The remote OracleVM system is missing necessary patches to address critical security updates :

  - fix date in the test

  - Fix (CVE-2016-6662, CVE-2016-6663) Resolves: #1397309

  - Fixed reload_acl_and_cache Resolves: #1281370

  - Add support for TLSv1.1 and TLSv1.2

  - Fixed test events_1 (end date in past) Resolves:
    #1287048

According to its self-reported version number, the version of Junos Space running on the remote device is prior to 15.1R1. It is, therefore, affected by multiple vulnerabilities :

  - An error exists within the Apache 'mod_session_dbd'     module, related to save operations for a session, due to     a failure to consider the dirty flag and to require a     new session ID. An unauthenticated, remote attacker can     exploit this to have an unspecified impact.
    (CVE-2013-2249)

  - An unspecified flaw exists in the MySQL Server component     related to error handling that allows a remote attacker     to cause a denial of service condition. (CVE-2013-5908)

  - A flaw exists within the Apache 'mod_dav' module that is     caused when tracking the length of CDATA that has     leading white space. An unauthenticated, remote attacker     can exploit this, via a specially crafted DAV WRITE     request, to cause the service to stop responding.
    (CVE-2013-6438)

  - A flaw exists within the Apache 'mod_log_config' module     that is caused when logging a cookie that has an     unassigned value. An unauthenticated, remote attacker     can exploit this, via a specially crafted request, to     cause the service to crash. (CVE-2014-0098)

  - A flaw exists, related to pixel manipulation, in the     2D component in the Oracle Java runtime that allows an     unauthenticated, remote attacker to impact availability,     confidentiality, and integrity. (CVE-2014-0429)

  - A flaw exists, related to PKCS#1 unpadding, in the     Security component in the Oracle Java runtime that     allows an unauthenticated, remote attacker to gain     knowledge of timing information, which is intended to     be protected by encryption. (CVE-2014-0453)

  - A race condition exists, related to array copying, in     the Hotspot component in the Oracle Java runtime that     allows an unauthenticated, remote attacker to execute     arbitrary code. (CVE-2014-0456)

  - A flaw exists in the JNDI component in the Oracle Java     runtime due to missing randomization of query IDs. An     unauthenticated, remote attacker can exploit this to     conduct spoofing attacks. (CVE-2014-0460)

  - A flaw exists in the Mozilla Network Security Services     (NSS) library, which is due to lenient parsing of ASN.1     values involved in a signature and can lead to the     forgery of RSA signatures, such as SSL certificates.
    (CVE-2014-1568)

  - An unspecified flaw exists in the MySQL Server component     related to the CLIENT:SSL:yaSSL subcomponent that allows     a remote attacker to impact integrity. (CVE-2014-6478)

  - Multiple unspecified flaws exist in the MySQL Server     component related to the SERVER:SSL:yaSSL subcomponent     that allow a remote attacker to impact confidentiality,     integrity, and availability. (CVE-2014-6491,     CVE-2014-6500)

  - Multiple unspecified flaws exist in the MySQL Server     component related to the CLIENT:SSL:yaSSL subcomponent     that allow a remote attacker to cause a denial of     service condition. (CVE-2014-6494, CVE-2014-6495,     CVE-2014-6496)

  - An unspecified flaw exists in the MySQL Server component     related to the C API SSL Certificate Handling     subcomponent that allows a remote attacker to disclose     potentially sensitive information. (CVE-2014-6559)

  - An unspecified flaw exists in the MySQL Server component     related to the Server:Compiling subcomponent that allows     an authenticated, remote attacker to cause a denial of     service condition. (CVE-2015-0501)

  - An XML external entity (XXE) injection vulnerability     exists in OpenNMS due to the Castor component accepting     XML external entities from exception messages. An     unauthenticated, remote attacker can exploit this, via     specially crafted XML data in a RTC post, to access     local files. (CVE-2015-0975)

  - An unspecified flaw exists in the MySQL Server component     related to the Server:Security:Privileges subcomponent     that allows a remote attacker to disclose potentially     sensitive information. (CVE-2015-2620)

  - A heap buffer overflow condition exists in QEMU in the     pcnet_transmit() function within file hw/net/pcnet.c     due to improper validation of user-supplied input when     handling multi-TMD packets with a length above 4096     bytes. An unauthenticated, remote attacker can exploit     this, via specially crafted packets, to gain elevated     privileges from guest to host. (CVE-2015-3209)

  - Multiple cross-site scripting (XSS), SQL injection, and     command injection vulnerabilities exist in Junos Space     that allow an unauthenticated, remote attacker to     execute arbitrary code. (CVE-2015-7753)

CVE-2013-5908 Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.1.72 and earlier, 5.5.34 and earlier, and 5.6.14 and earlier allows remote attackers to affect availability via unknown vectors related to Error Handling.

