VARIoT IoT vulnerabilities database

Unauthorized access may be allowed by the SCP11 Crypto Services TA will processing commands from other TA in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer Electronics Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile and Snapdragon Voice & Music in versions MDM9607, MDM9650, MDM9655, MSM8996AU, SD 210/SD 212/SD 205, SD 410/12, SD 425, SD 427, SD 430, SD 435, SD 439 / SD 429, SD 450, SD 615/16/SD 415, SD 625, SD 632, SD 650/52, SD 820, SD 820A, SD 835, SD 8CX, SDM439, Snapdragon_High_Med_2016. plural Snapdragon The product contains vulnerabilities related to authorization, permissions, and access control.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. Qualcomm Closed-Source Components are prone to multiple unspecified vulnerabilities. An attacker can exploit these issues to perform unauthorized actions. This may aid in further attacks. These issues are being tracked by Android Bug IDs A-111092812, A-111093241 and A-117119136. Qualcomm MDM9607, etc. are the central processing unit (CPU) products of Qualcomm (Qualcomm) for different platforms. Cyrpto Services is one of the encryption service components. Permission and access control vulnerabilities exist in Cyrpto Services in several Qualcomm products. The following products are affected: Qualcomm MDM9607; MDM9650; MDM9655; MSM8996AU; SD 210; SD 212; SD 205; SD 615/16; SD 415; SD 625; SD 632; SD 650/52; SD 820; SD 820A; SD 835; SD 8CX; SDM439; Snapdragon_High_Med_2016

