According to the versions of the bind packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities :

  - BIND 9.11.0 -> 9.11.36 9.12.0 -> 9.16.26 9.17.0 -> 9.18.0 BIND Supported Preview Editions: 9.11.4-S1 ->     9.11.36-S1 9.16.8-S1 -> 9.16.26-S1 Versions of BIND 9 earlier than those shown - back to 9.1.0, including     Supported Preview Editions - are also believed to be affected but have not been tested as they are EOL.
    The cache could become poisoned with incorrect records leading to queries being made to the wrong servers,     which might also result in false information being returned to clients. (CVE-2021-25220)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

An update of the bindutils package has been released.

According to the versions of the dhcp package installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - In BIND 9.0.0 -> 9.11.29, 9.12.0 -> 9.16.13, and versions BIND 9.9.3-S1 -> 9.11.29-S1 and 9.16.8-S1 ->     9.16.13-S1 of BIND Supported Preview Edition, as well as release versions 9.17.0 -> 9.17.11 of the BIND     9.17 development branch, when a vulnerable version of named receives a query for a record triggering the     flaw described above, the named process will terminate due to a failed assertion check. The vulnerability     affects all currently maintained BIND 9 branches (9.11, 9.11-S, 9.16, 9.16-S, 9.17) as well as all other     versions of BIND 9. (CVE-2021-25215)

  - In BIND 9.3.0 -> 9.11.35, 9.12.0 -> 9.16.21, and versions 9.9.3-S1 -> 9.11.35-S1 and 9.16.8-S1 ->     9.16.21-S1 of BIND Supported Preview Edition, as well as release versions 9.17.0 -> 9.17.18 of the BIND     9.17 development branch, exploitation of broken authoritative servers using a flaw in response processing     can cause degradation in BIND resolver performance. The way the lame cache is currently designed makes it     possible for its internal data structures to grow almost infinitely, which may cause significant delays in     client query processing. (CVE-2021-25219)

  - BIND 9.11.0 -> 9.11.36 9.12.0 -> 9.16.26 9.17.0 -> 9.18.0 BIND Supported Preview Editions: 9.11.4-S1 ->     9.11.36-S1 9.16.8-S1 -> 9.16.26-S1 Versions of BIND 9 earlier than those shown - back to 9.1.0, including     Supported Preview Editions - are also believed to be affected but have not been tested as they are EOL.
    The cache could become poisoned with incorrect records leading to queries being made to the wrong servers,     which might also result in false information being returned to clients. (CVE-2021-25220)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the dhcp package installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities :

  - In BIND 9.8.5 -> 9.8.8, 9.9.3 -> 9.11.29, 9.12.0 -> 9.16.13, and versions BIND 9.9.3-S1 -> 9.11.29-S1 and     9.16.8-S1 -> 9.16.13-S1 of BIND 9 Supported Preview Edition, as well as release versions 9.17.0 -> 9.17.11     of the BIND 9.17 development branch, when a vulnerable version of named receives a malformed IXFR     triggering the flaw described above, the named process will terminate due to a failed assertion the next     time the transferred secondary zone is refreshed. (CVE-2021-25214)

  - In BIND 9.0.0 -> 9.11.29, 9.12.0 -> 9.16.13, and versions BIND 9.9.3-S1 -> 9.11.29-S1 and 9.16.8-S1 ->     9.16.13-S1 of BIND Supported Preview Edition, as well as release versions 9.17.0 -> 9.17.11 of the BIND     9.17 development branch, when a vulnerable version of named receives a query for a record triggering the     flaw described above, the named process will terminate due to a failed assertion check. The vulnerability     affects all currently maintained BIND 9 branches (9.11, 9.11-S, 9.16, 9.16-S, 9.17) as well as all other     versions of BIND 9. (CVE-2021-25215)

  - In BIND 9.3.0 -> 9.11.35, 9.12.0 -> 9.16.21, and versions 9.9.3-S1 -> 9.11.35-S1 and 9.16.8-S1 ->     9.16.21-S1 of BIND Supported Preview Edition, as well as release versions 9.17.0 -> 9.17.18 of the BIND     9.17 development branch, exploitation of broken authoritative servers using a flaw in response processing     can cause degradation in BIND resolver performance. The way the lame cache is currently designed makes it     possible for its internal data structures to grow almost infinitely, which may cause significant delays in     client query processing. (CVE-2021-25219)

  - BIND 9.11.0 -> 9.11.36 9.12.0 -> 9.16.26 9.17.0 -> 9.18.0 BIND Supported Preview Editions: 9.11.4-S1 ->     9.11.36-S1 9.16.8-S1 -> 9.16.26-S1 Versions of BIND 9 earlier than those shown - back to 9.1.0, including     Supported Preview Editions - are also believed to be affected but have not been tested as they are EOL.
    The cache could become poisoned with incorrect records leading to queries being made to the wrong servers,     which might also result in false information being returned to clients. (CVE-2021-25220)

  - In ISC DHCP 4.4.0 -> 4.4.3, ISC DHCP 4.1-ESV-R1 -> 4.1-ESV-R16-P1, when the function     option_code_hash_lookup() is called from add_option(), it increases the option's refcount field. However,     there is not a corresponding call to option_dereference() to decrement the refcount field. The function     add_option() is only used in server responses to lease query packets. Each lease query response calls this     function for several options, so eventually, the reference counters could overflow and cause the server to     abort. (CVE-2022-2928)

