Lucene search
This script is Copyright (C) 2020-2024 and is owned by Tenable, Inc. or an Affiliate thereof.REDHAT-RHSA-2020-2644.NASLHistoryJun 22, 2020 - 12:00 a.m.
RHEL 6 / 7 : Red Hat JBoss Core Services Apache HTTP Server 2.4.37 SP3 (RHSA-2020:2644)
2020-06-2200:00:00
This script is Copyright (C) 2020-2024 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
57
7.8 High
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:N/I:N/A:C
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
7.5 High
AI Score
Confidence
Low
0.582 Medium
EPSS
Percentile
97.7%
The remote Redhat Enterprise Linux 6 / 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2020:2644 advisory.
-
expat: large number of colons in input makes parser consume high amount of resources, leading to DoS (CVE-2018-20843)
-
httpd: mod_http2: read-after-free on a string compare (CVE-2019-0196)
-
httpd: mod_http2: possible crash on late upgrade (CVE-2019-0197)
-
expat: heap-based buffer over-read via crafted XML input (CVE-2019-15903)
-
libxml2: memory leak in xmlParseBalancedChunkMemoryRecover in parser.c (CVE-2019-19956)
-
libxml2: memory leak in xmlSchemaPreRun in xmlschemas.c (CVE-2019-20388)
-
nghttp2: overly large SETTINGS frames can lead to DoS (CVE-2020-11080)
-
httpd: mod_proxy_ftp use of uninitialized value (CVE-2020-1934)
-
libxml2: infinite loop in xmlStringLenDecodeEntities in some end-of-file situations (CVE-2020-7595)
Note that Nessus has not tested for these issues but has instead relied only on the application’s self-reported version number.
##
# (C) Tenable, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Red Hat Security Advisory RHSA-2020:2644. The text
# itself is copyright (C) Red Hat, Inc.
##
include('compat.inc');
if (description)
{
script_id(137705);
script_version("1.9");
script_set_attribute(attribute:"plugin_modification_date", value:"2024/03/06");
script_cve_id(
"CVE-2018-20843",
"CVE-2019-0196",
"CVE-2019-0197",
"CVE-2019-15903",
"CVE-2019-19956",
"CVE-2019-20388",
"CVE-2020-1934",
"CVE-2020-7595",
"CVE-2020-11080"
);
script_bugtraq_id(107665, 107669);
script_xref(name:"RHSA", value:"2020:2644");
script_xref(name:"IAVA", value:"2020-A-0326");
script_xref(name:"IAVA", value:"2019-A-0098-S");
script_xref(name:"CEA-ID", value:"CEA-2021-0004");
script_xref(name:"CEA-ID", value:"CEA-2021-0025");
script_xref(name:"CEA-ID", value:"CEA-2019-0203");
script_name(english:"RHEL 6 / 7 : Red Hat JBoss Core Services Apache HTTP Server 2.4.37 SP3 (RHSA-2020:2644)");
script_set_attribute(attribute:"synopsis", value:
"The remote Red Hat host is missing one or more security updates.");
script_set_attribute(attribute:"description", value:
"The remote Redhat Enterprise Linux 6 / 7 host has packages installed that are affected by multiple vulnerabilities as
referenced in the RHSA-2020:2644 advisory.
