OracleVM 3.3 : pam (OVMSA-2015-0117)

This script is Copyright (C) 2015-2017 Tenable Network Security, Inc.


Synopsis :

The remote OracleVM host is missing a security update.

Description :

The remote OracleVM system is missing necessary patches to address
critical security updates :

- fix CVE-2015-3238 - DoS due to blocking pipe with very
long password

- make pam_pwhistory and pam_unix tolerant of opasswd file
corruption

- pam_userdb: allow any crypt hash algorithm to be used
(#1119289)

- pam_cracklib: improve documentation (#889233)

- unbreak authentication if ld.so.preload is not empty

- correct off by one error in account expiration
calculation (#947011)

- pam_console_apply: do not print error if console.perms.d
is empty

- properly handle all cases where crypt might return NULL
(#1026203)

- pam_limits: clarify documentation of maxsyslogins limit
(#1028490)

- pam_access: call DNS resolution only when necessary and
cache results (#1029817)

- pam_limits: nofile applies to file descriptors not files
(#1040664)

- pam_limits: check whether the utmp login entry is valid
(#1054936)

- correct URLs in spec file (#1071770)

- pam_userdb: correct the example in man page (#1078779)

- pam_selinux: canonicalize username for getseuser
(#1083981)

- pam_access: fix netgroup matching and @user@@netgroup
parsing (#740233)

- pam_tty_audit: allow for runtime backwards compatibility
with old kernels

- add option to pam_tty_audit to disable auditing of
password input

See also :

http://www.nessus.org/u?5790b061

Solution :

Update the affected pam package.

Risk factor :

Medium / CVSS Base Score : 5.8
(CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:P)
CVSS Temporal Score : 4.8
(CVSS2#E:F/RL:OF/RC:ND)
Public Exploit Available : true

Family: OracleVM Local Security Checks

Nessus Plugin ID: 85529

Bugtraq ID: 75428

CVE ID: CVE-2015-3238
