Ad: Manage updates with the Download App
ie8 fix

Spyware, viruses, & security forum: VULNERABILITIES / FIXES - April 18, 2012

by: Carol~ April 18, 2012 8:47 AM PDT

Like this

0 people like this thread

Staff pick

VULNERABILITIES / FIXES - April 18, 2012

by Carol~ Moderator - 4/18/12 8:47 AM

Apache HTTP Server LD_LIBRARY_PATH Security Issue

Release Date : 2012-04-18

Criticality level : Not critical
Impact : Privilege escalation
Where : Local system
Solution Status : Vendor Patch

Software: Apache 2.4.x

Description:
A security issue has been reported in Apache HTTP Server, which can be exploited by malicious, local users to gain escalated privileges.

The security issue is caused due to the application incorrectly setting the environment variable LD_LIBRARY_PATH. This can be exploited to gain escalated privileges by e.g. tricking a user into running certain scripts in a directory containing a malicious library.

The security issue is reported in versions prior to 2.4.2.

Solution:
Update to version 2.4.2.

Provided and/or discovered by:
Reported by the vendor.

Original Advisory:
http://www.apache.org/dist/httpd/CHANGES_2.4.2

http://secunia.com/advisories/48849/


Reply
Report offensive post
Email to friend

Oracle PeopleSoft Enterprise Supply Chain Management (SCM)

by Carol~ Moderator - 4/18/12 9:44 AM

In Reply to: VULNERABILITIES / FIXES - April 18, 2012 by Carol~ Moderator

Oracle PeopleSoft Enterprise Supply Chain Management (SCM) Unspecified Vulnerabilities

Release Date : 2012-04-18

Criticality level : Less critical
Impact : Manipulation of data
Exposure of sensitive information
Where : From remote
Solution Status : Vendor Patch

Software: Oracle PeopleSoft Enterprise Supply Chain Management (SCM) 9.x

Description:
Two vulnerabilities have been reported in Oracle PeopleSoft Enterprise Supply Chain Management, which can be exploited by malicious users to disclose sensitive information and manipulate certain data.

1) An unspecified error in the eProcurement sub-component can be exploited to manipulate certain data via specially crafted HTTP requests.

2) An unspecified error in the Billing sub-component can be exploited to disclose certain data via specially crafted HTTP requests.

The vulnerabilities are reported in versions 9.0 and 9.1.

Solution:
Apply patch (please see the vendor's advisory for details).

Provided and/or discovered by:
It is currently unclear who reported the vulnerabilities as the Oracle Critical Patch Update for April 2012 only provides a bundled list of credits. This section will be updated when/if the original reporter provides more information.

Original Advisory:
Oracle:
http://www.oracle.com/technetwork/topics/security/cpuapr2012-366314.html

http://secunia.com/advisories/48884/


Was this reply helpful? (0)   (0)

Staff pick

Reply
Report offensive post
Email to friend

Oracle Siebel Clinical Two Unspecified Vulnerabilities

by Carol~ Moderator - 4/18/12 9:47 AM

In Reply to: VULNERABILITIES / FIXES - April 18, 2012 by Carol~ Moderator

Release Date : 2012-04-18

Criticality level : Less critical
Impact : Manipulation of data
Where : From remote
Solution Status : Vendor Patch

Software: Oracle Siebel Clinical Trial Management System (CTMS) 7.x
Oracle Siebel Clinical Trial Management System (CTMS) 8.x

Description:
Two vulnerabilities have been reported in Oracle Siebel Clinical, which can be exploited by malicious users to manipulate certain data.

1) An unspecified error in the Web UI component can be exploited to update, insert, or delete certain Siebel Clinical accessible data.

2) An unspecified error in the Web UI component can be exploited to update, insert, or delete certain Siebel Clinical accessible data.

Please see the vendor's advisory for a list of affected versions.

Solution:
Apply patches (please see the vendor's advisory for details).

Provided and/or discovered by:
It is currently unclear who reported these vulnerabilities as the Oracle Critical Patch Update for April 2012 only provides a bundled list of credits. This section will be updated when/if the original reporter provides more information.

Original Advisory:
Oracle:
http://www.oracle.com/technetwork/topics/security/cpuapr2012-366314.html#AppendixGBU

http://secunia.com/advisories/48885/


Was this reply helpful? (0)   (0)

Staff pick

Reply
Report offensive post
Email to friend

Oracle FLEXCUBE Universal Banking Unspecified

by Carol~ Moderator - 4/18/12 9:47 AM

In Reply to: VULNERABILITIES / FIXES - April 18, 2012 by Carol~ Moderator

Oracle FLEXCUBE Universal Banking Unspecified Vulnerabilities

Release Date : 2012-04-18

Criticality level : Less critical
Impact : Manipulation of data
Exposure of sensitive information
DoS
Where : From remote
Solution Status : Vendor Patch

Software: Oracle FLEXCUBE Universal Banking 10.x
Oracle FLEXCUBE Universal Banking 11.x

Description:
Multiple vulnerabilities have been reported in Oracle FLEXCUBE Universal Banking, which can be exploited by malicious users and malicious people to disclose sensitive information, manipulate certain data, and cause a DoS (Denial of Service).

