VARIoT IoT vulnerabilities database

Affected products: vendor, model and version
CWE format is 'CWE-number'. Threat type can be: remote or local
Look up free text in title and description

VAR-202005-0845 CVE-2020-9475 S. Siedle & Soehne SG 150-0 Smart Gateway Vulnerability related to authority management in CVSS V2: 6.9
CVSS V3: 7.0
Severity: HIGH
The S. Siedle & Soehne SG 150-0 Smart Gateway before 1.2.4 allows local privilege escalation via a race condition in logrotate. By using an exploit chain, an attacker with access to the network can get root access on the gateway. (DoS) It may be put into a state. Siedle & Soehne SG 150-0 Smart Gateway is a home smart gateway product of S. Siedle & Soehne in Germany
VAR-202005-0002 CVE-2012-0953 Nvidia Race condition vulnerabilities in graphics CVSS V2: 4.4
CVSS V3: 5.0
Severity: MEDIUM
A race condition was discovered in the Linux drivers for Nvidia graphics which allowed an attacker to exfiltrate kernel memory to userspace. This issue was fixed in version 295.53. (DoS) It may be put into a state
VAR-202005-0001 CVE-2012-0952 Nvidia Graphics card Out-of-bounds write vulnerability in CVSS V2: 4.4
CVSS V3: 5.0
Severity: MEDIUM
A heap buffer overflow was discovered in the device control ioctl in the Linux driver for Nvidia graphics cards, which may allow an attacker to overflow 49 bytes. This issue was fixed in version 295.53. Nvidia A graphics card contains an out-of-bounds write vulnerability.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be put into a state
VAR-202005-0417 CVE-2020-12679 Mitel ShoreTel Conference Web Application Cross-site scripting vulnerability in CVSS V2: 4.3
CVSS V3: 6.1
Severity: MEDIUM
A reflected cross-site scripting (XSS) vulnerability in the Mitel ShoreTel Conference Web Application 19.50.1000.0 before MiVoice Connect 18.7 SP2 allows remote attackers to inject arbitrary JavaScript and HTML via the PATH_INFO to home.php. Mitel ShoreTel Conference Web Application Exists in a cross-site scripting vulnerability.Information may be obtained and tampered with
VAR-202005-0427 CVE-2020-12719 plural WSO2 In the product XML External entity vulnerabilities CVSS V2: 6.5
CVSS V3: 7.2
Severity: HIGH
XXE during an EventPublisher update can occur in Management Console in WSO2 API Manager 3.0.0 and earlier, API Manager Analytics 2.5.0 and earlier, API Microgateway 2.2.0, Enterprise Integrator 6.4.0 and earlier, IS as Key Manager 5.9.0 and earlier, Identity Server 5.9.0 and earlier, and Identity Server Analytics 5.6.0 and earlier. plural WSO2 The product has XML There is a vulnerability in an external entity.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be put into a state. WSO2 API Manager, etc. are all products of the American WSO2 company. WSO2 API Manager is a set of API lifecycle management solutions. WSO2 Identity Server (IS) is an identity authentication server. WSO2 Enterprise Integrator is an open source hybrid integration platform. A security vulnerability exists in several WSO2 products. Attackers can exploit this vulnerability to obtain local files, cause denial of service, forge server-side requests, scan ports, or cause other damage
VAR-202005-0224 CVE-2020-10176 ASSA ABLOY Yale WIPC-301W On the device OS Command injection vulnerabilities CVSS V2: 10.0
CVSS V3: 9.8
Severity: CRITICAL
ASSA ABLOY Yale WIPC-301W 2.x.2.29 through 2.x.2.43_p1 devices allow Eval Injection of commands. ASSA ABLOY Yale WIPC-301W On the device OS A command injection vulnerability exists.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be put into a state. ASSA ABLOY Yale WIPC-301W is a home network camera of ASSA ABLO Group in Sweden. There are security vulnerabilities in ASSA ABLOY Yale WIPC-301W version 2.x.2.29 to 2.x.2.43_p1. Attackers can use this vulnerability to inject commands
VAR-202005-0100 CVE-2020-10794 Gira TKS-IP-Gateway Past Traversal Vulnerability in CVSS V2: 5.0
CVSS V3: 9.8
Severity: CRITICAL
Gira TKS-IP-Gateway 4.0.7.7 is vulnerable to unauthenticated path traversal that allows an attacker to download the application database. This can be combined with CVE-2020-10795 for remote root access. Gira TKS-IP-Gateway Exists in a past traversal vulnerability.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be put into a state
VAR-202005-0101 CVE-2020-10795 Gira TKS-IP-Gateway operating system command injection vulnerability CVSS V2: 9.0
CVSS V3: 7.2
Severity: HIGH
Gira TKS-IP-Gateway 4.0.7.7 is vulnerable to authenticated remote code execution via the backup functionality of the web frontend. This can be combined with CVE-2020-10794 for remote root access. Gira TKS-IP-Gateway To OS A command injection vulnerability exists.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be put into a state. Gira TKS-IP-Gateway is a network communication gateway product of German Gira company. There is a security hole in Gira TKS-IP-Gateway version 4.0.7.7
VAR-202005-0095 CVE-2020-10973 Wavlink WL-WN530HG4 Inadequate protection of credentials on devices CVSS V2: 5.0
CVSS V3: 7.5
Severity: HIGH