- expat: large number of colons in input makes parser consume high amount of resources, leading to DoS
(CVE-2018-20843)
- httpd: mod_http2: read-after-free on a string compare (CVE-2019-0196)
- httpd: mod_http2: possible crash on late upgrade (CVE-2019-0197)
- expat: heap-based buffer over-read via crafted XML input (CVE-2019-15903)
- libxml2: memory leak in xmlParseBalancedChunkMemoryRecover in parser.c (CVE-2019-19956)
- libxml2: memory leak in xmlSchemaPreRun in xmlschemas.c (CVE-2019-20388)
- nghttp2: overly large SETTINGS frames can lead to DoS (CVE-2020-11080)
- httpd: mod_proxy_ftp use of uninitialized value (CVE-2020-1934)
- libxml2: infinite loop in xmlStringLenDecodeEntities in some end-of-file situations (CVE-2020-7595)
Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/security/cve/CVE-2018-20843");
script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/security/cve/CVE-2019-0196");
script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/security/cve/CVE-2019-0197");
script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/security/cve/CVE-2019-15903");
script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/security/cve/CVE-2019-19956");
script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/security/cve/CVE-2019-20388");
script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/security/cve/CVE-2020-1934");
script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/security/cve/CVE-2020-7595");
script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/security/cve/CVE-2020-11080");
script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/errata/RHSA-2020:2644");
script_set_attribute(attribute:"see_also", value:"https://bugzilla.redhat.com/1695030");
script_set_attribute(attribute:"see_also", value:"https://bugzilla.redhat.com/1695042");
script_set_attribute(attribute:"see_also", value:"https://bugzilla.redhat.com/1723723");
script_set_attribute(attribute:"see_also", value:"https://bugzilla.redhat.com/1752592");
script_set_attribute(attribute:"see_also", value:"https://bugzilla.redhat.com/1788856");
script_set_attribute(attribute:"see_also", value:"https://bugzilla.redhat.com/1799734");
script_set_attribute(attribute:"see_also", value:"https://bugzilla.redhat.com/1799786");
script_set_attribute(attribute:"see_also", value:"https://bugzilla.redhat.com/1820772");
script_set_attribute(attribute:"see_also", value:"https://bugzilla.redhat.com/1844929");
script_set_attribute(attribute:"solution", value:
"Update the affected packages.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N");
script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N");
script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2020-1934");
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_cwe_id(122, 125, 400, 401, 416, 444, 456, 770, 772, 835);
script_set_attribute(attribute:"vuln_publication_date", value:"2019/04/01");
script_set_attribute(attribute:"patch_publication_date", value:"2020/06/22");
script_set_attribute(attribute:"plugin_publication_date", value:"2020/06/22");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:6");
script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:7");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:jbcs-httpd24-curl");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:jbcs-httpd24-httpd");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:jbcs-httpd24-httpd-devel");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:jbcs-httpd24-httpd-manual");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:jbcs-httpd24-httpd-selinux");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:jbcs-httpd24-httpd-tools");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:jbcs-httpd24-libcurl");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:jbcs-httpd24-libcurl-devel");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:jbcs-httpd24-mod_cluster-native");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:jbcs-httpd24-mod_http2");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:jbcs-httpd24-mod_jk-ap24");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