VARIoT IoT vulnerabilities database

A vulnerability in the web-based GUI of Cisco Integrated Management Controller (IMC) 3.0(1c) could allow an authenticated, remote attacker to execute arbitrary commands on an affected system. The vulnerability exists because the affected software does not sufficiently sanitize user-supplied HTTP input. An attacker could exploit this vulnerability by sending an HTTP POST request that contains crafted, deserialized user data to the affected software. A successful exploit could allow the attacker to execute arbitrary commands with root-level privileges on the affected system, which the attacker could use to conduct further attacks. Cisco Bug IDs: CSCvd14591. Vendors have confirmed this vulnerability Bug ID CSCvd14591 It is released as.Information is obtained, information is altered, and service operation is disrupted (DoS) An attack may be carried out

Zyxel WRE6505 devices have a default TELNET password of 1234 for the root and admin accounts, which makes it easier for remote attackers to conduct DNS hijacking attacks by reconfiguring the built-in dnshijacker process. Zyxel WRE6505 The device contains a certificate / password management vulnerability.Information is acquired, information is falsified, and denial of service (DoS) An attack could be made. The Zyxel WRE6505 is a wireless AC750 range extender. Remote attackers can exploit this vulnerability to implement DNS hijacking attacks

A vulnerability in the detection engine parsing of Pragmatic General Multicast (PGM) protocol packets for Cisco Firepower System Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition due to the Snort process unexpectedly restarting. The vulnerability is due to improper input validation of the fields in the PGM protocol packet. An attacker could exploit this vulnerability by sending a crafted PGM packet to the detection engine on the targeted device. An exploit could allow the attacker to cause a DoS condition if the Snort process restarts and traffic inspection is bypassed or traffic is dropped. This vulnerability affects Cisco Firepower System Software that has one or more file action policies configured and is running on any of the following Cisco products: Adaptive Security Appliance (ASA) 5500-X Series with FirePOWER Services; Adaptive Security Appliance (ASA) 5500-X Series Next-Generation Firewalls; Advanced Malware Protection (AMP) for Networks, 7000 Series Appliances; Advanced Malware Protection (AMP) for Networks, 8000 Series Appliances; Firepower 4100 Series Security Appliances; FirePOWER 7000 Series Appliances; FirePOWER 8000 Series Appliances; Firepower 9300 Series Security Appliances; FirePOWER Threat Defense for Integrated Services Routers (ISRs); Industrial Security Appliance 3000; Sourcefire 3D System Appliances; Virtual Next-Generation Intrusion Prevention System (NGIPSv) for VMware. Fixed versions: 5.4.0.10 5.4.1.9 6.0.1.3 6.1.0 6.2.0. Cisco Bug IDs: CSCuz00876. Cisco Firepower System The software contains a resource management vulnerability. Vendors have confirmed this vulnerability Bug ID CSCuz00876 It is released as.Service operation interruption (DoS) An attack may be carried out. are all products of Cisco (Cisco)

A vulnerability in the TCP normalizer of Cisco Adaptive Security Appliance (ASA) Software (8.0 through 8.7 and 9.0 through 9.6) and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to cause Cisco ASA and FTD to drop any further incoming traffic on all interfaces, resulting in a denial of service (DoS) condition. The vulnerability is due to improper limitation of the global out-of-order TCP queue for specific block sizes. An attacker could exploit this vulnerability by sending a large number of unique permitted TCP connections with out-of-order segments. An exploit could allow the attacker to exhaust available blocks in the global out-of-order TCP queue, causing the dropping of any further incoming traffic on all interfaces and resulting in a DoS condition. Cisco Bug IDs: CSCvb46321. Vendors have confirmed this vulnerability Bug ID CSCvb46321 It is released as.Service operation interruption (DoS) An attack may be carried out. An attacker can exploit this issue to cause denial-of-service conditions. The former is an operating system running on the firewall. The latter is a unified software suite that provides next-generation firewall services

