VARIoT IoT vulnerabilities database
| VAR-201604-0434 | CVE-2016-3081 |
Apache Struts2 Arbitrary code execution vulnerability
Related entries in the VARIoT exploits database: VAR-E-201604-0126 |
CVSS V2: 9.3 CVSS V3: 8.1 Severity: HIGH |
Apache Struts 2.3.19 to 2.3.20.2, 2.3.21 to 2.3.24.1, and 2.3.25 to 2.3.28, when Dynamic Method Invocation is enabled, allow remote attackers to execute arbitrary code via the method: prefix, related to chained expressions. Apache Struts2 contains a vulnerability that allows execution of arbitrary code. Note that proof-of-concept code for this vulnerability has been released. The National Vulnerability Database (NVD) publishes it as CWE-77: Improper Neutralization of Special Elements used in a Command (Command Injection) (http://cwe.mitre.org/data/definitions/77.html). A remote attacker could execute arbitrary code on the server where the product is running. Apache Struts is prone to a remote code-execution vulnerability. Failed exploit attempts may cause a denial-of-service condition. Oracle has released advance notification regarding the July 2016 Critical Patch Update (CPU) to be released on July 19, 2016. The update addresses 276 vulnerabilities affecting the following software:
Oracle Application Express
Oracle Database Server
Oracle Access Manager
Oracle BI Publisher
Oracle Business Intelligence Enterprise Edition
Oracle Directory Server Enterprise Edition
Oracle Exalogic Infrastructure
Oracle Fusion Middleware
Oracle GlassFish Server
Oracle HTTP Server
Oracle JDeveloper
Oracle Portal
Oracle WebCenter Sites
Oracle WebLogic Server
Outside In Technology
Hyperion Financial Reporting
Enterprise Manager Base Platform
Enterprise Manager for Fusion Middleware
Enterprise Manager Ops Center
Oracle E-Business Suite
Oracle Agile Engineering Data Management
Oracle Agile PLM
Oracle Demand Planning
Oracle Engineering Data Management
Oracle Transportation Management
PeopleSoft Enterprise FSCM
PeopleSoft Enterprise PeopleTools
JD Edwards EnterpriseOne Tools
Siebel Applications
Oracle Fusion Applications
Oracle Communications ASAP
Oracle Communications Core Session Manager
Oracle Communications EAGLE Application Processor
Oracle Communications Messaging Server
Oracle Communications Network Charging and Control
Oracle Communications Operations Monitor
Oracle Communications Policy Management
Oracle Communications Session Border Controller
Oracle Communications Unified Session Manager
Oracle Enterprise Communications Broker
Oracle Banking Platform
Oracle Financial Services Lending and Leasing
Oracle FLEXCUBE Direct Banking
Oracle Health Sciences Clinical Development Center
Oracle Health Sciences Information Manager
Oracle Healthcare Analytics Data Integration
Oracle Healthcare Master Person Index
Oracle Documaker
Oracle Insurance Calculation Engine
Oracle Insurance Policy Administration J2EE
Oracle Insurance Rules Palette
MICROS Retail XBRi Loss Prevention
Oracle Retail Central
Oracle Back Office
Oracle Returns Management
Oracle Retail Integration Bus
Oracle Retail Order Broker
Oracle Retail Service Backbone
Oracle Retail Store Inventory Management
Oracle Utilities Framework
Oracle Utilities Network Management System
Oracle Utilities Work and Asset Management
Oracle In-Memory Policy Analytics
Oracle Policy Automation
Oracle Policy Automation Connector for Siebel
Oracle Policy Automation for Mobile Devices
Primavera Contract Management
Primavera P6 Enterprise Project Portfolio Management
Oracle Java SE
Oracle Java SE Embedded
Oracle JRockit
40G 10G 72/64 Ethernet Switch
Fujitsu M10-1 Servers
Fujitsu M10-4 Servers
Fujitsu M10-4S Servers
ILOM
Oracle Switch ES1-24
Solaris
Solaris Cluster
SPARC Enterprise M3000 Servers
SPARC Enterprise M4000 Servers
SPARC Enterprise M5000 Servers