1) An unspecified error in the Core sub-component can be exploited to disclose and manipulate certain data via specially crafted HTTP requests.

2) Another unspecified error in the Core sub-component can be exploited to disclose and manipulate certain data via specially crafted HTTP requests.

3) An unspecified error in the Core sub-component can be exploited to disclose and manipulate certain data via specially crafted HTTP requests.

4) An unspecified error in the Core sub-component can be exploited to disclose and manipulate certain data and cause a DoS via specially crafted HTTP requests.

5) An unspecified error in the Core sub-component can be exploited to manipulate certain data via specially crafted HTTP requests.

6) An unspecified error in the Core sub-component can be exploited to manipulate certain data via specially crafted HTTP requests.

7) An unspecified error in the Core sub-component can be exploited to disclose and manipulate certain data via specially crafted HTTP requests.

8) An unspecified error in the Core sub-component can be exploited to cause a DoS via specially crafted HTTP requests.

9) An unspecified error in the Core sub-component can be exploited to disclose certain application data via specially crafted HTTP requests.

The vulnerabilities are reported in versions 10.0.0 through 10.5.0 and 11.0.0 through 11.4.0.

Solution:
Apply patch (please see the vendor's advisory for details).

Provided and/or discovered by:
It is currently unclear who reported the vulnerabilities as the Oracle Critical Patch Update for April 2012 only provides a bundled list of credits. This section will be updated when/if the original reporter provides more information.

Original Advisory:
Oracle:
http://www.oracle.com/technetwork/topics/security/cpuapr2012-366314.html

http://secunia.com/advisories/48831/


Was this reply helpful? (0)   (0)

Staff pick

Reply
Report offensive post
Email to friend

Oracle Agile PLM for Process Unspecified Vulnerability

by Carol~ Moderator - 4/18/12 9:47 AM

In Reply to: VULNERABILITIES / FIXES - April 18, 2012 by Carol~ Moderator

Release Date : 2012-04-18

Criticality level : Moderately critical
Impact : Manipulation of data
Where : From remote
Solution Status : Vendor Patch

Software: Oracle Agile PLM (Product Lifecycle Management) for Process 6.x

Description:
A vulnerability has been reported in Oracle Agile PLM for Process, which can be exploited by malicious people to manipulate certain data.

The vulnerability is caused due to an unspecified error in the Supplier Portal component and can be exploited to update, insert, or delete certain Oracle Agile PLM for Process accessible data.

The vulnerability is reported in version 6.0.0.

Solution:
Apply updates (please see the vendor's advisory for details).

Provided and/or discovered by:
It is currently unclear who reported this vulnerability as the Oracle Critical Patch Update for April 2012 only provides a bundled list of credits. This section will be updated when/if the original reporter provides more information.

Original Advisory:
Oracle:
http://www.oracle.com/technetwork/topics/security/cpuapr2012-366314.html#AppendixSCP

http://secunia.com/advisories/48853/


Was this reply helpful? (0)   (0)

Staff pick

Reply
Report offensive post
Email to friend

Oracle Agile PLM Multiple Vulnerabilities

by Carol~ Moderator - 4/18/12 10:11 AM

In Reply to: VULNERABILITIES / FIXES - April 18, 2012 by Carol~ Moderator

Release Date : 2012-04-18

Criticality level : Moderately critical
Impact : Manipulation of data
Exposure of sensitive information
Where : From remote
Solution Status : Vendor Patch

Software: Oracle Agile PLM (Product Lifecycle Management) 6.x

Description:
Multiple vulnerabilities have been reported in Oracle Agile PLM, which can be exploited by malicious users to disclose potentially sensitive information and manipulate certain data and by malicious people to manipulate certain data.

1) An unspecified error in the Install component can be exploited by authenticated users to read, update, insert, or delete certain Oracle Agile accessible data.

2) An unspecified error in the Supplier Portal component can be exploited to update, insert, or delete certain Oracle Agile accessible data.

3) An unspecified error in the SCRM - Company Profiles component can be exploited to update, insert, or delete certain Oracle Agile accessible data.

The vulnerabilities are reported in version 6.0.0.

Solution:
Apply updates (please see the vendor's advisory for details).

Provided and/or discovered by:
It is currently unclear who reported these vulnerabilities as the Oracle Critical Patch Update for April 2012 only provides a bundled list of credits. This section will be updated when/if the original reporter provides more information.

