OracleVM 3.3 / 3.4 : bash (OVMSA-2017-0050)

This script is Copyright (C) 2017 Tenable Network Security, Inc.


Synopsis :

The remote OracleVM host is missing a security update.

Description :

The remote OracleVM system is missing necessary patches to address
critical security updates :

- Fix signal handling in read builtin Resolves: #1421926

- CVE-2016-9401 - Fix crash when '-' is passed as second
sign to popd Resolves: #1396383

- CVE-2016-7543 - Fix for arbitrary code execution via
SHELLOPTS+PS4 variables Resolves: #1379630

- CVE-2016-0634 - Fix for arbitrary code execution via
malicious hostname Resolves: #1377613

- Avoid crash in parameter expansion while expanding long
strings Resolves: #1359142

- Stop reading input when SIGHUP is received Resolves:
#1325753

- Bash leaks memory while doing pattern removal in
parameter expansion Resolves: #1283829

- Fix a race condition in saving bash history on shutdown
Resolves: #1325753

- Bash shouldn't ignore bash --debugger without a dbger
installed Related: #1260568

- Wrong parsing inside for loop and brackets Resolves:
#1207803

- IFS incorrectly splitting herestrings Resolves: #1250070

- Case in a for loop in a subshell causes a syntax error
Resolves: #1240994

- Bash shouldn't ignore bash --debugger without a dbger
installed Resolves: #1260568

- Bash leaks memory when repeatedly doing a pattern-subst
Resolves: #1207042

- Bash hangs when a signal is received Resolves: #868846

See also :

http://www.nessus.org/u?49d2a21e
http://www.nessus.org/u?85c795b3

Solution :

Update the affected bash package.

Risk factor :

Critical / CVSS Base Score : 10.0
(CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVSS Temporal Score : 8.3
(CVSS2#E:F/RL:OF/RC:ND)
Public Exploit Available : true

Family: OracleVM Local Security Checks

Nessus Plugin ID: 99077 ()

Bugtraq ID: 70137

CVE ID: CVE-2014-7169
CVE-2016-0634
CVE-2016-7543
CVE-2016-9401

Ready to Amp Up Your Nessus Experience?

Get Nessus Professional to scan unlimited IPs, run compliance checks & more

Buy Nessus Professional Now