:jbcs-httpd24-mod_jk-manual");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:jbcs-httpd24-mod_ldap");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:jbcs-httpd24-mod_md");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:jbcs-httpd24-mod_proxy_html");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:jbcs-httpd24-mod_security");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:jbcs-httpd24-mod_session");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:jbcs-httpd24-mod_ssl");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:jbcs-httpd24-nghttp2");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:jbcs-httpd24-nghttp2-devel");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:jbcs-httpd24-openssl-pkcs11");
script_set_attribute(attribute:"generated_plugin", value:"current");
script_set_attribute(attribute:"stig_severity", value:"I");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Red Hat Local Security Checks");
script_copyright(english:"This script is Copyright (C) 2020-2024 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("ssh_get_info.nasl", "redhat_repos.nasl");
script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu");
exit(0);
}
include('rpm.inc');
include('rhel.inc');
if (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_release = get_kb_item('Host/RedHat/release');
if (isnull(os_release) || 'Red Hat' >!< os_release) audit(AUDIT_OS_NOT, 'Red Hat');
var os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:os_release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Red Hat');
os_ver = os_ver[1];
if (!rhel_check_release_list(operator: 'ge', os_version: os_ver, rhel_versions: ['6','7'])) audit(AUDIT_OS_NOT, 'Red Hat 6.x / 7.x', 'Red Hat ' + os_ver);
if (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);
var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Red Hat', cpu);
var constraints = [
{
'repo_relative_urls': [
'content/dist/rhel/server/6/6Server/i386/jbcs/1/debug',
'content/dist/rhel/server/6/6Server/i386/jbcs/1/os',
'content/dist/rhel/server/6/6Server/i386/jbcs/1/source/SRPMS',
'content/dist/rhel/server/6/6Server/x86_64/jbcs/1/debug',
'content/dist/rhel/server/6/6Server/x86_64/jbcs/1/os',
'content/dist/rhel/server/6/6Server/x86_64/jbcs/1/source/SRPMS'
],
'pkgs': [
{'reference':'jbcs-httpd24-curl-7.64.1-36.jbcs.el6', 'cpu':'i686', 'release':'6', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'jbcs-httpd24'},
{'reference':'jbcs-httpd24-curl-7.64.1-36.jbcs.el6', 'cpu':'x86_64', 'release':'6', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'jbcs-httpd24'},
{'reference':'jbcs-httpd24-httpd-2.4.37-57.jbcs.el6', 'cpu':'i686', 'release':'6', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'jbcs-httpd24'},
{'reference':'jbcs-httpd24-httpd-2.4.37-57.jbcs.el6', 'cpu':'x86_64', 'release':'6', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'jbcs-httpd24'},
{'reference':'jbcs-httpd24-httpd-devel-2.4.37-57.jbcs.el6', 'cpu':'i686', 'release':'6', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'jbcs-httpd24'},
{'reference':'jbcs-httpd24-httpd-devel-2.4.37-57.jbcs.el6', 'cpu':'x86_64', 'release':'6', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'jbcs-httpd24'},
{'reference':'jbcs-httpd24-httpd-manual-2.4.37-57.jbcs.el6', 'release':'6', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'jbcs-httpd24'},
{'reference':'jbcs-httpd24-httpd-selinux-2.4.37-57.jbcs.el6', 'cpu':'i686', 'release':'6', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'jbcs-httpd24'},
{'reference':'jbcs-httpd24-httpd-selinux-2.4.37-57.jbcs.el6', 'cpu':'x86_64', 'release':'6', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'jbcs-httpd24'},
{'reference':'jbcs-httpd24-httpd-tools-2.4.37-57.jbcs.el6', 'cpu':'i686', 'release':'6', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'jbcs-httpd24'},
{'reference':'jbcs-httpd24-httpd-tools-2.4.37-57.jbcs.el6', 'cpu':'x86_64', 'release':'6', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'jbcs-httpd24'},
{'reference':'jbcs-httpd24-libcurl-7.64.1-36.jbcs.el6', 'cpu':'i686', 'release':'6', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'jbcs-httpd24'},
