Detections
Analytics

Oracle Linux 8 : libreoffice (ELSA-2020-1598)

critical Nessus Plugin ID 180688

Language:

Synopsis

The remote Oracle Linux host is missing one or more security updates.

Description

The remote Oracle Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2020-1598 advisory.

 - LibreOffice has a 'stealth mode' in which only documents from locations deemed 'trusted' are allowed to retrieve remote resources. This mode is not the default mode, but can be enabled by users who want to disable LibreOffice's ability to include remote resources within a document. A flaw existed where bullet graphics were omitted from this protection prior to version 6.2.5. This issue affects: Document Foundation LibreOffice versions prior to 6.2.5. (CVE-2019-9849)

 - LibreOffice is typically bundled with LibreLogo, a programmable turtle vector graphics script, which can execute arbitrary python commands contained with the document it is launched from. LibreOffice also has a feature where documents can specify that pre-installed scripts can be executed on various document script events such as mouse-over, etc. Protection was added, to address CVE-2019-9848, to block calling LibreLogo from script event handers. However an insufficient url validation vulnerability in LibreOffice allowed malicious to bypass that protection and again trigger calling LibreLogo from script event handlers. This issue affects: Document Foundation LibreOffice versions prior to 6.2.6. (CVE-2019-9850)

 - LibreOffice is typically bundled with LibreLogo, a programmable turtle vector graphics script, which can execute arbitrary python commands contained with the document it is launched from. Protection was added, to address CVE-2019-9848, to block calling LibreLogo from document event script handers, e.g. mouse over.
 However LibreOffice also has a separate feature where documents can specify that pre-installed scripts can be executed on various global script events such as document-open, etc. In the fixed versions, global script event handlers are validated equivalently to document script event handlers. This issue affects:
 Document Foundation LibreOffice versions prior to 6.2.6. (CVE-2019-9851)

 - LibreOffice has a feature where documents can specify that pre-installed macros can be executed on various script events such as mouse-over, document-open etc. Access is intended to be restricted to scripts under the share/Scripts/python, user/Scripts/python sub-directories of the LibreOffice install. Protection was added, to address CVE-2019-9852, to avoid a directory traversal attack where scripts in arbitrary locations on the file system could be executed by employing a URL encoding attack to defeat the path verification step. However this protection could be bypassed by taking advantage of a flaw in how LibreOffice assembled the final script URL location directly from components of the passed in path as opposed to solely from the sanitized output of the path verification step. This issue affects: Document Foundation LibreOffice 6.2 versions prior to 6.2.7; 6.3 versions prior to 6.3.1. (CVE-2019-9854)

 - LibreOffice has a feature where documents can specify that pre-installed macros can be executed on various script events such as mouse-over, document-open etc. Access is intended to be restricted to scripts under the share/Scripts/python, user/Scripts/python sub-directories of the LibreOffice install. Protection was added, to address CVE-2018-16858, to avoid a directory traversal attack where scripts in arbitrary locations on the file system could be executed. However this new protection could be bypassed by a URL encoding attack. In the fixed versions, the parsed url describing the script location is correctly encoded before further processing. This issue affects: Document Foundation LibreOffice versions prior to 6.2.6.
 (CVE-2019-9852)

 - LibreOffice documents can contain macros. The execution of those macros is controlled by the document security settings, typically execution of macros are blocked by default. A URL decoding flaw existed in how the urls to the macros within the document were processed and categorized, resulting in the possibility to construct a document where macro execution bypassed the security settings. The documents were correctly detected as containing macros, and prompted the user to their existence within the documents, but macros within the document were subsequently not controlled by the security settings allowing arbitrary macro execution This issue affects: LibreOffice 6.2 series versions prior to 6.2.7;
 LibreOffice 6.3 series versions prior to 6.3.1. (CVE-2019-9853)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Update the affected packages.

