Security Scan flagging several vulnerabilities in Aria Operations Master Pack builder 2.0 (24180955)

Article ID: 387701

Updated On:

Products

VMware Aria Suite

Issue/Introduction

A security scanner is flagging the following CVEs against MPB 2.0.

Note: the issue is not with Aria Operations 8.17.x or later, but with MPB 2.0.

CVE-2024-33599, CVE-2024-33600, CVE-2024-33601, CVE-2024-33602

Remote package installed : glibc-2.32-14.ph4
Should be                : glibc-2.32-18.ph4

Environment

Aria Operations 8.17.x and later

Master Pack Builder 2.0 (24180955) Latest release

Cause

The CVEs flagged as vulnerable by the security software pertain to the utility "nscd".

nscd is the Name Service Cache Daemon, which was introduced in glibc (a dependency of nscd).

Aria Operations and Master Pack Builder 2.0 do "not" include this nscd utility.

The vulnerabilities being flagged are specific to the older version of glibc (glibc-2.32-18.ph4), which is not exploitable on its own, only in conjunction with nscd.

glibc 2.32-14.ph4 is the release shipped with MPB 2.0.0 and is fine on its own, but not when combined with nscd.

Resolution

Make sure nscd is not installed on the node being scanned.
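
One way to verify this on a node, as an added example that is not part of the original article or of VMware's tooling: the function looks for nscd files under a root directory and, on the live system, for an installed RPM or a running process. The file paths and the RPM name match are assumptions based on the usual glibc and systemd layout.

```shell
#!/bin/sh
# Added example: report traces of nscd on a node or in an unpacked image root.
# Usage: nscd_findings            (live node, also checks RPM db and processes)
#        nscd_findings /mnt/root  (offline root, file checks only)
# The paths below are the usual glibc/systemd locations (assumption).

nscd_findings() {
    root="${1:-/}"
    root="${root%/}"      # "/" becomes "", "/mnt/root/" becomes "/mnt/root"
    found=0

    # 1. Files an nscd installation normally leaves behind.
    for path in usr/sbin/nscd usr/bin/nscd etc/nscd.conf \
                usr/lib/systemd/system/nscd.service \
                etc/systemd/system/nscd.service; do
        if [ -e "$root/$path" ] || [ -L "$root/$path" ]; then
            echo "FOUND file: $root/$path"
            found=1
        fi
    done

    # 2. Checks that only make sense on the running system.
    if [ -z "$root" ]; then
        # Any installed RPM whose name mentions nscd (exact name varies by distro).
        if command -v rpm >/dev/null 2>&1; then
            pkgs=$(rpm -qa 2>/dev/null | grep -i 'nscd' || true)
            if [ -n "$pkgs" ]; then
                echo "FOUND package: $pkgs"
                found=1
            fi
        fi
        # A running daemon, however it was installed.
        if command -v pgrep >/dev/null 2>&1 && pgrep -x nscd >/dev/null 2>&1; then
            echo "FOUND process: nscd is running"
            found=1
        fi
    fi

    if [ "$found" -eq 0 ]; then
        echo "OK: no nscd found under ${root:-/}"
    fi
    return "$found"   # 0 = clean, 1 = nscd present
}
```

A zero exit status means no trace of nscd was found; any `FOUND` line identifies what to remove before rescanning.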