Original Advisory:
Oracle:
http://www.oracle.com/technetwork/topics/security/cpuapr2012-366314.html#AppendixSCP

http://secunia.com/advisories/48874/


Was this reply helpful? (0)   (0)

Staff pick

Reply
Report offensive post
Email to friend

Oracle AutoVue Office Unspecified Vulnerability

by Carol~ Moderator - 4/18/12 11:34 AM

In Reply to: VULNERABILITIES / FIXES - April 18, 2012 by Carol~ Moderator

Release Date : 2012-04-18

Criticality level : Moderately critical
Impact : Manipulation of data
Exposure of sensitive information
DoS
Where : From remote
Solution Status : Vendor Patch

Software: Oracle AutoVue 20.x

Description:
A vulnerability has been reported in Oracle AutoVue Office, which can be exploited by malicious people to disclose potentially sensitive information, manipulate certain data, and cause a DoS (Denial of Service).

The vulnerability is caused due to an unspecified error in the Desktop API component and can be exploited to read, update, insert, or delete certain Oracle AutoVue Office accessible data or cause a crash.

The vulnerability is reported in version 20.0.2.

Solution:
Apply updates (please see the vendor's advisory for details).

Provided and/or discovered by:
It is currently unclear who reported this vulnerability as the Oracle Critical Patch Update for April 2012 only provides a bundled list of credits. This section will be updated when/if the original reporter provides more information.

Original Advisory:
Oracle:
http://www.oracle.com/technetwork/topics/security/cpuapr2012-366314.html#AppendixSCP

http://secunia.com/advisories/48875/


Was this reply helpful? (0)   (0)

Staff pick

Reply
Report offensive post
Email to friend

Red Hat update for kernel

by Carol~ Moderator - 4/18/12 11:36 AM

In Reply to: VULNERABILITIES / FIXES - April 18, 2012 by Carol~ Moderator

Release Date : 2012-04-18

Criticality level : Not critical
Impact : DoS
Where : Local system
Solution Status : Vendor Patch

Operating System: Red Hat Enterprise Linux Desktop 6
Red Hat Enterprise Linux HPC Node 6
Red Hat Enterprise Linux Server 6
Red Hat Enterprise Linux Workstation 6

Description:
Red Hat has issued an update for the kernel. This fixes multiple vulnerabilities, which can be exploited by malicious, local users to cause a DoS (Denial of Service).

Solution:
Updated packages are available via Red Hat Network.

Original Advisory:
RHSA-2012:0481-01:
https://rhn.redhat.com/errata/RHSA-2012-0481.html

http://secunia.com/advisories/48842/


Was this reply helpful? (0)   (0)

Staff pick

Reply
Report offensive post
Email to friend

Sitecom WLM-2501 Wireless Modem Router 300N Cross-Site

by Carol~ Moderator - 4/18/12 3:25 PM

In Reply to: VULNERABILITIES / FIXES - April 18, 2012 by Carol~ Moderator

Sitecom WLM-2501 Wireless Modem Router 300N Cross-Site Request Forgery Vulnerability

Release Date : 2012-04-18

Criticality level : Less critical
Impact : Cross Site Scripting
Where : From remote
Solution Status : Vendor Patch

Operating System: Sitecom WLM-2501 Wireless Modem Router 300N

Description:
Ivano Binetti has reported a vulnerability in Sitecom WLM-2501 Wireless Modem Router 300N, which can be exploited by malicious people to conduct cross-site request forgery attacks.

The application's web interface allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. This can be exploited to e.g. change administrative settings by tricking a logged in administrator into visiting a malicious web site.

The vulnerability is reported in versions prior to 1.03.

Solution:
Update to firmware version 1.03.

Provided and/or discovered by:
Ivano Binetti.

Original Advisory:
Ivano Binetti:
http://www.webapp-security.com/wp-content/uploads/2012/03/Sitecom-WLM-2501-new-Multiple-CSRF-Vulnerabilities-1.txt

Sitecom:
http://www.sitecom.com/support-product/productid/859

http://secunia.com/advisories/48840/


Was this reply helpful? (0)   (0)

Staff pick

Reply
Report offensive post
Email to friend

Oracle iPlanet Web Server Multiple Cross-Site Scripting

by Carol~ Moderator - 4/18/12 3:25 PM

In Reply to: VULNERABILITIES / FIXES - April 18, 2012 by Carol~ Moderator

Oracle iPlanet Web Server Multiple Cross-Site Scripting Vulnerabilities

Release Date : 2012-04-18

Criticality level : Less critical
Impact : Cross Site Scripting
Where : From remote
Solution Status : Vendor Patch

Software: Oracle iPlanet Web Server 7.x

Description:
Sow Ching Shiong has reported multiple vulnerabilities in Oracle iPlanet Web Server, which can be exploited by malicious people to conduct cross-site scripting attacks.

