OracleVM 3.3 / 3.4 : openssl (OVMSA-2016-0135)

Critical Nessus Plugin ID 93761

New! Vulnerability Priority Rating (VPR)

Tenable calculates a dynamic VPR for every vulnerability. VPR combines vulnerability information with threat intelligence and machine learning algorithms to predict which vulnerabilities are most likely to be exploited in attacks. Read more about what VPR is and how it's different from CVSS.

VPR Score: 6.7

Synopsis

The remote OracleVM host is missing a security update.

Description

The remote OracleVM system is missing necessary patches to address critical security updates :

- fix CVE-2016-2177 - possible integer overflow

- fix CVE-2016-2178 - non-constant time DSA operations

- fix CVE-2016-2179 - further DoS issues in DTLS

- fix CVE-2016-2180 - OOB read in TS_OBJ_print_bio

- fix CVE-2016-2181 - DTLS1 replay protection and unprocessed records issue

- fix CVE-2016-2182 - possible buffer overflow in BN_bn2dec

- fix CVE-2016-6302 - insufficient TLS session ticket HMAC length check

- fix CVE-2016-6304 - unbound memory growth with OCSP status request

- fix CVE-2016-6306 - certificate message OOB reads

- mitigate CVE-2016-2183 - degrade all 64bit block ciphers and RC4 to 112 bit effective strength

- replace expired testing certificates

- fix CVE-2016-2105 - possible overflow in base64 encoding

- fix CVE-2016-2106 - possible overflow in EVP_EncryptUpdate

- fix CVE-2016-2107 - padding oracle in stitched AES-NI CBC-MAC

- fix CVE-2016-2108 - memory corruption in ASN.1 encoder

- fix CVE-2016-2109 - possible DoS when reading ASN.1 data from BIO

- fix CVE-2016-0799 - memory issues in BIO_printf

Solution

Update the affected openssl package.

See Also

http://www.nessus.org/u?f71a0ba1

http://www.nessus.org/u?2738e920

Plugin Details

Severity: Critical

ID: 93761

File Name: oraclevm_OVMSA-2016-0135.nasl

Version: 2.10

Type: local

Published: 2016/09/28

Updated: 2019/09/27

Dependencies: 12634

Risk Information

Risk Factor: Critical

VPR Score: 6.7

CVSS v2.0

Base Score: 10

Temporal Score: 7.8

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

Temporal Vector: CVSS2#E:POC/RL:OF/RC:C

CVSS v3.0

Base Score: 9.8

Temporal Score: 8.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:oracle:vm:openssl, cpe:/o:oracle:vm_server:3.3, cpe:/o:oracle:vm_server:3.4

Required KB Items: Host/local_checks_enabled, Host/OracleVM/release, Host/OracleVM/rpm-list

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 2016/09/27

Vulnerability Publication Date: 2016/03/03

Reference Information

CVE: CVE-2016-0799, CVE-2016-2105, CVE-2016-2106, CVE-2016-2107, CVE-2016-2108, CVE-2016-2109, CVE-2016-2177, CVE-2016-2178, CVE-2016-2179, CVE-2016-2180, CVE-2016-2181, CVE-2016-2182, CVE-2016-2183, CVE-2016-6302, CVE-2016-6304, CVE-2016-6306