OracleVM 3.3 : sos (OVMSA-2016-0011)

This script is Copyright (C) 2016-2017 Tenable Network Security, Inc.


Synopsis :

The remote OracleVM host is missing a security update.

Description :

The remote OracleVM system is missing necessary patches to address
critical security updates :

- Add vendor, vendor URL info for Oracle Linux [orabug
17656507]

- Direct traceroute to linux.oracle.com (John Haxby)
[orabug 11713272]

- Check oraclelinux-release instead of redhat-release to
get OS version (John Haxby) [bug 11681869]

- Remove RH ftp URL and support email

- add sos-oracle-enterprise.patch

- Add smartmon plugin (John Haxby) [orabug 17995005]

- [sosreport] Report correct final path with --build
Related: bz1290953

- [hpasm] Add timeout. Resolves: bz1291828

- [sosreport] Prepare report in a private subdirectory
Resolves: bz1290953

- [ovirt] Collect engine tuneables and domain information.
Resolves: bz1234226

- [networking] nmcli status is obtained from the output
Resolves: bz1206661

- [cluster] Scrub password from crm_report data. Resolves:
bz1206581

- [networking] Use the correct options for nmcli.
Resolves: bz1206661

- [mysql] Collect log file by default. Resolves: bz1209442

- [openshift] Scrub passwords from plugin config files.
Resolves: bz1203330

- [tuned] Collect additional configurations files and
profiles. Resolves: bz1174186

- [networking] Fix 'ip addr' collection. Resolves:
bz1209455

- [networking] test nmcli status before using output
Resolves: bz1206661

- [openshift] Scrub passwords from config files. Resolves:
bz1203330

- [cluster] Ensure cluster sets 'make' to False when
calling get_cmd_output_path. Resolves: bz1190723

- [openshift] Collect additional config files. Resolves:
bz1166874

- [activemq] Honour all_logs and get config on RHEL.
Resolves: bz1165878

- [policy/redhat] use /tmp as default temporary directory

- [global] remove dependency on python-six Resolves:
bz1144525

- [cluster] Added package luci and fix lockdumps
capturing. Resolves: bz1171186

- [puppet] Adding new plugin for puppet Resolves:
bz1172880

- [block] parted will use sector units instead of human
units. Resolves: bz1086537

- [foreman] Added option to prevent generic resource
collection with foreman plugin. Remove the plugin
katello since data collection done by foreman-debug.
Resolves: bz1135290