A vulnerability in the Session Initiation Protocol (SIP) UDP throttling process of Cisco Unified Communications Manager (Cisco Unified CM) could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. The vulnerability is due to insufficient rate limiting protection. An attacker could exploit this vulnerability by sending the affected device a high rate of SIP messages. An exploit could allow the attacker to cause the device to reload unexpectedly. The device and services will restart automatically. This vulnerability affects Cisco Unified Communications Manager (CallManager) releases prior to the first fixed release; the following list indicates the first minor release that includes the fix for this vulnerability: 10.5.2.14900-16 11.0.1.23900-5 11.5.1.12900-2. Cisco Bug IDs: CSCuz72455. Cisco Unified Communications Manager (Cisco Unified CM) Contains a buffer error vulnerability. Vendors have confirmed this vulnerability Bug ID CSCuz72455 It is released as.Service operation interruption (DoS) An attack may be carried out. This component provides a scalable, distributed and highly available enterprise IP telephony call processing solution

Multiple vulnerabilities in the EnergyWise module of Cisco IOS (12.2 and 15.0 through 15.6) and Cisco IOS XE (3.2 through 3.18) could allow an unauthenticated, remote attacker to cause a buffer overflow condition or a reload of an affected device, leading to a denial of service (DoS) condition. These vulnerabilities are due to improper parsing of crafted EnergyWise packets destined to an affected device. An attacker could exploit these vulnerabilities by sending crafted EnergyWise packets to be processed by an affected device. An exploit could allow the attacker to cause a buffer overflow condition or a reload of the affected device, leading to a DoS condition. Cisco IOS Software and Cisco IOS XE Software support EnergyWise for IPv4 communication. Only IPv4 packets destined to a device configured as an EnergyWise domain member can trigger these vulnerabilities. IPv6 packets cannot be used to trigger these vulnerabilities. Cisco Bug ID CSCur29331. Vendors have confirmed this vulnerability Bug ID CSCur29331 It is released as.Service operation interruption (DoS) An attack may be carried out. EnergyWise is one of the energy management architecture modules

SEIL/x86 Fuji 1.70 to 5.62, SEIL/BPV4 5.00 to 5.62, SEIL/X1 1.30 to 5.62, SEIL/X2 1.30 to 5.62, SEIL/B1 1.00 to 5.62 allows remote attackers to cause a denial of service via specially crafted IPv4 UDP packets. The DNS forwarder, the PPP Access Concentrator (L2TP) and the Measure(iPerf server) function in SEIL Series routers provided by Internet Initiative Japan Inc. contain a denial-of-service (DoS) vulnerability due to a flaw in processing certain packets. Internet Initiative Japan Inc. reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. JPCERT/CC and Internet Initiative Japan Inc. coordinated under the Information Security Early Warning Partnership.Receiving a specially crafted SSTP packet may result in the device becoming unresponsive. The following products and versions are affected: SEIL/x86 Fuji versions 1.70 to 5.62, SEIL/BPV4 versions 5.00 to 5.62, SEIL/X1 versions 1.30 to 5.62, SEIL/X2 versions 1.30 to 5.62, SEIL/B1 versions 1.00 to 5.62

A Cross-Site Scripting vulnerability in Fortinet FortiGate 5.2.0 through 5.2.10 allows attacker to execute unauthorized code or commands via the srcintf parameter during Firewall Policy Creation. Fortinet FortiOS is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks. Fortinet FortiOS 5.2.0 through 5.2.10 are vulnerable. Fortinet FortiGate is a network security platform developed by Fortinet. The platform provides functions such as firewall, antivirus and intrusion prevention (IPS), application control, antispam, wireless controller and WAN acceleration

A Cross-Site Scripting vulnerability in Fortinet FortiWeb versions 5.7.1 and below allows attacker to execute unauthorized code or commands via an improperly sanitized POST parameter in the FortiWeb Site Publisher feature. Fortinet Fortiweb is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks. Fortinet Fortiweb versions prior to 5.7.1 are vulnerable