CVE-2014-0401 Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.1.72 and earlier, 5.5.34 and earlier, and 5.6.14 and earlier allows remote authenticated users to affect availability via unknown vectors.

CVE-2014-0437 Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.1.72 and earlier, 5.5.34 and earlier, and 5.6.14 and earlier allows remote authenticated users to affect availability via unknown vectors related to Optimizer.

CVE-2014-0393 Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.1.71 and earlier, 5.5.33 and earlier, and 5.6.13 and earlier allows remote authenticated users to affect integrity via unknown vectors related to InnoDB.

CVE-2014-0386 Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.1.71 and earlier, 5.5.33 and earlier, and 5.6.13 and earlier allows remote authenticated users to affect availability via unknown vectors related to Optimizer.

CVE-2014-0412 Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.1.72 and earlier, 5.5.34 and earlier, and 5.6.14 and earlier allows remote authenticated users to affect availability via unknown vectors related to InnoDB.

CVE-2014-0402 Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.1.71 and earlier, 5.5.33 and earlier, and 5.6.13 and earlier allows remote authenticated users to affect availability via unknown vectors related to Locking.

This update provides MariaDB 5.5.42, which fixes several security issues and other bugs. Please refer to the Oracle Critical Patch Update Advisories and the Release Notes for MariaDB for further information regarding the security vulnerabilities.

Additionally the jemalloc packages is being provided as it was previousely provided with the mariadb source code, built and used but removed from the mariadb source code since 5.5.40.

According to its self-reported version number, the remote Junos Space version is prior to 14.1R1. It is, therefore, affected by multiple vulnerabilities in bundled third party software components :

  - Multiple vulnerabilities in the bundled OpenSSL CentOS     package. (CVE-2011-4109, CVE-2011-4576, CVE-2011-4619,     CVE-2012-0884, CVE-2012-2110, CVE-2012-2333,     CVE-2013-0166, CVE-2013-0169, CVE-2014-0224)

  - Multiple vulnerabilities in Oracle MySQL.
    (CVE-2013-5908)

  - Multiple vulnerabilities in the Oracle Java runtime.
    (CVE-2014-0411, CVE-2014-0423, CVE-2014-4244,     CVE-2014-0453, CVE-2014-0460, CVE-2014-4263,     CVE-2014-4264)

The remote host is affected by the vulnerability described in GLSA-201409-04 (MySQL: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in MySQL. Please review       the CVE identifiers referenced below for details.
  Impact :

    A local attacker could possibly gain escalated privileges. A remote       attacker could send a specially crafted SQL query, possibly resulting in       a Denial of Service condition. A remote attacker could entice a user to       connect to specially crafted MySQL server, possibly resulting in       execution of arbitrary code with the privileges of the process.
  Workaround :

    There is no known workaround at this time.

MySQL was updated to version 5.5.37 to address various security issues.

More information is available at http://www.oracle.com/technetwork/topics/security/cpujan2014-1972949.h tml#AppendixMSQL and http://www.oracle.com/technetwork/topics/security/cpuapr2014-1972952.h tml#AppendixMSQL .

This update fixes several vulnerabilities in the MySQL database server. (CVE-2014-0386 , CVE-2014-0393 , CVE-2014-0401 , CVE-2014-0402 , CVE-2014-0412 , CVE-2014-0437 , CVE-2013-5908)

A buffer overflow flaw was found in the way the MySQL command line client tool (mysql) processed excessively long version strings. If a user connected to a malicious MySQL server via the mysql client, the server could use this flaw to crash the mysql client or, potentially, execute arbitrary code as the user running the mysql client.
(CVE-2014-0001)

The remote CentOS host is missing a security update which has been documented in Red Hat advisory RHSA-2014:0189.

The remote CentOS host is missing a security update which has been documented in Red Hat advisory RHSA-2014:0173.

Updated mysql55-mysql packages that fix several security issues are now available for Red Hat Enterprise Linux 5.

The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

MySQL is a multi-user, multi-threaded SQL database server. It consists of the MySQL server daemon (mysqld) and many client programs and libraries.

