OracleVM 3.3 / 3.4 : sudo (OVMSA-2016-0170)

This script is Copyright (C) 2016-2017 Tenable Network Security, Inc.


Synopsis :

The remote OracleVM host is missing a security update.

Description :

The remote OracleVM system is missing necessary patches to address
critical security updates :

- Update noexec syscall blacklist

- Fixes (CVE-2016-7032, CVE-2016-7076) Resolves:
rhbz#1391937

- RHEL-6.8 erratum

- fixed a bug that allowed non-root users to list the
privileges of other users Resolves: rhbz#1312481

- RHEL-6.8 erratum

- fixed handling of closefrom_override defaults option
Resolves: rhbz#1309976

- RHEL-6.8 erratum

- fixed potential getcwd failure, resulting in a NULL
pointer dereference Resolves: rhbz#1284886

- RHEL-6.8 erratum

- fixed sssd's detection of user with zero rules Resolves:
rhbz#1220480

- RHEL-6.8 erratum

- search also by user id when fetching rules from LDAP
Resolves: rhbz#1135531

- RHEL-6.8 erratum

- fixed ldap's and sssd's sudoOption value and remove
quotes

- fixed ldap's and sssd's sudoOption whitespaces parse
problem Resolves: rhbz#1144422 Resolves: rhbz#1279447

- RHEL-6.8 erratum

- removed defaults option requiretty from /etc/sudoers

- backported pam_service and pam_login_service defaults
options

- implemented a new defaults option for changing netgroup
processing semantics

- fixed visudo's quiet cli option Resolves: rhbz#1248695
Resolves: rhbz#1247231 Resolves: rhbz#1241896 Resolves:
rhbz#1197885 Resolves: rhbz#1233205

- added patch to re-introduce old group processing
behaviour Resolves: rhbz#1075836

See also :

http://www.nessus.org/u?197f5d72
http://www.nessus.org/u?edda9d7a

Solution :

Update the affected sudo package.

Risk factor :

Medium / CVSS Base Score : 6.9
(CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C)
CVSS Temporal Score : 5.7
(CVSS2#E:F/RL:OF/RC:ND)
Public Exploit Available : true

Family: OracleVM Local Security Checks

Nessus Plugin ID: 95599

CVE ID: CVE-2016-7032, CVE-2016-7076
