OracleVM 3.3 / 3.4 : bash (OVMSA-2017-0050)

critical Nessus Plugin ID 99077

VPR Score: 8.4

Synopsis

The remote OracleVM host is missing a security update.

Description

The remote OracleVM system is missing necessary patches to address critical security updates:

- Fix signal handling in read builtin Resolves: #1421926

- CVE-2016-9401 - Fix crash when '-' is passed as second sign to popd Resolves: #1396383

- CVE-2016-7543 - Fix for arbitrary code execution via SHELLOPTS+PS4 variables Resolves: #1379630

- CVE-2016-0634 - Fix for arbitrary code execution via malicious hostname Resolves: #1377613

- Avoid crash in parameter expansion while expanding long strings Resolves: #1359142

- Stop reading input when SIGHUP is received Resolves: #1325753

- Bash leaks memory while doing pattern removal in parameter expansion Resolves: #1283829

- Fix a race condition in saving bash history on shutdown Resolves: #1325753

- Bash shouldn't ignore bash --debugger without a dbger installed Related: #1260568

- Wrong parsing inside for loop and brackets Resolves: #1207803

- IFS incorrectly splitting herestrings Resolves: #1250070

- Case in a for loop in a subshell causes a syntax error Resolves: #1240994

- Bash shouldn't ignore bash --debugger without a dbger installed Resolves: #1260568

- Bash leaks memory when repeatedly doing a pattern-subst Resolves: #1207042

- Bash hangs when a signal is received Resolves: #868846

Solution

Update the affected bash package.

See Also

http://www.nessus.org/u?49d2a21e

http://www.nessus.org/u?85c795b3

Plugin Details

Severity: Critical

ID: 99077

File Name: oraclevm_OVMSA-2017-0050.nasl

Version: 3.6

Type: local

Published: 3/30/2017

Updated: 1/4/2021

Dependencies: 12634

Risk Information

Risk Factor: Critical

VPR Score: 8.4

CVSS v2.0

Base Score: 10

Temporal Score: 7.8

Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

Temporal Vector: E:POC/RL:OF/RC:C

CVSS v3.0

Base Score: 8.4

Temporal Score: 7.6

Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: E:P/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:oracle:vm:bash, cpe:/o:oracle:vm_server:3.3, cpe:/o:oracle:vm_server:3.4

Required KB Items: Host/local_checks_enabled, Host/OracleVM/release, Host/OracleVM/rpm-list

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 3/29/2017

Vulnerability Publication Date: 9/24/2014

Reference Information

CVE: CVE-2014-7169, CVE-2016-0634, CVE-2016-7543, CVE-2016-9401

BID: 70137