Apache Qpid Java Broker versions 6.0.0, 6.0.1, and 6.0.2 suffer from a denial of service vulnerability.
Monthly Archives: May 2016
Apache Qpid Java Broker 6.0.2 Authentication Bypass
Apache Qpid Java Broker versions 6.0.2 and below suffer from an authentication bypass vulnerability.
UPDATE: VMSA-2016-0005.2 – VMware product updates address critical and important security issues
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - -------------------------------------------------------------------------- VMware Security Advisory Advisory ID: VMSA-2016-0005.2 Synopsis: VMware product updates address critical and important security issues Issue date: 2016-05-17 Updated on: 2016-05-27 CVE number: CVE-2016-3427, CVE-2016-2077 - ------------------------------------------------------------------------ 1. Summary VMware product updates address critical and important security issues. 2. Relevant Releases vCenter Server 6.0 on Windows without workaround of KB 2145343 vCenter Server 6.0 on Linux (VCSA) prior to 6.0.0b vCenter Server 5.5 prior to 5.5 U3d (on Windows), 5.5 U3 (VCSA) vCenter Server 5.1 prior to 5.1 U3b vCenter Server 5.0 prior to 5.0 U3e vCloud Director prior to 8.0.1.1 vCloud Director prior to 5.6.5.1 vCloud Director prior to 5.5.6.1 vSphere Replication prior to 6.1.1 vSphere Replication prior to 6.0.0.3 vSphere Replication prior to 5.8.1.2 vSphere Replication prior to 5.6.0.6 vRealize Operations Manager 6.x (non-appliance version) VMware Workstation prior to 11.1.3 VMware Player prior to 7.1.3 3. Problem Description a. Critical JMX issue when deserializing authentication credentials The RMI server of Oracle JRE JMX deserializes any class when deserializing authentication credentials. This may allow a remote, unauthenticated attacker to cause deserialization flaws and execute their commands. Workarounds CVE-2016-3427 vCenter Server Apply the steps of VMware Knowledge Base article 2145343 to vCenter Server 6.0 on Windows. See the table below for the specific vCenter Server 6.0 versions on Windows this applies to. vCloud Director No workaround identified vSphere Replication No workaround identified vRealize Operations Manager (non-appliance) The non-appliance version of vRealize Operations Manager (vROps), which can be installed on Windows and Linux has no default firewall. In order to remove the remote exploitation possibility, access to the following external ports will need to be blocked on the system where the non-appliance version of vROps is installed: - vROps 6.2.x: port 9004, 9005, 9006, 9007, 9008 - vROps 6.1.x: port 9004, 9005, 9007, 9008 - vROps 6.0.x: port 9004, 9005 Note: These ports are already blocked by default in the appliance version of vROps. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2016-3427 to this issue. Column 4 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available. VMware Product Running Replace with/ Product Version on Apply Patch ====================== ========= ======= ============= vCenter Server 6.0 Windows 6.0.0b + KB 2145343 * vCenter Server 6.0 Linux 6.0.0b vCenter Server 5.5 Windows (5.5 U3b + KB 2144428 **) or 5.5 U3d vCenter Server 5.5 Linux 5.5 U3 vCenter Server 5.1 Windows (5.1 U3b + KB 2144428 **) or 5.1U3d vCenter Server 5.1 Linux 5.1 U3b vCenter Server 5.0 Windows 5.0 U3e + KB 2144428 ** vCenter Server 5.0 Linux 5.0 U3e vCloud Director 8.0.x Linux 8.0.1.1 vCloud Director 5.6.x Linux 5.6.5.1 vCloud Director 5.5.x Linux 5.5.6.1 vSphere Replication 6.1.x Linux 6.1.1 *** vSphere Replication 6.0.x Linux 6.0.0.3 *** vSphere Replication 5.8.x Linux 5.8.1.2 *** vSphere Replication 5.6.x Linux 5.6.0.6 *** vROps (non-appliance) 6.x All Apply workaround vROps (appliance) 6.x Linux Not affected * Remote and local exploitation is feasible on vCenter Server 6.0 and 6.0.0a for Windows. Remote exploitation is not feasible on vCenter Server 6.0.0b (and above) for Windows but local exploitation is. The local exploitation possibility can be removed by applying the steps of KB 2145343 to vCenter Server 6.0.0b (and above) for Windows. ** See VMSA-2015-0007 for details. vCenter Server 5.5 U3d and 5.1 U3d running on Windows addresses CVE-2016-3427 without the need to install the additional patch of KB 2144428 documented in VMSA-2015-0007. *** vSphere Replication is affected if its vCloud Tunneling Agent is running, which is not enabled by default. This agent is used in environments that replicate data between the cloud and an on-premise datacenter. b. Important VMware Workstation and Player for Windows host privilege escalation vulnerability. VMware Workstation and Player for Windows do not properly reference one of their executables. This may allow a local attacker on the host to elevate their privileges. VMware would like to thank Andrew Smith of Sword & Shield Enterprise Security for reporting this issue to us. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2016-2077 to this issue. Column 4 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available. VMware Product Running Replace with/ Product Version on Apply Patch ================== ======= ======= ================= VMware Workstation 12.x any not affected VMware Workstation 11.x Windows 11.1.3 VMware Workstation 11.x Linux not affected VMware Player 8.x any not affected VMware Player 7.x Windows 7.1.3 VMware Player 7.x Linux not affected 4. Solution Please review the patch/release notes for your product and version and verify the checksum of your downloaded file. vCenter Server -------------- Downloads and Documentation: https://www.vmware.com/go/download-vsphere vCloud Director --------------- Downloads and Documentation: https://www.vmware.com/go/download/vcloud-director vSphere Replication ------------------- Downloads and Documentation: https://my.vmware.com/web/vmware/get-download?downloadGroup=VR611 https://my.vmware.com/web/vmware/get-download?downloadGroup=VR6003 https://my.vmware.com/web/vmware/get-download?downloadGroup=VR5812 https://my.vmware.com/web/vmware/get-download?downloadGroup=VR5606 https://www.vmware.com/support/pubs/vsphere-replication-pubs.html VMware Workstation ------------------------- Downloads and Documentation: https://www.vmware.com/go/downloadworkstation VMware Player ------------- Downloads and Documentation: https://www.vmware.com/go/downloadplayer 5. References http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3427 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2077 VMware Security Advisory VMSA-2015-0007 http://www.vmware.com/security/advisories/VMSA-2015-0007.html VMware Knowledge Base article 2145343 kb.vmware.com/kb/2145343 VMware Knowledge Base article 2144428 kb.vmware.com/kb/2144428 - ------------------------------------------------------------------------ 6. Change log 2016-05-17 VMSA-2016-0005 Initial security advisory in conjunction with the release of VMware vCloud Director 8.0.1.1, 5.6.5.1, and 5.5.6.1, and vSphere Replication 6.0.0.3, 5.8.1.2, and 5.6.0.6 on 2016-05-17. 2016-05-24 VMSA-2016-0005.1 Updated security advisory in conjunction with the release of vSphere 5.1 U3d on 2016-05-24. vCenter Server 5.1 U3d running on Windows addresses CVE-2016-3427 without the need to install the additional patch. 2016-05-27 VMSA-2016-0005.2 Updated security advisory in conjunction with the release of vSphere Replication 6.1.1 on 2016-05-26. - ------------------------------------------------------------------------ 7. Contact E-mail list for product security notifications and announcements: http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce This Security Advisory is posted to the following lists: security-announce at lists.vmware.com bugtraq at securityfocus.com fulldisclosure at seclists.org E-mail: security at vmware.com PGP key at: https://kb.vmware.com/kb/1055 VMware Security Advisories http://www.vmware.com/security/advisories Consolidated list of VMware Security Advisories http://kb.vmware.com/kb/2078735 VMware Security Response Policy https://www.vmware.com/support/policies/security_response.html VMware Lifecycle Support Phases https://www.vmware.com/support/policies/lifecycle.html Twitter https://twitter.com/VMwareSRC Copyright 2016 VMware Inc. All rights reserved. -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.8.3 (Build 4028) Charset: utf-8 wj8DBQFXSJIHDEcm8Vbi9kMRAt8oAJ9cSrgfC5OlS+lgV8O+6uxcGt5CdQCggsNB iQZm8gTv4gEEKxa2Af9YbSQ= =8szQ -----END PGP SIGNATURE-----
Slackware Security Advisory – php Updates
Slackware Security Advisory – New php packages are available for Slackware 14.0, 14.1, and -current to fix security issues.
Slackware Security Advisory – libxslt Updates
Slackware Security Advisory – New libxslt packages are available for Slackware 14.0, 14.1, and -current to fix a security issue.
Slackware Security Advisory – libxml2 Updates
Slackware Security Advisory – New libxml2 packages are available for Slackware 14.0, 14.1, and -current to fix security issues.
PHP Real Estate Script 4.9.0 SQL Injection
PHP Real Estate Script version 4.9.0 suffers from a remote SQL injection vulnerability.
Google Wins Epic Java Copyright Case Against Oracle
Google has finally won six-year long $9-billion legal battle with Oracle over the use of Java APIs in Android.
Oracle filed its lawsuit against Google in 2010, claiming that the company illegally used 11,500 lines of Java code in its Android operating system, violating copyrights owned by Oracle.
However, a federal jury of ten people concluded Thursday that Google’s use of Java constituted “
Joomla Simple Calendar 0.7.6b SQL Injection
Joomla Simple Calendar component version 0.7.6b suffers from a remote SQL injection vulnerability.