OpenVAS Security Advisory (OVSA20141128)
Date: 28th November 2014
Product: OpenVAS Manager < 4.0.6 and < 5.0.7
Vendor: OpenVAS <http://www.openvas.org/>
Risk: Medium, CVSS 6,8 (AV:N/AC:L/Au:S/C:C/I:N/A:N)
It has been identified that OpenVAS Manager is vulnerable to sql injections due to a improper handling of the timezone parameter in modify_schedule OMP command. It has been identified that this vulnerability may allow read-access via sql for authorized user account which have permission to modify schedule objects.
As of the 28th November, the state of the vulnerabilities is believed to be as follows. Patches have been supplied by Greenbone Networks which it successfully resolves this vulnerability. New releases of OpenVAS Manager for stable releases OpenVAS-6 and OpenVAS-7 also have been created which incorporate these patches.
OpenVAS recommends that the publicly available patches are applied. If building from source, then patches r21055 (for OpenVAS Manager 4.0.x of OpenVAS-6) or r21053 (for OpenVAS Manger 5.0.x of OpenVAS-7) should be obtained from the OpenVAS SVN repository. For trunk (beta status of OpenVAS-8, this was solved with r21051.
A fresh tarball containing the latest stable release of OpenVAS Manager 5.0 (OpenVAS-7) can be obtained from:
A fresh tarball containing the latest stable release of OpenVAS Manager 4.0 (OpenVAS-6) can be obtained from:
In the event that OpenVAS has been supplied as part of a distribution then the vendor or organisation concerned should be contacted for a patch.
On the 28th November 2014, Michael Eissele of Greenbone Networks reported the vulnerability. The same day, patches were applied, tarballs released and announcement published.
OpenVAS would like to thank Michael Eissele of Greenbone for the initial report.