An issue was discovered in Wavlink WN530HG4, Wavlink WN531G3, Wavlink WN533A8, and Wavlink WN551K1 affecting /cgi-bin/ExportAllSettings.sh where a crafted POST request returns the current configuration of the device, including the administrator password. No authentication is required. The attacker must perform a decryption step, but all decryption information is readily available. Wavlink WL-WN530HG4 Devices contain vulnerabilities in insufficient protection of credentials.Information may be obtained
VAR-202005-0093 CVE-2020-10971 plural Wavlink Input verification vulnerabilities on devices CVSS V2: 9.3
CVSS V3: 8.8
Severity: HIGH
An issue was discovered on Wavlink Jetstream devices where a crafted POST request can be sent to adm.cgi that will result in the execution of the supplied command if there is an active session at the same time. The POST request itself is not validated to ensure it came from the active session. Affected devices are: Wavlink WN530HG4, Wavlink WN575A3, Wavlink WN579G3,Wavlink WN531G3, Wavlink WN533A8, Wavlink WN531A6, Wavlink WN551K1, Wavlink WN535G3, Wavlink WN530H4, Wavlink WN57X93, WN572HG3, Wavlink WN578A2, Wavlink WN579G3, Wavlink WN579X3, and Jetstream AC3000/ERAC3000. Wavlink WL-WN579G3 , WL-WN575A3 , WL-WN530HG4b The device contains an input verification vulnerability.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be put into a state. An issue exists on Wavlink WL-WN579G3 M79X3.V5030.180719, WL-WN575A3 RPT75A3.V4300.180801, and WL-WN530HG4 M30HG4.V5030.191116 devices
VAR-202005-0094 CVE-2020-10972 Wavlink WL-WN530HG4 Inadequate protection of credentials on devices CVSS V2: 5.0
CVSS V3: 7.5
Severity: HIGH
An issue was discovered where a page is exposed that has the current administrator password in cleartext in the source code of the page. No authentication is required in order to reach the page (a certain live_?.shtml page with the variable syspasswd). Affected Devices: Wavlink WN530HG4, Wavlink WN531G3, and Wavlink WN572HG3. Wavlink WL-WN530HG4 Devices contain vulnerabilities in insufficient protection of credentials.Information may be obtained
VAR-202005-0990 CVE-2020-5895 NGINX Controller Vulnerability in CVSS V2: 4.6
CVSS V3: 7.8
Severity: HIGH
On NGINX Controller versions 3.1.0-3.3.0, AVRD uses world-readable and world-writable permissions on its socket, which allows processes or users on the local system to write arbitrary data into the socket. A local system attacker can make AVRD segmentation fault (SIGSEGV) by writing malformed messages to the socket. NGINX Controller There is an unspecified vulnerability in.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be put into a state. F5 NGINX Controller is a centralized monitoring and management platform for NGINX from F5 Corporation in the United States. The platform supports managing multiple NGINX instances using a visual interface. A security vulnerability exists in the F5 NGINX Controller version 3.1.0 to 3.3.0 due to AVRD setting its sockets to be world readable and writable
VAR-202005-0989 CVE-2020-5894 NGINX Controller Session fixation vulnerability in CVSS V2: 5.8
CVSS V3: 8.1
Severity: HIGH
On versions 3.0.0-3.3.0, the NGINX Controller webserver does not invalidate the server-side session token after users log out. NGINX Controller There is a session fixation vulnerability in.Information may be obtained and tampered with. F5 NGINX Controller is a centralized monitoring and management platform for NGINX from F5 Corporation in the United States. The platform supports managing multiple NGINX instances using a visual interface. A remote attacker could exploit this vulnerability to gain unauthorized access to other user sessions
VAR-202005-0022 CVE-2020-10719 Undertow In HTTP Request Smagling Vulnerability CVSS V2: 6.4
CVSS V3: 6.5
Severity: MEDIUM
A flaw was found in Undertow in versions before 2.1.1.Final, regarding the processing of invalid HTTP requests with large chunk sizes. This flaw allows an attacker to take advantage of HTTP request smuggling. Undertow To HTTP There is a vulnerability related to Request Smagling.Information may be obtained and tampered with. Red Hat Undertow is a Java-based embedded Web server of American Red Hat (Red Hat) Company and the default Web server of Wildfly (Java Application Server). Red Hat Undertow 2.1.1.Final version has an environmental problem vulnerability. The purpose of this text-only errata is to inform you about the security issues fixed in this release. Security Fix(es): * hawtio-osgi (CVE-2017-5645) * prometheus-jmx-exporter: snakeyaml (CVE-2017-18640) * apache-commons-compress (CVE-2019-12402) * karaf-transaction-manager-narayana: netty (CVE-2019-16869, CVE-2019-20445) * tomcat (CVE-2020-1935, CVE-2020-1938, CVE-2020-9484, CVE-2020-13934, CVE-2020-13935, CVE-2020-11996) * spring-cloud-config-server (CVE-2020-5410) * velocity (CVE-2020-13936) * httpclient: apache-httpclient (CVE-2020-13956) * shiro-core: shiro (CVE-2020-17510) * hibernate-core (CVE-2020-25638) * wildfly-openssl (CVE-2020-25644) * jetty (CVE-2020-27216, CVE-2021-28165) * bouncycastle (CVE-2020-28052) * wildfly (CVE-2019-14887, CVE-2020-25640) * resteasy-jaxrs: resteasy (CVE-2020-1695) * camel-olingo4 (CVE-2020-1925) * springframework (CVE-2020-5421) * jsf-impl: Mojarra (CVE-2020-6950) * resteasy (CVE-2020-10688) * hibernate-validator (CVE-2020-10693) * wildfly-elytron (CVE-2020-10714) * undertow (CVE-2020-10719) * activemq (CVE-2020-13920) * cxf-core: cxf (CVE-2020-13954) * fuse-apicurito-operator-container: golang.org/x/text (CVE-2020-14040) * jboss-ejb-client: wildfly (CVE-2020-14297) * xercesimpl: wildfly (CVE-2020-14338) * xnio (CVE-2020-14340) * flink: apache-flink (CVE-2020-17518) * resteasy-client (CVE-2020-25633) * xstream (CVE-2020-26258) * mybatis (CVE-2020-26945) * pdfbox (CVE-2021-27807, CVE-2021-27906) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Installation instructions are available from the Fuse 7.9.0 product documentation page: https://access.redhat.com/documentation/en-us/red_hat_fuse/7.9/ 4. The References section of this erratum contains a download link (you must log in to download the update). The JBoss server process must be restarted for the update to take effect. Summary: This is a security update for JBoss EAP Continuous Delivery 20. Description: Red Hat Single Sign-On 7.4 is a standalone server, based on the Keycloak project, that provides authentication and standards-based single sign-on capabilities for web and mobile applications. Bugs fixed (https://bugzilla.redhat.com/): 1705975 - CVE-2020-1714 keycloak: Lack of checks in ObjectInputStream leading to Remote Code Execution 1790759 - CVE-2020-1694 keycloak: verify-token-audience support is missing in the NodeJS adapter 1816330 - CVE-2020-8840 jackson-databind: Lacks certain xbean-reflect/JNDI blocking 1816332 - CVE-2020-9546 jackson-databind: Serialization gadgets in shaded-hikari-config 1816337 - CVE-2020-9547 jackson-databind: Serialization gadgets in ibatis-sqlmap 1816340 - CVE-2020-9548 jackson-databind: Serialization gadgets in anteros-core 1828406 - CVE-2020-11022 jquery: Cross-site scripting due to improper injQuery.htmlPrefilter method 1828459 - CVE-2020-10719 undertow: invalid HTTP request with large chunk size 1836786 - CVE-2020-10748 keycloak: top-level navigations to data URLs resulting in XSS are possible (incomplete fix of CVE-2020-1697) 1850004 - CVE-2020-11023 jQuery: passing HTML containing <option> elements to manipulation methods could result in untrusted code execution 5. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ==================================================================== Red Hat Security Advisory Synopsis: Important: Red Hat JBoss Enterprise Application Platform 7.2.8 on RHEL 8 security update Advisory ID: RHSA-2020:2060-01 Product: Red Hat JBoss Enterprise Application Platform Advisory URL: https://access.redhat.com/errata/RHSA-2020:2060 Issue date: 2020-05-11 CVE Names: CVE-2019-10172 CVE-2019-12423 CVE-2019-17573 CVE-2020-1719 CVE-2020-1729 CVE-2020-1732 CVE-2020-1745 CVE-2020-1757 CVE-2020-7226 CVE-2020-10705 CVE-2020-10719 ==================================================================== 1. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: Red Hat JBoss EAP 7.2 for RHEL 8 - noarch 3. Description: This release of Red Hat JBoss Enterprise Application Platform 7.2.8 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.2.7, and includes bug fixes and enhancements. See the Red Hat JBoss Enterprise Application Platform 7.2.8 Release Notes for information about the most significant bug fixes and enhancements included in this release. Security Fix(es): * cxf: reflected XSS in the services listing page (CVE-2019-17573) * smallrye-config: SmallRye: SecuritySupport class is incorrectly public and contains a static method to access the current threads context class loader (CVE-2020-1729) * jackson-databind: XML external entity similar to CVE-2016-3720 (CVE-2019-10172) * wildfly: Soteria: security identity corruption across concurrent threads (CVE-2020-1732) * undertow: AJP File Read/Inclusion Vulnerability (CVE-2020-1745) * cryptacular: excessive memory allocation during a decode operation (CVE-2020-7226) * cxf-core: cxf: OpenId Connect token service does not properly validate the clientId (CVE-2019-12423) * undertow: servletPath in normalized incorrectly leading to dangerous application mapping which could result in security bypass (CVE-2020-1757) * wildfly: EJBContext principal is not popped back after invoking another EJB using a different Security Domain (CVE-2020-1719) * undertow: invalid HTTP request with large chunk size (CVE-2020-10719) * undertow: Memory exhaustion issue in HttpReadListener via "Expect: 100-continue" header (CVE-2020-10705) For more details about the security issue(s), including the impact, a CVSS score, and other related information, see the CVE page(s) listed in the References section. 