-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.1765
        [R1] Nessus 7.1.1 Fixes Multiple Third-party Vulnerabilities
                                14 June 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Nessus
Publisher:         Tenable
Operating System:  UNIX variants (UNIX, Linux, OSX)
                   Windows
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Increased Privileges            -- Existing Account
                   Denial of Service               -- Remote with User Interaction
                   Access Confidential Data        -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-11214 CVE-2018-9251 CVE-2017-1000061 CVE-2017-18258
                   CVE-2017-16932 CVE-2017-16931 CVE-2017-11742 CVE-2017-9233
                   CVE-2017-9050 CVE-2017-9049 CVE-2017-9048 CVE-2017-9047
                   CVE-2017-8872 CVE-2017-7375 CVE-2017-7246 CVE-2017-7245
                   CVE-2017-7244 CVE-2017-7186 CVE-2017-6004 CVE-2017-5969
                   CVE-2017-5029 CVE-2016-9843 CVE-2016-9842 CVE-2016-9841
                   CVE-2016-9840 CVE-2016-9318 CVE-2016-9063 CVE-2016-5300
                   CVE-2016-5131 CVE-2016-4472 CVE-2016-3191 CVE-2016-1684
                   CVE-2016-1683 CVE-2016-1283 CVE-2016-0718 CVE-2015-9019
                   CVE-2015-8395 CVE-2015-8394 CVE-2015-8392 CVE-2015-8391
                   CVE-2015-8390 CVE-2015-8389 CVE-2015-8388 CVE-2015-8387
                   CVE-2015-8386 CVE-2015-8385 CVE-2015-8384 CVE-2015-8383
                   CVE-2015-8382 CVE-2015-8381 CVE-2015-8380 CVE-2015-7995
                   CVE-2015-5073 CVE-2015-3217 CVE-2015-2328 CVE-2015-2327
                   CVE-2014-9769 CVE-2014-8964 CVE-2012-6702 CVE-2012-6139
                   CVE-2012-0876
Reference:         ASB-2017.0219 ASB-2017.0202 ASB-2017.0173 ESB-2012.1093
                   ESB-2012.0742 ESB-2012.0552

Original Bulletin:
   https://www.tenable.com/security/tns-2018-08

- --------------------------BEGIN INCLUDED TEXT--------------------

[R1] Nessus 7.1.1 Fixes Multiple Third-party Vulnerabilities

Risk Information

CVE ID:                         Please see 'Synopsis' for CVE IDs
Tenable Advisory ID:            TNS-2018-08
Risk Factor:                    High
CVSSv2 Base / Temporal Score:   9.0 / 6.3
CVSSv2 Vector:                  (AV:N/AC:L/Au:N/C:P/I:P/A:P/E:U/RL:OF/RC:UR)

Affected Products

Nessus 7.1.0 and earlier

Advisory Timeline

2018-06-13 - [R1] Initial Release

Synopsis

Nessus leverages third-party software to help provide underlying
functionality. Some of the third-party components were found to contain
vulnerabilities, and updated versions have been made available by the
providers. Out of caution and in line with good practice, Tenable opted to
upgrade the bundled third-party components to address the potential impact
of these issues.

Nessus 7.1.1 updates the following components:

  * expat has been updated from 2.2.1 to 2.2.5
    CVE-2017-11742, CVE-2017-9233, CVE-2016-9063, CVE-2016-0718,
    CVE-2016-5300, CVE-2012-0876, CVE-2016-4472, CVE-2012-6702

  * libjpeg has been updated from 8d to 9c
    CVE-2018-11214

  * libXML2 has been updated from 2.9.4 to 2.9.7
    CVE-2017-18258, CVE-2017-16932, CVE-2017-16931, CVE-2017-9050,
    CVE-2017-9049, CVE-2017-9048, CVE-2017-9047, CVE-2017-8872,
    CVE-2017-7375, CVE-2017-5969, CVE-2016-9318, CVE-2016-5131,
    CVE-2018-9251

  * libXMLSEC has been updated from 1.2.18 to 1.2.25
    CVE-2017-1000061

  * libXSLT has been updated from 1.1.27 to 1.1.32
    CVE-2012-6139, CVE-2015-7995, CVE-2015-9019, CVE-2016-1683,
    CVE-2016-1684, CVE-2017-5029

  * Zlib has been updated from 1.2.8 to 1.2.11
    CVE-2016-9840, CVE-2016-9841, CVE-2016-9842, CVE-2016-9843

  * libPCRE has been updated from 7.8 to 8.42
    CVE-2014-8964, CVE-2014-9769, CVE-2015-2327, CVE-2015-2328,
    CVE-2015-3217, CVE-2015-5073, CVE-2015-8380, CVE-2015-8381,
    CVE-2015-8382, CVE-2015-8383, CVE-2015-8384, CVE-2015-8385,
    CVE-2015-8386, CVE-2015-8387, CVE-2015-8388, CVE-2015-8389,
    CVE-2015-8390, CVE-2015-8391, CVE-2015-8392, CVE-2015-8394,
    CVE-2015-8395, CVE-2016-1283, CVE-2016-3191, CVE-2017-6004,
    CVE-2017-7186, CVE-2017-7244, CVE-2017-7245, CVE-2017-7246

Note: The CVSSv2 score used in this advisory reflects CVE-2015-8391, as it
is considered the highest risk.
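Scoring check, added here as an editorial example and not part of the Tenable advisory or the AusCERT bulletin: the script below implements the CVSSv2 base and temporal equations and evaluates the vector printed above. Fed the printed base metrics, the base equation returns 7.5, while the stated 9.0 and temporal 6.3 are consistent with each other under the temporal equation (9.0 x 0.85 x 0.87 x 0.95 = 6.32), so the temporal step is run from the stated base rather than from a recomputed one. The vector string and the 9.0 are copied from the bulletin; the metric weights are the published CVSSv2 tables.

```python
import math

# Metric weights from the CVSS v2.0 specification.
BASE_WEIGHTS = {
    "AV": {"L": 0.395, "A": 0.646, "N": 1.0},
    "AC": {"H": 0.35, "M": 0.61, "L": 0.71},
    "Au": {"M": 0.45, "S": 0.56, "N": 0.704},
    "C": {"N": 0.0, "P": 0.275, "C": 0.660},
    "I": {"N": 0.0, "P": 0.275, "C": 0.660},
    "A": {"N": 0.0, "P": 0.275, "C": 0.660},
}
TEMPORAL_WEIGHTS = {
    "E": {"U": 0.85, "POC": 0.9, "F": 0.95, "H": 1.0, "ND": 1.0},
    "RL": {"OF": 0.87, "TF": 0.90, "W": 0.95, "U": 1.0, "ND": 1.0},
    "RC": {"UC": 0.90, "UR": 0.95, "C": 1.0, "ND": 1.0},
}

# Values copied from the bulletin above (added example, not Tenable code).
ADVISORY_VECTOR = "(AV:N/AC:L/Au:N/C:P/I:P/A:P/E:U/RL:OF/RC:UR)"
ADVISORY_BASE = 9.0  # stated base score, attributed to CVE-2015-8391

def parse_vector(vector):
    """Turn '(AV:N/AC:L/.../RC:UR)' into {'AV': 'N', 'AC': 'L', ...}."""
    return dict(p.split(":", 1) for p in vector.strip("()").split("/"))

def _round1(x):
    # CVSSv2 rounds half up to one decimal; round() would round half to even.
    return math.floor(x * 10 + 0.5) / 10

def base_score(metrics):
    """CVSSv2 base equation over the six base metrics."""
    w = {k: BASE_WEIGHTS[k][metrics[k]] for k in BASE_WEIGHTS}
    impact = 10.41 * (1 - (1 - w["C"]) * (1 - w["I"]) * (1 - w["A"]))
    exploitability = 20 * w["AV"] * w["AC"] * w["Au"]
    f_impact = 0 if impact == 0 else 1.176
    return _round1((0.6 * impact + 0.4 * exploitability - 1.5) * f_impact)

def temporal_score(base, metrics):
    """Temporal = base * E * RL * RC; a missing temporal metric counts as ND."""
    factor = 1.0
    for name, table in TEMPORAL_WEIGHTS.items():
        factor *= table[metrics.get(name, "ND")]
    return _round1(base * factor)

if __name__ == "__main__":
    m = parse_vector(ADVISORY_VECTOR)
    print("base from the printed base metrics:", base_score(m))  # 7.5
    print("temporal from the stated base 9.0:", temporal_score(ADVISORY_BASE, m))  # 6.3
```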
To view information on the remaining CVE IDs mentioned above, please visit
https://nvd.nist.gov/vuln/search.

Solution

Tenable has released Nessus version 7.1.1 to address these third-party
vulnerabilities. The installation files can be obtained from the Tenable
Downloads Portal (https://www.tenable.com/downloads/nessus).

Additional References

https://nvd.nist.gov/vuln/search

This page contains information regarding security vulnerabilities that may
impact Tenable's products. This may include issues specific to our software,
or due to the use of third-party libraries within our software. Tenable
strongly encourages users to ensure that they upgrade or apply relevant
patches in a timely manner.

Tenable takes product security very seriously. If you believe you have found
a vulnerability in one of our products, we ask that you please work with us
to quickly resolve it in order to protect customers. Tenable believes in
responding quickly to such reports, maintaining communication with
researchers, and providing a solution in short order. For more details on
submitting vulnerability information, please see our Vulnerability Reporting
Guidelines page.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If you
do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your
organisation's site policies and procedures. AusCERT takes no responsibility
for consequences which may arise from following or acting on information or
advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not
be updated when updates to the original are made. If downloading at a later
date, it is recommended that the bulletin is retrieved directly from the
author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================