OracleVM 3.3 : pam (OVMSA-2015-0117)

This script is Copyright (C) 2015-2017 Tenable Network Security, Inc.

Synopsis :

The remote OracleVM host is missing a security update.

Description :

The remote OracleVM system is missing necessary patches to address
critical security updates :

- fix CVE-2015-3238 - DoS due to blocking pipe with very
long password

- make pam_pwhistory and pam_unix tolerant of opasswd file

- pam_userdb: allow any crypt hash algorithm to be used

- pam_cracklib: improve documentation (#889233)

- unbreak authentication if is not empty

- correct off by one error in account expiration
calculation (#947011)

- pam_console_apply: do not print error if console.perms.d
is empty

- properly handle all cases where crypt might return NULL

- pam_limits: clarify documentation of maxsyslogins limit

- pam_access: call DNS resolution only when necessary and
cache results (#1029817)

- pam_limits: nofile applies to file descriptors not files

- pam_limits: check whether the utmp login entry is valid

- correct URLs in spec file (#1071770)

- pam_userdb: correct the example in man page (#1078779)

- pam_selinux: canonicalize username for getseuser

- pam_access: fix netgroup matching and @user@@netgroup
parsing (#740233)

- pam_tty_audit: allow for runtime backwards compatibility
with old kernels

- add option to pam_tty_audit to disable auditing of
password input

Solution :

Update the affected pam package.

Risk factor :

Medium / CVSS Base Score : 5.8
CVSS Temporal Score : 4.8
Public Exploit Available : true

Family: OracleVM Local Security Checks

Nessus Plugin ID: 85529

Bugtraq ID: 75428

CVE ID: CVE-2015-3238