4. Solution: Before applying this update, make sure all previously released errata relevant to your system have been applied. For details about how to apply this update, see: https://access.redhat.com/articles/11258 5. Bugs fixed (https://bugzilla.redhat.com/): 1715075 - CVE-2019-10172 jackson-mapper-asl: XML external entity similar to CVE-2016-3720 1752770 - CVE-2020-1757 undertow: servletPath is normalized incorrectly leading to dangerous application mapping which could result in security bypass 1796617 - CVE-2020-1719 Wildfly: EJBContext principal is not popped back after invoking another EJB using a different Security Domain 1797006 - CVE-2019-12423 cxf: OpenId Connect token service does not properly validate the clientId 1797011 - CVE-2019-17573 cxf: reflected XSS in the services listing page 1801380 - CVE-2020-7226 cryptacular: excessive memory allocation during a decode operation 1801726 - CVE-2020-1732 Soteria: security identity corruption across concurrent threads 1802444 - CVE-2020-1729 SmallRye: SecuritySupport class is incorrectly public and contains a static method to access the current threads context class loader 1803241 - CVE-2020-10705 undertow: Memory exhaustion issue in HttpReadListener via "Expect: 100-continue" header 1807305 - CVE-2020-1745 undertow: AJP File Read/Inclusion Vulnerability 1828459 - CVE-2020-10719 undertow: invalid HTTP request with large chunk size 6. JIRA issues fixed (https://issues.jboss.org/): JBEAP-18071 - [GSS](7.2.z) Upgrade RESTEasy from 3.6.1.SP7 to 3.6.1.SP8 JBEAP-18267 - [GSS] (7.2.z) Upgrade Undertow from 2.0.28.SP1-redhat-00001 to 2.0.30.SP1-redhat-00001 JBEAP-18278 - [GSS](7.2.z) Upgrade JBoss JSF API from 2.3.5.SP2-redhat-00001 to 2.3.5.SP2-redhat-00003 JBEAP-18423 - [GSS](7.2.z) Upgrade JSF based on Mojarra 2.3.5.SP3-redhat-00005 to 2.3.5.SP3-redhat-00008 JBEAP-18438 - (7.2.z) Upgrade jboss-ejb-client from 4.0.28.Final to 4.0.31.Final JBEAP-18503 - (7.2.z) Upgrade WildFly Naming Client from 1.0.10.Final to 1.0.12.Final JBEAP-18506 - [GSS](7.2.z) Upgrade HAL from 3.0.20.Final to 3.0.21.Final JBEAP-18536 - [GSS](7.2.z) Upgrade Bouncycastle from 1.60.0-redhat-00001 to 1.60.0-redhat-00002 JBEAP-18595 - [GSS](7.2.z) Upgrade JBoss Modules from 1.8.8 to 1.8.9 JBEAP-18616 - [Runtimes] (7.2.z) Update components in line with EAP 7.3 stream JBEAP-18628 - [Runtimes] (7.2.x) Upgrade EAP components to latest Runtimes supported version JBEAP-18631 - [Runtimes] (7.2.x) WFCORE - Upgrade components to latest versions from EAP 7.3 JBEAP-18639 - [Runtimes] (7.2.x) Upgrade slf4j-jboss-logmanager from 1.0.3.GA.redhat-2 to 1.0.4.GA.redhat-00001 JBEAP-18646 - [GSS](7.2.z) Upgrade Artemis from 2.9.0.redhat-00009 to 2.9.0.redhat-00010 JBEAP-18652 - (7.2.z) Upgrade Apache CXF from 3.2.11.redhat-00001 to 3.2.12.redhat-00001 JBEAP-18664 - [GSS](7.2.z) Upgrade javax.el-impl from 3.0.1.b08-redhat-00003 to 3.0.1.b08-redhat-00004 JBEAP-18724 - (7.2.z) Upgrade Soteria to 1.0.0-redhat-00002 JBEAP-18729 - [GSS](7.2.z) Upgrade wildfly-transaction-client from 1.1.9.Final-redhat-00001 to 1.1.10.Final-redhat-00001 JBEAP-18787 - (7.2.z) Upgrade wss4j from 2.2.2.redhat-00002 to 2.2.5.redhat-00001 JBEAP-18789 - (7.2.z) Upgrade cryptacular from 1.2.0.redhat-1 to 1.2.4.redhat-00001 JBEAP-18817 - (7.2.z) Upgrade PicketBox from 5.0.3.Final-redhat-00005 to 5.0.3.Final-redhat-00006 JBEAP-18827 - [GSS](7.2.z) Upgrade JBoss Remoting from 5.0.17-redhat-00001 to 5.0.18-redhat-00001 JBEAP-18835 - [GSS](7.2.z) Upgrade Remoting JMX from 3.0.3 to 3.0.4 JBEAP-18885 - Tracker bug for the EAP 7.2.8 release for RHEL-6 JBEAP-18887 - Tracker bug for the EAP 7.2.8 release for RHEL-8 JBEAP-18931 - [GSS](7.2.z) Upgrade WildFly Elytron from 1.6.5.Final-redhat-00001 to 1.6.6.Final-redhat-00001 JBEAP-18988 - (7.2.z) Upgrade jasypt from 1.9.2 to 1.9.3 JBEAP-18989 - (7.2.z) Upgrade opensaml from 3.3.0.redhat-1 to 3.3.1-redhat-00002 JBEAP-19233 - (7.2.z) Upgrade undertow from 2.0.30.SP1-redhat-00001 to 2.0.30.SP2-redhat-00001 JBEAP-19234 - (7.2.z) Upgrade WildFly Core from 6.0.26.Final-redhat-00001 to 6.0.27.Final-redhat-00001 7. Package List: Red Hat JBoss EAP 7.2 for RHEL 8: Source: eap7-activemq-artemis-2.9.0-4.redhat_00010.1.el8eap.src.rpm eap7-apache-cxf-3.2.12-1.redhat_00001.1.el8eap.src.rpm eap7-bouncycastle-1.60.0-2.redhat_00002.1.el8eap.src.rpm eap7-codehaus-jackson-1.9.13-10.redhat_00007.1.el8eap.src.rpm eap7-cryptacular-1.2.4-1.redhat_00001.1.el8eap.src.rpm eap7-glassfish-el-3.0.1-5.b08_redhat_00004.1.el8eap.src.rpm eap7-glassfish-javamail-1.6.2-2.redhat_00001.1.el8eap.src.rpm eap7-glassfish-jsf-2.3.5-10.SP3_redhat_00008.1.el8eap.src.rpm eap7-hal-console-3.0.21-1.Final_redhat_00001.1.el8eap.src.rpm eap7-hibernate-commons-annotations-5.0.5-1.Final_redhat_00002.1.el8eap.src.rpm eap7-hibernate-search-5.10.7-1.Final_redhat_00001.1.el8eap.src.rpm eap7-httpcomponents-client-4.5.4-1.redhat_00001.1.el8eap.src.rpm eap7-httpcomponents-core-4.4.5-1.redhat_00001.1.el8eap.src.rpm eap7-jackson-databind-2.9.10.2-2.redhat_00002.1.el8eap.src.rpm eap7-jasypt-1.9.3-1.redhat_00001.1.el8eap.src.rpm eap7-javaee-security-soteria-1.0.0-3.redhat_00002.1.el8eap.src.rpm eap7-jaxbintros-1.0.3-1.GA_redhat_00001.1.el8eap.src.rpm eap7-jboss-batch-api_1.0_spec-1.0.2-1.Final_redhat_00001.1.el8eap.src.rpm eap7-jboss-classfilewriter-1.2.4-1.Final_redhat_00001.1.el8eap.src.rpm eap7-jboss-common-beans-2.0.1-1.Final_redhat_00001.1.el8eap.src.rpm eap7-jboss-ejb-api_3.2_spec-1.0.2-1.Final_redhat_00001.1.el8eap.src.rpm eap7-jboss-ejb-client-4.0.31-1.Final_redhat_00001.1.el8eap.src.rpm eap7-jboss-invocation-1.5.2-1.Final_redhat_00001.1.el8eap.src.rpm eap7-jboss-jsf-api_2.3_spec-2.3.5-5.SP2_redhat_00003.1.el8eap.src.rpm eap7-jboss-modules-1.8.9-1.Final_redhat_00001.1.el8eap.src.rpm eap7-jboss-openjdk-orb-8.1.4-3.Final_redhat_00002.1.el8eap.src.rpm