VARIoT IoT vulnerabilities database

Affected products: vendor, model and version
CWE format is 'CWE-number'. Threat type can be: remote or local
Look up free text in title and description

VAR-201102-0182 CVE-2010-4741 Moxa Device Manager MDMTool.exe Buffer Overflow Vulnerability

Related entries in the VARIoT exploits database: VAR-E-201011-0390
CVSS V2: 9.3
CVSS V3: -
Severity: HIGH
Stack-based buffer overflow in MDMUtil.dll in MDMTool.exe in MDM Tool before 2.3 in Moxa Device Manager allows remote MDM Gateways to execute arbitrary code via crafted data in a session on TCP port 54321. An attacker may exploit this issue to execute arbitrary code within the context of the application. Failed exploit attempts will likely cause denial-of-service conditions
VAR-201102-0174 CVE-2010-4733 WebSCADA Multiple Product Weak Password Vulnerabilities CVSS V2: 10.0
CVSS V3: -
Severity: HIGH
WebSCADA WS100 and WS200, Easy Connect EC150, Modbus RTU - TCP Gateway MB100, and Serial Ethernet Server SS100 on the IntelliCom NetBiter NB100 and NB200 platforms have a default username and password, which makes it easier for remote attackers to obtain superadmin access via the web interface, a different vulnerability than CVE-2009-4463. IntelliCom NetBiter NB100 and NB200 There are multiple vulnerabilities in products that run on the platform, including directory traversal. Other NB100 and NB200 Products that run on the platform may also be affected.By a third party with access to the product, superadmin Authority (Netbiter Top-level permissions ) By acquiring, system files and configuration files may be browsed. In addition, an arbitrary command may be executed by uploading malicious code. A remote attacker can gain access to the super administrator through the web interface
VAR-201102-0197 CVE-2010-4730 WebSCADA Multiple products cgi-bin/read.cgi Directory Traversal Vulnerability CVSS V2: 6.8
CVSS V3: -
Severity: MEDIUM
Directory traversal vulnerability in cgi-bin/read.cgi in WebSCADA WS100 and WS200, Easy Connect EC150, Modbus RTU - TCP Gateway MB100, and Serial Ethernet Server SS100 on the IntelliCom NetBiter NB100 and NB200 platforms allows remote authenticated administrators to read arbitrary files via a .. (dot dot) in the page parameter, a different vulnerability than CVE-2009-4463. IntelliCom NetBiter NB100 and NB200 Multiple running on the platform IntelliCom Product cgi-bin/read.cgi Contains a directory traversal vulnerability
VAR-201102-0173 CVE-2010-4732 WebSCADA Multiple products cgi-bin/read.cgi Remote code execution vulnerability CVSS V2: 9.0
CVSS V3: -
Severity: HIGH
cgi-bin/read.cgi in WebSCADA WS100 and WS200, Easy Connect EC150, Modbus RTU - TCP Gateway MB100, and Serial Ethernet Server SS100 on the IntelliCom NetBiter NB100 and NB200 platforms allows remote authenticated administrators to execute arbitrary code by using a config.html 2.conf action to replace the logo page's GIF image file with a file containing this code, a different vulnerability than CVE-2009-4463. IntelliCom NetBiter products based on the NB100 and NB200 platforms contain multiple vulnerabilities. IntelliCom NetBiter NB100 and NB200 Multiple running on the platform IntelliCom Product cgi-bin/read.cgi Is A vulnerability that allows arbitrary code execution exists
VAR-201102-0172 CVE-2010-4731 WebSCADA Multiple products cgi-bin/read.cgi Absolute path traversal vulnerability CVSS V2: 6.8
CVSS V3: -
Severity: MEDIUM
Absolute path traversal vulnerability in cgi-bin/read.cgi in WebSCADA WS100 and WS200, Easy Connect EC150, Modbus RTU - TCP Gateway MB100, and Serial Ethernet Server SS100 on the IntelliCom NetBiter NB100 and NB200 platforms allows remote authenticated administrators to read arbitrary files via a full pathname in the file parameter, a different vulnerability than CVE-2009-4463. IntelliCom NetBiter products based on the NB100 and NB200 platforms contain multiple vulnerabilities. IntelliCom NetBiter NB100 and NB200 Multiple running on the platform IntelliCom Product cgi-bin/read.cgi Is An absolute path traversal vulnerability exists
VAR-201102-0159 CVE-2011-0782 Google Chrome Service disruption in ( Application crash ) Vulnerabilities CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Google Chrome before 9.0.597.84 on Mac OS X does not properly mitigate an unspecified flaw in the Mac OS X 10.5 SSL libraries, which allows remote attackers to cause a denial of service (application crash) via unknown vectors. Google Chrome is prone to multiple vulnerabilities. Attackers may exploit these issues to execute arbitrary code in the context of the browser or cause denial-of-service conditions; other attacks are also possible. Chrome versions prior to 9.0.597.84 are vulnerable. Google Chrome is a web browser developed by Google (Google)
VAR-201102-0149 CVE-2011-0776 Mac OS X Run on Google Chrome Vulnerability in obtaining important information in sandbox implementation CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
The sandbox implementation in Google Chrome before 9.0.597.84 on Mac OS X might allow remote attackers to obtain potentially sensitive information about local files via vectors related to the stat system call. Google Chrome is prone to multiple vulnerabilities. Attackers may exploit these issues to execute arbitrary code in the context of the browser or cause denial-of-service conditions; other attacks are also possible. Chrome versions prior to 9.0.597.84 are vulnerable. Google Chrome is a web browser developed by Google (Google)
VAR-201102-0280 CVE-2010-4476 IBM Lotus vulnerable to denial-of-service (DoS)

Related entries in the VARIoT exploits database: VAR-E-201003-0021, VAR-E-201102-0765
CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
The Double.parseDouble method in Java Runtime Environment (JRE) in Oracle Java SE and Java for Business 6 Update 23 and earlier, 5.0 Update 27 and earlier, and 1.4.2_29 and earlier, as used in OpenJDK, Apache, JBossweb, and other products, allows remote attackers to cause a denial of service via a crafted string that triggers an infinite loop of estimations during conversion to a double-precision binary floating-point number, as demonstrated using 2.2250738585072012e-308. plural Oracle Product Java Runtime Environment Components include Java language and APIs There are vulnerabilities that affect availability due to flaws in the handling of.Service disruption by a third party (DoS) An attack may be carried out. IBM WebSphere Application Server (WAS) contains a denial-of-service (DoS) vulnerability. IBM WebSphere Application Server contains a denial-of-service (DoS) vulnerability due to an issue in Java Runtime Environment (JRE). According to the developer: " For other IBM software products that contain an affected version of WAS, require an update. Specifically, WebSphere Process Server (WPS), WebSphere Enterprise Service Bus (WESB), WebSphere Virtual Enterprise (WVE), WebSphere Commerce and others are applicable. Also, IBM HTTP Server is not affected by this vulnerability."A remote attacker may cause a denial-of-service (DoS). Oracle Java is prone to a remote denial-of-service vulnerability. Successful attacks will cause applications written in Java to hang, creating a denial-of-service condition. This issue affects both the Java compiler and Runtime Environment. =========================================================== Ubuntu Security Notice USN-1079-1 March 01, 2011 openjdk-6 vulnerabilities CVE-2010-4448, CVE-2010-4450, CVE-2010-4465, CVE-2010-4469, CVE-2010-4470, CVE-2010-4471, CVE-2010-4472, CVE-2010-4476, CVE-2011-0706 =========================================================== A security issue affects the following Ubuntu releases: Ubuntu 9.10 Ubuntu 10.04 LTS Ubuntu 10.10 This advisory also applies to the corresponding versions of Kubuntu, Edubuntu, and Xubuntu. The problem can be corrected by upgrading your system to the following package versions: Ubuntu 9.10: icedtea6-plugin 6b20-1.9.7-0ubuntu1~9.10.1 openjdk-6-jre 6b20-1.9.7-0ubuntu1~9.10.1 openjdk-6-jre-headless 6b20-1.9.7-0ubuntu1~9.10.1 openjdk-6-jre-lib 6b20-1.9.7-0ubuntu1~9.10.1 Ubuntu 10.04 LTS: icedtea6-plugin 6b20-1.9.7-0ubuntu1~10.04.1 openjdk-6-jre 6b20-1.9.7-0ubuntu1~10.04.1 openjdk-6-jre-headless 6b20-1.9.7-0ubuntu1~10.04.1 openjdk-6-jre-lib 6b20-1.9.7-0ubuntu1~10.04.1 Ubuntu 10.10: icedtea6-plugin 6b20-1.9.7-0ubuntu1 openjdk-6-jre 6b20-1.9.7-0ubuntu1 openjdk-6-jre-headless 6b20-1.9.7-0ubuntu1 openjdk-6-jre-lib 6b20-1.9.7-0ubuntu1 After a standard system update you need to restart any Java services, applications or applets to make all the necessary changes. Details follow: It was discovered that untrusted Java applets could create domain name resolution cache entries, allowing an attacker to manipulate name resolution within the JVM. (CVE-2010-4448) It was discovered that the Java launcher did not did not properly setup the LD_LIBRARY_PATH environment variable. A local attacker could exploit this to execute arbitrary code as the user invoking the program. (CVE-2010-4450) It was discovered that within the Swing library, forged timer events could allow bypass of SecurityManager checks. This could allow an attacker to access restricted resources. (CVE-2010-4465) It was discovered that certain bytecode combinations confused memory management within the HotSpot JVM. (CVE-2010-4469) It was discovered that the way JAXP components were handled allowed them to be manipulated by untrusted applets. An attacker could use this to bypass XML processing restrictions and elevate privileges. (CVE-2010-4470) It was discovered that the Java2D subcomponent, when processing broken CFF fonts could leak system properties. (CVE-2010-4471) It was discovered that a flaw in the XML Digital Signature component could allow an attacker to cause untrusted code to replace the XML Digital Signature Transform or C14N algorithm implementations. (CVE-2010-4472) Konstantin Prei\xdfer and others discovered that specific double literals were improperly handled, allowing a remote attacker to cause a denial of service. (CVE-2010-4476) It was discovered that the JNLPClassLoader class when handling multiple signatures allowed remote attackers to gain privileges due to the assignment of an inappropriate security descriptor. (CVE-2011-0706) Updated packages for Ubuntu 9.10: Source archives: http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/openjdk-6_6b20-1.9.7-0ubuntu1~9.10.1.diff.gz Size/MD5: 132023 8f8f9a8e3c033dbb852547dcfaa9213b http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/openjdk-6_6b20-1.9.7-0ubuntu1~9.10.1.dsc Size/MD5: 3018 9a6f0f82ce6e6963199fa5f1e0da963a http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/openjdk-6_6b20-1.9.7.orig.tar.gz Size/MD5: 73265927 c7367808152f71091603546acca43633 Architecture independent packages: http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/openjdk-6-doc_6b20-1.9.7-0ubuntu1~9.10.1_all.deb Size/MD5: 19980542 c56f9b378efdad1e9f0e6612eedb14f7 http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/openjdk-6-jre-lib_6b20-1.9.7-0ubuntu1~9.10.1_all.deb Size/MD5: 6168608 3193825377cfc1b486c2ab8ad1995d5a http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/openjdk-6-source_6b20-1.9.7-0ubuntu1~9.10.1_all.deb Size/MD5: 26867734 4764b5997e7f34e22a0cde19ea31e230 amd64 architecture (Athlon64, Opteron, EM64T Xeon): http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/icedtea-6-jre-cacao_6b20-1.9.7-0ubuntu1~9.10.1_amd64.deb Size/MD5: 433362 194f199c99819e8230676d9f5d370520 http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/icedtea6-plugin_6b20-1.9.7-0ubuntu1~9.10.1_amd64.deb Size/MD5: 83644 1850fd6280ba241df9afde6ebe99912f http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/openjdk-6-dbg_6b20-1.9.7-0ubuntu1~9.10.1_amd64.deb Size/MD5: 119625978 0d16cfb58e678ba32291d17c6d549d9c http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/openjdk-6-demo_6b20-1.9.7-0ubuntu1~9.10.1_amd64.deb Size/MD5: 2364474 d4eaa941ec07ca4514c52c76d05fa25d http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/openjdk-6-jdk_6b20-1.9.7-0ubuntu1~9.10.1_amd64.deb Size/MD5: 10865094 d7640162bc43f00bbe3f12dc2e49bac7 http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/openjdk-6-jre-headless_6b20-1.9.7-0ubuntu1~9.10.1_amd64.deb Size/MD5: 25652090 e8558953483cec1a6ae3dadf60cfb368 http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/openjdk-6-jre_6b20-1.9.7-0ubuntu1~9.10.1_amd64.deb Size/MD5: 270614 2fcec193a6f2f8ad0a22463af666be35 http://security.ubuntu.com/ubuntu/pool/universe/o/openjdk-6/openjdk-6-jre-zero_6b20-1.9.7-0ubuntu1~9.10.1_amd64.deb Size/MD5: 5595434 2c2e3038fe36644ccdb150442f166976 i386 architecture (x86 compatible Intel/AMD): http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/icedtea-6-jre-cacao_6b20-1.9.7-0ubuntu1~9.10.1_i386.deb Size/MD5: 418330 b3381b114b8f3d75dcf889b047695a9f http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/icedtea6-plugin_6b20-1.9.7-0ubuntu1~9.10.1_i386.deb Size/MD5: 79216 1fe94a88a1519ed36fc6b02e383e8730 http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/openjdk-6-dbg_6b20-1.9.7-0ubuntu1~9.10.1_i386.deb Size/MD5: 173001600 360b4b602a9d47c8849d8ed34f6fbb36 http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/openjdk-6-demo_6b20-1.9.7-0ubuntu1~9.10.1_i386.deb Size/MD5: 2351062 f12b8f456b08e941c8fc72cf175cc6c2 http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/openjdk-6-jdk_6b20-1.9.7-0ubuntu1~9.10.1_i386.deb Size/MD5: 10860096 f8a4b1b7b634bf676c49d8c10e98e90d http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/openjdk-6-jre-headless_6b20-1.9.7-0ubuntu1~9.10.1_i386.deb Size/MD5: 27503578 b2268b855dd46ab7d09d687018dc1bab http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/openjdk-6-jre_6b20-1.9.7-0ubuntu1~9.10.1_i386.deb Size/MD5: 255760 eaa165fe5896e278c1556e06b359ba5a http://security.ubuntu.com/ubuntu/pool/universe/o/openjdk-6/openjdk-6-jre-zero_6b20-1.9.7-0ubuntu1~9.10.1_i386.deb Size/MD5: 5090354 3200d4375dc339d7bea9bf6891371e8a lpia architecture (Low Power Intel Architecture): http://ports.ubuntu.com/pool/main/o/openjdk-6/icedtea-6-jre-cacao_6b20-1.9.7-0ubuntu1~9.10.1_lpia.deb Size/MD5: 422460 c1860838f90962bd062bc94e15a54882 http://ports.ubuntu.com/pool/main/o/openjdk-6/icedtea6-plugin_6b20-1.9.7-0ubuntu1~9.10.1_lpia.deb Size/MD5: 81886 fe55f899cbd5229d2a0bc700c5adcbaf http://ports.ubuntu.com/pool/main/o/openjdk-6/openjdk-6-dbg_6b20-1.9.7-0ubuntu1~9.10.1_lpia.deb Size/MD5: 173186376 5f012c5e1da278fd45768c0f3d03fdbd http://ports.ubuntu.com/pool/main/o/openjdk-6/openjdk-6-demo_6b20-1.9.7-0ubuntu1~9.10.1_lpia.deb Size/MD5: 2348232 c299fb1a25242f12d5ac6d64bbee37b9 http://ports.ubuntu.com/pool/main/o/openjdk-6/openjdk-6-jdk_6b20-1.9.7-0ubuntu1~9.10.1_lpia.deb Size/MD5: 10856042 01d04643edafefa871c3097c20620004 http://ports.ubuntu.com/pool/main/o/openjdk-6/openjdk-6-jre-headless_6b20-1.9.7-0ubuntu1~9.10.1_lpia.deb Size/MD5: 27546882 cac5bed09db3d8ab61d037bb4f072c9d http://ports.ubuntu.com/pool/main/o/openjdk-6/openjdk-6-jre_6b20-1.9.7-0ubuntu1~9.10.1_lpia.deb Size/MD5: 251964 f6cf95b2324ccdc94c32ca6f028a05c2 http://ports.ubuntu.com/pool/universe/o/openjdk-6/openjdk-6-jre-zero_6b20-1.9.7-0ubuntu1~9.10.1_lpia.deb Size/MD5: 5080344 e539a9d0ccaed2e5ab986439d5b936d1 sparc architecture (Sun SPARC/UltraSPARC): http://ports.ubuntu.com/pool/main/o/openjdk-6/icedtea6-plugin_6b20-1.9.7-0ubuntu1~9.10.1_sparc.deb Size/MD5: 79628 2d9343fbbfb3354635ff44ad959f675a http://ports.ubuntu.com/pool/main/o/openjdk-6/openjdk-6-dbg_6b20-1.9.7-0ubuntu1~9.10.1_sparc.deb Size/MD5: 119246950 959d148ae623498f4771b5a5c047c144 http://ports.ubuntu.com/pool/main/o/openjdk-6/openjdk-6-demo_6b20-1.9.7-0ubuntu1~9.10.1_sparc.deb Size/MD5: 2364678 efa3630d68a7dd14a310661f306287ad http://ports.ubuntu.com/pool/main/o/openjdk-6/openjdk-6-jdk_6b20-1.9.7-0ubuntu1~9.10.1_sparc.deb Size/MD5: 10861170 3fd7739be63e6a7db17bfa1feb699743 http://ports.ubuntu.com/pool/main/o/openjdk-6/openjdk-6-jre-headless_6b20-1.9.7-0ubuntu1~9.10.1_sparc.deb Size/MD5: 27390710 0f1a7e8cd028570183bc794d3829657a http://ports.ubuntu.com/pool/main/o/openjdk-6/openjdk-6-jre_6b20-1.9.7-0ubuntu1~9.10.1_sparc.deb Size/MD5: 256834 9e9918705b010beb561d4c3d954ab1c9 Updated packages for Ubuntu 10.04 LTS: Source archives: http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/openjdk-6_6b20-1.9.7-0ubuntu1~10.04.1.diff.gz Size/MD5: 131924 fb001ec87e0d1eede115ebea43284a18 http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/openjdk-6_6b20-1.9.7-0ubuntu1~10.04.1.dsc Size/MD5: 3077 83502b062785deb8f22fc8e4041b47f9 http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/openjdk-6_6b20-1.9.7.orig.tar.gz Size/MD5: 73265927 c7367808152f71091603546acca43633 Architecture independent packages: http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/openjdk-6-doc_6b20-1.9.7-0ubuntu1~10.04.1_all.deb Size/MD5: 19980692 4c61d9b4f4083542287ae07afac74ca1 http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/openjdk-6-jre-lib_6b20-1.9.7-0ubuntu1~10.04.1_all.deb Size/MD5: 6155846 8dc7a0e065b6fd89eef7a709187ce2de http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/openjdk-6-source_6b20-1.9.7-0ubuntu1~10.04.1_all.deb Size/MD5: 26867826 304a038eeeae71442b4e501b3e283714 amd64 architecture (Athlon64, Opteron, EM64T Xeon): http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/icedtea-6-jre-cacao_6b20-1.9.7-0ubuntu1~10.04.1_amd64.deb Size/MD5: 434572 e1fc47200cf11b3c81a8e6639c80e382 http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/icedtea6-plugin_6b20-1.9.7-0ubuntu1~10.04.1_amd64.deb Size/MD5: 84120 3bcde6d60e334229526d60db1b498938 http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/openjdk-6-dbg_6b20-1.9.7-0ubuntu1~10.04.1_amd64.deb Size/MD5: 119346732 c7629c22f432fb7fc10231d6897a946d http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/openjdk-6-demo_6b20-1.9.7-0ubuntu1~10.04.1_amd64.deb Size/MD5: 2385162 d4353bd1f6c45d0651e603866121664d http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/openjdk-6-jdk_6b20-1.9.7-0ubuntu1~10.04.1_amd64.deb Size/MD5: 11089866 0184ade5d87685c2a7307c575a540e9f http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/openjdk-6-jre-headless_6b20-1.9.7-0ubuntu1~10.04.1_amd64.deb Size/MD5: 25658636 9c13db46dcb373942672f3967d5548a2 http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/openjdk-6-jre_6b20-1.9.7-0ubuntu1~10.04.1_amd64.deb Size/MD5: 270708 f6d713158d9932df48164c891d3eb145 http://security.ubuntu.com/ubuntu/pool/universe/o/openjdk-6/openjdk-6-jre-zero_6b20-1.9.7-0ubuntu1~10.04.1_amd64.deb Size/MD5: 2267148 a44010b2453cce581860e870f32dd087 i386 architecture (x86 compatible Intel/AMD): http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/icedtea-6-jre-cacao_6b20-1.9.7-0ubuntu1~10.04.1_i386.deb Size/MD5: 415624 d15cc6c0c52d503c38f98faff1bc30e2 http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/icedtea6-plugin_6b20-1.9.7-0ubuntu1~10.04.1_i386.deb Size/MD5: 79614 077be5976430a61454f8523a0c95e9b9 http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/openjdk-6-dbg_6b20-1.9.7-0ubuntu1~10.04.1_i386.deb Size/MD5: 172710800 fd4c441fe3d9f0c774cca6a67a895bff http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/openjdk-6-demo_6b20-1.9.7-0ubuntu1~10.04.1_i386.deb Size/MD5: 2351412 b085460c2ba7349a7958272976655f05 http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/openjdk-6-jdk_6b20-1.9.7-0ubuntu1~10.04.1_i386.deb Size/MD5: 10866004 fdd33f76031612cd89241c10985e7f57 http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/openjdk-6-jre-headless_6b20-1.9.7-0ubuntu1~10.04.1_i386.deb Size/MD5: 27524020 34ba802f981629a53afb5873be695257 http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/openjdk-6-jre_6b20-1.9.7-0ubuntu1~10.04.1_i386.deb Size/MD5: 255930 e0399bdfc68f3d5f62a584bb95b48a8d http://security.ubuntu.com/ubuntu/pool/universe/o/openjdk-6/openjdk-6-jre-zero_6b20-1.9.7-0ubuntu1~10.04.1_i386.deb Size/MD5: 1950358 a284c70b9f14e1b5c867fd1202d08f4c powerpc architecture (Apple Macintosh