Original release date: May 18, 2016

Cisco has released security updates to address vulnerabilities in its Web Security Appliance software. Exploitation of these vulnerabilities could cause a denial-of-service-condition on an affected system.

Users and administrators are encouraged to review the following Cisco Security Advisories and apply the necessary updates.

• Cisco Web Security Appliance HTTP POST Denial of Service Vulnerability
• Cisco Web Security Appliance Cached Range Request Denial of Service Vulnerability
• Cisco Web Security Appliance HTTP Length Denial of Service Vulnerability
• Cisco Web Security Appliance Connection Denial of Service Vulnerability

This product is provided subject to this Notification and this Privacy & Use policy.

Original release date: May 16, 2016

Symantec has released Anti-Virus Engine 20151.1.1.4 to address a vulnerability in Symantec Antivirus products. Exploitation of this vulnerability may allow a remote attacker to take control of an affected system.

US-CERT encourages users and administrators to review the Symantec Security Advisory for more information and apply the necessary update.

This product is provided subject to this Notification and this Privacy & Use policy.

Original release date: May 16, 2016

Apple has released security updates for tvOS, iOS, watchOS, OS X El Capitan, Safari, and iTunes. Exploitation of some of these vulnerabilities may allow a remote attacker to take control of an affected system.

Available updates include:

• tvOS 9.2.1 for Apple TV (4th generation)
• iOS 9.3.2 for iPhone 4s and later, iPod touch (5th generation) and later, and iPad 2 and later
• watchOS 2.2.1 for Apple Watch Sport, Apple Watch, Apple Watch Edition, and Apple Watch Hermes
• OS X El Capitan v10.11.5 and Security Update 2016-003 for OS X El Capitan v10.11and later
• Safari 9.1.1 for OS X Mavericks v10.9.5, OS X Yosemite v10.10.5, and OS X El Capitan v10.11.5
• iTunes 12.4 for Windows 7 and later

Users and administrators are encouraged to review Apple security updates for tvOS, iOS, watchOS, OS X El Capitan, Safari, and iTunes and apply the necessary updates.

This product is provided subject to this Notification and this Privacy & Use policy.

Original release date: May 16, 2016

The US-CERT Cyber Security Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week. The NVD is sponsored by the Department of Homeland Security (DHS) National Cybersecurity and Communications Integration Center (NCCIC) / United States Computer Emergency Readiness Team (US-CERT). For modified or updated entries, please visit the NVD, which contains historical vulnerability information.

The vulnerabilities are based on the CVE vulnerability naming standard and are organized according to severity, determined by the Common Vulnerability Scoring System (CVSS) standard. The division of high, medium, and low severities correspond to the following scores:

• High – Vulnerabilities will be labeled High severity if they have a CVSS base score of 7.0 – 10.0

• Medium – Vulnerabilities will be labeled Medium severity if they have a CVSS base score of 4.0 – 6.9

• Low – Vulnerabilities will be labeled Low severity if they have a CVSS base score of 0.0 – 3.9

Entries may include additional information provided by organizations and efforts sponsored by US-CERT. This information may include identifying information, values, definitions, and related links. Patch information is provided when available. Please note that some of the information in the bulletins is compiled from external, open source reports and is not a direct result of US-CERT analysis.

This product is provided subject to this Notification and this Privacy & Use policy.

Original release date: May 12, 2016

Adobe has released security updates to address vulnerabilities in Flash Player. Exploitation of some of these vulnerabilities may allow a remote attacker to take control of an affected system.

US-CERT encourages users and administrators to review Adobe Security Bulletins APSB16-15  and apply the necessary updates.

This product is provided subject to this Notification and this Privacy & Use policy.

Original release date: May 11, 2016

Google has released Chrome version 50.0.2661.102 to address multiple vulnerabilities for Windows, Mac, and Linux. Exploitation of some of these vulnerabilities may allow a remote attacker to take control of an affected system.

Users and administrators are encouraged to review the Chrome Releases page and apply the necessary update.

This product is provided subject to this Notification and this Privacy & Use policy.

Original release date: May 11, 2016

Systems Affected

Outdated or misconfigured SAP systems

Overview

At least 36 organizations worldwide are affected by an SAP vulnerability [1]. Security researchers from Onapsis discovered indicators of exploitation against these organizations’ SAP business applications.