  - In ISC DHCP 1.0 -> 4.4.3, ISC DHCP 4.1-ESV-R1 -> 4.1-ESV-R16-P1 a system with access to a DHCP server,     sending DHCP packets crafted to include fqdn labels longer than 63 bytes, could eventually cause the     server to run out of memory. (CVE-2022-2929)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the dhcp package installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities :

  - In BIND 9.0.0 -> 9.11.29, 9.12.0 -> 9.16.13, and versions BIND 9.9.3-S1 -> 9.11.29-S1 and 9.16.8-S1 ->     9.16.13-S1 of BIND Supported Preview Edition, as well as release versions 9.17.0 -> 9.17.11 of the BIND     9.17 development branch, when a vulnerable version of named receives a query for a record triggering the     flaw described above, the named process will terminate due to a failed assertion check. The vulnerability     affects all currently maintained BIND 9 branches (9.11, 9.11-S, 9.16, 9.16-S, 9.17) as well as all other     versions of BIND 9. (CVE-2021-25215)

  - In BIND 9.3.0 -> 9.11.35, 9.12.0 -> 9.16.21, and versions 9.9.3-S1 -> 9.11.35-S1 and 9.16.8-S1 ->     9.16.21-S1 of BIND Supported Preview Edition, as well as release versions 9.17.0 -> 9.17.18 of the BIND     9.17 development branch, exploitation of broken authoritative servers using a flaw in response processing     can cause degradation in BIND resolver performance. The way the lame cache is currently designed makes it     possible for its internal data structures to grow almost infinitely, which may cause significant delays in     client query processing. (CVE-2021-25219)

  - BIND 9.11.0 -> 9.11.36 9.12.0 -> 9.16.26 9.17.0 -> 9.18.0 BIND Supported Preview Editions: 9.11.4-S1 ->     9.11.36-S1 9.16.8-S1 -> 9.16.26-S1 Versions of BIND 9 earlier than those shown - back to 9.1.0, including     Supported Preview Editions - are also believed to be affected but have not been tested as they are EOL.
    The cache could become poisoned with incorrect records leading to queries being made to the wrong servers,     which might also result in false information being returned to clients. (CVE-2021-25220)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-25220 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-25220 ISC BIND could allow a remote attacker to bypass security restrictions, caused by an error when using DNS forwarders. An attacker could exploit this vulnerability to poison the cache with incorrect records leading to queries being made to the wrong servers, which might also result in false information being returned to clients.

According to the versions of the dhcp package installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities :

  - In BIND 9.8.5 -> 9.8.8, 9.9.3 -> 9.11.29, 9.12.0 -> 9.16.13, and versions BIND 9.9.3-S1 -> 9.11.29-S1 and     9.16.8-S1 -> 9.16.13-S1 of BIND 9 Supported Preview Edition, as well as release versions 9.17.0 -> 9.17.11     of the BIND 9.17 development branch, when a vulnerable version of named receives a malformed IXFR     triggering the flaw described above, the named process will terminate due to a failed assertion the next     time the transferred secondary zone is refreshed. (CVE-2021-25214)

  - In BIND 9.0.0 -> 9.11.29, 9.12.0 -> 9.16.13, and versions BIND 9.9.3-S1 -> 9.11.29-S1 and 9.16.8-S1 ->     9.16.13-S1 of BIND Supported Preview Edition, as well as release versions 9.17.0 -> 9.17.11 of the BIND     9.17 development branch, when a vulnerable version of named receives a query for a record triggering the     flaw described above, the named process will terminate due to a failed assertion check. The vulnerability     affects all currently maintained BIND 9 branches (9.11, 9.11-S, 9.16, 9.16-S, 9.17) as well as all other     versions of BIND 9. (CVE-2021-25215)

  - In BIND 9.3.0 -> 9.11.35, 9.12.0 -> 9.16.21, and versions 9.9.3-S1 -> 9.11.35-S1 and 9.16.8-S1 ->     9.16.21-S1 of BIND Supported Preview Edition, as well as release versions 9.17.0 -> 9.17.18 of the BIND     9.17 development branch, exploitation of broken authoritative servers using a flaw in response processing     can cause degradation in BIND resolver performance. The way the lame cache is currently designed makes it     possible for its internal data structures to grow almost infinitely, which may cause significant delays in     client query processing. (CVE-2021-25219)

  - BIND 9.11.0 -> 9.11.36 9.12.0 -> 9.16.26 9.17.0 -> 9.18.0 BIND Supported Preview Editions: 9.11.4-S1 ->     9.11.36-S1 9.16.8-S1 -> 9.16.26-S1 Versions of BIND 9 earlier than those shown - back to 9.1.0, including     Supported Preview Editions - are also believed to be affected but have not been tested as they are EOL.
    The cache could become poisoned with incorrect records leading to queries being made to the wrong servers,     which might also result in false information being returned to clients. (CVE-2021-25220)