G3/G4/G5): http://ports.ubuntu.com/pool/main/o/openjdk-6/icedtea-6-jre-cacao_6b20-1.9.7-0ubuntu1~10.04.1_powerpc.deb Size/MD5: 445820 d6a7b3a6c5f189778835cf34628b7ddd http://ports.ubuntu.com/pool/main/o/openjdk-6/icedtea6-plugin_6b20-1.9.7-0ubuntu1~10.04.1_powerpc.deb Size/MD5: 83644 c0257ca2ef07736055eb16433168af41 http://ports.ubuntu.com/pool/main/o/openjdk-6/openjdk-6-dbg_6b20-1.9.7-0ubuntu1~10.04.1_powerpc.deb Size/MD5: 103439294 f09b1899938c0182f7ce902edfaaf317 http://ports.ubuntu.com/pool/main/o/openjdk-6/openjdk-6-demo_6b20-1.9.7-0ubuntu1~10.04.1_powerpc.deb Size/MD5: 2365544 274fe490551a9b1f401f8fa5553520c8 http://ports.ubuntu.com/pool/main/o/openjdk-6/openjdk-6-jdk_6b20-1.9.7-0ubuntu1~10.04.1_powerpc.deb Size/MD5: 8800212 198652d4cdfdf0c556d2bbb8bef737d8 http://ports.ubuntu.com/pool/main/o/openjdk-6/openjdk-6-jre-headless_6b20-1.9.7-0ubuntu1~10.04.1_powerpc.deb Size/MD5: 23984718 cdc5f5218f5a52e43e851669c83bc78a http://ports.ubuntu.com/pool/main/o/openjdk-6/openjdk-6-jre_6b20-1.9.7-0ubuntu1~10.04.1_powerpc.deb Size/MD5: 275112 d6d1d43bdc1ffc183ff445ab13520d99 http://ports.ubuntu.com/pool/universe/o/openjdk-6/openjdk-6-jre-zero_6b20-1.9.7-0ubuntu1~10.04.1_powerpc.deb Size/MD5: 2081124 8331f8dd7984affdf80b6f9d23730092 sparc architecture (Sun SPARC/UltraSPARC): http://ports.ubuntu.com/pool/main/o/openjdk-6/icedtea6-plugin_6b20-1.9.7-0ubuntu1~10.04.1_sparc.deb Size/MD5: 77768 5c106bae12bb4179d85fff87223c99e1 http://ports.ubuntu.com/pool/main/o/openjdk-6/openjdk-6-dbg_6b20-1.9.7-0ubuntu1~10.04.1_sparc.deb Size/MD5: 119229200 36817084227488a4e1a492f7e31401fc http://ports.ubuntu.com/pool/main/o/openjdk-6/openjdk-6-demo_6b20-1.9.7-0ubuntu1~10.04.1_sparc.deb Size/MD5: 2365852 820fbb1e9582d1d873d91628212b9318 http://ports.ubuntu.com/pool/main/o/openjdk-6/openjdk-6-jdk_6b20-1.9.7-0ubuntu1~10.04.1_sparc.deb Size/MD5: 10890122 44edcc5ec2865e1ccf83fa6078f2ba41 http://ports.ubuntu.com/pool/main/o/openjdk-6/openjdk-6-jre-headless_6b20-1.9.7-0ubuntu1~10.04.1_sparc.deb Size/MD5: 27312064 b14155e1c81c72e8cc417b048e0bd248 http://ports.ubuntu.com/pool/main/o/openjdk-6/openjdk-6-jre_6b20-1.9.7-0ubuntu1~10.04.1_sparc.deb Size/MD5: 257342 b32c4d79c2c40d7e4fbb64eaf2526855 Updated packages for Ubuntu 10.10: Source archives: http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/openjdk-6_6b20-1.9.7-0ubuntu1.diff.gz Size/MD5: 134634 7aedf5fbd40f1f2130973bfefe27967f http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/openjdk-6_6b20-1.9.7-0ubuntu1.dsc Size/MD5: 3004 51ee24f36d60d02346ee005c0aee2088 http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/openjdk-6_6b20-1.9.7.orig.tar.gz Size/MD5: 73265927 c7367808152f71091603546acca43633 Architecture independent packages: http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/openjdk-6-doc_6b20-1.9.7-0ubuntu1_all.deb Size/MD5: 20562864 46095f1897eea0e6d70423d7a23269c6 http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/openjdk-6-jre-lib_6b20-1.9.7-0ubuntu1_all.deb Size/MD5: 6198968 774addae41a72893e60f02650de568b7 http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/openjdk-6-source_6b20-1.9.7-0ubuntu1_all.deb Size/MD5: 26928136 10019899c8fc6063e8b643a3d0829aa7 amd64 architecture (Athlon64, Opteron, EM64T Xeon): http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/icedtea-6-jre-cacao_6b20-1.9.7-0ubuntu1_amd64.deb Size/MD5: 433966 6c101b0579693816e711cdc9d76c3bab http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/icedtea6-plugin_6b20-1.9.7-0ubuntu1_amd64.deb Size/MD5: 83388 359c1e0d27682752a895345af75b47f4 http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/openjdk-6-dbg_6b20-1.9.7-0ubuntu1_amd64.deb Size/MD5: 119379672 d136a0ab23a9bf7c07b24812599d07bb http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/openjdk-6-demo_6b20-1.9.7-0ubuntu1_amd64.deb Size/MD5: 2380008 37eb9917cd8fcf9f08f7ca77890277e0 http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/openjdk-6-jdk_6b20-1.9.7-0ubuntu1_amd64.deb Size/MD5: 11087378 a77b777520f47ce4bff9437eb26129ed http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/openjdk-6-jre-headless_6b20-1.9.7-0ubuntu1_amd64.deb Size/MD5: 25646582 1f645f4e5c95b63633baae8f7ab9fda8 http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/openjdk-6-jre_6b20-1.9.7-0ubuntu1_amd64.deb Size/MD5: 266940 de3f27cae5f34810e42c470d18fefecc http://security.ubuntu.com/ubuntu/pool/universe/o/openjdk-6/openjdk-6-jre-zero_6b20-1.9.7-0ubuntu1_amd64.deb Size/MD5: 2268542 f23b61fe5f230e554fb41a3ff323672f i386 architecture (x86 compatible Intel/AMD): http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/icedtea-6-jre-cacao_6b20-1.9.7-0ubuntu1_i386.deb Size/MD5: 417050 9c003b4582a4e6b7d97ba8bbb18b80b2 http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/icedtea6-plugin_6b20-1.9.7-0ubuntu1_i386.deb Size/MD5: 78710 771ce5238b907b978b3a7b67230dbca4 http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/openjdk-6-dbg_6b20-1.9.7-0ubuntu1_i386.deb Size/MD5: 172785086 09ec100605da4543d8231f4ca6cf4704 http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/openjdk-6-demo_6b20-1.9.7-0ubuntu1_i386.deb Size/MD5: 2356270 4286ca0e879d8f3f5eca9c25cf9164a3 http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/openjdk-6-jdk_6b20-1.9.7-0ubuntu1_i386.deb Size/MD5: 11080866 7c7b7961c81029664a5c06f2760574f9 http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/openjdk-6-jre-headless_6b20-1.9.7-0ubuntu1_i386.deb Size/MD5: 27498842 f697dde85d12ccd09b03278ad1f82d4b http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/openjdk-6-jre_6b20-1.9.7-0ubuntu1_i386.deb Size/MD5: 251716 d7780c05caa3795f8d85f0377fe8cb33 http://security.ubuntu.com/ubuntu/pool/universe/o/openjdk-6/openjdk-6-jre-zero_6b20-1.9.7-0ubuntu1_i386.deb Size/MD5: 1948114 ad3d65cf6efa37624c258e3402403a2e powerpc architecture (Apple Macintosh G3/G4/G5): http://ports.ubuntu.com/pool/main/o/openjdk-6/icedtea-6-jre-cacao_6b20-1.9.7-0ubuntu1_powerpc.deb Size/MD5: 445086 c7b85f64fb0604452ff4cbb93330cc3b http://ports.ubuntu.com/pool/main/o/openjdk-6/icedtea6-plugin_6b20-1.9.7-0ubuntu1_powerpc.deb Size/MD5: 82778 a0b66d5cc190a476807f6e62c9a760bb http://ports.ubuntu.com/pool/main/o/openjdk-6/openjdk-6-dbg_6b20-1.9.7-0ubuntu1_powerpc.deb Size/MD5: 103486780 19b9ec766df638f96405821ca0cf3ee9 http://ports.ubuntu.com/pool/main/o/openjdk-6/openjdk-6-demo_6b20-1.9.7-0ubuntu1_powerpc.deb Size/MD5: 2363402 8fbddd30efec8ec28b18ebe2d483d657 http://ports.ubuntu.com/pool/main/o/openjdk-6/openjdk-6-jdk_6b20-1.9.7-0ubuntu1_powerpc.deb Size/MD5: 8794584 7c9fc5c447ec6d8c8a8e10ec263c87b0 http://ports.ubuntu.com/pool/main/o/openjdk-6/openjdk-6-jre-headless_6b20-1.9.7-0ubuntu1_powerpc.deb Size/MD5: 23970202 11a3b23dc513235f424a2839f36c6dad http://ports.ubuntu.com/pool/main/o/openjdk-6/openjdk-6-jre_6b20-1.9.7-0ubuntu1_powerpc.deb Size/MD5: 270480 40f0248590069e6cdc330fe0f7d42abf http://ports.ubuntu.com/pool/universe/o/openjdk-6/openjdk-6-jre-zero_6b20-1.9.7-0ubuntu1_powerpc.deb Size/MD5: 2080594 d3662a60a1d921f02a4594991c54c7e2 . Such input strings represent valid numbers and can be contained in data supplied by an attacker over the network, leading to a denial-of-service attack. For technical reasons, this update will be released separately. For the testing distribution (wheezy) and the unstable distribution (sid), this problem will be fixed soon. We recommend that you upgrade your openjdk-6 packages. HP OpenVMS running J2SE 1.42 on Alpha platforms: v 1.42-9 and earlier. HP OpenVMS running J2SE 1.42 on I64 platforms: v 1.42-6 and earlier. HP OpenVMS running J2SE 5.0 on Alpha platforms: v 1.50-7 and earlier. HP OpenVMS running J2SE 5.0 on I64 platforms: v 1.50-6 and earlier. HP OpenVMS running Java SE 6 on Alpha and I64 platforms: v 6.0-2 and earlier. ---------------------------------------------------------------------- Get a tax break on purchases of Secunia Solutions! If you are a U.S. company, you may be qualified for a tax break for your software purchases. Learn more at: http://secunia.com/products/corporate/vim/section_179/ ---------------------------------------------------------------------- TITLE: Sun Java JDK / JRE / SDK "doubleValue()" Denial of Service Vulnerability SECUNIA ADVISORY ID: SA43262 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/43262/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=43262 RELEASE DATE: 2011-02-09 DISCUSS ADVISORY: http://secunia.com/advisories/43262/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/43262/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=43262 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: Konstantin Preiber has reported a vulnerability in Sun Java, which can be exploited by malicious people to cause a DoS (Denial of Service). The vulnerability is caused due to an error in the "doubleValue()" method in FloatingDecimal.java when converting "2.2250738585072012e-308" from a string type to a double precision binary floating point and can be exploited to cause an infinite loop. * Sun SDK 1.4.2_29 and prior. SOLUTION: Apply patch via the FPUpdater tool. PROVIDED AND/OR DISCOVERED BY: Konstantin Preiber ORIGINAL ADVISORY: Oracle: http://www.oracle.com/technetwork/topics/security/alert-cve-2010-4476-305811.html Konstantin Preiber: http://www.exploringbinary.com/why-volatile-fixes-the-2-2250738585072011e-308-bug/comment-page-1/#comment-4645 OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXPLOIT: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ---------------------------------------------------------------------- . For more information see vulnerability #1 in: SA43262 Please see the vendor's advisory for the list of affected products. Please see the vendor's advisory for more details. Summary: Updated java-1.6.0-ibm packages that fix several security issues are now available for Red Hat Network Satellite 5.4.1 for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having low security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. Relevant releases/architectures: Red Hat Network Satellite Server 5.4 (RHEL v.5) - i386, s390x, x86_64 3. In a typical operating environment, these are of low security risk as the runtime is not used on untrusted applets. Detailed vulnerability descriptions are linked from the IBM "Security alerts" page, listed in the References section. (CVE-2009-3555, CVE-2010-1321, CVE-2010-3541, CVE-2010-3548, CVE-2010-3549, CVE-2010-3550, CVE-2010-3551, CVE-2010-3553, CVE-2010-3555, CVE-2010-3556, CVE-2010-3557, CVE-2010-3558, CVE-2010-3560, CVE-2010-3562, CVE-2010-3563, CVE-2010-3565, CVE-2010-3566, CVE-2010-3568, CVE-2010-3569, CVE-2010-3571, CVE-2010-3572, CVE-2010-3573, CVE-2010-3574, CVE-2010-4422, CVE-2010-4447, CVE-2010-4448, CVE-2010-4452, CVE-2010-4454, CVE-2010-4462, CVE-2010-4463, CVE-2010-4465, CVE-2010-4466, CVE-2010-4467, CVE-2010-4468, CVE-2010-4471, CVE-2010-4473, CVE-2010-4475, CVE-2010-4476) Users of Red Hat Network Satellite 5.4.1 are advised to upgrade to these updated java-1.6.0-ibm packages, which contain the IBM 1.6.0 SR9-FP1 Java release. For this update to take effect, Red Hat Network Satellite must be restarted. Refer to the Solution section for details. Solution: Before applying this update, make sure all previously-released errata relevant to your system have been applied. This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/kb/docs/DOC-11259 Run the following command to restart the Red Hat Network Satellite server: # rhn-satellite restart 5. Bugs fixed (http://bugzilla.redhat.com/): 533125 - CVE-2009-3555 TLS: MITM attacks via session renegotiation 582466 - CVE-2010-1321 krb5: null pointer dereference in GSS-API library leads to DoS (MITKRB5-SA-2010-005) 639876 - CVE-2010-3568 OpenJDK Deserialization Race condition (6559775) 639897 - CVE-2010-3562 OpenJDK IndexColorModel double-free (6925710) 639904 - CVE-2010-3557 OpenJDK Swing mutable static (6938813) 639909 - CVE-2010-3548 OpenJDK DNS server IP address information leak (6957564) 639920 - CVE-2010-3565 OpenJDK JPEG writeImage remote code execution (6963023) 639922 - CVE-2010-3566 OpenJDK ICC Profile remote code execution (6963489) 639925 - CVE-2010-3569 OpenJDK Serialization inconsistencies (6966692) 642167 - CVE-2010-3553 OpenJDK Swing unsafe reflection usage (6622002) 642180 - CVE-2010-3549 OpenJDK HttpURLConnection request splitting (6952017) 642187 - CVE-2010-3551 OpenJDK local network address disclosure (6952603) 642202 - CVE-2010-3541 CVE-2010-3573 OpenJDK HttpURLConnection allows arbitrary request headers (6961084,6980004) 642215 - CVE-2010-3574 OpenJDK HttpURLConnection incomplete TRACE permission check (6981426) 642558 - CVE-2010-3555 JDK unspecified vulnerability in Deployment component 642559 - CVE-2010-3550 JDK unspecified vulnerability in Java Web Start component 642573 - CVE-2010-3560 JDK unspecified vulnerability in Networking component 642576 - CVE-2010-3556 JDK unspecified vulnerability in 2D component 642585 - CVE-2010-3571 JDK unspecified vulnerability in 2D component 642589 - CVE-2010-3563 JDK unspecified vulnerability in Deployment component 642593 - CVE-2010-3558 JDK unspecified vulnerability in Java Web Start component 642611 - CVE-2010-3572 JDK unspecified vulnerability in Sound component 674336 - CVE-2010-4476 JDK Double.parseDouble Denial-Of-Service 675984 - CVE-2010-4465 OpenJDK Swing timer-based security manager bypass (6907662) 676019 - CVE-2010-4471 OpenJDK Java2D font-related system property leak (6985453) 676023 - CVE-2010-4448 OpenJDK DNS cache poisoning by untrusted applets (6981922) 677957 - CVE-2010-4475 JDK unspecified vulnerability in Deployment component 677958 - CVE-2010-4473 JDK unspecified vulnerability in Sound component 677959 - CVE-2010-4468 JDK unspecified vulnerability in JDBC component 677960 - CVE-2010-4467 JDK unspecified vulnerability in Deployment component 677961 - CVE-2010-4466 JDK unspecified vulnerability in Deployment component 677963 - CVE-2010-4463 JDK unspecified vulnerability in Deployment component 677966 - CVE-2010-4462 JDK unspecified vulnerability in Sound component 677967 - CVE-2010-4454 JDK unspecified vulnerability in Sound component 677968 - CVE-2010-4452 JDK unspecified vulnerability in Deployment component 677970 - CVE-2010-4447 JDK unspecified vulnerability in Deployment component 677971 - CVE-2010-4422 JDK unspecified vulnerability in Deployment component 6. Package List: Red Hat Network Satellite Server 5.4 (RHEL v.5): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/RHNSAT/SRPMS/java-1.6.0-ibm-1.6.0.9.1-1jpp.1.el5.src.rpm i386: java-1.6.0-ibm-1.6.0.9.1-1jpp.1.el5.i386.rpm java-1.6.0-ibm-devel-1.6.0.9.1-1jpp.1.el5.i386.rpm s390x: java-1.6.0-ibm-1.6.0.9.1-1jpp.1.el5.s390x.rpm java-1.6.0-ibm-devel-1.6.0.9.1-1jpp.1.el5.s390x.rpm x86_64: java-1.6.0-ibm-1.6.0.9.1-1jpp.1.el5.x86_64.rpm java-1.6.0-ibm-devel-1.6.0.9.1-1jpp.1.el5.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/#package 7. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2011 Red Hat, Inc. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 SUPPORT COMMUNICATION - SECURITY BULLETIN Document ID: c02729756 Version: 1 HPSBUX02633 SSRT100387 rev.1 - HP-UX running Java, Remote Denial of Service (DoS) NOTICE: The information in this Security Bulletin should be acted upon as soon as possible. Release Date: 2011-02-23 Last Updated: 2011-02-23 ------------------------------------------------------------------------------ Potential Security Impact: Remote Denial of Service (DoS) Source: Hewlett-Packard Company, HP Software Security Response Team VULNERABILITY SUMMARY A potential vulnerability has been identified with HP-UX running Java. The vulnerability could be remotely exploited to create a Denial of Service (DoS). References: CVE-2010-4476 SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed. Any version of Java running on HP-UX 11.11, HP-UX 11.23, or HP-UX 11.31. BACKGROUND CVSS 2.0 Base Metrics =========================================================== Reference Base Vector Base Score CVE-2010-4476 (AV:N/AC:L/Au:N/C:N/I:N/A:C) 7.8 =========================================================== Information on CVSS is documented in HP Customer Notice: HPSN-2008-002 RESOLUTION HP has made the following software tool available to resolve the vulnerability. This tool can be used to update all versions of HP-UX Java. To download the FPUpdater tool, go to https://www.hp.com/go/java then click on the link for the FPUpdater tool An HP Passport user ID is required to download the FPUpdater tool and its Readme file. For information on registering for an HP Passport user ID, refer to: https://passport2.hp.com MANUAL ACTIONS: Yes - Update Update using FPUpdater The following text is for use by the HP-UX Software Assistant. AFFECTED VERSIONS HP-UX B.11.11 HP-UX B.11.23 HP-UX B.11.31 =========== action: update using FPUpdater if Java is installed END AFFECTED VERSIONS PRODUCT SPECIFIC INFORMATION HP-UX Software Assistant: HP-UX Software Assistant is an enhanced application that replaces HP-UX Security Patch Check. It analyzes all Security Bulletins issued by HP and lists recommended actions that may apply to a specific HP-UX system. It can also download patches and create a depot automatically. For more information see: https://www.hp.com/go/swa HISTORY Version:1 (rev.1) - 23 February 2011 Initial release Third Party Security Patches: Third party security patches that are to be installed on systems running HP software products should be applied in accordance with the customer's patch management policy. Support: For further information, contact normal HP Services support channel. Report: To report a potential security vulnerability with any HP supported product, send Email to: security-alert@hp.com It is strongly recommended that security related information being communicated to HP be encrypted using PGP, especially exploit information. To get the security-alert PGP key, please send an e-mail message as follows: To: security-alert@hp.com Subject: get key Subscribe: To initiate a subscription to receive future HP Security Bulletins via Email: http://h30046.www3.hp.com/driverAlertProfile.php?regioncode=NA&langcode=USENG&jumpid=in_SC-GEN__driverITRC&topiccode=ITRC On the web page: ITRC security bulletins and patch sign-up Under Step1: your ITRC security bulletins and patches -check ALL categories for which alerts are required and continue. Under Step2: your ITRC operating systems -verify your operating system selections are checked and save. To update an existing subscription: http://h30046.www3.hp.com/subSignIn.php Log in on the web page: Subscriber's choice for Business: sign-in. On the web page: Subscriber's Choice: your profile summary - use Edit Profile to update appropriate sections. To review previously published Security Bulletins visit: http://www.itrc.hp.com/service/cki/secBullArchive.do * The Software Product Category that this Security Bulletin relates to is represented by the 5th and 6th characters of the Bulletin number in the title: GN = HP General SW MA = HP Management Agents MI = Misc. 3rd Party SW MP = HP MPE/iX NS = HP NonStop Servers OV = HP OpenVMS PI = HP Printing & Imaging ST = HP Storage SW TL = HP Trusted Linux TU = HP Tru64 UNIX UX = HP-UX VV = HP VirtualVault System management and security procedures must be reviewed frequently to maintain system integrity. HP is continually reviewing and enhancing the security features of software products to provide customers with current secure solutions. "HP is broadly distributing this Security Bulletin in order to bring to the attention of users of the affected HP products the important security information contained in this Bulletin. HP recommends that all users determine the applicability of this information to their individual situations and take appropriate action. HP does not warrant that this information is necessarily accurate or complete for all user situations and, consequently, HP will not be responsible for any damages resulting from user's use or disregard of the information provided in this Bulletin. To the extent permitted by law, HP disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose, title and non-infringement." Copyright 2011 Hewlett-Packard Development Company, L.P. Hewlett-Packard Company shall not be liable for technical or editorial errors or omissions contained herein. The information provided is provided "as is" without warranty of any kind. To the extent permitted by law, neither HP or its affiliates, subcontractors or suppliers will be liable for incidental,special or consequential damages including downtime cost; lost profits;damages relating to the procurement of substitute products or services; or damages for loss of data, or software restoration. The information in this document is subject to change without notice. Hewlett-Packard Company and the names of Hewlett-Packard products referenced herein are trademarks of Hewlett-Packard Company in the United States and other countries. Other product and company names mentioned herein may be trademarks of their respective owners. