VARIoT IoT vulnerabilities database
| VAR-202005-0845 | CVE-2020-9475 | S. Siedle & Soehne SG 150-0 Smart Gateway Vulnerability related to authority management in |
CVSS V2: 6.9 CVSS V3: 7.0 Severity: HIGH |
The S. Siedle & Soehne SG 150-0 Smart Gateway before 1.2.4 allows local privilege escalation via a race condition in logrotate. By using an exploit chain, an attacker with access to the network can get root access on the gateway. (DoS) It may be put into a state. Siedle & Soehne SG 150-0 Smart Gateway is a home smart gateway product of S. Siedle & Soehne in Germany
| VAR-202005-0002 | CVE-2012-0953 | Nvidia Race condition vulnerabilities in graphics |
CVSS V2: 4.4 CVSS V3: 5.0 Severity: MEDIUM |
A race condition was discovered in the Linux drivers for Nvidia graphics which allowed an attacker to exfiltrate kernel memory to userspace. This issue was fixed in version 295.53. (DoS) It may be put into a state
| VAR-202005-0001 | CVE-2012-0952 | Nvidia Graphics card Out-of-bounds write vulnerability in |
CVSS V2: 4.4 CVSS V3: 5.0 Severity: MEDIUM |
A heap buffer overflow was discovered in the device control ioctl in the Linux driver for Nvidia graphics cards, which may allow an attacker to overflow 49 bytes. This issue was fixed in version 295.53. Nvidia A graphics card contains an out-of-bounds write vulnerability.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be put into a state
| VAR-202005-0417 | CVE-2020-12679 | Mitel ShoreTel Conference Web Application Cross-site scripting vulnerability in |
CVSS V2: 4.3 CVSS V3: 6.1 Severity: MEDIUM |
A reflected cross-site scripting (XSS) vulnerability in the Mitel ShoreTel Conference Web Application 19.50.1000.0 before MiVoice Connect 18.7 SP2 allows remote attackers to inject arbitrary JavaScript and HTML via the PATH_INFO to home.php. Mitel ShoreTel Conference Web Application Exists in a cross-site scripting vulnerability.Information may be obtained and tampered with
| VAR-202005-0427 | CVE-2020-12719 | plural WSO2 In the product XML External entity vulnerabilities |
CVSS V2: 6.5 CVSS V3: 7.2 Severity: HIGH |
XXE during an EventPublisher update can occur in Management Console in WSO2 API Manager 3.0.0 and earlier, API Manager Analytics 2.5.0 and earlier, API Microgateway 2.2.0, Enterprise Integrator 6.4.0 and earlier, IS as Key Manager 5.9.0 and earlier, Identity Server 5.9.0 and earlier, and Identity Server Analytics 5.6.0 and earlier. plural WSO2 The product has XML There is a vulnerability in an external entity.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be put into a state. WSO2 API Manager, etc. are all products of the American WSO2 company. WSO2 API Manager is a set of API lifecycle management solutions. WSO2 Identity Server (IS) is an identity authentication server. WSO2 Enterprise Integrator is an open source hybrid integration platform. A security vulnerability exists in several WSO2 products. Attackers can exploit this vulnerability to obtain local files, cause denial of service, forge server-side requests, scan ports, or cause other damage
| VAR-202005-0224 | CVE-2020-10176 | ASSA ABLOY Yale WIPC-301W On the device OS Command injection vulnerabilities |
CVSS V2: 10.0 CVSS V3: 9.8 Severity: CRITICAL |
ASSA ABLOY Yale WIPC-301W 2.x.2.29 through 2.x.2.43_p1 devices allow Eval Injection of commands. ASSA ABLOY Yale WIPC-301W On the device OS A command injection vulnerability exists.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be put into a state. ASSA ABLOY Yale WIPC-301W is a home network camera of ASSA ABLO Group in Sweden.
There are security vulnerabilities in ASSA ABLOY Yale WIPC-301W version 2.x.2.29 to 2.x.2.43_p1. Attackers can use this vulnerability to inject commands
| VAR-202005-0100 | CVE-2020-10794 | Gira TKS-IP-Gateway Past Traversal Vulnerability in |
CVSS V2: 5.0 CVSS V3: 9.8 Severity: CRITICAL |
Gira TKS-IP-Gateway 4.0.7.7 is vulnerable to unauthenticated path traversal that allows an attacker to download the application database. This can be combined with CVE-2020-10795 for remote root access. Gira TKS-IP-Gateway Exists in a past traversal vulnerability.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be put into a state
| VAR-202005-0101 | CVE-2020-10795 | Gira TKS-IP-Gateway operating system command injection vulnerability |
CVSS V2: 9.0 CVSS V3: 7.2 Severity: HIGH |
Gira TKS-IP-Gateway 4.0.7.7 is vulnerable to authenticated remote code execution via the backup functionality of the web frontend. This can be combined with CVE-2020-10794 for remote root access. Gira TKS-IP-Gateway To OS A command injection vulnerability exists.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be put into a state. Gira TKS-IP-Gateway is a network communication gateway product of German Gira company.
