Ad: Manage updates with the Download App
ie8 fix

Spyware, viruses, & security forum: VULNERABILITIES / FIXES - December 21, 2012

by: Carol~ December 21, 2012 9:10 AM PST

Like this

0 people like this thread

Staff pick

VULNERABILITIES / FIXES - December 21, 2012

by Carol~ Moderator - 12/21/12 9:10 AM

Siemens SIMATIC S7-1200 Two Denial of Service Vulnerabilities

Release Date : 2012-12-21

Criticality level : Less critical
Impact: DoS
Where : From local network
Solution Status : Unpatched

Operating System : Siemens SIMATIC S7-1200 2.x
Siemens SIMATIC S7-1200 3.x

Description:
Two vulnerabilities have been reported in SIMATIC S7-1200, which can be exploited by malicious people to cause a DoS (Denial of Service).

1) An error when handling SNMP status information can be exploited to cause the device to enter defect mode via specially crafted packets sent to UDP port 161.

2) An error when handling TCP packets (ISO-TSAP) for device management can be exploited to cause the device to enter defect mode via specially crafted packets sent to TCP port 102.

The vulnerabilities are reported in all 2.x and 3.x versions.

Solution:
The vendor is currently working on a fix. No official solution is currently available.

Provided and/or discovered by:
The vendor credits:
1) Prof. Dr. Hartmut Pohl, softScheck GmbH
2) Arne Vidstrom, Swedish Defence Research Agency (FOI)

Original Advisory:
SSA-724606:
http://www.siemens.com/corporate-technology/pool/de/forschungsfelder/siemens_security_advisory_ssa-724606.pdf

http://secunia.com/advisories/51628/


Reply
Report offensive post
Email to friend

Joomla! Virtuemart 2 Multiple Customfields Filter Module

by Carol~ Moderator - 12/21/12 9:15 AM

In Reply to: VULNERABILITIES / FIXES - December 21, 2012 by Carol~ Moderator

Joomla! Virtuemart 2 Multiple Customfields Filter Module Unspecified Vulnerability

Release Date : 2012-12-21

Criticality level : Moderately critical
Impact : Unknown
Where : From remote
Solution Status Vendor Patch

Software: Virtuemart 2 Multiple Customfields Filter 1.x (module for Joomla!)

Description:
A vulnerability with an unknown impact has been reported in the Virtuemart 2 Multiple Customfields Filter module for Joomla!

The vulnerability is caused due to an unspecified error. No further information is currently available.

The vulnerability is reported in versions prior to 1.6.6.

Solution:
Update to version 1.6.6.

Provided and/or discovered by:
Reported by the vendor.

Original Advisory:
http://myext.eu/en/update/47-v1-66

http://secunia.com/advisories/51635/


Was this reply helpful? (0)   (0)

Staff pick

Reply
Report offensive post
Email to friend

CA IdentityMinder Two Vulnerabilities

by Carol~ Moderator - 12/21/12 9:16 AM

In Reply to: VULNERABILITIES / FIXES - December 21, 2012 by Carol~ Moderator

Release Date : 2012-12-21

Criticality level : Moderately critical
Impact Security Bypass
Manipulation of data
System access
Where : From local network
Solution Status Vendor Patch

Software: CA Identity Manager 12.x

Description:
Two vulnerabilities have been reported in CA IdentityMinder, which can be exploited by malicious people to bypass certain security restrictions, manipulate certain data or compromise a vulnerable system.

1) An unspecified error can be exploited to manipulate certain data or execute arbitrary commands. No further information is currently available.

2) An unspecified error can be exploited to gain elevated access. No further information is currently available.

The vulnerabilities are reported in versions r12.0, r12.5 prior to SP15, and r12.6 GA.

Solution:
Apply patches (please see the vendor's advisory for details).

Provided and/or discovered by:
Reported by the vendor.

Original Advisory:
CA20121220-01:
https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID={FBA53B61-3A68-4506-9876-F845F6DD8A93}

http://secunia.com/advisories/51320/


Was this reply helpful? (0)   (0)

Staff pick

Reply
Report offensive post
Email to friend

Red Hat update for Fuse MQ Enterprise

by Carol~ Moderator - 12/21/12 9:16 AM

In Reply to: VULNERABILITIES / FIXES - December 21, 2012 by Carol~ Moderator

Release Date : 2012-12-21

Criticality level : Less critical
Impact: Dos
Where : From remote
Solution Status :Vendor Patch

Software: Fuse MQ Enterprise 7.x

Description:
Red Hat has issued an update for Fuse MQ Enterprise. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service).