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - ------------------------------------------------------------------------ VMware Security Advisory Advisory ID: VMSA-2011-0013 Synopsis: VMware third party component updates for VMware vCenter Server, vCenter Update Manager, ESXi and ESX Issue date: 2011-10-27 Updated on: 2011-10-27 (initial release of advisory) CVE numbers: --- openssl --- CVE-2008-7270 CVE-2010-4180 --- libuser --- CVE-2011-0002 --- nss, nspr --- CVE-2010-3170 CVE-2010-3173 --- Oracle (Sun) JRE 1.6.0 --- CVE-2010-1321 CVE-2010-3541 CVE-2010-3548 CVE-2010-3549 CVE-2010-3550 CVE-2010-3551 CVE-2010-3552 CVE-2010-3553 CVE-2010-3554 CVE-2010-3555 CVE-2010-3556 CVE-2010-3557 CVE-2010-3558 CVE-2010-3559 CVE-2010-3560 CVE-2010-3561 CVE-2010-3562 CVE-2010-3563 CVE-2010-3565 CVE-2010-3566 CVE-2010-3567 CVE-2010-3568 CVE-2010-3569 CVE-2010-3570 CVE-2010-3571 CVE-2010-3572 CVE-2010-3573 CVE-2010-3574 CVE-2010-4422 CVE-2010-4447 CVE-2010-4448 CVE-2010-4450 CVE-2010-4451 CVE-2010-4452 CVE-2010-4454 CVE-2010-4462 CVE-2010-4463 CVE-2010-4465 CVE-2010-4466 CVE-2010-4467 CVE-2010-4468 CVE-2010-4469 CVE-2010-4470 CVE-2010-4471 CVE-2010-4472 CVE-2010-4473 CVE-2010-4474 CVE-2010-4475 CVE-2010-4476 --- Oracle (Sun) JRE 1.5.0 --- CVE-2010-4447 CVE-2010-4448 CVE-2010-4450 CVE-2010-4454 CVE-2010-4462 CVE-2010-4465 CVE-2010-4466 CVE-2010-4468 CVE-2010-4469 CVE-2010-4473 CVE-2010-4475 CVE-2010-4476 CVE-2011-0862 CVE-2011-0873 CVE-2011-0815 CVE-2011-0864 CVE-2011-0802 CVE-2011-0814 CVE-2011-0871 CVE-2011-0867 CVE-2011-0865 --- SFCB --- CVE-2010-2054 - ------------------------------------------------------------------------ 1. Summary Update 2 for vCenter Server 4.1, vCenter Update Manager 4.1, vSphere Hypervisor (ESXi) 4.1 and ESX 4.1 addresses several security issues. 2. Relevant releases vCenter Server 4.1 without Update 2 vCenter Update Manager 4.1 without Update 2 ESXi 4.1 without patch ESX410-201110201-SG. ESX 4.1 without patches ESX410-201110201-SG, ESX410-201110204-SG, ESX410-201110206-SG,ESX410-201110214-SG. 3. Problem Description a. ESX third party update for Service Console openssl RPM The Service Console openssl RPM is updated to openssl-0.9.8e.12.el5_5.7 resolving two security issues. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2008-7270 and CVE-2010-4180 to these issues. Column 4 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available. VMware Product Running Replace with/ Product Version on Apply Patch ========= ======== ======= ================= vCenter any Windows not affected hosted* any any not affected ESXi any any not affected ESX 4.1 ESX ESX410-201110204-SG ESX 4.0 ESX patch pending ESX 3.5 ESX not applicable ESX 3.0.3 ESX not applicable * hosted products are VMware Workstation, Player, ACE, Fusion. b. ESX third party update for Service Console libuser RPM The Service Console libuser RPM is updated to version 0.54.7-2.1.el5_5.2 to resolve a security issue. The Common Vulnerabilities and Exposures Project (cve.mitre.org) has assigned the name CVE-2011-0002 to this issue. Column 4 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available. VMware Product Running Replace with/ Product Version on Apply Patch ========= ======== ======= ================= vCenter any Windows not affected hosted* any any not affected ESXi any ESXi not affected ESX 4.1 ESX ESX410-201110206-SG ESX 4.0 ESX patch pending ESX 3.5 ESX not applicable ESX 3.0.3 ESX not applicable * hosted products are VMware Workstation, Player, ACE, Fusion. c. ESX third party update for Service Console nss and nspr RPMs The Service Console Network Security Services (NSS) and Netscape Portable Runtime (NSPR) libraries are updated to nspr-4.8.6-1 and nss-3.12.8-4 resolving multiple security issues. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2010-3170 and CVE-2010-3173 to these issues. Column 4 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available. VMware Product Running Replace with/ Product Version on Apply Patch ========= ======== ======= ================= vCenter any Windows not affected hosted* any any not affected ESXi any ESXi not affected ESX 4.1 ESX ESX410-201110214-SG ESX 4.0 ESX patch pending ESX 3.5 ESX not applicable ESX 3.0.3 ESX not applicable * hosted products are VMware Workstation, Player, ACE, Fusion. d. vCenter Server and ESX, Oracle (Sun) JRE update 1.6.0_24 Oracle (Sun) JRE is updated to version 1.6.0_24, which addresses multiple security issues that existed in earlier releases of Oracle (Sun) JRE. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the following names to the security issues fixed in JRE 1.6.0_24: CVE-2010-4422, CVE-2010-4447, CVE-2010-4448, CVE-2010-4450, CVE-2010-4451, CVE-2010-4452, CVE-2010-4454, CVE-2010-4462, CVE-2010-4463, CVE-2010-4465, CVE-2010-4466, CVE-2010-4467, CVE-2010-4468, CVE-2010-4469, CVE-2010-4470, CVE-2010-4471, CVE-2010-4472, CVE-2010-4473, CVE-2010-4474, CVE-2010-4475 and CVE-2010-4476. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the following names to the security issues fixed in JRE 1.6.0_22: CVE-2010-1321, CVE-2010-3541, CVE-2010-3548, CVE-2010-3549, CVE-2010-3550, CVE-2010-3551, CVE-2010-3552, CVE-2010-3553, CVE-2010-3554, CVE-2010-3555, CVE-2010-3556, CVE-2010-3557, CVE-2010-3558, CVE-2010-3559, CVE-2010-3560, CVE-2010-3561, CVE-2010-3562, CVE-2010-3563, CVE-2010-3565, CVE-2010-3566, CVE-2010-3567, CVE-2010-3568, CVE-2010-3569, CVE-2010-3570, CVE-2010-3571, CVE-2010-3572, CVE-2010-3573 and CVE-2010-3574. Column 4 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available. VMware Product Running Replace with/ Product Version on Apply Patch ============= ======== ======= ================= vCenter 5.0 Windows not affected vCenter 4.1 Windows Update 2 vCenter 4.0 Windows not applicable ** VirtualCenter 2.5 Windows not applicable ** Update Manager 5.0 Windows not affected Update Manager 4.1 Windows not applicable ** Update Manager 4.0 Windows not applicable ** hosted * any any not affected ESXi any ESXi not affected ESX 4.1 ESX ESX410-201110201-SG ESX 4.0 ESX not applicable ** ESX 3.5 ESX not applicable ** ESX 3.0.3 ESX not applicable ** * hosted products are VMware Workstation, Player, ACE, Fusion. ** this product uses the Oracle (Sun) JRE 1.5.0 family e. vCenter Update Manager Oracle (Sun) JRE update 1.5.0_30 Oracle (Sun) JRE is updated to version 1.5.0_30, which addresses multiple security issues that existed in earlier releases of Oracle (Sun) JRE. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the following names to the security issues fixed in Oracle (Sun) JRE 1.5.0_30: CVE-2011-0862, CVE-2011-0873, CVE-2011-0815, CVE-2011-0864, CVE-2011-0802, CVE-2011-0814, CVE-2011-0871, CVE-2011-0867 and CVE-2011-0865. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the following names to the security issues fixed in Oracle (Sun) JRE 1.5.0_28: CVE-2010-4447, CVE-2010-4448, CVE-2010-4450, CVE-2010-4454, CVE-2010-4462, CVE-2010-4465, CVE-2010-4466, CVE-2010-4468, CVE-2010-4469, CVE-2010-4473, CVE-2010-4475, CVE-2010-4476. Column 4 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available. VMware Product Running Replace with/ Product Version on Apply Patch ============= ======== ======= ================= vCenter 5.0 Windows not applicable ** vCenter 4.1 Windows not applicable ** vCenter 4.0 Windows patch pending VirtualCenter 2.5 Windows patch pending Update Manager 5.0 Windows not applicable ** Update Manager 4.1 Windows Update 2 Update Manager 4.0 Windows patch pending hosted * any any not affected ESXi any ESXi not affected ESX 4.1 ESX not applicable ** ESX 4.0 ESX patch pending ESX 3.5 ESX patch pending ESX 3.0.3 ESX affected, no patch planned * hosted products are VMware Workstation, Player, ACE, Fusion. ** this product uses the Oracle (Sun) JRE 1.6.0 family f. Integer overflow in VMware third party component sfcb This release resolves an integer overflow issue present in the third party library SFCB when the httpMaxContentLength has been changed from its default value to 0 in in /etc/sfcb/sfcb.cfg. The integer overflow could allow remote attackers to cause a denial of service (heap memory corruption) or possibly execute arbitrary code via a large integer in the Content-Length HTTP header. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2010-2054 to this issue. Column 4 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available. VMware Product Running Replace with/ Product Version on Apply Patch ========= ======== ======= ================= vCenter any Windows not affected hosted* any any not affected ESXi 5.0 ESXi not affected ESXi 4.1 ESXi ESXi410-201110201-SG ESXi 4.0 ESXi not affected ESXi 3.5 ESXi not affected ESX 4.1 ESX ESX410-201110201-SG ESX 4.0 ESX not affected ESX 3.5 ESX not affected ESX 3.0.3 ESX not affected * hosted products are VMware Workstation, Player, ACE, Fusion. 4. Solution Please review the patch/release notes for your product and version and verify the checksum of your downloaded file. VMware vCenter Server 4.1 ---------------------------------------------- vCenter Server 4.1 Update 2 The download for vCenter Server includes VMware Update Manager. Download link: http://downloads.vmware.com/d/info/datacenter_cloud_infrastructure/vmware_vsphere/4_1 Release Notes: http://downloads.vmware.com/support/pubs/vs_pages/vsp_pubs_esx41_vc41.html https://www.vmware.com/support/pubs/vum_pubs.html File: VMware-VIMSetup-all-4.1.0-493063.iso md5sum: d132326846a85bfc9ebbc53defeee6e1 sha1sum: 192c3e5d2a10bbe53c025cc7eedb3133a23e0541 File: VMware-VIMSetup-all-4.1.0-493063.zip md5sum: 7fd7b09e501bd8fde52649b395491222 sha1sum: 46dd00e7c594ac672a5d7c3c27d15be2f5a5f1f1 File: VMware-viclient-all-4.1.0-491557.exe md5sum: dafd31619ae66da65115ac3900697e3a sha1sum: 98be4d349c9a655621c068d105593be4a8e542ef VMware ESXi 4.1 --------------- VMware ESXi 4.1 Update 2 Download link: http://downloads.vmware.com/d/info/datacenter_cloud_infrastructure/vmware_vsphere/4_1 Release Notes: https://www.vmware.com/support/pubs/vs_pages/vsp_pubs_esxi41_i_vc41.html File: VMware-VMvisor-Installer-4.1.0.update02-502767.x86_64.iso md5sum: 0aa78790a336c5fc6ba3d9807c98bfea sha1sum: 7eebd34ab5bdc81401ae20dcf59a8f8ae22086ce File: upgrade-from-esxi4.0-to-4.1-update02-502767.zip md5sum: 459d9142a885854ef0fa6edd8d6a5677 sha1sum: 75978b6f0fc3b0ccc63babe6a65cfde6ec420d33 File: upgrade-from-ESXi3.5-to-4.1_update02.502767.zip md5sum: 3047fac78a4aaa05cf9528d62fad9d73 sha1sum: dc99b6ff352ace77d5513b4c6d8a2cb7e766a09f File: VMware-tools-linux-8.3.12-493255.iso md5sum: 63028f2bf605d26798ac24525a0e6208 sha1sum: 95ca96eec7817da9d6e0c326ac44d8b050328932 File: VMware-viclient-all-4.1.0-491557.exe md5sum: dafd31619ae66da65115ac3900697e3a sha1sum: 98be4d349c9a655621c068d105593be4a8e542ef VMware ESXi 4.1 Update 2 contains ESXi410-201110201-SG. VMware ESX 4.1 -------------- VMware ESX 4.1 Update 2 Download link: http://downloads.vmware.com/d/info/datacenter_cloud_infrastructure/vmware_vsphere/4_1 Release Notes: http://downloads.vmware.com/support/pubs/vs_pages/vsp_pubs_esx41_vc41.html File: ESX-4.1.0-update02-502767.iso md5sum: 9a2b524446cbd756f0f1c7d8d88077f8 sha1sum: 2824c0628c341357a180b3ab20eb2b7ef1bee61c File: pre-upgrade-from-esx4.0-to-4.1-502767.zip md5sum: 9060ad94d9d3bad7d4fa3e4af69a41cf sha1sum: 9b96ba630377946c42a8ce96f0b5745c56ca46b4 File: upgrade-from-esx4.0-to-4.1-update02-502767.zip md5sum: 4b60f36ee89db8cb7e1243aa02cdb549 sha1sum: 6b9168a1b01379dce7db9d79fd280509e16d013f File: VMware-tools-linux-8.3.12-493255.iso md5sum: 63028f2bf605d26798ac24525a0e6208 sha1sum: 95ca96eec7817da9d6e0c326ac44d8b050328932 File: VMware-viclient-all-4.1.0-491557.exe md5sum: dafd31619ae66da65115ac3900697e3a sha1sum: 98be4d349c9a655621c068d105593be4a8e542ef VMware ESX 4.1 Update 2 contains ESX410-201110204-SG, ESX410-201110206-SG, ESX410-201110201-SG and ESX410-201110214-SG. 5. References CVE numbers http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-7270 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1321 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2054 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3170 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3173 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3541 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3548 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3549 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3550 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3551 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3552 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3553 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3554 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3555 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3556 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3557 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3558 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3559 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3560 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3561 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3562 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3563 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3565 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3566 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3567 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3568 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3569 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3570 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3571 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3572 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3573 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3574 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4180 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4422 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4447 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4447 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4448 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4448 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4450 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4450 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4451 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4452 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4454 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4454 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4462 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4462 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4463 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4465 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4465 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4466 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4466 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4467 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4468 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4468 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4469 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4469 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4470 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4471 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4472 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4473 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4473 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4474 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4475 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4475 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4476 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4476 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0002 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0802 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0814 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0815 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0862 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0864 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0865 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0867 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0871 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0873 - ------------------------------------------------------------------------ 6. Change log 2011-10-27 VMSA-2011-0013 Initial security advisory in conjunction with the release of Update 2 for vCenter Server 4.1, vCenter Update Manager 4.1, vSphere Hypervisor (ESXi) 4.1 and ESX 4.1 on 2011-10-27. - ------------------------------------------------------------------------ 7. Contact E-mail list for product security notifications and announcements: http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce This Security Advisory is posted to the following lists: * security-announce at lists.vmware.com * bugtraq at securityfocus.com * full-disclosure at lists.grok.org.uk E-mail: security at vmware.com PGP key at: http://kb.vmware.com/kb/1055 VMware Security Advisories http://www.vmware.com/security/advisories VMware security response policy http://www.vmware.com/support/policies/security_response.html General support life cycle policy http://www.vmware.com/support/policies/eos.html VMware Infrastructure support life cycle policy http://www.vmware.com/support/policies/eos_vi.html Copyright 2011 VMware Inc. All rights reserved. -----BEGIN PGP SIGNATURE----- Version: GnuPG/MacGPG2 v2.0.17 (Darwin) Comment: GPGTools - http://gpgtools.org Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAk6qRrIACgkQDEcm8Vbi9kPemwCeM4Q4S8aRp8X/8/LQ8NGVdU8l lJkAmweROyq5t0iWwM0EN2iP9ly6trbc =Dm8O -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ . The Tomcat-based Servlet Engine is contained in the HP-UX Apache Web Server Suite. The updates are available for download from http://software.hp.com Note: HP-UX Web Server Suite v3.20 contains HP-UX Tomcat-based Servlet Engine v5.5.34.01 Web Server Suite Version Apache Depot name HP-UX Web Server Suite v.3.20 HP-UX B.11.23 HPUXWS22ATW-B320-64.depot HP-UX B.11.23 HPUXWS22ATW-B320-32.depot HP-UX B.11.31 HPUXWS22ATW-B320-64.depot HP-UX B.11.31 HPUXWS22ATW-B320-32.depot MANUAL ACTIONS: Yes - Update Install HP-UX Web Server Suite v3.20 or subsequent. For other issues about the content of this Security Bulletin, send e-mail to security-alert@hp.com
VAR-201101-0544 No CVE Hitachi JP1/NETM/DM Information Disclosure and Denial of Service Vulnerabilities CVSS V2: -
CVSS V3: -
Severity: -
