OracleVM 3.2 : ntp (OVMSA-2015-0001)

This script is Copyright (C) 2015-2017 Tenable Network Security, Inc.


Synopsis :

The remote OracleVM host is missing a security update.

Description :

The remote OracleVM system is missing necessary patches to address
critical security updates :

- Remove default ntp servers in ntp.conf [bug 14342986]

- don't generate weak control key for resolver
(CVE-2014-9293)

- don't generate weak MD5 keys in ntp-keygen
(CVE-2014-9294)

- fix buffer overflows via specially-crafted packets
(CVE-2014-9295)

- increase memlock limit again (#1035198)

- allow selection of cipher for private key files
(#741573)

- revert init script priority (#470945, #689636)

- drop tentative patch (#489835)

- move restorecon call to %posttrans

- call restorecon on ntpd and ntpdate on start (#470945)

- don't crash with more than 512 local addresses (#661934)

- add -I option (#528799)

- fix -L option to not require argument (#460434)

- move ntpd and ntpdate to /sbin and start earlier on boot
(#470945, #689636)

- increase memlock limit (#575874)

- ignore tentative addresses (#489835)

- print synchronization distance instead of dispersion in
ntpstat (#679034)

- fix typos in ntpq and ntp-keygen man pages (#664524,
#664525)

- clarify ntpd -q description (#591838)

- don't verify ntp.conf (#481151)

- replace Prereq tag

- fix DoS with mode 7 packets (#532640, CVE-2009-3563)

- compile with -fno-strict-aliasing

- fix buffer overflow when parsing Autokey association
message (#500784, CVE-2009-1252)

- fix buffer overflow in ntpq (#500784, CVE-2009-0159)

- fix check for malformed signatures (#479699,
CVE-2009-0021)

See also :

http://www.nessus.org/u?e0af960c

Solution :

Update the affected ntp package.

Risk factor :

High / CVSS Base Score : 7.5
(CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)
CVSS Temporal Score : 6.5
(CVSS2#E:ND/RL:OF/RC:C)
Public Exploit Available : true

Family: OracleVM Local Security Checks

Nessus Plugin ID: 80394 ()

Bugtraq ID: 33150
34481
35017
37255
71757
71761
71762

CVE ID: CVE-2009-0021
CVE-2009-0159
CVE-2009-1252
CVE-2009-3563
CVE-2014-9293
CVE-2014-9294
CVE-2014-9295

Ready to Amp Up Your Nessus Experience?

Get Nessus Professional to scan unlimited IPs, run compliance checks & more

Buy Nessus Professional Now