Solution:
Update to version 7.1.0.

Original Advisory:
RHSA-2012:1605-1:
https://rhn.redhat.com/errata/RHSA-2012-1605.html

http://secunia.com/advisories/51653/


Was this reply helpful? (0)   (0)

Staff pick

Reply
Report offensive post
Email to friend

Red Hat update for Fuse ESB Enterprise

by Carol~ Moderator - 12/21/12 9:16 AM

In Reply to: VULNERABILITIES / FIXES - December 21, 2012 by Carol~ Moderator

Release Date : 2012-12-21

Criticality level : Less critical
Impact: Dos
Where : From remote
Solution Status :Vendor Patch

Software: Fuse ESB Enterprise 7.x

Description:
Red Hat has issued an update for Fuse ESB Enterprise. This fixes two vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service).

Solution:
Update to version 7.1.0.

Original Advisory:
RHSA-2012:1604-01:
https://rhn.redhat.com/errata/RHSA-2012-1604.html

http://secunia.com/advisories/51659/


Was this reply helpful? (0)   (0)

Staff pick

Reply
Report offensive post
Email to friend

Red Hat update for Fuse Management Console

by Carol~ Moderator - 12/21/12 9:16 AM

In Reply to: VULNERABILITIES / FIXES - December 21, 2012 by Carol~ Moderator

Release Date : 2012-12-21

Criticality level : Less critical
Impact: Dos
Where : From remote
Solution Status : Unpatched

Software: Fuse Management Console 1.x

Description:
Red Hat has issued an update for Fuse Management Console. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service).

Solution:
Upgrade to version 7.1.0.

Original Advisory:
RHSA-2012:1606-1:
https://rhn.redhat.com/errata/RHSA-2012-1606.html

http://secunia.com/advisories/51658/


Was this reply helpful? (0)   (0)

Staff pick

Reply
Report offensive post
Email to friend

VMware vCenter Server Appliance Two Information Disclosure

by Carol~ Moderator - 12/21/12 9:16 AM

In Reply to: VULNERABILITIES / FIXES - December 21, 2012 by Carol~ Moderator

VMware vCenter Server Appliance Two Information Disclosure Vulnerabilities

Release Date : 2012-12-21

Criticality level : Less critical
Impact: Exposure of sensitive information
Where : From local network
Solution Status : Vendor Patch

Software: VMware vCenter Server Appliance 5.x

Description:
Two vulnerabilities have been reported in VMware vCenter Server Appliance, which can be exploited by malicious users to disclose certain sensitive information.

1) Certain unspecified input is not properly verified before being used to access files. This can be exploited to disclose the contents of arbitrary files via directory traversal sequences.

This vulnerability is reported in versions 5.1 and 5.0.

2) Certain unspecified input passed via XML files is not properly verified before being used to download files. This can be exploited to download arbitrary files.

This vulnerability is reported in version 5.0.

Solution:
Apply patches.

Provided and/or discovered by:
The vendor credits Alexander Minozhenko, ERPScan.

Original Advisory:
http://www.vmware.com/security/advisories/VMSA-2012-0018.html

http://secunia.com/advisories/46859/


Was this reply helpful? (0)   (0)

Staff pick

Reply
Report offensive post
Email to friend

VMware ESXi glibc Multiple Vulnerabilities

by Carol~ Moderator - 12/21/12 10:28 AM

In Reply to: VULNERABILITIES / FIXES - December 21, 2012 by Carol~ Moderator

Release Date : 2012-12-21

Criticality level Moderately critical
Impact Privilege escalation
DoS
System access
Where: From remote
Solution Status Vendor Patch

Operating System : VMware ESXi 5.x

Description:
VMware has acknowledged multiple vulnerabilities in VMware ESXi, which potentially can be exploited by malicious, local users to cause a DoS (Denial of Service) and potentially gain escalated privileges, by malicious users to compromise a vulnerable system, and by malicious people to cause a DoS (Denial of Service).

The vulnerabilities are reported in versions 5.1 and 5.0.

Solution:
Apply patches.