  - By flooding the target resolver with queries exploiting this flaw an attacker can significantly impair the     resolver's performance, effectively denying legitimate clients access to the DNS resolution service.
    (CVE-2022-2795)

  - In ISC DHCP 4.4.0 -> 4.4.3, ISC DHCP 4.1-ESV-R1 -> 4.1-ESV-R16-P1, when the function     option_code_hash_lookup() is called from add_option(), it increases the option's refcount field. However,     there is not a corresponding call to option_dereference() to decrement the refcount field. The function     add_option() is only used in server responses to lease query packets. Each lease query response calls this     function for several options, so eventually, the reference counters could overflow and cause the server to     abort. (CVE-2022-2928)

  - In ISC DHCP 1.0 -> 4.4.3, ISC DHCP 4.1-ESV-R1 -> 4.1-ESV-R16-P1 a system with access to a DHCP server,     sending DHCP packets crafted to include fqdn labels longer than 63 bytes, could eventually cause the     server to run out of memory. (CVE-2022-2929)

  - By spoofing the target resolver with responses that have a malformed ECDSA signature, an attacker can     trigger a small memory leak. It is possible to gradually erode available memory to the point where named     crashes for lack of resources. (CVE-2022-38177)

  - By spoofing the target resolver with responses that have a malformed EdDSA signature, an attacker can     trigger a small memory leak. It is possible to gradually erode available memory to the point where named     crashes for lack of resources. (CVE-2022-38178)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote Rocky Linux 9 host has packages installed that are affected by a vulnerability as referenced in the RLSA-2022:8385 advisory.

  - BIND 9.11.0 -> 9.11.36 9.12.0 -> 9.16.26 9.17.0 -> 9.18.0 BIND Supported Preview Editions: 9.11.4-S1 ->     9.11.36-S1 9.16.8-S1 -> 9.16.26-S1 Versions of BIND 9 earlier than those shown - back to 9.1.0, including     Supported Preview Editions - are also believed to be affected but have not been tested as they are EOL.
    The cache could become poisoned with incorrect records leading to queries being made to the wrong servers,     which might also result in false information being returned to clients. (CVE-2021-25220)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2022-2022-166 advisory.

    A cache poisoning vulnerability was found in BIND when using forwarders. Bogus NS records supplied by the     forwarders may be cached and used by name if it needs to recurse for any reason. This issue causes it to     obtain and pass on potentially incorrect answers. This flaw allows a remote attacker to manipulate cache     results with incorrect records, leading to queries made to the wrong servers, possibly resulting in false     information received on the client's end. (CVE-2021-25220)

    A flaw was found in Bind that incorrectly handles certain crafted TCP streams. The vulnerability allows     TCP connection slots to be consumed for an indefinite time frame via a specifically crafted TCP stream     sent from a client. This flaw allows a remote attacker to send specially crafted TCP streams with keep-     response-order enabled that could cause connections to BIND to remain in CLOSE_WAIT status for an     indefinite period, even after the client has terminated the connection. This issue results in BIND     consuming resources, leading to a denial of service. (CVE-2022-0396)

Tenable has extracted the preceding description block directly from the tested product security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2022:7643 advisory.

    The Berkeley Internet Name Domain (BIND) is an implementation of the Domain Name System (DNS) protocols.
    BIND includes a DNS server (named); a resolver library (routines for applications to use when interfacing     with DNS); and tools for verifying that the DNS server is operating correctly.

    Security Fix(es):

    * bind: DNS forwarders - cache poisoning vulnerability (CVE-2021-25220)

    * bind: DoS from specifically crafted TCP packets (CVE-2022-0396)

    For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and     other related information, refer to the CVE page(s) listed in the References section.

    Additional Changes:

    For detailed information on changes in this release, see the Red Hat Enterprise Linux 8.7 Release Notes     linked from the References section.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote host is affected by the vulnerability described in GLSA-202210-25 (ISC BIND: Multiple Vulnerabilities)

  - In BIND 9.3.0 -> 9.11.35, 9.12.0 -> 9.16.21, and versions 9.9.3-S1 -> 9.11.35-S1 and 9.16.8-S1 ->     9.16.21-S1 of BIND Supported Preview Edition, as well as release versions 9.17.0 -> 9.17.18 of the BIND     9.17 development branch, exploitation of broken authoritative servers using a flaw in response processing     can cause degradation in BIND resolver performance. The way the lame cache is currently designed makes it     possible for its internal data structures to grow almost infinitely, which may cause significant delays in     client query processing. (CVE-2021-25219)

  - BIND 9.11.0 -> 9.11.36 9.12.0 -> 9.16.26 9.17.0 -> 9.18.0 BIND Supported Preview Editions: 9.11.4-S1 ->     9.11.36-S1 9.16.8-S1 -> 9.16.26-S1 Versions of BIND 9 earlier than those shown - back to 9.1.0, including     Supported Preview Editions - are also believed to be affected but have not been tested as they are EOL.
    The cache could become poisoned with incorrect records leading to queries being made to the wrong servers,     which might also result in false information being returned to clients. (CVE-2021-25220)

