It is, therefore, affected by a vulnerability as referenced in the ALAS2022-2021-004 advisory.

    It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-     default configurations. This could allows attackers with control over Thread Context Map (MDC) input data     when the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for     example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC) to craft malicious input     data using a JNDI Lookup pattern resulting in a denial of service (DOS) attack. Log4j 2.15.0 makes a best-     effort attempt to restrict JNDI LDAP lookups to localhost by default. Log4j 2.16.0 fixes this issue by     removing support for message lookup patterns and disabling JNDI functionality by default. (CVE-2021-45046)

Tenable has extracted the preceding description block directly from the tested product security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The version of FreeBSD installed on the remote host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the b0f49cb9-6736-11ec-9eea-589cfc007716 advisory.

  - It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-     default configurations. This could allows attackers with control over Thread Context Map (MDC) input data     when the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for     example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC) to craft malicious input     data using a JNDI Lookup pattern resulting in an information leak and remote code execution in some     environments and local code execution in all environments. Log4j 2.16.0 (Java 8) and 2.12.2 (Java 7) fix     this issue by removing support for message lookup patterns and disabling JNDI functionality by default.
    (CVE-2021-45046)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

According to its banner, the installed version of Serv-U is a version prior to 15.3. It is, therefore, affected by an improper input validation vulnerability. The Serv-U web login screen to LDAP authentication was allowing characters that were not sufficiently sanitized.

SolarWinds has updated the input mechanism to perform additional validation and sanitization.

Please Note: No downstream effect has been detected as the LDAP servers ignored improper characters.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The version of log4j installed on the remote host is prior to 1.2.17-16.12. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS-2022-1562 advisory.

    It was found that when using remote logging with log4j socket server the log4j server would deserialize     any log event received via TCP or UDP. An attacker could use this flaw to send a specially crafted log     event that, during deserialization, would execute arbitrary code in the context of the logger application.
    (CVE-2017-5645)

    A flaw was discovered in Log4j, where a vulnerable SocketServer class may lead to the deserialization of     untrusted data. This flaw allows an attacker to remotely execute arbitrary code when combined with a     deserialization gadget. (CVE-2019-17571)

    A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSAppender in Log4j 1.x is     vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the     server if the deployed application is configured to use JMSAppender and to the attacker's JNDI LDAP     endpoint. (CVE-2021-4104)

Tenable has extracted the preceding description block directly from the tested product security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Apache Log4j is an open source Java-based logging framework leveraged within numerous Java applications. Apache Log4j versions 2.0-beta9 to 2.15.0 suffer from insufficient protections on message lookup substitutions when dealing with user controlled input. By crafting a malicious string, an attacker could leverage this issue to achieve a remote code execution on the Log4j instance used by the target application.

The version of AOS installed on the remote host is prior to 5.20.4. It is, therefore, affected by multiple vulnerabilities as referenced in the NXSA-AOS-5.20.4 advisory.

  - In Expat (aka libexpat) before 2.4.5, there is an integer overflow in storeRawNames. (CVE-2022-25315)

  - CVE-2020-9493 identified a deserialization issue that was present in Apache Chainsaw. Prior to Chainsaw     V2.0 Chainsaw was a component of Apache Log4j 1.2.x where the same issue exists. (CVE-2022-23307)

  - NSS (Network Security Services) versions prior to 3.73 or 3.68.1 ESR are vulnerable to a heap overflow     when handling DER-encoded DSA or RSA-PSS signatures. Applications using NSS for handling signatures     encoded within CMS, S/MIME, PKCS \#7, or PKCS \#12 are likely to be impacted. Applications using NSS for     certificate validation or other TLS, X.509, OCSP or CRL functionality may be impacted, depending on how     they configure NSS. *Note: This vulnerability does NOT impact Mozilla Firefox.* However, email clients and     PDF viewers that use NSS for signature verification, such as Thunderbird, LibreOffice, Evolution and     Evince are believed to be impacted. This vulnerability affects NSS < 3.73 and NSS < 3.68.1.
    (CVE-2021-43527)

  - AIDE before 0.17.4 allows local users to obtain root privileges via crafted file metadata (such as XFS     extended attributes or tmpfs ACLs), because of a heap-based buffer overflow. (CVE-2021-45417)

  - It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-     default configurations. This could allows attackers with control over Thread Context Map (MDC) input data     when the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for     example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC) to craft malicious input     data using a JNDI Lookup pattern resulting in an information leak and remote code execution in some     environments and local code execution in all environments. Log4j 2.16.0 (Java 8) and 2.12.2 (Java 7) fix     this issue by removing support for message lookup patterns and disabling JNDI functionality by default.
    (CVE-2021-45046)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SUSE15 host has packages installed that are affected by multiple vulnerabilities as referenced in the openSUSE-SU-2022:0038-1 advisory.

  - JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write     access to the Log4j configuration. The attacker can provide TopicBindingName and     TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests that result     in remote code execution in a similar fashion to CVE-2021-44228. Note this issue only affects Log4j 1.2     when specifically configured to use JMSAppender, which is not the default. Apache Log4j 1.2 reached end of     life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the     previous versions. (CVE-2021-4104)

  - JMSSink in all versions of Log4j 1.x is vulnerable to deserialization of untrusted data when the attacker     has write access to the Log4j configuration or if the configuration references an LDAP service the     attacker has access to. The attacker can provide a TopicConnectionFactoryBindingName configuration causing     JMSSink to perform JNDI requests that result in remote code execution in a similar fashion to     CVE-2021-4104. Note this issue only affects Log4j 1.x when specifically configured to use JMSSink, which     is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2     as it addresses numerous other issues from the previous versions. (CVE-2022-23302)

  - By design, the JDBCAppender in Log4j 1.2.x accepts an SQL statement as a configuration parameter where the     values to be inserted are converters from PatternLayout. The message converter, %m, is likely to always be     included. This allows attackers to manipulate the SQL by entering crafted strings into input fields or     headers of an application that are logged allowing unintended SQL queries to be executed. Note this issue     only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default.
    Beginning in version 2.0-beta8, the JDBCAppender was re-introduced with proper support for parameterized     SQL queries and further customization over the columns written to in logs. Apache Log4j 1.2 reached end of     life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the     previous versions. (CVE-2022-23305)

  - CVE-2020-9493 identified a deserialization issue that was present in Apache Chainsaw. Prior to Chainsaw     V2.0 Chainsaw was a component of Apache Log4j 1.2.x where the same issue exists. (CVE-2022-23307)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Debian 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the dla-2905 advisory.

  - JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write     access to the Log4j configuration. The attacker can provide TopicBindingName and     TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests that result     in remote code execution in a similar fashion to CVE-2021-44228. Note this issue only affects Log4j 1.2     when specifically configured to use JMSAppender, which is not the default. Apache Log4j 1.2 reached end of     life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the     previous versions. (CVE-2021-4104)

  - JMSSink in all versions of Log4j 1.x is vulnerable to deserialization of untrusted data when the attacker     has write access to the Log4j configuration or if the configuration references an LDAP service the     attacker has access to. The attacker can provide a TopicConnectionFactoryBindingName configuration causing     JMSSink to perform JNDI requests that result in remote code execution in a similar fashion to     CVE-2021-4104. Note this issue only affects Log4j 1.x when specifically configured to use JMSSink, which     is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2     as it addresses numerous other issues from the previous versions. (CVE-2022-23302)

  - By design, the JDBCAppender in Log4j 1.2.x accepts an SQL statement as a configuration parameter where the     values to be inserted are converters from PatternLayout. The message converter, %m, is likely to always be     included. This allows attackers to manipulate the SQL by entering crafted strings into input fields or     headers of an application that are logged allowing unintended SQL queries to be executed. Note this issue     only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default.
    Beginning in version 2.0-beta8, the JDBCAppender was re-introduced with proper support for parameterized     SQL queries and further customization over the columns written to in logs. Apache Log4j 1.2 reached end of     life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the     previous versions. (CVE-2022-23305)

  - CVE-2020-9493 identified a deserialization issue that was present in Apache Chainsaw. Prior to Chainsaw     V2.0 Chainsaw was a component of Apache Log4j 1.2.x where the same issue exists. (CVE-2022-23307)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Apache Log4j is an open source Java-based logging framework leveraged within numerous Java applications. The scanner detected the presence of installation files referring to the usage of Apache Log4j.

The remote Rocky Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RLSA-2022:0290 advisory.

  - JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write     access to the Log4j configuration. The attacker can provide TopicBindingName and     TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests that result     in remote code execution in a similar fashion to CVE-2021-44228. Note this issue only affects Log4j 1.2     when specifically configured to use JMSAppender, which is not the default. Apache Log4j 1.2 reached end of     life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the     previous versions. (CVE-2021-4104)

  - JMSSink in all versions of Log4j 1.x is vulnerable to deserialization of untrusted data when the attacker     has write access to the Log4j configuration or if the configuration references an LDAP service the     attacker has access to. The attacker can provide a TopicConnectionFactoryBindingName configuration causing     JMSSink to perform JNDI requests that result in remote code execution in a similar fashion to     CVE-2021-4104. Note this issue only affects Log4j 1.x when specifically configured to use JMSSink, which     is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2     as it addresses numerous other issues from the previous versions. (CVE-2022-23302)

  - By design, the JDBCAppender in Log4j 1.2.x accepts an SQL statement as a configuration parameter where the     values to be inserted are converters from PatternLayout. The message converter, %m, is likely to always be     included. This allows attackers to manipulate the SQL by entering crafted strings into input fields or     headers of an application that are logged allowing unintended SQL queries to be executed. Note this issue     only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default.
    Beginning in version 2.0-beta8, the JDBCAppender was re-introduced with proper support for parameterized     SQL queries and further customization over the columns written to in logs. Apache Log4j 1.2 reached end of     life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the     previous versions. (CVE-2022-23305)

  - CVE-2020-9493 identified a deserialization issue that was present in Apache Chainsaw. Prior to Chainsaw     V2.0 Chainsaw was a component of Apache Log4j 1.2.x where the same issue exists. (CVE-2022-23307)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Oracle Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2022-0290 advisory.

    - Obsolete (remove) vulnerable versions of log4j12 (NVR < 1.2.17-23)       when upgrading to parfait 0.5.4-4 (CVE-2021-4104)

Tenable has extracted the preceding description block directly from the Oracle Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Alibaba Cloud Linux 3 host has packages installed that are affected by multiple vulnerabilities as referenced in the ALINUX3-SA-2022:0006 advisory.

    Package updates are available for Alibaba Cloud Linux 3 that fix the following vulnerabilities:

    CVE-2021-4104:
    JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write     access to the Log4j configuration. The attacker can provide TopicBindingName and     TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests that result     in remote code execution in a similar fashion to CVE-2021-44228. Note this issue only affects Log4j 1.2     when specifically configured to use JMSAppender, which is not the default. Apache Log4j 1.2 reached end of     life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the     previous versions.

    CVE-2022-23302:
    JMSSink in all versions of Log4j 1.x is vulnerable to deserialization of untrusted data when the attacker     has write access to the Log4j configuration or if the configuration references an LDAP service the     attacker has access to. The attacker can provide a TopicConnectionFactoryBindingName configuration causing     JMSSink to perform JNDI requests that result in remote code execution in a similar fashion to     CVE-2021-4104. Note this issue only affects Log4j 1.x when specifically configured to use JMSSink, which     is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2     as it addresses numerous other issues from the previous versions.

    CVE-2022-23305:
    By design, the JDBCAppender in Log4j 1.2.x accepts an SQL statement as a configuration parameter where the     values to be inserted are converters from PatternLayout. The message converter, %m, is likely to always be     included. This allows attackers to manipulate the SQL by entering crafted strings into input fields or     headers of an application that are logged allowing unintended SQL queries to be executed. Note this issue     only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default.
    Beginning in version 2.0-beta8, the JDBCAppender was re-introduced with proper support for parameterized     SQL queries and further customization over the columns written to in logs. Apache Log4j 1.2 reached end of     life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the     previous versions.

    CVE-2022-23307:
    CVE-2020-9493 identified a deserialization issue that was present in Apache Chainsaw. Prior to Chainsaw     V2.0 Chainsaw was a component of Apache Log4j 1.2.x where the same issue exists.

Tenable has extracted the preceding description block directly from the Alibaba Cloud Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of Tencent Linux installed on the remote TencentOS Server 3 host is prior to tested version. It is, therefore, affected by multiple vulnerabilities as referenced in the TSSA-2022:0006 advisory.

