RHEL 8 : firefox (RHSA-2024:1491)

high Nessus Plugin ID 192551

Synopsis

The remote Red Hat host is missing one or more security updates for firefox.

Description

The remote Red Hat Enterprise Linux 8 host has a package installed that is affected by multiple vulnerabilities, as referenced in the RHSA-2024:1491 advisory.

- nss: timing attack against RSA decryption (CVE-2023-5388)

- Mozilla: Crash in NSS TLS method (CVE-2024-0743)

- Mozilla: JIT code failed to save return registers on Armv7-A (CVE-2024-2607)

- Mozilla: Integer overflow could have led to out of bounds write (CVE-2024-2608)

- Mozilla: Improper handling of html and body tags enabled CSP nonce leakage (CVE-2024-2610)

- Mozilla: Clickjacking vulnerability could have led to a user accidentally granting permissions (CVE-2024-2611)

- Mozilla: Self referencing object could have potentially led to a use-after-free (CVE-2024-2612)

- Mozilla: Memory safety bugs fixed in Firefox 124, Firefox ESR 115.9, and Thunderbird 115.9 (CVE-2024-2614)

- Mozilla: Improve handling of out-of-memory conditions in ICU (CVE-2024-2616)

- Mozilla: Privileged JavaScript Execution via Event Handlers (CVE-2024-29944)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Update the RHEL firefox package based on the guidance in RHSA-2024:1491.
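Because the plugin decides purely on the self-reported package version, the host-side equivalent of this check is an epoch:version-release (EVR) comparison of the installed firefox RPM against the package the errata ships. The following is an added example, not Tenable or Red Hat code: it reimplements rpm's rpmvercmp ordering in Python (numeric beats alphabetic, '~' sorts before end of string, '^' after it) so an inventory exported with rpm -qa can be checked offline. FIXED_EVR is an assumption to be replaced with the value from the RHSA-2024:1491 errata for your RHEL 8.4 stream, and SAMPLE_HOSTS is constructed data, not real scan output.

```python
"""Check exported RPM inventories for firefox builds older than the errata fix.

Added example, not Tenable or Red Hat code. FIXED_EVR is an assumption:
take the real epoch:version-release from the RHSA-2024:1491 errata.
"""
import re
from itertools import zip_longest

# Assumed fixed EVR for the RHEL 8.4 AUS/TUS/E4S stream; verify against the errata.
FIXED_EVR = "0:115.9.1-1.el8_4"

# rpmvercmp segments: runs of digits, runs of letters, and the '~' / '^' markers.
# Every other character is a separator and is dropped.
_TOKEN = re.compile(r"\d+|[A-Za-z]+|[~^]")


def _tokens(s):
    out = []
    for m in _TOKEN.finditer(s):
        t = m.group(0)
        if t in ("~", "^"):
            out.append((t, None))
        elif t.isdigit():
            out.append(("num", int(t)))      # int() discards leading zeros, as rpm does
        else:
            out.append(("alpha", t))
    return out


def rpmvercmp(a, b):
    """Return -1, 0 or 1 following rpm's rpmvercmp() rules."""
    for x, y in zip_longest(_tokens(a), _tokens(b)):
        kx = x[0] if x else None
        ky = y[0] if y else None
        # '~' sorts before anything, including end of string (1.0~rc1 < 1.0)
        if kx == "~" or ky == "~":
            if kx == ky:
                continue
            return -1 if kx == "~" else 1
        # '^' sorts after end of string but before any other segment
        if kx == "^" or ky == "^":
            if kx == ky:
                continue
            if kx is None:
                return -1
            if ky is None:
                return 1
            return -1 if kx == "^" else 1
        # the string with segments left over is the newer one (1.0.0 > 1.0)
        if kx is None:
            return -1
        if ky is None:
            return 1
        # a numeric segment is newer than an alphabetic one (1.1 > 1.a)
        if kx != ky:
            return 1 if kx == "num" else -1
        if x[1] != y[1]:
            return 1 if x[1] > y[1] else -1
    return 0


def parse_evr(evr):
    """Split 'epoch:version-release'; a missing epoch counts as 0, as in rpm."""
    epoch = 0
    if ":" in evr:
        e, evr = evr.split(":", 1)
        epoch = int(e)
    version, _, release = evr.partition("-")
    return epoch, version, release


def evrcmp(a, b):
    """Compare two EVR strings: epoch numerically, then version, then release."""
    ea, va, ra = parse_evr(a)
    eb, vb, rb = parse_evr(b)
    if ea != eb:
        return 1 if ea > eb else -1
    c = rpmvercmp(va, vb)
    return c if c != 0 else rpmvercmp(ra, rb)


def unpatched(rpm_lines, package="firefox", fixed_evr=FIXED_EVR):
    """Return installed EVRs of `package` that are older than fixed_evr.

    rpm_lines is the output of
        rpm -qa --qf '%{NAME} %{EPOCHNUM}:%{VERSION}-%{RELEASE}\n'
    """
    found = []
    for line in rpm_lines:
        name, _, evr = line.strip().partition(" ")
        if name == package and evr and evrcmp(evr, fixed_evr) < 0:
            found.append(evr)
    return found


def hosts_needing_update(hosts, package="firefox", fixed_evr=FIXED_EVR):
    """Hostnames whose inventory still carries a pre-fix build of `package`."""
    return sorted(h for h, lines in hosts.items() if unpatched(lines, package, fixed_evr))


# Constructed sample inventories (hostnames and package lines are made up).
SAMPLE_HOSTS = {
    "web01": ["firefox 0:115.8.0-1.el8_4", "bash 0:4.4.20-4.el8_4"],
    "web02": ["firefox 0:115.9.1-1.el8_4"],
    "web03": ["firefox 0:115.9.1-1.el8_4.1"],   # hypothetical later respin, still fixed
    "db01":  ["bash 0:4.4.20-4.el8_4"],          # firefox not installed
}

if __name__ == "__main__":
    for host in hosts_needing_update(SAMPLE_HOSTS):
        print(host, "still needs RHSA-2024:1491")
```

On a host you can reach directly, the same decision is `rpm -q firefox` compared against the errata's package list, or `dnf updateinfo info RHSA-2024:1491` followed by `dnf update --advisory=RHSA-2024:1491`; the script is for the case where all you hold is exported package lists. Note that the plugin also reads Host/cpu: the errata ships per-architecture packages and the script above ignores architecture, so add it to the query format if your fleet mixes x86_64 and aarch64.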

See Also

http://www.nessus.org/u?49ae6075

https://access.redhat.com/security/updates/classification/#critical

https://bugzilla.redhat.com/show_bug.cgi?id=2243644

https://bugzilla.redhat.com/show_bug.cgi?id=2260012

https://bugzilla.redhat.com/show_bug.cgi?id=2270660

https://bugzilla.redhat.com/show_bug.cgi?id=2270661

https://bugzilla.redhat.com/show_bug.cgi?id=2270662

https://bugzilla.redhat.com/show_bug.cgi?id=2270663

https://bugzilla.redhat.com/show_bug.cgi?id=2270664

https://bugzilla.redhat.com/show_bug.cgi?id=2270665

https://bugzilla.redhat.com/show_bug.cgi?id=2270666

https://bugzilla.redhat.com/show_bug.cgi?id=2271064

https://access.redhat.com/errata/RHSA-2024:1491

Plugin Details

Severity: High

ID: 192551

File Name: redhat-RHSA-2024-1491.nasl

Version: 1.3

Type: local

Agent: unix

Published: 3/25/2024

Updated: 4/23/2024

Supported Sensors: Frictionless Assessment AWS, Frictionless Assessment Azure, Frictionless Assessment Agent, Nessus Agent, Agentless Assessment, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: High

Base Score: 7.8

Temporal Score: 5.8

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C

CVSS Score Source: CVE-2024-0743

CVSS v3

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: cpe:/o:redhat:rhel_aus:8.4, cpe:/o:redhat:rhel_tus:8.4, cpe:/o:redhat:rhel_e4s:8.4, p-cpe:/a:redhat:enterprise_linux:firefox

Required KB Items: Host/local_checks_enabled, Host/RedHat/release, Host/RedHat/rpm-list, Host/cpu

Exploit Ease: No known exploits are available

Patch Publication Date: 3/25/2024

Vulnerability Publication Date: 1/19/2024

Reference Information

CVE: CVE-2023-5388, CVE-2024-0743, CVE-2024-2607, CVE-2024-2608, CVE-2024-2610, CVE-2024-2611, CVE-2024-2612, CVE-2024-2614, CVE-2024-2616, CVE-2024-29944

CWE: 120, 1262, 208, 252, 416, 449, 79, 94

IAVA: 2024-A-0053-S, 2024-A-0174-S

RHSA: 2024:1491