor: High

Base Score: 7.8

Temporal Score: 6.1

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:C/A:N

CVSS Score Source: CVE-2022-34169

CVSS v3

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.7

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:novell:suse_linux:bcel, p-cpe:/a:novell:suse_linux:netty3, p-cpe:/a:novell:suse_linux:xerces-j2, p-cpe:/a:novell:suse_linux:apache-commons-lang3, p-cpe:/a:novell:suse_linux:xalan-j2, cpe:/o:novell:suse_linux:15

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/SuSE/release, Host/SuSE/rpm-list

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 11/11/2024

Vulnerability Publication Date: 7/19/2022

Reference Information

CVE: CVE-2022-34169

SuSE: SUSE-RU-2024:3971-1