Vulnerability in the Primavera P6 Enterprise Project Portfolio Management component of Oracle Primavera Products Suite (subcomponent: Web Access). Supported versions that are affected are 8.3, 8.4, 15.1, 15.2, 16.1 and 16.2. Easily "exploitable" vulnerability allows unauthenticated attacker with network access via HTTP to compromise Primavera P6 Enterprise Project Portfolio Management. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Primavera P6 Enterprise Project Portfolio Management accessible data as well as unauthorized access to critical data or complete access to all Primavera P6 Enterprise Project Portfolio Management accessible data. CVSS 3.0 Base Score 8.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N). The vulnerability can be exploited over the 'HTTP' protocol. The 'Web Access' sub component is affected

D-Link DCS-936L devices with firmware before 1.05.07 have an inadequate CSRF protection mechanism that requires the device's IP address to be a substring of the HTTP Referer header. D-Link DCS-936L The device firmware contains a cross-site request forgery vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. D-LinkDCS-936Ldevices is a network camera from D-Link. The vulnerability stems from the program's use of an inappropriate CSRF protection mechanism. An attacker could exploit the vulnerability to create a new user, replace the original firmware with a malicious firmware, or connect the user device to a malicious wireless network

VMware Unified Access Gateway (2.5.x, 2.7.x, 2.8.x prior to 2.8.1) and Horizon View (7.x prior to 7.1.0, 6.x prior to 6.2.4) contain a heap buffer-overflow vulnerability which may allow a remote attacker to execute code on the security gateway. The former is a secure gateway that accesses remote desktops and applications outside the corporate firewall; the latter is a device that can access VMwareHorizon desktops from any location. A heap buffer overflow vulnerability exists in VMware Unified AccessGateway and HorizonView. An attacker could exploit the vulnerability to execute arbitrary code in the context of an affected application or could result in a denial of service. Failed exploits may result in denial-of-service conditions. x version

Vulnerability in the Oracle Communications Security Gateway component of Oracle Communications Applications (subcomponent: Network). The supported version that is affected is 3.0.0. Easily "exploitable" vulnerability allows unauthenticated attacker with network access via ICMP Ping to compromise Oracle Communications Security Gateway. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Communications Security Gateway. CVSS 3.0 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L). The vulnerability can be exploited over the 'ICMP Ping' protocol. The 'Network' sub component is affected. Attackers can exploit this vulnerability to cause denial of service and affect data availability

Vulnerability in the Primavera Gateway component of Oracle Primavera Products Suite (subcomponent: Primavera Desktop Integration). Supported versions that are affected are 1.0, 1.1, 14.2, 15.1, 15.2, 16.1 and 16.2. Easily "exploitable" vulnerability allows high privileged attacker with network access via HTTP to compromise Primavera Gateway. While the vulnerability is in Primavera Gateway, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Primavera Gateway accessible data and unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Primavera Gateway. CVSS 3.0 Base Score 8.7 (Confidentiality and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:H). The vulnerability can be exploited over the 'HTTP' protocol. The following versions are affected: Oracle Primavera Gateway 1.0, version 1.1, version 14.2, version 15.1, version 15.2, version 16.1, version 16.2

Vulnerability in the Primavera Gateway component of Oracle Primavera Products Suite (subcomponent: Primavera Desktop Integration). Supported versions that are affected are 1.0, 1.1, 14.2, 15.1, 15.2, 16.1 and 16.2. Easily "exploitable" vulnerability allows high privileged attacker with network access via HTTP to compromise Primavera Gateway. While the vulnerability is in Primavera Gateway, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Primavera Gateway. CVSS 3.0 Base Score 9.1 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H). The vulnerability can be exploited over the 'HTTP' protocol. An attacker could exploit this vulnerability to take control of components and affect the availability of data. The following versions are affected: Oracle Primavera Products Suite 1.0, Release 1.1, Release 14.2, Release 15.1, Release 15.2, Release 16.1, Release 16.2

