Ειδοποιήσεις

 Home  »  Ειδοποιήσεις » Ειδοποιήσεις

 

CVE Reference:   CVE-2018-2760

Affected Versions: 12.1.3, 12.2.1.2

Affected OS:  Windows (Any)

Vulnerability Type: Network

Security Risk: high

Vendor URL: http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html

 

Description:

A vulnerability was reported in Oracle HTTP Server. A remote user can access data on the target system.

A remote user can exploit a flaw in the Oracle HTTP Server OSSL Module component to access data.

Impact:

A remote user can obtain data on the target system.

Solution:

The vendor has issued a fix as part of the April 2018 Critical Patch Update.

fix: http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html

 

The information contained in this website is for general information purposes only. The information is gathered from Security Tracker while we endeavour to keep the information up to date and correct, we make no representations or warranties of any kind, express or implied, about the completeness, accuracy, reliability, suitability or availability with respect to the website or the information, products, services, or related graphics contained on the website for any purpose. Any reliance you place on such information is therefore strictly at your own risk.
Through this website, you are able to link to other websites which are not under the control of CSIRT-CY. We have no control over the nature, content and availability of those sites. The inclusion of any links does not necessarily imply a recommendation or endorse the views expressed within them.
Every effort is made to keep the website up and running smoothly. However, CSIRT-CY takes no responsibility for, and will not be liable for, the website being temporarily unavailable due to technical issues beyond our control.

VMware Security Advisory

Advisory ID: VMSA-2018-0009

Severity: Important

Synopsis: vRealize Automation updates address multiple security issues.

Issue Date: 12/04/2018

Update On: 12/04/2018

CVE No: CVE-2018-6958, CVE-2018-6959

 

1. Summary

vRealize Automation (vRA) updates address multiple security issues.

2. Relevant Products

  • vRealize Automation (vRA)

3. Problem Description

4. DOM-based cross-site scripting (XSS) vulnerability.

 

VMware vRealize Automation contains a vulnerability that may allow for a DOM-based cross-site scripting (XSS) attack. Exploitation of this issue may lead to the compromise of the vRA user’s workstation.

VMware would like to thank Oliver Matula and Benjamin Schwendemann of ERNW Enno Rey Netzwerke GmbH for reporting this issue to us.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2018-6958 to this issue.

Column 5 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available.

 

5. Missing renewal of session tokens vulnerability

 

VMware vRealize Automation contains a vulnerability in the handling of session IDs. Exploitation of this issue may lead to the hijacking of a valid vRA user’s session.

VMware would like to thank Oliver Matula and Benjamin Schwendemann of ERNW Enno Rey Netzwerke GmbH for reporting this issue to us.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2018-6959 to this issue.

Column 5 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available.

 

 

6. Missing renewal of session tokens vulnerability

VMware vRealize Automation contains a vulnerability in the handling of session IDs. Exploitation of this issue may lead to the hijacking of a valid vRA user’s session.

VMware would like to thank Oliver Matula and Benjamin Schwendemann of ERNW Enno Rey Netzwerke GmbH for reporting this issue to us.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2018-6959 to this issue.

Column 5 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available.

 

7. Solution

Please review the patch/release notes for your product and version and verify the checksum of your downloaded file.

 

VMware vRealize Automation 7.3.1

Downloads:

https://my.vmware.com/web/vmware/info/slug/infrastructure_operations_management/vmware_vrealize_automation/7_3

Documentations:

https://docs.vmware.com/en/vRealize-Automation/index.html

 

VMware vRealize Automation 7.4.0

Downloads:

https://my.vmware.com/web/vmware/info/slug/infrastructure_operations_management/vmware_vrealize_automation/7_4

Documentations:

https://docs.vmware.com/en/vRealize-Automation/index.html

 

8. References

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6958
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6959

 

 

https://www.vmware.com/security/advisories/VMSA-2018-0009.html

Important Security Updates

Adobe Flash Player: 

Adobe has released version 29.0.0.140. Updates are available from Adobe’s website.

Avast:

Avast has released version 18.3.2333 for Free Antivirus. Updates are available on Avast’s website.

AVG Antivirus:

AVG has released version 18.3.2333 of its free antivirus. Updates are available on AVG’s website. AVG also released updates for its Free Antivirus, Premier Antivirus and Pro Antivirus.

Avira Antivirus:

Avira has released version 15.0.36.139 of its free Antivirus. Updates are available from Avira’s website.

Dropbox:

Dropbox has released version 47.4.74 for its file hosting program. Updates are available at Dropbox’s website.