- [global] update el6 to upstream 3.2 release Resolves:
bz1144525

- [global] sync 3.2-15.el6 with RHEL-7.1 Resolves:
bz1144525

- [mysql] test for boolean values in dbuser and dbpass

- [mysql] improve handling of dbuser, dbpass and MYSQL_PWD

- [plugin] limit path names to PC_NAME_MAX

- [squid] collect files from /var/log/squid

- [sosreport] log plugin exceptions to a file

- [ctdb] fix collection of /etc/sysconfig/ctdb

- [sosreport] fix silent exception handling

- [sosreport] do not make logging calls after OSError

- [sosreport] catch OSError exceptions in
SoSReport.execute

- [anaconda] make useradd password regex tolerant of
whitespace

- [mysql] fix handling of mysql.dbpass option

- [navicli] catch exceptions if stdin is unreadable

- [docs] update man page for new options

- [sosreport] make all utf-8 handling user errors=ignore

- [kpatch] do not attempt to collect data if kpatch is not
installed

- [archive] drop support for Zip archives

- [sosreport] fix archive permissions regression

- [tomcat] add support for tomcat7 and default log size
limits

- [mysql] obtain database password from the environment

- [corosync] add postprocessing for corosync-objctl output

- [ovirt_hosted_engine] fix exception when force-enabled

- [yum] call rhsm-debug with --no-subscriptions

- [powerpc] allow PowerPC plugin to run on ppc64le

- [package] add Obsoletes for sos-plugins-openstack

- [pam] add pam_tally2 and faillock support

- [postgresql] obtain db password from the environment

- [pcp] add Performance Co-Pilot plugin

- [nfsserver] collect /etc/exports.d

- [sosreport] handle --compression-type correctly

- [anaconda] redact passwords in kickstart configurations

- [haproxy] add new plugin

- [keepalived] add new plugin

- [lvm2] set locking_type=0 when calling lvm commands

- [tuned] add new plugin

- [cgroups] collect /etc/sysconfig/cgred

- [plugins] ensure doc text is always displayed for
plugins

- [sosreport] fix the distribution version API call

- [docker] add new plugin

- [openstack_*] include broken-out openstack plugins

- [mysql] support MariaDB

- [openstack] do not collect /var/lib/nova

- [grub2] collect grub.cfg on UEFI systems

- [sosreport] handle out-of-space errors gracefully

- [firewalld] new plugin

- [networking] collect NetworkManager status

- [kpatch] new plugin

- [global] update to upstream 3.2 release

- [ds] add collection of ds admin server configuration
Resolves: bz994628

- [ldap] ensure /etc/openldap/ content is collected
Resolves: bz994628

- [plugintools] preserve permissions on directories
Resolves: bz1069786

- [plugintools] Fix size limiting in addCopySpecLimit
Resolves: bz1001600

- [general] do not collect /var/log/sa Resolves: bz1001600

- [grub] Fix grub.conf path for grub-1.x versions
Resolves: bz1076388

- [ds] Fix logging exception when plugin force-enabled
Resolves: bz994628

- [pgsql] backport PGPASSWORD changes from upstream
Resolves: bz1125998

- [plugin] backport command timeout support Resolves:
bz1005703

- Restrict ldap and ds plugin paths to avoid collecting
secrets Resolves: bz994628

- Add certutil output to ldap and ds plugins to summarize
certs Resolves: bz994628

- [powerpc] backport plugin from upstream Resolves:
bz977190

- [devicemapper] set locking_type=0 when calling lvm2
commands Resolves: bz1102282

- [nfsserver] collect 'exportfs -v' Resolves: bz985512

- [openshift] improve password redaction Resolves:
bz1039755

- [openshift] don't collect all of /etc/openshift
Resolves: bz1039755

- [mongodb] backport new plugin from upstream

- [activemq] backport new plugin from upstream

- [openshift] sync plugin with upstream

- [plugin] backport collectExtOutputs and addCopySpecs

- Make OpenShift module collect domain information

- Add 'gear' option to OpenShift module

- Add OpenShift module Resolves: bz1039755

- [plugin] backport addCopySpecLimit tailit parameter
Resolves: bz1001600

- [plugintools] preserve permissions on all path
components Resolves: bz1069786

- [tomcat] update for tomcat6 and add password filtering
Resolves: bz1088070

- [filesys] collect dumpe2fs -h output by default
Resolves: bz1105629

- [rpm] reduce number of calls to rpm Resolves: bz1019872

- Verify fewer packages in rpm plug-in Resolves: bz1019872

- [bootloader] elide bootloader password Resolves:
bz1101311

- [plugin] backport do_path_regex_sub Resolves: bz1101311

- [networking] do not attempt to read use-gss-proxy
Resolves: bz1079954

- [mysql] limit log collection by default Resolves:
bz1015783

- [mysql] add optional database dump support Resolves:
bz1032262

- [docs] update man pages Resolves: bz1022226

- [sosreport] log exceptions during Plugin.postproc
Resolves: bz1020445

- [distupgrade] elide passwords in kickstart user
directives Resolves: bz1052344

- [ipa] add ipa-replica-manage output Resolves: bz1012410

- [bootloader] Include /etc/yaboot.conf Resolves:
bz1001941

- [cluster] collect /sys/fs/gfs2/*/withdraw Resolves:
bz997174

- [general] do not collect /var/log/sa Resolves: bz1001600

- [networking] avoid Cisco cdp paths in /proc and /sys
Resolves: bz1004936

- [sar] Handle compressed binary data files better
Resolves: bz1001600

- [sar] Add file size limits Resolves: bz1001600

- [sar] Enable XML data collection Resolves: bz1001600

- [selinux] pass --input-logs when calling ausearch
Resolves: bz1032706

- [printing] fix cups log file size limiting Resolves:
bz1061529

- [auditd] fix log size limiting Resolves: bz1061529

- [hardware] call hardware.py directly instead of invoking
python Resolves: bz1041770

- [hpasm] new plugin to collect HP ASM information
Resolves: bz915115

- [sos] improve handling of fatal IO errors Resolves:
bz1085042

- [bootloader] collect grub.conf for UEFI based systems
Resolves: bz1076388

- [ctdb] add plugin to collect Samba CTDB information
Resolves: bz961041

- [keepalived] new plugin Resolves: bz1107862

- [sssd] scrub ldap_default_authtok in sssd plugin
Resolves: bz1013366

- [haproxy] new plugin Resolves: bz1107866

- [gluster] add 'logsize' and 'all_logs' plugin options
Resolves: bz1002619

- Fix doRegexSub usage in distupgrade plugin Resolves:
bz1052344

- Redact user home directory paths in distupgrade plugin
Resolves: bz1052344

- Add distupgrade plugin Resolves: bz1052344

- Pass a --from parameter when calling crm_report
Resolves: bz1035774

See also :

http://www.nessus.org/u?0b045540

Solution :

Update the affected sos package.

Risk factor :

Medium

Family: OracleVM Local Security Checks

Nessus Plugin ID: 88689 ()

Bugtraq ID:

CVE ID:

Ready to Amp Up Your Nessus Experience?

Get Nessus Professional to scan unlimited IPs, run compliance checks & more

Buy Nessus Professional Now