Original Advisory:
http://www.vmware.com/security/advisories/VMSA-2012-0018.html

http://secunia.com/advisories/51555/


Was this reply helpful? (0)   (0)

Staff pick

Reply
Report offensive post
Email to friend

IBM InfoSphere Streams Java Multiple Vulnerabilities

by Carol~ Moderator - 12/21/12 11:26 AM

In Reply to: VULNERABILITIES / FIXES - December 21, 2012 by Carol~ Moderator

Release Date : 2012-12-20

Criticality level : Highly critical
Impact : DoS
System access
Where: From remote
Solution Status : Vendor Patch

Software: IBM InfoSphere Streams 1.x
IBM InfoSphere Streams 2.x
IBM InfoSphere Streams 3.x

Description:
IBM has acknowledged multiple vulnerabilities in IBM InfoSphere Streams, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a vulnerable system.

The vulnerabilities are reported in versions 1.2, 2.0, and 3.0.

Solution:
Apply patch.

Original Advisory:
https://www.ibm.com/support/docview.wss?uid=swg21620575
https://www.ibm.com/connections/blogs/PSIRT/entry/security_bulletin_potential_security_exposure_when_using_ibm_infosphere_streams_due_to_vulnerabilities_in_ibm_java_se_version_6_sdk6

http://secunia.com/advisories/51657/


Was this reply helpful? (0)   (0)

Staff pick

Reply
Report offensive post
Email to friend

IBM WebSphere Application Server for z/OS Arbitrary Command

by Carol~ Moderator - 12/21/12 11:27 AM

In Reply to: VULNERABILITIES / FIXES - December 21, 2012 by Carol~ Moderator

IBM WebSphere Application Server for z/OS Arbitrary Command Execution Vulnerability

Release Date : 2012-12-20

Criticality level : Highly critical
Impact System access
Where From remote
Solution Status : Vendor Patch

Software: IBM WebSphere Application Server 5.x

Description:
A vulnerability has been reported in IBM WebSphere Application Server for z/OS, which can be exploited by malicious people to compromise a vulnerable system.

The vulnerability is caused due to an unspecified error within the HTTP Server and can be exploited to execute arbitrary commands.

The vulnerability is reported in version 5.3 running on z/OS.

Solution:
Apply PTF UK90469 or later.

Provided and/or discovered by:
Reported by the vendor.

Original Advisory:
IBM (UK90469, PM79239):
http://www.ibm.com/support/docview.wss?uid=swg21620945

http://secunia.com/advisories/51656/


Was this reply helpful? (0)   (0)

Staff pick

Reply
Report offensive post
Email to friend

Ubuntu update for libav

by Carol~ Moderator - 12/21/12 11:55 AM

In Reply to: VULNERABILITIES / FIXES - December 21, 2012 by Carol~ Moderator

Release Date : 2012-12-20

Criticality level : Highly critical
Impact Unknown
DoS
System access
Where From remote
Solution Status : Vendor Patch

Operating System : Ubuntu Linux 11.10

Description:
Ubuntu has issued an update for libav. This fixes multiple vulnerabilities, where some have an unknown impact and others can be exploited by malicious people to compromise an application using the library.

Solution:
Apply updated packages.

Original Advisory:
USN-1674-1:
http://www.ubuntu.com/usn/usn-1674-1/

http://secunia.com/advisories/51643/


Was this reply helpful? (0)   (0)

Staff pick

Reply
Report offensive post
Email to friend

Foreman Multiple SQL Injection Vulnerabilities

by Carol~ Moderator - 12/21/12 11:55 AM

In Reply to: VULNERABILITIES / FIXES - December 21, 2012 by Carol~ Moderator

Release Date : 2012-12-21

Criticality level : Less critical
Impact: Manipulation of data
Where : From local network
Solution Status : Vendor Patch

Software: Foreman 1.x

Description:
Multiple vulnerabilities have been reported in Foreman, which can be exploited by malicious people to conduct SQL injection attacks.

Certain input passed while searching is not properly sanitised in models/hostext/search.rb and models/puppetclass.rb before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

The vulnerabilities are reported in version 1.0.1. Prior versions may also be affected.

Solution:
Update to version 1.0.2.