  - BIND 9.16.11 -> 9.16.26, 9.17.0 -> 9.18.0 and versions 9.16.11-S1 -> 9.16.26-S1 of the BIND Supported     Preview Edition. Specifically crafted TCP streams can cause connections to BIND to remain in CLOSE_WAIT     status for an indefinite period of time, even after the client has terminated the connection.
    (CVE-2022-0396)

  - By flooding the target resolver with queries exploiting this flaw an attacker can significantly impair the     resolver's performance, effectively denying legitimate clients access to the DNS resolution service.
    (CVE-2022-2795)

  - The underlying bug might cause read past end of the buffer and either read memory it should not read, or     crash the process. (CVE-2022-2881)

  - An attacker can leverage this flaw to gradually erode available memory to the point where named crashes     for lack of resources. Upon restart the attacker would have to begin again, but nevertheless there is the     potential to deny service. (CVE-2022-2906)

  - By sending specific queries to the resolver, an attacker can cause named to crash. (CVE-2022-3080)

  - By spoofing the target resolver with responses that have a malformed ECDSA signature, an attacker can     trigger a small memory leak. It is possible to gradually erode available memory to the point where named     crashes for lack of resources. (CVE-2022-38177)

  - By spoofing the target resolver with responses that have a malformed EdDSA signature, an attacker can     trigger a small memory leak. It is possible to gradually erode available memory to the point where named     crashes for lack of resources. (CVE-2022-38178)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote CentOS Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2023:0402 advisory.

  - BIND 9.11.0 -> 9.11.36 9.12.0 -> 9.16.26 9.17.0 -> 9.18.0 BIND Supported Preview Editions: 9.11.4-S1 ->     9.11.36-S1 9.16.8-S1 -> 9.16.26-S1 Versions of BIND 9 earlier than those shown - back to 9.1.0, including     Supported Preview Editions - are also believed to be affected but have not been tested as they are EOL.
    The cache could become poisoned with incorrect records leading to queries being made to the wrong servers,     which might also result in false information being returned to clients. (CVE-2021-25220)

  - By flooding the target resolver with queries exploiting this flaw an attacker can significantly impair the     resolver's performance, effectively denying legitimate clients access to the DNS resolution service.
    (CVE-2022-2795)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of AHV installed on the remote host is prior to 20220304.10055. It is, therefore, affected by multiple vulnerabilities as referenced in the NXSA-AHV-20220304.10055 advisory.

  - BIND 9.11.0 -> 9.11.36 9.12.0 -> 9.16.26 9.17.0 -> 9.18.0 BIND Supported Preview Editions: 9.11.4-S1 ->     9.11.36-S1 9.16.8-S1 -> 9.16.26-S1 Versions of BIND 9 earlier than those shown - back to 9.1.0, including     Supported Preview Editions - are also believed to be affected but have not been tested as they are EOL.
    The cache could become poisoned with incorrect records leading to queries being made to the wrong servers,     which might also result in false information being returned to clients. (CVE-2021-25220)

  - PAC parsing in MIT Kerberos 5 (aka krb5) before 1.19.4 and 1.20.x before 1.20.1 has integer overflows that     may lead to remote code execution (in KDC, kadmind, or a GSS or Kerberos application server) on 32-bit     platforms (which have a resultant heap-based buffer overflow), and cause a denial of service on other     platforms. This occurs in krb5_pac_parse in lib/krb5/krb/pac.c. Heimdal before 7.7.1 has a similar bug.
    (CVE-2022-42898)

  - In Sudo before 1.9.12p2, the sudoedit (aka -e) feature mishandles extra arguments passed in the user-     provided environment variables (SUDO_EDITOR, VISUAL, and EDITOR), allowing a local attacker to append     arbitrary entries to the list of files to process. This can lead to privilege escalation. Affected     versions are 1.8.0 through 1.9.12.p1. The problem exists because a user-specified editor may contain a
    -- argument that defeats a protection mechanism, e.g., an EDITOR='vim -- /path/to/extra/file' value.
    (CVE-2023-22809)

  - By flooding the target resolver with queries exploiting this flaw an attacker can significantly impair the     resolver's performance, effectively denying legitimate clients access to the DNS resolution service.
    (CVE-2022-2795)

  - multipath-tools 0.7.0 through 0.9.x before 0.9.2 allows local users to obtain root access, as exploited     alone or in conjunction with CVE-2022-41973. Local users able to write to UNIX domain sockets can bypass     access controls and manipulate the multipath setup. This can lead to local privilege escalation to root.
    This occurs because an attacker can repeat a keyword, which is mishandled because arithmetic ADD is used     instead of bitwise OR. (CVE-2022-41974)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of AOS installed on the remote host is prior to 6.5.3. It is, therefore, affected by multiple vulnerabilities as referenced in the NXSA-AOS-6.5.3 advisory.

