-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2021.2515
       Tenable.sc 5.19.0 Fixes Multiple Third-party Vulnerabilities
                               23 July 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Tenable.sc Products
Publisher:         Tenable
Operating System:  Linux variants
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated      
                   Denial of Service               -- Remote/Unauthenticated      
                   Cross-site Scripting            -- Remote with User Interaction
                   Access Confidential Data        -- Remote/Unauthenticated      
                   Reduced Security                -- Remote/Unauthenticated      
Resolution:        Patch/Upgrade
CVE Names:         CVE-2021-23358 CVE-2021-21705 CVE-2021-21704
                   CVE-2021-21702 CVE-2020-15358 CVE-2020-13632
                   CVE-2020-13631 CVE-2020-13630 CVE-2020-13435
                   CVE-2020-13434 CVE-2020-11656 CVE-2020-11655
                   CVE-2020-11022 CVE-2020-8184 CVE-2020-7071
                   CVE-2020-7070 CVE-2020-7069 CVE-2020-7068
                   CVE-2020-7067 CVE-2020-7066 CVE-2020-7065
                   CVE-2020-7064 CVE-2020-7063 CVE-2020-7062
                   CVE-2020-7061 CVE-2020-7060 CVE-2020-7059
                   CVE-2019-19919 CVE-2019-19646 CVE-2019-19645
                   CVE-2019-16168 CVE-2019-11050 CVE-2019-11049
                   CVE-2019-11048 CVE-2019-11047 CVE-2019-11046
                   CVE-2019-11045 CVE-2019-11044 CVE-2019-11043
                   CVE-2019-11042 CVE-2019-11041 CVE-2019-8331
                   CVE-2018-20677 CVE-2018-20676 CVE-2018-14042
                   CVE-2018-14041 CVE-2018-14040 CVE-2017-5661
                   CVE-2016-10735  

Reference:         ASB-2021.0156
                   ASB-2021.0073
                   ASB-2021.0023

Original Bulletin: 
   https://www.tenable.com/security/tns-2021-14

- --------------------------BEGIN INCLUDED TEXT--------------------

[R1] Tenable.sc 5.19.0 Fixes Multiple Third-party Vulnerabilities

Critical

Synopsis

Tenable.sc leverages third-party software to help provide underlying
functionality. Multiple third-party components were found to contain
vulnerabilities, and updated versions have been made available by the
providers.

Out of caution, and in line with best practice, Tenable has upgraded the
bundled components to address the potential impact of these issues. Tenable.sc
5.19.0 updates the following components:

1. Handlebars
CVE-2019-19919
Severity: Critical

2. Underscore
CVE-2021-23358
Severity: High

3. Apache FOP
CVE-2017-5661
Severity: High

4. Bootstrap
CVE-2019-8331, CVE-2018-20676, CVE-2018-20677, CVE-2018-14040, CVE-2018-14042,
CVE-2016-10735
Highest Severity: Medium

5. PHP
CVE-2019-11041, CVE-2019-11042, CVE-2019-11043, CVE-2019-11044, CVE-2019-11045,
CVE-2019-11046, CVE-2019-11047, CVE-2019-11048, CVE-2019-11049, CVE-2019-11050,
CVE-2020-7059, CVE-2020-7060, CVE-2020-7061, CVE-2020-7062, CVE-2020-7063,
CVE-2020-7064, CVE-2020-7065, CVE-2020-7066, CVE-2020-7067, CVE-2020-7068,
CVE-2020-7069, CVE-2020-7070, CVE-2020-7071, CVE-2021-21702, CVE-2021-21704,
CVE-2021-21705
Highest Severity: Critical

6. sqlite
CVE-2019-16168, CVE-2019-19645, CVE-2019-19646, CVE-2020-11655, CVE-2020-11656,
CVE-2020-13434, CVE-2020-13435, CVE-2020-13630, CVE-2020-13631, CVE-2020-13632,
CVE-2020-15358
Highest Severity: Critical

7. SimpleSAMLPHP
CVE-2020-11022
Severity: Medium

Solution

Tenable has released Tenable.sc 5.19.0 to address these issues. The
installation files can be obtained from the Tenable Downloads Portal
( https://www.tenable.com/downloads/tenable-sc ).

Additional References

https://docs.tenable.com/tenablesc/5_19/Content/Welcome.htm
https://docs.tenable.com/releasenotes/Content/tenablesc/tenablesc5190.htm

This page contains information regarding security vulnerabilities that may
impact Tenable's products. This may include issues specific to our software, or
due to the use of third-party libraries within our software. Tenable strongly
encourages users to ensure that they upgrade or apply relevant patches in a
timely manner.

Tenable takes product security very seriously. If you believe you have found a
vulnerability in one of our products, we ask that you please work with us to
quickly resolve it in order to protect customers. Tenable believes in
responding quickly to such reports, maintaining communication with researchers,
and providing a solution in short order.

For more details on submitting vulnerability information, please see our 
Vulnerability Reporting Guidelines page.

If you have questions or corrections about this advisory, please email  

Risk Information

CVE ID: CVE-2019-19919, CVE-2021-23358, CVE-2017-5661,
CVE-2019-8331, CVE-2018-20676, CVE-2018-20677, CVE-2018-14040,
CVE-2018-14042, CVE-2016-10735,
CVE-2019-11041, CVE-2019-11042, CVE-2019-11043, CVE-2019-11044,
CVE-2019-11045, CVE-2019-11046, CVE-2019-11047, CVE-2019-11048,
CVE-2019-11049, CVE-2019-11050, CVE-2020-7059, CVE-2020-7060,
CVE-2020-7061, CVE-2020-7062, CVE-2020-7063, CVE-2020-7064,
CVE-2020-7065, CVE-2020-7066, CVE-2020-7067, CVE-2020-7068,
CVE-2020-7069, CVE-2020-7070, CVE-2020-7071, CVE-2021-21702,
CVE-2021-21704, CVE-2021-21705,
CVE-2019-16168, CVE-2019-19645, CVE-2019-19646, CVE-2020-11655,
CVE-2020-11656, CVE-2020-13434, CVE-2020-13435, CVE-2020-13630,
CVE-2020-13631, CVE-2020-13632, CVE-2020-15358,
CVE-2020-11022
Tenable Advisory ID:
TNS-2021-14
Risk Factor:
Critical
CVSSv3 Base / Temporal Score:
9.8 / 8.5
CVSSv3 Vector:
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C

Affected Products

Tenable.sc versions 5.18.0 and earlier
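To turn the numbered component list above and the "Tenable.sc versions 5.18.0 and earlier" statement into something an operator can actually run against an inventory, here is an added Python example. It is not code from Tenable or AusCERT. It parses the advisory's own "N. Component / CVE list / Severity:" layout (the embedded text is copied from the component sections of this bulletin), compares an installed version against the fixed version 5.19.0 named in the Solution section, and reports which components from a constructed local inventory are covered by the advisory. The inventory names and the version strings passed to it are constructed for illustration.

```python
import re
from dataclasses import dataclass, field

# Component list copied from TNS-2021-14 as redistributed above (same layout).
ADVISORY_TEXT = """\
1. Handlebars
CVE-2019-19919
Severity: Critical

2. Underscore
CVE-2021-23358
Severity: High

3. Apache FOP
CVE-2017-5661
Severity: High

4. Bootstrap
CVE-2019-8331, CVE-2018-20676, CVE-2018-20677, CVE-2018-14040, CVE-2018-14042,
CVE-2016-10735
Highest Severity: Medium

5. PHP
CVE-2019-11041, CVE-2019-11042, CVE-2019-11043, CVE-2019-11044, CVE-2019-11045,
CVE-2019-11046, CVE-2019-11047, CVE-2019-11048, CVE-2019-11049, CVE-2019-11050,
CVE-2020-7059, CVE-2020-7060, CVE-2020-7061, CVE-2020-7062, CVE-2020-7063,
CVE-2020-7064, CVE-2020-7065, CVE-2020-7066, CVE-2020-7067, CVE-2020-7068,
CVE-2020-7069, CVE-2020-7070, CVE-2020-7071, CVE-2021-21702, CVE-2021-21704,
CVE-2021-21705
Highest Severity: Critical

6. sqlite
CVE-2019-16168, CVE-2019-19645, CVE-2019-19646, CVE-2020-11655, CVE-2020-11656,
CVE-2020-13434, CVE-2020-13435, CVE-2020-13630, CVE-2020-13631, CVE-2020-13632,
CVE-2020-15358
Highest Severity: Critical

7. SimpleSAMLPHP
CVE-2020-11022
Severity: Medium
"""

FIXED_VERSION = "5.19.0"  # from the Solution section of the advisory

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")
HEADER_RE = re.compile(r"^\d+\.\s+(.+?)\s*$")          # "4. Bootstrap"
SEVERITY_RE = re.compile(r"^(?:Highest\s+)?Severity:\s*(\w+)\s*$", re.IGNORECASE)


@dataclass
class Component:
    name: str
    cves: list = field(default_factory=list)
    severity: str = "Unknown"


def parse_components(text=ADVISORY_TEXT):
    """Parse the advisory's numbered component blocks into Component records."""
    components, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = HEADER_RE.match(line)
        if header:
            current = Component(name=header.group(1))
            components.append(current)
            continue
        if current is None:
            continue                      # text before the first component
        sev = SEVERITY_RE.match(line)
        if sev:
            current.severity = sev.group(1).capitalize()
            continue
        current.cves.extend(CVE_RE.findall(line))   # CVE lines may wrap
    return components


def parse_version(version):
    # Compare as integer tuples: a plain string compare would put "5.9.0" after "5.19.0".
    return tuple(int(part) for part in version.strip().split("."))


def is_affected(installed, fixed=FIXED_VERSION):
    """True when the installed Tenable.sc release is below the fixed release."""
    return parse_version(installed) < parse_version(fixed)


def triage(installed_version, inventory, text=ADVISORY_TEXT):
    """Components from the advisory that also appear in a (constructed) local inventory."""
    if not is_affected(installed_version):
        return []
    wanted = {name.lower() for name in inventory}
    return [c for c in parse_components(text) if c.name.lower() in wanted]


if __name__ == "__main__":
    # Constructed inventory of bundled libraries an operator might track locally.
    for comp in triage("5.18.0", ["bootstrap", "php", "jquery"]):
        print(f"{comp.name}: {comp.severity}, {len(comp.cves)} CVEs")
```

The version comparison is the part most often done wrong in ad hoc scripts: tuple comparison orders 5.9.x below 5.19.0, while a string compare would not. The parser tolerates wrapped CVE lines and both "Severity:" and "Highest Severity:" labels, which is all the layout of this bulletin needs; a differently formatted vendor page would need its own header and severity patterns.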

Advisory Timeline

2021-07-22 - [R1] Initial Release

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----