Alerts

Bulletin ID | Date Published | Priority
APSB18-02 | February 13, 2018 | 2

Affected Versions

Product | Affected Versions | Platform
Acrobat DC (Continuous Track) | 2018.009.20050 and earlier versions | Windows and Macintosh
Acrobat Reader DC (Continuous Track) | 2018.009.20050 and earlier versions | Windows and Macintosh
Acrobat 2017 | 2017.011.30070 and earlier versions | Windows and Macintosh
Acrobat Reader 2017 | 2017.011.30070 and earlier versions | Windows and Macintosh
Acrobat DC (Classic Track) | 2015.006.30394 and earlier versions | Windows and Macintosh
Acrobat Reader DC (Classic Track) | 2015.006.30394 and earlier versions | Windows and Macintosh

For more information on Acrobat DC, please visit the Acrobat DC FAQ page.

For more information on Acrobat Reader DC, please visit the Acrobat Reader DC FAQ page.


Solution

Adobe recommends users update their software installations to the latest versions by following the instructions below.
The latest product versions are available to end users via one of the following methods:

  • Users can update their product installations manually by choosing Help > Check for Updates.
  • The products will update automatically, without requiring user intervention, when updates are
    detected.
  • The full Acrobat Reader installer can be downloaded from the Acrobat Reader Download Center.

For IT administrators (managed environments):

  • Download the enterprise installers from ftp://ftp.adobe.com/pub/adobe/, or refer to the specific release note version for links to installers.
  • Install updates via your preferred methodology, such as AIP-GPO, bootstrapper, SCUP/SCCM
    (Windows), or on Macintosh, Apple Remote Desktop and SSH.

Adobe categorizes these updates with the following priority ratings and recommends users update their installation to the newest version:

Product | Updated Versions | Platform | Priority Rating | Availability
Acrobat DC (Continuous Track) | 2018.011.20035 | Windows and Macintosh | 2 | Windows, Macintosh
Acrobat Reader DC (Continuous Track) | 2018.011.20035 | Windows and Macintosh | 2 | Download Center
Acrobat 2017 | 2017.011.30078 | Windows and Macintosh | 2 | Windows, Macintosh
Acrobat Reader 2017 | 2017.011.30078 | Windows and Macintosh | 2 | Windows, Macintosh
Acrobat DC (Classic Track) | 2015.006.30413 | Windows | 2 | Windows
Acrobat DC (Classic Track) | 2015.006.30416 | Macintosh | 2 | Macintosh
Acrobat Reader DC (Classic Track) | 2015.006.30413 | Windows | 2 | Download Center
Acrobat Reader DC (Classic Track) | 2015.006.30416 | Macintosh | 2 | Download Center

Note: As noted in this previous announcement, support for Adobe Acrobat 11.x and Adobe Reader 11.x ended on October 15, 2017.  Version 11.0.23 is the final release for Adobe Acrobat 11.x and Adobe Reader 11.x.  Adobe strongly recommends that you update to the latest versions of Adobe Acrobat DC and Adobe Acrobat Reader DC. By updating installations to the latest versions, you benefit from the latest functional enhancements and improved security measures.
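As an added example (not Adobe's code), the following Python check decides whether an installed Acrobat or Reader build is still below the first fixed version from the table above, including the Classic Track case where the fixed build differs per platform. Inferring the track from the leading version component, and the inventory format, are assumptions of this example.

```python
# Added example, not Adobe's code. Fixed versions are those published for APSB18-02;
# inferring the track from the leading version component is an assumption of this example.
FIRST_FIXED = {
    # (track, platform): first build that is no longer affected
    ("continuous", "windows"): "2018.011.20035",
    ("continuous", "macintosh"): "2018.011.20035",
    ("2017", "windows"): "2017.011.30078",
    ("2017", "macintosh"): "2017.011.30078",
    ("classic", "windows"): "2015.006.30413",    # Classic Track differs per platform
    ("classic", "macintosh"): "2015.006.30416",
}
TRACK_BY_MAJOR = {2018: "continuous", 2017: "2017", 2015: "classic"}


def parse_version(version: str) -> tuple:
    """'2015.006.30394' -> (2015, 6, 30394): zero-padded components compare numerically."""
    return tuple(int(part) for part in version.split("."))


def track_of(version: str) -> str:
    major = parse_version(version)[0]
    if major not in TRACK_BY_MAJOR:
        # 11.x builds are end-of-life (11.0.23 was the final release) and receive no fix.
        raise ValueError(f"no supported track for version {version}")
    return TRACK_BY_MAJOR[major]


def is_affected(version: str, platform: str) -> bool:
    """True when the installed build is older than the first fixed build for its track/platform."""
    key = (track_of(version), platform.strip().lower())
    return parse_version(version) < parse_version(FIRST_FIXED[key])


def classify_inventory(hosts: list) -> dict:
    """Split (hostname, version, platform) rows into affected / fixed / unsupported buckets."""
    result = {"affected": [], "fixed": [], "unsupported": []}
    for host, version, platform in hosts:
        try:
            bucket = "affected" if is_affected(version, platform) else "fixed"
        except ValueError:
            bucket = "unsupported"
        result[bucket].append(host)
    return result


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    sample = [("ws01", "2018.009.20050", "Windows"), ("ws02", "2015.006.30413", "Macintosh"),
              ("ws03", "2015.006.30413", "Windows"), ("ws04", "11.0.23", "Windows")]
    print(classify_inventory(sample))
```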

Vulnerability Details

Vulnerability Category | Vulnerability Impact | Severity | CVE Number
Security Mitigation Bypass | Privilege Escalation | Critical | CVE-2018-4872
Heap Overflow | Arbitrary Code Execution | Critical | CVE-2018-4890, CVE-2018-4904, CVE-2018-4910, CVE-2018-4917
Use-after-free | Arbitrary Code Execution | Critical | CVE-2018-4888, CVE-2018-4892, CVE-2018-4902, CVE-2018-4911, CVE-2018-4913
Out-of-bounds write | Arbitrary Code Execution | Critical | CVE-2018-4879, CVE-2018-4895, CVE-2018-4898, CVE-2018-4901, CVE-2018-4915, CVE-2018-4916, CVE-2018-4918
Out-of-bounds read | Remote Code Execution | Important | CVE-2018-4880, CVE-2018-4881, CVE-2018-4882, CVE-2018-4883, CVE-2018-4884, CVE-2018-4885, CVE-2018-4886, CVE-2018-4887, CVE-2018-4889, CVE-2018-4891, CVE-2018-4893, CVE-2018-4894, CVE-2018-4896, CVE-2018-4897, CVE-2018-4899, CVE-2018-4900, CVE-2018-4903, CVE-2018-4905, CVE-2018-4906, CVE-2018-4907, CVE-2018-4908, CVE-2018-4909, CVE-2018-4912, CVE-2018-4914


The information contained in this website is for general information purposes only. The information is provided by Adobe Security Bulletin and while we endeavour to keep the information up to date and correct, we make no representations or warranties of any kind, express or implied, about the completeness, accuracy, reliability, suitability or availability with respect to the website or the information, products, services, or related graphics contained on the website for any purpose. Any reliance you place on such information is therefore strictly at your own risk.
Through this website you are able to link to other websites which are not under the control of CSIRT-CY. We have no control over the nature, content and availability of those sites. The inclusion of any links does not necessarily imply a recommendation or endorse the views expressed within them.
Every effort is made to keep the website up and running smoothly. However, CSIRT-CY takes no responsibility for, and will not be liable for, the website being temporarily unavailable due to technical issues beyond our control.

Apple released iOS 11.2.6 to address a bug that causes apps like Messages to crash on the iPhone and iPad due to an inability to render a specific character in the Indian language Telugu. When sent, received, or input into Messages, Safari, WhatsApp, Facebook Messenger, and more, the Telugu character can cause the app to freeze up and become unresponsive.

In Messages, for example, receiving the character can freeze up the entire Messages app on all of a person’s Mac and iOS devices. The Messages app then refuses to function properly until the offending character is removed by deleting the conversation with the person who sent it. Apple’s release notes are below:


“iOS 11.2.6 includes bug fixes for your iPhone or iPad. This update:

  • Fixes an issue where using certain character sequences could cause apps to crash
  • Fixes an issue where some third-party apps could fail to connect to external accessories”


Apple fixed the bug in iOS 11.3 and macOS 10.13.4, but those updates are still in beta testing and won’t be released until the spring.

Apple last week promised a minor update to fix the bug in the meantime.


The information contained in this website is for general information purposes only. The information is provided by Macrumors and while we endeavour to keep the information up to date and correct, we make no representations or warranties of any kind, express or implied, about the completeness, accuracy, reliability, suitability or availability with respect to the website or the information, products, services, or related graphics contained on the website for any purpose. Any reliance you place on such information is therefore strictly at your own risk.

RUNESEC, a Cypriot independent offensive security team, on 15 February 2018 released a security advisory for the Oracle Primavera Project Portfolio Management application, which is vulnerable to HTTP Response Splitting. An attacker can use this vulnerability to perform Cross-Site Scripting (XSS) attacks, redirect victims to malicious websites, and poison web and browser caches.

Exploit Author: Marios Nicolaides
Reviewers: Simon Loizides, Nicolas Markitanis
Vendor Homepage: Oracle
Affected: Oracle Primavera P6 Enterprise Project Portfolio Management 8.3, 8.4, 15.1, 15.2, 16.1
Tested on: Oracle Primavera P6 Enterprise Project Portfolio Management (Build: 15.1.0.0 (B0163) 14.03.2015.1305)
CVE-ID: CVE-2017-10046
Category: Web Application

OVERVIEW

The Oracle Primavera Project Portfolio Management application is vulnerable to HTTP Response Splitting.

The application takes the user’s input from the languageCode parameter and includes it in the ORA-PWEB_LANGUAGE_1111 cookie value within the “Set-Cookie” HTTP response header. Because the value is not validated, an attacker can inject LF (line feed) characters, break out of the headers into the message body, and write arbitrary content into the application’s response.

As a result, this could enable an attacker to perform Cross-Site Scripting attacks (XSS), redirect victims to malicious websites, and poison web and browser caches.

DETAILS

The exploit can be demonstrated as follows:

  1. A malicious attacker crafts the following URL:
    /p6/LoginHandler?languageCode=runesec%0a%0a%0a<script>alert(document.cookie)</script>%0a
  2. The attacker sends the above URL to an Oracle Primavera Project Portfolio Management application user.
  3. The “malicious” JavaScript payload will execute in the victim’s browser and display a popup box showing the cookies.

Please note that the payload used above is for demonstration purposes only. A real attacker would try to steal the user’s cookies or perform other malicious actions.
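The defensive side of the mechanism described above, as an added example that is not RUNESEC's or Oracle's code: a header builder that copies the parameter verbatim (the vulnerable pattern) beside one that enforces the RFC 6265 cookie-value grammar, a helper showing how many lines an unvalidated value really emits, and a check that flags request lines whose decoded query values carry CR or LF. Function names are hypothetical; only the languageCode parameter, the cookie name and the demonstration URL come from the advisory.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Added example, not the advisory's or Oracle's code. Names are hypothetical; only the
# languageCode parameter and the ORA-PWEB_LANGUAGE_1111 cookie come from the advisory.
# RFC 6265 cookie-octet: printable US-ASCII minus CTLs, space, DQUOTE, comma, semicolon
# and backslash. CR (0x0D) and LF (0x0A) are CTLs, so they can never be part of a value.
_COOKIE_OCTETS = re.compile(r"[\x21\x23-\x2B\x2D-\x3A\x3C-\x5B\x5D-\x7E]*")


def is_valid_cookie_value(value: str) -> bool:
    # Keeps the header intact; output encoding of page content is a separate concern.
    return _COOKIE_OCTETS.fullmatch(value) is not None


def set_cookie_unsafe(name: str, value: str) -> str:
    """The vulnerable pattern: the raw parameter is copied straight into the header line."""
    return f"Set-Cookie: {name}={value}"


def set_cookie_safe(name: str, value: str) -> str:
    """Hardened: refuse values outside the cookie-octet grammar instead of emitting them."""
    if not is_valid_cookie_value(value):
        raise ValueError("cookie value contains characters not allowed by RFC 6265")
    return f"Set-Cookie: {name}={value}; Path=/; Secure; HttpOnly"


def emitted_line_count(header: str) -> int:
    """Lines the server actually sends for one header string: more than one means the
    value ended the header; what follows is parsed as further headers or, after a blank
    line, as the response body."""
    return len(re.split(r"\r?\n", header))


def params_with_crlf(request_line: str) -> list:
    """Detection over an access-log style request line ('GET /path?q=v HTTP/1.1'):
    return the query parameters whose percent-decoded value contains CR or LF."""
    query = urlsplit(request_line.split(" ", 2)[1]).query
    return [k for k, v in parse_qsl(query, keep_blank_values=True) if "\r" in v or "\n" in v]


if __name__ == "__main__":
    cookie = "ORA-PWEB_LANGUAGE_1111"
    # Constructed log line built from the advisory's own demonstration URL.
    log_line = ("GET /p6/LoginHandler?languageCode=runesec%0a%0a%0a"
                "<script>alert(document.cookie)</script>%0a HTTP/1.1")
    print(params_with_crlf(log_line))                                  # ['languageCode']
    decoded = dict(parse_qsl(urlsplit(log_line.split(" ")[1]).query))["languageCode"]
    print(emitted_line_count(set_cookie_unsafe(cookie, decoded)))      # 5
    print(set_cookie_safe(cookie, "en"))
```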

IMPACT

An attacker might be able to steal the user’s session cookie/credentials and gain unauthorized access to the application. Further, an attacker might be able to poison web and/or browser caches in an attempt to perform a persistent attack.

MITIGATION

Apply the Oracle Critical Patch Update (CPU) of July 2017.

REFERENCES

TIMELINE

24 April 2017 – Oracle informed of the issue
July 2017 – Oracle released a patch
15 February 2018 – Exploit publicly disclosed


The information contained in this website is for general information purposes only. The information is provided by RUNESEC and while we endeavour to keep the information up to date and correct, we make no representations or warranties of any kind, express or implied, about the completeness, accuracy, reliability, suitability or availability with respect to the website or the information, products, services, or related graphics contained on the website for any purpose. Any reliance you place on such information is therefore strictly at your own risk.