Hitachi JP1/NETM/DM is prone to a local information-disclosure vulnerability and a denial-of-service vulnerability. Successfully exploiting these issues may allow an attacker to obtain sensitive information or cause the affected application to crash, denying service to legitimate users. ---------------------------------------------------------------------- Secure your corporate defenses and reduce complexity in handling vulnerability threats with the new Secunia Vulnerability Intelligence Manager (VIM). Request a free trial: http://secunia.com/products/corporate/vim/ ---------------------------------------------------------------------- TITLE: Hitachi JP1/NETM/DM Products Two Vulnerabilities SECUNIA ADVISORY ID: SA43140 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/43140/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=43140 RELEASE DATE: 2011-02-01 DISCUSS ADVISORY: http://secunia.com/advisories/43140/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/43140/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=43140 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: Two vulnerabilities have been reported in various Hitachi products, which can be exploited by malicious, local users to potentially gain knowledge of sensitive information and malicious people to cause a DoS (Denial of Service). 1) The permissions for certain files are not properly set, which allows local users to access files that they are not intended to access. 2) An unspecified error can be exploited to cause a DoS. SOLUTION: Update to fixed versions (please see the vendor's advisory for details). PROVIDED AND/OR DISCOVERED BY: Reported by the vendor. ORIGINAL ADVISORY: HS11-001 (Japanese): http://www.hitachi.co.jp/Prod/comp/soft1/security/info/vuls/HS11-001/index.html OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXPLOIT: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------
VAR-201102-0052 CVE-2010-3269 Cisco WRF and ARF Player T27LB Vulnerable to stack-based buffer overflow CVSS V2: 9.3
CVSS V3: -
Severity: HIGH
Multiple stack-based buffer overflows in the Cisco WebEx Recording Format (WRF) and Advanced Recording Format (ARF) Players T27LB before SP21 EP3 and T27LC before SP22 allow remote attackers to execute arbitrary code via a crafted (1) .wrf or (2) .arf file, related to use of a function pointer in a callback mechanism. Cisco WebEx is a web conferencing solution. Cisco WebEx provides record format files for storing WebEX meeting notes, and WRF Player is an application for playing back and editing WRF files (files end with a .wrf extension). This vulnerability can be triggered by publishing a .wrf video file in a conference room: .text:6070C272 loc_6070C272: ; CODE XREF: sub_6070C050+255j.text:6070C272 test esi, esi.text:6070C274 jnz short loc_6070C28F.text:6070C276 push ebx.text :6070C277 call dword ptr [ebp+0Ch] ; call to function pointer on the stack.text:6070C27A add esp, 4.text:6070C27D test al, al.text:6070C27F jz loc_6070C374.text:6070C285 mov edi, [ebp+ 0].text:6070C288 mov esi, [ebp+4].text:6070C28B mov eax, [esp+0D98h+var_D80].text:6070C28F.text:6070C28F loc_6070C28F: ; CODE XREF: sub_6070C050+224j.text:6070C28F mov Cl, [edi] ; cl can be controlled, it is read from the malicious .wrf file.text:6070C291 dec esi.text:6070C292 mov [esp+eax+0D 98h+var_C8C], cl ; this mov overflows the stack with user controlled values.text:6070C299 mov ecx, [esp+0D98h+var_D84].text:6070C29D inc edi.text:6070C29E inc eax.text:6070C29F cmp eax, ecx .text:6070C2A1 mov [esp+0D98h+var_D80], eax.text:6070C2A5 jl short loc_6070C272. Cisco WebEx is prone to multiple remote buffer-overflow vulnerabilities because it fails to perform adequate boundary-checks on user-supplied data. An attacker can exploit these issues to execute arbitrary code with the privileges of the affected application. Failed exploit attempts will result in a denial-of-service condition. The Cisco WebEx Players are applications that are used to play back WebEx meeting recordings that have been recorded on the computer of an on-line meeting attendee. The players can be automatically installed when the user accesses a recording file that is hosted on a WebEx server. The player can also be manually installed for offline playback after downloading the application from www.webex.com If the WebEx recording player was automatically installed, it will be automatically upgraded to the latest, non-vulnerable version when users access a recording file that is hosted on a WebEx server. If the WebEx recording player was manually installed, users will need to manually install a new version of the player after downloading the latest version from www.webex.com Cisco has released free software updates that address these vulnerabilities. Affected Products ================= Vulnerable Products +------------------ The vulnerabilities disclosed in this advisory affect the Cisco WebEx recording players. Microsoft Windows, Apple Mac OS X, and Linux versions of the player are all affected. Affected versions of the players are those prior to client builds T27LC SP22 and T27LB SP21 EP3. Customers who have contractual agreements that prevent WebEx from automatically upgrading a recording player to the latest version should contact their account manager to determine upgrade options. To determine whether a Cisco WebEx server is running an affected version of the WebEx client build, users can log in to their Cisco WebEx server and go to the Support > Downloads section. The version of the WebEx client build will be displayed on the right side of the page under "About Support Center." See "Software Versions and Fixes" for details. Details ======= The WebEx meeting service is a hosted multimedia conferencing solution that is managed and maintained by Cisco WebEx. The WRF and ARF file formats are used to store WebEx meeting recordings that have been recorded on the computer of an on-line meeting attendee. The recording players can be automatically installed when the user accesses a recording file that is hosted on a WebEx server (for stream playback mode). The recording players can also be manually installed after downloading the application from www.webex.com/downloadplayer.html to play back recording files locally (for offline playback mode). Multiple buffer overflow vulnerabilities exist in the WRF and ARF players. The vulnerabilities may lead to a crash of the player application or, in some cases, remote code execution could occur. To exploit one of these vulnerabilities, the player application would need to open a malicious WRF or ARF file. An attacker may be able to accomplish this exploit by providing the malicious recording file directly to users (for example, by using e-mail) or by directing a user to a malicious web page. These vulnerabilities have been assigned the following Common Vulnerabilities and Exposures (CVE) identifiers: * CVE-2010-3269 * CVE-2010-3041 * CVE-2010-3042 * CVE-2010-3043 * CVE-2010-3044 Vulnerability Scoring Details Cisco has provided scores for the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS version 2.0. CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response. Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks. Cisco has provided an FAQ to answer additional questions regarding CVSS at: http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at: http://intellishield.cisco.com/security/alertmanager/cvss * Multiple Cisco WebEx Player Buffer Overflow Vulnerabilities CVSS Base Score - 9.3 Access Vector - Network Access Complexity - Medium Authentication - None Confidentiality Impact - Complete Integrity Impact - Complete Availability Impact - Complete CVSS Temporal Score - 7.7 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed Impact ====== Successful exploitation of the vulnerabilities described in this document could result in a crash of the Cisco WebEx ARF Player or WRF Player application and, in some cases, allow a remote attacker to execute arbitrary code on the system with the privileges of the user who is running the recording player application. Software Versions and Fixes =========================== When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution. These vulnerabilities are first fixed in T27LC SP22 and T27LB SP21 EP3. The client build will be determined after the software is deployed. The client build is listed in the Support > Downloads section of the WebEx page after a user authenticates. WebEx bug fixes are cumulative in a major release. For example, if release 27.22SP.0 is fixed, release 27.22SP.1 will also have the software fix. If a recording player was automatically installed, it will be automatically upgraded to the latest, nonvulnerable version when users access a recording file that is hosted on a WebEx server. If a WebEx recording player was manually installed, users will need to manually install a new version of the player after downloading the latest version from www.webex.com/downloadplayer.html Workarounds =========== There are no workarounds for the vulnerabilities disclosed in this advisory. Obtaining Fixed Software ======================== Cisco has released free software updates that address these vulnerabilities. Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment. Customers may only install and expect support for the feature sets they have purchased. By installing, downloading, accessing or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco's software license terms found at http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html, or as otherwise set forth at Cisco.com Downloads at http://www.cisco.com/public/sw-center/sw-usingswc.shtml Do not contact psirt@cisco.com or security-alert@cisco.com for software upgrades. Exploitation and Public Announcements ===================================== The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerability described in this advisory. Cisco would like to thank these organizations for reporting these vulnerabilities. Status of this Notice: FINAL ============================ THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME. A stand-alone copy or Paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors. Distribution ============ This advisory is posted on Cisco's worldwide website at : http://www.cisco.com/warp/public/707/cisco-sa-20110201-webex.shtml In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients. * cust-security-announce@cisco.com * first-bulletins@lists.first.org * bugtraq@securityfocus.com * vulnwatch@vulnwatch.org * cisco@spot.colorado.edu * cisco-nsp@puck.nether.net * full-disclosure@lists.grok.org.uk * comp.dcom.sys.cisco@newsgate.cisco.com Future updates of this advisory, if any, will be placed on Cisco's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates. Revision History ================ +---------------------------------------+ | Revision | | Initial | | 1.0 | 2011-Feb-01 | public | | | | release. | +---------------------------------------+ Cisco Security Procedures ========================= Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html. This includes instructions for press inquiries regarding Cisco security notices. +-------------------------------------------------------------------- Copyright 2010-2011 Cisco Systems, Inc. All rights reserved. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Core Security Technologies - Corelabs Advisory http://corelabs.coresecurity.com/ Cisco WebEx .atp and .wrf Overflow Vulnerabilities 1. *Advisory Information* Title: Cisco WebEx .atp and .wrf Overflow Vulnerabilities Advisory ID: CORE-2010-1001 Advisory URL: [http://www.coresecurity.com/content/webex-atp-and-wrf-overflow-vulnerabilities] Date published: 2011-01-31 Date of last update: 2011-01-31 Vendors contacted: Cisco Release mode: Coordinated release 2. *Vulnerability Information* Class: Stack-based Buffer Overflow [CWE-121], Stack-based Buffer Overflow [CWE-121] Impact: Code execution Remotely Exploitable: Yes (client-side) Locally Exploitable: No CVE Name: CVE-2010-3269, CVE-2010-3270 Bugtraq ID: N/A 3. *Vulnerability Description* There are stack overflows on WebEx [1] that can be exploited by sending maliciously crafted .atp and .wrf files to a vulnerable WebEx user. When opened, these files trigger a reliably exploitable stack based buffer overflow. In the .atp case an exception handler can be overwritten on the stack, and most registers can be trivially overwritten. 4. *Vulnerable packages* . Contact Cisco for a list of vulnerable versions. 5. *Non-vulnerable packages* . Contact Cisco. 6. *Vendor Information, Solutions and Workarounds* All clients of WebEx Meeting Center should now be running a patched version according to Cisco. A non-vulnerable version of WebEx Player should be available at [http://www.webex.com/downloadplayer.html]. 7. *Credits* These vulnerabilities were discovered and researched by Federico Muttis, Sebastian Tello and Manuel Muradas from Core Security Technologies during Bugweek 2010 as part of the "Cisco Baby Cisco!" team [2]. The publication of this advisory was coordinated by Pedro Varangot. 8. *Technical Description* 8.1. *WebEx Player .wrf Buffer Overflow [CVE-2010-3269]* WebEx Player can be used to playback recordings of WebEx sessions. These recordings can be stored using the .wrf closed and undocumented file format. This vulnerability can also be exploited by publishing a .wrf video file in a meeting, resulting in the compromise of the meeting's participants. *WebEx Meeting Center .atp Buffer Overflow [CVE-2010-3270]* WebEx Meeting Center allows polls to be conducted between all participants of a WebEx session. By serving a specially crafted .atp file (used for conducting polls) the meeting host can then abruptly disconnect from the server, and when another client becomes host and tries to share the .atp file with the other clients arbitrary code execution is possible on his workstation. If his connection to the server is then severed by a malicious payload, the .atp file will be cycled to the next connected client. We developed trivial examples that take control of EIP using arbitrary characters. 9. *Report Timeline* . 2010-10-04: Core Security Technologies contacts Cisco PSIRT using their provided PGP key notifying them of the vulnerabilities and sending an advisory draft, a proof of concept for the WebEx Player vulnerability, and a proof of concept for the Meeting Center vulnerability including details of how to reproduce both vulnerabilities, and details about the behaviour of the PoC for the Player vulnerability on Windows XP SP2 (which overwrites EIP with 0x41414141 on that platform). October 18th 2010 (a two weeks timeframe) is set as a potential release date for the advisory. 2010-10-05: Cisco PSIRT contacts Core stating that their development team is out of the office till Friday October 8th. November 15th 2010 is mentioned as an estimated release date for a fix. 2010-10-05: Core replies to Cisco PSIRT postponing the release date of this advisory for one week, to Monday October 25th, in order to contemplate the fact that Cisco's development team is away from office for the week. Further changes to the release date will be made after receiving technical feedback. November the 15th is mentioned to be a possible date to settle on. 2010-10-11: Cisco PSIRT replies acknowledging "an exception in WebEx player" but that doesn't overwrite EIP as Core Security Technologies indicated. Cisco notifies that they were not able to reproduce the crash in WebEx Meeting Center. Cisco PSIRT also asks for more detailed information about the version of WebEx Player used. 2010-10-12: Core sends the requested information, also attaching new proof of concept exploits for the WebEx Player vulnerability (that now executes code and launches "calc.exe"), and further details about the steps needed to reproduce the WebEx Meeting Center crash. Details about the system where the proof of concept for the WebEx Player vulnerability was run are asked. Details about the "exception" are also asked, specially noting that if other registers are overwritten this should be considered as a vulnerability that would possibly lead to reliable code execution even if EIP was not modified (as noted by Core on the e-mail where the PoC was attached). No reply is received to this e-mail. 2010-10-19: Core resends the previous e-mail asking for news about reproduction of the vulnerability on Cisco's side and asking if there was any problem in the reception or interpretation of the last communication. No reply is received to this e-mail. 2010-10-28: Core Security Technologies resends the last e-mail, unilaterally rescheduling the publication of this advisory to November 8th 2010, which is closer to Cisco's initial estimation for the release of a fix. Core states its willingness to reschedule this publication date but only under firm commitment from Cisco to working seriously towards fixing this issue in a scheduled timeframe. An updated advisory draft is attached which includes an updated timeline. 2010-10-30: Cisco PSIRT replies acknowledging the vulnerability, stating that they were able to reproduce code execution results in the currently released version of WebEx, and a crash in their current development version. Cisco also states that there is not information yet from their development team about when a fix for this vulnerability will be released. 2010-11-09: Core replies offering more technical details about exploitation if they are needed, and reminding Cisco that the crash in their development version may also be exploitable even if the current proof of concept exploit only crashes it. The publication date for this advisory is rescheduled to November 22nd 2010. Core states that they will like to schedule a firm date for the release of information about this vulnerability to the public and hence would like to get more information from Cisco about the schedule for the release of a fix. 2010-11-15: Cisco states that fixed code will be deployed in mid-December, but since WebEx Meeting Center runs on a SaaS environment it takes about four or five weeks for all clients to be running the latest version of the code. 2010-12-06: Cisco contacts Core since no reply was received in the past two weeks, and clarifies that a fix will be deployed on December 15th and should be done on January 11th 2011. 2010-12-06: Core states that they believe this advisory should be released as soon as the fix is deployed, since diffing the WebEx binary on the client side gives full details about the WebEx Meeting Center vulnerability to an average skilled reverse engineer. Core schedules the publication of this advisory to December 15th 2010. 2010-12-07: Cisco contacts Core stating that releasing details about this vulnerability would endanger customers, since there is no action they can take to protect themselves because the responsibility of upgrading the code ran by the customer falls on Cisco. Cisco mentions that "many of these customers are probably shared between Cisco and Core Security". 2010-12-10: Cisco contacts Core stating that they have just discovered the WebEx Meeting Center Vulnerability affects a new set of customers that where not accounted for originally. These are customers running T27SP21 that can not be upgraded to SP22. An emergency patch will be released for SP21 in January 2011, and this sets back the date when all clients should be running an updated version to the "end of January, beginning of February." . 2010-12-14: Core proposes to split this advisory into two different advisories to better accommodate the WebEx Meeting Center SaaS release cycle. On one advisory, the .wrf client side vulnerability would be described, and the other would be dedicated to the WebEx Meeting Center vulnerability that may compromise a meeting's host computer. Core believes this mitigates the risk in a more effective way, since clients can update WebEx Player by themselves on December 15th (the date when Cisco stated the fixed version would be released) and no details of the Meeting Center vulnerability would be released until all clients are running an updated version. 2010-12-15: Cisco states they wouldn't like the advisory to be splitted, and that they prefer Core Security Technologies to go ahead and release information about both vulnerabilities. 2010-12-15: Core states that they prefer to release two advisories because these are two different bugs, in two pieces of software, each one of them with a differently working update channel determined by the vendor. Core also informs Cisco that the download link for WebEx Player points to a vulnerable version as of today, and asks Cisco to clarify what date they meant as mid-December, since Core would like to know when a fixed version of WebEx Player will be available for download to be able to publish the WebEx Player vulnerability. 