SUSE SLES15 Security Update : busybox (SUSE-SU-2022:0135-2)

critical Nessus Plugin ID 158060

Language:

Synopsis

The remote SUSE host is missing one or more security updates.

Description

The remote SUSE Linux SLES15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2022:0135-2 advisory.

- CVE-2011-5325: Fixed tar directory traversal (bsc#951562).
- CVE-2015-9261: Fixed segfalts and application crashes in huft_build (bsc#1102912).
- CVE-2016-2147: Fixed out of bounds write (heap) due to integer underflow in udhcpc (bsc#970663).
- CVE-2016-2148: Fixed heap-based buffer overflow in OPTION_6RD parsing (bsc#970662).
- CVE-2016-6301: Fixed NTP server denial of service flaw (bsc#991940).
- CVE-2017-15873: Fixed integer overflow in get_next_block function in archival/libarchive/decompress_bunzip2.c (bsc#1064976).
- CVE-2017-15874: Fixed integer underflow in archival/libarchive/decompress_unlzma.c (bsc#1064978).
- CVE-2017-16544: Fixed Insufficient sanitization of filenames when autocompleting (bsc#1069412).
- CVE-2018-1000500 : Fixed missing SSL certificate validation in wget (bsc#1099263).
- CVE-2018-1000517: Fixed heap-based buffer overflow in the retrieve_file_data() (bsc#1099260).
- CVE-2018-20679: Fixed out of bounds read in udhcp (bsc#1121426).
- CVE-2019-5747: Fixed out of bounds read in udhcp components (bsc#1121428).
- CVE-2021-28831: Fixed invalid free or segmentation fault via malformed gzip data (bsc#1184522).
- CVE-2021-42373: Fixed NULL pointer dereference in man leading to DoS when a section name is supplied but no page argument is given (bsc#1192869).
- CVE-2021-42374: Fixed out-of-bounds heap read in unlzma leading to information leak and DoS when crafted LZMA-compressed input is decompressed (bsc#1192869).
- CVE-2021-42375: Fixed incorrect handling of a special element in ash leading to DoS when processing a crafted shell command, due to the shell mistaking specific characters for reserved characters (bsc#1192869).
- CVE-2021-42376: Fixed NULL pointer dereference in hush leading to DoS when processing a crafted shell command (bsc#1192869).
- CVE-2021-42377: Fixed attacker-controlled pointer free in hush leading to DoS and possible code execution when processing a crafted shell command (bsc#1192869).
- CVE-2021-42378: Fixed use-after-free in awk leading to DoS and possibly code execution when processing a crafted awk pattern in the getvar_i function (bsc#1192869).
- CVE-2021-42379: Fixed use-after-free in awk leading to DoS and possibly code execution when processing a crafted awk pattern in the next_input_file function (bsc#1192869).
- CVE-2021-42380: Fixed use-after-free in awk leading to DoS and possibly code execution when processing a crafted awk pattern in the clrvar function (bsc#1192869).
- CVE-2021-42381: Fixed use-after-free in awk leading to DoS and possibly code execution when processing a crafted awk pattern in the hash_init function (bsc#1192869).
- CVE-2021-42382: Fixed use-after-free in awk leading to DoS and possibly code execution when processing a crafted awk pattern in the getvar_s function (bsc#1192869).
- CVE-2021-42383: Fixed use-after-free in awk leading to DoS and possibly code execution when processing a crafted awk pattern in the evaluate function (bsc#1192869).
- CVE-2021-42384: Fixed use-after-free in awk leading to DoS and possibly code execution when processing a crafted awk pattern in the handle_special function (bsc#1192869).
- CVE-2021-42385: Fixed use-after-free in awk leading to DoS and possibly code execution when processing a crafted awk pattern in the evaluate function (bsc#1192869).
- CVE-2021-42386: Fixed use-after-free in awk leading to DoS and possibly code execution when processing a crafted awk pattern in the nvalloc function (bsc#1192869).

Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Update the affected busybox and / or busybox-static packages.