Apache Thrift Java client library versions 0.5.0 through 0.11.0 can bypass SASL negotiation isComplete validation in the org.apache.thrift.transport.TSaslTransport class. An assert used to determine if the SASL handshake had successfully completed could be disabled in production settings making the validation incomplete. Apache Thrift Contains an input validation vulnerability.Information may be tampered with. Apache Thrift is prone to a security-bypass vulnerability. Successful exploits may allow an attacker to bypass certain security restrictions and to perform unauthorized actions; this may aid in launching further attacks. Apache Thrift versions 0.5.0 through 0.11.0 are vulnerable. The Java client library is one of the client libraries. Attackers can exploit this vulnerability to bypass security detection. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ==================================================================== Red Hat Security Advisory Synopsis: Important: Red Hat Fuse 7.4.0 security update Advisory ID: RHSA-2019:2413-01 Product: Red Hat JBoss Fuse Advisory URL: https://access.redhat.com/errata/RHSA-2019:2413 Issue date: 2019-08-08 CVE Names: CVE-2016-10750 CVE-2018-1258 CVE-2018-1320 CVE-2018-8088 CVE-2018-10899 CVE-2018-15758 CVE-2019-0192 CVE-2019-3805 ==================================================================== 1. Summary: A minor version update (from 7.3 to 7.4) is now available for Red Hat Fuse. The purpose of this text-only errata is to inform you about the security issues fixed in this release. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Description: This release of Red Hat Fuse 7.4.0 serves as a replacement for Red Hat Fuse 7.3, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References. Security Fix(es): * hazelcast: java deserialization in join cluster procedure leading to remote code execution (CVE-2016-10750) * slf4j: Deserialisation vulnerability in EventData constructor can allow for arbitrary code execution (CVE-2018-8088) * jolokia: system-wide CSRF that could lead to Remote Code Execution (CVE-2018-10899) * spring-security-oauth: Privilege escalation by manipulating saved authorization request (CVE-2018-15758) * solr: remote code execution due to unsafe deserialization (CVE-2019-0192) * thrift: SASL negotiation isComplete validation bypass in the org.apache.thrift.transport.TSaslTransport class (CVE-2018-1320) * spring-security-core: Unauthorized Access with Spring Security Method Security (CVE-2018-1258) * wildfly: Race condition on PID file allows for termination of arbitrary processes by local users (CVE-2019-3805) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section. 3. Solution: Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on. Installation instructions are available from the Fuse 7.4.0 product documentation page: https://access.redhat.com/documentation/en-us/red_hat_fuse/7.4/ 4. Bugs fixed (https://bugzilla.redhat.com/): 1548909 - CVE-2018-8088 slf4j: Deserialisation vulnerability in EventData constructor can allow for arbitrary code execution 1578582 - CVE-2018-1258 spring-security-core: Unauthorized Access with Spring Security Method Security 1601037 - CVE-2018-10899 jolokia: system-wide CSRF that could lead to Remote Code Execution 1643048 - CVE-2018-15758 spring-security-oauth: Privilege escalation by manipulating saved authorization request 1660263 - CVE-2019-3805 wildfly: Race condition on PID file allows for termination of arbitrary processes by local users 1667204 - CVE-2018-1320 thrift: SASL negotiation isComplete validation bypass in the org.apache.thrift.transport.TSaslTransport class 1692345 - CVE-2019-0192 solr: remote code execution due to unsafe deserialization 1713215 - CVE-2016-10750 hazelcast: java deserialization in join cluster procedure leading to remote code execution 5. References: https://access.redhat.com/security/cve/CVE-2016-10750 https://access.redhat.com/security/cve/CVE-2018-1258 https://access.redhat.com/security/cve/CVE-2018-1320 https://access.redhat.com/security/cve/CVE-2018-8088 https://access.redhat.com/security/cve/CVE-2018-10899 https://access.redhat.com/security/cve/CVE-2018-15758 https://access.redhat.com/security/cve/CVE-2019-0192 https://access.redhat.com/security/cve/CVE-2019-3805 https://access.redhat.com/security/updates/classification/#important https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=jboss.fuse&version=7.4.0 https://access.redhat.com/documentation/en-us/red_hat_fuse/7.4/ 6. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2019 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBXUv0xNzjgjWX9erEAQhCzRAAjdpuIeE+WhWxaZpzsfh333p6RXGKoB8g 4BGVD7yZjSNoPmRzkSuaNUTT0wYZdRLSNeYK1FvxqZlTBesHbe3IV80gDNiV2vad VzwNYukUoa6s8hdzKY/zCKwhuZ5cWkk+FLjFAPEfZt2Typ3kyYPnK/RxNnzfeSgc 90xh60LImUIJK/hGyOL40z8pGFbG404TJbdezYnQt0/l0NBGxPqBGOHnIgpZhAgw gNMEglpIrxap4UzwSEzA5tmjRUDHeUBpsUpKsez5XL2ECssqrRyK8Hj/KeacnARF Mnvf4U/lIOamD6Tles8IAFo/kexW+OxKiHbivOFutraLdEXysgkK8Uf5EQqYKW9+ 7OgEuyMxUi5Pbj4kL666iBp5oV95gEHm2zcQEbn65BFJ3nomb5nReHh5t7G0AqHy GYj9dlx84+UG0Fr717Vi586KwtCu6rgdZJS25+0kSCeZk/cowYLW09G+j/+Jk3yg N/uUfoxqmC/A+SyupFh1A9XZg7oZhkB+Qwo6D2+BejiwXsD8Jv4uzrI7U7+Lg/YK UFa2oqArMKNrF0zf9152lqCEpOL8dCO3X8RcB8LmQcapmr1MYGB+18oNT4o3JcY3 Aa1hoi5+2gGgR7HHuqTsxnDXYPtgqR9CMylc5gmYsMFK5W3sNX8Z/qazoH3fIVtu NNAto03aZgE=rpUB -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://www.redhat.com/mailman/listinfo/rhsa-announce

Vtiger CRM 7.1.0 before Hotfix2 allows uploading files with the extension "php3" in the logo upload field, if the uploaded file is in PNG format and has a size of 150x40. One can put PHP code into the image; PHP code can be executed using "<? ?>" tags, as demonstrated by a CompanyDetailsSave action. This bypasses the bad-file-extensions protection mechanism. It is related to actions/CompanyDetailsSave.php, actions/UpdateCompanyLogo.php, and models/CompanyDetails.php. Vtiger CRM Contains a vulnerability related to unlimited uploads of dangerous types of files.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. Vtiger CRM is a customer relationship management system (CRM) based on SugarCRM developed by American Vtiger Company. The management system provides functions such as management, collection, and analysis of customer information. There are security vulnerabilities in the actions/CompanyDetailsSave.php file, actions/UpdateCompanyLogo.php file, and models/CompanyDetails.php file in versions prior to Vtiger CRM 7.1.0 Hotfix2