SPARC Enterprise M8000 Servers
SPARC Enterprise M9000 Servers
Sun Blade 6000 Ethernet Switched NEM 24P 10GE
Sun Data Center InfiniBand Switch 36
Sun Network 10GE Switch 72p
Sun Network QDR InfiniBand Gateway Switch
Oracle Secure Global Desktop
Oracle VM VirtualBox
MySQL Server
Exploiting the most severe of these vulnerabilities may potentially compromise the database server or the host operating system
| VAR-201604-0296 | CVE-2016-2333 | SysLINK M2M Modular Gateway contains multiple vulnerabilities |
CVSS V2: 5.0 CVSS V3: 7.5 Severity: HIGH |
SysLINK SL-1000 Machine-to-Machine (M2M) Modular Gateway devices with firmware before 01A.8 use the same hardcoded encryption key across different customers' installations, which allows attackers to defeat cryptographic protection mechanisms by leveraging knowledge of this key from another installation. The SysLINK SL-1000 M2M (Machine-to-Machine) Modular Gateway contains multiple vulnerabilities:
1. A hard-coded password authentication-bypass vulnerability
2. A command-injection vulnerability
3. A hard-coded cryptographic key vulnerability
Attackers can exploit these issues to bypass authentication mechanisms, to execute arbitrary commands in the context of the affected application, and to read and modify intercepted traffic. Systech SysLINK SL-1000 M2M (Machine-to-Machine) Modular Gateway is a router product of Systech Corporation of the United States that provides DHCP, NAT, VPN and firewall functions
| VAR-201604-0295 | CVE-2016-2332 | SysLINK M2M Modular Gateway contains multiple vulnerabilities |
CVSS V2: 9.0 CVSS V3: 8.8 Severity: HIGH |
flu.cgi in the web interface on SysLINK SL-1000 Machine-to-Machine (M2M) Modular Gateway devices with firmware before 01A.8 allows remote authenticated users to execute arbitrary commands via the 5066 (aka dnsmasq) parameter. Supplementary information: the CWE vulnerability type has been identified as CWE-77: Improper Neutralization of Special Elements used in a Command (Command Injection) (http://cwe.mitre.org/data/definitions/77.html). A remote authenticated user may execute arbitrary commands via the 5066 (alias dnsmasq) parameter. Systech SysLINK SL-1000 M2M (Machine-to-Machine) Modular Gateway is a router product from Systech, USA that provides DHCP, NAT, VPN and firewall functions. The vulnerability allows arbitrary commands to be run with root privileges through the '5066' parameter in a POST request to the flu.cgi file. The device contains multiple vulnerabilities:
1. A hard-coded password authentication-bypass vulnerability
2. A command-injection vulnerability
3. A hard-coded cryptographic key vulnerability
Attackers can exploit these issues to bypass authentication mechanisms, to execute arbitrary commands in the context of the affected application, and to read and modify intercepted traffic
| VAR-201604-0693 | No CVE | Chengdu Feiyuxing Technology Development Co., Ltd. online behavior auditing gateway has SQL injection vulnerability |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
Chengdu Feiyuxing Technology Co., Ltd. is committed to providing intelligent and easy-to-use network communication products and services. There is a SQL injection vulnerability in the online behavior auditing gateway of Chengdu Feiyuxing Technology Development Co., Ltd. It allows an attacker to log in to the system and gain administrator privileges.
| VAR-201604-0696 | No CVE | WordPress Simple Add Pages or Posts plugin cross-site request forgery vulnerability |
CVSS V2: 6.8 CVSS V3: - Severity: MEDIUM |
WordPress is a blogging platform developed by the WordPress Software Foundation using the PHP language. The platform supports the setting up of personal blog websites on PHP and MySQL servers.
