The version of AOS installed on the remote host is prior to 6.5.2. It is, therefore, affected by multiple vulnerabilities as referenced in the NXSA-AOS-6.5.2 advisory.

  - http.client in Python 3.x before 3.5.10, 3.6.x before 3.6.12, 3.7.x before 3.7.9, and 3.8.x before 3.8.5     allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR     and LF control characters in the first argument of HTTPConnection.request. (CVE-2020-26116)

  - urllib3 before 1.25.9 allows CRLF injection if the attacker controls the HTTP request method, as     demonstrated by inserting CR and LF control characters in the first argument of putrequest(). NOTE: this     is similar to CVE-2020-26116. (CVE-2020-26137)

  - Python 3.x through 3.9.1 has a buffer overflow in PyCArg_repr in _ctypes/callproc.c, which may lead to     remote code execution in certain Python applications that accept floating-point numbers as untrusted     input, as demonstrated by a 1e300 argument to c_double.from_param. This occurs because sprintf is used     unsafely. (CVE-2021-3177)

  - An arbitrary file write vulnerability was found in GNU gzip's zgrep utility. When zgrep is applied on the     attacker's chosen file name (for example, a crafted file name), this can overwrite an attacker's content     to an arbitrary attacker-selected file. This flaw occurs due to insufficient validation when processing     filenames with two or more newlines where selected content and the target file names are embedded in     crafted multi-line file names. This flaw allows a remote, low privileged attacker to force zgrep to write     arbitrary files on the system. (CVE-2022-1271)

  - A race condition was found the Linux kernel in perf_event_open() which can be exploited by an unprivileged     user to gain root privileges. The bug allows to build several exploit primitives such as kernel address     information leak, arbitrary execution, etc. (CVE-2022-1729)

  - Incomplete cleanup of multi-core shared buffers for some Intel(R) Processors may allow an authenticated     user to potentially enable information disclosure via local access. (CVE-2022-21123)

  - Incomplete cleanup of microarchitectural fill buffers on some Intel(R) Processors may allow an     authenticated user to potentially enable information disclosure via local access. (CVE-2022-21125)

  - Incomplete cleanup in specific special register write operations for some Intel(R) Processors may allow an     authenticated user to potentially enable information disclosure via local access. (CVE-2022-21166)

  - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE     (component: Hotspot). Supported versions that are affected are Oracle Java SE: 7u343, 8u333, 11.0.15.1,     17.0.3.1, 18.0.1.1; Oracle GraalVM Enterprise Edition: 20.3.6, 21.3.2 and 22.1.0. Easily exploitable     vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise     Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in     unauthorized read access to a subset of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data.
    Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web     Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from     the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using     APIs in the specified Component, e.g., through a web service which supplies data to the APIs.
    (CVE-2022-21540)

  - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE     (component: Hotspot). Supported versions that are affected are Oracle Java SE: 7u343, 8u333, 11.0.15.1,     17.0.3.1, 18.0.1.1; Oracle GraalVM Enterprise Edition: 20.3.6, 21.3.2 and 22.1.0. Difficult to exploit     vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise     Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in     unauthorized creation, deletion or modification access to critical data or all Oracle Java SE, Oracle     GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments,     typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load     and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for     security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through     a web service which supplies data to the APIs. (CVE-2022-21541)

  - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE     (component: Security). Supported versions that are affected are Oracle Java SE: 8u341, 8u345-perf,     11.0.16.1, 17.0.4.1, 19; Oracle GraalVM Enterprise Edition: 20.3.7, 21.3.3 and 22.2.0. Difficult to     exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to     compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can     result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM     Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in     clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run     untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This     vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service     which supplies data to the APIs. (CVE-2022-21619)

  - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE     (component: JNDI). Supported versions that are affected are Oracle Java SE: 8u341, 8u345-perf, 11.0.16.1,     17.0.4.1, 19; Oracle GraalVM Enterprise Edition: 20.3.7, 21.3.3 and 22.2.0. Difficult to exploit     vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise     Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in     unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition     accessible data. Note: This vulnerability applies to Java deployments, typically in clients running     sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g.,     code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also     be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to     the APIs. (CVE-2022-21624)

  - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE     (component: Security). Supported versions that are affected are Oracle Java SE: 8u341, 8u345-perf,     11.0.16.1; Oracle GraalVM Enterprise Edition: 20.3.7, 21.3.3 and 22.2.0. Easily exploitable vulnerability     allows unauthenticated attacker with network access via HTTPS to compromise Oracle Java SE, Oracle GraalVM     Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a     partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This     vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start     applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the     internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using     APIs in the specified Component, e.g., through a web service which supplies data to the APIs.
    (CVE-2022-21626)

  - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE     (component: Lightweight HTTP Server). Supported versions that are affected are Oracle Java SE: 8u341,     8u345-perf, 11.0.16.1, 17.0.4.1, 19; Oracle GraalVM Enterprise Edition: 20.3.7, 21.3.3 and 22.2.0. Easily     exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise     Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in     unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM     Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running     sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g.,     code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not     apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed     by an administrator). (CVE-2022-21628)

  - A use-after-free vulnerability was found in systemd. This issue occurs due to the on_stream_io() function     and dns_stream_complete() function in 'resolved-dns-stream.c' not incrementing the reference counting for     the DnsStream object. Therefore, other functions and callbacks called can dereference the DNSStream     object, causing the use-after-free when the reference is still used later. (CVE-2022-2526)

