http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html

http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html

103517

1040576

https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=56d5a4bfcaf37fa420aef2bb881aa55e61cf5f2f

GLSA-201811-21

https://security.netapp.com/advisory/ntap-20180330-0002/

https://www.openssl.org/news/secadv/20180327.txt

https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html

https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html

https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html

https://www.tenable.com/security/tns-2018-04

https://www.tenable.com/security/tns-2018-06

https://www.tenable.com/security/tns-2018-07

The version of Oracle Enterprise Manager Cloud Control installed on the remote host is affected by multiple vulnerabilities in Enterprise Manager Base Platform component:

  - An unspecified vulnerability in the subcomponent Networking     (jQuery) of Enterprise Manager Ops Center. Supported versions     that are affected are 12.2.2 and 12.3.3. An easy to exploit     vulnerability could allow an unauthenticated attacker with     network access via HTTP to compromise Enterprise Manager Ops     Center. A successful attacks requires human interaction and     can result in unauthorized update, insert or delete access     to some of Enterprise Manager Ops Center accessible data.
    (CVE-2015-9251)

  - An unspecified vulnerability in the subcomponent Networking     (OpenSSL) of the Enterprise Manager Ops Center. Supported     versions that are affected are 12.2.2 and 12.3.3. An easy     to exploit vulnerability could allow an unauthenticated     attacker with network access via HTTPS to compromise     Enterprise Manager Ops Center. A successful attack of this     vulnerability could result in unauthorized ability to cause     a hang or frequently repeatable crash (complete DOS) of     Enterprise Manager Ops Center. (CVE-2018-0732)

  - An unspecified vulnerability in the subcomponent Networking     (cURL) of Enterprise Manager Ops Center. Supported versions     that are affected are 12.2.2 and 12.3.3. Difficult to exploit     vulnerability allows unauthenticated attacker with network     access via HTTP to compromise Enterprise Manager Ops Center.
    A successful attack requires human interaction from a person     other than the attacker and can result in takeover of     Enterprise Manager Ops Center. (CVE-2018-1000300)

Minor update to version 1.1.0h.

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote host is affected by the vulnerability described in GLSA-201811-21 (OpenSSL: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in OpenSSL. Please review       the referenced CVE identifiers for details.
  Impact :

    A remote attacker could cause a Denial of Service condition, obtain       private keying material, or gain access to sensitive information.
  Workaround :

    There is no known workaround at this time.

Because of an implementation bug the PA-RISC CRYPTO_memcmp function is effectively reduced to only comparing the least significant bit of each byte. This allows an attacker to forge messages that would be considered as authenticated in an amount of tries lower than that guaranteed by the security claims of the scheme. The module can only be compiled by the HP-UX assembler, so that only HP-UX PA-RISC targets are affected.(CVE-2018-0733)

Constructed ASN.1 types with a recursive definition (such as can be found in PKCS7) could eventually exceed the stack given malicious input with excessive recursion. This could result in a Denial Of Service attack. There are no such structures used within SSL/TLS that come from untrusted sources so this is considered safe.(CVE-2018-0739)

The version of Oracle Secure Global Desktop installed on the remote host is 5.3 / 5.4 and is missing a security patch from the July 2018 Critical Patch Update (CPU). It is, therefore, affected by multiple vulnerabilities:

 - curl version curl 7.54.1 to and including curl 7.59.0 contains a  Heap-based Buffer Overflow vulnerability in FTP connection closing  down functionality which can lead to DoS and RCE conditions. This  vulnerability appears to have been fixed in curl < 7.54.1 and  curl >= 7.60.0. (CVE-2018-1000300)

 - Security constraints defined by annotations of Servlets in Apache  Tomcat 9.0.0.M1 to 9.0.4, 8.5.0 to 8.5.27, 8.0.0.RC1 to 8.0.49 and  7.0.0 to 7.0.84 were only applied once a Servlet had been loaded.  It was possible - depending on the order Servlets were loaded - for  some security constraints not to be applied. This could have exposed  resources to unauthorized users. (CVE-2018-1305)

 - ASN.1 types with a recursive definition could exceed the stack  given malicious input with excessive recursion. This could result  in a Denial Of Service attack. Fixed in OpenSSL 1.1.0h (Affected  1.1.0-1.1.0g). Fixed in OpenSSL 1.0.2o (Affected 1.0.2b-1.0.2n).
 (CVE-2018-0739)

The Tenable SecurityCenter application installed on the remote host is missing a security patch. It is, therefore, affected by multiple vulnerabilities in the bundled version of OpenSSL.

ID	Name	Product	Family	Severity
131184	Oracle Enterprise Manager Ops Center (Jan 2019 CPU)	Nessus	Misc.	critical
120390	Fedora 28 : 1:openssl (2018-49651b2236)	Nessus	Fedora Local Security Checks	medium
119275	GLSA-201811-21 : OpenSSL: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	medium
112092	Amazon Linux AMI : openssl (ALAS-2018-1065)	Nessus	Amazon Linux Local Security Checks	medium
111333	Oracle Secure Global Desktop Multiple Vulnerabilities (July 2018 CPU)	Nessus	Misc.	critical
108776	Fedora 27 : 1:openssl (2018-76afaf1961)	Nessus	Fedora Local Security Checks	medium
108775	Fedora 26 : 1:openssl (2018-40dc8b8b16)	Nessus	Fedora Local Security Checks	medium
106563	Tenable SecurityCenter OpenSSL 1.0.2 < 1.0.2n Multiple Vulnerabilities	Nessus	Misc.	medium

CVE-2018-0733

medium

New! CVE Severity Now Using CVSS v3

Description

References

Details

Risk Information

CVSS v2

CVSS v3

Vulnerable Software

Configuration 1

Tenable Plugins

critical

medium

medium

medium

critical

medium

medium

medium