  - net/netfilter/nf_tables_api.c in the Linux kernel through 5.18.1 allows a local user (able to create     user/net namespaces) to escalate privileges to root because an incorrect NFT_STATEFUL_EXPR check leads to     a use-after-free. (CVE-2022-32250)

  - zlib through 1.2.12 has a heap-based buffer over-read or buffer overflow in inflate in inflate.c via a     large gzip header extra field. NOTE: only applications that call inflateGetHeader are affected. Some     common applications bundle the affected zlib source code but may be unable to call inflateGetHeader (e.g.,     see the nodejs/node reference). (CVE-2022-37434)

  - mm/rmap.c in the Linux kernel before 5.19.7 has a use-after-free related to leaf anon_vma double reuse.
    (CVE-2022-42703)

  - A stack overflow flaw was found in the Linux kernel's SYSCTL subsystem in how a user changes certain     kernel parameters and variables. This flaw allows a local user to crash or potentially escalate their     privileges on the system. (CVE-2022-4378)

  - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE     (component: Serialization). Supported versions that are affected are Oracle Java SE: 8u351, 8u351-perf;
    Oracle GraalVM Enterprise Edition: 20.3.8 and 21.3.4. Easily exploitable vulnerability allows     unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle     GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update,     insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data.
    Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web     Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from     the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java     deployments, typically in servers, that load and run only trusted code (e.g., code installed by an     administrator). (CVE-2023-21830)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of AOS installed on the remote host is prior to 6.6.2. It is, therefore, affected by multiple vulnerabilities as referenced in the NXSA-AOS-6.6.2 advisory.

  - Mis-trained branch predictions for return instructions may allow arbitrary speculative code execution     under certain microarchitecture-dependent conditions. (CVE-2022-29900)

  - Intel microprocessor generations 6 to 8 are affected by a new Spectre variant that is able to bypass their     retpoline mitigation in the kernel to leak arbitrary data. An attacker with unprivileged user access can     hijack return instructions to achieve arbitrary speculative code execution under certain     microarchitecture-dependent conditions. (CVE-2022-29901)

  - An out-of-bounds memory read flaw was found in the Linux kernel's BPF subsystem in how a user calls the     bpf_tail_call function with a key larger than the max_entries of the map. This flaw allows a local user to     gain unauthorized access to data. (CVE-2022-2905)

  - In the Linux kernel before 5.17.3, fs/io_uring.c has a use-after-free due to a race condition in io_uring     timeouts. This can be triggered by a local user who has no access to any user namespace; however, the race     condition perhaps can only be exploited infrequently. (CVE-2022-29582)

  - An unprivileged write to the file handler flaw in the Linux kernel's control groups and namespaces     subsystem was found in the way users have access to some less privileged process that are controlled by     cgroups and have higher privileged parent process. It is actually both for cgroup2 and cgroup1 versions of     control groups. A local user could use this flaw to crash the system or escalate their privileges on the     system. (CVE-2021-4197)

  - PAC parsing in MIT Kerberos 5 (aka krb5) before 1.19.4 and 1.20.x before 1.20.1 has integer overflows that     may lead to remote code execution (in KDC, kadmind, or a GSS or Kerberos application server) on 32-bit     platforms (which have a resultant heap-based buffer overflow), and cause a denial of service on other     platforms. This occurs in krb5_pac_parse in lib/krb5/krb/pac.c. Heimdal before 7.7.1 has a similar bug.
    (CVE-2022-42898)

  - A flaw was found in the Linux kernel's KVM when attempting to set a SynIC IRQ. This issue makes it     possible for a misbehaving VMM to write to SYNIC/STIMER MSRs, causing a NULL pointer dereference. This     flaw allows an unprivileged local attacker on the host to issue specific ioctl calls, causing a kernel     oops condition that results in a denial of service. (CVE-2022-2153)

  - The JsonErrorReportValve in Apache Tomcat 8.5.83, 9.0.40 to 9.0.68 and 10.1.0-M1 to 10.1.1 did not escape     the type, message or description values. In some circumstances these are constructed from user provided     data and it was therefore possible for users to supply values that invalidated or manipulated the JSON     output. (CVE-2022-45143)

  - libexpat before 2.4.9 has a use-after-free in the doContent function in xmlparse.c. (CVE-2022-40674)

  - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE     (component: Serialization). Supported versions that are affected are Oracle Java SE: 8u351, 8u351-perf;
    Oracle GraalVM Enterprise Edition: 20.3.8 and 21.3.4. Easily exploitable vulnerability allows     unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle     GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update,     insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data.
    Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web     Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from     the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java     deployments, typically in servers, that load and run only trusted code (e.g., code installed by an     administrator). (CVE-2023-21830)

  - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE     (component: Sound). Supported versions that are affected are Oracle Java SE: 8u351, 8u351-perf, 11.0.17,     17.0.5, 19.0.1; Oracle GraalVM Enterprise Edition: 20.3.8, 21.3.4 and 22.3.0. Difficult to exploit     vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise     Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in     unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition     accessible data. Note: This vulnerability applies to Java deployments, typically in clients running     sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g.,     code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not     apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed     by an administrator). (CVE-2023-21843)

  - multipath-tools 0.7.0 through 0.9.x before 0.9.2 allows local users to obtain root access, as exploited     alone or in conjunction with CVE-2022-41973. Local users able to write to UNIX domain sockets can bypass     access controls and manipulate the multipath setup. This can lead to local privilege escalation to root.
    This occurs because an attacker can repeat a keyword, which is mishandled because arithmetic ADD is used     instead of bitwise OR. (CVE-2022-41974)

