SUSE SLED12 / SLES12 Security Update : sqlite3 (SUSE-SU-2021:3215-1)

critical Nessus Plugin ID 153643

Language:

Synopsis

The remote SUSE host is missing one or more security updates.

Description

The remote SUSE Linux SLED12 / SLES12 / SLES_SAP12 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2021:3215-1 advisory.

sqlite3 is sync version 3.36.0 from Factory (jsc#SLE-16032).

The following CVEs have been fixed in upstream releases up to this point, but were not mentioned in the change log so far:

* bsc#1173641, CVE-2020-15358: heap-based buffer overflow in multiSelectOrderBy due to mishandling of query-flattener optimization
* bsc#1164719, CVE-2020-9327: NULL pointer dereference and segmentation fault because of generated column optimizations in isAuxiliaryVtabOperator
* bsc#1160439, CVE-2019-20218: selectExpander in select.c proceeds with WITH stack unwinding even after a parsing error
* bsc#1160438, CVE-2019-19959: memory-management error via ext/misc/zipfile.c involving embedded '\0' input
* bsc#1160309, CVE-2019-19923: improper handling of certain uses of SELECT DISTINCT in flattenSubquery may lead to null pointer dereference
* bsc#1159850, CVE-2019-19924: improper error handling in sqlite3WindowRewrite()
* bsc#1159847, CVE-2019-19925: improper handling of NULL pathname during an update of a ZIP archive
* bsc#1159715, CVE-2019-19926: improper handling of certain errors during parsing multiSelect in select.c
* bsc#1159491, CVE-2019-19880: exprListAppendList in window.c allows attackers to trigger an invalid pointer dereference
* bsc#1158960, CVE-2019-19603: during handling of CREATE TABLE and CREATE VIEW statements, does not consider confusion with a shadow table name
* bsc#1158959, CVE-2019-19646: pragma.c mishandles NOT NULL in an integrity_check PRAGMA command in certain cases of generated columns
* bsc#1158958, CVE-2019-19645: alter.c allows attackers to trigger infinite recursion via certain types of self-referential views in conjunction with ALTER TABLE statements
* bsc#1158812, CVE-2019-19317: lookupName in resolve.c omits bits from the colUsed bitmask in the case of a generated column, which allows attackers to cause a denial of service
* bsc#1157818, CVE-2019-19244: sqlite3,sqlite2,sqlite: The function sqlite3Select in select.c allows a crash if a sub-select uses both DISTINCT and window functions, and also has certain ORDER BY usage
* bsc#928701, CVE-2015-3415: sqlite3VdbeExec comparison operator vulnerability
* bsc#928700, CVE-2015-3414: sqlite3,sqlite2: dequoting of collation-sequence names
* CVE-2020-13434 bsc#1172115: integer overflow in sqlite3_str_vappendf
* CVE-2020-13630 bsc#1172234: use-after-free in fts3EvalNextRow
* CVE-2020-13631 bsc#1172236: virtual table allowed to be renamed to one of its shadow tables
* CVE-2020-13632 bsc#1172240: NULL pointer dereference via crafted matchinfo() query
* CVE-2020-13435: Malicious SQL statements could have crashed the process that is running SQLite (bsc#1172091)

Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Update the affected libsqlite3-0, libsqlite3-0-32bit, sqlite3 and / or sqlite3-devel packages.