{'reference':'jbcs-httpd24-libcurl-7.64.1-36.jbcs.el6', 'cpu':'x86_64', 'release':'6', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'jbcs-httpd24'},
{'reference':'jbcs-httpd24-libcurl-devel-7.64.1-36.jbcs.el6', 'cpu':'i686', 'release':'6', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'jbcs-httpd24'},
{'reference':'jbcs-httpd24-libcurl-devel-7.64.1-36.jbcs.el6', 'cpu':'x86_64', 'release':'6', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'jbcs-httpd24'},
{'reference':'jbcs-httpd24-mod_cluster-native-1.3.14-4.Final_redhat_2.jbcs.el6', 'cpu':'i686', 'release':'6', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'jbcs-httpd24'},
{'reference':'jbcs-httpd24-mod_cluster-native-1.3.14-4.Final_redhat_2.jbcs.el6', 'cpu':'x86_64', 'release':'6', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'jbcs-httpd24'},
{'reference':'jbcs-httpd24-mod_http2-1.15.7-3.jbcs.el6', 'cpu':'i686', 'release':'6', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'jbcs-httpd24'},
{'reference':'jbcs-httpd24-mod_http2-1.15.7-3.jbcs.el6', 'cpu':'x86_64', 'release':'6', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'jbcs-httpd24'},
{'reference':'jbcs-httpd24-mod_jk-ap24-1.2.48-4.redhat_1.jbcs.el6', 'cpu':'i686', 'release':'6', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'jbcs-httpd24'},
{'reference':'jbcs-httpd24-mod_jk-ap24-1.2.48-4.redhat_1.jbcs.el6', 'cpu':'x86_64', 'release':'6', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'jbcs-httpd24'},
{'reference':'jbcs-httpd24-mod_jk-manual-1.2.48-4.redhat_1.jbcs.el6', 'cpu':'i686', 'release':'6', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'jbcs-httpd24'},
{'reference':'jbcs-httpd24-mod_jk-manual-1.2.48-4.redhat_1.jbcs.el6', 'cpu':'x86_64', 'release':'6', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'jbcs-httpd24'},
{'reference':'jbcs-httpd24-mod_ldap-2.4.37-57.jbcs.el6', 'cpu':'i686', 'release':'6', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'jbcs-httpd24'},
{'reference':'jbcs-httpd24-mod_ldap-2.4.37-57.jbcs.el6', 'cpu':'x86_64', 'release':'6', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'jbcs-httpd24'},
{'reference':'jbcs-httpd24-mod_md-2.0.8-24.jbcs.el6', 'cpu':'i686', 'release':'6', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1', 'exists_check':'jbcs-httpd24'},
{'reference':'jbcs-httpd24-mod_md-2.0.8-24.jbcs.el6', 'cpu':'x86_64', 'release':'6', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1', 'exists_check':'jbcs-httpd24'},
{'reference':'jbcs-httpd24-mod_proxy_html-2.4.37-57.jbcs.el6', 'cpu':'i686', 'release':'6', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1', 'exists_check':'jbcs-httpd24'},
{'reference':'jbcs-httpd24-mod_proxy_html-2.4.37-57.jbcs.el6', 'cpu':'x86_64', 'release':'6', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1', 'exists_check':'jbcs-httpd24'},
{'reference':'jbcs-httpd24-mod_security-2.9.2-51.GA.jbcs.el6', 'cpu':'i686', 'release':'6', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'jbcs-httpd24'},
{'reference':'jbcs-httpd24-mod_security-2.9.2-51.GA.jbcs.el6', 'cpu':'x86_64', 'release':'6', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'jbcs-httpd24'},
{'reference':'jbcs-httpd24-mod_session-2.4.37-57.jbcs.el6', 'cpu':'i686', 'release':'6', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'jbcs-httpd24'},
{'reference':'jbcs-httpd24-mod_session-2.4.37-57.jbcs.el6', 'cpu':'x86_64', 'release':'6', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'jbcs-httpd24'},
{'reference':'jbcs-httpd24-mod_ssl-2.4.37-57.jbcs.el6', 'cpu':'i686', 'release':'6', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1', 'exists_check':'jbcs-httpd24'},
{'reference':'jbcs-httpd24-mod_ssl-2.4.37-57.jbcs.el6', 'cpu':'x86_64', 'release':'6', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1', 'exists_check':'jbcs-httpd24'},
{'reference':'jbcs-httpd24-nghttp2-1.39.2-25.jbcs.el6', 'cpu':'i686', 'release':'6', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'jbcs-httpd24'},
