Amazon Linux AMI : python27 Multiple Vulnerabilities (ALAS-2012-81)

This script is Copyright (C) 2013 Tenable Network Security, Inc.


Synopsis :

The remote Amazon Linux AMI host is missing a security update.

Description :

The SSL protocol, as used in certain configurations in Microsoft
Windows and Microsoft Internet Explorer, Mozilla Firefox, Google
Chrome, Opera, and other products, encrypts data by using CBC mode
with chained initialization vectors, which allows man-in-the-middle
attackers to obtain plaintext HTTP headers via a blockwise
chosen-boundary attack (BCBA) on an HTTPS session, in conjunction with
JavaScript code that uses (1) the HTML5 WebSocket API, (2) the Java
URLConnection API, or (3) the Silverlight WebClient API, aka a 'BEAST'
attack. (CVE-2011-3389)

python: SimpleXMLRPCServer CPU usage DoS via malformed XML-RPC request
(CVE-2012-0845)

python: hash table collisions CPU usage DoS (CVE-2012-1150)

See also :

http://www.nessus.org/u?b40f3185

Solution :

Run 'yum update python27' to update your system.

Risk factor :

Medium / CVSS Base Score : 5.0
(CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P)

Family: Amazon Linux Local Security Checks

Nessus Plugin ID: 69688

CVE ID: CVE-2011-3389, CVE-2012-0845, CVE-2012-1150