LastPass for Windows: 

LastPass (freeware) has released version 4.9.1 for its Free Password Manager. Updates are available from LastPass’ website.

Microsoft Patch Tuesday: 

Microsoft’s Patch Tuesday released updates to address dozens of vulnerabilities, some of which are highly critical within Windows operating systems, Internet Explorer, Edge, Office, Sharepoint and Exchange Server, and other Microsoft products. Additional details are available at Microsoft’s website.

Opera:

Opera has released version 52.0.2871.64. Updates are available from within the browser or from Opera’s website.

 

Current Software Versions

Adobe Flash Player 29.0.0.140

Adobe Reader DC 18.011.20035

Dropbox 47.4.74

  • We recommend files containing sensitive information be independently encrypted; encryption keys be at least 15 characters long; and the master Dropbox [or other] password be at least 15 characters long and different from other passwords.

Firefox 59.0.2 [Windows]

Internet Explorer 11.0.56

Java SE 8 Update 161

  • We recommend to remove or disable Java from your browser. Java is a major source of cybercriminal exploits. It is not needed for most internet browsing.

Microsoft Edge 41.16299.248.0

QuickTime 7.7.9

  • We recommend to remove QuickTime. On April 14, 2016 US-CERT advised Microsoft Windows users to remove QuickTime. This followed a report in ars technica that Apple has no plans to update the Windows app despite at least two reliable QuickTime vulnerabilities that threaten Windows users who still have the program installed.

Safari 11.0.3

  • Mac OS X Mavericks, Yosemite, El Capitan

Skype 8.18.0.6

 

For Your IT Department

Cisco Multiple Products: 

  • Cisco has released updates for IOS and IOS XE Software, CPU Side-Channel and more. Apply updates. Additional details are available on Cisco’s website.

Juniper Networks: 

  • Juniper Networks has released updates for multiple products. Apply updates. Additional details are available on US-CERT’s website.

VMware: 

  • VMware has released updates to address multiple security issues in vRealize Automation. Apply updates. Additional details are available on VMware’s website.

 

The information contained in this website is for general information purposes only. The information is gathered from CITADEL Information while we endeavour to keep the information up to date and correct, we make no representations or warranties of any kind, express or implied, about the completeness, accuracy, reliability, suitability or availability with respect to the website or the information, products, services, or related graphics contained on the website for any purpose. Any reliance you place on such information is therefore strictly at your own risk.
Through this website, you are able to link to other websites which are not under the control of CSIRT-CY. We have no control over the nature, content and availability of those sites. The inclusion of any links does not necessarily imply a recommendation or endorse the views expressed within them.
Every effort is made to keep the website up and running smoothly. However, CSIRT-CY takes no responsibility for, and will not be liable for, the website being temporarily unavailable due to technical issues beyond our control.

 

CVE No: CVE-2018-0016.

MODIFICATION HISTORY: 11/04/2018 – Initial Publication

CVSS SCORE: 9.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

RISK LEVEL: Critical

RISK ASSESSMENT: Information for how Juniper Networks uses CVSS can be found at KB 16446 “Common Vulnerability Scoring System (CVSS) and Juniper’s Security Advisories.”

PRODUCT AFFECTED: This issue affects Junos OS 15.1, 15.1X49, 15.1X53.

 

PROBLEM:

Receipt of a specially crafted Connectionless Network Protocol (CLNP) packet destined to an interface IP address of a Junos OS device may result in a kernel crash or lead to remote code execution.

Devices are only vulnerable to the specially crafted CLNP packet if ‘clns-routing’ or ESIS is explicitly configured. Devices without CLNS enabled are not vulnerable to this issue.

This issue only affects devices running Junos OS 15.1. Affected releases are Juniper Networks Junos OS:

  • 1 versions prior to 15.1F5-S3, 15.1F6-S8, 15.1F7, 15.1R5;
  • 1X49 versions prior to 15.1X49-D60;
  • 1X53 versions prior to 15.1X53-D66, 15.1X53-D233, 15.1X53-D471.

Earlier releases are unaffected by this vulnerability, and the issue has been resolved in Junos OS 16.1R1 and all subsequent releases.

The following configuration is required:

  • set protocols isis clns-routing

Juniper SIRT is not aware of any malicious exploitation of this vulnerability.

This issue was found during internal product security testing or research.