The WordPress Simple Add Pages or Posts plugin has a cross-site request forgery vulnerability. It allows remote attackers to construct malicious URIs, entice users into opening them, and perform malicious operations in the target user's context.
| VAR-201604-0316 | CVE-2015-6479 | filteredlogs.txt file read vulnerability in ACEmanager of Sierra Wireless ALEOS running on multiple devices |
CVSS V2: 4.3 CVSS V3: 4.3 Severity: MEDIUM |
ACEmanager in Sierra Wireless ALEOS 4.4.2 and earlier on ES440, ES450, GX400, GX440, GX450, and LS300 devices allows remote attackers to read the filteredlogs.txt file, and consequently discover potentially sensitive boot-sequence information, via unspecified vectors. Supplementary information: the CWE vulnerability type has been identified as CWE-538: File and Directory Information Exposure (https://cwe.mitre.org/data/definitions/538.html). A third party can read the filteredlogs.txt file and, as a result, obtain important boot-sequence information. Sierra Wireless ALEOS on ES440, ES450, GX400, GX440, GX450 and LS300 is a suite of application frameworks running on the ES440, ES450, GX400, GX440, GX450 and LS300 Smart Gateway devices. A security vulnerability exists in ACEmanager in Sierra Wireless ALEOS 4.4.2 and earlier on several Sierra Wireless devices. The following products are affected: Sierra Wireless ES440, ES450, GX400, GX440, GX450, LS300
| VAR-201604-0562 | CVE-2016-1367 | Denial-of-service (DoS) vulnerability in the DHCPv6 relay implementation of Cisco Adaptive Security Appliance Software |
CVSS V2: 7.8 CVSS V3: 7.5 Severity: HIGH |
The DHCPv6 relay implementation in Cisco Adaptive Security Appliance (ASA) Software 9.4.1 allows remote attackers to cause a denial of service (device reload) via crafted DHCPv6 packets, aka Bug ID CSCus23248. The Cisco ASA 5500 Series Adaptive Security Appliance is a modular platform for providing security and VPN services with firewall, IPS, anti-X and VPN services. Sending a crafted DHCPv6 message to the affected device can cause a denial of service.
Successful exploits may allow an attacker to cause denial-of-service conditions.
This issue is being tracked by Cisco Bug ID CSCus23248
| VAR-201604-0309 | CVE-2016-3628 | Buffer overflow vulnerability in tibemsd in the server of TIBCO Enterprise Message Service and EMS Appliance |
CVSS V2: 6.5 CVSS V3: 8.8 Severity: HIGH |
Buffer overflow in tibemsd in the server in TIBCO Enterprise Message Service (EMS) before 8.3.0 and EMS Appliance before 2.4.0 allows remote authenticated users to cause a denial of service or possibly execute arbitrary code via crafted inbound data. Multiple TIBCO products are prone to a buffer-overflow vulnerability because they fail to properly bounds-check user-supplied data before copying it into an insufficiently sized buffer.
Attackers can exploit this issue to execute arbitrary code in the context of the affected application. Failed exploit attempts will result in denial-of-service conditions.
The following TIBCO products are affected:
TIBCO Enterprise Message Service (EMS) 8.2.2 and prior versions are affected.
TIBCO Enterprise Message Service Appliance 2.3.1 and prior versions are affected. The former is standards-based message middleware for simplifying and accelerating high-performance integration and data distribution management in enterprise environments, and the latter is a message middleware product. There is a buffer overflow vulnerability in tibemsd in servers of TIBCO EMS 8.2.2 and earlier versions and EMS Appliance 2.3.1 and earlier versions
| VAR-201604-0559 | CVE-2016-1362 | Denial-of-service (DoS) vulnerability in AireOS running on Cisco Wireless LAN Controller devices |
CVSS V2: 7.8 CVSS V3: 7.5 Severity: HIGH |
Cisco AireOS 4.1 through 7.4.120.0, 7.5.x, and 7.6.100.0 on Wireless LAN Controller (WLC) devices allows remote attackers to cause a denial of service (device reload) via a crafted HTTP request, aka Bug ID CSCun86747. The Cisco WLC is responsible for system-wide wireless LAN functions such as security policy, intrusion protection, RF management, quality of service, and mobility.