This update fixes several vulnerabilities in the MySQL database server. Information about these flaws can be found on the Oracle Critical Patch Update Advisory page, listed in the References section.
(CVE-2013-5807, CVE-2013-5891, CVE-2014-0386, CVE-2014-0393, CVE-2014-0401, CVE-2014-0402, CVE-2014-0412, CVE-2014-0420, CVE-2014-0437, CVE-2013-3839, CVE-2013-5908)

A buffer overflow flaw was found in the way the MySQL command line client tool (mysql) processed excessively long version strings. If a user connected to a malicious MySQL server via the mysql client, the server could use this flaw to crash the mysql client or, potentially, execute arbitrary code as the user running the mysql client.
(CVE-2014-0001)

The CVE-2014-0001 issue was discovered by Garth Mollett of the Red Hat Security Response Team.

These updated packages upgrade MySQL to version 5.5.36. Refer to the MySQL Release Notes listed in the References section for a complete list of changes.

All MySQL users should upgrade to these updated packages, which correct these issues. After installing this update, the MySQL server daemon (mysqld) will be restarted automatically.

A buffer overflow flaw was found in the way the MySQL command line client tool (mysql) processed excessively long version strings. If a user connected to a malicious MySQL server via the mysql client, the server could use this flaw to crash the mysql client or, potentially, execute arbitrary code as the user running the mysql client.
(CVE-2014-0001)

Upstream does not issue any more security advisories for the MySQL 5.0 packages (mysql-5.0.* and related packages). 

The only trusted way to upgrade from MySQL 5.0 to MySQL 5.5 is by using MySQL 5.1 as an intermediate step. This is why the mysql51* Software Collection packages are provided. Note that the MySQL 5.1 packages are not supported and are provided only for the purposes of migrating to MySQL 5.5. You should not use the mysql51* packages on any of your production systems.

Specific instructions for this migration are provided by the upstream Deployment Guide.

After installing this update, the MySQL server daemon (mysqld) will be restarted automatically.

From Red Hat Security Advisory 2014:0186 :

Updated mysql55-mysql packages that fix several security issues are now available for Red Hat Enterprise Linux 5.

The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

MySQL is a multi-user, multi-threaded SQL database server. It consists of the MySQL server daemon (mysqld) and many client programs and libraries.

This update fixes several vulnerabilities in the MySQL database server. Information about these flaws can be found on the Oracle Critical Patch Update Advisory page, listed in the References section.
(CVE-2013-5807, CVE-2013-5891, CVE-2014-0386, CVE-2014-0393, CVE-2014-0401, CVE-2014-0402, CVE-2014-0412, CVE-2014-0420, CVE-2014-0437, CVE-2013-3839, CVE-2013-5908)

A buffer overflow flaw was found in the way the MySQL command line client tool (mysql) processed excessively long version strings. If a user connected to a malicious MySQL server via the mysql client, the server could use this flaw to crash the mysql client or, potentially, execute arbitrary code as the user running the mysql client.
(CVE-2014-0001)

The CVE-2014-0001 issue was discovered by Garth Mollett of the Red Hat Security Response Team.

These updated packages upgrade MySQL to version 5.5.36. Refer to the MySQL Release Notes listed in the References section for a complete list of changes.

All MySQL users should upgrade to these updated packages, which correct these issues. After installing this update, the MySQL server daemon (mysqld) will be restarted automatically.

Multiple vulnerabilities has been discovered and corrected in mariadb :

Buffer overflow in client/mysql.cc in Oracle MySQL and MariaDB before 5.5.35 allows remote database servers to cause a denial of service (crash) and possibly execute arbitrary code via a long server version string (CVE-2014-0001).

Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.1.72 and earlier, 5.5.34 and earlier, and 5.6.14 and earlier allows remote authenticated users to affect availability via unknown vectors related to InnoDB (CVE-2014-0412).

Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.1.72 and earlier, 5.5.34 and earlier, and 5.6.14 and earlier allows remote authenticated users to affect availability via unknown vectors related to Optimizer (CVE-2014-0437).

Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.1.72 and earlier, 5.5.34 and earlier, and 5.6.14 and earlier allows remote attackers to affect availability via unknown vectors related to Error Handling (CVE-2013-5908).

Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.5.34 and earlier, and 5.6.14 and earlier, allows remote authenticated users to affect availability via unknown vectors related to Replication (CVE-2014-0420).

Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.1.71 and earlier, 5.5.33 and earlier, and 5.6.13 and earlier allows remote authenticated users to affect integrity via unknown vectors related to InnoDB (CVE-2014-0393).

Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.5.33 and earlier and 5.6.13 and earlier allows remote authenticated users to affect availability via unknown vectors related to Partition (CVE-2013-5891).

Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.1.71 and earlier, 5.5.33 and earlier, and 5.6.13 and earlier allows remote authenticated users to affect availability via unknown vectors related to Optimizer (CVE-2014-0386).

Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.1.72 and earlier, 5.5.34 and earlier, and 5.6.14 and earlier allows remote authenticated users to affect availability via unknown vectors (CVE-2014-0401).

Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.1.71 and earlier, 5.5.33 and earlier, and 5.6.13 and earlier allows remote authenticated users to affect availability via unknown vectors related to Locking (CVE-2014-0402).

The updated packages have been upgraded to the 5.5.35 version which is not vulnerable to these issues.

Updated mysql packages that fix several security issues and one bug are now available for Red Hat Enterprise Linux 6.

The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

MySQL is a multi-user, multi-threaded SQL database server. It consists of the MySQL server daemon (mysqld) and many client programs and libraries.

This update fixes several vulnerabilities in the MySQL database server. Information about these flaws can be found on the Oracle Critical Patch Update Advisory page, listed in the References section.
(CVE-2014-0386, CVE-2014-0393, CVE-2014-0401, CVE-2014-0402, CVE-2014-0412, CVE-2014-0437, CVE-2013-5908)

A buffer overflow flaw was found in the way the MySQL command line client tool (mysql) processed excessively long version strings. If a user connected to a malicious MySQL server via the mysql client, the server could use this flaw to crash the mysql client or, potentially, execute arbitrary code as the user running the mysql client.
(CVE-2014-0001)

The CVE-2014-0001 issue was discovered by Garth Mollett of the Red Hat Security Response Team.

This update also fixes the following bug :

* Prior to this update, MySQL did not check whether a MySQL socket was actually being used by any process before starting the mysqld service.
If a particular mysqld service did not exit cleanly while a socket was being used by a process, this socket was considered to be still in use during the next start-up of this service, which resulted in a failure to start the service up. With this update, if a socket exists but is not used by any process, it is ignored during the mysqld service start-up. (BZ#1058719)

These updated packages upgrade MySQL to version 5.1.73. Refer to the MySQL Release Notes listed in the References section for a complete list of changes.

All MySQL users should upgrade to these updated packages, which correct these issues. After installing this update, the MySQL server daemon (mysqld) will be restarted automatically.

(CVE-2014-0386, CVE-2014-0393, CVE-2014-0401, CVE-2014-0402, CVE-2014-0412, CVE-2014-0437, CVE-2013-5908)

A buffer overflow flaw was found in the way the MySQL command line client tool (mysql) processed excessively long version strings. If a user connected to a malicious MySQL server via the mysql client, the server could use this flaw to crash the mysql client or, potentially, execute arbitrary code as the user running the mysql client.
(CVE-2014-0001)

This update also fixes the following bug :

  - Prior to this update, MySQL did not check whether a     MySQL socket was actually being used by any process     before starting the mysqld service. If a particular     mysqld service did not exit cleanly while a socket was     being used by a process, this socket was considered to     be still in use during the next start-up of this     service, which resulted in a failure to start the     service up. With this update, if a socket exists but is     not used by any process, it is ignored during the mysqld     service start-up.

After installing this update, the MySQL server daemon (mysqld) will be restarted automatically.

From Red Hat Security Advisory 2014:0164 :

Updated mysql packages that fix several security issues and one bug are now available for Red Hat Enterprise Linux 6.

The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

MySQL is a multi-user, multi-threaded SQL database server. It consists of the MySQL server daemon (mysqld) and many client programs and libraries.

This update fixes several vulnerabilities in the MySQL database server. Information about these flaws can be found on the Oracle Critical Patch Update Advisory page, listed in the References section.
(CVE-2014-0386, CVE-2014-0393, CVE-2014-0401, CVE-2014-0402, CVE-2014-0412, CVE-2014-0437, CVE-2013-5908)

A buffer overflow flaw was found in the way the MySQL command line client tool (mysql) processed excessively long version strings. If a user connected to a malicious MySQL server via the mysql client, the server could use this flaw to crash the mysql client or, potentially, execute arbitrary code as the user running the mysql client.
(CVE-2014-0001)

The CVE-2014-0001 issue was discovered by Garth Mollett of the Red Hat Security Response Team.