eap7-jboss-remoting-5.0.18-1.Final_redhat_00001.1.el8eap.src.rpm eap7-jboss-remoting-jmx-3.0.4-1.Final_redhat_00001.1.el8eap.src.rpm eap7-jboss-security-negotiation-3.0.6-1.Final_redhat_00001.1.el8eap.src.rpm eap7-jboss-server-migration-1.3.1-10.Final_redhat_00011.1.el8eap.src.rpm eap7-jboss-threads-2.3.3-1.Final_redhat_00001.1.el8eap.src.rpm eap7-jboss-websocket-api_1.1_spec-1.1.4-1.Final_redhat_00001.1.el8eap.src.rpm eap7-jbossws-common-3.2.3-1.Final_redhat_00001.1.el8eap.src.rpm eap7-jgroups-4.0.20-2.Final_redhat_00002.1.el8eap.src.rpm eap7-jgroups-azure-1.2.1-1.Final_redhat_00001.1.el8eap.src.rpm eap7-jgroups-kubernetes-1.0.13-1.Final_redhat_00001.1.el8eap.src.rpm eap7-mod_cluster-1.4.1-1.Final_redhat_00001.1.el8eap.src.rpm eap7-narayana-5.9.8-1.Final_redhat_00002.1.el8eap.src.rpm eap7-opensaml-3.3.1-1.redhat_00002.1.el8eap.src.rpm eap7-picketbox-5.0.3-7.Final_redhat_00006.1.el8eap.src.rpm eap7-resteasy-3.6.1-9.SP8_redhat_00001.1.el8eap.src.rpm eap7-slf4j-jboss-logmanager-1.0.4-1.GA_redhat_00001.1.el8eap.src.rpm eap7-smallrye-config-1.3.6-1.SP01_redhat_00001.1.el8eap.src.rpm eap7-smallrye-health-1.0.2-2.redhat_00002.1.el8eap.src.rpm eap7-undertow-2.0.30-2.SP2_redhat_00001.1.el8eap.src.rpm eap7-weld-cdi-2.0-api-2.0.0-4.SP1_redhat_00004.1.el8eap.src.rpm eap7-wildfly-7.2.8-3.GA_redhat_00002.1.el8eap.src.rpm eap7-wildfly-elytron-1.6.6-1.Final_redhat_00001.1.el8eap.src.rpm eap7-wildfly-naming-client-1.0.12-1.Final_redhat_00001.1.el8eap.src.rpm eap7-wildfly-transaction-client-1.1.10-1.Final_redhat_00001.1.el8eap.src.rpm eap7-ws-commons-XmlSchema-2.2.4-1.redhat_00001.1.el8eap.src.rpm eap7-wss4j-2.2.5-1.redhat_00001.1.el8eap.src.rpm noarch: eap7-activemq-artemis-2.9.0-4.redhat_00010.1.el8eap.noarch.rpm eap7-activemq-artemis-cli-2.9.0-4.redhat_00010.1.el8eap.noarch.rpm eap7-activemq-artemis-commons-2.9.0-4.redhat_00010.1.el8eap.noarch.rpm eap7-activemq-artemis-core-client-2.9.0-4.redhat_00010.1.el8eap.noarch.rpm eap7-activemq-artemis-dto-2.9.0-4.redhat_00010.1.el8eap.noarch.rpm eap7-activemq-artemis-hornetq-protocol-2.9.0-4.redhat_00010.1.el8eap.noarch.rpm eap7-activemq-artemis-hqclient-protocol-2.9.0-4.redhat_00010.1.el8eap.noarch.rpm eap7-activemq-artemis-jdbc-store-2.9.0-4.redhat_00010.1.el8eap.noarch.rpm eap7-activemq-artemis-jms-client-2.9.0-4.redhat_00010.1.el8eap.noarch.rpm eap7-activemq-artemis-jms-server-2.9.0-4.redhat_00010.1.el8eap.noarch.rpm eap7-activemq-artemis-journal-2.9.0-4.redhat_00010.1.el8eap.noarch.rpm eap7-activemq-artemis-ra-2.9.0-4.redhat_00010.1.el8eap.noarch.rpm eap7-activemq-artemis-selector-2.9.0-4.redhat_00010.1.el8eap.noarch.rpm eap7-activemq-artemis-server-2.9.0-4.redhat_00010.1.el8eap.noarch.rpm eap7-activemq-artemis-service-extensions-2.9.0-4.redhat_00010.1.el8eap.noarch.rpm eap7-activemq-artemis-tools-2.9.0-4.redhat_00010.1.el8eap.noarch.rpm eap7-apache-cxf-3.2.12-1.redhat_00001.1.el8eap.noarch.rpm eap7-apache-cxf-rt-3.2.12-1.redhat_00001.1.el8eap.noarch.rpm eap7-apache-cxf-services-3.2.12-1.redhat_00001.1.el8eap.noarch.rpm eap7-apache-cxf-tools-3.2.12-1.redhat_00001.1.el8eap.noarch.rpm eap7-bouncycastle-1.60.0-2.redhat_00002.1.el8eap.noarch.rpm eap7-bouncycastle-mail-1.60.0-2.redhat_00002.1.el8eap.noarch.rpm eap7-bouncycastle-pkix-1.60.0-2.redhat_00002.1.el8eap.noarch.rpm eap7-bouncycastle-prov-1.60.0-2.redhat_00002.1.el8eap.noarch.rpm eap7-codehaus-jackson-1.9.13-10.redhat_00007.1.el8eap.noarch.rpm eap7-codehaus-jackson-core-asl-1.9.13-10.redhat_00007.1.el8eap.noarch.rpm eap7-codehaus-jackson-jaxrs-1.9.13-10.redhat_00007.1.el8eap.noarch.rpm eap7-codehaus-jackson-mapper-asl-1.9.13-10.redhat_00007.1.el8eap.noarch.rpm eap7-codehaus-jackson-xc-1.9.13-10.redhat_00007.1.el8eap.noarch.rpm eap7-cryptacular-1.2.4-1.redhat_00001.1.el8eap.noarch.rpm eap7-glassfish-el-3.0.1-5.b08_redhat_00004.1.el8eap.noarch.rpm eap7-glassfish-el-impl-3.0.1-5.b08_redhat_00004.1.el8eap.noarch.rpm eap7-glassfish-javamail-1.6.2-2.redhat_00001.1.el8eap.noarch.rpm eap7-glassfish-jsf-2.3.5-10.SP3_redhat_00008.1.el8eap.noarch.rpm eap7-hal-console-3.0.21-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-hibernate-commons-annotations-5.0.5-1.Final_redhat_00002.1.el8eap.noarch.rpm eap7-hibernate-search-5.10.7-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-hibernate-search-backend-jgroups-5.10.7-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-hibernate-search-backend-jms-5.10.7-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-hibernate-search-engine-5.10.7-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-hibernate-search-orm-5.10.7-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-hibernate-search-serialization-avro-5.10.7-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-httpcomponents-client-4.5.4-1.redhat_00001.1.el8eap.noarch.rpm eap7-httpcomponents-core-4.4.5-1.redhat_00001.1.el8eap.noarch.rpm eap7-jackson-databind-2.9.10.2-2.redhat_00002.1.el8eap.noarch.rpm eap7-jasypt-1.9.3-1.redhat_00001.1.el8eap.noarch.rpm eap7-javaee-security-soteria-1.0.0-3.redhat_00002.1.el8eap.noarch.rpm eap7-javaee-security-soteria-enterprise-1.0.0-3.redhat_00002.1.el8eap.noarch.rpm eap7-jaxbintros-1.0.3-1.GA_redhat_00001.1.el8eap.noarch.rpm