Attackers can exploit this issue to crash and reload the affected device, denying service to legitimate users.
This issue is being tracked by Cisco Bug ID CSCun86747. There is a security vulnerability in Cisco AireOS on Cisco WLC. The following versions are affected: Cisco AireOS 4.1 through 7.4.120.0, 7.5.x, and 7.6.100.0
| VAR-201604-0560 | CVE-2016-1363 | Cisco Wireless LAN Controller Software redirection buffer overflow vulnerability |
CVSS V2: 10.0 CVSS V3: 9.8 Severity: CRITICAL |
Buffer overflow in the redirection functionality in Cisco Wireless LAN Controller (WLC) Software 7.2 through 7.4 before 7.4.140.0(MD) and 7.5 through 8.0 before 8.0.115.0(ED) allows remote attackers to execute arbitrary code via a crafted HTTP request, aka Bug ID CSCus25617. The Cisco WLC is responsible for system-wide wireless LAN functions such as security policy, intrusion protection, RF management, quality of service, and mobility.
An attacker can exploit this issue to execute arbitrary code on the affected device. Failed exploit attempts will result in denial-of-service conditions.
This issue is being tracked by Cisco bug ID CSCus25617. The following releases are affected: Cisco WLC Release 7.2, Release 7.3, Release 7.4 prior to 7.4.140.0(MD), Release 7.5, Release 7.6, Release 8.0 prior to 8.0.115.0(ED)
| VAR-201604-0571 | CVE-2016-1384 | Vulnerability in the NTP implementation of Cisco IOS and IOS XE |
CVSS V2: 5.0 CVSS V3: 7.5 Severity: HIGH |
The NTP implementation in Cisco IOS 15.1 and 15.5 and IOS XE 3.2 through 3.17 allows remote attackers to modify the system time via crafted packets, aka Bug ID CSCux46898. The vendor has published this vulnerability as Bug ID CSCux46898. A third party could change the system time via crafted packets. Cisco IOS is the interconnected network operating system used on most Cisco system routers and network switches. Cisco IOS/Cisco IOS XE Software failed to effectively check certain NTP messages, allowing remote attackers to inject malicious messages into the NTP daemon to control the affected devices.
Attackers can exploit this issue to gain unauthorized access to the affected application. This may aid in further attacks.
This issue is being tracked by Cisco bug ID CSCux46898. The vulnerability is caused by the fact that the program does not perform authentication on NTP packets
| VAR-201609-0034 | CVE-2016-4058 | Huawei Policy Center Vulnerable to cross-site scripting |
CVSS V2: 3.5 CVSS V3: 5.4 Severity: MEDIUM |
Cross-site scripting (XSS) vulnerability in Huawei Policy Center before V100R003C10SPC020 allows remote authenticated users to inject arbitrary web script or HTML via vectors related to "special characters on pages." Huawei Policy Center is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected device. This may help the attacker steal cookie-based authentication credentials and launch other attacks. Huawei Policy Center is a set of policy management center software from the Chinese company Huawei. The software provides functions such as visitor management and customized Portal login interface
| VAR-201606-0099 | CVE-2016-3677 | Vulnerability in Huawei Wear APP for Android |
CVSS V2: 6.8 CVSS V3: 6.5 Severity: MEDIUM |
The Huawei Wear App application before 15.0.0.307 for Android does not validate SSL certificates, which allows local users to have unspecified impact via unknown vectors, aka HWPSIRT-2016-03008. The vendor has published this vulnerability as HWPSIRT-2016-03008. Supplementary information: the CWE vulnerability types have been identified as CWE-254: Security Features and CWE-345: Insufficient Verification of Data Authenticity (http://cwe.mitre.org/data/definitions/254.html, http://cwe.mitre.org/data/definitions/345.html). Local users may be affected in unspecified ways.
