OracleVM 3.3 : krb5 (OVMSA-2014-0034)

High Nessus Plugin ID 79549


The remote OracleVM host is missing a security update.


The remote OracleVM system is missing necessary patches to address critical security updates :

- actually apply that last patch

- incorporate fix for MITKRB5-SA-2014-001 (CVE-2014-4345, #1128157)

- ksu: when evaluating .k5users, don't throw away data from .k5users when we're not passed a command to run, which implicitly means we're attempting to run the target user's shell (#1026721, revised)

- ksu: when evaluating .k5users, treat lines with just a principal name as if they contained the principal name followed by '*', and don't throw away data from .k5users when we're not passed a command to run, which implicitly means we're attempting to run the target user's shell (#1026721, revised)

- gssapi: pull in upstream fix for a possible NULL dereference in spnego (CVE-2014-4344, #1121510)

- gssapi: pull in proposed-and-accepted fix for a double free in initiators (David Woodhouse, CVE-2014-4343, #1121510)

- correct a type mistake in the backported fix for (CVE-2013-1418, CVE-2013-6800)

- pull in backported fix for denial of service by injection of malformed GSSAPI tokens (CVE-2014-4341, CVE-2014-4342, #1121510)

- incorporate backported patch for remote crash of KDCs which serve multiple realms simultaneously (RT#7756, CVE-2013-1418/CVE-2013-6800, more of

- pull in backport of patch to not subsequently always require that responses come from master KDCs if we get one from a master somewhere along the way while chasing referrals (RT#7650, #1113652)

- ksu: if the -e flag isn't used, use the target user's shell when checking for authorization via the target user's .k5users file (#1026721)

- define _GNU_SOURCE in files where we use EAI_NODATA, to make sure that it's declared (#1059730)

- spnego: pull in patch from master to restore preserving the OID of the mechanism the initiator requested when we have multiple OIDs for the same mechanism, so that we reply using the same mechanism OID and the initiator doesn't get confused (#1087068, RT#7858)

- add patch from Jatin Nansi to avoid attempting to clear memory at the NULL address if krb5_encrypt_helper returns an error when called from encrypt_credencpart (#1055329, pull #158)

- drop patch to add additional access checks to ksu - they shouldn't be resulting in any benefit

- apply patch from Nikolai Kondrashov to pass a default realm set in /etc/sysconfig/krb5kdc to the kdb_check_weak helper, so that it doesn't produce an error if there isn't one set in krb5.conf (#1009389)

- packaging: don't Obsoletes: older versions of krb5-pkinit-openssl and virtual Provide:
krb5-pkinit-openssl on EL6, where we don't need to bother with any of that (#1001961)

- pkinit: backport tweaks to avoid trying to call the prompter callback when one isn't set (part of #965721)

- pkinit: backport the ability to use a prompter callback to prompt for a password when reading private keys (the rest of #965721)

- backport fix to not spin on a short read when reading the length of a response over TCP (RT#7508, #922884)

- backport fix for trying all compatible keys when not being strict about acceptor names while reading AP-REQs (RT#7883, #1070244)

- backport fix for not being able to verify the list of transited realms in GSS acceptors (RT#7639, #959685)

- pull fix for keeping track of the message type when parsing FAST requests in the KDC (RT#7605, #951965)

- incorporate upstream patch to fix a NULL pointer dereference while processing certain TGS requests (CVE-2013-1416, #950343)

- incorporate upstream patch to fix a NULL pointer dereference when the client supplies an otherwise-normal-looking PKINIT request (CVE-2013-1415, #917910)

- add patch to avoid dereferencing a NULL pointer in the KDC when handling a draft9 PKINIT request (#917910, CVE-2012-1016)

- pull up fix for UDP ping-pong flaw in kpasswd service (CVE-2002-2443,

- don't leak the memory used to hold the previous entry when walking a keytab to figure out which kinds of keys we have (#911147)


Update the affected krb5-libs package.

See Also

Plugin Details

Severity: High

ID: 79549

File Name: oraclevm_OVMSA-2014-0034.nasl

Version: $Revision: 1.6 $

Type: local

Published: 2014/11/26

Modified: 2017/02/14

Dependencies: 12634

Risk Information

Risk Factor: High


Base Score: 8.5

Temporal Score: 7.4

Vector: CVSS2#AV:N/AC:M/Au:S/C:C/I:C/A:C

Temporal Vector: CVSS2#E:ND/RL:OF/RC:C

Vulnerability Information

CPE: p-cpe:/a:oracle:vm:krb5-libs, cpe:/o:oracle:vm_server:3.3

Required KB Items: Host/local_checks_enabled, Host/OracleVM/release, Host/OracleVM/rpm-list

Exploit Available: false

Exploit Ease: No known exploits are available

Patch Publication Date: 2014/11/04

Reference Information

CVE: CVE-2002-2443, CVE-2012-1016, CVE-2013-1415, CVE-2013-1416, CVE-2013-1418, CVE-2013-6800, CVE-2014-4341, CVE-2014-4342, CVE-2014-4343, CVE-2014-4344, CVE-2014-4345

BID: 58144, 58532, 59261, 60008, 63555, 63770, 68908, 68909, 69159, 69160, 69168

OSVDB: 93240, 99508, 108748, 108751, 109389, 109390, 109908