Vulnerability in the Oracle API Gateway component of Oracle Fusion Middleware (subcomponent: Oracle API Gateway). The supported version that is affected is 11.1.2.4.0. Easily "exploitable" vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle API Gateway. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle API Gateway accessible data as well as unauthorized access to critical data or complete access to all Oracle API Gateway accessible data. CVSS 3.0 Base Score 8.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N). The vulnerability can be exploited over the 'HTTP' protocol. Oracle Fusion Middleware (Oracle Fusion Middleware) is a business innovation platform for enterprises and cloud environments of Oracle Corporation, which provides functions such as middleware and software collection

D-Link DCS cameras have a weak/insecure CrossDomain.XML file that allows sites hosting malicious Flash objects to access and/or change the device's settings via a CSRF attack. This is because of the 'allow-access-from domain' child element set to *, thus accepting requests from any domain. If a victim logged into the camera's web console visits a malicious site hosting a malicious Flash file from another Browser tab, the malicious Flash file then can send requests to the victim's DCS series Camera without knowing the credentials. An attacker can host a malicious Flash file that can retrieve Live Feeds or information from the victim's DCS series Camera, add new admin users, or make other changes to the device. Known affected devices are DCS-933L with firmware before 1.13.05, DCS-5030L, DCS-5020L, DCS-2530L, DCS-2630L, DCS-930L, DCS-932L, and DCS-932LB1. plural D-Link DCS The camera contains a cross-site request forgery vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) An attack may be carried out. D-LinkDCS-933L is a wireless surveillance camera device from D-Link. There are security holes in several D-LinkDCS cameras. D-Link DCS-933L, etc. The following products are affected: D-Link DCS-5030L; DCS-5020L; DCS-2530L; DCS-2630L;

ProSAFE Plus Configuration Utility prior to 2.3.29 allows remote attackers to bypass access restriction and change configurations of the switch via SOAP requests. ProSAFE Plus Configuration Utility provided by NETGEAR is a Windows application to configure and manage NETGEAR's ProSAFE Plus and Click Switches. An operator uses the utility to login and configure NETGEAR switches. When the utility is invoked, it starts listening on a certain port for SOAP requests. The utility accepts connections from network, hence unintended operation may be conducted on the switches through the utility (CWE-284). Takayoshi Isayama of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA. NetGearProSafe is a smart switch product that monitors and configures the network

