RHEL 6:Red Hat JBoss Core Services Apache HTTP Server 2.4.29 RHEL 6 (RHSA-2018:2186)

critical Nessus Plugin ID 111147

Synopsis

The remote Red Hat host is missing one or more security updates.

Description

Red Hat JBoss Core Services Pack Apache Server 2.4.29 packages are now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this release as having Moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE links in the References section. (The Critical severity shown for this plugin comes from the highest CVSS v3 base score among the listed CVEs, 9.8, not from Red Hat's Moderate rating of the erratum as a whole.)

This release adds the Apache HTTP Server 2.4.29 packages, which are part of the JBoss Core Services offering. It serves as a replacement for Red Hat JBoss Core Services Apache HTTP Server 2.4.23 and includes several bug fixes and enhancements. Refer to the Release Notes for information on the most significant bug fixes, enhancements and component upgrades in this release.

This release upgrades OpenSSL to version 1.0.2n.

Security fixes:

* openssl: Unchecked error in BN_bn2dec() leads to an out-of-bounds write (CVE-2016-2182)
* openssl: Insufficient TLS session ticket HMAC length check (CVE-2016-6302)
* openssl: Certificate message OOB read (CVE-2016-6306)
* openssl: Carry propagation bug in Montgomery multiplication (CVE-2016-7055)
* openssl: Truncated packet could crash via OOB read (CVE-2017-3731)
* openssl: BN_mod_exp may produce incorrect results on x86_64 (CVE-2017-3732)
* openssl: bn_sqrx8x_internal carry bug on x86_64 (CVE-2017-3736)
* openssl: Read/write after SSL object in error state (CVE-2017-3737)
* openssl: rsaz_1024_mul_avx2 overflow bug on x86_64 (CVE-2017-3738)

Red Hat would like to thank the OpenSSL project for reporting CVE-2016-6306 and CVE-2016-7055. Upstream acknowledges Shi Lei (Gear Team, Qihoo 360 Inc.) as the original reporter of CVE-2016-6306.

Solution

Update the affected packages.
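A plugin like this one is a local check: it reads the host's installed package list (the Host/RedHat/rpm-list KB item listed under Plugin Details) and compares each affected package's version-release against the fixed one using rpm's own version ordering. The following is an added illustrative example of that comparison, not the plugin's NASL code and not anything from Red Hat. The `rpm -qa` lines and the release tags in `FIXED` are constructed; only the upstream versions (httpd 2.4.29, OpenSSL 1.0.2n) come from the advisory text, so for a real check substitute the exact NVRs from RHSA-2018:2186. The comparison implements rpmvercmp's tilde rule but not the `^` rule of newer rpm releases, which RHEL 6's rpm does not have.

```python
"""Version check for the RHSA-2018:2186 jbcs-httpd24 packages.

Added illustrative example; not Nessus plugin 111147's NASL code and not
Red Hat's. It parses `rpm -qa` output (the same data the plugin reads from
the Host/RedHat/rpm-list KB item) and flags packages older than a fixed
version-release using rpm's rpmvercmp ordering.
"""
import re

# Constructed sample of `rpm -qa` output for a RHEL 6 host. Release tags and
# the non-JBCS lines are illustrative, not taken from the advisory.
SAMPLE_RPM_LIST = """\
jbcs-httpd24-httpd-2.4.23-122.jbcs.el6.x86_64
jbcs-httpd24-openssl-1.0.2h-14.jbcs.el6.x86_64
jbcs-httpd24-mod_ssl-2.4.29-30.jbcs.el6.x86_64
jbcs-httpd24-nghttp2-1.29.0-5.jbcs.el6.x86_64
httpd-2.2.15-69.el6.x86_64
gpg-pubkey-fd431d51-4ae0493b
"""

# Minimum (version, release) per package. Upstream versions come from the
# advisory text (httpd 2.4.29, OpenSSL 1.0.2n); the release tags are
# placeholder assumptions. For a real check use the NVRs from RHSA-2018:2186.
FIXED = {
    "jbcs-httpd24-httpd": ("2.4.29", "1.jbcs.el6"),
    "jbcs-httpd24-mod_ssl": ("2.4.29", "1.jbcs.el6"),
    "jbcs-httpd24-openssl": ("1.0.2n", "1.jbcs.el6"),
}

# name may contain '-', version and release may not; arch is optional
# (gpg-pubkey entries in `rpm -qa` have none).
_NVRA = re.compile(
    r"^(?P<name>.+)-(?P<version>[^-]+)-(?P<release>[^-]+?)"
    r"(?:\.(?P<arch>x86_64|i[3-6]86|noarch|aarch64|ppc64le|s390x))?$"
)
# rpmvercmp segments: digit runs, letter runs, and the tilde marker.
_SEG = re.compile(r"\d+|[A-Za-z]+|~")


def parse_nvra(line):
    """Split 'name-version-release[.arch]' as printed by `rpm -qa`.

    Returns (name, epoch, version, release) or None. `rpm -qa` omits the
    epoch by default; an 'epoch:version' form is accepted for output made
    with --qf '%{EPOCH}:%{VERSION}-%{RELEASE}' (a missing epoch counts as 0).
    """
    m = _NVRA.match(line.strip())
    if not m:
        return None
    epoch, version = 0, m["version"]
    if ":" in version:
        e, version = version.split(":", 1)
        epoch = int(e) if e.isdigit() else 0
    return m["name"], epoch, version, m["release"]


def rpmvercmp(a, b):
    """Order two version (or release) strings the way rpm's rpmvercmp() does.

    Separators are ignored. Digit runs compare numerically, letter runs
    lexically, a digit run beats a letter run, and '~' sorts before anything
    (1.0~rc1 < 1.0). Leftover segments make a string newer unless the
    leftover starts with '~'. Returns -1, 0 or 1.
    """
    if a == b:
        return 0
    one, two = _SEG.findall(a), _SEG.findall(b)
    while one and two:
        if one[0] == "~" or two[0] == "~":
            if one[0] != "~":
                return 1
            if two[0] != "~":
                return -1
            one.pop(0)
            two.pop(0)
            continue
        x, y = one.pop(0), two.pop(0)
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        if x.isdigit():
            x, y = int(x), int(y)
        if x != y:
            return 1 if x > y else -1
    if not one and not two:
        return 0
    if one:
        return -1 if one[0] == "~" else 1
    return 1 if two[0] == "~" else -1


def evr_cmp(installed, fixed):
    """Compare (epoch, version, release) tuples: epoch, then version, then release."""
    (e1, v1, r1), (e2, v2, r2) = installed, fixed
    if e1 != e2:
        return 1 if e1 > e2 else -1
    return rpmvercmp(v1, v2) or rpmvercmp(r1, r2)


def find_vulnerable(rpm_list, fixed=FIXED):
    """Return (name, installed 'ver-rel', fixed 'ver-rel') for each package in
    rpm_list that is older than its entry in fixed; unlisted packages are skipped."""
    hits = []
    for line in rpm_list.splitlines():
        pkg = parse_nvra(line)
        if pkg is None or pkg[0] not in fixed:
            continue
        name, epoch, version, release = pkg
        fv, fr = fixed[name]
        if evr_cmp((epoch, version, release), (0, fv, fr)) < 0:
            hits.append((name, f"{version}-{release}", f"{fv}-{fr}"))
    return hits


if __name__ == "__main__":
    for name, have, need in find_vulnerable(SAMPLE_RPM_LIST):
        print(f"{name}: installed {have} < fixed {need}")
```

On the constructed list this reports jbcs-httpd24-httpd and jbcs-httpd24-openssl as behind the fixed versions while jbcs-httpd24-mod_ssl passes; the plain RHEL `httpd` package is ignored because only the jbcs-httpd24 packages are in scope for this erratum. Because epochs are not in default `rpm -qa` output, a production check should query them explicitly, since an epoch bump makes a lower-looking version newer.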

See Also

http://www.nessus.org/u?b2e43da2

https://access.redhat.com/errata/RHSA-2018:2186

https://access.redhat.com/security/cve/cve-2016-2182

https://access.redhat.com/security/cve/cve-2016-4975

https://access.redhat.com/security/cve/cve-2016-6302

https://access.redhat.com/security/cve/cve-2016-6306

https://access.redhat.com/security/cve/cve-2016-7055

https://access.redhat.com/security/cve/cve-2017-3731

https://access.redhat.com/security/cve/cve-2017-3732

https://access.redhat.com/security/cve/cve-2017-3736

https://access.redhat.com/security/cve/cve-2017-3737

https://access.redhat.com/security/cve/cve-2017-3738

Plugin Details

Severity: Critical

ID: 111147

File Name: redhat-RHSA-2018-2186.nasl

Version: 1.6

Type: local

Agent: unix

Published: 2018/7/18

Updated: 2019/10/24

Supported Sensors: Frictionless Assessment AWS, Frictionless Assessment Azure, Frictionless Assessment Agent, Nessus Agent, Agentless Assessment, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: High

Base Score: 7.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Vulnerability Information

CPE: p-cpe:/a:redhat:enterprise_linux:jbcs-httpd24-apache-commons-daemon, p-cpe:/a:redhat:enterprise_linux:jbcs-httpd24-apache-commons-daemon-jsvc, p-cpe:/a:redhat:enterprise_linux:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo, p-cpe:/a:redhat:enterprise_linux:jbcs-httpd24-apr, p-cpe:/a:redhat:enterprise_linux:jbcs-httpd24-apr-debuginfo, p-cpe:/a:redhat:enterprise_linux:jbcs-httpd24-apr-devel, p-cpe:/a:redhat:enterprise_linux:jbcs-httpd24-apr-util, p-cpe:/a:redhat:enterprise_linux:jbcs-httpd24-apr-util-debuginfo, p-cpe:/a:redhat:enterprise_linux:jbcs-httpd24-apr-util-devel, p-cpe:/a:redhat:enterprise_linux:jbcs-httpd24-apr-util-ldap, p-cpe:/a:redhat:enterprise_linux:jbcs-httpd24-apr-util-mysql, p-cpe:/a:redhat:enterprise_linux:jbcs-httpd24-apr-util-nss, p-cpe:/a:redhat:enterprise_linux:jbcs-httpd24-apr-util-odbc, p-cpe:/a:redhat:enterprise_linux:jbcs-httpd24-apr-util-openssl, p-cpe:/a:redhat:enterprise_linux:jbcs-httpd24-apr-util-pgsql, p-cpe:/a:redhat:enterprise_linux:jbcs-httpd24-apr-util-sqlite, p-cpe:/a:redhat:enterprise_linux:jbcs-httpd24-httpd, p-cpe:/a:redhat:enterprise_linux:jbcs-httpd24-httpd-debuginfo, p-cpe:/a:redhat:enterprise_linux:jbcs-httpd24-httpd-devel, p-cpe:/a:redhat:enterprise_linux:jbcs-httpd24-httpd-manual, p-cpe:/a:redhat:enterprise_linux:jbcs-httpd24-httpd-selinux, p-cpe:/a:redhat:enterprise_linux:jbcs-httpd24-httpd-tools, p-cpe:/a:redhat:enterprise_linux:jbcs-httpd24-mod_auth_kerb, p-cpe:/a:redhat:enterprise_linux:jbcs-httpd24-mod_auth_kerb-debuginfo, p-cpe:/a:redhat:enterprise_linux:jbcs-httpd24-mod_bmx, p-cpe:/a:redhat:enterprise_linux:jbcs-httpd24-mod_bmx-debuginfo, p-cpe:/a:redhat:enterprise_linux:jbcs-httpd24-mod_cluster-native, p-cpe:/a:redhat:enterprise_linux:jbcs-httpd24-mod_cluster-native-debuginfo, p-cpe:/a:redhat:enterprise_linux:jbcs-httpd24-mod_jk-ap24, p-cpe:/a:redhat:enterprise_linux:jbcs-httpd24-mod_jk-debuginfo, p-cpe:/a:redhat:enterprise_linux:jbcs-httpd24-mod_jk-manual, p-cpe:/a:redhat:enterprise_linux:jbcs-httpd24-mod_ldap, p-cpe:/a:redhat:enterprise_linux:jbcs-httpd24-mod_proxy_html, p-cpe:/a:redhat:enterprise_linux:jbcs-httpd24-mod_rt, p-cpe:/a:redhat:enterprise_linux:jbcs-httpd24-mod_rt-debuginfo, p-cpe:/a:redhat:enterprise_linux:jbcs-httpd24-mod_security, p-cpe:/a:redhat:enterprise_linux:jbcs-httpd24-mod_security-debuginfo, p-cpe:/a:redhat:enterprise_linux:jbcs-httpd24-mod_session, p-cpe:/a:redhat:enterprise_linux:jbcs-httpd24-mod_ssl, p-cpe:/a:redhat:enterprise_linux:jbcs-httpd24-nghttp2, p-cpe:/a:redhat:enterprise_linux:jbcs-httpd24-nghttp2-debuginfo, p-cpe:/a:redhat:enterprise_linux:jbcs-httpd24-nghttp2-devel, p-cpe:/a:redhat:enterprise_linux:jbcs-httpd24-openssl, p-cpe:/a:redhat:enterprise_linux:jbcs-httpd24-openssl-debuginfo, p-cpe:/a:redhat:enterprise_linux:jbcs-httpd24-openssl-devel, p-cpe:/a:redhat:enterprise_linux:jbcs-httpd24-openssl-libs, p-cpe:/a:redhat:enterprise_linux:jbcs-httpd24-openssl-perl, p-cpe:/a:redhat:enterprise_linux:jbcs-httpd24-openssl-static, cpe:/o:redhat:enterprise_linux:6

Required KB Items: Host/local_checks_enabled, Host/RedHat/release, Host/RedHat/rpm-list, Host/cpu

Patch Publication Date: 2018/7/12

Vulnerability Publication Date: 2016/9/16

Reference Information

CVE: CVE-2016-2182, CVE-2016-4975, CVE-2016-6302, CVE-2016-6306, CVE-2016-7055, CVE-2017-3731, CVE-2017-3732, CVE-2017-3736, CVE-2017-3737, CVE-2017-3738

RHSA: 2018:2186