    Package updates are available for TencentOS Server 3 that fix the following vulnerabilities:

    CVE-2021-4104:
    JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write     access to the Log4j configuration. The attacker can provide TopicBindingName and     TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests that result     in remote code execution in a similar fashion to CVE-2021-44228. Note this issue only affects Log4j 1.2     when specifically configured to use JMSAppender, which is not the default. Apache Log4j 1.2 reached end of     life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the     previous versions.

    CVE-2022-23302:
    JMSSink in all versions of Log4j 1.x is vulnerable to deserialization of untrusted data when the attacker     has write access to the Log4j configuration or if the configuration references an LDAP service the     attacker has access to. The attacker can provide a TopicConnectionFactoryBindingName configuration causing     JMSSink to perform JNDI requests that result in remote code execution in a similar fashion to     CVE-2021-4104. Note this issue only affects Log4j 1.x when specifically configured to use JMSSink, which     is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2     as it addresses numerous other issues from the previous versions.

    CVE-2022-23305:
    By design, the JDBCAppender in Log4j 1.2.x accepts an SQL statement as a configuration parameter where the     values to be inserted are converters from PatternLayout. The message converter, %m, is likely to always be     included. This allows attackers to manipulate the SQL by entering crafted strings into input fields or     headers of an application that are logged allowing unintended SQL queries to be executed. Note this issue     only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default.
    Beginning in version 2.0-beta8, the JDBCAppender was re-introduced with proper support for parameterized     SQL queries and further customization over the columns written to in logs. Apache Log4j 1.2 reached end of     life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the     previous versions.

    CVE-2022-23307:
    CVE-2020-9493 identified a deserialization issue that was present in Apache Chainsaw. Prior to Chainsaw     V2.0 Chainsaw was a component of Apache Log4j 1.2.x where the same issue exists.

Tenable has extracted the preceding description block directly from the Tencent Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote host is affected by the vulnerability described in GLSA-202209-02 (IBM Spectrum Protect: Multiple Vulnerabilities)

  - IBM Spectrum Protect Client 8.1.0.0-8 through 1.11.0 is vulnerable to a stack-based buffer overflow,     caused by improper bounds checking when processing the current locale settings. A local attacker could     overflow a buffer and execute arbitrary code on the system with elevated privileges or cause the     application to crash. IBM X-Force ID: 199479 (CVE-2021-29672)

  - In order to decrypt SM2 encrypted data an application is expected to call the API function     EVP_PKEY_decrypt(). Typically an application will call this function twice. The first time, on entry, the     out parameter can be NULL and, on exit, the outlen parameter is populated with the buffer size     required to hold the decrypted plaintext. The application can then allocate a sufficiently sized buffer     and call EVP_PKEY_decrypt() again, but this time passing a non-NULL value for the out parameter. A bug     in the implementation of the SM2 decryption code means that the calculation of the buffer size required to     hold the plaintext returned by the first call to EVP_PKEY_decrypt() can be smaller than the actual size     required by the second call. This can lead to a buffer overflow when EVP_PKEY_decrypt() is called by the     application a second time with a buffer that is too small. A malicious attacker who is able present SM2     content for decryption to an application could cause attacker chosen data to overflow the buffer by up to     a maximum of 62 bytes altering the contents of other data held after the buffer, possibly changing     application behaviour or causing the application to crash. The location of the buffer is application     dependent but is typically heap allocated. Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k).
    (CVE-2021-3711)

