RHEL 6:Red Hat JBoss Core Services Apache HTTP Server 2.4.29 RHEL 6 (RHSA-2018:2186)
critical Nessus Plugin ID 111147
語系:
Synopsis
遠端 Red Hat 主機缺少一個或多個安全性更新。描述
現已提供適用於 Red Hat Enterprise Linux 6 的 Red Hat JBoss Core Services Pack Apache Server 2.4.29 套件。Red Hat 產品安全性團隊已將此版本評等為具有中等安全性影響。可從〈參照〉一節的 CVE 連結中取得每個弱點之常見弱點評分系統 (CVSS) 的基本分數,其中包含有關嚴重性評等的詳細資訊。此版本新增了 Apache HTTP Server 2.4.29 套件,其為 JBoss Core Services 供應項目的一部分。此版本作為 Red Hat JBoss Core Services Apache HTTP Server 2.4.23 的取代版本,並含有數個錯誤修正和增強功能。如需此版本中最重要的錯誤修正、增強功能和元件升級的詳細資訊,請參閱「版本資訊」。此版本將 OpenSSL 升級至 1.0.2.n 版 安全性修正:* openssl:BN_bn2dec() 中未檢查到的錯誤導致超出邊界寫入 (CVE-2016-2182) * openssl:TLS 工作階段票證 HMAC 長度檢查不足 (CVE-2016-6302) * openssl:憑證訊息 OOB 讀取 (CVE-2016-6306) * openssl:蒙哥馬利乘法發生進位傳輸錯誤 (CVE-2016-7055) * openssl:OOB 讀取可能損毀截斷的封包 (CVE-2017-3731) * openssl:BN_mod_exp 可在 x86_64 上產生不正確的結果 (CVE-2017-3732) * openssl: bn_sqrx8x_internal 在 x86_64 上發生錯誤 (CVE-2017-3736) * openssl:SSL 物件處於錯誤狀態後,發生讀取/寫入 (CVE-2017-3737) * openssl:rsaz_1024_mul_avx2 在 x86_64 上發生溢位錯誤 (CVE-2017-3738) Red Hat 感謝 OpenSSL 專案報告 CVE-2016-6306 和 CVE-2016-7055。上游確認 Shi Lei (Qihoo 360 Inc. 的 Gear Team) 為 CVE-2016-6306 的原始報告者。解決方案
更新受影響的套件。另請參閱
http://www.nessus.org/u?b2e43da2
https://access.redhat.com/errata/RHSA-2018:2186
https://access.redhat.com/security/cve/cve-2016-2182
https://access.redhat.com/security/cve/cve-2016-4975
https://access.redhat.com/security/cve/cve-2016-6302
https://access.redhat.com/security/cve/cve-2016-6306
https://access.redhat.com/security/cve/cve-2016-7055
https://access.redhat.com/security/cve/cve-2017-3731
https://access.redhat.com/security/cve/cve-2017-3732
https://access.redhat.com/security/cve/cve-2017-3736
Plugin 詳細資訊
嚴重性: Critical
ID: 111147
檔案名稱: redhat-RHSA-2018-2186.nasl
版本: 1.6
類型: local
代理程式: unix
已發布: 2018/7/18
已更新: 2019/10/24
支持的傳感器: Agentless Assessment, Frictionless Assessment Agent, Frictionless Assessment AWS, Frictionless Assessment Azure, Nessus Agent
風險資訊
VPR
風險因素: Medium
分數: 6.7
CVSS v2
風險因素: High
基本分數: 7.5
媒介: AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSS v3
風險因素: Critical
基本分數: 9.8
媒介: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
弱點資訊
CPE: p-cpe:/a:redhat:enterprise_linux:jbcs-httpd24-apache-commons-daemon, p-cpe:/a:redhat:enterprise_linux:jbcs-httpd24-apache-commons-daemon-jsvc, p-cpe:/a:redhat:enterprise_linux:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo, p-cpe:/a:redhat:enterprise_linux:jbcs-httpd24-apr, p-cpe:/a:redhat:enterprise_linux:jbcs-httpd24-apr-debuginfo, p-cpe:/a:redhat:enterprise_linux:jbcs-httpd24-apr-devel, p-cpe:/a:redhat:enterprise_linux:jbcs-httpd24-apr-util, p-cpe:/a:redhat:enterprise_linux:jbcs-httpd24-apr-util-debuginfo, p-cpe:/a:redhat:enterprise_linux:jbcs-httpd24-apr-util-devel, p-cpe:/a:redhat:enterprise_linux:jbcs-httpd24-apr-util-ldap, p-cpe:/a:redhat:enterprise_linux:jbcs-httpd24-apr-util-mysql, p-cpe:/a:redhat:enterprise_linux:jbcs-httpd24-apr-util-nss, p-cpe:/a:redhat:enterprise_linux:jbcs-httpd24-apr-util-odbc, p-cpe:/a:redhat:enterprise_linux:jbcs-httpd24-apr-util-openssl, p-cpe:/a:redhat:enterprise_linux:jbcs-httpd24-apr-util-pgsql, p-cpe:/a:redhat:enterprise_linux:jbcs-httpd24-apr-util-sqlite, p-cpe:/a:redhat:enterprise_linux:jbcs-httpd24-httpd, p-cpe:/a:redhat:enterprise_linux:jbcs-httpd24-httpd-debuginfo, p-cpe:/a:redhat:enterprise_linux:jbcs-httpd24-httpd-devel, p-cpe:/a:redhat:enterprise_linux:jbcs-httpd24-httpd-manual, p-cpe:/a:redhat:enterprise_linux:jbcs-httpd24-httpd-selinux, p-cpe:/a:redhat:enterprise_linux:jbcs-httpd24-httpd-tools, p-cpe:/a:redhat:enterprise_linux:jbcs-httpd24-mod_auth_kerb, p-cpe:/a:redhat:enterprise_linux:jbcs-httpd24-mod_auth_kerb-debuginfo, p-cpe:/a:redhat:enterprise_linux:jbcs-httpd24-mod_bmx, p-cpe:/a:redhat:enterprise_linux:jbcs-httpd24-mod_bmx-debuginfo, p-cpe:/a:redhat:enterprise_linux:jbcs-httpd24-mod_cluster-native, p-cpe:/a:redhat:enterprise_linux:jbcs-httpd24-mod_cluster-native-debuginfo, p-cpe:/a:redhat:enterprise_linux:jbcs-httpd24-mod_jk-ap24, p-cpe:/a:redhat:enterprise_linux:jbcs-httpd24-mod_jk-debuginfo, p-cpe:/a:redhat:enterprise_linux:jbcs-httpd24-mod_jk-manual, p-cpe:/a:redhat:enterprise_linux:jbcs-httpd24-mod_ldap, p-cpe:/a:redhat:enterprise_linux:jbcs-httpd24-mod_proxy_html, p-cpe:/a:redhat:enterprise_linux:jbcs-httpd24-mod_rt, p-cpe:/a:redhat:enterprise_linux:jbcs-httpd24-mod_rt-debuginfo, p-cpe:/a:redhat:enterprise_linux:jbcs-httpd24-mod_security, p-cpe:/a:redhat:enterprise_linux:jbcs-httpd24-mod_security-debuginfo, p-cpe:/a:redhat:enterprise_linux:jbcs-httpd24-mod_session, p-cpe:/a:redhat:enterprise_linux:jbcs-httpd24-mod_ssl, p-cpe:/a:redhat:enterprise_linux:jbcs-httpd24-nghttp2, p-cpe:/a:redhat:enterprise_linux:jbcs-httpd24-nghttp2-debuginfo, p-cpe:/a:redhat:enterprise_linux:jbcs-httpd24-nghttp2-devel, p-cpe:/a:redhat:enterprise_linux:jbcs-httpd24-openssl, p-cpe:/a:redhat:enterprise_linux:jbcs-httpd24-openssl-debuginfo, p-cpe:/a:redhat:enterprise_linux:jbcs-httpd24-openssl-devel, p-cpe:/a:redhat:enterprise_linux:jbcs-httpd24-openssl-libs, p-cpe:/a:redhat:enterprise_linux:jbcs-httpd24-openssl-perl, p-cpe:/a:redhat:enterprise_linux:jbcs-httpd24-openssl-static, cpe:/o:redhat:enterprise_linux:6
必要的 KB 項目: Host/local_checks_enabled, Host/RedHat/release, Host/RedHat/rpm-list, Host/cpu
修補程式發佈日期: 2018/7/12
弱點發布日期: 2016/9/16
參考資訊
CVE: CVE-2016-2182, CVE-2016-4975, CVE-2016-6302, CVE-2016-6306, CVE-2016-7055, CVE-2017-3731, CVE-2017-3732, CVE-2017-3736, CVE-2017-3737, CVE-2017-3738
RHSA: 2018:2186