  - An issue was discovered in rsync before 3.2.5 that allows malicious remote servers to write arbitrary     files inside the directories of connecting peers. The server chooses which files/directories are sent to     the client. However, the rsync client performs insufficient validation of file names. A malicious rsync     server (or Man-in-The-Middle attacker) can overwrite arbitrary files in the rsync client target directory     and subdirectories (for example, overwrite the .ssh/authorized_keys file). (CVE-2022-29154)

  - VMware Tools (12.0.0, 11.x.y and 10.x.y) contains a local privilege escalation vulnerability. A malicious     actor with local non-administrative access to the Guest OS can escalate privileges as a root user in the     virtual machine. (CVE-2022-31676)

  - The Apache Xalan Java XSLT library is vulnerable to an integer truncation issue when processing malicious     XSLT stylesheets. This can be used to corrupt Java class files generated by the internal XSLTC compiler     and execute arbitrary Java bytecode. The Apache Xalan Java project is dormant and in the process of being     retired. No future releases of Apache Xalan Java to address this issue are expected. Note: Java runtimes     (such as OpenJDK) include repackaged copies of Xalan. (CVE-2022-34169)

  - In Apache Tomcat 10.1.0-M1 to 10.1.0-M16, 10.0.0-M1 to 10.0.22, 9.0.30 to 9.0.64 and 8.5.50 to 8.5.81 the     Form authentication example in the examples web application displayed user provided data without     filtering, exposing a XSS vulnerability. (CVE-2022-34305)

  - By spoofing the target resolver with responses that have a malformed ECDSA signature, an attacker can     trigger a small memory leak. It is possible to gradually erode available memory to the point where named     crashes for lack of resources. (CVE-2022-38177)

  - By spoofing the target resolver with responses that have a malformed EdDSA signature, an attacker can     trigger a small memory leak. It is possible to gradually erode available memory to the point where named     crashes for lack of resources. (CVE-2022-38178)

  - libexpat before 2.4.9 has a use-after-free in the doContent function in xmlparse.c. (CVE-2022-40674)

  - multipath-tools 0.7.0 through 0.9.x before 0.9.2 allows local users to obtain root access, as exploited     alone or in conjunction with CVE-2022-41973. Local users able to write to UNIX domain sockets can bypass     access controls and manipulate the multipath setup. This can lead to local privilege escalation to root.
    This occurs because an attacker can repeat a keyword, which is mishandled because arithmetic ADD is used     instead of bitwise OR. (CVE-2022-41974)

  - If Apache Tomcat 8.5.0 to 8.5.82, 9.0.0-M1 to 9.0.67, 10.0.0-M1 to 10.0.26 or 10.1.0-M1 to 10.1.0 was     configured to ignore invalid HTTP headers via setting rejectIllegalHeader to false (the default for 8.5.x     only), Tomcat did not reject a request containing an invalid Content-Length header making a request     smuggling attack possible if Tomcat was located behind a reverse proxy that also failed to reject the     request with the invalid header. (CVE-2022-42252)

  - PAC parsing in MIT Kerberos 5 (aka krb5) before 1.19.4 and 1.20.x before 1.20.1 has integer overflows that     may lead to remote code execution (in KDC, kadmind, or a GSS or Kerberos application server) on 32-bit     platforms (which have a resultant heap-based buffer overflow), and cause a denial of service on other     platforms. This occurs in krb5_pac_parse in lib/krb5/krb/pac.c. Heimdal before 7.7.1 has a similar bug.
    (CVE-2022-42898)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Detections

Analytics

Nutanix AOS : Multiple Vulnerabilities (NXSA-AOS-6.5.2)

critical Nessus Plugin ID 170627

Version 1.6

Version 1.5

Version 1.5

Version 1.4

Version 1.3

Version 1.2

Version 1.1

Version 1.0

Version 1.6 Jan 16, 2024, 5:39 PM CVE (Removed rejected CVE) Plugin Feed: 202401161739
Version 1.5 Sep 6, 2023, 2:11 PM CVSS temporal metrics ("CVSSv2 temporal vector" set to "CVSS2#E:F/RL:OF/RC:C". "CVSSv3 temporal vector" set to "CVSS:3.0/E:F/RL:O/RC:C") Plugin Feed: 202309061411
Version 1.5 Jan 16, 2024, 3:43 PM CVE (Removed rejected CVE) Plugin Feed: 202401161543
Version 1.4 Feb 23, 2023, 6:16 PM Plugin metadata Plugin Feed: 202302231816
Version 1.3 Feb 6, 2023, 9:36 PM CVSSv3 score source (changed from "CVE-2022-40674" to "CVE-2022-2526") Exploit attributes ("Exploit available" set to "True") Exploit attributes ("Exploitability ease" changed from "No known exploits are available" to "Exploits are available") Plugin Feed: 202302062136
Version 1.2 Feb 3, 2023, 2:05 PM Regenerated based on advisory update Plugin Feed: 202302031405
Version 1.1 Jan 26, 2023, 3:59 PM Exploit attributes ("Exploit available" set to "True") Exploit attributes ("Exploitability ease" changed from "No known exploits are available" to "Exploits are available") Plugin Feed: 202301261559
Version 1.0 Jan 26, 2023, 2:58 AM New Plugin Feed: 202301260258