Oracle Linux 6 / 7 : ntp (ELSA-2016-0063)
Medium Nessus Plugin ID 88167
SynopsisThe remote Oracle Linux host is missing one or more security updates.
DescriptionFrom Red Hat Security Advisory 2016:0063 :
Updated ntp packages that fix one security issue are now available for Red Hat Enterprise Linux 6 and 7.
Red Hat Product Security has rated this update as having Important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.
The Network Time Protocol (NTP) is used to synchronize a computer's time with a referenced time source.
It was discovered that ntpd as a client did not correctly check the originate timestamp in received packets. A remote attacker could use this flaw to send a crafted packet to an ntpd client that would effectively disable synchronization with the server, or push arbitrary offset/delay measurements to modify the time on the client.
All ntp users are advised to upgrade to these updated packages, which contain a backported patch to resolve this issue. After installing the update, the ntpd daemon will restart automatically.
SolutionUpdate the affected ntp packages.