There is a security hole in Gira TKS-IP-Gateway version 4.0.7.7
| VAR-202005-0095 | CVE-2020-10973 | Wavlink WL-WN530HG4 Inadequate protection of credentials on devices |
CVSS V2: 5.0 CVSS V3: 7.5 Severity: HIGH |
An issue was discovered in Wavlink WN530HG4, Wavlink WN531G3, Wavlink WN533A8, and Wavlink WN551K1 affecting /cgi-bin/ExportAllSettings.sh where a crafted POST request returns the current configuration of the device, including the administrator password. No authentication is required. The attacker must perform a decryption step, but all decryption information is readily available. Wavlink WL-WN530HG4 Devices contain vulnerabilities in insufficient protection of credentials.Information may be obtained
| VAR-202005-0093 | CVE-2020-10971 | plural Wavlink Input verification vulnerabilities on devices |
CVSS V2: 9.3 CVSS V3: 8.8 Severity: HIGH |
An issue was discovered on Wavlink Jetstream devices where a crafted POST request can be sent to adm.cgi that will result in the execution of the supplied command if there is an active session at the same time. The POST request itself is not validated to ensure it came from the active session. Affected devices are: Wavlink WN530HG4, Wavlink WN575A3, Wavlink WN579G3,Wavlink WN531G3, Wavlink WN533A8, Wavlink WN531A6, Wavlink WN551K1, Wavlink WN535G3, Wavlink WN530H4, Wavlink WN57X93, WN572HG3, Wavlink WN578A2, Wavlink WN579G3, Wavlink WN579X3, and Jetstream AC3000/ERAC3000. Wavlink WL-WN579G3 , WL-WN575A3 , WL-WN530HG4b The device contains an input verification vulnerability.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be put into a state. An issue exists on Wavlink WL-WN579G3 M79X3.V5030.180719, WL-WN575A3 RPT75A3.V4300.180801, and WL-WN530HG4 M30HG4.V5030.191116 devices
| VAR-202005-0094 | CVE-2020-10972 | Wavlink WL-WN530HG4 Inadequate protection of credentials on devices |
CVSS V2: 5.0 CVSS V3: 7.5 Severity: HIGH |
An issue was discovered where a page is exposed that has the current administrator password in cleartext in the source code of the page. No authentication is required in order to reach the page (a certain live_?.shtml page with the variable syspasswd). Affected Devices: Wavlink WN530HG4, Wavlink WN531G3, and Wavlink WN572HG3. Wavlink WL-WN530HG4 Devices contain vulnerabilities in insufficient protection of credentials.Information may be obtained
| VAR-202005-0990 | CVE-2020-5895 | NGINX Controller Vulnerability in |
CVSS V2: 4.6 CVSS V3: 7.8 Severity: HIGH |
On NGINX Controller versions 3.1.0-3.3.0, AVRD uses world-readable and world-writable permissions on its socket, which allows processes or users on the local system to write arbitrary data into the socket. A local system attacker can make AVRD segmentation fault (SIGSEGV) by writing malformed messages to the socket. NGINX Controller There is an unspecified vulnerability in.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be put into a state. F5 NGINX Controller is a centralized monitoring and management platform for NGINX from F5 Corporation in the United States. The platform supports managing multiple NGINX instances using a visual interface. A security vulnerability exists in the F5 NGINX Controller version 3.1.0 to 3.3.0 due to AVRD setting its sockets to be world readable and writable
| VAR-202005-0989 | CVE-2020-5894 | NGINX Controller Session fixation vulnerability in |
CVSS V2: 5.8 CVSS V3: 8.1 Severity: HIGH |
On versions 3.0.0-3.3.0, the NGINX Controller webserver does not invalidate the server-side session token after users log out. NGINX Controller There is a session fixation vulnerability in.Information may be obtained and tampered with. F5 NGINX Controller is a centralized monitoring and management platform for NGINX from F5 Corporation in the United States. The platform supports managing multiple NGINX instances using a visual interface. A remote attacker could exploit this vulnerability to gain unauthorized access to other user sessions
| VAR-202005-0022 | CVE-2020-10719 | Undertow In HTTP Request Smagling Vulnerability |
CVSS V2: 6.4 CVSS V3: 6.5 Severity: MEDIUM |
A flaw was found in Undertow in versions before 2.1.1.Final, regarding the processing of invalid HTTP requests with large chunk sizes. This flaw allows an attacker to take advantage of HTTP request smuggling. Undertow To HTTP There is a vulnerability related to Request Smagling.Information may be obtained and tampered with. Red Hat Undertow is a Java-based embedded Web server of American Red Hat (Red Hat) Company and the default Web server of Wildfly (Java Application Server).
Red Hat Undertow 2.1.1.Final version has an environmental problem vulnerability.
The purpose of this text-only errata is to inform you about the security
issues fixed in this release.
Security Fix(es):
* hawtio-osgi (CVE-2017-5645)
* prometheus-jmx-exporter: snakeyaml (CVE-2017-18640)
* apache-commons-compress (CVE-2019-12402)
* karaf-transaction-manager-narayana: netty (CVE-2019-16869,
CVE-2019-20445)
* tomcat (CVE-2020-1935, CVE-2020-1938, CVE-2020-9484, CVE-2020-13934,
CVE-2020-13935, CVE-2020-11996)
* spring-cloud-config-server (CVE-2020-5410)
* velocity (CVE-2020-13936)
* httpclient: apache-httpclient (CVE-2020-13956)
* shiro-core: shiro (CVE-2020-17510)
* hibernate-core (CVE-2020-25638)
* wildfly-openssl (CVE-2020-25644)
* jetty (CVE-2020-27216, CVE-2021-28165)
* bouncycastle (CVE-2020-28052)
* wildfly (CVE-2019-14887, CVE-2020-25640)
* resteasy-jaxrs: resteasy (CVE-2020-1695)
* camel-olingo4 (CVE-2020-1925)
* springframework (CVE-2020-5421)
* jsf-impl: Mojarra (CVE-2020-6950)
* resteasy (CVE-2020-10688)
* hibernate-validator (CVE-2020-10693)
* wildfly-elytron (CVE-2020-10714)
* undertow (CVE-2020-10719)
* activemq (CVE-2020-13920)
* cxf-core: cxf (CVE-2020-13954)
* fuse-apicurito-operator-container: golang.org/x/text (CVE-2020-14040)
* jboss-ejb-client: wildfly (CVE-2020-14297)
* xercesimpl: wildfly (CVE-2020-14338)
* xnio (CVE-2020-14340)
* flink: apache-flink (CVE-2020-17518)
* resteasy-client (CVE-2020-25633)
* xstream (CVE-2020-26258)
* mybatis (CVE-2020-26945)
* pdfbox (CVE-2021-27807, CVE-2021-27906)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
Installation instructions are available from the Fuse 7.9.0 product
documentation page:
https://access.redhat.com/documentation/en-us/red_hat_fuse/7.9/
4.
The References section of this erratum contains a download link (you must
log in to download the update).
The JBoss server process must be restarted for the update to take effect. Summary:
This is a security update for JBoss EAP Continuous Delivery 20. Description:
Red Hat Single Sign-On 7.4 is a standalone server, based on the Keycloak
project, that provides authentication and standards-based single sign-on
capabilities for web and mobile applications. Bugs fixed (https://bugzilla.redhat.com/):
1705975 - CVE-2020-1714 keycloak: Lack of checks in ObjectInputStream leading to Remote Code Execution
1790759 - CVE-2020-1694 keycloak: verify-token-audience support is missing in the NodeJS adapter
1816330 - CVE-2020-8840 jackson-databind: Lacks certain xbean-reflect/JNDI blocking
1816332 - CVE-2020-9546 jackson-databind: Serialization gadgets in shaded-hikari-config
1816337 - CVE-2020-9547 jackson-databind: Serialization gadgets in ibatis-sqlmap
1816340 - CVE-2020-9548 jackson-databind: Serialization gadgets in anteros-core
1828406 - CVE-2020-11022 jquery: Cross-site scripting due to improper injQuery.htmlPrefilter method
1828459 - CVE-2020-10719 undertow: invalid HTTP request with large chunk size
1836786 - CVE-2020-10748 keycloak: top-level navigations to data URLs resulting in XSS are possible (incomplete fix of CVE-2020-1697)
1850004 - CVE-2020-11023 jQuery: passing HTML containing <option> elements to manipulation methods could result in untrusted code execution
5. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
====================================================================
Red Hat Security Advisory
Synopsis: Important: Red Hat JBoss Enterprise Application Platform 7.2.8 on RHEL 8 security update
Advisory ID: RHSA-2020:2060-01
Product: Red Hat JBoss Enterprise Application Platform
Advisory URL: https://access.redhat.com/errata/RHSA-2020:2060
Issue date: 2020-05-11
CVE Names: CVE-2019-10172 CVE-2019-12423 CVE-2019-17573
CVE-2020-1719 CVE-2020-1729 CVE-2020-1732
CVE-2020-1745 CVE-2020-1757 CVE-2020-7226
CVE-2020-10705 CVE-2020-10719
====================================================================
1.
Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.
2. Relevant releases/architectures:
Red Hat JBoss EAP 7.2 for RHEL 8 - noarch
3. Description:
This release of Red Hat JBoss Enterprise Application Platform 7.2.8 serves
as a replacement for Red Hat JBoss Enterprise Application Platform 7.2.7,
and includes bug fixes and enhancements. See the Red Hat JBoss Enterprise
Application Platform 7.2.8 Release Notes for information about the most
significant bug fixes and enhancements included in this release.
Security Fix(es):
* cxf: reflected XSS in the services listing page (CVE-2019-17573)
* smallrye-config: SmallRye: SecuritySupport class is incorrectly public
and contains a static method to access the current threads context class
loader (CVE-2020-1729)
* jackson-databind: XML external entity similar to CVE-2016-3720
(CVE-2019-10172)
* wildfly: Soteria: security identity corruption across concurrent threads
(CVE-2020-1732)
* undertow: AJP File Read/Inclusion Vulnerability (CVE-2020-1745)
* cryptacular: excessive memory allocation during a decode operation
(CVE-2020-7226)
* cxf-core: cxf: OpenId Connect token service does not properly validate
the clientId (CVE-2019-12423)
* undertow: servletPath in normalized incorrectly leading to dangerous
application mapping which could result in security bypass (CVE-2020-1757)
* wildfly: EJBContext principal is not popped back after invoking another
EJB using a different Security Domain (CVE-2020-1719)
* undertow: invalid HTTP request with large chunk size (CVE-2020-10719)
* undertow: Memory exhaustion issue in HttpReadListener via "Expect:
100-continue" header (CVE-2020-10705)
For more details about the security issue(s), including the impact, a CVSS
score, and other related information, see the CVE page(s) listed in the
References section.
4. Solution:
Before applying this update, make sure all previously released errata
relevant to your system have been applied.
For details about how to apply this update, see:
https://access.redhat.com/articles/11258
5. Bugs fixed (https://bugzilla.redhat.com/):
1715075 - CVE-2019-10172 jackson-mapper-asl: XML external entity similar to CVE-2016-3720
1752770 - CVE-2020-1757 undertow: servletPath is normalized incorrectly leading to dangerous application mapping which could result in security bypass
1796617 - CVE-2020-1719 Wildfly: EJBContext principal is not popped back after invoking another EJB using a different Security Domain
1797006 - CVE-2019-12423 cxf: OpenId Connect token service does not properly validate the clientId
1797011 - CVE-2019-17573 cxf: reflected XSS in the services listing page
1801380 - CVE-2020-7226 cryptacular: excessive memory allocation during a decode operation
1801726 - CVE-2020-1732 Soteria: security identity corruption across concurrent threads
1802444 - CVE-2020-1729 SmallRye: SecuritySupport class is incorrectly public and contains a static method to access the current threads context class loader
1803241 - CVE-2020-10705 undertow: Memory exhaustion issue in HttpReadListener via "Expect: 100-continue" header
1807305 - CVE-2020-1745 undertow: AJP File Read/Inclusion Vulnerability
1828459 - CVE-2020-10719 undertow: invalid HTTP request with large chunk size
6. JIRA issues fixed (https://issues.jboss.org/):
JBEAP-18071 - [GSS](7.2.z) Upgrade RESTEasy from 3.6.1.SP7 to 3.6.1.SP8
JBEAP-18267 - [GSS] (7.2.z) Upgrade Undertow from 2.0.28.SP1-redhat-00001 to 2.0.30.SP1-redhat-00001
JBEAP-18278 - [GSS](7.2.z) Upgrade JBoss JSF API from 2.3.5.SP2-redhat-00001 to 2.3.5.SP2-redhat-00003
JBEAP-18423 - [GSS](7.2.z) Upgrade JSF based on Mojarra 2.3.5.SP3-redhat-00005 to 2.3.5.SP3-redhat-00008
JBEAP-18438 - (7.2.z) Upgrade jboss-ejb-client from 4.0.28.Final to 4.0.31.Final
JBEAP-18503 - (7.2.z) Upgrade WildFly Naming Client from 1.0.10.Final to 1.0.12.Final
JBEAP-18506 - [GSS](7.2.z) Upgrade HAL from 3.0.20.Final to 3.0.21.Final
JBEAP-18536 - [GSS](7.2.z) Upgrade Bouncycastle from 1.60.0-redhat-00001 to 1.60.0-redhat-00002
JBEAP-18595 - [GSS](7.2.z) Upgrade JBoss Modules from 1.8.8 to 1.8.9
JBEAP-18616 - [Runtimes] (7.2.z) Update components in line with EAP 7.3 stream
JBEAP-18628 - [Runtimes] (7.2.x) Upgrade EAP components to latest Runtimes supported version
JBEAP-18631 - [Runtimes] (7.2.x) WFCORE - Upgrade components to latest versions from EAP 7.3
JBEAP-18639 - [Runtimes] (7.2.x) Upgrade slf4j-jboss-logmanager from 1.0.3.GA.redhat-2 to 1.0.4.GA.redhat-00001
JBEAP-18646 - [GSS](7.2.z) Upgrade Artemis from 2.9.0.redhat-00009 to 2.9.0.redhat-00010
JBEAP-18652 - (7.2.z) Upgrade Apache CXF from 3.2.11.redhat-00001 to 3.2.12.redhat-00001
JBEAP-18664 - [GSS](7.2.z) Upgrade javax.el-impl from 3.0.1.b08-redhat-00003 to 3.0.1.b08-redhat-00004
