OracleVM 3.3 : glibc (OVMSA-2014-0033)

high Nessus Plugin ID 79548
New! Plugin Severity Now Using CVSS v3

The calculated severity for Plugins has been updated to use CVSS v3 by default. Plugins that do not have a CVSS v3 score will fall back to CVSS v2 for calculating severity. Severity display preferences can be toggled in the settings dropdown.


The remote OracleVM host is missing one or more security updates.


The remote OracleVM system is missing necessary patches to address critical security updates :

- Remove gconv transliteration loadable modules support (CVE-2014-5119, - _nl_find_locale: Improve handling of crafted locale names (CVE-2014-0475,

- Switch gettimeofday from INTUSE to libc_hidden_proto (#1099025).

- Fix stack overflow due to large AF_INET6 requests (CVE-2013-4458, #1111460).

- Fix buffer overflow in readdir_r (CVE-2013-4237, #1111460).

- Fix memory order when reading libgcc handle (#905941).

- Fix format specifier in malloc_info output (#1027261).

- Fix nscd lookup for innetgr when netgroup has wildcards (#1054846).

- Add mmap usage to malloc_info output (#1027261).

- Use NSS_STATUS_TRYAGAIN to indicate insufficient buffer (#1087833).

- [ppc] Add VDSO IFUNC for gettimeofday (#1028285).

- [ppc] Fix ftime gettimeofday internal call returning bogus data (#1099025).

- Also relocate in dependency order when doing symbol dependency testing (#1019916).

- Fix infinite loop in nscd when netgroup is empty (#1085273).

- Provide correct buffer length to netgroup queries in nscd (#1074342).

- Return NULL for wildcard values in getnetgrent from nscd (#1085289).

- Avoid overlapping addresses to stpcpy calls in nscd (#1082379).

- Initialize all of datahead structure in nscd (#1074353).

- Return EAI_AGAIN for AF_UNSPEC when herrno is TRY_AGAIN (#1044628).

- Do not fail if one of the two responses to AF_UNSPEC fails (#845218).

- nscd: Make SELinux checks dynamic (#1025933).

- Fix race in free of fastbin chunk (#1027101).

- Fix copy relocations handling of unique objects (#1032628).

- Fix encoding name for IDN in getaddrinfo (#981942).

- Fix return code from getent netgroup when the netgroup is not found (#1039988).

- Fix handling of static TLS in dlopen'ed objects (#995972).

- Don't use alloca in addgetnetgrentX (#1043557).

- Adjust pointers to triplets in netgroup query data (#1043557).


Update the affected glibc / glibc-common / nscd packages.

See Also

Plugin Details

Severity: High

ID: 79548

File Name: oraclevm_OVMSA-2014-0033.nasl

Version: 1.9

Type: local

Published: 11/26/2014

Updated: 1/4/2021

Dependencies: ssh_get_info.nasl

Risk Information


Risk Factor: Medium

Score: 6.7


Risk Factor: High

Base Score: 7.5

Temporal Score: 5.9

Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

Temporal Vector: E:POC/RL:OF/RC:C

Vulnerability Information

CPE: p-cpe:/a:oracle:vm:glibc, p-cpe:/a:oracle:vm:glibc-common, p-cpe:/a:oracle:vm:nscd, cpe:/o:oracle:vm_server:3.3

Required KB Items: Host/local_checks_enabled, Host/OracleVM/release, Host/OracleVM/rpm-list

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 11/4/2014

Vulnerability Publication Date: 10/9/2013

Reference Information

CVE: CVE-2013-4237, CVE-2013-4458, CVE-2014-0475, CVE-2014-5119

BID: 61729, 63299, 68505, 68983, 69738