SUSE SLED15: eclipse-contributor-tools / eclipse-emf-core / etc (SUSE-SU-2024:1304-1)

medium Nessus Plugin ID 193388

Language:

Synopsis

The remote SUSE host is missing a security update.

Description

The remote SUSE Linux SLED15 / SLED_SAP15 / SLES15 / SLES_SAP15 / openSUSE 15 host has packages installed that are affected by a vulnerability as referenced in the SUSE-SU-2024:1304-1 advisory.

eclipse received the following security fix:

- CVE-2023-4218: Fixed a bug where parsing files with xml content laeds to XXE attacks. (bsc#1216992)

maven-sunfire was updated from version 2.22.0 to 2.22.2:

- Changes in version 2.22.2:

* Bugs fixed:

- Fixed JUnit Runner that writes to System.out corrupts Surefires STDOUT when using JUnits Vintage Engine

- Changes in version 2.22.1:

* Bugs fixed:

- Fixed Surefire unable to run testng suites in parallel
- Fixed Git wrongly considering PNG files as changed when there is no change
- Fixed the surefire XSD published on maven site lacking of some rerun element
- Fixed XML Report elements rerunError, rerunFailure, flakyFailure, flakyError
- Fixed overriding platform version through project/plugin dependencies
- Fixed mixed up characters in standard output
- Logs in Parallel Tests are mixed up when `forkMode=never` or `forkCount=0`
- MIME type for javascript is now officially application/javascript

* Improvements:

- Elapsed time in XML Report should satisfy pattern in XSD.
- Fix old test resources TEST-*.xml in favor of continuing with SUREFIRE-1550
- Nil element failureMessage in failsafe-summary.xml should have self closed tag
- Removed obsolete module `surefire-setup-integration-tests`
- Support Java 11
- Surefire should support parameterized reportsDirectory

* Dependency upgrades:

- Upgraded maven-plugins parent to version 32
- Upgraded maven-plugins parent to version 33

tycho received the following bug fixes:

- Fixed build against maven-surefire 2.22.1 and newer
- Fixed build against newer plexus-compiler
- Fixed issues with plexus-archiver 4.4.0 and newer
- Require explicitely artifacts that will not be required automatically any more

Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Solution

Update the affected packages.

See Also

https://bugzilla.suse.com/1216992

https://lists.suse.com/pipermail/sle-updates/2024-April/034994.html

https://www.suse.com/security/cve/CVE-2023-4218

Plugin Details

Severity: Medium

ID: 193388

File Name: suse_SU-2024-1304-1.nasl

Version: 1.1

Type: Local

Agent: unix

Published: 4/17/2024

Updated: 6/26/2026

Supported Sensors: Frictionless Assessment AWS, Frictionless Assessment Azure, Frictionless Assessment Agent, Nessus Agent, Agentless Assessment, Continuous Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security, Nessus

Risk Information

VPR

Risk Factor: Low

Score: 3

Percentile: 23.51

CVSS v2

Risk Factor: Medium

Base Score: 4.6

Temporal Score: 3.6

Vector: CVSS2#AV:L/AC:L/Au:S/C:C/I:N/A:N

CVSS Score Source: CVE-2023-4218

CVSS v3

Risk Factor: Medium

Base Score: 5

Temporal Score: 4.5

Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:novell:suse_linux:eclipse-equinox-osgi, p-cpe:/a:novell:suse_linux:maven-surefire-provider-testng, p-cpe:/a:novell:suse_linux:eclipse-emf-core-bootstrap, p-cpe:/a:novell:suse_linux:eclipse-pde, p-cpe:/a:novell:suse_linux:eclipse-emf-core, p-cpe:/a:novell:suse_linux:maven-surefire-plugin, p-cpe:/a:novell:suse_linux:eclipse-pde-bootstrap, p-cpe:/a:novell:suse_linux:eclipse-platform-bootstrap, p-cpe:/a:novell:suse_linux:eclipse-swt, p-cpe:/a:novell:suse_linux:eclipse-swt-bootstrap, cpe:/o:novell:suse_linux:15, p-cpe:/a:novell:suse_linux:eclipse-platform, p-cpe:/a:novell:suse_linux:eclipse-contributor-tools, p-cpe:/a:novell:suse_linux:maven-surefire-provider-junit, p-cpe:/a:novell:suse_linux:maven-surefire, p-cpe:/a:novell:suse_linux:eclipse-equinox-osgi-bootstrap

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/SuSE/release, Host/SuSE/rpm-list

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 4/16/2024

Vulnerability Publication Date: 11/9/2023

Reference Information

CVE: CVE-2023-4218

SuSE: SUSE-SU-2024:1304-1