JBEAP-18724 - (7.2.z) Upgrade Soteria to 1.0.0-redhat-00002
JBEAP-18729 - [GSS](7.2.z) Upgrade wildfly-transaction-client from 1.1.9.Final-redhat-00001 to 1.1.10.Final-redhat-00001
JBEAP-18787 - (7.2.z) Upgrade wss4j from 2.2.2.redhat-00002 to 2.2.5.redhat-00001
JBEAP-18789 - (7.2.z) Upgrade cryptacular from 1.2.0.redhat-1 to 1.2.4.redhat-00001
JBEAP-18817 - (7.2.z) Upgrade PicketBox from 5.0.3.Final-redhat-00005 to 5.0.3.Final-redhat-00006
JBEAP-18827 - [GSS](7.2.z) Upgrade JBoss Remoting from 5.0.17-redhat-00001 to 5.0.18-redhat-00001
JBEAP-18835 - [GSS](7.2.z) Upgrade Remoting JMX from 3.0.3 to 3.0.4
JBEAP-18885 - Tracker bug for the EAP 7.2.8 release for RHEL-6
JBEAP-18887 - Tracker bug for the EAP 7.2.8 release for RHEL-8
JBEAP-18931 - [GSS](7.2.z) Upgrade WildFly Elytron from 1.6.5.Final-redhat-00001 to 1.6.6.Final-redhat-00001
JBEAP-18988 - (7.2.z) Upgrade jasypt from 1.9.2 to 1.9.3
JBEAP-18989 - (7.2.z) Upgrade opensaml from 3.3.0.redhat-1 to 3.3.1-redhat-00002
JBEAP-19233 - (7.2.z) Upgrade undertow from 2.0.30.SP1-redhat-00001 to 2.0.30.SP2-redhat-00001
JBEAP-19234 - (7.2.z) Upgrade WildFly Core from 6.0.26.Final-redhat-00001 to 6.0.27.Final-redhat-00001
7. Package List:
Red Hat JBoss EAP 7.2 for RHEL 8:
Source:
eap7-activemq-artemis-2.9.0-4.redhat_00010.1.el8eap.src.rpm
eap7-apache-cxf-3.2.12-1.redhat_00001.1.el8eap.src.rpm
eap7-bouncycastle-1.60.0-2.redhat_00002.1.el8eap.src.rpm
eap7-codehaus-jackson-1.9.13-10.redhat_00007.1.el8eap.src.rpm
eap7-cryptacular-1.2.4-1.redhat_00001.1.el8eap.src.rpm
eap7-glassfish-el-3.0.1-5.b08_redhat_00004.1.el8eap.src.rpm
eap7-glassfish-javamail-1.6.2-2.redhat_00001.1.el8eap.src.rpm
eap7-glassfish-jsf-2.3.5-10.SP3_redhat_00008.1.el8eap.src.rpm
eap7-hal-console-3.0.21-1.Final_redhat_00001.1.el8eap.src.rpm
eap7-hibernate-commons-annotations-5.0.5-1.Final_redhat_00002.1.el8eap.src.rpm
eap7-hibernate-search-5.10.7-1.Final_redhat_00001.1.el8eap.src.rpm
eap7-httpcomponents-client-4.5.4-1.redhat_00001.1.el8eap.src.rpm
eap7-httpcomponents-core-4.4.5-1.redhat_00001.1.el8eap.src.rpm
eap7-jackson-databind-2.9.10.2-2.redhat_00002.1.el8eap.src.rpm
eap7-jasypt-1.9.3-1.redhat_00001.1.el8eap.src.rpm
eap7-javaee-security-soteria-1.0.0-3.redhat_00002.1.el8eap.src.rpm
eap7-jaxbintros-1.0.3-1.GA_redhat_00001.1.el8eap.src.rpm
eap7-jboss-batch-api_1.0_spec-1.0.2-1.Final_redhat_00001.1.el8eap.src.rpm
eap7-jboss-classfilewriter-1.2.4-1.Final_redhat_00001.1.el8eap.src.rpm
eap7-jboss-common-beans-2.0.1-1.Final_redhat_00001.1.el8eap.src.rpm
eap7-jboss-ejb-api_3.2_spec-1.0.2-1.Final_redhat_00001.1.el8eap.src.rpm
eap7-jboss-ejb-client-4.0.31-1.Final_redhat_00001.1.el8eap.src.rpm
eap7-jboss-invocation-1.5.2-1.Final_redhat_00001.1.el8eap.src.rpm
eap7-jboss-jsf-api_2.3_spec-2.3.5-5.SP2_redhat_00003.1.el8eap.src.rpm
eap7-jboss-modules-1.8.9-1.Final_redhat_00001.1.el8eap.src.rpm
eap7-jboss-openjdk-orb-8.1.4-3.Final_redhat_00002.1.el8eap.src.rpm
eap7-jboss-remoting-5.0.18-1.Final_redhat_00001.1.el8eap.src.rpm
eap7-jboss-remoting-jmx-3.0.4-1.Final_redhat_00001.1.el8eap.src.rpm
eap7-jboss-security-negotiation-3.0.6-1.Final_redhat_00001.1.el8eap.src.rpm
eap7-jboss-server-migration-1.3.1-10.Final_redhat_00011.1.el8eap.src.rpm
eap7-jboss-threads-2.3.3-1.Final_redhat_00001.1.el8eap.src.rpm
eap7-jboss-websocket-api_1.1_spec-1.1.4-1.Final_redhat_00001.1.el8eap.src.rpm
eap7-jbossws-common-3.2.3-1.Final_redhat_00001.1.el8eap.src.rpm
eap7-jgroups-4.0.20-2.Final_redhat_00002.1.el8eap.src.rpm
eap7-jgroups-azure-1.2.1-1.Final_redhat_00001.1.el8eap.src.rpm
eap7-jgroups-kubernetes-1.0.13-1.Final_redhat_00001.1.el8eap.src.rpm
eap7-mod_cluster-1.4.1-1.Final_redhat_00001.1.el8eap.src.rpm
eap7-narayana-5.9.8-1.Final_redhat_00002.1.el8eap.src.rpm
eap7-opensaml-3.3.1-1.redhat_00002.1.el8eap.src.rpm
eap7-picketbox-5.0.3-7.Final_redhat_00006.1.el8eap.src.rpm
eap7-resteasy-3.6.1-9.SP8_redhat_00001.1.el8eap.src.rpm
eap7-slf4j-jboss-logmanager-1.0.4-1.GA_redhat_00001.1.el8eap.src.rpm
eap7-smallrye-config-1.3.6-1.SP01_redhat_00001.1.el8eap.src.rpm
eap7-smallrye-health-1.0.2-2.redhat_00002.1.el8eap.src.rpm
eap7-undertow-2.0.30-2.SP2_redhat_00001.1.el8eap.src.rpm
eap7-weld-cdi-2.0-api-2.0.0-4.SP1_redhat_00004.1.el8eap.src.rpm
eap7-wildfly-7.2.8-3.GA_redhat_00002.1.el8eap.src.rpm
eap7-wildfly-elytron-1.6.6-1.Final_redhat_00001.1.el8eap.src.rpm
eap7-wildfly-naming-client-1.0.12-1.Final_redhat_00001.1.el8eap.src.rpm
eap7-wildfly-transaction-client-1.1.10-1.Final_redhat_00001.1.el8eap.src.rpm
eap7-ws-commons-XmlSchema-2.2.4-1.redhat_00001.1.el8eap.src.rpm
eap7-wss4j-2.2.5-1.redhat_00001.1.el8eap.src.rpm
noarch:
eap7-activemq-artemis-2.9.0-4.redhat_00010.1.el8eap.noarch.rpm
eap7-activemq-artemis-cli-2.9.0-4.redhat_00010.1.el8eap.noarch.rpm