  - ASN.1 strings are represented internally within OpenSSL as an ASN1_STRING structure which contains a     buffer holding the string data and a field holding the buffer length. This contrasts with normal C strings     which are repesented as a buffer for the string data which is terminated with a NUL (0) byte. Although not     a strict requirement, ASN.1 strings that are parsed using OpenSSL's own d2i functions (and other similar     parsing functions) as well as any string whose value has been set with the ASN1_STRING_set() function will     additionally NUL terminate the byte array in the ASN1_STRING structure. However, it is possible for     applications to directly construct valid ASN1_STRING structures which do not NUL terminate the byte array     by directly setting the data and length fields in the ASN1_STRING array. This can also happen by using     the ASN1_STRING_set0() function. Numerous OpenSSL functions that print ASN.1 data have been found to     assume that the ASN1_STRING byte array will be NUL terminated, even though this is not guaranteed for     strings that have been directly constructed. Where an application requests an ASN.1 structure to be     printed, and where that ASN.1 structure contains ASN1_STRINGs that have been directly constructed by the     application without NUL terminating the data field, then a read buffer overrun can occur. The same thing     can also occur during name constraints processing of certificates (for example if a certificate has been     directly constructed by the application instead of loading it via the OpenSSL parsing functions, and the     certificate contains non NUL terminated ASN1_STRING structures). It can also occur in the     X509_get1_email(), X509_REQ_get1_email() and X509_get1_ocsp() functions. If a malicious actor can cause an     application to directly construct an ASN1_STRING and then process it through one of the affected OpenSSL     functions then this issue could be hit. This might result in a crash (causing a Denial of Service attack).
    It could also result in the disclosure of private memory contents (such as private keys, or sensitive     plaintext). Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k). Fixed in OpenSSL 1.0.2za (Affected     1.0.2-1.0.2y). (CVE-2021-3712)

  - IBM Spectrum Protect Client 7.1 and 8.1 is vulnerable to a stack based buffer overflow, caused by improper     bounds checking. A local attacker could exploit this vulnerability and cause a denial of service. IBM     X-Force ID: 214438. (CVE-2021-39048)

  - JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write     access to the Log4j configuration. The attacker can provide TopicBindingName and     TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests that result     in remote code execution in a similar fashion to CVE-2021-44228. Note this issue only affects Log4j 1.2     when specifically configured to use JMSAppender, which is not the default. Apache Log4j 1.2 reached end of     life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the     previous versions. (CVE-2021-4104)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Published	Updated	Severity
212475	Amazon Linux 2022 : log4j, log4j-jcl, log4j-slf4j (ALAS2022-2021-004)	Nessus	Amazon Linux Local Security Checks	12/11/2024	12/12/2024	critical
156324	FreeBSD : OpenSearch -- Log4Shell (b0f49cb9-6736-11ec-9eea-589cfc007716)	Nessus	FreeBSD Local Security Checks	12/27/2021	11/6/2023	critical
156886	Serv-U FTP Server < 15.3 Improper Input Validation	Nessus	FTP	1/20/2022	4/25/2023	medium
156871	Amazon Linux AMI : log4j (ALAS-2022-1562)	Nessus	Amazon Linux Local Security Checks	1/20/2022	12/11/2024	critical
113075	Apache Log4j Remote Code Execution (Log4Shell)	Web App Scanning	Component Vulnerability	12/11/2021	3/6/2024	critical
164601	Nutanix AOS : Multiple Vulnerabilities (NXSA-AOS-5.20.4)	Nessus	Misc.	9/1/2022	2/17/2025	critical
158150	openSUSE 15 Security Update : kafka (openSUSE-SU-2022:0038-1)	Nessus	SuSE Local Security Checks	2/18/2022	11/8/2023	critical
157261	Debian DLA-2905-1 : apache-log4j1.2 - LTS security update	Nessus	Debian Local Security Checks	1/31/2022	11/17/2023	critical
113076	Apache Log4j Installation File Detected	Web App Scanning	Data Exposure	12/14/2021	12/14/2021	high
184625	Rocky Linux 8 : parfait:0.5 (RLSA-2022:0290)	Nessus	Rocky Linux Local Security Checks	11/6/2023	11/6/2023	critical
157159	Oracle Linux 8 : parfait:0.5 (ELSA-2022-0290)	Nessus	Oracle Linux Local Security Checks	1/27/2022	10/23/2024	critical
236700	Alibaba Cloud Linux 3 : 0006: parfait:0.5 (ALINUX3-SA-2022:0006)	Nessus	Alibaba Cloud Linux Local Security Checks	5/14/2025	5/14/2025	critical
238559	TencentOS Server 3: parfait:0.5 (TSSA-2022:0006)	Nessus	Tencent Local Security Checks	6/16/2025	6/16/2025	high
164805	GLSA-202209-02 : IBM Spectrum Protect: Multiple Vulnerabilities	Nessus	Gentoo Local Security Checks	9/7/2022	10/12/2023	critical

Detections

Analytics

Plugins Search

critical

critical

medium

critical

critical

critical

critical

critical

high

critical

critical

critical

high

critical