In Apache Log4j 2.x before 2.8.2, when using the TCP socket server or UDP socket server to receive serialized log events from another application, a specially crafted binary payload can be sent that, when deserialized, can execute arbitrary code. Apache Log4j is a Java-based open source logging tool developed by the Apache Software Foundation. A code issue vulnerability exists in Apache Log4j 2.x versions prior to 2.8.2. An attacker could exploit this vulnerability to execute arbitrary code. (CVE-2017-5645) 3. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Important: Red Hat JBoss Web Server 3.1.0 Service Pack 1 security update Advisory ID: RHSA-2017:1801-01 Product: Red Hat JBoss Web Server Advisory URL: https://access.redhat.com/errata/RHSA-2017:1801 Issue date: 2017-07-25 CVE Names: CVE-2017-5645 CVE-2017-5647 CVE-2017-5648 CVE-2017-5664 ===================================================================== 1. Summary: An update is now available for Red Hat JBoss Web Server 3.1 for RHEL 6 and Red Hat JBoss Web Server 3.1 for RHEL 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: Red Hat JBoss Web Server 3.1 for RHEL 6 - i386, noarch, x86_64 Red Hat JBoss Web Server 3.1 for RHEL 7 - noarch, x86_64 3. Description: Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web applications. It is comprised of the Apache HTTP Server, the Apache Tomcat Servlet container, Apache Tomcat Connector (mod_jk), JBoss HTTP Connector (mod_cluster), Hibernate, and the Tomcat Native library. This release of Red Hat JBoss Web Server 3.1 Service Pack 1 serves as a replacement for Red Hat JBoss Web Server 3.1, and includes bug fixes, which are documented in the Release Notes document linked to in the References. (CVE-2017-5645) * A vulnerability was discovered in tomcat's handling of pipelined requests when "Sendfile" was used. If sendfile processing completed quickly, it was possible for the Processor to be added to the processor cache twice. This could lead to invalid responses or information disclosure. (CVE-2017-5647) * A vulnerability was discovered in the error page mechanism in Tomcat's DefaultServlet implementation. A crafted HTTP request could cause undesired side effects, possibly including the removal or replacement of the custom error page. (CVE-2017-5664) * A vulnerability was discovered in tomcat. When running an untrusted application under a SecurityManager it was possible, under some circumstances, for that application to retain references to the request or response objects and thereby access and/or modify information associated with another web application. (CVE-2017-5648) 4. Solution: Before applying the update, back up your existing Red Hat JBoss Web Server installation (including all applications and configuration files). For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 5. Bugs fixed (https://bugzilla.redhat.com/): 1441205 - CVE-2017-5647 tomcat: Incorrect handling of pipelined requests when send file was used 1441223 - CVE-2017-5648 tomcat: Calls to application listeners did not use the appropriate facade object 1443635 - CVE-2017-5645 log4j: Socket receiver deserialization vulnerability 1459158 - CVE-2017-5664 tomcat: Security constrained bypass in error page mechanism 6. JIRA issues fixed (https://issues.jboss.org/): JWS-657 - tomcat-native installs RHEL apr in addition to jbcs-httpd24-httpd-libs JWS-667 - Subject incorrectly removed from user session JWS-695 - tomcat7_t and tomcat8_t domains are in unconfined_domain JWS-709 - RPM missing selinux-policy dependency JWS-716 - Backport 60087 for Tomcat 8 JWS-717 - RFC 7230/3986 url requirement that prevents unencoded curly braces should be optional, since it breaks existing sites JWS-721 - CORS filter Vary header missing JWS-725 - /usr/share/tomcat7 needs world execute permissions to function on openshift v2 JWS-741 - Configurations in conf.d are not applied JWS-760 - [ASF BZ 59961] Provide an option to enable/disable processing of Class-Path entry in a jar's manifest file 7. Package List: Red Hat JBoss