2010-12-16: Cisco replies saying that releasing two advisories seems like a good plan to them. Cisco also states that since many of their customers observe a lockdown policy during the holidays season, they take a "don't upgrade" policy of their own until Monday January 10th, 2011. That is the reason why the download link of WebEx Player has not been changed yet. 2011-01-10: Core states that they are ready to release this advisory on January 11th, and that releasing two separate advisories seems pointless now because the release date of both would be very similar, and the original idea was to mitigate the risk posed by the .wrf vulnerability. Core also states that they are reviewing the best course of action to take with the issue regarding clients running the old version of WebEx (T27SP21) that according to Cisco are unable to upgrade to SP22 since this was not accounted for previously. 2011-01-13: Core states that since they have committed previously to release the advisory taking into account Cisco's consideration about their SaaS patch deploy model, when factoring the issue of clients running the SP21 version of Meeting Center scheduled by Cisco for emergency update on January, a release date of January the 31st seems reasonable. This date should be taken as final and Core Security Technologies believes it takes into account all information given by Cisco about SaaS updating timeframes. If this is not the case Cisco is asked to rectify ASAP. 2011-01-14: Cisco confirms that the timeframe (publishing both vulnerabilities on January 31st) works for them. 2011-01-31: The advisory CORE-2010-1001 is published. 10. *References* [1] [http://www.webex.com/] [2] [http://corelabs.coresecurity.com/index.php?module=Wiki&action=view&type=project&name=Bugweek] 11. *About CoreLabs* CoreLabs, the research center of Core Security Technologies, is charged with anticipating the future needs and requirements for information security technologies. We conduct our research in several important areas of computer security including system vulnerabilities, cyber attack planning and simulation, source code auditing, and cryptography. Our results include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies. CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use at: [http://corelabs.coresecurity.com]. 12. *About Core Security Technologies* Core Security Technologies develops strategic solutions that help security-conscious organizations worldwide develop and maintain a proactive process for securing their networks. The company's flagship product, CORE IMPACT, is the most comprehensive product for performing enterprise security assurance testing. CORE IMPACT evaluates network, endpoint and end-user vulnerabilities and identifies what resources are exposed. It enables organizations to determine if current security investments are detecting and preventing attacks. Core Security Technologies augments its leading technology solution with world-class security consulting services, including penetration testing and software security auditing. Based in Boston, MA and Buenos Aires, Argentina, Core Security Technologies can be reached at 617-399-6980 or on the Web at [http://www.coresecurity.com]. 13. *Disclaimer* The contents of this advisory are copyright (c) 2011 Core Security Technologies and (c) 2011 CoreLabs, and are licensed under a Creative Commons Attribution Non-Commercial Share-Alike 3.0 (United States) License: [http://creativecommons.org/licenses/by-nc-sa/3.0/us/] 14. *PGP/GPG Keys* This advisory has been signed with the GPG key of Core Security Technologies advisories team, which is available for download at [http://www.coresecurity.com/files/attachments/core_security_advisories.asc]. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (MingW32) iEYEARECAAYFAk1HJwcACgkQyNibggitWa13VwCfVg6jVkuv3PhqmhNqZFIQO7CB L1YAni1ONdRqEYczbkvki9r0Y7nr9cIQ =9HdA -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
VAR-201102-0307 CVE-2010-3041 Cisco WRF and ARF Player T27LB Vulnerable to buffer overflow CVSS V2: 9.3
CVSS V3: -
Severity: HIGH
Multiple buffer overflows in the Cisco WebEx Recording Format (WRF) and Advanced Recording Format (ARF) Players T27LB before SP21 EP3 and T27LC before SP22 allow remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted (1) .wrf or (2) .arf file, related to atas32.dll, a different vulnerability than CVE-2010-3042, CVE-2010-3043, and CVE-2010-3044. Cisco WebEx is prone to multiple remote buffer-overflow vulnerabilities because it fails to perform adequate boundary-checks on user-supplied data. Failed exploit attempts will result in a denial-of-service condition. The Cisco WebEx Players are applications that are used to play back WebEx meeting recordings that have been recorded on the computer of an on-line meeting attendee. The players can be automatically installed when the user accesses a recording file that is hosted on a WebEx server. The player can also be manually installed for offline playback after downloading the application from www.webex.com If the WebEx recording player was automatically installed, it will be automatically upgraded to the latest, non-vulnerable version when users access a recording file that is hosted on a WebEx server. If the WebEx recording player was manually installed, users will need to manually install a new version of the player after downloading the latest version from www.webex.com Cisco has released free software updates that address these vulnerabilities. This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20110201-webex.shtml. Affected Products ================= Vulnerable Products +------------------ The vulnerabilities disclosed in this advisory affect the Cisco WebEx recording players. Microsoft Windows, Apple Mac OS X, and Linux versions of the player are all affected. Affected versions of the players are those prior to client builds T27LC SP22 and T27LB SP21 EP3. Customers who have contractual agreements that prevent WebEx from automatically upgrading a recording player to the latest version should contact their account manager to determine upgrade options. To determine whether a Cisco WebEx server is running an affected version of the WebEx client build, users can log in to their Cisco WebEx server and go to the Support > Downloads section. The version of the WebEx client build will be displayed on the right side of the page under "About Support Center." See "Software Versions and Fixes" for details. Cisco recommends that users upgrade to the most current version of the player that is available from www.webex.com/downloadplayer.html Products Confirmed Not Vulnerable +-------------------------------- No other Cisco products are currently known to be affected by these vulnerabilities. Details ======= The WebEx meeting service is a hosted multimedia conferencing solution that is managed and maintained by Cisco WebEx. The WRF and ARF file formats are used to store WebEx meeting recordings that have been recorded on the computer of an on-line meeting attendee. The players are applications that are used to play back and edit recording files (files with .wrf and .arf extensions). The recording players can be automatically installed when the user accesses a recording file that is hosted on a WebEx server (for stream playback mode). The recording players can also be manually installed after downloading the application from www.webex.com/downloadplayer.html to play back recording files locally (for offline playback mode). Multiple buffer overflow vulnerabilities exist in the WRF and ARF players. The vulnerabilities may lead to a crash of the player application or, in some cases, remote code execution could occur. To exploit one of these vulnerabilities, the player application would need to open a malicious WRF or ARF file. An attacker may be able to accomplish this exploit by providing the malicious recording file directly to users (for example, by using e-mail) or by directing a user to a malicious web page. The vulnerability cannot be triggered by users who are attending a WebEx meeting. These vulnerabilities have been assigned the following Common Vulnerabilities and Exposures (CVE) identifiers: * CVE-2010-3269 * CVE-2010-3041 * CVE-2010-3042 * CVE-2010-3043 * CVE-2010-3044 Vulnerability Scoring Details Cisco has provided scores for the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS version 2.0. CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response. Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks. Cisco has provided an FAQ to answer additional questions regarding CVSS at: http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at: http://intellishield.cisco.com/security/alertmanager/cvss * Multiple Cisco WebEx Player Buffer Overflow Vulnerabilities CVSS Base Score - 9.3 Access Vector - Network Access Complexity - Medium Authentication - None Confidentiality Impact - Complete Integrity Impact - Complete Availability Impact - Complete CVSS Temporal Score - 7.7 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed Impact ====== Successful exploitation of the vulnerabilities described in this document could result in a crash of the Cisco WebEx ARF Player or WRF Player application and, in some cases, allow a remote attacker to execute arbitrary code on the system with the privileges of the user who is running the recording player application. Software Versions and Fixes =========================== When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution. These vulnerabilities are first fixed in T27LC SP22 and T27LB SP21 EP3. For customers who are running T27LC SP22, the client build will be represented as 27.22SP.0.9253. The fix for customers who are running T27LB SP21 will be deployed by WebEx over the next few weeks. The client build will be determined after the software is deployed. The client build is listed in the Support > Downloads section of the WebEx page after a user authenticates. WebEx bug fixes are cumulative in a major release. For example, if release 27.22SP.0 is fixed, release 27.22SP.1 will also have the software fix. If a recording player was automatically installed, it will be automatically upgraded to the latest, nonvulnerable version when users access a recording file that is hosted on a WebEx server. If a WebEx recording player was manually installed, users will need to manually install a new version of the player after downloading the latest version from www.webex.com/downloadplayer.html Workarounds =========== There are no workarounds for the vulnerabilities disclosed in this advisory. Obtaining Fixed Software ======================== Cisco has released free software updates that address these vulnerabilities. Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment. Customers may only install and expect support for the feature sets they have purchased. By installing, downloading, accessing or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco's software license terms found at http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html, or as otherwise set forth at Cisco.com Downloads at http://www.cisco.com/public/sw-center/sw-usingswc.shtml Do not contact psirt@cisco.com or security-alert@cisco.com for software upgrades. Exploitation and Public Announcements ===================================== The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerability described in this advisory. These vulnerabilities were either found during internal testing or reported to Cisco by a variety of sources, including Core Security, TippingPoint, and Fortinet's FortiGuard Labs. Cisco would like to thank these organizations for reporting these vulnerabilities. Status of this Notice: FINAL ============================ THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME. A stand-alone copy or Paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors. Distribution ============ This advisory is posted on Cisco's worldwide website at : http://www.cisco.com/warp/public/707/cisco-sa-20110201-webex.shtml In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients. * cust-security-announce@cisco.com * first-bulletins@lists.first.org * bugtraq@securityfocus.com * vulnwatch@vulnwatch.org * cisco@spot.colorado.edu * cisco-nsp@puck.nether.net * full-disclosure@lists.grok.org.uk * comp.dcom.sys.cisco@newsgate.cisco.com Future updates of this advisory, if any, will be placed on Cisco's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates. Revision History ================ +---------------------------------------+ | Revision | | Initial | | 1.0 | 2011-Feb-01 | public | | | | release. | +---------------------------------------+ Cisco Security Procedures ========================= Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html. This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at http://www.cisco.com/go/psirt. +-------------------------------------------------------------------- Copyright 2010-2011 Cisco Systems, Inc. All rights reserved. +-------------------------------------------------------------------- -----BEGIN PGP SIGNATURE----- Version: GnuPG/MacGPG2 v2.0.14 (Darwin) iF4EAREIAAYFAk1IQjoACgkQQXnnBKKRMNCpdQEAg/vWtP38VKH2ZDeL9QMQfx6E M8nIZdeL2XGonJpT60IA/0APzTbZPE+9rWTi1Z0lJqIgCjHls3jo+sGQWSPvxxkS =Ur/Y -----END PGP SIGNATURE-----
VAR-201102-0310 CVE-2010-3044 Cisco WRF and ARF Player T27LB Vulnerable to buffer overflow CVSS V2: 9.3
CVSS V3: -
Severity: HIGH
Multiple buffer overflows in the Cisco WebEx Recording Format (WRF) and Advanced Recording Format (ARF) Players T27LB before SP21 EP3 and T27LC before SP22 allow remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted (1) .wrf or (2) .arf file, related to atas32.dll, a different vulnerability than CVE-2010-3041, CVE-2010-3042, and CVE-2010-3043. Cisco WebEx is prone to multiple remote buffer-overflow vulnerabilities because it fails to perform adequate boundary-checks on user-supplied data. Failed exploit attempts will result in a denial-of-service condition. The Cisco WebEx Players are applications that are used to play back WebEx meeting recordings that have been recorded on the computer of an on-line meeting attendee. The players can be automatically installed when the user accesses a recording file that is hosted on a WebEx server. The player can also be manually installed for offline playback after downloading the application from www.webex.com If the WebEx recording player was automatically installed, it will be automatically upgraded to the latest, non-vulnerable version when users access a recording file that is hosted on a WebEx server. If the WebEx recording player was manually installed, users will need to manually install a new version of the player after downloading the latest version from www.webex.com Cisco has released free software updates that address these vulnerabilities. This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20110201-webex.shtml. Affected Products ================= Vulnerable Products +------------------ The vulnerabilities disclosed in this advisory affect the Cisco WebEx recording players. Microsoft Windows, Apple Mac OS X, and Linux versions of the player are all affected. Affected versions of the players are those prior to client builds T27LC SP22 and T27LB SP21 EP3. Customers who have contractual agreements that prevent WebEx from automatically upgrading a recording player to the latest version should contact their account manager to determine upgrade options. To determine whether a Cisco WebEx server is running an affected version of the WebEx client build, users can log in to their Cisco WebEx server and go to the Support > Downloads section. The version of the WebEx client build will be displayed on the right side of the page under "About Support Center." See "Software Versions and Fixes" for details. Cisco recommends that users upgrade to the most current version of the player that is available from www.webex.com/downloadplayer.html Products Confirmed Not Vulnerable +-------------------------------- No other Cisco products are currently known to be affected by these vulnerabilities. Details ======= The WebEx meeting service is a hosted multimedia conferencing solution that is managed and maintained by Cisco WebEx. The WRF and ARF file formats are used to store WebEx meeting recordings that have been recorded on the computer of an on-line meeting attendee. The players are applications that are used to play back and edit recording files (files with .wrf and .arf extensions). The recording players can be automatically installed when the user accesses a recording file that is hosted on a WebEx server (for stream playback mode). The recording players can also be manually installed after downloading the application from www.webex.com/downloadplayer.html to play back recording files locally (for offline playback mode). Multiple buffer overflow vulnerabilities exist in the WRF and ARF players. The vulnerabilities may lead to a crash of the player application or, in some cases, remote code execution could occur. To exploit one of these vulnerabilities, the player application would need to open a malicious WRF or ARF file. An attacker may be able to accomplish this exploit by providing the malicious recording file directly to users (for example, by using e-mail) or by directing a user to a malicious web page. The vulnerability cannot be triggered by users who are attending a WebEx meeting. These vulnerabilities have been assigned the following Common Vulnerabilities and Exposures (CVE) identifiers: * CVE-2010-3269 * CVE-2010-3041 * CVE-2010-3042 * CVE-2010-3043 * CVE-2010-3044 Vulnerability Scoring Details Cisco has provided scores for the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS version 2.0. CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response. Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks. Cisco has provided an FAQ to answer additional questions regarding CVSS at: http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at: http://intellishield.cisco.com/security/alertmanager/cvss * Multiple Cisco WebEx Player Buffer Overflow Vulnerabilities CVSS Base Score - 9.3 Access Vector - Network Access Complexity - Medium Authentication - None Confidentiality Impact - Complete Integrity Impact - Complete Availability Impact - Complete CVSS Temporal Score - 7.7 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed Impact ====== Successful exploitation of the vulnerabilities described in this document could result in a crash of the Cisco WebEx ARF Player or WRF Player application and, in some cases, allow a remote attacker to execute arbitrary code on the system with the privileges of the user who is running the recording player application. Software Versions and Fixes =========================== When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution. These vulnerabilities are first fixed in T27LC SP22 and T27LB SP21 EP3. For customers who are running T27LC SP22, the client build will be represented as 27.22SP.0.9253. The fix for customers who are running T27LB SP21 will be deployed by WebEx over the next few weeks. The client build will be determined after the software is deployed. The client build is listed in the Support > Downloads section of the WebEx page after a user authenticates. WebEx bug fixes are cumulative in a major release. For example, if release 27.22SP.0 is fixed, release 27.22SP.1 will also have the software fix. If a recording player was automatically installed, it will be automatically upgraded to the latest, nonvulnerable version when users access a recording file that is hosted on a WebEx server. If a WebEx recording player was manually installed, users will need to manually install a new version of the player after downloading the latest version from www.webex.com/downloadplayer.html Workarounds =========== There are no workarounds for the vulnerabilities disclosed in this advisory. Obtaining Fixed Software ======================== Cisco has released free software updates that address these vulnerabilities. Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment. Customers may only install and expect support for the feature sets they have purchased. By installing, downloading, accessing or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco's software license terms found at http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html, or as otherwise set forth at Cisco.com Downloads at http://www.cisco.com/public/sw-center/sw-usingswc.shtml Do not contact psirt@cisco.com or security-alert@cisco.com for software upgrades. Exploitation and Public Announcements ===================================== The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerability described in this advisory. These vulnerabilities were either found during internal testing or reported to Cisco by a variety of sources, including Core Security, TippingPoint, and Fortinet's FortiGuard Labs. Cisco would like to thank these organizations for reporting these vulnerabilities. Status of this Notice: FINAL ============================ THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME. A stand-alone copy or Paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors. Distribution ============ This advisory is posted on Cisco's worldwide website at : http://www.cisco.com/warp/public/707/cisco-sa-20110201-webex.shtml In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients. * cust-security-announce@cisco.com * first-bulletins@lists.first.org * bugtraq@securityfocus.com * vulnwatch@vulnwatch.org * cisco@spot.colorado.edu * cisco-nsp@puck.nether.net * full-disclosure@lists.grok.org.uk * comp.dcom.sys.cisco@newsgate.cisco.com Future updates of this advisory, if any, will be placed on Cisco's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates. Revision History ================ +---------------------------------------+ | Revision | | Initial | | 1.0 | 2011-Feb-01 | public | | | | release. | +---------------------------------------+ Cisco Security Procedures ========================= Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html. This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at http://www.cisco.com/go/psirt. +-------------------------------------------------------------------- Copyright 2010-2011 Cisco Systems, Inc. All rights reserved. +-------------------------------------------------------------------- -----BEGIN PGP SIGNATURE----- Version: GnuPG/MacGPG2 v2.0.14 (Darwin) iF4EAREIAAYFAk1IQjoACgkQQXnnBKKRMNCpdQEAg/vWtP38VKH2ZDeL9QMQfx6E M8nIZdeL2XGonJpT60IA/0APzTbZPE+9rWTi1Z0lJqIgCjHls3jo+sGQWSPvxxkS =Ur/Y -----END PGP SIGNATURE-----