{'reference':'jbcs-httpd24-nghttp2-1.39.2-25.jbcs.el6', 'cpu':'x86_64', 'release':'6', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'jbcs-httpd24'},
{'reference':'jbcs-httpd24-nghttp2-devel-1.39.2-25.jbcs.el6', 'cpu':'i686', 'release':'6', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'jbcs-httpd24'},
{'reference':'jbcs-httpd24-nghttp2-devel-1.39.2-25.jbcs.el6', 'cpu':'x86_64', 'release':'6', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'jbcs-httpd24'}
]
},
{
'repo_relative_urls': [
'content/dist/rhel/server/7/7Server/x86_64/jbcs/1/debug',
'content/dist/rhel/server/7/7Server/x86_64/jbcs/1/os',
'content/dist/rhel/server/7/7Server/x86_64/jbcs/1/source/SRPMS'
],
'pkgs': [
{'reference':'jbcs-httpd24-curl-7.64.1-36.jbcs.el7', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'jbcs-httpd24'},
{'reference':'jbcs-httpd24-httpd-2.4.37-57.jbcs.el7', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'jbcs-httpd24'},
{'reference':'jbcs-httpd24-httpd-devel-2.4.37-57.jbcs.el7', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'jbcs-httpd24'},
{'reference':'jbcs-httpd24-httpd-manual-2.4.37-57.jbcs.el7', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'jbcs-httpd24'},
{'reference':'jbcs-httpd24-httpd-selinux-2.4.37-57.jbcs.el7', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'jbcs-httpd24'},
{'reference':'jbcs-httpd24-httpd-tools-2.4.37-57.jbcs.el7', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'jbcs-httpd24'},
{'reference':'jbcs-httpd24-libcurl-7.64.1-36.jbcs.el7', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'jbcs-httpd24'},
{'reference':'jbcs-httpd24-libcurl-devel-7.64.1-36.jbcs.el7', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'jbcs-httpd24'},
{'reference':'jbcs-httpd24-mod_cluster-native-1.3.14-4.Final_redhat_2.jbcs.el7', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'jbcs-httpd24'},
{'reference':'jbcs-httpd24-mod_http2-1.15.7-3.jbcs.el7', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'jbcs-httpd24'},
{'reference':'jbcs-httpd24-mod_jk-ap24-1.2.48-4.redhat_1.jbcs.el7', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'jbcs-httpd24'},
{'reference':'jbcs-httpd24-mod_jk-manual-1.2.48-4.redhat_1.jbcs.el7', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'jbcs-httpd24'},
{'reference':'jbcs-httpd24-mod_ldap-2.4.37-57.jbcs.el7', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'jbcs-httpd24'},
{'reference':'jbcs-httpd24-mod_md-2.0.8-24.jbcs.el7', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1', 'exists_check':'jbcs-httpd24'},
{'reference':'jbcs-httpd24-mod_proxy_html-2.4.37-57.jbcs.el7', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1', 'exists_check':'jbcs-httpd24'},
{'reference':'jbcs-httpd24-mod_security-2.9.2-51.GA.jbcs.el7', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'jbcs-httpd24'},
{'reference':'jbcs-httpd24-mod_session-2.4.37-57.jbcs.el7', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'jbcs-httpd24'},
{'reference':'jbcs-httpd24-mod_ssl-2.4.37-57.jbcs.el7', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1', 'exists_check':'jbcs-httpd24'},
{'reference':'jbcs-httpd24-nghttp2-1.39.2-25.jbcs.el7', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'jbcs-httpd24'},
{'reference':'jbcs-httpd24-nghttp2-devel-1.39.2-25.jbcs.el7', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'jbcs-httpd24'},
{'reference':'jbcs-httpd24-openssl-pkcs11-0.4.10-7.jbcs.el7', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'jbcs-httpd24'}
]
}
];
var applicable_repo_urls = rhel_determine_applicable_repository_urls(constraints:constraints);
if(applicable_repo_urls == RHEL_REPOS_NO_OVERLAP_MESSAGE) exit(0, RHEL_REPO_NOT_ENABLED);
var flag = 0;
foreach var constraint_array ( constraints ) {
var repo_relative_urls = NULL;
if (!empty_or_null(constraint_array['repo_relative_urls'])) repo_relative_urls = constraint_array['repo_relative_urls'];
foreach var pkg ( constraint_array['pkgs'] ) {
var reference = NULL;
var _release = NULL;
var sp = NULL;
var _cpu = NULL;
var el_string = NULL;
var rpm_spec_vers_cmp = NULL;
var epoch = NULL;
var allowmaj = NULL;
var exists_check = NULL;
