===========================================================================
AUSCERT Security Bulletin

ASB-2018.0117
Tenable Industrial Security patches internal OpenSSL
18 May 2018
===========================================================================

AusCERT Security Bulletin Summary
---------------------------------

Product:              Tenable Industrial Security
Operating System:     Windows
                      Red Hat Enterprise Linux Server 6
                      Red Hat Enterprise Linux Server 7
Impact/Access:        Access Privileged Data -- Remote/Unauthenticated
                      Denial of Service      -- Remote with User Interaction
Resolution:           Patch/Upgrade
CVE Names:            CVE-2018-0739 CVE-2018-0733 CVE-2017-3738
Member content until: Sunday, June 17 2018
Reference:            ASB-2018.0113
                      ESB-2018.1100
                      ESB-2017.3144.2

OVERVIEW

Vulnerabilities have been identified in Tenable Industrial Security
prior to version 1.1.0.0. [1]

IMPACT

The vendor has provided the following details regarding the
vulnerabilities:

"Industrial Security leverages third-party software to help provide
underlying functionality. One of the third-party components (OpenSSL)
was found to contain vulnerabilities, and updated versions have been
made available by the providers.

Out of caution and in line with good practice, Tenable opted to upgrade
the bundled OpenSSL to address the potential impact of these issues.
Industrial Security 1.1.0 updates OpenSSL to version 1.0.2o to address
the identified vulnerabilities.

CVE ID: CVE-2017-3738 CVE-2018-0733 CVE-2018-0739
Tenable Advisory ID: TNS-2018-06
Risk Factor: Medium
CVSSv2 Base / Temporal Score: 4.3 / 3.4
CVSSv2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N/E:POC/RL:OF/RC:C" [1]

MITIGATION

The vendor advises updating to Industrial Security version 1.1.0. [1]

REFERENCES

[1] Industrial Security 1.1.0 Fixes One Third-party Vulnerability
    https://www.tenable.com/security/tns-2018-06

AusCERT has made every effort to ensure that the information contained
in this document is accurate. However, the decision to use the
information described is the responsibility of each user or
organisation. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user
or organisation, and should be considered in accordance with your
organisation's site policies and procedures. AusCERT takes no
responsibility for consequences which may arise from following or acting
on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business
                hours which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
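
An inventory check for the fixed OpenSSL release named in the bulletin, added here as an illustration and not taken from AusCERT or Tenable: it parses an OpenSSL version banner and reports whether it is at or above 1.0.2o, returning an undetermined result for branches the bulletin gives no fixed release for. The function names and the sample banners are assumptions constructed for this example; how the banner of the bundled library is obtained is left to the operator.

```python
import re

# Fixed release named in the bulletin: the bundled OpenSSL moves to 1.0.2o.
BASELINE = "1.0.2o"

# Legacy OpenSSL numbering: major.minor.fix, then a patch letter run
# (a..z, then za, zb, ...), then an optional tag such as -fips or -beta3.
_VERSION = re.compile(r"\b(\d+)\.(\d+)\.(\d+)([a-z]{0,2})(-[\w.]+)?")


def parse_openssl_version(text):
    """Return (branch, patch_rank, tag), or None when no version is present."""
    m = _VERSION.search(text)
    if m is None:
        return None
    branch = tuple(int(g) for g in m.group(1, 2, 3))
    # "" -> 0, "a" -> 1, ..., "z" -> 26, "za" -> 27, "zb" -> 28
    patch_rank = sum(ord(c) - ord("a") + 1 for c in m.group(4))
    return branch, patch_rank, m.group(5) or ""


def meets_baseline(banner, baseline=BASELINE):
    """True or False inside the baseline's branch, None when undecidable."""
    found = parse_openssl_version(banner)
    base = parse_openssl_version(baseline)
    if found is None or found[0] != base[0]:
        # No version found, or a branch the bulletin names no fixed release for.
        return None
    return found[1] >= base[1]


# Constructed sample banners in the style printed by `openssl version`.
SAMPLE_BANNERS = [
    "OpenSSL 1.0.2n  7 Dec 2017",
    "OpenSSL 1.0.2o  27 Mar 2018",
    "OpenSSL 1.0.2k-fips  26 Jan 2017",
    "OpenSSL 1.0.2za  24 Aug 2021",
    "OpenSSL 1.1.0g  2 Nov 2017",
    "no version string here",
]

if __name__ == "__main__":
    labels = {True: "at or above baseline", False: "below baseline", None: "undetermined"}
    for banner in SAMPLE_BANNERS:
        print(f"{labels[meets_baseline(banner)]:<22}{banner}")
```

An undetermined result means the banner needs manual review against the vendor advisory, not that the install is unaffected.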