Detections
Analytics

OracleVM 3.3 / 3.4 : procps (OVMSA-2018-0226)

critical Nessus Plugin ID 110306

Language:

Synopsis

The remote OracleVM host is missing a security update.

Description

The remote OracleVM system is missing necessary patches to address critical security updates :

 - vmstat: fix invalid CPU utilization stats after vCPU hot-plug/unplug (Konrad Rzeszutek Wilk) [bug 18011019]

 - drop leftover assignment in fix for CVE-2018-1124 causing a severe regression

 - Resolves: (CVE-2018-1124)

 - fix integer overflows leading to heap overflow in file2strvec

 - Resolves: CVE-2018-1124 (CVE-2018-1126)

 - ps: STIME no longer 1970 if many cores in /proc/stat

 - Resolves: rhbz#1460176

 - slabtop: additional work on usage computation to work on 32bit archs

 - Related: rhbz#1330008

 - Removal of patch 92 - procps-3.2.8-pgrep-15-chars-warning.patch

 - Related: rhbz#877352

 - Rework of patch 91 from 3.2.8-37, stripping removed permanently, no new option

 - Resolves: rhbz#1322111

 - top: Termination with segfault if /proc becomes inaccessible during run

 - Resolves: rhbz#928724

 - sysctl manpage: Added explanation of conf files precedence

 - Resolves: rhbz#1217077

 - sysctl.conf manpage: new NOTES section with predefined vars hint

 - Resolves: rhbz#1318644

 - slabtop: fixing incorrect usage percent computation - int overflow

 - Resolves: rhbz#1330008

 - New warning if pattern exceeds 15 characters without -f option

 - Resolves: #877352

 - Adding option to skip stripping of wchan name data

 - Resolves: #1322111

 - #1201024 - [RFE] Increase sysctl -p line size limit

 - #1246573 - typo in ps man page

 - #1251101 - Fixing human readable patch (removing trailing spaces)

 - #1284076 - [RFE] Support for thread cgroups

 - #1288208 - use of /proc/self/auxv breaks ps when running as a different euid

 - #1288497 - pmap - no sums computed for RSS and Dirty column

 - Resolves: #1201024 #1246573 #1251101 #1284076 #1288208 #1288497

 - #1262870 - Correctly skip vmflags (and other keys starting with A-Z)

 - Resolves: #1262870

 - #1246379 - free: values truncated to the column width

 - Resolves: #1246379

 - #1120580 - [RFE] Have sysctl -p read info from /etc/sysctl.d

 - Related: rhbz#1120580

 - #1120580 - [RFE] Have sysctl -p read info from /etc/sysctl.d

 - Related: rhbz#1120580

 - #993072 - Make the 'free' command a little more human friendly

 - #1172059 - ps coredump in stat2proc

 - #1120580 - [RFE] Have sysctl -p read info from /etc/sysctl.d

 - #1123311 - RFE: 'w' should have '-n' flag to suppress reverse name resolution of IP addresses

 - #1163404 - [procps] find_elf_note invalid read if setenv has been called before libproc init

 - Resolves: rhbz#993072 rhbz#1172059 rhbz#1120580 rhbz#1123311 rhbz#1163404

 - #977467 - [RFE] Have sysctl -p read info from /etc/sysctl.d

 - Resolves: rhbz#977467

 - Reimplementing (#1060681) due to regressions

 - Related: rhbz#1060681

 - #1105125 - Locale dependent float delay in top and watch utilities

 - #1039013 - Include an API in RHEL to return the number of opened file descriptors for a process

 - Resolves: rhbz#1105125

 - Related: rhbz#1034337

 - #1060681 - ps -p cycles over all PIDs instead of just one

 - #963799 - Should shared memory be accounted in cached in free output?

 - Resolves: rhbz#1060681 rhbz#963799

 - #1089817 - Return value of pgrep is incorrect

 - #950748 - /lib64/libproc.so package both in procps and procps-devel

 - #1011216 - Backport man page fix of top utility - RES = CODE + DATA

 - #1082877 - top/man: RES - physical memory a task 'has used'->'is using'

 - #1034337 - Include man pages for openproc, readproc and readproctab

 - Resolves: rhbz#1089817 rhbz#950748 rhbz#1011216 rhbz#1082877 rhbz#1034337

Solution

Update the affected procps package.

See Also

https://oss.oracle.com/pipermail/oraclevm-errata/2018-June/000861.html

https://oss.oracle.com/pipermail/oraclevm-errata/2018-June/000862.html

Plugin Details

Severity: Critical

ID: 110306

File Name: oraclevm_OVMSA-2018-0226.nasl

Version: 1.7

Type: local

Published: 6/4/2018

Updated: 8/24/2023

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: High

Base Score: 7.5

Temporal Score: 5.9

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 8.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:oracle:vm:procps, cpe:/o:oracle:vm_server:3.3, cpe:/o:oracle:vm_server:3.4

Required KB Items: Host/local_checks_enabled, Host/OracleVM/release, Host/OracleVM/rpm-list

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 6/1/2018

Vulnerability Publication Date: 5/23/2018

Reference Information

CVE: CVE-2018-1124, CVE-2018-1126

IAVA: 2018-A-0174-S