VAR-201102-0308 CVE-2010-3042 Cisco WRF and ARF Player T27LB Vulnerable to buffer overflow CVSS V2: 9.3
CVSS V3: -
Severity: HIGH
Multiple buffer overflows in the Cisco WebEx Recording Format (WRF) and Advanced Recording Format (ARF) Players T27LB before SP21 EP3 and T27LC before SP22 allow remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted (1) .wrf or (2) .arf file, a different vulnerability than CVE-2010-3041, CVE-2010-3043, and CVE-2010-3044. Cisco WebEx is prone to multiple remote buffer-overflow vulnerabilities because it fails to perform adequate boundary-checks on user-supplied data. Failed exploit attempts will result in a denial-of-service condition. The Cisco WebEx Players are applications that are used to play back WebEx meeting recordings that have been recorded on the computer of an on-line meeting attendee. The players can be automatically installed when the user accesses a recording file that is hosted on a WebEx server. The player can also be manually installed for offline playback after downloading the application from www.webex.com If the WebEx recording player was automatically installed, it will be automatically upgraded to the latest, non-vulnerable version when users access a recording file that is hosted on a WebEx server. If the WebEx recording player was manually installed, users will need to manually install a new version of the player after downloading the latest version from www.webex.com Cisco has released free software updates that address these vulnerabilities. This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20110201-webex.shtml. Affected Products ================= Vulnerable Products +------------------ The vulnerabilities disclosed in this advisory affect the Cisco WebEx recording players. Microsoft Windows, Apple Mac OS X, and Linux versions of the player are all affected. Affected versions of the players are those prior to client builds T27LC SP22 and T27LB SP21 EP3. Customers who have contractual agreements that prevent WebEx from automatically upgrading a recording player to the latest version should contact their account manager to determine upgrade options. To determine whether a Cisco WebEx server is running an affected version of the WebEx client build, users can log in to their Cisco WebEx server and go to the Support > Downloads section. The version of the WebEx client build will be displayed on the right side of the page under "About Support Center." See "Software Versions and Fixes" for details. Cisco recommends that users upgrade to the most current version of the player that is available from www.webex.com/downloadplayer.html Products Confirmed Not Vulnerable +-------------------------------- No other Cisco products are currently known to be affected by these vulnerabilities. Details ======= The WebEx meeting service is a hosted multimedia conferencing solution that is managed and maintained by Cisco WebEx. The WRF and ARF file formats are used to store WebEx meeting recordings that have been recorded on the computer of an on-line meeting attendee. The players are applications that are used to play back and edit recording files (files with .wrf and .arf extensions). The recording players can be automatically installed when the user accesses a recording file that is hosted on a WebEx server (for stream playback mode). The recording players can also be manually installed after downloading the application from www.webex.com/downloadplayer.html to play back recording files locally (for offline playback mode). Multiple buffer overflow vulnerabilities exist in the WRF and ARF players. The vulnerabilities may lead to a crash of the player application or, in some cases, remote code execution could occur. To exploit one of these vulnerabilities, the player application would need to open a malicious WRF or ARF file. An attacker may be able to accomplish this exploit by providing the malicious recording file directly to users (for example, by using e-mail) or by directing a user to a malicious web page. The vulnerability cannot be triggered by users who are attending a WebEx meeting. These vulnerabilities have been assigned the following Common Vulnerabilities and Exposures (CVE) identifiers: * CVE-2010-3269 * CVE-2010-3041 * CVE-2010-3042 * CVE-2010-3043 * CVE-2010-3044 Vulnerability Scoring Details Cisco has provided scores for the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS version 2.0. CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response. Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks. Cisco has provided an FAQ to answer additional questions regarding CVSS at: http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at: http://intellishield.cisco.com/security/alertmanager/cvss * Multiple Cisco WebEx Player Buffer Overflow Vulnerabilities CVSS Base Score - 9.3 Access Vector - Network Access Complexity - Medium Authentication - None Confidentiality Impact - Complete Integrity Impact - Complete Availability Impact - Complete CVSS Temporal Score - 7.7 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed Impact ====== Successful exploitation of the vulnerabilities described in this document could result in a crash of the Cisco WebEx ARF Player or WRF Player application and, in some cases, allow a remote attacker to execute arbitrary code on the system with the privileges of the user who is running the recording player application. Software Versions and Fixes =========================== When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution. These vulnerabilities are first fixed in T27LC SP22 and T27LB SP21 EP3. For customers who are running T27LC SP22, the client build will be represented as 27.22SP.0.9253. The fix for customers who are running T27LB SP21 will be deployed by WebEx over the next few weeks. The client build will be determined after the software is deployed. The client build is listed in the Support > Downloads section of the WebEx page after a user authenticates. WebEx bug fixes are cumulative in a major release. For example, if release 27.22SP.0 is fixed, release 27.22SP.1 will also have the software fix. If a recording player was automatically installed, it will be automatically upgraded to the latest, nonvulnerable version when users access a recording file that is hosted on a WebEx server. If a WebEx recording player was manually installed, users will need to manually install a new version of the player after downloading the latest version from www.webex.com/downloadplayer.html Workarounds =========== There are no workarounds for the vulnerabilities disclosed in this advisory. Obtaining Fixed Software ======================== Cisco has released free software updates that address these vulnerabilities. Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment. Customers may only install and expect support for the feature sets they have purchased. By installing, downloading, accessing or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco's software license terms found at http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html, or as otherwise set forth at Cisco.com Downloads at http://www.cisco.com/public/sw-center/sw-usingswc.shtml Do not contact psirt@cisco.com or security-alert@cisco.com for software upgrades. Exploitation and Public Announcements ===================================== The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerability described in this advisory. These vulnerabilities were either found during internal testing or reported to Cisco by a variety of sources, including Core Security, TippingPoint, and Fortinet's FortiGuard Labs. Cisco would like to thank these organizations for reporting these vulnerabilities. Status of this Notice: FINAL ============================ THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME. A stand-alone copy or Paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors. Distribution ============ This advisory is posted on Cisco's worldwide website at : http://www.cisco.com/warp/public/707/cisco-sa-20110201-webex.shtml In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients. * cust-security-announce@cisco.com * first-bulletins@lists.first.org * bugtraq@securityfocus.com * vulnwatch@vulnwatch.org * cisco@spot.colorado.edu * cisco-nsp@puck.nether.net * full-disclosure@lists.grok.org.uk * comp.dcom.sys.cisco@newsgate.cisco.com Future updates of this advisory, if any, will be placed on Cisco's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates. Revision History ================ +---------------------------------------+ | Revision | | Initial | | 1.0 | 2011-Feb-01 | public | | | | release. | +---------------------------------------+ Cisco Security Procedures ========================= Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html. This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at http://www.cisco.com/go/psirt. +-------------------------------------------------------------------- Copyright 2010-2011 Cisco Systems, Inc. All rights reserved. +-------------------------------------------------------------------- -----BEGIN PGP SIGNATURE----- Version: GnuPG/MacGPG2 v2.0.14 (Darwin) iF4EAREIAAYFAk1IQjoACgkQQXnnBKKRMNCpdQEAg/vWtP38VKH2ZDeL9QMQfx6E M8nIZdeL2XGonJpT60IA/0APzTbZPE+9rWTi1Z0lJqIgCjHls3jo+sGQWSPvxxkS =Ur/Y -----END PGP SIGNATURE-----
VAR-201102-0309 CVE-2010-3043 Cisco WRF and ARF Player T27LB Vulnerable to buffer overflow CVSS V2: 9.3
CVSS V3: -
Severity: HIGH
Multiple buffer overflows in the Cisco WebEx Recording Format (WRF) and Advanced Recording Format (ARF) Players T27LB before SP21 EP3 and T27LC before SP22 allow remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted (1) .wrf or (2) .arf file, a different vulnerability than CVE-2010-3041, CVE-2010-3042, and CVE-2010-3044. Cisco WebEx is prone to multiple remote buffer-overflow vulnerabilities because it fails to perform adequate boundary-checks on user-supplied data. Failed exploit attempts will result in a denial-of-service condition. The Cisco WebEx Players are applications that are used to play back WebEx meeting recordings that have been recorded on the computer of an on-line meeting attendee. The players can be automatically installed when the user accesses a recording file that is hosted on a WebEx server. The player can also be manually installed for offline playback after downloading the application from www.webex.com If the WebEx recording player was automatically installed, it will be automatically upgraded to the latest, non-vulnerable version when users access a recording file that is hosted on a WebEx server. If the WebEx recording player was manually installed, users will need to manually install a new version of the player after downloading the latest version from www.webex.com Cisco has released free software updates that address these vulnerabilities. This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20110201-webex.shtml. Affected Products ================= Vulnerable Products +------------------ The vulnerabilities disclosed in this advisory affect the Cisco WebEx recording players. Microsoft Windows, Apple Mac OS X, and Linux versions of the player are all affected. Affected versions of the players are those prior to client builds T27LC SP22 and T27LB SP21 EP3. Customers who have contractual agreements that prevent WebEx from automatically upgrading a recording player to the latest version should contact their account manager to determine upgrade options. To determine whether a Cisco WebEx server is running an affected version of the WebEx client build, users can log in to their Cisco WebEx server and go to the Support > Downloads section. The version of the WebEx client build will be displayed on the right side of the page under "About Support Center." See "Software Versions and Fixes" for details. Cisco recommends that users upgrade to the most current version of the player that is available from www.webex.com/downloadplayer.html Products Confirmed Not Vulnerable +-------------------------------- No other Cisco products are currently known to be affected by these vulnerabilities. Details ======= The WebEx meeting service is a hosted multimedia conferencing solution that is managed and maintained by Cisco WebEx. The WRF and ARF file formats are used to store WebEx meeting recordings that have been recorded on the computer of an on-line meeting attendee. The players are applications that are used to play back and edit recording files (files with .wrf and .arf extensions). The recording players can be automatically installed when the user accesses a recording file that is hosted on a WebEx server (for stream playback mode). The recording players can also be manually installed after downloading the application from www.webex.com/downloadplayer.html to play back recording files locally (for offline playback mode). Multiple buffer overflow vulnerabilities exist in the WRF and ARF players. The vulnerabilities may lead to a crash of the player application or, in some cases, remote code execution could occur. To exploit one of these vulnerabilities, the player application would need to open a malicious WRF or ARF file. An attacker may be able to accomplish this exploit by providing the malicious recording file directly to users (for example, by using e-mail) or by directing a user to a malicious web page. The vulnerability cannot be triggered by users who are attending a WebEx meeting. These vulnerabilities have been assigned the following Common Vulnerabilities and Exposures (CVE) identifiers: * CVE-2010-3269 * CVE-2010-3041 * CVE-2010-3042 * CVE-2010-3043 * CVE-2010-3044 Vulnerability Scoring Details Cisco has provided scores for the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS version 2.0. CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response. Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks. Cisco has provided an FAQ to answer additional questions regarding CVSS at: http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at: http://intellishield.cisco.com/security/alertmanager/cvss * Multiple Cisco WebEx Player Buffer Overflow Vulnerabilities CVSS Base Score - 9.3 Access Vector - Network Access Complexity - Medium Authentication - None Confidentiality Impact - Complete Integrity Impact - Complete Availability Impact - Complete CVSS Temporal Score - 7.7 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed Impact ====== Successful exploitation of the vulnerabilities described in this document could result in a crash of the Cisco WebEx ARF Player or WRF Player application and, in some cases, allow a remote attacker to execute arbitrary code on the system with the privileges of the user who is running the recording player application. Software Versions and Fixes =========================== When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution. These vulnerabilities are first fixed in T27LC SP22 and T27LB SP21 EP3. For customers who are running T27LC SP22, the client build will be represented as 27.22SP.0.9253. The fix for customers who are running T27LB SP21 will be deployed by WebEx over the next few weeks. The client build will be determined after the software is deployed. The client build is listed in the Support > Downloads section of the WebEx page after a user authenticates. WebEx bug fixes are cumulative in a major release. For example, if release 27.22SP.0 is fixed, release 27.22SP.1 will also have the software fix. If a recording player was automatically installed, it will be automatically upgraded to the latest, nonvulnerable version when users access a recording file that is hosted on a WebEx server. If a WebEx recording player was manually installed, users will need to manually install a new version of the player after downloading the latest version from www.webex.com/downloadplayer.html Workarounds =========== There are no workarounds for the vulnerabilities disclosed in this advisory. Obtaining Fixed Software ======================== Cisco has released free software updates that address these vulnerabilities. Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment. Customers may only install and expect support for the feature sets they have purchased. By installing, downloading, accessing or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco's software license terms found at http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html, or as otherwise set forth at Cisco.com Downloads at http://www.cisco.com/public/sw-center/sw-usingswc.shtml Do not contact psirt@cisco.com or security-alert@cisco.com for software upgrades. Exploitation and Public Announcements ===================================== The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerability described in this advisory. These vulnerabilities were either found during internal testing or reported to Cisco by a variety of sources, including Core Security, TippingPoint, and Fortinet's FortiGuard Labs. Cisco would like to thank these organizations for reporting these vulnerabilities. Status of this Notice: FINAL ============================ THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME. A stand-alone copy or Paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors. Distribution ============ This advisory is posted on Cisco's worldwide website at : http://www.cisco.com/warp/public/707/cisco-sa-20110201-webex.shtml In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients. * cust-security-announce@cisco.com * first-bulletins@lists.first.org * bugtraq@securityfocus.com * vulnwatch@vulnwatch.org * cisco@spot.colorado.edu * cisco-nsp@puck.nether.net * full-disclosure@lists.grok.org.uk * comp.dcom.sys.cisco@newsgate.cisco.com Future updates of this advisory, if any, will be placed on Cisco's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates. Revision History ================ +---------------------------------------+ | Revision | | Initial | | 1.0 | 2011-Feb-01 | public | | | | release. | +---------------------------------------+ Cisco Security Procedures ========================= Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html. This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at http://www.cisco.com/go/psirt. +-------------------------------------------------------------------- Copyright 2010-2011 Cisco Systems, Inc. All rights reserved. +-------------------------------------------------------------------- -----BEGIN PGP SIGNATURE----- Version: GnuPG/MacGPG2 v2.0.14 (Darwin) iF4EAREIAAYFAk1IQjoACgkQQXnnBKKRMNCpdQEAg/vWtP38VKH2ZDeL9QMQfx6E M8nIZdeL2XGonJpT60IA/0APzTbZPE+9rWTi1Z0lJqIgCjHls3jo+sGQWSPvxxkS =Ur/Y -----END PGP SIGNATURE-----