eap7-jboss-batch-api_1.0_spec-1.0.2-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-jboss-classfilewriter-1.2.4-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-jboss-common-beans-2.0.1-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-jboss-ejb-api_3.2_spec-1.0.2-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-jboss-ejb-client-4.0.31-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-jboss-invocation-1.5.2-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-jboss-jsf-api_2.3_spec-2.3.5-5.SP2_redhat_00003.1.el8eap.noarch.rpm eap7-jboss-modules-1.8.9-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-jboss-openjdk-orb-8.1.4-3.Final_redhat_00002.1.el8eap.noarch.rpm eap7-jboss-remoting-5.0.18-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-jboss-remoting-jmx-3.0.4-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-jboss-security-negotiation-3.0.6-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-jboss-server-migration-1.3.1-10.Final_redhat_00011.1.el8eap.noarch.rpm eap7-jboss-server-migration-cli-1.3.1-10.Final_redhat_00011.1.el8eap.noarch.rpm eap7-jboss-server-migration-core-1.3.1-10.Final_redhat_00011.1.el8eap.noarch.rpm eap7-jboss-server-migration-eap6.4-1.3.1-10.Final_redhat_00011.1.el8eap.noarch.rpm eap7-jboss-server-migration-eap6.4-to-eap7.2-1.3.1-10.Final_redhat_00011.1.el8eap.noarch.rpm eap7-jboss-server-migration-eap7.0-1.3.1-10.Final_redhat_00011.1.el8eap.noarch.rpm eap7-jboss-server-migration-eap7.0-to-eap7.2-1.3.1-10.Final_redhat_00011.1.el8eap.noarch.rpm eap7-jboss-server-migration-eap7.1-1.3.1-10.Final_redhat_00011.1.el8eap.noarch.rpm eap7-jboss-server-migration-eap7.1-to-eap7.2-1.3.1-10.Final_redhat_00011.1.el8eap.noarch.rpm eap7-jboss-server-migration-eap7.2-1.3.1-10.Final_redhat_00011.1.el8eap.noarch.rpm eap7-jboss-server-migration-wildfly10.0-1.3.1-10.Final_redhat_00011.1.el8eap.noarch.rpm eap7-jboss-server-migration-wildfly10.0-to-eap7.2-1.3.1-10.Final_redhat_00011.1.el8eap.noarch.rpm eap7-jboss-server-migration-wildfly10.1-1.3.1-10.Final_redhat_00011.1.el8eap.noarch.rpm eap7-jboss-server-migration-wildfly10.1-to-eap7.2-1.3.1-10.Final_redhat_00011.1.el8eap.noarch.rpm eap7-jboss-server-migration-wildfly11.0-1.3.1-10.Final_redhat_00011.1.el8eap.noarch.rpm eap7-jboss-server-migration-wildfly11.0-to-eap7.2-1.3.1-10.Final_redhat_00011.1.el8eap.noarch.rpm eap7-jboss-server-migration-wildfly12.0-1.3.1-10.Final_redhat_00011.1.el8eap.noarch.rpm eap7-jboss-server-migration-wildfly12.0-to-eap7.2-1.3.1-10.Final_redhat_00011.1.el8eap.noarch.rpm eap7-jboss-server-migration-wildfly13.0-server-1.3.1-10.Final_redhat_00011.1.el8eap.noarch.rpm eap7-jboss-server-migration-wildfly14.0-server-1.3.1-10.Final_redhat_00011.1.el8eap.noarch.rpm eap7-jboss-server-migration-wildfly8.2-1.3.1-10.Final_redhat_00011.1.el8eap.noarch.rpm eap7-jboss-server-migration-wildfly8.2-to-eap7.2-1.3.1-10.Final_redhat_00011.1.el8eap.noarch.rpm eap7-jboss-server-migration-wildfly9.0-1.3.1-10.Final_redhat_00011.1.el8eap.noarch.rpm eap7-jboss-server-migration-wildfly9.0-to-eap7.2-1.3.1-10.Final_redhat_00011.1.el8eap.noarch.rpm eap7-jboss-threads-2.3.3-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-jboss-websocket-api_1.1_spec-1.1.4-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-jbossws-common-3.2.3-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-jgroups-4.0.20-2.Final_redhat_00002.1.el8eap.noarch.rpm eap7-jgroups-azure-1.2.1-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-jgroups-kubernetes-1.0.13-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-mod_cluster-1.4.1-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-narayana-5.9.8-1.Final_redhat_00002.1.el8eap.noarch.rpm eap7-narayana-compensations-5.9.8-1.Final_redhat_00002.1.el8eap.noarch.rpm eap7-narayana-jbosstxbridge-5.9.8-1.Final_redhat_00002.1.el8eap.noarch.rpm eap7-narayana-jbossxts-5.9.8-1.Final_redhat_00002.1.el8eap.noarch.rpm eap7-narayana-jts-idlj-5.9.8-1.Final_redhat_00002.1.el8eap.noarch.rpm eap7-narayana-jts-integration-5.9.8-1.Final_redhat_00002.1.el8eap.noarch.rpm eap7-narayana-restat-api-5.9.8-1.Final_redhat_00002.1.el8eap.noarch.rpm eap7-narayana-restat-bridge-5.9.8-1.Final_redhat_00002.1.el8eap.noarch.rpm eap7-narayana-restat-integration-5.9.8-1.Final_redhat_00002.1.el8eap.noarch.rpm eap7-narayana-restat-util-5.9.8-1.Final_redhat_00002.1.el8eap.noarch.rpm eap7-narayana-txframework-5.9.8-1.Final_redhat_00002.1.el8eap.noarch.rpm eap7-opensaml-3.3.1-1.redhat_00002.1.el8eap.noarch.rpm eap7-opensaml-core-3.3.1-1.redhat_00002.1.el8eap.noarch.rpm eap7-opensaml-profile-api-3.3.1-1.redhat_00002.1.el8eap.noarch.rpm eap7-opensaml-saml-api-3.3.1-1.redhat_00002.1.el8eap.noarch.rpm eap7-opensaml-saml-impl-3.3.1-1.redhat_00002.1.el8eap.noarch.rpm eap7-opensaml-security-api-3.3.1-1.redhat_00002.1.el8eap.noarch.rpm eap7-opensaml-security-impl-3.3.1-1.redhat_00002.1.el8eap.noarch.rpm eap7-opensaml-soap-api-3.3.1-1.redhat_00002.1.el8eap.noarch.rpm eap7-opensaml-xacml-api-3.3.1-1.redhat_00002.1.el8eap.noarch.rpm eap7-opensaml-xacml-impl-3.3.1-1.redhat_00002.1.el8eap.noarch.rpm eap7-opensaml-xacml-saml-api-3.3.1-1.redhat_00002.1.el8eap.noarch.rpm eap7-opensaml-xacml-saml-impl-3.3.1-1.redhat_00002.1.el8eap.noarch.rpm eap7-opensaml-xmlsec-api-3.3.1-1.redhat_00002.1.el8eap.noarch.rpm