Successfully exploiting this issue allows local attackers to perform man-in-the-middle attacks and bypass certain security restrictions.
The following technologies are affected:
WearAPP versions prior to 15.0.0.307 are vulnerable
HiLink APP versions prior to 3.19.2 are vulnerable
Note: This issue was previously titled 'Huawei Wear APP CVE-2016-3677 SSL Certificate Validation Local Security Bypass Vulnerability'. The title has been changed to better reflect the vulnerability information. Huawei WearAPP is a set of apps used in conjunction with smart wearable devices, from the Chinese company Huawei. There is a security vulnerability in Huawei WearAPP versions earlier than 15.0.0.307 (Android). The vulnerability is caused by the program not verifying the SSL certificate. A local attacker can use this vulnerability to launch a man-in-the-middle attack to obtain sensitive information
| VAR-201606-0021 | CVE-2016-4005 | Vulnerability in Huawei Hilink APP for Android |
CVSS V2: 7.5 CVSS V3: 5.5 Severity: MEDIUM |
The Huawei Hilink App application before 3.19.2 for Android does not validate SSL certificates, which allows local users to have unspecified impact via unknown vectors, aka HWPSIRT-2016-03008. The vendor has published this vulnerability as HWPSIRT-2016-03008. Local users may be affected in unspecified ways.
Successfully exploiting this issue allows local attackers to perform man-in-the-middle attacks and bypass certain security restrictions.
The following technologies are affected:
WearAPP versions prior to 15.0.0.307 are vulnerable
HiLink APP versions prior to 3.19.2 are vulnerable
Note: This issue was previously titled 'Huawei Wear APP CVE-2016-3677 SSL Certificate Validation Local Security Bypass Vulnerability'. The title has been changed to better reflect the vulnerability information. Both Huawei WearAPP and HiLink are products of the Chinese company Huawei. The former is a set of APPs used in conjunction with smart wearable devices, and the latter is a unified management platform for Huawei network connection terminals. There are security vulnerabilities in Huawei WearAPP versions earlier than 15.0.0.307 (Android) and HiLink versions earlier than 3.19.2 (Android)
| VAR-201604-0089 | CVE-2016-2204 | Root shell access vulnerability in the management console of Symantec Messaging Gateway Appliance devices |
CVSS V2: 6.5 CVSS V3: 8.2 Severity: HIGH |
The management console on Symantec Messaging Gateway (SMG) Appliance devices before 10.6.1 allows local users to obtain root-shell access via crafted terminal-window input. Supplementary information: the CWE vulnerability type has been identified as CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component (Injection) (http://cwe.mitre.org/data/definitions/74.html). A local user may obtain root shell permissions through crafted terminal-window input. This may aid in further attacks.
Versions prior to Symantec Messaging Gateway 10.6.0-7 are vulnerable. Symantec Messaging Gateway is a spam filter that integrates anti-spam, anti-virus, advanced content filtering and data leakage prevention technologies from Symantec
| VAR-201604-0545 | CVE-2016-4349 | Privilege gain vulnerability in Cisco WebEx Productivity Tools |
CVSS V2: 7.2 CVSS V3: 7.8 Severity: HIGH |
Untrusted search path vulnerability in Cisco WebEx Productivity Tools 2.40.5001.10012 allows local users to gain privileges via a Trojan horse cryptsp.dll, dwmapi.dll, msimg32.dll, ntmarta.dll, propsys.dll, riched20.dll, rpcrtremote.dll, secur32.dll, sxs.dll, or uxtheme.dll file in the current working directory, aka Bug ID CSCuy56140. The vendor has published this vulnerability as Bug ID CSCuy56140. Supplementary information: the CWE vulnerability type has been identified as CWE-426: Untrusted Search Path (http://cwe.mitre.org/data/definitions/426.html). A local user may gain privileges through a Trojan horse cryptsp.dll, dwmapi.dll, msimg32.dll, ntmarta.dll, propsys.dll, riched20.dll, rpcrtremote.dll, secur32.dll, sxs.dll, or uxtheme.dll file in the current working directory.