VAR-201102-0053 CVE-2010-3270 Cisco WebEx ATP File Remote Stack Buffer Overflow Vulnerability CVSS V2: 6.8
CVSS V3: -
Severity: MEDIUM
Stack-based buffer overflow in Cisco WebEx Meeting Center T27LB before SP21 EP3 and T27LC before SP22 allows user-assisted remote authenticated users to execute arbitrary code by providing a crafted .atp file and then disconnecting from a meeting. NOTE: since this is a site-specific issue with no expected action for consumers, it might be REJECTed. Since this site has been identified, no general user action is required. Cisco WebEx is a web conferencing solution. There is a stack overflow in the .atp file format provided by Cisco WebEx. The function pointers in the stack can be overwritten, and the DEP and ASLR are disabled, resulting in very stable use of the code. Cisco WebEx is prone to a remote code-execution vulnerability because the application fails to perform adequate boundary checks on user-supplied data. An attacker can exploit this issue to execute arbitrary code with the privileges of the affected application. Failed exploit attempts will result in a denial-of-service condition. WebEx is the world's largest provider of network communication services, providing carrier-class network conferencing solutions. Currently WebEx has been acquired by Cisco. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Core Security Technologies - Corelabs Advisory http://corelabs.coresecurity.com/ Cisco WebEx .atp and .wrf Overflow Vulnerabilities 1. *Advisory Information* Title: Cisco WebEx .atp and .wrf Overflow Vulnerabilities Advisory ID: CORE-2010-1001 Advisory URL: [http://www.coresecurity.com/content/webex-atp-and-wrf-overflow-vulnerabilities] Date published: 2011-01-31 Date of last update: 2011-01-31 Vendors contacted: Cisco Release mode: Coordinated release 2. *Vulnerability Description* There are stack overflows on WebEx [1] that can be exploited by sending maliciously crafted .atp and .wrf files to a vulnerable WebEx user. When opened, these files trigger a reliably exploitable stack based buffer overflow. In the .atp case an exception handler can be overwritten on the stack, and most registers can be trivially overwritten. 4. *Vulnerable packages* . Contact Cisco for a list of vulnerable versions. 5. *Non-vulnerable packages* . Contact Cisco. 6. *Vendor Information, Solutions and Workarounds* All clients of WebEx Meeting Center should now be running a patched version according to Cisco. A non-vulnerable version of WebEx Player should be available at [http://www.webex.com/downloadplayer.html]. 7. *Credits* These vulnerabilities were discovered and researched by Federico Muttis, Sebastian Tello and Manuel Muradas from Core Security Technologies during Bugweek 2010 as part of the "Cisco Baby Cisco!" team [2]. The publication of this advisory was coordinated by Pedro Varangot. 8. *Technical Description* 8.1. *WebEx Player .wrf Buffer Overflow [CVE-2010-3269]* WebEx Player can be used to playback recordings of WebEx sessions. These recordings can be stored using the .wrf closed and undocumented file format. This vulnerability can also be exploited by publishing a .wrf video file in a meeting, resulting in the compromise of the meeting's participants. /----- .text:6070C272 loc_6070C272: ; CODE XREF: sub_6070C050+255j .text:6070C272 test esi, esi .text:6070C274 jnz short loc_6070C28F .text:6070C276 push ebx .text:6070C277 call dword ptr [ebp+0Ch] ; call to function pointer on the stack .text:6070C27A add esp, 4 .text:6070C27D test al, al .text:6070C27F jz loc_6070C374 .text:6070C285 mov edi, [ebp+0] .text:6070C288 mov esi, [ebp+4] .text:6070C28B mov eax, [esp+0D98h+var_D80] .text:6070C28F .text:6070C28F loc_6070C28F: ; CODE XREF: sub_6070C050+224j .text:6070C28F mov cl, [edi] ; cl can be controlled, it is read from the malicious .wrf file .text:6070C291 dec esi .text:6070C292 mov [esp+eax+0D98h+var_C8C], cl ; this mov overflows the stack with user controlled values .text:6070C299 mov ecx, [esp+0D98h+var_D84] .text:6070C29D inc edi .text:6070C29E inc eax .text:6070C29F cmp eax, ecx .text:6070C2A1 mov [esp+0D98h+var_D80], eax .text:6070C2A5 jl short loc_6070C272 - -----/ 8.2. If his connection to the server is then severed by a malicious payload, the .atp file will be cycled to the next connected client. We developed trivial examples that take control of EIP using arbitrary characters. 9. *Report Timeline* . 2010-10-04: Core Security Technologies contacts Cisco PSIRT using their provided PGP key notifying them of the vulnerabilities and sending an advisory draft, a proof of concept for the WebEx Player vulnerability, and a proof of concept for the Meeting Center vulnerability including details of how to reproduce both vulnerabilities, and details about the behaviour of the PoC for the Player vulnerability on Windows XP SP2 (which overwrites EIP with 0x41414141 on that platform). October 18th 2010 (a two weeks timeframe) is set as a potential release date for the advisory. 2010-10-05: Cisco PSIRT contacts Core stating that their development team is out of the office till Friday October 8th. November 15th 2010 is mentioned as an estimated release date for a fix. 2010-10-05: Core replies to Cisco PSIRT postponing the release date of this advisory for one week, to Monday October 25th, in order to contemplate the fact that Cisco's development team is away from office for the week. Further changes to the release date will be made after receiving technical feedback. November the 15th is mentioned to be a possible date to settle on. 2010-10-11: Cisco PSIRT replies acknowledging "an exception in WebEx player" but that doesn't overwrite EIP as Core Security Technologies indicated. Cisco PSIRT also asks for more detailed information about the version of WebEx Player used. 2010-10-12: Core sends the requested information, also attaching new proof of concept exploits for the WebEx Player vulnerability (that now executes code and launches "calc.exe"), and further details about the steps needed to reproduce the WebEx Meeting Center crash. Details about the system where the proof of concept for the WebEx Player vulnerability was run are asked. Details about the "exception" are also asked, specially noting that if other registers are overwritten this should be considered as a vulnerability that would possibly lead to reliable code execution even if EIP was not modified (as noted by Core on the e-mail where the PoC was attached). No reply is received to this e-mail. 2010-10-19: Core resends the previous e-mail asking for news about reproduction of the vulnerability on Cisco's side and asking if there was any problem in the reception or interpretation of the last communication. No reply is received to this e-mail. 2010-10-28: Core Security Technologies resends the last e-mail, unilaterally rescheduling the publication of this advisory to November 8th 2010, which is closer to Cisco's initial estimation for the release of a fix. Core states its willingness to reschedule this publication date but only under firm commitment from Cisco to working seriously towards fixing this issue in a scheduled timeframe. An updated advisory draft is attached which includes an updated timeline. 2010-10-30: Cisco PSIRT replies acknowledging the vulnerability, stating that they were able to reproduce code execution results in the currently released version of WebEx, and a crash in their current development version. Cisco also states that there is not information yet from their development team about when a fix for this vulnerability will be released. 2010-11-09: Core replies offering more technical details about exploitation if they are needed, and reminding Cisco that the crash in their development version may also be exploitable even if the current proof of concept exploit only crashes it. The publication date for this advisory is rescheduled to November 22nd 2010. Core states that they will like to schedule a firm date for the release of information about this vulnerability to the public and hence would like to get more information from Cisco about the schedule for the release of a fix. 2010-11-15: Cisco states that fixed code will be deployed in mid-December, but since WebEx Meeting Center runs on a SaaS environment it takes about four or five weeks for all clients to be running the latest version of the code. 2010-12-06: Cisco contacts Core since no reply was received in the past two weeks, and clarifies that a fix will be deployed on December 15th and should be done on January 11th 2011. 2010-12-06: Core states that they believe this advisory should be released as soon as the fix is deployed, since diffing the WebEx binary on the client side gives full details about the WebEx Meeting Center vulnerability to an average skilled reverse engineer. Core schedules the publication of this advisory to December 15th 2010. 2010-12-07: Cisco contacts Core stating that releasing details about this vulnerability would endanger customers, since there is no action they can take to protect themselves because the responsibility of upgrading the code ran by the customer falls on Cisco. Cisco mentions that "many of these customers are probably shared between Cisco and Core Security". 2010-12-10: Cisco contacts Core stating that they have just discovered the WebEx Meeting Center Vulnerability affects a new set of customers that where not accounted for originally. These are customers running T27SP21 that can not be upgraded to SP22. An emergency patch will be released for SP21 in January 2011, and this sets back the date when all clients should be running an updated version to the "end of January, beginning of February." . 2010-12-14: Core proposes to split this advisory into two different advisories to better accommodate the WebEx Meeting Center SaaS release cycle. On one advisory, the .wrf client side vulnerability would be described, and the other would be dedicated to the WebEx Meeting Center vulnerability that may compromise a meeting's host computer. Core believes this mitigates the risk in a more effective way, since clients can update WebEx Player by themselves on December 15th (the date when Cisco stated the fixed version would be released) and no details of the Meeting Center vulnerability would be released until all clients are running an updated version. 2010-12-15: Cisco states they wouldn't like the advisory to be splitted, and that they prefer Core Security Technologies to go ahead and release information about both vulnerabilities. 2010-12-15: Core states that they prefer to release two advisories because these are two different bugs, in two pieces of software, each one of them with a differently working update channel determined by the vendor. Core also informs Cisco that the download link for WebEx Player points to a vulnerable version as of today, and asks Cisco to clarify what date they meant as mid-December, since Core would like to know when a fixed version of WebEx Player will be available for download to be able to publish the WebEx Player vulnerability. 2010-12-16: Cisco replies saying that releasing two advisories seems like a good plan to them. Cisco also states that since many of their customers observe a lockdown policy during the holidays season, they take a "don't upgrade" policy of their own until Monday January 10th, 2011. That is the reason why the download link of WebEx Player has not been changed yet. 2011-01-10: Core states that they are ready to release this advisory on January 11th, and that releasing two separate advisories seems pointless now because the release date of both would be very similar, and the original idea was to mitigate the risk posed by the .wrf vulnerability. Core also states that they are reviewing the best course of action to take with the issue regarding clients running the old version of WebEx (T27SP21) that according to Cisco are unable to upgrade to SP22 since this was not accounted for previously. 2011-01-13: Core states that since they have committed previously to release the advisory taking into account Cisco's consideration about their SaaS patch deploy model, when factoring the issue of clients running the SP21 version of Meeting Center scheduled by Cisco for emergency update on January, a release date of January the 31st seems reasonable. This date should be taken as final and Core Security Technologies believes it takes into account all information given by Cisco about SaaS updating timeframes. If this is not the case Cisco is asked to rectify ASAP. 2011-01-14: Cisco confirms that the timeframe (publishing both vulnerabilities on January 31st) works for them. 2011-01-31: The advisory CORE-2010-1001 is published. 10. *References* [1] [http://www.webex.com/] [2] [http://corelabs.coresecurity.com/index.php?module=Wiki&action=view&type=project&name=Bugweek] 11. *About CoreLabs* CoreLabs, the research center of Core Security Technologies, is charged with anticipating the future needs and requirements for information security technologies. We conduct our research in several important areas of computer security including system vulnerabilities, cyber attack planning and simulation, source code auditing, and cryptography. Our results include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies. CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use at: [http://corelabs.coresecurity.com]. 12. *About Core Security Technologies* Core Security Technologies develops strategic solutions that help security-conscious organizations worldwide develop and maintain a proactive process for securing their networks. The company's flagship product, CORE IMPACT, is the most comprehensive product for performing enterprise security assurance testing. CORE IMPACT evaluates network, endpoint and end-user vulnerabilities and identifies what resources are exposed. It enables organizations to determine if current security investments are detecting and preventing attacks. Core Security Technologies augments its leading technology solution with world-class security consulting services, including penetration testing and software security auditing. Based in Boston, MA and Buenos Aires, Argentina, Core Security Technologies can be reached at 617-399-6980 or on the Web at [http://www.coresecurity.com]. 13. *Disclaimer* The contents of this advisory are copyright (c) 2011 Core Security Technologies and (c) 2011 CoreLabs, and are licensed under a Creative Commons Attribution Non-Commercial Share-Alike 3.0 (United States) License: [http://creativecommons.org/licenses/by-nc-sa/3.0/us/] 14. *PGP/GPG Keys* This advisory has been signed with the GPG key of Core Security Technologies advisories team, which is available for download at [http://www.coresecurity.com/files/attachments/core_security_advisories.asc]. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (MingW32) iEYEARECAAYFAk1HJwcACgkQyNibggitWa13VwCfVg6jVkuv3PhqmhNqZFIQO7CB L1YAni1ONdRqEYczbkvki9r0Y7nr9cIQ =9HdA -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
VAR-201102-0365 CVE-2011-1034 IBM Rational Build Forge Cross-Site Scripting Vulnerability CVSS V2: 4.3
CVSS V3: -
Severity: MEDIUM
Cross-site scripting (XSS) vulnerability in the UI in IBM Rational Build Forge 7.0.2 allows remote attackers to inject arbitrary web script or HTML via the mod parameter to the fullcontrol program. NOTE: some of these details are obtained from third party information. IBM Rational Build Forge is an automated process execution software that helps customers build, test and publish automated software. Part of the input passed to fullcontrol/ is not properly filtered before returning to the user, and the attacker can exploit the vulnerability for arbitrary HTML and script code attacks to obtain sensitive information or hijack the target user session. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks. ---------------------------------------------------------------------- Secure your corporate defenses and reduce complexity in handling vulnerability threats with the new Secunia Vulnerability Intelligence Manager (VIM). Request a free trial: http://secunia.com/products/corporate/vim/ ---------------------------------------------------------------------- TITLE: IBM Rational Build Forge Cross-Site Scripting Vulnerability SECUNIA ADVISORY ID: SA43180 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/43180/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=43180 RELEASE DATE: 2011-02-04 DISCUSS ADVISORY: http://secunia.com/advisories/43180/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/43180/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=43180 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: A vulnerability has been reported in IBM Rational Build Forge, which can be exploited by malicious people to conduct cross-site scripting attacks. Certain input passed to fullcontrol/ is not properly sanitised before being returned to the user. The vulnerability is reported in version 7.02. SOLUTION: Apply APAR PM05187. PROVIDED AND/OR DISCOVERED BY: The vendor credits a customer. ORIGINAL ADVISORY: IBM (PM05187): http://www.ibm.com/support/docview.wss?uid=swg1PM05187 OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXPLOIT: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------
VAR-201102-0369 CVE-2011-1042 Google Chrome OS of flimflamd Service disruption in (DoS) Vulnerabilities CVSS V2: 4.3
CVSS V3: -
Severity: MEDIUM
Use-after-free vulnerability in flimflamd in flimflam in Google Chrome OS before 0.9.130.14 Beta allows user-assisted remote attackers to cause a denial of service (daemon crash) by providing the name of a hidden WiFi network that does not respond to connection attempts. Google Chrome OS is a lightweight computer operating system development program developed by Google to develop a cloud operating system dedicated to the Internet. A post-release vulnerability exists in flimflamd in flimflam prior to Google Chrome OS 0.9.130.14 Beta. Successful exploits will cause the affected application to crash, effectively denying service to legitimate users. Due to the nature of this issue, remote code execution may be possible; this has not been confirmed
VAR-201101-0497 No CVE Huwea HG520/HG530 Wireless Routers Weak Cipher Security Weakness CVSS V2: -
CVSS V3: -
Severity: -
Huwea HG520/HG530 are prone to a security weakness that may allow attackers to generate default WEP/WPA keys. Successfully exploiting this issue may allow attackers to generate the WEP/WPA key using the MAC address. This may lead to other attacks.