See Also

https://linux.oracle.com/errata/ELSA-2020-1598.html

Plugin Details

Severity: Critical

ID: 180688

File Name: oraclelinux_ELSA-2020-1598.nasl

Version: 1.1

Type: local

Agent: unix

Published: 9/7/2023

Updated: 9/8/2023

Supported Sensors: Frictionless Assessment Agent, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: High

Score: 8.4

CVSS v2

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.2

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS Score Source: CVE-2019-9851

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 9.1

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:F/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:oracle:linux:libreoffice-help-sl, cpe:/o:oracle:linux:8, p-cpe:/a:oracle:linux:autocorr-af, p-cpe:/a:oracle:linux:autocorr-bg, p-cpe:/a:oracle:linux:autocorr-ca, p-cpe:/a:oracle:linux:autocorr-cs, p-cpe:/a:oracle:linux:autocorr-da, p-cpe:/a:oracle:linux:autocorr-de, p-cpe:/a:oracle:linux:autocorr-en, p-cpe:/a:oracle:linux:autocorr-es, p-cpe:/a:oracle:linux:autocorr-fa, p-cpe:/a:oracle:linux:autocorr-fi, p-cpe:/a:oracle:linux:autocorr-fr, p-cpe:/a:oracle:linux:autocorr-ga, p-cpe:/a:oracle:linux:autocorr-hr, p-cpe:/a:oracle:linux:autocorr-hu, p-cpe:/a:oracle:linux:autocorr-is, p-cpe:/a:oracle:linux:autocorr-it, p-cpe:/a:oracle:linux:autocorr-ja, p-cpe:/a:oracle:linux:autocorr-ko, p-cpe:/a:oracle:linux:autocorr-lb, p-cpe:/a:oracle:linux:autocorr-lt, p-cpe:/a:oracle:linux:autocorr-mn, p-cpe:/a:oracle:linux:autocorr-nl, p-cpe:/a:oracle:linux:autocorr-pl, p-cpe:/a:oracle:linux:autocorr-pt, p-cpe:/a:oracle:linux:autocorr-ro, p-cpe:/a:oracle:linux:autocorr-ru, p-cpe:/a:oracle:linux:autocorr-sk, p-cpe:/a:oracle:linux:autocorr-sl, p-cpe:/a:oracle:linux:autocorr-sr, p-cpe:/a:oracle:linux:autocorr-sv, p-cpe:/a:oracle:linux:autocorr-tr, p-cpe:/a:oracle:linux:autocorr-vi, p-cpe:/a:oracle:linux:autocorr-zh, p-cpe:/a:oracle:linux:libreoffice-base, p-cpe:/a:oracle:linux:libreoffice-calc, p-cpe:/a:oracle:linux:libreoffice-core, p-cpe:/a:oracle:linux:libreoffice-data, p-cpe:/a:oracle:linux:libreoffice-draw, p-cpe:/a:oracle:linux:libreoffice-emailmerge, p-cpe:/a:oracle:linux:libreoffice-filters, p-cpe:/a:oracle:linux:libreoffice-help-bg, p-cpe:/a:oracle:linux:libreoffice-help-bn, p-cpe:/a:oracle:linux:libreoffice-help-ca, p-cpe:/a:oracle:linux:libreoffice-help-cs, p-cpe:/a:oracle:linux:libreoffice-help-da, p-cpe:/a:oracle:linux:libreoffice-help-de, p-cpe:/a:oracle:linux:libreoffice-help-dz, p-cpe:/a:oracle:linux:libreoffice-help-el, p-cpe:/a:oracle:linux:libreoffice-help-en, p-cpe:/a:oracle:linux:libreoffice-help-es, p-cpe:/a:oracle:linux:libreoffice-help-et, p-cpe:/a:oracle:linux:libreoffice-help-eu, p-cpe:/a:oracle:linux:libreoffice-help-fi, p-cpe:/a:oracle:linux:libreoffice-help-fr, p-cpe:/a:oracle:linux:libreoffice-help-gl, p-cpe:/a:oracle:linux:libreoffice-help-gu, p-cpe:/a:oracle:linux:libreoffice-help-he, p-cpe:/a:oracle:linux:libreoffice-help-hi, p-cpe:/a:oracle:linux:libreoffice-help-hr, p-cpe:/a:oracle:linux:libreoffice-help-hu, p-cpe:/a:oracle:linux:libreoffice-help-id, p-cpe:/a:oracle:linux:libreoffice-help-it, p-cpe:/a:oracle:linux:libreoffice-help-sv, p-cpe:/a:oracle:linux:libreoffice-help-ta, p-cpe:/a:oracle:linux:libreoffice-help-tr, p-cpe:/a:oracle:linux:libreoffice-help-uk, p-cpe:/a:oracle:linux:libreoffice-help-zh-hans, p-cpe:/a:oracle:linux:libreoffice-help-zh-hant, p-cpe:/a:oracle:linux:libreoffice-impress, p-cpe:/a:oracle:linux:libreoffice-langpack-af, p-cpe:/a:oracle:linux:libreoffice-langpack-ar, p-cpe:/a:oracle:linux:libreoffice-langpack-as, p-cpe:/a:oracle:linux:libreoffice-langpack-bg, p-cpe:/a:oracle:linux:libreoffice-langpack-bn, p-cpe:/a:oracle:linux:libreoffice-langpack-br, p-cpe:/a:oracle:linux:libreoffice-sdk-doc, p-cpe:/a:oracle:linux:libreoffice-ure, p-cpe:/a:oracle:linux:libreoffice-ure-common, p-cpe:/a:oracle:linux:libreoffice-wiki-publisher, p-cpe:/a:oracle:linux:libreoffice-writer, p-cpe:/a:oracle:linux:libreoffice-x11, p-cpe:/a:oracle:linux:libreoffice-xsltfilter, p-cpe:/a:oracle:linux:libreofficekit, p-cpe:/a:oracle:linux:libreoffice-gdb-debug-support, p-cpe:/a:oracle:linux:libreoffice-graphicfilter, p-cpe:/a:oracle:linux:libreoffice-gtk2, p-cpe:/a:oracle:linux:libreoffice-gtk3, p-cpe:/a:oracle:linux:libreoffice-help-ar, p-cpe:/a:oracle:linux:libreoffice-help-ja, p-cpe:/a:oracle:linux:libreoffice-help-ko, p-cpe:/a:oracle:linux:libreoffice-help-lt, p-cpe:/a:oracle:linux:libreoffice-help-lv, p-cpe:/a:oracle:linux:libreoffice-help-nb, p-cpe:/a:oracle:linux:libreoffice-help-nl, p-cpe:/a:oracle:linux:libreoffice-help-nn, p-cpe:/a:oracle:linux:libreoffice-help-pl, p-cpe:/a:oracle:linux:libreoffice-help-pt-br, p-cpe:/a:oracle:linux:libreoffice-help-pt-pt, p-cpe:/a:oracle:linux:libreoffice-help-ro, p-cpe:/a:oracle:linux:libreoffice-help-ru, p-cpe:/a:oracle:linux:libreoffice-help-si, p-cpe:/a:oracle:linux:libreoffice-help-sk, p-cpe:/a:oracle:linux:libreoffice-langpack-gl, p-cpe:/a:oracle:linux:libreoffice-langpack-gu, p-cpe:/a:oracle:linux:libreoffice-langpack-he, p-cpe:/a:oracle:linux:libreoffice-langpack-hi, p-cpe:/a:oracle:linux:libreoffice-langpack-hr, p-cpe:/a:oracle:linux:libreoffice-langpack-hu, p-cpe:/a:oracle:linux:libreoffice-langpack-id, p-cpe:/a:oracle:linux:libreoffice-langpack-it, p-cpe:/a:oracle:linux:libreoffice-langpack-ja, p-cpe:/a:oracle:linux:libreoffice-langpack-kk, p-cpe:/a:oracle:linux:libreoffice-langpack-kn, p-cpe:/a:oracle:linux:libreoffice-langpack-ko, p-cpe:/a:oracle:linux:libreoffice-langpack-ca, p-cpe:/a:oracle:linux:libreoffice-langpack-cs, p-cpe:/a:oracle:linux:libreoffice-langpack-cy, p-cpe:/a:oracle:linux:libreoffice-langpack-da, p-cpe:/a:oracle:linux:libreoffice-langpack-de, p-cpe:/a:oracle:linux:libreoffice-langpack-dz, p-cpe:/a:oracle:linux:libreoffice-langpack-el, p-cpe:/a:oracle:linux:libreoffice-langpack-en, p-cpe:/a:oracle:linux:libreoffice-langpack-es, p-cpe:/a:oracle:linux:libreoffice-langpack-et, p-cpe:/a:oracle:linux:libreoffice-langpack-eu, p-cpe:/a:oracle:linux:libreoffice-langpack-fa, p-cpe:/a:oracle:linux:libreoffice-langpack-fi, p-cpe:/a:oracle:linux:libreoffice-langpack-fr, p-cpe:/a:oracle:linux:libreoffice-langpack-ga, p-cpe:/a:oracle:linux:libreoffice-langpack-lt, p-cpe:/a:oracle:linux:libreoffice-langpack-lv, p-cpe:/a:oracle:linux:libreoffice-langpack-mai, p-cpe:/a:oracle:linux:libreoffice-langpack-ml, p-cpe:/a:oracle:linux:libreoffice-langpack-mr, p-cpe:/a:oracle:linux:libreoffice-langpack-nb, p-cpe:/a:oracle:linux:libreoffice-langpack-nl, p-cpe:/a:oracle:linux:libreoffice-langpack-nn, p-cpe:/a:oracle:linux:libreoffice-langpack-nr, p-cpe:/a:oracle:linux:libreoffice-langpack-nso, p-cpe:/a:oracle:linux:libreoffice-langpack-or, p-cpe:/a:oracle:linux:libreoffice-langpack-pa, p-cpe:/a:oracle:linux:libreoffice-langpack-pl, p-cpe:/a:oracle:linux:libreoffice-langpack-pt-br, p-cpe:/a:oracle:linux:libreoffice-langpack-pt-pt, p-cpe:/a:oracle:linux:libreoffice-langpack-ro, p-cpe:/a:oracle:linux:libreoffice-langpack-ru, p-cpe:/a:oracle:linux:libreoffice-langpack-si, p-cpe:/a:oracle:linux:libreoffice-langpack-sk, p-cpe:/a:oracle:linux:libreoffice-langpack-sl, p-cpe:/a:oracle:linux:libreoffice-langpack-sr, p-cpe:/a:oracle:linux:libreoffice-langpack-ss, p-cpe:/a:oracle:linux:libreoffice-langpack-st, p-cpe:/a:oracle:linux:libreoffice-langpack-sv, p-cpe:/a:oracle:linux:libreoffice-langpack-ta, p-cpe:/a:oracle:linux:libreoffice-langpack-te, p-cpe:/a:oracle:linux:libreoffice-langpack-th, p-cpe:/a:oracle:linux:libreoffice-langpack-tn, p-cpe:/a:oracle:linux:libreoffice-langpack-tr, p-cpe:/a:oracle:linux:libreoffice-langpack-ts, p-cpe:/a:oracle:linux:libreoffice-langpack-uk, p-cpe:/a:oracle:linux:libreoffice-langpack-ve, p-cpe:/a:oracle:linux:libreoffice-langpack-xh, p-cpe:/a:oracle:linux:libreoffice-langpack-zh-hans, p-cpe:/a:oracle:linux:libreoffice-langpack-zh-hant, p-cpe:/a:oracle:linux:libreoffice-langpack-zu, p-cpe:/a:oracle:linux:libreoffice-math, p-cpe:/a:oracle:linux:libreoffice-ogltrans, p-cpe:/a:oracle:linux:libreoffice-opensymbol-fonts, p-cpe:/a:oracle:linux:libreoffice-pdfimport, p-cpe:/a:oracle:linux:libreoffice-pyuno, p-cpe:/a:oracle:linux:libreoffice-sdk

Required KB Items: Host/OracleLinux, Host/RedHat/release, Host/RedHat/rpm-list, Host/local_checks_enabled

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 5/5/2020

Vulnerability Publication Date: 7/17/2019

Exploitable With

Core Impact

Reference Information

CVE: CVE-2019-9849, CVE-2019-9850, CVE-2019-9851, CVE-2019-9852, CVE-2019-9853, CVE-2019-9854