Oracle Linux 8 : thunderbird (ELSA-2021-2264)

high Nessus Plugin ID 150348

Synopsis

The remote Oracle Linux host is missing one or more security updates.

Description

The remote Oracle Linux 8 host has a package installed that is affected by multiple vulnerabilities as referenced in the ELSA-2021-2264 advisory.

- Mozilla developers Gabriele Svelto, Anny Gakhokidze, Alexandru Michis, Christian Holler reported memory safety bugs present in Thunderbird 78.11. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.
(CVE-2021-29967)

- OpenPGP secret keys that were imported using Thunderbird version 78.8.1 up to version 78.10.1 were stored unencrypted on the user's local disk. The master password protection was inactive for those keys. Version 78.10.2 will restore the protection mechanism for newly imported keys, and will automatically protect keys that had been imported using affected Thunderbird versions. (CVE-2021-29956)

- If a MIME encoded email contains an OpenPGP inline signed or encrypted message part, but also contains an additional unprotected part, Thunderbird did not indicate that only parts of the message are protected.
(CVE-2021-29957)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Solution

Update the affected thunderbird package.

See Also

https://linux.oracle.com/errata/ELSA-2021-2264.html

Plugin Details

Severity: High

ID: 150348

File Name: oraclelinux_ELSA-2021-2264.nasl

Version: 1.4

Type: local

Agent: unix

Published: 6/8/2021

Updated: 8/12/2021

Supported Sensors: Frictionless Assessment Agent, Nessus Agent

Risk Information

VPR

Risk Factor: High

Score: 7.4

CVSS v2

Risk Factor: Medium

Base Score: 6.8

Temporal Score: 5

Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P

Temporal Vector: E:U/RL:OF/RC:C

CVSS Score Source: CVE-2021-29967

CVSS v3

Risk Factor: High

Base Score: 8.8

Temporal Score: 7.7

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Temporal Vector: E:U/RL:O/RC:C

Vulnerability Information

CPE: cpe:/o:oracle:linux:8, p-cpe:/a:oracle:linux:thunderbird

Required KB Items: Host/OracleLinux, Host/RedHat/release, Host/RedHat/rpm-list, Host/local_checks_enabled

Exploit Ease: No known exploits are available

Patch Publication Date: 6/8/2021

Vulnerability Publication Date: 5/17/2021

Reference Information

CVE: CVE-2021-29956, CVE-2021-29957, CVE-2021-29967

IAVA: 2021-A-0246-S