Cross-site scripting in event_script.js in VIVOTEK Network Camera Series products with firmware 0x06x to 0x08x allows remote attackers to execute arbitrary JavaScript via a URL query string parameter. VIVOTEKNetworkCameraSeries is a series of network camera products from China VIVOTEK. A cross-site scripting vulnerability exists in the event_script.js file in the VIVOTEKNetworkCamera family of products from 0x06x to 0x08x

Incorrect Access Control in mod_inetd.cgi in VIVOTEK Network Camera Series products with firmware before XXXXXX-VVTK-0X09a allows remote attackers to enable arbitrary system services via a URL parameter. VIVOTEK Network Camera Series is a series of network camera products of VIVOTEK Corporation in China

Cross-site scripting in syslog.html in VIVOTEK Network Camera Series products with firmware 0x06x to 0x08x allows remote attackers to execute arbitrary JavaScript code via an HTTP Referer Header. VIVOTEKNetworkCameraSeries is a series of network camera products from China VIVOTEK

WebUploader is a simple modern file uploading component developed by Baidu WebFE (FEX) team. It is mainly based on HTML5 and supplemented by FLASH. A file upload vulnerability exists in the Baidu WebUploader component. This vulnerability is caused by the WebUploader component upload page's lax filtering of file types or file extensions. Attackers can use the vulnerability to upload directly or simply bypass the upload upload script file, execute system commands, and obtain website server permissions.

LJ1680 Home Edition is a black and white laser printer with a black and white print speed of 16ppm and a maximum resolution of 1200x1200dpi. Lenovo LJ1680 Home Edition (Win7 64bit) has a memory corruption vulnerability. The vulnerability is due to the SSPORT.sys driver failing to properly check input parameters when processing IO request 0x9C402408. An attacker could exploit the vulnerability to cause memory write corruption and cause the operating system to crash.

The admin web interface on Technicolor MediaAccess TG789vac v2 HP devices with firmware v16.3.7190-2761005-20161004084353 displays unsanitised user input, which allows an unauthenticated malicious user to embed JavaScript into the Log viewer interface via a crafted HTTP Referer header, aka XSS. Technicolor MediaAccess TG789vac v2 HP The device contains a cross-site scripting vulnerability.Information may be obtained and information may be altered. TechnicolorMediaAccessTG789vacv2HP is a gateway device of the French Technicolor group. A cross-site scripting vulnerability exists in the adminweb interface of the TechnicolorMediaAccess TG789vacv2HP device using firmware version 16.3.7190-2761005-20161004084353. A remote attacker can exploit this vulnerability to inject JavaScript code into the Logviewer interface with a specially crafted HTTPReferer header

The web application on Xerox AltaLink B80xx before 100.008.028.05200, C8030/C8035 before 100.001.028.05200, C8045/C8055 before 100.002.028.05200, and C8070 before 100.003.028.05200 allows unauthenticated command injection. plural Xerox AltaLink The product contains a command injection vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. FujiXeroxAltaLinkB80xx and others are all multi-function printer devices from Fuji Xerox. There are currently no detailed details of the vulnerability provided

EPON CPE-WiFi devices 2.0.4-X000 are vulnerable to escalation of privileges by sending cooLogin=1, cooUser=admin, and timestamp=-1 cookies. EPON CPE-WiFi Devices have vulnerabilities related to authorization, permissions, and access control.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. EPON CPE-WiFi is a wireless router

