Oracle Linux 9 : NetworkManager (ELSA-2024-9317)

low Nessus Plugin ID 211547

Synopsis

The remote Oracle Linux host is missing a security update.

Description

The remote Oracle Linux 9 host has packages installed that are affected by a vulnerability as referenced in the ELSA-2024-9317 advisory.

[1.48.10-2.0.1]
- disable MPTCP handling by default [Orabug: 34801142]
- add connectivity check via Oracle servers [Orabug: 32051972]

[1:1.48.10-2]
- cloud-setup: Allow bigger restart bursts (RHEL-56740)
- cloud-setup: Fix Azure swap of primary and secondary IP addresses (RHEL-56387)

[1:1.48.10-1]
- Unblock the autoconnect for children when parent is available (RHEL-46904)
- Fix crash produced by malformed LLDP package when debug logging (RHEL-46199)
- Support reapplying bridge-port VLANs (RHEL-26750)
- Add small backoff time before resync (RHEL-29902)

[1:1.46.8-1]
- Stop writing offensive terms into keyfiles (RHEL-52597)
- Remove offensive words (RHEL-33368)
- Fix cloned-mac-address race condition with DHCP on ovs-interfaces (RHEL-49796)

[1:1.48.6-1]
- Wait until link is ready before activating for ovs-interface (RHEL-49796)
- Fix rollback on OVS checkpoint (RHEL-31972)
- Assert that the auto-activate list is empty on dispose (RHEL-44345)

[1:1.48.4-1]
- Update to 1.48.4 release
- Support matching an OVS system interface by MAC address (RHEL-34617)
- When looking up the system hostname from the reverse DNS lookup of addresses configured on interfaces, NetworkManager now takes into account the content of /etc/hosts (RHEL-33435)

[1:1.48.2-2]
- Add ipcalc as dependency of NetworkManager-dispatcher-routing-rules (RHEL-36648)

[1:1.48.2-1]
- Update to 1.48.2 release
- Save connection timestamps when shutting down (RHEL-35539)
- Fix regression with OpenVPN dynamic challenge (RHEL-43720)

[1:1.48.0-1]
- Upgrade to 1.48.0 release

[1:1.47.91-1]
- Upgrade to 1.47.91 (rc2)

[1:1.47.90-1]
- Upgrade to 1.47.90 (rc1)

[1:1.47.5-1]
- Fix a crash during shutdown (RHEL-29856)

[1:1.47.4-1]
- Fix LLDP support for interfaces attached to OVS bridges. (RHEL-1418)
- Fix NMCI crashes on ovs_mtu and bond tests. (RHEL-30348)

[1.47.3-2]
- Rebuild for CI gating

[1.47.3-1]
- Upgrade to 1.47.3 release (development)
- Support rollback on global DNS (RHEL-23446)
- Support VLAN over OVS interface which holds the same name as OVS bridge (RHEL-26753)

* Fri Mar 08 2024 Inigo Huguet
- Update to 1.47.2 release (development)
- Support sending DHCPRELEASE (RHEL-17310)

* Thu Feb 22 2024 Stanislas FAYE
- Update to 1.46.0 release
- Fix DHCPv4 lease can't be renewed after it expires (RHEL-24127)
- Support the MACsec offload mode (RHEL-24337)
- Support creating generic devices via external 'device-handler' dispatcher (RHEL-1567)
- Support changing the eswitch mode (RHEL-1441)

[1.45.91-1]
- Update to 1.45.91 release (release candidate)
- Support changing the DSCP header field for DHCP packets, and set the default to CS0 (RHEL-16040)
- Deprecate connection.autoconnect-slaves in favour of autoconnect-ports (RHEL-17621)
- Don't reset bridge's PVID in reapply if it didn't change (RHEL-21576)

[1.45.90-1]
- Update to 1.45.90 release (release candidate)
- Deprecate and Replace connection.slave-type in libnm-core and libnm (RHEL-17620)
- [RFE] Support assigning IPv4 static route to interface without IPv4 address (RHEL-5098)

[1.45.10-1]
- Update to 1.45.10 (development)
- Deprecate and Replace connection.master in libnm-core and libnm (RHEL-17619)

[1.45.9-1]
- Update to 1.45.9 (development)
- Add support for PRP/HSR interface (RHEL-5852)
- Drop support for the 'slaves-order' option in NetworkManager.conf (RHEL-19437)
- Return error when setting invalid IP addresses or properties via D-Bus (RHEL-19315)
- Fix extra route being created besides ECMP route (RHEL-1682)

[1.45.8-1]
- Update to 1.45.8 (development)
- Introduce 'stable-ssid' option for wifi.cloned-mac-address property (RHEL-16470)