A local attacker can leverage these issues to execute arbitrary code in the context of the affected application. Failed exploit attempts will result in a denial of service condition. dll, uxtheme.dll) exploit this vulnerability to gain permissions
| VAR-201604-0088 | CVE-2016-2203 | Encrypted AD password acquisition vulnerability in the management console of Symantec Messaging Gateway Appliance devices |
CVSS V2: 2.1 CVSS V3: 7.8 Severity: HIGH |
The management console on Symantec Messaging Gateway (SMG) Appliance devices before 10.6.1 allows local users to discover an encrypted AD password by leveraging certain read privileges. Symantec Messaging Gateway is prone to a local password-disclosure vulnerability
Local attackers can exploit this issue to disclose sensitive information. Information obtained may lead to further attacks.
Versions prior to Symantec Messaging Gateway 10.6.0-7 are vulnerable. Symantec Messaging Gateway is a spam filter that integrates anti-spam, anti-virus, advanced content filtering and data leakage prevention technologies from Symantec. A security vulnerability exists in the management console of SMG Appliance versions prior to 10.6.1
| VAR-201702-0012 | CVE-2016-4038 | Vulnerability in Samsung Android devices equipped with certain Qualcomm chipsets |
CVSS V2: 7.2 CVSS V3: 7.8 Severity: HIGH |
Array index error in the msm_sensor_config function in kernel/SM-G9008V_CHN_KK_Opensource/Kernel/drivers/media/platform/msm/camera_v2/sensor/msm_sensor.c in Samsung devices with Android KK(4.4) or L and an APQ8084, MSM8974, or MSM8974pro chipset allows local users to have unspecified impact via the gpio_config.gpio_name value. Samsung Android phone is a series of mobile phones based on the Android platform developed by South Korea's Samsung. There is a memory corruption vulnerability in the 'msm_sensor_config' function in the v4l-subdev driver of Samsung Android phones. This vulnerability is caused by the failure to perform boundary checking when the program writes gpio_config.gpio_name as an index to the buffer. An attacker could exploit this vulnerability to cause memory corruption. Samsung is prone to a remote memory-corruption vulnerability.
Attackers can exploit this issue to execute arbitrary code in the context of the user running the affected applications. Failed exploit attempts will likely cause a denial-of-service condition
| VAR-201604-0561 | CVE-2016-1364 | Denial-of-service (DoS) vulnerability in Cisco Wireless LAN Controller Software |
CVSS V2: 7.8 CVSS V3: 7.5 Severity: HIGH |
Cisco Wireless LAN Controller (WLC) Software 7.4 before 7.4.130.0(MD) and 7.5, 7.6, and 8.0 before 8.0.110.0(ED) allows remote attackers to cause a denial of service (device reload) via crafted Bonjour traffic, aka Bug ID CSCur66908. The Cisco WLC is responsible for system-wide wireless LAN functions such as security policy, intrusion protection, RF management, quality of service, and mobility.
Attackers can exploit this issue to cause a denial-of-service condition.
This issue is being tracked by Cisco Bug ID CSCur66908. A security vulnerability exists in Cisco WLC. The following releases are affected: Cisco WLC Release 7.4 prior to 7.4.130.0(MD), Release 7.5, Release 7.6, Release 8.0 prior to 8.0.110.0(ED)
| VAR-201604-0579 | CVE-2016-2003 | HPE P9000 CVAE Software and XP7 CVAE Vulnerable to arbitrary command execution |
CVSS V2: 7.5 CVSS V3: 9.8 Severity: CRITICAL |
HPE P9000 Command View Advanced Edition Software (CVAE) 7.x and 8.x before 8.4.0-00 and XP7 CVAE 7.x and 8.x before 8.4.0-00 allow remote attackers to execute arbitrary commands via a crafted serialized Java object, related to the Apache Commons Collections (ACC) library. Supplementary information: the CWE vulnerability type has been identified as CWE-502: Deserialization of Untrusted Data (http://cwe.mitre.org/data/definitions/502.html). A third party may execute arbitrary commands through a crafted serialized Java object. HP XP P9000 Command View Advanced Edition is a multi-function device manager for HP XP P9500 and XP Disk Array products. HPE P9000 Command View Advanced Edition Software (CVAE) and XP7 CVAE have security vulnerabilities. Multiple HP products are prone to a remote code execution vulnerability.