do_core_note in readelf.c in libmagic.a in file 5.35 has an out-of-bounds read because memcpy is misused. file Contains an out-of-bounds vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. file is prone to an information-disclosure vulnerability. Attackers can exploit this issue to obtain sensitive information that may aid in further attacks. Failed exploit attempts will likely result in denial-of-service conditions. file 5.35 is vulnerable; other versions may also be affected. file is a set of command-line tools used in Unix-like to view file information. The vulnerability stems from the fact that the memory copy function is not used correctly. Currently there is no information about this vulnerability, please keep an eye on CNNVD or vendor announcements. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 [slackware-security] file (SSA:2019-054-01) New file packages are available for Slackware 14.0, 14.1, 14.2, and -current to fix security issues. Here are the details from the Slackware 14.2 ChangeLog: +--------------------------+ patches/packages/file-5.36-i586-1_slack14.2.txz: Upgraded. Fix out-of-bounds read and denial-of-service security issues: For more information, see: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8906 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8907 (* Security fix *) +--------------------------+ Where to find the new packages: +-----------------------------+ Thanks to the friendly folks at the OSU Open Source Lab (http://osuosl.org) for donating FTP and rsync hosting to the Slackware project! :-) Also see the "Get Slack" section on http://slackware.com for additional mirror sites near you. Updated package for Slackware 14.0: ftp://ftp.slackware.com/pub/slackware/slackware-14.0/patches/packages/file-5.36-i486-1_slack14.0.txz Updated package for Slackware x86_64 14.0: ftp://ftp.slackware.com/pub/slackware/slackware64-14.0/patches/packages/file-5.36-x86_64-1_slack14.0.txz Updated package for Slackware 14.1: ftp://ftp.slackware.com/pub/slackware/slackware-14.1/patches/packages/file-5.36-i486-1_slack14.1.txz Updated package for Slackware x86_64 14.1: ftp://ftp.slackware.com/pub/slackware/slackware64-14.1/patches/packages/file-5.36-x86_64-1_slack14.1.txz Updated package for Slackware 14.2: ftp://ftp.slackware.com/pub/slackware/slackware-14.2/patches/packages/file-5.36-i586-1_slack14.2.txz Updated package for Slackware x86_64 14.2: ftp://ftp.slackware.com/pub/slackware/slackware64-14.2/patches/packages/file-5.36-x86_64-1_slack14.2.txz Updated package for Slackware -current: ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/a/file-5.36-i586-1.txz Updated package for Slackware x86_64 -current: ftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/a/file-5.36-x86_64-1.txz MD5 signatures: +-------------+ Slackware 14.0 package: d774a800d99acb0ad52f312ed83a072f file-5.36-i486-1_slack14.0.txz Slackware x86_64 14.0 package: 7be0a75f9f31f23b9c38b7ebf0192961 file-5.36-x86_64-1_slack14.0.txz Slackware 14.1 package: 0ec7575d2786bb8c8abe7b568cab262f file-5.36-i486-1_slack14.1.txz Slackware x86_64 14.1 package: ca23033d9beedda72c0793b796ad10b2 file-5.36-x86_64-1_slack14.1.txz Slackware 14.2 package: 4dfa9268d6415052d99681543a884227 file-5.36-i586-1_slack14.2.txz Slackware x86_64 14.2 package: 2e26d570e7b3c957155905b9150b1af0 file-5.36-x86_64-1_slack14.2.txz Slackware -current package: 039ec7588178a2026e77bd96d2c98552 a/file-5.36-i586-1.txz Slackware x86_64 -current package: 20d07d173c3a2314eabe27620f662195 a/file-5.36-x86_64-1.txz Installation instructions: +------------------------+ Upgrade the package as root: # upgradepkg file-5.36-i586-1_slack14.2.txz +-----+ Slackware Linux Security Team http://slackware.com/gpg-key security@slackware.com +------------------------------------------------------------------------+ | To leave the slackware-security mailing list: | +------------------------------------------------------------------------+ | Send an email to majordomo@slackware.com with this text in the body of | | the email message: | | | | unsubscribe slackware-security | | | | You will get a confirmation message back containing instructions to | | complete the process. Please do not reply to this email address. | +------------------------------------------------------------------------+ -----BEGIN PGP SIGNATURE----- iEYEARECAAYFAlxxohgACgkQakRjwEAQIjM9ygCdHLmg1G9oSJsutsUaVk2G2kN1 Xa4AoI+VR7MyhQxXRJ1DRDb6HPDSm0Ld EIS -----END PGP SIGNATURE-----

An issue was discovered on August Connect devices. Insecure data transfer between the August app and August Connect during configuration allows attackers to discover home Wi-Fi credentials. This data transfer uses an unencrypted access point for these credentials, and passes them in an HTTP POST, using the AugustWifiDevice class, with data encrypted with a fixed key found obfuscated in the app. August Connect The device contains an information disclosure vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. August Connect is a bridge device that supports Wi-Fi and Smart Lock connections. An attacker could use this vulnerability to obtain home Wi-Fi credentials

