Detections
Analytics

Alibaba Cloud Linux 3 : 0067: osbuild and osbuild-composer (ALINUX3-SA-2025:0067)

high Nessus Plugin ID 236934

Synopsis

The remote Alibaba Cloud Linux host is missing one or more security updates.

Description

The remote Alibaba Cloud Linux 3 host has packages installed that are affected by multiple vulnerabilities as referenced in the ALINUX3-SA-2025:0067 advisory.

 Package updates are available for Alibaba Cloud Linux 3 that fix the following vulnerabilities:

 CVE-2024-1394:
 A memory leak flaw was found in Golang in the RSA encrypting/decrypting code, which might lead to a resource exhaustion vulnerability using attacker-controlled inputs. The memory leak happens in github.com/golang-fips/openssl/openssl/rsa.go#L113. The objects leaked are pkey and ctx. That function uses named return parameters to free pkey and ctx if there is an error initializing the context or setting the different properties. All return statements related to error cases follow the return nil, nil, fail(...) pattern, meaning that pkey and ctx will be nil inside the deferred function that should free them.

 CVE-2024-34158:
 Calling Parse on a // +build build tag line with deeply nested expressions can cause a panic due to stack exhaustion.

 CVE-2024-9355:
 A vulnerability was found in Golang FIPS OpenSSL. This flaw allows a malicious user to randomly cause an uninitialized buffer length variable with a zeroed buffer to be returned in FIPS mode. It may also be possible to force a false positive match between non-equal hashes when comparing a trusted computed hmac sum to an untrusted input sum if an attacker can send a zeroed buffer in place of a pre-computed sum. It is also possible to force a derived key to be all zeros instead of an unpredictable value. This may have follow-on implications for the Go TLS stack.

 CVE-2025-30204:
 golang-jwt is a Go implementation of JSON Web Tokens. Starting in version 3.2.0 and prior to versions 5.2.2 and 4.5.2, the function parse.ParseUnverified splits (via a call to strings.Split) its argument (which is untrusted data) on periods. As a result, in the face of a malicious request whose Authorization header consists of Bearer followed by many period characters, a call to that function incurs allocations to the tune of O(n) bytes (where n stands for the length of the function's argument), with a constant factor of about 16. This issue is fixed in 5.2.2 and 4.5.2.

Tenable has extracted the preceding description block directly from the Alibaba Cloud Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Update the affected packages.

See Also

http://mirrors.aliyun.com/alinux/3/cve/alinux3-sa-20250067.xml

Plugin Details

Severity: High

ID: 236934

File Name: alinux3_sa_2025-0067.nasl

Version: 1.1

Type: local

Published: 5/19/2025

Updated: 5/19/2025

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: High

Score: 7.0

CVSS v2

Risk Factor: Medium

Base Score: 5.7

Temporal Score: 4.2

Vector: CVSS2#AV:L/AC:H/Au:S/C:C/I:C/A:P

CVSS Score Source: CVE-2024-9355

CVSS v3

Risk Factor: Medium

Base Score: 6.5

Temporal Score: 5.7

Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

CVSS v4

Risk Factor: High

Base Score: 8.7

Threat Score: 6.6

Threat Vector: CVSS:4.0/E:U

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

CVSS Score Source: CVE-2025-30204

Vulnerability Information

CPE: p-cpe:/a:alibabacloud:alibaba_cloud_linux_3:osbuild-composer-debugsource, p-cpe:/a:alibabacloud:alibaba_cloud_linux_3:osbuild-ostree, p-cpe:/a:alibabacloud:alibaba_cloud_linux_3:osbuild-composer-core, p-cpe:/a:alibabacloud:alibaba_cloud_linux_3:osbuild-composer-core-debuginfo, p-cpe:/a:alibabacloud:alibaba_cloud_linux_3:osbuild-tools, p-cpe:/a:alibabacloud:alibaba_cloud_linux_3:osbuild-composer-tests, p-cpe:/a:alibabacloud:alibaba_cloud_linux_3:osbuild-composer-worker-debuginfo, p-cpe:/a:alibabacloud:alibaba_cloud_linux_3:osbuild-selinux, p-cpe:/a:alibabacloud:alibaba_cloud_linux_3:osbuild-luks2, p-cpe:/a:alibabacloud:alibaba_cloud_linux_3:osbuild, p-cpe:/a:alibabacloud:alibaba_cloud_linux_3:osbuild-composer, cpe:/o:alibabacloud:alibaba_cloud_linux_3, p-cpe:/a:alibabacloud:alibaba_cloud_linux_3:osbuild-composer-worker, p-cpe:/a:alibabacloud:alibaba_cloud_linux_3:python3-osbuild, p-cpe:/a:alibabacloud:alibaba_cloud_linux_3:osbuild-composer-tests-debuginfo, p-cpe:/a:alibabacloud:alibaba_cloud_linux_3:osbuild-depsolve-dnf, p-cpe:/a:alibabacloud:alibaba_cloud_linux_3:osbuild-doc, p-cpe:/a:alibabacloud:alibaba_cloud_linux_3:osbuild-lvm2, p-cpe:/a:alibabacloud:alibaba_cloud_linux_3:osbuild-composer-debuginfo

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/Alibaba/release, Host/Alibaba/rpm-list

Exploit Ease: No known exploits are available

Patch Publication Date: 5/16/2025

Vulnerability Publication Date: 3/20/2024

Reference Information

CVE: CVE-2024-1394, CVE-2024-34158, CVE-2024-9355, CVE-2025-30204