===========================================================================
             AUSCERT Security Bulletin ASB-2020.0071
         Tenable.sc 5.14.0 Fixes Multiple Vulnerabilities
                            14 April 2020
===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Tenable.sc
Operating System:     Windows
                      Virtualisation
                      UNIX variants (UNIX, Linux, OSX)
Impact/Access:        Cross-site Scripting -- Remote with User Interaction
Resolution:           Patch/Upgrade
CVE Names:            CVE-2020-5737 CVE-2019-11358
Member content until: Thursday, May 14 2020
Reference:            ASB-2019.0353

OVERVIEW

        Multiple vulnerabilities have been identified affecting the following
        versions of Tenable.sc:

                < 5.14.0

IMPACT

        Tenable has provided the following details regarding the
        vulnerabilities:

        "Tenable.sc leverages third-party software to help provide underlying
        functionality. One third-party component (jQuery) was found to contain
        vulnerabilities, and updated versions have been made available by the
        providers. Out of caution and in line with good practice, Tenable
        opted to upgrade the bundled libraries to address the potential impact
        of these issues. Tenable.sc 5.14.0 updates jQuery to version 3.4.1 to
        address the identified vulnerabilities." [1]

        "Additionally, Tenable.sc 5.14.0 addresses a stored cross-site
        scripting (XSS) vulnerability specific to Microsoft Internet Explorer
        and Edge web browsers. The stored XSS could allow an authenticated
        remote attacker to craft a request to execute arbitrary script code
        in a user's browser session. Updated input validation techniques have
        been implemented to correct this issue. (CVE-2020-5737)" [1]

MITIGATION

        Tenable recommends that 5.14.0 be downloaded to mitigate these
        vulnerabilities:

        "Tenable has released Tenable.sc 5.14.0 to address these issues. The
        installation files can be obtained from the Tenable Downloads Portal
        (https://www.tenable.com/downloads/tenable-sc)" [1]

REFERENCES

        [1] Tenable.sc 5.14.0 Fixes Multiple Vulnerabilities
            https://www.tenable.com/security/tns-2020-02

AusCERT has made every effort to ensure that the information contained in
this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision
to follow or act on information or advice contained in this security
bulletin is the responsibility of each user or organisation, and should be
considered in accordance with your organisation's site policies and
procedures. AusCERT takes no responsibility for consequences which may arise
from following or acting on information or advice contained in this security
bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================