This update also fixes the following bug :

* Prior to this update, MySQL did not check whether a MySQL socket was actually being used by any process before starting the mysqld service.
If a particular mysqld service did not exit cleanly while a socket was being used by a process, this socket was considered to be still in use during the next start-up of this service, which resulted in a failure to start the service up. With this update, if a socket exists but is not used by any process, it is ignored during the mysqld service start-up. (BZ#1058719)

These updated packages upgrade MySQL to version 5.1.73. Refer to the MySQL Release Notes listed in the References section for a complete list of changes.

All MySQL users should upgrade to these updated packages, which correct these issues. After installing this update, the MySQL server daemon (mysqld) will be restarted automatically.

The version of MariaDB 5.5 running on the remote host is a version prior to 5.5.35. It is, therefore, potentially affected by the following vulnerabilities :

  - Errors exist related to the following subcomponents :
    Error Handling, FTS, GIS, InnoDB, Locking, Optimizer,     Partition, Performance Schema, Privileges, Replication,     and Thread Pooling. (CVE-2013-5860, CVE-2013-5881,     CVE-2013-5891, CVE-2013-5894, CVE-2013-5908,     CVE-2014-0386, CVE-2014-0393, CVE-2014-0401,     CVE-2014-0402, CVE-2014-0412, CVE-2014-0420,     CVE-2014-0427, CVE-2014-0430, CVE-2014-0431,     CVE-2014-0433, CVE-2014-0437)

  - An unspecified error exists related to stored     procedures handling that could allow denial of service     attacks. (CVE-2013-5882)

  - An error exists in the file 'client/mysql.cc' that     could allow a buffer overflow leading to denial of     service or possibly arbitrary code execution.
    (CVE-2014-0001)

Several issues have been discovered in the MySQL database server. The vulnerabilities are addressed by upgrading MySQL to the new upstream version 5.5.35. Please see the MySQL 5.5 Release Notes and Oracle's Critical Patch Update advisory for further details :

  -     http://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5-     34.html
  -     http://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5-     35.html

  -     http://www.oracle.com/technetwork/topics/security/cpujan     2014-1972949.html

The version of MySQL installed on the remote host is earlier than 5.5.35. Therefore, vulnerabilities likely exist in the following components :

  - InnoDB
  - Locking
  - Optimizer
  - Partition
  - Privileges
  - Replication
  - Error Handling

The version of MySQL installed on the remote host is earlier than 5.1.73. Therefore, vulnerabilities likely exist in the following components :

  - InnoDB
  - Locking
  - Optimizer
  - Privileges
  - Error Handling

The version of MySQL installed on the remote host is earlier than 5.6.15. Therefore, vulnerabilities likely exist in the following components :

  - Service Manager
  - GIS
  - Stored Procedure
  - Thread Pooling
  - InnoDB
  - Locking
  - Optimizer
  - Partition
  - Privileges
  - FTS
  - Performance Schema
  - Replication
  - Error Handling

Multiple security issues were discovered in MySQL and this update includes new upstream MySQL versions to fix these issues.

MySQL has been updated to 5.1.73 in Ubuntu 10.04 LTS. Ubuntu 12.04 LTS, Ubuntu 12.10, and Ubuntu 13.10 have been updated to MySQL 5.5.35.

In addition to security fixes, the updated packages contain bug fixes, new features, and possibly incompatible changes.

Please see the following for more information:
http://dev.mysql.com/doc/relnotes/mysql/5.1/en/news-5-1-73.html http://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5-35.html http://www.oracle.com/technetwork/topics/security/cpujan2014-1972949.h tml.

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This DSA updates the MySQL 5.1 database to 5.1.73. This fixes multiple unspecified security problems in MySQL:
http://www.oracle.com/technetwork/topics/security/cpujan2014-1972949.h tml

The version of MySQL installed on the remote host is 5.6.x older than 5.6.15.  As such, it is reportedly affected by vulnerabilities in the following components :

  - Error Handling
  - GIS
  - InnoDB
  - Privileges
  - Optimizer
  - Replication

The version of MySQL installed on the remote host is version 5.5.x prior to 5.5.35.  It is, therefore, potentially affected by vulnerabilities in the following components :

  - Error Handling
  - InnoDB
  - Privileges
  - Optimizer
  - Replication

The version of MySQL installed on the remote host is 5.1.x prior to 5.1.73.  It is, therefore, reportedly affected by vulnerabilities in the following components :

  - Error Handling
  - InnoDB
  - Optimizer
  - Privileges

CVE-2013-5908 is not available