On D-Link DIR-818LW Rev.A 2.05.B03 and DIR-860L Rev.B 2.03.B03 devices, unauthenticated remote OS command execution can occur in the soap.cgi service of the cgibin binary via an "&&" substring in the service parameter. NOTE: this issue exists because of an incomplete fix for CVE-2018-6530. D-Link DIR-818LW and DIR-860L The device includes OS A command injection vulnerability exists. This vulnerability CVE-2018-6530 This is due to an incomplete fix for.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. D-LinkDIR-818LWRev.A and DIR-860LRev.B are both D-Link wireless router products

The demangle_template function in cplus-dem.c in GNU libiberty, as distributed in GNU Binutils 2.31.1, has a memory leak via a crafted string, leading to a denial of service (memory consumption), as demonstrated by cxxfilt, a related issue to CVE-2018-12698. GNU Binutils Contains a resource management vulnerability. This vulnerability CVE-2018-12698 Vulnerability associated with.Service operation interruption (DoS) There is a possibility of being put into a state. Attackers can exploit this issue to cause denial-of-service condition, denying service to legitimate users. Archive tools. GNU libiberty is a collection of subroutines used by one of the GNU programs. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ===================================================================== Red Hat Security Advisory Synopsis: Low: gdb security, bug fix, and enhancement update Advisory ID: RHSA-2019:3352-01 Product: Red Hat Enterprise Linux Advisory URL: https://access.redhat.com/errata/RHSA-2019:3352 Issue date: 2019-11-05 CVE Names: CVE-2018-20657 ===================================================================== 1. Summary: An update for gdb is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: Red Hat Enterprise Linux AppStream (v. 8) - aarch64, noarch, ppc64le, s390x, x86_64 3. Description: The GNU Debugger (GDB) allows users to debug programs written in various programming languages including C, C++, and Fortran. Security Fix(es): * libiberty: Memory leak in demangle_template function resulting in a denial of service (CVE-2018-20657) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes: For detailed information on changes in this release, see the Red Hat Enterprise Linux 8.1 Release Notes linked from the References section. 4. Solution: For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 5. Package List: Red Hat Enterprise Linux AppStream (v. 8): Source: gdb-8.2-6.el8.src.rpm aarch64: gdb-8.2-6.el8.aarch64.rpm gdb-debuginfo-8.2-6.el8.aarch64.rpm gdb-debugsource-8.2-6.el8.aarch64.rpm gdb-gdbserver-8.2-6.el8.aarch64.rpm gdb-headless-8.2-6.el8.aarch64.rpm noarch: gdb-doc-8.2-6.el8.noarch.rpm ppc64le: gdb-8.2-6.el8.ppc64le.rpm gdb-debuginfo-8.2-6.el8.ppc64le.rpm gdb-debugsource-8.2-6.el8.ppc64le.rpm gdb-gdbserver-8.2-6.el8.ppc64le.rpm gdb-headless-8.2-6.el8.ppc64le.rpm s390x: gdb-8.2-6.el8.s390x.rpm gdb-debuginfo-8.2-6.el8.s390x.rpm gdb-debugsource-8.2-6.el8.s390x.rpm gdb-gdbserver-8.2-6.el8.s390x.rpm gdb-headless-8.2-6.el8.s390x.rpm x86_64: gdb-8.2-6.el8.x86_64.rpm gdb-debuginfo-8.2-6.el8.x86_64.rpm gdb-debugsource-8.2-6.el8.x86_64.rpm gdb-gdbserver-8.2-6.el8.x86_64.rpm gdb-headless-8.2-6.el8.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2018-20657 https://access.redhat.com/security/updates/classification/#low https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/8.1_release_notes/ 8. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2019 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBXcHrINzjgjWX9erEAQi+BRAApZdXPJJ26zUlJTvuQukcZEph27vRQB/d jQIODuXd1gftbKvUKpiPkMzt7mBMNZx1uwM+QGlxswbA8G72XqEhK8YfjnhuphfA svSWZJ9I98YWclkZuuFwK4jzmDfpnGjbmlSTDee7yIhJVLptGU/kLDbE88ZoNe1j HWbRoW6BGYUSR8/G+boDYRlyGK4qjdK13mwveieJCJ+8Ahd2fXkHQR6lyYX1g6OI qwW6UyTh6M2NJehlkq71YWpDtxi1lJDw126gMxBknd76DP5qTANUwLrbqJuim8t0 Vrw5k6QxZSXHjCDkHg227RwrZ7vt/NdsO3GGTWi4ScxrX6XWMITB3bpOZB74T8B2 GXkAoW/stnDezwMFgJAg1IeDvSDtY7Q//GT27fLPEXO7vQXsgkIqhJUPaFlIds3t PhdY3rBRt3H55QRS+m+P9+yVO8PRaOLDZnTLR360N849uT7HbXqlHhptBuSvO0+t dKkO0uSLcRVhm7A+cnBVsRMFnOMOLHpzXMYOZy4EhRN73YKscW4DDIJscFx/Dzcs uqDOgHLUTUctXw8MAK+eIR+408CbxTMgCh0e08TL9lLsDFPUvPRh6ztYMvTLlTiQ JlxBtFxuumruXU7wUutceMzO9naY0gzeHo0ZsaPzQ86a4H1t1q91Q+UAIkxKhR/4 DlNm9fiTI8c= =hzsQ -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://www.redhat.com/mailman/listinfo/rhsa-announce . Description: Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. Security Fix(es): * golang.org/x/crypto: Processing of crafted ssh-ed25519 public keys allows for panic (CVE-2020-9283) * SSL/TLS: CBC padding timing attack (lucky-13) (CVE-2013-0169) * grafana: XSS vulnerability via a column style on the "Dashboard > Table Panel" screen (CVE-2018-18624) * js-jquery: prototype pollution in object's prototype leading to denial of service or remote code execution or property injection (CVE-2019-11358) * npm-serialize-javascript: XSS via unsafe characters in serialized regular expressions (CVE-2019-16769) * kibana: Prototype pollution in TSVB could result in arbitrary code execution (ESA-2020-06) (CVE-2020-7013) * nodejs-minimist: prototype pollution allows adding or modifying properties of Object.prototype using a constructor or __proto__ payload (CVE-2020-7598) * npmjs-websocket-extensions: ReDoS vulnerability in Sec-WebSocket-Extensions parser (CVE-2020-7662) * nodejs-lodash: prototype pollution in zipObjectDeep function (CVE-2020-8203) * jquery: Cross-site scripting due to improper injQuery.htmlPrefilter method (CVE-2020-11022) * jQuery: passing HTML containing <option> elements to manipulation methods could result in untrusted code execution (CVE-2020-11023) * grafana: stored XSS (CVE-2020-11110) * grafana: XSS annotation popup vulnerability (CVE-2020-12052) * grafana: XSS via column.title or cellLinkTooltip (CVE-2020-12245) * nodejs-elliptic: improper encoding checks allows a certain degree of signature malleability in ECDSA signatures (CVE-2020-13822) * golang.org/x/text: possibility to trigger an infinite loop in encoding/unicode could lead to crash (CVE-2020-14040) * nodejs-ajv: prototype pollution via crafted JSON schema in ajv.validate function (CVE-2020-15366) * openshift/console: text injection on error page via crafted url (CVE-2020-10715) * kibana: X-Frame-Option not set by default might lead to clickjacking (CVE-2020-10743) * openshift: restricted SCC allows pods to craft custom network packets (CVE-2020-14336) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Solution: For OpenShift Container Platform 4.6 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update: https://docs.openshift.com/container-platform/4.6/release_notes/ocp-4-6-rel ease-notes.html Details on how to access this content are available at https://docs.openshift.com/container-platform/4.6/updating/updating-cluster - -cli.html. Bugs fixed (https://bugzilla.redhat.com/): 907589 - CVE-2013-0169 SSL/TLS: CBC padding timing attack (lucky-13) 1701972 - CVE-2019-11358 jquery: Prototype pollution in object's prototype leading to denial of service, remote code execution, or property injection 1767665 - CVE-2020-10715 openshift/console: text injection on error page via crafted url 1804533 - CVE-2020-9283 golang.org/x/crypto: Processing of crafted ssh-ed25519 public keys allows for panic 1813344 - CVE-2020-7598 nodejs-minimist: prototype pollution allows adding or modifying properties of Object.prototype using a constructor or __proto__ payload 1828406 - CVE-2020-11022 jquery: Cross-site scripting due to improper injQuery.htmlPrefilter method 1834550 - CVE-2020-10743 kibana: X-Frame-Option not set by default might lead to clickjacking 1845982 - CVE-2020-7662 npmjs-websocket-extensions: ReDoS vulnerability in Sec-WebSocket-Extensions parser 1848089 - CVE-2020-12052 grafana: XSS annotation popup vulnerability 1848092 - CVE-2019-16769 npm-serialize-javascript: XSS via unsafe characters in serialized regular expressions 1848643 - CVE-2020-12245 grafana: XSS via column.title or cellLinkTooltip 1848647 - CVE-2020-13822 nodejs-elliptic: improper encoding checks allows a certain degree of signature malleability in ECDSA signatures 1849044 - CVE-2020-7013 kibana: Prototype pollution in TSVB could result in arbitrary code execution (ESA-2020-06) 1850004 - CVE-2020-11023 jquery: Passing HTML containing <option> elements to manipulation methods could result in untrusted code execution 1850572 - CVE-2018-18624 grafana: XSS vulnerability via a column style on the "Dashboard > Table Panel" screen 1853652 - CVE-2020-14040 golang.org/x/text: possibility to trigger an infinite loop in encoding/unicode could lead to crash 1857412 - CVE-2020-8203 nodejs-lodash: prototype pollution in zipObjectDeep function 1857977 - CVE-2020-15366 nodejs-ajv: prototype pollution via crafted JSON schema in ajv.validate function 1858981 - CVE-2020-14336 openshift: restricted SCC allows pods to craft custom network packets 1861044 - CVE-2020-11110 grafana: stored XSS 1874671 - CVE-2020-14336 ose-machine-config-operator-container: openshift: restricted SCC allows pods to craft custom network packets [openshift-4] 5