if (!empty_or_null(pkg['reference'])) reference = pkg['reference'];
if (!empty_or_null(pkg['release'])) _release = 'RHEL' + pkg['release'];
if (!empty_or_null(pkg['sp'])) sp = pkg['sp'];
if (!empty_or_null(pkg['cpu'])) _cpu = pkg['cpu'];
if (!empty_or_null(pkg['el_string'])) el_string = pkg['el_string'];
if (!empty_or_null(pkg['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = pkg['rpm_spec_vers_cmp'];
if (!empty_or_null(pkg['epoch'])) epoch = pkg['epoch'];
if (!empty_or_null(pkg['allowmaj'])) allowmaj = pkg['allowmaj'];
if (!empty_or_null(pkg['exists_check'])) exists_check = pkg['exists_check'];
if (reference &&
_release &&
rhel_decide_repo_relative_url_check(required_repo_url_list:repo_relative_urls) &&
(applicable_repo_urls || (!exists_check || rpm_exists(release:_release, rpm:exists_check))) &&
rpm_check(release:_release, sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;
}
}
if (flag)
{
var extra = NULL;
if (empty_or_null(applicable_repo_urls)) extra = rpm_report_get() + redhat_report_repo_caveat();
else extra = rpm_report_get() + redhat_report_package_caveat();
security_report_v4(
port : 0,
severity : SECURITY_WARNING,
extra : extra
);
exit(0);
}
else
{
var tested = pkg_tests_get();
if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'jbcs-httpd24-curl / jbcs-httpd24-httpd / jbcs-httpd24-httpd-devel / etc');
}
| Vendor | Product | Version | CPE |
|---|---|---|---|
| redhat | enterprise_linux | 6 | cpe:/o:redhat:enterprise_linux:6 |
| redhat | enterprise_linux | 7 | cpe:/o:redhat:enterprise_linux:7 |
| redhat | enterprise_linux | jbcs-httpd24-curl | p-cpe:/a:redhat:enterprise_linux:jbcs-httpd24-curl |
| redhat | enterprise_linux | jbcs-httpd24-httpd | p-cpe:/a:redhat:enterprise_linux:jbcs-httpd24-httpd |
| redhat | enterprise_linux | jbcs-httpd24-httpd-devel | p-cpe:/a:redhat:enterprise_linux:jbcs-httpd24-httpd-devel |
| redhat | enterprise_linux | jbcs-httpd24-httpd-manual | p-cpe:/a:redhat:enterprise_linux:jbcs-httpd24-httpd-manual |
| redhat | enterprise_linux | jbcs-httpd24-httpd-selinux | p-cpe:/a:redhat:enterprise_linux:jbcs-httpd24-httpd-selinux |
| redhat | enterprise_linux | jbcs-httpd24-httpd-tools | p-cpe:/a:redhat:enterprise_linux:jbcs-httpd24-httpd-tools |
| redhat | enterprise_linux | jbcs-httpd24-libcurl | p-cpe:/a:redhat:enterprise_linux:jbcs-httpd24-libcurl |
| redhat | enterprise_linux | jbcs-httpd24-libcurl-devel | p-cpe:/a:redhat:enterprise_linux:jbcs-httpd24-libcurl-devel |
References
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20843
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0196
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0197
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15903
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19956
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20388
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11080
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1934
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7595
access.redhat.com/errata/RHSA-2020:2644
access.redhat.com/security/cve/CVE-2018-20843
access.redhat.com/security/cve/CVE-2019-0196
access.redhat.com/security/cve/CVE-2019-0197
access.redhat.com/security/cve/CVE-2019-15903
access.redhat.com/security/cve/CVE-2019-19956
access.redhat.com/security/cve/CVE-2019-20388
access.redhat.com/security/cve/CVE-2020-11080
access.redhat.com/security/cve/CVE-2020-1934
access.redhat.com/security/cve/CVE-2020-7595
bugzilla.redhat.com/1695030
bugzilla.redhat.com/1695042
bugzilla.redhat.com/1723723
bugzilla.redhat.com/1752592
bugzilla.redhat.com/1788856
bugzilla.redhat.com/1799734
bugzilla.redhat.com/1799786
bugzilla.redhat.com/1820772
bugzilla.redhat.com/1844929
Related
redhat
redhat
(RHSA-2020:2644) Important: Red Hat JBoss Core Services Apache HTTP Server 2.4.37 SP3 security update
2020-06-22 12:14:48
(RHSA-2020:2646) Important: Red Hat JBoss Core Services Apache HTTP Server 2.4.37 SP3 security update
2020-06-22 13:04:38
(RHSA-2020:3996) Moderate: libxml2 security and bug fix update
2020-09-29 07:49:53
oraclelinux
oraclelinux
libxml2 security update
2020-11-10 00:00:00
libxml2 security and bug fix update