eap7-activemq-artemis-commons-2.9.0-4.redhat_00010.1.el8eap.noarch.rpm
eap7-activemq-artemis-core-client-2.9.0-4.redhat_00010.1.el8eap.noarch.rpm
eap7-activemq-artemis-dto-2.9.0-4.redhat_00010.1.el8eap.noarch.rpm
eap7-activemq-artemis-hornetq-protocol-2.9.0-4.redhat_00010.1.el8eap.noarch.rpm
eap7-activemq-artemis-hqclient-protocol-2.9.0-4.redhat_00010.1.el8eap.noarch.rpm
eap7-activemq-artemis-jdbc-store-2.9.0-4.redhat_00010.1.el8eap.noarch.rpm
eap7-activemq-artemis-jms-client-2.9.0-4.redhat_00010.1.el8eap.noarch.rpm
eap7-activemq-artemis-jms-server-2.9.0-4.redhat_00010.1.el8eap.noarch.rpm
eap7-activemq-artemis-journal-2.9.0-4.redhat_00010.1.el8eap.noarch.rpm
eap7-activemq-artemis-ra-2.9.0-4.redhat_00010.1.el8eap.noarch.rpm
eap7-activemq-artemis-selector-2.9.0-4.redhat_00010.1.el8eap.noarch.rpm
eap7-activemq-artemis-server-2.9.0-4.redhat_00010.1.el8eap.noarch.rpm
eap7-activemq-artemis-service-extensions-2.9.0-4.redhat_00010.1.el8eap.noarch.rpm
eap7-activemq-artemis-tools-2.9.0-4.redhat_00010.1.el8eap.noarch.rpm
eap7-apache-cxf-3.2.12-1.redhat_00001.1.el8eap.noarch.rpm
eap7-apache-cxf-rt-3.2.12-1.redhat_00001.1.el8eap.noarch.rpm
eap7-apache-cxf-services-3.2.12-1.redhat_00001.1.el8eap.noarch.rpm
eap7-apache-cxf-tools-3.2.12-1.redhat_00001.1.el8eap.noarch.rpm
eap7-bouncycastle-1.60.0-2.redhat_00002.1.el8eap.noarch.rpm
eap7-bouncycastle-mail-1.60.0-2.redhat_00002.1.el8eap.noarch.rpm
eap7-bouncycastle-pkix-1.60.0-2.redhat_00002.1.el8eap.noarch.rpm
eap7-bouncycastle-prov-1.60.0-2.redhat_00002.1.el8eap.noarch.rpm
eap7-codehaus-jackson-1.9.13-10.redhat_00007.1.el8eap.noarch.rpm
eap7-codehaus-jackson-core-asl-1.9.13-10.redhat_00007.1.el8eap.noarch.rpm
eap7-codehaus-jackson-jaxrs-1.9.13-10.redhat_00007.1.el8eap.noarch.rpm
eap7-codehaus-jackson-mapper-asl-1.9.13-10.redhat_00007.1.el8eap.noarch.rpm
eap7-codehaus-jackson-xc-1.9.13-10.redhat_00007.1.el8eap.noarch.rpm
eap7-cryptacular-1.2.4-1.redhat_00001.1.el8eap.noarch.rpm
eap7-glassfish-el-3.0.1-5.b08_redhat_00004.1.el8eap.noarch.rpm
eap7-glassfish-el-impl-3.0.1-5.b08_redhat_00004.1.el8eap.noarch.rpm
eap7-glassfish-javamail-1.6.2-2.redhat_00001.1.el8eap.noarch.rpm
eap7-glassfish-jsf-2.3.5-10.SP3_redhat_00008.1.el8eap.noarch.rpm
eap7-hal-console-3.0.21-1.Final_redhat_00001.1.el8eap.noarch.rpm
eap7-hibernate-commons-annotations-5.0.5-1.Final_redhat_00002.1.el8eap.noarch.rpm
eap7-hibernate-search-5.10.7-1.Final_redhat_00001.1.el8eap.noarch.rpm
eap7-hibernate-search-backend-jgroups-5.10.7-1.Final_redhat_00001.1.el8eap.noarch.rpm
eap7-hibernate-search-backend-jms-5.10.7-1.Final_redhat_00001.1.el8eap.noarch.rpm
eap7-hibernate-search-engine-5.10.7-1.Final_redhat_00001.1.el8eap.noarch.rpm
eap7-hibernate-search-orm-5.10.7-1.Final_redhat_00001.1.el8eap.noarch.rpm
eap7-hibernate-search-serialization-avro-5.10.7-1.Final_redhat_00001.1.el8eap.noarch.rpm
eap7-httpcomponents-client-4.5.4-1.redhat_00001.1.el8eap.noarch.rpm
eap7-httpcomponents-core-4.4.5-1.redhat_00001.1.el8eap.noarch.rpm
eap7-jackson-databind-2.9.10.2-2.redhat_00002.1.el8eap.noarch.rpm
eap7-jasypt-1.9.3-1.redhat_00001.1.el8eap.noarch.rpm
eap7-javaee-security-soteria-1.0.0-3.redhat_00002.1.el8eap.noarch.rpm
eap7-javaee-security-soteria-enterprise-1.0.0-3.redhat_00002.1.el8eap.noarch.rpm
eap7-jaxbintros-1.0.3-1.GA_redhat_00001.1.el8eap.noarch.rpm
eap7-jboss-batch-api_1.0_spec-1.0.2-1.Final_redhat_00001.1.el8eap.noarch.rpm
eap7-jboss-classfilewriter-1.2.4-1.Final_redhat_00001.1.el8eap.noarch.rpm
eap7-jboss-common-beans-2.0.1-1.Final_redhat_00001.1.el8eap.noarch.rpm
eap7-jboss-ejb-api_3.2_spec-1.0.2-1.Final_redhat_00001.1.el8eap.noarch.rpm
eap7-jboss-ejb-client-4.0.31-1.Final_redhat_00001.1.el8eap.noarch.rpm
eap7-jboss-invocation-1.5.2-1.Final_redhat_00001.1.el8eap.noarch.rpm
eap7-jboss-jsf-api_2.3_spec-2.3.5-5.SP2_redhat_00003.1.el8eap.noarch.rpm
eap7-jboss-modules-1.8.9-1.Final_redhat_00001.1.el8eap.noarch.rpm
eap7-jboss-openjdk-orb-8.1.4-3.Final_redhat_00002.1.el8eap.noarch.rpm
eap7-jboss-remoting-5.0.18-1.Final_redhat_00001.1.el8eap.noarch.rpm
eap7-jboss-remoting-jmx-3.0.4-1.Final_redhat_00001.1.el8eap.noarch.rpm
eap7-jboss-security-negotiation-3.0.6-1.Final_redhat_00001.1.el8eap.noarch.rpm
eap7-jboss-server-migration-1.3.1-10.Final_redhat_00011.1.el8eap.noarch.rpm
eap7-jboss-server-migration-cli-1.3.1-10.Final_redhat_00011.1.el8eap.noarch.rpm
eap7-jboss-server-migration-core-1.3.1-10.Final_redhat_00011.1.el8eap.noarch.rpm
eap7-jboss-server-migration-eap6.4-1.3.1-10.Final_redhat_00011.1.el8eap.noarch.rpm
eap7-jboss-server-migration-eap6.4-to-eap7.2-1.3.1-10.Final_redhat_00011.1.el8eap.noarch.rpm
eap7-jboss-server-migration-eap7.0-1.3.1-10.Final_redhat_00011.1.el8eap.noarch.rpm