eap7-opensaml-xmlsec-impl-3.3.1-1.redhat_00002.1.el8eap.noarch.rpm eap7-picketbox-5.0.3-7.Final_redhat_00006.1.el8eap.noarch.rpm eap7-picketbox-infinispan-5.0.3-7.Final_redhat_00006.1.el8eap.noarch.rpm eap7-resteasy-3.6.1-9.SP8_redhat_00001.1.el8eap.noarch.rpm eap7-resteasy-atom-provider-3.6.1-9.SP8_redhat_00001.1.el8eap.noarch.rpm eap7-resteasy-cdi-3.6.1-9.SP8_redhat_00001.1.el8eap.noarch.rpm eap7-resteasy-client-3.6.1-9.SP8_redhat_00001.1.el8eap.noarch.rpm eap7-resteasy-client-microprofile-3.6.1-9.SP8_redhat_00001.1.el8eap.noarch.rpm eap7-resteasy-crypto-3.6.1-9.SP8_redhat_00001.1.el8eap.noarch.rpm eap7-resteasy-jackson-provider-3.6.1-9.SP8_redhat_00001.1.el8eap.noarch.rpm eap7-resteasy-jackson2-provider-3.6.1-9.SP8_redhat_00001.1.el8eap.noarch.rpm eap7-resteasy-jaxb-provider-3.6.1-9.SP8_redhat_00001.1.el8eap.noarch.rpm eap7-resteasy-jaxrs-3.6.1-9.SP8_redhat_00001.1.el8eap.noarch.rpm eap7-resteasy-jettison-provider-3.6.1-9.SP8_redhat_00001.1.el8eap.noarch.rpm eap7-resteasy-jose-jwt-3.6.1-9.SP8_redhat_00001.1.el8eap.noarch.rpm eap7-resteasy-jsapi-3.6.1-9.SP8_redhat_00001.1.el8eap.noarch.rpm eap7-resteasy-json-binding-provider-3.6.1-9.SP8_redhat_00001.1.el8eap.noarch.rpm eap7-resteasy-json-p-provider-3.6.1-9.SP8_redhat_00001.1.el8eap.noarch.rpm eap7-resteasy-multipart-provider-3.6.1-9.SP8_redhat_00001.1.el8eap.noarch.rpm eap7-resteasy-rxjava2-3.6.1-9.SP8_redhat_00001.1.el8eap.noarch.rpm eap7-resteasy-spring-3.6.1-9.SP8_redhat_00001.1.el8eap.noarch.rpm eap7-resteasy-validator-provider-11-3.6.1-9.SP8_redhat_00001.1.el8eap.noarch.rpm eap7-resteasy-yaml-provider-3.6.1-9.SP8_redhat_00001.1.el8eap.noarch.rpm eap7-slf4j-jboss-logmanager-1.0.4-1.GA_redhat_00001.1.el8eap.noarch.rpm eap7-smallrye-config-1.3.6-1.SP01_redhat_00001.1.el8eap.noarch.rpm eap7-smallrye-health-1.0.2-2.redhat_00002.1.el8eap.noarch.rpm eap7-undertow-2.0.30-2.SP2_redhat_00001.1.el8eap.noarch.rpm eap7-weld-cdi-2.0-api-2.0.0-4.SP1_redhat_00004.1.el8eap.noarch.rpm eap7-wildfly-7.2.8-3.GA_redhat_00002.1.el8eap.noarch.rpm eap7-wildfly-elytron-1.6.6-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-wildfly-javadocs-7.2.8-3.GA_redhat_00002.1.el8eap.noarch.rpm eap7-wildfly-modules-7.2.8-3.GA_redhat_00002.1.el8eap.noarch.rpm eap7-wildfly-naming-client-1.0.12-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-wildfly-transaction-client-1.1.10-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-ws-commons-XmlSchema-2.2.4-1.redhat_00001.1.el8eap.noarch.rpm eap7-wss4j-2.2.5-1.redhat_00001.1.el8eap.noarch.rpm eap7-wss4j-bindings-2.2.5-1.redhat_00001.1.el8eap.noarch.rpm eap7-wss4j-policy-2.2.5-1.redhat_00001.1.el8eap.noarch.rpm eap7-wss4j-ws-security-common-2.2.5-1.redhat_00001.1.el8eap.noarch.rpm eap7-wss4j-ws-security-dom-2.2.5-1.redhat_00001.1.el8eap.noarch.rpm eap7-wss4j-ws-security-policy-stax-2.2.5-1.redhat_00001.1.el8eap.noarch.rpm eap7-wss4j-ws-security-stax-2.2.5-1.redhat_00001.1.el8eap.noarch.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 8. References: https://access.redhat.com/security/cve/CVE-2019-10172 https://access.redhat.com/security/cve/CVE-2019-12423 https://access.redhat.com/security/cve/CVE-2019-17573 https://access.redhat.com/security/cve/CVE-2020-1719 https://access.redhat.com/security/cve/CVE-2020-1729 https://access.redhat.com/security/cve/CVE-2020-1732 https://access.redhat.com/security/cve/CVE-2020-1745 https://access.redhat.com/security/cve/CVE-2020-1757 https://access.redhat.com/security/cve/CVE-2020-7226 https://access.redhat.com/security/cve/CVE-2020-10705 https://access.redhat.com/security/cve/CVE-2020-10719 https://access.redhat.com/security/updates/classification/#important https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.2/ https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.2/html-single/installation_guide/ 9. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2020 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBXrmzftzjgjWX9erEAQglcA//Ul/o5e7Mh00T3ifNtXxk1EzSfiBf1Jqd xsCTDD3V59LFnDA2OoZsgNKtldqmuzer4xvpZqttDXCIXfOIPah1I7/0CDwVqkFL WmUl/pVixbszSVsVn900GNuN2GdIUDK3Dz9VV7Jv85lQ8XxjNG7iXc1K3hlygMPw BTurUxgVXej/diQh8tzqVrBRYZy8juym8+VBHOro0FX7Rg64yxsWVQXYCAj9wctG I5LOWpAjpeMkbnTI5L/BtWOOL6+Hq/yoJmWn78pI39xlB+m8d1kJ2gKpd4jC5ElP mr9Idpnj6auhcKEcoBdbCJvYf+s5oibisHi343splQxFgyuYh92ppN4eo4BeXutc NdJ4hU9vabbMSI+UQtPO8DIhfRlcEmK4syjcOM/swol5NcZF1GUySxVwtjqXybYV x4wjWrZybuQAqhRQU5H78c4xaUpkS4a3ndmyMffhNonZSEuX303gbFSi6FvUqWKg 9LfRORGhPipk7VZ/hory/w+HHpsWO4zBS6I9lpABZAU0Tz4eEtj5P+x4ij5dSHlI R+tbl+jMQHuncvRbm7uLiVdh83HRMN+dvuYv9WRROcziukx78t/yMoh7RDEgXmvn pq+UWOPCh/5Q5iKkAIcyY8pESYaMwA1qdtCvlaxIyV2rT2B+x8DLuSy+uVzbHVoV zWfxpJtlx0M=+71R -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://www.redhat.com/mailman/listinfo/rhsa-announce
VAR-202005-0694 CVE-2020-3255 Cisco Firepower Threat Defense Software exhaustion vulnerabilities CVSS V2: 5.0
CVSS V3: 7.5
Severity: HIGH
A vulnerability in the packet processing functionality of Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. The vulnerability is due to inefficient memory management. An attacker could exploit this vulnerability by sending a high rate of IPv4 or IPv6 traffic through an affected device. This traffic would need to match a configured block action in an access control policy. An exploit could allow the attacker to cause a memory exhaustion condition on the affected device, which would result in a DoS for traffic transiting the device, as well as sluggish performance of the management interface. Once the flood is stopped, performance should return to previous states