  - A flaw was found in KVM. When updating a guest's page table entry, vm_pgoff was improperly used as the     offset to get the page's pfn. As vaddr and vm_pgoff are controllable by user-mode processes, this flaw     allows unprivileged local users on the host to write outside the userspace region and potentially corrupt     the kernel, resulting in a denial of service condition. (CVE-2022-1158)

  - The Linux kernel before 5.17.2 mishandles seccomp permissions. The PTRACE_SEIZE code path allows attackers     to bypass intended restrictions on setting the PT_SUSPEND_SECCOMP flag. (CVE-2022-30594)

  - A kernel information leak flaw was identified in the scsi_ioctl function in drivers/scsi/scsi_ioctl.c in     the Linux kernel. This flaw allows a local attacker with a special user privilege (CAP_SYS_ADMIN or     CAP_SYS_RAWIO) to create issues with confidentiality. (CVE-2022-0494)

  - With shadow paging enabled, the INVPCID instruction results in a call to kvm_mmu_invpcid_gva. If INVPCID     is executed with CR0.PG=0, the invlpg callback is not set and the result is a NULL pointer dereference.
    (CVE-2022-1789)

  - A use-after-free flaw was found in fs/ext4/namei.c:dx_insert_block() in the Linux kernel's filesystem sub-     component. This flaw allows a local attacker with a user privilege to cause a denial of service.
    (CVE-2022-1184)

  - An issue was discovered in the Linux kernel through 5.18.14. xfrm_expand_policies in     net/xfrm/xfrm_policy.c can cause a refcount to be dropped twice. (CVE-2022-36879)

  - nfqnl_mangle in net/netfilter/nfnetlink_queue.c in the Linux kernel through 5.18.14 allows remote     attackers to cause a denial of service (panic) because, in the case of an nf_queue verdict with a one-byte     nfta_payload attribute, an skb_pull can encounter a negative skb->len. (CVE-2022-36946)

  - Non-transparent sharing of return predictor targets between contexts in some Intel(R) Processors may allow     an authorized user to potentially enable information disclosure via local access. (CVE-2022-26373)

  - It was discovered that when exec'ing from a non-leader thread, armed POSIX CPU timers would be left on a     list but freed, leading to a use-after-free. (CVE-2022-2585)

  - mm/rmap.c in the Linux kernel before 5.19.7 has a use-after-free related to leaf anon_vma double reuse.
    (CVE-2022-42703)

  - An issue was found in the Linux kernel in nf_conntrack_irc where the message handling can be confused and     incorrectly matches the message. A firewall may be able to be bypassed when users are using unencrypted     IRC with nf_conntrack_irc configured. (CVE-2022-2663)

  - It was discovered that the cls_route filter implementation in the Linux kernel would not remove an old     filter from the hashtable before freeing it if its handle had the value 0. (CVE-2022-2588)

  - A race condition was found the Linux kernel in perf_event_open() which can be exploited by an unprivileged     user to gain root privileges. The bug allows to build several exploit primitives such as kernel address     information leak, arbitrary execution, etc. (CVE-2022-1729)

  - A use-after-free flaw was found in the Linux kernel's FUSE filesystem in the way a user triggers write().
    This flaw allows a local user to gain unauthorized access to data from the FUSE filesystem, resulting in     privilege escalation. (CVE-2022-1011)

  - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE     (component: Security). Supported versions that are affected are Oracle Java SE: 8u341, 8u345-perf,     11.0.16.1, 17.0.4.1, 19; Oracle GraalVM Enterprise Edition: 20.3.7, 21.3.3 and 22.2.0. Difficult to     exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to     compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can     result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM     Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in     clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run     untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This     vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service     which supplies data to the APIs. (CVE-2022-21619)

  - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE     (component: JNDI). Supported versions that are affected are Oracle Java SE: 8u341, 8u345-perf, 11.0.16.1,     17.0.4.1, 19; Oracle GraalVM Enterprise Edition: 20.3.7, 21.3.3 and 22.2.0. Difficult to exploit     vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise     Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in     unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition     accessible data. Note: This vulnerability applies to Java deployments, typically in clients running     sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g.,     code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also     be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to     the APIs. (CVE-2022-21624)

  - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE     (component: Security). Supported versions that are affected are Oracle Java SE: 8u341, 8u345-perf,     11.0.16.1; Oracle GraalVM Enterprise Edition: 20.3.7, 21.3.3 and 22.2.0. Easily exploitable vulnerability     allows unauthenticated attacker with network access via HTTPS to compromise Oracle Java SE, Oracle GraalVM     Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a     partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This     vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start     applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the     internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using     APIs in the specified Component, e.g., through a web service which supplies data to the APIs.
    (CVE-2022-21626)

  - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE     (component: Lightweight HTTP Server). Supported versions that are affected are Oracle Java SE: 8u341,     8u345-perf, 11.0.16.1, 17.0.4.1, 19; Oracle GraalVM Enterprise Edition: 20.3.7, 21.3.3 and 22.2.0. Easily     exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise     Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in     unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM     Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running     sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g.,     code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not     apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed     by an administrator). (CVE-2022-21628)