Certain input passed to the administration console is not properly sanitised before being returned to the user. This can can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

The vulnerabilities are reported in version 7.0.9 B07/04/2010 02:06. Other versions may also be affected.

Solution:
Patches are scheduled to be released on 30th April 2012.

Provided and/or discovered by:
Sow Ching Shiong via Secunia.

Original Advisory:
http://www.oracle.com/technetwork/topics/security/cpuapr2012-366314.html#AppendixSUNS

http://secunia.com/advisories/43942/


Was this reply helpful? (0)   (0)

Staff pick

Reply
Report offensive post
Email to friend

Xoops "to_userid" and "current_file" Cross-Site Scripting

by Carol~ Moderator - 4/18/12 3:25 PM

In Reply to: VULNERABILITIES / FIXES - April 18, 2012 by Carol~ Moderator

Xoops "to_userid" and "current_file" Cross-Site Scripting Vulnerabilities

Release Date : 2012-04-18

Criticality level : Less critical
Impact : Cross Site Scripting
Where : From remote
Solution Status : Vendor Patch

Software: Xoops 2.x

Description:
High-Tech Bridge SA has discovered two vulnerabilities in Xoops, which can be exploited by malicious people to conduct cross-site scripting attacks.

1) Input passed via the "to_userid" parameter to modules/pm/pmlite.php is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

2) Input passed via the "current_file" parameter to class/xoopseditor/tinymce/tinymce/jscripts/tiny_mce/plugins/xoopsimagemanager/xoopsimagebrowser.php is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

The vulnerabilities are confirmed in version 2.5.4. Prior versions may also be affected.

Solution:
Update to version 2.5.5.

Provided and/or discovered by:
High-Tech Bridge SA.

Original Advisory:
HTB23062:
https://www.htbridge.com/advisory/multiple_vulnerabilities_in_xoops.html

Xoops:
http://xoops.org/modules/news/article.php?storyid=6284

http://secunia.com/advisories/48887/


Was this reply helpful? (0)   (0)

Staff pick

Reply
Report offensive post
Email to friend

Forum Icon Legend

  • UnreadUnread
  • ReadRead
  • Locked threadLocked thread
  •   
  •   
  •   
  •   
  •   
  •   
  •   
  • ModeratorModerator
  • CNET StaffCNET Staff
  • Samsung StaffSamsung Staff
  • Norton Authorized Support TeamNorton Authorized Support Team
  • AVG StaffAVG Staff
  • avast! Staffavast! Staff
  • Webroot Support TeamWebroot Support Team
  • Acer Customer Experience TeamAcer Customer Experience Team
  • Windows Outreach TeamWindows Outreach Team
  • DISH staffDISH staff
  • Dell StaffDell Staff
  • Intel StaffIntel Staff
  • QuestionQuestion
  • Resolved questionResolved question
  • General discussionGeneral discussion
  • TipTip
  • Alert or warningAlert or warning
  • PraisePraise
  • RantRant

You are e-mailing the following post: Post Subject

Your e-mail address is used only to let the recipient know who sent the e-mail and in case of transmission error. Neither your address nor the recipient's address will be used for any other purpose.

Sorry, there was a problem emailing this post. Please try again.

Submit Email Cancel

Thank you. Sent email to

Close

Thank you. Sent email to

Close

You are reporting the following post: Post Subject

If you believe this post is offensive or violates the CNET Forums' Usage policies, you can report it below (this will not automatically remove the post). Once reported, our moderators will be notified and the post will be reviewed.

Offensive: Sexually explicit or offensive language

Spam: Advertisements or commercial links

Disruptive posting: Flaming or offending other users

Illegal activities: Promote cracked software, or other illegal content

Sorry, there was a problem submitting your post. Please try again.

Submit Report Cancel

Your message has been submitted and will be reviewed by our staff. Thank you for helping us maintain CNET's great community.

Close

Your message has been submitted and will be reviewed by our staff. Thank you for helping us maintain CNET's great community.

Close

You are posting a reply to: Post Subject

The posting of advertisements, profanity, or personal attacks is prohibited. Please refer to the CNET Forums policies for details. All submitted content is subject to CBS Interactive Site Terms of Use.

You are currently tracking this discussion. Click here to manage your tracked discussions.

If you're asking for technical help, please be sure to include all your system info, including operating system, model number, and any other specifics related to the problem. Also please exercise your best judgment when posting in the forums--revealing personal information such as your e-mail address, telephone number, and address is not recommended.

Sorry, there was a problem submitting your post. Please try again.

Sorry, there was a problem generating the preview. Please try again.

Duplicate posts are not allowed in the forums. Please edit your post and submit again.

Submit Reply Preview Cancel

Thank you, , your post has been submitted.

> Click here to view your post. > Manage your tracked discussions. > Track this discussion. Close

Thank you, , your post has been submitted and will appear on our site shortly.

Close