VAR-202005-0688 CVE-2020-3191 Cisco Adaptive Security Appliance software and Firepower Threat Defense Input verification vulnerabilities in software CVSS V2: 5.0
CVSS V3: 8.6
Severity: HIGH
A vulnerability in DNS over IPv6 packet processing for Cisco Adaptive Security Appliance (ASA) Software and Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to cause the device to unexpectedly reload, resulting in a denial of service (DoS) condition. The vulnerability is due to improper length validation of a field in an IPv6 DNS packet. An attacker could exploit this vulnerability by sending a crafted DNS query over IPv6, which traverses the affected device. An exploit could allow the attacker to cause the device to reload, resulting in a DoS condition. This vulnerability is specific to DNS over IPv6 traffic only. The platform provides features such as highly secure access to data and network resources
VAR-202005-0704 CVE-2020-3303 Cisco Adaptive Security Appliance and Cisco Firepower Threat Defense Software exhaustion vulnerabilities CVSS V2: 7.8
CVSS V3: 7.5
Severity: HIGH
A vulnerability in the Internet Key Exchange version 1 (IKEv1) feature of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition. The vulnerability is due to improper management of system memory. An attacker could exploit this vulnerability by sending malicious IKEv1 traffic to an affected device. A successful exploit could allow the attacker to cause a DoS condition on the affected device. The platform provides features such as highly secure access to data and network resources. The IKEv1 function in Cisco ASA and FTD has a resource management error vulnerability, which is caused by the program not properly managing system memory. The following products and versions are affected: Cisco ASA 9.5 and earlier, 9.6, 9.7, 9.8, 9.9, 9.10, 9.12; FTD 6.1.0 and earlier, 6.2.0, 6.2.1, Version 6.2.2, Version 6.2.3, Version 6.3.0, Version 6.4.0
VAR-202005-0693 CVE-2020-3254 Cisco Adaptive Security Appliance and Cisco Firepower Threat Defense Software exhaustion vulnerabilities CVSS V2: 7.8
CVSS V3: 7.5
Severity: HIGH
Multiple vulnerabilities in the Media Gateway Control Protocol (MGCP) inspection feature of Cisco Adaptive Security Appliance (ASA) Software and Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. The vulnerabilities are due to inefficient memory management. An attacker could exploit these vulnerabilities by sending crafted MGCP packets through an affected device. An exploit could allow the attacker to cause memory exhaustion resulting in a restart of an affected device, causing a DoS condition for traffic traversing the device. The platform provides features such as highly secure access to data and network resources
VAR-202005-0686 CVE-2020-3188 Cisco Firepower Threat Defense Input verification vulnerabilities in software CVSS V2: 5.0
CVSS V3: 5.3
Severity: MEDIUM
A vulnerability in how Cisco Firepower Threat Defense (FTD) Software handles session timeouts for management connections could allow an unauthenticated, remote attacker to cause a buildup of remote management connections to an affected device, which could result in a denial of service (DoS) condition. The vulnerability exists because the default session timeout period for specific to-the-box remote management connections is too long. An attacker could exploit this vulnerability by sending a large and sustained number of crafted remote management connections to an affected device, resulting in a buildup of those connections over time. A successful exploit could allow the attacker to cause the remote management interface or Cisco Firepower Device Manager (FDM) to stop responding and cause other management functions to go offline, resulting in a DoS condition. The user traffic that is flowing through the device would not be affected, and the DoS condition would be isolated to remote management only. Cisco Firepower Threat Defense (FTD) The software contains an input verification vulnerability.Service operation interruption (DoS) It may be put into a state
VAR-202005-0689 CVE-2020-3195 Cisco Adaptive Security Appliance Software and Cisco Firepower Threat Defense Software exhaustion vulnerabilities CVSS V2: 5.0
CVSS V3: 7.5
Severity: HIGH
A vulnerability in the Open Shortest Path First (OSPF) implementation in Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to cause a memory leak on an affected device. The vulnerability is due to incorrect processing of certain OSPF packets. An attacker could exploit this vulnerability by sending a series of crafted OSPF packets to be processed by an affected device. A successful exploit could allow the attacker to continuously consume memory on an affected device and eventually cause it to reload, resulting in a denial of service (DoS) condition. The platform provides features such as highly secure access to data and network resources