  - In Sudo before 1.9.12p2, the sudoedit (aka -e) feature mishandles extra arguments passed in the user-     provided environment variables (SUDO_EDITOR, VISUAL, and EDITOR), allowing a local attacker to append     arbitrary entries to the list of files to process. This can lead to privilege escalation. Affected     versions are 1.8.0 through 1.9.12.p1. The problem exists because a user-specified editor may contain a
    -- argument that defeats a protection mechanism, e.g., an EDITOR='vim -- /path/to/extra/file' value.
    (CVE-2023-22809)

  - When sending malicous data to kernel by ioctl cmd FBIOPUT_VSCREENINFO,kernel will write memory out of     bounds. (CVE-2021-33655)

  - The Linux kernel before 5.18.13 lacks a certain clear operation for the block starting symbol (.bss). This     allows Xen PV guest OS users to cause a denial of service or gain privileges. (CVE-2022-36123)

  - Incomplete cleanup of microarchitectural fill buffers on some Intel(R) Processors may allow an     authenticated user to potentially enable information disclosure via local access. (CVE-2022-21125)

  - A use-after-free flaw was found in the Linux kernel's io_uring subsystem in the way a user sets up a ring     with IORING_SETUP_IOPOLL with more than one task completing submissions on this ring. This flaw allows a     local user to crash or escalate their privileges on the system. (CVE-2022-1786)

  - A memory leak problem was found in the TCP source port generation algorithm in net/ipv4/tcp.c due to the     small table perturb size. This flaw may allow an attacker to information leak and may cause a denial of     service problem. (CVE-2022-1012)

  - The SUNRPC subsystem in the Linux kernel through 5.17.2 can call xs_xprt_free before ensuring that sockets     are in the intended state. (CVE-2022-28893)

  - An out-of-bounds read flaw was found in the Linux kernel's TeleTYpe subsystem. The issue occurs in how a     user triggers a race condition using ioctls TIOCSPTLCK and TIOCGPTPEER and TIOCSTI and TCXONC with leakage     of memory in the flush_to_ldisc function. This flaw allows a local user to crash the system or read     unauthorized random data from memory. (CVE-2022-1462)

  - BIND 9.11.0 -> 9.11.36 9.12.0 -> 9.16.26 9.17.0 -> 9.18.0 BIND Supported Preview Editions: 9.11.4-S1 ->     9.11.36-S1 9.16.8-S1 -> 9.16.26-S1 Versions of BIND 9 earlier than those shown - back to 9.1.0, including     Supported Preview Editions - are also believed to be affected but have not been tested as they are EOL.
    The cache could become poisoned with incorrect records leading to queries being made to the wrong servers,     which might also result in false information being returned to clients. (CVE-2021-25220)

  - By flooding the target resolver with queries exploiting this flaw an attacker can significantly impair the     resolver's performance, effectively denying legitimate clients access to the DNS resolution service.
    (CVE-2022-2795)

  - A vulnerability was found in the fs/inode.c:inode_init_owner() function logic of the LInux kernel that     allows local users to create files for the XFS file-system with an unintended group ownership and with     group execution and SGID permission bits set, in a scenario where a directory is SGID and belongs to a     certain group and is writable by a user who is not a member of this group. This can lead to excessive     permissions granted in case when they should not. This vulnerability is similar to the previous     CVE-2018-13405 and adds the missed fix for the XFS. (CVE-2021-4037)

  - Improper Update of Reference Count vulnerability in net/sched of Linux Kernel allows local attacker to     cause privilege escalation to root. This issue affects: Linux Kernel versions prior to 5.18; version 4.14     and later versions. (CVE-2022-29581)

  - mm/mremap.c in the Linux kernel before 5.13.3 has a use-after-free via a stale TLB because an rmap lock is     not held during a PUD move. (CVE-2022-41222)

  - A flaw was found in the Linux kernel. The existing KVM SEV API has a vulnerability that allows a non-root     (host) user-level application to crash the host kernel by creating a confidential guest VM instance in AMD     CPU that supports Secure Encrypted Virtualization (SEV). (CVE-2022-0171)

  - In bdi_put and bdi_unregister of backing-dev.c, there is a possible memory corruption due to a use after     free. This could lead to local escalation of privilege with System execution privileges needed. User     interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID:
    A-182815710References: Upstream kernel (CVE-2022-20158)

  - Product: AndroidVersions: Android kernelAndroid ID: A-224546354References: Upstream kernel     (CVE-2022-20368)

  - By spoofing the target resolver with responses that have a malformed ECDSA signature, an attacker can     trigger a small memory leak. It is possible to gradually erode available memory to the point where named     crashes for lack of resources. (CVE-2022-38177)

  - By spoofing the target resolver with responses that have a malformed EdDSA signature, an attacker can     trigger a small memory leak. It is possible to gradually erode available memory to the point where named     crashes for lack of resources. (CVE-2022-38178)

  - When setting font with malicous data by ioctl cmd PIO_FONT,kernel will write memory out of bounds.
    (CVE-2021-33656)

  - A flaw was found in hw. Mis-trained branch predictions for return instructions may allow arbitrary     speculative code execution under certain microarchitecture-dependent conditions. (CVE-2022-28693)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2024:2720 advisory.