See Also

https://bugzilla.suse.com/1064976

https://bugzilla.suse.com/1064978

https://bugzilla.suse.com/1069412

https://bugzilla.suse.com/1099260

https://bugzilla.suse.com/1099263

https://bugzilla.suse.com/1102912

https://bugzilla.suse.com/1121426

https://bugzilla.suse.com/1121428

https://bugzilla.suse.com/1184522

https://bugzilla.suse.com/1192869

https://bugzilla.suse.com/951562

https://bugzilla.suse.com/970662

https://bugzilla.suse.com/970663

https://bugzilla.suse.com/991940

https://www.suse.com/security/cve/CVE-2011-5325

https://www.suse.com/security/cve/CVE-2015-9261

https://www.suse.com/security/cve/CVE-2016-2147

https://www.suse.com/security/cve/CVE-2016-2148

https://www.suse.com/security/cve/CVE-2016-6301

https://www.suse.com/security/cve/CVE-2017-15873

https://www.suse.com/security/cve/CVE-2017-15874

https://www.suse.com/security/cve/CVE-2017-16544

https://www.suse.com/security/cve/CVE-2018-1000500

https://www.suse.com/security/cve/CVE-2018-1000517

https://www.suse.com/security/cve/CVE-2018-20679

https://www.suse.com/security/cve/CVE-2019-5747

https://www.suse.com/security/cve/CVE-2021-28831

https://www.suse.com/security/cve/CVE-2021-42373

https://www.suse.com/security/cve/CVE-2021-42374

https://www.suse.com/security/cve/CVE-2021-42375

https://www.suse.com/security/cve/CVE-2021-42376

https://www.suse.com/security/cve/CVE-2021-42377

https://www.suse.com/security/cve/CVE-2021-42378

https://www.suse.com/security/cve/CVE-2021-42379

https://www.suse.com/security/cve/CVE-2021-42380

https://www.suse.com/security/cve/CVE-2021-42381

https://www.suse.com/security/cve/CVE-2021-42382

https://www.suse.com/security/cve/CVE-2021-42383

https://www.suse.com/security/cve/CVE-2021-42384

https://www.suse.com/security/cve/CVE-2021-42385

https://www.suse.com/security/cve/CVE-2021-42386

http://www.nessus.org/u?d1caad4b

Plugin Details

Severity: Critical

ID: 158060

File Name: suse_SU-2022-0135-2.nasl

Version: 1.7

Type: Local

Agent: unix

Published: 2/15/2022

Updated: 6/26/2026

Supported Sensors: Agentless Assessment, Continuous Assessment, Frictionless Assessment Agent, Frictionless Assessment AWS, Frictionless Assessment Azure, Nessus Agent, Tenable Cloud Security, Tenable Self-Hosted Container Security, Nessus

Risk Information

VPR

Risk Factor: High

Score: 7.6

Percentile: 98.67

CVSS v2

Risk Factor: High

Base Score: 7.5

Temporal Score: 5.9

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS Score Source: CVE-2018-1000517

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 8.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

CVSS Score Source: CVE-2021-42377

Vulnerability Information

CPE: p-cpe:/a:novell:suse_linux:busybox-static, p-cpe:/a:novell:suse_linux:busybox, cpe:/o:novell:suse_linux:15

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/SuSE/release, Host/SuSE/rpm-list

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 2/14/2022

Vulnerability Publication Date: 8/3/2016

Reference Information

CVE: CVE-2011-5325, CVE-2015-9261, CVE-2016-2147, CVE-2016-2148, CVE-2016-6301, CVE-2017-15873, CVE-2017-15874, CVE-2017-16544, CVE-2018-1000500, CVE-2018-1000517, CVE-2018-20679, CVE-2019-5747, CVE-2021-28831, CVE-2021-42373, CVE-2021-42374, CVE-2021-42375, CVE-2021-42376, CVE-2021-42377, CVE-2021-42378, CVE-2021-42379, CVE-2021-42380, CVE-2021-42381, CVE-2021-42382, CVE-2021-42383, CVE-2021-42384, CVE-2021-42385, CVE-2021-42386

IAVA: 2019-A-0344

SuSE: SUSE-SU-2022:0135-2