RHEL 8:pki-core:10.6 和 pki-deps:10.6 (RHSA-2020: 1644)
critical Nessus Plugin ID 136041
語系:
概要
遠端 Red Hat 主機缺少一個或多個安全性更新。描述
遠端 Redhat Enterprise Linux 8 主機上安裝的套件受到 RHSA-2020: 1644 公告中提及的多個弱點影響。- jackson-databind:com.zaxxer.hikari.HikariConfig 中的序列化小工具 (CVE-2019-14540)
- jackson-databind:com.zaxxer.hikari.HikariDataSource 中的序列化小工具 (CVE-2019-16335)
- jackson-databind:org.apache.commons.dbcp.datasources 中的序列化小工具。* (CVE-2019-16942)
- jackson-databind:com.p6spy.engine.spy.P6DataSource 中的序列化小工具 (CVE-2019-16943)
- jackson-databind:org.apache.log4j.receivers.db 中的序列化小工具。* (CVE-2019-17531)
- jackson-databind:缺少某些 net.sf.ehcache 封鎖 (CVE-2019-20330)
- jackson-databind:未正確處理序列化小工具與類型之間的互動,可能導致遠端命令執行 (CVE-2020-10672、CVE-2020-10673)
- jackson-databind:缺少某個 xbean-reflect/JNDI 封鎖 (CVE-2020-8840)
- jackson-databind:shaded-hikari-config 中的序列化小工具 (CVE-2020-9546)
- jackson-databind:ibatis-sqlmap 中的序列化小工具 (CVE-2020-9547)
- jackson-databind:anteros-core 中的序列化小工具 (CVE-2020-9548)
請注意,Nessus 並未測試這些問題,而是僅依據應用程式自我報告的版本號碼作出判斷。
解決方案
更新受影響的套件。另請參閱
https://access.redhat.com/security/cve/CVE-2019-14540
https://access.redhat.com/security/cve/CVE-2019-16335
https://access.redhat.com/security/cve/CVE-2019-16942
https://access.redhat.com/security/cve/CVE-2019-16943
https://access.redhat.com/security/cve/CVE-2019-17531
https://access.redhat.com/security/cve/CVE-2019-20330
https://access.redhat.com/security/cve/CVE-2020-8840
https://access.redhat.com/security/cve/CVE-2020-9546
https://access.redhat.com/security/cve/CVE-2020-9547
https://access.redhat.com/security/cve/CVE-2020-9548
https://access.redhat.com/security/cve/CVE-2020-10672
https://access.redhat.com/security/cve/CVE-2020-10673
https://access.redhat.com/errata/RHSA-2020:1644
https://bugzilla.redhat.com/1755831
https://bugzilla.redhat.com/1755849
https://bugzilla.redhat.com/1758187
https://bugzilla.redhat.com/1758191
https://bugzilla.redhat.com/1775293
https://bugzilla.redhat.com/1793154
https://bugzilla.redhat.com/1815470
https://bugzilla.redhat.com/1815495
https://bugzilla.redhat.com/1816330
https://bugzilla.redhat.com/1816332
Plugin 詳細資訊
嚴重性: Critical
ID: 136041
檔案名稱: redhat-RHSA-2020-1644.nasl
版本: 1.10
類型: local
代理程式: unix
發布日期: 2020/4/28
更新日期: 2023/5/25
支援的感應器: Agentless Assessment, Frictionless Assessment Agent, Frictionless Assessment AWS, Frictionless Assessment Azure, Nessus Agent
風險資訊
VPR
風險因素: Medium
分數: 6.7
CVSS v2
風險因素: High
基本分數: 7.5
時間分數: 5.5
媒介: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P
時間媒介: CVSS2#E:U/RL:OF/RC:C
CVSS 評分資料來源: CVE-2019-17531
CVSS v3
風險因素: Critical
基本分數: 9.8
時間分數: 8.5
媒介: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
時間媒介: CVSS:3.0/E:U/RL:O/RC:C
CVSS 評分資料來源: CVE-2020-9548
弱點資訊