    The Berkeley Internet Name Domain (BIND) is an implementation of the Domain Name System (DNS) protocols.
    BIND includes a DNS server (named); a resolver library (routines for applications to use when interfacing     with DNS); and tools for verifying that the DNS server is operating correctly.

    The Dynamic Host Configuration Protocol (DHCP) is a protocol that allows individual devices on an IP     network to get their own network configuration information, including an IP address, a subnet mask, and a     broadcast address. The dhcp packages provide a relay agent and ISC DHCP service required to enable and     administer DHCP on a network.

    Security Fix(es):

    * bind: KeyTrap - Extreme CPU consumption in DNSSEC validator (CVE-2023-50387)

    * bind: Preparing an NSEC3 closest encloser proof can exhaust CPU resources (CVE-2023-50868)

    * bind: Parsing large DNS messages may cause excessive CPU load (CVE-2023-4408)

    * bind: flooding with UPDATE requests may lead to DoS (CVE-2022-3094)

    * bind: processing large delegations may severely degrade resolver performance (CVE-2022-2795)

    * bind: DNS forwarders - cache poisoning vulnerability (CVE-2021-25220)

    For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and     other related information, refer to the CVE page(s) listed in the References section.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

BIND 9.11.0 -> 9.11.36 9.12.0 -> 9.16.26 9.17.0 -> 9.18.0 BIND Supported Preview Editions: 9.11.4-S1 -> 9.11.36-S1 9.16.8-S1 -> 9.16.26-S1 Versions of BIND 9 earlier than those shown - back to 9.1.0, including Supported Preview Editions - are also believed to be affected but have not been tested as they are EOL. The cache could become poisoned with incorrect records leading to queries being made to the wrong servers, which might also result in false information being returned to clients.

This plugin only works with Tenable.ot.
Please visit https://www.tenable.com/products/tenable-ot for more information.

ID	名稱	產品	系列	已發布	已更新	嚴重性
163202	EulerOS Virtualization 2.10.1 : bind (EulerOS-SA-2022-2047)	Nessus	Huawei Local Security Checks	2022/7/15	2022/12/8	medium
165935	EulerOS Virtualization 3.0.6.0 : bind (EulerOS-SA-2022-2545)	Nessus	Huawei Local Security Checks	2022/10/10	2022/11/29	medium
203239	Photon OS 4.0: Bindutils PHSA-2022-4.0-0168	Nessus	PhotonOS Local Security Checks	2024/7/23	2024/7/23	medium
167419	EulerOS 2.0 SP9 : dhcp (EulerOS-SA-2022-2724)	Nessus	Huawei Local Security Checks	2022/11/14	2022/11/29	medium
169869	EulerOS Virtualization 2.10.1 : dhcp (EulerOS-SA-2023-1144)	Nessus	Huawei Local Security Checks	2023/1/11	2023/1/11	medium
169872	EulerOS Virtualization 2.9.0 : dhcp (EulerOS-SA-2023-1218)	Nessus	Huawei Local Security Checks	2023/1/11	2023/1/11	medium
173297	AIX 7.1 TL 5 : bind (IJ40617)	Nessus	AIX Local Security Checks	2023/3/23	2023/4/21	medium
176878	EulerOS Virtualization 2.11.1 : dhcp (EulerOS-SA-2023-2035)	Nessus	Huawei Local Security Checks	2023/6/7	2023/6/7	medium
185057	Rocky Linux 9 : dhcp (RLSA-2022:8385)	Nessus	Rocky Linux Local Security Checks	2023/11/7	2023/11/7	medium
167020	Amazon Linux 2022 : bind, bind-chroot, bind-devel (ALAS2022-2022-166)	Nessus	Amazon Linux Local Security Checks	2022/11/5	2024/12/11	medium
167129	RHEL 8 : bind9.16 (RHSA-2022:7643)	Nessus	Red Hat Local Security Checks	2022/11/8	2024/11/7	medium
166720	GLSA-202210-25 : ISC BIND: Multiple Vulnerabilities	Nessus	Gentoo Local Security Checks	2022/10/31	2023/10/6	high
170860	CentOS 7 : bind (RHSA-2023:0402)	Nessus	CentOS Local Security Checks	2023/1/30	2024/10/10	medium
183341	Nutanix AHV : Multiple Vulnerabilities (NXSA-AHV-20220304.10055)	Nessus	Misc.	2023/10/18	2025/2/17	medium
175818	Nutanix AOS : Multiple Vulnerabilities (NXSA-AOS-6.5.3)	Nessus	Misc.	2023/5/16	2025/2/17	critical
174898	Nutanix AOS : Multiple Vulnerabilities (NXSA-AOS-6.6.2)	Nessus	Misc.	2023/4/27	2024/1/16	high
195112	RHEL 8 : bind and dhcp (RHSA-2024:2720)	Nessus	Red Hat Local Security Checks	2024/5/7	2024/11/7	medium
503228	ABB M2M Gateway HTTP Request Smuggling in embedded Bind (CVE-2021-25220)	Tenable OT Security	Tenable.ot	2025/5/27	2025/5/27	medium

偵測

搜尋 Plugin

medium

medium

medium

medium

medium

medium

medium

medium

medium

medium

medium

high

medium

medium

critical

high

medium

medium