Detections
Analytics
OracleVM 3.2 : openssl (OVMSA-2016-0071)
high Nessus Plugin ID 91751
Language:
Synopsis
The remote OracleVM host is missing a security update.Description
The remote OracleVM system is missing necessary patches to address critical security updates :- To disable SSLv2 client connections create the file /etc/sysconfig/openssl-ssl-client-kill-sslv2 (John Haxby) [orabug 21673934]
- Backport openssl 08-Jan-2015 security fixes (John Haxby) [orabug 20409893]
- fix CVE-2014-3570 - Bignum squaring may produce incorrect results
- fix CVE-2014-3571 - DTLS segmentation fault in dtls1_get_record
- fix CVE-2014-3572 - ECDHE silently downgrades to ECDH [Client]
- fix CVE-2016-0797 - heap corruption in BN_hex2bn and BN_dec2bn
- fix CVE-2015-3197 - SSLv2 ciphersuite enforcement
- disable SSLv2 in the generic TLS method (can be reenabled by setting environment variable OPENSSL_ENABLE_SSL2)
- fix CVE-2015-3195 - X509_ATTRIBUTE memory leak
Solution
Update the affected openssl package.See Also
https://oss.oracle.com/pipermail/oraclevm-errata/2016-June/000490.html
Plugin Details
Severity: High
ID: 91751
File Name: oraclevm_OVMSA-2016-0071.nasl
Version: 2.8
Type: local
Family: OracleVM Local Security Checks
Published: 6/22/2016
Updated: 1/4/2021
Supported Sensors: Nessus
Risk Information
VPR
Risk Factor: Medium
Score: 4.4
CVSS v2
Risk Factor: Medium
Base Score: 5
Temporal Score: 3.7
Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSS v3
Risk Factor: High
Base Score: 7.5
Temporal Score: 6.5
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C
Vulnerability Information
CPE: p-cpe:/a:oracle:vm:openssl, cpe:/o:oracle:vm_server:3.2
Required KB Items: Host/local_checks_enabled, Host/OracleVM/release, Host/OracleVM/rpm-list
Exploit Ease: No known exploits are available
Patch Publication Date: 6/21/2016
Vulnerability Publication Date: 1/8/2015
Reference Information
CVE: CVE-2014-3570, CVE-2014-3571, CVE-2014-3572, CVE-2015-3195, CVE-2015-3197, CVE-2016-0797