Oracle Linux 8 : istio (ELSA-2023-12354)

high Nessus Plugin ID 176424

Synopsis

The remote Oracle Linux host is missing one or more security updates.

Description

The remote Oracle Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2023-12354 advisory.

- Cross-site scripting vulnerability in Zero-channel BBS Plus v0.7.4 and earlier allows a remote attacker to inject an arbitrary script via unspecified vectors. (CVE-2022-27496)

- Improper initialization in the firmware for some Intel(R) NUC Laptop Kits before version BC0076 may allow a privileged user to potentially enable an escalation of privilege via local access. (CVE-2022-27493)

- A improper privilege management in Fortinet FortiSandbox version 4.2.0 through 4.2.2, 4.0.0 through 4.0.2 and before 3.2.3 and FortiDeceptor version 4.1.0, 4.0.0 through 4.0.2 and before 3.3.3 allows a remote authenticated attacker to perform unauthorized API calls via crafted HTTP or HTTPS requests.
(CVE-2022-27487)

- A improper verification of source of a communication channel in Fortinet FortiOS with IPS engine version 7.201 through 7.214, 7.001 through 7.113, 6.001 through 6.121, 5.001 through 5.258 and before 4.086 allows a remote and unauthenticated attacker to trigger the sending of blocked page HTML data to an arbitrary victim via crafted TCP requests, potentially flooding the victim. (CVE-2022-27491)

- An integer underflow in WhatsApp could have caused remote code execution when receiving a crafted video file. (CVE-2022-27492)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Update the affected packages.

See Also

https://linux.oracle.com/errata/ELSA-2023-12354.html

Plugin Details

Severity: High

ID: 176424

File Name: oraclelinux_ELSA-2023-12354.nasl

Version: 1.3

Type: local

Agent: unix

Published: 5/26/2023

Updated: 12/25/2023

Supported Sensors: Frictionless Assessment Agent, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 5.9

CVSS v2

Risk Factor: Medium

Base Score: 4.3

Temporal Score: 3.2

Vector: CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N

CVSS Score Source: CVE-2022-27496

CVSS v3

Risk Factor: High

Base Score: 8.8

Temporal Score: 7.7

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

CVSS Score Source: CVE-2022-27488

Vulnerability Information

CPE: cpe:/o:oracle:linux:8, p-cpe:/a:oracle:linux:kubelet, p-cpe:/a:oracle:linux:olcne-utils, p-cpe:/a:oracle:linux:istio, p-cpe:/a:oracle:linux:olcne-oci-ccm-chart, p-cpe:/a:oracle:linux:kubectl, p-cpe:/a:oracle:linux:olcne-agent, p-cpe:/a:oracle:linux:olcnectl, p-cpe:/a:oracle:linux:olcne-nginx, p-cpe:/a:oracle:linux:olcne-istio-chart, p-cpe:/a:oracle:linux:olcne-multus-chart, p-cpe:/a:oracle:linux:olcne-olm-chart, p-cpe:/a:oracle:linux:olcne-api-server, p-cpe:/a:oracle:linux:olcne-prometheus-chart, p-cpe:/a:oracle:linux:olcne-gluster-chart, p-cpe:/a:oracle:linux:istio-istioctl, p-cpe:/a:oracle:linux:olcne-metallb-chart, p-cpe:/a:oracle:linux:kubeadm, p-cpe:/a:oracle:linux:olcne-grafana-chart, p-cpe:/a:oracle:linux:olcne-calico-chart

Required KB Items: Host/local_checks_enabled, Host/RedHat/release, Host/RedHat/rpm-list, Host/OracleLinux

Exploit Ease: No known exploits are available

Patch Publication Date: 5/26/2023

Vulnerability Publication Date: 3/31/2022

Reference Information

CVE: CVE-2022-27487, CVE-2022-27488, CVE-2022-27491, CVE-2022-27492, CVE-2022-27493, CVE-2022-27496