CVSS3: 9.8 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.002 Low
Percentile: 52.5%
The remote Oracle Linux 9 host has a package installed that is affected by multiple vulnerabilities as referenced in the ELSA-2022-4589 advisory.
An improper implementation of the new iframe sandbox keyword <code>allow-top-navigation-by-user-activation</code> could lead to script execution without <code>allow-scripts</code> being present. (CVE-2022-29911)
Documents in deeply-nested cross-origin browsing contexts could obtain permissions granted to the top-level origin, bypassing the existing prompt and wrongfully inheriting the top-level permissions. (CVE-2022-29909)
Requests initiated through reader mode did not properly omit cookies with a SameSite attribute. (CVE-2022-29912)
When reusing existing popups Thunderbird would allow them to cover the fullscreen notification UI, which could enable browser spoofing attacks. (CVE-2022-29914)
Thunderbird would behave slightly differently for already known resources, when loading CSS resources through resolving CSS variables. This could be used to probe the browser history. (CVE-2022-29916)
Mozilla developers Gabriele Svelto, Tom Ritter and the Mozilla Fuzzing Team reported memory safety bugs present in Thunderbird 91.8. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. (CVE-2022-29917)
When viewing an email message A, which contains an attached message B, where B is encrypted or digitally signed or both, Thunderbird may show an incorrect encryption or signature status. After opening and viewing the attached message B, when returning to the display of message A, the message A might be shown with the security status of message B. (CVE-2022-1520)
The parent process would not properly check whether the Speech Synthesis feature is enabled, when receiving instructions from a child process. (CVE-2022-29913)
Note that Nessus has not tested for these issues but has instead relied only on the application’s self-reported version number.
##
# (C) Tenable, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Oracle Linux Security Advisory ELSA-2022-4589.
##
include('compat.inc');
if (description)
{
  script_id(162781);
  script_version("1.5");
  script_set_attribute(attribute:"plugin_modification_date", value:"2023/10/19");
  script_cve_id(
    "CVE-2022-1520",
    "CVE-2022-29909",
    "CVE-2022-29911",
    "CVE-2022-29912",
    "CVE-2022-29913",
    "CVE-2022-29914",
    "CVE-2022-29916",
    "CVE-2022-29917"
  );
  script_xref(name:"IAVA", value:"2022-A-0190-S");
  script_name(english:"Oracle Linux 9 : thunderbird (ELSA-2022-4589)");
  script_set_attribute(attribute:"synopsis", value:
"The remote Oracle Linux host is missing one or more security updates.");
  script_set_attribute(attribute:"description", value:
"The remote Oracle Linux 9 host has a package installed that is affected by multiple vulnerabilities as referenced in the
ELSA-2022-4589 advisory.
- An improper implementation of the new iframe sandbox keyword <code>allow-top-navigation-by-user-
activation</code> could lead to script execution without <code>allow-scripts</code> being present.
(CVE-2022-29911)
- Documents in deeply-nested cross-origin browsing contexts could obtain permissions granted to the top-
level origin, bypassing the existing prompt and wrongfully inheriting the top-level permissions.
(CVE-2022-29909)
- Requests initiated through reader mode did not properly omit cookies with a SameSite attribute.
(CVE-2022-29912)
- When reusing existing popups Thunderbird would allow them to cover the fullscreen notification UI, which
could enable browser spoofing attacks. (CVE-2022-29914)
- Thunderbird would behave slightly differently for already known resources, when loading CSS resources
through resolving CSS variables. This could be used to probe the browser history. (CVE-2022-29916)
- Mozilla developers Gabriele Svelto, Tom Ritter and the Mozilla Fuzzing Team reported memory safety bugs
present in Thunderbird 91.8. Some of these bugs showed evidence of memory corruption and we presume that
with enough effort some of these could have been exploited to run arbitrary code. (CVE-2022-29917)
- When viewing an email message A, which contains an attached message B, where B is encrypted or digitally
signed or both, Thunderbird may show an incorrect encryption or signature status. After opening and
viewing the attached message B, when returning to the display of message A, the message A might be shown
with the security status of message B. (CVE-2022-1520)
- The parent process would not properly check whether the Speech Synthesis feature is enabled, when
receiving instructions from a child process. (CVE-2022-29913)
Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://linux.oracle.com/errata/ELSA-2022-4589.html");
  script_set_attribute(attribute:"solution", value:
"Update the affected thunderbird package.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2022-29917");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"vuln_publication_date", value:"2022/05/03");
  script_set_attribute(attribute:"patch_publication_date", value:"2022/06/30");
  script_set_attribute(attribute:"plugin_publication_date", value:"2022/07/07");
  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:oracle:linux:9");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:thunderbird");
  script_set_attribute(attribute:"stig_severity", value:"I");
  script_end_attributes();
  script_category(ACT_GATHER_INFO);
  script_family(english:"Oracle Linux Local Security Checks");
  script_copyright(english:"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/OracleLinux", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/local_checks_enabled");
  exit(0);
}
include('rpm.inc');
if (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item('Host/OracleLinux')) audit(AUDIT_OS_NOT, 'Oracle Linux');
var release = get_kb_item("Host/RedHat/release");
if (isnull(release) || !pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux)", string:release)) audit(AUDIT_OS_NOT, 'Oracle Linux');
var os_ver = pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\.[0-9]+)?)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Oracle Linux');
var os_ver = os_ver[1];
if (! preg(pattern:"^9([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, 'Oracle Linux 9', 'Oracle Linux ' + os_ver);
if (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);
var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Oracle Linux', cpu);
# Reference package builds for this advisory, one entry per architecture.
var pkgs = [
    {'reference':'thunderbird-91.9.0-3.0.1.el9_0', 'cpu':'aarch64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'allowmaj':TRUE},
    {'reference':'thunderbird-91.9.0-3.0.1.el9_0', 'cpu':'x86_64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'allowmaj':TRUE}
];
# Count the entries for which rpm_check() returns true.
var flag = 0;
foreach var package_array ( pkgs ) {
  var reference = NULL;
  var release = NULL;
  var sp = NULL;
  var cpu = NULL;
  var el_string = NULL;
  var rpm_spec_vers_cmp = NULL;
  var epoch = NULL;
  var allowmaj = NULL;
  var exists_check = NULL;
  # Copy only the fields that are set on this entry.
  if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];
  if (!empty_or_null(package_array['release'])) release = 'EL' + package_array['release'];
  if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];
  if (!empty_or_null(package_array['cpu'])) cpu = package_array['cpu'];
  if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];
  if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];
  if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];
  if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];
  if (!empty_or_null(package_array['exists_check'])) exists_check = package_array['exists_check'];
  if (reference && release) {
    if (exists_check) {
        # Only run the check when the exists_check package is installed.
        if (rpm_exists(release:release, rpm:exists_check) && rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;
    } else {
        if (rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;
    }
  }
}
# Report a finding if any entry was flagged; otherwise record why nothing was reported.
if (flag)
{
  security_report_v4(
      port       : 0,
      severity   : SECURITY_HOLE,
      extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  var tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'thunderbird');
}
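The plugin hands the actual comparison to rpm_check() in rpm.inc, which this page does not show. As an added example (not Tenable's code), the Python below compares an installed thunderbird epoch:version-release string against the reference build from the pkgs list, using RPM-style segment ordering: numeric segments compare as integers, a numeric segment beats an alphabetic one, and a tilde sorts before everything. The function names and sample strings are assumptions made for illustration, and caret (`^`) handling is left out.

```python
import re
from itertools import zip_longest

# Reference build taken from the plugin's pkgs list (package name stripped).
FIXED_EVR = "91.9.0-3.0.1.el9_0"
_TOKEN = re.compile(r"[0-9]+|[A-Za-z]+|~")

def rpmvercmp(a, b):
    """Compare two version or release strings; return -1, 0 or 1."""
    for x, y in zip_longest(_TOKEN.findall(a), _TOKEN.findall(b)):
        if x == y:
            continue
        if x == "~" or (x is None and y != "~"):
            return -1   # tilde sorts before everything; otherwise the shorter side is older
        if y == "~" or y is None:
            return 1
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return 1 if int(x) > int(y) else -1
            continue    # equal apart from leading zeros
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1   # numeric segment beats alphabetic
        return 1 if x > y else -1             # both alphabetic: plain string order
    return 0

def parse_evr(evr):
    """Split '[epoch:]version-release'; a missing or '(none)' epoch counts as 0."""
    epoch, sep, rest = evr.partition(":")
    if not sep:
        epoch, rest = "0", evr
    version, _, release = rest.partition("-")
    return (0 if epoch == "(none)" else int(epoch)), version, release

def evr_cmp(a, b):
    ea, va, ra = parse_evr(a)
    eb, vb, rb = parse_evr(b)
    if ea != eb:
        return 1 if ea > eb else -1
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)

def is_older_than_fix(installed_evr, fixed_evr=FIXED_EVR):
    """True when the installed thunderbird build predates the reference build."""
    return evr_cmp(installed_evr, fixed_evr) < 0

if __name__ == "__main__":
    # Constructed sample EVRs, shaped like `rpm -q --qf '%{EPOCH}:%{VERSION}-%{RELEASE}\n'` output.
    for evr in ("(none):91.8.0-1.0.1.el9_0", "(none):91.9.0-3.el9_0", "(none):91.10.0-1.el9_0"):
        print(evr, "older than fix" if is_older_than_fix(evr) else "not older")
```

A build with release `3.el9_0` is reported as older than `3.0.1.el9_0` because the numeric segment `0` outranks the alphabetic `el`, while `91.10.0` is newer than `91.9.0` because segments compare as integers rather than strings.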
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1520
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29909
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29911
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29912
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29913
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29914
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29916
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29917
linux.oracle.com/errata/ELSA-2022-4589.html