Cisco Security Advisory:Cisco Application Policy Infrastructure Controller Enterprise Module Remote Code Execution Vulnerability
Monthly Archives: August 2016
RHBA-2016:1620-1: openstack-nova bug fix advisory
Red Hat Enterprise Linux: Updated OpenStack Compute packages that resolve various issues are now
available for Red Hat Enterprise Linux OpenStack Platform 6.0 (Juno) for
RHEL 7.
RHBA-2016:1618-1: openstack-cinder bug fix advisory
Red Hat Enterprise Linux: Updated OpenStack Block Storage packages that resolve various issues are
now available for Red Hat Enterprise Linux OpenStack Platform 6.0 (Juno)
for RHEL 7.
USN-3062-1: OpenJDK 7 vulnerabilities
Ubuntu Security Notice USN-3062-1
16th August, 2016
openjdk-7 vulnerabilities
A security issue affects these releases of Ubuntu and its
derivatives:
- Ubuntu 14.04 LTS
Summary
Several security issues were fixed in OpenJDK 7.
Software description
- openjdk-7
– Open Source Java implementation
Details
Multiple vulnerabilities were discovered in the OpenJDK JRE related to
information disclosure, data integrity, and availability. An attacker
could exploit these to cause a denial of service, expose sensitive data
over the network, or possibly execute arbitrary code. (CVE-2016-3598,
CVE-2016-3606, CVE-2016-3610)
A vulnerability was discovered in the OpenJDK JRE related to data
integrity. An attacker could exploit this to expose sensitive data
over the network or possibly execute arbitrary code. (CVE-2016-3458)
Multiple vulnerabilities were discovered in the OpenJDK JRE related
to availability. An attacker could exploit these to cause a denial
of service. (CVE-2016-3500, CVE-2016-3508)
A vulnerability was discovered in the OpenJDK JRE related to information
disclosure. An attacker could exploit this to expose sensitive data over
the network. (CVE-2016-3550)
Update instructions
The problem can be corrected by updating your system to the following
package version:
- Ubuntu 14.04 LTS:
-
openjdk-7-jre-lib
7u111-2.6.7-0ubuntu0.14.04.3
-
openjdk-7-jre-zero
7u111-2.6.7-0ubuntu0.14.04.3
-
icedtea-7-jre-jamvm
7u111-2.6.7-0ubuntu0.14.04.3
-
openjdk-7-jre-headless
7u111-2.6.7-0ubuntu0.14.04.3
-
openjdk-7-jre
7u111-2.6.7-0ubuntu0.14.04.3
To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.
After a standard system update you need to restart any Java
applications or applets to make all the necessary changes.
References
USN-3063-1: Fontconfig vulnerability
Ubuntu Security Notice USN-3063-1
17th August, 2016
fontconfig vulnerability
A security issue affects these releases of Ubuntu and its
derivatives:
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS
- Ubuntu 12.04 LTS
Summary
Fontconfig be made to crash or run programs if it opened a specially
crafted file.
Software description
- fontconfig
– generic font configuration library
Details
Tobias Stoeckmann discovered that Fontconfig incorrectly handled cache
files. A local attacker could possibly use this issue with a specially
crafted cache file to elevate privileges.
Update instructions
The problem can be corrected by updating your system to the following
package version:
- Ubuntu 16.04 LTS:
-
fontconfig
2.11.94-0ubuntu1.1
-
libfontconfig1
2.11.94-0ubuntu1.1
- Ubuntu 14.04 LTS:
-
fontconfig
2.11.0-0ubuntu4.2
-
libfontconfig1
2.11.0-0ubuntu4.2
- Ubuntu 12.04 LTS:
-
fontconfig
2.8.0-3ubuntu9.2
-
libfontconfig1
2.8.0-3ubuntu9.2
To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.
After a standard system update you need to restart your session to make
all the necessary changes.
References
Linux flaw puts 80% of Android devices at risk
Linux flaw affects about 1.4 billion Android devices
The newly discovered Linux flaw allows hackers to carry out attacks on Android users using a Man-in-the-Middle (MITM) Transport Layer Security (TLS) Protocol Downgrade Attack. In layman’s terms – a hacker could spy on you and your data. In more technical terms, a cybercrook can potentially degrade, or negotiate a lower version of TLS, between the client and server.
Ubuntu Security Notice USN-3063-1
Ubuntu Security Notice 3063-1 – Tobias Stoeckmann discovered that Fontconfig incorrectly handled cache files. A local attacker could possibly use this issue with a specially crafted cache file to elevate privileges.
NetIQ Access Manager iManager 2.7.7.6 / 2.7.7.5 Cross Site Scripting
NetIQ Access Manager iManager versions 2.7.7.5 and 2.7.7.6 suffer from a cross site scripting vulnerability.
Cisco Security Advisory 20160817-firepower
Cisco Security Advisory – A vulnerability in the web-based GUI of Cisco Firepower Management Center and Cisco Adaptive Security Appliance (ASA) 5500-X Series with FirePOWER Services could allow an authenticated, remote attacker to elevate the privileges of user accounts on the affected device. The vulnerability is due to insufficient input validation. An attacker could exploit this vulnerability by sending crafted HTTP requests to the affected device. Successful exploitation could allow an authenticated attacker to elevate the privileges of user accounts configured on the device. Cisco has released software updates that address this vulnerability. Workarounds that address this vulnerability are not available.
Cisco Security Advisory 20160817-apic
Cisco Security Advisory – A vulnerability in the Grapevine update process of the Cisco Application Policy Infrastructure Controller Enterprise Module (APIC-EM) could allow an authenticated, remote attacker to execute arbitrary commands on the underlying operating system with the privileges of the root user. The vulnerability is due to insufficient input sanitization during the Grapevine update process. An attacker could exploit this vulnerability by authenticating to the affected system with administrative privileges and inserting arbitrary commands into an upgrade parameter. An exploit could allow the attacker to execute arbitrary commands on the affected system with root-level privileges. Cisco has released software updates that address this vulnerability. Workarounds that address this vulnerability are not available.