[1.45.7-1]
- Update to 1.45.7 release (development)
- Migrate to SPDX license

[1.45.6-1]
- Update to 1.45.6 release (development)
- Fix ovs activation with netdev datapath and cloned MAC (RHEL-5886)

[1.45.5-1]
- Update to 1.45.5 release (development)
- Various fixes to Duplicate Address Detection (DAD) (RHEL-1581, RHEL-1411)
- New option to avoid sending the DHCPv4 client-identifier (RHEL-1469)
- Support setting channels in ethtool options (RHEL-1471)

[1.45.4-1]
- Update to 1.45.4 release (development)
- Add 'dns-change' dispatcher event (RHEL-1671)

[1.45.3-1]
- Update to 1.45.3 release (development)
- Improve explanation of the format and routes properties in keyfile man page (RHEL-1407)
- Improve nm-settings-nmcli manpage to show format and valid values of properties (RHEL-2465)
- Honor the autoactivate priority for port connections (RHEL-2202)
- Properly document valid values for ip-tunnel properties (RHEL-1459)

[1.45.2-1]
- update to 1.45.2 release (development)

[1.44.0-4]
- Rebuild for RHEL 9.4

[1:1.44.0-3]
- checkpoint: Fix segfault crash when rollback (rhel-1526)

[1:1.44.0-2]
- manager: ensure device is exported on D-Bus in authentication request (rh #2210271)

[1:1.44.0-1]
- update to 1.44.0 release
- nmcli: add nmcli version mismatch warning (rh #2173196)
- checkpoint: preserve devices that were removed and readded (rh #2177590)

[1:1.43.90-1]
- update to 1.43.90 release (release candidate)
- manager: allow controller activation if device is deactivating (rh #2125615)
- assume: change IPv6 method from 'ignore' and 'disabled' into 'auto' for loopback device (rh #2207878)
- device: delete software device when lose carrier and is controller (rh #2224479)
- core: better handle ignore-carrier=no for bond/bridge/team devices (rh #2180363)

[1:1.43.11-1]
- update to 1.43.11 release (development)
- fix assertion about missing ifindex when resetting MAC (rh #2215022)
- fix wrong order of entries in resolv.conf after reconnect (rh #2218448)
- do not fail activation when SR-IOV VF parameters can't be applied (rh #2210164)
- warn that the ifcfg-rh plugin is deprecated (rh #2190375)

[1:1.43.10-1]
- Update to 1.43.10 release (development)
- fix reading infiniband p-key from ifcfg files (rh #2209974)
- improve autoconnect when selecting controller (rh #2121451)
- fix managing devices after network reconnect (rh #2149012)
- better handle ignore-carrier for bond/bridge/team (rh #2180363)
- cloud-setup: block wait-online while configuration is ongoing (rh #2151040)
- cloud-setup: avoid leaving half configured system (rh #2207812)
- cloud-setup: log warning when no provider detected (rh #2214880)
- cloud-setup: fix RPM description (rh #2214491)

[1:1.43.9-1]
- Update to 1.43.9 release (development)
- improve autoconnect logic for port/controller configurations (rh #2121451)
- fix handling external devices during network off/on (rh #2149012)

[1:1.43.8-1]
- Update to 1.43.8 release (development)
- ipv6ll: don't regenerate the address when it's removed externally (rh #2196441)

[1:1.43.7-1]
- Update to 1.43.7 release (development)
- bond: support port priorities (rh #2152304)
- ovs: fix autoconnect race (rh #2152864)

[1:1.43.6-1]
- Update to 1.43.6 release (development)
- fix assertion failure when renewing DHCP lease (rh #2179890)
- emit the dhcp-change dispatcher script event on lease renewal (rh #2179537)
- ensure the NetworkManager is restarted when dbus is restarted (rh #2161915)
- add support for the 'no-aaaa' resolv.conf option (rh #2176137)

[1:1.43.5-1]
- Update to 1.43.5 release (development)
- cloud-init/ec2: use right HTTP method for IMDSv2 (rh #2179718)
- core: request a bus name only when dbus objects are present (rh #2175919)
- core: fix autoconnect retry count tracking (rh #2174353)
- core: fix retry on netlink socket buffer exhaustion (rh #2169512)
- ovs: fix a race condition on port detachment (rh #2054933)

[1:1.43.4-1]
- Update to 1.43.4 release (development)
- core: fix handling of IPv4 prefsrc routes with ACD (rh #2046293)
- core: don't configure static routes without addresses (rh #2102212)
- core: fix race activating VLAN devices (rh #2155991)