A Malformed h2 frame can cause 'std::out_of_range' exception when parsing priority meta data. This behavior can lead to denial-of-service. This affects all supported versions of HHVM (3.25.2, 3.24.6, and 3.21.10 and below) when using the proxygen server to handle HTTP2 requests. HHVM Contains an input validation vulnerability.Service operation interruption (DoS) There is a possibility of being put into a state. Facebook HHVM (also known as HipHop Virtual Machine) is a virtual machine that can significantly improve the performance of PHP loading dynamic pages. There are security vulnerabilities in Facebook HHVM 3.25.2 and earlier, 3.24.6 and earlier, and 3.21.10 and earlier. An attacker could use this vulnerability to cause a denial of service

Multipart-file uploads call variables to be improperly registered in the global scope. In cases where variables are not declared explicitly before being used this can lead to unexpected behavior. This affects all supported versions of HHVM prior to the patch (3.25.1, 3.24.5, and 3.21.9 and below). HHVM Contains an input validation vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. Facebook HHVM (also known as HipHop Virtual Machine) is a virtual machine that can significantly improve the performance of PHP loading dynamic pages. There are security vulnerabilities in Facebook HHVM 3.25.1 and earlier, 3.24.5 and earlier, and 3.21.9 and earlier. No detailed vulnerability details are provided at this time

The TK_set_deviceModel_req_handle function in the cloud communication component in Guardzilla GZ621W devices with firmware 0.5.1.4 has a Buffer Overflow. Guardzilla GZ621W The device firmware contains a buffer error vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. The Guardzilla GZ621W is a home security surveillance camera. A remote attacker could exploit the vulnerability to execute code

The remote upgrade feature in Guardzilla GZ180 devices allow command injection via a crafted new firmware version parameter. Guardzilla GZ180 The device contains a command injection vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. The Guardzilla GZ180 is a home security surveillance camera

Contiki-NG before 4.2 has a stack-based buffer overflow in the push function in os/lib/json/jsonparse.c that allows an out-of-bounds write of an '{' or '[' character. Contiki-NG Contains a buffer error vulnerability.Tampering with information and disrupting service operations (DoS) There is a possibility of being put into a state. Contiki-NG is an open source cross-platform operating system for next-generation IoT devices. Attackers can use this vulnerability to cause a denial of service (application crash)