eap7-jboss-server-migration-eap7.0-to-eap7.2-1.3.1-10.Final_redhat_00011.1.el8eap.noarch.rpm
eap7-jboss-server-migration-eap7.1-1.3.1-10.Final_redhat_00011.1.el8eap.noarch.rpm
eap7-jboss-server-migration-eap7.1-to-eap7.2-1.3.1-10.Final_redhat_00011.1.el8eap.noarch.rpm
eap7-jboss-server-migration-eap7.2-1.3.1-10.Final_redhat_00011.1.el8eap.noarch.rpm
eap7-jboss-server-migration-wildfly10.0-1.3.1-10.Final_redhat_00011.1.el8eap.noarch.rpm
eap7-jboss-server-migration-wildfly10.0-to-eap7.2-1.3.1-10.Final_redhat_00011.1.el8eap.noarch.rpm
eap7-jboss-server-migration-wildfly10.1-1.3.1-10.Final_redhat_00011.1.el8eap.noarch.rpm
eap7-jboss-server-migration-wildfly10.1-to-eap7.2-1.3.1-10.Final_redhat_00011.1.el8eap.noarch.rpm
eap7-jboss-server-migration-wildfly11.0-1.3.1-10.Final_redhat_00011.1.el8eap.noarch.rpm
eap7-jboss-server-migration-wildfly11.0-to-eap7.2-1.3.1-10.Final_redhat_00011.1.el8eap.noarch.rpm
eap7-jboss-server-migration-wildfly12.0-1.3.1-10.Final_redhat_00011.1.el8eap.noarch.rpm
eap7-jboss-server-migration-wildfly12.0-to-eap7.2-1.3.1-10.Final_redhat_00011.1.el8eap.noarch.rpm
eap7-jboss-server-migration-wildfly13.0-server-1.3.1-10.Final_redhat_00011.1.el8eap.noarch.rpm
eap7-jboss-server-migration-wildfly14.0-server-1.3.1-10.Final_redhat_00011.1.el8eap.noarch.rpm
eap7-jboss-server-migration-wildfly8.2-1.3.1-10.Final_redhat_00011.1.el8eap.noarch.rpm
eap7-jboss-server-migration-wildfly8.2-to-eap7.2-1.3.1-10.Final_redhat_00011.1.el8eap.noarch.rpm
eap7-jboss-server-migration-wildfly9.0-1.3.1-10.Final_redhat_00011.1.el8eap.noarch.rpm
eap7-jboss-server-migration-wildfly9.0-to-eap7.2-1.3.1-10.Final_redhat_00011.1.el8eap.noarch.rpm
eap7-jboss-threads-2.3.3-1.Final_redhat_00001.1.el8eap.noarch.rpm
eap7-jboss-websocket-api_1.1_spec-1.1.4-1.Final_redhat_00001.1.el8eap.noarch.rpm
eap7-jbossws-common-3.2.3-1.Final_redhat_00001.1.el8eap.noarch.rpm
eap7-jgroups-4.0.20-2.Final_redhat_00002.1.el8eap.noarch.rpm
eap7-jgroups-azure-1.2.1-1.Final_redhat_00001.1.el8eap.noarch.rpm
eap7-jgroups-kubernetes-1.0.13-1.Final_redhat_00001.1.el8eap.noarch.rpm
eap7-mod_cluster-1.4.1-1.Final_redhat_00001.1.el8eap.noarch.rpm
eap7-narayana-5.9.8-1.Final_redhat_00002.1.el8eap.noarch.rpm
eap7-narayana-compensations-5.9.8-1.Final_redhat_00002.1.el8eap.noarch.rpm
eap7-narayana-jbosstxbridge-5.9.8-1.Final_redhat_00002.1.el8eap.noarch.rpm
eap7-narayana-jbossxts-5.9.8-1.Final_redhat_00002.1.el8eap.noarch.rpm
eap7-narayana-jts-idlj-5.9.8-1.Final_redhat_00002.1.el8eap.noarch.rpm
eap7-narayana-jts-integration-5.9.8-1.Final_redhat_00002.1.el8eap.noarch.rpm
eap7-narayana-restat-api-5.9.8-1.Final_redhat_00002.1.el8eap.noarch.rpm
eap7-narayana-restat-bridge-5.9.8-1.Final_redhat_00002.1.el8eap.noarch.rpm
eap7-narayana-restat-integration-5.9.8-1.Final_redhat_00002.1.el8eap.noarch.rpm
eap7-narayana-restat-util-5.9.8-1.Final_redhat_00002.1.el8eap.noarch.rpm
eap7-narayana-txframework-5.9.8-1.Final_redhat_00002.1.el8eap.noarch.rpm
eap7-opensaml-3.3.1-1.redhat_00002.1.el8eap.noarch.rpm
eap7-opensaml-core-3.3.1-1.redhat_00002.1.el8eap.noarch.rpm
eap7-opensaml-profile-api-3.3.1-1.redhat_00002.1.el8eap.noarch.rpm
eap7-opensaml-saml-api-3.3.1-1.redhat_00002.1.el8eap.noarch.rpm
eap7-opensaml-saml-impl-3.3.1-1.redhat_00002.1.el8eap.noarch.rpm
eap7-opensaml-security-api-3.3.1-1.redhat_00002.1.el8eap.noarch.rpm
eap7-opensaml-security-impl-3.3.1-1.redhat_00002.1.el8eap.noarch.rpm
eap7-opensaml-soap-api-3.3.1-1.redhat_00002.1.el8eap.noarch.rpm
eap7-opensaml-xacml-api-3.3.1-1.redhat_00002.1.el8eap.noarch.rpm
eap7-opensaml-xacml-impl-3.3.1-1.redhat_00002.1.el8eap.noarch.rpm
eap7-opensaml-xacml-saml-api-3.3.1-1.redhat_00002.1.el8eap.noarch.rpm
eap7-opensaml-xacml-saml-impl-3.3.1-1.redhat_00002.1.el8eap.noarch.rpm
eap7-opensaml-xmlsec-api-3.3.1-1.redhat_00002.1.el8eap.noarch.rpm
eap7-opensaml-xmlsec-impl-3.3.1-1.redhat_00002.1.el8eap.noarch.rpm
eap7-picketbox-5.0.3-7.Final_redhat_00006.1.el8eap.noarch.rpm
eap7-picketbox-infinispan-5.0.3-7.Final_redhat_00006.1.el8eap.noarch.rpm
eap7-resteasy-3.6.1-9.SP8_redhat_00001.1.el8eap.noarch.rpm
eap7-resteasy-atom-provider-3.6.1-9.SP8_redhat_00001.1.el8eap.noarch.rpm
eap7-resteasy-cdi-3.6.1-9.SP8_redhat_00001.1.el8eap.noarch.rpm
eap7-resteasy-client-3.6.1-9.SP8_redhat_00001.1.el8eap.noarch.rpm
eap7-resteasy-client-microprofile-3.6.1-9.SP8_redhat_00001.1.el8eap.noarch.rpm
eap7-resteasy-crypto-3.6.1-9.SP8_redhat_00001.1.el8eap.noarch.rpm
eap7-resteasy-jackson-provider-3.6.1-9.SP8_redhat_00001.1.el8eap.noarch.rpm
eap7-resteasy-jackson2-provider-3.6.1-9.SP8_redhat_00001.1.el8eap.noarch.rpm
eap7-resteasy-jaxb-provider-3.6.1-9.SP8_redhat_00001.1.el8eap.noarch.rpm
eap7-resteasy-jaxrs-3.6.1-9.SP8_redhat_00001.1.el8eap.noarch.rpm
eap7-resteasy-jettison-provider-3.6.1-9.SP8_redhat_00001.1.el8eap.noarch.rpm