CPE: cpe:/o:redhat:rhel_e4s:8.4, cpe:/o:redhat:rhel_e4s:8.6, cpe:/o:redhat:rhel_eus:8.2, cpe:/o:redhat:rhel_eus:8.4, cpe:/o:redhat:rhel_eus:8.6, cpe:/o:redhat:rhel_tus:8.2, cpe:/o:redhat:rhel_tus:8.4, cpe:/o:redhat:rhel_tus:8.6, p-cpe:/a:redhat:enterprise_linux:apache-commons-collections, p-cpe:/a:redhat:enterprise_linux:apache-commons-lang, p-cpe:/a:redhat:enterprise_linux:bea-stax-api, p-cpe:/a:redhat:enterprise_linux:glassfish-fastinfoset, p-cpe:/a:redhat:enterprise_linux:glassfish-jaxb-api, p-cpe:/a:redhat:enterprise_linux:glassfish-jaxb-core, p-cpe:/a:redhat:enterprise_linux:glassfish-jaxb-runtime, p-cpe:/a:redhat:enterprise_linux:glassfish-jaxb-txw2, p-cpe:/a:redhat:enterprise_linux:jackson-annotations, cpe:/o:redhat:enterprise_linux:8, cpe:/o:redhat:rhel_aus:8.2, cpe:/o:redhat:rhel_aus:8.4, cpe:/o:redhat:rhel_aus:8.6, cpe:/o:redhat:rhel_e4s:8.2, p-cpe:/a:redhat:enterprise_linux:pki-servlet-engine, p-cpe:/a:redhat:enterprise_linux:pki-symkey, p-cpe:/a:redhat:enterprise_linux:pki-tools, p-cpe:/a:redhat:enterprise_linux:python-nss-doc, p-cpe:/a:redhat:enterprise_linux:python3-nss, p-cpe:/a:redhat:enterprise_linux:python3-pki, p-cpe:/a:redhat:enterprise_linux:jackson-core, p-cpe:/a:redhat:enterprise_linux:jackson-databind, p-cpe:/a:redhat:enterprise_linux:jackson-jaxrs-json-provider, p-cpe:/a:redhat:enterprise_linux:jackson-jaxrs-providers, p-cpe:/a:redhat:enterprise_linux:jackson-module-jaxb-annotations, p-cpe:/a:redhat:enterprise_linux:jakarta-commons-httpclient, p-cpe:/a:redhat:enterprise_linux:javassist, p-cpe:/a:redhat:enterprise_linux:javassist-javadoc, p-cpe:/a:redhat:enterprise_linux:jss, p-cpe:/a:redhat:enterprise_linux:jss-javadoc, p-cpe:/a:redhat:enterprise_linux:ldapjdk, p-cpe:/a:redhat:enterprise_linux:ldapjdk-javadoc, p-cpe:/a:redhat:enterprise_linux:pki-base, p-cpe:/a:redhat:enterprise_linux:pki-base-java, p-cpe:/a:redhat:enterprise_linux:pki-ca, p-cpe:/a:redhat:enterprise_linux:pki-kra, p-cpe:/a:redhat:enterprise_linux:pki-server, p-cpe:/a:redhat:enterprise_linux:pki-servlet-4.0-api, p-cpe:/a:redhat:enterprise_linux:relaxngdatatype, p-cpe:/a:redhat:enterprise_linux:resteasy, p-cpe:/a:redhat:enterprise_linux:slf4j, p-cpe:/a:redhat:enterprise_linux:slf4j-jdk14, p-cpe:/a:redhat:enterprise_linux:stax-ex, p-cpe:/a:redhat:enterprise_linux:tomcatjss, p-cpe:/a:redhat:enterprise_linux:velocity, p-cpe:/a:redhat:enterprise_linux:xalan-j2, p-cpe:/a:redhat:enterprise_linux:xerces-j2, p-cpe:/a:redhat:enterprise_linux:xml-commons-apis, p-cpe:/a:redhat:enterprise_linux:xml-commons-resolver, p-cpe:/a:redhat:enterprise_linux:xmlstreambuffer, p-cpe:/a:redhat:enterprise_linux:xsom
必要的 KB 項目: Host/local_checks_enabled, Host/RedHat/release, Host/RedHat/rpm-list, Host/cpu
可被惡意程式利用: true
可輕鬆利用: Exploits are available
修補程式發佈日期: 2020/4/28
弱點發布日期: 2019/9/15
參考資訊
CVE: CVE-2019-14540, CVE-2019-16335, CVE-2019-16942, CVE-2019-16943, CVE-2019-17531, CVE-2019-20330, CVE-2020-10672, CVE-2020-10673, CVE-2020-8840, CVE-2020-9546, CVE-2020-9547, CVE-2020-9548