Web Server 3.1 for RHEL 6: Source: log4j-eap6-1.2.16-12.redhat_3.1.ep6.el6.src.rpm tomcat-native-1.2.8-10.redhat_10.ep7.el6.src.rpm tomcat7-7.0.70-22.ep7.el6.src.rpm tomcat8-8.0.36-24.ep7.el6.src.rpm i386: tomcat-native-1.2.8-10.redhat_10.ep7.el6.i686.rpm tomcat-native-debuginfo-1.2.8-10.redhat_10.ep7.el6.i686.rpm noarch: log4j-eap6-1.2.16-12.redhat_3.1.ep6.el6.noarch.rpm tomcat7-7.0.70-22.ep7.el6.noarch.rpm tomcat7-admin-webapps-7.0.70-22.ep7.el6.noarch.rpm tomcat7-docs-webapp-7.0.70-22.ep7.el6.noarch.rpm tomcat7-el-2.2-api-7.0.70-22.ep7.el6.noarch.rpm tomcat7-javadoc-7.0.70-22.ep7.el6.noarch.rpm tomcat7-jsp-2.2-api-7.0.70-22.ep7.el6.noarch.rpm tomcat7-jsvc-7.0.70-22.ep7.el6.noarch.rpm tomcat7-lib-7.0.70-22.ep7.el6.noarch.rpm tomcat7-log4j-7.0.70-22.ep7.el6.noarch.rpm tomcat7-selinux-7.0.70-22.ep7.el6.noarch.rpm tomcat7-servlet-3.0-api-7.0.70-22.ep7.el6.noarch.rpm tomcat7-webapps-7.0.70-22.ep7.el6.noarch.rpm tomcat8-8.0.36-24.ep7.el6.noarch.rpm tomcat8-admin-webapps-8.0.36-24.ep7.el6.noarch.rpm tomcat8-docs-webapp-8.0.36-24.ep7.el6.noarch.rpm tomcat8-el-2.2-api-8.0.36-24.ep7.el6.noarch.rpm tomcat8-javadoc-8.0.36-24.ep7.el6.noarch.rpm tomcat8-jsp-2.3-api-8.0.36-24.ep7.el6.noarch.rpm tomcat8-jsvc-8.0.36-24.ep7.el6.noarch.rpm tomcat8-lib-8.0.36-24.ep7.el6.noarch.rpm tomcat8-log4j-8.0.36-24.ep7.el6.noarch.rpm tomcat8-selinux-8.0.36-24.ep7.el6.noarch.rpm tomcat8-servlet-3.1-api-8.0.36-24.ep7.el6.noarch.rpm tomcat8-webapps-8.0.36-24.ep7.el6.noarch.rpm x86_64: tomcat-native-1.2.8-10.redhat_10.ep7.el6.x86_64.rpm tomcat-native-debuginfo-1.2.8-10.redhat_10.ep7.el6.x86_64.rpm Red Hat JBoss Web Server 3.1 for RHEL 7: Source: log4j-eap6-1.2.16-12.redhat_3.1.ep6.el7.src.rpm tomcat-native-1.2.8-10.redhat_10.ep7.el7.src.rpm tomcat7-7.0.70-22.ep7.el7.src.rpm tomcat8-8.0.36-24.ep7.el7.src.rpm noarch: log4j-eap6-1.2.16-12.redhat_3.1.ep6.el7.noarch.rpm tomcat7-7.0.70-22.ep7.el7.noarch.rpm tomcat7-admin-webapps-7.0.70-22.ep7.el7.noarch.rpm tomcat7-docs-webapp-7.0.70-22.ep7.el7.noarch.rpm tomcat7-el-2.2-api-7.0.70-22.ep7.el7.noarch.rpm tomcat7-javadoc-7.0.70-22.ep7.el7.noarch.rpm tomcat7-jsp-2.2-api-7.0.70-22.ep7.el7.noarch.rpm tomcat7-jsvc-7.0.70-22.ep7.el7.noarch.rpm tomcat7-lib-7.0.70-22.ep7.el7.noarch.rpm tomcat7-log4j-7.0.70-22.ep7.el7.noarch.rpm tomcat7-selinux-7.0.70-22.ep7.el7.noarch.rpm tomcat7-servlet-3.0-api-7.0.70-22.ep7.el7.noarch.rpm tomcat7-webapps-7.0.70-22.ep7.el7.noarch.rpm tomcat8-8.0.36-24.ep7.el7.noarch.rpm tomcat8-admin-webapps-8.0.36-24.ep7.el7.noarch.rpm tomcat8-docs-webapp-8.0.36-24.ep7.el7.noarch.rpm tomcat8-el-2.2-api-8.0.36-24.ep7.el7.noarch.rpm tomcat8-javadoc-8.0.36-24.ep7.el7.noarch.rpm tomcat8-jsp-2.3-api-8.0.36-24.ep7.el7.noarch.rpm tomcat8-jsvc-8.0.36-24.ep7.el7.noarch.rpm tomcat8-lib-8.0.36-24.ep7.el7.noarch.rpm tomcat8-log4j-8.0.36-24.ep7.el7.noarch.rpm tomcat8-selinux-8.0.36-24.ep7.el7.noarch.rpm tomcat8-servlet-3.1-api-8.0.36-24.ep7.el7.noarch.rpm tomcat8-webapps-8.0.36-24.ep7.el7.noarch.rpm x86_64: tomcat-native-1.2.8-10.redhat_10.ep7.el7.x86_64.rpm tomcat-native-debuginfo-1.2.8-10.redhat_10.ep7.el7.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 8. References: https://access.redhat.com/security/cve/CVE-2017-5645 https://access.redhat.com/security/cve/CVE-2017-5647 https://access.redhat.com/security/cve/CVE-2017-5648 https://access.redhat.com/security/cve/CVE-2017-5664 https://access.redhat.com/security/updates/classification/#important 9. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2017 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iD8DBQFZd3byXlSAg2UNWIIRAtRWAJ9Te0IfpivK9CimMmNplSEKse3isgCePN1K uf6N2qA8ipjhxaVXeCqG0P4= =57v0 -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://www.redhat.com/mailman/listinfo/rhsa-announce . Security Fix(es): * bsh2: remote code execution via deserialization (CVE-2016-2510) * log4j: Socket receiver deserialization vulnerability (CVE-2017-5645) * uima: XML external entity expansion (XXE) can allow attackers to execute arbitrary code (CVE-2017-15691) * mysql-connector-java: Connector/J unspecified