eap7-resteasy-jose-jwt-3.6.1-9.SP8_redhat_00001.1.el8eap.noarch.rpm
eap7-resteasy-jsapi-3.6.1-9.SP8_redhat_00001.1.el8eap.noarch.rpm
eap7-resteasy-json-binding-provider-3.6.1-9.SP8_redhat_00001.1.el8eap.noarch.rpm
eap7-resteasy-json-p-provider-3.6.1-9.SP8_redhat_00001.1.el8eap.noarch.rpm
eap7-resteasy-multipart-provider-3.6.1-9.SP8_redhat_00001.1.el8eap.noarch.rpm
eap7-resteasy-rxjava2-3.6.1-9.SP8_redhat_00001.1.el8eap.noarch.rpm
eap7-resteasy-spring-3.6.1-9.SP8_redhat_00001.1.el8eap.noarch.rpm
eap7-resteasy-validator-provider-11-3.6.1-9.SP8_redhat_00001.1.el8eap.noarch.rpm
eap7-resteasy-yaml-provider-3.6.1-9.SP8_redhat_00001.1.el8eap.noarch.rpm
eap7-slf4j-jboss-logmanager-1.0.4-1.GA_redhat_00001.1.el8eap.noarch.rpm
eap7-smallrye-config-1.3.6-1.SP01_redhat_00001.1.el8eap.noarch.rpm
eap7-smallrye-health-1.0.2-2.redhat_00002.1.el8eap.noarch.rpm
eap7-undertow-2.0.30-2.SP2_redhat_00001.1.el8eap.noarch.rpm
eap7-weld-cdi-2.0-api-2.0.0-4.SP1_redhat_00004.1.el8eap.noarch.rpm
eap7-wildfly-7.2.8-3.GA_redhat_00002.1.el8eap.noarch.rpm
eap7-wildfly-elytron-1.6.6-1.Final_redhat_00001.1.el8eap.noarch.rpm
eap7-wildfly-javadocs-7.2.8-3.GA_redhat_00002.1.el8eap.noarch.rpm
eap7-wildfly-modules-7.2.8-3.GA_redhat_00002.1.el8eap.noarch.rpm
eap7-wildfly-naming-client-1.0.12-1.Final_redhat_00001.1.el8eap.noarch.rpm
eap7-wildfly-transaction-client-1.1.10-1.Final_redhat_00001.1.el8eap.noarch.rpm
eap7-ws-commons-XmlSchema-2.2.4-1.redhat_00001.1.el8eap.noarch.rpm
eap7-wss4j-2.2.5-1.redhat_00001.1.el8eap.noarch.rpm
eap7-wss4j-bindings-2.2.5-1.redhat_00001.1.el8eap.noarch.rpm
eap7-wss4j-policy-2.2.5-1.redhat_00001.1.el8eap.noarch.rpm
eap7-wss4j-ws-security-common-2.2.5-1.redhat_00001.1.el8eap.noarch.rpm
eap7-wss4j-ws-security-dom-2.2.5-1.redhat_00001.1.el8eap.noarch.rpm
eap7-wss4j-ws-security-policy-stax-2.2.5-1.redhat_00001.1.el8eap.noarch.rpm
eap7-wss4j-ws-security-stax-2.2.5-1.redhat_00001.1.el8eap.noarch.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
8. References:
https://access.redhat.com/security/cve/CVE-2019-10172
https://access.redhat.com/security/cve/CVE-2019-12423
https://access.redhat.com/security/cve/CVE-2019-17573
https://access.redhat.com/security/cve/CVE-2020-1719
https://access.redhat.com/security/cve/CVE-2020-1729
https://access.redhat.com/security/cve/CVE-2020-1732
https://access.redhat.com/security/cve/CVE-2020-1745
https://access.redhat.com/security/cve/CVE-2020-1757
https://access.redhat.com/security/cve/CVE-2020-7226
https://access.redhat.com/security/cve/CVE-2020-10705
https://access.redhat.com/security/cve/CVE-2020-10719
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.2/
https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.2/html-single/installation_guide/
9. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2020 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIVAwUBXrmzftzjgjWX9erEAQglcA//Ul/o5e7Mh00T3ifNtXxk1EzSfiBf1Jqd
xsCTDD3V59LFnDA2OoZsgNKtldqmuzer4xvpZqttDXCIXfOIPah1I7/0CDwVqkFL
WmUl/pVixbszSVsVn900GNuN2GdIUDK3Dz9VV7Jv85lQ8XxjNG7iXc1K3hlygMPw
BTurUxgVXej/diQh8tzqVrBRYZy8juym8+VBHOro0FX7Rg64yxsWVQXYCAj9wctG
I5LOWpAjpeMkbnTI5L/BtWOOL6+Hq/yoJmWn78pI39xlB+m8d1kJ2gKpd4jC5ElP
mr9Idpnj6auhcKEcoBdbCJvYf+s5oibisHi343splQxFgyuYh92ppN4eo4BeXutc
NdJ4hU9vabbMSI+UQtPO8DIhfRlcEmK4syjcOM/swol5NcZF1GUySxVwtjqXybYV
x4wjWrZybuQAqhRQU5H78c4xaUpkS4a3ndmyMffhNonZSEuX303gbFSi6FvUqWKg
9LfRORGhPipk7VZ/hory/w+HHpsWO4zBS6I9lpABZAU0Tz4eEtj5P+x4ij5dSHlI
R+tbl+jMQHuncvRbm7uLiVdh83HRMN+dvuYv9WRROcziukx78t/yMoh7RDEgXmvn
pq+UWOPCh/5Q5iKkAIcyY8pESYaMwA1qdtCvlaxIyV2rT2B+x8DLuSy+uVzbHVoV
zWfxpJtlx0M=+71R
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
| VAR-202005-0694 | CVE-2020-3255 | Cisco Firepower Threat Defense Software exhaustion vulnerabilities |
CVSS V2: 5.0 CVSS V3: 7.5 Severity: HIGH |
A vulnerability in the packet processing functionality of Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. The vulnerability is due to inefficient memory management. An attacker could exploit this vulnerability by sending a high rate of IPv4 or IPv6 traffic through an affected device. This traffic would need to match a configured block action in an access control policy. An exploit could allow the attacker to cause a memory exhaustion condition on the affected device, which would result in a DoS for traffic transiting the device, as well as sluggish performance of the management interface. Once the flood is stopped, performance should return to previous states
| VAR-202005-0688 | CVE-2020-3191 | Cisco Adaptive Security Appliance software and Firepower Threat Defense Input verification vulnerabilities in software |
CVSS V2: 5.0 CVSS V3: 8.6 Severity: HIGH |
