From 8bcef81bd4aaad8964fb06bcafdee44dc1d0a27d Mon Sep 17 00:00:00 2001
From: pepelyaevip
Date: Tue, 13 Feb 2024 09:03:13 +0000
Subject: [PATCH] ALT Vulnerability
---
 oval/c10f2/ALT-PU-2024-2026/definitions.json | 100 +++++++++++++++++++
 oval/c10f2/ALT-PU-2024-2026/objects.json | 40 ++++++++
 oval/c10f2/ALT-PU-2024-2026/states.json | 23 +++++
 oval/c10f2/ALT-PU-2024-2026/tests.json | 42 ++++++++
 oval/p9/ALT-PU-2022-3039/definitions.json | 2 +-
 5 files changed, 206 insertions(+), 1 deletion(-)
 create mode 100644 oval/c10f2/ALT-PU-2024-2026/definitions.json
 create mode 100644 oval/c10f2/ALT-PU-2024-2026/objects.json
 create mode 100644 oval/c10f2/ALT-PU-2024-2026/states.json
 create mode 100644 oval/c10f2/ALT-PU-2024-2026/tests.json
diff --git a/oval/c10f2/ALT-PU-2024-2026/definitions.json b/oval/c10f2/ALT-PU-2024-2026/definitions.json
new file mode 100644
index 0000000000..7e7ff8b097
--- /dev/null
+++ b/oval/c10f2/ALT-PU-2024-2026/definitions.json
@@ -0,0 +1,100 @@
+{
+ "Definition": [
+ {
+ "ID": "oval:org.altlinux.errata:def:20242026",
+ "Version": "oval:org.altlinux.errata:def:20242026",
+ "Class": "patch",
+ "Metadata": {
+ "Title": "ALT-PU-2024-2026: package `apache2-mod_wsgi` update to version 4.9.4-alt0.c10f2.1",
+ "AffectedList": [
+ {
+ "Family": "unix",
+ "Platforms": [
+ "ALT Linux branch c10f2"
+ ]
+ }
+ ],
+ "References": [
+ {
+ "RefID": "ALT-PU-2024-2026",
+ "RefURL": "https://errata.altlinux.org/ALT-PU-2024-2026",
+ "Source": "ALTPU"
+ },
+ {
+ "RefID": "BDU:2022-05209",
+ "RefURL": "https://bdu.fstec.ru/vul/2022-05209",
+ "Source": "BDU"
+ },
+ {
+ "RefID": "CVE-2022-2255",
+ "RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2022-2255",
+ "Source": "CVE"
+ }
+ ],
+ "Description": "This update upgrades apache2-mod_wsgi to version 4.9.4-alt0.c10f2.1. \nSecurity Fix(es):\n\n * BDU:2022-05209: Уязвимость модуля mod_wsgi веб-сервера Apache, связанная с ошибками при обработке заголовока X-Client-IP, позволяющая нарушителю получить несанкционированный доступ к сетевым службам\n\n * CVE-2022-2255: A vulnerability was found in mod_wsgi. The X-Client-IP header is not removed from a request from an untrusted proxy, allowing an attacker to pass the X-Client-IP header to the target WSGI application because the condition to remove it is missing.",
+ "Advisory": {
+ "From": "errata.altlinux.org",
+ "Severity": "High",
+ "Rights": "Copyright 2023 BaseALT Ltd.",
+ "Issued": {
+ "Date": "2024-02-13"
+ },
+ "Updated": {
+ "Date": "2024-02-13"
+ },
+ "bdu": [
+ {
+ "Cvss": "AV:N/AC:H/Au:N/C:P/I:P/A:P",
+ "Cvss3": "AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L",
+ "Cwe": "CWE-348",
+ "Href": "https://bdu.fstec.ru/vul/2022-05209",
+ "Impact": "Low",
+ "Public": "20220718",
+ "CveID": "BDU:2022-05209"
+ }
+ ],
+ "Cves": [
+ {
+ "Cvss3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
+ "Cwe": "CWE-345",
+ "Href": "https://nvd.nist.gov/vuln/detail/CVE-2022-2255",
+ "Impact": "High",
+ "Public": "20220825",
+ "CveID": "CVE-2022-2255"
+ }
+ ],
+ "AffectedCpeList": {
+ "Cpe": [
+ "cpe:/o:alt:spworkstation:10",
+ "cpe:/o:alt:spserver:10"
+ ]
+ }
+ }
+ },
+ "Criteria": {
+ "Operator": "AND",
+ "Criterions": [
+ {
+ "TestRef": "oval:org.altlinux.errata:tst:5001",
+ "Comment": "ALT Linux must be installed"
+ }
+ ],
+ "Criterias": [
+ {
+ "Operator": "OR",
+ "Criterions": [
+ {
+ "TestRef": "oval:org.altlinux.errata:tst:20242026001",
+ "Comment": "apache2-mod_wsgi is earlier than 0:4.9.4-alt0.c10f2.1"
+ },
+ {
+ "TestRef": "oval:org.altlinux.errata:tst:20242026002",
+ "Comment": "apache2-mod_wsgi-py3 is earlier than 0:4.9.4-alt0.c10f2.1"
+ }
+ ]
+ }
+ ]
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/oval/c10f2/ALT-PU-2024-2026/objects.json b/oval/c10f2/ALT-PU-2024-2026/objects.json
new file mode 100644
index 0000000000..f8fb3938b2
--- /dev/null
+++ b/oval/c10f2/ALT-PU-2024-2026/objects.json
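Review bot: The definition's `"Version"` is set to its own ID string (`"oval:org.altlinux.errata:def:20242026"`), whereas every object, state and test in this patch carries `"Version": "1"`; OVAL's version attribute is a non-negative integer, so if this JSON is ever rendered to OVAL XML or used for revision ordering the definition will not validate. I would change it to `"Version": "1"`. A smaller point: the criterion comment `"ALT Linux must be installed"` on tst:5001 says less than the test's own comment in tests.json, which names the branch; aligning them, e.g. `"Comment": "ALT Linux based on branch 'c10f2' must be installed"`, keeps scanner reports readable. `"Rights": "Copyright 2023 BaseALT Ltd."` on an advisory issued 2024-02-13 also looks like a stale template value.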
@@ -0,0 +1,40 @@
+{
+ "TextFileContent54Objects": [
+ {
+ "ID": "oval:org.altlinux.errata:obj:5001",
+ "Version": "1",
+ "comment": "Evaluate `/etc/os-release` file content",
+ "Path": {
+ "dataType": "string",
+ "Text": "/etc"
+ },
+ "Filepath": {
+ "Datatype": "string",
+ "Text": "os-release"
+ },
+ "Pattern": {
+ "Datatype": "string",
+ "Operation": "pattern match",
+ "Text": "cpe:\\/o:alt:sp(?:server|workstation):(\\d+)"
+ },
+ "Instance": {
+ "Datatype": "int",
+ "Text": "1"
+ }
+ }
+ ],
+ "RpmInfoObjects": [
+ {
+ "ID": "oval:org.altlinux.errata:obj:20242026001",
+ "Version": "1",
+ "comment": "apache2-mod_wsgi is installed",
+ "Name": "apache2-mod_wsgi"
+ },
+ {
+ "ID": "oval:org.altlinux.errata:obj:20242026002",
+ "Version": "1",
+ "comment": "apache2-mod_wsgi-py3 is installed",
+ "Name": "apache2-mod_wsgi-py3"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/oval/c10f2/ALT-PU-2024-2026/states.json b/oval/c10f2/ALT-PU-2024-2026/states.json
new file mode 100644
index 0000000000..843351ae43
--- /dev/null
+++ b/oval/c10f2/ALT-PU-2024-2026/states.json
@@ -0,0 +1,23 @@
+{
+ "TextFileContent54State": [
+ {
+ "ID": "oval:org.altlinux.errata:ste:5001",
+ "Version": "1",
+ "Text": {}
+ }
+ ],
+ "RpmInfoState": [
+ {
+ "ID": "oval:org.altlinux.errata:ste:20242026001",
+ "Version": "1",
+ "Comment": "package EVR is earlier than 0:4.9.4-alt0.c10f2.1",
+ "Arch": {},
+ "Evr": {
+ "Text": "0:4.9.4-alt0.c10f2.1",
+ "Datatype": "evr_string",
+ "Operation": "less than"
+ },
+ "Subexpression": {}
+ }
+ ]
+}
\ No newline at end of file
diff --git a/oval/c10f2/ALT-PU-2024-2026/tests.json b/oval/c10f2/ALT-PU-2024-2026/tests.json
new file mode 100644
index 0000000000..3a5a299c54
--- /dev/null
+++ b/oval/c10f2/ALT-PU-2024-2026/tests.json
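Review bot: The `Path` entity of obj:5001 spells its type key `dataType` while `Filepath`, `Pattern` and `Instance` use `Datatype`, and the three object comments use lowercase `comment` where the states and tests use `Comment`; a loader that matches keys case-sensitively will silently drop the odd ones out. I would change the one key to `"Datatype": "string"` and the object comments to `"Comment"`. Separately, the object carries both `Path` (`/etc`) and `Filepath` (`os-release`): in OVAL's textfilecontent54_object, `filepath` is the full path and is an alternative to `path` plus `filename`, so if these fields map straight onto OVAL entities the pair is inconsistent and either `Filepath` should be `/etc/os-release` or the key should be `Filename`; worth confirming against the generator that emits these files.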
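Review bot: ste:5001, the state tst:5001 applies to the /etc/os-release match, has an empty `"Text": {}` and no subexpression entity, so nothing compares the `(\d+)` release number captured by obj:5001's pattern; as far as this patch shows, the 'c10f2' platform check passes on any ALT SP release and the package EVR criteria decide alone. If that is intended, the test comment should say so; otherwise the state should pin the release through the capture group, for example `"Subexpression": {"Datatype": "string", "Operation": "equals", "Text": "10"}` (whether the loader reads that key on a textfilecontent54 state is not visible here). On the rpminfo state, `"Arch": {}` and `"Subexpression": {}` look like serialized empty struct fields rather than constraints, and OVAL's rpminfo_state has no subexpression entity at all; presumably the consumer treats an empty entity as "unconstrained", but that assumption is worth confirming, since a consumer that compares against an empty string would make every package test fail closed.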
@@ -0,0 +1,42 @@
+{
+ "TextFileContent54Tests": [
+ {
+ "ID": "oval:org.altlinux.errata:tst:5001",
+ "Version": "1",
+ "Check": "all",
+ "Comment": "ALT Linux based on branch 'c10f2' must be installed",
+ "Object": {
+ "ObjectRef": "oval:org.altlinux.errata:obj:5001"
+ },
+ "State": {
+ "StateRef": "oval:org.altlinux.errata:ste:5001"
+ }
+ }
+ ],
+ "RPMInfoTests": [
+ {
+ "ID": "oval:org.altlinux.errata:tst:20242026001",
+ "Version": "1",
+ "Check": "all",
+ "Comment": "apache2-mod_wsgi is earlier than 0:4.9.4-alt0.c10f2.1",
+ "Object": {
+ "ObjectRef": "oval:org.altlinux.errata:obj:20242026001"
+ },
+ "State": {
+ "StateRef": "oval:org.altlinux.errata:ste:20242026001"
+ }
+ },
+ {
+ "ID": "oval:org.altlinux.errata:tst:20242026002",
+ "Version": "1",
+ "Check": "all",
+ "Comment": "apache2-mod_wsgi-py3 is earlier than 0:4.9.4-alt0.c10f2.1",
+ "Object": {
+ "ObjectRef": "oval:org.altlinux.errata:obj:20242026002"
+ },
+ "State": {
+ "StateRef": "oval:org.altlinux.errata:ste:20242026001"
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/oval/p9/ALT-PU-2022-3039/definitions.json b/oval/p9/ALT-PU-2022-3039/definitions.json
index b02911a71f..219ac4cbf0 100644
--- a/oval/p9/ALT-PU-2022-3039/definitions.json
+++ b/oval/p9/ALT-PU-2022-3039/definitions.json
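Review bot: The collection keys drift across the four files: this file uses `RPMInfoTests` while objects.json and states.json use `RpmInfoObjects` / `RpmInfoState`, and states.json's `TextFileContent54State` is singular against the plural `TextFileContent54Objects` / `TextFileContent54Tests` here. Whether that matters depends on the loader (these may be exactly the keys its schema expects), but if the generator allows it I would normalise to `RpmInfoTests` and `TextFileContent54States` so the four files can be cross-checked mechanically. The tst:5001 comment names branch 'c10f2', yet the only state it references, ste:5001, carries no value to compare against as far as this patch shows, so the comment promises more than the test enforces. Both rpminfo tests sharing ste:20242026001 is fine, since both subpackages come from the same source at the same EVR, and `"Check": "all"` is the right choice for a less-than EVR comparison.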
@@ -105,7 +105,7 @@
 "Source": "CVE"
 }
 ],
- "Description": "This update upgrades mongo to version 4.0.28-alt1. \nSecurity Fix(es):\n\n * BDU:2020-03363: Уязвимость документоориентированной системы управления базами данных MongoDB, связанная с ошибками авторизации, позволяющая нарушителю получить несанкционированный доступ к защищаемой информации\n\n * BDU:2021-03388: Уязвимость системы управления базами данных MongoDB, связанная с недостаточной обработкой регулярных выражений, позволяющая нарушителю вызвать отказ в обслуживании или повысить свои привилегии\n\n * BDU:2022-01838: Уязвимость системы управления базами данных MongoDB, позволяющая нарушителю оказать воздействие на целостность данных\n\n * CVE-2018-20804: A user authorized to perform database queries may trigger denial of service by issuing specially crafted applyOps invocations. This issue affects MongoDB Server v4.0 versions prior to 4.0.10 and MongoDB Server v3.6 versions prior to 3.6.13.\n\n\n\n * CVE-2019-20925: An unauthenticated client can trigger denial of service by issuing specially crafted wire protocol messages, which cause the message decompressor to incorrectly allocate memory. This issue affects MongoDB Server v4.2 versions prior to 4.2.1; MongoDB Server v4.0 versions prior to 4.0.13; MongoDB Server v3.6 versions prior to 3.6.15 and MongoDB Server v3.4 versions prior to 3.4.24.\n\n\n\n * CVE-2019-2386: After user deletion in MongoDB Server the improper invalidation of authorization sessions allows an authenticated user's session to persist and become conflated with new accounts, if those accounts reuse the names of deleted ones. This issue affects MongoDB Server v4.0 versions prior to 4.0.9; MongoDB Server v3.6 versions prior to 3.6.13 and MongoDB Server v3.4 versions prior to 3.4.22.\n\nWorkaround: \nAfter deleting one or more users, restart any nodes which may have had active user authorization sessions.\n\nRefrain from creating user accounts with the same name as previously deleted accounts.\n\n\n\n * CVE-2019-2389: Incorrect scoping of kill operations in MongoDB Server's packaged SysV init scripts allow users with write access to the PID file to insert arbitrary PIDs to be killed when the root user stops the MongoDB process via SysV init. This issue affects MongoDB Server v4.0 versions prior to 4.0.11; MongoDB Server v3.6 versions prior to 3.6.14; MongoDB Server v3.4 versions prior to 3.4.22.\n\n * CVE-2019-2392: A user authorized to perform database queries may trigger denial of service by issuing specially crafted queries, which use the $mod operator to overflow negative values. This issue affects: MongoDB Inc. MongoDB Server v4.4 versions prior to 4.4.1; v4.2 versions prior to 4.2.9; v4.0 versions prior to 4.0.20; v3.6 versions prior to 3.6.20.\n\n * CVE-2019-2393: A user authorized to perform database queries may trigger denial of service by issuing specially crafted queries, which use $lookup and collations. This issue affects MongoDB Server v4.2 versions prior to 4.2.1; MongoDB Server v4.0 versions prior to 4.0.13 and MongoDB Server v3.6 versions prior to 3.6.15.\n\n\n\n * CVE-2020-7921: \nImproper serialization of internal state in the authorization subsystem in MongoDB Server's authorization subsystem permits a user with valid credentials to bypass IP whitelisting protection mechanisms following administrative action. This issue affects MongoDB Server v4.2 versions prior to 4.2.3; MongoDB Server v4.0 versions prior to 4.0.15; MongoDB Server v4.3 versions prior to 4.3.3and MongoDB Server v3.6 versions prior to 3.6.18.\n\n\n\n\n\n * CVE-2020-7923: A user authorized to perform database queries may cause denial of service by issuing specially crafted queries, which violate an invariant in the query subsystem's support for geoNear. This issue affects MongoDB Server v4.4 versions prior to 4.4.0-rc7; MongoDB Server v4.2 versions prior to 4.2.8 and MongoDB Server v4.0 versions prior to 4.0.19.\n\n\n\n * CVE-2020-7928: A user authorized to perform database queries may trigger a read overrun and access arbitrary memory by issuing specially crafted queries. This issue affects MongoDB Server v4.4 versions prior to 4.4.1; MongoDB Server v4.2 versions prior to 4.2.9; MongoDB Server v4.0 versions prior to 4.0.20 and MongoDB Server v3.6 versions prior to 3.6.20.\n\n\n\n * CVE-2020-7929: A user authorized to perform database queries may trigger denial of service by issuing specially crafted query contain a type of regex. This issue affects MongoDB Server v3.6 versions prior to 3.6.21 and MongoDB Server v4.0 versions prior to 4.0.20.\n\n\n\n * CVE-2021-20330: An attacker with basic CRUD permissions on a replicated collection can run the applyOps command with specially malformed oplog entries, resulting in a potential denial of service on secondaries. This issue affects MongoDB Server v4.0 versions prior to 4.0.27; MongoDB Server v4.2 versions prior to 4.2.16; MongoDB Server v4.4 versions prior to 4.4.9.\n\n\n\n * CVE-2021-20333: Sending specially crafted commands to a MongoDB Server may result in artificial log entries being generated or for log entries to be split. This issue affects MongoDB Server v3.6 versions prior to 3.6.20; MongoDB Server v4.0 versions prior to 4.0.21 and MongoDB Server v4.2 versions prior to 4.2.10.\n\n",
+ "Description": "This update upgrades mongo to version 4.0.28-alt1. \nSecurity Fix(es):\n\n * BDU:2020-03363: Уязвимость документоориентированной системы управления базами данных MongoDB, связанная с ошибками авторизации, позволяющая нарушителю получить несанкционированный доступ к защищаемой информации\n\n * BDU:2021-03388: Уязвимость системы управления базами данных MongoDB, связанная с недостаточной обработкой регулярных выражений, позволяющая нарушителю вызвать отказ в обслуживании или повысить свои привилегии\n\n * BDU:2022-01838: Уязвимость системы управления базами данных MongoDB, позволяющая нарушителю оказать воздействие на целостность данных\n\n * CVE-2018-20804: A user authorized to perform database queries may trigger denial of service by issuing specially crafted applyOps invocations. This issue affects MongoDB Server v4.0 versions prior to 4.0.10 and MongoDB Server v3.6 versions prior to 3.6.13.\n\n\n\n * CVE-2019-20925: An unauthenticated client can trigger denial of service by issuing specially crafted wire protocol messages, which cause the message decompressor to incorrectly allocate memory. This issue affects MongoDB Server v4.2 versions prior to 4.2.1; MongoDB Server v4.0 versions prior to 4.0.13; MongoDB Server v3.6 versions prior to 3.6.15 and MongoDB Server v3.4 versions prior to 3.4.24.\n\n\n\n * CVE-2019-2386: After user deletion in MongoDB Server the improper invalidation of authorization sessions allows an authenticated user's session to persist and become conflated with new accounts, if those accounts reuse the names of deleted ones. This issue affects MongoDB Server v4.0 versions prior to 4.0.9; MongoDB Server v3.6 versions prior to 3.6.13 and MongoDB Server v3.4 versions prior to 3.4.22.\n\nWorkaround: \nAfter deleting one or more users, restart any nodes which may have had active user authorization sessions.\n\nRefrain from creating user accounts with the same name as previously deleted accounts.\n\n\n\n * CVE-2019-2389: Incorrect scoping of kill operations in MongoDB Server's packaged SysV init scripts allow users with write access to the PID file to insert arbitrary PIDs to be killed when the root user stops the MongoDB process via SysV init. This issue affects MongoDB Server v4.0 versions prior to 4.0.11; MongoDB Server v3.6 versions prior to 3.6.14; MongoDB Server v3.4 versions prior to 3.4.22.\n\n * CVE-2019-2392: A user authorized to perform database queries may trigger denial of service by issuing specially crafted queries, which use the $mod operator to overflow negative values. This issue affects: MongoDB Inc. MongoDB Server v4.4 versions prior to 4.4.1; v4.2 versions prior to 4.2.9; v4.0 versions prior to 4.0.20; v3.6 versions prior to 3.6.20.\n\n\n\n * CVE-2019-2393: A user authorized to perform database queries may trigger denial of service by issuing specially crafted queries, which use $lookup and collations. This issue affects MongoDB Server v4.2 versions prior to 4.2.1; MongoDB Server v4.0 versions prior to 4.0.13 and MongoDB Server v3.6 versions prior to 3.6.15.\n\n\n\n * CVE-2020-7921: \nImproper serialization of internal state in the authorization subsystem in MongoDB Server's authorization subsystem permits a user with valid credentials to bypass IP whitelisting protection mechanisms following administrative action. This issue affects MongoDB Server v4.2 versions prior to 4.2.3; MongoDB Server v4.0 versions prior to 4.0.15; MongoDB Server v4.3 versions prior to 4.3.3and MongoDB Server v3.6 versions prior to 3.6.18.\n\n\n\n\n\n * CVE-2020-7923: A user authorized to perform database queries may cause denial of service by issuing specially crafted queries, which violate an invariant in the query subsystem's support for geoNear. This issue affects MongoDB Server v4.4 versions prior to 4.4.0-rc7; MongoDB Server v4.2 versions prior to 4.2.8 and MongoDB Server v4.0 versions prior to 4.0.19.\n\n\n\n * CVE-2020-7928: A user authorized to perform database queries may trigger a read overrun and access arbitrary memory by issuing specially crafted queries. This issue affects MongoDB Server v4.4 versions prior to 4.4.1; MongoDB Server v4.2 versions prior to 4.2.9; MongoDB Server v4.0 versions prior to 4.0.20 and MongoDB Server v3.6 versions prior to 3.6.20.\n\n\n\n * CVE-2020-7929: A user authorized to perform database queries may trigger denial of service by issuing specially crafted query contain a type of regex. This issue affects MongoDB Server v3.6 versions prior to 3.6.21 and MongoDB Server v4.0 versions prior to 4.0.20.\n\n\n\n * CVE-2021-20330: An attacker with basic CRUD permissions on a replicated collection can run the applyOps command with specially malformed oplog entries, resulting in a potential denial of service on secondaries. This issue affects MongoDB Server v4.0 versions prior to 4.0.27; MongoDB Server v4.2 versions prior to 4.2.16; MongoDB Server v4.4 versions prior to 4.4.9.\n\n\n\n * CVE-2021-20333: Sending specially crafted commands to a MongoDB Server may result in artificial log entries being generated or for log entries to be split. This issue affects MongoDB Server v3.6 versions prior to 3.6.20; MongoDB Server v4.0 versions prior to 4.0.21 and MongoDB Server v4.2 versions prior to 4.2.10.\n\n",
 "Advisory": {
 "From": "errata.altlinux.org",
 "Severity": "High",