The observed indicators relate to the abuse of the Invoker Servlet, a built-in functionality in SAP NetWeaver Application Server Java systems (SAP Java platforms). The Invoker Servlet contains a vulnerability that was patched by SAP in 2010. However, the vulnerability continues to affect outdated and misconfigured SAP systems.

Description

SAP systems running outdated or misconfigured software are exposed to increased risks of malicious attacks.

The Invoker Servlet vulnerability affects business applications running on SAP Java platforms.

SAP Java platforms are the base technology stack for many SAP business applications and technical components, including:

• SAP Enterprise Resource Planning (ERP),
• SAP Product Lifecycle Management (PLM),
• SAP Customer Relationship Management (CRM),
• SAP Supply Chain Management (SCM),
• SAP Supplier Relationship Management (SRM),
• SAP NetWeaver Business Warehouse (BW),
• SAP Business Intelligence (BI),
• SAP NetWeaver Mobile Infrastructure (MI),
• SAP Enterprise Portal (EP),
• SAP Process Integration (PI),
• SAP Exchange Infrastructure (XI),
• SAP Solution Manager (SolMan),
• SAP NetWeaver Development Infrastructure (NWDI),
• SAP Central Process Scheduling (CPS),
• SAP NetWeaver Composition Environment (CE),
• SAP NetWeaver Enterprise Search,
• SAP NetWeaver Identity Management (IdM), and
• SAP Governance, Risk & Control 5.x (GRC).

The vulnerability resides on the SAP application layer, so it is independent of the operating system and database application that support the SAP system.

Impact

Exploitation of the Invoker Servlet vulnerability gives unauthenticated remote attackers full access to affected SAP platforms, providing complete control of the business information and processes on these systems, as well as potential access to other systems.

Solution

In order to mitigate this vulnerability, US-CERT recommends users and administrators implement SAP Security Note 1445998 and disable the Invoker Servlet. For more mitigation details, please review the Onapsis threat report [1].

In addition, US-CERT encourages that users and administrators:

• Scan systems for all known vulnerabilities, such as missing security patches and dangerous system configurations.
• Identify and analyze the security settings of SAP interfaces between systems and applications to understand risks posed by these trust relationships.
• Analyze systems for malicious or excessive user authorizations.
• Monitor systems for indicators of compromise resulting from the exploitation of vulnerabilities.
• Monitor systems for suspicious user behavior, including both privileged and non-privileged users.
• Apply threat intelligence on new vulnerabilities to improve the security posture against advanced targeted attacks.
• Define comprehensive security baselines for systems and continuously monitor for compliance violations and remediate detected deviations.

These recommendations apply to SAP systems in public, private, and hybrid cloud environments.

Note: The U.S. Government does not endorse or support any particular product or vendor.

References

• [1] Onapsis Threat Report: Wild Exploitation & Cyber-Attacks on SAP Business Applications
• [2] SAP: Invoker Servlet

Revision History

• May 11, 2016: Initial Release

This product is provided subject to this Notification and this Privacy & Use policy.

Original release date: May 10, 2016

Adobe has released security updates to address vulnerabilities in Flash Player, ColdFusion, Acrobat, and Reader. Exploitation of some of these vulnerabilities may allow a remote attacker to take control of an affected system.

US-CERT encourages users and administrators to review Adobe Security Bulletins APSA16-02, APSB16-14, and APSB16-16 and apply the necessary updates.

This product is provided subject to this Notification and this Privacy & Use policy.

Original release date: May 10, 2016

Microsoft has released 16 updates to address vulnerabilities in Microsoft software. Exploitation of some of these vulnerabilities could allow a remote attacker to take control of an affected system.

Users and administrators are encouraged to review the following Microsoft Security Bulletins MS16-051 through MS16-067 and apply the necessary updates.

This product is provided subject to this Notification and this Privacy & Use policy.

Original release date: May 09, 2016

WordPress 4.5.1 and prior versions are affected by two vulnerabilities.  Exploitation of one of these vulnerabilities could allow a remote attacker to take control of an affected system.

US-CERT encourages users and administrators to review the WordPress Security Release and upgrade to WordPress 4.5.2.

This product is provided subject to this Notification and this Privacy & Use policy.