Provided and/or discovered by:
Amos Benari

Original Advisory:
http://seclists.org/oss-sec/2012/q4/499

http://secunia.com/advisories/51557/


Was this reply helpful? (0)   (0)

Staff pick

Reply
Report offensive post
Email to friend

IBM Tivoli Remote Control / IBM Tivoli Endpoint Manager

by Carol~ Moderator - 12/21/12 12:30 PM

In Reply to: VULNERABILITIES / FIXES - December 21, 2012 by Carol~ Moderator

IBM Tivoli Remote Control / IBM Tivoli Endpoint Manager for Remote Control Java Multiple Vulnerabilities

Release Date : 2012-12-20

Criticality level : Highly critical
Impact : Security Bypass
System access
Where: From remote
Solution Status : Vendor Patch

Software: IBM Tivoli Endpoint Manager 8.x
IBM Tivoli Remote Control 5.x

Description:
IBM has acknowledged multiple vulnerabilities in IBM Tivoli Remote Control and IBM Tivoli Endpoint Manager for Remote Control, which can be exploited by malicious people to bypass certain security restrictions and compromise a user's system.

The vulnerabilities are reported in IBM Tivoli Remote Control version 5.1.2 and IBM Tivoli Endpoint Manager for Remote Control version 8.2.

Solution:
Apply fixes.

Original Advisory:
IBM:
http://www.ibm.com/support/docview.wss?uid=swg21616594
http://www.ibm.com/support/docview.wss?uid=swg24034117
http://www.ibm.com/support/docview.wss?uid=swg21616584
http://www.ibm.com/support/docview.wss?uid=swg24034115
https://www.ibm.com/connections/blogs/PSIRT/entry/security_bulletin_tivoli_remote_control_5_1_2_clients_affected_by_vulnerabilities_in_ibm_jre_cve_2012_4820_cve_2012_4821_cve_2012_4822_cve_2012_48237

http://secunia.com/advisories/51584/


Was this reply helpful? (0)   (0)

Staff pick

Reply
Report offensive post
Email to friend

Forum Icon Legend

  • UnreadUnread
  • ReadRead
  • Locked threadLocked thread
  •   
  •   
  •   
  •   
  •   
  •   
  •   
  • ModeratorModerator
  • CNET StaffCNET Staff
  • Samsung StaffSamsung Staff
  • Norton Authorized Support TeamNorton Authorized Support Team
  • AVG StaffAVG Staff
  • avast! Staffavast! Staff
  • Webroot Support TeamWebroot Support Team
  • Acer Customer Experience TeamAcer Customer Experience Team
  • Windows Outreach TeamWindows Outreach Team
  • DISH staffDISH staff
  • Dell StaffDell Staff
  • Intel StaffIntel Staff
  • QuestionQuestion
  • Resolved questionResolved question
  • General discussionGeneral discussion
  • TipTip
  • Alert or warningAlert or warning
  • PraisePraise
  • RantRant

You are e-mailing the following post: Post Subject

Your e-mail address is used only to let the recipient know who sent the e-mail and in case of transmission error. Neither your address nor the recipient's address will be used for any other purpose.

Sorry, there was a problem emailing this post. Please try again.

Submit Email Cancel

Thank you. Sent email to

Close

Thank you. Sent email to

Close

You are reporting the following post: Post Subject

If you believe this post is offensive or violates the CNET Forums' Usage policies, you can report it below (this will not automatically remove the post). Once reported, our moderators will be notified and the post will be reviewed.

Offensive: Sexually explicit or offensive language

Spam: Advertisements or commercial links

Disruptive posting: Flaming or offending other users

Illegal activities: Promote cracked software, or other illegal content

Sorry, there was a problem submitting your post. Please try again.

Submit Report Cancel

Your message has been submitted and will be reviewed by our staff. Thank you for helping us maintain CNET's great community.

Close

Your message has been submitted and will be reviewed by our staff. Thank you for helping us maintain CNET's great community.

Close

You are posting a reply to: Post Subject

The posting of advertisements, profanity, or personal attacks is prohibited. Please refer to the CNET Forums policies for details. All submitted content is subject to CBS Interactive Site Terms of Use.

You are currently tracking this discussion. Click here to manage your tracked discussions.

If you're asking for technical help, please be sure to include all your system info, including operating system, model number, and any other specifics related to the problem. Also please exercise your best judgment when posting in the forums--revealing personal information such as your e-mail address, telephone number, and address is not recommended.

Sorry, there was a problem submitting your post. Please try again.

Sorry, there was a problem generating the preview. Please try again.

Duplicate posts are not allowed in the forums. Please edit your post and submit again.

Submit Reply Preview Cancel

Thank you, , your post has been submitted.

> Click here to view your post. > Manage your tracked discussions. > Track this discussion. Close

Thank you, , your post has been submitted and will appear on our site shortly.

Close