Detections
Analytics

OracleVM 3.3 / 3.4 : nss / nss-util (OVMSA-2017-0065)

high Nessus Plugin ID 99568

Language:

Synopsis

The remote OracleVM host is missing one or more security updates.

Description

The remote OracleVM system is missing necessary patches to address critical security updates :

nss

 - Added nss-vendor.patch to change vendor

 - Temporarily disable some tests until expired PayPalEE.cert is renewed

 - Rebase to 3.28.4

 - Fix crash with tstclnt -W

 - Adjust gtests to run with our old softoken and downstream patches

 - Avoid cipher suite ordering change, spotted by Hubert Kario

 - Rebase to 3.28.3

 - Remove upstreamed moz-1282627-rh-1294606.patch, moz-1312141-rh-1387811.patch, moz-1315936.patch, and moz-1318561.patch

 - Remove no longer necessary nss-duplicate-ciphers.patch

 - Disable X25519 and exclude tests using it

 - Catch failed ASN1 decoding of RSA keys, by Kamil Dudka (#1427481)

 - Update expired PayPalEE.cert

 - Disable unsupported test cases in ssl_gtests

 - Adjust the sslstress.txt filename so that it matches with the disableSSL2tests patch ported from RHEL 7

 - Exclude SHA384 and CHACHA20_POLY1305 ciphersuites from stress tests

 - Don't add gtests and ssl_gtests to nss_tests, unless gtests are enabled

 - Add patch to fix SSL CA name leaks, taken from NSS 3.27.2 release

 - Add patch to fix bash syntax error in tests/ssl.sh

 - Add patch to remove duplicate ciphersuites entries in sslinfo.c

 - Add patch to abort selfserv/strsclnt/tstclnt on non-parsable version range

 - Build with support for SSLKEYLOGFILE

 - Update fix_multiple_open patch to fix regression in openldap client

 - Remove pk11_genobj_leak patch, which caused crash with Firefox

 - Add comment in the policy file to preserve the last empty line

 - Disable SHA384 ciphersuites when CKM_TLS12_KEY_AND_MAC_DERIVE is not provided by softoken this superseds check_hash_impl patch

 - Fix problem in check_hash_impl patch

 - Add patch to check if hash algorithms are backed by a token

 - Add patch to disable TLS_ECDHE_[RSA,ECDSA]_WITH_AES_128_CBC_SHA256, which have never enabled in the past

 - Add upstream patch to fix a crash. Mozilla #1315936

 - Disable the use of RSA-PSS with SSL/TLS. #1390161

 - Use updated upstream patch for RH bug 1387811

 - Added upstream patches to fix RH bugs 1057388, 1294606, 1387811

 - Enable gtests when requested

 - Rebase to NSS 3.27.1

 - Remove nss-646045.patch, which is not necessary

 - Remove p-disable-md5-590364-reversed.patch, which is no-op here, because the patched code is removed later in %setup

 - Remove disable_hw_gcm.patch, which is no-op here, because the patched code is removed later in %setup.
 Also remove NSS_DISABLE_HW_GCM setting, which was only required for RHEL 5

 - Add Bug-1001841-disable-sslv2-libssl.patch and Bug-1001841-disable-sslv2-tests.patch, which completedly disable EXPORT ciphersuites. Ported from RHEL 7

 - Remove disable-export-suites-tests.patch, which is covered by Bug-1001841-disable-sslv2-tests.patch

 - Remove nss-ca-2.6-enable-legacy.patch, as we decided to not allow 1024 legacy CA certificates

 - Remove ssl-server-min-key-sizes.patch, as we decided to support DH key size greater than 1023 bits

 - Remove nss-init-ss-sec-certs-null.patch, which appears to be no-op, as it clears memory area allocated with PORT_ZAlloc

 - Remove nss-disable-sslv2-libssl.patch, nss-disable-sslv2-tests.patch, sslauth-no-v2.patch, and nss-sslstress-txt-ssl3-lower-value-in-range.patch as SSLv2 is already disabled in upstream

 - Remove fix-nss-test-filtering.patch, which is fixed in upstream

 - Add nss-check-policy-file.patch from Fedora

 - Install policy config in /etc/pki/nss-legacy/nss-rhel6.config

nss-util

 - Rebase to NSS 3.28.4 to accommodate base64 encoding fix

 - Rebase to NSS 3.28.3

 - Package new header eccutil.h

 - Tolerate policy file without last empty line

 - Add missing source files

 - Rebase to NSS 3.26.0

 - Remove upstreamed patch for (CVE-2016-1950)

 - Remove p-disable-md5-590364-reversed.patch for bug 1335915

Solution

Update the affected packages.

See Also

http://www.nessus.org/u?3652e035

http://www.nessus.org/u?97bdc28b

Plugin Details

Severity: High

ID: 99568

File Name: oraclevm_OVMSA-2017-0065.nasl

Version: 3.5

Type: local

Published: 4/21/2017

Updated: 1/4/2021

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 5.9

CVSS v2

Risk Factor: Medium

Base Score: 6.8

Temporal Score: 5

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P

CVSS v3

Risk Factor: High

Base Score: 8.8

Temporal Score: 7.7

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:oracle:vm:nss, p-cpe:/a:oracle:vm:nss-sysinit, p-cpe:/a:oracle:vm:nss-tools, p-cpe:/a:oracle:vm:nss-util, cpe:/o:oracle:vm_server:3.3, cpe:/o:oracle:vm_server:3.4

Required KB Items: Host/local_checks_enabled, Host/OracleVM/release, Host/OracleVM/rpm-list

Exploit Ease: No known exploits are available

Patch Publication Date: 4/20/2017

Vulnerability Publication Date: 3/13/2016

Reference Information

CVE: CVE-2016-1950