SUSE SLED15 / SLES15 Security Update : sqlite3 (SUSE-SU-2021:2320-1)

critical Nessus Plugin ID 151654

Language:

Synopsis

The remote SUSE host is missing one or more security updates.

Description

The remote SUSE Linux SLED15 / SLES15 / SLES_SAP15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2021:2320-1 advisory.

- Update to version 3.36.0
- CVE-2020-15358: heap-based buffer overflow in multiSelectOrderBy due to mishandling of query-flattener optimization (bsc#1173641)
- CVE-2020-9327: NULL pointer dereference and segmentation fault because of generated column optimizations in isAuxiliaryVtabOperator (bsc#1164719)
- CVE-2019-20218: selectExpander in select.c proceeds with WITH stack unwinding even after a parsing error (bsc#1160439)
- CVE-2019-19959: memory-management error via ext/misc/zipfile.c involving embedded '\0' input (bsc#1160438)
- CVE-2019-19923: improper handling of certain uses of SELECT DISTINCT in flattenSubquery may lead to null pointer dereference (bsc#1160309)
- CVE-2019-19924: improper error handling in sqlite3WindowRewrite() (bsc#1159850)
- CVE-2019-19925: improper handling of NULL pathname during an update of a ZIP archive (bsc#1159847)
- CVE-2019-19926: improper handling of certain errors during parsing multiSelect in select.c (bsc#1159715)
- CVE-2019-19880: exprListAppendList in window.c allows attackers to trigger an invalid pointer dereference (bsc#1159491)
- CVE-2019-19603: during handling of CREATE TABLE and CREATE VIEW statements, does not consider confusion with a shadow table name (bsc#1158960)
- CVE-2019-19646: pragma.c mishandles NOT NULL in an integrity_check PRAGMA command in certain cases of generated columns (bsc#1158959)
- CVE-2019-19645: alter.c allows attackers to trigger infinite recursion via certain types of self- referential views in conjunction with ALTER TABLE statements (bsc#1158958)
- CVE-2019-19317: lookupName in resolve.c omits bits from the colUsed bitmask in the case of a generated column, which allows attackers to cause a denial of service (bsc#1158812)
- CVE-2019-19244: sqlite3,sqlite2,sqlite: The function sqlite3Select in select.c allows a crash if a sub-select uses both DISTINCT and window functions, and also has certain ORDER BY usage (bsc#1157818)
- CVE-2015-3415: sqlite3VdbeExec comparison operator vulnerability (bsc#928701)
- CVE-2015-3414: sqlite3,sqlite2: dequoting of collation-sequence names (bsc#928700)
- CVE-2020-13434: integer overflow in sqlite3_str_vappendf (bsc#1172115)
- CVE-2020-13630: (bsc#1172234: use-after-free in fts3EvalNextRow
- CVE-2020-13631: virtual table allowed to be renamed to one of its shadow tables (bsc#1172236)
- CVE-2020-13632: NULL pointer dereference via crafted matchinfo() query (bsc#1172240)
- CVE-2020-13435: Malicious SQL statements could have crashed the process that is running SQLite (bsc#1172091)

Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Update the affected libsqlite3-0, libsqlite3-0-32bit, sqlite3 and / or sqlite3-devel packages.

See Also

https://bugzilla.suse.com/1157818

https://bugzilla.suse.com/1158812

https://bugzilla.suse.com/1158958

https://bugzilla.suse.com/1158959

https://bugzilla.suse.com/1158960

https://bugzilla.suse.com/1159491

https://bugzilla.suse.com/1159715

https://bugzilla.suse.com/1159847

https://bugzilla.suse.com/1159850

https://bugzilla.suse.com/1160309

https://bugzilla.suse.com/1160438

https://bugzilla.suse.com/1160439

https://bugzilla.suse.com/1164719

https://bugzilla.suse.com/1172091

https://bugzilla.suse.com/1172115

https://bugzilla.suse.com/1172234

https://bugzilla.suse.com/1172236

https://bugzilla.suse.com/1172240

https://bugzilla.suse.com/1173641

https://bugzilla.suse.com/928700

https://bugzilla.suse.com/928701

https://www.suse.com/security/cve/CVE-2015-3414

https://www.suse.com/security/cve/CVE-2015-3415

https://www.suse.com/security/cve/CVE-2019-19244

https://www.suse.com/security/cve/CVE-2019-19317

https://www.suse.com/security/cve/CVE-2019-19603

https://www.suse.com/security/cve/CVE-2019-19645

https://www.suse.com/security/cve/CVE-2019-19646

https://www.suse.com/security/cve/CVE-2019-19880

https://www.suse.com/security/cve/CVE-2019-19923

https://www.suse.com/security/cve/CVE-2019-19924

https://www.suse.com/security/cve/CVE-2019-19925

https://www.suse.com/security/cve/CVE-2019-19926

https://www.suse.com/security/cve/CVE-2019-19959

https://www.suse.com/security/cve/CVE-2019-20218

https://www.suse.com/security/cve/CVE-2020-13434

https://www.suse.com/security/cve/CVE-2020-13435

https://www.suse.com/security/cve/CVE-2020-13630

https://www.suse.com/security/cve/CVE-2020-13631

https://www.suse.com/security/cve/CVE-2020-13632

https://www.suse.com/security/cve/CVE-2020-15358

https://www.suse.com/security/cve/CVE-2020-9327

http://www.nessus.org/u?1fe5c1d1

Plugin Details

Severity: Critical

ID: 151654

File Name: suse_SU-2021-2320-1.nasl

Version: 1.7

Type: Local

Agent: unix

Published: 7/15/2021

Updated: 6/25/2026

Supported Sensors: Agentless Assessment, Continuous Assessment, Frictionless Assessment Agent, Frictionless Assessment AWS, Frictionless Assessment Azure, Nessus Agent, Tenable Cloud Security, Tenable Self-Hosted Container Security, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 5

Percentile: 95.09

CVSS v2

Risk Factor: High

Base Score: 7.5

Temporal Score: 5.9

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS Score Source: CVE-2019-19646

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 8.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

CPE: cpe:/o:novell:suse_linux:15, p-cpe:/a:novell:suse_linux:libsqlite3-0, p-cpe:/a:novell:suse_linux:sqlite3, p-cpe:/a:novell:suse_linux:sqlite3-devel, p-cpe:/a:novell:suse_linux:libsqlite3-0-32bit

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/SuSE/release, Host/SuSE/rpm-list

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 7/14/2021

Vulnerability Publication Date: 3/19/2015

Reference Information

CVE: CVE-2015-3414, CVE-2015-3415, CVE-2019-19244, CVE-2019-19317, CVE-2019-19603, CVE-2019-19645, CVE-2019-19646, CVE-2019-19880, CVE-2019-19923, CVE-2019-19924, CVE-2019-19925, CVE-2019-19926, CVE-2019-19959, CVE-2019-20218, CVE-2020-13434, CVE-2020-13435, CVE-2020-13630, CVE-2020-13631, CVE-2020-13632, CVE-2020-15358, CVE-2020-9327

IAVA: 2020-A-0358-S

SuSE: SUSE-SU-2021:2320-1