VAR-201101-0212 CVE-2011-0349 CSG2 Run on Cisco IOS Service disruption in (DoS) Vulnerabilities CVSS V2: 7.8
CVSS V3: -
Severity: HIGH
Unspecified vulnerability in Cisco IOS 12.4(24)MD before 12.4(24)MD2 on the Cisco Content Services Gateway Second Generation (aka CSG2) allows remote attackers to cause a denial of service (device hang or reload) via crafted TCP packets, aka Bug ID CSCth17178, a different vulnerability than CVE-2011-0350. The problem is Bug ID CSCth17178 It is a problem. This vulnerability CVE-2011-0350 Is a different vulnerability.Skillfully crafted by a third party TCP Service disruption via packets (DoS) There is a possibility of being put into a state. Under certain configurations this vulnerability could allow: * Customers to access sites that would normally match a billing policy to be accessed without being charged to the end customer * Customers to access sites that would normally be denied based on configured restriction policies Additionally, Cisco IOS Software Release 12.4(24)MD1 on the Cisco CSG2 contains two vulnerabilities that can be exploited by a remote, unauthenticated attacker to create a denial of service condition that prevents traffic from passing through the CSG2. A three-way handshake is not required to exploit either of these vulnerabilities. Workarounds that mitigate these vulnerabilities are not available. This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20110126-csg2.shtml. Affected Products ================= The service policy bypass vulnerability affects all versions of the Cisco IOS Software for the CSG2 prior to the first fixed release, as indicated in the "Software Versions and Fixes" section of this advisory. No other Cisco IOS Software releases are affected. Vulnerable Products +------------------ To determine the version of Cisco IOS Software that is running on the Cisco CSG2, issue the "show module" command from Cisco IOS Software on the switch on which the Cisco CSG2 module is installed to identify what modules and sub-modules are installed on the system. Cisco CSG2 runs on the Cisco Service and Application Module for IP (SAMI) card, and is identified in the following example in slot 2 via the WS-SVC-SAMI-BB-K9 identification: C7600#show module Mod Ports Card Type Model Serial No. --- ----- -------------------------------------- ------------------ ----------- 1 2 Supervisor Engine 720 (Active) WS-SUP720-3BXL JAF1226ARQS 2 1 SAMI Module (csgk9) WS-SVC-SAMI-BB-K9 SAD113906P1 4 48 CEF720 48 port 10/100/1000mb Ethernet WS-X6748-GE-TX SAL1127T6XY Mod MAC addresses Hw Fw Sw Status --- ---------------------------------- ------ ------------ ------------ ------- 1 001e.be6e.a018 to 001e.be6e.a01b 5.6 8.5(2) 12.2(33)SRC5 Ok 2 001d.45f8.f3dc to 001d.45f8.f3e3 2.1 8.7(0.22)FW1 12.4(2010040 Ok 4 001c.587a.ef20 to 001c.587a.ef4f 2.6 12.2(14r)S5 12.2(33)SRC5 Ok Mod Sub-Module Model Serial Hw Status ---- --------------------------- ------------------ ----------- ------- ------- 1 Policy Feature Card 3 WS-F6K-PFC3BXL JAF1226BNQM 1.8 Ok 1 MSFC3 Daughterboard WS-SUP720 JAF1226BNMC 3.1 Ok 2 SAMI Daughterboard 1 SAMI-DC-BB SAD114400L9 1.1 Other 2 SAMI Daughterboard 2 SAMI-DC-BB SAD114207FU 1.1 Other 4 Centralized Forwarding Card WS-F6700-CFC SAL1029VGFK 2.0 Ok Mod Online Diag Status ---- ------------------- 1 Pass 2 Pass 4 Pass C7600# After locating the correct slot, issue the "session slot <module number> processor <3-9>" command to open a console connection to the respective Cisco CSG2. Once connected to the Cisco CSG2, perform the "show version" command: The following example shows that the Cisco CSG2 is running software Release 12.4(24)MD1: CSG2#show version Cisco IOS Software, SAMI Software (SAMI-CSGK9-M), Version 12.4(24)MD1, RELEASE SOFTWARE (fc2) Technical Support: http://www.cisco.com/techsupport Copyright (c) 1986-2010 by Cisco Systems, Inc. No other Cisco products are currently known to be affected by these vulnerabilities. Details ======= The Cisco Content Services Gateway - Second Generation (CSG2) provides intelligent network capabilities such as flexible policy management and billing based on deep-packet inspection, as well as subscriber and application awareness capabilities that enable mobile operators to quickly and easily offer value-added, differentiated services over their mobile data networks. The service policy bypass vulnerability affects configurations that allow end users to first access non-accounted or billed sites. After a user accesses a non-accounted site, it is possible to access other sites that are defined by a billing service policy or to access sites that may be blocked by other policies by sending specially crafted HTTP packets. This vulnerability only affects HTTP content traffic. HTTPS and other traffic types are not affected. A three-way handshake is not required to exploit either of these vulnerabilities. The vulnerabilities are triggered by TCP traffic that transits the Cisco CSG2. Vulnerability Scoring Details ============================= Cisco has provided scores for the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS version 2.0. CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response. Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks. Cisco has provided an FAQ to answer additional questions regarding CVSS at: http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at: http://intellishield.cisco.com/security/alertmanager/cvss * CSCtk35917 ("Service Policy Bypass Vulnerability") CVSS Base Score - 6.4 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - Partial Integrity Impact - Partial Availability Impact - None CVSS Temporal Score - 5.3 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed * CSCth41891/CSCth17178 ("Crafted TCP packet causes CSG2 to restart") CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed Impact ====== Successful exploitation of the service policy bypass can allow customers to obtain access to sites that would normally be accounted and billed according to the billing policy without the billing policy being engaged. Additionally, customers could gain access to URLs that are configured in the Cisco CSG2 to be explicitly denied. Due to Cisco Bug ID CSCtg50821, the Cisco CSG2 may not automatically recover and may require a manual reload of the SAMI card by issuing the "hw-module module <x> reset" CLI command from the switch. Software Versions and Fixes =========================== When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution. In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance. Each row of the Cisco IOS Software table (below) names a Cisco IOS release train. If a release train is vulnerable, then the earliest possible releases that contain the fix (along with the anticipated date of availability for each, if applicable) are listed in the "First Fixed Release" column of the table. The "Recommended Release" column indicates the releases which have fixes for all the published vulnerabilities at the time of this Advisory. A device running a release in the given train that is earlier than the release in a specific column (less than the First Fixed Release) is known to be vulnerable. Cisco recommends upgrading to a release equal to or later than the release in the "Recommended Releases" column of the table. +---------------------------------------------------------------+ | Major | Availability of Repaired Releases | | Release | | |------------+--------------------------------------------------| | Affected | | | 12.x-Based | First Fixed Release | | Releases | | |------------+--------------------------------------------------| | 12.0 - | 12.0 through 12.3 based releases are not | | 12.3 | affected | |------------+--------------------------------------------------| | Affected | First Fixed Release | | 12.4-Based |--------------------------------------------------| | Releases | DoS | Service Policy Bypass | | | Vulnerabilities | Vulnerability | |------------+------------------+-------------------------------| | | All 12.4(11)MD | | | | releases are not | All 12.4(11)MD releases are | | | affected. | affected. Migrate to a fixed | | | | release. | | | All 12.4(15)MD | | | | releases are not | All 12.4(15)MD releases are | | | affected. | affected. Migrate to a fixed | | | | release. | | | All 12.4(22)MD | | | 12.4MD | releases are not | All 12.4(22)MD releases are | | | affected. | affected. Migrate to a fixed | | | | release. | | | Releases prior | | | | to 12.4(24)MD1 | All 12.4(24)MD releases prior | | | are not | to 12.4(24)MD3 are affected. | | | affected. | | | | | First fixed in 12.4(24)MD3 | | | First fixed in | | | | 12.4(24)MD2 | | |------------+------------------+-------------------------------| | | | All 12.4(22)MDA releases | | | | prior to 12.4(22)MDA5 are | | | | affected. First fixed in 12.4 | | | No releases | (22)MDA5 | | 12.4MDA | affected. | | | | | All 12.4(24)MDA releases | | | | prior to 12.4(24)MDA3 are | | | | affected. First fixed in 12.4 | | | | (24)MDA3 | |------------+--------------------------------------------------| | Affected | | | 15.X-Based | First Fixed Release | | Releases | | |------------+--------------------------------------------------| | 15.0 - | 15.0 through 15.1 based releases are not | | 15.1 | affected | +---------------------------------------------------------------+ Cisco IOS Software for the CSG2 is located on Cisco Software Download center at the following location: Cisco Interfaces and Modules --> Cisco Services Modules --> Cisco Service Application Module for IP. Workarounds =========== There are no workarounds for these vulnerabilities. Obtaining Fixed Software ======================== Cisco has released free software updates that address these vulnerabilities. Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment. Customers may only install and expect support for the feature sets they have purchased. By installing, downloading, accessing or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco's software license terms found at http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html, or as otherwise set forth at Cisco.com Downloads at http://www.cisco.com/public/sw-center/sw-usingswc.shtml. Do not contact psirt@cisco.com or security-alert@cisco.com for software upgrades. Customers with Service Contracts +------------------------------- Customers with contracts should obtain upgraded software through their regular update channels. For most customers, this means that upgrades should be obtained through the Software Center on Cisco's worldwide website at http://www.cisco.com. Customers using Third Party Support Organizations +------------------------------------------------ Customers whose Cisco products are provided or maintained through prior or existing agreements with third-party support organizations, such as Cisco Partners, authorized resellers, or service providers should contact that support organization for guidance and assistance with the appropriate course of action in regards to this advisory. The effectiveness of any workaround or fix is dependent on specific customer situations, such as product mix, network topology, traffic behavior, and organizational mission. Due to the variety of affected products and releases, customers should consult with their service provider or support organization to ensure any applied workaround or fix is the most appropriate for use in the intended network before it is deployed. Customers without Service Contracts +---------------------------------- Customers who purchase direct from Cisco but do not hold a Cisco service contract, and customers who purchase through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should acquire upgrades by contacting the Cisco Technical Assistance Center (TAC). TAC contacts are as follows. * +1 800 553 2447 (toll free from within North America) * +1 408 526 7209 (toll call from anywhere in the world) * e-mail: tac@cisco.com Customers should have their product serial number available and be prepared to give the URL of this notice as evidence of entitlement to a free upgrade. Free upgrades for non-contract customers must be requested through the TAC. Refer to http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html for additional TAC contact information, including localized telephone numbers, and instructions and e-mail addresses for use in various languages. Exploitation and Public Announcements ===================================== The Cisco PSIRT is aware of public announcements of the service billing bypass vulnerability on some external blog sites. However the Cisco PSIRT is not aware of any malicious use of the vulnerabilities described in this advisory. These vulnerabilities were found by both internal testing and when handling customer support calls. Status of this Notice: FINAL ============================ THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME. A stand-alone copy or Paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors. Distribution ============ This advisory is posted on Cisco's worldwide website at: http://www.cisco.com/warp/public/707/cisco-sa-20110126-csg2.shtml In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients. * cust-security-announce@cisco.com * first-bulletins@lists.first.org * bugtraq@securityfocus.com * vulnwatch@vulnwatch.org * cisco@spot.colorado.edu * cisco-nsp@puck.nether.net * full-disclosure@lists.grok.org.uk * comp.dcom.sys.cisco@newsgate.cisco.com Future updates of this advisory, if any, will be placed on Cisco's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates. Revision History ================ +------------------------------------------------------------+ | Revision 1.0 | 2011-January-26 | Initial public release. | +------------------------------------------------------------+ Cisco Security Procedures ========================= Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html. This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at http://www.cisco.com/go/psirt. +-------------------------------------------------------------------- Copyright 2010-2011 Cisco Systems, Inc. All rights reserved. +-------------------------------------------------------------------- -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (GNU/Linux) iF4EAREIAAYFAk1APx0ACgkQQXnnBKKRMNBE4QD/WfH2GXgAJub+4ech0JhHizBO 98PLNKENutVsJpa0eCUA/2hKwfofNSloEh7i5JZXrwKFcjgBYJcPnDa1W2JRHSfZ =EZt9 -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ . ---------------------------------------------------------------------- Secure your corporate defenses and reduce complexity in handling vulnerability threats with the new Secunia Vulnerability Intelligence Manager (VIM). Request a free trial: http://secunia.com/products/corporate/vim/ ---------------------------------------------------------------------- TITLE: Cisco Content Services Gateway Security Bypass and Denial of Service SECUNIA ADVISORY ID: SA43052 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/43052/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=43052 RELEASE DATE: 2011-01-27 DISCUSS ADVISORY: http://secunia.com/advisories/43052/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/43052/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=43052 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: Multiple vulnerabilities have been reported in Cisco Content Services Gateway (CSG2), which can be exploited by malicious people to bypass certain security restrictions and cause a DoS (Denial of Service). SOLUTION: Apply fixes (please see the vendor's advisory for details). PROVIDED AND/OR DISCOVERED BY: Reported by the vendor. ORIGINAL ADVISORY: cisco-sa-20110126-csg2: http://www.cisco.com/en/US/products/products_security_advisory09186a0080b6791d.shtml OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXPLOIT: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor
VAR-201101-0398 No CVE SAP Crystal Reports Server Directory Traversal Vulnerability CVSS V2: -
CVSS V3: -
Severity: HIGH
To successfully exploit this vulnerability, you need to verify the information legally. SAP Crystal Reports Server is a complete reporting solution for creating, managing, and delivering reports through the web or embedded enterprise applications. A security vulnerability exists in SAP Crystal Reports Server that allows malicious users to obtain sensitive information and manipulate the database. (1) ActiveX control (scriptinghelpers.dll) can use the unsafe \"CreateTextFile()\" method to overwrite existing files; (2) ActiveX control (scriptinghelpers.dll) can use the unsafe \"LaunchProgram()\" method to execute arbitrary programs. (3) ActiveX control (scriptinghelpers.dll) can use the unsafe \"DeleteFile()\" method to delete any program; (4) ActiveX control (scriptinghelpers.dll) can use the unsafe \"Kill()\" method to end any process. ---------------------------------------------------------------------- Secure your corporate defenses and reduce complexity in handling vulnerability threats with the new Secunia Vulnerability Intelligence Manager (VIM). Request a free trial: http://secunia.com/products/corporate/vim/ ---------------------------------------------------------------------- TITLE: SAP Crystal Reports Server Multiple Vulnerabilities SECUNIA ADVISORY ID: SA43060 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/43060/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=43060 RELEASE DATE: 2011-01-26 DISCUSS ADVISORY: http://secunia.com/advisories/43060/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/43060/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=43060 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: Dmitry Chastuhin has reported multiple vulnerabilities in SAP Crystal Reports Server 2008, which can be exploited by malicious users to disclose potentially sensitive information and by malicious people to conduct cross-site scripting attacks, manipulate certain data, and compromise a user's system. 1) Input passed to the "actId" parameter in InfoViewApp/jsp/common/actionNav.jsp, "backUrl" parameter in InfoViewApp/jsp/common/error.jsp, and "logonAction" parameter in InfoViewApp/logon.jsp is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site. This can be exploited to display arbitrary files from local resources via directory traversal attacks. SOLUTION: Apply patches (please see the vendor's advisory for details). PROVIDED AND/OR DISCOVERED BY: Dmitry Chastuhin, Digital Security Research Group (DSecRG). ORIGINAL ADVISORY: SAP: https://service.sap.com/sap/support/notes/1458310 https://service.sap.com/sap/support/notes/1458309 https://service.sap.com/sap/support/notes/1476930 DSecRG: http://dsecrg.com/pages/vul/show.php?id=301 http://dsecrg.com/pages/vul/show.php?id=302 http://dsecrg.com/pages/vul/show.php?id=303 OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXPLOIT: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------