2020-10-06 00:00:00
expat security update
2020-11-10 00:00:00
nessus
nessus
RHEL 8 : libxml2 (RHSA-2020:4479)
2020-11-19 00:00:00
RHEL 7 : libxml2 (RHSA-2020:3996)
2020-09-29 00:00:00
Amazon Linux 2 : libxml2 (ALAS-2020-1534)
2020-10-28 00:00:00
ibm
ibm
almalinux
almalinux
Moderate: libxml2 security update
2020-11-03 12:08:23
Moderate: expat security update
2020-11-03 12:09:00
amazon
amazon
Medium: libxml2
2020-10-22 18:25:00
Medium: libxml2
2020-10-26 18:09:00
Medium: expat
2021-01-12 22:51:00
suse
suse
Security update for libxml2 (moderate)
2020-05-23 00:00:00
Security update for libxml2 (moderate)
2020-06-08 00:00:00
fedora
fedora
[SECURITY] Fedora 30 Update: libxml2-2.9.10-3.fc30
2020-04-30 02:51:35
[SECURITY] Fedora 32 Update: mingw-libxml2-2.9.10-1.fc32
2020-05-01 04:08:08
[SECURITY] Fedora 31 Update: mingw-libxml2-2.9.10-3.fc31
2020-09-19 22:45:29
openvas
openvas
Huawei EulerOS: Security Advisory for libxml2 (EulerOS-SA-2020-1670)
2020-06-16 00:00:00
Fedora: Security Advisory for mingw-libxml2 (FEDORA-2020-7694e8be73)
2020-05-02 00:00:00
Huawei EulerOS: Security Advisory for libxml2 (EulerOS-SA-2020-1533)
2020-04-30 00:00:00
centos
centos
libxml2 security update
2020-10-20 18:27:26
expat security update
2020-10-20 17:58:03
ubuntu
ubuntu
VTK vulnerabilities
2021-03-15 00:00:00
libxml2 vulnerabilities
2020-02-10 00:00:00
Expat vulnerability
2019-06-26 00:00:00
osv
osv
vtk vulnerabilities
2021-03-15 22:38:15
Moderate: expat security update
2020-11-03 12:09:00
libxml2 - security update
2020-09-09 00:00:00
gentoo
gentoo
libxml2: Multiple vulnerabilities
2020-10-20 00:00:00
Expat: Multiple vulnerabilities
2019-11-25 00:00:00
ics
ics
Siemens SINEMA Remote Connect Server
2021-04-13 12:00:00
cloudfoundry
cloudfoundry
USN-4274-1: libxml2 vulnerabilities | Cloud Foundry
2020-02-20 00:00:00
mageia
mageia
Updated libxml2_2 packages fix security vulnerabilities
2020-02-25 00:44:46
Updated libxml2 packages fix security vulnerability
2020-07-05 01:47:21
Updated libxml2 packages fix security vulnerability
2020-01-05 18:37:51
rocky
rocky
expat security update
2020-11-03 12:09:00
altlinux
altlinux
Security fix for the ALT Linux 9 package expat version 2.2.9-alt1
2020-05-31 00:00:00
Security fix for the ALT Linux 10 package libxml2 version 1:2.9.10-alt4
2020-11-06 00:00:00
Security fix for the ALT Linux 9 package libxml2 version 1:2.9.10-alt4
2020-11-09 00:00:00
archlinux
archlinux
[ASA-202011-15] libxml2: multiple issues
2020-11-17 00:00:00
photon
photon
Home
Download Photon OS
User Documentation
FAQ
Security Advisories
Related Information
Lightwave - PHSA-2020-1.0-0271
2020-02-05 00:00:00
Important Photon OS Security Update - PHSA-2020-0203
2020-01-30 00:00:00
Important Photon OS Security Update - PHSA-2020-0271
2020-02-05 00:00:00
freebsd
freebsd
libxml -- multiple vulnerabilities
2020-01-21 00:00:00
f5
f5
debian
debian
[SECURITY] [DLA 2369-1] libxml2 security update
2020-09-09 22:41:50
[SECURITY] [DSA 4472-1] expat security update
2019-06-28 09:30:19
[SECURITY] [DLA 1839-1] expat security update
2019-06-29 18:59:53
veracode
veracode
Denial Of Service (DoS)
2020-01-22 13:24:09
Denial Of Service (DoS)
2019-07-01 08:36:31
Denial Of Service (DoS)
2020-01-21 03:40:01
cvelist
cvelist
CVE-2019-20388
2020-01-21 22:53:50
CVE-2019-19956
2019-12-24 15:12:57
CVE-2020-11080 Denial of service in nghttp2
2020-06-03 00:00:00
prion
prion
Memory corruption
2019-12-24 16:15:00
Memory corruption
2020-01-21 23:15:00
cve
cve
CVE-2019-19956
2019-12-24 16:15:11
CVE-2018-20843
2019-06-24 17:15:09
alpinelinux
alpinelinux
CVE-2019-19956
2019-12-24 16:15:11
CVE-2019-20388
2020-01-21 23:15:13
redhatcve
redhatcve
nvd
nvd
debiancve
debiancve
CVE-2018-20843
2019-06-24 17:15:09
CVE-2019-19956
2019-12-24 16:15:11
ubuntucve
ubuntucve
cbl_mariner
cbl_mariner
CVE-2019-20388 affecting package libxml2 2.9.10-4
2020-10-08 18:09:52
7.8 High
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:N/I:N/A:C
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
7.5 High
AI Score
Confidence
Low
0.582 Medium
EPSS
Percentile
97.7%
Related for REDHAT-RHSA-2020-2644.NASL