vulnerability (CPU October 2018) (CVE-2018-3258) * thrift: Improper Access Control grants access to files outside the webservers docroot path (CVE-2018-11798) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section. Installation instructions are available from the Fuse 7.3.0 product documentation page: https://access.redhat.com/documentation/en-us/red_hat_fuse/7.3/ 4. Bugs fixed (https://bugzilla.redhat.com/): 1310647 - CVE-2016-2510 bsh2: remote code execution via deserialization 1443635 - CVE-2017-5645 log4j: Socket receiver deserialization vulnerability 1572463 - CVE-2017-15691 uima: XML external entity expansion (XXE) can allow attackers to execute arbitrary code 1640615 - CVE-2018-3258 mysql-connector-java: Connector/J unspecified vulnerability (CPU October 2018) 1667188 - CVE-2018-11798 thrift: Improper Access Control grants access to files outside the webservers docroot path 5. (CVE-2017-5645) * It was found that XStream contains a vulnerability that allows a maliciously crafted file to be parsed successfully which could cause an application crash. The crash occurs if the file that is being fed into XStream input stream contains an instances of the primitive type 'void'. An attacker could use this flaw to create a denial of service on the target system. (CVE-2017-7957) 3. It is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process. The References section of this erratum contains a download link (you must log in to download the update). (CVE-2017-7525) Red Hat would like to thank Liao Xinxi (NSFOCUS) for reporting CVE-2017-7525. Description: The eap7-jboss-ec2-eap packages provide scripts for Red Hat JBoss Enterprise Application Platform running on the Amazon Web Services (AWS) Elastic Compute Cloud (EC2). (CVE-2017-5645) * A vulnerability was found in Jasypt that would allow an attacker to perform a timing attack on password hash comparison. (CVE-2014-9970) * It was found that an information disclosure flaw in Bouncy Castle could enable a local malicious application to gain access to user's private information. (CVE-2015-6644) * It was found that while parsing the SAML messages the StaxParserUtil class of Picketlink replaces special strings for obtaining attribute values with system property. This could allow an attacker to determine values of system properties at the attacked system by formatting the SAML request ID field to be the chosen system property which could be obtained in the "InResponseTo" field in the response. (CVE-2017-2582) * It was found that when the security manager's reflective permissions, which allows it to access the private members of the class, are granted to Hibernate Validator, a potential privilege escalation can occur. By allowing the calling code to access those private members without the permission an attacker may be able to validate an invalid instance and access the private member value via ConstraintViolation#getInvalidValue(). JIRA issues fixed (https://issues.jboss.org/): JBEAP-11487 - jboss-ec2-eap for EAP 7.0.8 7

A denial of service vulnerability in Juniper Networks NorthStar Controller Application prior to version 2.1.0 Service Pack 1 may allow an unauthenticated, unprivileged, network-based attacker to cause denials of services to underlying database tables leading to potential information disclosure, modification of system states, and partial to full denial of services relying upon data modified by an attacker. Juniper Networks NorthStar Controller Applications have vulnerabilities related to authorization, permissions, and access control.Information is obtained, tampered with, and disrupted by network-based attackers (DoS) An attack may be carried out. JuniperNetworksNorthStarControllerApplication is a traffic planning controller from Juniper Networks. The controller optimizes the service provider's transport network by establishing an open industry standard protocol. An unrecognized denial of service vulnerability exists in versions prior to JuniperNetworksNorthStarControllerApplication2.1.0ServicePack1