OracleVM 3.3 / 3.4 : nss / nss-util (OVMSA-2017-0065)

high Nessus Plugin ID 99568

Synopsis

The remote OracleVM host is missing one or more security updates.

Description

The remote OracleVM system is missing necessary patches to address critical security updates :

nss

- Added nss-vendor.patch to change vendor

- Temporarily disable some tests until expired PayPalEE.cert is renewed

- Rebase to 3.28.4

- Fix crash with tstclnt -W

- Adjust gtests to run with our old softoken and downstream patches

- Avoid cipher suite ordering change, spotted by Hubert Kario

- Rebase to 3.28.3

- Remove upstreamed moz-1282627-rh-1294606.patch, moz-1312141-rh-1387811.patch, moz-1315936.patch, and moz-1318561.patch

- Remove no longer necessary nss-duplicate-ciphers.patch

- Disable X25519 and exclude tests using it

- Catch failed ASN1 decoding of RSA keys, by Kamil Dudka (#1427481)

- Update expired PayPalEE.cert

- Disable unsupported test cases in ssl_gtests

- Adjust the sslstress.txt filename so that it matches with the disableSSL2tests patch ported from RHEL 7

- Exclude SHA384 and CHACHA20_POLY1305 ciphersuites from stress tests

- Don't add gtests and ssl_gtests to nss_tests, unless gtests are enabled

- Add patch to fix SSL CA name leaks, taken from NSS 3.27.2 release

- Add patch to fix bash syntax error in tests/ssl.sh

- Add patch to remove duplicate ciphersuites entries in sslinfo.c

- Add patch to abort selfserv/strsclnt/tstclnt on non-parsable version range

- Build with support for SSLKEYLOGFILE

- Update fix_multiple_open patch to fix regression in openldap client

- Remove pk11_genobj_leak patch, which caused crash with Firefox

- Add comment in the policy file to preserve the last empty line

- Disable SHA384 ciphersuites when CKM_TLS12_KEY_AND_MAC_DERIVE is not provided by softoken this superseds check_hash_impl patch

- Fix problem in check_hash_impl patch

- Add patch to check if hash algorithms are backed by a token

- Add patch to disable TLS_ECDHE_[RSA,ECDSA]_WITH_AES_128_CBC_SHA256, which have never enabled in the past

- Add upstream patch to fix a crash. Mozilla #1315936

- Disable the use of RSA-PSS with SSL/TLS. #1390161

- Use updated upstream patch for RH bug 1387811

- Added upstream patches to fix RH bugs 1057388, 1294606, 1387811

- Enable gtests when requested

- Rebase to NSS 3.27.1

- Remove nss-646045.patch, which is not necessary

- Remove p-disable-md5-590364-reversed.patch, which is no-op here, because the patched code is removed later in %setup

- Remove disable_hw_gcm.patch, which is no-op here, because the patched code is removed later in %setup.
Also remove NSS_DISABLE_HW_GCM setting, which was only required for RHEL 5

- Add Bug-1001841-disable-sslv2-libssl.patch and Bug-1001841-disable-sslv2-tests.patch, which completedly disable EXPORT ciphersuites. Ported from RHEL 7

- Remove disable-export-suites-tests.patch, which is covered by Bug-1001841-disable-sslv2-tests.patch

- Remove nss-ca-2.6-enable-legacy.patch, as we decided to not allow 1024 legacy CA certificates

- Remove ssl-server-min-key-sizes.patch, as we decided to support DH key size greater than 1023 bits

- Remove nss-init-ss-sec-certs-null.patch, which appears to be no-op, as it clears memory area allocated with PORT_ZAlloc

- Remove nss-disable-sslv2-libssl.patch, nss-disable-sslv2-tests.patch, sslauth-no-v2.patch, and nss-sslstress-txt-ssl3-lower-value-in-range.patch as SSLv2 is already disabled in upstream

- Remove fix-nss-test-filtering.patch, which is fixed in upstream

- Add nss-check-policy-file.patch from Fedora

- Install policy config in /etc/pki/nss-legacy/nss-rhel6.config

nss-util

- Rebase to NSS 3.28.4 to accommodate base64 encoding fix

- Rebase to NSS 3.28.3

- Package new header eccutil.h

- Tolerate policy file without last empty line

- Add missing source files

- Rebase to NSS 3.26.0

- Remove upstreamed patch for (CVE-2016-1950)

- Remove p-disable-md5-590364-reversed.patch for bug 1335915

Solution

Update the affected packages.

See Also

http://www.nessus.org/u?3652e035

http://www.nessus.org/u?97bdc28b

Plugin Details

Severity: High

ID: 99568

File Name: oraclevm_OVMSA-2017-0065.nasl

Version: 3.5

Type: local

Published: 4/21/2017

Updated: 1/4/2021

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: Medium

Base Score: 6.8

Temporal Score: 5

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P

CVSS v3

Risk Factor: High

Base Score: 8.8

Temporal Score: 7.7

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: cpe:/o:oracle:vm_server:3.3, p-cpe:/a:oracle:vm:nss-tools, p-cpe:/a:oracle:vm:nss-sysinit, p-cpe:/a:oracle:vm:nss-util, cpe:/o:oracle:vm_server:3.4, p-cpe:/a:oracle:vm:nss

Required KB Items: Host/local_checks_enabled, Host/OracleVM/release, Host/OracleVM/rpm-list

Exploit Ease: No known exploits are available

Patch Publication Date: 4/20/2017

Vulnerability Publication Date: 3/13/2016

Reference Information

CVE: CVE-2016-1950