See Also

https://bugzilla.suse.com/1157818

https://bugzilla.suse.com/1158812

https://bugzilla.suse.com/1158958

https://bugzilla.suse.com/1158959

https://bugzilla.suse.com/1158960

https://bugzilla.suse.com/1159491

https://bugzilla.suse.com/1159715

https://bugzilla.suse.com/1159847

https://bugzilla.suse.com/1159850

https://bugzilla.suse.com/1160309

https://bugzilla.suse.com/1160438

https://bugzilla.suse.com/1160439

https://bugzilla.suse.com/1164719

https://bugzilla.suse.com/1172091

https://bugzilla.suse.com/1172115

https://bugzilla.suse.com/1172234

https://bugzilla.suse.com/1172236

https://bugzilla.suse.com/1172240

https://bugzilla.suse.com/1173641

https://bugzilla.suse.com/928700

https://bugzilla.suse.com/928701

https://www.suse.com/security/cve/CVE-2015-3414

https://www.suse.com/security/cve/CVE-2015-3415

https://www.suse.com/security/cve/CVE-2016-6153

https://www.suse.com/security/cve/CVE-2017-10989

https://www.suse.com/security/cve/CVE-2017-2518

https://www.suse.com/security/cve/CVE-2018-20346

https://www.suse.com/security/cve/CVE-2018-8740

https://www.suse.com/security/cve/CVE-2019-16168

https://www.suse.com/security/cve/CVE-2019-19244

https://www.suse.com/security/cve/CVE-2019-19317

https://www.suse.com/security/cve/CVE-2019-19603

https://www.suse.com/security/cve/CVE-2019-19645

https://www.suse.com/security/cve/CVE-2019-19646

https://www.suse.com/security/cve/CVE-2019-19880

https://www.suse.com/security/cve/CVE-2019-19923

https://www.suse.com/security/cve/CVE-2019-19924

https://www.suse.com/security/cve/CVE-2019-19925

https://www.suse.com/security/cve/CVE-2019-19926

https://www.suse.com/security/cve/CVE-2019-19959

https://www.suse.com/security/cve/CVE-2019-20218

https://www.suse.com/security/cve/CVE-2019-8457

https://www.suse.com/security/cve/CVE-2020-13434

https://www.suse.com/security/cve/CVE-2020-13435

https://www.suse.com/security/cve/CVE-2020-13630

https://www.suse.com/security/cve/CVE-2020-13631

https://www.suse.com/security/cve/CVE-2020-13632

https://www.suse.com/security/cve/CVE-2020-15358

https://www.suse.com/security/cve/CVE-2020-9327

http://www.nessus.org/u?b948800c

Plugin Details

Severity: Critical

ID: 153643

File Name: suse_SU-2021-3215-1.nasl

Version: 1.8

Type: Local

Agent: unix

Published: 9/24/2021

Updated: 6/25/2026

Supported Sensors: Agentless Assessment, Continuous Assessment, Frictionless Assessment Agent, Frictionless Assessment AWS, Frictionless Assessment Azure, Nessus Agent, Tenable Cloud Security, Tenable Self-Hosted Container Security, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.9

Percentile: 96.95

CVSS v2

Risk Factor: High

Base Score: 7.5

Temporal Score: 5.9

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS Score Source: CVE-2019-8457

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 8.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

CPE: cpe:/o:novell:suse_linux:12, p-cpe:/a:novell:suse_linux:libsqlite3-0, p-cpe:/a:novell:suse_linux:sqlite3, p-cpe:/a:novell:suse_linux:sqlite3-devel, p-cpe:/a:novell:suse_linux:libsqlite3-0-32bit

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/SuSE/release, Host/SuSE/rpm-list

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 9/23/2021

Vulnerability Publication Date: 3/19/2015

Reference Information

CVE: CVE-2015-3414, CVE-2015-3415, CVE-2016-6153, CVE-2017-10989, CVE-2017-2518, CVE-2018-20346, CVE-2018-8740, CVE-2019-16168, CVE-2019-19244, CVE-2019-19317, CVE-2019-19603, CVE-2019-19645, CVE-2019-19646, CVE-2019-19880, CVE-2019-19923, CVE-2019-19924, CVE-2019-19925, CVE-2019-19926, CVE-2019-19959, CVE-2019-20218, CVE-2019-8457, CVE-2020-13434, CVE-2020-13435, CVE-2020-13630, CVE-2020-13631, CVE-2020-13632, CVE-2020-15358, CVE-2020-9327

IAVA: 2020-A-0358-S

SuSE: SUSE-SU-2021:3215-1