Successfully exploiting this issue allows attackers to execute arbitrary code in the context of the affected application.
The following products are vulnerable:
HP XP7 Command View Advanced Edition Suite 7.0.0-02 through versions prior to 8.4.0-00
HP P9000 Command View Advanced Edition Software 7.0.0-02 through versions prior to 8.4.0-00.
Note: the current version of the following document is available here:
https://h20564.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05085438
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c05085438
Version: 2
HPSBST03576 rev.2 - HP P9000, XP7 Command View Advanced Edition (CVAE) Suite
including Device Manager and Tiered Storage Manager using Java
Deserialization, Remote Arbitrary Code Execution
NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible.
Release Date: 2016-04-15
Last Updated: 2016-04-15
Potential Security Impact: Remote Arbitrary Code Execution
Source: Hewlett Packard Enterprise, Product Security Response Team
VULNERABILITY SUMMARY
A vulnerability in Apache Commons Collections (ACC) for handling Java object
deserialization was addressed by HP P9000 and HP XP7 Command View Advanced
Edition (CVAE) Suite including Device Manager and Tiered Storage Manager.
References:
CVE-2016-2003
JPCERT-VU#576313
PSRT110077
SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed. Customers unable
to apply the updates should please contact HPE Technical Support to discuss
options.
HISTORY
Version:1 (rev.1) - 15 April 2016 Initial release
Version:2 (rev.2) - 15 April 2016 Text alignment for impacted product name
Third Party Security Patches: Third party security patches that are to be
installed on systems running Hewlett Packard Enterprise (HPE) software
products should be applied in accordance with the customer's patch management
policy.
Support: For issues about implementing the recommendations of this Security
Bulletin, contact normal HPE Services support channel. For other issues about
the content of this Security Bulletin, send e-mail to security-alert@hpe.com.
Report: To report a potential security vulnerability with any HPE supported
product, send Email to: security-alert@hpe.com
Subscribe: To initiate a subscription to receive future HPE Security Bulletin
alerts via Email: http://www.hpe.com/support/Subscriber_Choice
Security Bulletin Archive: A list of recently released Security Bulletins is
available here: http://www.hpe.com/support/Security_Bulletin_Archive
Software Product Category: The Software Product Category is represented in
the title by the two characters following HPSB.
3C = 3COM
3P = 3rd Party Software
GN = HPE General Software
HF = HPE Hardware and Firmware
MU = Multi-Platform Software
NS = NonStop Servers
OV = OpenVMS
PV = ProCurve
ST = Storage Software
UX = HP-UX
Copyright 2016 Hewlett Packard Enterprise
Hewlett Packard Enterprise shall not be liable for technical or editorial
errors or omissions contained herein. The information provided is provided
"as is" without warranty of any kind. To the extent permitted by law, neither
HP or its affiliates, subcontractors or suppliers will be liable for
incidental,special or consequential damages including downtime cost; lost
profits; damages relating to the procurement of substitute products or
services; or damages for loss of data, or software restoration. The
information in this document is subject to change without notice. Hewlett
Packard Enterprise and the names of Hewlett Packard Enterprise products
referenced herein are trademarks of Hewlett Packard Enterprise in the United
States and other countries. Other product and company names mentioned herein
may be trademarks of their respective owners.