A vulnerability in DNS over IPv6 packet processing for Cisco Adaptive Security Appliance (ASA) Software and Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to cause the device to unexpectedly reload, resulting in a denial of service (DoS) condition. The vulnerability is due to improper length validation of a field in an IPv6 DNS packet. An attacker could exploit this vulnerability by sending a crafted DNS query over IPv6, which traverses the affected device. An exploit could allow the attacker to cause the device to reload, resulting in a DoS condition. This vulnerability is specific to DNS over IPv6 traffic only. The platform provides features such as highly secure access to data and network resources
| VAR-202005-0704 | CVE-2020-3303 | Cisco Adaptive Security Appliance and Cisco Firepower Threat Defense Software exhaustion vulnerabilities |
CVSS V2: 7.8 CVSS V3: 7.5 Severity: HIGH |
A vulnerability in the Internet Key Exchange version 1 (IKEv1) feature of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition. The vulnerability is due to improper management of system memory. An attacker could exploit this vulnerability by sending malicious IKEv1 traffic to an affected device. A successful exploit could allow the attacker to cause a DoS condition on the affected device. The platform provides features such as highly secure access to data and network resources. The IKEv1 function in Cisco ASA and FTD has a resource management error vulnerability, which is caused by the program not properly managing system memory. The following products and versions are affected: Cisco ASA 9.5 and earlier, 9.6, 9.7, 9.8, 9.9, 9.10, 9.12; FTD 6.1.0 and earlier, 6.2.0, 6.2.1, Version 6.2.2, Version 6.2.3, Version 6.3.0, Version 6.4.0
| VAR-202005-0693 | CVE-2020-3254 | Cisco Adaptive Security Appliance and Cisco Firepower Threat Defense Software exhaustion vulnerabilities |
CVSS V2: 7.8 CVSS V3: 7.5 Severity: HIGH |
Multiple vulnerabilities in the Media Gateway Control Protocol (MGCP) inspection feature of Cisco Adaptive Security Appliance (ASA) Software and Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. The vulnerabilities are due to inefficient memory management. An attacker could exploit these vulnerabilities by sending crafted MGCP packets through an affected device. An exploit could allow the attacker to cause memory exhaustion resulting in a restart of an affected device, causing a DoS condition for traffic traversing the device. The platform provides features such as highly secure access to data and network resources
| VAR-202005-0686 | CVE-2020-3188 | Cisco Firepower Threat Defense Input verification vulnerabilities in software |
CVSS V2: 5.0 CVSS V3: 5.3 Severity: MEDIUM |
A vulnerability in how Cisco Firepower Threat Defense (FTD) Software handles session timeouts for management connections could allow an unauthenticated, remote attacker to cause a buildup of remote management connections to an affected device, which could result in a denial of service (DoS) condition. The vulnerability exists because the default session timeout period for specific to-the-box remote management connections is too long. An attacker could exploit this vulnerability by sending a large and sustained number of crafted remote management connections to an affected device, resulting in a buildup of those connections over time. A successful exploit could allow the attacker to cause the remote management interface or Cisco Firepower Device Manager (FDM) to stop responding and cause other management functions to go offline, resulting in a DoS condition. The user traffic that is flowing through the device would not be affected, and the DoS condition would be isolated to remote management only. Cisco Firepower Threat Defense (FTD) The software contains an input verification vulnerability.Service operation interruption (DoS) It may be put into a state
| VAR-202005-0689 | CVE-2020-3195 | Cisco Adaptive Security Appliance Software and Cisco Firepower Threat Defense Software exhaustion vulnerabilities |
CVSS V2: 5.0 CVSS V3: 7.5 Severity: HIGH |
A vulnerability in the Open Shortest Path First (OSPF) implementation in Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to cause a memory leak on an affected device. The vulnerability is due to incorrect processing of certain OSPF packets. An attacker could exploit this vulnerability by sending a series of crafted OSPF packets to be processed by an affected device. A successful exploit could allow the attacker to continuously consume memory on an affected device and eventually cause it to reload, resulting in a denial of service (DoS) condition. The platform provides features such as highly secure access to data and network resources