SOLUTION:

The following software releases have been updated to resolve this specific issue: 15.1F5-S3, 15.1F6-S8, 15.1F7, 15.1R5, 15.1X49-D60, 15.1X53-D66, 15.1X53-D233, 15.1X53-D471, 16.1R1, and all subsequent releases.

Note: Juniper SIRT’s policy is not to evaluate releases which are beyond End of Engineering (EOE) or End of Life (EOL).

WORKAROUND:

Use access lists or firewall filters to limit access to the device via CLNP only from trusted hosts.

IMPLEMENTATION:

Software Releases, patches and updates are available at https://www.juniper.net/support/downloads/.

 

RELATED LINKS:

 

The information contained in this website is for general information purposes only. The information is gathered from KB Juniper while we endeavour to keep the information up to date and correct, we make no representations or warranties of any kind, express or implied, about the completeness, accuracy, reliability, suitability or availability with respect to the website or the information, products, services, or related graphics contained on the website for any purpose. Any reliance you place on such information is therefore strictly at your own risk.
Through this website, you are able to link to other websites which are not under the control of CSIRT-CY. We have no control over the nature, content and availability of those sites. The inclusion of any links does not necessarily imply a recommendation or endorse the views expressed within them.
Every effort is made to keep the website up and running smoothly. However, CSIRT-CY takes no responsibility for, and will not be liable for, the website being temporarily unavailable due to technical issues beyond our control.

Adobe and Microsoft each released critical fixes for their products today, a.k.a “Patch Tuesday,” the second Tuesday of every month..

The Microsoft updates impact many core Windows components, including the built-in browsers Internet Explorer and Edge, as well as Office, the Microsoft Malware Protection Engine, Microsoft Visual Studio and Microsoft Azure.

That flaw, discovered and reported by Google’s Project Zero program, is reportedly quite easy to exploit and impacts the malware scanning capabilities for a variety of Microsoft anti-malware products, including Windows Defender, Microsoft Endpoint Protection and Microsoft Security Essentials.

Microsoft really wants users to install these updates as qucikly as possible, but it might not be the worst idea to wait a few days before doing so: Quite often, problems with patches that may cause systems to end up in an endless reboot loop are reported and resolved with subsequent updates within a few days after their release. However, depending on which version of Windows you’re using it may be difficult to put off installing these patches.

Windows 10 receives updates automatically, “and for customers running previous versions, is recommended to turn on automatic updates as a best practice.” Microsoft doesn’t make it easy for Windows 10 users to change this setting, but it is possible. For all other Windows OS users, if you’d rather be alerted to new updates when they’re available so you can choose when to install them, there’s a setting for that in Windows Update. In any case, don’t put off installing these updates too long.

Adobe’s Flash Player update fixes at least two critical bugs in the program. Adobe said it is not aware of any active exploits in the wild against either flaw, but if you’re not using Flash routinely for many sites, you probably want to disable or remove this buggy program.

Adobe is phasing out Flash entirely by 2020, but most of the major browsers already take steps to hobble Flash. And with good reason: It’s a major security liability. Google Chrome also bundles Flash, but blocks it from running on all but a handful of popular sites, and then only after user approval.

For Windows users with Mozilla Firefox installed, the browser prompts users to enable Flash on a per-site basis. Through the end of 2017 and into 2018, Microsoft Edge will continue to ask users for permission to run Flash on most sites the first time the site is visited, and will remember the user’s preference on subsequent visits.

The latest standalone version of Flash that addresses these bugs is 29.0.0.140  for Windows, Mac, Linux and Chrome OS. But most users probably would be better off manually hobbling or removing Flash altogether, since so few sites actually require it still. Disabling Flash in Chrome is simple enough. Paste “chrome://settings/content” into a Chrome browser bar and then select “Flash” from the list of items. By default it should be set to “Ask first” before running Flash, although users also can disable Flash entirely here or whitelist and blacklist specific sites.

 

The information contained in this website is for general information purposes only. The information is gathered from Security Boulevard while we endeavour to keep the information up to date and correct, we make no representations or warranties of any kind, express or implied, about the completeness, accuracy, reliability, suitability or availability with respect to the website or the information, products, services, or related graphics contained on the website for any purpose. Any reliance you place on such information is therefore strictly at your own risk.
Through this website, you are able to link to other websites which are not under the control of CSIRT-CY. We have no control over the nature, content and availability of those sites. The inclusion of any links does not necessarily imply a recommendation or endorse the views expressed within them.
Every effort is made to keep the website up and running smoothly. However, CSIRT-CY takes no responsibility for, and will not be liable for, the website being temporarily unavailable due to technical issues beyond our control.