Amazon Linux 2 : thunderbird (ALAS-2020-1468)

high Nessus Plugin ID 138857

Synopsis

The remote Amazon Linux 2 host is missing a security update.

Description

Manipulating individual parts of a URL object could have caused an out-of-bounds read, leaking process memory to malicious JavaScript.
This vulnerability affects Firefox ESR < 68.10, Firefox < 78, and Thunderbird < 68.10.0. (CVE-2020-12418)

When processing callbacks that occurred during window flushing in the parent process, the associated window may die; causing a use-after-free condition. This could have led to memory corruption and a potentially exploitable crash. This vulnerability affects Firefox ESR < 68.10, Firefox < 78, and Thunderbird < 68.10.0. (CVE-2020-12419)

When performing add-on updates, certificate chains terminating in non-built-in-roots were rejected (even if they were legitimately added by an administrator.) This could have caused add-ons to become out-of-date silently without notification to the user. This vulnerability affects Firefox ESR < 68.10, Firefox < 78, and Thunderbird < 68.10.0. (CVE-2020-12421)

When trying to connect to a STUN server, a race condition could have caused a use-after-free of a pointer, leading to memory corruption and a potentially exploitable crash. This vulnerability affects Firefox ESR < 68.10, Firefox < 78, and Thunderbird < 68.10.0. (CVE-2020-12420)

Due to confusion about ValueTags on JavaScript Objects, an object may pass through the type barrier, resulting in memory corruption and a potentially exploitable crash. *Note: this issue only affects Firefox on ARM64 platforms.* This vulnerability affects Firefox ESR < 68.10, Firefox < 78, and Thunderbird < 68.10.0. (CVE-2020-12417)

Solution

Run 'yum update thunderbird' to update your system.

See Also

https://alas.aws.amazon.com/AL2/ALAS-2020-1468.html

Plugin Details

Severity: High

ID: 138857

File Name: al2_ALAS-2020-1468.nasl

Version: 1.2

Type: local

Agent: unix

Published: 7/23/2020

Updated: 7/27/2020

Supported Sensors: Agentless Assessment, Frictionless Assessment Agent, Frictionless Assessment AWS, Nessus Agent

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: High

Base Score: 9.3

Temporal Score: 6.9

Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C

Temporal Vector: E:U/RL:OF/RC:C

CVSS v3

Risk Factor: High

Base Score: 8.8

Temporal Score: 7.7

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Temporal Vector: E:U/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:amazon:linux:thunderbird, p-cpe:/a:amazon:linux:thunderbird-debuginfo, cpe:/o:amazon:linux:2

Required KB Items: Host/local_checks_enabled, Host/AmazonLinux/release, Host/AmazonLinux/rpm-list

Exploit Ease: No known exploits are available

Patch Publication Date: 7/21/2020

Vulnerability Publication Date: 7/9/2020

Reference Information

CVE: CVE-2020-12417, CVE-2020-12418, CVE-2020-12419, CVE-2020-12420, CVE-2020-12421

ALAS: 2020-1468