OracleVM 3.3 / 3.4 : sudo (OVMSA-2016-0170)

High | Nessus Plugin ID 95599

Synopsis

The remote OracleVM host is missing a security update.

Description

The remote OracleVM system is missing necessary patches to address critical security updates:

- Update noexec syscall blacklist

- Fixes CVE-2016-7032 and CVE-2016-7076 Resolves: rhbz#1391937

- RHEL-6.8 erratum

- fixed a bug that allowed non-root users to list the privileges of other users Resolves: rhbz#1312481

- RHEL-6.8 erratum

- fixed handling of the closefrom_override defaults option Resolves: rhbz#1309976

- RHEL-6.8 erratum

- fixed a potential getcwd failure resulting in a null pointer exception Resolves: rhbz#1284886

- RHEL-6.8 erratum

- fixed sssd's detection of a user with zero rules Resolves: rhbz#1220480

- RHEL-6.8 erratum

- also search by user ID when fetching rules from LDAP Resolves: rhbz#1135531

- RHEL-6.8 erratum

- fixed the ldap and sssd sudoOption value handling and removed quotes

- fixed the ldap and sssd sudoOption whitespace parsing problem Resolves: rhbz#1144422 Resolves: rhbz#1279447

- RHEL-6.8 erratum

- removed the requiretty defaults option from /etc/sudoers

- backported the pam_service and pam_login_service defaults options

- implemented a new defaults option for changing netgroup processing semantics

- fixed visudo's quiet CLI option Resolves: rhbz#1248695 Resolves: rhbz#1247231 Resolves: rhbz#1241896 Resolves: rhbz#1197885 Resolves: rhbz#1233205

- added a patch to re-introduce the old group processing behaviour Resolves: rhbz#1075836

Solution

Update the affected sudo package.

See Also

http://www.nessus.org/u?197f5d72

http://www.nessus.org/u?edda9d7a

Plugin Details

Severity: High

ID: 95599

File Name: oraclevm_OVMSA-2016-0170.nasl

Version: 3.8

Type: local

Published: 12/7/2016

Updated: 1/4/2021

Dependencies: ssh_get_info.nasl

Risk Information

VPR

Risk Factor: Medium

Score: 5.9

CVSS v2

Risk Factor: High

Base Score: 7.2

Temporal Score: 5.3

Vector: AV:L/AC:L/Au:N/C:C/I:C/A:C

Temporal Vector: E:U/RL:OF/RC:C

CVSS v3

Risk Factor: High

Base Score: 7.8

Temporal Score: 6.8

Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: E:U/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:oracle:vm:sudo, cpe:/o:oracle:vm_server:3.3, cpe:/o:oracle:vm_server:3.4

Required KB Items: Host/local_checks_enabled, Host/OracleVM/release, Host/OracleVM/rpm-list

Exploit Ease: No known exploits are available

Patch Publication Date: 12/6/2016

Vulnerability Publication Date: 4/14/2017

Reference Information

CVE: CVE-2016-7032, CVE-2016-7076