===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2019.0088
          Nessus 8.3.0 Fixes Multiple Third-party Vulnerabilities
                               27 March 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Nessus
Operating System:     UNIX variants (UNIX, Linux, OSX)
                      Windows
Impact/Access:        Access Privileged Data -- Remote/Unauthenticated
                      Denial of Service      -- Existing Account
Resolution:           Patch/Upgrade
CVE Names:            CVE-2019-1559 CVE-2017-18214 CVE-2016-4055
Member content until: Friday, April 26 2019
Reference:            ESB-2019.0913
                      ESB-2019.0895
                      ESB-2019.0799
                      ASB-2018.0160

OVERVIEW

        Tenable has identified a number of vulnerabilities in Tenable Nessus
        prior to version 8.2.3. [1]


IMPACT

        The vendor has provided the following details regarding the
        vulnerabilities:

        "[R1] Nessus 8.3.0 Fixes Multiple Third-party Vulnerabilities
        Medium

        Synopsis
        Nessus leverages third-party software to help provide underlying
        functionality. Two separate third-party components (OpenSSL and
        Moment.js) were found to contain vulnerabilities, and updated
        versions have been made available by the providers.

        Out of caution and in line with good practice, Tenable opted to
        upgrade the bundled libraries to address the potential impact of
        these issues in Nessus. Nessus 8.3.0 updates OpenSSL to version
        1.0.2r and Moment.js to 2.19.3 to address the identified
        vulnerabilities.

        Note: The CVSSv2 score used in this advisory reflects CVE-2016-4055,
        as it is considered the highest risk.

        Risk Information
        CVE ID: CVE-2019-1559
                CVE-2017-18214
                CVE-2016-4055
        Tenable Advisory ID: TNS-2019-02
        Risk Factor: Medium
        CVSSv2 Base / Temporal Score: 7.8 / 6.1 (CVE-2016-4055)
                                      5.0 / 3.9 (CVE-2017-18214)
                                      4.3 / 3.4 (CVE-2019-1559)
        CVSSv2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C - CVE-2016-4055
                       AV:N/AC:L/Au:N/C:N/I:N/A:P - CVE-2017-18214
                       AV:N/AC:M/Au:N/C:P/I:N/A:N - CVE-2019-1559

        Affected Products
        Nessus 8.2.3 and earlier" [1]


MITIGATION

        The vendor advises users to upgrade to Nessus version 8.3.0 to
        address these issues. [1]


REFERENCES

        [1] [R1] Nessus 8.3.0 Fixes Multiple Third-party Vulnerabilities
            https://www.tenable.com/security/tns-2019-02

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation.  The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures.  AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================