This script is Copyright (C) 2014-2017 Tenable Network Security, Inc.
The remote OracleVM host is missing a security update.
The remote OracleVM system is missing necessary patches to address
critical security updates :
CVE-2009-0159 Stack-based buffer overflow in the cookedprint function
in ntpq/ntpq.c in ntpq in NTP before 4.2.4p7-RC2 allows remote NTP
servers to execute arbitrary code via a crafted response.

CVE-2009-1252 Stack-based buffer overflow in the crypto_recv function
in ntp_crypto.c in ntpd in NTP before 4.2.4p7 and 4.2.5 before
4.2.5p74, when OpenSSL and autokey are enabled, allows remote
attackers to execute arbitrary code via a crafted packet containing an

CVE-2009-0021 NTP 4.2.4 before 4.2.4p5 and 4.2.5 before 4.2.5p150 does
not properly check the return value from the OpenSSL EVP_VerifyFinal
function, which allows remote attackers to bypass validation of the
certificate chain via a malformed SSL/TLS signature for DSA and ECDSA
keys, a similar vulnerability to CVE-2008-5077.
- fix buffer overflow when parsing Autokey association
  message (#500783, CVE-2009-1252)
- fix buffer overflow in ntpq (#500783, CVE-2009-0159)
- fix check for malformed signatures (#479698,
- fix selecting multicast interface (#444106)
- disable kernel discipline when -x option is used
- avoid use of uninitialized floating-point values in
- generate man pages from html source, include config man
- add note about paths and exit codes to ntpd man page
- add section about exit codes to ntpd man page (#319591)
- always return 0 in scriptlets
- pass additional options to ntpdate (#240141)
- fix broadcast client to accept broadcasts on
- compile with crypto support on 64bit architectures
- add ncurses-devel to buildrequires (#239580)
- exit with nonzero code if ntpd -q did not set clock
- fix return codes in init script (#240118)
See also :
Update the affected ntp package.
Risk factor :
Medium / CVSS Base Score : 6.8
CVSS Temporal Score : 5.9
Public Exploit Available : false