[1:1.43.3-1]
- Update to an early 1.44 snapshot
- cloud-setup: add IMDSv2 support (rh #2151986)
- core: add [link] setting (rh #2158328)
- dhcp: expose client ID, DUID and IAID that have been used (rh #2169869)
- ovs: ensure device has a proper MAC address once we start dhcp (rh #2168477)
- team: fix assumption of team port management (rh #2092215)

[1:1.42.2-1]
- Update to 1.42.2 release
- fix hostname lookup from IPv6 address (rh #2167816)
- add new connection property to remove the autogenerated local route rule (rh #2167805)
- fix race condition while setting the MAC of an OVS interface (rh #2168477)
- expose the DHCP IAID in the lease information (rh #2169869)

[1:1.42.0-1]
- Update to 1.42.0 release

[1:1.41.91-1]
- Update to 1.41.91 release (release candidate)
- core: retry if a rtnetlink socket runs out of buffer space (rh #2154350)
- dns: allow changing resolv.conf options alone via global-dns (rh #2019306)

[1:1.41.90-1]
- Update to 1.41.90 release (release candidate)
- l3cfg: schedule an update after every commit-type/config-data register/unregister (rh #2158394)
- all: add support for ovs-dpdk n-rxq-desc and n-txq-desc (rh #2156385)
- core: fix consistency for internal cache for IPv6 routes (rh #2060684)

[1:1.41.8-1]
- Update to 1.41.8 release (development)
- core: add support for equal-cost multi-path (ECMP) routes (rh #2081302)
- device: preserve the DHCP lease during reapply (rh #2117352)
- ovs: add support for 'other_config' settings (rh #2151455)

[1:1.41.7-2]
- core: avoid infinite autoconnect with multi-connect profiles (rh #2150000)

[1:1.41.7-1]
- Update to 1.41.7 release (development)
- macsec: fix tracking of parent ifindex (rh #2122564)
- cloud-setup: set preserve-external-ip flag during reapply (rh #2132754)

[1:1.41.6-1]
- Update to 1.41.6 release (development)
- add support for loopback interfaces (rh #2073512)
- ovs: support VLAN trunks for OVS port (rh #2111959)

[1:1.41.5-1]
- Update to 1.41.5 release (development)

Tenable has extracted the preceding description block directly from the Oracle Linux security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Solution

Update the affected packages.

See Also

https://linux.oracle.com/errata/ELSA-2024-9317.html

Plugin Details

Severity: Low

ID: 211547

File Name: oraclelinux_ELSA-2024-9317.nasl

Version: 1.1

Type: local

Agent: unix

Published: 11/19/2024

Updated: 11/19/2024

Supported Sensors: Continuous Assessment, Frictionless Assessment Agent, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Low

Score: 2.2

CVSS v2

Risk Factor: Low

Base Score: 2.6

Temporal Score: 1.9

Vector: CVSS2#AV:N/AC:H/Au:N/C:N/I:N/A:P

CVSS Score Source: CVE-2024-6501

CVSS v3

Risk Factor: Low

Base Score: 3.1

Temporal Score: 2.7

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:oracle:linux:networkmanager-dispatcher-routing-rules, cpe:/o:oracle:linux:9:5:baseos_base, p-cpe:/a:oracle:linux:networkmanager-team, p-cpe:/a:oracle:linux:networkmanager-ppp, cpe:/a:oracle:linux:9::appstream, p-cpe:/a:oracle:linux:networkmanager-bluetooth, cpe:/o:oracle:linux:9, p-cpe:/a:oracle:linux:networkmanager-libnm-devel, p-cpe:/a:oracle:linux:networkmanager-wwan, p-cpe:/a:oracle:linux:networkmanager-config-connectivity-oracle, p-cpe:/a:oracle:linux:networkmanager-wifi, p-cpe:/a:oracle:linux:networkmanager-tui, cpe:/a:oracle:linux:9::codeready_builder, p-cpe:/a:oracle:linux:networkmanager-cloud-setup, p-cpe:/a:oracle:linux:networkmanager-config-server, p-cpe:/a:oracle:linux:networkmanager-ovs, p-cpe:/a:oracle:linux:networkmanager-adsl, p-cpe:/a:oracle:linux:networkmanager-initscripts-updown, p-cpe:/a:oracle:linux:networkmanager, cpe:/a:oracle:linux:9:5:appstream_base, p-cpe:/a:oracle:linux:networkmanager-libnm, cpe:/o:oracle:linux:9::baseos_latest

Required KB Items: Host/OracleLinux, Host/RedHat/release, Host/RedHat/rpm-list, Host/local_checks_enabled

Exploit Ease: No known exploits are available

Patch Publication Date: 11/14/2024

Vulnerability Publication Date: 7/9/2024

Reference Information

CVE: CVE-2024-6501