===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2020.0071
             Tenable.sc 5.14.0 Fixes Multiple Vulnerabilities
                               14 April 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Tenable.sc
Operating System:     Windows
                      Virtualisation
                      UNIX variants (UNIX, Linux, OSX)
Impact/Access:        Cross-site Scripting -- Remote with User Interaction
Resolution:           Patch/Upgrade
CVE Names:            CVE-2020-5737 CVE-2019-11358 
Member content until: Thursday, May 14 2020
Reference:            ASB-2019.0353

OVERVIEW

        Multiple vulnerabilities have been identified affecting the following
        versions of Tenable.sc:
        
        < 5.14.0


IMPACT

        Tenable has provided the following details regarding the vulnerabilities:
        
        "Tenable.sc leverages third-party software to help provide underlying
        functionality. One third-party component (jQuery) was found to contain
        vulnerabilities, and updated versions have been made available by the
        providers.
        
        Out of caution and in line with good practice, Tenable opted to upgrade 
        the bundled libraries to address the potential impact of these issues. 
        Tenable.sc 5.14.0 updates jQuery to version 3.4.1 to address the identified
        vulnerabilities." [1]
        
        "Additionally, Tenable.sc 5.14.0 addresses a stored cross-site scripting (XSS)
        vulnerability specific to Microsoft Internet Explorer and Edge web browsers.
        The stored XSS could allow an authenticated remote attacker to craft a request
        to execute arbitrary script code in a user's browser session. Updated input
        validation techniques have been implemented to correct this issue.
        (CVE-2020-5737)" [1]


MITIGATION

        Tenable recommends upgrading to Tenable.sc 5.14.0 to mitigate these vulnerabilities:
        
        "Tenable has released Tenable.sc 5.14.0 to address these issues. The
        installation files can be obtained from the Tenable Downloads Portal
        (https://www.tenable.com/downloads/tenable-sc)" [1]


REFERENCES

        [1] Tenable.sc 5.14.0 Fixes Multiple Vulnerabilities
            https://www.tenable.com/security/tns-2020-02

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================