Vulnerabilities related to netapp - snapdrive
Vulnerability from fkie_nvd
Published
2018-10-29 13:29
Modified
2024-11-21 03:38
Summary
The OpenSSL ECDSA signature algorithm has been shown to be vulnerable to a timing side-channel attack. An attacker could use timing variations in the signing algorithm to recover the private key. Affected: OpenSSL 1.1.0 through 1.1.0i (fixed in 1.1.0j) and OpenSSL 1.1.1 (fixed in 1.1.1a).
References
openssl-security@openssl.org | http://www.securityfocus.com/bid/105750 | Third Party Advisory, VDB Entry
openssl-security@openssl.org | http://www.securitytracker.com/id/1041986 | Third Party Advisory, VDB Entry
openssl-security@openssl.org | https://access.redhat.com/errata/RHSA-2019:3700 | Third Party Advisory
openssl-security@openssl.org | https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=56fb454d281a023b3f950d969693553d3f3ceea1
openssl-security@openssl.org | https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=b1d6d55ece1c26fa2829e2b819b038d7b6d692b4
openssl-security@openssl.org | https://lists.debian.org/debian-lts-announce/2018/11/msg00024.html | Mailing List, Third Party Advisory
openssl-security@openssl.org | https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/ | Third Party Advisory
openssl-security@openssl.org | https://security.netapp.com/advisory/ntap-20181105-0002/ | Third Party Advisory
openssl-security@openssl.org | https://usn.ubuntu.com/3840-1/ | Third Party Advisory
openssl-security@openssl.org | https://www.debian.org/security/2018/dsa-4348 | Third Party Advisory
openssl-security@openssl.org | https://www.openssl.org/news/secadv/20181029.txt | Vendor Advisory
openssl-security@openssl.org | https://www.oracle.com/security-alerts/cpujan2020.html | Third Party Advisory
openssl-security@openssl.org | https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html | Patch, Third Party Advisory
openssl-security@openssl.org | https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html | Patch, Third Party Advisory
openssl-security@openssl.org | https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html | Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 | http://www.securityfocus.com/bid/105750 | Third Party Advisory, VDB Entry
af854a3a-2127-422b-91ae-364da2661108 | http://www.securitytracker.com/id/1041986 | Third Party Advisory, VDB Entry
af854a3a-2127-422b-91ae-364da2661108 | https://access.redhat.com/errata/RHSA-2019:3700 | Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 | https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=56fb454d281a023b3f950d969693553d3f3ceea1
af854a3a-2127-422b-91ae-364da2661108 | https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=b1d6d55ece1c26fa2829e2b819b038d7b6d692b4
af854a3a-2127-422b-91ae-364da2661108 | https://lists.debian.org/debian-lts-announce/2018/11/msg00024.html | Mailing List, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 | https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/ | Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 | https://security.netapp.com/advisory/ntap-20181105-0002/ | Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 | https://usn.ubuntu.com/3840-1/ | Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 | https://www.debian.org/security/2018/dsa-4348 | Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 | https://www.openssl.org/news/secadv/20181029.txt | Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108 | https://www.oracle.com/security-alerts/cpujan2020.html | Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 | https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html | Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 | https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html | Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 | https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html | Patch, Third Party Advisory
Impacted products
Vendor Product Version
openssl openssl *
openssl openssl 1.1.1
canonical ubuntu_linux 14.04
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
canonical ubuntu_linux 18.10
debian debian_linux 8.0
debian debian_linux 9.0
nodejs node.js *
nodejs node.js *
nodejs node.js 10.13.0
netapp cn1610_firmware -
netapp cn1610 -
netapp cloud_backup -
netapp element_software -
netapp oncommand_unified_manager *
netapp oncommand_unified_manager *
netapp santricity_smi-s_provider -
netapp smi-s_provider -
netapp snapdrive -
netapp snapdrive -
netapp steelstore -
oracle api_gateway 11.1.2.4.0
oracle application_server 0.9.8
oracle application_server 1.0.0
oracle application_server 1.0.1
oracle enterprise_manager_base_platform 12.1.0.5.0
oracle enterprise_manager_base_platform 13.2.0.0.0
oracle enterprise_manager_base_platform 13.3.0.0.0
oracle enterprise_manager_ops_center 12.3.3
oracle mysql *
oracle mysql *
oracle mysql *
oracle peoplesoft_enterprise_peopletools 8.55
oracle peoplesoft_enterprise_peopletools 8.56
oracle peoplesoft_enterprise_peopletools 8.57
oracle primavera_p6_enterprise_project_portfolio_management *
oracle primavera_p6_enterprise_project_portfolio_management 8.4
oracle primavera_p6_enterprise_project_portfolio_management 15.1
oracle primavera_p6_enterprise_project_portfolio_management 15.2
oracle primavera_p6_enterprise_project_portfolio_management 16.1
oracle primavera_p6_enterprise_project_portfolio_management 16.2
oracle primavera_p6_enterprise_project_portfolio_management 18.8
oracle secure_global_desktop 5.4
oracle tuxedo 12.1.1.0.0
oracle vm_virtualbox *
oracle vm_virtualbox *



{
   configurations: [
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "5953EAB1-D0E8-48EA-B07D-3B828E6BB326",
                     versionEndIncluding: "1.1.0i",
                     versionStartIncluding: "1.1.0",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:openssl:openssl:1.1.1:*:*:*:*:*:*:*",
                     matchCriteriaId: "F69F3542-173D-4E0D-99BB-42FDD206D996",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*",
                     matchCriteriaId: "B5A6F2F3-4894-4392-8296-3B8DD2679084",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*",
                     matchCriteriaId: "F7016A2A-8365-4F1A-89A2-7A19F2BCAE5B",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*",
                     matchCriteriaId: "23A7C53F-B80F-4E6A-AFA9-58EEA84BE11D",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:o:canonical:ubuntu_linux:18.10:*:*:*:*:*:*:*",
                     matchCriteriaId: "07C312A0-CD2C-4B9C-B064-6409B25C278F",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*",
                     matchCriteriaId: "C11E6FB0-C8C0-4527-9AA0-CB9B316F8F43",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*",
                     matchCriteriaId: "DEECE5FC-CACF-4496-A3E7-164736409252",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*",
                     matchCriteriaId: "5725F854-27B7-4BC1-8DCA-FAC0B4E41139",
                     versionEndExcluding: "10.12.0",
                     versionStartIncluding: "10.0.0",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*",
                     matchCriteriaId: "4E62EA78-C705-4AC9-9C0B-3C9114087C37",
                     versionEndExcluding: "11.3.0",
                     versionStartIncluding: "11.0.0",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:nodejs:node.js:10.13.0:*:*:*:lts:*:*:*",
                     matchCriteriaId: "541EAE2B-5446-46CE-BC91-13188EAD6092",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:o:netapp:cn1610_firmware:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "EB30733E-68FC-49C4-86C0-7FEE75C366BF",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:h:netapp:cn1610:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "6361DAC6-600F-4B15-8797-D67F298F46FB",
                     vulnerable: false,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
         operator: "AND",
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:a:netapp:cloud_backup:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "5C2089EE-5D7F-47EC-8EA5-0F69790564C4",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:netapp:element_software:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "85DF4B3F-4BBC-42B7-B729-096934523D63",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:netapp:oncommand_unified_manager:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "CBF1DFDA-FB66-4CEA-A658-B167326D1D96",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:netapp:oncommand_unified_manager:*:*:*:*:*:vsphere:*:*",
                     matchCriteriaId: "7E49ACFC-FD48-4ED7-86E8-68B5B753852C",
                     versionStartIncluding: "9.4",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:netapp:santricity_smi-s_provider:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "361B791A-D336-4431-8F68-8135BEFFAEA2",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:netapp:smi-s_provider:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "4BB0FDCF-3750-44C6-AC5C-0CC2AAD14093",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:netapp:snapdrive:-:*:*:*:*:unix:*:*",
                     matchCriteriaId: "61D7EF01-F618-497F-9375-8003CEA3D380",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:netapp:snapdrive:-:*:*:*:*:windows:*:*",
                     matchCriteriaId: "BEDE62C6-D571-4AF8-B85E-CBBCE4AF98B5",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:netapp:steelstore:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "0DF5449D-22D2-48B4-8F50-57B43DCB15B9",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:a:oracle:api_gateway:11.1.2.4.0:*:*:*:*:*:*:*",
                     matchCriteriaId: "A5553591-073B-45E3-999F-21B8BA2EEE22",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:application_server:0.9.8:*:*:*:*:*:*:*",
                     matchCriteriaId: "BD941CDF-8486-43F7-9D98-2B8785B1B139",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:application_server:1.0.0:*:*:*:*:*:*:*",
                     matchCriteriaId: "EDE18990-1FC9-4624-971B-2E87BF0871AF",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:application_server:1.0.1:*:*:*:*:*:*:*",
                     matchCriteriaId: "17C29F2D-CBE6-4E22-98AE-787E939ED161",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:enterprise_manager_base_platform:12.1.0.5.0:*:*:*:*:*:*:*",
                     matchCriteriaId: "98F3E643-4B65-4668-BB11-C61ED54D5A53",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:enterprise_manager_base_platform:13.2.0.0.0:*:*:*:*:*:*:*",
                     matchCriteriaId: "459B4A5F-A6BD-4A1C-B6B7-C979F005EB70",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:enterprise_manager_base_platform:13.3.0.0.0:*:*:*:*:*:*:*",
                     matchCriteriaId: "CDCE0E90-495E-4437-8529-3C36441FB69D",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:enterprise_manager_ops_center:12.3.3:*:*:*:*:*:*:*",
                     matchCriteriaId: "AB654DFA-FEF9-4D00-ADB0-F3F2B6ACF13E",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:mysql:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "65B4E766-8D75-48A9-8267-6EE1407B949D",
                     versionEndIncluding: "5.6.42",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:mysql:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "F17AD8D0-6D79-4E7D-9CD6-9B130A529C5D",
                     versionEndIncluding: "5.7.24",
                     versionStartIncluding: "5.7.0",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:mysql:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "C743C44C-2E97-4E5E-8C76-FC0E666BA115",
                     versionEndIncluding: "8.0.13",
                     versionStartIncluding: "8.0.0",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.55:*:*:*:*:*:*:*",
                     matchCriteriaId: "45CB30A1-B2C9-4BF5-B510-1F2F18B60C64",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.56:*:*:*:*:*:*:*",
                     matchCriteriaId: "D0A735B4-4F3C-416B-8C08-9CB21BAD2889",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.57:*:*:*:*:*:*:*",
                     matchCriteriaId: "7E1E416B-920B-49A0-9523-382898C2979D",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "7A1E1023-2EB9-4334-9B74-CA71480F71C2",
                     versionEndIncluding: "17.12",
                     versionStartIncluding: "17.7",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:8.4:*:*:*:*:*:*:*",
                     matchCriteriaId: "84BF6794-2CE6-407F-B8E0-81871AB7B40B",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:15.1:*:*:*:*:*:*:*",
                     matchCriteriaId: "93A4E178-0082-45C5-BBC0-0A4E51C8B1DE",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:15.2:*:*:*:*:*:*:*",
                     matchCriteriaId: "3F021C23-AB9B-4877-833F-D01359A98762",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:16.1:*:*:*:*:*:*:*",
                     matchCriteriaId: "2F8ED016-32A1-42EE-844E-3E6B2C116B74",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:16.2:*:*:*:*:*:*:*",
                     matchCriteriaId: "A046CC2C-445F-4336-8810-930570B4FEC6",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:18.8:*:*:*:*:*:*:*",
                     matchCriteriaId: "0745445C-EC43-4091-BA7C-5105AFCC6F1F",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:secure_global_desktop:5.4:*:*:*:*:*:*:*",
                     matchCriteriaId: "B5265C91-FF5C-4451-A7C2-D388A65ACFA2",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:tuxedo:12.1.1.0.0:*:*:*:*:*:*:*",
                     matchCriteriaId: "92A6A7BA-CCE6-426F-8434-7A578A245180",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:vm_virtualbox:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "B52550D1-38F6-4AAC-BE68-487F7D6DB2D8",
                     versionEndExcluding: "6.0.0",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:vm_virtualbox:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "F3F69D90-6F4D-4D09-8F60-E36072303E32",
                     versionEndExcluding: "5.2.24",
                     versionStartIncluding: "5.0.0",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
   ],
   cveTags: [],
   descriptions: [
      {
         lang: "en",
         value: "The OpenSSL ECDSA signature algorithm has been shown to be vulnerable to a timing side channel attack. An attacker could use variations in the signing algorithm to recover the private key. Fixed in OpenSSL 1.1.0j (Affected 1.1.0-1.1.0i). Fixed in OpenSSL 1.1.1a (Affected 1.1.1).",
      },
      {
         lang: "es",
         value: "Se ha demostrado que el algoritmo de firmas ECDSA en OpenSSL es vulnerable a un ataque de sincronización de canal lateral. Un atacante podría emplear variaciones en el algoritmo de firma para recuperar la clave privada. Se ha solucionado en OpenSSL 1.1.0j (afecta a 1.1.0-1.1.0i). Se ha solucionado en OpenSSL 1.1.1a (afecta a 1.1.1).",
      },
   ],
   id: "CVE-2018-0735",
   lastModified: "2024-11-21T03:38:50.413",
   metrics: {
      cvssMetricV2: [
         {
            acInsufInfo: false,
            baseSeverity: "MEDIUM",
            cvssData: {
               accessComplexity: "MEDIUM",
               accessVector: "NETWORK",
               authentication: "NONE",
               availabilityImpact: "NONE",
               baseScore: 4.3,
               confidentialityImpact: "PARTIAL",
               integrityImpact: "NONE",
               vectorString: "AV:N/AC:M/Au:N/C:P/I:N/A:N",
               version: "2.0",
            },
            exploitabilityScore: 8.6,
            impactScore: 2.9,
            obtainAllPrivilege: false,
            obtainOtherPrivilege: false,
            obtainUserPrivilege: false,
            source: "nvd@nist.gov",
            type: "Primary",
            userInteractionRequired: false,
         },
      ],
      cvssMetricV31: [
         {
            cvssData: {
               attackComplexity: "HIGH",
               attackVector: "NETWORK",
               availabilityImpact: "NONE",
               baseScore: 5.9,
               baseSeverity: "MEDIUM",
               confidentialityImpact: "HIGH",
               integrityImpact: "NONE",
               privilegesRequired: "NONE",
               scope: "UNCHANGED",
               userInteraction: "NONE",
               vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
               version: "3.1",
            },
            exploitabilityScore: 2.2,
            impactScore: 3.6,
            source: "nvd@nist.gov",
            type: "Primary",
         },
      ],
   },
   published: "2018-10-29T13:29:00.263",
   references: [
      {
         source: "openssl-security@openssl.org",
         tags: [
            "Third Party Advisory",
            "VDB Entry",
         ],
         url: "http://www.securityfocus.com/bid/105750",
      },
      {
         source: "openssl-security@openssl.org",
         tags: [
            "Third Party Advisory",
            "VDB Entry",
         ],
         url: "http://www.securitytracker.com/id/1041986",
      },
      {
         source: "openssl-security@openssl.org",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://access.redhat.com/errata/RHSA-2019:3700",
      },
      {
         source: "openssl-security@openssl.org",
         url: "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=56fb454d281a023b3f950d969693553d3f3ceea1",
      },
      {
         source: "openssl-security@openssl.org",
         url: "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=b1d6d55ece1c26fa2829e2b819b038d7b6d692b4",
      },
      {
         source: "openssl-security@openssl.org",
         tags: [
            "Mailing List",
            "Third Party Advisory",
         ],
         url: "https://lists.debian.org/debian-lts-announce/2018/11/msg00024.html",
      },
      {
         source: "openssl-security@openssl.org",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/",
      },
      {
         source: "openssl-security@openssl.org",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://security.netapp.com/advisory/ntap-20181105-0002/",
      },
      {
         source: "openssl-security@openssl.org",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://usn.ubuntu.com/3840-1/",
      },
      {
         source: "openssl-security@openssl.org",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://www.debian.org/security/2018/dsa-4348",
      },
      {
         source: "openssl-security@openssl.org",
         tags: [
            "Vendor Advisory",
         ],
         url: "https://www.openssl.org/news/secadv/20181029.txt",
      },
      {
         source: "openssl-security@openssl.org",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://www.oracle.com/security-alerts/cpujan2020.html",
      },
      {
         source: "openssl-security@openssl.org",
         tags: [
            "Patch",
            "Third Party Advisory",
         ],
         url: "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html",
      },
      {
         source: "openssl-security@openssl.org",
         tags: [
            "Patch",
            "Third Party Advisory",
         ],
         url: "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html",
      },
      {
         source: "openssl-security@openssl.org",
         tags: [
            "Patch",
            "Third Party Advisory",
         ],
         url: "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Third Party Advisory",
            "VDB Entry",
         ],
         url: "http://www.securityfocus.com/bid/105750",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Third Party Advisory",
            "VDB Entry",
         ],
         url: "http://www.securitytracker.com/id/1041986",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://access.redhat.com/errata/RHSA-2019:3700",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         url: "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=56fb454d281a023b3f950d969693553d3f3ceea1",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         url: "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=b1d6d55ece1c26fa2829e2b819b038d7b6d692b4",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Mailing List",
            "Third Party Advisory",
         ],
         url: "https://lists.debian.org/debian-lts-announce/2018/11/msg00024.html",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://security.netapp.com/advisory/ntap-20181105-0002/",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://usn.ubuntu.com/3840-1/",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://www.debian.org/security/2018/dsa-4348",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Vendor Advisory",
         ],
         url: "https://www.openssl.org/news/secadv/20181029.txt",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://www.oracle.com/security-alerts/cpujan2020.html",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Patch",
            "Third Party Advisory",
         ],
         url: "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Patch",
            "Third Party Advisory",
         ],
         url: "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Patch",
            "Third Party Advisory",
         ],
         url: "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html",
      },
   ],
   sourceIdentifier: "openssl-security@openssl.org",
   vulnStatus: "Modified",
   weaknesses: [
      {
         description: [
            {
               lang: "en",
               value: "CWE-327",
            },
         ],
         source: "nvd@nist.gov",
         type: "Primary",
      },
   ],
}

Vulnerability from fkie_nvd
Published
2022-05-03 03:15
Modified
2024-11-21 06:59
Summary
In libxml2 before 2.9.14, several buffer handling functions in buf.c (xmlBuf*) and tree.c (xmlBuffer*) don't check for integer overflows. This can result in out-of-bounds memory writes. Exploitation requires a victim to open a crafted, multi-gigabyte XML file. Other software using libxml2's buffer functions, for example libxslt through 1.1.35, is affected as well.
References
cve@mitre.org | http://packetstormsecurity.com/files/167345/libxml2-xmlBufAdd-Heap-Buffer-Overflow.html | Exploit, Third Party Advisory, VDB Entry
cve@mitre.org | http://packetstormsecurity.com/files/169825/libxml2-xmlParseNameComplex-Integer-Overflow.html | Exploit, Third Party Advisory, VDB Entry
cve@mitre.org | https://gitlab.gnome.org/GNOME/libxml2/-/commit/2554a2408e09f13652049e5ffb0d26196b02ebab | Patch, Third Party Advisory
cve@mitre.org | https://gitlab.gnome.org/GNOME/libxml2/-/commit/6c283d83eccd940bcde15634ac8c7f100e3caefd | Patch, Third Party Advisory
cve@mitre.org | https://gitlab.gnome.org/GNOME/libxml2/-/tags/v2.9.14 | Release Notes, Third Party Advisory
cve@mitre.org | https://gitlab.gnome.org/GNOME/libxslt/-/tags | Product, Third Party Advisory
cve@mitre.org | https://lists.debian.org/debian-lts-announce/2022/05/msg00023.html | Mailing List, Third Party Advisory
cve@mitre.org | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FZOBT5Y6Y2QLDDX2HZGMV7MJMWGXORKK/
cve@mitre.org | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/P3NVZVWFRBXBI3AKZZWUWY6INQQPQVSF/
cve@mitre.org | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/P5363EDV5VHZ5C77ODA43RYDCPMA7ARM/
cve@mitre.org | https://security.gentoo.org/glsa/202210-03 | Third Party Advisory
cve@mitre.org | https://security.netapp.com/advisory/ntap-20220715-0006/ | Third Party Advisory
cve@mitre.org | https://www.debian.org/security/2022/dsa-5142 | Third Party Advisory
cve@mitre.org | https://www.oracle.com/security-alerts/cpujul2022.html | Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 | http://packetstormsecurity.com/files/167345/libxml2-xmlBufAdd-Heap-Buffer-Overflow.html | Exploit, Third Party Advisory, VDB Entry
af854a3a-2127-422b-91ae-364da2661108 | http://packetstormsecurity.com/files/169825/libxml2-xmlParseNameComplex-Integer-Overflow.html | Exploit, Third Party Advisory, VDB Entry
af854a3a-2127-422b-91ae-364da2661108 | https://gitlab.gnome.org/GNOME/libxml2/-/commit/2554a2408e09f13652049e5ffb0d26196b02ebab | Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 | https://gitlab.gnome.org/GNOME/libxml2/-/commit/6c283d83eccd940bcde15634ac8c7f100e3caefd | Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 | https://gitlab.gnome.org/GNOME/libxml2/-/tags/v2.9.14 | Release Notes, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 | https://gitlab.gnome.org/GNOME/libxslt/-/tags | Product, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 | https://lists.debian.org/debian-lts-announce/2022/05/msg00023.html | Mailing List, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FZOBT5Y6Y2QLDDX2HZGMV7MJMWGXORKK/
af854a3a-2127-422b-91ae-364da2661108 | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/P3NVZVWFRBXBI3AKZZWUWY6INQQPQVSF/
af854a3a-2127-422b-91ae-364da2661108 | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/P5363EDV5VHZ5C77ODA43RYDCPMA7ARM/
af854a3a-2127-422b-91ae-364da2661108 | https://security.gentoo.org/glsa/202210-03 | Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 | https://security.netapp.com/advisory/ntap-20220715-0006/ | Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 | https://www.debian.org/security/2022/dsa-5142 | Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 | https://www.oracle.com/security-alerts/cpujul2022.html | Patch, Third Party Advisory



{
   configurations: [
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:a:xmlsoft:libxml2:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "89C29E70-5CC5-43AF-8373-9E7AD6F2F700",
                     versionEndExcluding: "2.9.14",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:xmlsoft:libxslt:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "7C8E0B72-62EC-47B5-9957-4DC840F5E968",
                     versionEndIncluding: "1.1.35",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*",
                     matchCriteriaId: "A930E247-0B43-43CB-98FF-6CE7B8189835",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*",
                     matchCriteriaId: "80E516C0-98A4-4ADE-B69F-66A772E2BAAA",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:*",
                     matchCriteriaId: "5C675112-476C-4D7C-BCB9-A2FB2D0BC9FD",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*",
                     matchCriteriaId: "DEECE5FC-CACF-4496-A3E7-164736409252",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*",
                     matchCriteriaId: "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*",
                     matchCriteriaId: "FA6FEEC2-9F11-4643-8827-749718254FED",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:vsphere:*:*",
                     matchCriteriaId: "E8F29E19-3A64-4426-A2AA-F169440267CC",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:netapp:clustered_data_ontap:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "1FE996B1-6951-4F85-AA58-B99A379D2163",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:netapp:clustered_data_ontap_antivirus_connector:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "62347994-1353-497C-9C4A-D5D8D95F67E8",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:netapp:manageability_software_development_kit:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "D39DCAE7-494F-40B2-867F-6C6A077939DD",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:netapp:ontap_select_deploy_administration_utility:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "E7CF3019-975D-40BB-A8A4-894E62BD3797",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:netapp:smi-s_provider:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "4BB0FDCF-3750-44C6-AC5C-0CC2AAD14093",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:netapp:snapdrive:-:*:*:*:*:unix:*:*",
                     matchCriteriaId: "61D7EF01-F618-497F-9375-8003CEA3D380",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:netapp:snapmanager:-:*:*:*:*:hyper-v:*:*",
                     matchCriteriaId: "80774A35-B0B8-4F9C-99CA-23849978D158",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:netapp:solidfire_\\&_hci_management_node:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "D6D700C5-F67F-4FFB-BE69-D524592A3D2E",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:a:oracle:zfs_storage_appliance_kit:8.8:*:*:*:*:*:*:*",
                     matchCriteriaId: "D3E503FB-6279-4D4A-91D8-E237ECF9D2B0",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:o:netapp:h300s_firmware:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "6770B6C3-732E-4E22-BF1C-2D2FD610061C",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:h:netapp:h300s:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "9F9C8C20-42EB-4AB5-BD97-212DEB070C43",
                     vulnerable: false,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
         operator: "AND",
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:o:netapp:h500s_firmware:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "7FFF7106-ED78-49BA-9EC5-B889E3685D53",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:h:netapp:h500s:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "E63D8B0F-006E-4801-BF9D-1C001BBFB4F9",
                     vulnerable: false,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
         operator: "AND",
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:o:netapp:h700s_firmware:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "56409CEC-5A1E-4450-AA42-641E459CC2AF",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:h:netapp:h700s:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "B06F4839-D16A-4A61-9BB5-55B13F41E47F",
                     vulnerable: false,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
         operator: "AND",
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:o:netapp:h410s_firmware:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "D0B4AD8A-F172-4558-AEC6-FF424BA2D912",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:h:netapp:h410s:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "8497A4C9-8474-4A62-8331-3FE862ED4098",
                     vulnerable: false,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
         operator: "AND",
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:o:netapp:h410c_firmware:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "234DEFE0-5CE5-4B0A-96B8-5D227CB8ED31",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:h:netapp:h410c:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "CDDF61B7-EC5C-467C-B710-B89F502CD04F",
                     vulnerable: false,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
         operator: "AND",
      },
   ],
   cveTags: [],
   descriptions: [
      {
         lang: "en",
         value: "In libxml2 before 2.9.14, several buffer handling functions in buf.c (xmlBuf*) and tree.c (xmlBuffer*) don't check for integer overflows. This can result in out-of-bounds memory writes. Exploitation requires a victim to open a crafted, multi-gigabyte XML file. Other software using libxml2's buffer functions, for example libxslt through 1.1.35, is affected as well.",
      },
      {
         lang: "es",
         value: "En libxml2 versiones anteriores a 2.9.14, varias funciones de manejo de búferes en buf.c (xmlBuf*) y tree.c (xmlBuffer*) no comprueban los desbordamientos de enteros. Esto puede resultar en escrituras de memoria fuera de límites. La explotación requiere que la víctima abra un archivo XML diseñado de varios gigabytes. Otro software usando las funciones de búfer de libxml2, por ejemplo libxslt versiones hasta 1.1.35, también está afectado",
      },
   ],
   id: "CVE-2022-29824",
   lastModified: "2024-11-21T06:59:45.417",
   metrics: {
      cvssMetricV2: [
         {
            acInsufInfo: false,
            baseSeverity: "MEDIUM",
            cvssData: {
               accessComplexity: "MEDIUM",
               accessVector: "NETWORK",
               authentication: "NONE",
               availabilityImpact: "PARTIAL",
               baseScore: 4.3,
               confidentialityImpact: "NONE",
               integrityImpact: "NONE",
               vectorString: "AV:N/AC:M/Au:N/C:N/I:N/A:P",
               version: "2.0",
            },
            exploitabilityScore: 8.6,
            impactScore: 2.9,
            obtainAllPrivilege: false,
            obtainOtherPrivilege: false,
            obtainUserPrivilege: false,
            source: "nvd@nist.gov",
            type: "Primary",
            userInteractionRequired: true,
         },
      ],
      cvssMetricV31: [
         {
            cvssData: {
               attackComplexity: "LOW",
               attackVector: "NETWORK",
               availabilityImpact: "HIGH",
               baseScore: 6.5,
               baseSeverity: "MEDIUM",
               confidentialityImpact: "NONE",
               integrityImpact: "NONE",
               privilegesRequired: "NONE",
               scope: "UNCHANGED",
               userInteraction: "REQUIRED",
               vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
               version: "3.1",
            },
            exploitabilityScore: 2.8,
            impactScore: 3.6,
            source: "nvd@nist.gov",
            type: "Primary",
         },
      ],
   },
   published: "2022-05-03T03:15:06.687",
   references: [
      {
         source: "cve@mitre.org",
         tags: [
            "Exploit",
            "Third Party Advisory",
            "VDB Entry",
         ],
         url: "http://packetstormsecurity.com/files/167345/libxml2-xmlBufAdd-Heap-Buffer-Overflow.html",
      },
      {
         source: "cve@mitre.org",
         tags: [
            "Exploit",
            "Third Party Advisory",
            "VDB Entry",
         ],
         url: "http://packetstormsecurity.com/files/169825/libxml2-xmlParseNameComplex-Integer-Overflow.html",
      },
      {
         source: "cve@mitre.org",
         tags: [
            "Patch",
            "Third Party Advisory",
         ],
         url: "https://gitlab.gnome.org/GNOME/libxml2/-/commit/2554a2408e09f13652049e5ffb0d26196b02ebab",
      },
      {
         source: "cve@mitre.org",
         tags: [
            "Patch",
            "Third Party Advisory",
         ],
         url: "https://gitlab.gnome.org/GNOME/libxml2/-/commit/6c283d83eccd940bcde15634ac8c7f100e3caefd",
      },
      {
         source: "cve@mitre.org",
         tags: [
            "Release Notes",
            "Third Party Advisory",
         ],
         url: "https://gitlab.gnome.org/GNOME/libxml2/-/tags/v2.9.14",
      },
      {
         source: "cve@mitre.org",
         tags: [
            "Product",
            "Third Party Advisory",
         ],
         url: "https://gitlab.gnome.org/GNOME/libxslt/-/tags",
      },
      {
         source: "cve@mitre.org",
         tags: [
            "Mailing List",
            "Third Party Advisory",
         ],
         url: "https://lists.debian.org/debian-lts-announce/2022/05/msg00023.html",
      },
      {
         source: "cve@mitre.org",
         url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FZOBT5Y6Y2QLDDX2HZGMV7MJMWGXORKK/",
      },
      {
         source: "cve@mitre.org",
         url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/P3NVZVWFRBXBI3AKZZWUWY6INQQPQVSF/",
      },
      {
         source: "cve@mitre.org",
         url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/P5363EDV5VHZ5C77ODA43RYDCPMA7ARM/",
      },
      {
         source: "cve@mitre.org",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://security.gentoo.org/glsa/202210-03",
      },
      {
         source: "cve@mitre.org",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://security.netapp.com/advisory/ntap-20220715-0006/",
      },
      {
         source: "cve@mitre.org",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://www.debian.org/security/2022/dsa-5142",
      },
      {
         source: "cve@mitre.org",
         tags: [
            "Patch",
            "Third Party Advisory",
         ],
         url: "https://www.oracle.com/security-alerts/cpujul2022.html",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Exploit",
            "Third Party Advisory",
            "VDB Entry",
         ],
         url: "http://packetstormsecurity.com/files/167345/libxml2-xmlBufAdd-Heap-Buffer-Overflow.html",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Exploit",
            "Third Party Advisory",
            "VDB Entry",
         ],
         url: "http://packetstormsecurity.com/files/169825/libxml2-xmlParseNameComplex-Integer-Overflow.html",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Patch",
            "Third Party Advisory",
         ],
         url: "https://gitlab.gnome.org/GNOME/libxml2/-/commit/2554a2408e09f13652049e5ffb0d26196b02ebab",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Patch",
            "Third Party Advisory",
         ],
         url: "https://gitlab.gnome.org/GNOME/libxml2/-/commit/6c283d83eccd940bcde15634ac8c7f100e3caefd",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Release Notes",
            "Third Party Advisory",
         ],
         url: "https://gitlab.gnome.org/GNOME/libxml2/-/tags/v2.9.14",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Product",
            "Third Party Advisory",
         ],
         url: "https://gitlab.gnome.org/GNOME/libxslt/-/tags",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Mailing List",
            "Third Party Advisory",
         ],
         url: "https://lists.debian.org/debian-lts-announce/2022/05/msg00023.html",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FZOBT5Y6Y2QLDDX2HZGMV7MJMWGXORKK/",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/P3NVZVWFRBXBI3AKZZWUWY6INQQPQVSF/",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/P5363EDV5VHZ5C77ODA43RYDCPMA7ARM/",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://security.gentoo.org/glsa/202210-03",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://security.netapp.com/advisory/ntap-20220715-0006/",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://www.debian.org/security/2022/dsa-5142",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Patch",
            "Third Party Advisory",
         ],
         url: "https://www.oracle.com/security-alerts/cpujul2022.html",
      },
   ],
   sourceIdentifier: "cve@mitre.org",
   vulnStatus: "Modified",
   weaknesses: [
      {
         description: [
            {
               lang: "en",
               value: "CWE-190",
            },
         ],
         source: "nvd@nist.gov",
         type: "Primary",
      },
   ],
}

Vulnerability from fkie_nvd
Published
2021-05-19 14:15
Modified
2024-11-21 06:21
Summary
There is a flaw in the xml entity encoding functionality of libxml2 in versions before 2.9.11. An attacker who is able to supply a crafted file to be processed by an application linked with the affected functionality of libxml2 could trigger an out-of-bounds read. The most likely impact of this flaw is to application availability, with some potential impact to confidentiality and integrity if an attacker is able to use memory information to further exploit the application.
References
secalert@redhat.com | https://bugzilla.redhat.com/show_bug.cgi?id=1954232 | Issue Tracking, Patch, Third Party Advisory
secalert@redhat.com | https://lists.apache.org/thread.html/r58af02e294bd07f487e2c64ffc0a29b837db5600e33b6e698b9d696b%40%3Cissues.bookkeeper.apache.org%3E
secalert@redhat.com | https://lists.apache.org/thread.html/rf4c02775860db415b4955778a131c2795223f61cb8c6a450893651e4%40%3Cissues.bookkeeper.apache.org%3E
secalert@redhat.com | https://lists.debian.org/debian-lts-announce/2021/05/msg00008.html | Mailing List, Third Party Advisory
secalert@redhat.com | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BZOMV5J4PMZAORVT64BKLV6YIZAFDGX6/
secalert@redhat.com | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QVM4UJ3376I6ZVOYMHBNX4GY3NIV52WV/
secalert@redhat.com | https://security.gentoo.org/glsa/202107-05 | Third Party Advisory
secalert@redhat.com | https://security.netapp.com/advisory/ntap-20210625-0002/ | Third Party Advisory
secalert@redhat.com | https://security.netapp.com/advisory/ntap-20211022-0004/ | Third Party Advisory
secalert@redhat.com | https://www.oracle.com/security-alerts/cpuapr2022.html | Patch, Third Party Advisory
secalert@redhat.com | https://www.oracle.com/security-alerts/cpujan2022.html | Patch, Third Party Advisory
secalert@redhat.com | https://www.oracle.com/security-alerts/cpujul2022.html | Not Applicable
secalert@redhat.com | https://www.oracle.com/security-alerts/cpuoct2021.html | Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 | https://bugzilla.redhat.com/show_bug.cgi?id=1954232 | Issue Tracking, Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 | https://lists.apache.org/thread.html/r58af02e294bd07f487e2c64ffc0a29b837db5600e33b6e698b9d696b%40%3Cissues.bookkeeper.apache.org%3E
af854a3a-2127-422b-91ae-364da2661108 | https://lists.apache.org/thread.html/rf4c02775860db415b4955778a131c2795223f61cb8c6a450893651e4%40%3Cissues.bookkeeper.apache.org%3E
af854a3a-2127-422b-91ae-364da2661108 | https://lists.debian.org/debian-lts-announce/2021/05/msg00008.html | Mailing List, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BZOMV5J4PMZAORVT64BKLV6YIZAFDGX6/
af854a3a-2127-422b-91ae-364da2661108 | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QVM4UJ3376I6ZVOYMHBNX4GY3NIV52WV/
af854a3a-2127-422b-91ae-364da2661108 | https://security.gentoo.org/glsa/202107-05 | Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 | https://security.netapp.com/advisory/ntap-20210625-0002/ | Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 | https://security.netapp.com/advisory/ntap-20211022-0004/ | Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 | https://www.oracle.com/security-alerts/cpuapr2022.html | Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 | https://www.oracle.com/security-alerts/cpujan2022.html | Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 | https://www.oracle.com/security-alerts/cpujul2022.html | Not Applicable
af854a3a-2127-422b-91ae-364da2661108 | https://www.oracle.com/security-alerts/cpuoct2021.html | Patch, Third Party Advisory



{
   configurations: [
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:a:xmlsoft:libxml2:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "208AF535-5D38-45B4-B227-2892611C5A20",
                     versionEndExcluding: "2.9.11",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:a:redhat:jboss_core_services:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "9B453CF7-9AA6-4B94-A003-BF7AE0B82F53",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*",
                     matchCriteriaId: "F4CFF558-3C47-480D-A2F0-BABF26042943",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*",
                     matchCriteriaId: "E460AA51-FCDA-46B9-AE97-E6676AA5E194",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*",
                     matchCriteriaId: "A930E247-0B43-43CB-98FF-6CE7B8189835",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*",
                     matchCriteriaId: "DEECE5FC-CACF-4496-A3E7-164736409252",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:vmware_vsphere:*:*",
                     matchCriteriaId: "3A756737-1CC4-42C2-A4DF-E1C893B4E2D5",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:windows:*:*",
                     matchCriteriaId: "B55E8D50-99B4-47EC-86F9-699B67D473CE",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:netapp:clustered_data_ontap:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "1FE996B1-6951-4F85-AA58-B99A379D2163",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:netapp:clustered_data_ontap_antivirus_connector:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "62347994-1353-497C-9C4A-D5D8D95F67E8",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:netapp:e-series_santricity_os_controller:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "FF971916-C526-43A9-BD80-985BCC476569",
                     versionEndIncluding: "11.70.1",
                     versionStartIncluding: "11.0.0",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:netapp:e-series_santricity_storage_manager:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "0D9CC59D-6182-4B5E-96B5-226FCD343916",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:netapp:e-series_santricity_web_services:-:*:*:*:*:web_services_proxy:*:*",
                     matchCriteriaId: "1AEFF829-A8F2-4041-8DDF-E705DB3ADED2",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:netapp:hci_management_node:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "A3C19813-E823-456A-B1CE-EC0684CE1953",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:netapp:manageability_software_development_kit:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "D39DCAE7-494F-40B2-867F-6C6A077939DD",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:netapp:oncommand_insight:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "F1BE6C1F-2565-4E97-92AA-16563E5660A5",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:netapp:oncommand_workflow_automation:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "5735E553-9731-4AAC-BCFF-989377F817B3",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:netapp:ontap_select_deploy_administration_utility:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "E7CF3019-975D-40BB-A8A4-894E62BD3797",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:netapp:santricity_unified_manager:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "A372B177-F740-4655-865C-31777A6E140B",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:netapp:snapdrive:-:*:*:*:*:windows:*:*",
                     matchCriteriaId: "BEDE62C6-D571-4AF8-B85E-CBBCE4AF98B5",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:netapp:snapmanager:-:*:*:*:*:oracle:*:*",
                     matchCriteriaId: "26A2B713-7D6D-420A-93A4-E0D983C983DF",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:netapp:snapmanager:-:*:*:*:*:sap:*:*",
                     matchCriteriaId: "64DE38C8-94F1-4860-B045-F33928F676A8",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:netapp:solidfire:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "A6E9EF0C-AFA8-4F7B-9FDC-1E0F7C26E737",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:o:netapp:hci_h410c_firmware:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "08C564D8-E21F-403C-B4BB-7B14B7FB5DAE",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:h:netapp:hci_h410c:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "8532F5F0-00A1-4FA9-A80B-09E46D03F74F",
                     vulnerable: false,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
         operator: "AND",
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:a:oracle:communications_cloud_native_core_network_function_cloud_native_environment:1.10.0:*:*:*:*:*:*:*",
                     matchCriteriaId: "C2A5B24D-BDF2-423C-98EA-A40778C01A05",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:enterprise_manager_base_platform:13.4.0.0:*:*:*:*:*:*:*",
                     matchCriteriaId: "D26F3E23-F1A9-45E7-9E5F-0C0A24EE3783",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:enterprise_manager_base_platform:13.5.0.0:*:*:*:*:*:*:*",
                     matchCriteriaId: "6E8758C8-87D3-450A-878B-86CE8C9FC140",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:mysql_workbench:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "EED6C8C2-F986-4CFD-A343-AD2340F850F2",
                     versionEndIncluding: "8.0.26",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:openjdk:8:update301:*:*:*:*:*:*",
                     matchCriteriaId: "56F2883B-6A1B-4081-8877-07AF3A73F6CD",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.58:*:*:*:*:*:*:*",
                     matchCriteriaId: "D9DB4A14-2EF5-4B54-95D2-75E6CF9AA0A9",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:real_user_experience_insight:13.4.1.0:*:*:*:*:*:*:*",
                     matchCriteriaId: "CADD7026-EF85-40A5-8563-7A34C6941B1F",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:real_user_experience_insight:13.5.1.0:*:*:*:*:*:*:*",
                     matchCriteriaId: "58F019E8-F68D-41B5-9480-0A81616F2E7C",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:zfs_storage_appliance_kit:8.8:*:*:*:*:*:*:*",
                     matchCriteriaId: "D3E503FB-6279-4D4A-91D8-E237ECF9D2B0",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
   ],
   cveTags: [],
   descriptions: [
      {
         lang: "en",
         value: "There is a flaw in the xml entity encoding functionality of libxml2 in versions before 2.9.11. An attacker who is able to supply a crafted file to be processed by an application linked with the affected functionality of libxml2 could trigger an out-of-bounds read. The most likely impact of this flaw is to application availability, with some potential impact to confidentiality and integrity if an attacker is able to use memory information to further exploit the application.",
      },
      {
         lang: "es",
         value: "Se presenta un fallo en la funcionalidad xml entity encoding de libxml2 en versiones anteriores a 2.9.11. Un atacante que sea capaz de proporcionar un archivo diseñado para que sea procesado por una aplicación vinculada con la funcionalidad afectada de libxml2 podría desencadenar una lectura fuera de los límites. El impacto más probable de este fallo es la disponibilidad de la aplicación, con algún impacto potencial en la confidencialidad e integridad si un atacante puede usar la información de la memoria para explotar aún más la aplicación",
      },
   ],
   id: "CVE-2021-3517",
   lastModified: "2024-11-21T06:21:44.107",
   metrics: {
      cvssMetricV2: [
         {
            acInsufInfo: false,
            baseSeverity: "HIGH",
            cvssData: {
               accessComplexity: "LOW",
               accessVector: "NETWORK",
               authentication: "NONE",
               availabilityImpact: "PARTIAL",
               baseScore: 7.5,
               confidentialityImpact: "PARTIAL",
               integrityImpact: "PARTIAL",
               vectorString: "AV:N/AC:L/Au:N/C:P/I:P/A:P",
               version: "2.0",
            },
            exploitabilityScore: 10,
            impactScore: 6.4,
            obtainAllPrivilege: false,
            obtainOtherPrivilege: false,
            obtainUserPrivilege: false,
            source: "nvd@nist.gov",
            type: "Primary",
            userInteractionRequired: false,
         },
      ],
      cvssMetricV31: [
         {
            cvssData: {
               attackComplexity: "LOW",
               attackVector: "NETWORK",
               availabilityImpact: "HIGH",
               baseScore: 8.6,
               baseSeverity: "HIGH",
               confidentialityImpact: "LOW",
               integrityImpact: "LOW",
               privilegesRequired: "NONE",
               scope: "UNCHANGED",
               userInteraction: "NONE",
               vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H",
               version: "3.1",
            },
            exploitabilityScore: 3.9,
            impactScore: 4.7,
            source: "nvd@nist.gov",
            type: "Primary",
         },
      ],
   },
   published: "2021-05-19T14:15:07.553",
   references: [
      {
         source: "secalert@redhat.com",
         tags: [
            "Issue Tracking",
            "Patch",
            "Third Party Advisory",
         ],
         url: "https://bugzilla.redhat.com/show_bug.cgi?id=1954232",
      },
      {
         source: "secalert@redhat.com",
         url: "https://lists.apache.org/thread.html/r58af02e294bd07f487e2c64ffc0a29b837db5600e33b6e698b9d696b%40%3Cissues.bookkeeper.apache.org%3E",
      },
      {
         source: "secalert@redhat.com",
         url: "https://lists.apache.org/thread.html/rf4c02775860db415b4955778a131c2795223f61cb8c6a450893651e4%40%3Cissues.bookkeeper.apache.org%3E",
      },
      {
         source: "secalert@redhat.com",
         tags: [
            "Mailing List",
            "Third Party Advisory",
         ],
         url: "https://lists.debian.org/debian-lts-announce/2021/05/msg00008.html",
      },
      {
         source: "secalert@redhat.com",
         url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BZOMV5J4PMZAORVT64BKLV6YIZAFDGX6/",
      },
      {
         source: "secalert@redhat.com",
         url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QVM4UJ3376I6ZVOYMHBNX4GY3NIV52WV/",
      },
      {
         source: "secalert@redhat.com",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://security.gentoo.org/glsa/202107-05",
      },
      {
         source: "secalert@redhat.com",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://security.netapp.com/advisory/ntap-20210625-0002/",
      },
      {
         source: "secalert@redhat.com",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://security.netapp.com/advisory/ntap-20211022-0004/",
      },
      {
         source: "secalert@redhat.com",
         tags: [
            "Patch",
            "Third Party Advisory",
         ],
         url: "https://www.oracle.com/security-alerts/cpuapr2022.html",
      },
      {
         source: "secalert@redhat.com",
         tags: [
            "Patch",
            "Third Party Advisory",
         ],
         url: "https://www.oracle.com/security-alerts/cpujan2022.html",
      },
      {
         source: "secalert@redhat.com",
         tags: [
            "Not Applicable",
         ],
         url: "https://www.oracle.com/security-alerts/cpujul2022.html",
      },
      {
         source: "secalert@redhat.com",
         tags: [
            "Patch",
            "Third Party Advisory",
         ],
         url: "https://www.oracle.com/security-alerts/cpuoct2021.html",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Issue Tracking",
            "Patch",
            "Third Party Advisory",
         ],
         url: "https://bugzilla.redhat.com/show_bug.cgi?id=1954232",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         url: "https://lists.apache.org/thread.html/r58af02e294bd07f487e2c64ffc0a29b837db5600e33b6e698b9d696b%40%3Cissues.bookkeeper.apache.org%3E",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         url: "https://lists.apache.org/thread.html/rf4c02775860db415b4955778a131c2795223f61cb8c6a450893651e4%40%3Cissues.bookkeeper.apache.org%3E",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Mailing List",
            "Third Party Advisory",
         ],
         url: "https://lists.debian.org/debian-lts-announce/2021/05/msg00008.html",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BZOMV5J4PMZAORVT64BKLV6YIZAFDGX6/",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QVM4UJ3376I6ZVOYMHBNX4GY3NIV52WV/",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://security.gentoo.org/glsa/202107-05",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://security.netapp.com/advisory/ntap-20210625-0002/",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://security.netapp.com/advisory/ntap-20211022-0004/",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Patch",
            "Third Party Advisory",
         ],
         url: "https://www.oracle.com/security-alerts/cpuapr2022.html",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Patch",
            "Third Party Advisory",
         ],
         url: "https://www.oracle.com/security-alerts/cpujan2022.html",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Not Applicable",
         ],
         url: "https://www.oracle.com/security-alerts/cpujul2022.html",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Patch",
            "Third Party Advisory",
         ],
         url: "https://www.oracle.com/security-alerts/cpuoct2021.html",
      },
   ],
   sourceIdentifier: "secalert@redhat.com",
   vulnStatus: "Modified",
   weaknesses: [
      {
         description: [
            {
               lang: "en",
               value: "CWE-787",
            },
         ],
         source: "secalert@redhat.com",
         type: "Primary",
      },
      {
         description: [
            {
               lang: "en",
               value: "CWE-787",
            },
         ],
         source: "nvd@nist.gov",
         type: "Secondary",
      },
   ],
}

Vulnerability from fkie_nvd
Published
2020-01-21 23:15
Modified
2024-11-21 05:37
Summary
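xmlStringLenDecodeEntities in parser.c in libxml2 2.9.10 has an infinite loop in a certain end-of-file situation. In practice this is an availability (denial-of-service) issue: the CVSS 3.1 vector recorded below (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, base score 7.5) rates availability impact as high, with no confidentiality or integrity impact. The fix is the libxml2 commit tagged "Patch" in the references (0e1a49c89076).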
References
cve@mitre.org — http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00047.html — Broken Link
cve@mitre.org — https://cert-portal.siemens.com/productcert/pdf/ssa-292794.pdf — Third Party Advisory
cve@mitre.org — https://gitlab.gnome.org/GNOME/libxml2/commit/0e1a49c89076 — Patch, Third Party Advisory
cve@mitre.org — https://lists.debian.org/debian-lts-announce/2020/09/msg00009.html — Mailing List, Third Party Advisory
cve@mitre.org — https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/545SPOI3ZPPNPX4TFRIVE4JVRTJRKULL/
cve@mitre.org — https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5R55ZR52RMBX24TQTWHCIWKJVRV6YAWI/
cve@mitre.org — https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JDPF3AAVKUAKDYFMFKSIQSVVS3EEFPQH/
cve@mitre.org — https://security.gentoo.org/glsa/202010-04 — Third Party Advisory
cve@mitre.org — https://security.netapp.com/advisory/ntap-20200702-0005/ — Third Party Advisory
cve@mitre.org — https://us-cert.cisa.gov/ics/advisories/icsa-21-103-08 — Third Party Advisory, US Government Resource
cve@mitre.org — https://usn.ubuntu.com/4274-1/ — Third Party Advisory
cve@mitre.org — https://www.oracle.com/security-alerts/cpuapr2022.html — Patch, Third Party Advisory
cve@mitre.org — https://www.oracle.com/security-alerts/cpujul2020.html — Third Party Advisory
cve@mitre.org — https://www.oracle.com/security-alerts/cpujul2022.html
cve@mitre.org — https://www.oracle.com/security-alerts/cpuoct2021.html — Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 — http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00047.html — Broken Link
af854a3a-2127-422b-91ae-364da2661108 — https://cert-portal.siemens.com/productcert/pdf/ssa-292794.pdf — Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 — https://gitlab.gnome.org/GNOME/libxml2/commit/0e1a49c89076 — Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 — https://lists.debian.org/debian-lts-announce/2020/09/msg00009.html — Mailing List, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 — https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/545SPOI3ZPPNPX4TFRIVE4JVRTJRKULL/
af854a3a-2127-422b-91ae-364da2661108 — https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5R55ZR52RMBX24TQTWHCIWKJVRV6YAWI/
af854a3a-2127-422b-91ae-364da2661108 — https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JDPF3AAVKUAKDYFMFKSIQSVVS3EEFPQH/
af854a3a-2127-422b-91ae-364da2661108 — https://security.gentoo.org/glsa/202010-04 — Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 — https://security.netapp.com/advisory/ntap-20200702-0005/ — Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 — https://us-cert.cisa.gov/ics/advisories/icsa-21-103-08 — Third Party Advisory, US Government Resource
af854a3a-2127-422b-91ae-364da2661108 — https://usn.ubuntu.com/4274-1/ — Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 — https://www.oracle.com/security-alerts/cpuapr2022.html — Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 — https://www.oracle.com/security-alerts/cpujul2020.html — Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 — https://www.oracle.com/security-alerts/cpujul2022.html
af854a3a-2127-422b-91ae-364da2661108 — https://www.oracle.com/security-alerts/cpuoct2021.html — Patch, Third Party Advisory



{
   configurations: [
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:a:xmlsoft:libxml2:2.9.10:*:*:*:*:*:*:*",
                     matchCriteriaId: "F5046B03-34DE-4574-AFDB-E0B2A8022E72",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:o:fedoraproject:fedora:30:*:*:*:*:*:*:*",
                     matchCriteriaId: "97A4B8DF-58DA-4AB6-A1F9-331B36409BA3",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:o:fedoraproject:fedora:31:*:*:*:*:*:*:*",
                     matchCriteriaId: "80F0FA5D-8D3B-4C0E-81E2-87998286AF33",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*",
                     matchCriteriaId: "36D96259-24BD-44E2-96D9-78CE1D41F956",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:-:*:*:*",
                     matchCriteriaId: "CB66DB75-2B16-4EBF-9B93-CE49D8086E41",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:esm:*:*:*",
                     matchCriteriaId: "815D70A8-47D3-459C-A32C-9FEACA0659D1",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*",
                     matchCriteriaId: "F7016A2A-8365-4F1A-89A2-7A19F2BCAE5B",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*",
                     matchCriteriaId: "23A7C53F-B80F-4E6A-AFA9-58EEA84BE11D",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:o:canonical:ubuntu_linux:19.10:*:*:*:*:*:*:*",
                     matchCriteriaId: "A31C8344-3E02-4EB8-8BD8-4C84B7959624",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*",
                     matchCriteriaId: "DEECE5FC-CACF-4496-A3E7-164736409252",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:a:siemens:sinema_remote_connect_server:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "F65F9901-F4BD-4484-9749-D5022245D686",
                     versionEndExcluding: "3.0",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:a:netapp:clustered_data_ontap:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "1FE996B1-6951-4F85-AA58-B99A379D2163",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:netapp:smi-s_provider:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "4BB0FDCF-3750-44C6-AC5C-0CC2AAD14093",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:netapp:snapdrive:-:*:*:*:*:windows:*:*",
                     matchCriteriaId: "BEDE62C6-D571-4AF8-B85E-CBBCE4AF98B5",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:netapp:steelstore_cloud_integrated_storage:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "E94F7F59-1785-493F-91A7-5F5EA5E87E4D",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:netapp:symantec_netbackup:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "1F48ACED-5496-4AF1-86AF-63AA4D7C3C86",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:o:netapp:h300s_firmware:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "6770B6C3-732E-4E22-BF1C-2D2FD610061C",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:h:netapp:h300s:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "9F9C8C20-42EB-4AB5-BD97-212DEB070C43",
                     vulnerable: false,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
         operator: "AND",
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:o:netapp:h500s_firmware:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "7FFF7106-ED78-49BA-9EC5-B889E3685D53",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:h:netapp:h500s:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "E63D8B0F-006E-4801-BF9D-1C001BBFB4F9",
                     vulnerable: false,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
         operator: "AND",
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:o:netapp:h700s_firmware:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "56409CEC-5A1E-4450-AA42-641E459CC2AF",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:h:netapp:h700s:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "B06F4839-D16A-4A61-9BB5-55B13F41E47F",
                     vulnerable: false,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
         operator: "AND",
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:o:netapp:h300e_firmware:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "108A2215-50FB-4074-94CF-C130FA14566D",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:h:netapp:h300e:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "7AFC73CE-ABB9-42D3-9A71-3F5BC5381E0E",
                     vulnerable: false,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
         operator: "AND",
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:o:netapp:h500e_firmware:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "32F0B6C0-F930-480D-962B-3F4EFDCC13C7",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:h:netapp:h500e:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "803BC414-B250-4E3A-A478-A3881340D6B8",
                     vulnerable: false,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
         operator: "AND",
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:o:netapp:h700e_firmware:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "0FEB3337-BFDE-462A-908B-176F92053CEC",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:h:netapp:h700e:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "736AEAE9-782B-4F71-9893-DED53367E102",
                     vulnerable: false,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
         operator: "AND",
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:o:netapp:h410s_firmware:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "D0B4AD8A-F172-4558-AEC6-FF424BA2D912",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:h:netapp:h410s:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "8497A4C9-8474-4A62-8331-3FE862ED4098",
                     vulnerable: false,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
         operator: "AND",
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:o:netapp:h410c_firmware:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "234DEFE0-5CE5-4B0A-96B8-5D227CB8ED31",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:h:netapp:h410c:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "CDDF61B7-EC5C-467C-B710-B89F502CD04F",
                     vulnerable: false,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
         operator: "AND",
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:a:oracle:real_user_experience_insight:13.3.1.0:*:*:*:*:*:*:*",
                     matchCriteriaId: "B534B112-9BA4-467B-A58B-D89C0A6EFA9C",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:a:oracle:communications_cloud_native_core_network_function_cloud_native_environment:1.10.0:*:*:*:*:*:*:*",
                     matchCriteriaId: "C2A5B24D-BDF2-423C-98EA-A40778C01A05",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:enterprise_manager_base_platform:13.4.0.0:*:*:*:*:*:*:*",
                     matchCriteriaId: "D26F3E23-F1A9-45E7-9E5F-0C0A24EE3783",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:enterprise_manager_base_platform:13.5.0.0:*:*:*:*:*:*:*",
                     matchCriteriaId: "6E8758C8-87D3-450A-878B-86CE8C9FC140",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:enterprise_manager_ops_center:12.4.0.0:*:*:*:*:*:*:*",
                     matchCriteriaId: "B095CC03-7077-4A58-AB25-CC5380CDCE5A",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:mysql_workbench:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "EED6C8C2-F986-4CFD-A343-AD2340F850F2",
                     versionEndIncluding: "8.0.26",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.58:*:*:*:*:*:*:*",
                     matchCriteriaId: "D9DB4A14-2EF5-4B54-95D2-75E6CF9AA0A9",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:real_user_experience_insight:13.4.1.0:*:*:*:*:*:*:*",
                     matchCriteriaId: "CADD7026-EF85-40A5-8563-7A34C6941B1F",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:real_user_experience_insight:13.5.1.0:*:*:*:*:*:*:*",
                     matchCriteriaId: "58F019E8-F68D-41B5-9480-0A81616F2E7C",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
   ],
   cveTags: [],
   descriptions: [
      {
         lang: "en",
         value: "xmlStringLenDecodeEntities in parser.c in libxml2 2.9.10 has an infinite loop in a certain end-of-file situation.",
      },
      {
         lang: "es",
         value: "La función xmlStringLenDecodeEntities en el archivo parser.c en libxml2 versión 2.9.10, presenta un bucle infinito en una determinada situación de fin del archivo.",
      },
   ],
   id: "CVE-2020-7595",
   lastModified: "2024-11-21T05:37:26.453",
   metrics: {
      cvssMetricV2: [
         {
            acInsufInfo: false,
            baseSeverity: "MEDIUM",
            cvssData: {
               accessComplexity: "LOW",
               accessVector: "NETWORK",
               authentication: "NONE",
               availabilityImpact: "PARTIAL",
               baseScore: 5,
               confidentialityImpact: "NONE",
               integrityImpact: "NONE",
               vectorString: "AV:N/AC:L/Au:N/C:N/I:N/A:P",
               version: "2.0",
            },
            exploitabilityScore: 10,
            impactScore: 2.9,
            obtainAllPrivilege: false,
            obtainOtherPrivilege: false,
            obtainUserPrivilege: false,
            source: "nvd@nist.gov",
            type: "Primary",
            userInteractionRequired: false,
         },
      ],
      cvssMetricV31: [
         {
            cvssData: {
               attackComplexity: "LOW",
               attackVector: "NETWORK",
               availabilityImpact: "HIGH",
               baseScore: 7.5,
               baseSeverity: "HIGH",
               confidentialityImpact: "NONE",
               integrityImpact: "NONE",
               privilegesRequired: "NONE",
               scope: "UNCHANGED",
               userInteraction: "NONE",
               vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
               version: "3.1",
            },
            exploitabilityScore: 3.9,
            impactScore: 3.6,
            source: "nvd@nist.gov",
            type: "Primary",
         },
      ],
   },
   published: "2020-01-21T23:15:13.867",
   references: [
      {
         source: "cve@mitre.org",
         tags: [
            "Broken Link",
         ],
         url: "http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00047.html",
      },
      {
         source: "cve@mitre.org",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://cert-portal.siemens.com/productcert/pdf/ssa-292794.pdf",
      },
      {
         source: "cve@mitre.org",
         tags: [
            "Patch",
            "Third Party Advisory",
         ],
         url: "https://gitlab.gnome.org/GNOME/libxml2/commit/0e1a49c89076",
      },
      {
         source: "cve@mitre.org",
         tags: [
            "Mailing List",
            "Third Party Advisory",
         ],
         url: "https://lists.debian.org/debian-lts-announce/2020/09/msg00009.html",
      },
      {
         source: "cve@mitre.org",
         url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/545SPOI3ZPPNPX4TFRIVE4JVRTJRKULL/",
      },
      {
         source: "cve@mitre.org",
         url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5R55ZR52RMBX24TQTWHCIWKJVRV6YAWI/",
      },
      {
         source: "cve@mitre.org",
         url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JDPF3AAVKUAKDYFMFKSIQSVVS3EEFPQH/",
      },
      {
         source: "cve@mitre.org",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://security.gentoo.org/glsa/202010-04",
      },
      {
         source: "cve@mitre.org",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://security.netapp.com/advisory/ntap-20200702-0005/",
      },
      {
         source: "cve@mitre.org",
         tags: [
            "Third Party Advisory",
            "US Government Resource",
         ],
         url: "https://us-cert.cisa.gov/ics/advisories/icsa-21-103-08",
      },
      {
         source: "cve@mitre.org",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://usn.ubuntu.com/4274-1/",
      },
      {
         source: "cve@mitre.org",
         tags: [
            "Patch",
            "Third Party Advisory",
         ],
         url: "https://www.oracle.com/security-alerts/cpuapr2022.html",
      },
      {
         source: "cve@mitre.org",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://www.oracle.com/security-alerts/cpujul2020.html",
      },
      {
         source: "cve@mitre.org",
         url: "https://www.oracle.com/security-alerts/cpujul2022.html",
      },
      {
         source: "cve@mitre.org",
         tags: [
            "Patch",
            "Third Party Advisory",
         ],
         url: "https://www.oracle.com/security-alerts/cpuoct2021.html",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Broken Link",
         ],
         url: "http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00047.html",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://cert-portal.siemens.com/productcert/pdf/ssa-292794.pdf",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Patch",
            "Third Party Advisory",
         ],
         url: "https://gitlab.gnome.org/GNOME/libxml2/commit/0e1a49c89076",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Mailing List",
            "Third Party Advisory",
         ],
         url: "https://lists.debian.org/debian-lts-announce/2020/09/msg00009.html",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/545SPOI3ZPPNPX4TFRIVE4JVRTJRKULL/",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5R55ZR52RMBX24TQTWHCIWKJVRV6YAWI/",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JDPF3AAVKUAKDYFMFKSIQSVVS3EEFPQH/",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://security.gentoo.org/glsa/202010-04",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://security.netapp.com/advisory/ntap-20200702-0005/",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Third Party Advisory",
            "US Government Resource",
         ],
         url: "https://us-cert.cisa.gov/ics/advisories/icsa-21-103-08",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://usn.ubuntu.com/4274-1/",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Patch",
            "Third Party Advisory",
         ],
         url: "https://www.oracle.com/security-alerts/cpuapr2022.html",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://www.oracle.com/security-alerts/cpujul2020.html",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         url: "https://www.oracle.com/security-alerts/cpujul2022.html",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Patch",
            "Third Party Advisory",
         ],
         url: "https://www.oracle.com/security-alerts/cpuoct2021.html",
      },
   ],
   sourceIdentifier: "cve@mitre.org",
   vulnStatus: "Modified",
   weaknesses: [
      {
         description: [
            {
               lang: "en",
               value: "CWE-835",
            },
         ],
         source: "nvd@nist.gov",
         type: "Primary",
      },
   ],
}

Vulnerability from fkie_nvd
Published
2018-06-07 13:29
Modified
2024-11-21 03:44
Summary
In Perl through 5.26.2, the Archive::Tar module allows remote attackers to bypass a directory-traversal protection mechanism, and overwrite arbitrary files, via an archive file containing a symlink and a regular file with the same name.
References
cve@mitre.org | http://seclists.org/fulldisclosure/2019/Mar/49 | Mailing List, Third Party Advisory
cve@mitre.org | http://www.securityfocus.com/bid/104423 | Third Party Advisory, VDB Entry
cve@mitre.org | http://www.securitytracker.com/id/1041048 | Third Party Advisory, VDB Entry
cve@mitre.org | https://access.redhat.com/errata/RHSA-2019:2097
cve@mitre.org | https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=900834 | Exploit, Mailing List, Third Party Advisory
cve@mitre.org | https://seclists.org/bugtraq/2019/Mar/42 | Mailing List, Third Party Advisory
cve@mitre.org | https://security.netapp.com/advisory/ntap-20180927-0001/ | Patch, Third Party Advisory
cve@mitre.org | https://support.apple.com/kb/HT209600 | Third Party Advisory
cve@mitre.org | https://usn.ubuntu.com/3684-1/ | Third Party Advisory
cve@mitre.org | https://usn.ubuntu.com/3684-2/ | Third Party Advisory
cve@mitre.org | https://www.debian.org/security/2018/dsa-4226 | Third Party Advisory
cve@mitre.org | https://www.oracle.com/security-alerts/cpujul2020.html
af854a3a-2127-422b-91ae-364da2661108 | http://seclists.org/fulldisclosure/2019/Mar/49 | Mailing List, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 | http://www.securityfocus.com/bid/104423 | Third Party Advisory, VDB Entry
af854a3a-2127-422b-91ae-364da2661108 | http://www.securitytracker.com/id/1041048 | Third Party Advisory, VDB Entry
af854a3a-2127-422b-91ae-364da2661108 | https://access.redhat.com/errata/RHSA-2019:2097
af854a3a-2127-422b-91ae-364da2661108 | https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=900834 | Exploit, Mailing List, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 | https://seclists.org/bugtraq/2019/Mar/42 | Mailing List, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 | https://security.netapp.com/advisory/ntap-20180927-0001/ | Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 | https://support.apple.com/kb/HT209600 | Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 | https://usn.ubuntu.com/3684-1/ | Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 | https://usn.ubuntu.com/3684-2/ | Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 | https://www.debian.org/security/2018/dsa-4226 | Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 | https://www.oracle.com/security-alerts/cpujul2020.html



{
   configurations: [
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:lts:*:*:*",
                     matchCriteriaId: "B6B7CAD7-9D4E-4FDB-88E3-1E583210A01F",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*",
                     matchCriteriaId: "B5A6F2F3-4894-4392-8296-3B8DD2679084",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*",
                     matchCriteriaId: "F7016A2A-8365-4F1A-89A2-7A19F2BCAE5B",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:o:canonical:ubuntu_linux:17.10:*:*:*:*:*:*:*",
                     matchCriteriaId: "9070C9D8-A14A-467F-8253-33B966C16886",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*",
                     matchCriteriaId: "23A7C53F-B80F-4E6A-AFA9-58EEA84BE11D",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*",
                     matchCriteriaId: "C11E6FB0-C8C0-4527-9AA0-CB9B316F8F43",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*",
                     matchCriteriaId: "DEECE5FC-CACF-4496-A3E7-164736409252",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:a:perl:perl:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "FA33F373-89C1-4FAD-9B80-7B2BD4388162",
                     versionEndIncluding: "5.26.2",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:a:archive\\:\\:tar_project:archive\\:\\:tar:*:*:*:*:*:perl:*:*",
                     matchCriteriaId: "52784FCD-EC91-4EF7-998B-E28F95B99B7D",
                     versionEndIncluding: "2.28",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:o:apple:mac_os_x:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "09CDBB72-2A0D-4321-BA1F-4FB326A5646A",
                     versionEndExcluding: "10.14.4",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:a:netapp:data_ontap_edge:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "E0C4B1E5-75BF-43AE-BBAC-0DD4124C71ED",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:netapp:oncommand_workflow_automation:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "5735E553-9731-4AAC-BCFF-989377F817B3",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:netapp:snap_creator_framework:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "9F4754FB-E3EB-454A-AB1A-AE3835C5350C",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:netapp:snapdrive:-:*:*:*:*:unix:*:*",
                     matchCriteriaId: "61D7EF01-F618-497F-9375-8003CEA3D380",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
   ],
   cveTags: [],
   descriptions: [
      {
         lang: "en",
         value: "In Perl through 5.26.2, the Archive::Tar module allows remote attackers to bypass a directory-traversal protection mechanism, and overwrite arbitrary files, via an archive file containing a symlink and a regular file with the same name.",
      },
      {
         lang: "es",
         value: "En Perl hasta la versión 5.26.2, el módulo Archive::Tar permite que atacantes remotos omitan un mecanismo de protección de salto de directorio y sobrescriban archivos arbitrarios mediante un archivo comprimido que contiene un symlink y un archivo normal con el mismo nombre.",
      },
   ],
   id: "CVE-2018-12015",
   lastModified: "2024-11-21T03:44:24.850",
   metrics: {
      cvssMetricV2: [
         {
            acInsufInfo: true,
            baseSeverity: "MEDIUM",
            cvssData: {
               accessComplexity: "LOW",
               accessVector: "NETWORK",
               authentication: "NONE",
               availabilityImpact: "PARTIAL",
               baseScore: 6.4,
               confidentialityImpact: "NONE",
               integrityImpact: "PARTIAL",
               vectorString: "AV:N/AC:L/Au:N/C:N/I:P/A:P",
               version: "2.0",
            },
            exploitabilityScore: 10,
            impactScore: 4.9,
            obtainAllPrivilege: false,
            obtainOtherPrivilege: false,
            obtainUserPrivilege: false,
            source: "nvd@nist.gov",
            type: "Primary",
            userInteractionRequired: false,
         },
      ],
      cvssMetricV30: [
         {
            cvssData: {
               attackComplexity: "LOW",
               attackVector: "NETWORK",
               availabilityImpact: "NONE",
               baseScore: 7.5,
               baseSeverity: "HIGH",
               confidentialityImpact: "NONE",
               integrityImpact: "HIGH",
               privilegesRequired: "NONE",
               scope: "UNCHANGED",
               userInteraction: "NONE",
               vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
               version: "3.0",
            },
            exploitabilityScore: 3.9,
            impactScore: 3.6,
            source: "nvd@nist.gov",
            type: "Primary",
         },
      ],
   },
   published: "2018-06-07T13:29:00.240",
   references: [
      {
         source: "cve@mitre.org",
         tags: [
            "Mailing List",
            "Third Party Advisory",
         ],
         url: "http://seclists.org/fulldisclosure/2019/Mar/49",
      },
      {
         source: "cve@mitre.org",
         tags: [
            "Third Party Advisory",
            "VDB Entry",
         ],
         url: "http://www.securityfocus.com/bid/104423",
      },
      {
         source: "cve@mitre.org",
         tags: [
            "Third Party Advisory",
            "VDB Entry",
         ],
         url: "http://www.securitytracker.com/id/1041048",
      },
      {
         source: "cve@mitre.org",
         url: "https://access.redhat.com/errata/RHSA-2019:2097",
      },
      {
         source: "cve@mitre.org",
         tags: [
            "Exploit",
            "Mailing List",
            "Third Party Advisory",
         ],
         url: "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=900834",
      },
      {
         source: "cve@mitre.org",
         tags: [
            "Mailing List",
            "Third Party Advisory",
         ],
         url: "https://seclists.org/bugtraq/2019/Mar/42",
      },
      {
         source: "cve@mitre.org",
         tags: [
            "Patch",
            "Third Party Advisory",
         ],
         url: "https://security.netapp.com/advisory/ntap-20180927-0001/",
      },
      {
         source: "cve@mitre.org",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://support.apple.com/kb/HT209600",
      },
      {
         source: "cve@mitre.org",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://usn.ubuntu.com/3684-1/",
      },
      {
         source: "cve@mitre.org",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://usn.ubuntu.com/3684-2/",
      },
      {
         source: "cve@mitre.org",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://www.debian.org/security/2018/dsa-4226",
      },
      {
         source: "cve@mitre.org",
         url: "https://www.oracle.com/security-alerts/cpujul2020.html",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Mailing List",
            "Third Party Advisory",
         ],
         url: "http://seclists.org/fulldisclosure/2019/Mar/49",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Third Party Advisory",
            "VDB Entry",
         ],
         url: "http://www.securityfocus.com/bid/104423",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Third Party Advisory",
            "VDB Entry",
         ],
         url: "http://www.securitytracker.com/id/1041048",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         url: "https://access.redhat.com/errata/RHSA-2019:2097",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Exploit",
            "Mailing List",
            "Third Party Advisory",
         ],
         url: "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=900834",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Mailing List",
            "Third Party Advisory",
         ],
         url: "https://seclists.org/bugtraq/2019/Mar/42",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Patch",
            "Third Party Advisory",
         ],
         url: "https://security.netapp.com/advisory/ntap-20180927-0001/",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://support.apple.com/kb/HT209600",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://usn.ubuntu.com/3684-1/",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://usn.ubuntu.com/3684-2/",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://www.debian.org/security/2018/dsa-4226",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         url: "https://www.oracle.com/security-alerts/cpujul2020.html",
      },
   ],
   sourceIdentifier: "cve@mitre.org",
   vulnStatus: "Modified",
   weaknesses: [
      {
         description: [
            {
               lang: "en",
               value: "CWE-59",
            },
         ],
         source: "nvd@nist.gov",
         type: "Primary",
      },
   ],
}

Vulnerability from fkie_nvd
Published
2020-09-04 00:15
Modified
2024-11-21 05:16
Summary
GNOME project libxml2 v2.9.10 has a global buffer over-read vulnerability in xmlEncodeEntitiesInternal at libxml2/entities.c. The issue has been fixed in commit 50f06b3e.
References
cve@mitre.org | http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00036.html | Mailing List, Third Party Advisory
cve@mitre.org | http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00061.html | Mailing List, Third Party Advisory
cve@mitre.org | https://gitlab.gnome.org/GNOME/libxml2/-/commit/50f06b3efb638efb0abd95dc62dca05ae67882c2 | Patch, Vendor Advisory
cve@mitre.org | https://gitlab.gnome.org/GNOME/libxml2/-/issues/178 | Exploit, Issue Tracking, Patch, Vendor Advisory
cve@mitre.org | https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772%40%3Cdev.mina.apache.org%3E
cve@mitre.org | https://lists.debian.org/debian-lts-announce/2020/09/msg00009.html | Third Party Advisory
cve@mitre.org | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2NQ5GTDYOVH26PBCPYXXMGW5ZZXWMGZC/
cve@mitre.org | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5KTUAGDLEHTH6HU66HBFAFTSQ3OKRAN3/
cve@mitre.org | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/674LQPJO2P2XTBTREFR5LOZMBTZ4PZAY/
cve@mitre.org | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7KQXOHIE3MNY3VQXEN7LDQUJNIHOVHAW/
cve@mitre.org | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ENEHQIBMSI6TZVS35Y6I4FCTYUQDLJVP/
cve@mitre.org | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/H3IQ7OQXBKWD3YP7HO6KCNOMLE5ZO2IR/
cve@mitre.org | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/J3ICASXZI2UQYFJAOQWHSTNWGED3VXOE/
cve@mitre.org | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JCHXIWR5DHYO3RSO7RAHEC6VJKXD2EH2/
cve@mitre.org | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/O7MEWYKIKMV2SKMGH4IDWVU3ZGJXBCPQ/
cve@mitre.org | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RIQAMBA2IJUTQG5VOP5LZVIZRNCKXHEQ/
cve@mitre.org | https://security.gentoo.org/glsa/202107-05 | Third Party Advisory
cve@mitre.org | https://security.netapp.com/advisory/ntap-20200924-0001/ | Third Party Advisory
cve@mitre.org | https://security.netapp.com/advisory/ntap-20200924-0001/ | Third Party Advisory
cve@mitre.org | https://www.oracle.com/security-alerts/cpuapr2022.html | Patch, Third Party Advisory
cve@mitre.org | https://www.oracle.com/security-alerts/cpujul2022.html
cve@mitre.org | https://www.oracle.com/security-alerts/cpuoct2021.html | Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 | http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00036.html | Mailing List, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 | http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00061.html | Mailing List, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 | https://gitlab.gnome.org/GNOME/libxml2/-/commit/50f06b3efb638efb0abd95dc62dca05ae67882c2 | Patch, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108 | https://gitlab.gnome.org/GNOME/libxml2/-/issues/178 | Exploit, Issue Tracking, Patch, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108 | https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772%40%3Cdev.mina.apache.org%3E
af854a3a-2127-422b-91ae-364da2661108 | https://lists.debian.org/debian-lts-announce/2020/09/msg00009.html | Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2NQ5GTDYOVH26PBCPYXXMGW5ZZXWMGZC/
af854a3a-2127-422b-91ae-364da2661108 | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5KTUAGDLEHTH6HU66HBFAFTSQ3OKRAN3/
af854a3a-2127-422b-91ae-364da2661108 | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/674LQPJO2P2XTBTREFR5LOZMBTZ4PZAY/
af854a3a-2127-422b-91ae-364da2661108 | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7KQXOHIE3MNY3VQXEN7LDQUJNIHOVHAW/
af854a3a-2127-422b-91ae-364da2661108 | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ENEHQIBMSI6TZVS35Y6I4FCTYUQDLJVP/
af854a3a-2127-422b-91ae-364da2661108 | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/H3IQ7OQXBKWD3YP7HO6KCNOMLE5ZO2IR/
af854a3a-2127-422b-91ae-364da2661108 | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/J3ICASXZI2UQYFJAOQWHSTNWGED3VXOE/
af854a3a-2127-422b-91ae-364da2661108 | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JCHXIWR5DHYO3RSO7RAHEC6VJKXD2EH2/
af854a3a-2127-422b-91ae-364da2661108 | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/O7MEWYKIKMV2SKMGH4IDWVU3ZGJXBCPQ/
af854a3a-2127-422b-91ae-364da2661108 | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RIQAMBA2IJUTQG5VOP5LZVIZRNCKXHEQ/
af854a3a-2127-422b-91ae-364da2661108 | https://security.gentoo.org/glsa/202107-05 | Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 | https://security.netapp.com/advisory/ntap-20200924-0001/ | Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 | https://security.netapp.com/advisory/ntap-20200924-0001/ | Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 | https://www.oracle.com/security-alerts/cpuapr2022.html | Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 | https://www.oracle.com/security-alerts/cpujul2022.html
af854a3a-2127-422b-91ae-364da2661108 | https://www.oracle.com/security-alerts/cpuoct2021.html | Patch, Third Party Advisory



{
   configurations: [
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:a:xmlsoft:libxml2:2.9.10:*:*:*:*:*:*:*",
                     matchCriteriaId: "F5046B03-34DE-4574-AFDB-E0B2A8022E72",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*",
                     matchCriteriaId: "DEECE5FC-CACF-4496-A3E7-164736409252",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:o:fedoraproject:fedora:31:*:*:*:*:*:*:*",
                     matchCriteriaId: "80F0FA5D-8D3B-4C0E-81E2-87998286AF33",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*",
                     matchCriteriaId: "36D96259-24BD-44E2-96D9-78CE1D41F956",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*",
                     matchCriteriaId: "E460AA51-FCDA-46B9-AE97-E6676AA5E194",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*",
                     matchCriteriaId: "B620311B-34A3-48A6-82DF-6F078D7A4493",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:o:opensuse:leap:15.2:*:*:*:*:*:*:*",
                     matchCriteriaId: "B009C22E-30A4-4288-BCF6-C3E81DEAF45A",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:a:netapp:active_iq_unified_manager:*:*:*:*:*:windows:*:*",
                     matchCriteriaId: "BD075607-09B7-493E-8611-66D041FFDA62",
                     versionStartIncluding: "7.3",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:netapp:active_iq_unified_manager:*:*:*:*:*:vmware_vsphere:*:*",
                     matchCriteriaId: "0CB28AF5-5AF0-4475-A7B6-12E1795FFDCB",
                     versionStartIncluding: "9.5",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:netapp:clustered_data_ontap:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "1FE996B1-6951-4F85-AA58-B99A379D2163",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:netapp:clustered_data_ontap_antivirus_connector:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "62347994-1353-497C-9C4A-D5D8D95F67E8",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:netapp:inventory_collect_tool:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "A2C13438-3C64-40A6-AA0D-327CB722888D",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:netapp:manageability_software_development_kit:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "D39DCAE7-494F-40B2-867F-6C6A077939DD",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:netapp:snapdrive:-:*:*:*:*:unix:*:*",
                     matchCriteriaId: "61D7EF01-F618-497F-9375-8003CEA3D380",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:netapp:snapdrive:-:*:*:*:*:windows:*:*",
                     matchCriteriaId: "BEDE62C6-D571-4AF8-B85E-CBBCE4AF98B5",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:o:netapp:hci_h410c_firmware:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "08C564D8-E21F-403C-B4BB-7B14B7FB5DAE",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:h:netapp:hci_h410c:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "8532F5F0-00A1-4FA9-A80B-09E46D03F74F",
                     vulnerable: false,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
         operator: "AND",
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:a:oracle:communications_cloud_native_core_network_function_cloud_native_environment:1.10.0:*:*:*:*:*:*:*",
                     matchCriteriaId: "C2A5B24D-BDF2-423C-98EA-A40778C01A05",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:enterprise_manager_base_platform:13.4.0.0:*:*:*:*:*:*:*",
                     matchCriteriaId: "D26F3E23-F1A9-45E7-9E5F-0C0A24EE3783",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:enterprise_manager_base_platform:13.5.0.0:*:*:*:*:*:*:*",
                     matchCriteriaId: "6E8758C8-87D3-450A-878B-86CE8C9FC140",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:enterprise_manager_ops_center:12.4.0.0:*:*:*:*:*:*:*",
                     matchCriteriaId: "B095CC03-7077-4A58-AB25-CC5380CDCE5A",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:http_server:12.2.1.3.0:*:*:*:*:*:*:*",
                     matchCriteriaId: "DFC79B17-E9D2-44D5-93ED-2F959E7A3D43",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:http_server:12.2.1.4.0:*:*:*:*:*:*:*",
                     matchCriteriaId: "AD04BEE5-E9A8-4584-A68C-0195CE9C402C",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:mysql_workbench:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "EED6C8C2-F986-4CFD-A343-AD2340F850F2",
                     versionEndIncluding: "8.0.26",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.58:*:*:*:*:*:*:*",
                     matchCriteriaId: "D9DB4A14-2EF5-4B54-95D2-75E6CF9AA0A9",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:real_user_experience_insight:13.4.1.0:*:*:*:*:*:*:*",
                     matchCriteriaId: "CADD7026-EF85-40A5-8563-7A34C6941B1F",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:real_user_experience_insight:13.5.1.0:*:*:*:*:*:*:*",
                     matchCriteriaId: "58F019E8-F68D-41B5-9480-0A81616F2E7C",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
   ],
   cveTags: [],
   descriptions: [
      {
         lang: "en",
         value: "GNOME project libxml2 v2.9.10 has a global buffer over-read vulnerability in xmlEncodeEntitiesInternal at libxml2/entities.c. The issue has been fixed in commit 50f06b3e.",
      },
      {
         lang: "es",
         value: "El proyecto de GNOME libxml2 v2.9.10 tiene una vulnerabilidad de sobre lectura del buffer global en xmlEncodeEntitiesInternal en libxml2/entities.c. El problema ha sido corregido en el commit 50f06b3e",
      },
   ],
   id: "CVE-2020-24977",
   lastModified: "2024-11-21T05:16:15.740",
   metrics: {
      cvssMetricV2: [
         {
            acInsufInfo: false,
            baseSeverity: "MEDIUM",
            cvssData: {
               accessComplexity: "LOW",
               accessVector: "NETWORK",
               authentication: "NONE",
               availabilityImpact: "PARTIAL",
               baseScore: 6.4,
               confidentialityImpact: "PARTIAL",
               integrityImpact: "NONE",
               vectorString: "AV:N/AC:L/Au:N/C:P/I:N/A:P",
               version: "2.0",
            },
            exploitabilityScore: 10,
            impactScore: 4.9,
            obtainAllPrivilege: false,
            obtainOtherPrivilege: false,
            obtainUserPrivilege: false,
            source: "nvd@nist.gov",
            type: "Primary",
            userInteractionRequired: false,
         },
      ],
      cvssMetricV31: [
         {
            cvssData: {
               attackComplexity: "LOW",
               attackVector: "NETWORK",
               availabilityImpact: "LOW",
               baseScore: 6.5,
               baseSeverity: "MEDIUM",
               confidentialityImpact: "LOW",
               integrityImpact: "NONE",
               privilegesRequired: "NONE",
               scope: "UNCHANGED",
               userInteraction: "NONE",
               vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L",
               version: "3.1",
            },
            exploitabilityScore: 3.9,
            impactScore: 2.5,
            source: "nvd@nist.gov",
            type: "Primary",
         },
      ],
   },
   published: "2020-09-04T00:15:10.693",
   references: [
      {
         source: "cve@mitre.org",
         tags: [
            "Mailing List",
            "Third Party Advisory",
         ],
         url: "http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00036.html",
      },
      {
         source: "cve@mitre.org",
         tags: [
            "Mailing List",
            "Third Party Advisory",
         ],
         url: "http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00061.html",
      },
      {
         source: "cve@mitre.org",
         tags: [
            "Patch",
            "Vendor Advisory",
         ],
         url: "https://gitlab.gnome.org/GNOME/libxml2/-/commit/50f06b3efb638efb0abd95dc62dca05ae67882c2",
      },
      {
         source: "cve@mitre.org",
         tags: [
            "Exploit",
            "Issue Tracking",
            "Patch",
            "Vendor Advisory",
         ],
         url: "https://gitlab.gnome.org/GNOME/libxml2/-/issues/178",
      },
      {
         source: "cve@mitre.org",
         url: "https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772%40%3Cdev.mina.apache.org%3E",
      },
      {
         source: "cve@mitre.org",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://lists.debian.org/debian-lts-announce/2020/09/msg00009.html",
      },
      {
         source: "cve@mitre.org",
         url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2NQ5GTDYOVH26PBCPYXXMGW5ZZXWMGZC/",
      },
      {
         source: "cve@mitre.org",
         url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5KTUAGDLEHTH6HU66HBFAFTSQ3OKRAN3/",
      },
      {
         source: "cve@mitre.org",
         url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/674LQPJO2P2XTBTREFR5LOZMBTZ4PZAY/",
      },
      {
         source: "cve@mitre.org",
         url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7KQXOHIE3MNY3VQXEN7LDQUJNIHOVHAW/",
      },
      {
         source: "cve@mitre.org",
         url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ENEHQIBMSI6TZVS35Y6I4FCTYUQDLJVP/",
      },
      {
         source: "cve@mitre.org",
         url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/H3IQ7OQXBKWD3YP7HO6KCNOMLE5ZO2IR/",
      },
      {
         source: "cve@mitre.org",
         url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/J3ICASXZI2UQYFJAOQWHSTNWGED3VXOE/",
      },
      {
         source: "cve@mitre.org",
         url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JCHXIWR5DHYO3RSO7RAHEC6VJKXD2EH2/",
      },
      {
         source: "cve@mitre.org",
         url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/O7MEWYKIKMV2SKMGH4IDWVU3ZGJXBCPQ/",
      },
      {
         source: "cve@mitre.org",
         url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RIQAMBA2IJUTQG5VOP5LZVIZRNCKXHEQ/",
      },
      {
         source: "cve@mitre.org",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://security.gentoo.org/glsa/202107-05",
      },
      {
         source: "cve@mitre.org",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://security.netapp.com/advisory/ntap-20200924-0001/",
      },
      {
         source: "cve@mitre.org",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://security.netapp.com/advisory/ntap-20200924-0001/",
      },
      {
         source: "cve@mitre.org",
         tags: [
            "Patch",
            "Third Party Advisory",
         ],
         url: "https://www.oracle.com/security-alerts/cpuapr2022.html",
      },
      {
         source: "cve@mitre.org",
         url: "https://www.oracle.com/security-alerts/cpujul2022.html",
      },
      {
         source: "cve@mitre.org",
         tags: [
            "Patch",
            "Third Party Advisory",
         ],
         url: "https://www.oracle.com/security-alerts/cpuoct2021.html",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Mailing List",
            "Third Party Advisory",
         ],
         url: "http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00036.html",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Mailing List",
            "Third Party Advisory",
         ],
         url: "http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00061.html",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Patch",
            "Vendor Advisory",
         ],
         url: "https://gitlab.gnome.org/GNOME/libxml2/-/commit/50f06b3efb638efb0abd95dc62dca05ae67882c2",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Exploit",
            "Issue Tracking",
            "Patch",
            "Vendor Advisory",
         ],
         url: "https://gitlab.gnome.org/GNOME/libxml2/-/issues/178",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         url: "https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772%40%3Cdev.mina.apache.org%3E",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://lists.debian.org/debian-lts-announce/2020/09/msg00009.html",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2NQ5GTDYOVH26PBCPYXXMGW5ZZXWMGZC/",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5KTUAGDLEHTH6HU66HBFAFTSQ3OKRAN3/",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/674LQPJO2P2XTBTREFR5LOZMBTZ4PZAY/",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7KQXOHIE3MNY3VQXEN7LDQUJNIHOVHAW/",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ENEHQIBMSI6TZVS35Y6I4FCTYUQDLJVP/",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/H3IQ7OQXBKWD3YP7HO6KCNOMLE5ZO2IR/",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/J3ICASXZI2UQYFJAOQWHSTNWGED3VXOE/",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JCHXIWR5DHYO3RSO7RAHEC6VJKXD2EH2/",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/O7MEWYKIKMV2SKMGH4IDWVU3ZGJXBCPQ/",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RIQAMBA2IJUTQG5VOP5LZVIZRNCKXHEQ/",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://security.gentoo.org/glsa/202107-05",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://security.netapp.com/advisory/ntap-20200924-0001/",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://security.netapp.com/advisory/ntap-20200924-0001/",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Patch",
            "Third Party Advisory",
         ],
         url: "https://www.oracle.com/security-alerts/cpuapr2022.html",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         url: "https://www.oracle.com/security-alerts/cpujul2022.html",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Patch",
            "Third Party Advisory",
         ],
         url: "https://www.oracle.com/security-alerts/cpuoct2021.html",
      },
   ],
   sourceIdentifier: "cve@mitre.org",
   vulnStatus: "Modified",
   weaknesses: [
      {
         description: [
            {
               lang: "en",
               value: "CWE-125",
            },
         ],
         source: "nvd@nist.gov",
         type: "Primary",
      },
   ],
}

Vulnerability from fkie_nvd
Published
2021-07-09 17:15
Modified
2024-11-21 06:21
Summary
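A flaw was found in libxml2. An exponential entity expansion attack is possible that bypasses all existing protection mechanisms and leads to denial of service. The record below classifies the weakness as CWE-776 and lists libxml2 versions before 2.9.11 as affected.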



{
   configurations: [
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:a:xmlsoft:libxml2:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "208AF535-5D38-45B4-B227-2892611C5A20",
                     versionEndExcluding: "2.9.11",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:a:redhat:jboss_core_services:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "9B453CF7-9AA6-4B94-A003-BF7AE0B82F53",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:a:oracle:zfs_storage_appliance_kit:8.8:*:*:*:*:*:*:*",
                     matchCriteriaId: "D3E503FB-6279-4D4A-91D8-E237ECF9D2B0",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:vmware_vsphere:*:*",
                     matchCriteriaId: "3A756737-1CC4-42C2-A4DF-E1C893B4E2D5",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:netapp:cloud_backup:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "5C2089EE-5D7F-47EC-8EA5-0F69790564C4",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:netapp:clustered_data_ontap:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "1FE996B1-6951-4F85-AA58-B99A379D2163",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:netapp:clustered_data_ontap_antivirus_connector:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "62347994-1353-497C-9C4A-D5D8D95F67E8",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:netapp:manageability_software_development_kit:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "D39DCAE7-494F-40B2-867F-6C6A077939DD",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:netapp:ontap_select_deploy_administration_utility:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "E7CF3019-975D-40BB-A8A4-894E62BD3797",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:netapp:smi-s_provider:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "4BB0FDCF-3750-44C6-AC5C-0CC2AAD14093",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:netapp:snapdrive:-:*:*:*:*:unix:*:*",
                     matchCriteriaId: "61D7EF01-F618-497F-9375-8003CEA3D380",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:o:netapp:h410c_firmware:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "234DEFE0-5CE5-4B0A-96B8-5D227CB8ED31",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:h:netapp:h410c:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "CDDF61B7-EC5C-467C-B710-B89F502CD04F",
                     vulnerable: false,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
         operator: "AND",
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:o:netapp:h300s_firmware:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "6770B6C3-732E-4E22-BF1C-2D2FD610061C",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:h:netapp:h300s:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "9F9C8C20-42EB-4AB5-BD97-212DEB070C43",
                     vulnerable: false,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
         operator: "AND",
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:o:netapp:h500s_firmware:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "7FFF7106-ED78-49BA-9EC5-B889E3685D53",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:h:netapp:h500s:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "E63D8B0F-006E-4801-BF9D-1C001BBFB4F9",
                     vulnerable: false,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
         operator: "AND",
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:o:netapp:h700s_firmware:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "56409CEC-5A1E-4450-AA42-641E459CC2AF",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:h:netapp:h700s:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "B06F4839-D16A-4A61-9BB5-55B13F41E47F",
                     vulnerable: false,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
         operator: "AND",
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:o:netapp:h300e_firmware:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "108A2215-50FB-4074-94CF-C130FA14566D",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:h:netapp:h300e:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "7AFC73CE-ABB9-42D3-9A71-3F5BC5381E0E",
                     vulnerable: false,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
         operator: "AND",
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:o:netapp:h500e_firmware:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "32F0B6C0-F930-480D-962B-3F4EFDCC13C7",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:h:netapp:h500e:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "803BC414-B250-4E3A-A478-A3881340D6B8",
                     vulnerable: false,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
         operator: "AND",
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:o:netapp:h700e_firmware:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "0FEB3337-BFDE-462A-908B-176F92053CEC",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:h:netapp:h700e:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "736AEAE9-782B-4F71-9893-DED53367E102",
                     vulnerable: false,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
         operator: "AND",
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:o:netapp:h410s_firmware:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "D0B4AD8A-F172-4558-AEC6-FF424BA2D912",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:h:netapp:h410s:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "8497A4C9-8474-4A62-8331-3FE862ED4098",
                     vulnerable: false,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
         operator: "AND",
      },
   ],
   cveTags: [],
   descriptions: [
      {
         lang: "en",
         value: "A flaw was found in libxml2. Exponential entity expansion attack its possible bypassing all existing protection mechanisms and leading to denial of service.",
      },
      {
         lang: "es",
         value: "Se ha encontrado un fallo en libxml2. Es posible un ataque de expansión exponencial de entidades omitiendo todos los mecanismos de protección existentes y conllevando a una denegación de servicio",
      },
   ],
   id: "CVE-2021-3541",
   lastModified: "2024-11-21T06:21:48.007",
   metrics: {
      cvssMetricV2: [
         {
            acInsufInfo: false,
            baseSeverity: "MEDIUM",
            cvssData: {
               accessComplexity: "LOW",
               accessVector: "NETWORK",
               authentication: "SINGLE",
               availabilityImpact: "PARTIAL",
               baseScore: 4,
               confidentialityImpact: "NONE",
               integrityImpact: "NONE",
               vectorString: "AV:N/AC:L/Au:S/C:N/I:N/A:P",
               version: "2.0",
            },
            exploitabilityScore: 8,
            impactScore: 2.9,
            obtainAllPrivilege: false,
            obtainOtherPrivilege: false,
            obtainUserPrivilege: false,
            source: "nvd@nist.gov",
            type: "Primary",
            userInteractionRequired: false,
         },
      ],
      cvssMetricV31: [
         {
            cvssData: {
               attackComplexity: "LOW",
               attackVector: "NETWORK",
               availabilityImpact: "HIGH",
               baseScore: 6.5,
               baseSeverity: "MEDIUM",
               confidentialityImpact: "NONE",
               integrityImpact: "NONE",
               privilegesRequired: "LOW",
               scope: "UNCHANGED",
               userInteraction: "NONE",
               vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
               version: "3.1",
            },
            exploitabilityScore: 2.8,
            impactScore: 3.6,
            source: "nvd@nist.gov",
            type: "Primary",
         },
      ],
   },
   published: "2021-07-09T17:15:07.973",
   references: [
      {
         source: "secalert@redhat.com",
         tags: [
            "Issue Tracking",
            "Patch",
            "Third Party Advisory",
         ],
         url: "https://bugzilla.redhat.com/show_bug.cgi?id=1950515",
      },
      {
         source: "secalert@redhat.com",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://security.netapp.com/advisory/ntap-20210805-0007/",
      },
      {
         source: "secalert@redhat.com",
         tags: [
            "Patch",
            "Third Party Advisory",
         ],
         url: "https://www.oracle.com/security-alerts/cpujan2022.html",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Issue Tracking",
            "Patch",
            "Third Party Advisory",
         ],
         url: "https://bugzilla.redhat.com/show_bug.cgi?id=1950515",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://security.netapp.com/advisory/ntap-20210805-0007/",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Patch",
            "Third Party Advisory",
         ],
         url: "https://www.oracle.com/security-alerts/cpujan2022.html",
      },
   ],
   sourceIdentifier: "secalert@redhat.com",
   vulnStatus: "Modified",
   weaknesses: [
      {
         description: [
            {
               lang: "en",
               value: "CWE-776",
            },
         ],
         source: "nvd@nist.gov",
         type: "Primary",
      },
   ],
}

Vulnerability from fkie_nvd
Published
2017-11-13 22:29
Modified
2025-04-20 01:37
Summary
A denial of service flaw was found in OpenSSL 0.9.8, 1.0.1, 1.0.2 through 1.0.2h, and 1.1.0 in the way the TLS/SSL protocol defined processing of ALERT packets during a connection handshake. A remote attacker could use this flaw to make a TLS/SSL server consume an excessive amount of CPU and fail to accept connections from other clients.
References
secalert@redhat.com | http://rhn.redhat.com/errata/RHSA-2017-0286.html | Third Party Advisory
secalert@redhat.com | http://rhn.redhat.com/errata/RHSA-2017-0574.html | Third Party Advisory
secalert@redhat.com | http://rhn.redhat.com/errata/RHSA-2017-1415.html | Third Party Advisory
secalert@redhat.com | http://rhn.redhat.com/errata/RHSA-2017-1659.html | Third Party Advisory
secalert@redhat.com | http://seclists.org/oss-sec/2016/q4/224 | Mailing List, Third Party Advisory
secalert@redhat.com | http://www.securityfocus.com/bid/93841 | Third Party Advisory, VDB Entry
secalert@redhat.com | http://www.securitytracker.com/id/1037084 | Third Party Advisory, VDB Entry
secalert@redhat.com | https://access.redhat.com/errata/RHSA-2017:1413 | Third Party Advisory
secalert@redhat.com | https://access.redhat.com/errata/RHSA-2017:1414 | Third Party Advisory
secalert@redhat.com | https://access.redhat.com/errata/RHSA-2017:1658 | Third Party Advisory
secalert@redhat.com | https://access.redhat.com/errata/RHSA-2017:1801 | Third Party Advisory
secalert@redhat.com | https://access.redhat.com/errata/RHSA-2017:1802 | Third Party Advisory
secalert@redhat.com | https://access.redhat.com/errata/RHSA-2017:2493 | Third Party Advisory
secalert@redhat.com | https://access.redhat.com/errata/RHSA-2017:2494 | Third Party Advisory
secalert@redhat.com | https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-8610 | Issue Tracking, Patch, Third Party Advisory
secalert@redhat.com | https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commit%3Bh=af58be768ebb690f78530f796e92b8ae5c9a4401 | Broken Link
secalert@redhat.com | https://security.360.cn/cve/CVE-2016-8610/ | Third Party Advisory
secalert@redhat.com | https://security.FreeBSD.org/advisories/FreeBSD-SA-16:35.openssl.asc | Third Party Advisory
secalert@redhat.com | https://security.netapp.com/advisory/ntap-20171130-0001/ | Third Party Advisory
secalert@redhat.com | https://security.paloaltonetworks.com/CVE-2016-8610 | Third Party Advisory
secalert@redhat.com | https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03897en_us | Third Party Advisory
secalert@redhat.com | https://www.debian.org/security/2017/dsa-3773 | Third Party Advisory
secalert@redhat.com | https://www.oracle.com/security-alerts/cpuapr2020.html | Patch, Third Party Advisory
secalert@redhat.com | https://www.oracle.com/security-alerts/cpujan2020.html | Patch, Third Party Advisory
secalert@redhat.com | https://www.oracle.com/security-alerts/cpujul2020.html | Patch, Third Party Advisory
secalert@redhat.com | https://www.oracle.com/security-alerts/cpuoct2020.html | Patch, Third Party Advisory
secalert@redhat.com | https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html | Patch, Third Party Advisory
secalert@redhat.com | https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html | Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 http://rhn.redhat.com/errata/RHSA-2017-0286.html Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 http://rhn.redhat.com/errata/RHSA-2017-0574.html Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 http://rhn.redhat.com/errata/RHSA-2017-1415.html Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 http://rhn.redhat.com/errata/RHSA-2017-1659.html Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 http://seclists.org/oss-sec/2016/q4/224 Mailing List, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 http://www.securityfocus.com/bid/93841 Third Party Advisory, VDB Entry
af854a3a-2127-422b-91ae-364da2661108 http://www.securitytracker.com/id/1037084 Third Party Advisory, VDB Entry
af854a3a-2127-422b-91ae-364da2661108 https://access.redhat.com/errata/RHSA-2017:1413 Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 https://access.redhat.com/errata/RHSA-2017:1414 Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 https://access.redhat.com/errata/RHSA-2017:1658 Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 https://access.redhat.com/errata/RHSA-2017:1801 Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 https://access.redhat.com/errata/RHSA-2017:1802 Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 https://access.redhat.com/errata/RHSA-2017:2493 Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 https://access.redhat.com/errata/RHSA-2017:2494 Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-8610 Issue Tracking, Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commit%3Bh=af58be768ebb690f78530f796e92b8ae5c9a4401 Broken Link
af854a3a-2127-422b-91ae-364da2661108 https://security.360.cn/cve/CVE-2016-8610/ Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 https://security.FreeBSD.org/advisories/FreeBSD-SA-16:35.openssl.asc Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 https://security.netapp.com/advisory/ntap-20171130-0001/ Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 https://security.paloaltonetworks.com/CVE-2016-8610 Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03897en_us Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 https://www.debian.org/security/2017/dsa-3773 Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 https://www.oracle.com/security-alerts/cpuapr2020.html Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 https://www.oracle.com/security-alerts/cpujan2020.html Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 https://www.oracle.com/security-alerts/cpujul2020.html Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 https://www.oracle.com/security-alerts/cpuoct2020.html Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html Patch, Third Party Advisory
Impacted products
Vendor Product Version
openssl openssl *
openssl openssl 0.9.8
openssl openssl 1.0.1
openssl openssl 1.1.0
debian debian_linux 8.0
redhat enterprise_linux_desktop 6.0
redhat enterprise_linux_desktop 7.0
redhat enterprise_linux_server 6.0
redhat enterprise_linux_server 7.0
redhat enterprise_linux_server_aus 7.3
redhat enterprise_linux_server_aus 7.4
redhat enterprise_linux_server_aus 7.6
redhat enterprise_linux_server_eus 7.3
redhat enterprise_linux_server_eus 7.4
redhat enterprise_linux_server_eus 7.5
redhat enterprise_linux_server_eus 7.6
redhat enterprise_linux_server_tus 7.3
redhat enterprise_linux_server_tus 7.6
redhat enterprise_linux_workstation 6.0
redhat enterprise_linux_workstation 7.0
redhat jboss_enterprise_application_platform 6.0.0
redhat jboss_enterprise_application_platform 6.4.0
redhat enterprise_linux 6.0
redhat enterprise_linux 7.0
netapp cn1610_firmware -
netapp cn1610 -
netapp clustered_data_ontap_antivirus_connector -
netapp data_ontap -
netapp data_ontap_edge -
netapp e-series_santricity_os_controller *
netapp host_agent -
netapp oncommand_balance -
netapp oncommand_unified_manager -
netapp oncommand_workflow_automation -
netapp ontap_select_deploy -
netapp service_processor -
netapp smi-s_provider -
netapp snapcenter_server -
netapp snapdrive -
netapp storagegrid -
netapp storagegrid_webscale -
netapp clustered_data_ontap -
paloaltonetworks pan-os *
paloaltonetworks pan-os *
paloaltonetworks pan-os *
oracle adaptive_access_manager 11.1.2.3.0
oracle application_testing_suite 13.3.0.1
oracle communications_analytics 12.1.1
oracle communications_ip_service_activator 7.3.4
oracle communications_ip_service_activator 7.4.0
oracle core_rdbms 11.2.0.4
oracle core_rdbms 12.1.0.2
oracle core_rdbms 12.2.0.1
oracle core_rdbms 18c
oracle core_rdbms 19c
oracle enterprise_manager_ops_center 12.3.3
oracle enterprise_manager_ops_center 12.4.0
oracle goldengate_application_adapters 12.3.2.1.0
oracle jd_edwards_enterpriseone_tools 9.2
oracle peoplesoft_enterprise_peopletools 8.56
oracle peoplesoft_enterprise_peopletools 8.57
oracle peoplesoft_enterprise_peopletools 8.58
oracle retail_predictive_application_server 15.0.3
oracle retail_predictive_application_server 16.0.3
oracle timesten_in-memory_database *
oracle weblogic_server 10.3.6.0.0
oracle weblogic_server 12.1.3.0.0
oracle weblogic_server 12.2.1.3.0
oracle weblogic_server 12.2.1.4.0
fujitsu m10-1_firmware *
fujitsu m10-1_firmware *
fujitsu m10-1 -
fujitsu m10-4_firmware *
fujitsu m10-4_firmware *
fujitsu m10-4 -
fujitsu m10-4s_firmware *
fujitsu m10-4s_firmware *
fujitsu m10-4s -
fujitsu m12-1_firmware *
fujitsu m12-1_firmware *
fujitsu m12-1 -
fujitsu m12-2_firmware *
fujitsu m12-2_firmware *
fujitsu m12-2 -
fujitsu m12-2s_firmware *
fujitsu m12-2s_firmware *
fujitsu m12-2s -



{
   configurations: [
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "0BD3F477-4078-42BC-AF81-A68487FCDBEC",
                     versionEndIncluding: "1.0.2h",
                     versionStartIncluding: "1.0.2",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:openssl:openssl:0.9.8:*:*:*:*:*:*:*",
                     matchCriteriaId: "8A4E446D-B9D3-45F2-9722-B41FA14A6C31",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:openssl:openssl:1.0.1:*:*:*:*:*:*:*",
                     matchCriteriaId: "2D1C00C0-C77E-4255-9ECA-20F2673C7366",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:openssl:openssl:1.1.0:*:*:*:*:*:*:*",
                     matchCriteriaId: "73104834-5810-48DD-9B97-549D223853F1",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*",
                     matchCriteriaId: "C11E6FB0-C8C0-4527-9AA0-CB9B316F8F43",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:o:redhat:enterprise_linux_desktop:6.0:*:*:*:*:*:*:*",
                     matchCriteriaId: "EE249E1B-A1FD-4E08-AA71-A0E1F10FFE97",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:o:redhat:enterprise_linux_desktop:7.0:*:*:*:*:*:*:*",
                     matchCriteriaId: "33C068A4-3780-4EAB-A937-6082DF847564",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:o:redhat:enterprise_linux_server:6.0:*:*:*:*:*:*:*",
                     matchCriteriaId: "9BBCD86A-E6C7-4444-9D74-F861084090F0",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:*",
                     matchCriteriaId: "51EF4996-72F4-4FA4-814F-F5991E7A8318",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:o:redhat:enterprise_linux_server_aus:7.3:*:*:*:*:*:*:*",
                     matchCriteriaId: "98381E61-F082-4302-B51F-5648884F998B",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:o:redhat:enterprise_linux_server_aus:7.4:*:*:*:*:*:*:*",
                     matchCriteriaId: "D99A687E-EAE6-417E-A88E-D0082BC194CD",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:o:redhat:enterprise_linux_server_aus:7.6:*:*:*:*:*:*:*",
                     matchCriteriaId: "B353CE99-D57C-465B-AAB0-73EF581127D1",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:o:redhat:enterprise_linux_server_eus:7.3:*:*:*:*:*:*:*",
                     matchCriteriaId: "A8442C20-41F9-47FD-9A12-E724D3A31FD7",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:o:redhat:enterprise_linux_server_eus:7.4:*:*:*:*:*:*:*",
                     matchCriteriaId: "9EC0D196-F7B8-4BDD-9050-779F7A7FBEE4",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:o:redhat:enterprise_linux_server_eus:7.5:*:*:*:*:*:*:*",
                     matchCriteriaId: "A4E9DD8A-A68B-4A69-8B01-BFF92A2020A8",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:o:redhat:enterprise_linux_server_eus:7.6:*:*:*:*:*:*:*",
                     matchCriteriaId: "BF77CDCF-B9C9-427D-B2BF-36650FB2148C",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:o:redhat:enterprise_linux_server_tus:7.3:*:*:*:*:*:*:*",
                     matchCriteriaId: "24C0F4E1-C52C-41E0-9F14-F83ADD5CC7ED",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:o:redhat:enterprise_linux_server_tus:7.6:*:*:*:*:*:*:*",
                     matchCriteriaId: "B76AA310-FEC7-497F-AF04-C3EC1E76C4CC",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:o:redhat:enterprise_linux_workstation:6.0:*:*:*:*:*:*:*",
                     matchCriteriaId: "E5ED5807-55B7-47C5-97A6-03233F4FBC3A",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:o:redhat:enterprise_linux_workstation:7.0:*:*:*:*:*:*:*",
                     matchCriteriaId: "825ECE2D-E232-46E0-A047-074B34DB1E97",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:a:redhat:jboss_enterprise_application_platform:6.0.0:*:*:*:*:*:*:*",
                     matchCriteriaId: "B142ACCC-F7A9-4A3B-BE60-0D6691D5058D",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:redhat:jboss_enterprise_application_platform:6.4.0:*:*:*:*:*:*:*",
                     matchCriteriaId: "B1ABA871-3271-48E2-A69C-5AD70AF94E53",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:o:redhat:enterprise_linux:6.0:*:*:*:*:*:*:*",
                     matchCriteriaId: "2F6AB192-9D7D-4A9A-8995-E53A9DE9EAFC",
                     vulnerable: false,
                  },
                  {
                     criteria: "cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*",
                     matchCriteriaId: "142AD0DD-4CF3-4D74-9442-459CE3347E3A",
                     vulnerable: false,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
         operator: "AND",
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:o:netapp:cn1610_firmware:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "EB30733E-68FC-49C4-86C0-7FEE75C366BF",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:h:netapp:cn1610:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "6361DAC6-600F-4B15-8797-D67F298F46FB",
                     vulnerable: false,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
         operator: "AND",
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:a:netapp:clustered_data_ontap_antivirus_connector:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "62347994-1353-497C-9C4A-D5D8D95F67E8",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:netapp:data_ontap:-:*:*:*:*:7-mode:*:*",
                     matchCriteriaId: "6C2ACC32-5147-4EA5-95BE-B6B4EAB3D82B",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:netapp:data_ontap_edge:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "E0C4B1E5-75BF-43AE-BBAC-0DD4124C71ED",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:netapp:e-series_santricity_os_controller:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "9C82200F-A26E-4AD4-82FF-DC5601A28D52",
                     versionEndIncluding: "11.40",
                     versionStartIncluding: "11.0",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:netapp:host_agent:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "546855F3-654C-48F0-B3A0-FF1ABBF04007",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:netapp:oncommand_balance:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "7DCBCC5D-C396-47A8-ADF4-D3A2C4377FB1",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:netapp:oncommand_unified_manager:-:*:*:*:*:7-mode:*:*",
                     matchCriteriaId: "3FA5E22C-489B-4C5F-A5F3-C03F45CA8811",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:netapp:oncommand_workflow_automation:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "5735E553-9731-4AAC-BCFF-989377F817B3",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:netapp:ontap_select_deploy:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "7E968916-8CE0-4165-851F-14E37ECEA948",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:netapp:service_processor:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "146A767F-DC04-454B-9913-17D3A2B5AAA4",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:netapp:smi-s_provider:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "4BB0FDCF-3750-44C6-AC5C-0CC2AAD14093",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:netapp:snapcenter_server:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "E788440A-02B0-45F5-AFBC-7109F3177033",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:netapp:snapdrive:-:*:*:*:*:unix:*:*",
                     matchCriteriaId: "61D7EF01-F618-497F-9375-8003CEA3D380",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:netapp:storagegrid:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "8ADFF451-740F-4DBA-BD23-3881945D3E40",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:netapp:storagegrid_webscale:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "813CD8F9-9F05-49A7-BB4D-E9A1D54D6DFD",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:o:netapp:clustered_data_ontap:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "1FED6CAE-D97F-49E0-9D00-1642A3A427B4",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:o:paloaltonetworks:pan-os:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "460EF266-5397-4FB9-B4C3-BECB2FB12AE4",
                     versionEndIncluding: "6.1.17",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:o:paloaltonetworks:pan-os:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "2C837CEA-991C-45BA-8DFF-20F4E98E4639",
                     versionEndIncluding: "7.0.15",
                     versionStartIncluding: "7.0.0",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:o:paloaltonetworks:pan-os:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "1558B8D3-B289-4143-A3C2-F8EF29CECDD3",
                     versionEndIncluding: "7.1.10",
                     versionStartIncluding: "7.1.0",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:a:oracle:adaptive_access_manager:11.1.2.3.0:*:*:*:*:*:*:*",
                     matchCriteriaId: "530B1012-03DF-4AE2-863E-FB07351FE4A9",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:application_testing_suite:13.3.0.1:*:*:*:*:*:*:*",
                     matchCriteriaId: "A125E817-F974-4509-872C-B71933F42AD1",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:communications_analytics:12.1.1:*:*:*:*:*:*:*",
                     matchCriteriaId: "55D98C27-734F-490B-92D5-251805C841B9",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:communications_ip_service_activator:7.3.4:*:*:*:*:*:*:*",
                     matchCriteriaId: "BDB13348-C8CA-4E71-9DC6-091B09D52E96",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:communications_ip_service_activator:7.4.0:*:*:*:*:*:*:*",
                     matchCriteriaId: "DE7A60DB-A287-4E61-8131-B6314007191B",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:core_rdbms:11.2.0.4:*:*:*:*:*:*:*",
                     matchCriteriaId: "E1367C5D-8815-41E6-B609-E855CB8B1AA7",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:core_rdbms:12.1.0.2:*:*:*:*:*:*:*",
                     matchCriteriaId: "7E150F02-5B34-4496-A024-335DF64D7F8F",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:core_rdbms:12.2.0.1:*:*:*:*:*:*:*",
                     matchCriteriaId: "4059F859-A7D8-4ADD-93EE-74AF082ED34A",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:core_rdbms:18c:*:*:*:*:*:*:*",
                     matchCriteriaId: "C9FFAF8E-4023-4599-9F0D-274E6517CB1B",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:core_rdbms:19c:*:*:*:*:*:*:*",
                     matchCriteriaId: "9B639209-A651-43FB-8F0C-B25F605521EC",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:enterprise_manager_ops_center:12.3.3:*:*:*:*:*:*:*",
                     matchCriteriaId: "AB654DFA-FEF9-4D00-ADB0-F3F2B6ACF13E",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:enterprise_manager_ops_center:12.4.0:*:*:*:*:*:*:*",
                     matchCriteriaId: "37209C6F-EF99-4D21-9608-B3A06D283D24",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:goldengate_application_adapters:12.3.2.1.0:*:*:*:*:*:*:*",
                     matchCriteriaId: "F6F259E6-10A8-4207-8FC2-85ABD70B04C0",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:9.2:*:*:*:*:*:*:*",
                     matchCriteriaId: "41684398-18A4-4DC6-B8A2-3EBAA0CBF9A6",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.56:*:*:*:*:*:*:*",
                     matchCriteriaId: "D0A735B4-4F3C-416B-8C08-9CB21BAD2889",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.57:*:*:*:*:*:*:*",
                     matchCriteriaId: "7E1E416B-920B-49A0-9523-382898C2979D",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.58:*:*:*:*:*:*:*",
                     matchCriteriaId: "D9DB4A14-2EF5-4B54-95D2-75E6CF9AA0A9",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:retail_predictive_application_server:15.0.3:*:*:*:*:*:*:*",
                     matchCriteriaId: "24A3C819-5151-4543-A5C6-998C9387C8A2",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:retail_predictive_application_server:16.0.3:*:*:*:*:*:*:*",
                     matchCriteriaId: "4FB98961-8C99-4490-A6B8-9A5158784F5A",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:timesten_in-memory_database:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "A6DA0527-562D-457F-A2BB-3DF5EAABA1AB",
                     versionEndExcluding: "18.1.4.1.0",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:weblogic_server:10.3.6.0.0:*:*:*:*:*:*:*",
                     matchCriteriaId: "B40B13B7-68B3-4510-968C-6A730EB46462",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:weblogic_server:12.1.3.0.0:*:*:*:*:*:*:*",
                     matchCriteriaId: "C93CC705-1F8C-4870-99E6-14BF264C3811",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:weblogic_server:12.2.1.3.0:*:*:*:*:*:*:*",
                     matchCriteriaId: "F14A818F-AA16-4438-A3E4-E64C9287AC66",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:weblogic_server:12.2.1.4.0:*:*:*:*:*:*:*",
                     matchCriteriaId: "4A5BB153-68E0-4DDA-87D1-0D9AB7F0A418",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:o:fujitsu:m10-1_firmware:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "271CACEB-10F5-4CA8-9C99-3274F18EE62D",
                     versionEndExcluding: "xcp2361",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:o:fujitsu:m10-1_firmware:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "EF82224E-9EED-472E-A038-768E4179B219",
                     versionEndExcluding: "xcp3070",
                     versionStartIncluding: "xcp3000",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:h:fujitsu:m10-1:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "983D27DE-BC89-454E-AE47-95A26A3651E2",
                     vulnerable: false,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
         operator: "AND",
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:o:fujitsu:m10-4_firmware:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "433EEE1B-134C-48F9-8688-23C5F1ABBF0F",
                     versionEndExcluding: "xcp2361",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:o:fujitsu:m10-4_firmware:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "8B56D4BF-9328-4998-95F3-D23BD1349280",
                     versionEndExcluding: "xcp3070",
                     versionStartIncluding: "xcp3000",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:h:fujitsu:m10-4:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "5825AEE1-B668-40BD-86A9-2799430C742C",
                     vulnerable: false,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
         operator: "AND",
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:o:fujitsu:m10-4s_firmware:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "47FFEE5C-5DAE-4FAD-9651-7983DE092120",
                     versionEndExcluding: "xcp2361",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:o:fujitsu:m10-4s_firmware:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "62AAD1D8-D312-452A-80E7-97FA3238C95F",
                     versionEndExcluding: "xcp3070",
                     versionStartIncluding: "xcp3000",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:h:fujitsu:m10-4s:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "3DA2D526-BDCF-4A65-914A-B3BA3A0CD613",
                     vulnerable: false,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
         operator: "AND",
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:o:fujitsu:m12-1_firmware:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "2FD8BD3B-C35B-4C44-B5A1-FA4646ACB374",
                     versionEndExcluding: "xcp2361",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:o:fujitsu:m12-1_firmware:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "F429B6AB-44E3-412F-AAE6-33B6F1150262",
                     versionEndExcluding: "xcp3070",
                     versionStartIncluding: "xcp3000",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:h:fujitsu:m12-1:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "EE0CF40B-E5BD-4558-9321-184D58EF621D",
                     vulnerable: false,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
         operator: "AND",
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:o:fujitsu:m12-2_firmware:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "66D6EF49-7094-41D9-BDF5-AE5846E37418",
                     versionEndExcluding: "xcp2361",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:o:fujitsu:m12-2_firmware:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "78152A31-DB06-4F13-94EA-D3C94B240EE0",
                     versionEndExcluding: "xcp3070",
                     versionStartIncluding: "xcp3000",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:h:fujitsu:m12-2:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "0F3C9C09-7B2B-4DB6-8BE0-35302ED35776",
                     vulnerable: false,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
         operator: "AND",
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:o:fujitsu:m12-2s_firmware:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "6593DA00-EE33-4223-BEAE-8DC629E79287",
                     versionEndExcluding: "xcp2361",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:o:fujitsu:m12-2s_firmware:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "EB1FF50C-D9D0-4DF0-90F8-9259BD7B315B",
                     versionEndExcluding: "xcp3070",
                     versionStartIncluding: "xcp3000",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:h:fujitsu:m12-2s:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "95503CE5-1D06-4092-A60D-D310AADCAFB1",
                     vulnerable: false,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
         operator: "AND",
      },
   ],
   cveTags: [],
   descriptions: [
      {
         lang: "en",
         value: "A denial of service flaw was found in OpenSSL 0.9.8, 1.0.1, 1.0.2 through 1.0.2h, and 1.1.0 in the way the TLS/SSL protocol defined processing of ALERT packets during a connection handshake. A remote attacker could use this flaw to make a TLS/SSL server consume an excessive amount of CPU and fail to accept connections from other clients.",
      },
      {
         lang: "es",
         value: "Se ha encontrado un fallo de denegación de servicio en OpenSSL en las versiones 0.9.8, 1.0.1, 1.0.2 hasta la 1.0.2h y la 1.1.0 en la forma en la que el protocolo TLS/SSL definió el procesamiento de paquetes ALERT durante una negociación de conexión. Un atacante remoto podría emplear este fallo para hacer que un servidor TLS/SSL consuma una cantidad excesiva de recursos de CPU y fracase a la hora de aceptar conexiones de otros clientes.",
      },
   ],
   id: "CVE-2016-8610",
   lastModified: "2025-04-20T01:37:25.860",
   metrics: {
      cvssMetricV2: [
         {
            acInsufInfo: false,
            baseSeverity: "MEDIUM",
            cvssData: {
               accessComplexity: "LOW",
               accessVector: "NETWORK",
               authentication: "NONE",
               availabilityImpact: "PARTIAL",
               baseScore: 5,
               confidentialityImpact: "NONE",
               integrityImpact: "NONE",
               vectorString: "AV:N/AC:L/Au:N/C:N/I:N/A:P",
               version: "2.0",
            },
            exploitabilityScore: 10,
            impactScore: 2.9,
            obtainAllPrivilege: false,
            obtainOtherPrivilege: false,
            obtainUserPrivilege: false,
            source: "nvd@nist.gov",
            type: "Primary",
            userInteractionRequired: false,
         },
      ],
      cvssMetricV31: [
         {
            cvssData: {
               attackComplexity: "LOW",
               attackVector: "NETWORK",
               availabilityImpact: "HIGH",
               baseScore: 7.5,
               baseSeverity: "HIGH",
               confidentialityImpact: "NONE",
               integrityImpact: "NONE",
               privilegesRequired: "NONE",
               scope: "UNCHANGED",
               userInteraction: "NONE",
               vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
               version: "3.1",
            },
            exploitabilityScore: 3.9,
            impactScore: 3.6,
            source: "nvd@nist.gov",
            type: "Primary",
         },
      ],
   },
   published: "2017-11-13T22:29:00.203",
   references: [
      {
         source: "secalert@redhat.com",
         tags: [
            "Third Party Advisory",
         ],
         url: "http://rhn.redhat.com/errata/RHSA-2017-0286.html",
      },
      {
         source: "secalert@redhat.com",
         tags: [
            "Third Party Advisory",
         ],
         url: "http://rhn.redhat.com/errata/RHSA-2017-0574.html",
      },
      {
         source: "secalert@redhat.com",
         tags: [
            "Third Party Advisory",
         ],
         url: "http://rhn.redhat.com/errata/RHSA-2017-1415.html",
      },
      {
         source: "secalert@redhat.com",
         tags: [
            "Third Party Advisory",
         ],
         url: "http://rhn.redhat.com/errata/RHSA-2017-1659.html",
      },
      {
         source: "secalert@redhat.com",
         tags: [
            "Mailing List",
            "Third Party Advisory",
         ],
         url: "http://seclists.org/oss-sec/2016/q4/224",
      },
      {
         source: "secalert@redhat.com",
         tags: [
            "Third Party Advisory",
            "VDB Entry",
         ],
         url: "http://www.securityfocus.com/bid/93841",
      },
      {
         source: "secalert@redhat.com",
         tags: [
            "Third Party Advisory",
            "VDB Entry",
         ],
         url: "http://www.securitytracker.com/id/1037084",
      },
      {
         source: "secalert@redhat.com",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://access.redhat.com/errata/RHSA-2017:1413",
      },
      {
         source: "secalert@redhat.com",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://access.redhat.com/errata/RHSA-2017:1414",
      },
      {
         source: "secalert@redhat.com",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://access.redhat.com/errata/RHSA-2017:1658",
      },
      {
         source: "secalert@redhat.com",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://access.redhat.com/errata/RHSA-2017:1801",
      },
      {
         source: "secalert@redhat.com",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://access.redhat.com/errata/RHSA-2017:1802",
      },
      {
         source: "secalert@redhat.com",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://access.redhat.com/errata/RHSA-2017:2493",
      },
      {
         source: "secalert@redhat.com",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://access.redhat.com/errata/RHSA-2017:2494",
      },
      {
         source: "secalert@redhat.com",
         tags: [
            "Issue Tracking",
            "Patch",
            "Third Party Advisory",
         ],
         url: "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-8610",
      },
      {
         source: "secalert@redhat.com",
         tags: [
            "Broken Link",
         ],
         url: "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commit%3Bh=af58be768ebb690f78530f796e92b8ae5c9a4401",
      },
      {
         source: "secalert@redhat.com",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://security.360.cn/cve/CVE-2016-8610/",
      },
      {
         source: "secalert@redhat.com",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://security.FreeBSD.org/advisories/FreeBSD-SA-16:35.openssl.asc",
      },
      {
         source: "secalert@redhat.com",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://security.netapp.com/advisory/ntap-20171130-0001/",
      },
      {
         source: "secalert@redhat.com",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://security.paloaltonetworks.com/CVE-2016-8610",
      },
      {
         source: "secalert@redhat.com",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03897en_us",
      },
      {
         source: "secalert@redhat.com",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://www.debian.org/security/2017/dsa-3773",
      },
      {
         source: "secalert@redhat.com",
         tags: [
            "Patch",
            "Third Party Advisory",
         ],
         url: "https://www.oracle.com/security-alerts/cpuapr2020.html",
      },
      {
         source: "secalert@redhat.com",
         tags: [
            "Patch",
            "Third Party Advisory",
         ],
         url: "https://www.oracle.com/security-alerts/cpujan2020.html",
      },
      {
         source: "secalert@redhat.com",
         tags: [
            "Patch",
            "Third Party Advisory",
         ],
         url: "https://www.oracle.com/security-alerts/cpujul2020.html",
      },
      {
         source: "secalert@redhat.com",
         tags: [
            "Patch",
            "Third Party Advisory",
         ],
         url: "https://www.oracle.com/security-alerts/cpuoct2020.html",
      },
      {
         source: "secalert@redhat.com",
         tags: [
            "Patch",
            "Third Party Advisory",
         ],
         url: "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html",
      },
      {
         source: "secalert@redhat.com",
         tags: [
            "Patch",
            "Third Party Advisory",
         ],
         url: "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Third Party Advisory",
         ],
         url: "http://rhn.redhat.com/errata/RHSA-2017-0286.html",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Third Party Advisory",
         ],
         url: "http://rhn.redhat.com/errata/RHSA-2017-0574.html",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Third Party Advisory",
         ],
         url: "http://rhn.redhat.com/errata/RHSA-2017-1415.html",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Third Party Advisory",
         ],
         url: "http://rhn.redhat.com/errata/RHSA-2017-1659.html",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Mailing List",
            "Third Party Advisory",
         ],
         url: "http://seclists.org/oss-sec/2016/q4/224",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Third Party Advisory",
            "VDB Entry",
         ],
         url: "http://www.securityfocus.com/bid/93841",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Third Party Advisory",
            "VDB Entry",
         ],
         url: "http://www.securitytracker.com/id/1037084",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://access.redhat.com/errata/RHSA-2017:1413",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://access.redhat.com/errata/RHSA-2017:1414",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://access.redhat.com/errata/RHSA-2017:1658",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://access.redhat.com/errata/RHSA-2017:1801",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://access.redhat.com/errata/RHSA-2017:1802",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://access.redhat.com/errata/RHSA-2017:2493",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://access.redhat.com/errata/RHSA-2017:2494",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Issue Tracking",
            "Patch",
            "Third Party Advisory",
         ],
         url: "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-8610",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Broken Link",
         ],
         url: "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commit%3Bh=af58be768ebb690f78530f796e92b8ae5c9a4401",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://security.360.cn/cve/CVE-2016-8610/",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://security.FreeBSD.org/advisories/FreeBSD-SA-16:35.openssl.asc",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://security.netapp.com/advisory/ntap-20171130-0001/",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://security.paloaltonetworks.com/CVE-2016-8610",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03897en_us",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://www.debian.org/security/2017/dsa-3773",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Patch",
            "Third Party Advisory",
         ],
         url: "https://www.oracle.com/security-alerts/cpuapr2020.html",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Patch",
            "Third Party Advisory",
         ],
         url: "https://www.oracle.com/security-alerts/cpujan2020.html",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Patch",
            "Third Party Advisory",
         ],
         url: "https://www.oracle.com/security-alerts/cpujul2020.html",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Patch",
            "Third Party Advisory",
         ],
         url: "https://www.oracle.com/security-alerts/cpuoct2020.html",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Patch",
            "Third Party Advisory",
         ],
         url: "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Patch",
            "Third Party Advisory",
         ],
         url: "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html",
      },
   ],
   sourceIdentifier: "secalert@redhat.com",
   vulnStatus: "Deferred",
   weaknesses: [
      {
         description: [
            {
               lang: "en",
               value: "CWE-400",
            },
         ],
         source: "secalert@redhat.com",
         type: "Primary",
      },
      {
         description: [
            {
               lang: "en",
               value: "CWE-400",
            },
         ],
         source: "nvd@nist.gov",
         type: "Secondary",
      },
   ],
}

Vulnerability from fkie_nvd
Published
2018-12-07 21:29
Modified
2024-11-21 03:55
Summary
Perl before 5.26.3 has a buffer over-read via a crafted regular expression that triggers disclosure of sensitive information from process memory.
References
cve@mitre.org | http://seclists.org/fulldisclosure/2019/Mar/49 | Third Party Advisory
cve@mitre.org | http://www.securitytracker.com/id/1042181 | Third Party Advisory, VDB Entry
cve@mitre.org | https://access.redhat.com/errata/RHSA-2019:0001 | Third Party Advisory
cve@mitre.org | https://access.redhat.com/errata/RHSA-2019:0010 | Third Party Advisory
cve@mitre.org | https://bugzilla.redhat.com/show_bug.cgi?id=1646738 | Issue Tracking, Patch, Third Party Advisory
cve@mitre.org | https://github.com/Perl/perl5/commit/43b2f4ef399e2fd7240b4eeb0658686ad95f8e62 | Patch, Third Party Advisory
cve@mitre.org | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RWQGEB543QN7SSBRKYJM6PSOC3RLYGSM/
cve@mitre.org | https://metacpan.org/changes/release/SHAY/perl-5.26.3 | Third Party Advisory
cve@mitre.org | https://rt.perl.org/Ticket/Display.html?id=133192 | Exploit, Third Party Advisory
cve@mitre.org | https://seclists.org/bugtraq/2019/Mar/42 | Mailing List, Third Party Advisory
cve@mitre.org | https://security.gentoo.org/glsa/201909-01
cve@mitre.org | https://security.netapp.com/advisory/ntap-20190221-0003/ | Third Party Advisory
cve@mitre.org | https://support.apple.com/kb/HT209600 | Third Party Advisory
cve@mitre.org | https://usn.ubuntu.com/3834-1/ | Third Party Advisory
cve@mitre.org | https://usn.ubuntu.com/3834-2/ | Third Party Advisory
cve@mitre.org | https://www.debian.org/security/2018/dsa-4347 | Third Party Advisory
cve@mitre.org | https://www.oracle.com/security-alerts/cpujul2020.html
af854a3a-2127-422b-91ae-364da2661108 | http://seclists.org/fulldisclosure/2019/Mar/49 | Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 | http://www.securitytracker.com/id/1042181 | Third Party Advisory, VDB Entry
af854a3a-2127-422b-91ae-364da2661108 | https://access.redhat.com/errata/RHSA-2019:0001 | Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 | https://access.redhat.com/errata/RHSA-2019:0010 | Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 | https://bugzilla.redhat.com/show_bug.cgi?id=1646738 | Issue Tracking, Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/Perl/perl5/commit/43b2f4ef399e2fd7240b4eeb0658686ad95f8e62 | Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RWQGEB543QN7SSBRKYJM6PSOC3RLYGSM/
af854a3a-2127-422b-91ae-364da2661108 | https://metacpan.org/changes/release/SHAY/perl-5.26.3 | Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 | https://rt.perl.org/Ticket/Display.html?id=133192 | Exploit, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 | https://seclists.org/bugtraq/2019/Mar/42 | Mailing List, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 | https://security.gentoo.org/glsa/201909-01
af854a3a-2127-422b-91ae-364da2661108 | https://security.netapp.com/advisory/ntap-20190221-0003/ | Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 | https://support.apple.com/kb/HT209600 | Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 | https://usn.ubuntu.com/3834-1/ | Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 | https://usn.ubuntu.com/3834-2/ | Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 | https://www.debian.org/security/2018/dsa-4347 | Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 | https://www.oracle.com/security-alerts/cpujul2020.html



{
   configurations: [
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:a:perl:perl:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "C0FEAD21-C9A0-40F3-8F2E-489750B07760",
                     versionEndExcluding: "5.26.3",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:esm:*:*:*",
                     matchCriteriaId: "8D305F7A-D159-4716-AB26-5E38BB5CD991",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*",
                     matchCriteriaId: "B5A6F2F3-4894-4392-8296-3B8DD2679084",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*",
                     matchCriteriaId: "F7016A2A-8365-4F1A-89A2-7A19F2BCAE5B",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*",
                     matchCriteriaId: "23A7C53F-B80F-4E6A-AFA9-58EEA84BE11D",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:o:canonical:ubuntu_linux:18.10:*:*:*:*:*:*:*",
                     matchCriteriaId: "07C312A0-CD2C-4B9C-B064-6409B25C278F",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*",
                     matchCriteriaId: "DEECE5FC-CACF-4496-A3E7-164736409252",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:o:redhat:enterprise_linux:6.0:*:*:*:*:*:*:*",
                     matchCriteriaId: "2F6AB192-9D7D-4A9A-8995-E53A9DE9EAFC",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*",
                     matchCriteriaId: "142AD0DD-4CF3-4D74-9442-459CE3347E3A",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:o:redhat:enterprise_linux:7.4:*:*:*:*:*:*:*",
                     matchCriteriaId: "041F9200-4C01-4187-AE34-240E8277B54D",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:o:redhat:enterprise_linux:7.5:*:*:*:*:*:*:*",
                     matchCriteriaId: "4EB48767-F095-444F-9E05-D9AC345AB803",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:o:redhat:enterprise_linux:7.6:*:*:*:*:*:*:*",
                     matchCriteriaId: "5F6FA12B-504C-4DBF-A32E-0548557AA2ED",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:a:netapp:e-series_santricity_os_controller:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "9C82200F-A26E-4AD4-82FF-DC5601A28D52",
                     versionEndIncluding: "11.40",
                     versionStartIncluding: "11.0",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:netapp:snap_creator_framework:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "9F4754FB-E3EB-454A-AB1A-AE3835C5350C",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:netapp:snapcenter:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "BDFB1169-41A0-4A86-8E4F-FDA9730B1E94",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:netapp:snapdrive:-:*:*:*:*:unix:*:*",
                     matchCriteriaId: "61D7EF01-F618-497F-9375-8003CEA3D380",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:o:apple:mac_os_x:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "09CDBB72-2A0D-4321-BA1F-4FB326A5646A",
                     versionEndExcluding: "10.14.4",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
   ],
   cveTags: [],
   descriptions: [
      {
         lang: "en",
         value: "Perl before 5.26.3 has a buffer over-read via a crafted regular expression that triggers disclosure of sensitive information from process memory.",
      },
      {
         lang: "es",
         value: "Perl, en versiones anteriores a la 5.26.3, tiene una sobrelectura de búfer mediante una expresión regular manipulada que desencadena la divulgación de información sensible de la memoria del proceso.",
      },
   ],
   id: "CVE-2018-18313",
   lastModified: "2024-11-21T03:55:41.177",
   metrics: {
      cvssMetricV2: [
         {
            acInsufInfo: false,
            baseSeverity: "MEDIUM",
            cvssData: {
               accessComplexity: "LOW",
               accessVector: "NETWORK",
               authentication: "NONE",
               availabilityImpact: "PARTIAL",
               baseScore: 6.4,
               confidentialityImpact: "PARTIAL",
               integrityImpact: "NONE",
               vectorString: "AV:N/AC:L/Au:N/C:P/I:N/A:P",
               version: "2.0",
            },
            exploitabilityScore: 10,
            impactScore: 4.9,
            obtainAllPrivilege: false,
            obtainOtherPrivilege: false,
            obtainUserPrivilege: false,
            source: "nvd@nist.gov",
            type: "Primary",
            userInteractionRequired: false,
         },
      ],
      cvssMetricV30: [
         {
            cvssData: {
               attackComplexity: "LOW",
               attackVector: "NETWORK",
               availabilityImpact: "HIGH",
               baseScore: 9.1,
               baseSeverity: "CRITICAL",
               confidentialityImpact: "HIGH",
               integrityImpact: "NONE",
               privilegesRequired: "NONE",
               scope: "UNCHANGED",
               userInteraction: "NONE",
               vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H",
               version: "3.0",
            },
            exploitabilityScore: 3.9,
            impactScore: 5.2,
            source: "nvd@nist.gov",
            type: "Primary",
         },
      ],
   },
   published: "2018-12-07T21:29:00.717",
   references: [
      {
         source: "cve@mitre.org",
         tags: [
            "Third Party Advisory",
         ],
         url: "http://seclists.org/fulldisclosure/2019/Mar/49",
      },
      {
         source: "cve@mitre.org",
         tags: [
            "Third Party Advisory",
            "VDB Entry",
         ],
         url: "http://www.securitytracker.com/id/1042181",
      },
      {
         source: "cve@mitre.org",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://access.redhat.com/errata/RHSA-2019:0001",
      },
      {
         source: "cve@mitre.org",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://access.redhat.com/errata/RHSA-2019:0010",
      },
      {
         source: "cve@mitre.org",
         tags: [
            "Issue Tracking",
            "Patch",
            "Third Party Advisory",
         ],
         url: "https://bugzilla.redhat.com/show_bug.cgi?id=1646738",
      },
      {
         source: "cve@mitre.org",
         tags: [
            "Patch",
            "Third Party Advisory",
         ],
         url: "https://github.com/Perl/perl5/commit/43b2f4ef399e2fd7240b4eeb0658686ad95f8e62",
      },
      {
         source: "cve@mitre.org",
         url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RWQGEB543QN7SSBRKYJM6PSOC3RLYGSM/",
      },
      {
         source: "cve@mitre.org",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://metacpan.org/changes/release/SHAY/perl-5.26.3",
      },
      {
         source: "cve@mitre.org",
         tags: [
            "Exploit",
            "Third Party Advisory",
         ],
         url: "https://rt.perl.org/Ticket/Display.html?id=133192",
      },
      {
         source: "cve@mitre.org",
         tags: [
            "Mailing List",
            "Third Party Advisory",
         ],
         url: "https://seclists.org/bugtraq/2019/Mar/42",
      },
      {
         source: "cve@mitre.org",
         url: "https://security.gentoo.org/glsa/201909-01",
      },
      {
         source: "cve@mitre.org",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://security.netapp.com/advisory/ntap-20190221-0003/",
      },
      {
         source: "cve@mitre.org",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://support.apple.com/kb/HT209600",
      },
      {
         source: "cve@mitre.org",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://usn.ubuntu.com/3834-1/",
      },
      {
         source: "cve@mitre.org",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://usn.ubuntu.com/3834-2/",
      },
      {
         source: "cve@mitre.org",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://www.debian.org/security/2018/dsa-4347",
      },
      {
         source: "cve@mitre.org",
         url: "https://www.oracle.com/security-alerts/cpujul2020.html",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Third Party Advisory",
         ],
         url: "http://seclists.org/fulldisclosure/2019/Mar/49",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Third Party Advisory",
            "VDB Entry",
         ],
         url: "http://www.securitytracker.com/id/1042181",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://access.redhat.com/errata/RHSA-2019:0001",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://access.redhat.com/errata/RHSA-2019:0010",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Issue Tracking",
            "Patch",
            "Third Party Advisory",
         ],
         url: "https://bugzilla.redhat.com/show_bug.cgi?id=1646738",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Patch",
            "Third Party Advisory",
         ],
         url: "https://github.com/Perl/perl5/commit/43b2f4ef399e2fd7240b4eeb0658686ad95f8e62",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RWQGEB543QN7SSBRKYJM6PSOC3RLYGSM/",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://metacpan.org/changes/release/SHAY/perl-5.26.3",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Exploit",
            "Third Party Advisory",
         ],
         url: "https://rt.perl.org/Ticket/Display.html?id=133192",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Mailing List",
            "Third Party Advisory",
         ],
         url: "https://seclists.org/bugtraq/2019/Mar/42",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         url: "https://security.gentoo.org/glsa/201909-01",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://security.netapp.com/advisory/ntap-20190221-0003/",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://support.apple.com/kb/HT209600",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://usn.ubuntu.com/3834-1/",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://usn.ubuntu.com/3834-2/",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://www.debian.org/security/2018/dsa-4347",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         url: "https://www.oracle.com/security-alerts/cpujul2020.html",
      },
   ],
   sourceIdentifier: "cve@mitre.org",
   vulnStatus: "Modified",
   weaknesses: [
      {
         description: [
            {
               lang: "en",
               value: "CWE-125",
            },
         ],
         source: "nvd@nist.gov",
         type: "Primary",
      },
   ],
}

Vulnerability from fkie_nvd
Published
2022-02-26 05:15
Modified
2024-11-21 06:48
Summary
valid.c in libxml2 before 2.9.13 has a use-after-free of ID and IDREF attributes.
References
cve@mitre.org http://seclists.org/fulldisclosure/2022/May/33 Mailing List, Third Party Advisory
cve@mitre.org http://seclists.org/fulldisclosure/2022/May/34 Mailing List, Third Party Advisory
cve@mitre.org http://seclists.org/fulldisclosure/2022/May/35 Mailing List, Third Party Advisory
cve@mitre.org http://seclists.org/fulldisclosure/2022/May/36 Mailing List, Third Party Advisory
cve@mitre.org http://seclists.org/fulldisclosure/2022/May/37 Mailing List, Third Party Advisory
cve@mitre.org http://seclists.org/fulldisclosure/2022/May/38 Mailing List, Third Party Advisory
cve@mitre.org https://github.com/GNOME/libxml2/commit/652dd12a858989b14eed4e84e453059cd3ba340e Patch, Third Party Advisory
cve@mitre.org https://gitlab.gnome.org/GNOME/libxml2/-/blob/v2.9.13/NEWS Release Notes, Third Party Advisory
cve@mitre.org https://lists.debian.org/debian-lts-announce/2022/04/msg00004.html Mailing List, Third Party Advisory
cve@mitre.org https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LA3MWWAYZADWJ5F6JOUBX65UZAMQB7RF/
cve@mitre.org https://security.gentoo.org/glsa/202210-03 Third Party Advisory
cve@mitre.org https://security.netapp.com/advisory/ntap-20220331-0008/ Third Party Advisory
cve@mitre.org https://support.apple.com/kb/HT213253 Third Party Advisory
cve@mitre.org https://support.apple.com/kb/HT213254 Third Party Advisory
cve@mitre.org https://support.apple.com/kb/HT213255 Third Party Advisory
cve@mitre.org https://support.apple.com/kb/HT213256 Third Party Advisory
cve@mitre.org https://support.apple.com/kb/HT213257 Third Party Advisory
cve@mitre.org https://support.apple.com/kb/HT213258 Third Party Advisory
cve@mitre.org https://www.oracle.com/security-alerts/cpujul2022.html Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 http://seclists.org/fulldisclosure/2022/May/33 Mailing List, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 http://seclists.org/fulldisclosure/2022/May/34 Mailing List, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 http://seclists.org/fulldisclosure/2022/May/35 Mailing List, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 http://seclists.org/fulldisclosure/2022/May/36 Mailing List, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 http://seclists.org/fulldisclosure/2022/May/37 Mailing List, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 http://seclists.org/fulldisclosure/2022/May/38 Mailing List, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 https://github.com/GNOME/libxml2/commit/652dd12a858989b14eed4e84e453059cd3ba340e Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 https://gitlab.gnome.org/GNOME/libxml2/-/blob/v2.9.13/NEWS Release Notes, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 https://lists.debian.org/debian-lts-announce/2022/04/msg00004.html Mailing List, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LA3MWWAYZADWJ5F6JOUBX65UZAMQB7RF/
af854a3a-2127-422b-91ae-364da2661108 https://security.gentoo.org/glsa/202210-03 Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 https://security.netapp.com/advisory/ntap-20220331-0008/ Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 https://support.apple.com/kb/HT213253 Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 https://support.apple.com/kb/HT213254 Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 https://support.apple.com/kb/HT213255 Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 https://support.apple.com/kb/HT213256 Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 https://support.apple.com/kb/HT213257 Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 https://support.apple.com/kb/HT213258 Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 https://www.oracle.com/security-alerts/cpujul2022.html Patch, Third Party Advisory
Impacted products
Vendor Product Version
xmlsoft libxml2 *
fedoraproject fedora 34
debian debian_linux 9.0
apple ipados *
apple iphone_os *
apple mac_os_x *
apple mac_os_x 10.15.7
apple mac_os_x 10.15.7
apple mac_os_x 10.15.7
apple mac_os_x 10.15.7
apple mac_os_x 10.15.7
apple mac_os_x 10.15.7
apple mac_os_x 10.15.7
apple mac_os_x 10.15.7
apple mac_os_x 10.15.7
apple mac_os_x 10.15.7
apple mac_os_x 10.15.7
apple mac_os_x 10.15.7
apple macos *
apple macos *
apple tvos *
apple watchos *
netapp active_iq_unified_manager -
netapp clustered_data_ontap -
netapp clustered_data_ontap_antivirus_connector -
netapp manageability_software_development_kit -
netapp ontap_select_deploy_administration_utility -
netapp smi-s_provider -
netapp snapdrive -
netapp snapmanager -
netapp solidfire\,_enterprise_sds_\&_hci_storage_node -
netapp solidfire_\&_hci_management_node -
netapp bootstrap_os -
netapp hci_compute_node -
netapp h300s_firmware -
netapp h300s -
netapp h500s_firmware -
netapp h500s -
netapp h700s_firmware -
netapp h700s -
netapp h300e_firmware -
netapp h300e -
netapp h500e_firmware -
netapp h500e -
netapp h700e_firmware -
netapp h700e -
netapp h410s_firmware -
netapp h410s -
netapp h410c_firmware -
netapp h410c -
oracle communications_cloud_native_core_binding_support_function 22.2.0
oracle communications_cloud_native_core_network_function_cloud_native_environment 22.1.0
oracle communications_cloud_native_core_network_repository_function 22.1.2
oracle communications_cloud_native_core_network_repository_function 22.2.0
oracle communications_cloud_native_core_network_slice_selection_function 22.1.1
oracle communications_cloud_native_core_unified_data_repository 22.2.0
oracle mysql_workbench *
oracle zfs_storage_appliance_kit 8.8



{
   configurations: [
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:a:xmlsoft:libxml2:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "75F3B6C3-9C14-4576-BF39-4A1D774A0979",
                     versionEndExcluding: "2.9.13",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*",
                     matchCriteriaId: "A930E247-0B43-43CB-98FF-6CE7B8189835",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*",
                     matchCriteriaId: "DEECE5FC-CACF-4496-A3E7-164736409252",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:o:apple:ipados:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "5B3F8579-F907-4E15-A4D6-1459A6687594",
                     versionEndExcluding: "15.5",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "29151647-DA19-4B1B-B1CD-2E05A712F941",
                     versionEndExcluding: "15.5",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:o:apple:mac_os_x:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "1632ED85-FDBF-4E46-AF1A-15594CC8E946",
                     versionEndExcluding: "10.15.7",
                     versionStartIncluding: "10.15.0",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:o:apple:mac_os_x:10.15.7:*:*:*:*:*:*:*",
                     matchCriteriaId: "89161D20-EB9C-4EC0-8D82-75B27CE49264",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:o:apple:mac_os_x:10.15.7:security_update_2020-001:*:*:*:*:*:*",
                     matchCriteriaId: "F1F4BF7F-90D4-4668-B4E6-B06F4070F448",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:o:apple:mac_os_x:10.15.7:security_update_2021-001:*:*:*:*:*:*",
                     matchCriteriaId: "0F441A43-1669-478D-9EC8-E96882DE4F9F",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:o:apple:mac_os_x:10.15.7:security_update_2021-002:*:*:*:*:*:*",
                     matchCriteriaId: "D425C653-37A2-448C-BF2F-B684ADB08A26",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:o:apple:mac_os_x:10.15.7:security_update_2021-003:*:*:*:*:*:*",
                     matchCriteriaId: "A54D63B7-B92B-47C3-B1C5-9892E5873A98",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:o:apple:mac_os_x:10.15.7:security_update_2021-004:*:*:*:*:*:*",
                     matchCriteriaId: "3456176F-9185-4EE2-A8CE-3D989D674AB7",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:o:apple:mac_os_x:10.15.7:security_update_2021-005:*:*:*:*:*:*",
                     matchCriteriaId: "D337EE21-2F00-484D-9285-F2B0248D7A19",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:o:apple:mac_os_x:10.15.7:security_update_2021-006:*:*:*:*:*:*",
                     matchCriteriaId: "012052B5-9AA7-4FD3-9C80-5F615330039D",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:o:apple:mac_os_x:10.15.7:security_update_2021-007:*:*:*:*:*:*",
                     matchCriteriaId: "50F21A3C-0AC3-48C5-A4F8-5A7B478875B4",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:o:apple:mac_os_x:10.15.7:security_update_2021-008:*:*:*:*:*:*",
                     matchCriteriaId: "8E974DC6-F7D9-4389-9AF9-863F6E419CE6",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:o:apple:mac_os_x:10.15.7:security_update_2022-001:*:*:*:*:*:*",
                     matchCriteriaId: "156A6382-2BD3-4882-90B2-8E7CF6659E17",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:o:apple:mac_os_x:10.15.7:security_update_2022-003:*:*:*:*:*:*",
                     matchCriteriaId: "49F537A0-DC42-4176-B22F-C80D179DD99D",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:o:apple:macos:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "787E02EF-92F4-46E6-BB1E-0BF49C50A096",
                     versionEndExcluding: "11.6.6",
                     versionStartIncluding: "11.6.0",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:o:apple:macos:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "35154201-43EA-4C22-B0BA-D1A24C46D320",
                     versionEndExcluding: "12.4",
                     versionStartIncluding: "12.0",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:o:apple:tvos:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "4C98BE9E-8463-4CB9-8E42-A68DC0B20BD8",
                     versionEndExcluding: "15.5",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:o:apple:watchos:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "E8BAAD78-60FC-4EC3-B727-55F0C0969D6A",
                     versionEndExcluding: "8.6",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:vmware_vsphere:*:*",
                     matchCriteriaId: "3A756737-1CC4-42C2-A4DF-E1C893B4E2D5",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:netapp:clustered_data_ontap:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "1FE996B1-6951-4F85-AA58-B99A379D2163",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:netapp:clustered_data_ontap_antivirus_connector:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "62347994-1353-497C-9C4A-D5D8D95F67E8",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:netapp:manageability_software_development_kit:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "D39DCAE7-494F-40B2-867F-6C6A077939DD",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:netapp:ontap_select_deploy_administration_utility:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "E7CF3019-975D-40BB-A8A4-894E62BD3797",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:netapp:smi-s_provider:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "4BB0FDCF-3750-44C6-AC5C-0CC2AAD14093",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:netapp:snapdrive:-:*:*:*:*:unix:*:*",
                     matchCriteriaId: "61D7EF01-F618-497F-9375-8003CEA3D380",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:netapp:snapmanager:-:*:*:*:*:oracle:*:*",
                     matchCriteriaId: "26A2B713-7D6D-420A-93A4-E0D983C983DF",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:netapp:solidfire\\,_enterprise_sds_\\&_hci_storage_node:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "DAA3919C-B2B1-4CB5-BA76-7A079AAFFC52",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:netapp:solidfire_\\&_hci_management_node:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "D6D700C5-F67F-4FFB-BE69-D524592A3D2E",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:o:netapp:bootstrap_os:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "95BA156C-C977-4F0C-8DFB-3FAE9CC8C02D",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:h:netapp:hci_compute_node:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "AD7447BC-F315-4298-A822-549942FC118B",
                     vulnerable: false,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
         operator: "AND",
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:o:netapp:h300s_firmware:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "6770B6C3-732E-4E22-BF1C-2D2FD610061C",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:h:netapp:h300s:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "9F9C8C20-42EB-4AB5-BD97-212DEB070C43",
                     vulnerable: false,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
         operator: "AND",
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:o:netapp:h500s_firmware:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "7FFF7106-ED78-49BA-9EC5-B889E3685D53",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:h:netapp:h500s:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "E63D8B0F-006E-4801-BF9D-1C001BBFB4F9",
                     vulnerable: false,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
         operator: "AND",
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:o:netapp:h700s_firmware:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "56409CEC-5A1E-4450-AA42-641E459CC2AF",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:h:netapp:h700s:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "B06F4839-D16A-4A61-9BB5-55B13F41E47F",
                     vulnerable: false,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
         operator: "AND",
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:o:netapp:h300e_firmware:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "108A2215-50FB-4074-94CF-C130FA14566D",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:h:netapp:h300e:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "7AFC73CE-ABB9-42D3-9A71-3F5BC5381E0E",
                     vulnerable: false,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
         operator: "AND",
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:o:netapp:h500e_firmware:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "32F0B6C0-F930-480D-962B-3F4EFDCC13C7",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:h:netapp:h500e:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "803BC414-B250-4E3A-A478-A3881340D6B8",
                     vulnerable: false,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
         operator: "AND",
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:o:netapp:h700e_firmware:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "0FEB3337-BFDE-462A-908B-176F92053CEC",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:h:netapp:h700e:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "736AEAE9-782B-4F71-9893-DED53367E102",
                     vulnerable: false,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
         operator: "AND",
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:o:netapp:h410s_firmware:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "D0B4AD8A-F172-4558-AEC6-FF424BA2D912",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:h:netapp:h410s:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "8497A4C9-8474-4A62-8331-3FE862ED4098",
                     vulnerable: false,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
         operator: "AND",
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:o:netapp:h410c_firmware:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "234DEFE0-5CE5-4B0A-96B8-5D227CB8ED31",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:h:netapp:h410c:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "CDDF61B7-EC5C-467C-B710-B89F502CD04F",
                     vulnerable: false,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
         operator: "AND",
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:a:oracle:communications_cloud_native_core_binding_support_function:22.2.0:*:*:*:*:*:*:*",
                     matchCriteriaId: "FEA64107-8025-4DC7-8222-F898ADEC6864",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:communications_cloud_native_core_network_function_cloud_native_environment:22.1.0:*:*:*:*:*:*:*",
                     matchCriteriaId: "04E6C8E9-2024-496C-9BFD-4548A5B44E2E",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:communications_cloud_native_core_network_repository_function:22.1.2:*:*:*:*:*:*:*",
                     matchCriteriaId: "A264E0DE-209D-49B1-8B26-51AB8BBC97F1",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:communications_cloud_native_core_network_repository_function:22.2.0:*:*:*:*:*:*:*",
                     matchCriteriaId: "EBB5FF32-7362-4A1E-AD24-EF6B8770FCAD",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:communications_cloud_native_core_network_slice_selection_function:22.1.1:*:*:*:*:*:*:*",
                     matchCriteriaId: "4F4637E5-3324-441D-94E9-C2DBE9A6B502",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:communications_cloud_native_core_unified_data_repository:22.2.0:*:*:*:*:*:*:*",
                     matchCriteriaId: "74810125-09E6-4F27-B541-AFB61112AC56",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:mysql_workbench:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "76CA1C43-5BEC-4ABF-9E0A-E55D6C8311AB",
                     versionEndIncluding: "8.0.29",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:zfs_storage_appliance_kit:8.8:*:*:*:*:*:*:*",
                     matchCriteriaId: "D3E503FB-6279-4D4A-91D8-E237ECF9D2B0",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
   ],
   cveTags: [],
   descriptions: [
      {
         lang: "en",
         value: "valid.c in libxml2 before 2.9.13 has a use-after-free of ID and IDREF attributes.",
      },
      {
         lang: "es",
         value: "El archivo valid.c en libxml2 versiones anteriores a 2.9.13, presenta un uso de memoria previamente liberada de los atributos ID e IDREF.\n",
      },
   ],
   id: "CVE-2022-23308",
   lastModified: "2024-11-21T06:48:22.940",
   metrics: {
      cvssMetricV2: [
         {
            acInsufInfo: false,
            baseSeverity: "MEDIUM",
            cvssData: {
               accessComplexity: "MEDIUM",
               accessVector: "NETWORK",
               authentication: "NONE",
               availabilityImpact: "PARTIAL",
               baseScore: 4.3,
               confidentialityImpact: "NONE",
               integrityImpact: "NONE",
               vectorString: "AV:N/AC:M/Au:N/C:N/I:N/A:P",
               version: "2.0",
            },
            exploitabilityScore: 8.6,
            impactScore: 2.9,
            obtainAllPrivilege: false,
            obtainOtherPrivilege: false,
            obtainUserPrivilege: false,
            source: "nvd@nist.gov",
            type: "Primary",
            userInteractionRequired: false,
         },
      ],
      cvssMetricV31: [
         {
            cvssData: {
               attackComplexity: "LOW",
               attackVector: "NETWORK",
               availabilityImpact: "HIGH",
               baseScore: 7.5,
               baseSeverity: "HIGH",
               confidentialityImpact: "NONE",
               integrityImpact: "NONE",
               privilegesRequired: "NONE",
               scope: "UNCHANGED",
               userInteraction: "NONE",
               vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
               version: "3.1",
            },
            exploitabilityScore: 3.9,
            impactScore: 3.6,
            source: "nvd@nist.gov",
            type: "Primary",
         },
      ],
   },
   published: "2022-02-26T05:15:08.280",
   references: [
      {
         source: "cve@mitre.org",
         tags: [
            "Mailing List",
            "Third Party Advisory",
         ],
         url: "http://seclists.org/fulldisclosure/2022/May/33",
      },
      {
         source: "cve@mitre.org",
         tags: [
            "Mailing List",
            "Third Party Advisory",
         ],
         url: "http://seclists.org/fulldisclosure/2022/May/34",
      },
      {
         source: "cve@mitre.org",
         tags: [
            "Mailing List",
            "Third Party Advisory",
         ],
         url: "http://seclists.org/fulldisclosure/2022/May/35",
      },
      {
         source: "cve@mitre.org",
         tags: [
            "Mailing List",
            "Third Party Advisory",
         ],
         url: "http://seclists.org/fulldisclosure/2022/May/36",
      },
      {
         source: "cve@mitre.org",
         tags: [
            "Mailing List",
            "Third Party Advisory",
         ],
         url: "http://seclists.org/fulldisclosure/2022/May/37",
      },
      {
         source: "cve@mitre.org",
         tags: [
            "Mailing List",
            "Third Party Advisory",
         ],
         url: "http://seclists.org/fulldisclosure/2022/May/38",
      },
      {
         source: "cve@mitre.org",
         tags: [
            "Patch",
            "Third Party Advisory",
         ],
         url: "https://github.com/GNOME/libxml2/commit/652dd12a858989b14eed4e84e453059cd3ba340e",
      },
      {
         source: "cve@mitre.org",
         tags: [
            "Release Notes",
            "Third Party Advisory",
         ],
         url: "https://gitlab.gnome.org/GNOME/libxml2/-/blob/v2.9.13/NEWS",
      },
      {
         source: "cve@mitre.org",
         tags: [
            "Mailing List",
            "Third Party Advisory",
         ],
         url: "https://lists.debian.org/debian-lts-announce/2022/04/msg00004.html",
      },
      {
         source: "cve@mitre.org",
         url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LA3MWWAYZADWJ5F6JOUBX65UZAMQB7RF/",
      },
      {
         source: "cve@mitre.org",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://security.gentoo.org/glsa/202210-03",
      },
      {
         source: "cve@mitre.org",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://security.netapp.com/advisory/ntap-20220331-0008/",
      },
      {
         source: "cve@mitre.org",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://support.apple.com/kb/HT213253",
      },
      {
         source: "cve@mitre.org",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://support.apple.com/kb/HT213254",
      },
      {
         source: "cve@mitre.org",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://support.apple.com/kb/HT213255",
      },
      {
         source: "cve@mitre.org",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://support.apple.com/kb/HT213256",
      },
      {
         source: "cve@mitre.org",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://support.apple.com/kb/HT213257",
      },
      {
         source: "cve@mitre.org",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://support.apple.com/kb/HT213258",
      },
      {
         source: "cve@mitre.org",
         tags: [
            "Patch",
            "Third Party Advisory",
         ],
         url: "https://www.oracle.com/security-alerts/cpujul2022.html",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Mailing List",
            "Third Party Advisory",
         ],
         url: "http://seclists.org/fulldisclosure/2022/May/33",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Mailing List",
            "Third Party Advisory",
         ],
         url: "http://seclists.org/fulldisclosure/2022/May/34",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Mailing List",
            "Third Party Advisory",
         ],
         url: "http://seclists.org/fulldisclosure/2022/May/35",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Mailing List",
            "Third Party Advisory",
         ],
         url: "http://seclists.org/fulldisclosure/2022/May/36",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Mailing List",
            "Third Party Advisory",
         ],
         url: "http://seclists.org/fulldisclosure/2022/May/37",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Mailing List",
            "Third Party Advisory",
         ],
         url: "http://seclists.org/fulldisclosure/2022/May/38",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Patch",
            "Third Party Advisory",
         ],
         url: "https://github.com/GNOME/libxml2/commit/652dd12a858989b14eed4e84e453059cd3ba340e",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Release Notes",
            "Third Party Advisory",
         ],
         url: "https://gitlab.gnome.org/GNOME/libxml2/-/blob/v2.9.13/NEWS",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Mailing List",
            "Third Party Advisory",
         ],
         url: "https://lists.debian.org/debian-lts-announce/2022/04/msg00004.html",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LA3MWWAYZADWJ5F6JOUBX65UZAMQB7RF/",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://security.gentoo.org/glsa/202210-03",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://security.netapp.com/advisory/ntap-20220331-0008/",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://support.apple.com/kb/HT213253",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://support.apple.com/kb/HT213254",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://support.apple.com/kb/HT213255",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://support.apple.com/kb/HT213256",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://support.apple.com/kb/HT213257",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://support.apple.com/kb/HT213258",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Patch",
            "Third Party Advisory",
         ],
         url: "https://www.oracle.com/security-alerts/cpujul2022.html",
      },
   ],
   sourceIdentifier: "cve@mitre.org",
   vulnStatus: "Modified",
   weaknesses: [
      {
         description: [
            {
               lang: "en",
               value: "CWE-416",
            },
         ],
         source: "nvd@nist.gov",
         type: "Primary",
      },
   ],
}

Vulnerability from fkie_nvd
Published
2018-12-07 21:29
Modified
2024-11-21 03:55
Summary
Perl before 5.26.3 has a buffer overflow via a crafted regular expression that triggers invalid write operations.
References
cve@mitre.org | http://www.securityfocus.com/bid/106145 | Third Party Advisory, VDB Entry
cve@mitre.org | http://www.securitytracker.com/id/1042181 | Third Party Advisory, VDB Entry
cve@mitre.org | https://access.redhat.com/errata/RHSA-2019:0001 | Third Party Advisory
cve@mitre.org | https://access.redhat.com/errata/RHSA-2019:0010 | Third Party Advisory
cve@mitre.org | https://bugzilla.redhat.com/show_bug.cgi?id=1646751 | Issue Tracking, Patch, Third Party Advisory
cve@mitre.org | https://github.com/Perl/perl5/commit/19a498a461d7c81ae3507c450953d1148efecf4f | Patch, Third Party Advisory
cve@mitre.org | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RWQGEB543QN7SSBRKYJM6PSOC3RLYGSM/
cve@mitre.org | https://metacpan.org/changes/release/SHAY/perl-5.26.3 | Third Party Advisory
cve@mitre.org | https://rt.perl.org/Ticket/Display.html?id=131649 | Exploit, Patch, Third Party Advisory
cve@mitre.org | https://security.gentoo.org/glsa/201909-01
cve@mitre.org | https://security.netapp.com/advisory/ntap-20190221-0003/ | Patch, Third Party Advisory
cve@mitre.org | https://usn.ubuntu.com/3834-1/ | Third Party Advisory
cve@mitre.org | https://www.debian.org/security/2018/dsa-4347 | Third Party Advisory
cve@mitre.org | https://www.oracle.com/security-alerts/cpujul2020.html
af854a3a-2127-422b-91ae-364da2661108 | http://www.securityfocus.com/bid/106145 | Third Party Advisory, VDB Entry
af854a3a-2127-422b-91ae-364da2661108 | http://www.securitytracker.com/id/1042181 | Third Party Advisory, VDB Entry
af854a3a-2127-422b-91ae-364da2661108 | https://access.redhat.com/errata/RHSA-2019:0001 | Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 | https://access.redhat.com/errata/RHSA-2019:0010 | Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 | https://bugzilla.redhat.com/show_bug.cgi?id=1646751 | Issue Tracking, Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/Perl/perl5/commit/19a498a461d7c81ae3507c450953d1148efecf4f | Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RWQGEB543QN7SSBRKYJM6PSOC3RLYGSM/
af854a3a-2127-422b-91ae-364da2661108 | https://metacpan.org/changes/release/SHAY/perl-5.26.3 | Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 | https://rt.perl.org/Ticket/Display.html?id=131649 | Exploit, Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 | https://security.gentoo.org/glsa/201909-01
af854a3a-2127-422b-91ae-364da2661108 | https://security.netapp.com/advisory/ntap-20190221-0003/ | Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 | https://usn.ubuntu.com/3834-1/ | Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 | https://www.debian.org/security/2018/dsa-4347 | Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 | https://www.oracle.com/security-alerts/cpujul2020.html



{
   configurations: [
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:a:perl:perl:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "C0FEAD21-C9A0-40F3-8F2E-489750B07760",
                     versionEndExcluding: "5.26.3",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*",
                     matchCriteriaId: "B5A6F2F3-4894-4392-8296-3B8DD2679084",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*",
                     matchCriteriaId: "F7016A2A-8365-4F1A-89A2-7A19F2BCAE5B",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*",
                     matchCriteriaId: "23A7C53F-B80F-4E6A-AFA9-58EEA84BE11D",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:o:canonical:ubuntu_linux:18.10:*:*:*:*:*:*:*",
                     matchCriteriaId: "07C312A0-CD2C-4B9C-B064-6409B25C278F",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*",
                     matchCriteriaId: "DEECE5FC-CACF-4496-A3E7-164736409252",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:a:netapp:e-series_santricity_os_controller:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "9C82200F-A26E-4AD4-82FF-DC5601A28D52",
                     versionEndIncluding: "11.40",
                     versionStartIncluding: "11.0",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:netapp:snap_creator_framework:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "9F4754FB-E3EB-454A-AB1A-AE3835C5350C",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:netapp:snapcenter:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "BDFB1169-41A0-4A86-8E4F-FDA9730B1E94",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:netapp:snapdrive:-:*:*:*:*:unix:*:*",
                     matchCriteriaId: "61D7EF01-F618-497F-9375-8003CEA3D380",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:o:redhat:enterprise_linux:6.0:*:*:*:*:*:*:*",
                     matchCriteriaId: "2F6AB192-9D7D-4A9A-8995-E53A9DE9EAFC",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*",
                     matchCriteriaId: "142AD0DD-4CF3-4D74-9442-459CE3347E3A",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:o:redhat:enterprise_linux:7.4:*:*:*:*:*:*:*",
                     matchCriteriaId: "041F9200-4C01-4187-AE34-240E8277B54D",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:o:redhat:enterprise_linux:7.5:*:*:*:*:*:*:*",
                     matchCriteriaId: "4EB48767-F095-444F-9E05-D9AC345AB803",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:o:redhat:enterprise_linux:7.6:*:*:*:*:*:*:*",
                     matchCriteriaId: "5F6FA12B-504C-4DBF-A32E-0548557AA2ED",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
   ],
   cveTags: [],
   descriptions: [
      {
         lang: "en",
         value: "Perl before 5.26.3 has a buffer overflow via a crafted regular expression that triggers invalid write operations.",
      },
      {
         lang: "es",
         value: "Perl, en versiones anteriores a la 5.26.3, tiene un desbordamiento de búfer mediante una expresión regular manipulada que desencadena operaciones inválidas de escritura.",
      },
   ],
   id: "CVE-2018-18314",
   lastModified: "2024-11-21T03:55:41.367",
   metrics: {
      cvssMetricV2: [
         {
            acInsufInfo: false,
            baseSeverity: "HIGH",
            cvssData: {
               accessComplexity: "LOW",
               accessVector: "NETWORK",
               authentication: "NONE",
               availabilityImpact: "PARTIAL",
               baseScore: 7.5,
               confidentialityImpact: "PARTIAL",
               integrityImpact: "PARTIAL",
               vectorString: "AV:N/AC:L/Au:N/C:P/I:P/A:P",
               version: "2.0",
            },
            exploitabilityScore: 10,
            impactScore: 6.4,
            obtainAllPrivilege: false,
            obtainOtherPrivilege: false,
            obtainUserPrivilege: false,
            source: "nvd@nist.gov",
            type: "Primary",
            userInteractionRequired: false,
         },
      ],
      cvssMetricV30: [
         {
            cvssData: {
               attackComplexity: "LOW",
               attackVector: "NETWORK",
               availabilityImpact: "HIGH",
               baseScore: 9.8,
               baseSeverity: "CRITICAL",
               confidentialityImpact: "HIGH",
               integrityImpact: "HIGH",
               privilegesRequired: "NONE",
               scope: "UNCHANGED",
               userInteraction: "NONE",
               vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
               version: "3.0",
            },
            exploitabilityScore: 3.9,
            impactScore: 5.9,
            source: "nvd@nist.gov",
            type: "Primary",
         },
      ],
   },
   published: "2018-12-07T21:29:00.920",
   references: [
      {
         source: "cve@mitre.org",
         tags: [
            "Third Party Advisory",
            "VDB Entry",
         ],
         url: "http://www.securityfocus.com/bid/106145",
      },
      {
         source: "cve@mitre.org",
         tags: [
            "Third Party Advisory",
            "VDB Entry",
         ],
         url: "http://www.securitytracker.com/id/1042181",
      },
      {
         source: "cve@mitre.org",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://access.redhat.com/errata/RHSA-2019:0001",
      },
      {
         source: "cve@mitre.org",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://access.redhat.com/errata/RHSA-2019:0010",
      },
      {
         source: "cve@mitre.org",
         tags: [
            "Issue Tracking",
            "Patch",
            "Third Party Advisory",
         ],
         url: "https://bugzilla.redhat.com/show_bug.cgi?id=1646751",
      },
      {
         source: "cve@mitre.org",
         tags: [
            "Patch",
            "Third Party Advisory",
         ],
         url: "https://github.com/Perl/perl5/commit/19a498a461d7c81ae3507c450953d1148efecf4f",
      },
      {
         source: "cve@mitre.org",
         url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RWQGEB543QN7SSBRKYJM6PSOC3RLYGSM/",
      },
      {
         source: "cve@mitre.org",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://metacpan.org/changes/release/SHAY/perl-5.26.3",
      },
      {
         source: "cve@mitre.org",
         tags: [
            "Exploit",
            "Patch",
            "Third Party Advisory",
         ],
         url: "https://rt.perl.org/Ticket/Display.html?id=131649",
      },
      {
         source: "cve@mitre.org",
         url: "https://security.gentoo.org/glsa/201909-01",
      },
      {
         source: "cve@mitre.org",
         tags: [
            "Patch",
            "Third Party Advisory",
         ],
         url: "https://security.netapp.com/advisory/ntap-20190221-0003/",
      },
      {
         source: "cve@mitre.org",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://usn.ubuntu.com/3834-1/",
      },
      {
         source: "cve@mitre.org",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://www.debian.org/security/2018/dsa-4347",
      },
      {
         source: "cve@mitre.org",
         url: "https://www.oracle.com/security-alerts/cpujul2020.html",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Third Party Advisory",
            "VDB Entry",
         ],
         url: "http://www.securityfocus.com/bid/106145",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Third Party Advisory",
            "VDB Entry",
         ],
         url: "http://www.securitytracker.com/id/1042181",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://access.redhat.com/errata/RHSA-2019:0001",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://access.redhat.com/errata/RHSA-2019:0010",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Issue Tracking",
            "Patch",
            "Third Party Advisory",
         ],
         url: "https://bugzilla.redhat.com/show_bug.cgi?id=1646751",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Patch",
            "Third Party Advisory",
         ],
         url: "https://github.com/Perl/perl5/commit/19a498a461d7c81ae3507c450953d1148efecf4f",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RWQGEB543QN7SSBRKYJM6PSOC3RLYGSM/",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://metacpan.org/changes/release/SHAY/perl-5.26.3",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Exploit",
            "Patch",
            "Third Party Advisory",
         ],
         url: "https://rt.perl.org/Ticket/Display.html?id=131649",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         url: "https://security.gentoo.org/glsa/201909-01",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Patch",
            "Third Party Advisory",
         ],
         url: "https://security.netapp.com/advisory/ntap-20190221-0003/",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://usn.ubuntu.com/3834-1/",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://www.debian.org/security/2018/dsa-4347",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         url: "https://www.oracle.com/security-alerts/cpujul2020.html",
      },
   ],
   sourceIdentifier: "cve@mitre.org",
   vulnStatus: "Modified",
   weaknesses: [
      {
         description: [
            {
               lang: "en",
               value: "CWE-119",
            },
         ],
         source: "nvd@nist.gov",
         type: "Primary",
      },
   ],
}

Vulnerability from fkie_nvd
Published
2017-02-07 17:59
Modified
2025-04-20 01:37
Summary
NetApp SnapDrive for Windows before 7.0.2P4, 7.0.3, and 7.1 before 7.1.3P1 allows remote attackers to obtain sensitive information via unspecified vectors.
Impacted products
Vendor Product Version
netapp snapdrive *



{
   configurations: [
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:a:netapp:snapdrive:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "91AC6C78-FB2C-41AD-B98A-49D5666FFB51",
                     versionEndIncluding: "7.1.3",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
   ],
   cveTags: [],
   descriptions: [
      {
         lang: "en",
         value: "NetApp SnapDrive for Windows before 7.0.2P4, 7.0.3, and 7.1 before 7.1.3P1 allows remote attackers to obtain sensitive information via unspecified vectors.",
      },
      {
         lang: "es",
         value: "NetApp SnapDrive para Windows en versiones anteriores a 7.0.2P4, 7.0.3 y 7.1 en versiones anteriores a 7.1.3P1 permite a atacantes remotos obtener información sensible a través de vectores no especificados.",
      },
   ],
   id: "CVE-2015-8544",
   lastModified: "2025-04-20T01:37:25.860",
   metrics: {
      cvssMetricV2: [
         {
            acInsufInfo: true,
            baseSeverity: "MEDIUM",
            cvssData: {
               accessComplexity: "LOW",
               accessVector: "NETWORK",
               authentication: "NONE",
               availabilityImpact: "NONE",
               baseScore: 5,
               confidentialityImpact: "PARTIAL",
               integrityImpact: "NONE",
               vectorString: "AV:N/AC:L/Au:N/C:P/I:N/A:N",
               version: "2.0",
            },
            exploitabilityScore: 10,
            impactScore: 2.9,
            obtainAllPrivilege: false,
            obtainOtherPrivilege: false,
            obtainUserPrivilege: false,
            source: "nvd@nist.gov",
            type: "Primary",
            userInteractionRequired: false,
         },
      ],
      cvssMetricV30: [
         {
            cvssData: {
               attackComplexity: "LOW",
               attackVector: "NETWORK",
               availabilityImpact: "NONE",
               baseScore: 7.5,
               baseSeverity: "HIGH",
               confidentialityImpact: "HIGH",
               integrityImpact: "NONE",
               privilegesRequired: "NONE",
               scope: "UNCHANGED",
               userInteraction: "NONE",
               vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
               version: "3.0",
            },
            exploitabilityScore: 3.9,
            impactScore: 3.6,
            source: "nvd@nist.gov",
            type: "Primary",
         },
      ],
   },
   published: "2017-02-07T17:59:00.210",
   references: [
      {
         source: "cve@mitre.org",
         tags: [
            "Vendor Advisory",
         ],
         url: "https://kb.netapp.com/support/s/article/cve-2015-8544-sensitive-information-disclosure-in-snapdrive-for-windows",
      },
      {
         source: "cve@mitre.org",
         url: "https://security.netapp.com/advisory/ntap-20160111-0001/",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Vendor Advisory",
         ],
         url: "https://kb.netapp.com/support/s/article/cve-2015-8544-sensitive-information-disclosure-in-snapdrive-for-windows",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         url: "https://security.netapp.com/advisory/ntap-20160111-0001/",
      },
   ],
   sourceIdentifier: "cve@mitre.org",
   vulnStatus: "Deferred",
   weaknesses: [
      {
         description: [
            {
               lang: "en",
               value: "CWE-200",
            },
         ],
         source: "nvd@nist.gov",
         type: "Primary",
      },
   ],
}

Vulnerability from fkie_nvd
Published
2016-09-21 02:59
Modified
2025-04-12 10:46
Summary
The TLS protocol 1.2 and earlier supports the rsa_fixed_dh, dss_fixed_dh, rsa_fixed_ecdh, and ecdsa_fixed_ecdh values for ClientCertificateType but does not directly document the ability to compute the master secret in certain situations with a client secret key and server public key but not a server secret key, which makes it easier for man-in-the-middle attackers to spoof TLS servers by leveraging knowledge of the secret key for an arbitrary installed client X.509 certificate, aka the "Key Compromise Impersonation (KCI)" issue.



{
   configurations: [
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:a:ietf:transport_layer_security:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "B20CCEB2-5534-4263-ACEA-C0A928CB6414",
                     versionEndIncluding: "1.2",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:a:apple:safari:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "AFDA34B4-65B4-41A5-AC22-667C8D8FF4B7",
                     vulnerable: false,
                  },
                  {
                     criteria: "cpe:2.3:a:google:chrome:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "39B565E1-C2F1-44FC-A517-E3130332B17C",
                     vulnerable: false,
                  },
                  {
                     criteria: "cpe:2.3:a:microsoft:internet_explorer:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "C37BA825-679F-4257-9F2B-CE2318B75396",
                     vulnerable: false,
                  },
                  {
                     criteria: "cpe:2.3:a:mozilla:firefox:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "97D4FFCF-5309-43B6-9FD5-680C6D535A7F",
                     vulnerable: false,
                  },
                  {
                     criteria: "cpe:2.3:a:opera:opera_browser:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "4545786D-3129-4D92-B218-F4A92428ED48",
                     vulnerable: false,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
         operator: "AND",
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:a:netapp:clustered_data_ontap_antivirus_connector:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "62347994-1353-497C-9C4A-D5D8D95F67E8",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:netapp:data_ontap_edge:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "E0C4B1E5-75BF-43AE-BBAC-0DD4124C71ED",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:netapp:host_agent:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "546855F3-654C-48F0-B3A0-FF1ABBF04007",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:netapp:oncommand_shift:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "3BD81527-A341-42C3-9AB9-880D3DB04B08",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:netapp:plug-in_for_symantec_netbackup:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "FFE0A9D2-9A49-4BF6-BC6F-8249162D8334",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:netapp:smi-s_provider:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "4BB0FDCF-3750-44C6-AC5C-0CC2AAD14093",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:netapp:snap_creator_framework:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "9F4754FB-E3EB-454A-AB1A-AE3835C5350C",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:netapp:snapdrive:-:*:*:*:*:unix:*:*",
                     matchCriteriaId: "61D7EF01-F618-497F-9375-8003CEA3D380",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:netapp:snapdrive:-:*:*:*:*:windows:*:*",
                     matchCriteriaId: "BEDE62C6-D571-4AF8-B85E-CBBCE4AF98B5",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:netapp:snapmanager:-:*:*:*:*:oracle:*:*",
                     matchCriteriaId: "26A2B713-7D6D-420A-93A4-E0D983C983DF",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:netapp:snapmanager:-:*:*:*:*:sap:*:*",
                     matchCriteriaId: "64DE38C8-94F1-4860-B045-F33928F676A8",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:netapp:snapprotect:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "F74F467A-0C81-40D9-BA06-40FB8EF02C04",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:netapp:solidfire_\\&_hci_management_node:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "D6D700C5-F67F-4FFB-BE69-D524592A3D2E",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:netapp:system_setup:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "459CF8B6-B815-42EA-A286-6E737529D9AC",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
   ],
   cveTags: [],
   descriptions: [
      {
         lang: "en",
         value: "The TLS protocol 1.2 and earlier supports the rsa_fixed_dh, dss_fixed_dh, rsa_fixed_ecdh, and ecdsa_fixed_ecdh values for ClientCertificateType but does not directly document the ability to compute the master secret in certain situations with a client secret key and server public key but not a server secret key, which makes it easier for man-in-the-middle attackers to spoof TLS servers by leveraging knowledge of the secret key for an arbitrary installed client X.509 certificate, aka the \"Key Compromise Impersonation (KCI)\" issue.",
      },
      {
         lang: "es",
         value: "El protocolo TLS 1.2 y versiones anteriores soporta los valores rsa_fixed_dh, dss_fixed_dh, rsa_fixed_ecdh y ecdsa_fixed_ecdh para ClientCertificateType pero no documenta directamente la habilidad para computar el secreto maestro en determinadas situaciones con una clave de cliente secreta y una clave pública de servidor pero no una clave secreta de servidor, lo que facilita a atacantes man-in-the-middle suplantar servidores TLS aprovechando el conocimiento de la clave secreta para un certificado cliente X.509 arbitrariamente instalado, también conocido como problema \"Key Compromise Impersonation (KCI)\".",
      },
   ],
   id: "CVE-2015-8960",
   lastModified: "2025-04-12T10:46:40.837",
   metrics: {
      cvssMetricV2: [
         {
            acInsufInfo: false,
            baseSeverity: "MEDIUM",
            cvssData: {
               accessComplexity: "MEDIUM",
               accessVector: "NETWORK",
               authentication: "NONE",
               availabilityImpact: "PARTIAL",
               baseScore: 6.8,
               confidentialityImpact: "PARTIAL",
               integrityImpact: "PARTIAL",
               vectorString: "AV:N/AC:M/Au:N/C:P/I:P/A:P",
               version: "2.0",
            },
            exploitabilityScore: 8.6,
            impactScore: 6.4,
            obtainAllPrivilege: false,
            obtainOtherPrivilege: false,
            obtainUserPrivilege: false,
            source: "nvd@nist.gov",
            type: "Primary",
            userInteractionRequired: false,
         },
      ],
      cvssMetricV31: [
         {
            cvssData: {
               attackComplexity: "HIGH",
               attackVector: "NETWORK",
               availabilityImpact: "HIGH",
               baseScore: 8.1,
               baseSeverity: "HIGH",
               confidentialityImpact: "HIGH",
               integrityImpact: "HIGH",
               privilegesRequired: "NONE",
               scope: "UNCHANGED",
               userInteraction: "NONE",
               vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
               version: "3.1",
            },
            exploitabilityScore: 2.2,
            impactScore: 5.9,
            source: "nvd@nist.gov",
            type: "Primary",
         },
      ],
   },
   published: "2016-09-21T02:59:00.133",
   references: [
      {
         source: "secalert@redhat.com",
         tags: [
            "Press/Media Coverage",
            "Technical Description",
            "Third Party Advisory",
         ],
         url: "http://twitter.com/matthew_d_green/statuses/630908726950674433",
      },
      {
         source: "secalert@redhat.com",
         tags: [
            "Mailing List",
            "Technical Description",
            "Third Party Advisory",
         ],
         url: "http://www.openwall.com/lists/oss-security/2016/09/20/4",
      },
      {
         source: "secalert@redhat.com",
         tags: [
            "Broken Link",
            "Third Party Advisory",
            "VDB Entry",
         ],
         url: "http://www.securityfocus.com/bid/93071",
      },
      {
         source: "secalert@redhat.com",
         tags: [
            "Exploit",
            "Technical Description",
         ],
         url: "https://kcitls.org",
      },
      {
         source: "secalert@redhat.com",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://security.netapp.com/advisory/ntap-20180626-0002/",
      },
      {
         source: "secalert@redhat.com",
         tags: [
            "Exploit",
            "Mitigation",
            "Technical Description",
         ],
         url: "https://www.usenix.org/system/files/conference/woot15/woot15-paper-hlauschek.pdf",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Press/Media Coverage",
            "Technical Description",
            "Third Party Advisory",
         ],
         url: "http://twitter.com/matthew_d_green/statuses/630908726950674433",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Mailing List",
            "Technical Description",
            "Third Party Advisory",
         ],
         url: "http://www.openwall.com/lists/oss-security/2016/09/20/4",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Broken Link",
            "Third Party Advisory",
            "VDB Entry",
         ],
         url: "http://www.securityfocus.com/bid/93071",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Exploit",
            "Technical Description",
         ],
         url: "https://kcitls.org",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://security.netapp.com/advisory/ntap-20180626-0002/",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Exploit",
            "Mitigation",
            "Technical Description",
         ],
         url: "https://www.usenix.org/system/files/conference/woot15/woot15-paper-hlauschek.pdf",
      },
   ],
   sourceIdentifier: "secalert@redhat.com",
   vulnStatus: "Deferred",
   weaknesses: [
      {
         description: [
            {
               lang: "en",
               value: "CWE-295",
            },
         ],
         source: "nvd@nist.gov",
         type: "Primary",
      },
   ],
}

Vulnerability from fkie_nvd
Published
2020-01-21 23:15
Modified
2024-11-21 04:38
Summary
xmlSchemaPreRun in xmlschemas.c in libxml2 2.9.10 allows an xmlSchemaValidateStream memory leak.
References
cve@mitre.org | http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00047.html | Mailing List, Third Party Advisory
cve@mitre.org | https://gitlab.gnome.org/GNOME/libxml2/merge_requests/68 | Patch, Third Party Advisory
cve@mitre.org | https://lists.debian.org/debian-lts-announce/2020/09/msg00009.html | Mailing List, Third Party Advisory
cve@mitre.org | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/545SPOI3ZPPNPX4TFRIVE4JVRTJRKULL/
cve@mitre.org | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5R55ZR52RMBX24TQTWHCIWKJVRV6YAWI/
cve@mitre.org | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JDPF3AAVKUAKDYFMFKSIQSVVS3EEFPQH/
cve@mitre.org | https://security.gentoo.org/glsa/202010-04 | Third Party Advisory
cve@mitre.org | https://security.netapp.com/advisory/ntap-20200702-0005/ | Third Party Advisory
cve@mitre.org | https://www.oracle.com/security-alerts/cpuapr2022.html | Patch, Third Party Advisory
cve@mitre.org | https://www.oracle.com/security-alerts/cpujul2020.html | Patch, Third Party Advisory
cve@mitre.org | https://www.oracle.com/security-alerts/cpujul2022.html
cve@mitre.org | https://www.oracle.com/security-alerts/cpuoct2021.html | Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 | http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00047.html | Mailing List, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 | https://gitlab.gnome.org/GNOME/libxml2/merge_requests/68 | Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 | https://lists.debian.org/debian-lts-announce/2020/09/msg00009.html | Mailing List, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/545SPOI3ZPPNPX4TFRIVE4JVRTJRKULL/
af854a3a-2127-422b-91ae-364da2661108 | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5R55ZR52RMBX24TQTWHCIWKJVRV6YAWI/
af854a3a-2127-422b-91ae-364da2661108 | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JDPF3AAVKUAKDYFMFKSIQSVVS3EEFPQH/
af854a3a-2127-422b-91ae-364da2661108 | https://security.gentoo.org/glsa/202010-04 | Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 | https://security.netapp.com/advisory/ntap-20200702-0005/ | Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 | https://www.oracle.com/security-alerts/cpuapr2022.html | Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 | https://www.oracle.com/security-alerts/cpujul2020.html | Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 | https://www.oracle.com/security-alerts/cpujul2022.html
af854a3a-2127-422b-91ae-364da2661108 | https://www.oracle.com/security-alerts/cpuoct2021.html | Patch, Third Party Advisory



{
   configurations: [
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:a:xmlsoft:libxml2:2.9.10:*:*:*:*:*:*:*",
                     matchCriteriaId: "F5046B03-34DE-4574-AFDB-E0B2A8022E72",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*",
                     matchCriteriaId: "DEECE5FC-CACF-4496-A3E7-164736409252",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:a:netapp:cloud_backup:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "5C2089EE-5D7F-47EC-8EA5-0F69790564C4",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:netapp:clustered_data_ontap:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "1FE996B1-6951-4F85-AA58-B99A379D2163",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:netapp:ontap_select_deploy_administration_utility:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "E7CF3019-975D-40BB-A8A4-894E62BD3797",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:netapp:plug-in_for_symantec_netbackup:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "FFE0A9D2-9A49-4BF6-BC6F-8249162D8334",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:netapp:smi-s_provider:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "4BB0FDCF-3750-44C6-AC5C-0CC2AAD14093",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:netapp:snapdrive:-:*:*:*:*:windows:*:*",
                     matchCriteriaId: "BEDE62C6-D571-4AF8-B85E-CBBCE4AF98B5",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:netapp:steelstore_cloud_integrated_storage:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "E94F7F59-1785-493F-91A7-5F5EA5E87E4D",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:o:netapp:h300s_firmware:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "6770B6C3-732E-4E22-BF1C-2D2FD610061C",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:h:netapp:h300s:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "9F9C8C20-42EB-4AB5-BD97-212DEB070C43",
                     vulnerable: false,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
         operator: "AND",
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:o:netapp:h500s_firmware:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "7FFF7106-ED78-49BA-9EC5-B889E3685D53",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:h:netapp:h500s:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "E63D8B0F-006E-4801-BF9D-1C001BBFB4F9",
                     vulnerable: false,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
         operator: "AND",
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:o:netapp:h700s_firmware:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "56409CEC-5A1E-4450-AA42-641E459CC2AF",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:h:netapp:h700s:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "B06F4839-D16A-4A61-9BB5-55B13F41E47F",
                     vulnerable: false,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
         operator: "AND",
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:o:netapp:h300e_firmware:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "108A2215-50FB-4074-94CF-C130FA14566D",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:h:netapp:h300e:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "7AFC73CE-ABB9-42D3-9A71-3F5BC5381E0E",
                     vulnerable: false,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
         operator: "AND",
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:o:netapp:h500e_firmware:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "32F0B6C0-F930-480D-962B-3F4EFDCC13C7",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:h:netapp:h500e:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "803BC414-B250-4E3A-A478-A3881340D6B8",
                     vulnerable: false,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
         operator: "AND",
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:o:netapp:h700e_firmware:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "0FEB3337-BFDE-462A-908B-176F92053CEC",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:h:netapp:h700e:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "736AEAE9-782B-4F71-9893-DED53367E102",
                     vulnerable: false,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
         operator: "AND",
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:o:netapp:h410s_firmware:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "D0B4AD8A-F172-4558-AEC6-FF424BA2D912",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:h:netapp:h410s:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "8497A4C9-8474-4A62-8331-3FE862ED4098",
                     vulnerable: false,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
         operator: "AND",
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:a:oracle:communications_cloud_native_core_network_function_cloud_native_environment:1.10.0:*:*:*:*:*:*:*",
                     matchCriteriaId: "C2A5B24D-BDF2-423C-98EA-A40778C01A05",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:enterprise_manager_base_platform:13.4.0.0:*:*:*:*:*:*:*",
                     matchCriteriaId: "D26F3E23-F1A9-45E7-9E5F-0C0A24EE3783",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:enterprise_manager_base_platform:13.5.0.0:*:*:*:*:*:*:*",
                     matchCriteriaId: "6E8758C8-87D3-450A-878B-86CE8C9FC140",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:enterprise_manager_ops_center:12.4.0.0:*:*:*:*:*:*:*",
                     matchCriteriaId: "B095CC03-7077-4A58-AB25-CC5380CDCE5A",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:mysql_workbench:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "EED6C8C2-F986-4CFD-A343-AD2340F850F2",
                     versionEndIncluding: "8.0.26",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.58:*:*:*:*:*:*:*",
                     matchCriteriaId: "D9DB4A14-2EF5-4B54-95D2-75E6CF9AA0A9",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:real_user_experience_insight:13.3.1.0:*:*:*:*:*:*:*",
                     matchCriteriaId: "B534B112-9BA4-467B-A58B-D89C0A6EFA9C",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:real_user_experience_insight:13.4.1.0:*:*:*:*:*:*:*",
                     matchCriteriaId: "CADD7026-EF85-40A5-8563-7A34C6941B1F",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:real_user_experience_insight:13.5.1.0:*:*:*:*:*:*:*",
                     matchCriteriaId: "58F019E8-F68D-41B5-9480-0A81616F2E7C",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*",
                     matchCriteriaId: "B620311B-34A3-48A6-82DF-6F078D7A4493",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:o:fedoraproject:fedora:30:*:*:*:*:*:*:*",
                     matchCriteriaId: "97A4B8DF-58DA-4AB6-A1F9-331B36409BA3",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:o:fedoraproject:fedora:31:*:*:*:*:*:*:*",
                     matchCriteriaId: "80F0FA5D-8D3B-4C0E-81E2-87998286AF33",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*",
                     matchCriteriaId: "36D96259-24BD-44E2-96D9-78CE1D41F956",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
   ],
   cveTags: [],
   descriptions: [
      {
         lang: "en",
         value: "xmlSchemaPreRun in xmlschemas.c in libxml2 2.9.10 allows an xmlSchemaValidateStream memory leak.",
      },
      {
         lang: "es",
         value: "La función xmlSchemaPreRun en el archivo xmlschemas.c en libxml2 versión 2.9.10, permite una pérdida de memoria de la función xmlSchemaValidateStream.",
      },
   ],
   id: "CVE-2019-20388",
   lastModified: "2024-11-21T04:38:21.893",
   metrics: {
      cvssMetricV2: [
         {
            acInsufInfo: false,
            baseSeverity: "MEDIUM",
            cvssData: {
               accessComplexity: "LOW",
               accessVector: "NETWORK",
               authentication: "NONE",
               availabilityImpact: "PARTIAL",
               baseScore: 5,
               confidentialityImpact: "NONE",
               integrityImpact: "NONE",
               vectorString: "AV:N/AC:L/Au:N/C:N/I:N/A:P",
               version: "2.0",
            },
            exploitabilityScore: 10,
            impactScore: 2.9,
            obtainAllPrivilege: false,
            obtainOtherPrivilege: false,
            obtainUserPrivilege: false,
            source: "nvd@nist.gov",
            type: "Primary",
            userInteractionRequired: false,
         },
      ],
      cvssMetricV31: [
         {
            cvssData: {
               attackComplexity: "LOW",
               attackVector: "NETWORK",
               availabilityImpact: "HIGH",
               baseScore: 7.5,
               baseSeverity: "HIGH",
               confidentialityImpact: "NONE",
               integrityImpact: "NONE",
               privilegesRequired: "NONE",
               scope: "UNCHANGED",
               userInteraction: "NONE",
               vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
               version: "3.1",
            },
            exploitabilityScore: 3.9,
            impactScore: 3.6,
            source: "nvd@nist.gov",
            type: "Primary",
         },
      ],
   },
   published: "2020-01-21T23:15:13.553",
   references: [
      {
         source: "cve@mitre.org",
         tags: [
            "Mailing List",
            "Third Party Advisory",
         ],
         url: "http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00047.html",
      },
      {
         source: "cve@mitre.org",
         tags: [
            "Patch",
            "Third Party Advisory",
         ],
         url: "https://gitlab.gnome.org/GNOME/libxml2/merge_requests/68",
      },
      {
         source: "cve@mitre.org",
         tags: [
            "Mailing List",
            "Third Party Advisory",
         ],
         url: "https://lists.debian.org/debian-lts-announce/2020/09/msg00009.html",
      },
      {
         source: "cve@mitre.org",
         url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/545SPOI3ZPPNPX4TFRIVE4JVRTJRKULL/",
      },
      {
         source: "cve@mitre.org",
         url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5R55ZR52RMBX24TQTWHCIWKJVRV6YAWI/",
      },
      {
         source: "cve@mitre.org",
         url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JDPF3AAVKUAKDYFMFKSIQSVVS3EEFPQH/",
      },
      {
         source: "cve@mitre.org",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://security.gentoo.org/glsa/202010-04",
      },
      {
         source: "cve@mitre.org",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://security.netapp.com/advisory/ntap-20200702-0005/",
      },
      {
         source: "cve@mitre.org",
         tags: [
            "Patch",
            "Third Party Advisory",
         ],
         url: "https://www.oracle.com/security-alerts/cpuapr2022.html",
      },
      {
         source: "cve@mitre.org",
         tags: [
            "Patch",
            "Third Party Advisory",
         ],
         url: "https://www.oracle.com/security-alerts/cpujul2020.html",
      },
      {
         source: "cve@mitre.org",
         url: "https://www.oracle.com/security-alerts/cpujul2022.html",
      },
      {
         source: "cve@mitre.org",
         tags: [
            "Patch",
            "Third Party Advisory",
         ],
         url: "https://www.oracle.com/security-alerts/cpuoct2021.html",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Mailing List",
            "Third Party Advisory",
         ],
         url: "http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00047.html",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Patch",
            "Third Party Advisory",
         ],
         url: "https://gitlab.gnome.org/GNOME/libxml2/merge_requests/68",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Mailing List",
            "Third Party Advisory",
         ],
         url: "https://lists.debian.org/debian-lts-announce/2020/09/msg00009.html",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/545SPOI3ZPPNPX4TFRIVE4JVRTJRKULL/",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5R55ZR52RMBX24TQTWHCIWKJVRV6YAWI/",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JDPF3AAVKUAKDYFMFKSIQSVVS3EEFPQH/",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://security.gentoo.org/glsa/202010-04",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://security.netapp.com/advisory/ntap-20200702-0005/",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Patch",
            "Third Party Advisory",
         ],
         url: "https://www.oracle.com/security-alerts/cpuapr2022.html",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Patch",
            "Third Party Advisory",
         ],
         url: "https://www.oracle.com/security-alerts/cpujul2020.html",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         url: "https://www.oracle.com/security-alerts/cpujul2022.html",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Patch",
            "Third Party Advisory",
         ],
         url: "https://www.oracle.com/security-alerts/cpuoct2021.html",
      },
   ],
   sourceIdentifier: "cve@mitre.org",
   vulnStatus: "Modified",
   weaknesses: [
      {
         description: [
            {
               lang: "en",
               value: "CWE-401",
            },
         ],
         source: "nvd@nist.gov",
         type: "Primary",
      },
   ],
}

Vulnerability from fkie_nvd
Published
2019-02-27 23:29
Modified
2024-11-21 04:36
Summary
If an application encounters a fatal protocol error and then calls SSL_shutdown() twice (once to send a close_notify, and once to receive one), OpenSSL can respond differently to the calling application depending on whether a 0-byte record is received with invalid padding or with an invalid MAC. If the application then behaves differently based on that in a way that is detectable to the remote peer, this amounts to a padding oracle that could be used to decrypt data. For this to be exploitable, "non-stitched" ciphersuites must be in use; stitched ciphersuites are optimised implementations of certain commonly used ciphersuites. The application must also call SSL_shutdown() twice even if a protocol error has occurred (applications should not do this, but some do anyway). Fixed in OpenSSL 1.0.2r (affected: 1.0.2-1.0.2q).
References
openssl-security@openssl.orghttp://lists.opensuse.org/opensuse-security-announce/2019-03/msg00041.htmlMailing List, Third Party Advisory
openssl-security@openssl.orghttp://lists.opensuse.org/opensuse-security-announce/2019-04/msg00019.htmlMailing List, Third Party Advisory
openssl-security@openssl.orghttp://lists.opensuse.org/opensuse-security-announce/2019-04/msg00046.htmlMailing List, Third Party Advisory
openssl-security@openssl.orghttp://lists.opensuse.org/opensuse-security-announce/2019-04/msg00047.htmlMailing List, Third Party Advisory
openssl-security@openssl.orghttp://lists.opensuse.org/opensuse-security-announce/2019-05/msg00049.htmlMailing List, Third Party Advisory
openssl-security@openssl.orghttp://lists.opensuse.org/opensuse-security-announce/2019-06/msg00080.htmlMailing List, Third Party Advisory
openssl-security@openssl.orghttp://www.securityfocus.com/bid/107174Third Party Advisory, VDB Entry
openssl-security@openssl.orghttps://access.redhat.com/errata/RHSA-2019:2304Third Party Advisory
openssl-security@openssl.orghttps://access.redhat.com/errata/RHSA-2019:2437Third Party Advisory
openssl-security@openssl.orghttps://access.redhat.com/errata/RHSA-2019:2439Third Party Advisory
openssl-security@openssl.orghttps://access.redhat.com/errata/RHSA-2019:2471Third Party Advisory
openssl-security@openssl.orghttps://access.redhat.com/errata/RHSA-2019:3929Third Party Advisory
openssl-security@openssl.orghttps://access.redhat.com/errata/RHSA-2019:3931Third Party Advisory
openssl-security@openssl.orghttps://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=e9bbefbf0f24c57645e7ad6a5a71ae649d18ac8e
openssl-security@openssl.orghttps://kc.mcafee.com/corporate/index?page=content&id=SB10282Third Party Advisory
openssl-security@openssl.orghttps://lists.debian.org/debian-lts-announce/2019/03/msg00003.htmlMailing List, Third Party Advisory
openssl-security@openssl.orghttps://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EWC42UXL5GHTU5G77VKBF6JYUUNGSHOM/
openssl-security@openssl.orghttps://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Y3IVFGSERAZLNJCK35TEM2R4726XIH3Z/
openssl-security@openssl.orghttps://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZBEV5QGDRFUZDMNECFXUSN5FMYOZDE4V/
openssl-security@openssl.orghttps://security.gentoo.org/glsa/201903-10Third Party Advisory
openssl-security@openssl.orghttps://security.netapp.com/advisory/ntap-20190301-0001/Patch, Third Party Advisory
openssl-security@openssl.orghttps://security.netapp.com/advisory/ntap-20190301-0002/Broken Link, Third Party Advisory
openssl-security@openssl.orghttps://security.netapp.com/advisory/ntap-20190423-0002/Third Party Advisory
openssl-security@openssl.orghttps://support.f5.com/csp/article/K18549143Third Party Advisory
openssl-security@openssl.orghttps://support.f5.com/csp/article/K18549143?utm_source=f5support&amp%3Butm_medium=RSS
openssl-security@openssl.orghttps://usn.ubuntu.com/3899-1/Third Party Advisory
openssl-security@openssl.orghttps://usn.ubuntu.com/4376-2/Broken Link
openssl-security@openssl.orghttps://www.debian.org/security/2019/dsa-4400Third Party Advisory
openssl-security@openssl.orghttps://www.openssl.org/news/secadv/20190226.txtVendor Advisory
openssl-security@openssl.orghttps://www.oracle.com/security-alerts/cpujan2020.htmlThird Party Advisory
openssl-security@openssl.orghttps://www.oracle.com/security-alerts/cpujan2021.htmlThird Party Advisory
openssl-security@openssl.orghttps://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.htmlPatch, Third Party Advisory
openssl-security@openssl.orghttps://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.htmlPatch, Third Party Advisory
openssl-security@openssl.orghttps://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.htmlPatch, Third Party Advisory
openssl-security@openssl.orghttps://www.tenable.com/security/tns-2019-02Patch, Third Party Advisory
openssl-security@openssl.orghttps://www.tenable.com/security/tns-2019-03Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108http://lists.opensuse.org/opensuse-security-announce/2019-03/msg00041.htmlMailing List, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00019.htmlMailing List, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00046.htmlMailing List, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00047.htmlMailing List, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00049.htmlMailing List, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00080.htmlMailing List, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108http://www.securityfocus.com/bid/107174Third Party Advisory, VDB Entry
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/errata/RHSA-2019:2304Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/errata/RHSA-2019:2437Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/errata/RHSA-2019:2439Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/errata/RHSA-2019:2471Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/errata/RHSA-2019:3929Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/errata/RHSA-2019:3931Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=e9bbefbf0f24c57645e7ad6a5a71ae649d18ac8e
af854a3a-2127-422b-91ae-364da2661108https://kc.mcafee.com/corporate/index?page=content&id=SB10282Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://lists.debian.org/debian-lts-announce/2019/03/msg00003.htmlMailing List, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EWC42UXL5GHTU5G77VKBF6JYUUNGSHOM/
af854a3a-2127-422b-91ae-364da2661108https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Y3IVFGSERAZLNJCK35TEM2R4726XIH3Z/
af854a3a-2127-422b-91ae-364da2661108https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZBEV5QGDRFUZDMNECFXUSN5FMYOZDE4V/
af854a3a-2127-422b-91ae-364da2661108https://security.gentoo.org/glsa/201903-10Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://security.netapp.com/advisory/ntap-20190301-0001/Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://security.netapp.com/advisory/ntap-20190301-0002/Broken Link, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://security.netapp.com/advisory/ntap-20190423-0002/Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://support.f5.com/csp/article/K18549143Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://support.f5.com/csp/article/K18549143?utm_source=f5support&amp%3Butm_medium=RSS
af854a3a-2127-422b-91ae-364da2661108https://usn.ubuntu.com/3899-1/Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://usn.ubuntu.com/4376-2/Broken Link
af854a3a-2127-422b-91ae-364da2661108https://www.debian.org/security/2019/dsa-4400Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://www.openssl.org/news/secadv/20190226.txtVendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://www.oracle.com/security-alerts/cpujan2020.htmlThird Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://www.oracle.com/security-alerts/cpujan2021.htmlThird Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.htmlPatch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.htmlPatch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.htmlPatch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://www.tenable.com/security/tns-2019-02Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://www.tenable.com/security/tns-2019-03Third Party Advisory
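Impacted products
In the Version column, "*" is the CPE wildcard for any version; where the record narrows it, the affected range is given by the versionStartIncluding / versionEndIncluding / versionEndExcluding fields of the matching cpeMatch entry in the configuration data below. "-" is the CPE "not applicable" value, meaning no specific version is recorded. Rows that look identical differ by version range or target platform in those entries (for example, snapdrive appears once for unix and once for windows).
Vendor Product Version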
openssl openssl *
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
canonical ubuntu_linux 18.10
debian debian_linux 8.0
debian debian_linux 9.0
netapp active_iq_unified_manager *
netapp active_iq_unified_manager *
netapp active_iq_unified_manager -
netapp altavault -
netapp cloud_backup -
netapp clustered_data_ontap_antivirus_connector -
netapp element_software -
netapp hci_management_node -
netapp hyper_converged_infrastructure -
netapp oncommand_insight -
netapp oncommand_unified_manager -
netapp oncommand_unified_manager -
netapp oncommand_unified_manager_core_package -
netapp oncommand_workflow_automation -
netapp ontap_select_deploy -
netapp ontap_select_deploy_administration_utility -
netapp santricity_smi-s_provider -
netapp service_processor -
netapp smi-s_provider -
netapp snapcenter -
netapp snapdrive -
netapp snapdrive -
netapp snapprotect -
netapp solidfire -
netapp steelstore_cloud_integrated_storage -
netapp storage_automation_store -
netapp storagegrid *
netapp storagegrid -
netapp hci_compute_node -
f5 big-ip_access_policy_manager *
f5 big-ip_access_policy_manager *
f5 big-ip_access_policy_manager *
f5 big-ip_access_policy_manager *
f5 big-ip_advanced_firewall_manager *
f5 big-ip_advanced_firewall_manager *
f5 big-ip_advanced_firewall_manager *
f5 big-ip_advanced_firewall_manager *
f5 big-ip_analytics *
f5 big-ip_analytics *
f5 big-ip_analytics *
f5 big-ip_analytics *
f5 big-ip_application_acceleration_manager *
f5 big-ip_application_acceleration_manager *
f5 big-ip_application_acceleration_manager *
f5 big-ip_application_acceleration_manager *
f5 big-ip_application_security_manager *
f5 big-ip_application_security_manager *
f5 big-ip_application_security_manager *
f5 big-ip_application_security_manager *
f5 big-ip_domain_name_system *
f5 big-ip_domain_name_system *
f5 big-ip_domain_name_system *
f5 big-ip_domain_name_system *
f5 big-ip_edge_gateway *
f5 big-ip_edge_gateway *
f5 big-ip_edge_gateway *
f5 big-ip_edge_gateway *
f5 big-ip_fraud_protection_service *
f5 big-ip_fraud_protection_service *
f5 big-ip_fraud_protection_service *
f5 big-ip_fraud_protection_service *
f5 big-ip_global_traffic_manager *
f5 big-ip_global_traffic_manager *
f5 big-ip_global_traffic_manager *
f5 big-ip_global_traffic_manager *
f5 big-ip_link_controller *
f5 big-ip_link_controller *
f5 big-ip_link_controller *
f5 big-ip_link_controller *
f5 big-ip_local_traffic_manager *
f5 big-ip_local_traffic_manager *
f5 big-ip_local_traffic_manager *
f5 big-ip_local_traffic_manager *
f5 big-ip_policy_enforcement_manager *
f5 big-ip_policy_enforcement_manager *
f5 big-ip_policy_enforcement_manager *
f5 big-ip_policy_enforcement_manager *
f5 big-ip_webaccelerator *
f5 big-ip_webaccelerator *
f5 big-ip_webaccelerator *
f5 big-ip_webaccelerator *
f5 big-iq_centralized_management *
f5 big-iq_centralized_management *
f5 traffix_signaling_delivery_controller *
f5 traffix_signaling_delivery_controller 4.4.0
tenable nessus *
opensuse leap 15.0
opensuse leap 15.1
opensuse leap 42.3
netapp cn1610_firmware -
netapp cn1610 -
netapp a320_firmware -
netapp a320 -
netapp c190_firmware -
netapp c190 -
netapp a220_firmware -
netapp a220 -
netapp fas2720_firmware -
netapp fas2720 -
netapp fas2750_firmware -
netapp fas2750 -
netapp a800_firmware -
netapp a800 -
fedoraproject fedora 29
fedoraproject fedora 30
fedoraproject fedora 31
mcafee agent *
mcafee data_exchange_layer *
mcafee threat_intelligence_exchange_server *
mcafee web_gateway *
redhat jboss_enterprise_web_server 5.0.0
redhat enterprise_linux 6.0
redhat enterprise_linux 7.0
redhat enterprise_linux 8.0
redhat virtualization 4.0
redhat virtualization_host 4.0
redhat enterprise_linux 7.0
redhat enterprise_linux_desktop 6.0
redhat enterprise_linux_desktop 7.0
redhat enterprise_linux_server 6.0
redhat enterprise_linux_server 7.0
redhat enterprise_linux_workstation 6.0
redhat enterprise_linux_workstation 7.0
oracle api_gateway 11.1.2.4.0
oracle business_intelligence 11.1.1.9.0
oracle business_intelligence 12.2.1.3.0
oracle business_intelligence 12.2.1.4.0
oracle communications_diameter_signaling_router 8.0.0
oracle communications_diameter_signaling_router 8.1
oracle communications_diameter_signaling_router 8.2
oracle communications_diameter_signaling_router 8.3
oracle communications_diameter_signaling_router 8.4
oracle communications_performance_intelligence_center 10.4.0.2
oracle communications_session_border_controller 7.4
oracle communications_session_border_controller 8.0.0
oracle communications_session_border_controller 8.1.0
oracle communications_session_border_controller 8.2
oracle communications_session_border_controller 8.3
oracle communications_session_router 7.4
oracle communications_session_router 8.0
oracle communications_session_router 8.1
oracle communications_session_router 8.2
oracle communications_session_router 8.3
oracle communications_unified_session_manager 7.3.5
oracle communications_unified_session_manager 8.2.5
oracle endeca_server 7.7.0
oracle enterprise_manager_base_platform 12.1.0.5.0
oracle enterprise_manager_base_platform 13.2.0.0.0
oracle enterprise_manager_base_platform 13.3.0.0.0
oracle enterprise_manager_ops_center 12.3.3
oracle enterprise_manager_ops_center 12.4.0
oracle jd_edwards_enterpriseone_tools 9.2
oracle jd_edwards_world_security a9.3
oracle jd_edwards_world_security a9.3.1
oracle jd_edwards_world_security a9.4
oracle mysql *
oracle mysql *
oracle mysql *
oracle mysql_enterprise_monitor *
oracle mysql_enterprise_monitor *
oracle mysql_workbench *
oracle peoplesoft_enterprise_peopletools 8.55
oracle peoplesoft_enterprise_peopletools 8.56
oracle peoplesoft_enterprise_peopletools 8.57
oracle secure_global_desktop 5.4
oracle services_tools_bundle 19.2
paloaltonetworks pan-os *
paloaltonetworks pan-os *
paloaltonetworks pan-os *
paloaltonetworks pan-os *
nodejs node.js *
nodejs node.js *
nodejs node.js *
nodejs node.js *



{
   configurations: [
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "1FB0EC34-4625-4B2A-8AB9-0764D9D9E6BC",
                     versionEndExcluding: "1.0.2r",
                     versionStartIncluding: "1.0.2",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:esm:*:*:*",
                     matchCriteriaId: "7A5301BF-1402-4BE0-A0F8-69FBE79BC6D6",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*",
                     matchCriteriaId: "23A7C53F-B80F-4E6A-AFA9-58EEA84BE11D",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:o:canonical:ubuntu_linux:18.10:*:*:*:*:*:*:*",
                     matchCriteriaId: "07C312A0-CD2C-4B9C-B064-6409B25C278F",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*",
                     matchCriteriaId: "C11E6FB0-C8C0-4527-9AA0-CB9B316F8F43",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*",
                     matchCriteriaId: "DEECE5FC-CACF-4496-A3E7-164736409252",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:a:netapp:active_iq_unified_manager:*:*:*:*:*:windows:*:*",
                     matchCriteriaId: "BD075607-09B7-493E-8611-66D041FFDA62",
                     versionStartIncluding: "7.3",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:netapp:active_iq_unified_manager:*:*:*:*:*:vmware_vsphere:*:*",
                     matchCriteriaId: "0CB28AF5-5AF0-4475-A7B6-12E1795FFDCB",
                     versionStartIncluding: "9.5",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:windows:*:*",
                     matchCriteriaId: "B55E8D50-99B4-47EC-86F9-699B67D473CE",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:netapp:altavault:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "4E878102-1EA0-4D83-9F36-955DCF902211",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:netapp:cloud_backup:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "5C2089EE-5D7F-47EC-8EA5-0F69790564C4",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:netapp:clustered_data_ontap_antivirus_connector:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "62347994-1353-497C-9C4A-D5D8D95F67E8",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:netapp:element_software:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "85DF4B3F-4BBC-42B7-B729-096934523D63",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:netapp:hci_management_node:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "A3C19813-E823-456A-B1CE-EC0684CE1953",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:netapp:hyper_converged_infrastructure:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "893C0367-DD1A-4754-B9E0-4944344108EC",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:netapp:oncommand_insight:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "F1BE6C1F-2565-4E97-92AA-16563E5660A5",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:netapp:oncommand_unified_manager:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "C18CA4B5-28FD-4199-B1F0-B1E59E920370",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:netapp:oncommand_unified_manager:-:*:*:*:*:vsphere:*:*",
                     matchCriteriaId: "EB2FB857-5F1F-46E5-A90C-AFB990BF1660",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:netapp:oncommand_unified_manager_core_package:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "0A4D418D-B526-46B9-B439-E1963BF88C0A",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:netapp:oncommand_workflow_automation:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "5735E553-9731-4AAC-BCFF-989377F817B3",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:netapp:ontap_select_deploy:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "7E968916-8CE0-4165-851F-14E37ECEA948",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:netapp:ontap_select_deploy_administration_utility:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "E7CF3019-975D-40BB-A8A4-894E62BD3797",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:netapp:santricity_smi-s_provider:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "361B791A-D336-4431-8F68-8135BEFFAEA2",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:netapp:service_processor:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "146A767F-DC04-454B-9913-17D3A2B5AAA4",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:netapp:smi-s_provider:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "4BB0FDCF-3750-44C6-AC5C-0CC2AAD14093",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:netapp:snapcenter:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "BDFB1169-41A0-4A86-8E4F-FDA9730B1E94",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:netapp:snapdrive:-:*:*:*:*:unix:*:*",
                     matchCriteriaId: "61D7EF01-F618-497F-9375-8003CEA3D380",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:netapp:snapdrive:-:*:*:*:*:windows:*:*",
                     matchCriteriaId: "BEDE62C6-D571-4AF8-B85E-CBBCE4AF98B5",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:netapp:snapprotect:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "F74F467A-0C81-40D9-BA06-40FB8EF02C04",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:netapp:solidfire:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "A6E9EF0C-AFA8-4F7B-9FDC-1E0F7C26E737",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:netapp:steelstore_cloud_integrated_storage:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "E94F7F59-1785-493F-91A7-5F5EA5E87E4D",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:netapp:storage_automation_store:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "7B7A6697-98CC-4E36-93DB-B7160F8399F9",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:netapp:storagegrid:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "D239B58A-9386-443D-B579-B56AE2A500BC",
                     versionEndIncluding: "9.0.4",
                     versionStartIncluding: "9.0.0",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:netapp:storagegrid:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "8ADFF451-740F-4DBA-BD23-3881945D3E40",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:h:netapp:hci_compute_node:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "AD7447BC-F315-4298-A822-549942FC118B",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:a:f5:big-ip_access_policy_manager:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "6C3B5688-0235-4D4F-A26C-440FF24A1B43",
                     versionEndIncluding: "12.1.5",
                     versionStartIncluding: "12.1.0",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:f5:big-ip_access_policy_manager:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "706316DC-8C24-4D9E-B7B4-F62CB52106B8",
                     versionEndIncluding: "13.1.3",
                     versionStartIncluding: "13.0.0",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:f5:big-ip_access_policy_manager:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "FCBAF5C1-3761-47BB-AD8E-A55A64D33AF3",
                     versionEndIncluding: "14.1.2",
                     versionStartIncluding: "14.0.0",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:f5:big-ip_access_policy_manager:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "EFBB9E7C-08D1-4B30-AD3B-CADBF30D756B",
                     versionEndIncluding: "15.1.0",
                     versionStartIncluding: "15.0.0",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:f5:big-ip_advanced_firewall_manager:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "151ED6D1-AA85-4213-8F3A-8167CBEC4721",
                     versionEndIncluding: "12.1.5",
                     versionStartIncluding: "12.1.0",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:f5:big-ip_advanced_firewall_manager:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "BFA83D61-1A50-47F5-B9BE-15D672A6DDAD",
                     versionEndIncluding: "13.1.3",
                     versionStartIncluding: "13.0.0",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:f5:big-ip_advanced_firewall_manager:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "925049D0-082E-4CED-9996-A55620A220CF",
                     versionEndIncluding: "14.1.2",
                     versionStartIncluding: "14.0.0",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:f5:big-ip_advanced_firewall_manager:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "830028B5-9BAF-439C-8166-1053C0CB9836",
                     versionEndIncluding: "15.1.0",
                     versionStartIncluding: "15.0.0",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:f5:big-ip_analytics:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "5D5AA99B-08E7-4959-A3B4-41AA527B4B22",
                     versionEndIncluding: "12.1.5",
                     versionStartIncluding: "12.1.0",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:f5:big-ip_analytics:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "22C64069-68D1-445F-B20D-FD1FF8DB0F71",
                     versionEndIncluding: "13.1.3",
                     versionStartIncluding: "13.0.0",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:f5:big-ip_analytics:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "6D87C038-B96D-4EA8-AB03-0401B2C9BB24",
                     versionEndIncluding: "14.1.2",
                     versionStartIncluding: "14.0.0",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:f5:big-ip_analytics:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "01BC2A57-030F-4A13-B584-BE2627EA3FE7",
                     versionEndIncluding: "15.1.0",
                     versionStartIncluding: "15.0.0",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:f5:big-ip_application_acceleration_manager:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "9DC86A5F-C793-4848-901F-04BFB57A07F6",
                     versionEndIncluding: "12.1.5",
                     versionStartIncluding: "12.1.0",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:f5:big-ip_application_acceleration_manager:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "9CE03A8F-DAE1-4923-9741-DC89FA8A6FD8",
                     versionEndIncluding: "13.1.3",
                     versionStartIncluding: "13.0.0",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:f5:big-ip_application_acceleration_manager:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "037C035C-9CFC-4224-8264-6132252D11FD",
                     versionEndIncluding: "14.1.2",
                     versionStartIncluding: "14.0.0",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:f5:big-ip_application_acceleration_manager:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "FD91F1A1-67F5-4547-848B-21664A9CC685",
                     versionEndIncluding: "15.1.0",
                     versionStartIncluding: "15.0.0",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:f5:big-ip_application_security_manager:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "2E5552A3-91CD-4B97-AD33-4F1FB4C8827A",
                     versionEndIncluding: "12.1.5",
                     versionStartIncluding: "12.1.0",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:f5:big-ip_application_security_manager:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "A7E616EB-F2F9-43BF-A23D-8FD0650DA85B",
                     versionEndIncluding: "13.1.3",
                     versionStartIncluding: "13.0.0",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:f5:big-ip_application_security_manager:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "AE66A673-75EF-4AB3-AD4D-A1E70C7EFB08",
                     versionEndIncluding: "14.1.2",
                     versionStartIncluding: "14.0.0",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:f5:big-ip_application_security_manager:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "10367A28-787A-4FAB-80AD-ADD67A751732",
                     versionEndIncluding: "15.1.0",
                     versionStartIncluding: "15.0.0",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:f5:big-ip_domain_name_system:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "55C2EC23-E78F-4447-BACF-21FC36ABF155",
                     versionEndIncluding: "12.1.5",
                     versionStartIncluding: "12.1.0",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:f5:big-ip_domain_name_system:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "180D2770-61F3-4CFB-B5FA-1CF1796D4B3E",
                     versionEndIncluding: "13.1.3",
                     versionStartIncluding: "13.0.0",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:f5:big-ip_domain_name_system:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "46712630-407A-4E61-B62F-3AB156353A1D",
                     versionEndIncluding: "14.1.2",
                     versionStartIncluding: "14.0.0",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:f5:big-ip_domain_name_system:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "21E18EA5-2210-41B1-87B0-55AB16514FE2",
                     versionEndIncluding: "15.1.0",
                     versionStartIncluding: "15.0.0",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:f5:big-ip_edge_gateway:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "EFFCCCFF-8B66-4C8B-A99A-32964855EF98",
                     versionEndIncluding: "12.1.5",
                     versionStartIncluding: "12.1.0",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:f5:big-ip_edge_gateway:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "5D0BD10F-735D-4442-828B-0B90207ABEAD",
                     versionEndIncluding: "13.1.3",
                     versionStartIncluding: "13.0.0",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:f5:big-ip_edge_gateway:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "448BB033-AE0F-46A0-8E98-3A6AE36EADAE",
                     versionEndIncluding: "14.1.2",
                     versionStartIncluding: "14.0.0",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:f5:big-ip_edge_gateway:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "CC06609D-C362-4214-8487-2278161B5EAD",
                     versionEndIncluding: "15.1.0",
                     versionStartIncluding: "15.0.0",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:f5:big-ip_fraud_protection_service:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "945A19E8-51EB-42FE-9BF1-12DAC78B5286",
                     versionEndIncluding: "12.1.5",
                     versionStartIncluding: "12.1.0",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:f5:big-ip_fraud_protection_service:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "2008DD47-CC1D-430F-8478-E90617F5F998",
                     versionEndIncluding: "13.1.3",
                     versionStartIncluding: "13.0.0",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:f5:big-ip_fraud_protection_service:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "DC39F6EE-478A-4638-B97D-3C25FD318F3D",
                     versionEndIncluding: "14.1.2",
                     versionStartIncluding: "14.0.0",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:f5:big-ip_fraud_protection_service:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "317C50A2-FE92-4C78-A94A-062274E6A6A8",
                     versionEndIncluding: "15.1.0",
                     versionStartIncluding: "15.0.0",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:f5:big-ip_global_traffic_manager:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "EB5007D0-BBDB-4D74-9C88-98FBA74757D1",
                     versionEndIncluding: "12.1.5",
                     versionStartIncluding: "12.1.0",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:f5:big-ip_global_traffic_manager:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "389B6330-3041-4892-97D5-B5A6D9CE1487",
                     versionEndIncluding: "13.1.3",
                     versionStartIncluding: "13.0.0",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:f5:big-ip_global_traffic_manager:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "5C556587-6963-49CF-8A2B-00431B386D78",
                     versionEndIncluding: "14.1.2",
                     versionStartIncluding: "14.0.0",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:f5:big-ip_global_traffic_manager:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "D748001D-340C-45C4-A2D0-0575538C5CEC",
                     versionEndIncluding: "15.1.0",
                     versionStartIncluding: "15.0.0",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:f5:big-ip_link_controller:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "B7725810-66D2-4460-A174-9F3BFAD966F2",
                     versionEndIncluding: "12.1.5",
                     versionStartIncluding: "12.1.0",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:f5:big-ip_link_controller:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "D7854954-A9A4-487B-B6C7-8DC1F83F4BD7",
                     versionEndIncluding: "13.1.3",
                     versionStartIncluding: "13.0.0",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:f5:big-ip_link_controller:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "572B1078-60C4-4A71-A0F4-2E2F4FBC4102",
                     versionEndIncluding: "14.1.2",
                     versionStartIncluding: "14.0.0",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:f5:big-ip_link_controller:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "0371EB7C-3D41-4B8C-8FA9-DC6F42442448",
                     versionEndIncluding: "15.1.0",
                     versionStartIncluding: "15.0.0",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:f5:big-ip_local_traffic_manager:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "EFD760FE-4347-4D36-B5C6-4009398060F2",
                     versionEndIncluding: "12.1.5",
                     versionStartIncluding: "12.1.0",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:f5:big-ip_local_traffic_manager:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "FB7588DA-75D3-4374-8871-D92E95509C91",
                     versionEndIncluding: "13.1.3",
                     versionStartIncluding: "13.0.0",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:f5:big-ip_local_traffic_manager:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "C95403E8-A078-47E8-9B2F-F572D24C79EF",
                     versionEndIncluding: "14.1.2",
                     versionStartIncluding: "14.0.0",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:f5:big-ip_local_traffic_manager:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "9C1BC0A8-5868-4FCA-80A5-661C3870EB7D",
                     versionEndIncluding: "15.1.0",
                     versionStartIncluding: "15.0.0",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:f5:big-ip_policy_enforcement_manager:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "65B76F53-7D8B-477E-8B6E-91AC0A9009FF",
                     versionEndIncluding: "12.1.5",
                     versionStartIncluding: "12.1.0",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:f5:big-ip_policy_enforcement_manager:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "E824BD72-428F-4A8D-ABE6-2A45EB9A4E3A",
                     versionEndIncluding: "13.1.3",
                     versionStartIncluding: "13.0.0",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:f5:big-ip_policy_enforcement_manager:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "57A92EE2-FFC9-45C9-9454-7DFAB1F7EE11",
                     versionEndIncluding: "14.1.2",
                     versionStartIncluding: "14.0.0",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:f5:big-ip_policy_enforcement_manager:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "0585424E-3F74-400E-8199-ED964317F89F",
                     versionEndIncluding: "15.1.0",
                     versionStartIncluding: "15.0.0",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:f5:big-ip_webaccelerator:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "69338CB1-B6E2-44E7-BEC1-6B9EAD560C8B",
                     versionEndIncluding: "12.1.5",
                     versionStartIncluding: "12.1.0",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:f5:big-ip_webaccelerator:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "7A6CF6F4-D68A-45C3-A36E-A8B3AF61367F",
                     versionEndIncluding: "13.1.3",
                     versionStartIncluding: "13.0.0",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:f5:big-ip_webaccelerator:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "F2ADF37B-FCEB-4735-82D9-4241E3A4DE64",
                     versionEndIncluding: "14.1.2",
                     versionStartIncluding: "14.0.0",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:f5:big-ip_webaccelerator:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "D7722F39-9B7E-4267-B757-B9570B039323",
                     versionEndIncluding: "15.1.0",
                     versionStartIncluding: "15.0.0",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:f5:big-iq_centralized_management:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "F37D18F2-8C6A-4557-85DC-2A751595423C",
                     versionEndIncluding: "6.1.0",
                     versionStartIncluding: "6.0.0",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:f5:big-iq_centralized_management:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "C88B0206-093A-4A18-8322-A1CD1D4ACF2A",
                     versionEndIncluding: "7.1.0",
                     versionStartIncluding: "7.0.0",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:f5:traffix_signaling_delivery_controller:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "4E52F91D-3F39-4D89-8069-EC422FB1F700",
                     versionEndIncluding: "5.1.0",
                     versionStartIncluding: "5.0.0",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:f5:traffix_signaling_delivery_controller:4.4.0:*:*:*:*:*:*:*",
                     matchCriteriaId: "3D71A781-FBD8-4084-8D9C-00D7B6ECB9A1",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:a:tenable:nessus:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "427DA624-2397-4A61-A2ED-23F5C22C174E",
                     versionEndIncluding: "8.2.3",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:o:opensuse:leap:15.0:*:*:*:*:*:*:*",
                     matchCriteriaId: "F1E78106-58E6-4D59-990F-75DA575BFAD9",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*",
                     matchCriteriaId: "B620311B-34A3-48A6-82DF-6F078D7A4493",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:o:opensuse:leap:42.3:*:*:*:*:*:*:*",
                     matchCriteriaId: "5F65DAB0-3DAD-49FF-BC73-3581CC3D5BF3",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:o:netapp:cn1610_firmware:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "EB30733E-68FC-49C4-86C0-7FEE75C366BF",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:h:netapp:cn1610:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "6361DAC6-600F-4B15-8797-D67F298F46FB",
                     vulnerable: false,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
         operator: "AND",
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:o:netapp:a320_firmware:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "6ADE5E80-06D3-4A1B-A655-FBB6CCA03939",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:h:netapp:a320:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "E8FD5E05-3C58-465F-9D4F-ECC2CD78DCFF",
                     vulnerable: false,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
         operator: "AND",
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:o:netapp:c190_firmware:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "75A43965-CB2E-4C28-AFC3-1ADE7A6B845C",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:h:netapp:c190:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "0D421A96-E6E9-4B27-ADE0-D8E87A82EEDE",
                     vulnerable: false,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
         operator: "AND",
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:o:netapp:a220_firmware:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "4F2D2745-242C-4603-899E-70C9025BDDD2",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:h:netapp:a220:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "EFB4541D-5EF7-4266-BFF3-2DDEC95E8012",
                     vulnerable: false,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
         operator: "AND",
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:o:netapp:fas2720_firmware:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "B7FD1DA9-7980-4643-B378-7095892DA176",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:h:netapp:fas2720:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "347E9E3E-941C-4109-B59F-B9BB05486B34",
                     vulnerable: false,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
         operator: "AND",
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:o:netapp:fas2750_firmware:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "AD661062-0D5B-4671-9D92-FEF8D7395C1E",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:h:netapp:fas2750:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "8155BF5F-DD1B-4AB4-81F8-9BCE6A8821AE",
                     vulnerable: false,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
         operator: "AND",
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:o:netapp:a800_firmware:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "B36CECA5-4545-49C2-92EB-B739407B207F",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:h:netapp:a800:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "D8E7549A-DE35-4274-B3F6-22D51C7A6613",
                     vulnerable: false,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
         operator: "AND",
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:o:fedoraproject:fedora:29:*:*:*:*:*:*:*",
                     matchCriteriaId: "D100F7CE-FC64-4CC6-852A-6136D72DA419",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:o:fedoraproject:fedora:30:*:*:*:*:*:*:*",
                     matchCriteriaId: "97A4B8DF-58DA-4AB6-A1F9-331B36409BA3",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:o:fedoraproject:fedora:31:*:*:*:*:*:*:*",
                     matchCriteriaId: "80F0FA5D-8D3B-4C0E-81E2-87998286AF33",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:a:mcafee:agent:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "CBD9362E-F36F-4820-A29E-5BDDF6AC3ACE",
                     versionEndIncluding: "5.6.4",
                     versionStartIncluding: "5.6.0",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:mcafee:data_exchange_layer:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "02630E85-191E-4C58-B81B-4DAF93A26856",
                     versionEndExcluding: "6.0.0",
                     versionStartIncluding: "4.0.0",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:mcafee:threat_intelligence_exchange_server:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "65D5476E-FBF9-474B-87E1-B6459E52736C",
                     versionEndExcluding: "3.0.0",
                     versionStartIncluding: "2.0.0",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:mcafee:web_gateway:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "DDD5E877-978C-4A16-B6C5-41A30D020B54",
                     versionEndExcluding: "9.0.0",
                     versionStartIncluding: "7.0.0",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:a:redhat:jboss_enterprise_web_server:5.0.0:*:*:*:*:*:*:*",
                     matchCriteriaId: "E0F04157-FB34-4F22-B328-6BE1F2373DEE",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:o:redhat:enterprise_linux:6.0:*:*:*:*:*:*:*",
                     matchCriteriaId: "2F6AB192-9D7D-4A9A-8995-E53A9DE9EAFC",
                     vulnerable: false,
                  },
                  {
                     criteria: "cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*",
                     matchCriteriaId: "142AD0DD-4CF3-4D74-9442-459CE3347E3A",
                     vulnerable: false,
                  },
                  {
                     criteria: "cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*",
                     matchCriteriaId: "F4CFF558-3C47-480D-A2F0-BABF26042943",
                     vulnerable: false,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
         operator: "AND",
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:a:redhat:virtualization:4.0:*:*:*:*:*:*:*",
                     matchCriteriaId: "6BBD7A51-0590-4DDF-8249-5AFA8D645CB6",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:redhat:virtualization_host:4.0:*:*:*:*:*:*:*",
                     matchCriteriaId: "BB28F9AF-3D06-4532-B397-96D7E4792503",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*",
                     matchCriteriaId: "142AD0DD-4CF3-4D74-9442-459CE3347E3A",
                     vulnerable: false,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
         operator: "AND",
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:o:redhat:enterprise_linux_desktop:6.0:*:*:*:*:*:*:*",
                     matchCriteriaId: "EE249E1B-A1FD-4E08-AA71-A0E1F10FFE97",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:o:redhat:enterprise_linux_desktop:7.0:*:*:*:*:*:*:*",
                     matchCriteriaId: "33C068A4-3780-4EAB-A937-6082DF847564",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:o:redhat:enterprise_linux_server:6.0:*:*:*:*:*:*:*",
                     matchCriteriaId: "9BBCD86A-E6C7-4444-9D74-F861084090F0",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:*",
                     matchCriteriaId: "51EF4996-72F4-4FA4-814F-F5991E7A8318",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:o:redhat:enterprise_linux_workstation:6.0:*:*:*:*:*:*:*",
                     matchCriteriaId: "E5ED5807-55B7-47C5-97A6-03233F4FBC3A",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:o:redhat:enterprise_linux_workstation:7.0:*:*:*:*:*:*:*",
                     matchCriteriaId: "825ECE2D-E232-46E0-A047-074B34DB1E97",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:a:oracle:api_gateway:11.1.2.4.0:*:*:*:*:*:*:*",
                     matchCriteriaId: "A5553591-073B-45E3-999F-21B8BA2EEE22",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:business_intelligence:11.1.1.9.0:*:*:*:enterprise:*:*:*",
                     matchCriteriaId: "523CD57C-43D4-4C79-BA00-A9A65C6588E3",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:business_intelligence:12.2.1.3.0:*:*:*:enterprise:*:*:*",
                     matchCriteriaId: "77C3DD16-1D81-40E1-B312-50FBD275507C",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:business_intelligence:12.2.1.4.0:*:*:*:enterprise:*:*:*",
                     matchCriteriaId: "81DAC8C0-D342-44B5-9432-6B88D389584F",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:communications_diameter_signaling_router:8.0.0:*:*:*:*:*:*:*",
                     matchCriteriaId: "A9317C01-22AA-452B-BBBF-5FAFFFB8BEA4",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:communications_diameter_signaling_router:8.1:*:*:*:*:*:*:*",
                     matchCriteriaId: "C4534CF9-D9FD-4936-9D8C-077387028A05",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:communications_diameter_signaling_router:8.2:*:*:*:*:*:*:*",
                     matchCriteriaId: "D60384BD-284C-4A68-9EEF-0FAFDF0C21F3",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:communications_diameter_signaling_router:8.3:*:*:*:*:*:*:*",
                     matchCriteriaId: "CDA8DD5B-8A34-4CB3-B0FB-F82C73B25007",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:communications_diameter_signaling_router:8.4:*:*:*:*:*:*:*",
                     matchCriteriaId: "F6E5E8B0-EDE5-4FE4-880C-766FAE1EA42C",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:communications_performance_intelligence_center:10.4.0.2:*:*:*:*:*:*:*",
                     matchCriteriaId: "D8EDA23C-7F75-4712-AF3F-B0E3597810B3",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:communications_session_border_controller:7.4:*:*:*:*:*:*:*",
                     matchCriteriaId: "5D139E52-0528-4D05-8502-1AB9AB10CA9A",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:communications_session_border_controller:8.0.0:*:*:*:*:*:*:*",
                     matchCriteriaId: "1F59AE20-7B9D-47A5-9E0D-A73F4A0E7D34",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:communications_session_border_controller:8.1.0:*:*:*:*:*:*:*",
                     matchCriteriaId: "1D4AF039-F3B6-45EB-A87E-8BCCF822AE23",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:communications_session_border_controller:8.2:*:*:*:*:*:*:*",
                     matchCriteriaId: "2B9F6415-2950-49FE-9CAF-8BCA4DB6DF4B",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:communications_session_border_controller:8.3:*:*:*:*:*:*:*",
                     matchCriteriaId: "C05190B9-237F-4E2E-91EA-DB1B738864AD",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:communications_session_router:7.4:*:*:*:*:*:*:*",
                     matchCriteriaId: "D5D0F0C0-75EB-4685-A4CD-E58D1F2C6FDC",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:communications_session_router:8.0:*:*:*:*:*:*:*",
                     matchCriteriaId: "B59717B5-34D5-4C83-904A-884ED30DFC19",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:communications_session_router:8.1:*:*:*:*:*:*:*",
                     matchCriteriaId: "19BA6F25-B88A-42A1-A9E3-2DCF4E8F51A4",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:communications_session_router:8.2:*:*:*:*:*:*:*",
                     matchCriteriaId: "4E28B437-64A8-456C-98A1-4ADF5B6A2F60",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:communications_session_router:8.3:*:*:*:*:*:*:*",
                     matchCriteriaId: "2D705705-0D0D-468B-A140-C9A1B7A6CE6F",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:communications_unified_session_manager:7.3.5:*:*:*:*:*:*:*",
                     matchCriteriaId: "07BB35D4-9CCD-43D3-B482-E0BEB3BF2351",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:communications_unified_session_manager:8.2.5:*:*:*:*:*:*:*",
                     matchCriteriaId: "FB468FEE-A0F4-49A0-BBEE-10D0733C87D4",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:endeca_server:7.7.0:*:*:*:*:*:*:*",
                     matchCriteriaId: "DB290045-2140-47EE-9BB4-35BAE8F1599C",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:enterprise_manager_base_platform:12.1.0.5.0:*:*:*:*:*:*:*",
                     matchCriteriaId: "98F3E643-4B65-4668-BB11-C61ED54D5A53",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:enterprise_manager_base_platform:13.2.0.0.0:*:*:*:*:*:*:*",
                     matchCriteriaId: "459B4A5F-A6BD-4A1C-B6B7-C979F005EB70",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:enterprise_manager_base_platform:13.3.0.0.0:*:*:*:*:*:*:*",
                     matchCriteriaId: "CDCE0E90-495E-4437-8529-3C36441FB69D",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:enterprise_manager_ops_center:12.3.3:*:*:*:*:*:*:*",
                     matchCriteriaId: "AB654DFA-FEF9-4D00-ADB0-F3F2B6ACF13E",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:enterprise_manager_ops_center:12.4.0:*:*:*:*:*:*:*",
                     matchCriteriaId: "37209C6F-EF99-4D21-9608-B3A06D283D24",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:9.2:*:*:*:*:*:*:*",
                     matchCriteriaId: "41684398-18A4-4DC6-B8A2-3EBAA0CBF9A6",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:jd_edwards_world_security:a9.3:*:*:*:*:*:*:*",
                     matchCriteriaId: "83800E2F-804C-485D-A8FA-F4B32CDB4548",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:jd_edwards_world_security:a9.3.1:*:*:*:*:*:*:*",
                     matchCriteriaId: "60BEB1C6-C279-4BB0-972C-BE28A6605C09",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:jd_edwards_world_security:a9.4:*:*:*:*:*:*:*",
                     matchCriteriaId: "0B1CAD50-749F-4ADB-A046-BF3585677A58",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:mysql:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "C637AC8A-F5F7-447E-A7F6-D6BA7AB45DF9",
                     versionEndIncluding: "5.6.43",
                     versionStartIncluding: "5.6.0",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:mysql:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "CA988288-7D0C-4ADE-BE61-484D2D555A8A",
                     versionEndIncluding: "5.7.25",
                     versionStartIncluding: "5.7.0",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:mysql:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "0E106D13-CBF8-4A2C-8E89-A66C6EF5D408",
                     versionEndIncluding: "8.0.15",
                     versionStartIncluding: "8.0.0",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:mysql_enterprise_monitor:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "DFBC7A65-3C0B-4B17-B087-250E69EE5B12",
                     versionEndIncluding: "4.0.8",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:mysql_enterprise_monitor:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "A443D73A-63BE-4D1F-B605-0F7D20915518",
                     versionEndIncluding: "8.0.14",
                     versionStartIncluding: "8.0.0",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:mysql_workbench:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "71CD99E7-3FE7-42E2-B480-7AA0E543340E",
                     versionEndIncluding: "8.0.16",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.55:*:*:*:*:*:*:*",
                     matchCriteriaId: "45CB30A1-B2C9-4BF5-B510-1F2F18B60C64",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.56:*:*:*:*:*:*:*",
                     matchCriteriaId: "D0A735B4-4F3C-416B-8C08-9CB21BAD2889",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.57:*:*:*:*:*:*:*",
                     matchCriteriaId: "7E1E416B-920B-49A0-9523-382898C2979D",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:secure_global_desktop:5.4:*:*:*:*:*:*:*",
                     matchCriteriaId: "B5265C91-FF5C-4451-A7C2-D388A65ACFA2",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:services_tools_bundle:19.2:*:*:*:*:*:*:*",
                     matchCriteriaId: "62DAD71E-A6D5-4CA9-A016-100F2D5114A6",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:o:paloaltonetworks:pan-os:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "F457852F-D998-4BCF-99FE-09C6DFC8851A",
                     versionEndExcluding: "7.1.15",
                     versionStartIncluding: "7.1.0",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:o:paloaltonetworks:pan-os:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "ACA311D7-0ADC-497A-8A47-5AB864F201DE",
                     versionEndExcluding: "8.0.20",
                     versionStartIncluding: "8.0.0",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:o:paloaltonetworks:pan-os:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "0F57DBD8-DCA7-43FB-AC9E-6BDBB3EBE500",
                     versionEndExcluding: "8.1.8",
                     versionStartIncluding: "8.1.0",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:o:paloaltonetworks:pan-os:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "AD1987BB-8F42-48F0-8FE2-70ABD689F434",
                     versionEndExcluding: "9.0.2",
                     versionStartIncluding: "9.0.0",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*",
                     matchCriteriaId: "D107EC29-67E7-40C3-8E5A-324C9105C5E4",
                     versionEndIncluding: "6.8.1",
                     versionStartIncluding: "6.0.0",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:nodejs:node.js:*:*:*:*:lts:*:*:*",
                     matchCriteriaId: "FD2FB20C-EC88-4CD3-BC6E-1E65FAFADC36",
                     versionEndExcluding: "6.17.0",
                     versionStartIncluding: "6.9.0",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*",
                     matchCriteriaId: "74FB695D-2C76-47AB-988E-5629D2E695E5",
                     versionEndIncluding: "8.8.1",
                     versionStartIncluding: "8.0.0",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:nodejs:node.js:*:*:*:*:lts:*:*:*",
                     matchCriteriaId: "A94F4836-1873-43F4-916E-9D9B302A053A",
                     versionEndExcluding: "8.15.1",
                     versionStartIncluding: "8.9.0",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
   ],
   cveTags: [],
   descriptions: [
      {
         lang: "en",
         value: "If an application encounters a fatal protocol error and then calls SSL_shutdown() twice (once to send a close_notify, and once to receive one) then OpenSSL can respond differently to the calling application if a 0 byte record is received with invalid padding compared to if a 0 byte record is received with an invalid MAC. If the application then behaves differently based on that in a way that is detectable to the remote peer, then this amounts to a padding oracle that could be used to decrypt data. In order for this to be exploitable \"non-stitched\" ciphersuites must be in use. Stitched ciphersuites are optimised implementations of certain commonly used ciphersuites. Also the application must call SSL_shutdown() twice even if a protocol error has occurred (applications should not do this but some do anyway). Fixed in OpenSSL 1.0.2r (Affected 1.0.2-1.0.2q).",
      },
      {
         lang: "es",
         value: "Si una aplicación encuentra un error de protocolo \"fatal\" y llama a SSL_shutdown() dos veces (una vez para enviar un close_notify y otra vez para recibir uno de éstos), posteriormente OpenSSL puede responder de manera diferente a la aplicación llamante si un registro de 0 bytes se recibe con un relleno inválido, comparado con si un registro de 0 bytes se recibe con un MAC inválido.",
      },
   ],
   id: "CVE-2019-1559",
   lastModified: "2024-11-21T04:36:48.960",
   metrics: {
      cvssMetricV2: [
         {
            acInsufInfo: false,
            baseSeverity: "MEDIUM",
            cvssData: {
               accessComplexity: "MEDIUM",
               accessVector: "NETWORK",
               authentication: "NONE",
               availabilityImpact: "NONE",
               baseScore: 4.3,
               confidentialityImpact: "PARTIAL",
               integrityImpact: "NONE",
               vectorString: "AV:N/AC:M/Au:N/C:P/I:N/A:N",
               version: "2.0",
            },
            exploitabilityScore: 8.6,
            impactScore: 2.9,
            obtainAllPrivilege: false,
            obtainOtherPrivilege: false,
            obtainUserPrivilege: false,
            source: "nvd@nist.gov",
            type: "Primary",
            userInteractionRequired: false,
         },
      ],
      cvssMetricV31: [
         {
            cvssData: {
               attackComplexity: "HIGH",
               attackVector: "NETWORK",
               availabilityImpact: "NONE",
               baseScore: 5.9,
               baseSeverity: "MEDIUM",
               confidentialityImpact: "HIGH",
               integrityImpact: "NONE",
               privilegesRequired: "NONE",
               scope: "UNCHANGED",
               userInteraction: "NONE",
               vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
               version: "3.1",
            },
            exploitabilityScore: 2.2,
            impactScore: 3.6,
            source: "nvd@nist.gov",
            type: "Primary",
         },
      ],
   },
   published: "2019-02-27T23:29:00.277",
   references: [
      {
         source: "openssl-security@openssl.org",
         tags: [
            "Mailing List",
            "Third Party Advisory",
         ],
         url: "http://lists.opensuse.org/opensuse-security-announce/2019-03/msg00041.html",
      },
      {
         source: "openssl-security@openssl.org",
         tags: [
            "Mailing List",
            "Third Party Advisory",
         ],
         url: "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00019.html",
      },
      {
         source: "openssl-security@openssl.org",
         tags: [
            "Mailing List",
            "Third Party Advisory",
         ],
         url: "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00046.html",
      },
      {
         source: "openssl-security@openssl.org",
         tags: [
            "Mailing List",
            "Third Party Advisory",
         ],
         url: "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00047.html",
      },
      {
         source: "openssl-security@openssl.org",
         tags: [
            "Mailing List",
            "Third Party Advisory",
         ],
         url: "http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00049.html",
      },
      {
         source: "openssl-security@openssl.org",
         tags: [
            "Mailing List",
            "Third Party Advisory",
         ],
         url: "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00080.html",
      },
      {
         source: "openssl-security@openssl.org",
         tags: [
            "Third Party Advisory",
            "VDB Entry",
         ],
         url: "http://www.securityfocus.com/bid/107174",
      },
      {
         source: "openssl-security@openssl.org",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://access.redhat.com/errata/RHSA-2019:2304",
      },
      {
         source: "openssl-security@openssl.org",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://access.redhat.com/errata/RHSA-2019:2437",
      },
      {
         source: "openssl-security@openssl.org",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://access.redhat.com/errata/RHSA-2019:2439",
      },
      {
         source: "openssl-security@openssl.org",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://access.redhat.com/errata/RHSA-2019:2471",
      },
      {
         source: "openssl-security@openssl.org",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://access.redhat.com/errata/RHSA-2019:3929",
      },
      {
         source: "openssl-security@openssl.org",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://access.redhat.com/errata/RHSA-2019:3931",
      },
      {
         source: "openssl-security@openssl.org",
         url: "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=e9bbefbf0f24c57645e7ad6a5a71ae649d18ac8e",
      },
      {
         source: "openssl-security@openssl.org",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://kc.mcafee.com/corporate/index?page=content&id=SB10282",
      },
      {
         source: "openssl-security@openssl.org",
         tags: [
            "Mailing List",
            "Third Party Advisory",
         ],
         url: "https://lists.debian.org/debian-lts-announce/2019/03/msg00003.html",
      },
      {
         source: "openssl-security@openssl.org",
         url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EWC42UXL5GHTU5G77VKBF6JYUUNGSHOM/",
      },
      {
         source: "openssl-security@openssl.org",
         url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Y3IVFGSERAZLNJCK35TEM2R4726XIH3Z/",
      },
      {
         source: "openssl-security@openssl.org",
         url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZBEV5QGDRFUZDMNECFXUSN5FMYOZDE4V/",
      },
      {
         source: "openssl-security@openssl.org",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://security.gentoo.org/glsa/201903-10",
      },
      {
         source: "openssl-security@openssl.org",
         tags: [
            "Patch",
            "Third Party Advisory",
         ],
         url: "https://security.netapp.com/advisory/ntap-20190301-0001/",
      },
      {
         source: "openssl-security@openssl.org",
         tags: [
            "Broken Link",
            "Third Party Advisory",
         ],
         url: "https://security.netapp.com/advisory/ntap-20190301-0002/",
      },
      {
         source: "openssl-security@openssl.org",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://security.netapp.com/advisory/ntap-20190423-0002/",
      },
      {
         source: "openssl-security@openssl.org",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://support.f5.com/csp/article/K18549143",
      },
      {
         source: "openssl-security@openssl.org",
         url: "https://support.f5.com/csp/article/K18549143?utm_source=f5support&amp%3Butm_medium=RSS",
      },
      {
         source: "openssl-security@openssl.org",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://usn.ubuntu.com/3899-1/",
      },
      {
         source: "openssl-security@openssl.org",
         tags: [
            "Broken Link",
         ],
         url: "https://usn.ubuntu.com/4376-2/",
      },
      {
         source: "openssl-security@openssl.org",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://www.debian.org/security/2019/dsa-4400",
      },
      {
         source: "openssl-security@openssl.org",
         tags: [
            "Vendor Advisory",
         ],
         url: "https://www.openssl.org/news/secadv/20190226.txt",
      },
      {
         source: "openssl-security@openssl.org",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://www.oracle.com/security-alerts/cpujan2020.html",
      },
      {
         source: "openssl-security@openssl.org",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://www.oracle.com/security-alerts/cpujan2021.html",
      },
      {
         source: "openssl-security@openssl.org",
         tags: [
            "Patch",
            "Third Party Advisory",
         ],
         url: "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html",
      },
      {
         source: "openssl-security@openssl.org",
         tags: [
            "Patch",
            "Third Party Advisory",
         ],
         url: "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html",
      },
      {
         source: "openssl-security@openssl.org",
         tags: [
            "Patch",
            "Third Party Advisory",
         ],
         url: "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html",
      },
      {
         source: "openssl-security@openssl.org",
         tags: [
            "Patch",
            "Third Party Advisory",
         ],
         url: "https://www.tenable.com/security/tns-2019-02",
      },
      {
         source: "openssl-security@openssl.org",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://www.tenable.com/security/tns-2019-03",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Mailing List",
            "Third Party Advisory",
         ],
         url: "http://lists.opensuse.org/opensuse-security-announce/2019-03/msg00041.html",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Mailing List",
            "Third Party Advisory",
         ],
         url: "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00019.html",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Mailing List",
            "Third Party Advisory",
         ],
         url: "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00046.html",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Mailing List",
            "Third Party Advisory",
         ],
         url: "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00047.html",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Mailing List",
            "Third Party Advisory",
         ],
         url: "http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00049.html",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Mailing List",
            "Third Party Advisory",
         ],
         url: "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00080.html",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Third Party Advisory",
            "VDB Entry",
         ],
         url: "http://www.securityfocus.com/bid/107174",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://access.redhat.com/errata/RHSA-2019:2304",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://access.redhat.com/errata/RHSA-2019:2437",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://access.redhat.com/errata/RHSA-2019:2439",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://access.redhat.com/errata/RHSA-2019:2471",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://access.redhat.com/errata/RHSA-2019:3929",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://access.redhat.com/errata/RHSA-2019:3931",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         url: "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=e9bbefbf0f24c57645e7ad6a5a71ae649d18ac8e",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://kc.mcafee.com/corporate/index?page=content&id=SB10282",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Mailing List",
            "Third Party Advisory",
         ],
         url: "https://lists.debian.org/debian-lts-announce/2019/03/msg00003.html",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EWC42UXL5GHTU5G77VKBF6JYUUNGSHOM/",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Y3IVFGSERAZLNJCK35TEM2R4726XIH3Z/",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZBEV5QGDRFUZDMNECFXUSN5FMYOZDE4V/",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://security.gentoo.org/glsa/201903-10",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Patch",
            "Third Party Advisory",
         ],
         url: "https://security.netapp.com/advisory/ntap-20190301-0001/",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Broken Link",
            "Third Party Advisory",
         ],
         url: "https://security.netapp.com/advisory/ntap-20190301-0002/",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://security.netapp.com/advisory/ntap-20190423-0002/",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://support.f5.com/csp/article/K18549143",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         url: "https://support.f5.com/csp/article/K18549143?utm_source=f5support&amp%3Butm_medium=RSS",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://usn.ubuntu.com/3899-1/",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Broken Link",
         ],
         url: "https://usn.ubuntu.com/4376-2/",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://www.debian.org/security/2019/dsa-4400",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Vendor Advisory",
         ],
         url: "https://www.openssl.org/news/secadv/20190226.txt",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://www.oracle.com/security-alerts/cpujan2020.html",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://www.oracle.com/security-alerts/cpujan2021.html",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Patch",
            "Third Party Advisory",
         ],
         url: "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Patch",
            "Third Party Advisory",
         ],
         url: "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Patch",
            "Third Party Advisory",
         ],
         url: "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Patch",
            "Third Party Advisory",
         ],
         url: "https://www.tenable.com/security/tns-2019-02",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://www.tenable.com/security/tns-2019-03",
      },
   ],
   sourceIdentifier: "openssl-security@openssl.org",
   vulnStatus: "Modified",
   weaknesses: [
      {
         description: [
            {
               lang: "en",
               value: "CWE-203",
            },
         ],
         source: "nvd@nist.gov",
         type: "Primary",
      },
   ],
}

Vulnerability from fkie_nvd
Published
2021-05-18 12:15
Modified
2024-11-21 06:21
Summary
There's a flaw in libxml2 in versions before 2.9.11. An attacker who is able to submit a crafted file to be processed by an application linked with libxml2 could trigger a use-after-free. The greatest impact from this flaw is to confidentiality, integrity, and availability.
References
secalert@redhat.com | http://seclists.org/fulldisclosure/2021/Jul/54 | Mailing List, Third Party Advisory
secalert@redhat.com | http://seclists.org/fulldisclosure/2021/Jul/55 | Mailing List, Third Party Advisory
secalert@redhat.com | http://seclists.org/fulldisclosure/2021/Jul/58 | Mailing List, Third Party Advisory
secalert@redhat.com | http://seclists.org/fulldisclosure/2021/Jul/59 | Mailing List, Third Party Advisory
secalert@redhat.com | https://bugzilla.redhat.com/show_bug.cgi?id=1954242 | Issue Tracking, Patch, Third Party Advisory
secalert@redhat.com | https://lists.apache.org/thread.html/r58af02e294bd07f487e2c64ffc0a29b837db5600e33b6e698b9d696b%40%3Cissues.bookkeeper.apache.org%3E
secalert@redhat.com | https://lists.apache.org/thread.html/rf4c02775860db415b4955778a131c2795223f61cb8c6a450893651e4%40%3Cissues.bookkeeper.apache.org%3E
secalert@redhat.com | https://lists.debian.org/debian-lts-announce/2021/05/msg00008.html | Mailing List, Third Party Advisory
secalert@redhat.com | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BZOMV5J4PMZAORVT64BKLV6YIZAFDGX6/
secalert@redhat.com | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QVM4UJ3376I6ZVOYMHBNX4GY3NIV52WV/
secalert@redhat.com | https://security.gentoo.org/glsa/202107-05 | Third Party Advisory
secalert@redhat.com | https://security.netapp.com/advisory/ntap-20210625-0002/ | Third Party Advisory
secalert@redhat.com | https://support.apple.com/kb/HT212601 | Third Party Advisory
secalert@redhat.com | https://support.apple.com/kb/HT212602 | Third Party Advisory
secalert@redhat.com | https://support.apple.com/kb/HT212604 | Third Party Advisory
secalert@redhat.com | https://support.apple.com/kb/HT212605 | Third Party Advisory
secalert@redhat.com | https://www.oracle.com/security-alerts/cpuapr2022.html | Patch, Third Party Advisory
secalert@redhat.com | https://www.oracle.com/security-alerts/cpujul2022.html | Not Applicable
secalert@redhat.com | https://www.oracle.com/security-alerts/cpuoct2021.html | Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 | http://seclists.org/fulldisclosure/2021/Jul/54 | Mailing List, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 | http://seclists.org/fulldisclosure/2021/Jul/55 | Mailing List, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 | http://seclists.org/fulldisclosure/2021/Jul/58 | Mailing List, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 | http://seclists.org/fulldisclosure/2021/Jul/59 | Mailing List, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 | https://bugzilla.redhat.com/show_bug.cgi?id=1954242 | Issue Tracking, Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 | https://lists.apache.org/thread.html/r58af02e294bd07f487e2c64ffc0a29b837db5600e33b6e698b9d696b%40%3Cissues.bookkeeper.apache.org%3E
af854a3a-2127-422b-91ae-364da2661108 | https://lists.apache.org/thread.html/rf4c02775860db415b4955778a131c2795223f61cb8c6a450893651e4%40%3Cissues.bookkeeper.apache.org%3E
af854a3a-2127-422b-91ae-364da2661108 | https://lists.debian.org/debian-lts-announce/2021/05/msg00008.html | Mailing List, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BZOMV5J4PMZAORVT64BKLV6YIZAFDGX6/
af854a3a-2127-422b-91ae-364da2661108 | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QVM4UJ3376I6ZVOYMHBNX4GY3NIV52WV/
af854a3a-2127-422b-91ae-364da2661108 | https://security.gentoo.org/glsa/202107-05 | Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 | https://security.netapp.com/advisory/ntap-20210625-0002/ | Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 | https://support.apple.com/kb/HT212601 | Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 | https://support.apple.com/kb/HT212602 | Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 | https://support.apple.com/kb/HT212604 | Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 | https://support.apple.com/kb/HT212605 | Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 | https://www.oracle.com/security-alerts/cpuapr2022.html | Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 | https://www.oracle.com/security-alerts/cpujul2022.html | Not Applicable
af854a3a-2127-422b-91ae-364da2661108 | https://www.oracle.com/security-alerts/cpuoct2021.html | Patch, Third Party Advisory



{
   configurations: [
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:a:xmlsoft:libxml2:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "208AF535-5D38-45B4-B227-2892611C5A20",
                     versionEndExcluding: "2.9.11",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*",
                     matchCriteriaId: "DEECE5FC-CACF-4496-A3E7-164736409252",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:a:redhat:jboss_core_services:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "9B453CF7-9AA6-4B94-A003-BF7AE0B82F53",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*",
                     matchCriteriaId: "F4CFF558-3C47-480D-A2F0-BABF26042943",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*",
                     matchCriteriaId: "E460AA51-FCDA-46B9-AE97-E6676AA5E194",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*",
                     matchCriteriaId: "A930E247-0B43-43CB-98FF-6CE7B8189835",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:vmware_vsphere:*:*",
                     matchCriteriaId: "3A756737-1CC4-42C2-A4DF-E1C893B4E2D5",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:netapp:clustered_data_ontap:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "1FE996B1-6951-4F85-AA58-B99A379D2163",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:netapp:clustered_data_ontap_antivirus_connector:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "62347994-1353-497C-9C4A-D5D8D95F67E8",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:netapp:manageability_software_development_kit:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "D39DCAE7-494F-40B2-867F-6C6A077939DD",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:netapp:ontap_select_deploy_administration_utility:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "E7CF3019-975D-40BB-A8A4-894E62BD3797",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:netapp:snapdrive:-:*:*:*:*:windows:*:*",
                     matchCriteriaId: "BEDE62C6-D571-4AF8-B85E-CBBCE4AF98B5",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:o:netapp:hci_h410c_firmware:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "08C564D8-E21F-403C-B4BB-7B14B7FB5DAE",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:h:netapp:hci_h410c:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "8532F5F0-00A1-4FA9-A80B-09E46D03F74F",
                     vulnerable: false,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
         operator: "AND",
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:a:oracle:communications_cloud_native_core_network_function_cloud_native_environment:1.10.0:*:*:*:*:*:*:*",
                     matchCriteriaId: "C2A5B24D-BDF2-423C-98EA-A40778C01A05",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:enterprise_manager_base_platform:13.4.0.0:*:*:*:*:*:*:*",
                     matchCriteriaId: "D26F3E23-F1A9-45E7-9E5F-0C0A24EE3783",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:enterprise_manager_base_platform:13.5.0.0:*:*:*:*:*:*:*",
                     matchCriteriaId: "6E8758C8-87D3-450A-878B-86CE8C9FC140",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:enterprise_manager_ops_center:12.4.0.0:*:*:*:*:*:*:*",
                     matchCriteriaId: "B095CC03-7077-4A58-AB25-CC5380CDCE5A",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:mysql_workbench:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "EED6C8C2-F986-4CFD-A343-AD2340F850F2",
                     versionEndIncluding: "8.0.26",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.58:*:*:*:*:*:*:*",
                     matchCriteriaId: "D9DB4A14-2EF5-4B54-95D2-75E6CF9AA0A9",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:real_user_experience_insight:13.4.1.0:*:*:*:*:*:*:*",
                     matchCriteriaId: "CADD7026-EF85-40A5-8563-7A34C6941B1F",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:real_user_experience_insight:13.5.1.0:*:*:*:*:*:*:*",
                     matchCriteriaId: "58F019E8-F68D-41B5-9480-0A81616F2E7C",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
   ],
   cveTags: [],
   descriptions: [
      {
         lang: "en",
         value: "There's a flaw in libxml2 in versions before 2.9.11. An attacker who is able to submit a crafted file to be processed by an application linked with libxml2 could trigger a use-after-free. The greatest impact from this flaw is to confidentiality, integrity, and availability.",
      },
      {
         lang: "es",
         value: "Se presenta un fallo en libxml2 en versiones anteriores a 2.9.11. Un atacante que pueda enviar un archivo diseñado para que sea procesado por una aplicación vinculada con libxml2 podría desencadenar un uso de la memoria previamente liberada. El mayor impacto de este fallo es a la confidencialidad, integridad y disponibilidad",
      },
   ],
   id: "CVE-2021-3518",
   lastModified: "2024-11-21T06:21:44.453",
   metrics: {
      cvssMetricV2: [
         {
            acInsufInfo: false,
            baseSeverity: "MEDIUM",
            cvssData: {
               accessComplexity: "MEDIUM",
               accessVector: "NETWORK",
               authentication: "NONE",
               availabilityImpact: "PARTIAL",
               baseScore: 6.8,
               confidentialityImpact: "PARTIAL",
               integrityImpact: "PARTIAL",
               vectorString: "AV:N/AC:M/Au:N/C:P/I:P/A:P",
               version: "2.0",
            },
            exploitabilityScore: 8.6,
            impactScore: 6.4,
            obtainAllPrivilege: false,
            obtainOtherPrivilege: false,
            obtainUserPrivilege: false,
            source: "nvd@nist.gov",
            type: "Primary",
            userInteractionRequired: true,
         },
      ],
      cvssMetricV31: [
         {
            cvssData: {
               attackComplexity: "LOW",
               attackVector: "NETWORK",
               availabilityImpact: "HIGH",
               baseScore: 8.8,
               baseSeverity: "HIGH",
               confidentialityImpact: "HIGH",
               integrityImpact: "HIGH",
               privilegesRequired: "NONE",
               scope: "UNCHANGED",
               userInteraction: "REQUIRED",
               vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
               version: "3.1",
            },
            exploitabilityScore: 2.8,
            impactScore: 5.9,
            source: "nvd@nist.gov",
            type: "Primary",
         },
      ],
   },
   published: "2021-05-18T12:15:08.043",
   references: [
      {
         source: "secalert@redhat.com",
         tags: [
            "Mailing List",
            "Third Party Advisory",
         ],
         url: "http://seclists.org/fulldisclosure/2021/Jul/54",
      },
      {
         source: "secalert@redhat.com",
         tags: [
            "Mailing List",
            "Third Party Advisory",
         ],
         url: "http://seclists.org/fulldisclosure/2021/Jul/55",
      },
      {
         source: "secalert@redhat.com",
         tags: [
            "Mailing List",
            "Third Party Advisory",
         ],
         url: "http://seclists.org/fulldisclosure/2021/Jul/58",
      },
      {
         source: "secalert@redhat.com",
         tags: [
            "Mailing List",
            "Third Party Advisory",
         ],
         url: "http://seclists.org/fulldisclosure/2021/Jul/59",
      },
      {
         source: "secalert@redhat.com",
         tags: [
            "Issue Tracking",
            "Patch",
            "Third Party Advisory",
         ],
         url: "https://bugzilla.redhat.com/show_bug.cgi?id=1954242",
      },
      {
         source: "secalert@redhat.com",
         url: "https://lists.apache.org/thread.html/r58af02e294bd07f487e2c64ffc0a29b837db5600e33b6e698b9d696b%40%3Cissues.bookkeeper.apache.org%3E",
      },
      {
         source: "secalert@redhat.com",
         url: "https://lists.apache.org/thread.html/rf4c02775860db415b4955778a131c2795223f61cb8c6a450893651e4%40%3Cissues.bookkeeper.apache.org%3E",
      },
      {
         source: "secalert@redhat.com",
         tags: [
            "Mailing List",
            "Third Party Advisory",
         ],
         url: "https://lists.debian.org/debian-lts-announce/2021/05/msg00008.html",
      },
      {
         source: "secalert@redhat.com",
         url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BZOMV5J4PMZAORVT64BKLV6YIZAFDGX6/",
      },
      {
         source: "secalert@redhat.com",
         url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QVM4UJ3376I6ZVOYMHBNX4GY3NIV52WV/",
      },
      {
         source: "secalert@redhat.com",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://security.gentoo.org/glsa/202107-05",
      },
      {
         source: "secalert@redhat.com",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://security.netapp.com/advisory/ntap-20210625-0002/",
      },
      {
         source: "secalert@redhat.com",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://support.apple.com/kb/HT212601",
      },
      {
         source: "secalert@redhat.com",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://support.apple.com/kb/HT212602",
      },
      {
         source: "secalert@redhat.com",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://support.apple.com/kb/HT212604",
      },
      {
         source: "secalert@redhat.com",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://support.apple.com/kb/HT212605",
      },
      {
         source: "secalert@redhat.com",
         tags: [
            "Patch",
            "Third Party Advisory",
         ],
         url: "https://www.oracle.com/security-alerts/cpuapr2022.html",
      },
      {
         source: "secalert@redhat.com",
         tags: [
            "Not Applicable",
         ],
         url: "https://www.oracle.com/security-alerts/cpujul2022.html",
      },
      {
         source: "secalert@redhat.com",
         tags: [
            "Patch",
            "Third Party Advisory",
         ],
         url: "https://www.oracle.com/security-alerts/cpuoct2021.html",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Mailing List",
            "Third Party Advisory",
         ],
         url: "http://seclists.org/fulldisclosure/2021/Jul/54",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Mailing List",
            "Third Party Advisory",
         ],
         url: "http://seclists.org/fulldisclosure/2021/Jul/55",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Mailing List",
            "Third Party Advisory",
         ],
         url: "http://seclists.org/fulldisclosure/2021/Jul/58",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Mailing List",
            "Third Party Advisory",
         ],
         url: "http://seclists.org/fulldisclosure/2021/Jul/59",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Issue Tracking",
            "Patch",
            "Third Party Advisory",
         ],
         url: "https://bugzilla.redhat.com/show_bug.cgi?id=1954242",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         url: "https://lists.apache.org/thread.html/r58af02e294bd07f487e2c64ffc0a29b837db5600e33b6e698b9d696b%40%3Cissues.bookkeeper.apache.org%3E",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         url: "https://lists.apache.org/thread.html/rf4c02775860db415b4955778a131c2795223f61cb8c6a450893651e4%40%3Cissues.bookkeeper.apache.org%3E",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Mailing List",
            "Third Party Advisory",
         ],
         url: "https://lists.debian.org/debian-lts-announce/2021/05/msg00008.html",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BZOMV5J4PMZAORVT64BKLV6YIZAFDGX6/",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QVM4UJ3376I6ZVOYMHBNX4GY3NIV52WV/",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://security.gentoo.org/glsa/202107-05",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://security.netapp.com/advisory/ntap-20210625-0002/",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://support.apple.com/kb/HT212601",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://support.apple.com/kb/HT212602",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://support.apple.com/kb/HT212604",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://support.apple.com/kb/HT212605",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Patch",
            "Third Party Advisory",
         ],
         url: "https://www.oracle.com/security-alerts/cpuapr2022.html",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Not Applicable",
         ],
         url: "https://www.oracle.com/security-alerts/cpujul2022.html",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Patch",
            "Third Party Advisory",
         ],
         url: "https://www.oracle.com/security-alerts/cpuoct2021.html",
      },
   ],
   sourceIdentifier: "secalert@redhat.com",
   vulnStatus: "Modified",
   weaknesses: [
      {
         description: [
            {
               lang: "en",
               value: "CWE-416",
            },
         ],
         source: "secalert@redhat.com",
         type: "Secondary",
      },
      {
         description: [
            {
               lang: "en",
               value: "CWE-416",
            },
         ],
         source: "nvd@nist.gov",
         type: "Primary",
      },
   ],
}

Vulnerability from fkie_nvd
Published
2021-05-14 20:15
Modified
2024-11-21 06:21
Summary
libxml2 versions before 2.9.11 did not propagate errors while parsing XML mixed content, which caused a NULL pointer dereference. If an untrusted XML document was parsed in recovery mode and then post-validated, the flaw could be used to crash the application. The highest threat from this vulnerability is to system availability.
References
- secalert@redhat.com — https://bugzilla.redhat.com/show_bug.cgi?id=1956522 — Issue Tracking, Patch, Third Party Advisory
- secalert@redhat.com — https://lists.debian.org/debian-lts-announce/2021/05/msg00008.html — Mailing List, Third Party Advisory
- secalert@redhat.com — https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BZOMV5J4PMZAORVT64BKLV6YIZAFDGX6/
- secalert@redhat.com — https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QVM4UJ3376I6ZVOYMHBNX4GY3NIV52WV/
- secalert@redhat.com — https://security.gentoo.org/glsa/202107-05 — Third Party Advisory
- secalert@redhat.com — https://security.netapp.com/advisory/ntap-20210625-0002/ — Third Party Advisory
- secalert@redhat.com — https://www.oracle.com/security-alerts/cpuapr2022.html — Patch, Third Party Advisory
- secalert@redhat.com — https://www.oracle.com/security-alerts/cpujul2022.html — Not Applicable
- secalert@redhat.com — https://www.oracle.com/security-alerts/cpuoct2021.html — Patch, Third Party Advisory
- af854a3a-2127-422b-91ae-364da2661108 — https://bugzilla.redhat.com/show_bug.cgi?id=1956522 — Issue Tracking, Patch, Third Party Advisory
- af854a3a-2127-422b-91ae-364da2661108 — https://lists.debian.org/debian-lts-announce/2021/05/msg00008.html — Mailing List, Third Party Advisory
- af854a3a-2127-422b-91ae-364da2661108 — https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BZOMV5J4PMZAORVT64BKLV6YIZAFDGX6/
- af854a3a-2127-422b-91ae-364da2661108 — https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QVM4UJ3376I6ZVOYMHBNX4GY3NIV52WV/
- af854a3a-2127-422b-91ae-364da2661108 — https://security.gentoo.org/glsa/202107-05 — Third Party Advisory
- af854a3a-2127-422b-91ae-364da2661108 — https://security.netapp.com/advisory/ntap-20210625-0002/ — Third Party Advisory
- af854a3a-2127-422b-91ae-364da2661108 — https://www.oracle.com/security-alerts/cpuapr2022.html — Patch, Third Party Advisory
- af854a3a-2127-422b-91ae-364da2661108 — https://www.oracle.com/security-alerts/cpujul2022.html — Not Applicable
- af854a3a-2127-422b-91ae-364da2661108 — https://www.oracle.com/security-alerts/cpuoct2021.html — Patch, Third Party Advisory



{
   configurations: [
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:a:xmlsoft:libxml2:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "208AF535-5D38-45B4-B227-2892611C5A20",
                     versionEndExcluding: "2.9.11",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:a:redhat:jboss_core_services:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "9B453CF7-9AA6-4B94-A003-BF7AE0B82F53",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:o:redhat:enterprise_linux:6.0:*:*:*:*:*:*:*",
                     matchCriteriaId: "2F6AB192-9D7D-4A9A-8995-E53A9DE9EAFC",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*",
                     matchCriteriaId: "142AD0DD-4CF3-4D74-9442-459CE3347E3A",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*",
                     matchCriteriaId: "F4CFF558-3C47-480D-A2F0-BABF26042943",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*",
                     matchCriteriaId: "DEECE5FC-CACF-4496-A3E7-164736409252",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*",
                     matchCriteriaId: "E460AA51-FCDA-46B9-AE97-E6676AA5E194",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*",
                     matchCriteriaId: "A930E247-0B43-43CB-98FF-6CE7B8189835",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:vmware_vsphere:*:*",
                     matchCriteriaId: "3A756737-1CC4-42C2-A4DF-E1C893B4E2D5",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:netapp:clustered_data_ontap:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "1FE996B1-6951-4F85-AA58-B99A379D2163",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:netapp:clustered_data_ontap_antivirus_connector:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "62347994-1353-497C-9C4A-D5D8D95F67E8",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:netapp:manageability_software_development_kit:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "D39DCAE7-494F-40B2-867F-6C6A077939DD",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:netapp:ontap_select_deploy_administration_utility:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "E7CF3019-975D-40BB-A8A4-894E62BD3797",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:netapp:snapdrive:-:*:*:*:*:windows:*:*",
                     matchCriteriaId: "BEDE62C6-D571-4AF8-B85E-CBBCE4AF98B5",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:o:netapp:hci_h410c_firmware:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "08C564D8-E21F-403C-B4BB-7B14B7FB5DAE",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:h:netapp:hci_h410c:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "8532F5F0-00A1-4FA9-A80B-09E46D03F74F",
                     vulnerable: false,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
         operator: "AND",
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:a:oracle:communications_cloud_native_core_network_function_cloud_native_environment:1.10.0:*:*:*:*:*:*:*",
                     matchCriteriaId: "C2A5B24D-BDF2-423C-98EA-A40778C01A05",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:enterprise_manager_base_platform:13.4.0.0:*:*:*:*:*:*:*",
                     matchCriteriaId: "D26F3E23-F1A9-45E7-9E5F-0C0A24EE3783",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:enterprise_manager_base_platform:13.5.0.0:*:*:*:*:*:*:*",
                     matchCriteriaId: "6E8758C8-87D3-450A-878B-86CE8C9FC140",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:enterprise_manager_ops_center:12.4.0.0:*:*:*:*:*:*:*",
                     matchCriteriaId: "B095CC03-7077-4A58-AB25-CC5380CDCE5A",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:mysql_workbench:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "EED6C8C2-F986-4CFD-A343-AD2340F850F2",
                     versionEndIncluding: "8.0.26",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:openjdk:8:update301:*:*:*:*:*:*",
                     matchCriteriaId: "56F2883B-6A1B-4081-8877-07AF3A73F6CD",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.58:*:*:*:*:*:*:*",
                     matchCriteriaId: "D9DB4A14-2EF5-4B54-95D2-75E6CF9AA0A9",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:real_user_experience_insight:13.4.1.0:*:*:*:*:*:*:*",
                     matchCriteriaId: "CADD7026-EF85-40A5-8563-7A34C6941B1F",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:real_user_experience_insight:13.5.1.0:*:*:*:*:*:*:*",
                     matchCriteriaId: "58F019E8-F68D-41B5-9480-0A81616F2E7C",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
   ],
   cveTags: [],
   descriptions: [
      {
         lang: "en",
         value: "A vulnerability found in libxml2 in versions before 2.9.11 shows that it did not propagate errors while parsing XML mixed content, causing a NULL dereference. If an untrusted XML document was parsed in recovery mode and post-validated, the flaw could be used to crash the application. The highest threat from this vulnerability is to system availability.",
      },
      {
         lang: "es",
         value: "Una vulnerabilidad encontrada en libxml2 en versiones anteriores a 2.9.11 muestra que no propagó errores al analizar el contenido mixto XML, causando una desreferencia de NULL. Si un documento XML que no es confiable fue analizado en modo de recuperación y pos-comprobado, el fallo podría usarse para bloquear la aplicación. La mayor amenaza de esta vulnerabilidad es la disponibilidad del sistema",
      },
   ],
   id: "CVE-2021-3537",
   lastModified: "2024-11-21T06:21:47.317",
   metrics: {
      cvssMetricV2: [
         {
            acInsufInfo: false,
            baseSeverity: "MEDIUM",
            cvssData: {
               accessComplexity: "MEDIUM",
               accessVector: "NETWORK",
               authentication: "NONE",
               availabilityImpact: "PARTIAL",
               baseScore: 4.3,
               confidentialityImpact: "NONE",
               integrityImpact: "NONE",
               vectorString: "AV:N/AC:M/Au:N/C:N/I:N/A:P",
               version: "2.0",
            },
            exploitabilityScore: 8.6,
            impactScore: 2.9,
            obtainAllPrivilege: false,
            obtainOtherPrivilege: false,
            obtainUserPrivilege: false,
            source: "nvd@nist.gov",
            type: "Primary",
            userInteractionRequired: false,
         },
      ],
      cvssMetricV31: [
         {
            cvssData: {
               attackComplexity: "HIGH",
               attackVector: "NETWORK",
               availabilityImpact: "HIGH",
               baseScore: 5.9,
               baseSeverity: "MEDIUM",
               confidentialityImpact: "NONE",
               integrityImpact: "NONE",
               privilegesRequired: "NONE",
               scope: "UNCHANGED",
               userInteraction: "NONE",
               vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
               version: "3.1",
            },
            exploitabilityScore: 2.2,
            impactScore: 3.6,
            source: "nvd@nist.gov",
            type: "Primary",
         },
      ],
   },
   published: "2021-05-14T20:15:16.553",
   references: [
      {
         source: "secalert@redhat.com",
         tags: [
            "Issue Tracking",
            "Patch",
            "Third Party Advisory",
         ],
         url: "https://bugzilla.redhat.com/show_bug.cgi?id=1956522",
      },
      {
         source: "secalert@redhat.com",
         tags: [
            "Mailing List",
            "Third Party Advisory",
         ],
         url: "https://lists.debian.org/debian-lts-announce/2021/05/msg00008.html",
      },
      {
         source: "secalert@redhat.com",
         url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BZOMV5J4PMZAORVT64BKLV6YIZAFDGX6/",
      },
      {
         source: "secalert@redhat.com",
         url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QVM4UJ3376I6ZVOYMHBNX4GY3NIV52WV/",
      },
      {
         source: "secalert@redhat.com",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://security.gentoo.org/glsa/202107-05",
      },
      {
         source: "secalert@redhat.com",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://security.netapp.com/advisory/ntap-20210625-0002/",
      },
      {
         source: "secalert@redhat.com",
         tags: [
            "Patch",
            "Third Party Advisory",
         ],
         url: "https://www.oracle.com/security-alerts/cpuapr2022.html",
      },
      {
         source: "secalert@redhat.com",
         tags: [
            "Not Applicable",
         ],
         url: "https://www.oracle.com/security-alerts/cpujul2022.html",
      },
      {
         source: "secalert@redhat.com",
         tags: [
            "Patch",
            "Third Party Advisory",
         ],
         url: "https://www.oracle.com/security-alerts/cpuoct2021.html",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Issue Tracking",
            "Patch",
            "Third Party Advisory",
         ],
         url: "https://bugzilla.redhat.com/show_bug.cgi?id=1956522",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Mailing List",
            "Third Party Advisory",
         ],
         url: "https://lists.debian.org/debian-lts-announce/2021/05/msg00008.html",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BZOMV5J4PMZAORVT64BKLV6YIZAFDGX6/",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QVM4UJ3376I6ZVOYMHBNX4GY3NIV52WV/",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://security.gentoo.org/glsa/202107-05",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://security.netapp.com/advisory/ntap-20210625-0002/",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Patch",
            "Third Party Advisory",
         ],
         url: "https://www.oracle.com/security-alerts/cpuapr2022.html",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Not Applicable",
         ],
         url: "https://www.oracle.com/security-alerts/cpujul2022.html",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Patch",
            "Third Party Advisory",
         ],
         url: "https://www.oracle.com/security-alerts/cpuoct2021.html",
      },
   ],
   sourceIdentifier: "secalert@redhat.com",
   vulnStatus: "Modified",
   weaknesses: [
      {
         description: [
            {
               lang: "en",
               value: "CWE-476",
            },
         ],
         source: "secalert@redhat.com",
         type: "Secondary",
      },
      {
         description: [
            {
               lang: "en",
               value: "CWE-476",
            },
         ],
         source: "nvd@nist.gov",
         type: "Primary",
      },
   ],
}

Vulnerability from fkie_nvd
Published
2018-12-05 22:29
Modified
2024-11-21 03:55
Severity ?
Summary
Perl before 5.26.3 and 5.28.0 before 5.28.1 has a buffer overflow via a crafted regular expression that triggers invalid write operations.
References
cve@mitre.org | http://www.securityfocus.com/bid/106179 | Third Party Advisory, VDB Entry
cve@mitre.org | http://www.securitytracker.com/id/1042181 | Third Party Advisory, VDB Entry
cve@mitre.org | https://access.redhat.com/errata/RHSA-2019:0001 | Third Party Advisory
cve@mitre.org | https://access.redhat.com/errata/RHSA-2019:0010 | Third Party Advisory
cve@mitre.org | https://bugzilla.redhat.com/show_bug.cgi?id=1646734 | Issue Tracking, Third Party Advisory
cve@mitre.org | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RWQGEB543QN7SSBRKYJM6PSOC3RLYGSM/
cve@mitre.org | https://metacpan.org/changes/release/SHAY/perl-5.26.3 | Third Party Advisory
cve@mitre.org | https://metacpan.org/changes/release/SHAY/perl-5.28.1 | Third Party Advisory
cve@mitre.org | https://rt.perl.org/Public/Bug/Display.html?id=133423 | Exploit, Patch, Third Party Advisory
cve@mitre.org | https://security.gentoo.org/glsa/201909-01
cve@mitre.org | https://security.netapp.com/advisory/ntap-20190221-0003/ | Third Party Advisory
cve@mitre.org | https://usn.ubuntu.com/3834-1/ | Third Party Advisory
cve@mitre.org | https://www.debian.org/security/2018/dsa-4347 | Third Party Advisory
cve@mitre.org | https://www.oracle.com/security-alerts/cpujul2020.html
af854a3a-2127-422b-91ae-364da2661108 | http://www.securityfocus.com/bid/106179 | Third Party Advisory, VDB Entry
af854a3a-2127-422b-91ae-364da2661108 | http://www.securitytracker.com/id/1042181 | Third Party Advisory, VDB Entry
af854a3a-2127-422b-91ae-364da2661108 | https://access.redhat.com/errata/RHSA-2019:0001 | Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 | https://access.redhat.com/errata/RHSA-2019:0010 | Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 | https://bugzilla.redhat.com/show_bug.cgi?id=1646734 | Issue Tracking, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RWQGEB543QN7SSBRKYJM6PSOC3RLYGSM/
af854a3a-2127-422b-91ae-364da2661108 | https://metacpan.org/changes/release/SHAY/perl-5.26.3 | Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 | https://metacpan.org/changes/release/SHAY/perl-5.28.1 | Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 | https://rt.perl.org/Public/Bug/Display.html?id=133423 | Exploit, Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 | https://security.gentoo.org/glsa/201909-01
af854a3a-2127-422b-91ae-364da2661108 | https://security.netapp.com/advisory/ntap-20190221-0003/ | Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 | https://usn.ubuntu.com/3834-1/ | Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 | https://www.debian.org/security/2018/dsa-4347 | Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 | https://www.oracle.com/security-alerts/cpujul2020.html



{
   configurations: [
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:a:perl:perl:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "C0FEAD21-C9A0-40F3-8F2E-489750B07760",
                     versionEndExcluding: "5.26.3",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:perl:perl:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "054E1C6A-1EC3-4877-839C-1C28FCEC501A",
                     versionEndExcluding: "5.28.1",
                     versionStartIncluding: "5.28.0",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*",
                     matchCriteriaId: "B5A6F2F3-4894-4392-8296-3B8DD2679084",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*",
                     matchCriteriaId: "F7016A2A-8365-4F1A-89A2-7A19F2BCAE5B",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*",
                     matchCriteriaId: "23A7C53F-B80F-4E6A-AFA9-58EEA84BE11D",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:o:canonical:ubuntu_linux:18.10:*:*:*:*:*:*:*",
                     matchCriteriaId: "07C312A0-CD2C-4B9C-B064-6409B25C278F",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*",
                     matchCriteriaId: "DEECE5FC-CACF-4496-A3E7-164736409252",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:o:redhat:enterprise_linux:6.0:*:*:*:*:*:*:*",
                     matchCriteriaId: "2F6AB192-9D7D-4A9A-8995-E53A9DE9EAFC",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*",
                     matchCriteriaId: "142AD0DD-4CF3-4D74-9442-459CE3347E3A",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:o:redhat:enterprise_linux:7.4:*:*:*:*:*:*:*",
                     matchCriteriaId: "041F9200-4C01-4187-AE34-240E8277B54D",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:o:redhat:enterprise_linux:7.5:*:*:*:*:*:*:*",
                     matchCriteriaId: "4EB48767-F095-444F-9E05-D9AC345AB803",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:o:redhat:enterprise_linux:7.6:*:*:*:*:*:*:*",
                     matchCriteriaId: "5F6FA12B-504C-4DBF-A32E-0548557AA2ED",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:a:netapp:e-series_santricity_os_controller:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "9C82200F-A26E-4AD4-82FF-DC5601A28D52",
                     versionEndIncluding: "11.40",
                     versionStartIncluding: "11.0",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:netapp:snap_creator_framework:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "9F4754FB-E3EB-454A-AB1A-AE3835C5350C",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:netapp:snapcenter:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "BDFB1169-41A0-4A86-8E4F-FDA9730B1E94",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:netapp:snapdrive:-:*:*:*:*:unix:*:*",
                     matchCriteriaId: "61D7EF01-F618-497F-9375-8003CEA3D380",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
   ],
   cveTags: [],
   descriptions: [
      {
         lang: "en",
         value: "Perl before 5.26.3 and 5.28.0 before 5.28.1 has a buffer overflow via a crafted regular expression that triggers invalid write operations.",
      },
      {
         lang: "es",
         value: "Perl, en versiones anteriores a la 5.26.3 y versiones 5.28.0 anteriores a la 5.28.1, tiene un desbordamiento de búfer mediante una expresión regular manipulada que desencadena operaciones inválidas de escritura.",
      },
   ],
   id: "CVE-2018-18312",
   lastModified: "2024-11-21T03:55:40.990",
   metrics: {
      cvssMetricV2: [
         {
            acInsufInfo: false,
            baseSeverity: "HIGH",
            cvssData: {
               accessComplexity: "LOW",
               accessVector: "NETWORK",
               authentication: "NONE",
               availabilityImpact: "PARTIAL",
               baseScore: 7.5,
               confidentialityImpact: "PARTIAL",
               integrityImpact: "PARTIAL",
               vectorString: "AV:N/AC:L/Au:N/C:P/I:P/A:P",
               version: "2.0",
            },
            exploitabilityScore: 10,
            impactScore: 6.4,
            obtainAllPrivilege: false,
            obtainOtherPrivilege: false,
            obtainUserPrivilege: false,
            source: "nvd@nist.gov",
            type: "Primary",
            userInteractionRequired: false,
         },
      ],
      cvssMetricV30: [
         {
            cvssData: {
               attackComplexity: "LOW",
               attackVector: "NETWORK",
               availabilityImpact: "HIGH",
               baseScore: 9.8,
               baseSeverity: "CRITICAL",
               confidentialityImpact: "HIGH",
               integrityImpact: "HIGH",
               privilegesRequired: "NONE",
               scope: "UNCHANGED",
               userInteraction: "NONE",
               vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
               version: "3.0",
            },
            exploitabilityScore: 3.9,
            impactScore: 5.9,
            source: "nvd@nist.gov",
            type: "Primary",
         },
      ],
   },
   published: "2018-12-05T22:29:00.303",
   references: [
      {
         source: "cve@mitre.org",
         tags: [
            "Third Party Advisory",
            "VDB Entry",
         ],
         url: "http://www.securityfocus.com/bid/106179",
      },
      {
         source: "cve@mitre.org",
         tags: [
            "Third Party Advisory",
            "VDB Entry",
         ],
         url: "http://www.securitytracker.com/id/1042181",
      },
      {
         source: "cve@mitre.org",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://access.redhat.com/errata/RHSA-2019:0001",
      },
      {
         source: "cve@mitre.org",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://access.redhat.com/errata/RHSA-2019:0010",
      },
      {
         source: "cve@mitre.org",
         tags: [
            "Issue Tracking",
            "Third Party Advisory",
         ],
         url: "https://bugzilla.redhat.com/show_bug.cgi?id=1646734",
      },
      {
         source: "cve@mitre.org",
         url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RWQGEB543QN7SSBRKYJM6PSOC3RLYGSM/",
      },
      {
         source: "cve@mitre.org",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://metacpan.org/changes/release/SHAY/perl-5.26.3",
      },
      {
         source: "cve@mitre.org",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://metacpan.org/changes/release/SHAY/perl-5.28.1",
      },
      {
         source: "cve@mitre.org",
         tags: [
            "Exploit",
            "Patch",
            "Third Party Advisory",
         ],
         url: "https://rt.perl.org/Public/Bug/Display.html?id=133423",
      },
      {
         source: "cve@mitre.org",
         url: "https://security.gentoo.org/glsa/201909-01",
      },
      {
         source: "cve@mitre.org",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://security.netapp.com/advisory/ntap-20190221-0003/",
      },
      {
         source: "cve@mitre.org",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://usn.ubuntu.com/3834-1/",
      },
      {
         source: "cve@mitre.org",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://www.debian.org/security/2018/dsa-4347",
      },
      {
         source: "cve@mitre.org",
         url: "https://www.oracle.com/security-alerts/cpujul2020.html",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Third Party Advisory",
            "VDB Entry",
         ],
         url: "http://www.securityfocus.com/bid/106179",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Third Party Advisory",
            "VDB Entry",
         ],
         url: "http://www.securitytracker.com/id/1042181",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://access.redhat.com/errata/RHSA-2019:0001",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://access.redhat.com/errata/RHSA-2019:0010",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Issue Tracking",
            "Third Party Advisory",
         ],
         url: "https://bugzilla.redhat.com/show_bug.cgi?id=1646734",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RWQGEB543QN7SSBRKYJM6PSOC3RLYGSM/",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://metacpan.org/changes/release/SHAY/perl-5.26.3",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://metacpan.org/changes/release/SHAY/perl-5.28.1",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Exploit",
            "Patch",
            "Third Party Advisory",
         ],
         url: "https://rt.perl.org/Public/Bug/Display.html?id=133423",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         url: "https://security.gentoo.org/glsa/201909-01",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://security.netapp.com/advisory/ntap-20190221-0003/",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://usn.ubuntu.com/3834-1/",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://www.debian.org/security/2018/dsa-4347",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         url: "https://www.oracle.com/security-alerts/cpujul2020.html",
      },
   ],
   sourceIdentifier: "cve@mitre.org",
   vulnStatus: "Modified",
   weaknesses: [
      {
         description: [
            {
               lang: "en",
               value: "CWE-119",
            },
         ],
         source: "nvd@nist.gov",
         type: "Primary",
      },
   ],
}

cve-2018-12015
Vulnerability from cvelistv5
Published
2018-06-07 13:00
Modified
2024-08-05 08:24
Severity ?
Summary
In Perl through 5.26.2, the Archive::Tar module allows remote attackers to bypass a directory-traversal protection mechanism, and overwrite arbitrary files, via an archive file containing a symlink and a regular file with the same name.
References
http://www.securityfocus.com/bid/104423 | vdb-entry, x_refsource_BID
http://www.securitytracker.com/id/1041048 | vdb-entry, x_refsource_SECTRACK
https://www.debian.org/security/2018/dsa-4226 | vendor-advisory, x_refsource_DEBIAN
https://usn.ubuntu.com/3684-1/ | vendor-advisory, x_refsource_UBUNTU
https://usn.ubuntu.com/3684-2/ | vendor-advisory, x_refsource_UBUNTU
https://seclists.org/bugtraq/2019/Mar/42 | mailing-list, x_refsource_BUGTRAQ
http://seclists.org/fulldisclosure/2019/Mar/49 | mailing-list, x_refsource_FULLDISC
https://access.redhat.com/errata/RHSA-2019:2097 | vendor-advisory, x_refsource_REDHAT
https://www.oracle.com/security-alerts/cpujul2020.html | x_refsource_MISC
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=900834 | x_refsource_CONFIRM
https://security.netapp.com/advisory/ntap-20180927-0001/ | x_refsource_CONFIRM
https://support.apple.com/kb/HT209600 | x_refsource_CONFIRM
Impacted products
Vendor Product Version
n/a n/a Version: n/a


{
   containers: {
      adp: [
         {
            providerMetadata: {
               dateUpdated: "2024-08-05T08:24:03.584Z",
               orgId: "af854a3a-2127-422b-91ae-364da2661108",
               shortName: "CVE",
            },
            references: [
               {
                  name: "104423",
                  tags: [
                     "vdb-entry",
                     "x_refsource_BID",
                     "x_transferred",
                  ],
                  url: "http://www.securityfocus.com/bid/104423",
               },
               {
                  name: "1041048",
                  tags: [
                     "vdb-entry",
                     "x_refsource_SECTRACK",
                     "x_transferred",
                  ],
                  url: "http://www.securitytracker.com/id/1041048",
               },
               {
                  name: "DSA-4226",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_DEBIAN",
                     "x_transferred",
                  ],
                  url: "https://www.debian.org/security/2018/dsa-4226",
               },
               {
                  name: "USN-3684-1",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_UBUNTU",
                     "x_transferred",
                  ],
                  url: "https://usn.ubuntu.com/3684-1/",
               },
               {
                  name: "USN-3684-2",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_UBUNTU",
                     "x_transferred",
                  ],
                  url: "https://usn.ubuntu.com/3684-2/",
               },
               {
                  name: "20190326 APPLE-SA-2019-3-25-2 macOS Mojave 10.14.4, Security Update 2019-002 High Sierra, Security Update 2019-002 Sierra",
                  tags: [
                     "mailing-list",
                     "x_refsource_BUGTRAQ",
                     "x_transferred",
                  ],
                  url: "https://seclists.org/bugtraq/2019/Mar/42",
               },
               {
                  name: "20190326 APPLE-SA-2019-3-25-2 macOS Mojave 10.14.4, Security Update 2019-002 High Sierra, Security Update 2019-002 Sierra",
                  tags: [
                     "mailing-list",
                     "x_refsource_FULLDISC",
                     "x_transferred",
                  ],
                  url: "http://seclists.org/fulldisclosure/2019/Mar/49",
               },
               {
                  name: "RHSA-2019:2097",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_REDHAT",
                     "x_transferred",
                  ],
                  url: "https://access.redhat.com/errata/RHSA-2019:2097",
               },
               {
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://www.oracle.com/security-alerts/cpujul2020.html",
               },
               {
                  tags: [
                     "x_refsource_CONFIRM",
                     "x_transferred",
                  ],
                  url: "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=900834",
               },
               {
                  tags: [
                     "x_refsource_CONFIRM",
                     "x_transferred",
                  ],
                  url: "https://security.netapp.com/advisory/ntap-20180927-0001/",
               },
               {
                  tags: [
                     "x_refsource_CONFIRM",
                     "x_transferred",
                  ],
                  url: "https://support.apple.com/kb/HT209600",
               },
            ],
            title: "CVE Program Container",
         },
      ],
      cna: {
         affected: [
            {
               product: "n/a",
               vendor: "n/a",
               versions: [
                  {
                     status: "affected",
                     version: "n/a",
                  },
               ],
            },
         ],
         datePublic: "2018-06-07T00:00:00",
         descriptions: [
            {
               lang: "en",
               value: "In Perl through 5.26.2, the Archive::Tar module allows remote attackers to bypass a directory-traversal protection mechanism, and overwrite arbitrary files, via an archive file containing a symlink and a regular file with the same name.",
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     description: "n/a",
                     lang: "en",
                     type: "text",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2020-07-15T02:22:57",
            orgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            shortName: "mitre",
         },
         references: [
            {
               name: "104423",
               tags: [
                  "vdb-entry",
                  "x_refsource_BID",
               ],
               url: "http://www.securityfocus.com/bid/104423",
            },
            {
               name: "1041048",
               tags: [
                  "vdb-entry",
                  "x_refsource_SECTRACK",
               ],
               url: "http://www.securitytracker.com/id/1041048",
            },
            {
               name: "DSA-4226",
               tags: [
                  "vendor-advisory",
                  "x_refsource_DEBIAN",
               ],
               url: "https://www.debian.org/security/2018/dsa-4226",
            },
            {
               name: "USN-3684-1",
               tags: [
                  "vendor-advisory",
                  "x_refsource_UBUNTU",
               ],
               url: "https://usn.ubuntu.com/3684-1/",
            },
            {
               name: "USN-3684-2",
               tags: [
                  "vendor-advisory",
                  "x_refsource_UBUNTU",
               ],
               url: "https://usn.ubuntu.com/3684-2/",
            },
            {
               name: "20190326 APPLE-SA-2019-3-25-2 macOS Mojave 10.14.4, Security Update 2019-002 High Sierra, Security Update 2019-002 Sierra",
               tags: [
                  "mailing-list",
                  "x_refsource_BUGTRAQ",
               ],
               url: "https://seclists.org/bugtraq/2019/Mar/42",
            },
            {
               name: "20190326 APPLE-SA-2019-3-25-2 macOS Mojave 10.14.4, Security Update 2019-002 High Sierra, Security Update 2019-002 Sierra",
               tags: [
                  "mailing-list",
                  "x_refsource_FULLDISC",
               ],
               url: "http://seclists.org/fulldisclosure/2019/Mar/49",
            },
            {
               name: "RHSA-2019:2097",
               tags: [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
               ],
               url: "https://access.redhat.com/errata/RHSA-2019:2097",
            },
            {
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://www.oracle.com/security-alerts/cpujul2020.html",
            },
            {
               tags: [
                  "x_refsource_CONFIRM",
               ],
               url: "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=900834",
            },
            {
               tags: [
                  "x_refsource_CONFIRM",
               ],
               url: "https://security.netapp.com/advisory/ntap-20180927-0001/",
            },
            {
               tags: [
                  "x_refsource_CONFIRM",
               ],
               url: "https://support.apple.com/kb/HT209600",
            },
         ],
         x_legacyV4Record: {
            CVE_data_meta: {
               ASSIGNER: "cve@mitre.org",
               ID: "CVE-2018-12015",
               STATE: "PUBLIC",
            },
            affects: {
               vendor: {
                  vendor_data: [
                     {
                        product: {
                           product_data: [
                              {
                                 product_name: "n/a",
                                 version: {
                                    version_data: [
                                       {
                                          version_value: "n/a",
                                       },
                                    ],
                                 },
                              },
                           ],
                        },
                        vendor_name: "n/a",
                     },
                  ],
               },
            },
            data_format: "MITRE",
            data_type: "CVE",
            data_version: "4.0",
            description: {
               description_data: [
                  {
                     lang: "eng",
                     value: "In Perl through 5.26.2, the Archive::Tar module allows remote attackers to bypass a directory-traversal protection mechanism, and overwrite arbitrary files, via an archive file containing a symlink and a regular file with the same name.",
                  },
               ],
            },
            problemtype: {
               problemtype_data: [
                  {
                     description: [
                        {
                           lang: "eng",
                           value: "n/a",
                        },
                     ],
                  },
               ],
            },
            references: {
               reference_data: [
                  {
                     name: "104423",
                     refsource: "BID",
                     url: "http://www.securityfocus.com/bid/104423",
                  },
                  {
                     name: "1041048",
                     refsource: "SECTRACK",
                     url: "http://www.securitytracker.com/id/1041048",
                  },
                  {
                     name: "DSA-4226",
                     refsource: "DEBIAN",
                     url: "https://www.debian.org/security/2018/dsa-4226",
                  },
                  {
                     name: "USN-3684-1",
                     refsource: "UBUNTU",
                     url: "https://usn.ubuntu.com/3684-1/",
                  },
                  {
                     name: "USN-3684-2",
                     refsource: "UBUNTU",
                     url: "https://usn.ubuntu.com/3684-2/",
                  },
                  {
                     name: "20190326 APPLE-SA-2019-3-25-2 macOS Mojave 10.14.4, Security Update 2019-002 High Sierra, Security Update 2019-002 Sierra",
                     refsource: "BUGTRAQ",
                     url: "https://seclists.org/bugtraq/2019/Mar/42",
                  },
                  {
                     name: "20190326 APPLE-SA-2019-3-25-2 macOS Mojave 10.14.4, Security Update 2019-002 High Sierra, Security Update 2019-002 Sierra",
                     refsource: "FULLDISC",
                     url: "http://seclists.org/fulldisclosure/2019/Mar/49",
                  },
                  {
                     name: "RHSA-2019:2097",
                     refsource: "REDHAT",
                     url: "https://access.redhat.com/errata/RHSA-2019:2097",
                  },
                  {
                     name: "https://www.oracle.com/security-alerts/cpujul2020.html",
                     refsource: "MISC",
                     url: "https://www.oracle.com/security-alerts/cpujul2020.html",
                  },
                  {
                     name: "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=900834",
                     refsource: "CONFIRM",
                     url: "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=900834",
                  },
                  {
                     name: "https://security.netapp.com/advisory/ntap-20180927-0001/",
                     refsource: "CONFIRM",
                     url: "https://security.netapp.com/advisory/ntap-20180927-0001/",
                  },
                  {
                     name: "https://support.apple.com/kb/HT209600",
                     refsource: "CONFIRM",
                     url: "https://support.apple.com/kb/HT209600",
                  },
               ],
            },
         },
      },
   },
   cveMetadata: {
      assignerOrgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
      assignerShortName: "mitre",
      cveId: "CVE-2018-12015",
      datePublished: "2018-06-07T13:00:00",
      dateReserved: "2018-06-07T00:00:00",
      dateUpdated: "2024-08-05T08:24:03.584Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
}

cve-2022-23308
Vulnerability from cvelistv5
Published
2022-02-26 00:00
Modified
2024-08-03 03:36
Severity ?
Summary
valid.c in libxml2 before 2.9.13 has a use-after-free of ID and IDREF attributes.
Impacted products
Vendor Product Version
n/a n/a Version: n/a


{
   containers: {
      adp: [
         {
            providerMetadata: {
               dateUpdated: "2024-08-03T03:36:20.420Z",
               orgId: "af854a3a-2127-422b-91ae-364da2661108",
               shortName: "CVE",
            },
            references: [
               {
                  name: "FEDORA-2022-050c712ed7",
                  tags: [
                     "vendor-advisory",
                     "x_transferred",
                  ],
                  url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LA3MWWAYZADWJ5F6JOUBX65UZAMQB7RF/",
               },
               {
                  name: "[debian-lts-announce] 20220408 [SECURITY] [DLA 2972-1] libxml2 security update",
                  tags: [
                     "mailing-list",
                     "x_transferred",
                  ],
                  url: "https://lists.debian.org/debian-lts-announce/2022/04/msg00004.html",
               },
               {
                  name: "20220516 APPLE-SA-2022-05-16-4 Security Update 2022-004 Catalina",
                  tags: [
                     "mailing-list",
                     "x_transferred",
                  ],
                  url: "http://seclists.org/fulldisclosure/2022/May/33",
               },
               {
                  name: "20220516 APPLE-SA-2022-05-16-6 tvOS 15.5",
                  tags: [
                     "mailing-list",
                     "x_transferred",
                  ],
                  url: "http://seclists.org/fulldisclosure/2022/May/37",
               },
               {
                  name: "20220516 APPLE-SA-2022-05-16-3 macOS Big Sur 11.6.6",
                  tags: [
                     "mailing-list",
                     "x_transferred",
                  ],
                  url: "http://seclists.org/fulldisclosure/2022/May/35",
               },
               {
                  name: "20220516 APPLE-SA-2022-05-16-2 macOS Monterey 12.4",
                  tags: [
                     "mailing-list",
                     "x_transferred",
                  ],
                  url: "http://seclists.org/fulldisclosure/2022/May/38",
               },
               {
                  name: "20220516 APPLE-SA-2022-05-16-5 watchOS 8.6",
                  tags: [
                     "mailing-list",
                     "x_transferred",
                  ],
                  url: "http://seclists.org/fulldisclosure/2022/May/36",
               },
               {
                  name: "20220516 APPLE-SA-2022-05-16-1 iOS 15.5 and iPadOS 15.5",
                  tags: [
                     "mailing-list",
                     "x_transferred",
                  ],
                  url: "http://seclists.org/fulldisclosure/2022/May/34",
               },
               {
                  tags: [
                     "x_transferred",
                  ],
                  url: "https://www.oracle.com/security-alerts/cpujul2022.html",
               },
               {
                  tags: [
                     "x_transferred",
                  ],
                  url: "https://support.apple.com/kb/HT213257",
               },
               {
                  tags: [
                     "x_transferred",
                  ],
                  url: "https://support.apple.com/kb/HT213256",
               },
               {
                  tags: [
                     "x_transferred",
                  ],
                  url: "https://support.apple.com/kb/HT213255",
               },
               {
                  tags: [
                     "x_transferred",
                  ],
                  url: "https://gitlab.gnome.org/GNOME/libxml2/-/blob/v2.9.13/NEWS",
               },
               {
                  tags: [
                     "x_transferred",
                  ],
                  url: "https://github.com/GNOME/libxml2/commit/652dd12a858989b14eed4e84e453059cd3ba340e",
               },
               {
                  tags: [
                     "x_transferred",
                  ],
                  url: "https://security.netapp.com/advisory/ntap-20220331-0008/",
               },
               {
                  tags: [
                     "x_transferred",
                  ],
                  url: "https://support.apple.com/kb/HT213253",
               },
               {
                  tags: [
                     "x_transferred",
                  ],
                  url: "https://support.apple.com/kb/HT213258",
               },
               {
                  tags: [
                     "x_transferred",
                  ],
                  url: "https://support.apple.com/kb/HT213254",
               },
               {
                  name: "GLSA-202210-03",
                  tags: [
                     "vendor-advisory",
                     "x_transferred",
                  ],
                  url: "https://security.gentoo.org/glsa/202210-03",
               },
            ],
            title: "CVE Program Container",
         },
      ],
      cna: {
         affected: [
            {
               product: "n/a",
               vendor: "n/a",
               versions: [
                  {
                     status: "affected",
                     version: "n/a",
                  },
               ],
            },
         ],
         descriptions: [
            {
               lang: "en",
               value: "valid.c in libxml2 before 2.9.13 has a use-after-free of ID and IDREF attributes.",
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     description: "n/a",
                     lang: "en",
                     type: "text",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2022-10-16T00:00:00",
            orgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            shortName: "mitre",
         },
         references: [
            {
               name: "FEDORA-2022-050c712ed7",
               tags: [
                  "vendor-advisory",
               ],
               url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LA3MWWAYZADWJ5F6JOUBX65UZAMQB7RF/",
            },
            {
               name: "[debian-lts-announce] 20220408 [SECURITY] [DLA 2972-1] libxml2 security update",
               tags: [
                  "mailing-list",
               ],
               url: "https://lists.debian.org/debian-lts-announce/2022/04/msg00004.html",
            },
            {
               name: "20220516 APPLE-SA-2022-05-16-4 Security Update 2022-004 Catalina",
               tags: [
                  "mailing-list",
               ],
               url: "http://seclists.org/fulldisclosure/2022/May/33",
            },
            {
               name: "20220516 APPLE-SA-2022-05-16-6 tvOS 15.5",
               tags: [
                  "mailing-list",
               ],
               url: "http://seclists.org/fulldisclosure/2022/May/37",
            },
            {
               name: "20220516 APPLE-SA-2022-05-16-3 macOS Big Sur 11.6.6",
               tags: [
                  "mailing-list",
               ],
               url: "http://seclists.org/fulldisclosure/2022/May/35",
            },
            {
               name: "20220516 APPLE-SA-2022-05-16-2 macOS Monterey 12.4",
               tags: [
                  "mailing-list",
               ],
               url: "http://seclists.org/fulldisclosure/2022/May/38",
            },
            {
               name: "20220516 APPLE-SA-2022-05-16-5 watchOS 8.6",
               tags: [
                  "mailing-list",
               ],
               url: "http://seclists.org/fulldisclosure/2022/May/36",
            },
            {
               name: "20220516 APPLE-SA-2022-05-16-1 iOS 15.5 and iPadOS 15.5",
               tags: [
                  "mailing-list",
               ],
               url: "http://seclists.org/fulldisclosure/2022/May/34",
            },
            {
               url: "https://www.oracle.com/security-alerts/cpujul2022.html",
            },
            {
               url: "https://support.apple.com/kb/HT213257",
            },
            {
               url: "https://support.apple.com/kb/HT213256",
            },
            {
               url: "https://support.apple.com/kb/HT213255",
            },
            {
               url: "https://gitlab.gnome.org/GNOME/libxml2/-/blob/v2.9.13/NEWS",
            },
            {
               url: "https://github.com/GNOME/libxml2/commit/652dd12a858989b14eed4e84e453059cd3ba340e",
            },
            {
               url: "https://security.netapp.com/advisory/ntap-20220331-0008/",
            },
            {
               url: "https://support.apple.com/kb/HT213253",
            },
            {
               url: "https://support.apple.com/kb/HT213258",
            },
            {
               url: "https://support.apple.com/kb/HT213254",
            },
            {
               name: "GLSA-202210-03",
               tags: [
                  "vendor-advisory",
               ],
               url: "https://security.gentoo.org/glsa/202210-03",
            },
         ],
      },
   },
   cveMetadata: {
      assignerOrgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
      assignerShortName: "mitre",
      cveId: "CVE-2022-23308",
      datePublished: "2022-02-26T00:00:00",
      dateReserved: "2022-01-17T00:00:00",
      dateUpdated: "2024-08-03T03:36:20.420Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
}

cve-2019-1559
Vulnerability from cvelistv5
Published
2019-02-27 23:00
Modified
2024-09-17 04:20
Severity ?
Summary
If an application encounters a fatal protocol error and then calls SSL_shutdown() twice (once to send a close_notify, and once to receive one) then OpenSSL can respond differently to the calling application if a 0 byte record is received with invalid padding compared to if a 0 byte record is received with an invalid MAC. If the application then behaves differently based on that in a way that is detectable to the remote peer, then this amounts to a padding oracle that could be used to decrypt data. In order for this to be exploitable "non-stitched" ciphersuites must be in use. Stitched ciphersuites are optimised implementations of certain commonly used ciphersuites. Also the application must call SSL_shutdown() twice even if a protocol error has occurred (applications should not do this but some do anyway). Fixed in OpenSSL 1.0.2r (Affected 1.0.2-1.0.2q).
References
http://www.securityfocus.com/bid/107174 (vdb-entry, x_refsource_BID)
https://security.gentoo.org/glsa/201903-10 (vendor-advisory, x_refsource_GENTOO)
https://usn.ubuntu.com/3899-1/ (vendor-advisory, x_refsource_UBUNTU)
https://lists.debian.org/debian-lts-announce/2019/03/msg00003.html (mailing-list, x_refsource_MLIST)
https://www.debian.org/security/2019/dsa-4400 (vendor-advisory, x_refsource_DEBIAN)
http://lists.opensuse.org/opensuse-security-announce/2019-03/msg00041.html (vendor-advisory, x_refsource_SUSE)
http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00019.html (vendor-advisory, x_refsource_SUSE)
http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00046.html (vendor-advisory, x_refsource_SUSE)
http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00047.html (vendor-advisory, x_refsource_SUSE)
http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00049.html (vendor-advisory, x_refsource_SUSE)
http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00080.html (vendor-advisory, x_refsource_SUSE)
https://access.redhat.com/errata/RHSA-2019:2304 (vendor-advisory, x_refsource_REDHAT)
https://access.redhat.com/errata/RHSA-2019:2439 (vendor-advisory, x_refsource_REDHAT)
https://access.redhat.com/errata/RHSA-2019:2437 (vendor-advisory, x_refsource_REDHAT)
https://access.redhat.com/errata/RHSA-2019:2471 (vendor-advisory, x_refsource_REDHAT)
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EWC42UXL5GHTU5G77VKBF6JYUUNGSHOM/ (vendor-advisory, x_refsource_FEDORA)
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZBEV5QGDRFUZDMNECFXUSN5FMYOZDE4V/ (vendor-advisory, x_refsource_FEDORA)
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Y3IVFGSERAZLNJCK35TEM2R4726XIH3Z/ (vendor-advisory, x_refsource_FEDORA)
https://access.redhat.com/errata/RHSA-2019:3929 (vendor-advisory, x_refsource_REDHAT)
https://access.redhat.com/errata/RHSA-2019:3931 (vendor-advisory, x_refsource_REDHAT)
https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html (x_refsource_MISC)
https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html (x_refsource_MISC)
https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html (x_refsource_MISC)
https://www.oracle.com/security-alerts/cpujan2020.html (x_refsource_MISC)
https://usn.ubuntu.com/4376-2/ (vendor-advisory, x_refsource_UBUNTU)
https://www.oracle.com/security-alerts/cpujan2021.html (x_refsource_MISC)
https://security.netapp.com/advisory/ntap-20190301-0001/ (x_refsource_CONFIRM)
https://security.netapp.com/advisory/ntap-20190301-0002/ (x_refsource_CONFIRM)
https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=e9bbefbf0f24c57645e7ad6a5a71ae649d18ac8e (x_refsource_CONFIRM)
https://www.openssl.org/news/secadv/20190226.txt (x_refsource_CONFIRM)
https://support.f5.com/csp/article/K18549143 (x_refsource_CONFIRM)
https://www.tenable.com/security/tns-2019-02 (x_refsource_CONFIRM)
https://security.netapp.com/advisory/ntap-20190423-0002/ (x_refsource_CONFIRM)
https://www.tenable.com/security/tns-2019-03 (x_refsource_CONFIRM)
https://kc.mcafee.com/corporate/index?page=content&id=SB10282 (x_refsource_CONFIRM)
https://support.f5.com/csp/article/K18549143?utm_source=f5support&amp%3Butm_medium=RSS (x_refsource_CONFIRM)
Impacted products
Vendor Product Version
OpenSSL OpenSSL Version: Fixed in OpenSSL 1.0.2r (Affected 1.0.2-1.0.2q)


{
   containers: {
      adp: [
         {
            providerMetadata: {
               dateUpdated: "2024-08-04T18:20:27.982Z",
               orgId: "af854a3a-2127-422b-91ae-364da2661108",
               shortName: "CVE",
            },
            references: [
               {
                  name: "107174",
                  tags: [
                     "vdb-entry",
                     "x_refsource_BID",
                     "x_transferred",
                  ],
                  url: "http://www.securityfocus.com/bid/107174",
               },
               {
                  name: "GLSA-201903-10",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_GENTOO",
                     "x_transferred",
                  ],
                  url: "https://security.gentoo.org/glsa/201903-10",
               },
               {
                  name: "USN-3899-1",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_UBUNTU",
                     "x_transferred",
                  ],
                  url: "https://usn.ubuntu.com/3899-1/",
               },
               {
                  name: "[debian-lts-announce] 20190301 [SECURITY] [DLA 1701-1] openssl security update",
                  tags: [
                     "mailing-list",
                     "x_refsource_MLIST",
                     "x_transferred",
                  ],
                  url: "https://lists.debian.org/debian-lts-announce/2019/03/msg00003.html",
               },
               {
                  name: "DSA-4400",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_DEBIAN",
                     "x_transferred",
                  ],
                  url: "https://www.debian.org/security/2019/dsa-4400",
               },
               {
                  name: "openSUSE-SU-2019:1076",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_SUSE",
                     "x_transferred",
                  ],
                  url: "http://lists.opensuse.org/opensuse-security-announce/2019-03/msg00041.html",
               },
               {
                  name: "openSUSE-SU-2019:1105",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_SUSE",
                     "x_transferred",
                  ],
                  url: "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00019.html",
               },
               {
                  name: "openSUSE-SU-2019:1173",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_SUSE",
                     "x_transferred",
                  ],
                  url: "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00046.html",
               },
               {
                  name: "openSUSE-SU-2019:1175",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_SUSE",
                     "x_transferred",
                  ],
                  url: "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00047.html",
               },
               {
                  name: "openSUSE-SU-2019:1432",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_SUSE",
                     "x_transferred",
                  ],
                  url: "http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00049.html",
               },
               {
                  name: "openSUSE-SU-2019:1637",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_SUSE",
                     "x_transferred",
                  ],
                  url: "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00080.html",
               },
               {
                  name: "RHSA-2019:2304",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_REDHAT",
                     "x_transferred",
                  ],
                  url: "https://access.redhat.com/errata/RHSA-2019:2304",
               },
               {
                  name: "RHSA-2019:2439",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_REDHAT",
                     "x_transferred",
                  ],
                  url: "https://access.redhat.com/errata/RHSA-2019:2439",
               },
               {
                  name: "RHSA-2019:2437",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_REDHAT",
                     "x_transferred",
                  ],
                  url: "https://access.redhat.com/errata/RHSA-2019:2437",
               },
               {
                  name: "RHSA-2019:2471",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_REDHAT",
                     "x_transferred",
                  ],
                  url: "https://access.redhat.com/errata/RHSA-2019:2471",
               },
               {
                  name: "FEDORA-2019-db06efdea1",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_FEDORA",
                     "x_transferred",
                  ],
                  url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EWC42UXL5GHTU5G77VKBF6JYUUNGSHOM/",
               },
               {
                  name: "FEDORA-2019-00c25b9379",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_FEDORA",
                     "x_transferred",
                  ],
                  url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZBEV5QGDRFUZDMNECFXUSN5FMYOZDE4V/",
               },
               {
                  name: "FEDORA-2019-9a0a7c0986",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_FEDORA",
                     "x_transferred",
                  ],
                  url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Y3IVFGSERAZLNJCK35TEM2R4726XIH3Z/",
               },
               {
                  name: "RHSA-2019:3929",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_REDHAT",
                     "x_transferred",
                  ],
                  url: "https://access.redhat.com/errata/RHSA-2019:3929",
               },
               {
                  name: "RHSA-2019:3931",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_REDHAT",
                     "x_transferred",
                  ],
                  url: "https://access.redhat.com/errata/RHSA-2019:3931",
               },
               {
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html",
               },
               {
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html",
               },
               {
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html",
               },
               {
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://www.oracle.com/security-alerts/cpujan2020.html",
               },
               {
                  name: "USN-4376-2",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_UBUNTU",
                     "x_transferred",
                  ],
                  url: "https://usn.ubuntu.com/4376-2/",
               },
               {
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://www.oracle.com/security-alerts/cpujan2021.html",
               },
               {
                  tags: [
                     "x_refsource_CONFIRM",
                     "x_transferred",
                  ],
                  url: "https://security.netapp.com/advisory/ntap-20190301-0001/",
               },
               {
                  tags: [
                     "x_refsource_CONFIRM",
                     "x_transferred",
                  ],
                  url: "https://security.netapp.com/advisory/ntap-20190301-0002/",
               },
               {
                  tags: [
                     "x_refsource_CONFIRM",
                     "x_transferred",
                  ],
                  url: "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=e9bbefbf0f24c57645e7ad6a5a71ae649d18ac8e",
               },
               {
                  tags: [
                     "x_refsource_CONFIRM",
                     "x_transferred",
                  ],
                  url: "https://www.openssl.org/news/secadv/20190226.txt",
               },
               {
                  tags: [
                     "x_refsource_CONFIRM",
                     "x_transferred",
                  ],
                  url: "https://support.f5.com/csp/article/K18549143",
               },
               {
                  tags: [
                     "x_refsource_CONFIRM",
                     "x_transferred",
                  ],
                  url: "https://www.tenable.com/security/tns-2019-02",
               },
               {
                  tags: [
                     "x_refsource_CONFIRM",
                     "x_transferred",
                  ],
                  url: "https://security.netapp.com/advisory/ntap-20190423-0002/",
               },
               {
                  tags: [
                     "x_refsource_CONFIRM",
                     "x_transferred",
                  ],
                  url: "https://www.tenable.com/security/tns-2019-03",
               },
               {
                  tags: [
                     "x_refsource_CONFIRM",
                     "x_transferred",
                  ],
                  url: "https://kc.mcafee.com/corporate/index?page=content&id=SB10282",
               },
               {
                  tags: [
                     "x_refsource_CONFIRM",
                     "x_transferred",
                  ],
                  url: "https://support.f5.com/csp/article/K18549143?utm_source=f5support&amp%3Butm_medium=RSS",
               },
            ],
            title: "CVE Program Container",
         },
      ],
      cna: {
         affected: [
            {
               product: "OpenSSL",
               vendor: "OpenSSL",
               versions: [
                  {
                     status: "affected",
                     version: "Fixed in OpenSSL 1.0.2r (Affected 1.0.2-1.0.2q)",
                  },
               ],
            },
         ],
         credits: [
            {
               lang: "en",
               value: "Juraj Somorovsky, Robert Merget and Nimrod Aviram, with additional investigation by Steven Collison and Andrew Hourselt",
            },
         ],
         datePublic: "2019-02-26T00:00:00",
         descriptions: [
            {
               lang: "en",
               value: "If an application encounters a fatal protocol error and then calls SSL_shutdown() twice (once to send a close_notify, and once to receive one) then OpenSSL can respond differently to the calling application if a 0 byte record is received with invalid padding compared to if a 0 byte record is received with an invalid MAC. If the application then behaves differently based on that in a way that is detectable to the remote peer, then this amounts to a padding oracle that could be used to decrypt data. In order for this to be exploitable \"non-stitched\" ciphersuites must be in use. Stitched ciphersuites are optimised implementations of certain commonly used ciphersuites. Also the application must call SSL_shutdown() twice even if a protocol error has occurred (applications should not do this but some do anyway). Fixed in OpenSSL 1.0.2r (Affected 1.0.2-1.0.2q).",
            },
         ],
         metrics: [
            {
               other: {
                  content: {
                     lang: "eng",
                     url: "https://www.openssl.org/policies/secpolicy.html#Moderate",
                     value: "Moderate",
                  },
                  type: "unknown",
               },
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     description: "Padding Oracle",
                     lang: "en",
                     type: "text",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2021-01-20T14:42:01",
            orgId: "3a12439a-ef3a-4c79-92e6-6081a721f1e5",
            shortName: "openssl",
         },
         references: [
            {
               name: "107174",
               tags: [
                  "vdb-entry",
                  "x_refsource_BID",
               ],
               url: "http://www.securityfocus.com/bid/107174",
            },
            {
               name: "GLSA-201903-10",
               tags: [
                  "vendor-advisory",
                  "x_refsource_GENTOO",
               ],
               url: "https://security.gentoo.org/glsa/201903-10",
            },
            {
               name: "USN-3899-1",
               tags: [
                  "vendor-advisory",
                  "x_refsource_UBUNTU",
               ],
               url: "https://usn.ubuntu.com/3899-1/",
            },
            {
               name: "[debian-lts-announce] 20190301 [SECURITY] [DLA 1701-1] openssl security update",
               tags: [
                  "mailing-list",
                  "x_refsource_MLIST",
               ],
               url: "https://lists.debian.org/debian-lts-announce/2019/03/msg00003.html",
            },
            {
               name: "DSA-4400",
               tags: [
                  "vendor-advisory",
                  "x_refsource_DEBIAN",
               ],
               url: "https://www.debian.org/security/2019/dsa-4400",
            },
            {
               name: "openSUSE-SU-2019:1076",
               tags: [
                  "vendor-advisory",
                  "x_refsource_SUSE",
               ],
               url: "http://lists.opensuse.org/opensuse-security-announce/2019-03/msg00041.html",
            },
            {
               name: "openSUSE-SU-2019:1105",
               tags: [
                  "vendor-advisory",
                  "x_refsource_SUSE",
               ],
               url: "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00019.html",
            },
            {
               name: "openSUSE-SU-2019:1173",
               tags: [
                  "vendor-advisory",
                  "x_refsource_SUSE",
               ],
               url: "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00046.html",
            },
            {
               name: "openSUSE-SU-2019:1175",
               tags: [
                  "vendor-advisory",
                  "x_refsource_SUSE",
               ],
               url: "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00047.html",
            },
            {
               name: "openSUSE-SU-2019:1432",
               tags: [
                  "vendor-advisory",
                  "x_refsource_SUSE",
               ],
               url: "http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00049.html",
            },
            {
               name: "openSUSE-SU-2019:1637",
               tags: [
                  "vendor-advisory",
                  "x_refsource_SUSE",
               ],
               url: "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00080.html",
            },
            {
               name: "RHSA-2019:2304",
               tags: [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
               ],
               url: "https://access.redhat.com/errata/RHSA-2019:2304",
            },
            {
               name: "RHSA-2019:2439",
               tags: [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
               ],
               url: "https://access.redhat.com/errata/RHSA-2019:2439",
            },
            {
               name: "RHSA-2019:2437",
               tags: [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
               ],
               url: "https://access.redhat.com/errata/RHSA-2019:2437",
            },
            {
               name: "RHSA-2019:2471",
               tags: [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
               ],
               url: "https://access.redhat.com/errata/RHSA-2019:2471",
            },
            {
               name: "FEDORA-2019-db06efdea1",
               tags: [
                  "vendor-advisory",
                  "x_refsource_FEDORA",
               ],
               url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EWC42UXL5GHTU5G77VKBF6JYUUNGSHOM/",
            },
            {
               name: "FEDORA-2019-00c25b9379",
               tags: [
                  "vendor-advisory",
                  "x_refsource_FEDORA",
               ],
               url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZBEV5QGDRFUZDMNECFXUSN5FMYOZDE4V/",
            },
            {
               name: "FEDORA-2019-9a0a7c0986",
               tags: [
                  "vendor-advisory",
                  "x_refsource_FEDORA",
               ],
               url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Y3IVFGSERAZLNJCK35TEM2R4726XIH3Z/",
            },
            {
               name: "RHSA-2019:3929",
               tags: [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
               ],
               url: "https://access.redhat.com/errata/RHSA-2019:3929",
            },
            {
               name: "RHSA-2019:3931",
               tags: [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
               ],
               url: "https://access.redhat.com/errata/RHSA-2019:3931",
            },
            {
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html",
            },
            {
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html",
            },
            {
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html",
            },
            {
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://www.oracle.com/security-alerts/cpujan2020.html",
            },
            {
               name: "USN-4376-2",
               tags: [
                  "vendor-advisory",
                  "x_refsource_UBUNTU",
               ],
               url: "https://usn.ubuntu.com/4376-2/",
            },
            {
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://www.oracle.com/security-alerts/cpujan2021.html",
            },
            {
               tags: [
                  "x_refsource_CONFIRM",
               ],
               url: "https://security.netapp.com/advisory/ntap-20190301-0001/",
            },
            {
               tags: [
                  "x_refsource_CONFIRM",
               ],
               url: "https://security.netapp.com/advisory/ntap-20190301-0002/",
            },
            {
               tags: [
                  "x_refsource_CONFIRM",
               ],
               url: "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=e9bbefbf0f24c57645e7ad6a5a71ae649d18ac8e",
            },
            {
               tags: [
                  "x_refsource_CONFIRM",
               ],
               url: "https://www.openssl.org/news/secadv/20190226.txt",
            },
            {
               tags: [
                  "x_refsource_CONFIRM",
               ],
               url: "https://support.f5.com/csp/article/K18549143",
            },
            {
               tags: [
                  "x_refsource_CONFIRM",
               ],
               url: "https://www.tenable.com/security/tns-2019-02",
            },
            {
               tags: [
                  "x_refsource_CONFIRM",
               ],
               url: "https://security.netapp.com/advisory/ntap-20190423-0002/",
            },
            {
               tags: [
                  "x_refsource_CONFIRM",
               ],
               url: "https://www.tenable.com/security/tns-2019-03",
            },
            {
               tags: [
                  "x_refsource_CONFIRM",
               ],
               url: "https://kc.mcafee.com/corporate/index?page=content&id=SB10282",
            },
            {
               tags: [
                  "x_refsource_CONFIRM",
               ],
               url: "https://support.f5.com/csp/article/K18549143?utm_source=f5support&amp%3Butm_medium=RSS",
            },
         ],
         title: "0-byte record padding oracle",
         x_legacyV4Record: {
            CVE_data_meta: {
               ASSIGNER: "openssl-security@openssl.org",
               DATE_PUBLIC: "2019-02-26",
               ID: "CVE-2019-1559",
               STATE: "PUBLIC",
               TITLE: "0-byte record padding oracle",
            },
            affects: {
               vendor: {
                  vendor_data: [
                     {
                        product: {
                           product_data: [
                              {
                                 product_name: "OpenSSL",
                                 version: {
                                    version_data: [
                                       {
                                          version_value: "Fixed in OpenSSL 1.0.2r (Affected 1.0.2-1.0.2q)",
                                       },
                                    ],
                                 },
                              },
                           ],
                        },
                        vendor_name: "OpenSSL",
                     },
                  ],
               },
            },
            credit: [
               {
                  lang: "eng",
                  value: "Juraj Somorovsky, Robert Merget and Nimrod Aviram, with additional investigation by Steven Collison and Andrew Hourselt",
               },
            ],
            data_format: "MITRE",
            data_type: "CVE",
            data_version: "4.0",
            description: {
               description_data: [
                  {
                     lang: "eng",
                     value: "If an application encounters a fatal protocol error and then calls SSL_shutdown() twice (once to send a close_notify, and once to receive one) then OpenSSL can respond differently to the calling application if a 0 byte record is received with invalid padding compared to if a 0 byte record is received with an invalid MAC. If the application then behaves differently based on that in a way that is detectable to the remote peer, then this amounts to a padding oracle that could be used to decrypt data. In order for this to be exploitable \"non-stitched\" ciphersuites must be in use. Stitched ciphersuites are optimised implementations of certain commonly used ciphersuites. Also the application must call SSL_shutdown() twice even if a protocol error has occurred (applications should not do this but some do anyway). Fixed in OpenSSL 1.0.2r (Affected 1.0.2-1.0.2q).",
                  },
               ],
            },
            impact: [
               {
                  lang: "eng",
                  url: "https://www.openssl.org/policies/secpolicy.html#Moderate",
                  value: "Moderate",
               },
            ],
            problemtype: {
               problemtype_data: [
                  {
                     description: [
                        {
                           lang: "eng",
                           value: "Padding Oracle",
                        },
                     ],
                  },
               ],
            },
            references: {
               reference_data: [
                  {
                     name: "107174",
                     refsource: "BID",
                     url: "http://www.securityfocus.com/bid/107174",
                  },
                  {
                     name: "GLSA-201903-10",
                     refsource: "GENTOO",
                     url: "https://security.gentoo.org/glsa/201903-10",
                  },
                  {
                     name: "USN-3899-1",
                     refsource: "UBUNTU",
                     url: "https://usn.ubuntu.com/3899-1/",
                  },
                  {
                     name: "[debian-lts-announce] 20190301 [SECURITY] [DLA 1701-1] openssl security update",
                     refsource: "MLIST",
                     url: "https://lists.debian.org/debian-lts-announce/2019/03/msg00003.html",
                  },
                  {
                     name: "DSA-4400",
                     refsource: "DEBIAN",
                     url: "https://www.debian.org/security/2019/dsa-4400",
                  },
                  {
                     name: "openSUSE-SU-2019:1076",
                     refsource: "SUSE",
                     url: "http://lists.opensuse.org/opensuse-security-announce/2019-03/msg00041.html",
                  },
                  {
                     name: "openSUSE-SU-2019:1105",
                     refsource: "SUSE",
                     url: "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00019.html",
                  },
                  {
                     name: "openSUSE-SU-2019:1173",
                     refsource: "SUSE",
                     url: "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00046.html",
                  },
                  {
                     name: "openSUSE-SU-2019:1175",
                     refsource: "SUSE",
                     url: "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00047.html",
                  },
                  {
                     name: "openSUSE-SU-2019:1432",
                     refsource: "SUSE",
                     url: "http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00049.html",
                  },
                  {
                     name: "openSUSE-SU-2019:1637",
                     refsource: "SUSE",
                     url: "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00080.html",
                  },
                  {
                     name: "RHSA-2019:2304",
                     refsource: "REDHAT",
                     url: "https://access.redhat.com/errata/RHSA-2019:2304",
                  },
                  {
                     name: "RHSA-2019:2439",
                     refsource: "REDHAT",
                     url: "https://access.redhat.com/errata/RHSA-2019:2439",
                  },
                  {
                     name: "RHSA-2019:2437",
                     refsource: "REDHAT",
                     url: "https://access.redhat.com/errata/RHSA-2019:2437",
                  },
                  {
                     name: "RHSA-2019:2471",
                     refsource: "REDHAT",
                     url: "https://access.redhat.com/errata/RHSA-2019:2471",
                  },
                  {
                     name: "FEDORA-2019-db06efdea1",
                     refsource: "FEDORA",
                     url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EWC42UXL5GHTU5G77VKBF6JYUUNGSHOM/",
                  },
                  {
                     name: "FEDORA-2019-00c25b9379",
                     refsource: "FEDORA",
                     url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZBEV5QGDRFUZDMNECFXUSN5FMYOZDE4V/",
                  },
                  {
                     name: "FEDORA-2019-9a0a7c0986",
                     refsource: "FEDORA",
                     url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Y3IVFGSERAZLNJCK35TEM2R4726XIH3Z/",
                  },
                  {
                     name: "RHSA-2019:3929",
                     refsource: "REDHAT",
                     url: "https://access.redhat.com/errata/RHSA-2019:3929",
                  },
                  {
                     name: "RHSA-2019:3931",
                     refsource: "REDHAT",
                     url: "https://access.redhat.com/errata/RHSA-2019:3931",
                  },
                  {
                     name: "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html",
                     refsource: "MISC",
                     url: "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html",
                  },
                  {
                     name: "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html",
                     refsource: "MISC",
                     url: "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html",
                  },
                  {
                     name: "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html",
                     refsource: "MISC",
                     url: "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html",
                  },
                  {
                     name: "https://www.oracle.com/security-alerts/cpujan2020.html",
                     refsource: "MISC",
                     url: "https://www.oracle.com/security-alerts/cpujan2020.html",
                  },
                  {
                     name: "USN-4376-2",
                     refsource: "UBUNTU",
                     url: "https://usn.ubuntu.com/4376-2/",
                  },
                  {
                     name: "https://www.oracle.com/security-alerts/cpujan2021.html",
                     refsource: "MISC",
                     url: "https://www.oracle.com/security-alerts/cpujan2021.html",
                  },
                  {
                     name: "https://security.netapp.com/advisory/ntap-20190301-0001/",
                     refsource: "CONFIRM",
                     url: "https://security.netapp.com/advisory/ntap-20190301-0001/",
                  },
                  {
                     name: "https://security.netapp.com/advisory/ntap-20190301-0002/",
                     refsource: "CONFIRM",
                     url: "https://security.netapp.com/advisory/ntap-20190301-0002/",
                  },
                  {
                     name: "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=e9bbefbf0f24c57645e7ad6a5a71ae649d18ac8e",
                     refsource: "CONFIRM",
                     url: "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=e9bbefbf0f24c57645e7ad6a5a71ae649d18ac8e",
                  },
                  {
                     name: "https://www.openssl.org/news/secadv/20190226.txt",
                     refsource: "CONFIRM",
                     url: "https://www.openssl.org/news/secadv/20190226.txt",
                  },
                  {
                     name: "https://support.f5.com/csp/article/K18549143",
                     refsource: "CONFIRM",
                     url: "https://support.f5.com/csp/article/K18549143",
                  },
                  {
                     name: "https://www.tenable.com/security/tns-2019-02",
                     refsource: "CONFIRM",
                     url: "https://www.tenable.com/security/tns-2019-02",
                  },
                  {
                     name: "https://security.netapp.com/advisory/ntap-20190423-0002/",
                     refsource: "CONFIRM",
                     url: "https://security.netapp.com/advisory/ntap-20190423-0002/",
                  },
                  {
                     name: "https://www.tenable.com/security/tns-2019-03",
                     refsource: "CONFIRM",
                     url: "https://www.tenable.com/security/tns-2019-03",
                  },
                  {
                     name: "https://kc.mcafee.com/corporate/index?page=content&id=SB10282",
                     refsource: "CONFIRM",
                     url: "https://kc.mcafee.com/corporate/index?page=content&id=SB10282",
                  },
                  {
                     name: "https://support.f5.com/csp/article/K18549143?utm_source=f5support&utm_medium=RSS",
                     refsource: "CONFIRM",
                     url: "https://support.f5.com/csp/article/K18549143?utm_source=f5support&utm_medium=RSS",
                  },
               ],
            },
         },
      },
   },
   cveMetadata: {
      assignerOrgId: "3a12439a-ef3a-4c79-92e6-6081a721f1e5",
      assignerShortName: "openssl",
      cveId: "CVE-2019-1559",
      datePublished: "2019-02-27T23:00:00Z",
      dateReserved: "2018-11-28T00:00:00",
      dateUpdated: "2024-09-17T04:20:35.057Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
}

cve-2015-8544
Vulnerability from cvelistv5
Published
2017-02-07 17:00
Modified
2024-08-06 08:20
Severity ?
Summary
NetApp SnapDrive for Windows before 7.0.2P4, 7.0.3, and 7.1 before 7.1.3P1 allows remote attackers to obtain sensitive information via unspecified vectors.
Impacted products
Vendor Product Version
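n/a n/a Version: n/a (the CNA record leaves vendor, product and version unset; the summary above names the product as NetApp SnapDrive for Windows before 7.0.2P4, 7.0.3, and 7.1 before 7.1.3P1, so matching on these structured fields alone will miss this entry)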


{
   containers: {
      adp: [
         {
            providerMetadata: {
               dateUpdated: "2024-08-06T08:20:43.501Z",
               orgId: "af854a3a-2127-422b-91ae-364da2661108",
               shortName: "CVE",
            },
            references: [
               {
                  tags: [
                     "x_refsource_CONFIRM",
                     "x_transferred",
                  ],
                  url: "https://security.netapp.com/advisory/ntap-20160111-0001/",
               },
               {
                  tags: [
                     "x_refsource_CONFIRM",
                     "x_transferred",
                  ],
                  url: "https://kb.netapp.com/support/s/article/cve-2015-8544-sensitive-information-disclosure-in-snapdrive-for-windows",
               },
            ],
            title: "CVE Program Container",
         },
      ],
      cna: {
         affected: [
            {
               product: "n/a",
               vendor: "n/a",
               versions: [
                  {
                     status: "affected",
                     version: "n/a",
                  },
               ],
            },
         ],
         datePublic: "2016-01-11T00:00:00",
         descriptions: [
            {
               lang: "en",
               value: "NetApp SnapDrive for Windows before 7.0.2P4, 7.0.3, and 7.1 before 7.1.3P1 allows remote attackers to obtain sensitive information via unspecified vectors.",
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     description: "n/a",
                     lang: "en",
                     type: "text",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2017-11-15T10:57:01",
            orgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            shortName: "mitre",
         },
         references: [
            {
               tags: [
                  "x_refsource_CONFIRM",
               ],
               url: "https://security.netapp.com/advisory/ntap-20160111-0001/",
            },
            {
               tags: [
                  "x_refsource_CONFIRM",
               ],
               url: "https://kb.netapp.com/support/s/article/cve-2015-8544-sensitive-information-disclosure-in-snapdrive-for-windows",
            },
         ],
         x_legacyV4Record: {
            CVE_data_meta: {
               ASSIGNER: "cve@mitre.org",
               ID: "CVE-2015-8544",
               STATE: "PUBLIC",
            },
            affects: {
               vendor: {
                  vendor_data: [
                     {
                        product: {
                           product_data: [
                              {
                                 product_name: "n/a",
                                 version: {
                                    version_data: [
                                       {
                                          version_value: "n/a",
                                       },
                                    ],
                                 },
                              },
                           ],
                        },
                        vendor_name: "n/a",
                     },
                  ],
               },
            },
            data_format: "MITRE",
            data_type: "CVE",
            data_version: "4.0",
            description: {
               description_data: [
                  {
                     lang: "eng",
                     value: "NetApp SnapDrive for Windows before 7.0.2P4, 7.0.3, and 7.1 before 7.1.3P1 allows remote attackers to obtain sensitive information via unspecified vectors.",
                  },
               ],
            },
            problemtype: {
               problemtype_data: [
                  {
                     description: [
                        {
                           lang: "eng",
                           value: "n/a",
                        },
                     ],
                  },
               ],
            },
            references: {
               reference_data: [
                  {
                     name: "https://security.netapp.com/advisory/ntap-20160111-0001/",
                     refsource: "CONFIRM",
                     url: "https://security.netapp.com/advisory/ntap-20160111-0001/",
                  },
                  {
                     name: "https://kb.netapp.com/support/s/article/cve-2015-8544-sensitive-information-disclosure-in-snapdrive-for-windows",
                     refsource: "CONFIRM",
                     url: "https://kb.netapp.com/support/s/article/cve-2015-8544-sensitive-information-disclosure-in-snapdrive-for-windows",
                  },
               ],
            },
         },
      },
   },
   cveMetadata: {
      assignerOrgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
      assignerShortName: "mitre",
      cveId: "CVE-2015-8544",
      datePublished: "2017-02-07T17:00:00",
      dateReserved: "2015-12-11T00:00:00",
      dateUpdated: "2024-08-06T08:20:43.501Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
}

cve-2021-3537
Vulnerability from cvelistv5
Published
2021-05-14 19:50
Modified
2024-08-03 17:01
Severity ?
Summary
A vulnerability found in libxml2 in versions before 2.9.11 shows that it did not propagate errors while parsing XML mixed content, causing a NULL dereference. If an untrusted XML document was parsed in recovery mode and post-validated, the flaw could be used to crash the application. The highest threat from this vulnerability is to system availability.
Impacted products
Vendor Product Version
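n/a libxml2 Version: libxml2 2.9.11 (the summary above states that versions before 2.9.11 are affected, so this value appears to name the fixed release rather than an affected one; confirm against the vendor advisories before using it for version matching)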


{
   containers: {
      adp: [
         {
            providerMetadata: {
               dateUpdated: "2024-08-03T17:01:08.318Z",
               orgId: "af854a3a-2127-422b-91ae-364da2661108",
               shortName: "CVE",
            },
            references: [
               {
                  name: "FEDORA-2021-e3ed1ba38b",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_FEDORA",
                     "x_transferred",
                  ],
                  url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QVM4UJ3376I6ZVOYMHBNX4GY3NIV52WV/",
               },
               {
                  name: "[debian-lts-announce] 20210510 [SECURITY] [DLA 2653-1] libxml2 security update",
                  tags: [
                     "mailing-list",
                     "x_refsource_MLIST",
                     "x_transferred",
                  ],
                  url: "https://lists.debian.org/debian-lts-announce/2021/05/msg00008.html",
               },
               {
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://bugzilla.redhat.com/show_bug.cgi?id=1956522",
               },
               {
                  name: "FEDORA-2021-b950000d2b",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_FEDORA",
                     "x_transferred",
                  ],
                  url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BZOMV5J4PMZAORVT64BKLV6YIZAFDGX6/",
               },
               {
                  name: "GLSA-202107-05",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_GENTOO",
                     "x_transferred",
                  ],
                  url: "https://security.gentoo.org/glsa/202107-05",
               },
               {
                  tags: [
                     "x_refsource_CONFIRM",
                     "x_transferred",
                  ],
                  url: "https://security.netapp.com/advisory/ntap-20210625-0002/",
               },
               {
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://www.oracle.com/security-alerts/cpuoct2021.html",
               },
               {
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://www.oracle.com/security-alerts/cpuapr2022.html",
               },
               {
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://www.oracle.com/security-alerts/cpujul2022.html",
               },
            ],
            title: "CVE Program Container",
         },
      ],
      cna: {
         affected: [
            {
               product: "libxml2",
               vendor: "n/a",
               versions: [
                  {
                     status: "affected",
                     version: "libxml2 2.9.11",
                  },
               ],
            },
         ],
         descriptions: [
            {
               lang: "en",
               value: "A vulnerability found in libxml2 in versions before 2.9.11 shows that it did not propagate errors while parsing XML mixed content, causing a NULL dereference. If an untrusted XML document was parsed in recovery mode and post-validated, the flaw could be used to crash the application. The highest threat from this vulnerability is to system availability.",
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     cweId: "CWE-476",
                     description: "CWE-476",
                     lang: "en",
                     type: "CWE",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2022-07-25T16:35:39",
            orgId: "53f830b8-0a3f-465b-8143-3b8a9948e749",
            shortName: "redhat",
         },
         references: [
            {
               name: "FEDORA-2021-e3ed1ba38b",
               tags: [
                  "vendor-advisory",
                  "x_refsource_FEDORA",
               ],
               url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QVM4UJ3376I6ZVOYMHBNX4GY3NIV52WV/",
            },
            {
               name: "[debian-lts-announce] 20210510 [SECURITY] [DLA 2653-1] libxml2 security update",
               tags: [
                  "mailing-list",
                  "x_refsource_MLIST",
               ],
               url: "https://lists.debian.org/debian-lts-announce/2021/05/msg00008.html",
            },
            {
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://bugzilla.redhat.com/show_bug.cgi?id=1956522",
            },
            {
               name: "FEDORA-2021-b950000d2b",
               tags: [
                  "vendor-advisory",
                  "x_refsource_FEDORA",
               ],
               url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BZOMV5J4PMZAORVT64BKLV6YIZAFDGX6/",
            },
            {
               name: "GLSA-202107-05",
               tags: [
                  "vendor-advisory",
                  "x_refsource_GENTOO",
               ],
               url: "https://security.gentoo.org/glsa/202107-05",
            },
            {
               tags: [
                  "x_refsource_CONFIRM",
               ],
               url: "https://security.netapp.com/advisory/ntap-20210625-0002/",
            },
            {
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://www.oracle.com/security-alerts/cpuoct2021.html",
            },
            {
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://www.oracle.com/security-alerts/cpuapr2022.html",
            },
            {
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://www.oracle.com/security-alerts/cpujul2022.html",
            },
         ],
         x_legacyV4Record: {
            CVE_data_meta: {
               ASSIGNER: "secalert@redhat.com",
               ID: "CVE-2021-3537",
               STATE: "PUBLIC",
            },
            affects: {
               vendor: {
                  vendor_data: [
                     {
                        product: {
                           product_data: [
                              {
                                 product_name: "libxml2",
                                 version: {
                                    version_data: [
                                       {
                                          version_value: "libxml2 2.9.11",
                                       },
                                    ],
                                 },
                              },
                           ],
                        },
                        vendor_name: "n/a",
                     },
                  ],
               },
            },
            data_format: "MITRE",
            data_type: "CVE",
            data_version: "4.0",
            description: {
               description_data: [
                  {
                     lang: "eng",
                     value: "A vulnerability found in libxml2 in versions before 2.9.11 shows that it did not propagate errors while parsing XML mixed content, causing a NULL dereference. If an untrusted XML document was parsed in recovery mode and post-validated, the flaw could be used to crash the application. The highest threat from this vulnerability is to system availability.",
                  },
               ],
            },
            problemtype: {
               problemtype_data: [
                  {
                     description: [
                        {
                           lang: "eng",
                           value: "CWE-476",
                        },
                     ],
                  },
               ],
            },
            references: {
               reference_data: [
                  {
                     name: "FEDORA-2021-e3ed1ba38b",
                     refsource: "FEDORA",
                     url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QVM4UJ3376I6ZVOYMHBNX4GY3NIV52WV/",
                  },
                  {
                     name: "[debian-lts-announce] 20210510 [SECURITY] [DLA 2653-1] libxml2 security update",
                     refsource: "MLIST",
                     url: "https://lists.debian.org/debian-lts-announce/2021/05/msg00008.html",
                  },
                  {
                     name: "https://bugzilla.redhat.com/show_bug.cgi?id=1956522",
                     refsource: "MISC",
                     url: "https://bugzilla.redhat.com/show_bug.cgi?id=1956522",
                  },
                  {
                     name: "FEDORA-2021-b950000d2b",
                     refsource: "FEDORA",
                     url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BZOMV5J4PMZAORVT64BKLV6YIZAFDGX6/",
                  },
                  {
                     name: "GLSA-202107-05",
                     refsource: "GENTOO",
                     url: "https://security.gentoo.org/glsa/202107-05",
                  },
                  {
                     name: "https://security.netapp.com/advisory/ntap-20210625-0002/",
                     refsource: "CONFIRM",
                     url: "https://security.netapp.com/advisory/ntap-20210625-0002/",
                  },
                  {
                     name: "https://www.oracle.com/security-alerts/cpuoct2021.html",
                     refsource: "MISC",
                     url: "https://www.oracle.com/security-alerts/cpuoct2021.html",
                  },
                  {
                     name: "https://www.oracle.com/security-alerts/cpuapr2022.html",
                     refsource: "MISC",
                     url: "https://www.oracle.com/security-alerts/cpuapr2022.html",
                  },
                  {
                     name: "https://www.oracle.com/security-alerts/cpujul2022.html",
                     refsource: "MISC",
                     url: "https://www.oracle.com/security-alerts/cpujul2022.html",
                  },
               ],
            },
         },
      },
   },
   cveMetadata: {
      assignerOrgId: "53f830b8-0a3f-465b-8143-3b8a9948e749",
      assignerShortName: "redhat",
      cveId: "CVE-2021-3537",
      datePublished: "2021-05-14T19:50:10",
      dateReserved: "2021-05-05T00:00:00",
      dateUpdated: "2024-08-03T17:01:08.318Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
}

cve-2021-3541
Vulnerability from cvelistv5
Published
2021-07-09 16:02
Modified
2024-08-03 17:01
Severity ?
Summary
A flaw was found in libxml2. An exponential entity expansion attack is possible, bypassing all existing protection mechanisms and leading to denial of service.
Impacted products
Vendor Product Version
n/a libxml2 Version: 2.9.11


{
   containers: {
      adp: [
         {
            providerMetadata: {
               dateUpdated: "2024-08-03T17:01:07.290Z",
               orgId: "af854a3a-2127-422b-91ae-364da2661108",
               shortName: "CVE",
            },
            references: [
               {
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://bugzilla.redhat.com/show_bug.cgi?id=1950515",
               },
               {
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://www.oracle.com/security-alerts/cpujan2022.html",
               },
               {
                  tags: [
                     "x_refsource_CONFIRM",
                     "x_transferred",
                  ],
                  url: "https://security.netapp.com/advisory/ntap-20210805-0007/",
               },
            ],
            title: "CVE Program Container",
         },
      ],
      cna: {
         affected: [
            {
               product: "libxml2",
               vendor: "n/a",
               versions: [
                  {
                     status: "affected",
                     version: "2.9.11",
                  },
               ],
            },
         ],
         descriptions: [
            {
               lang: "en",
               value: "A flaw was found in libxml2. Exponential entity expansion attack its possible bypassing all existing protection mechanisms and leading to denial of service.",
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     description: "Denial of Service",
                     lang: "en",
                     type: "text",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2022-02-07T14:43:03",
            orgId: "53f830b8-0a3f-465b-8143-3b8a9948e749",
            shortName: "redhat",
         },
         references: [
            {
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://bugzilla.redhat.com/show_bug.cgi?id=1950515",
            },
            {
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://www.oracle.com/security-alerts/cpujan2022.html",
            },
            {
               tags: [
                  "x_refsource_CONFIRM",
               ],
               url: "https://security.netapp.com/advisory/ntap-20210805-0007/",
            },
         ],
         x_legacyV4Record: {
            CVE_data_meta: {
               ASSIGNER: "secalert@redhat.com",
               ID: "CVE-2021-3541",
               STATE: "PUBLIC",
            },
            affects: {
               vendor: {
                  vendor_data: [
                     {
                        product: {
                           product_data: [
                              {
                                 product_name: "libxml2",
                                 version: {
                                    version_data: [
                                       {
                                          version_value: "2.9.11",
                                       },
                                    ],
                                 },
                              },
                           ],
                        },
                        vendor_name: "n/a",
                     },
                  ],
               },
            },
            data_format: "MITRE",
            data_type: "CVE",
            data_version: "4.0",
            description: {
               description_data: [
                  {
                     lang: "eng",
                     value: "A flaw was found in libxml2. Exponential entity expansion attack its possible bypassing all existing protection mechanisms and leading to denial of service.",
                  },
               ],
            },
            problemtype: {
               problemtype_data: [
                  {
                     description: [
                        {
                           lang: "eng",
                           value: "Denial of Service",
                        },
                     ],
                  },
               ],
            },
            references: {
               reference_data: [
                  {
                     name: "https://bugzilla.redhat.com/show_bug.cgi?id=1950515",
                     refsource: "MISC",
                     url: "https://bugzilla.redhat.com/show_bug.cgi?id=1950515",
                  },
                  {
                     name: "https://www.oracle.com/security-alerts/cpujan2022.html",
                     refsource: "MISC",
                     url: "https://www.oracle.com/security-alerts/cpujan2022.html",
                  },
                  {
                     name: "https://security.netapp.com/advisory/ntap-20210805-0007/",
                     refsource: "CONFIRM",
                     url: "https://security.netapp.com/advisory/ntap-20210805-0007/",
                  },
               ],
            },
         },
      },
   },
   cveMetadata: {
      assignerOrgId: "53f830b8-0a3f-465b-8143-3b8a9948e749",
      assignerShortName: "redhat",
      cveId: "CVE-2021-3541",
      datePublished: "2021-07-09T16:02:21",
      dateReserved: "2021-05-10T00:00:00",
      dateUpdated: "2024-08-03T17:01:07.290Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
}

cve-2021-3517
Vulnerability from cvelistv5
Published
2021-05-19 13:45
Modified
2024-08-03 16:53
Severity ?
Summary
There is a flaw in the XML entity encoding functionality of libxml2 in versions before 2.9.11. An attacker who is able to supply a crafted file to be processed by an application linked with the affected functionality of libxml2 could trigger an out-of-bounds read. The most likely impact of this flaw is to application availability, with some potential impact to confidentiality and integrity if an attacker is able to use memory information to further exploit the application. Note that the record below classifies the problem type as CWE-787 (out-of-bounds write), which does not match the out-of-bounds read described here.
Impacted products
Vendor Product Version
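n/a libxml2 Version: libxml2 2.9.11 (the record marks this version as "affected", but the summary places the flaw in versions before 2.9.11, so 2.9.11 reads as the fixed release rather than a vulnerable one)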


{
   containers: {
      adp: [
         {
            providerMetadata: {
               dateUpdated: "2024-08-03T16:53:17.731Z",
               orgId: "af854a3a-2127-422b-91ae-364da2661108",
               shortName: "CVE",
            },
            references: [
               {
                  name: "FEDORA-2021-e3ed1ba38b",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_FEDORA",
                     "x_transferred",
                  ],
                  url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QVM4UJ3376I6ZVOYMHBNX4GY3NIV52WV/",
               },
               {
                  name: "[debian-lts-announce] 20210510 [SECURITY] [DLA 2653-1] libxml2 security update",
                  tags: [
                     "mailing-list",
                     "x_refsource_MLIST",
                     "x_transferred",
                  ],
                  url: "https://lists.debian.org/debian-lts-announce/2021/05/msg00008.html",
               },
               {
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://bugzilla.redhat.com/show_bug.cgi?id=1954232",
               },
               {
                  name: "FEDORA-2021-b950000d2b",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_FEDORA",
                     "x_transferred",
                  ],
                  url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BZOMV5J4PMZAORVT64BKLV6YIZAFDGX6/",
               },
               {
                  name: "[bookkeeper-issues] 20210628 [GitHub] [bookkeeper] padma81 opened a new issue #2746: Security Vulnerabilities in CentOS 7 image, Upgrade image to CentOS 8",
                  tags: [
                     "mailing-list",
                     "x_refsource_MLIST",
                     "x_transferred",
                  ],
                  url: "https://lists.apache.org/thread.html/rf4c02775860db415b4955778a131c2795223f61cb8c6a450893651e4%40%3Cissues.bookkeeper.apache.org%3E",
               },
               {
                  name: "[bookkeeper-issues] 20210629 [GitHub] [bookkeeper] padma81 opened a new issue #2746: Security Vulnerabilities in CentOS 7 image, Upgrade image to CentOS 8",
                  tags: [
                     "mailing-list",
                     "x_refsource_MLIST",
                     "x_transferred",
                  ],
                  url: "https://lists.apache.org/thread.html/r58af02e294bd07f487e2c64ffc0a29b837db5600e33b6e698b9d696b%40%3Cissues.bookkeeper.apache.org%3E",
               },
               {
                  name: "GLSA-202107-05",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_GENTOO",
                     "x_transferred",
                  ],
                  url: "https://security.gentoo.org/glsa/202107-05",
               },
               {
                  tags: [
                     "x_refsource_CONFIRM",
                     "x_transferred",
                  ],
                  url: "https://security.netapp.com/advisory/ntap-20210625-0002/",
               },
               {
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://www.oracle.com/security-alerts/cpuoct2021.html",
               },
               {
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://www.oracle.com/security-alerts/cpujan2022.html",
               },
               {
                  tags: [
                     "x_refsource_CONFIRM",
                     "x_transferred",
                  ],
                  url: "https://security.netapp.com/advisory/ntap-20211022-0004/",
               },
               {
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://www.oracle.com/security-alerts/cpuapr2022.html",
               },
               {
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://www.oracle.com/security-alerts/cpujul2022.html",
               },
            ],
            title: "CVE Program Container",
         },
      ],
      cna: {
         affected: [
            {
               product: "libxml2",
               vendor: "n/a",
               versions: [
                  {
                     status: "affected",
                     version: "libxml2 2.9.11",
                  },
               ],
            },
         ],
         descriptions: [
            {
               lang: "en",
               value: "There is a flaw in the xml entity encoding functionality of libxml2 in versions before 2.9.11. An attacker who is able to supply a crafted file to be processed by an application linked with the affected functionality of libxml2 could trigger an out-of-bounds read. The most likely impact of this flaw is to application availability, with some potential impact to confidentiality and integrity if an attacker is able to use memory information to further exploit the application.",
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     cweId: "CWE-787",
                     description: "CWE-787",
                     lang: "en",
                     type: "CWE",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2022-07-25T16:35:17",
            orgId: "53f830b8-0a3f-465b-8143-3b8a9948e749",
            shortName: "redhat",
         },
         references: [
            {
               name: "FEDORA-2021-e3ed1ba38b",
               tags: [
                  "vendor-advisory",
                  "x_refsource_FEDORA",
               ],
               url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QVM4UJ3376I6ZVOYMHBNX4GY3NIV52WV/",
            },
            {
               name: "[debian-lts-announce] 20210510 [SECURITY] [DLA 2653-1] libxml2 security update",
               tags: [
                  "mailing-list",
                  "x_refsource_MLIST",
               ],
               url: "https://lists.debian.org/debian-lts-announce/2021/05/msg00008.html",
            },
            {
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://bugzilla.redhat.com/show_bug.cgi?id=1954232",
            },
            {
               name: "FEDORA-2021-b950000d2b",
               tags: [
                  "vendor-advisory",
                  "x_refsource_FEDORA",
               ],
               url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BZOMV5J4PMZAORVT64BKLV6YIZAFDGX6/",
            },
            {
               name: "[bookkeeper-issues] 20210628 [GitHub] [bookkeeper] padma81 opened a new issue #2746: Security Vulnerabilities in CentOS 7 image, Upgrade image to CentOS 8",
               tags: [
                  "mailing-list",
                  "x_refsource_MLIST",
               ],
               url: "https://lists.apache.org/thread.html/rf4c02775860db415b4955778a131c2795223f61cb8c6a450893651e4%40%3Cissues.bookkeeper.apache.org%3E",
            },
            {
               name: "[bookkeeper-issues] 20210629 [GitHub] [bookkeeper] padma81 opened a new issue #2746: Security Vulnerabilities in CentOS 7 image, Upgrade image to CentOS 8",
               tags: [
                  "mailing-list",
                  "x_refsource_MLIST",
               ],
               url: "https://lists.apache.org/thread.html/r58af02e294bd07f487e2c64ffc0a29b837db5600e33b6e698b9d696b%40%3Cissues.bookkeeper.apache.org%3E",
            },
            {
               name: "GLSA-202107-05",
               tags: [
                  "vendor-advisory",
                  "x_refsource_GENTOO",
               ],
               url: "https://security.gentoo.org/glsa/202107-05",
            },
            {
               tags: [
                  "x_refsource_CONFIRM",
               ],
               url: "https://security.netapp.com/advisory/ntap-20210625-0002/",
            },
            {
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://www.oracle.com/security-alerts/cpuoct2021.html",
            },
            {
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://www.oracle.com/security-alerts/cpujan2022.html",
            },
            {
               tags: [
                  "x_refsource_CONFIRM",
               ],
               url: "https://security.netapp.com/advisory/ntap-20211022-0004/",
            },
            {
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://www.oracle.com/security-alerts/cpuapr2022.html",
            },
            {
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://www.oracle.com/security-alerts/cpujul2022.html",
            },
         ],
         x_legacyV4Record: {
            CVE_data_meta: {
               ASSIGNER: "secalert@redhat.com",
               ID: "CVE-2021-3517",
               STATE: "PUBLIC",
            },
            affects: {
               vendor: {
                  vendor_data: [
                     {
                        product: {
                           product_data: [
                              {
                                 product_name: "libxml2",
                                 version: {
                                    version_data: [
                                       {
                                          version_value: "libxml2 2.9.11",
                                       },
                                    ],
                                 },
                              },
                           ],
                        },
                        vendor_name: "n/a",
                     },
                  ],
               },
            },
            data_format: "MITRE",
            data_type: "CVE",
            data_version: "4.0",
            description: {
               description_data: [
                  {
                     lang: "eng",
                     value: "There is a flaw in the xml entity encoding functionality of libxml2 in versions before 2.9.11. An attacker who is able to supply a crafted file to be processed by an application linked with the affected functionality of libxml2 could trigger an out-of-bounds read. The most likely impact of this flaw is to application availability, with some potential impact to confidentiality and integrity if an attacker is able to use memory information to further exploit the application.",
                  },
               ],
            },
            problemtype: {
               problemtype_data: [
                  {
                     description: [
                        {
                           lang: "eng",
                           value: "CWE-787",
                        },
                     ],
                  },
               ],
            },
            references: {
               reference_data: [
                  {
                     name: "FEDORA-2021-e3ed1ba38b",
                     refsource: "FEDORA",
                     url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QVM4UJ3376I6ZVOYMHBNX4GY3NIV52WV/",
                  },
                  {
                     name: "[debian-lts-announce] 20210510 [SECURITY] [DLA 2653-1] libxml2 security update",
                     refsource: "MLIST",
                     url: "https://lists.debian.org/debian-lts-announce/2021/05/msg00008.html",
                  },
                  {
                     name: "https://bugzilla.redhat.com/show_bug.cgi?id=1954232",
                     refsource: "MISC",
                     url: "https://bugzilla.redhat.com/show_bug.cgi?id=1954232",
                  },
                  {
                     name: "FEDORA-2021-b950000d2b",
                     refsource: "FEDORA",
                     url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BZOMV5J4PMZAORVT64BKLV6YIZAFDGX6/",
                  },
                  {
                     name: "[bookkeeper-issues] 20210628 [GitHub] [bookkeeper] padma81 opened a new issue #2746: Security Vulnerabilities in CentOS 7 image, Upgrade image to CentOS 8",
                     refsource: "MLIST",
                     url: "https://lists.apache.org/thread.html/rf4c02775860db415b4955778a131c2795223f61cb8c6a450893651e4@%3Cissues.bookkeeper.apache.org%3E",
                  },
                  {
                     name: "[bookkeeper-issues] 20210629 [GitHub] [bookkeeper] padma81 opened a new issue #2746: Security Vulnerabilities in CentOS 7 image, Upgrade image to CentOS 8",
                     refsource: "MLIST",
                     url: "https://lists.apache.org/thread.html/r58af02e294bd07f487e2c64ffc0a29b837db5600e33b6e698b9d696b@%3Cissues.bookkeeper.apache.org%3E",
                  },
                  {
                     name: "GLSA-202107-05",
                     refsource: "GENTOO",
                     url: "https://security.gentoo.org/glsa/202107-05",
                  },
                  {
                     name: "https://security.netapp.com/advisory/ntap-20210625-0002/",
                     refsource: "CONFIRM",
                     url: "https://security.netapp.com/advisory/ntap-20210625-0002/",
                  },
                  {
                     name: "https://www.oracle.com/security-alerts/cpuoct2021.html",
                     refsource: "MISC",
                     url: "https://www.oracle.com/security-alerts/cpuoct2021.html",
                  },
                  {
                     name: "https://www.oracle.com/security-alerts/cpujan2022.html",
                     refsource: "MISC",
                     url: "https://www.oracle.com/security-alerts/cpujan2022.html",
                  },
                  {
                     name: "https://security.netapp.com/advisory/ntap-20211022-0004/",
                     refsource: "CONFIRM",
                     url: "https://security.netapp.com/advisory/ntap-20211022-0004/",
                  },
                  {
                     name: "https://www.oracle.com/security-alerts/cpuapr2022.html",
                     refsource: "MISC",
                     url: "https://www.oracle.com/security-alerts/cpuapr2022.html",
                  },
                  {
                     name: "https://www.oracle.com/security-alerts/cpujul2022.html",
                     refsource: "MISC",
                     url: "https://www.oracle.com/security-alerts/cpujul2022.html",
                  },
               ],
            },
         },
      },
   },
   cveMetadata: {
      assignerOrgId: "53f830b8-0a3f-465b-8143-3b8a9948e749",
      assignerShortName: "redhat",
      cveId: "CVE-2021-3517",
      datePublished: "2021-05-19T13:45:00",
      dateReserved: "2021-04-27T00:00:00",
      dateUpdated: "2024-08-03T16:53:17.731Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
}

cve-2019-20388
Vulnerability from cvelistv5
Published
2020-01-21 22:53
Modified
2024-08-05 02:39
Severity ?
Summary
xmlSchemaPreRun in xmlschemas.c in libxml2 2.9.10 allows an xmlSchemaValidateStream memory leak.
Impacted products
Vendor Product Version
n/a n/a Version: n/a


{
   containers: {
      adp: [
         {
            providerMetadata: {
               dateUpdated: "2024-08-05T02:39:09.814Z",
               orgId: "af854a3a-2127-422b-91ae-364da2661108",
               shortName: "CVE",
            },
            references: [
               {
                  name: "FEDORA-2020-41fe1680f6",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_FEDORA",
                     "x_transferred",
                  ],
                  url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/545SPOI3ZPPNPX4TFRIVE4JVRTJRKULL/",
               },
               {
                  name: "FEDORA-2020-0c71c00af4",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_FEDORA",
                     "x_transferred",
                  ],
                  url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5R55ZR52RMBX24TQTWHCIWKJVRV6YAWI/",
               },
               {
                  name: "FEDORA-2020-7694e8be73",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_FEDORA",
                     "x_transferred",
                  ],
                  url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JDPF3AAVKUAKDYFMFKSIQSVVS3EEFPQH/",
               },
               {
                  name: "openSUSE-SU-2020:0681",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_SUSE",
                     "x_transferred",
                  ],
                  url: "http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00047.html",
               },
               {
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://www.oracle.com/security-alerts/cpujul2020.html",
               },
               {
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://gitlab.gnome.org/GNOME/libxml2/merge_requests/68",
               },
               {
                  tags: [
                     "x_refsource_CONFIRM",
                     "x_transferred",
                  ],
                  url: "https://security.netapp.com/advisory/ntap-20200702-0005/",
               },
               {
                  name: "[debian-lts-announce] 20200909 [SECURITY] [DLA 2369-1] libxml2 security update",
                  tags: [
                     "mailing-list",
                     "x_refsource_MLIST",
                     "x_transferred",
                  ],
                  url: "https://lists.debian.org/debian-lts-announce/2020/09/msg00009.html",
               },
               {
                  name: "GLSA-202010-04",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_GENTOO",
                     "x_transferred",
                  ],
                  url: "https://security.gentoo.org/glsa/202010-04",
               },
               {
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://www.oracle.com/security-alerts/cpuoct2021.html",
               },
               {
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://www.oracle.com/security-alerts/cpuapr2022.html",
               },
               {
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://www.oracle.com/security-alerts/cpujul2022.html",
               },
            ],
            title: "CVE Program Container",
         },
      ],
      cna: {
         affected: [
            {
               product: "n/a",
               vendor: "n/a",
               versions: [
                  {
                     status: "affected",
                     version: "n/a",
                  },
               ],
            },
         ],
         descriptions: [
            {
               lang: "en",
               value: "xmlSchemaPreRun in xmlschemas.c in libxml2 2.9.10 allows an xmlSchemaValidateStream memory leak.",
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     description: "n/a",
                     lang: "en",
                     type: "text",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2022-07-25T16:12:42",
            orgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            shortName: "mitre",
         },
         references: [
            {
               name: "FEDORA-2020-41fe1680f6",
               tags: [
                  "vendor-advisory",
                  "x_refsource_FEDORA",
               ],
               url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/545SPOI3ZPPNPX4TFRIVE4JVRTJRKULL/",
            },
            {
               name: "FEDORA-2020-0c71c00af4",
               tags: [
                  "vendor-advisory",
                  "x_refsource_FEDORA",
               ],
               url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5R55ZR52RMBX24TQTWHCIWKJVRV6YAWI/",
            },
            {
               name: "FEDORA-2020-7694e8be73",
               tags: [
                  "vendor-advisory",
                  "x_refsource_FEDORA",
               ],
               url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JDPF3AAVKUAKDYFMFKSIQSVVS3EEFPQH/",
            },
            {
               name: "openSUSE-SU-2020:0681",
               tags: [
                  "vendor-advisory",
                  "x_refsource_SUSE",
               ],
               url: "http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00047.html",
            },
            {
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://www.oracle.com/security-alerts/cpujul2020.html",
            },
            {
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://gitlab.gnome.org/GNOME/libxml2/merge_requests/68",
            },
            {
               tags: [
                  "x_refsource_CONFIRM",
               ],
               url: "https://security.netapp.com/advisory/ntap-20200702-0005/",
            },
            {
               name: "[debian-lts-announce] 20200909 [SECURITY] [DLA 2369-1] libxml2 security update",
               tags: [
                  "mailing-list",
                  "x_refsource_MLIST",
               ],
               url: "https://lists.debian.org/debian-lts-announce/2020/09/msg00009.html",
            },
            {
               name: "GLSA-202010-04",
               tags: [
                  "vendor-advisory",
                  "x_refsource_GENTOO",
               ],
               url: "https://security.gentoo.org/glsa/202010-04",
            },
            {
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://www.oracle.com/security-alerts/cpuoct2021.html",
            },
            {
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://www.oracle.com/security-alerts/cpuapr2022.html",
            },
            {
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://www.oracle.com/security-alerts/cpujul2022.html",
            },
         ],
         x_legacyV4Record: {
            CVE_data_meta: {
               ASSIGNER: "cve@mitre.org",
               ID: "CVE-2019-20388",
               STATE: "PUBLIC",
            },
            affects: {
               vendor: {
                  vendor_data: [
                     {
                        product: {
                           product_data: [
                              {
                                 product_name: "n/a",
                                 version: {
                                    version_data: [
                                       {
                                          version_value: "n/a",
                                       },
                                    ],
                                 },
                              },
                           ],
                        },
                        vendor_name: "n/a",
                     },
                  ],
               },
            },
            data_format: "MITRE",
            data_type: "CVE",
            data_version: "4.0",
            description: {
               description_data: [
                  {
                     lang: "eng",
                     value: "xmlSchemaPreRun in xmlschemas.c in libxml2 2.9.10 allows an xmlSchemaValidateStream memory leak.",
                  },
               ],
            },
            problemtype: {
               problemtype_data: [
                  {
                     description: [
                        {
                           lang: "eng",
                           value: "n/a",
                        },
                     ],
                  },
               ],
            },
            references: {
               reference_data: [
                  {
                     name: "FEDORA-2020-41fe1680f6",
                     refsource: "FEDORA",
                     url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/545SPOI3ZPPNPX4TFRIVE4JVRTJRKULL/",
                  },
                  {
                     name: "FEDORA-2020-0c71c00af4",
                     refsource: "FEDORA",
                     url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5R55ZR52RMBX24TQTWHCIWKJVRV6YAWI/",
                  },
                  {
                     name: "FEDORA-2020-7694e8be73",
                     refsource: "FEDORA",
                     url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JDPF3AAVKUAKDYFMFKSIQSVVS3EEFPQH/",
                  },
                  {
                     name: "openSUSE-SU-2020:0681",
                     refsource: "SUSE",
                     url: "http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00047.html",
                  },
                  {
                     name: "https://www.oracle.com/security-alerts/cpujul2020.html",
                     refsource: "MISC",
                     url: "https://www.oracle.com/security-alerts/cpujul2020.html",
                  },
                  {
                     name: "https://gitlab.gnome.org/GNOME/libxml2/merge_requests/68",
                     refsource: "MISC",
                     url: "https://gitlab.gnome.org/GNOME/libxml2/merge_requests/68",
                  },
                  {
                     name: "https://security.netapp.com/advisory/ntap-20200702-0005/",
                     refsource: "CONFIRM",
                     url: "https://security.netapp.com/advisory/ntap-20200702-0005/",
                  },
                  {
                     name: "[debian-lts-announce] 20200909 [SECURITY] [DLA 2369-1] libxml2 security update",
                     refsource: "MLIST",
                     url: "https://lists.debian.org/debian-lts-announce/2020/09/msg00009.html",
                  },
                  {
                     name: "GLSA-202010-04",
                     refsource: "GENTOO",
                     url: "https://security.gentoo.org/glsa/202010-04",
                  },
                  {
                     name: "https://www.oracle.com/security-alerts/cpuoct2021.html",
                     refsource: "MISC",
                     url: "https://www.oracle.com/security-alerts/cpuoct2021.html",
                  },
                  {
                     name: "https://www.oracle.com/security-alerts/cpuapr2022.html",
                     refsource: "MISC",
                     url: "https://www.oracle.com/security-alerts/cpuapr2022.html",
                  },
                  {
                     name: "https://www.oracle.com/security-alerts/cpujul2022.html",
                     refsource: "MISC",
                     url: "https://www.oracle.com/security-alerts/cpujul2022.html",
                  },
               ],
            },
         },
      },
   },
   cveMetadata: {
      assignerOrgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
      assignerShortName: "mitre",
      cveId: "CVE-2019-20388",
      datePublished: "2020-01-21T22:53:50",
      dateReserved: "2020-01-21T00:00:00",
      dateUpdated: "2024-08-05T02:39:09.814Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
}

cve-2018-0735
Vulnerability from cvelistv5
Published
2018-10-29 13:00
Modified
2024-09-16 19:10
Severity
Low (OpenSSL security policy rating; the record below carries no CVSS metric)
Summary
The OpenSSL ECDSA signature algorithm has been shown to be vulnerable to a timing side channel attack. An attacker could use variations in the signing algorithm to recover the private key. Fixed in OpenSSL 1.1.0j (Affected 1.1.0-1.1.0i). Fixed in OpenSSL 1.1.1a (Affected 1.1.1).
Impacted products
Vendor Product Version
OpenSSL OpenSSL Version: Fixed in OpenSSL 1.1.0j (Affected 1.1.0-1.1.0i)
Version: Fixed in OpenSSL 1.1.1a (Affected 1.1.1)


{
   containers: {
      adp: [
         {
            providerMetadata: {
               dateUpdated: "2024-08-05T03:35:49.247Z",
               orgId: "af854a3a-2127-422b-91ae-364da2661108",
               shortName: "CVE",
            },
            references: [
               {
                  tags: [
                     "x_refsource_CONFIRM",
                     "x_transferred",
                  ],
                  url: "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=56fb454d281a023b3f950d969693553d3f3ceea1",
               },
               {
                  tags: [
                     "x_refsource_CONFIRM",
                     "x_transferred",
                  ],
                  url: "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html",
               },
               {
                  name: "105750",
                  tags: [
                     "vdb-entry",
                     "x_refsource_BID",
                     "x_transferred",
                  ],
                  url: "http://www.securityfocus.com/bid/105750",
               },
               {
                  name: "USN-3840-1",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_UBUNTU",
                     "x_transferred",
                  ],
                  url: "https://usn.ubuntu.com/3840-1/",
               },
               {
                  tags: [
                     "x_refsource_CONFIRM",
                     "x_transferred",
                  ],
                  url: "https://security.netapp.com/advisory/ntap-20181105-0002/",
               },
               {
                  tags: [
                     "x_refsource_CONFIRM",
                     "x_transferred",
                  ],
                  url: "https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/",
               },
               {
                  name: "1041986",
                  tags: [
                     "vdb-entry",
                     "x_refsource_SECTRACK",
                     "x_transferred",
                  ],
                  url: "http://www.securitytracker.com/id/1041986",
               },
               {
                  name: "[debian-lts-announce] 20181121 [SECURITY] [DLA 1586-1] openssl security update",
                  tags: [
                     "mailing-list",
                     "x_refsource_MLIST",
                     "x_transferred",
                  ],
                  url: "https://lists.debian.org/debian-lts-announce/2018/11/msg00024.html",
               },
               {
                  name: "DSA-4348",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_DEBIAN",
                     "x_transferred",
                  ],
                  url: "https://www.debian.org/security/2018/dsa-4348",
               },
               {
                  tags: [
                     "x_refsource_CONFIRM",
                     "x_transferred",
                  ],
                  url: "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=b1d6d55ece1c26fa2829e2b819b038d7b6d692b4",
               },
               {
                  tags: [
                     "x_refsource_CONFIRM",
                     "x_transferred",
                  ],
                  url: "https://www.openssl.org/news/secadv/20181029.txt",
               },
               {
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html",
               },
               {
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html",
               },
               {
                  name: "RHSA-2019:3700",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_REDHAT",
                     "x_transferred",
                  ],
                  url: "https://access.redhat.com/errata/RHSA-2019:3700",
               },
               {
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://www.oracle.com/security-alerts/cpujan2020.html",
               },
            ],
            title: "CVE Program Container",
         },
      ],
      cna: {
         affected: [
            {
               product: "OpenSSL",
               vendor: "OpenSSL",
               versions: [
                  {
                     status: "affected",
                     version: "Fixed in OpenSSL 1.1.0j (Affected 1.1.0-1.1.0i)",
                  },
                  {
                     status: "affected",
                     version: "Fixed in OpenSSL 1.1.1a (Affected 1.1.1)",
                  },
               ],
            },
         ],
         credits: [
            {
               lang: "en",
               value: "Samuel Weiser",
            },
         ],
         datePublic: "2018-10-29T00:00:00",
         descriptions: [
            {
               lang: "en",
               value: "The OpenSSL ECDSA signature algorithm has been shown to be vulnerable to a timing side channel attack. An attacker could use variations in the signing algorithm to recover the private key. Fixed in OpenSSL 1.1.0j (Affected 1.1.0-1.1.0i). Fixed in OpenSSL 1.1.1a (Affected 1.1.1).",
            },
         ],
         metrics: [
            {
               other: {
                  content: {
                     lang: "eng",
                     url: "https://www.openssl.org/policies/secpolicy.html#Low",
                     value: "Low",
                  },
                  type: "unknown",
               },
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     description: "Constant time issue",
                     lang: "en",
                     type: "text",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2020-01-15T19:15:21",
            orgId: "3a12439a-ef3a-4c79-92e6-6081a721f1e5",
            shortName: "openssl",
         },
         references: [
            {
               tags: [
                  "x_refsource_CONFIRM",
               ],
               url: "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=56fb454d281a023b3f950d969693553d3f3ceea1",
            },
            {
               tags: [
                  "x_refsource_CONFIRM",
               ],
               url: "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html",
            },
            {
               name: "105750",
               tags: [
                  "vdb-entry",
                  "x_refsource_BID",
               ],
               url: "http://www.securityfocus.com/bid/105750",
            },
            {
               name: "USN-3840-1",
               tags: [
                  "vendor-advisory",
                  "x_refsource_UBUNTU",
               ],
               url: "https://usn.ubuntu.com/3840-1/",
            },
            {
               tags: [
                  "x_refsource_CONFIRM",
               ],
               url: "https://security.netapp.com/advisory/ntap-20181105-0002/",
            },
            {
               tags: [
                  "x_refsource_CONFIRM",
               ],
               url: "https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/",
            },
            {
               name: "1041986",
               tags: [
                  "vdb-entry",
                  "x_refsource_SECTRACK",
               ],
               url: "http://www.securitytracker.com/id/1041986",
            },
            {
               name: "[debian-lts-announce] 20181121 [SECURITY] [DLA 1586-1] openssl security update",
               tags: [
                  "mailing-list",
                  "x_refsource_MLIST",
               ],
               url: "https://lists.debian.org/debian-lts-announce/2018/11/msg00024.html",
            },
            {
               name: "DSA-4348",
               tags: [
                  "vendor-advisory",
                  "x_refsource_DEBIAN",
               ],
               url: "https://www.debian.org/security/2018/dsa-4348",
            },
            {
               tags: [
                  "x_refsource_CONFIRM",
               ],
               url: "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=b1d6d55ece1c26fa2829e2b819b038d7b6d692b4",
            },
            {
               tags: [
                  "x_refsource_CONFIRM",
               ],
               url: "https://www.openssl.org/news/secadv/20181029.txt",
            },
            {
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html",
            },
            {
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html",
            },
            {
               name: "RHSA-2019:3700",
               tags: [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
               ],
               url: "https://access.redhat.com/errata/RHSA-2019:3700",
            },
            {
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://www.oracle.com/security-alerts/cpujan2020.html",
            },
         ],
         title: "Timing attack against ECDSA signature generation",
         x_legacyV4Record: {
            CVE_data_meta: {
               ASSIGNER: "openssl-security@openssl.org",
               DATE_PUBLIC: "2018-10-29",
               ID: "CVE-2018-0735",
               STATE: "PUBLIC",
               TITLE: "Timing attack against ECDSA signature generation",
            },
            affects: {
               vendor: {
                  vendor_data: [
                     {
                        product: {
                           product_data: [
                              {
                                 product_name: "OpenSSL",
                                 version: {
                                    version_data: [
                                       {
                                          version_value: "Fixed in OpenSSL 1.1.0j (Affected 1.1.0-1.1.0i)",
                                       },
                                       {
                                          version_value: "Fixed in OpenSSL 1.1.1a (Affected 1.1.1)",
                                       },
                                    ],
                                 },
                              },
                           ],
                        },
                        vendor_name: "OpenSSL",
                     },
                  ],
               },
            },
            credit: [
               {
                  lang: "eng",
                  value: "Samuel Weiser",
               },
            ],
            data_format: "MITRE",
            data_type: "CVE",
            data_version: "4.0",
            description: {
               description_data: [
                  {
                     lang: "eng",
                     value: "The OpenSSL ECDSA signature algorithm has been shown to be vulnerable to a timing side channel attack. An attacker could use variations in the signing algorithm to recover the private key. Fixed in OpenSSL 1.1.0j (Affected 1.1.0-1.1.0i). Fixed in OpenSSL 1.1.1a (Affected 1.1.1).",
                  },
               ],
            },
            impact: [
               {
                  lang: "eng",
                  url: "https://www.openssl.org/policies/secpolicy.html#Low",
                  value: "Low",
               },
            ],
            problemtype: {
               problemtype_data: [
                  {
                     description: [
                        {
                           lang: "eng",
                           value: "Constant time issue",
                        },
                     ],
                  },
               ],
            },
            references: {
               reference_data: [
                  {
                     name: "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=56fb454d281a023b3f950d969693553d3f3ceea1",
                     refsource: "CONFIRM",
                     url: "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=56fb454d281a023b3f950d969693553d3f3ceea1",
                  },
                  {
                     name: "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html",
                     refsource: "CONFIRM",
                     url: "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html",
                  },
                  {
                     name: "105750",
                     refsource: "BID",
                     url: "http://www.securityfocus.com/bid/105750",
                  },
                  {
                     name: "USN-3840-1",
                     refsource: "UBUNTU",
                     url: "https://usn.ubuntu.com/3840-1/",
                  },
                  {
                     name: "https://security.netapp.com/advisory/ntap-20181105-0002/",
                     refsource: "CONFIRM",
                     url: "https://security.netapp.com/advisory/ntap-20181105-0002/",
                  },
                  {
                     name: "https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/",
                     refsource: "CONFIRM",
                     url: "https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/",
                  },
                  {
                     name: "1041986",
                     refsource: "SECTRACK",
                     url: "http://www.securitytracker.com/id/1041986",
                  },
                  {
                     name: "[debian-lts-announce] 20181121 [SECURITY] [DLA 1586-1] openssl security update",
                     refsource: "MLIST",
                     url: "https://lists.debian.org/debian-lts-announce/2018/11/msg00024.html",
                  },
                  {
                     name: "DSA-4348",
                     refsource: "DEBIAN",
                     url: "https://www.debian.org/security/2018/dsa-4348",
                  },
                  {
                     name: "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=b1d6d55ece1c26fa2829e2b819b038d7b6d692b4",
                     refsource: "CONFIRM",
                     url: "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=b1d6d55ece1c26fa2829e2b819b038d7b6d692b4",
                  },
                  {
                     name: "https://www.openssl.org/news/secadv/20181029.txt",
                     refsource: "CONFIRM",
                     url: "https://www.openssl.org/news/secadv/20181029.txt",
                  },
                  {
                     name: "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html",
                     refsource: "MISC",
                     url: "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html",
                  },
                  {
                     name: "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html",
                     refsource: "MISC",
                     url: "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html",
                  },
                  {
                     name: "RHSA-2019:3700",
                     refsource: "REDHAT",
                     url: "https://access.redhat.com/errata/RHSA-2019:3700",
                  },
                  {
                     name: "https://www.oracle.com/security-alerts/cpujan2020.html",
                     refsource: "MISC",
                     url: "https://www.oracle.com/security-alerts/cpujan2020.html",
                  },
               ],
            },
         },
      },
   },
   cveMetadata: {
      assignerOrgId: "3a12439a-ef3a-4c79-92e6-6081a721f1e5",
      assignerShortName: "openssl",
      cveId: "CVE-2018-0735",
      datePublished: "2018-10-29T13:00:00Z",
      dateReserved: "2017-11-30T00:00:00",
      dateUpdated: "2024-09-16T19:10:32.005Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
}

cve-2015-8960
Vulnerability from cvelistv5
Published
2016-09-21 01:00
Modified
2024-08-06 08:36
Severity ?
Summary
The TLS protocol 1.2 and earlier supports the rsa_fixed_dh, dss_fixed_dh, rsa_fixed_ecdh, and ecdsa_fixed_ecdh values for ClientCertificateType but does not directly document the ability to compute the master secret in certain situations with a client secret key and server public key but not a server secret key, which makes it easier for man-in-the-middle attackers to spoof TLS servers by leveraging knowledge of the secret key for an arbitrary installed client X.509 certificate, aka the "Key Compromise Impersonation (KCI)" issue.
Impacted products
Vendor Product Version
n/a n/a Version: n/a


{
   containers: {
      adp: [
         {
            providerMetadata: {
               dateUpdated: "2024-08-06T08:36:30.681Z",
               orgId: "af854a3a-2127-422b-91ae-364da2661108",
               shortName: "CVE",
            },
            references: [
               {
                  name: "[oss-security] 20160920 Re: Possible CVE for TLS protocol issue",
                  tags: [
                     "mailing-list",
                     "x_refsource_MLIST",
                     "x_transferred",
                  ],
                  url: "http://www.openwall.com/lists/oss-security/2016/09/20/4",
               },
               {
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "http://twitter.com/matthew_d_green/statuses/630908726950674433",
               },
               {
                  name: "93071",
                  tags: [
                     "vdb-entry",
                     "x_refsource_BID",
                     "x_transferred",
                  ],
                  url: "http://www.securityfocus.com/bid/93071",
               },
               {
                  tags: [
                     "x_refsource_CONFIRM",
                     "x_transferred",
                  ],
                  url: "https://security.netapp.com/advisory/ntap-20180626-0002/",
               },
               {
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://www.usenix.org/system/files/conference/woot15/woot15-paper-hlauschek.pdf",
               },
               {
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://kcitls.org",
               },
            ],
            title: "CVE Program Container",
         },
      ],
      cna: {
         affected: [
            {
               product: "n/a",
               vendor: "n/a",
               versions: [
                  {
                     status: "affected",
                     version: "n/a",
                  },
               ],
            },
         ],
         datePublic: "2015-11-08T00:00:00",
         descriptions: [
            {
               lang: "en",
               value: "The TLS protocol 1.2 and earlier supports the rsa_fixed_dh, dss_fixed_dh, rsa_fixed_ecdh, and ecdsa_fixed_ecdh values for ClientCertificateType but does not directly document the ability to compute the master secret in certain situations with a client secret key and server public key but not a server secret key, which makes it easier for man-in-the-middle attackers to spoof TLS servers by leveraging knowledge of the secret key for an arbitrary installed client X.509 certificate, aka the \"Key Compromise Impersonation (KCI)\" issue.",
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     description: "n/a",
                     lang: "en",
                     type: "text",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2018-06-27T09:57:01",
            orgId: "53f830b8-0a3f-465b-8143-3b8a9948e749",
            shortName: "redhat",
         },
         references: [
            {
               name: "[oss-security] 20160920 Re: Possible CVE for TLS protocol issue",
               tags: [
                  "mailing-list",
                  "x_refsource_MLIST",
               ],
               url: "http://www.openwall.com/lists/oss-security/2016/09/20/4",
            },
            {
               tags: [
                  "x_refsource_MISC",
               ],
               url: "http://twitter.com/matthew_d_green/statuses/630908726950674433",
            },
            {
               name: "93071",
               tags: [
                  "vdb-entry",
                  "x_refsource_BID",
               ],
               url: "http://www.securityfocus.com/bid/93071",
            },
            {
               tags: [
                  "x_refsource_CONFIRM",
               ],
               url: "https://security.netapp.com/advisory/ntap-20180626-0002/",
            },
            {
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://www.usenix.org/system/files/conference/woot15/woot15-paper-hlauschek.pdf",
            },
            {
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://kcitls.org",
            },
         ],
         x_legacyV4Record: {
            CVE_data_meta: {
               ASSIGNER: "secalert@redhat.com",
               ID: "CVE-2015-8960",
               STATE: "PUBLIC",
            },
            affects: {
               vendor: {
                  vendor_data: [
                     {
                        product: {
                           product_data: [
                              {
                                 product_name: "n/a",
                                 version: {
                                    version_data: [
                                       {
                                          version_value: "n/a",
                                       },
                                    ],
                                 },
                              },
                           ],
                        },
                        vendor_name: "n/a",
                     },
                  ],
               },
            },
            data_format: "MITRE",
            data_type: "CVE",
            data_version: "4.0",
            description: {
               description_data: [
                  {
                     lang: "eng",
                     value: "The TLS protocol 1.2 and earlier supports the rsa_fixed_dh, dss_fixed_dh, rsa_fixed_ecdh, and ecdsa_fixed_ecdh values for ClientCertificateType but does not directly document the ability to compute the master secret in certain situations with a client secret key and server public key but not a server secret key, which makes it easier for man-in-the-middle attackers to spoof TLS servers by leveraging knowledge of the secret key for an arbitrary installed client X.509 certificate, aka the \"Key Compromise Impersonation (KCI)\" issue.",
                  },
               ],
            },
            problemtype: {
               problemtype_data: [
                  {
                     description: [
                        {
                           lang: "eng",
                           value: "n/a",
                        },
                     ],
                  },
               ],
            },
            references: {
               reference_data: [
                  {
                     name: "[oss-security] 20160920 Re: Possible CVE for TLS protocol issue",
                     refsource: "MLIST",
                     url: "http://www.openwall.com/lists/oss-security/2016/09/20/4",
                  },
                  {
                     name: "http://twitter.com/matthew_d_green/statuses/630908726950674433",
                     refsource: "MISC",
                     url: "http://twitter.com/matthew_d_green/statuses/630908726950674433",
                  },
                  {
                     name: "93071",
                     refsource: "BID",
                     url: "http://www.securityfocus.com/bid/93071",
                  },
                  {
                     name: "https://security.netapp.com/advisory/ntap-20180626-0002/",
                     refsource: "CONFIRM",
                     url: "https://security.netapp.com/advisory/ntap-20180626-0002/",
                  },
                  {
                     name: "https://www.usenix.org/system/files/conference/woot15/woot15-paper-hlauschek.pdf",
                     refsource: "MISC",
                     url: "https://www.usenix.org/system/files/conference/woot15/woot15-paper-hlauschek.pdf",
                  },
                  {
                     name: "https://kcitls.org",
                     refsource: "MISC",
                     url: "https://kcitls.org",
                  },
               ],
            },
         },
      },
   },
   cveMetadata: {
      assignerOrgId: "53f830b8-0a3f-465b-8143-3b8a9948e749",
      assignerShortName: "redhat",
      cveId: "CVE-2015-8960",
      datePublished: "2016-09-21T01:00:00",
      dateReserved: "2016-09-20T00:00:00",
      dateUpdated: "2024-08-06T08:36:30.681Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
}

cve-2021-3518
Vulnerability from cvelistv5
Published
2021-05-18 11:20
Modified
2024-08-03 17:01
Severity ?
Summary
There's a flaw in libxml2 in versions before 2.9.11. An attacker who is able to submit a crafted file to be processed by an application linked with libxml2 could trigger a use-after-free. The greatest impact from this flaw is to confidentiality, integrity, and availability.
References
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QVM4UJ3376I6ZVOYMHBNX4GY3NIV52WV/ vendor-advisory, x_refsource_FEDORA
https://lists.debian.org/debian-lts-announce/2021/05/msg00008.html mailing-list, x_refsource_MLIST
https://bugzilla.redhat.com/show_bug.cgi?id=1954242 x_refsource_MISC
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BZOMV5J4PMZAORVT64BKLV6YIZAFDGX6/ vendor-advisory, x_refsource_FEDORA
https://lists.apache.org/thread.html/rf4c02775860db415b4955778a131c2795223f61cb8c6a450893651e4%40%3Cissues.bookkeeper.apache.org%3E mailing-list, x_refsource_MLIST
https://lists.apache.org/thread.html/r58af02e294bd07f487e2c64ffc0a29b837db5600e33b6e698b9d696b%40%3Cissues.bookkeeper.apache.org%3E mailing-list, x_refsource_MLIST
https://security.gentoo.org/glsa/202107-05 vendor-advisory, x_refsource_GENTOO
https://security.netapp.com/advisory/ntap-20210625-0002/ x_refsource_CONFIRM
http://seclists.org/fulldisclosure/2021/Jul/58 mailing-list, x_refsource_FULLDISC
http://seclists.org/fulldisclosure/2021/Jul/54 mailing-list, x_refsource_FULLDISC
http://seclists.org/fulldisclosure/2021/Jul/55 mailing-list, x_refsource_FULLDISC
http://seclists.org/fulldisclosure/2021/Jul/59 mailing-list, x_refsource_FULLDISC
https://www.oracle.com/security-alerts/cpuoct2021.html x_refsource_MISC
https://support.apple.com/kb/HT212605 x_refsource_CONFIRM
https://support.apple.com/kb/HT212602 x_refsource_CONFIRM
https://support.apple.com/kb/HT212601 x_refsource_CONFIRM
https://support.apple.com/kb/HT212604 x_refsource_CONFIRM
https://www.oracle.com/security-alerts/cpuapr2022.html x_refsource_MISC
https://www.oracle.com/security-alerts/cpujul2022.html x_refsource_MISC
Impacted products
Vendor Product Version
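n/a libxml2 Version: libxml2 2.9.11 (as listed in the record's version field; the summary states the flaw is in versions before 2.9.11)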


{
   containers: {
      adp: [
         {
            providerMetadata: {
               dateUpdated: "2024-08-03T17:01:07.460Z",
               orgId: "af854a3a-2127-422b-91ae-364da2661108",
               shortName: "CVE",
            },
            references: [
               {
                  name: "FEDORA-2021-e3ed1ba38b",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_FEDORA",
                     "x_transferred",
                  ],
                  url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QVM4UJ3376I6ZVOYMHBNX4GY3NIV52WV/",
               },
               {
                  name: "[debian-lts-announce] 20210510 [SECURITY] [DLA 2653-1] libxml2 security update",
                  tags: [
                     "mailing-list",
                     "x_refsource_MLIST",
                     "x_transferred",
                  ],
                  url: "https://lists.debian.org/debian-lts-announce/2021/05/msg00008.html",
               },
               {
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://bugzilla.redhat.com/show_bug.cgi?id=1954242",
               },
               {
                  name: "FEDORA-2021-b950000d2b",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_FEDORA",
                     "x_transferred",
                  ],
                  url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BZOMV5J4PMZAORVT64BKLV6YIZAFDGX6/",
               },
               {
                  name: "[bookkeeper-issues] 20210628 [GitHub] [bookkeeper] padma81 opened a new issue #2746: Security Vulnerabilities in CentOS 7 image, Upgrade image to CentOS 8",
                  tags: [
                     "mailing-list",
                     "x_refsource_MLIST",
                     "x_transferred",
                  ],
                  url: "https://lists.apache.org/thread.html/rf4c02775860db415b4955778a131c2795223f61cb8c6a450893651e4%40%3Cissues.bookkeeper.apache.org%3E",
               },
               {
                  name: "[bookkeeper-issues] 20210629 [GitHub] [bookkeeper] padma81 opened a new issue #2746: Security Vulnerabilities in CentOS 7 image, Upgrade image to CentOS 8",
                  tags: [
                     "mailing-list",
                     "x_refsource_MLIST",
                     "x_transferred",
                  ],
                  url: "https://lists.apache.org/thread.html/r58af02e294bd07f487e2c64ffc0a29b837db5600e33b6e698b9d696b%40%3Cissues.bookkeeper.apache.org%3E",
               },
               {
                  name: "GLSA-202107-05",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_GENTOO",
                     "x_transferred",
                  ],
                  url: "https://security.gentoo.org/glsa/202107-05",
               },
               {
                  tags: [
                     "x_refsource_CONFIRM",
                     "x_transferred",
                  ],
                  url: "https://security.netapp.com/advisory/ntap-20210625-0002/",
               },
               {
                  name: "20210723 APPLE-SA-2021-07-21-5 watchOS 7.6",
                  tags: [
                     "mailing-list",
                     "x_refsource_FULLDISC",
                     "x_transferred",
                  ],
                  url: "http://seclists.org/fulldisclosure/2021/Jul/58",
               },
               {
                  name: "20210723 APPLE-SA-2021-07-21-1 iOS 14.7 and iPadOS 14.7",
                  tags: [
                     "mailing-list",
                     "x_refsource_FULLDISC",
                     "x_transferred",
                  ],
                  url: "http://seclists.org/fulldisclosure/2021/Jul/54",
               },
               {
                  name: "20210723 APPLE-SA-2021-07-21-2 macOS Big Sur 11.5",
                  tags: [
                     "mailing-list",
                     "x_refsource_FULLDISC",
                     "x_transferred",
                  ],
                  url: "http://seclists.org/fulldisclosure/2021/Jul/55",
               },
               {
                  name: "20210723 APPLE-SA-2021-07-21-6 tvOS 14.7",
                  tags: [
                     "mailing-list",
                     "x_refsource_FULLDISC",
                     "x_transferred",
                  ],
                  url: "http://seclists.org/fulldisclosure/2021/Jul/59",
               },
               {
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://www.oracle.com/security-alerts/cpuoct2021.html",
               },
               {
                  tags: [
                     "x_refsource_CONFIRM",
                     "x_transferred",
                  ],
                  url: "https://support.apple.com/kb/HT212605",
               },
               {
                  tags: [
                     "x_refsource_CONFIRM",
                     "x_transferred",
                  ],
                  url: "https://support.apple.com/kb/HT212602",
               },
               {
                  tags: [
                     "x_refsource_CONFIRM",
                     "x_transferred",
                  ],
                  url: "https://support.apple.com/kb/HT212601",
               },
               {
                  tags: [
                     "x_refsource_CONFIRM",
                     "x_transferred",
                  ],
                  url: "https://support.apple.com/kb/HT212604",
               },
               {
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://www.oracle.com/security-alerts/cpuapr2022.html",
               },
               {
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://www.oracle.com/security-alerts/cpujul2022.html",
               },
            ],
            title: "CVE Program Container",
         },
      ],
      cna: {
         affected: [
            {
               product: "libxml2",
               vendor: "n/a",
               versions: [
                  {
                     status: "affected",
                     version: "libxml2 2.9.11",
                  },
               ],
            },
         ],
         descriptions: [
            {
               lang: "en",
               value: "There's a flaw in libxml2 in versions before 2.9.11. An attacker who is able to submit a crafted file to be processed by an application linked with libxml2 could trigger a use-after-free. The greatest impact from this flaw is to confidentiality, integrity, and availability.",
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     cweId: "CWE-416",
                     description: "CWE-416",
                     lang: "en",
                     type: "CWE",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2022-07-25T16:35:29",
            orgId: "53f830b8-0a3f-465b-8143-3b8a9948e749",
            shortName: "redhat",
         },
         references: [
            {
               name: "FEDORA-2021-e3ed1ba38b",
               tags: [
                  "vendor-advisory",
                  "x_refsource_FEDORA",
               ],
               url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QVM4UJ3376I6ZVOYMHBNX4GY3NIV52WV/",
            },
            {
               name: "[debian-lts-announce] 20210510 [SECURITY] [DLA 2653-1] libxml2 security update",
               tags: [
                  "mailing-list",
                  "x_refsource_MLIST",
               ],
               url: "https://lists.debian.org/debian-lts-announce/2021/05/msg00008.html",
            },
            {
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://bugzilla.redhat.com/show_bug.cgi?id=1954242",
            },
            {
               name: "FEDORA-2021-b950000d2b",
               tags: [
                  "vendor-advisory",
                  "x_refsource_FEDORA",
               ],
               url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BZOMV5J4PMZAORVT64BKLV6YIZAFDGX6/",
            },
            {
               name: "[bookkeeper-issues] 20210628 [GitHub] [bookkeeper] padma81 opened a new issue #2746: Security Vulnerabilities in CentOS 7 image, Upgrade image to CentOS 8",
               tags: [
                  "mailing-list",
                  "x_refsource_MLIST",
               ],
               url: "https://lists.apache.org/thread.html/rf4c02775860db415b4955778a131c2795223f61cb8c6a450893651e4%40%3Cissues.bookkeeper.apache.org%3E",
            },
            {
               name: "[bookkeeper-issues] 20210629 [GitHub] [bookkeeper] padma81 opened a new issue #2746: Security Vulnerabilities in CentOS 7 image, Upgrade image to CentOS 8",
               tags: [
                  "mailing-list",
                  "x_refsource_MLIST",
               ],
               url: "https://lists.apache.org/thread.html/r58af02e294bd07f487e2c64ffc0a29b837db5600e33b6e698b9d696b%40%3Cissues.bookkeeper.apache.org%3E",
            },
            {
               name: "GLSA-202107-05",
               tags: [
                  "vendor-advisory",
                  "x_refsource_GENTOO",
               ],
               url: "https://security.gentoo.org/glsa/202107-05",
            },
            {
               tags: [
                  "x_refsource_CONFIRM",
               ],
               url: "https://security.netapp.com/advisory/ntap-20210625-0002/",
            },
            {
               name: "20210723 APPLE-SA-2021-07-21-5 watchOS 7.6",
               tags: [
                  "mailing-list",
                  "x_refsource_FULLDISC",
               ],
               url: "http://seclists.org/fulldisclosure/2021/Jul/58",
            },
            {
               name: "20210723 APPLE-SA-2021-07-21-1 iOS 14.7 and iPadOS 14.7",
               tags: [
                  "mailing-list",
                  "x_refsource_FULLDISC",
               ],
               url: "http://seclists.org/fulldisclosure/2021/Jul/54",
            },
            {
               name: "20210723 APPLE-SA-2021-07-21-2 macOS Big Sur 11.5",
               tags: [
                  "mailing-list",
                  "x_refsource_FULLDISC",
               ],
               url: "http://seclists.org/fulldisclosure/2021/Jul/55",
            },
            {
               name: "20210723 APPLE-SA-2021-07-21-6 tvOS 14.7",
               tags: [
                  "mailing-list",
                  "x_refsource_FULLDISC",
               ],
               url: "http://seclists.org/fulldisclosure/2021/Jul/59",
            },
            {
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://www.oracle.com/security-alerts/cpuoct2021.html",
            },
            {
               tags: [
                  "x_refsource_CONFIRM",
               ],
               url: "https://support.apple.com/kb/HT212605",
            },
            {
               tags: [
                  "x_refsource_CONFIRM",
               ],
               url: "https://support.apple.com/kb/HT212602",
            },
            {
               tags: [
                  "x_refsource_CONFIRM",
               ],
               url: "https://support.apple.com/kb/HT212601",
            },
            {
               tags: [
                  "x_refsource_CONFIRM",
               ],
               url: "https://support.apple.com/kb/HT212604",
            },
            {
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://www.oracle.com/security-alerts/cpuapr2022.html",
            },
            {
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://www.oracle.com/security-alerts/cpujul2022.html",
            },
         ],
         x_legacyV4Record: {
            CVE_data_meta: {
               ASSIGNER: "secalert@redhat.com",
               ID: "CVE-2021-3518",
               STATE: "PUBLIC",
            },
            affects: {
               vendor: {
                  vendor_data: [
                     {
                        product: {
                           product_data: [
                              {
                                 product_name: "libxml2",
                                 version: {
                                    version_data: [
                                       {
                                          version_value: "libxml2 2.9.11",
                                       },
                                    ],
                                 },
                              },
                           ],
                        },
                        vendor_name: "n/a",
                     },
                  ],
               },
            },
            data_format: "MITRE",
            data_type: "CVE",
            data_version: "4.0",
            description: {
               description_data: [
                  {
                     lang: "eng",
                     value: "There's a flaw in libxml2 in versions before 2.9.11. An attacker who is able to submit a crafted file to be processed by an application linked with libxml2 could trigger a use-after-free. The greatest impact from this flaw is to confidentiality, integrity, and availability.",
                  },
               ],
            },
            problemtype: {
               problemtype_data: [
                  {
                     description: [
                        {
                           lang: "eng",
                           value: "CWE-416",
                        },
                     ],
                  },
               ],
            },
            references: {
               reference_data: [
                  {
                     name: "FEDORA-2021-e3ed1ba38b",
                     refsource: "FEDORA",
                     url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QVM4UJ3376I6ZVOYMHBNX4GY3NIV52WV/",
                  },
                  {
                     name: "[debian-lts-announce] 20210510 [SECURITY] [DLA 2653-1] libxml2 security update",
                     refsource: "MLIST",
                     url: "https://lists.debian.org/debian-lts-announce/2021/05/msg00008.html",
                  },
                  {
                     name: "https://bugzilla.redhat.com/show_bug.cgi?id=1954242",
                     refsource: "MISC",
                     url: "https://bugzilla.redhat.com/show_bug.cgi?id=1954242",
                  },
                  {
                     name: "FEDORA-2021-b950000d2b",
                     refsource: "FEDORA",
                     url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BZOMV5J4PMZAORVT64BKLV6YIZAFDGX6/",
                  },
                  {
                     name: "[bookkeeper-issues] 20210628 [GitHub] [bookkeeper] padma81 opened a new issue #2746: Security Vulnerabilities in CentOS 7 image, Upgrade image to CentOS 8",
                     refsource: "MLIST",
                     url: "https://lists.apache.org/thread.html/rf4c02775860db415b4955778a131c2795223f61cb8c6a450893651e4@%3Cissues.bookkeeper.apache.org%3E",
                  },
                  {
                     name: "[bookkeeper-issues] 20210629 [GitHub] [bookkeeper] padma81 opened a new issue #2746: Security Vulnerabilities in CentOS 7 image, Upgrade image to CentOS 8",
                     refsource: "MLIST",
                     url: "https://lists.apache.org/thread.html/r58af02e294bd07f487e2c64ffc0a29b837db5600e33b6e698b9d696b@%3Cissues.bookkeeper.apache.org%3E",
                  },
                  {
                     name: "GLSA-202107-05",
                     refsource: "GENTOO",
                     url: "https://security.gentoo.org/glsa/202107-05",
                  },
                  {
                     name: "https://security.netapp.com/advisory/ntap-20210625-0002/",
                     refsource: "CONFIRM",
                     url: "https://security.netapp.com/advisory/ntap-20210625-0002/",
                  },
                  {
                     name: "20210723 APPLE-SA-2021-07-21-5 watchOS 7.6",
                     refsource: "FULLDISC",
                     url: "http://seclists.org/fulldisclosure/2021/Jul/58",
                  },
                  {
                     name: "20210723 APPLE-SA-2021-07-21-1 iOS 14.7 and iPadOS 14.7",
                     refsource: "FULLDISC",
                     url: "http://seclists.org/fulldisclosure/2021/Jul/54",
                  },
                  {
                     name: "20210723 APPLE-SA-2021-07-21-2 macOS Big Sur 11.5",
                     refsource: "FULLDISC",
                     url: "http://seclists.org/fulldisclosure/2021/Jul/55",
                  },
                  {
                     name: "20210723 APPLE-SA-2021-07-21-6 tvOS 14.7",
                     refsource: "FULLDISC",
                     url: "http://seclists.org/fulldisclosure/2021/Jul/59",
                  },
                  {
                     name: "https://www.oracle.com/security-alerts/cpuoct2021.html",
                     refsource: "MISC",
                     url: "https://www.oracle.com/security-alerts/cpuoct2021.html",
                  },
                  {
                     name: "https://support.apple.com/kb/HT212605",
                     refsource: "CONFIRM",
                     url: "https://support.apple.com/kb/HT212605",
                  },
                  {
                     name: "https://support.apple.com/kb/HT212602",
                     refsource: "CONFIRM",
                     url: "https://support.apple.com/kb/HT212602",
                  },
                  {
                     name: "https://support.apple.com/kb/HT212601",
                     refsource: "CONFIRM",
                     url: "https://support.apple.com/kb/HT212601",
                  },
                  {
                     name: "https://support.apple.com/kb/HT212604",
                     refsource: "CONFIRM",
                     url: "https://support.apple.com/kb/HT212604",
                  },
                  {
                     name: "https://www.oracle.com/security-alerts/cpuapr2022.html",
                     refsource: "MISC",
                     url: "https://www.oracle.com/security-alerts/cpuapr2022.html",
                  },
                  {
                     name: "https://www.oracle.com/security-alerts/cpujul2022.html",
                     refsource: "MISC",
                     url: "https://www.oracle.com/security-alerts/cpujul2022.html",
                  },
               ],
            },
         },
      },
   },
   cveMetadata: {
      assignerOrgId: "53f830b8-0a3f-465b-8143-3b8a9948e749",
      assignerShortName: "redhat",
      cveId: "CVE-2021-3518",
      datePublished: "2021-05-18T11:20:24",
      dateReserved: "2021-04-27T00:00:00",
      dateUpdated: "2024-08-03T17:01:07.460Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
}

cve-2016-8610
Vulnerability from cvelistv5
Published
2017-11-13 22:00
Modified
2024-08-06 02:27
Severity ?
Summary
A denial of service flaw was found in OpenSSL 0.9.8, 1.0.1, 1.0.2 through 1.0.2h, and 1.1.0 in the way the TLS/SSL protocol defined processing of ALERT packets during a connection handshake. A remote attacker could use this flaw to make a TLS/SSL server consume an excessive amount of CPU and fail to accept connections from other clients.
References
http://www.securityfocus.com/bid/93841 vdb-entry, x_refsource_BID
http://rhn.redhat.com/errata/RHSA-2017-1659.html vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2017:1658 vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2017:1801 vendor-advisory, x_refsource_REDHAT
http://rhn.redhat.com/errata/RHSA-2017-0286.html vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2017:1413 vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2017:2494 vendor-advisory, x_refsource_REDHAT
https://security.FreeBSD.org/advisories/FreeBSD-SA-16:35.openssl.asc vendor-advisory, x_refsource_FREEBSD
https://access.redhat.com/errata/RHSA-2017:1414 vendor-advisory, x_refsource_REDHAT
http://seclists.org/oss-sec/2016/q4/224 mailing-list, x_refsource_MLIST
http://rhn.redhat.com/errata/RHSA-2017-0574.html vendor-advisory, x_refsource_REDHAT
https://www.debian.org/security/2017/dsa-3773 vendor-advisory, x_refsource_DEBIAN
http://rhn.redhat.com/errata/RHSA-2017-1415.html vendor-advisory, x_refsource_REDHAT
http://www.securitytracker.com/id/1037084 vdb-entry, x_refsource_SECTRACK
https://access.redhat.com/errata/RHSA-2017:1802 vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2017:2493 vendor-advisory, x_refsource_REDHAT
https://www.oracle.com/security-alerts/cpuapr2020.html x_refsource_MISC
https://www.oracle.com/security-alerts/cpujul2020.html x_refsource_MISC
https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html x_refsource_MISC
https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html x_refsource_MISC
https://www.oracle.com/security-alerts/cpujan2020.html x_refsource_MISC
https://security.netapp.com/advisory/ntap-20171130-0001/ x_refsource_CONFIRM
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-8610 x_refsource_CONFIRM
https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commit%3Bh=af58be768ebb690f78530f796e92b8ae5c9a4401 x_refsource_CONFIRM
https://security.360.cn/cve/CVE-2016-8610/ x_refsource_MISC
https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03897en_us x_refsource_CONFIRM
https://security.paloaltonetworks.com/CVE-2016-8610 x_refsource_CONFIRM
https://www.oracle.com/security-alerts/cpuoct2020.html x_refsource_MISC
Impacted products
Vendor Product Version
OpenSSL OpenSSL Version: All 0.9.8
Version: All 1.0.1
Version: 1.0.2 through 1.0.2h
Version: 1.1.0


{
   containers: {
      adp: [
         {
            providerMetadata: {
               dateUpdated: "2024-08-06T02:27:40.949Z",
               orgId: "af854a3a-2127-422b-91ae-364da2661108",
               shortName: "CVE",
            },
            references: [
               {
                  name: "93841",
                  tags: [
                     "vdb-entry",
                     "x_refsource_BID",
                     "x_transferred",
                  ],
                  url: "http://www.securityfocus.com/bid/93841",
               },
               {
                  name: "RHSA-2017:1659",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_REDHAT",
                     "x_transferred",
                  ],
                  url: "http://rhn.redhat.com/errata/RHSA-2017-1659.html",
               },
               {
                  name: "RHSA-2017:1658",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_REDHAT",
                     "x_transferred",
                  ],
                  url: "https://access.redhat.com/errata/RHSA-2017:1658",
               },
               {
                  name: "RHSA-2017:1801",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_REDHAT",
                     "x_transferred",
                  ],
                  url: "https://access.redhat.com/errata/RHSA-2017:1801",
               },
               {
                  name: "RHSA-2017:0286",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_REDHAT",
                     "x_transferred",
                  ],
                  url: "http://rhn.redhat.com/errata/RHSA-2017-0286.html",
               },
               {
                  name: "RHSA-2017:1413",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_REDHAT",
                     "x_transferred",
                  ],
                  url: "https://access.redhat.com/errata/RHSA-2017:1413",
               },
               {
                  name: "RHSA-2017:2494",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_REDHAT",
                     "x_transferred",
                  ],
                  url: "https://access.redhat.com/errata/RHSA-2017:2494",
               },
               {
                  name: "FreeBSD-SA-16:35",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_FREEBSD",
                     "x_transferred",
                  ],
                  url: "https://security.FreeBSD.org/advisories/FreeBSD-SA-16:35.openssl.asc",
               },
               {
                  name: "RHSA-2017:1414",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_REDHAT",
                     "x_transferred",
                  ],
                  url: "https://access.redhat.com/errata/RHSA-2017:1414",
               },
               {
                  name: "[oss-security] 20161024 CVE-2016-8610: SSL Death Alert: OpenSSL SSL/TLS SSL3_AL_WARNING undefined alert Remote DoS",
                  tags: [
                     "mailing-list",
                     "x_refsource_MLIST",
                     "x_transferred",
                  ],
                  url: "http://seclists.org/oss-sec/2016/q4/224",
               },
               {
                  name: "RHSA-2017:0574",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_REDHAT",
                     "x_transferred",
                  ],
                  url: "http://rhn.redhat.com/errata/RHSA-2017-0574.html",
               },
               {
                  name: "DSA-3773",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_DEBIAN",
                     "x_transferred",
                  ],
                  url: "https://www.debian.org/security/2017/dsa-3773",
               },
               {
                  name: "RHSA-2017:1415",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_REDHAT",
                     "x_transferred",
                  ],
                  url: "http://rhn.redhat.com/errata/RHSA-2017-1415.html",
               },
               {
                  name: "1037084",
                  tags: [
                     "vdb-entry",
                     "x_refsource_SECTRACK",
                     "x_transferred",
                  ],
                  url: "http://www.securitytracker.com/id/1037084",
               },
               {
                  name: "RHSA-2017:1802",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_REDHAT",
                     "x_transferred",
                  ],
                  url: "https://access.redhat.com/errata/RHSA-2017:1802",
               },
               {
                  name: "RHSA-2017:2493",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_REDHAT",
                     "x_transferred",
                  ],
                  url: "https://access.redhat.com/errata/RHSA-2017:2493",
               },
               {
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://www.oracle.com/security-alerts/cpuapr2020.html",
               },
               {
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://www.oracle.com/security-alerts/cpujul2020.html",
               },
               {
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html",
               },
               {
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html",
               },
               {
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://www.oracle.com/security-alerts/cpujan2020.html",
               },
               {
                  tags: [
                     "x_refsource_CONFIRM",
                     "x_transferred",
                  ],
                  url: "https://security.netapp.com/advisory/ntap-20171130-0001/",
               },
               {
                  tags: [
                     "x_refsource_CONFIRM",
                     "x_transferred",
                  ],
                  url: "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-8610",
               },
               {
                  tags: [
                     "x_refsource_CONFIRM",
                     "x_transferred",
                  ],
                  url: "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commit%3Bh=af58be768ebb690f78530f796e92b8ae5c9a4401",
               },
               {
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://security.360.cn/cve/CVE-2016-8610/",
               },
               {
                  tags: [
                     "x_refsource_CONFIRM",
                     "x_transferred",
                  ],
                  url: "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03897en_us",
               },
               {
                  tags: [
                     "x_refsource_CONFIRM",
                     "x_transferred",
                  ],
                  url: "https://security.paloaltonetworks.com/CVE-2016-8610",
               },
               {
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://www.oracle.com/security-alerts/cpuoct2020.html",
               },
            ],
            title: "CVE Program Container",
         },
      ],
      cna: {
         affected: [
            {
               product: "OpenSSL",
               vendor: "OpenSSL",
               versions: [
                  {
                     status: "affected",
                     version: "All 0.9.8",
                  },
                  {
                     status: "affected",
                     version: "All 1.0.1",
                  },
                  {
                     status: "affected",
                     version: "1.0.2 through 1.0.2h",
                  },
                  {
                     status: "affected",
                     version: "1.1.0",
                  },
               ],
            },
         ],
         datePublic: "2016-10-24T00:00:00",
         descriptions: [
            {
               lang: "en",
               value: "A denial of service flaw was found in OpenSSL 0.9.8, 1.0.1, 1.0.2 through 1.0.2h, and 1.1.0 in the way the TLS/SSL protocol defined processing of ALERT packets during a connection handshake. A remote attacker could use this flaw to make a TLS/SSL server consume an excessive amount of CPU and fail to accept connections from other clients.",
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     cweId: "CWE-400",
                     description: "CWE-400",
                     lang: "en",
                     type: "CWE",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2020-10-20T21:14:51",
            orgId: "53f830b8-0a3f-465b-8143-3b8a9948e749",
            shortName: "redhat",
         },
         references: [
            {
               name: "93841",
               tags: [
                  "vdb-entry",
                  "x_refsource_BID",
               ],
               url: "http://www.securityfocus.com/bid/93841",
            },
            {
               name: "RHSA-2017:1659",
               tags: [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
               ],
               url: "http://rhn.redhat.com/errata/RHSA-2017-1659.html",
            },
            {
               name: "RHSA-2017:1658",
               tags: [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
               ],
               url: "https://access.redhat.com/errata/RHSA-2017:1658",
            },
            {
               name: "RHSA-2017:1801",
               tags: [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
               ],
               url: "https://access.redhat.com/errata/RHSA-2017:1801",
            },
            {
               name: "RHSA-2017:0286",
               tags: [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
               ],
               url: "http://rhn.redhat.com/errata/RHSA-2017-0286.html",
            },
            {
               name: "RHSA-2017:1413",
               tags: [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
               ],
               url: "https://access.redhat.com/errata/RHSA-2017:1413",
            },
            {
               name: "RHSA-2017:2494",
               tags: [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
               ],
               url: "https://access.redhat.com/errata/RHSA-2017:2494",
            },
            {
               name: "FreeBSD-SA-16:35",
               tags: [
                  "vendor-advisory",
                  "x_refsource_FREEBSD",
               ],
               url: "https://security.FreeBSD.org/advisories/FreeBSD-SA-16:35.openssl.asc",
            },
            {
               name: "RHSA-2017:1414",
               tags: [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
               ],
               url: "https://access.redhat.com/errata/RHSA-2017:1414",
            },
            {
               name: "[oss-security] 20161024 CVE-2016-8610: SSL Death Alert: OpenSSL SSL/TLS SSL3_AL_WARNING undefined alert Remote DoS",
               tags: [
                  "mailing-list",
                  "x_refsource_MLIST",
               ],
               url: "http://seclists.org/oss-sec/2016/q4/224",
            },
            {
               name: "RHSA-2017:0574",
               tags: [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
               ],
               url: "http://rhn.redhat.com/errata/RHSA-2017-0574.html",
            },
            {
               name: "DSA-3773",
               tags: [
                  "vendor-advisory",
                  "x_refsource_DEBIAN",
               ],
               url: "https://www.debian.org/security/2017/dsa-3773",
            },
            {
               name: "RHSA-2017:1415",
               tags: [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
               ],
               url: "http://rhn.redhat.com/errata/RHSA-2017-1415.html",
            },
            {
               name: "1037084",
               tags: [
                  "vdb-entry",
                  "x_refsource_SECTRACK",
               ],
               url: "http://www.securitytracker.com/id/1037084",
            },
            {
               name: "RHSA-2017:1802",
               tags: [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
               ],
               url: "https://access.redhat.com/errata/RHSA-2017:1802",
            },
            {
               name: "RHSA-2017:2493",
               tags: [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
               ],
               url: "https://access.redhat.com/errata/RHSA-2017:2493",
            },
            {
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://www.oracle.com/security-alerts/cpuapr2020.html",
            },
            {
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://www.oracle.com/security-alerts/cpujul2020.html",
            },
            {
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html",
            },
            {
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html",
            },
            {
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://www.oracle.com/security-alerts/cpujan2020.html",
            },
            {
               tags: [
                  "x_refsource_CONFIRM",
               ],
               url: "https://security.netapp.com/advisory/ntap-20171130-0001/",
            },
            {
               tags: [
                  "x_refsource_CONFIRM",
               ],
               url: "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-8610",
            },
            {
               tags: [
                  "x_refsource_CONFIRM",
               ],
               url: "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commit%3Bh=af58be768ebb690f78530f796e92b8ae5c9a4401",
            },
            {
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://security.360.cn/cve/CVE-2016-8610/",
            },
            {
               tags: [
                  "x_refsource_CONFIRM",
               ],
               url: "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03897en_us",
            },
            {
               tags: [
                  "x_refsource_CONFIRM",
               ],
               url: "https://security.paloaltonetworks.com/CVE-2016-8610",
            },
            {
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://www.oracle.com/security-alerts/cpuoct2020.html",
            },
         ],
      },
   },
   cveMetadata: {
      assignerOrgId: "53f830b8-0a3f-465b-8143-3b8a9948e749",
      assignerShortName: "redhat",
      cveId: "CVE-2016-8610",
      datePublished: "2017-11-13T22:00:00Z",
      dateReserved: "2016-10-12T00:00:00",
      dateUpdated: "2024-08-06T02:27:40.949Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
}

cve-2020-7595
Vulnerability from cvelistv5
Published
2020-01-21 22:54
Modified
2024-08-04 09:33
Severity ?
Summary
xmlStringLenDecodeEntities in parser.c in libxml2 2.9.10 has an infinite loop in a certain end-of-file situation.
Impacted products
Vendor Product Version
n/a n/a Version: n/a


{
   containers: {
      adp: [
         {
            providerMetadata: {
               dateUpdated: "2024-08-04T09:33:19.963Z",
               orgId: "af854a3a-2127-422b-91ae-364da2661108",
               shortName: "CVE",
            },
            references: [
               {
                  name: "FEDORA-2020-41fe1680f6",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_FEDORA",
                     "x_transferred",
                  ],
                  url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/545SPOI3ZPPNPX4TFRIVE4JVRTJRKULL/",
               },
               {
                  name: "USN-4274-1",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_UBUNTU",
                     "x_transferred",
                  ],
                  url: "https://usn.ubuntu.com/4274-1/",
               },
               {
                  name: "FEDORA-2020-0c71c00af4",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_FEDORA",
                     "x_transferred",
                  ],
                  url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5R55ZR52RMBX24TQTWHCIWKJVRV6YAWI/",
               },
               {
                  name: "FEDORA-2020-7694e8be73",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_FEDORA",
                     "x_transferred",
                  ],
                  url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JDPF3AAVKUAKDYFMFKSIQSVVS3EEFPQH/",
               },
               {
                  name: "openSUSE-SU-2020:0681",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_SUSE",
                     "x_transferred",
                  ],
                  url: "http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00047.html",
               },
               {
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://www.oracle.com/security-alerts/cpujul2020.html",
               },
               {
                  tags: [
                     "x_refsource_CONFIRM",
                     "x_transferred",
                  ],
                  url: "https://security.netapp.com/advisory/ntap-20200702-0005/",
               },
               {
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://gitlab.gnome.org/GNOME/libxml2/commit/0e1a49c89076",
               },
               {
                  name: "[debian-lts-announce] 20200909 [SECURITY] [DLA 2369-1] libxml2 security update",
                  tags: [
                     "mailing-list",
                     "x_refsource_MLIST",
                     "x_transferred",
                  ],
                  url: "https://lists.debian.org/debian-lts-announce/2020/09/msg00009.html",
               },
               {
                  name: "GLSA-202010-04",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_GENTOO",
                     "x_transferred",
                  ],
                  url: "https://security.gentoo.org/glsa/202010-04",
               },
               {
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://www.oracle.com/security-alerts/cpuoct2021.html",
               },
               {
                  tags: [
                     "x_refsource_CONFIRM",
                     "x_transferred",
                  ],
                  url: "https://cert-portal.siemens.com/productcert/pdf/ssa-292794.pdf",
               },
               {
                  tags: [
                     "x_refsource_CONFIRM",
                     "x_transferred",
                  ],
                  url: "https://us-cert.cisa.gov/ics/advisories/icsa-21-103-08",
               },
               {
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://www.oracle.com/security-alerts/cpuapr2022.html",
               },
               {
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://www.oracle.com/security-alerts/cpujul2022.html",
               },
            ],
            title: "CVE Program Container",
         },
      ],
      cna: {
         affected: [
            {
               product: "n/a",
               vendor: "n/a",
               versions: [
                  {
                     status: "affected",
                     version: "n/a",
                  },
               ],
            },
         ],
         descriptions: [
            {
               lang: "en",
               value: "xmlStringLenDecodeEntities in parser.c in libxml2 2.9.10 has an infinite loop in a certain end-of-file situation.",
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     description: "n/a",
                     lang: "en",
                     type: "text",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2022-07-25T16:23:35",
            orgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            shortName: "mitre",
         },
         references: [
            {
               name: "FEDORA-2020-41fe1680f6",
               tags: [
                  "vendor-advisory",
                  "x_refsource_FEDORA",
               ],
               url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/545SPOI3ZPPNPX4TFRIVE4JVRTJRKULL/",
            },
            {
               name: "USN-4274-1",
               tags: [
                  "vendor-advisory",
                  "x_refsource_UBUNTU",
               ],
               url: "https://usn.ubuntu.com/4274-1/",
            },
            {
               name: "FEDORA-2020-0c71c00af4",
               tags: [
                  "vendor-advisory",
                  "x_refsource_FEDORA",
               ],
               url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5R55ZR52RMBX24TQTWHCIWKJVRV6YAWI/",
            },
            {
               name: "FEDORA-2020-7694e8be73",
               tags: [
                  "vendor-advisory",
                  "x_refsource_FEDORA",
               ],
               url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JDPF3AAVKUAKDYFMFKSIQSVVS3EEFPQH/",
            },
            {
               name: "openSUSE-SU-2020:0681",
               tags: [
                  "vendor-advisory",
                  "x_refsource_SUSE",
               ],
               url: "http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00047.html",
            },
            {
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://www.oracle.com/security-alerts/cpujul2020.html",
            },
            {
               tags: [
                  "x_refsource_CONFIRM",
               ],
               url: "https://security.netapp.com/advisory/ntap-20200702-0005/",
            },
            {
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://gitlab.gnome.org/GNOME/libxml2/commit/0e1a49c89076",
            },
            {
               name: "[debian-lts-announce] 20200909 [SECURITY] [DLA 2369-1] libxml2 security update",
               tags: [
                  "mailing-list",
                  "x_refsource_MLIST",
               ],
               url: "https://lists.debian.org/debian-lts-announce/2020/09/msg00009.html",
            },
            {
               name: "GLSA-202010-04",
               tags: [
                  "vendor-advisory",
                  "x_refsource_GENTOO",
               ],
               url: "https://security.gentoo.org/glsa/202010-04",
            },
            {
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://www.oracle.com/security-alerts/cpuoct2021.html",
            },
            {
               tags: [
                  "x_refsource_CONFIRM",
               ],
               url: "https://cert-portal.siemens.com/productcert/pdf/ssa-292794.pdf",
            },
            {
               tags: [
                  "x_refsource_CONFIRM",
               ],
               url: "https://us-cert.cisa.gov/ics/advisories/icsa-21-103-08",
            },
            {
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://www.oracle.com/security-alerts/cpuapr2022.html",
            },
            {
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://www.oracle.com/security-alerts/cpujul2022.html",
            },
         ],
         x_legacyV4Record: {
            CVE_data_meta: {
               ASSIGNER: "cve@mitre.org",
               ID: "CVE-2020-7595",
               STATE: "PUBLIC",
            },
            affects: {
               vendor: {
                  vendor_data: [
                     {
                        product: {
                           product_data: [
                              {
                                 product_name: "n/a",
                                 version: {
                                    version_data: [
                                       {
                                          version_value: "n/a",
                                       },
                                    ],
                                 },
                              },
                           ],
                        },
                        vendor_name: "n/a",
                     },
                  ],
               },
            },
            data_format: "MITRE",
            data_type: "CVE",
            data_version: "4.0",
            description: {
               description_data: [
                  {
                     lang: "eng",
                     value: "xmlStringLenDecodeEntities in parser.c in libxml2 2.9.10 has an infinite loop in a certain end-of-file situation.",
                  },
               ],
            },
            problemtype: {
               problemtype_data: [
                  {
                     description: [
                        {
                           lang: "eng",
                           value: "n/a",
                        },
                     ],
                  },
               ],
            },
            references: {
               reference_data: [
                  {
                     name: "FEDORA-2020-41fe1680f6",
                     refsource: "FEDORA",
                     url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/545SPOI3ZPPNPX4TFRIVE4JVRTJRKULL/",
                  },
                  {
                     name: "USN-4274-1",
                     refsource: "UBUNTU",
                     url: "https://usn.ubuntu.com/4274-1/",
                  },
                  {
                     name: "FEDORA-2020-0c71c00af4",
                     refsource: "FEDORA",
                     url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5R55ZR52RMBX24TQTWHCIWKJVRV6YAWI/",
                  },
                  {
                     name: "FEDORA-2020-7694e8be73",
                     refsource: "FEDORA",
                     url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JDPF3AAVKUAKDYFMFKSIQSVVS3EEFPQH/",
                  },
                  {
                     name: "openSUSE-SU-2020:0681",
                     refsource: "SUSE",
                     url: "http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00047.html",
                  },
                  {
                     name: "https://www.oracle.com/security-alerts/cpujul2020.html",
                     refsource: "MISC",
                     url: "https://www.oracle.com/security-alerts/cpujul2020.html",
                  },
                  {
                     name: "https://security.netapp.com/advisory/ntap-20200702-0005/",
                     refsource: "CONFIRM",
                     url: "https://security.netapp.com/advisory/ntap-20200702-0005/",
                  },
                  {
                     name: "https://gitlab.gnome.org/GNOME/libxml2/commit/0e1a49c89076",
                     refsource: "MISC",
                     url: "https://gitlab.gnome.org/GNOME/libxml2/commit/0e1a49c89076",
                  },
                  {
                     name: "[debian-lts-announce] 20200909 [SECURITY] [DLA 2369-1] libxml2 security update",
                     refsource: "MLIST",
                     url: "https://lists.debian.org/debian-lts-announce/2020/09/msg00009.html",
                  },
                  {
                     name: "GLSA-202010-04",
                     refsource: "GENTOO",
                     url: "https://security.gentoo.org/glsa/202010-04",
                  },
                  {
                     name: "https://www.oracle.com/security-alerts/cpuoct2021.html",
                     refsource: "MISC",
                     url: "https://www.oracle.com/security-alerts/cpuoct2021.html",
                  },
                  {
                     name: "https://cert-portal.siemens.com/productcert/pdf/ssa-292794.pdf",
                     refsource: "CONFIRM",
                     url: "https://cert-portal.siemens.com/productcert/pdf/ssa-292794.pdf",
                  },
                  {
                     name: "https://us-cert.cisa.gov/ics/advisories/icsa-21-103-08",
                     refsource: "CONFIRM",
                     url: "https://us-cert.cisa.gov/ics/advisories/icsa-21-103-08",
                  },
                  {
                     name: "https://www.oracle.com/security-alerts/cpuapr2022.html",
                     refsource: "MISC",
                     url: "https://www.oracle.com/security-alerts/cpuapr2022.html",
                  },
                  {
                     name: "https://www.oracle.com/security-alerts/cpujul2022.html",
                     refsource: "MISC",
                     url: "https://www.oracle.com/security-alerts/cpujul2022.html",
                  },
               ],
            },
         },
      },
   },
   cveMetadata: {
      assignerOrgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
      assignerShortName: "mitre",
      cveId: "CVE-2020-7595",
      datePublished: "2020-01-21T22:54:14",
      dateReserved: "2020-01-21T00:00:00",
      dateUpdated: "2024-08-04T09:33:19.963Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
}

cve-2018-18313
Vulnerability from cvelistv5
Published
2018-12-07 21:00
Modified
2024-08-05 11:08
Severity ?
Summary
Perl before 5.26.3 has a buffer over-read via a crafted regular expression that triggers disclosure of sensitive information from process memory.
Impacted products
Vendor Product Version
n/a n/a Version: n/a


{
   containers: {
      adp: [
         {
            providerMetadata: {
               dateUpdated: "2024-08-05T11:08:21.173Z",
               orgId: "af854a3a-2127-422b-91ae-364da2661108",
               shortName: "CVE",
            },
            references: [
               {
                  name: "DSA-4347",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_DEBIAN",
                     "x_transferred",
                  ],
                  url: "https://www.debian.org/security/2018/dsa-4347",
               },
               {
                  name: "1042181",
                  tags: [
                     "vdb-entry",
                     "x_refsource_SECTRACK",
                     "x_transferred",
                  ],
                  url: "http://www.securitytracker.com/id/1042181",
               },
               {
                  name: "RHSA-2019:0010",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_REDHAT",
                     "x_transferred",
                  ],
                  url: "https://access.redhat.com/errata/RHSA-2019:0010",
               },
               {
                  name: "USN-3834-2",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_UBUNTU",
                     "x_transferred",
                  ],
                  url: "https://usn.ubuntu.com/3834-2/",
               },
               {
                  name: "FEDORA-2018-9dbe983805",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_FEDORA",
                     "x_transferred",
                  ],
                  url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RWQGEB543QN7SSBRKYJM6PSOC3RLYGSM/",
               },
               {
                  name: "RHSA-2019:0001",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_REDHAT",
                     "x_transferred",
                  ],
                  url: "https://access.redhat.com/errata/RHSA-2019:0001",
               },
               {
                  name: "USN-3834-1",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_UBUNTU",
                     "x_transferred",
                  ],
                  url: "https://usn.ubuntu.com/3834-1/",
               },
               {
                  name: "20190326 APPLE-SA-2019-3-25-2 macOS Mojave 10.14.4, Security Update 2019-002 High Sierra, Security Update 2019-002 Sierra",
                  tags: [
                     "mailing-list",
                     "x_refsource_BUGTRAQ",
                     "x_transferred",
                  ],
                  url: "https://seclists.org/bugtraq/2019/Mar/42",
               },
               {
                  name: "20190326 APPLE-SA-2019-3-25-2 macOS Mojave 10.14.4, Security Update 2019-002 High Sierra, Security Update 2019-002 Sierra",
                  tags: [
                     "mailing-list",
                     "x_refsource_FULLDISC",
                     "x_transferred",
                  ],
                  url: "http://seclists.org/fulldisclosure/2019/Mar/49",
               },
               {
                  name: "GLSA-201909-01",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_GENTOO",
                     "x_transferred",
                  ],
                  url: "https://security.gentoo.org/glsa/201909-01",
               },
               {
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://www.oracle.com/security-alerts/cpujul2020.html",
               },
               {
                  tags: [
                     "x_refsource_CONFIRM",
                     "x_transferred",
                  ],
                  url: "https://support.apple.com/kb/HT209600",
               },
               {
                  tags: [
                     "x_refsource_CONFIRM",
                     "x_transferred",
                  ],
                  url: "https://security.netapp.com/advisory/ntap-20190221-0003/",
               },
               {
                  tags: [
                     "x_refsource_CONFIRM",
                     "x_transferred",
                  ],
                  url: "https://metacpan.org/changes/release/SHAY/perl-5.26.3",
               },
               {
                  tags: [
                     "x_refsource_CONFIRM",
                     "x_transferred",
                  ],
                  url: "https://bugzilla.redhat.com/show_bug.cgi?id=1646738",
               },
               {
                  tags: [
                     "x_refsource_CONFIRM",
                     "x_transferred",
                  ],
                  url: "https://rt.perl.org/Ticket/Display.html?id=133192",
               },
               {
                  tags: [
                     "x_refsource_CONFIRM",
                     "x_transferred",
                  ],
                  url: "https://github.com/Perl/perl5/commit/43b2f4ef399e2fd7240b4eeb0658686ad95f8e62",
               },
            ],
            title: "CVE Program Container",
         },
      ],
      cna: {
         affected: [
            {
               product: "n/a",
               vendor: "n/a",
               versions: [
                  {
                     status: "affected",
                     version: "n/a",
                  },
               ],
            },
         ],
         datePublic: "2018-11-29T00:00:00",
         descriptions: [
            {
               lang: "en",
               value: "Perl before 5.26.3 has a buffer over-read via a crafted regular expression that triggers disclosure of sensitive information from process memory.",
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     description: "n/a",
                     lang: "en",
                     type: "text",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2020-07-15T02:22:57",
            orgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            shortName: "mitre",
         },
         references: [
            {
               name: "DSA-4347",
               tags: [
                  "vendor-advisory",
                  "x_refsource_DEBIAN",
               ],
               url: "https://www.debian.org/security/2018/dsa-4347",
            },
            {
               name: "1042181",
               tags: [
                  "vdb-entry",
                  "x_refsource_SECTRACK",
               ],
               url: "http://www.securitytracker.com/id/1042181",
            },
            {
               name: "RHSA-2019:0010",
               tags: [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
               ],
               url: "https://access.redhat.com/errata/RHSA-2019:0010",
            },
            {
               name: "USN-3834-2",
               tags: [
                  "vendor-advisory",
                  "x_refsource_UBUNTU",
               ],
               url: "https://usn.ubuntu.com/3834-2/",
            },
            {
               name: "FEDORA-2018-9dbe983805",
               tags: [
                  "vendor-advisory",
                  "x_refsource_FEDORA",
               ],
               url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RWQGEB543QN7SSBRKYJM6PSOC3RLYGSM/",
            },
            {
               name: "RHSA-2019:0001",
               tags: [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
               ],
               url: "https://access.redhat.com/errata/RHSA-2019:0001",
            },
            {
               name: "USN-3834-1",
               tags: [
                  "vendor-advisory",
                  "x_refsource_UBUNTU",
               ],
               url: "https://usn.ubuntu.com/3834-1/",
            },
            {
               name: "20190326 APPLE-SA-2019-3-25-2 macOS Mojave 10.14.4, Security Update 2019-002 High Sierra, Security Update 2019-002 Sierra",
               tags: [
                  "mailing-list",
                  "x_refsource_BUGTRAQ",
               ],
               url: "https://seclists.org/bugtraq/2019/Mar/42",
            },
            {
               name: "20190326 APPLE-SA-2019-3-25-2 macOS Mojave 10.14.4, Security Update 2019-002 High Sierra, Security Update 2019-002 Sierra",
               tags: [
                  "mailing-list",
                  "x_refsource_FULLDISC",
               ],
               url: "http://seclists.org/fulldisclosure/2019/Mar/49",
            },
            {
               name: "GLSA-201909-01",
               tags: [
                  "vendor-advisory",
                  "x_refsource_GENTOO",
               ],
               url: "https://security.gentoo.org/glsa/201909-01",
            },
            {
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://www.oracle.com/security-alerts/cpujul2020.html",
            },
            {
               tags: [
                  "x_refsource_CONFIRM",
               ],
               url: "https://support.apple.com/kb/HT209600",
            },
            {
               tags: [
                  "x_refsource_CONFIRM",
               ],
               url: "https://security.netapp.com/advisory/ntap-20190221-0003/",
            },
            {
               tags: [
                  "x_refsource_CONFIRM",
               ],
               url: "https://metacpan.org/changes/release/SHAY/perl-5.26.3",
            },
            {
               tags: [
                  "x_refsource_CONFIRM",
               ],
               url: "https://bugzilla.redhat.com/show_bug.cgi?id=1646738",
            },
            {
               tags: [
                  "x_refsource_CONFIRM",
               ],
               url: "https://rt.perl.org/Ticket/Display.html?id=133192",
            },
            {
               tags: [
                  "x_refsource_CONFIRM",
               ],
               url: "https://github.com/Perl/perl5/commit/43b2f4ef399e2fd7240b4eeb0658686ad95f8e62",
            },
         ],
         x_legacyV4Record: {
            CVE_data_meta: {
               ASSIGNER: "cve@mitre.org",
               ID: "CVE-2018-18313",
               STATE: "PUBLIC",
            },
            affects: {
               vendor: {
                  vendor_data: [
                     {
                        product: {
                           product_data: [
                              {
                                 product_name: "n/a",
                                 version: {
                                    version_data: [
                                       {
                                          version_value: "n/a",
                                       },
                                    ],
                                 },
                              },
                           ],
                        },
                        vendor_name: "n/a",
                     },
                  ],
               },
            },
            data_format: "MITRE",
            data_type: "CVE",
            data_version: "4.0",
            description: {
               description_data: [
                  {
                     lang: "eng",
                     value: "Perl before 5.26.3 has a buffer over-read via a crafted regular expression that triggers disclosure of sensitive information from process memory.",
                  },
               ],
            },
            problemtype: {
               problemtype_data: [
                  {
                     description: [
                        {
                           lang: "eng",
                           value: "n/a",
                        },
                     ],
                  },
               ],
            },
            references: {
               reference_data: [
                  {
                     name: "DSA-4347",
                     refsource: "DEBIAN",
                     url: "https://www.debian.org/security/2018/dsa-4347",
                  },
                  {
                     name: "1042181",
                     refsource: "SECTRACK",
                     url: "http://www.securitytracker.com/id/1042181",
                  },
                  {
                     name: "RHSA-2019:0010",
                     refsource: "REDHAT",
                     url: "https://access.redhat.com/errata/RHSA-2019:0010",
                  },
                  {
                     name: "USN-3834-2",
                     refsource: "UBUNTU",
                     url: "https://usn.ubuntu.com/3834-2/",
                  },
                  {
                     name: "FEDORA-2018-9dbe983805",
                     refsource: "FEDORA",
                     url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RWQGEB543QN7SSBRKYJM6PSOC3RLYGSM/",
                  },
                  {
                     name: "RHSA-2019:0001",
                     refsource: "REDHAT",
                     url: "https://access.redhat.com/errata/RHSA-2019:0001",
                  },
                  {
                     name: "USN-3834-1",
                     refsource: "UBUNTU",
                     url: "https://usn.ubuntu.com/3834-1/",
                  },
                  {
                     name: "20190326 APPLE-SA-2019-3-25-2 macOS Mojave 10.14.4, Security Update 2019-002 High Sierra, Security Update 2019-002 Sierra",
                     refsource: "BUGTRAQ",
                     url: "https://seclists.org/bugtraq/2019/Mar/42",
                  },
                  {
                     name: "20190326 APPLE-SA-2019-3-25-2 macOS Mojave 10.14.4, Security Update 2019-002 High Sierra, Security Update 2019-002 Sierra",
                     refsource: "FULLDISC",
                     url: "http://seclists.org/fulldisclosure/2019/Mar/49",
                  },
                  {
                     name: "GLSA-201909-01",
                     refsource: "GENTOO",
                     url: "https://security.gentoo.org/glsa/201909-01",
                  },
                  {
                     name: "https://www.oracle.com/security-alerts/cpujul2020.html",
                     refsource: "MISC",
                     url: "https://www.oracle.com/security-alerts/cpujul2020.html",
                  },
                  {
                     name: "https://support.apple.com/kb/HT209600",
                     refsource: "CONFIRM",
                     url: "https://support.apple.com/kb/HT209600",
                  },
                  {
                     name: "https://security.netapp.com/advisory/ntap-20190221-0003/",
                     refsource: "CONFIRM",
                     url: "https://security.netapp.com/advisory/ntap-20190221-0003/",
                  },
                  {
                     name: "https://metacpan.org/changes/release/SHAY/perl-5.26.3",
                     refsource: "CONFIRM",
                     url: "https://metacpan.org/changes/release/SHAY/perl-5.26.3",
                  },
                  {
                     name: "https://bugzilla.redhat.com/show_bug.cgi?id=1646738",
                     refsource: "CONFIRM",
                     url: "https://bugzilla.redhat.com/show_bug.cgi?id=1646738",
                  },
                  {
                     name: "https://rt.perl.org/Ticket/Display.html?id=133192",
                     refsource: "CONFIRM",
                     url: "https://rt.perl.org/Ticket/Display.html?id=133192",
                  },
                  {
                     name: "https://github.com/Perl/perl5/commit/43b2f4ef399e2fd7240b4eeb0658686ad95f8e62",
                     refsource: "CONFIRM",
                     url: "https://github.com/Perl/perl5/commit/43b2f4ef399e2fd7240b4eeb0658686ad95f8e62",
                  },
               ],
            },
         },
      },
   },
   cveMetadata: {
      assignerOrgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
      assignerShortName: "mitre",
      cveId: "CVE-2018-18313",
      datePublished: "2018-12-07T21:00:00",
      dateReserved: "2018-10-14T00:00:00",
      dateUpdated: "2024-08-05T11:08:21.173Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
}

cve-2018-18314
Vulnerability from cvelistv5
Published
2018-12-07 21:00
Modified
2024-08-05 11:08
Severity ?
Summary
Perl before 5.26.3 has a buffer overflow via a crafted regular expression that triggers invalid write operations.
Impacted products
Vendor Product Version
n/a n/a Version: n/a


{
   containers: {
      adp: [
         {
            providerMetadata: {
               dateUpdated: "2024-08-05T11:08:21.410Z",
               orgId: "af854a3a-2127-422b-91ae-364da2661108",
               shortName: "CVE",
            },
            references: [
               {
                  name: "DSA-4347",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_DEBIAN",
                     "x_transferred",
                  ],
                  url: "https://www.debian.org/security/2018/dsa-4347",
               },
               {
                  name: "106145",
                  tags: [
                     "vdb-entry",
                     "x_refsource_BID",
                     "x_transferred",
                  ],
                  url: "http://www.securityfocus.com/bid/106145",
               },
               {
                  name: "1042181",
                  tags: [
                     "vdb-entry",
                     "x_refsource_SECTRACK",
                     "x_transferred",
                  ],
                  url: "http://www.securitytracker.com/id/1042181",
               },
               {
                  name: "RHSA-2019:0010",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_REDHAT",
                     "x_transferred",
                  ],
                  url: "https://access.redhat.com/errata/RHSA-2019:0010",
               },
               {
                  name: "FEDORA-2018-9dbe983805",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_FEDORA",
                     "x_transferred",
                  ],
                  url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RWQGEB543QN7SSBRKYJM6PSOC3RLYGSM/",
               },
               {
                  name: "RHSA-2019:0001",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_REDHAT",
                     "x_transferred",
                  ],
                  url: "https://access.redhat.com/errata/RHSA-2019:0001",
               },
               {
                  name: "USN-3834-1",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_UBUNTU",
                     "x_transferred",
                  ],
                  url: "https://usn.ubuntu.com/3834-1/",
               },
               {
                  name: "GLSA-201909-01",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_GENTOO",
                     "x_transferred",
                  ],
                  url: "https://security.gentoo.org/glsa/201909-01",
               },
               {
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://www.oracle.com/security-alerts/cpujul2020.html",
               },
               {
                  tags: [
                     "x_refsource_CONFIRM",
                     "x_transferred",
                  ],
                  url: "https://security.netapp.com/advisory/ntap-20190221-0003/",
               },
               {
                  tags: [
                     "x_refsource_CONFIRM",
                     "x_transferred",
                  ],
                  url: "https://metacpan.org/changes/release/SHAY/perl-5.26.3",
               },
               {
                  tags: [
                     "x_refsource_CONFIRM",
                     "x_transferred",
                  ],
                  url: "https://github.com/Perl/perl5/commit/19a498a461d7c81ae3507c450953d1148efecf4f",
               },
               {
                  tags: [
                     "x_refsource_CONFIRM",
                     "x_transferred",
                  ],
                  url: "https://bugzilla.redhat.com/show_bug.cgi?id=1646751",
               },
               {
                  tags: [
                     "x_refsource_CONFIRM",
                     "x_transferred",
                  ],
                  url: "https://rt.perl.org/Ticket/Display.html?id=131649",
               },
            ],
            title: "CVE Program Container",
         },
      ],
      cna: {
         affected: [
            {
               product: "n/a",
               vendor: "n/a",
               versions: [
                  {
                     status: "affected",
                     version: "n/a",
                  },
               ],
            },
         ],
         datePublic: "2018-11-29T00:00:00",
         descriptions: [
            {
               lang: "en",
               value: "Perl before 5.26.3 has a buffer overflow via a crafted regular expression that triggers invalid write operations.",
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     description: "n/a",
                     lang: "en",
                     type: "text",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2020-07-15T02:22:57",
            orgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            shortName: "mitre",
         },
         references: [
            {
               name: "DSA-4347",
               tags: [
                  "vendor-advisory",
                  "x_refsource_DEBIAN",
               ],
               url: "https://www.debian.org/security/2018/dsa-4347",
            },
            {
               name: "106145",
               tags: [
                  "vdb-entry",
                  "x_refsource_BID",
               ],
               url: "http://www.securityfocus.com/bid/106145",
            },
            {
               name: "1042181",
               tags: [
                  "vdb-entry",
                  "x_refsource_SECTRACK",
               ],
               url: "http://www.securitytracker.com/id/1042181",
            },
            {
               name: "RHSA-2019:0010",
               tags: [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
               ],
               url: "https://access.redhat.com/errata/RHSA-2019:0010",
            },
            {
               name: "FEDORA-2018-9dbe983805",
               tags: [
                  "vendor-advisory",
                  "x_refsource_FEDORA",
               ],
               url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RWQGEB543QN7SSBRKYJM6PSOC3RLYGSM/",
            },
            {
               name: "RHSA-2019:0001",
               tags: [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
               ],
               url: "https://access.redhat.com/errata/RHSA-2019:0001",
            },
            {
               name: "USN-3834-1",
               tags: [
                  "vendor-advisory",
                  "x_refsource_UBUNTU",
               ],
               url: "https://usn.ubuntu.com/3834-1/",
            },
            {
               name: "GLSA-201909-01",
               tags: [
                  "vendor-advisory",
                  "x_refsource_GENTOO",
               ],
               url: "https://security.gentoo.org/glsa/201909-01",
            },
            {
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://www.oracle.com/security-alerts/cpujul2020.html",
            },
            {
               tags: [
                  "x_refsource_CONFIRM",
               ],
               url: "https://security.netapp.com/advisory/ntap-20190221-0003/",
            },
            {
               tags: [
                  "x_refsource_CONFIRM",
               ],
               url: "https://metacpan.org/changes/release/SHAY/perl-5.26.3",
            },
            {
               tags: [
                  "x_refsource_CONFIRM",
               ],
               url: "https://github.com/Perl/perl5/commit/19a498a461d7c81ae3507c450953d1148efecf4f",
            },
            {
               tags: [
                  "x_refsource_CONFIRM",
               ],
               url: "https://bugzilla.redhat.com/show_bug.cgi?id=1646751",
            },
            {
               tags: [
                  "x_refsource_CONFIRM",
               ],
               url: "https://rt.perl.org/Ticket/Display.html?id=131649",
            },
         ],
         x_legacyV4Record: {
            CVE_data_meta: {
               ASSIGNER: "cve@mitre.org",
               ID: "CVE-2018-18314",
               STATE: "PUBLIC",
            },
            affects: {
               vendor: {
                  vendor_data: [
                     {
                        product: {
                           product_data: [
                              {
                                 product_name: "n/a",
                                 version: {
                                    version_data: [
                                       {
                                          version_value: "n/a",
                                       },
                                    ],
                                 },
                              },
                           ],
                        },
                        vendor_name: "n/a",
                     },
                  ],
               },
            },
            data_format: "MITRE",
            data_type: "CVE",
            data_version: "4.0",
            description: {
               description_data: [
                  {
                     lang: "eng",
                     value: "Perl before 5.26.3 has a buffer overflow via a crafted regular expression that triggers invalid write operations.",
                  },
               ],
            },
            problemtype: {
               problemtype_data: [
                  {
                     description: [
                        {
                           lang: "eng",
                           value: "n/a",
                        },
                     ],
                  },
               ],
            },
            references: {
               reference_data: [
                  {
                     name: "DSA-4347",
                     refsource: "DEBIAN",
                     url: "https://www.debian.org/security/2018/dsa-4347",
                  },
                  {
                     name: "106145",
                     refsource: "BID",
                     url: "http://www.securityfocus.com/bid/106145",
                  },
                  {
                     name: "1042181",
                     refsource: "SECTRACK",
                     url: "http://www.securitytracker.com/id/1042181",
                  },
                  {
                     name: "RHSA-2019:0010",
                     refsource: "REDHAT",
                     url: "https://access.redhat.com/errata/RHSA-2019:0010",
                  },
                  {
                     name: "FEDORA-2018-9dbe983805",
                     refsource: "FEDORA",
                     url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RWQGEB543QN7SSBRKYJM6PSOC3RLYGSM/",
                  },
                  {
                     name: "RHSA-2019:0001",
                     refsource: "REDHAT",
                     url: "https://access.redhat.com/errata/RHSA-2019:0001",
                  },
                  {
                     name: "USN-3834-1",
                     refsource: "UBUNTU",
                     url: "https://usn.ubuntu.com/3834-1/",
                  },
                  {
                     name: "GLSA-201909-01",
                     refsource: "GENTOO",
                     url: "https://security.gentoo.org/glsa/201909-01",
                  },
                  {
                     name: "https://www.oracle.com/security-alerts/cpujul2020.html",
                     refsource: "MISC",
                     url: "https://www.oracle.com/security-alerts/cpujul2020.html",
                  },
                  {
                     name: "https://security.netapp.com/advisory/ntap-20190221-0003/",
                     refsource: "CONFIRM",
                     url: "https://security.netapp.com/advisory/ntap-20190221-0003/",
                  },
                  {
                     name: "https://metacpan.org/changes/release/SHAY/perl-5.26.3",
                     refsource: "CONFIRM",
                     url: "https://metacpan.org/changes/release/SHAY/perl-5.26.3",
                  },
                  {
                     name: "https://github.com/Perl/perl5/commit/19a498a461d7c81ae3507c450953d1148efecf4f",
                     refsource: "CONFIRM",
                     url: "https://github.com/Perl/perl5/commit/19a498a461d7c81ae3507c450953d1148efecf4f",
                  },
                  {
                     name: "https://bugzilla.redhat.com/show_bug.cgi?id=1646751",
                     refsource: "CONFIRM",
                     url: "https://bugzilla.redhat.com/show_bug.cgi?id=1646751",
                  },
                  {
                     name: "https://rt.perl.org/Ticket/Display.html?id=131649",
                     refsource: "CONFIRM",
                     url: "https://rt.perl.org/Ticket/Display.html?id=131649",
                  },
               ],
            },
         },
      },
   },
   cveMetadata: {
      assignerOrgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
      assignerShortName: "mitre",
      cveId: "CVE-2018-18314",
      datePublished: "2018-12-07T21:00:00",
      dateReserved: "2018-10-14T00:00:00",
      dateUpdated: "2024-08-05T11:08:21.410Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
}

cve-2022-29824
Vulnerability from cvelistv5
Published
2022-05-03 00:00
Modified
2024-08-03 06:33
Severity ?
Summary
In libxml2 before 2.9.14, several buffer handling functions in buf.c (xmlBuf*) and tree.c (xmlBuffer*) don't check for integer overflows. This can result in out-of-bounds memory writes. Exploitation requires a victim to open a crafted, multi-gigabyte XML file. Other software using libxml2's buffer functions, for example libxslt through 1.1.35, is affected as well.
Impacted products
Vendor Product Version
n/a n/a Version: n/a


{
   containers: {
      adp: [
         {
            providerMetadata: {
               dateUpdated: "2024-08-03T06:33:42.645Z",
               orgId: "af854a3a-2127-422b-91ae-364da2661108",
               shortName: "CVE",
            },
            references: [
               {
                  tags: [
                     "x_transferred",
                  ],
                  url: "https://gitlab.gnome.org/GNOME/libxslt/-/tags",
               },
               {
                  name: "FEDORA-2022-9136d646e4",
                  tags: [
                     "vendor-advisory",
                     "x_transferred",
                  ],
                  url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FZOBT5Y6Y2QLDDX2HZGMV7MJMWGXORKK/",
               },
               {
                  name: "FEDORA-2022-be6d83642a",
                  tags: [
                     "vendor-advisory",
                     "x_transferred",
                  ],
                  url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/P5363EDV5VHZ5C77ODA43RYDCPMA7ARM/",
               },
               {
                  name: "[debian-lts-announce] 20220516 [SECURITY] [DLA 3012-1] libxml2 security update",
                  tags: [
                     "mailing-list",
                     "x_transferred",
                  ],
                  url: "https://lists.debian.org/debian-lts-announce/2022/05/msg00023.html",
               },
               {
                  name: "FEDORA-2022-f624aad735",
                  tags: [
                     "vendor-advisory",
                     "x_transferred",
                  ],
                  url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/P3NVZVWFRBXBI3AKZZWUWY6INQQPQVSF/",
               },
               {
                  name: "DSA-5142",
                  tags: [
                     "vendor-advisory",
                     "x_transferred",
                  ],
                  url: "https://www.debian.org/security/2022/dsa-5142",
               },
               {
                  tags: [
                     "x_transferred",
                  ],
                  url: "https://www.oracle.com/security-alerts/cpujul2022.html",
               },
               {
                  tags: [
                     "x_transferred",
                  ],
                  url: "https://gitlab.gnome.org/GNOME/libxml2/-/tags/v2.9.14",
               },
               {
                  tags: [
                     "x_transferred",
                  ],
                  url: "https://gitlab.gnome.org/GNOME/libxml2/-/commit/2554a2408e09f13652049e5ffb0d26196b02ebab",
               },
               {
                  tags: [
                     "x_transferred",
                  ],
                  url: "https://gitlab.gnome.org/GNOME/libxml2/-/commit/6c283d83eccd940bcde15634ac8c7f100e3caefd",
               },
               {
                  tags: [
                     "x_transferred",
                  ],
                  url: "http://packetstormsecurity.com/files/167345/libxml2-xmlBufAdd-Heap-Buffer-Overflow.html",
               },
               {
                  tags: [
                     "x_transferred",
                  ],
                  url: "https://security.netapp.com/advisory/ntap-20220715-0006/",
               },
               {
                  name: "GLSA-202210-03",
                  tags: [
                     "vendor-advisory",
                     "x_transferred",
                  ],
                  url: "https://security.gentoo.org/glsa/202210-03",
               },
               {
                  tags: [
                     "x_transferred",
                  ],
                  url: "http://packetstormsecurity.com/files/169825/libxml2-xmlParseNameComplex-Integer-Overflow.html",
               },
            ],
            title: "CVE Program Container",
         },
      ],
      cna: {
         affected: [
            {
               product: "n/a",
               vendor: "n/a",
               versions: [
                  {
                     status: "affected",
                     version: "n/a",
                  },
               ],
            },
         ],
         descriptions: [
            {
               lang: "en",
               value: "In libxml2 before 2.9.14, several buffer handling functions in buf.c (xmlBuf*) and tree.c (xmlBuffer*) don't check for integer overflows. This can result in out-of-bounds memory writes. Exploitation requires a victim to open a crafted, multi-gigabyte XML file. Other software using libxml2's buffer functions, for example libxslt through 1.1.35, is affected as well.",
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     description: "n/a",
                     lang: "en",
                     type: "text",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2022-11-14T00:00:00",
            orgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            shortName: "mitre",
         },
         references: [
            {
               url: "https://gitlab.gnome.org/GNOME/libxslt/-/tags",
            },
            {
               name: "FEDORA-2022-9136d646e4",
               tags: [
                  "vendor-advisory",
               ],
               url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FZOBT5Y6Y2QLDDX2HZGMV7MJMWGXORKK/",
            },
            {
               name: "FEDORA-2022-be6d83642a",
               tags: [
                  "vendor-advisory",
               ],
               url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/P5363EDV5VHZ5C77ODA43RYDCPMA7ARM/",
            },
            {
               name: "[debian-lts-announce] 20220516 [SECURITY] [DLA 3012-1] libxml2 security update",
               tags: [
                  "mailing-list",
               ],
               url: "https://lists.debian.org/debian-lts-announce/2022/05/msg00023.html",
            },
            {
               name: "FEDORA-2022-f624aad735",
               tags: [
                  "vendor-advisory",
               ],
               url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/P3NVZVWFRBXBI3AKZZWUWY6INQQPQVSF/",
            },
            {
               name: "DSA-5142",
               tags: [
                  "vendor-advisory",
               ],
               url: "https://www.debian.org/security/2022/dsa-5142",
            },
            {
               url: "https://www.oracle.com/security-alerts/cpujul2022.html",
            },
            {
               url: "https://gitlab.gnome.org/GNOME/libxml2/-/tags/v2.9.14",
            },
            {
               url: "https://gitlab.gnome.org/GNOME/libxml2/-/commit/2554a2408e09f13652049e5ffb0d26196b02ebab",
            },
            {
               url: "https://gitlab.gnome.org/GNOME/libxml2/-/commit/6c283d83eccd940bcde15634ac8c7f100e3caefd",
            },
            {
               url: "http://packetstormsecurity.com/files/167345/libxml2-xmlBufAdd-Heap-Buffer-Overflow.html",
            },
            {
               url: "https://security.netapp.com/advisory/ntap-20220715-0006/",
            },
            {
               name: "GLSA-202210-03",
               tags: [
                  "vendor-advisory",
               ],
               url: "https://security.gentoo.org/glsa/202210-03",
            },
            {
               url: "http://packetstormsecurity.com/files/169825/libxml2-xmlParseNameComplex-Integer-Overflow.html",
            },
         ],
      },
   },
   cveMetadata: {
      assignerOrgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
      assignerShortName: "mitre",
      cveId: "CVE-2022-29824",
      datePublished: "2022-05-03T00:00:00",
      dateReserved: "2022-04-27T00:00:00",
      dateUpdated: "2024-08-03T06:33:42.645Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
}

cve-2020-24977
Vulnerability from cvelistv5
Published
2020-09-03 23:20
Modified
2024-08-04 15:26
Severity ?
Summary
GNOME project libxml2 v2.9.10 has a global buffer over-read vulnerability in xmlEncodeEntitiesInternal at libxml2/entities.c. The issue has been fixed in commit 50f06b3e.
References
https://gitlab.gnome.org/GNOME/libxml2/-/issues/178 x_refsource_MISC
https://lists.debian.org/debian-lts-announce/2020/09/msg00009.html mailing-list, x_refsource_MLIST
http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00036.html vendor-advisory, x_refsource_SUSE
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2NQ5GTDYOVH26PBCPYXXMGW5ZZXWMGZC/ vendor-advisory, x_refsource_FEDORA
http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00061.html vendor-advisory, x_refsource_SUSE
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/H3IQ7OQXBKWD3YP7HO6KCNOMLE5ZO2IR/ vendor-advisory, x_refsource_FEDORA
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/O7MEWYKIKMV2SKMGH4IDWVU3ZGJXBCPQ/ vendor-advisory, x_refsource_FEDORA
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7KQXOHIE3MNY3VQXEN7LDQUJNIHOVHAW/ vendor-advisory, x_refsource_FEDORA
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JCHXIWR5DHYO3RSO7RAHEC6VJKXD2EH2/ vendor-advisory, x_refsource_FEDORA
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/J3ICASXZI2UQYFJAOQWHSTNWGED3VXOE/ vendor-advisory, x_refsource_FEDORA
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ENEHQIBMSI6TZVS35Y6I4FCTYUQDLJVP/ vendor-advisory, x_refsource_FEDORA
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RIQAMBA2IJUTQG5VOP5LZVIZRNCKXHEQ/ vendor-advisory, x_refsource_FEDORA
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5KTUAGDLEHTH6HU66HBFAFTSQ3OKRAN3/ vendor-advisory, x_refsource_FEDORA
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/674LQPJO2P2XTBTREFR5LOZMBTZ4PZAY/ vendor-advisory, x_refsource_FEDORA
https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772%40%3Cdev.mina.apache.org%3E mailing-list, x_refsource_MLIST
https://security.gentoo.org/glsa/202107-05 vendor-advisory, x_refsource_GENTOO
https://www.oracle.com/security-alerts/cpuoct2021.html x_refsource_MISC
https://security.netapp.com/advisory/ntap-20200924-0001/ x_refsource_CONFIRM
https://security.netapp.com/advisory/ntap-20200924-0001/ x_refsource_MISC
https://gitlab.gnome.org/GNOME/libxml2/-/commit/50f06b3efb638efb0abd95dc62dca05ae67882c2 x_refsource_MISC
https://www.oracle.com/security-alerts/cpuapr2022.html x_refsource_MISC
https://www.oracle.com/security-alerts/cpujul2022.html x_refsource_MISC
Impacted products
Vendor Product Version
n/a n/a Version: n/a


{
   containers: {
      adp: [
         {
            providerMetadata: {
               dateUpdated: "2024-08-04T15:26:08.992Z",
               orgId: "af854a3a-2127-422b-91ae-364da2661108",
               shortName: "CVE",
            },
            references: [
               {
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://gitlab.gnome.org/GNOME/libxml2/-/issues/178",
               },
               {
                  name: "[debian-lts-announce] 20200909 [SECURITY] [DLA 2369-1] libxml2 security update",
                  tags: [
                     "mailing-list",
                     "x_refsource_MLIST",
                     "x_transferred",
                  ],
                  url: "https://lists.debian.org/debian-lts-announce/2020/09/msg00009.html",
               },
               {
                  name: "openSUSE-SU-2020:1430",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_SUSE",
                     "x_transferred",
                  ],
                  url: "http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00036.html",
               },
               {
                  name: "FEDORA-2020-35087800be",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_FEDORA",
                     "x_transferred",
                  ],
                  url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2NQ5GTDYOVH26PBCPYXXMGW5ZZXWMGZC/",
               },
               {
                  name: "openSUSE-SU-2020:1465",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_SUSE",
                     "x_transferred",
                  ],
                  url: "http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00061.html",
               },
               {
                  name: "FEDORA-2020-7dd29dacad",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_FEDORA",
                     "x_transferred",
                  ],
                  url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/H3IQ7OQXBKWD3YP7HO6KCNOMLE5ZO2IR/",
               },
               {
                  name: "FEDORA-2020-b60dbdd538",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_FEDORA",
                     "x_transferred",
                  ],
                  url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/O7MEWYKIKMV2SKMGH4IDWVU3ZGJXBCPQ/",
               },
               {
                  name: "FEDORA-2020-be489044df",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_FEDORA",
                     "x_transferred",
                  ],
                  url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7KQXOHIE3MNY3VQXEN7LDQUJNIHOVHAW/",
               },
               {
                  name: "FEDORA-2020-dd2fc19b78",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_FEDORA",
                     "x_transferred",
                  ],
                  url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JCHXIWR5DHYO3RSO7RAHEC6VJKXD2EH2/",
               },
               {
                  name: "FEDORA-2020-20ab468a33",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_FEDORA",
                     "x_transferred",
                  ],
                  url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/J3ICASXZI2UQYFJAOQWHSTNWGED3VXOE/",
               },
               {
                  name: "FEDORA-2020-935f62c3d9",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_FEDORA",
                     "x_transferred",
                  ],
                  url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ENEHQIBMSI6TZVS35Y6I4FCTYUQDLJVP/",
               },
               {
                  name: "FEDORA-2020-7773c53bc8",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_FEDORA",
                     "x_transferred",
                  ],
                  url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RIQAMBA2IJUTQG5VOP5LZVIZRNCKXHEQ/",
               },
               {
                  name: "FEDORA-2020-ff317550e4",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_FEDORA",
                     "x_transferred",
                  ],
                  url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5KTUAGDLEHTH6HU66HBFAFTSQ3OKRAN3/",
               },
               {
                  name: "FEDORA-2020-b6aaf25741",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_FEDORA",
                     "x_transferred",
                  ],
                  url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/674LQPJO2P2XTBTREFR5LOZMBTZ4PZAY/",
               },
               {
                  name: "[mina-dev] 20210225 [jira] [Created] (FTPSERVER-500) Security vulnerability in common/lib/log4j-1.2.17.jar",
                  tags: [
                     "mailing-list",
                     "x_refsource_MLIST",
                     "x_transferred",
                  ],
                  url: "https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772%40%3Cdev.mina.apache.org%3E",
               },
               {
                  name: "GLSA-202107-05",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_GENTOO",
                     "x_transferred",
                  ],
                  url: "https://security.gentoo.org/glsa/202107-05",
               },
               {
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://www.oracle.com/security-alerts/cpuoct2021.html",
               },
               {
                  tags: [
                     "x_refsource_CONFIRM",
                     "x_transferred",
                  ],
                  url: "https://security.netapp.com/advisory/ntap-20200924-0001/",
               },
               {
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://security.netapp.com/advisory/ntap-20200924-0001/",
               },
               {
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://gitlab.gnome.org/GNOME/libxml2/-/commit/50f06b3efb638efb0abd95dc62dca05ae67882c2",
               },
               {
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://www.oracle.com/security-alerts/cpuapr2022.html",
               },
               {
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://www.oracle.com/security-alerts/cpujul2022.html",
               },
            ],
            title: "CVE Program Container",
         },
      ],
      cna: {
         affected: [
            {
               product: "n/a",
               vendor: "n/a",
               versions: [
                  {
                     status: "affected",
                     version: "n/a",
                  },
               ],
            },
         ],
         descriptions: [
            {
               lang: "en",
               value: "GNOME project libxml2 v2.9.10 has a global buffer over-read vulnerability in xmlEncodeEntitiesInternal at libxml2/entities.c. The issue has been fixed in commit 50f06b3e.",
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     description: "n/a",
                     lang: "en",
                     type: "text",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2022-07-25T16:15:07",
            orgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            shortName: "mitre",
         },
         references: [
            {
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://gitlab.gnome.org/GNOME/libxml2/-/issues/178",
            },
            {
               name: "[debian-lts-announce] 20200909 [SECURITY] [DLA 2369-1] libxml2 security update",
               tags: [
                  "mailing-list",
                  "x_refsource_MLIST",
               ],
               url: "https://lists.debian.org/debian-lts-announce/2020/09/msg00009.html",
            },
            {
               name: "openSUSE-SU-2020:1430",
               tags: [
                  "vendor-advisory",
                  "x_refsource_SUSE",
               ],
               url: "http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00036.html",
            },
            {
               name: "FEDORA-2020-35087800be",
               tags: [
                  "vendor-advisory",
                  "x_refsource_FEDORA",
               ],
               url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2NQ5GTDYOVH26PBCPYXXMGW5ZZXWMGZC/",
            },
            {
               name: "openSUSE-SU-2020:1465",
               tags: [
                  "vendor-advisory",
                  "x_refsource_SUSE",
               ],
               url: "http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00061.html",
            },
            {
               name: "FEDORA-2020-7dd29dacad",
               tags: [
                  "vendor-advisory",
                  "x_refsource_FEDORA",
               ],
               url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/H3IQ7OQXBKWD3YP7HO6KCNOMLE5ZO2IR/",
            },
            {
               name: "FEDORA-2020-b60dbdd538",
               tags: [
                  "vendor-advisory",
                  "x_refsource_FEDORA",
               ],
               url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/O7MEWYKIKMV2SKMGH4IDWVU3ZGJXBCPQ/",
            },
            {
               name: "FEDORA-2020-be489044df",
               tags: [
                  "vendor-advisory",
                  "x_refsource_FEDORA",
               ],
               url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7KQXOHIE3MNY3VQXEN7LDQUJNIHOVHAW/",
            },
            {
               name: "FEDORA-2020-dd2fc19b78",
               tags: [
                  "vendor-advisory",
                  "x_refsource_FEDORA",
               ],
               url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JCHXIWR5DHYO3RSO7RAHEC6VJKXD2EH2/",
            },
            {
               name: "FEDORA-2020-20ab468a33",
               tags: [
                  "vendor-advisory",
                  "x_refsource_FEDORA",
               ],
               url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/J3ICASXZI2UQYFJAOQWHSTNWGED3VXOE/",
            },
            {
               name: "FEDORA-2020-935f62c3d9",
               tags: [
                  "vendor-advisory",
                  "x_refsource_FEDORA",
               ],
               url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ENEHQIBMSI6TZVS35Y6I4FCTYUQDLJVP/",
            },
            {
               name: "FEDORA-2020-7773c53bc8",
               tags: [
                  "vendor-advisory",
                  "x_refsource_FEDORA",
               ],
               url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RIQAMBA2IJUTQG5VOP5LZVIZRNCKXHEQ/",
            },
            {
               name: "FEDORA-2020-ff317550e4",
               tags: [
                  "vendor-advisory",
                  "x_refsource_FEDORA",
               ],
               url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5KTUAGDLEHTH6HU66HBFAFTSQ3OKRAN3/",
            },
            {
               name: "FEDORA-2020-b6aaf25741",
               tags: [
                  "vendor-advisory",
                  "x_refsource_FEDORA",
               ],
               url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/674LQPJO2P2XTBTREFR5LOZMBTZ4PZAY/",
            },
            {
               name: "[mina-dev] 20210225 [jira] [Created] (FTPSERVER-500) Security vulnerability in common/lib/log4j-1.2.17.jar",
               tags: [
                  "mailing-list",
                  "x_refsource_MLIST",
               ],
               url: "https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772%40%3Cdev.mina.apache.org%3E",
            },
            {
               name: "GLSA-202107-05",
               tags: [
                  "vendor-advisory",
                  "x_refsource_GENTOO",
               ],
               url: "https://security.gentoo.org/glsa/202107-05",
            },
            {
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://www.oracle.com/security-alerts/cpuoct2021.html",
            },
            {
               tags: [
                  "x_refsource_CONFIRM",
               ],
               url: "https://security.netapp.com/advisory/ntap-20200924-0001/",
            },
            {
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://security.netapp.com/advisory/ntap-20200924-0001/",
            },
            {
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://gitlab.gnome.org/GNOME/libxml2/-/commit/50f06b3efb638efb0abd95dc62dca05ae67882c2",
            },
            {
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://www.oracle.com/security-alerts/cpuapr2022.html",
            },
            {
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://www.oracle.com/security-alerts/cpujul2022.html",
            },
         ],
         x_legacyV4Record: {
            CVE_data_meta: {
               ASSIGNER: "cve@mitre.org",
               ID: "CVE-2020-24977",
               STATE: "PUBLIC",
            },
            affects: {
               vendor: {
                  vendor_data: [
                     {
                        product: {
                           product_data: [
                              {
                                 product_name: "n/a",
                                 version: {
                                    version_data: [
                                       {
                                          version_value: "n/a",
                                       },
                                    ],
                                 },
                              },
                           ],
                        },
                        vendor_name: "n/a",
                     },
                  ],
               },
            },
            data_format: "MITRE",
            data_type: "CVE",
            data_version: "4.0",
            description: {
               description_data: [
                  {
                     lang: "eng",
                     value: "GNOME project libxml2 v2.9.10 has a global buffer over-read vulnerability in xmlEncodeEntitiesInternal at libxml2/entities.c. The issue has been fixed in commit 50f06b3e.",
                  },
               ],
            },
            problemtype: {
               problemtype_data: [
                  {
                     description: [
                        {
                           lang: "eng",
                           value: "n/a",
                        },
                     ],
                  },
               ],
            },
            references: {
               reference_data: [
                  {
                     name: "https://gitlab.gnome.org/GNOME/libxml2/-/issues/178",
                     refsource: "MISC",
                     url: "https://gitlab.gnome.org/GNOME/libxml2/-/issues/178",
                  },
                  {
                     name: "[debian-lts-announce] 20200909 [SECURITY] [DLA 2369-1] libxml2 security update",
                     refsource: "MLIST",
                     url: "https://lists.debian.org/debian-lts-announce/2020/09/msg00009.html",
                  },
                  {
                     name: "openSUSE-SU-2020:1430",
                     refsource: "SUSE",
                     url: "http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00036.html",
                  },
                  {
                     name: "FEDORA-2020-35087800be",
                     refsource: "FEDORA",
                     url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2NQ5GTDYOVH26PBCPYXXMGW5ZZXWMGZC/",
                  },
                  {
                     name: "openSUSE-SU-2020:1465",
                     refsource: "SUSE",
                     url: "http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00061.html",
                  },
                  {
                     name: "FEDORA-2020-7dd29dacad",
                     refsource: "FEDORA",
                     url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/H3IQ7OQXBKWD3YP7HO6KCNOMLE5ZO2IR/",
                  },
                  {
                     name: "FEDORA-2020-b60dbdd538",
                     refsource: "FEDORA",
                     url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/O7MEWYKIKMV2SKMGH4IDWVU3ZGJXBCPQ/",
                  },
                  {
                     name: "FEDORA-2020-be489044df",
                     refsource: "FEDORA",
                     url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7KQXOHIE3MNY3VQXEN7LDQUJNIHOVHAW/",
                  },
                  {
                     name: "FEDORA-2020-dd2fc19b78",
                     refsource: "FEDORA",
                     url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JCHXIWR5DHYO3RSO7RAHEC6VJKXD2EH2/",
                  },
                  {
                     name: "FEDORA-2020-20ab468a33",
                     refsource: "FEDORA",
                     url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/J3ICASXZI2UQYFJAOQWHSTNWGED3VXOE/",
                  },
                  {
                     name: "FEDORA-2020-935f62c3d9",
                     refsource: "FEDORA",
                     url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ENEHQIBMSI6TZVS35Y6I4FCTYUQDLJVP/",
                  },
                  {
                     name: "FEDORA-2020-7773c53bc8",
                     refsource: "FEDORA",
                     url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RIQAMBA2IJUTQG5VOP5LZVIZRNCKXHEQ/",
                  },
                  {
                     name: "FEDORA-2020-ff317550e4",
                     refsource: "FEDORA",
                     url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5KTUAGDLEHTH6HU66HBFAFTSQ3OKRAN3/",
                  },
                  {
                     name: "FEDORA-2020-b6aaf25741",
                     refsource: "FEDORA",
                     url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/674LQPJO2P2XTBTREFR5LOZMBTZ4PZAY/",
                  },
                  {
                     name: "[mina-dev] 20210225 [jira] [Created] (FTPSERVER-500) Security vulnerability in common/lib/log4j-1.2.17.jar",
                     refsource: "MLIST",
                     url: "https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772@%3Cdev.mina.apache.org%3E",
                  },
                  {
                     name: "GLSA-202107-05",
                     refsource: "GENTOO",
                     url: "https://security.gentoo.org/glsa/202107-05",
                  },
                  {
                     name: "https://www.oracle.com/security-alerts/cpuoct2021.html",
                     refsource: "MISC",
                     url: "https://www.oracle.com/security-alerts/cpuoct2021.html",
                  },
                  {
                     name: "https://security.netapp.com/advisory/ntap-20200924-0001/",
                     refsource: "CONFIRM",
                     url: "https://security.netapp.com/advisory/ntap-20200924-0001/",
                  },
                  {
                     name: "https://security.netapp.com/advisory/ntap-20200924-0001/",
                     refsource: "MISC",
                     url: "https://security.netapp.com/advisory/ntap-20200924-0001/",
                  },
                  {
                     name: "https://gitlab.gnome.org/GNOME/libxml2/-/commit/50f06b3efb638efb0abd95dc62dca05ae67882c2",
                     refsource: "MISC",
                     url: "https://gitlab.gnome.org/GNOME/libxml2/-/commit/50f06b3efb638efb0abd95dc62dca05ae67882c2",
                  },
                  {
                     name: "https://www.oracle.com/security-alerts/cpuapr2022.html",
                     refsource: "MISC",
                     url: "https://www.oracle.com/security-alerts/cpuapr2022.html",
                  },
                  {
                     name: "https://www.oracle.com/security-alerts/cpujul2022.html",
                     refsource: "MISC",
                     url: "https://www.oracle.com/security-alerts/cpujul2022.html",
                  },
               ],
            },
         },
      },
   },
   cveMetadata: {
      assignerOrgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
      assignerShortName: "mitre",
      cveId: "CVE-2020-24977",
      datePublished: "2020-09-03T23:20:35",
      dateReserved: "2020-08-28T00:00:00",
      dateUpdated: "2024-08-04T15:26:08.992Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
}

cve-2018-18312
Vulnerability from cvelistv5
Published
2018-12-05 22:00
Modified
2024-08-05 11:08
Severity ?
Summary
Perl before 5.26.3 and 5.28.0 before 5.28.1 has a buffer overflow via a crafted regular expression that triggers invalid write operations.
Impacted products
Vendor Product Version
n/a n/a Version: n/a


{
   containers: {
      adp: [
         {
            providerMetadata: {
               dateUpdated: "2024-08-05T11:08:21.746Z",
               orgId: "af854a3a-2127-422b-91ae-364da2661108",
               shortName: "CVE",
            },
            references: [
               {
                  name: "DSA-4347",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_DEBIAN",
                     "x_transferred",
                  ],
                  url: "https://www.debian.org/security/2018/dsa-4347",
               },
               {
                  name: "106179",
                  tags: [
                     "vdb-entry",
                     "x_refsource_BID",
                     "x_transferred",
                  ],
                  url: "http://www.securityfocus.com/bid/106179",
               },
               {
                  name: "1042181",
                  tags: [
                     "vdb-entry",
                     "x_refsource_SECTRACK",
                     "x_transferred",
                  ],
                  url: "http://www.securitytracker.com/id/1042181",
               },
               {
                  name: "RHSA-2019:0010",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_REDHAT",
                     "x_transferred",
                  ],
                  url: "https://access.redhat.com/errata/RHSA-2019:0010",
               },
               {
                  name: "FEDORA-2018-9dbe983805",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_FEDORA",
                     "x_transferred",
                  ],
                  url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RWQGEB543QN7SSBRKYJM6PSOC3RLYGSM/",
               },
               {
                  name: "RHSA-2019:0001",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_REDHAT",
                     "x_transferred",
                  ],
                  url: "https://access.redhat.com/errata/RHSA-2019:0001",
               },
               {
                  name: "USN-3834-1",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_UBUNTU",
                     "x_transferred",
                  ],
                  url: "https://usn.ubuntu.com/3834-1/",
               },
               {
                  name: "GLSA-201909-01",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_GENTOO",
                     "x_transferred",
                  ],
                  url: "https://security.gentoo.org/glsa/201909-01",
               },
               {
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://www.oracle.com/security-alerts/cpujul2020.html",
               },
               {
                  tags: [
                     "x_refsource_CONFIRM",
                     "x_transferred",
                  ],
                  url: "https://security.netapp.com/advisory/ntap-20190221-0003/",
               },
               {
                  tags: [
                     "x_refsource_CONFIRM",
                     "x_transferred",
                  ],
                  url: "https://metacpan.org/changes/release/SHAY/perl-5.26.3",
               },
               {
                  tags: [
                     "x_refsource_CONFIRM",
                     "x_transferred",
                  ],
                  url: "https://metacpan.org/changes/release/SHAY/perl-5.28.1",
               },
               {
                  tags: [
                     "x_refsource_CONFIRM",
                     "x_transferred",
                  ],
                  url: "https://bugzilla.redhat.com/show_bug.cgi?id=1646734",
               },
               {
                  tags: [
                     "x_refsource_CONFIRM",
                     "x_transferred",
                  ],
                  url: "https://rt.perl.org/Public/Bug/Display.html?id=133423",
               },
            ],
            title: "CVE Program Container",
         },
      ],
      cna: {
         affected: [
            {
               product: "n/a",
               vendor: "n/a",
               versions: [
                  {
                     status: "affected",
                     version: "n/a",
                  },
               ],
            },
         ],
         datePublic: "2018-11-29T00:00:00",
         descriptions: [
            {
               lang: "en",
               value: "Perl before 5.26.3 and 5.28.0 before 5.28.1 has a buffer overflow via a crafted regular expression that triggers invalid write operations.",
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     description: "n/a",
                     lang: "en",
                     type: "text",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2020-07-15T02:22:57",
            orgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            shortName: "mitre",
         },
         references: [
            {
               name: "DSA-4347",
               tags: [
                  "vendor-advisory",
                  "x_refsource_DEBIAN",
               ],
               url: "https://www.debian.org/security/2018/dsa-4347",
            },
            {
               name: "106179",
               tags: [
                  "vdb-entry",
                  "x_refsource_BID",
               ],
               url: "http://www.securityfocus.com/bid/106179",
            },
            {
               name: "1042181",
               tags: [
                  "vdb-entry",
                  "x_refsource_SECTRACK",
               ],
               url: "http://www.securitytracker.com/id/1042181",
            },
            {
               name: "RHSA-2019:0010",
               tags: [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
               ],
               url: "https://access.redhat.com/errata/RHSA-2019:0010",
            },
            {
               name: "FEDORA-2018-9dbe983805",
               tags: [
                  "vendor-advisory",
                  "x_refsource_FEDORA",
               ],
               url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RWQGEB543QN7SSBRKYJM6PSOC3RLYGSM/",
            },
            {
               name: "RHSA-2019:0001",
               tags: [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
               ],
               url: "https://access.redhat.com/errata/RHSA-2019:0001",
            },
            {
               name: "USN-3834-1",
               tags: [
                  "vendor-advisory",
                  "x_refsource_UBUNTU",
               ],
               url: "https://usn.ubuntu.com/3834-1/",
            },
            {
               name: "GLSA-201909-01",
               tags: [
                  "vendor-advisory",
                  "x_refsource_GENTOO",
               ],
               url: "https://security.gentoo.org/glsa/201909-01",
            },
            {
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://www.oracle.com/security-alerts/cpujul2020.html",
            },
            {
               tags: [
                  "x_refsource_CONFIRM",
               ],
               url: "https://security.netapp.com/advisory/ntap-20190221-0003/",
            },
            {
               tags: [
                  "x_refsource_CONFIRM",
               ],
               url: "https://metacpan.org/changes/release/SHAY/perl-5.26.3",
            },
            {
               tags: [
                  "x_refsource_CONFIRM",
               ],
               url: "https://metacpan.org/changes/release/SHAY/perl-5.28.1",
            },
            {
               tags: [
                  "x_refsource_CONFIRM",
               ],
               url: "https://bugzilla.redhat.com/show_bug.cgi?id=1646734",
            },
            {
               tags: [
                  "x_refsource_CONFIRM",
               ],
               url: "https://rt.perl.org/Public/Bug/Display.html?id=133423",
            },
         ],
         x_legacyV4Record: {
            CVE_data_meta: {
               ASSIGNER: "cve@mitre.org",
               ID: "CVE-2018-18312",
               STATE: "PUBLIC",
            },
            affects: {
               vendor: {
                  vendor_data: [
                     {
                        product: {
                           product_data: [
                              {
                                 product_name: "n/a",
                                 version: {
                                    version_data: [
                                       {
                                          version_value: "n/a",
                                       },
                                    ],
                                 },
                              },
                           ],
                        },
                        vendor_name: "n/a",
                     },
                  ],
               },
            },
            data_format: "MITRE",
            data_type: "CVE",
            data_version: "4.0",
            description: {
               description_data: [
                  {
                     lang: "eng",
                     value: "Perl before 5.26.3 and 5.28.0 before 5.28.1 has a buffer overflow via a crafted regular expression that triggers invalid write operations.",
                  },
               ],
            },
            problemtype: {
               problemtype_data: [
                  {
                     description: [
                        {
                           lang: "eng",
                           value: "n/a",
                        },
                     ],
                  },
               ],
            },
            references: {
               reference_data: [
                  {
                     name: "DSA-4347",
                     refsource: "DEBIAN",
                     url: "https://www.debian.org/security/2018/dsa-4347",
                  },
                  {
                     name: "106179",
                     refsource: "BID",
                     url: "http://www.securityfocus.com/bid/106179",
                  },
                  {
                     name: "1042181",
                     refsource: "SECTRACK",
                     url: "http://www.securitytracker.com/id/1042181",
                  },
                  {
                     name: "RHSA-2019:0010",
                     refsource: "REDHAT",
                     url: "https://access.redhat.com/errata/RHSA-2019:0010",
                  },
                  {
                     name: "FEDORA-2018-9dbe983805",
                     refsource: "FEDORA",
                     url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RWQGEB543QN7SSBRKYJM6PSOC3RLYGSM/",
                  },
                  {
                     name: "RHSA-2019:0001",
                     refsource: "REDHAT",
                     url: "https://access.redhat.com/errata/RHSA-2019:0001",
                  },
                  {
                     name: "USN-3834-1",
                     refsource: "UBUNTU",
                     url: "https://usn.ubuntu.com/3834-1/",
                  },
                  {
                     name: "GLSA-201909-01",
                     refsource: "GENTOO",
                     url: "https://security.gentoo.org/glsa/201909-01",
                  },
                  {
                     name: "https://www.oracle.com/security-alerts/cpujul2020.html",
                     refsource: "MISC",
                     url: "https://www.oracle.com/security-alerts/cpujul2020.html",
                  },
                  {
                     name: "https://security.netapp.com/advisory/ntap-20190221-0003/",
                     refsource: "CONFIRM",
                     url: "https://security.netapp.com/advisory/ntap-20190221-0003/",
                  },
                  {
                     name: "https://metacpan.org/changes/release/SHAY/perl-5.26.3",
                     refsource: "CONFIRM",
                     url: "https://metacpan.org/changes/release/SHAY/perl-5.26.3",
                  },
                  {
                     name: "https://metacpan.org/changes/release/SHAY/perl-5.28.1",
                     refsource: "CONFIRM",
                     url: "https://metacpan.org/changes/release/SHAY/perl-5.28.1",
                  },
                  {
                     name: "https://bugzilla.redhat.com/show_bug.cgi?id=1646734",
                     refsource: "CONFIRM",
                     url: "https://bugzilla.redhat.com/show_bug.cgi?id=1646734",
                  },
                  {
                     name: "https://rt.perl.org/Public/Bug/Display.html?id=133423",
                     refsource: "CONFIRM",
                     url: "https://rt.perl.org/Public/Bug/Display.html?id=133423",
                  },
               ],
            },
         },
      },
   },
   cveMetadata: {
      assignerOrgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
      assignerShortName: "mitre",
      cveId: "CVE-2018-18312",
      datePublished: "2018-12-05T22:00:00",
      dateReserved: "2018-10-14T00:00:00",
      dateUpdated: "2024-08-05T11:08:21.746Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
}

var-201810-0933
Vulnerability from variot

The OpenSSL ECDSA signature algorithm has been shown to be vulnerable to a timing side channel attack. An attacker could use variations in the signing algorithm to recover the private key. Fixed in OpenSSL 1.1.0j (Affected 1.1.0-1.1.0i). Fixed in OpenSSL 1.1.1a (Affected 1.1.1). OpenSSL is prone to a local information-disclosure vulnerability. Local attackers can exploit this issue to obtain sensitive information. This may aid in further attacks. The product supports a variety of encryption algorithms, including symmetric ciphers, hash algorithms, secure hash algorithms, etc. The vulnerability stems from incorrect use of relevant cryptographic algorithms by network systems or products, resulting in improperly encrypted content, weak encryption, and storing sensitive information in plain text.

For the stable distribution (stretch), these problems have been fixed in version 1.1.0j-1~deb9u1. Going forward, openssl security updates for stretch will be based on the 1.1.0x upstream releases.

For the detailed security status of openssl please refer to its security tracker page at: https://security-tracker.debian.org/tracker/openssl

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAlwBuAcACgkQEMKTtsN8 TjZbBw/+MOB5+pZbCHHXyH3IeD+yj+tSPvmNc3SCwdEtUxGXr0ZX7TKHfaLs/8s6 Udto0K8a1FvjrcUQCfhnFpNcSAv9pxX13Fr6Pd560miIfAu9/5jAqiCufCoiz+xj 45LNJGlaxxaFjgBGCitZSJA0Fc4SM6v5XFyJfR3kChdQ/3kGQbbMNAp16Fy3ZsxJ VXwviomUxmmmdvjxyhifTIpuwr9OiJSQ+13etQjTDQ3pzSbLBPSOxmpV0vPIC7I2 Dwa4zuQXA/DF4G6l8T4rXCwCN4e4pwbTc8bbCjXeZK+iVAhnRD6wXlS3cc5IVAzx /qTa89LZU8B6ylcB6nodeAHLuZTC3Le8ndoxYz5S2/jHZMM/jCQNHYJemHWNbOqn q+e5W0D1fIVLiLoL/iHW5XhN6yJY2Ma7zjXMRBnkzJA9CTNIKgUjrSFz0Ud+wIM/ u8QhNPwZ0hPd5IfSgIyWqmuQ5XzFYqAQvwT1gUJiK7tIvuT0VsSyKVaSZVbi4yrM 9sxkZaP1UNLcTVCFw6A0KFwhb9z6kQtyH1MRkFPphmnb8jlHA3cTdPJkFUBi3VaT 7izThm5/mVLbAjZ8X7nkqnzWzmc885j0ml3slDd/MOVWB5CD3vFAcI8k3VZr3A61 P2gNSN6UbAbLMGsxgs3hYUHgazi7MdXJ/aNavjGSbYBNL780Iaw=3Qji -----END PGP SIGNATURE----- . -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256

=====================================================================
Red Hat Security Advisory

Synopsis: Low: openssl security, bug fix, and enhancement update
Advisory ID: RHSA-2019:3700-01
Product: Red Hat Enterprise Linux
Advisory URL: https://access.redhat.com/errata/RHSA-2019:3700
Issue date: 2019-11-05
CVE Names: CVE-2018-0734 CVE-2018-0735 CVE-2019-1543
=====================================================================

  1. Summary:

An update for openssl is now available for Red Hat Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

  2. Relevant releases/architectures:

Red Hat Enterprise Linux BaseOS (v. 8) - aarch64, ppc64le, s390x, x86_64

  3. Description:

OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols, as well as a full-strength general-purpose cryptography library.

The following packages have been upgraded to a later upstream version: openssl (1.1.1c).

Additional Changes:

For detailed information on changes in this release, see the Red Hat Enterprise Linux 8.1 Release Notes linked from the References section.

  4. Solution:

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

For the update to take effect, all services linked to the OpenSSL library must be restarted, or the system rebooted.

  5. Bugs fixed (https://bugzilla.redhat.com/):

1644356 - CVE-2018-0735 openssl: timing side channel attack in the ECDSA signature generation
1644364 - CVE-2018-0734 openssl: timing side channel attack in the DSA signature algorithm
1668880 - ec man page lists -modulus but the tool doesn't support it
1686058 - specifying digest for signing time-stamping responses is mandatory
1686548 - Incorrect handling of fragmented KeyUpdate messages
1695954 - CVE-2019-1543 openssl: ChaCha20-Poly1305 with long nonces
1697915 - Race/segmentation fault on process shutdown in OpenSSL
1706104 - openssl asn1parse crashes with double free or corruption (!prev)
1706915 - OpenSSL should implement continuous random test or use the kernel AF_ALG interface for random
1712023 - openssl pkcs12 uses certpbe algorithm not compliant with FIPS by default
1714245 - DSA ciphers in TLS don't work with SHA-1 signatures even in LEGACY level

  6. Package List:

Red Hat Enterprise Linux BaseOS (v. 8):

Source: openssl-1.1.1c-2.el8.src.rpm

aarch64: openssl-1.1.1c-2.el8.aarch64.rpm openssl-debuginfo-1.1.1c-2.el8.aarch64.rpm openssl-debugsource-1.1.1c-2.el8.aarch64.rpm openssl-devel-1.1.1c-2.el8.aarch64.rpm openssl-libs-1.1.1c-2.el8.aarch64.rpm openssl-libs-debuginfo-1.1.1c-2.el8.aarch64.rpm openssl-perl-1.1.1c-2.el8.aarch64.rpm

ppc64le: openssl-1.1.1c-2.el8.ppc64le.rpm openssl-debuginfo-1.1.1c-2.el8.ppc64le.rpm openssl-debugsource-1.1.1c-2.el8.ppc64le.rpm openssl-devel-1.1.1c-2.el8.ppc64le.rpm openssl-libs-1.1.1c-2.el8.ppc64le.rpm openssl-libs-debuginfo-1.1.1c-2.el8.ppc64le.rpm openssl-perl-1.1.1c-2.el8.ppc64le.rpm

s390x: openssl-1.1.1c-2.el8.s390x.rpm openssl-debuginfo-1.1.1c-2.el8.s390x.rpm openssl-debugsource-1.1.1c-2.el8.s390x.rpm openssl-devel-1.1.1c-2.el8.s390x.rpm openssl-libs-1.1.1c-2.el8.s390x.rpm openssl-libs-debuginfo-1.1.1c-2.el8.s390x.rpm openssl-perl-1.1.1c-2.el8.s390x.rpm

x86_64: openssl-1.1.1c-2.el8.x86_64.rpm openssl-debuginfo-1.1.1c-2.el8.i686.rpm openssl-debuginfo-1.1.1c-2.el8.x86_64.rpm openssl-debugsource-1.1.1c-2.el8.i686.rpm openssl-debugsource-1.1.1c-2.el8.x86_64.rpm openssl-devel-1.1.1c-2.el8.i686.rpm openssl-devel-1.1.1c-2.el8.x86_64.rpm openssl-libs-1.1.1c-2.el8.i686.rpm openssl-libs-1.1.1c-2.el8.x86_64.rpm openssl-libs-debuginfo-1.1.1c-2.el8.i686.rpm openssl-libs-debuginfo-1.1.1c-2.el8.x86_64.rpm openssl-perl-1.1.1c-2.el8.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/

  7. References:

https://access.redhat.com/security/cve/CVE-2018-0734
https://access.redhat.com/security/cve/CVE-2018-0735
https://access.redhat.com/security/cve/CVE-2019-1543
https://access.redhat.com/security/updates/classification/#low
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/8.1_release_notes/

  8. Contact:

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/

Copyright 2019 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBXcHzTdzjgjWX9erEAQjP6w/8D4eIfwgPbpKXdy3Y2kjmKhb9faqBJvHm eqpG5tewJQBtRAPm/R7SesrMVKGUEDAuiSKydQlQn8nuRIWDsKw14+uLRN7AyTQ3 jXy0pnp+C7O1hyJnwNEiXo9ZgUaXMMXLGyTk8v9gnzA/HYpZX1c4g4FXHf0ycBi/ thxllEiJx6CrEO3pszYzu1Lt9GFMOAJPvwbiW0S7mVmsNCI4n+5OfeNzmURXdObs 89/XCFrQO3CDAh3SXCZa08Ie8px7Aq8slmNWOswhlqIYkUWGUbICIpqW1+4XyAqz hVP8iqTY7TRwBPB0zoqmO5cxMY+jqMk/LphG+oTOF+ZA7YZH3bjDxJisCOr+ys+i WnTYAl1KFBqo5uhH4dBzNH2EE5PeiwKNKqu6Wws1qOblTFXb3AYSHsqLv6VB0m1B MXcUXrjSMwelSVAgK1eekJsYqCr3lT1+N8cA8P/sgT/DzGTNJhcoCE/OeJCUVBZL uGhke48CUs3GvXCKP0+PDpINRRllGwVqkkCQ7LtsXoB0hGaaGt+CNCd3aQj8rf02 mPi2Vab7CjBLUn1QGiNigLF4X4rKZlxiBcHDByyHdeCW+zHvGod7ksmJKXmHujvY pdg6toj/our0hhQp2dPTXFPKFtkO7GIIe19i+OZ6Rn0niVxSQbshiXyFFsvgZN0F 82vSbeKouJA= =mdzd -----END PGP SIGNATURE-----

-- RHSA-announce mailing list RHSA-announce@redhat.com https://www.redhat.com/mailman/listinfo/rhsa-announce

==========================================================================
Ubuntu Security Notice USN-3840-1
December 06, 2018

openssl, openssl1.0 vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 18.10
  • Ubuntu 18.04 LTS
  • Ubuntu 16.04 LTS
  • Ubuntu 14.04 LTS

Summary:

Several security issues were fixed in OpenSSL. (CVE-2018-0734)

Samuel Weiser discovered that OpenSSL incorrectly handled ECDSA signing. This issue only affected Ubuntu 18.04 LTS and Ubuntu 18.10. (CVE-2018-0735)

Billy Bob Brumley, Cesar Pereida Garcia, Sohaib ul Hassan, Nicola Tuveri, and Alejandro Cabrera Aldaya discovered that Simultaneous Multithreading (SMT) architectures are vulnerable to side-channel leakage. This issue is known as "PortSmash". (CVE-2018-5407)

Update instructions:

The problem can be corrected by updating your system to the following package versions:

Ubuntu 18.10: libssl1.0.0 1.0.2n-1ubuntu6.1 libssl1.1 1.1.1-1ubuntu2.1

Ubuntu 18.04 LTS: libssl1.0.0 1.0.2n-1ubuntu5.2 libssl1.1 1.1.0g-2ubuntu4.3

Ubuntu 16.04 LTS: libssl1.0.0 1.0.2g-1ubuntu4.14

Ubuntu 14.04 LTS: libssl1.0.0 1.0.1f-1ubuntu2.27

After a standard system update you need to reboot your computer to make all the necessary changes.

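(The following text appears to come from the OpenSSL project's own advisory, whose URL is given under References below, not from the Ubuntu notice above.) Due to the low severity of this issue we are not issuing a new release of OpenSSL 1.1.1 or 1.1.0 at this time. The fix is also available in commit b1d6d55ece (for 1.1.1) and commit 56fb454d28 (for 1.1.0) in the OpenSSL git repository. The summary at the top of this entry names the releases that contain the fix: OpenSSL 1.1.0j and 1.1.1a.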

References

URL for this Security Advisory: https://www.openssl.org/news/secadv/20181029.txt

Note: the online version of the advisory may be updated with additional details over time.

For details of OpenSSL severity classifications please see: https://www.openssl.org/policies/secpolicy.html



{
   "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
      affected_products: {
         "@id": "https://www.variotdbs.pl/ref/affected_products",
      },
      configurations: {
         "@id": "https://www.variotdbs.pl/ref/configurations",
      },
      credits: {
         "@id": "https://www.variotdbs.pl/ref/credits",
      },
      cvss: {
         "@id": "https://www.variotdbs.pl/ref/cvss/",
      },
      description: {
         "@id": "https://www.variotdbs.pl/ref/description/",
      },
      exploit_availability: {
         "@id": "https://www.variotdbs.pl/ref/exploit_availability/",
      },
      external_ids: {
         "@id": "https://www.variotdbs.pl/ref/external_ids/",
      },
      iot: {
         "@id": "https://www.variotdbs.pl/ref/iot/",
      },
      iot_taxonomy: {
         "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/",
      },
      patch: {
         "@id": "https://www.variotdbs.pl/ref/patch/",
      },
      problemtype_data: {
         "@id": "https://www.variotdbs.pl/ref/problemtype_data/",
      },
      references: {
         "@id": "https://www.variotdbs.pl/ref/references/",
      },
      sources: {
         "@id": "https://www.variotdbs.pl/ref/sources/",
      },
      sources_release_date: {
         "@id": "https://www.variotdbs.pl/ref/sources_release_date/",
      },
      sources_update_date: {
         "@id": "https://www.variotdbs.pl/ref/sources_update_date/",
      },
      threat_type: {
         "@id": "https://www.variotdbs.pl/ref/threat_type/",
      },
      title: {
         "@id": "https://www.variotdbs.pl/ref/title/",
      },
      type: {
         "@id": "https://www.variotdbs.pl/ref/type/",
      },
   },
   "@id": "https://www.variotdbs.pl/vuln/VAR-201810-0933",
   affected_products: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/affected_products#",
         data: {
            "@container": "@list",
         },
         sources: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/ref/sources#",
            },
            "@id": "https://www.variotdbs.pl/ref/sources",
         },
      },
      data: [
         {
            model: "openssl",
            scope: "eq",
            trust: 1.8,
            vendor: "openssl",
            version: "1.1.1",
         },
         {
            model: "mysql",
            scope: "lte",
            trust: 1,
            vendor: "oracle",
            version: "5.7.24",
         },
         {
            model: "primavera p6 enterprise project portfolio management",
            scope: "eq",
            trust: 1,
            vendor: "oracle",
            version: "15.2",
         },
         {
            model: "node.js",
            scope: "gte",
            trust: 1,
            vendor: "nodejs",
            version: "10.0.0",
         },
         {
            model: "node.js",
            scope: "lt",
            trust: 1,
            vendor: "nodejs",
            version: "11.3.0",
         },
         {
            model: "primavera p6 enterprise project portfolio management",
            scope: "eq",
            trust: 1,
            vendor: "oracle",
            version: "8.4",
         },
         {
            model: "enterprise manager base platform",
            scope: "eq",
            trust: 1,
            vendor: "oracle",
            version: "13.2.0.0.0",
         },
         {
            model: "peoplesoft enterprise peopletools",
            scope: "eq",
            trust: 1,
            vendor: "oracle",
            version: "8.56",
         },
         {
            model: "peoplesoft enterprise peopletools",
            scope: "eq",
            trust: 1,
            vendor: "oracle",
            version: "8.57",
         },
         {
            model: "vm virtualbox",
            scope: "lt",
            trust: 1,
            vendor: "oracle",
            version: "6.0.0",
         },
         {
            model: "primavera p6 enterprise project portfolio management",
            scope: "eq",
            trust: 1,
            vendor: "oracle",
            version: "16.2",
         },
         {
            model: "primavera p6 enterprise project portfolio management",
            scope: "eq",
            trust: 1,
            vendor: "oracle",
            version: "18.8",
         },
         {
            model: "ubuntu linux",
            scope: "eq",
            trust: 1,
            vendor: "canonical",
            version: "14.04",
         },
         {
            model: "application server",
            scope: "eq",
            trust: 1,
            vendor: "oracle",
            version: "1.0.1",
         },
         {
            model: "primavera p6 enterprise project portfolio management",
            scope: "gte",
            trust: 1,
            vendor: "oracle",
            version: "17.7",
         },
         {
            model: "primavera p6 enterprise project portfolio management",
            scope: "lte",
            trust: 1,
            vendor: "oracle",
            version: "17.12",
         },
         {
            model: "vm virtualbox",
            scope: "lt",
            trust: 1,
            vendor: "oracle",
            version: "5.2.24",
         },
         {
            model: "steelstore",
            scope: "eq",
            trust: 1,
            vendor: "netapp",
            version: null,
         },
         {
            model: "linux",
            scope: "eq",
            trust: 1,
            vendor: "debian",
            version: "8.0",
         },
         {
            model: "secure global desktop",
            scope: "eq",
            trust: 1,
            vendor: "oracle",
            version: "5.4",
         },
         {
            model: "application server",
            scope: "eq",
            trust: 1,
            vendor: "oracle",
            version: "0.9.8",
         },
         {
            model: "cloud backup",
            scope: "eq",
            trust: 1,
            vendor: "netapp",
            version: null,
         },
         {
            model: "cn1610",
            scope: "eq",
            trust: 1,
            vendor: "netapp",
            version: null,
         },
         {
            model: "peoplesoft enterprise peopletools",
            scope: "eq",
            trust: 1,
            vendor: "oracle",
            version: "8.55",
         },
         {
            model: "node.js",
            scope: "gte",
            trust: 1,
            vendor: "nodejs",
            version: "11.0.0",
         },
         {
            model: "smi-s provider",
            scope: "eq",
            trust: 1,
            vendor: "netapp",
            version: null,
         },
         {
            model: "openssl",
            scope: "lte",
            trust: 1,
            vendor: "openssl",
            version: "1.1.0i",
         },
         {
            model: "santricity smi-s provider",
            scope: "eq",
            trust: 1,
            vendor: "netapp",
            version: null,
         },
         {
            model: "snapdrive",
            scope: "eq",
            trust: 1,
            vendor: "netapp",
            version: null,
         },
         {
            model: "ubuntu linux",
            scope: "eq",
            trust: 1,
            vendor: "canonical",
            version: "18.04",
         },
         {
            model: "node.js",
            scope: "lt",
            trust: 1,
            vendor: "nodejs",
            version: "10.12.0",
         },
         {
            model: "mysql",
            scope: "gte",
            trust: 1,
            vendor: "oracle",
            version: "8.0.0",
         },
         {
            model: "oncommand unified manager",
            scope: "gte",
            trust: 1,
            vendor: "netapp",
            version: "9.4",
         },
         {
            model: "ubuntu linux",
            scope: "eq",
            trust: 1,
            vendor: "canonical",
            version: "16.04",
         },
         {
            model: "mysql",
            scope: "gte",
            trust: 1,
            vendor: "oracle",
            version: "5.7.0",
         },
         {
            model: "application server",
            scope: "eq",
            trust: 1,
            vendor: "oracle",
            version: "1.0.0",
         },
         {
            model: "element software",
            scope: "eq",
            trust: 1,
            vendor: "netapp",
            version: null,
         },
         {
            model: "node.js",
            scope: "eq",
            trust: 1,
            vendor: "nodejs",
            version: "10.13.0",
         },
         {
            model: "api gateway",
            scope: "eq",
            trust: 1,
            vendor: "oracle",
            version: "11.1.2.4.0",
         },
         {
            model: "enterprise manager ops center",
            scope: "eq",
            trust: 1,
            vendor: "oracle",
            version: "12.3.3",
         },
         {
            model: "ubuntu linux",
            scope: "eq",
            trust: 1,
            vendor: "canonical",
            version: "18.10",
         },
         {
            model: "mysql",
            scope: "lte",
            trust: 1,
            vendor: "oracle",
            version: "5.6.42",
         },
         {
            model: "tuxedo",
            scope: "eq",
            trust: 1,
            vendor: "oracle",
            version: "12.1.1.0.0",
         },
         {
            model: "primavera p6 enterprise project portfolio management",
            scope: "eq",
            trust: 1,
            vendor: "oracle",
            version: "15.1",
         },
         {
            model: "primavera p6 enterprise project portfolio management",
            scope: "eq",
            trust: 1,
            vendor: "oracle",
            version: "16.1",
         },
         {
            model: "openssl",
            scope: "gte",
            trust: 1,
            vendor: "openssl",
            version: "1.1.0",
         },
         {
            model: "enterprise manager base platform",
            scope: "eq",
            trust: 1,
            vendor: "oracle",
            version: "12.1.0.5.0",
         },
         {
            model: "vm virtualbox",
            scope: "gte",
            trust: 1,
            vendor: "oracle",
            version: "5.0.0",
         },
         {
            model: "oncommand unified manager",
            scope: "eq",
            trust: 1,
            vendor: "netapp",
            version: "*",
         },
         {
            model: "linux",
            scope: "eq",
            trust: 1,
            vendor: "debian",
            version: "9.0",
         },
         {
            model: "enterprise manager base platform",
            scope: "eq",
            trust: 1,
            vendor: "oracle",
            version: "13.3.0.0.0",
         },
         {
            model: "mysql",
            scope: "lte",
            trust: 1,
            vendor: "oracle",
            version: "8.0.13",
         },
         {
            model: "ubuntu",
            scope: null,
            trust: 0.8,
            vendor: "canonical",
            version: null,
         },
         {
            model: "gnu/linux",
            scope: null,
            trust: 0.8,
            vendor: "debian",
            version: null,
         },
         {
            model: "cn1610",
            scope: null,
            trust: 0.8,
            vendor: "netapp",
            version: null,
         },
         {
            model: "cloud backup",
            scope: null,
            trust: 0.8,
            vendor: "netapp",
            version: null,
         },
         {
            model: "oncommand unified manager core package",
            scope: null,
            trust: 0.8,
            vendor: "netapp",
            version: null,
         },
         {
            model: "santricity smi-s provider",
            scope: null,
            trust: 0.8,
            vendor: "netapp",
            version: null,
         },
         {
            model: "steelstore cloud integrated storage",
            scope: null,
            trust: 0.8,
            vendor: "netapp",
            version: null,
         },
         {
            model: "node.js",
            scope: null,
            trust: 0.8,
            vendor: "node js",
            version: null,
         },
         {
            model: "openssl",
            scope: "eq",
            trust: 0.8,
            vendor: "openssl",
            version: "1.1.0 to  1.1.0i",
         },
         {
            model: "project openssl",
            scope: "eq",
            trust: 0.3,
            vendor: "openssl",
            version: "1.1",
         },
         {
            model: "project openssl 1.1.0i",
            scope: null,
            trust: 0.3,
            vendor: "openssl",
            version: null,
         },
         {
            model: "project openssl 1.1.0h",
            scope: null,
            trust: 0.3,
            vendor: "openssl",
            version: null,
         },
         {
            model: "project openssl 1.1.0g",
            scope: null,
            trust: 0.3,
            vendor: "openssl",
            version: null,
         },
         {
            model: "project openssl 1.1.0f",
            scope: null,
            trust: 0.3,
            vendor: "openssl",
            version: null,
         },
         {
            model: "project openssl 1.1.0e",
            scope: null,
            trust: 0.3,
            vendor: "openssl",
            version: null,
         },
         {
            model: "project openssl 1.1.0d",
            scope: null,
            trust: 0.3,
            vendor: "openssl",
            version: null,
         },
         {
            model: "project openssl 1.1.0c",
            scope: null,
            trust: 0.3,
            vendor: "openssl",
            version: null,
         },
         {
            model: "project openssl 1.1.0b",
            scope: null,
            trust: 0.3,
            vendor: "openssl",
            version: null,
         },
         {
            model: "project openssl 1.1.0a",
            scope: null,
            trust: 0.3,
            vendor: "openssl",
            version: null,
         },
      ],
      sources: [
         {
            db: "BID",
            id: "105750",
         },
         {
            db: "JVNDB",
            id: "JVNDB-2018-014030",
         },
         {
            db: "NVD",
            id: "CVE-2018-0735",
         },
      ],
   },
   configurations: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/configurations#",
         children: {
            "@container": "@list",
         },
         cpe_match: {
            "@container": "@list",
         },
         data: {
            "@container": "@list",
         },
         nodes: {
            "@container": "@list",
         },
      },
      data: [
         {
            CVE_data_version: "4.0",
            nodes: [
               {
                  cpe_match: [
                     {
                        cpe22Uri: "cpe:/o:canonical:ubuntu_linux",
                        vulnerable: true,
                     },
                     {
                        cpe22Uri: "cpe:/o:debian:debian_linux",
                        vulnerable: true,
                     },
                     {
                        cpe22Uri: "cpe:/o:netapp:cn1610_firmware",
                        vulnerable: true,
                     },
                     {
                        cpe22Uri: "cpe:/a:netapp:cloud_backup",
                        vulnerable: true,
                     },
                     {
                        cpe22Uri: "cpe:/a:netapp:oncommand_unified_manager_core_package",
                        vulnerable: true,
                     },
                     {
                        cpe22Uri: "cpe:/a:netapp:santricity_smi-s_provider",
                        vulnerable: true,
                     },
                     {
                        cpe22Uri: "cpe:/a:netapp:steelstore_cloud_integrated_storage",
                        vulnerable: true,
                     },
                     {
                        cpe22Uri: "cpe:/a:nodejs:node.js",
                        vulnerable: true,
                     },
                     {
                        cpe22Uri: "cpe:/a:openssl:openssl",
                        vulnerable: true,
                     },
                  ],
                  operator: "OR",
               },
            ],
         },
      ],
      sources: [
         {
            db: "JVNDB",
            id: "JVNDB-2018-014030",
         },
      ],
   },
   credits: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/credits#",
         sources: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/ref/sources#",
            },
         },
      },
      data: "Samuel Weiser.",
      sources: [
         {
            db: "BID",
            id: "105750",
         },
      ],
      trust: 0.3,
   },
   cve: "CVE-2018-0735",
   cvss: {
      "@context": {
         cvssV2: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#",
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2",
         },
         cvssV3: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#",
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/",
         },
         severity: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/cvss/severity#",
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/severity",
         },
         sources: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/ref/sources#",
            },
            "@id": "https://www.variotdbs.pl/ref/sources",
         },
      },
      data: [
         {
            cvssV2: [
               {
                  accessComplexity: "MEDIUM",
                  accessVector: "NETWORK",
                  authentication: "NONE",
                  author: "nvd@nist.gov",
                  availabilityImpact: "NONE",
                  baseScore: 4.3,
                  confidentialityImpact: "PARTIAL",
                  exploitabilityScore: 8.6,
                  id: "CVE-2018-0735",
                  impactScore: 2.9,
                  integrityImpact: "NONE",
                  severity: "MEDIUM",
                  trust: 1.9,
                  vectorString: "AV:N/AC:M/Au:N/C:P/I:N/A:N",
                  version: "2.0",
               },
               {
                  accessComplexity: "MEDIUM",
                  accessVector: "NETWORK",
                  authentication: "NONE",
                  author: "VULHUB",
                  availabilityImpact: "NONE",
                  baseScore: 4.3,
                  confidentialityImpact: "PARTIAL",
                  exploitabilityScore: 8.6,
                  id: "VHN-118937",
                  impactScore: 2.9,
                  integrityImpact: "NONE",
                  severity: "MEDIUM",
                  trust: 0.1,
                  vectorString: "AV:N/AC:M/AU:N/C:P/I:N/A:N",
                  version: "2.0",
               },
            ],
            cvssV3: [
               {
                  attackComplexity: "HIGH",
                  attackVector: "NETWORK",
                  author: "nvd@nist.gov",
                  availabilityImpact: "NONE",
                  baseScore: 5.9,
                  baseSeverity: "MEDIUM",
                  confidentialityImpact: "HIGH",
                  exploitabilityScore: 2.2,
                  id: "CVE-2018-0735",
                  impactScore: 3.6,
                  integrityImpact: "NONE",
                  privilegesRequired: "NONE",
                  scope: "UNCHANGED",
                  trust: 1,
                  userInteraction: "NONE",
                  vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
                  version: "3.1",
               },
               {
                  attackComplexity: "High",
                  attackVector: "Network",
                  author: "NVD",
                  availabilityImpact: "None",
                  baseScore: 5.9,
                  baseSeverity: "Medium",
                  confidentialityImpact: "High",
                  exploitabilityScore: null,
                  id: "CVE-2018-0735",
                  impactScore: null,
                  integrityImpact: "None",
                  privilegesRequired: "None",
                  scope: "Unchanged",
                  trust: 0.8,
                  userInteraction: "None",
                  vectorString: "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
                  version: "3.0",
               },
            ],
            severity: [
               {
                  author: "nvd@nist.gov",
                  id: "CVE-2018-0735",
                  trust: 1,
                  value: "MEDIUM",
               },
               {
                  author: "NVD",
                  id: "CVE-2018-0735",
                  trust: 0.8,
                  value: "Medium",
               },
               {
                  author: "CNNVD",
                  id: "CNNVD-201810-1395",
                  trust: 0.6,
                  value: "MEDIUM",
               },
               {
                  author: "VULHUB",
                  id: "VHN-118937",
                  trust: 0.1,
                  value: "MEDIUM",
               },
               {
                  author: "VULMON",
                  id: "CVE-2018-0735",
                  trust: 0.1,
                  value: "MEDIUM",
               },
            ],
         },
      ],
      sources: [
         {
            db: "VULHUB",
            id: "VHN-118937",
         },
         {
            db: "VULMON",
            id: "CVE-2018-0735",
         },
         {
            db: "JVNDB",
            id: "JVNDB-2018-014030",
         },
         {
            db: "CNNVD",
            id: "CNNVD-201810-1395",
         },
         {
            db: "NVD",
            id: "CVE-2018-0735",
         },
      ],
   },
   description: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/description#",
         sources: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/ref/sources#",
            },
         },
      },
      data: "The OpenSSL ECDSA signature algorithm has been shown to be vulnerable to a timing side channel attack. An attacker could use variations in the signing algorithm to recover the private key. Fixed in OpenSSL 1.1.0j (Affected 1.1.0-1.1.0i). Fixed in OpenSSL 1.1.1a (Affected 1.1.1). OpenSSL is prone to a local information-disclosure vulnerability. \nLocal attackers can exploit this issue to obtain sensitive information. This may aid in further attacks. OpenSSL supports a variety of encryption algorithms, including symmetric ciphers, hash algorithms, secure hash algorithms, etc. The vulnerability stems from incorrect use of relevant cryptographic algorithms by network systems or products, resulting in improperly encrypted content, weak encryption, and storing sensitive information in plain text. \n\nFor the stable distribution (stretch), these problems have been fixed in\nversion 1.1.0j-1~deb9u1. Going forward, openssl security updates for\nstretch will be based on the 1.1.0x upstream releases. 
\n\nFor the detailed security status of openssl please refer to\nits security tracker page at:\nhttps://security-tracker.debian.org/tracker/openssl\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org\n-----BEGIN PGP SIGNATURE-----\n\niQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAlwBuAcACgkQEMKTtsN8\nTjZbBw/+MOB5+pZbCHHXyH3IeD+yj+tSPvmNc3SCwdEtUxGXr0ZX7TKHfaLs/8s6\nUdto0K8a1FvjrcUQCfhnFpNcSAv9pxX13Fr6Pd560miIfAu9/5jAqiCufCoiz+xj\n45LNJGlaxxaFjgBGCitZSJA0Fc4SM6v5XFyJfR3kChdQ/3kGQbbMNAp16Fy3ZsxJ\nVXwviomUxmmmdvjxyhifTIpuwr9OiJSQ+13etQjTDQ3pzSbLBPSOxmpV0vPIC7I2\nDwa4zuQXA/DF4G6l8T4rXCwCN4e4pwbTc8bbCjXeZK+iVAhnRD6wXlS3cc5IVAzx\n/qTa89LZU8B6ylcB6nodeAHLuZTC3Le8ndoxYz5S2/jHZMM/jCQNHYJemHWNbOqn\nq+e5W0D1fIVLiLoL/iHW5XhN6yJY2Ma7zjXMRBnkzJA9CTNIKgUjrSFz0Ud+wIM/\nu8QhNPwZ0hPd5IfSgIyWqmuQ5XzFYqAQvwT1gUJiK7tIvuT0VsSyKVaSZVbi4yrM\n9sxkZaP1UNLcTVCFw6A0KFwhb9z6kQtyH1MRkFPphmnb8jlHA3cTdPJkFUBi3VaT\n7izThm5/mVLbAjZ8X7nkqnzWzmc885j0ml3slDd/MOVWB5CD3vFAcI8k3VZr3A61\nP2gNSN6UbAbLMGsxgs3hYUHgazi7MdXJ/aNavjGSbYBNL780Iaw=3Qji\n-----END PGP SIGNATURE-----\n. -----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA256\n\n=====================================================================\n                   Red Hat Security Advisory\n\nSynopsis:          Low: openssl security, bug fix, and enhancement update\nAdvisory ID:       RHSA-2019:3700-01\nProduct:           Red Hat Enterprise Linux\nAdvisory URL:      https://access.redhat.com/errata/RHSA-2019:3700\nIssue date:        2019-11-05\nCVE Names:         CVE-2018-0734 CVE-2018-0735 CVE-2019-1543 \n=====================================================================\n\n1. Summary:\n\nAn update for openssl is now available for Red Hat Enterprise Linux 8. \n\nRed Hat Product Security has rated this update as having a security impact\nof Low. 
A Common Vulnerability Scoring System (CVSS) base score, which\ngives a detailed severity rating, is available for each vulnerability from\nthe CVE link(s) in the References section. \n\n2. Relevant releases/architectures:\n\nRed Hat Enterprise Linux BaseOS (v. 8) - aarch64, ppc64le, s390x, x86_64\n\n3. Description:\n\nOpenSSL is a toolkit that implements the Secure Sockets Layer (SSL) and\nTransport Layer Security (TLS) protocols, as well as a full-strength\ngeneral-purpose cryptography library. \n\nThe following packages have been upgraded to a later upstream version:\nopenssl (1.1.1c). \n\nAdditional Changes:\n\nFor detailed information on changes in this release, see the Red Hat\nEnterprise Linux 8.1 Release Notes linked from the References section. \n\n4. Solution:\n\nFor details on how to apply this update, which includes the changes\ndescribed in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258\n\nFor the update to take effect, all services linked to the OpenSSL library\nmust be restarted, or the system rebooted. \n\n5. Bugs fixed (https://bugzilla.redhat.com/):\n\n1644356 - CVE-2018-0735 openssl: timing side channel attack in the ECDSA signature generation\n1644364 - CVE-2018-0734 openssl: timing side channel attack in the DSA signature algorithm\n1668880 - ec man page lists -modulus but the tool doesn't support it\n1686058 - specifying digest for signing time-stamping responses is mandatory\n1686548 - Incorrect handling of fragmented KeyUpdate messages\n1695954 - CVE-2019-1543 openssl: ChaCha20-Poly1305 with long nonces\n1697915 - Race/segmentation fault on process shutdown in OpenSSL\n1706104 - openssl asn1parse crashes with double free or corruption (!prev)\n1706915 - OpenSSL should implement continuous random test or use the kernel AF_ALG interface for random\n1712023 - openssl pkcs12 uses certpbe algorithm not compliant with FIPS by default\n1714245 - DSA ciphers in TLS don't work with SHA-1 signatures even in LEGACY level\n\n6. 
Package List:\n\nRed Hat Enterprise Linux BaseOS (v. 8):\n\nSource:\nopenssl-1.1.1c-2.el8.src.rpm\n\naarch64:\nopenssl-1.1.1c-2.el8.aarch64.rpm\nopenssl-debuginfo-1.1.1c-2.el8.aarch64.rpm\nopenssl-debugsource-1.1.1c-2.el8.aarch64.rpm\nopenssl-devel-1.1.1c-2.el8.aarch64.rpm\nopenssl-libs-1.1.1c-2.el8.aarch64.rpm\nopenssl-libs-debuginfo-1.1.1c-2.el8.aarch64.rpm\nopenssl-perl-1.1.1c-2.el8.aarch64.rpm\n\nppc64le:\nopenssl-1.1.1c-2.el8.ppc64le.rpm\nopenssl-debuginfo-1.1.1c-2.el8.ppc64le.rpm\nopenssl-debugsource-1.1.1c-2.el8.ppc64le.rpm\nopenssl-devel-1.1.1c-2.el8.ppc64le.rpm\nopenssl-libs-1.1.1c-2.el8.ppc64le.rpm\nopenssl-libs-debuginfo-1.1.1c-2.el8.ppc64le.rpm\nopenssl-perl-1.1.1c-2.el8.ppc64le.rpm\n\ns390x:\nopenssl-1.1.1c-2.el8.s390x.rpm\nopenssl-debuginfo-1.1.1c-2.el8.s390x.rpm\nopenssl-debugsource-1.1.1c-2.el8.s390x.rpm\nopenssl-devel-1.1.1c-2.el8.s390x.rpm\nopenssl-libs-1.1.1c-2.el8.s390x.rpm\nopenssl-libs-debuginfo-1.1.1c-2.el8.s390x.rpm\nopenssl-perl-1.1.1c-2.el8.s390x.rpm\n\nx86_64:\nopenssl-1.1.1c-2.el8.x86_64.rpm\nopenssl-debuginfo-1.1.1c-2.el8.i686.rpm\nopenssl-debuginfo-1.1.1c-2.el8.x86_64.rpm\nopenssl-debugsource-1.1.1c-2.el8.i686.rpm\nopenssl-debugsource-1.1.1c-2.el8.x86_64.rpm\nopenssl-devel-1.1.1c-2.el8.i686.rpm\nopenssl-devel-1.1.1c-2.el8.x86_64.rpm\nopenssl-libs-1.1.1c-2.el8.i686.rpm\nopenssl-libs-1.1.1c-2.el8.x86_64.rpm\nopenssl-libs-debuginfo-1.1.1c-2.el8.i686.rpm\nopenssl-libs-debuginfo-1.1.1c-2.el8.x86_64.rpm\nopenssl-perl-1.1.1c-2.el8.x86_64.rpm\n\nThese packages are GPG signed by Red Hat for security.  Our key and\ndetails on how to verify the signature are available from\nhttps://access.redhat.com/security/team/key/\n\n7. 
References:\n\nhttps://access.redhat.com/security/cve/CVE-2018-0734\nhttps://access.redhat.com/security/cve/CVE-2018-0735\nhttps://access.redhat.com/security/cve/CVE-2019-1543\nhttps://access.redhat.com/security/updates/classification/#low\nhttps://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/8.1_release_notes/\n\n8. Contact:\n\nThe Red Hat security contact is <secalert@redhat.com>. More contact\ndetails at https://access.redhat.com/security/team/contact/\n\nCopyright 2019 Red Hat, Inc. \n-----BEGIN PGP SIGNATURE-----\nVersion: GnuPG v1\n\niQIVAwUBXcHzTdzjgjWX9erEAQjP6w/8D4eIfwgPbpKXdy3Y2kjmKhb9faqBJvHm\neqpG5tewJQBtRAPm/R7SesrMVKGUEDAuiSKydQlQn8nuRIWDsKw14+uLRN7AyTQ3\njXy0pnp+C7O1hyJnwNEiXo9ZgUaXMMXLGyTk8v9gnzA/HYpZX1c4g4FXHf0ycBi/\nthxllEiJx6CrEO3pszYzu1Lt9GFMOAJPvwbiW0S7mVmsNCI4n+5OfeNzmURXdObs\n89/XCFrQO3CDAh3SXCZa08Ie8px7Aq8slmNWOswhlqIYkUWGUbICIpqW1+4XyAqz\nhVP8iqTY7TRwBPB0zoqmO5cxMY+jqMk/LphG+oTOF+ZA7YZH3bjDxJisCOr+ys+i\nWnTYAl1KFBqo5uhH4dBzNH2EE5PeiwKNKqu6Wws1qOblTFXb3AYSHsqLv6VB0m1B\nMXcUXrjSMwelSVAgK1eekJsYqCr3lT1+N8cA8P/sgT/DzGTNJhcoCE/OeJCUVBZL\nuGhke48CUs3GvXCKP0+PDpINRRllGwVqkkCQ7LtsXoB0hGaaGt+CNCd3aQj8rf02\nmPi2Vab7CjBLUn1QGiNigLF4X4rKZlxiBcHDByyHdeCW+zHvGod7ksmJKXmHujvY\npdg6toj/our0hhQp2dPTXFPKFtkO7GIIe19i+OZ6Rn0niVxSQbshiXyFFsvgZN0F\n82vSbeKouJA=\n=mdzd\n-----END PGP SIGNATURE-----\n\n--\nRHSA-announce mailing list\nRHSA-announce@redhat.com\nhttps://www.redhat.com/mailman/listinfo/rhsa-announce\n. ==========================================================================\nUbuntu Security Notice USN-3840-1\nDecember 06, 2018\n\nopenssl, openssl1.0 vulnerabilities\n==========================================================================\n\nA security issue affects these releases of Ubuntu and its derivatives:\n\n- Ubuntu 18.10\n- Ubuntu 18.04 LTS\n- Ubuntu 16.04 LTS\n- Ubuntu 14.04 LTS\n\nSummary:\n\nSeveral security issues were fixed in OpenSSL. 
(CVE-2018-0734)\n\nSamuel Weiser discovered that OpenSSL incorrectly handled ECDSA signing. This issue only affected Ubuntu\n18.04 LTS and Ubuntu 18.10. (CVE-2018-0735)\n\nBilly Bob Brumley, Cesar Pereida Garcia, Sohaib ul Hassan, Nicola Tuveri,\nand Alejandro Cabrera Aldaya discovered that Simultaneous Multithreading\n(SMT) architectures are vulnerable to side-channel leakage. This issue is\nknown as \"PortSmash\". (CVE-2018-5407)\n\nUpdate instructions:\n\nThe problem can be corrected by updating your system to the following\npackage versions:\n\nUbuntu 18.10:\n  libssl1.0.0                     1.0.2n-1ubuntu6.1\n  libssl1.1                       1.1.1-1ubuntu2.1\n\nUbuntu 18.04 LTS:\n  libssl1.0.0                     1.0.2n-1ubuntu5.2\n  libssl1.1                       1.1.0g-2ubuntu4.3\n\nUbuntu 16.04 LTS:\n  libssl1.0.0                     1.0.2g-1ubuntu4.14\n\nUbuntu 14.04 LTS:\n  libssl1.0.0                     1.0.1f-1ubuntu2.27\n\nAfter a standard system update you need to reboot your computer to make\nall the necessary changes. \n\nDue to the low severity of this issue we are not issuing a new release\nof OpenSSL 1.1.1 or 1.1.0 at this time. The fix\nis also available in commit b1d6d55ece (for 1.1.1) and commit 56fb454d28\n(for 1.1.0) in the OpenSSL git repository. \n\nReferences\n==========\n\nURL for this Security Advisory:\nhttps://www.openssl.org/news/secadv/20181029.txt\n\nNote: the online version of the advisory may be updated with additional details\nover time. \n\nFor details of OpenSSL severity classifications please see:\nhttps://www.openssl.org/policies/secpolicy.html\n",
      sources: [
         {
            db: "NVD",
            id: "CVE-2018-0735",
         },
         {
            db: "JVNDB",
            id: "JVNDB-2018-014030",
         },
         {
            db: "BID",
            id: "105750",
         },
         {
            db: "VULHUB",
            id: "VHN-118937",
         },
         {
            db: "VULMON",
            id: "CVE-2018-0735",
         },
         {
            db: "PACKETSTORM",
            id: "150561",
         },
         {
            db: "PACKETSTORM",
            id: "155160",
         },
         {
            db: "PACKETSTORM",
            id: "150683",
         },
         {
            db: "PACKETSTORM",
            id: "169669",
         },
      ],
      trust: 2.43,
   },
   external_ids: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/external_ids#",
         data: {
            "@container": "@list",
         },
         sources: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/ref/sources#",
            },
         },
      },
      data: [
         {
            db: "NVD",
            id: "CVE-2018-0735",
            trust: 3.3,
         },
         {
            db: "BID",
            id: "105750",
            trust: 2.1,
         },
         {
            db: "SECTRACK",
            id: "1041986",
            trust: 1.8,
         },
         {
            db: "JVNDB",
            id: "JVNDB-2018-014030",
            trust: 0.8,
         },
         {
            db: "CNNVD",
            id: "CNNVD-201810-1395",
            trust: 0.7,
         },
         {
            db: "AUSCERT",
            id: "ESB-2019.0514",
            trust: 0.6,
         },
         {
            db: "AUSCERT",
            id: "ESB-2019.1119",
            trust: 0.6,
         },
         {
            db: "AUSCERT",
            id: "ESB-2019.0473",
            trust: 0.6,
         },
         {
            db: "AUSCERT",
            id: "ESB-2020.0529",
            trust: 0.6,
         },
         {
            db: "AUSCERT",
            id: "ESB-2019.3390.4",
            trust: 0.6,
         },
         {
            db: "VULHUB",
            id: "VHN-118937",
            trust: 0.1,
         },
         {
            db: "VULMON",
            id: "CVE-2018-0735",
            trust: 0.1,
         },
         {
            db: "PACKETSTORM",
            id: "150561",
            trust: 0.1,
         },
         {
            db: "PACKETSTORM",
            id: "155160",
            trust: 0.1,
         },
         {
            db: "PACKETSTORM",
            id: "150683",
            trust: 0.1,
         },
         {
            db: "PACKETSTORM",
            id: "169669",
            trust: 0.1,
         },
      ],
      sources: [
         {
            db: "VULHUB",
            id: "VHN-118937",
         },
         {
            db: "VULMON",
            id: "CVE-2018-0735",
         },
         {
            db: "BID",
            id: "105750",
         },
         {
            db: "JVNDB",
            id: "JVNDB-2018-014030",
         },
         {
            db: "PACKETSTORM",
            id: "150561",
         },
         {
            db: "PACKETSTORM",
            id: "155160",
         },
         {
            db: "PACKETSTORM",
            id: "150683",
         },
         {
            db: "PACKETSTORM",
            id: "169669",
         },
         {
            db: "CNNVD",
            id: "CNNVD-201810-1395",
         },
         {
            db: "NVD",
            id: "CVE-2018-0735",
         },
      ],
   },
   id: "VAR-201810-0933",
   iot: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/iot#",
         sources: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/ref/sources#",
            },
         },
      },
      data: true,
      sources: [
         {
            db: "VULHUB",
            id: "VHN-118937",
         },
      ],
      trust: 0.01,
   },
   last_update_date: "2024-11-23T20:01:17.641000Z",
   patch: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/patch#",
         data: {
            "@container": "@list",
         },
         sources: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/ref/sources#",
            },
         },
      },
      data: [
         {
            title: "[SECURITY] [DLA 1586-1] openssl security update",
            trust: 0.8,
            url: "https://lists.debian.org/debian-lts-announce/2018/11/msg00024.html",
         },
         {
            title: "DSA-4348",
            trust: 0.8,
            url: "https://www.debian.org/security/2018/dsa-4348",
         },
         {
            title: "Timing vulnerability in ECDSA signature generation (CVE-2018-0735)(56fb454)",
            trust: 0.8,
            url: "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=56fb454d281a023b3f950d969693553d3f3ceea1",
         },
         {
            title: "Timing vulnerability in ECDSA signature generation (CVE-2018-0735)(b1d6d55)",
            trust: 0.8,
            url: "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=b1d6d55ece1c26fa2829e2b819b038d7b6d692b4",
         },
         {
            title: "NTAP-20181105-0002",
            trust: 0.8,
            url: "https://security.netapp.com/advisory/ntap-20181105-0002/",
         },
         {
            title: "November 2018 Security Releases",
            trust: 0.8,
            url: "https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/",
         },
         {
            title: "Timing vulnerability in ECDSA signature generation (CVE-2018-0735)",
            trust: 0.8,
            url: "https://www.openssl.org/news/secadv/20181029.txt",
         },
         {
            title: "USN-3840-1",
            trust: 0.8,
            url: "https://usn.ubuntu.com/3840-1/",
         },
         {
            title: "OpenSSL Security vulnerabilities",
            trust: 0.6,
            url: "http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=86394",
         },
         {
            title: "Red Hat: Low: openssl security, bug fix, and enhancement update",
            trust: 0.1,
            url: "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories&qid=RHSA-20193700 - Security Advisory",
         },
         {
            title: "Ubuntu Security Notice: openssl, openssl1.0 vulnerabilities",
            trust: 0.1,
            url: "https://vulmon.com/vendoradvisory?qidtp=ubuntu_security_notice&qid=USN-3840-1",
         },
         {
            title: "Red Hat: CVE-2018-0735",
            trust: 0.1,
            url: "https://vulmon.com/vendoradvisory?qidtp=red_hat_cve_database&qid=CVE-2018-0735",
         },
         {
            title: "Arch Linux Issues: ",
            trust: 0.1,
            url: "https://vulmon.com/vendoradvisory?qidtp=arch_linux_issues&qid=CVE-2018-0735",
         },
         {
            title: "Arch Linux Advisories: [ASA-201812-6] lib32-openssl: private key recovery",
            trust: 0.1,
            url: "https://vulmon.com/vendoradvisory?qidtp=arch_linux_advisories&qid=ASA-201812-6",
         },
         {
            title: "Arch Linux Advisories: [ASA-201812-5] openssl: private key recovery",
            trust: 0.1,
            url: "https://vulmon.com/vendoradvisory?qidtp=arch_linux_advisories&qid=ASA-201812-5",
         },
         {
            title: "IBM: Security Bulletin: Vulnerability in OpenSSL affects IBM Integrated Analytics System",
            trust: 0.1,
            url: "https://vulmon.com/vendoradvisory?qidtp=ibm_psirt_blog&qid=11a896cf16b3849254ae662b7748b708",
         },
         {
            title: "Debian Security Advisories: DSA-4348-1 openssl -- security update",
            trust: 0.1,
            url: "https://vulmon.com/vendoradvisory?qidtp=debian_security_advisories&qid=322bd50b7b929759e38c99b73122a852",
         },
         {
            title: "IBM: IBM Security Bulletin: IBM Event Streams is affected by OpenSSL vulnerabilities",
            trust: 0.1,
            url: "https://vulmon.com/vendoradvisory?qidtp=ibm_psirt_blog&qid=efdce9b94f89918f3f2b2dfc69780ccd",
         },
         {
            title: "IBM: IBM Security Bulletin: Multiple vulnerabilities in OpenSSL affect IBM InfoSphere Information Server",
            trust: 0.1,
            url: "https://vulmon.com/vendoradvisory?qidtp=ibm_psirt_blog&qid=d04b79d120c8d1de061ffc3f57258fcb",
         },
         {
            title: "IBM: IBM Security Bulletin: IBM InfoSphere Master Data Management Standard and Advanced Editions are affected by vulnerabilities in OpenSSL (CVE-2018-0735, CVE-2018-0734, CVE-2018-5407)",
            trust: 0.1,
            url: "https://vulmon.com/vendoradvisory?qidtp=ibm_psirt_blog&qid=c829d56f5888779e791387897875c4b4",
         },
         {
            title: "IBM: IBM Security Bulletin: Multiple Security Vulnerabilities affect IBM® Cloud Private – Node.js",
            trust: 0.1,
            url: "https://vulmon.com/vendoradvisory?qidtp=ibm_psirt_blog&qid=2e571e7bc5566212c3e69e37ecfa5ad4",
         },
         {
            title: "IBM: IBM Security Bulletin: Multiple vulnerabilities in Node.js affect IBM Rational Application Developer for WebSphere Software",
            trust: 0.1,
            url: "https://vulmon.com/vendoradvisory?qidtp=ibm_psirt_blog&qid=2bd72b857f21f300d83d07a791be44cf",
         },
         {
            title: "IBM: IBM Security Bulletin: Multiple vulnerabilities in Node.js affect IBM Cloud App Management V2018",
            trust: 0.1,
            url: "https://vulmon.com/vendoradvisory?qidtp=ibm_psirt_blog&qid=dce787e9d669a768893a91801bf5eea4",
         },
         {
            title: "IBM: IBM Security Bulletin: Multiple vulnerabilities affect IBM® SDK for Node.js™ in IBM Cloud",
            trust: 0.1,
            url: "https://vulmon.com/vendoradvisory?qidtp=ibm_psirt_blog&qid=26f585287da19915b94b6cae2d1b864f",
         },
         {
            title: "IBM: IBM Security Bulletin: Multiple Security Vulnerabilities affect IBM® Cloud Private – fluentd",
            trust: 0.1,
            url: "https://vulmon.com/vendoradvisory?qidtp=ibm_psirt_blog&qid=60de0933c28b353f38df30120aa2a908",
         },
         {
            title: "Oracle: Oracle Critical Patch Update Advisory - January 2019",
            trust: 0.1,
            url: "https://vulmon.com/vendoradvisory?qidtp=oracle_advisories&qid=f655264a6935505d167bbf45f409a57b",
         },
         {
            title: "Oracle Solaris Third Party Bulletins: Oracle Solaris Third Party Bulletin - January 2019",
            trust: 0.1,
            url: "https://vulmon.com/vendoradvisory?qidtp=oracle_solaris_third_party_bulletins&qid=aea3fcafd82c179d3a5dfa015e920864",
         },
         {
            title: "IBM: IBM Security Bulletin: Vyatta 5600 vRouter Software Patches – Release 1801-v",
            trust: 0.1,
            url: "https://vulmon.com/vendoradvisory?qidtp=ibm_psirt_blog&qid=413b5f9466c1ebf3ab090a45e189b43e",
         },
         {
            title: "",
            trust: 0.1,
            url: "https://github.com/Live-Hack-CVE/CVE-2018-0735 ",
         },
         {
            title: "vyger",
            trust: 0.1,
            url: "https://github.com/mrodden/vyger ",
         },
      ],
      sources: [
         {
            db: "VULMON",
            id: "CVE-2018-0735",
         },
         {
            db: "JVNDB",
            id: "JVNDB-2018-014030",
         },
         {
            db: "CNNVD",
            id: "CNNVD-201810-1395",
         },
      ],
   },
   problemtype_data: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
         sources: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/ref/sources#",
            },
         },
      },
      data: [
         {
            problemtype: "CWE-327",
            trust: 1.1,
         },
         {
            problemtype: "CWE-320",
            trust: 0.9,
         },
      ],
      sources: [
         {
            db: "VULHUB",
            id: "VHN-118937",
         },
         {
            db: "JVNDB",
            id: "JVNDB-2018-014030",
         },
         {
            db: "NVD",
            id: "CVE-2018-0735",
         },
      ],
   },
   references: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/references#",
         data: {
            "@container": "@list",
         },
         sources: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/ref/sources#",
            },
         },
      },
      data: [
         {
            trust: 2.4,
            url: "http://www.securityfocus.com/bid/105750",
         },
         {
            trust: 2.2,
            url: "https://www.openssl.org/news/secadv/20181029.txt",
         },
         {
            trust: 2,
            url: "https://access.redhat.com/errata/rhsa-2019:3700",
         },
         {
            trust: 1.9,
            url: "https://usn.ubuntu.com/3840-1/",
         },
         {
            trust: 1.8,
            url: "https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/",
         },
         {
            trust: 1.8,
            url: "https://security.netapp.com/advisory/ntap-20181105-0002/",
         },
         {
            trust: 1.8,
            url: "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html",
         },
         {
            trust: 1.8,
            url: "https://www.debian.org/security/2018/dsa-4348",
         },
         {
            trust: 1.8,
            url: "https://www.oracle.com/security-alerts/cpujan2020.html",
         },
         {
            trust: 1.8,
            url: "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html",
         },
         {
            trust: 1.8,
            url: "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html",
         },
         {
            trust: 1.8,
            url: "https://lists.debian.org/debian-lts-announce/2018/11/msg00024.html",
         },
         {
            trust: 1.8,
            url: "http://www.securitytracker.com/id/1041986",
         },
         {
            trust: 1.2,
            url: "https://nvd.nist.gov/vuln/detail/cve-2018-0735",
         },
         {
            trust: 1.1,
            url: "https://git.openssl.org/gitweb/?p=openssl.git%3ba=commitdiff%3bh=56fb454d281a023b3f950d969693553d3f3ceea1",
         },
         {
            trust: 1.1,
            url: "https://git.openssl.org/gitweb/?p=openssl.git%3ba=commitdiff%3bh=b1d6d55ece1c26fa2829e2b819b038d7b6d692b4",
         },
         {
            trust: 0.8,
            url: "https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-0735",
         },
         {
            trust: 0.7,
            url: "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=56fb454d281a023b3f950d969693553d3f3ceea1",
         },
         {
            trust: 0.7,
            url: "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=b1d6d55ece1c26fa2829e2b819b038d7b6d692b4",
         },
         {
            trust: 0.6,
            url: "https://support.symantec.com/us/en/article.symsa1490.html",
         },
         {
            trust: 0.6,
            url: "http://www.ibm.com/support/docview.wss",
         },
         {
            trust: 0.6,
            url: "https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-openssl-affect-ibm-tivoli-netcool-system-service-monitors-application-service-monitors-cve-2018-5407cve-2020-1967cve-2018-0734cve-2019-1563cve-2019/",
         },
         {
            trust: 0.6,
            url: "https://www-01.ibm.com/support/docview.wss?uid=ibm10876540",
         },
         {
            trust: 0.6,
            url: "https://www.auscert.org.au/bulletins/esb-2020.0529/",
         },
         {
            trust: 0.6,
            url: "https://www.ibm.com/support/docview.wss?uid=ibm10869830",
         },
         {
            trust: 0.6,
            url: "http://www.ibm.com/support/docview.wss?uid=ibm10792231",
         },
         {
            trust: 0.6,
            url: "https://www.ibm.com/support/pages/node/1143442",
         },
         {
            trust: 0.6,
            url: "https://www-01.ibm.com/support/docview.wss?uid=ibm10870936",
         },
         {
            trust: 0.6,
            url: "https://www.auscert.org.au/bulletins/78342",
         },
         {
            trust: 0.6,
            url: "https://www.auscert.org.au/bulletins/esb-2019.3390.4/",
         },
         {
            trust: 0.6,
            url: "https://www.ibm.com/support/pages/node/1169932",
         },
         {
            trust: 0.6,
            url: "https://www.auscert.org.au/bulletins/75618",
         },
         {
            trust: 0.6,
            url: "https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-openssl-affect-ibm-spectrum-protect-plus-cve-2018-0735-cve-2018-0734-cve-2018-5407/",
         },
         {
            trust: 0.6,
            url: "https://www-01.ibm.com/support/docview.wss?uid=ibm10873310",
         },
         {
            trust: 0.6,
            url: "https://www.auscert.org.au/bulletins/75802",
         },
         {
            trust: 0.3,
            url: "https://github.com/openssl/openssl/commit/56fb454d281a023b3f950d969693553d3f3ceea1",
         },
         {
            trust: 0.3,
            url: "http://openssl.org/",
         },
         {
            trust: 0.3,
            url: "https://github.com/openssl/openssl/commit/b1d6d55ece1c26fa2829e2b819b038d7b6d692b4",
         },
         {
            trust: 0.3,
            url: "https://www.openssl.org/news/vulnerabilities.html",
         },
         {
            trust: 0.3,
            url: "https://nvd.nist.gov/vuln/detail/cve-2018-0734",
         },
         {
            trust: 0.2,
            url: "https://nvd.nist.gov/vuln/detail/cve-2018-5407",
         },
         {
            trust: 0.1,
            url: "https://cwe.mitre.org/data/definitions/327.html",
         },
         {
            trust: 0.1,
            url: "https://github.com/live-hack-cve/cve-2018-0735",
         },
         {
            trust: 0.1,
            url: "https://nvd.nist.gov",
         },
         {
            trust: 0.1,
            url: "https://tools.cisco.com/security/center/viewalert.x?alertid=59068",
         },
         {
            trust: 0.1,
            url: "https://www.debian.org/security/faq",
         },
         {
            trust: 0.1,
            url: "https://www.debian.org/security/",
         },
         {
            trust: 0.1,
            url: "https://nvd.nist.gov/vuln/detail/cve-2018-0737",
         },
         {
            trust: 0.1,
            url: "https://nvd.nist.gov/vuln/detail/cve-2018-0732",
         },
         {
            trust: 0.1,
            url: "https://security-tracker.debian.org/tracker/openssl",
         },
         {
            trust: 0.1,
            url: "https://www.redhat.com/mailman/listinfo/rhsa-announce",
         },
         {
            trust: 0.1,
            url: "https://access.redhat.com/security/updates/classification/#low",
         },
         {
            trust: 0.1,
            url: "https://nvd.nist.gov/vuln/detail/cve-2019-1543",
         },
         {
            trust: 0.1,
            url: "https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/8.1_release_notes/",
         },
         {
            trust: 0.1,
            url: "https://access.redhat.com/security/cve/cve-2018-0735",
         },
         {
            trust: 0.1,
            url: "https://bugzilla.redhat.com/):",
         },
         {
            trust: 0.1,
            url: "https://access.redhat.com/security/team/key/",
         },
         {
            trust: 0.1,
            url: "https://access.redhat.com/security/cve/cve-2019-1543",
         },
         {
            trust: 0.1,
            url: "https://access.redhat.com/articles/11258",
         },
         {
            trust: 0.1,
            url: "https://access.redhat.com/security/team/contact/",
         },
         {
            trust: 0.1,
            url: "https://access.redhat.com/security/cve/cve-2018-0734",
         },
         {
            trust: 0.1,
            url: "https://launchpad.net/ubuntu/+source/openssl/1.1.1-1ubuntu2.1",
         },
         {
            trust: 0.1,
            url: "https://launchpad.net/ubuntu/+source/openssl/1.0.2g-1ubuntu4.14",
         },
         {
            trust: 0.1,
            url: "https://launchpad.net/ubuntu/+source/openssl/1.0.1f-1ubuntu2.27",
         },
         {
            trust: 0.1,
            url: "https://launchpad.net/ubuntu/+source/openssl/1.1.0g-2ubuntu4.3",
         },
         {
            trust: 0.1,
            url: "https://usn.ubuntu.com/usn/usn-3840-1",
         },
         {
            trust: 0.1,
            url: "https://launchpad.net/ubuntu/+source/openssl1.0/1.0.2n-1ubuntu6.1",
         },
         {
            trust: 0.1,
            url: "https://launchpad.net/ubuntu/+source/openssl1.0/1.0.2n-1ubuntu5.2",
         },
         {
            trust: 0.1,
            url: "https://www.openssl.org/policies/secpolicy.html",
         },
      ],
      sources: [
         {
            db: "VULHUB",
            id: "VHN-118937",
         },
         {
            db: "VULMON",
            id: "CVE-2018-0735",
         },
         {
            db: "BID",
            id: "105750",
         },
         {
            db: "JVNDB",
            id: "JVNDB-2018-014030",
         },
         {
            db: "PACKETSTORM",
            id: "150561",
         },
         {
            db: "PACKETSTORM",
            id: "155160",
         },
         {
            db: "PACKETSTORM",
            id: "150683",
         },
         {
            db: "PACKETSTORM",
            id: "169669",
         },
         {
            db: "CNNVD",
            id: "CNNVD-201810-1395",
         },
         {
            db: "NVD",
            id: "CVE-2018-0735",
         },
      ],
   },
   sources: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/sources#",
         data: {
            "@container": "@list",
         },
      },
      data: [
         {
            db: "VULHUB",
            id: "VHN-118937",
         },
         {
            db: "VULMON",
            id: "CVE-2018-0735",
         },
         {
            db: "BID",
            id: "105750",
         },
         {
            db: "JVNDB",
            id: "JVNDB-2018-014030",
         },
         {
            db: "PACKETSTORM",
            id: "150561",
         },
         {
            db: "PACKETSTORM",
            id: "155160",
         },
         {
            db: "PACKETSTORM",
            id: "150683",
         },
         {
            db: "PACKETSTORM",
            id: "169669",
         },
         {
            db: "CNNVD",
            id: "CNNVD-201810-1395",
         },
         {
            db: "NVD",
            id: "CVE-2018-0735",
         },
      ],
   },
   sources_release_date: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
         data: {
            "@container": "@list",
         },
      },
      data: [
         {
            date: "2018-10-29T00:00:00",
            db: "VULHUB",
            id: "VHN-118937",
         },
         {
            date: "2018-10-29T00:00:00",
            db: "VULMON",
            id: "CVE-2018-0735",
         },
         {
            date: "2018-10-29T00:00:00",
            db: "BID",
            id: "105750",
         },
         {
            date: "2019-03-11T00:00:00",
            db: "JVNDB",
            id: "JVNDB-2018-014030",
         },
         {
            date: "2018-12-03T21:06:37",
            db: "PACKETSTORM",
            id: "150561",
         },
         {
            date: "2019-11-06T15:56:37",
            db: "PACKETSTORM",
            id: "155160",
         },
         {
            date: "2018-12-07T01:03:36",
            db: "PACKETSTORM",
            id: "150683",
         },
         {
            date: "2018-10-29T12:12:12",
            db: "PACKETSTORM",
            id: "169669",
         },
         {
            date: "2018-10-30T00:00:00",
            db: "CNNVD",
            id: "CNNVD-201810-1395",
         },
         {
            date: "2018-10-29T13:29:00.263000",
            db: "NVD",
            id: "CVE-2018-0735",
         },
      ],
   },
   sources_update_date: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
         data: {
            "@container": "@list",
         },
      },
      data: [
         {
            date: "2020-08-24T00:00:00",
            db: "VULHUB",
            id: "VHN-118937",
         },
         {
            date: "2023-11-07T00:00:00",
            db: "VULMON",
            id: "CVE-2018-0735",
         },
         {
            date: "2018-10-29T00:00:00",
            db: "BID",
            id: "105750",
         },
         {
            date: "2019-03-11T00:00:00",
            db: "JVNDB",
            id: "JVNDB-2018-014030",
         },
         {
            date: "2020-12-16T00:00:00",
            db: "CNNVD",
            id: "CNNVD-201810-1395",
         },
         {
            date: "2024-11-21T03:38:50.413000",
            db: "NVD",
            id: "CVE-2018-0735",
         },
      ],
   },
   threat_type: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/threat_type#",
         sources: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/ref/sources#",
            },
         },
      },
      data: "remote",
      sources: [
         {
            db: "CNNVD",
            id: "CNNVD-201810-1395",
         },
      ],
      trust: 0.6,
   },
   title: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/title#",
         sources: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/ref/sources#",
            },
         },
      },
      data: "OpenSSL ECDSA Vulnerabilities related to key management errors in signature algorithms",
      sources: [
         {
            db: "JVNDB",
            id: "JVNDB-2018-014030",
         },
      ],
      trust: 0.8,
   },
   type: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/type#",
         sources: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/ref/sources#",
            },
         },
      },
      data: "encryption problem",
      sources: [
         {
            db: "CNNVD",
            id: "CNNVD-201810-1395",
         },
      ],
      trust: 0.6,
   },
}

var-201711-0007
Vulnerability from variot

A denial of service flaw was found in OpenSSL 0.9.8, 1.0.1, 1.0.2 through 1.0.2h, and 1.1.0 in the way the TLS/SSL protocol defined processing of ALERT packets during a connection handshake. A remote attacker could use this flaw to make a TLS/SSL server consume an excessive amount of CPU and fail to accept connections from other clients. OpenSSL is prone to a denial-of-service vulnerability. Successful exploitation of the issue will cause excessive memory or CPU resource consumption, resulting in a denial-of-service condition. OpenSSL supports a variety of cryptographic algorithms, including symmetric ciphers, hash algorithms, secure hash algorithms, etc.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
Red Hat Security Advisory

Synopsis: Moderate: openssl security update
Advisory ID: RHSA-2017:0286-01
Product: Red Hat Enterprise Linux
Advisory URL: https://rhn.redhat.com/errata/RHSA-2017-0286.html
Issue date: 2017-02-20
CVE Names: CVE-2016-8610 CVE-2017-3731
=====================================================================

  1. Summary:

An update for openssl is now available for Red Hat Enterprise Linux 6 and Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

  2. Relevant releases/architectures:

Red Hat Enterprise Linux Client (v. 7) - x86_64
Red Hat Enterprise Linux Client Optional (v. 7) - x86_64
Red Hat Enterprise Linux ComputeNode (v. 7) - x86_64
Red Hat Enterprise Linux ComputeNode Optional (v. 7) - x86_64
Red Hat Enterprise Linux Desktop (v. 6) - i386, x86_64
Red Hat Enterprise Linux Desktop Optional (v. 6) - i386, x86_64
Red Hat Enterprise Linux HPC Node (v. 6) - x86_64
Red Hat Enterprise Linux HPC Node Optional (v. 6) - x86_64
Red Hat Enterprise Linux Server (v. 6) - i386, ppc64, s390x, x86_64
Red Hat Enterprise Linux Server (v. 7) - aarch64, ppc64, ppc64le, s390x, x86_64
Red Hat Enterprise Linux Server Optional (v. 6) - i386, ppc64, s390x, x86_64
Red Hat Enterprise Linux Server Optional (v. 7) - aarch64, ppc64, ppc64le, s390x, x86_64
Red Hat Enterprise Linux Workstation (v. 6) - i386, x86_64
Red Hat Enterprise Linux Workstation (v. 7) - x86_64
Red Hat Enterprise Linux Workstation Optional (v. 6) - i386, x86_64
Red Hat Enterprise Linux Workstation Optional (v. 7) - x86_64

  3. Description:

OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols, as well as a full-strength general-purpose cryptography library.

Security Fix(es):

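  • An integer underflow leading to an out of bounds read flaw was found in OpenSSL. (CVE-2017-3731)

  • A denial of service flaw was found in the way the TLS/SSL protocol defined processing of ALERT packets during a connection handshake. A remote attacker could use this flaw to make a TLS/SSL server consume an excessive amount of CPU and fail to accept connections from other clients. (CVE-2016-8610)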

  4. Solution:

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

For the update to take effect, all services linked to the OpenSSL library must be restarted, or the system rebooted.

  5. Bugs fixed (https://bugzilla.redhat.com/):

1384743 - CVE-2016-8610 SSL/TLS: Malformed plain-text ALERT packets could cause remote DoS
1416852 - CVE-2017-3731 openssl: Truncated packet could crash via OOB read

  6. Package List:

Red Hat Enterprise Linux Desktop (v. 6):

Source: openssl-1.0.1e-48.el6_8.4.src.rpm

i386: openssl-1.0.1e-48.el6_8.4.i686.rpm openssl-debuginfo-1.0.1e-48.el6_8.4.i686.rpm

x86_64: openssl-1.0.1e-48.el6_8.4.i686.rpm openssl-1.0.1e-48.el6_8.4.x86_64.rpm openssl-debuginfo-1.0.1e-48.el6_8.4.i686.rpm openssl-debuginfo-1.0.1e-48.el6_8.4.x86_64.rpm

Red Hat Enterprise Linux Desktop Optional (v. 6):

i386: openssl-debuginfo-1.0.1e-48.el6_8.4.i686.rpm openssl-devel-1.0.1e-48.el6_8.4.i686.rpm openssl-perl-1.0.1e-48.el6_8.4.i686.rpm openssl-static-1.0.1e-48.el6_8.4.i686.rpm

x86_64: openssl-debuginfo-1.0.1e-48.el6_8.4.i686.rpm openssl-debuginfo-1.0.1e-48.el6_8.4.x86_64.rpm openssl-devel-1.0.1e-48.el6_8.4.i686.rpm openssl-devel-1.0.1e-48.el6_8.4.x86_64.rpm openssl-perl-1.0.1e-48.el6_8.4.x86_64.rpm openssl-static-1.0.1e-48.el6_8.4.x86_64.rpm

Red Hat Enterprise Linux HPC Node (v. 6):

Source: openssl-1.0.1e-48.el6_8.4.src.rpm

x86_64: openssl-1.0.1e-48.el6_8.4.i686.rpm openssl-1.0.1e-48.el6_8.4.x86_64.rpm openssl-debuginfo-1.0.1e-48.el6_8.4.i686.rpm openssl-debuginfo-1.0.1e-48.el6_8.4.x86_64.rpm

Red Hat Enterprise Linux HPC Node Optional (v. 6):

x86_64: openssl-debuginfo-1.0.1e-48.el6_8.4.i686.rpm openssl-debuginfo-1.0.1e-48.el6_8.4.x86_64.rpm openssl-devel-1.0.1e-48.el6_8.4.i686.rpm openssl-devel-1.0.1e-48.el6_8.4.x86_64.rpm openssl-perl-1.0.1e-48.el6_8.4.x86_64.rpm openssl-static-1.0.1e-48.el6_8.4.x86_64.rpm

Red Hat Enterprise Linux Server (v. 6):

Source: openssl-1.0.1e-48.el6_8.4.src.rpm

i386: openssl-1.0.1e-48.el6_8.4.i686.rpm openssl-debuginfo-1.0.1e-48.el6_8.4.i686.rpm openssl-devel-1.0.1e-48.el6_8.4.i686.rpm

ppc64: openssl-1.0.1e-48.el6_8.4.ppc.rpm openssl-1.0.1e-48.el6_8.4.ppc64.rpm openssl-debuginfo-1.0.1e-48.el6_8.4.ppc.rpm openssl-debuginfo-1.0.1e-48.el6_8.4.ppc64.rpm openssl-devel-1.0.1e-48.el6_8.4.ppc.rpm openssl-devel-1.0.1e-48.el6_8.4.ppc64.rpm

s390x: openssl-1.0.1e-48.el6_8.4.s390.rpm openssl-1.0.1e-48.el6_8.4.s390x.rpm openssl-debuginfo-1.0.1e-48.el6_8.4.s390.rpm openssl-debuginfo-1.0.1e-48.el6_8.4.s390x.rpm openssl-devel-1.0.1e-48.el6_8.4.s390.rpm openssl-devel-1.0.1e-48.el6_8.4.s390x.rpm

x86_64: openssl-1.0.1e-48.el6_8.4.i686.rpm openssl-1.0.1e-48.el6_8.4.x86_64.rpm openssl-debuginfo-1.0.1e-48.el6_8.4.i686.rpm openssl-debuginfo-1.0.1e-48.el6_8.4.x86_64.rpm openssl-devel-1.0.1e-48.el6_8.4.i686.rpm openssl-devel-1.0.1e-48.el6_8.4.x86_64.rpm

Red Hat Enterprise Linux Server Optional (v. 6):

i386: openssl-debuginfo-1.0.1e-48.el6_8.4.i686.rpm openssl-perl-1.0.1e-48.el6_8.4.i686.rpm openssl-static-1.0.1e-48.el6_8.4.i686.rpm

ppc64: openssl-debuginfo-1.0.1e-48.el6_8.4.ppc64.rpm openssl-perl-1.0.1e-48.el6_8.4.ppc64.rpm openssl-static-1.0.1e-48.el6_8.4.ppc64.rpm

s390x: openssl-debuginfo-1.0.1e-48.el6_8.4.s390x.rpm openssl-perl-1.0.1e-48.el6_8.4.s390x.rpm openssl-static-1.0.1e-48.el6_8.4.s390x.rpm

x86_64: openssl-debuginfo-1.0.1e-48.el6_8.4.x86_64.rpm openssl-perl-1.0.1e-48.el6_8.4.x86_64.rpm openssl-static-1.0.1e-48.el6_8.4.x86_64.rpm

Red Hat Enterprise Linux Workstation (v. 6):

Source: openssl-1.0.1e-48.el6_8.4.src.rpm

i386: openssl-1.0.1e-48.el6_8.4.i686.rpm openssl-debuginfo-1.0.1e-48.el6_8.4.i686.rpm openssl-devel-1.0.1e-48.el6_8.4.i686.rpm

x86_64: openssl-1.0.1e-48.el6_8.4.i686.rpm openssl-1.0.1e-48.el6_8.4.x86_64.rpm openssl-debuginfo-1.0.1e-48.el6_8.4.i686.rpm openssl-debuginfo-1.0.1e-48.el6_8.4.x86_64.rpm openssl-devel-1.0.1e-48.el6_8.4.i686.rpm openssl-devel-1.0.1e-48.el6_8.4.x86_64.rpm

Red Hat Enterprise Linux Workstation Optional (v. 6):

i386: openssl-debuginfo-1.0.1e-48.el6_8.4.i686.rpm openssl-perl-1.0.1e-48.el6_8.4.i686.rpm openssl-static-1.0.1e-48.el6_8.4.i686.rpm

x86_64: openssl-debuginfo-1.0.1e-48.el6_8.4.x86_64.rpm openssl-perl-1.0.1e-48.el6_8.4.x86_64.rpm openssl-static-1.0.1e-48.el6_8.4.x86_64.rpm

Red Hat Enterprise Linux Client (v. 7):

Source: openssl-1.0.1e-60.el7_3.1.src.rpm

x86_64: openssl-1.0.1e-60.el7_3.1.x86_64.rpm openssl-debuginfo-1.0.1e-60.el7_3.1.i686.rpm openssl-debuginfo-1.0.1e-60.el7_3.1.x86_64.rpm openssl-libs-1.0.1e-60.el7_3.1.i686.rpm openssl-libs-1.0.1e-60.el7_3.1.x86_64.rpm

Red Hat Enterprise Linux Client Optional (v. 7):

x86_64: openssl-debuginfo-1.0.1e-60.el7_3.1.i686.rpm openssl-debuginfo-1.0.1e-60.el7_3.1.x86_64.rpm openssl-devel-1.0.1e-60.el7_3.1.i686.rpm openssl-devel-1.0.1e-60.el7_3.1.x86_64.rpm openssl-perl-1.0.1e-60.el7_3.1.x86_64.rpm openssl-static-1.0.1e-60.el7_3.1.i686.rpm openssl-static-1.0.1e-60.el7_3.1.x86_64.rpm

Red Hat Enterprise Linux ComputeNode (v. 7):

Source: openssl-1.0.1e-60.el7_3.1.src.rpm

x86_64: openssl-1.0.1e-60.el7_3.1.x86_64.rpm openssl-debuginfo-1.0.1e-60.el7_3.1.i686.rpm openssl-debuginfo-1.0.1e-60.el7_3.1.x86_64.rpm openssl-libs-1.0.1e-60.el7_3.1.i686.rpm openssl-libs-1.0.1e-60.el7_3.1.x86_64.rpm

Red Hat Enterprise Linux ComputeNode Optional (v. 7):

x86_64: openssl-debuginfo-1.0.1e-60.el7_3.1.i686.rpm openssl-debuginfo-1.0.1e-60.el7_3.1.x86_64.rpm openssl-devel-1.0.1e-60.el7_3.1.i686.rpm openssl-devel-1.0.1e-60.el7_3.1.x86_64.rpm openssl-perl-1.0.1e-60.el7_3.1.x86_64.rpm openssl-static-1.0.1e-60.el7_3.1.i686.rpm openssl-static-1.0.1e-60.el7_3.1.x86_64.rpm

Red Hat Enterprise Linux Server (v. 7):

Source: openssl-1.0.1e-60.el7_3.1.src.rpm

aarch64: openssl-1.0.1e-60.el7_3.1.aarch64.rpm openssl-debuginfo-1.0.1e-60.el7_3.1.aarch64.rpm openssl-devel-1.0.1e-60.el7_3.1.aarch64.rpm openssl-libs-1.0.1e-60.el7_3.1.aarch64.rpm

ppc64: openssl-1.0.1e-60.el7_3.1.ppc64.rpm openssl-debuginfo-1.0.1e-60.el7_3.1.ppc.rpm openssl-debuginfo-1.0.1e-60.el7_3.1.ppc64.rpm openssl-devel-1.0.1e-60.el7_3.1.ppc.rpm openssl-devel-1.0.1e-60.el7_3.1.ppc64.rpm openssl-libs-1.0.1e-60.el7_3.1.ppc.rpm openssl-libs-1.0.1e-60.el7_3.1.ppc64.rpm

ppc64le: openssl-1.0.1e-60.el7_3.1.ppc64le.rpm openssl-debuginfo-1.0.1e-60.el7_3.1.ppc64le.rpm openssl-devel-1.0.1e-60.el7_3.1.ppc64le.rpm openssl-libs-1.0.1e-60.el7_3.1.ppc64le.rpm

s390x: openssl-1.0.1e-60.el7_3.1.s390x.rpm openssl-debuginfo-1.0.1e-60.el7_3.1.s390.rpm openssl-debuginfo-1.0.1e-60.el7_3.1.s390x.rpm openssl-devel-1.0.1e-60.el7_3.1.s390.rpm openssl-devel-1.0.1e-60.el7_3.1.s390x.rpm openssl-libs-1.0.1e-60.el7_3.1.s390.rpm openssl-libs-1.0.1e-60.el7_3.1.s390x.rpm

x86_64: openssl-1.0.1e-60.el7_3.1.x86_64.rpm openssl-debuginfo-1.0.1e-60.el7_3.1.i686.rpm openssl-debuginfo-1.0.1e-60.el7_3.1.x86_64.rpm openssl-devel-1.0.1e-60.el7_3.1.i686.rpm openssl-devel-1.0.1e-60.el7_3.1.x86_64.rpm openssl-libs-1.0.1e-60.el7_3.1.i686.rpm openssl-libs-1.0.1e-60.el7_3.1.x86_64.rpm

Red Hat Enterprise Linux Server Optional (v. 7):

aarch64: openssl-debuginfo-1.0.1e-60.el7_3.1.aarch64.rpm openssl-perl-1.0.1e-60.el7_3.1.aarch64.rpm openssl-static-1.0.1e-60.el7_3.1.aarch64.rpm

ppc64: openssl-debuginfo-1.0.1e-60.el7_3.1.ppc.rpm openssl-debuginfo-1.0.1e-60.el7_3.1.ppc64.rpm openssl-perl-1.0.1e-60.el7_3.1.ppc64.rpm openssl-static-1.0.1e-60.el7_3.1.ppc.rpm openssl-static-1.0.1e-60.el7_3.1.ppc64.rpm

ppc64le: openssl-debuginfo-1.0.1e-60.el7_3.1.ppc64le.rpm openssl-perl-1.0.1e-60.el7_3.1.ppc64le.rpm openssl-static-1.0.1e-60.el7_3.1.ppc64le.rpm

s390x: openssl-debuginfo-1.0.1e-60.el7_3.1.s390.rpm openssl-debuginfo-1.0.1e-60.el7_3.1.s390x.rpm openssl-perl-1.0.1e-60.el7_3.1.s390x.rpm openssl-static-1.0.1e-60.el7_3.1.s390.rpm openssl-static-1.0.1e-60.el7_3.1.s390x.rpm

x86_64: openssl-debuginfo-1.0.1e-60.el7_3.1.i686.rpm openssl-debuginfo-1.0.1e-60.el7_3.1.x86_64.rpm openssl-perl-1.0.1e-60.el7_3.1.x86_64.rpm openssl-static-1.0.1e-60.el7_3.1.i686.rpm openssl-static-1.0.1e-60.el7_3.1.x86_64.rpm

Red Hat Enterprise Linux Workstation (v. 7):

Source: openssl-1.0.1e-60.el7_3.1.src.rpm

x86_64: openssl-1.0.1e-60.el7_3.1.x86_64.rpm openssl-debuginfo-1.0.1e-60.el7_3.1.i686.rpm openssl-debuginfo-1.0.1e-60.el7_3.1.x86_64.rpm openssl-devel-1.0.1e-60.el7_3.1.i686.rpm openssl-devel-1.0.1e-60.el7_3.1.x86_64.rpm openssl-libs-1.0.1e-60.el7_3.1.i686.rpm openssl-libs-1.0.1e-60.el7_3.1.x86_64.rpm

Red Hat Enterprise Linux Workstation Optional (v. 7):

x86_64: openssl-debuginfo-1.0.1e-60.el7_3.1.i686.rpm openssl-debuginfo-1.0.1e-60.el7_3.1.x86_64.rpm openssl-perl-1.0.1e-60.el7_3.1.x86_64.rpm openssl-static-1.0.1e-60.el7_3.1.i686.rpm openssl-static-1.0.1e-60.el7_3.1.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/

  1. References:

https://access.redhat.com/security/cve/CVE-2016-8610 https://access.redhat.com/security/cve/CVE-2017-3731 https://access.redhat.com/security/updates/classification/#moderate https://www.openssl.org/news/secadv/20170126.txt

  1. Contact:

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/

Copyright 2017 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1

iD8DBQFYqs1TXlSAg2UNWIIRAt7bAJ0ZCDFTFcNP3/qrBxA46aRJQAvxkACaA9Ak 1zK4rWazcUYTZw5zQhD4SXA= =I+Z7 -----END PGP SIGNATURE-----

-- RHSA-announce mailing list RHSA-announce@redhat.com https://www.redhat.com/mailman/listinfo/rhsa-announce . This software, such as Apache HTTP Server, is common to multiple JBoss middleware products, and is packaged under Red Hat JBoss Core Services to allow for faster distribution of updates, and for a more consistent update experience.

Security Fix(es):

  • A memory leak flaw was found in the way OpenSSL handled TLS status request extension data during session renegotiation. A remote attacker could cause a TLS server using OpenSSL to consume an excessive amount of memory and, possibly, exit unexpectedly after exhausting all available memory, if it enabled OCSP stapling support. (CVE-2016-6304)

  • It was discovered that the mod_session_crypto module of httpd did not use any mechanisms to verify integrity of the encrypted session data stored in the user's browser. (CVE-2016-0736)

  • It was discovered that the mod_auth_digest module of httpd did not properly check for memory allocation failures. (CVE-2016-2161)

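  • A timing attack flaw was found in OpenSSL that could allow a malicious user with local access to recover ECDSA P-256 private keys. (CVE-2016-7056)

  • A denial of service flaw was found in the way SSL/TLS handled malformed plain-text ALERT packets. (CVE-2016-8610)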

  • It was discovered that the HTTP parser in httpd incorrectly allowed certain characters not permitted by the HTTP protocol specification to appear unencoded in HTTP request headers. If httpd was used in conjunction with a proxy or backend server that interpreted those characters differently, a remote attacker could possibly use this flaw to inject data into HTTP responses, resulting in proxy cache poisoning. (CVE-2016-8743)

  • A vulnerability was found in httpd's handling of the LimitRequestFields directive in mod_http2, affecting servers with HTTP/2 enabled. (CVE-2016-8740)

Red Hat would like to thank the OpenSSL project for reporting CVE-2016-6304 and Shi Lei (Gear Team of Qihoo 360 Inc.) for reporting CVE-2016-8610. Upstream acknowledges Shi Lei (Gear Team of Qihoo 360 Inc.) as the original reporter of CVE-2016-6304. After installing the updated packages, the httpd daemon will be restarted automatically. Bugs fixed (https://bugzilla.redhat.com/):

1377600 - CVE-2016-6304 openssl: OCSP Status Request extension unbounded memory growth 1384743 - CVE-2016-8610 SSL/TLS: Malformed plain-text ALERT packets could cause remote DoS 1401528 - CVE-2016-8740 httpd: Incomplete handling of LimitRequestFields directive in mod_http2 1406744 - CVE-2016-0736 httpd: Padding Oracle in Apache mod_session_crypto 1406753 - CVE-2016-2161 httpd: DoS vulnerability in mod_auth_digest 1406822 - CVE-2016-8743 httpd: Apache HTTP Request Parsing Whitespace Defects 1412120 - CVE-2016-7056 openssl: ECDSA P-256 timing attack key recovery

  1. JIRA issues fixed (https://issues.jboss.org/):

JBCS-319 - Errata for httpd 2.4.23 SP1 RHEL 7

Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages (JSP) technologies. If sendfile processing completed quickly, it was possible for the Processor to be added to the processor cache twice. This could lead to invalid responses or information disclosure. (CVE-2017-5647)

  • A vulnerability was discovered in the error page mechanism in Tomcat's DefaultServlet implementation. A crafted HTTP request could cause undesired side effects, possibly including the removal or replacement of the custom error page. Solution:

Before applying the update, back up your existing Red Hat JBoss Web Server installation (including all applications and configuration files).

The References section of this erratum contains a download link (you must log in to download the update).

CVE-2016-8610

It was discovered that no limit was imposed on alert packets during
an SSL handshake.

CVE-2017-3731

Robert Swiecki discovered that the RC4-MD5 cipher when running on
32 bit systems could be forced into an out-of-bounds read, resulting
in denial of service.

For the stable distribution (jessie), these problems have been fixed in version 1.0.1t-1+deb8u6.

For the unstable distribution (sid), these problems have been fixed in version 1.1.0d-1 of the openssl source package and in version 1.0.2k-1 of the openssl1.0 source package.

We recommend that you upgrade your openssl packages. 6) - i386, x86_64

The following packages have been upgraded to a later upstream version: gnutls (2.12.23). (CVE-2016-8610)

  • Multiple flaws were found in the way gnutls processed OpenPGP certificates. An attacker could create specially crafted OpenPGP certificates which, when parsed by gnutls, would cause it to crash. Bugs fixed (https://bugzilla.redhat.com/):

1320982 - ASSERT failure in gnutls-cli-debug 1321112 - DHE_DSS ciphers don't work with client certificates and OpenSSL using TLSv1.2 1323215 - gnutls-serv --http crashes with client certificates with NSS client 1326073 - GnuTLS prefers SHA-1 signatures in TLSv1.2 1326389 - GnuTLS server does not accept SHA-384 and SHA-512 Certificate Verify signatures despite advertising support for them 1326886 - GnuTLS server rejects connections that do not advertise support for SHA-1 signature algorithms 1327656 - gnutls-serv: closing connection without sending an Alert message 1328205 - gnutls-cli won't send certificates that don't match hashes in Certificate Request 1333521 - Provide ability to set the expected server name in gnutls-serv utility 1335924 - gnutls: Disable TLS connections with less than 1024-bit DH parameters 1337460 - Disable/remove export ciphersuites in GnuTLS 1384743 - CVE-2016-8610 SSL/TLS: Malformed plain-text ALERT packets could cause remote DoS 1411836 - CVE-2017-5337 gnutls: Heap read overflow in read-packet.c 1412235 - CVE-2017-5335 gnutls: Out of memory while parsing crafted OpenPGP certificate 1412236 - CVE-2017-5336 gnutls: Stack overflow in cdk_pk_get_keyid 1415682 - Changes introduced by rebase to 2.12.23 break API and ABI compatibility for some libraries

Software Description: - gnutls28: GNU TLS library - gnutls26: GNU TLS library

Details:

Stefan Buehler discovered that GnuTLS incorrectly verified the serial length of OCSP responses. GnuTLS was also affected by the malformed plain-text ALERT packet denial of service tracked as CVE-2016-8610.

It was discovered that GnuTLS incorrectly decoded X.509 certificates with a Proxy Certificate Information extension. =========================================================================== Ubuntu Security Notice USN-3181-1 January 31, 2017

openssl vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 16.10
  • Ubuntu 16.04 LTS
  • Ubuntu 14.04 LTS
  • Ubuntu 12.04 LTS

Summary:

Several security issues were fixed in OpenSSL. This issue only applied to Ubuntu 12.04 LTS and Ubuntu 14.04 LTS as other releases were fixed in a previous security update. (CVE-2016-2177)

It was discovered that OpenSSL did not properly handle Montgomery multiplication, resulting in incorrect results leading to transient failures. This issue only applied to Ubuntu 16.04 LTS, and Ubuntu 16.10. (CVE-2016-7055)

It was discovered that OpenSSL did not properly use constant-time operations when performing ECDSA P-256 signing. This issue only applied to Ubuntu 12.04 LTS and Ubuntu 14.04 LTS. (CVE-2016-7056)

Shi Lei discovered that OpenSSL incorrectly handled certain warning alerts. (CVE-2016-8610)

Robert Święcki discovered that OpenSSL incorrectly handled certain truncated packets. (CVE-2017-3731)

It was discovered that OpenSSL incorrectly performed the x86_64 Montgomery squaring procedure. This issue only applied to Ubuntu 16.04 LTS, and Ubuntu 16.10. (CVE-2017-3732)

Update instructions:

The problem can be corrected by updating your system to the following package versions:

Ubuntu 16.10: libssl1.0.0 1.0.2g-1ubuntu9.1

Ubuntu 16.04 LTS: libssl1.0.0 1.0.2g-1ubuntu4.6

Ubuntu 14.04 LTS: libssl1.0.0 1.0.1f-1ubuntu2.22

Ubuntu 12.04 LTS: libssl1.0.0 1.0.1-4ubuntu5.39

After a standard system update you need to reboot your computer to make all the necessary changes.



{
   "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
      affected_products: {
         "@id": "https://www.variotdbs.pl/ref/affected_products",
      },
      configurations: {
         "@id": "https://www.variotdbs.pl/ref/configurations",
      },
      credits: {
         "@id": "https://www.variotdbs.pl/ref/credits",
      },
      cvss: {
         "@id": "https://www.variotdbs.pl/ref/cvss/",
      },
      description: {
         "@id": "https://www.variotdbs.pl/ref/description/",
      },
      exploit_availability: {
         "@id": "https://www.variotdbs.pl/ref/exploit_availability/",
      },
      external_ids: {
         "@id": "https://www.variotdbs.pl/ref/external_ids/",
      },
      iot: {
         "@id": "https://www.variotdbs.pl/ref/iot/",
      },
      iot_taxonomy: {
         "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/",
      },
      patch: {
         "@id": "https://www.variotdbs.pl/ref/patch/",
      },
      problemtype_data: {
         "@id": "https://www.variotdbs.pl/ref/problemtype_data/",
      },
      references: {
         "@id": "https://www.variotdbs.pl/ref/references/",
      },
      sources: {
         "@id": "https://www.variotdbs.pl/ref/sources/",
      },
      sources_release_date: {
         "@id": "https://www.variotdbs.pl/ref/sources_release_date/",
      },
      sources_update_date: {
         "@id": "https://www.variotdbs.pl/ref/sources_update_date/",
      },
      threat_type: {
         "@id": "https://www.variotdbs.pl/ref/threat_type/",
      },
      title: {
         "@id": "https://www.variotdbs.pl/ref/title/",
      },
      type: {
         "@id": "https://www.variotdbs.pl/ref/type/",
      },
   },
   "@id": "https://www.variotdbs.pl/vuln/VAR-201711-0007",
   affected_products: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/affected_products#",
         data: {
            "@container": "@list",
         },
         sources: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/ref/sources#",
            },
            "@id": "https://www.variotdbs.pl/ref/sources",
         },
      },
      data: [
         {
            model: "openssl",
            scope: "eq",
            trust: 1.6,
            vendor: "openssl",
            version: "1.0.1",
         },
         {
            model: "openssl",
            scope: "eq",
            trust: 1.6,
            vendor: "openssl",
            version: "0.9.8",
         },
         {
            model: "m10-4",
            scope: "lt",
            trust: 1,
            vendor: "fujitsu",
            version: "xcp2361",
         },
         {
            model: "core rdbms",
            scope: "eq",
            trust: 1,
            vendor: "oracle",
            version: "18c",
         },
         {
            model: "enterprise linux server",
            scope: "eq",
            trust: 1,
            vendor: "redhat",
            version: "7.0",
         },
         {
            model: "m12-1",
            scope: "lt",
            trust: 1,
            vendor: "fujitsu",
            version: "xcp2361",
         },
         {
            model: "pan-os",
            scope: "gte",
            trust: 1,
            vendor: "paloaltonetworks",
            version: "7.0.0",
         },
         {
            model: "service processor",
            scope: "eq",
            trust: 1,
            vendor: "netapp",
            version: null,
         },
         {
            model: "e-series santricity os controller",
            scope: "gte",
            trust: 1,
            vendor: "netapp",
            version: "11.0",
         },
         {
            model: "enterprise linux desktop",
            scope: "eq",
            trust: 1,
            vendor: "redhat",
            version: "6.0",
         },
         {
            model: "m12-1",
            scope: "lt",
            trust: 1,
            vendor: "fujitsu",
            version: "xcp3070",
         },
         {
            model: "linux",
            scope: "eq",
            trust: 1,
            vendor: "debian",
            version: "8.0",
         },
         {
            model: "peoplesoft enterprise peopletools",
            scope: "eq",
            trust: 1,
            vendor: "oracle",
            version: "8.58",
         },
         {
            model: "oncommand balance",
            scope: "eq",
            trust: 1,
            vendor: "netapp",
            version: null,
         },
         {
            model: "oncommand workflow automation",
            scope: "eq",
            trust: 1,
            vendor: "netapp",
            version: null,
         },
         {
            model: "m12-2s",
            scope: "lt",
            trust: 1,
            vendor: "fujitsu",
            version: "xcp3070",
         },
         {
            model: "jboss enterprise application platform",
            scope: "eq",
            trust: 1,
            vendor: "redhat",
            version: "6.0.0",
         },
         {
            model: "jboss enterprise application platform",
            scope: "eq",
            trust: 1,
            vendor: "redhat",
            version: "6.4.0",
         },
         {
            model: "host agent",
            scope: "eq",
            trust: 1,
            vendor: "netapp",
            version: null,
         },
         {
            model: "enterprise linux server eus",
            scope: "eq",
            trust: 1,
            vendor: "redhat",
            version: "7.3",
         },
         {
            model: "clustered data ontap antivirus connector",
            scope: "eq",
            trust: 1,
            vendor: "netapp",
            version: null,
         },
         {
            model: "enterprise linux workstation",
            scope: "eq",
            trust: 1,
            vendor: "redhat",
            version: "7.0",
         },
         {
            model: "storagegrid webscale",
            scope: "eq",
            trust: 1,
            vendor: "netapp",
            version: null,
         },
         {
            model: "oncommand unified manager",
            scope: "eq",
            trust: 1,
            vendor: "netapp",
            version: null,
         },
         {
            model: "pan-os",
            scope: "gte",
            trust: 1,
            vendor: "paloaltonetworks",
            version: "7.1.0",
         },
         {
            model: "communications ip service activator",
            scope: "eq",
            trust: 1,
            vendor: "oracle",
            version: "7.4.0",
         },
         {
            model: "m10-4s",
            scope: "lt",
            trust: 1,
            vendor: "fujitsu",
            version: "xcp3070",
         },
         {
            model: "pan-os",
            scope: "lte",
            trust: 1,
            vendor: "paloaltonetworks",
            version: "6.1.17",
         },
         {
            model: "weblogic server",
            scope: "eq",
            trust: 1,
            vendor: "oracle",
            version: "12.2.1.3.0",
         },
         {
            model: "weblogic server",
            scope: "eq",
            trust: 1,
            vendor: "oracle",
            version: "12.2.1.4.0",
         },
         {
            model: "enterprise linux server tus",
            scope: "eq",
            trust: 1,
            vendor: "redhat",
            version: "7.3",
         },
         {
            model: "m10-4",
            scope: "gte",
            trust: 1,
            vendor: "fujitsu",
            version: "xcp3000",
         },
         {
            model: "timesten in-memory database",
            scope: "lt",
            trust: 1,
            vendor: "oracle",
            version: "18.1.4.1.0",
         },
         {
            model: "enterprise linux server eus",
            scope: "eq",
            trust: 1,
            vendor: "redhat",
            version: "7.6",
         },
         {
            model: "enterprise linux server eus",
            scope: "eq",
            trust: 1,
            vendor: "redhat",
            version: "7.4",
         },
         {
            model: "snapcenter server",
            scope: "eq",
            trust: 1,
            vendor: "netapp",
            version: null,
         },
         {
            model: "weblogic server",
            scope: "eq",
            trust: 1,
            vendor: "oracle",
            version: "10.3.6.0.0",
         },
         {
            model: "retail predictive application server",
            scope: "eq",
            trust: 1,
            vendor: "oracle",
            version: "16.0.3",
         },
         {
            model: "enterprise linux server eus",
            scope: "eq",
            trust: 1,
            vendor: "redhat",
            version: "7.5",
         },
         {
            model: "enterprise linux server",
            scope: "eq",
            trust: 1,
            vendor: "redhat",
            version: "6.0",
         },
         {
            model: "m12-2",
            scope: "lt",
            trust: 1,
            vendor: "fujitsu",
            version: "xcp2361",
         },
         {
            model: "enterprise linux server tus",
            scope: "eq",
            trust: 1,
            vendor: "redhat",
            version: "7.6",
         },
         {
            model: "m10-4",
            scope: "lt",
            trust: 1,
            vendor: "fujitsu",
            version: "xcp3070",
         },
         {
            model: "clustered data ontap",
            scope: "eq",
            trust: 1,
            vendor: "netapp",
            version: null,
         },
         {
            model: "retail predictive application server",
            scope: "eq",
            trust: 1,
            vendor: "oracle",
            version: "15.0.3",
         },
         {
            model: "data ontap edge",
            scope: "eq",
            trust: 1,
            vendor: "netapp",
            version: null,
         },
         {
            model: "storagegrid",
            scope: "eq",
            trust: 1,
            vendor: "netapp",
            version: null,
         },
         {
            model: "core rdbms",
            scope: "eq",
            trust: 1,
            vendor: "oracle",
            version: "12.2.0.1",
         },
         {
            model: "peoplesoft enterprise peopletools",
            scope: "eq",
            trust: 1,
            vendor: "oracle",
            version: "8.56",
         },
         {
            model: "peoplesoft enterprise peopletools",
            scope: "eq",
            trust: 1,
            vendor: "oracle",
            version: "8.57",
         },
         {
            model: "core rdbms",
            scope: "eq",
            trust: 1,
            vendor: "oracle",
            version: "11.2.0.4",
         },
         {
            model: "enterprise manager ops center",
            scope: "eq",
            trust: 1,
            vendor: "oracle",
            version: "12.4.0",
         },
         {
            model: "m12-1",
            scope: "gte",
            trust: 1,
            vendor: "fujitsu",
            version: "xcp3000",
         },
         {
            model: "m12-2",
            scope: "lt",
            trust: 1,
            vendor: "fujitsu",
            version: "xcp3070",
         },
         {
            model: "m12-2",
            scope: "gte",
            trust: 1,
            vendor: "fujitsu",
            version: "xcp3000",
         },
         {
            model: "core rdbms",
            scope: "eq",
            trust: 1,
            vendor: "oracle",
            version: "19c",
         },
         {
            model: "openssl",
            scope: "eq",
            trust: 1,
            vendor: "openssl",
            version: "1.1.0",
         },
         {
            model: "data ontap",
            scope: "eq",
            trust: 1,
            vendor: "netapp",
            version: null,
         },
         {
            model: "enterprise linux desktop",
            scope: "eq",
            trust: 1,
            vendor: "redhat",
            version: "7.0",
         },
         {
            model: "m12-2s",
            scope: "lt",
            trust: 1,
            vendor: "fujitsu",
            version: "xcp2361",
         },
         {
            model: "m12-2s",
            scope: "gte",
            trust: 1,
            vendor: "fujitsu",
            version: "xcp3000",
         },
         {
            model: "enterprise linux server aus",
            scope: "eq",
            trust: 1,
            vendor: "redhat",
            version: "7.3",
         },
         {
            model: "core rdbms",
            scope: "eq",
            trust: 1,
            vendor: "oracle",
            version: "12.1.0.2",
         },
         {
            model: "cn1610",
            scope: "eq",
            trust: 1,
            vendor: "netapp",
            version: null,
         },
         {
            model: "smi-s provider",
            scope: "eq",
            trust: 1,
            vendor: "netapp",
            version: null,
         },
         {
            model: "enterprise linux workstation",
            scope: "eq",
            trust: 1,
            vendor: "redhat",
            version: "6.0",
         },
         {
            model: "openssl",
            scope: "gte",
            trust: 1,
            vendor: "openssl",
            version: "1.0.2",
         },
         {
            model: "m10-1",
            scope: "lt",
            trust: 1,
            vendor: "fujitsu",
            version: "xcp2361",
         },
         {
            model: "m10-4s",
            scope: "lt",
            trust: 1,
            vendor: "fujitsu",
            version: "xcp2361",
         },
         {
            model: "m10-4s",
            scope: "gte",
            trust: 1,
            vendor: "fujitsu",
            version: "xcp3000",
         },
         {
            model: "snapdrive",
            scope: "eq",
            trust: 1,
            vendor: "netapp",
            version: null,
         },
         {
            model: "pan-os",
            scope: "lte",
            trust: 1,
            vendor: "paloaltonetworks",
            version: "7.0.15",
         },
         {
            model: "e-series santricity os controller",
            scope: "lte",
            trust: 1,
            vendor: "netapp",
            version: "11.40",
         },
         {
            model: "goldengate application adapters",
            scope: "eq",
            trust: 1,
            vendor: "oracle",
            version: "12.3.2.1.0",
         },
         {
            model: "adaptive access manager",
            scope: "eq",
            trust: 1,
            vendor: "oracle",
            version: "11.1.2.3.0",
         },
         {
            model: "pan-os",
            scope: "lte",
            trust: 1,
            vendor: "paloaltonetworks",
            version: "7.1.10",
         },
         {
            model: "application testing suite",
            scope: "eq",
            trust: 1,
            vendor: "oracle",
            version: "13.3.0.1",
         },
         {
            model: "m10-1",
            scope: "lt",
            trust: 1,
            vendor: "fujitsu",
            version: "xcp3070",
         },
         {
            model: "m10-1",
            scope: "gte",
            trust: 1,
            vendor: "fujitsu",
            version: "xcp3000",
         },
         {
            model: "enterprise linux server aus",
            scope: "eq",
            trust: 1,
            vendor: "redhat",
            version: "7.6",
         },
         {
            model: "weblogic server",
            scope: "eq",
            trust: 1,
            vendor: "oracle",
            version: "12.1.3.0.0",
         },
         {
            model: "openssl",
            scope: "lte",
            trust: 1,
            vendor: "openssl",
            version: "1.0.2h",
         },
         {
            model: "enterprise linux server aus",
            scope: "eq",
            trust: 1,
            vendor: "redhat",
            version: "7.4",
         },
         {
            model: "jd edwards enterpriseone tools",
            scope: "eq",
            trust: 1,
            vendor: "oracle",
            version: "9.2",
         },
         {
            model: "ontap select deploy",
            scope: "eq",
            trust: 1,
            vendor: "netapp",
            version: null,
         },
         {
            model: "communications analytics",
            scope: "eq",
            trust: 1,
            vendor: "oracle",
            version: "12.1.1",
         },
         {
            model: "enterprise manager ops center",
            scope: "eq",
            trust: 1,
            vendor: "oracle",
            version: "12.3.3",
         },
         {
            model: "communications ip service activator",
            scope: "eq",
            trust: 1,
            vendor: "oracle",
            version: "7.3.4",
         },
         {
            model: "openssl",
            scope: "eq",
            trust: 0.6,
            vendor: "openssl",
            version: "1.0.2b",
         },
         {
            model: "openssl",
            scope: "eq",
            trust: 0.6,
            vendor: "openssl",
            version: "1.0.2",
         },
         {
            model: "openssl",
            scope: "eq",
            trust: 0.6,
            vendor: "openssl",
            version: "1.0.2a",
         },
         {
            model: "openssl",
            scope: "eq",
            trust: 0.6,
            vendor: "openssl",
            version: "1.0.2c",
         },
         {
            model: "openssl",
            scope: "eq",
            trust: 0.6,
            vendor: "openssl",
            version: "1.0.2d",
         },
         {
            model: "linux",
            scope: "eq",
            trust: 0.3,
            vendor: "ubuntu",
            version: "16.10",
         },
         {
            model: "linux lts",
            scope: "eq",
            trust: 0.3,
            vendor: "ubuntu",
            version: "16.04",
         },
         {
            model: "linux lts",
            scope: "eq",
            trust: 0.3,
            vendor: "ubuntu",
            version: "14.04",
         },
         {
            model: "linux lts i386",
            scope: "eq",
            trust: 0.3,
            vendor: "ubuntu",
            version: "12.04",
         },
         {
            model: "linux lts amd64",
            scope: "eq",
            trust: 0.3,
            vendor: "ubuntu",
            version: "12.04",
         },
         {
            model: "jboss web server",
            scope: "eq",
            trust: 0.3,
            vendor: "redhat",
            version: "0",
         },
         {
            model: "jboss core services on rhel server",
            scope: "eq",
            trust: 0.3,
            vendor: "redhat",
            version: "70",
         },
         {
            model: "jboss core services on rhel server",
            scope: "eq",
            trust: 0.3,
            vendor: "redhat",
            version: "60",
         },
         {
            model: "pan-os",
            scope: "eq",
            trust: 0.3,
            vendor: "paloaltonetworks",
            version: "7.1",
         },
         {
            model: "pan-os",
            scope: "eq",
            trust: 0.3,
            vendor: "paloaltonetworks",
            version: "7.0.15",
         },
         {
            model: "pan-os",
            scope: "eq",
            trust: 0.3,
            vendor: "paloaltonetworks",
            version: "7.0.14",
         },
         {
            model: "pan-os",
            scope: "eq",
            trust: 0.3,
            vendor: "paloaltonetworks",
            version: "7.0.13",
         },
         {
            model: "pan-os",
            scope: "eq",
            trust: 0.3,
            vendor: "paloaltonetworks",
            version: "7.0.12",
         },
         {
            model: "pan-os",
            scope: "eq",
            trust: 0.3,
            vendor: "paloaltonetworks",
            version: "7.0.11",
         },
         {
            model: "pan-os",
            scope: "eq",
            trust: 0.3,
            vendor: "paloaltonetworks",
            version: "7.0.10",
         },
         {
            model: "pan-os",
            scope: "eq",
            trust: 0.3,
            vendor: "paloaltonetworks",
            version: "7.0.5",
         },
         {
            model: "pan-os",
            scope: "eq",
            trust: 0.3,
            vendor: "paloaltonetworks",
            version: "7.0.4",
         },
         {
            model: "pan-os",
            scope: "eq",
            trust: 0.3,
            vendor: "paloaltonetworks",
            version: "7.0.1",
         },
         {
            model: "pan-os",
            scope: "eq",
            trust: 0.3,
            vendor: "paloaltonetworks",
            version: "7.0",
         },
         {
            model: "pan-os",
            scope: "eq",
            trust: 0.3,
            vendor: "paloaltonetworks",
            version: "7.0.9",
         },
         {
            model: "pan-os",
            scope: "eq",
            trust: 0.3,
            vendor: "paloaltonetworks",
            version: "7.0.8",
         },
         {
            model: "pan-os",
            scope: "eq",
            trust: 0.3,
            vendor: "paloaltonetworks",
            version: "7.0.7",
         },
         {
            model: "pan-os",
            scope: "eq",
            trust: 0.3,
            vendor: "paloaltonetworks",
            version: "6.1",
         },
         {
            model: "enterprise linux",
            scope: "eq",
            trust: 0.3,
            vendor: "oracle",
            version: "7",
         },
         {
            model: "project openssl",
            scope: "eq",
            trust: 0.3,
            vendor: "openssl",
            version: "1.1",
         },
         {
            model: "project openssl",
            scope: "eq",
            trust: 0.3,
            vendor: "openssl",
            version: "1.0.2",
         },
         {
            model: "project openssl k",
            scope: "eq",
            trust: 0.3,
            vendor: "openssl",
            version: "0.9.8",
         },
         {
            model: "project openssl j",
            scope: "eq",
            trust: 0.3,
            vendor: "openssl",
            version: "0.9.8",
         },
         {
            model: "project openssl i",
            scope: "eq",
            trust: 0.3,
            vendor: "openssl",
            version: "0.9.8",
         },
         {
            model: "project openssl h",
            scope: "eq",
            trust: 0.3,
            vendor: "openssl",
            version: "0.9.8",
         },
         {
            model: "project openssl e",
            scope: "eq",
            trust: 0.3,
            vendor: "openssl",
            version: "0.9.8",
         },
         {
            model: "project openssl d",
            scope: "eq",
            trust: 0.3,
            vendor: "openssl",
            version: "0.9.8",
         },
         {
            model: "project openssl c",
            scope: "eq",
            trust: 0.3,
            vendor: "openssl",
            version: "0.9.8",
         },
         {
            model: "project openssl b",
            scope: "eq",
            trust: 0.3,
            vendor: "openssl",
            version: "0.9.8",
         },
         {
            model: "project openssl a",
            scope: "eq",
            trust: 0.3,
            vendor: "openssl",
            version: "0.9.8",
         },
         {
            model: "project openssl",
            scope: "eq",
            trust: 0.3,
            vendor: "openssl",
            version: "0.9.8",
         },
         {
            model: "project openssl 1.0.2h",
            scope: null,
            trust: 0.3,
            vendor: "openssl",
            version: null,
         },
         {
            model: "project openssl 1.0.2g",
            scope: null,
            trust: 0.3,
            vendor: "openssl",
            version: null,
         },
         {
            model: "project openssl 1.0.2f",
            scope: null,
            trust: 0.3,
            vendor: "openssl",
            version: null,
         },
         {
            model: "project openssl 1.0.2e",
            scope: null,
            trust: 0.3,
            vendor: "openssl",
            version: null,
         },
         {
            model: "project openssl 1.0.2d",
            scope: null,
            trust: 0.3,
            vendor: "openssl",
            version: null,
         },
         {
            model: "project openssl 1.0.2c",
            scope: null,
            trust: 0.3,
            vendor: "openssl",
            version: null,
         },
         {
            model: "project openssl 1.0.2b",
            scope: null,
            trust: 0.3,
            vendor: "openssl",
            version: null,
         },
         {
            model: "project openssl 1.0.2a",
            scope: null,
            trust: 0.3,
            vendor: "openssl",
            version: null,
         },
         {
            model: "project openssl 1.0.1u",
            scope: null,
            trust: 0.3,
            vendor: "openssl",
            version: null,
         },
         {
            model: "project openssl 1.0.1t",
            scope: null,
            trust: 0.3,
            vendor: "openssl",
            version: null,
         },
         {
            model: "project openssl 1.0.1s",
            scope: null,
            trust: 0.3,
            vendor: "openssl",
            version: null,
         },
         {
            model: "project openssl 1.0.1r",
            scope: null,
            trust: 0.3,
            vendor: "openssl",
            version: null,
         },
         {
            model: "project openssl 1.0.1q",
            scope: null,
            trust: 0.3,
            vendor: "openssl",
            version: null,
         },
         {
            model: "project openssl 1.0.1p",
            scope: null,
            trust: 0.3,
            vendor: "openssl",
            version: null,
         },
         {
            model: "project openssl 1.0.1o",
            scope: null,
            trust: 0.3,
            vendor: "openssl",
            version: null,
         },
         {
            model: "project openssl 1.0.1n",
            scope: null,
            trust: 0.3,
            vendor: "openssl",
            version: null,
         },
         {
            model: "project openssl 1.0.1m",
            scope: null,
            trust: 0.3,
            vendor: "openssl",
            version: null,
         },
         {
            model: "project openssl 1.0.1l",
            scope: null,
            trust: 0.3,
            vendor: "openssl",
            version: null,
         },
         {
            model: "project openssl 1.0.1k",
            scope: null,
            trust: 0.3,
            vendor: "openssl",
            version: null,
         },
         {
            model: "project openssl 1.0.1j",
            scope: null,
            trust: 0.3,
            vendor: "openssl",
            version: null,
         },
         {
            model: "project openssl 1.0.1i",
            scope: null,
            trust: 0.3,
            vendor: "openssl",
            version: null,
         },
         {
            model: "project openssl 1.0.1h",
            scope: null,
            trust: 0.3,
            vendor: "openssl",
            version: null,
         },
         {
            model: "project openssl 1.0.1g",
            scope: null,
            trust: 0.3,
            vendor: "openssl",
            version: null,
         },
         {
            model: "project openssl 1.0.1f",
            scope: null,
            trust: 0.3,
            vendor: "openssl",
            version: null,
         },
         {
            model: "project openssl 1.0.1e",
            scope: null,
            trust: 0.3,
            vendor: "openssl",
            version: null,
         },
         {
            model: "project openssl 1.0.1d",
            scope: null,
            trust: 0.3,
            vendor: "openssl",
            version: null,
         },
         {
            model: "project openssl 1.0.1c",
            scope: null,
            trust: 0.3,
            vendor: "openssl",
            version: null,
         },
         {
            model: "project openssl 1.0.1b",
            scope: null,
            trust: 0.3,
            vendor: "openssl",
            version: null,
         },
         {
            model: "project openssl 1.0.1a",
            scope: null,
            trust: 0.3,
            vendor: "openssl",
            version: null,
         },
         {
            model: "project openssl",
            scope: "eq",
            trust: 0.3,
            vendor: "openssl",
            version: "1.0.1",
         },
         {
            model: "project openssl 0.9.8zh",
            scope: null,
            trust: 0.3,
            vendor: "openssl",
            version: null,
         },
         {
            model: "project openssl 0.9.8zg",
            scope: null,
            trust: 0.3,
            vendor: "openssl",
            version: null,
         },
         {
            model: "project openssl 0.9.8zf",
            scope: null,
            trust: 0.3,
            vendor: "openssl",
            version: null,
         },
         {
            model: "project openssl 0.9.8ze",
            scope: null,
            trust: 0.3,
            vendor: "openssl",
            version: null,
         },
         {
            model: "project openssl 0.9.8zd",
            scope: null,
            trust: 0.3,
            vendor: "openssl",
            version: null,
         },
         {
            model: "project openssl 0.9.8zc",
            scope: null,
            trust: 0.3,
            vendor: "openssl",
            version: null,
         },
         {
            model: "project openssl 0.9.8zb",
            scope: null,
            trust: 0.3,
            vendor: "openssl",
            version: null,
         },
         {
            model: "project openssl 0.9.8za",
            scope: null,
            trust: 0.3,
            vendor: "openssl",
            version: null,
         },
         {
            model: "project openssl 0.9.8y",
            scope: null,
            trust: 0.3,
            vendor: "openssl",
            version: null,
         },
         {
            model: "project openssl",
            scope: "eq",
            trust: 0.3,
            vendor: "openssl",
            version: "0.9.8x",
         },
         {
            model: "project openssl 0.9.8w",
            scope: null,
            trust: 0.3,
            vendor: "openssl",
            version: null,
         },
         {
            model: "project openssl 0.9.8u",
            scope: null,
            trust: 0.3,
            vendor: "openssl",
            version: null,
         },
         {
            model: "project openssl 0.9.8t",
            scope: null,
            trust: 0.3,
            vendor: "openssl",
            version: null,
         },
         {
            model: "project openssl 0.9.8s",
            scope: null,
            trust: 0.3,
            vendor: "openssl",
            version: null,
         },
         {
            model: "project openssl 0.9.8r",
            scope: null,
            trust: 0.3,
            vendor: "openssl",
            version: null,
         },
         {
            model: "project openssl 0.9.8q",
            scope: null,
            trust: 0.3,
            vendor: "openssl",
            version: null,
         },
         {
            model: "project openssl 0.9.8p",
            scope: null,
            trust: 0.3,
            vendor: "openssl",
            version: null,
         },
         {
            model: "project openssl 0.9.8o",
            scope: null,
            trust: 0.3,
            vendor: "openssl",
            version: null,
         },
         {
            model: "project openssl 0.9.8n",
            scope: null,
            trust: 0.3,
            vendor: "openssl",
            version: null,
         },
         {
            model: "project openssl 0.9.8m",
            scope: null,
            trust: 0.3,
            vendor: "openssl",
            version: null,
         },
         {
            model: "project openssl 0.9.8l",
            scope: null,
            trust: 0.3,
            vendor: "openssl",
            version: null,
         },
         {
            model: "project openssl 0.9.8g",
            scope: null,
            trust: 0.3,
            vendor: "openssl",
            version: null,
         },
         {
            model: "project openssl 0.9.8f",
            scope: null,
            trust: 0.3,
            vendor: "openssl",
            version: null,
         },
         {
            model: "project openssl f",
            scope: "eq",
            trust: 0.3,
            vendor: "openssl",
            version: "0.9.8",
         },
         {
            model: "project openssl",
            scope: "eq",
            trust: 0.3,
            vendor: "openssl",
            version: "0.9.8v",
         },
         {
            model: "vios",
            scope: "eq",
            trust: 0.3,
            vendor: "ibm",
            version: "2.2",
         },
         {
            model: "sterling connect:direct for unix",
            scope: "eq",
            trust: 0.3,
            vendor: "ibm",
            version: "4.1",
         },
         {
            model: "netezza host management",
            scope: "eq",
            trust: 0.3,
            vendor: "ibm",
            version: "5.4.4",
         },
         {
            model: "netezza host management",
            scope: "eq",
            trust: 0.3,
            vendor: "ibm",
            version: "5.4.3",
         },
         {
            model: "netezza host management",
            scope: "eq",
            trust: 0.3,
            vendor: "ibm",
            version: "5.4.8.0",
         },
         {
            model: "netezza host management",
            scope: "eq",
            trust: 0.3,
            vendor: "ibm",
            version: "5.4.6.0",
         },
         {
            model: "netezza host management",
            scope: "eq",
            trust: 0.3,
            vendor: "ibm",
            version: "5.3.9.0",
         },
         {
            model: "netezza host management",
            scope: "eq",
            trust: 0.3,
            vendor: "ibm",
            version: "5.3.8.0",
         },
         {
            model: "netezza host management",
            scope: "eq",
            trust: 0.3,
            vendor: "ibm",
            version: "5.3.7.0",
         },
         {
            model: "netezza host management",
            scope: "eq",
            trust: 0.3,
            vendor: "ibm",
            version: "5.3.6.0",
         },
         {
            model: "netezza host management",
            scope: "eq",
            trust: 0.3,
            vendor: "ibm",
            version: "5.3.3",
         },
         {
            model: "netezza host management",
            scope: "eq",
            trust: 0.3,
            vendor: "ibm",
            version: "5.3.2.0",
         },
         {
            model: "netezza host management",
            scope: "eq",
            trust: 0.3,
            vendor: "ibm",
            version: "5.3.10.0",
         },
         {
            model: "netezza host management",
            scope: "eq",
            trust: 0.3,
            vendor: "ibm",
            version: "4.2.0.0",
         },
         {
            model: "datapower gateways",
            scope: "eq",
            trust: 0.3,
            vendor: "ibm",
            version: "7.0",
         },
         {
            model: "datapower gateways",
            scope: "eq",
            trust: 0.3,
            vendor: "ibm",
            version: "7.5.2.1",
         },
         {
            model: "datapower gateways",
            scope: "eq",
            trust: 0.3,
            vendor: "ibm",
            version: "7.5.2.0",
         },
         {
            model: "datapower gateways",
            scope: "eq",
            trust: 0.3,
            vendor: "ibm",
            version: "7.5.1.3",
         },
         {
            model: "datapower gateways",
            scope: "eq",
            trust: 0.3,
            vendor: "ibm",
            version: "7.5.1.2",
         },
         {
            model: "datapower gateways",
            scope: "eq",
            trust: 0.3,
            vendor: "ibm",
            version: "7.5.1.1",
         },
         {
            model: "datapower gateways",
            scope: "eq",
            trust: 0.3,
            vendor: "ibm",
            version: "7.5.1.0",
         },
         {
            model: "datapower gateways",
            scope: "eq",
            trust: 0.3,
            vendor: "ibm",
            version: "7.5.0.4",
         },
         {
            model: "datapower gateways",
            scope: "eq",
            trust: 0.3,
            vendor: "ibm",
            version: "7.5.0.3",
         },
         {
            model: "datapower gateways",
            scope: "eq",
            trust: 0.3,
            vendor: "ibm",
            version: "7.5.0.2",
         },
         {
            model: "datapower gateways",
            scope: "eq",
            trust: 0.3,
            vendor: "ibm",
            version: "7.5.0.1",
         },
         {
            model: "datapower gateways",
            scope: "eq",
            trust: 0.3,
            vendor: "ibm",
            version: "7.5.0.0",
         },
         {
            model: "datapower gateways",
            scope: "eq",
            trust: 0.3,
            vendor: "ibm",
            version: "7.2.0.9",
         },
         {
            model: "datapower gateways",
            scope: "eq",
            trust: 0.3,
            vendor: "ibm",
            version: "7.2.0.8",
         },
         {
            model: "datapower gateways",
            scope: "eq",
            trust: 0.3,
            vendor: "ibm",
            version: "7.2.0.6",
         },
         {
            model: "datapower gateways",
            scope: "eq",
            trust: 0.3,
            vendor: "ibm",
            version: "7.2.0.5",
         },
         {
            model: "datapower gateways",
            scope: "eq",
            trust: 0.3,
            vendor: "ibm",
            version: "7.2.0.4",
         },
         {
            model: "datapower gateways",
            scope: "eq",
            trust: 0.3,
            vendor: "ibm",
            version: "7.2.0.3",
         },
         {
            model: "datapower gateways",
            scope: "eq",
            trust: 0.3,
            vendor: "ibm",
            version: "7.2.0.2",
         },
         {
            model: "datapower gateways",
            scope: "eq",
            trust: 0.3,
            vendor: "ibm",
            version: "7.2.0.10",
         },
         {
            model: "datapower gateways",
            scope: "eq",
            trust: 0.3,
            vendor: "ibm",
            version: "7.2.0.1",
         },
         {
            model: "datapower gateways",
            scope: "eq",
            trust: 0.3,
            vendor: "ibm",
            version: "7.2.0.0",
         },
         {
            model: "datapower gateways",
            scope: "eq",
            trust: 0.3,
            vendor: "ibm",
            version: "7.1.0.9",
         },
         {
            model: "datapower gateways",
            scope: "eq",
            trust: 0.3,
            vendor: "ibm",
            version: "7.1.0.8",
         },
         {
            model: "datapower gateways",
            scope: "eq",
            trust: 0.3,
            vendor: "ibm",
            version: "7.1.0.7",
         },
         {
            model: "datapower gateways",
            scope: "eq",
            trust: 0.3,
            vendor: "ibm",
            version: "7.1.0.6",
         },
         {
            model: "datapower gateways",
            scope: "eq",
            trust: 0.3,
            vendor: "ibm",
            version: "7.1.0.5",
         },
         {
            model: "datapower gateways",
            scope: "eq",
            trust: 0.3,
            vendor: "ibm",
            version: "7.1.0.13",
         },
         {
            model: "datapower gateways",
            scope: "eq",
            trust: 0.3,
            vendor: "ibm",
            version: "7.1.0.12",
         },
         {
            model: "datapower gateways",
            scope: "eq",
            trust: 0.3,
            vendor: "ibm",
            version: "7.1.0.11",
         },
         {
            model: "datapower gateways",
            scope: "eq",
            trust: 0.3,
            vendor: "ibm",
            version: "7.1.0.10",
         },
         {
            model: "datapower gateways",
            scope: "eq",
            trust: 0.3,
            vendor: "ibm",
            version: "7.1.0.0",
         },
         {
            model: "datapower gateways",
            scope: "eq",
            trust: 0.3,
            vendor: "ibm",
            version: "7.0.0.9",
         },
         {
            model: "datapower gateways",
            scope: "eq",
            trust: 0.3,
            vendor: "ibm",
            version: "7.0.0.8",
         },
         {
            model: "datapower gateways",
            scope: "eq",
            trust: 0.3,
            vendor: "ibm",
            version: "7.0.0.16",
         },
         {
            model: "datapower gateways",
            scope: "eq",
            trust: 0.3,
            vendor: "ibm",
            version: "7.0.0.15",
         },
         {
            model: "datapower gateways",
            scope: "eq",
            trust: 0.3,
            vendor: "ibm",
            version: "7.0.0.14",
         },
         {
            model: "datapower gateways",
            scope: "eq",
            trust: 0.3,
            vendor: "ibm",
            version: "7.0.0.13",
         },
         {
            model: "datapower gateways",
            scope: "eq",
            trust: 0.3,
            vendor: "ibm",
            version: "7.0.0.12",
         },
         {
            model: "datapower gateways",
            scope: "eq",
            trust: 0.3,
            vendor: "ibm",
            version: "7.0.0.11",
         },
         {
            model: "datapower gateways",
            scope: "eq",
            trust: 0.3,
            vendor: "ibm",
            version: "7.0.0.10",
         },
         {
            model: "aix",
            scope: "eq",
            trust: 0.3,
            vendor: "ibm",
            version: "7.2",
         },
         {
            model: "aix",
            scope: "eq",
            trust: 0.3,
            vendor: "ibm",
            version: "7.1",
         },
         {
            model: "aix",
            scope: "eq",
            trust: 0.3,
            vendor: "ibm",
            version: "6.1",
         },
         {
            model: "aix",
            scope: "eq",
            trust: 0.3,
            vendor: "ibm",
            version: "5.3",
         },
         {
            model: "linux sparc",
            scope: "eq",
            trust: 0.3,
            vendor: "debian",
            version: "6.0",
         },
         {
            model: "linux s/390",
            scope: "eq",
            trust: 0.3,
            vendor: "debian",
            version: "6.0",
         },
         {
            model: "linux powerpc",
            scope: "eq",
            trust: 0.3,
            vendor: "debian",
            version: "6.0",
         },
         {
            model: "linux mips",
            scope: "eq",
            trust: 0.3,
            vendor: "debian",
            version: "6.0",
         },
         {
            model: "linux ia-64",
            scope: "eq",
            trust: 0.3,
            vendor: "debian",
            version: "6.0",
         },
         {
            model: "linux ia-32",
            scope: "eq",
            trust: 0.3,
            vendor: "debian",
            version: "6.0",
         },
         {
            model: "linux arm",
            scope: "eq",
            trust: 0.3,
            vendor: "debian",
            version: "6.0",
         },
         {
            model: "linux amd64",
            scope: "eq",
            trust: 0.3,
            vendor: "debian",
            version: "6.0",
         },
         {
            model: "centos",
            scope: "eq",
            trust: 0.3,
            vendor: "centos",
            version: "6",
         },
         {
            model: "pan-os",
            scope: "ne",
            trust: 0.3,
            vendor: "paloaltonetworks",
            version: "7.0.16",
         },
         {
            model: "project openssl 1.1.0b",
            scope: "ne",
            trust: 0.3,
            vendor: "openssl",
            version: null,
         },
         {
            model: "project openssl 1.0.2j",
            scope: "ne",
            trust: 0.3,
            vendor: "openssl",
            version: null,
         },
         {
            model: "sterling connect:direct for unix 4.1.0.4.ifix085",
            scope: "ne",
            trust: 0.3,
            vendor: "ibm",
            version: null,
         },
         {
            model: "netezza host management",
            scope: "ne",
            trust: 0.3,
            vendor: "ibm",
            version: "5.4.9.0",
         },
         {
            model: "datapower gateways",
            scope: "ne",
            trust: 0.3,
            vendor: "ibm",
            version: "7.5.2.2",
         },
         {
            model: "datapower gateways",
            scope: "ne",
            trust: 0.3,
            vendor: "ibm",
            version: "7.5.1.4",
         },
         {
            model: "datapower gateways",
            scope: "ne",
            trust: 0.3,
            vendor: "ibm",
            version: "7.5.0.5",
         },
         {
            model: "datapower gateways",
            scope: "ne",
            trust: 0.3,
            vendor: "ibm",
            version: "7.2.0.11",
         },
         {
            model: "datapower gateways",
            scope: "ne",
            trust: 0.3,
            vendor: "ibm",
            version: "7.1.0.14",
         },
         {
            model: "datapower gateways",
            scope: "ne",
            trust: 0.3,
            vendor: "ibm",
            version: "7.0.0.17",
         },
      ],
      sources: [
         {
            db: "BID",
            id: "93841",
         },
         {
            db: "CNNVD",
            id: "CNNVD-201610-726",
         },
         {
            db: "NVD",
            id: "CVE-2016-8610",
         },
      ],
   },
   credits: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/credits#",
         sources: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/ref/sources#",
            },
         },
      },
      data: "Shi Lei from Gear Team, Qihoo 360 Inc.",
      sources: [
         {
            db: "BID",
            id: "93841",
         },
         {
            db: "CNNVD",
            id: "CNNVD-201610-726",
         },
      ],
      trust: 0.9,
   },
   cve: "CVE-2016-8610",
   cvss: {
      "@context": {
         cvssV2: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#",
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2",
         },
         cvssV3: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#",
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/",
         },
         severity: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/cvss/severity#",
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/severity",
         },
         sources: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/ref/sources#",
            },
            "@id": "https://www.variotdbs.pl/ref/sources",
         },
      },
      data: [
         {
            cvssV2: [
               {
                  accessComplexity: "LOW",
                  accessVector: "NETWORK",
                  authentication: "NONE",
                  author: "nvd@nist.gov",
                  availabilityImpact: "PARTIAL",
                  baseScore: 5,
                  confidentialityImpact: "NONE",
                  exploitabilityScore: 10,
                  id: "CVE-2016-8610",
                  impactScore: 2.9,
                  integrityImpact: "NONE",
                  severity: "MEDIUM",
                  trust: 1.1,
                  vectorString: "AV:N/AC:L/Au:N/C:N/I:N/A:P",
                  version: "2.0",
               },
               {
                  accessComplexity: "LOW",
                  accessVector: "NETWORK",
                  authentication: "NONE",
                  author: "VULHUB",
                  availabilityImpact: "PARTIAL",
                  baseScore: 5,
                  confidentialityImpact: "NONE",
                  exploitabilityScore: 10,
                  id: "VHN-97430",
                  impactScore: 2.9,
                  integrityImpact: "NONE",
                  severity: "MEDIUM",
                  trust: 0.1,
                  vectorString: "AV:N/AC:L/AU:N/C:N/I:N/A:P",
                  version: "2.0",
               },
            ],
            cvssV3: [
               {
                  attackComplexity: "LOW",
                  attackVector: "NETWORK",
                  author: "nvd@nist.gov",
                  availabilityImpact: "HIGH",
                  baseScore: 7.5,
                  baseSeverity: "HIGH",
                  confidentialityImpact: "NONE",
                  exploitabilityScore: 3.9,
                  id: "CVE-2016-8610",
                  impactScore: 3.6,
                  integrityImpact: "NONE",
                  privilegesRequired: "NONE",
                  scope: "UNCHANGED",
                  trust: 1,
                  userInteraction: "NONE",
                  vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                  version: "3.1",
               },
            ],
            severity: [
               {
                  author: "nvd@nist.gov",
                  id: "CVE-2016-8610",
                  trust: 1,
                  value: "HIGH",
               },
               {
                  author: "CNNVD",
                  id: "CNNVD-201610-726",
                  trust: 0.6,
                  value: "HIGH",
               },
               {
                  author: "VULHUB",
                  id: "VHN-97430",
                  trust: 0.1,
                  value: "MEDIUM",
               },
               {
                  author: "VULMON",
                  id: "CVE-2016-8610",
                  trust: 0.1,
                  value: "MEDIUM",
               },
            ],
         },
      ],
      sources: [
         {
            db: "VULHUB",
            id: "VHN-97430",
         },
         {
            db: "VULMON",
            id: "CVE-2016-8610",
         },
         {
            db: "CNNVD",
            id: "CNNVD-201610-726",
         },
         {
            db: "NVD",
            id: "CVE-2016-8610",
         },
      ],
   },
   description: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/description#",
         sources: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/ref/sources#",
            },
         },
      },
      data: "A denial of service flaw was found in OpenSSL 0.9.8, 1.0.1, 1.0.2 through 1.0.2h, and 1.1.0 in the way the TLS/SSL protocol defined processing of ALERT packets during a connection handshake. A remote attacker could use this flaw to make a TLS/SSL server consume an excessive amount of CPU and fail to accept connections from other clients. OpenSSL is prone to denial-of-service vulnerability. \nSuccessful exploitation of the issue will cause excessive memory or CPU resource consumption, resulting in a denial-of-service condition. It supports a variety of encryption algorithms, including symmetric ciphers, hash algorithms, security hashing algorithm, etc. \n-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA1\n\n=====================================================================\n                   Red Hat Security Advisory\n\nSynopsis:          Moderate: openssl security update\nAdvisory ID:       RHSA-2017:0286-01\nProduct:           Red Hat Enterprise Linux\nAdvisory URL:      https://rhn.redhat.com/errata/RHSA-2017-0286.html\nIssue date:        2017-02-20\nCVE Names:         CVE-2016-8610 CVE-2017-3731 \n=====================================================================\n\n1. Summary:\n\nAn update for openssl is now available for Red Hat Enterprise Linux 6 and\nRed Hat Enterprise Linux 7. \n\nRed Hat Product Security has rated this update as having a security impact\nof Moderate. A Common Vulnerability Scoring System (CVSS) base score, which\ngives a detailed severity rating, is available for each vulnerability from\nthe CVE link(s) in the References section. \n\n2. Relevant releases/architectures:\n\nRed Hat Enterprise Linux Client (v. 7) - x86_64\nRed Hat Enterprise Linux Client Optional (v. 7) - x86_64\nRed Hat Enterprise Linux ComputeNode (v. 7) - x86_64\nRed Hat Enterprise Linux ComputeNode Optional (v. 7) - x86_64\nRed Hat Enterprise Linux Desktop (v. 6) - i386, x86_64\nRed Hat Enterprise Linux Desktop Optional (v. 
6) - i386, x86_64\nRed Hat Enterprise Linux HPC Node (v. 6) - x86_64\nRed Hat Enterprise Linux HPC Node Optional (v. 6) - x86_64\nRed Hat Enterprise Linux Server (v. 6) - i386, ppc64, s390x, x86_64\nRed Hat Enterprise Linux Server (v. 7) - aarch64, ppc64, ppc64le, s390x, x86_64\nRed Hat Enterprise Linux Server Optional (v. 6) - i386, ppc64, s390x, x86_64\nRed Hat Enterprise Linux Server Optional (v. 7) - aarch64, ppc64, ppc64le, s390x, x86_64\nRed Hat Enterprise Linux Workstation (v. 6) - i386, x86_64\nRed Hat Enterprise Linux Workstation (v. 7) - x86_64\nRed Hat Enterprise Linux Workstation Optional (v. 6) - i386, x86_64\nRed Hat Enterprise Linux Workstation Optional (v. 7) - x86_64\n\n3. Description:\n\nOpenSSL is a toolkit that implements the Secure Sockets Layer (SSL) and\nTransport Layer Security (TLS) protocols, as well as a full-strength\ngeneral-purpose cryptography library. \n\nSecurity Fix(es):\n\n* An integer underflow leading to an out of bounds read flaw was found in\nOpenSSL. \n(CVE-2016-8610)\n\n4. Solution:\n\nFor details on how to apply this update, which includes the changes\ndescribed in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258\n\nFor the update to take effect, all services linked to the OpenSSL library\nmust be restarted, or the system rebooted. \n\n5. Bugs fixed (https://bugzilla.redhat.com/):\n\n1384743 - CVE-2016-8610 SSL/TLS: Malformed plain-text ALERT packets could cause remote DoS\n1416852 - CVE-2017-3731 openssl: Truncated packet could crash via OOB read\n\n6. Package List:\n\nRed Hat Enterprise Linux Desktop (v. 6):\n\nSource:\nopenssl-1.0.1e-48.el6_8.4.src.rpm\n\ni386:\nopenssl-1.0.1e-48.el6_8.4.i686.rpm\nopenssl-debuginfo-1.0.1e-48.el6_8.4.i686.rpm\n\nx86_64:\nopenssl-1.0.1e-48.el6_8.4.i686.rpm\nopenssl-1.0.1e-48.el6_8.4.x86_64.rpm\nopenssl-debuginfo-1.0.1e-48.el6_8.4.i686.rpm\nopenssl-debuginfo-1.0.1e-48.el6_8.4.x86_64.rpm\n\nRed Hat Enterprise Linux Desktop Optional (v. 
6):\n\ni386:\nopenssl-debuginfo-1.0.1e-48.el6_8.4.i686.rpm\nopenssl-devel-1.0.1e-48.el6_8.4.i686.rpm\nopenssl-perl-1.0.1e-48.el6_8.4.i686.rpm\nopenssl-static-1.0.1e-48.el6_8.4.i686.rpm\n\nx86_64:\nopenssl-debuginfo-1.0.1e-48.el6_8.4.i686.rpm\nopenssl-debuginfo-1.0.1e-48.el6_8.4.x86_64.rpm\nopenssl-devel-1.0.1e-48.el6_8.4.i686.rpm\nopenssl-devel-1.0.1e-48.el6_8.4.x86_64.rpm\nopenssl-perl-1.0.1e-48.el6_8.4.x86_64.rpm\nopenssl-static-1.0.1e-48.el6_8.4.x86_64.rpm\n\nRed Hat Enterprise Linux HPC Node (v. 6):\n\nSource:\nopenssl-1.0.1e-48.el6_8.4.src.rpm\n\nx86_64:\nopenssl-1.0.1e-48.el6_8.4.i686.rpm\nopenssl-1.0.1e-48.el6_8.4.x86_64.rpm\nopenssl-debuginfo-1.0.1e-48.el6_8.4.i686.rpm\nopenssl-debuginfo-1.0.1e-48.el6_8.4.x86_64.rpm\n\nRed Hat Enterprise Linux HPC Node Optional (v. 6):\n\nx86_64:\nopenssl-debuginfo-1.0.1e-48.el6_8.4.i686.rpm\nopenssl-debuginfo-1.0.1e-48.el6_8.4.x86_64.rpm\nopenssl-devel-1.0.1e-48.el6_8.4.i686.rpm\nopenssl-devel-1.0.1e-48.el6_8.4.x86_64.rpm\nopenssl-perl-1.0.1e-48.el6_8.4.x86_64.rpm\nopenssl-static-1.0.1e-48.el6_8.4.x86_64.rpm\n\nRed Hat Enterprise Linux Server (v. 
6):\n\nSource:\nopenssl-1.0.1e-48.el6_8.4.src.rpm\n\ni386:\nopenssl-1.0.1e-48.el6_8.4.i686.rpm\nopenssl-debuginfo-1.0.1e-48.el6_8.4.i686.rpm\nopenssl-devel-1.0.1e-48.el6_8.4.i686.rpm\n\nppc64:\nopenssl-1.0.1e-48.el6_8.4.ppc.rpm\nopenssl-1.0.1e-48.el6_8.4.ppc64.rpm\nopenssl-debuginfo-1.0.1e-48.el6_8.4.ppc.rpm\nopenssl-debuginfo-1.0.1e-48.el6_8.4.ppc64.rpm\nopenssl-devel-1.0.1e-48.el6_8.4.ppc.rpm\nopenssl-devel-1.0.1e-48.el6_8.4.ppc64.rpm\n\ns390x:\nopenssl-1.0.1e-48.el6_8.4.s390.rpm\nopenssl-1.0.1e-48.el6_8.4.s390x.rpm\nopenssl-debuginfo-1.0.1e-48.el6_8.4.s390.rpm\nopenssl-debuginfo-1.0.1e-48.el6_8.4.s390x.rpm\nopenssl-devel-1.0.1e-48.el6_8.4.s390.rpm\nopenssl-devel-1.0.1e-48.el6_8.4.s390x.rpm\n\nx86_64:\nopenssl-1.0.1e-48.el6_8.4.i686.rpm\nopenssl-1.0.1e-48.el6_8.4.x86_64.rpm\nopenssl-debuginfo-1.0.1e-48.el6_8.4.i686.rpm\nopenssl-debuginfo-1.0.1e-48.el6_8.4.x86_64.rpm\nopenssl-devel-1.0.1e-48.el6_8.4.i686.rpm\nopenssl-devel-1.0.1e-48.el6_8.4.x86_64.rpm\n\nRed Hat Enterprise Linux Server Optional (v. 6):\n\ni386:\nopenssl-debuginfo-1.0.1e-48.el6_8.4.i686.rpm\nopenssl-perl-1.0.1e-48.el6_8.4.i686.rpm\nopenssl-static-1.0.1e-48.el6_8.4.i686.rpm\n\nppc64:\nopenssl-debuginfo-1.0.1e-48.el6_8.4.ppc64.rpm\nopenssl-perl-1.0.1e-48.el6_8.4.ppc64.rpm\nopenssl-static-1.0.1e-48.el6_8.4.ppc64.rpm\n\ns390x:\nopenssl-debuginfo-1.0.1e-48.el6_8.4.s390x.rpm\nopenssl-perl-1.0.1e-48.el6_8.4.s390x.rpm\nopenssl-static-1.0.1e-48.el6_8.4.s390x.rpm\n\nx86_64:\nopenssl-debuginfo-1.0.1e-48.el6_8.4.x86_64.rpm\nopenssl-perl-1.0.1e-48.el6_8.4.x86_64.rpm\nopenssl-static-1.0.1e-48.el6_8.4.x86_64.rpm\n\nRed Hat Enterprise Linux Workstation (v. 
6):\n\nSource:\nopenssl-1.0.1e-48.el6_8.4.src.rpm\n\ni386:\nopenssl-1.0.1e-48.el6_8.4.i686.rpm\nopenssl-debuginfo-1.0.1e-48.el6_8.4.i686.rpm\nopenssl-devel-1.0.1e-48.el6_8.4.i686.rpm\n\nx86_64:\nopenssl-1.0.1e-48.el6_8.4.i686.rpm\nopenssl-1.0.1e-48.el6_8.4.x86_64.rpm\nopenssl-debuginfo-1.0.1e-48.el6_8.4.i686.rpm\nopenssl-debuginfo-1.0.1e-48.el6_8.4.x86_64.rpm\nopenssl-devel-1.0.1e-48.el6_8.4.i686.rpm\nopenssl-devel-1.0.1e-48.el6_8.4.x86_64.rpm\n\nRed Hat Enterprise Linux Workstation Optional (v. 6):\n\ni386:\nopenssl-debuginfo-1.0.1e-48.el6_8.4.i686.rpm\nopenssl-perl-1.0.1e-48.el6_8.4.i686.rpm\nopenssl-static-1.0.1e-48.el6_8.4.i686.rpm\n\nx86_64:\nopenssl-debuginfo-1.0.1e-48.el6_8.4.x86_64.rpm\nopenssl-perl-1.0.1e-48.el6_8.4.x86_64.rpm\nopenssl-static-1.0.1e-48.el6_8.4.x86_64.rpm\n\nRed Hat Enterprise Linux Client (v. 7):\n\nSource:\nopenssl-1.0.1e-60.el7_3.1.src.rpm\n\nx86_64:\nopenssl-1.0.1e-60.el7_3.1.x86_64.rpm\nopenssl-debuginfo-1.0.1e-60.el7_3.1.i686.rpm\nopenssl-debuginfo-1.0.1e-60.el7_3.1.x86_64.rpm\nopenssl-libs-1.0.1e-60.el7_3.1.i686.rpm\nopenssl-libs-1.0.1e-60.el7_3.1.x86_64.rpm\n\nRed Hat Enterprise Linux Client Optional (v. 7):\n\nx86_64:\nopenssl-debuginfo-1.0.1e-60.el7_3.1.i686.rpm\nopenssl-debuginfo-1.0.1e-60.el7_3.1.x86_64.rpm\nopenssl-devel-1.0.1e-60.el7_3.1.i686.rpm\nopenssl-devel-1.0.1e-60.el7_3.1.x86_64.rpm\nopenssl-perl-1.0.1e-60.el7_3.1.x86_64.rpm\nopenssl-static-1.0.1e-60.el7_3.1.i686.rpm\nopenssl-static-1.0.1e-60.el7_3.1.x86_64.rpm\n\nRed Hat Enterprise Linux ComputeNode (v. 7):\n\nSource:\nopenssl-1.0.1e-60.el7_3.1.src.rpm\n\nx86_64:\nopenssl-1.0.1e-60.el7_3.1.x86_64.rpm\nopenssl-debuginfo-1.0.1e-60.el7_3.1.i686.rpm\nopenssl-debuginfo-1.0.1e-60.el7_3.1.x86_64.rpm\nopenssl-libs-1.0.1e-60.el7_3.1.i686.rpm\nopenssl-libs-1.0.1e-60.el7_3.1.x86_64.rpm\n\nRed Hat Enterprise Linux ComputeNode Optional (v. 
7):\n\nx86_64:\nopenssl-debuginfo-1.0.1e-60.el7_3.1.i686.rpm\nopenssl-debuginfo-1.0.1e-60.el7_3.1.x86_64.rpm\nopenssl-devel-1.0.1e-60.el7_3.1.i686.rpm\nopenssl-devel-1.0.1e-60.el7_3.1.x86_64.rpm\nopenssl-perl-1.0.1e-60.el7_3.1.x86_64.rpm\nopenssl-static-1.0.1e-60.el7_3.1.i686.rpm\nopenssl-static-1.0.1e-60.el7_3.1.x86_64.rpm\n\nRed Hat Enterprise Linux Server (v. 7):\n\nSource:\nopenssl-1.0.1e-60.el7_3.1.src.rpm\n\naarch64:\nopenssl-1.0.1e-60.el7_3.1.aarch64.rpm\nopenssl-debuginfo-1.0.1e-60.el7_3.1.aarch64.rpm\nopenssl-devel-1.0.1e-60.el7_3.1.aarch64.rpm\nopenssl-libs-1.0.1e-60.el7_3.1.aarch64.rpm\n\nppc64:\nopenssl-1.0.1e-60.el7_3.1.ppc64.rpm\nopenssl-debuginfo-1.0.1e-60.el7_3.1.ppc.rpm\nopenssl-debuginfo-1.0.1e-60.el7_3.1.ppc64.rpm\nopenssl-devel-1.0.1e-60.el7_3.1.ppc.rpm\nopenssl-devel-1.0.1e-60.el7_3.1.ppc64.rpm\nopenssl-libs-1.0.1e-60.el7_3.1.ppc.rpm\nopenssl-libs-1.0.1e-60.el7_3.1.ppc64.rpm\n\nppc64le:\nopenssl-1.0.1e-60.el7_3.1.ppc64le.rpm\nopenssl-debuginfo-1.0.1e-60.el7_3.1.ppc64le.rpm\nopenssl-devel-1.0.1e-60.el7_3.1.ppc64le.rpm\nopenssl-libs-1.0.1e-60.el7_3.1.ppc64le.rpm\n\ns390x:\nopenssl-1.0.1e-60.el7_3.1.s390x.rpm\nopenssl-debuginfo-1.0.1e-60.el7_3.1.s390.rpm\nopenssl-debuginfo-1.0.1e-60.el7_3.1.s390x.rpm\nopenssl-devel-1.0.1e-60.el7_3.1.s390.rpm\nopenssl-devel-1.0.1e-60.el7_3.1.s390x.rpm\nopenssl-libs-1.0.1e-60.el7_3.1.s390.rpm\nopenssl-libs-1.0.1e-60.el7_3.1.s390x.rpm\n\nx86_64:\nopenssl-1.0.1e-60.el7_3.1.x86_64.rpm\nopenssl-debuginfo-1.0.1e-60.el7_3.1.i686.rpm\nopenssl-debuginfo-1.0.1e-60.el7_3.1.x86_64.rpm\nopenssl-devel-1.0.1e-60.el7_3.1.i686.rpm\nopenssl-devel-1.0.1e-60.el7_3.1.x86_64.rpm\nopenssl-libs-1.0.1e-60.el7_3.1.i686.rpm\nopenssl-libs-1.0.1e-60.el7_3.1.x86_64.rpm\n\nRed Hat Enterprise Linux Server Optional (v. 
7):\n\naarch64:\nopenssl-debuginfo-1.0.1e-60.el7_3.1.aarch64.rpm\nopenssl-perl-1.0.1e-60.el7_3.1.aarch64.rpm\nopenssl-static-1.0.1e-60.el7_3.1.aarch64.rpm\n\nppc64:\nopenssl-debuginfo-1.0.1e-60.el7_3.1.ppc.rpm\nopenssl-debuginfo-1.0.1e-60.el7_3.1.ppc64.rpm\nopenssl-perl-1.0.1e-60.el7_3.1.ppc64.rpm\nopenssl-static-1.0.1e-60.el7_3.1.ppc.rpm\nopenssl-static-1.0.1e-60.el7_3.1.ppc64.rpm\n\nppc64le:\nopenssl-debuginfo-1.0.1e-60.el7_3.1.ppc64le.rpm\nopenssl-perl-1.0.1e-60.el7_3.1.ppc64le.rpm\nopenssl-static-1.0.1e-60.el7_3.1.ppc64le.rpm\n\ns390x:\nopenssl-debuginfo-1.0.1e-60.el7_3.1.s390.rpm\nopenssl-debuginfo-1.0.1e-60.el7_3.1.s390x.rpm\nopenssl-perl-1.0.1e-60.el7_3.1.s390x.rpm\nopenssl-static-1.0.1e-60.el7_3.1.s390.rpm\nopenssl-static-1.0.1e-60.el7_3.1.s390x.rpm\n\nx86_64:\nopenssl-debuginfo-1.0.1e-60.el7_3.1.i686.rpm\nopenssl-debuginfo-1.0.1e-60.el7_3.1.x86_64.rpm\nopenssl-perl-1.0.1e-60.el7_3.1.x86_64.rpm\nopenssl-static-1.0.1e-60.el7_3.1.i686.rpm\nopenssl-static-1.0.1e-60.el7_3.1.x86_64.rpm\n\nRed Hat Enterprise Linux Workstation (v. 7):\n\nSource:\nopenssl-1.0.1e-60.el7_3.1.src.rpm\n\nx86_64:\nopenssl-1.0.1e-60.el7_3.1.x86_64.rpm\nopenssl-debuginfo-1.0.1e-60.el7_3.1.i686.rpm\nopenssl-debuginfo-1.0.1e-60.el7_3.1.x86_64.rpm\nopenssl-devel-1.0.1e-60.el7_3.1.i686.rpm\nopenssl-devel-1.0.1e-60.el7_3.1.x86_64.rpm\nopenssl-libs-1.0.1e-60.el7_3.1.i686.rpm\nopenssl-libs-1.0.1e-60.el7_3.1.x86_64.rpm\n\nRed Hat Enterprise Linux Workstation Optional (v. 7):\n\nx86_64:\nopenssl-debuginfo-1.0.1e-60.el7_3.1.i686.rpm\nopenssl-debuginfo-1.0.1e-60.el7_3.1.x86_64.rpm\nopenssl-perl-1.0.1e-60.el7_3.1.x86_64.rpm\nopenssl-static-1.0.1e-60.el7_3.1.i686.rpm\nopenssl-static-1.0.1e-60.el7_3.1.x86_64.rpm\n\nThese packages are GPG signed by Red Hat for security.  Our key and\ndetails on how to verify the signature are available from\nhttps://access.redhat.com/security/team/key/\n\n7. 
References:\n\nhttps://access.redhat.com/security/cve/CVE-2016-8610\nhttps://access.redhat.com/security/cve/CVE-2017-3731\nhttps://access.redhat.com/security/updates/classification/#moderate\nhttps://www.openssl.org/news/secadv/20170126.txt\n\n8. Contact:\n\nThe Red Hat security contact is <secalert@redhat.com>. More contact\ndetails at https://access.redhat.com/security/team/contact/\n\nCopyright 2017 Red Hat, Inc. \n-----BEGIN PGP SIGNATURE-----\nVersion: GnuPG v1\n\niD8DBQFYqs1TXlSAg2UNWIIRAt7bAJ0ZCDFTFcNP3/qrBxA46aRJQAvxkACaA9Ak\n1zK4rWazcUYTZw5zQhD4SXA=\n=I+Z7\n-----END PGP SIGNATURE-----\n\n\n--\nRHSA-announce mailing list\nRHSA-announce@redhat.com\nhttps://www.redhat.com/mailman/listinfo/rhsa-announce\n. This software, such as Apache HTTP Server, is\ncommon to multiple JBoss middleware products, and is packaged under Red Hat\nJBoss Core Services to allow for faster distribution of updates, and for a\nmore consistent update experience. \n\nSecurity Fix(es):\n\n* A memory leak flaw was found in the way OpenSSL handled TLS status\nrequest extension data during session renegotiation. A remote attacker\ncould cause a TLS server using OpenSSL to consume an excessive amount of\nmemory and, possibly, exit unexpectedly after exhausting all available\nmemory, if it enabled OCSP stapling support. (CVE-2016-6304)\n\n* It was discovered that the mod_session_crypto module of httpd did not use\nany mechanisms to verify integrity of the encrypted session data stored in\nthe user's browser. (CVE-2016-0736)\n\n* It was discovered that the mod_auth_digest module of httpd did not\nproperly check for memory allocation failures. (CVE-2016-2161)\n\n* A timing attack flaw was found in OpenSSL that could allow a malicious\nuser with local access to recover ECDSA P-256 private keys. 
\n(CVE-2016-8610)\n\n* It was discovered that the HTTP parser in httpd incorrectly allowed\ncertain characters not permitted by the HTTP protocol specification to\nappear unencoded in HTTP request headers. If httpd was used in conjunction\nwith a proxy or backend server that interpreted those characters\ndifferently, a remote attacker could possibly use this flaw to inject data\ninto HTTP responses, resulting in proxy cache poisoning. (CVE-2016-8743)\n\n* A vulnerability was found in httpd's handling of the LimitRequestFields\ndirective in mod_http2, affecting servers with HTTP/2 enabled. (CVE-2016-8740)\n\nRed Hat would like to thank the OpenSSL project for reporting CVE-2016-6304\nand Shi Lei (Gear Team of Qihoo 360 Inc.) for reporting CVE-2016-8610. \nUpstream acknowledges Shi Lei (Gear Team of Qihoo 360 Inc.) as the original\nreporter of CVE-2016-6304. After installing the updated\npackages, the httpd daemon will be restarted automatically. Bugs fixed (https://bugzilla.redhat.com/):\n\n1377600 - CVE-2016-6304 openssl: OCSP Status Request extension unbounded memory growth\n1384743 - CVE-2016-8610 SSL/TLS: Malformed plain-text ALERT packets could cause remote DoS\n1401528 - CVE-2016-8740 httpd: Incomplete handling of LimitRequestFields directive in mod_http2\n1406744 - CVE-2016-0736 httpd: Padding Oracle in Apache mod_session_crypto\n1406753 - CVE-2016-2161 httpd: DoS vulnerability in mod_auth_digest\n1406822 - CVE-2016-8743 httpd: Apache HTTP Request Parsing Whitespace Defects\n1412120 - CVE-2016-7056 openssl: ECDSA P-256 timing attack key recovery\n\n6. JIRA issues fixed (https://issues.jboss.org/):\n\nJBCS-319 - Errata for httpd 2.4.23 SP1 RHEL 7\n\n7. \n\nApache Tomcat is a servlet container for the Java Servlet and JavaServer\nPages (JSP) technologies. If sendfile processing completed quickly, it was\npossible for the Processor to be added to the processor cache twice. This\ncould lead to invalid responses or information disclosure. 
(CVE-2017-5647)\n\n* A vulnerability was discovered in the error page mechanism in Tomcat's\nDefaultServlet implementation. A crafted HTTP request could cause undesired\nside effects, possibly including the removal or replacement of the custom\nerror page. Solution:\n\nBefore applying the update, back up your existing Red Hat JBoss Web Server\ninstallation (including all applications and configuration files). \n\nThe References section of this erratum contains a download link (you must\nlog in to download the update). \n\nCVE-2016-8610\n\n    It was discovered that no limit was imposed on alert packets during\n    an SSL handshake. \n\nCVE-2017-3731\n\n    Robert Swiecki discovered that the RC4-MD5 cipher when running on\n    32 bit systems could be forced into an out-of-bounds read, resulting\n    in denial of service. \n\nFor the stable distribution (jessie), these problems have been fixed in\nversion 1.0.1t-1+deb8u6. \n\nFor the unstable distribution (sid), these problems have been fixed in\nversion 1.1.0d-1 of the openssl source package and in version 1.0.2k-1\nof the openssl1.0 source package. \n\nWe recommend that you upgrade your openssl packages. 6) - i386, x86_64\n\n3. \n\nThe following packages have been upgraded to a later upstream version:\ngnutls (2.12.23). \n(CVE-2016-8610)\n\n* Multiple flaws were found in the way gnutls processed OpenPGP\ncertificates. An attacker could create specially crafted OpenPGP\ncertificates which, when parsed by gnutls, would cause it to crash. 
Bugs fixed (https://bugzilla.redhat.com/):\n\n1320982 - ASSERT failure in gnutls-cli-debug\n1321112 - DHE_DSS ciphers don't work with client certificates and OpenSSL using TLSv1.2\n1323215 - gnutls-serv --http crashes with client certificates with NSS client\n1326073 - GnuTLS prefers SHA-1 signatures in TLSv1.2\n1326389 - GnuTLS server does not accept SHA-384 and SHA-512 Certificate Verify signatures despite advertising support for them\n1326886 - GnuTLS server rejects connections that do not advertise support for SHA-1 signature algorithms\n1327656 - gnutls-serv: closing connection without sending an Alert message\n1328205 - gnutls-cli won't send certificates that don't match hashes in Certificate Request\n1333521 - Provide ability to set the expected server name in gnutls-serv utility\n1335924 - gnutls: Disable TLS connections with less than 1024-bit DH parameters\n1337460 - Disable/remove export ciphersuites in GnuTLS\n1384743 - CVE-2016-8610 SSL/TLS: Malformed plain-text ALERT packets could cause remote DoS\n1411836 - CVE-2017-5337 gnutls: Heap read overflow in read-packet.c\n1412235 - CVE-2017-5335 gnutls: Out of memory while parsing crafted OpenPGP certificate\n1412236 - CVE-2017-5336 gnutls: Stack overflow in cdk_pk_get_keyid\n1415682 - Changes introduced by rebase to 2.12.23 break API and ABI compatibility for some libraries\n\n6. \n\nSoftware Description:\n- gnutls28: GNU TLS library\n- gnutls26: GNU TLS library\n\nDetails:\n\nStefan Buehler discovered that GnuTLS incorrectly verified the serial\nlength of OCSP responses. (CVE-2016-8610)\n\nIt was discovered that GnuTLS incorrectly decoded X.509 certificates with a\nProxy Certificate Information extension. 
\n===========================================================================\nUbuntu Security Notice USN-3181-1\nJanuary 31, 2017\n\nopenssl vulnerabilities\n===========================================================================\n\nA security issue affects these releases of Ubuntu and its derivatives:\n\n- Ubuntu 16.10\n- Ubuntu 16.04 LTS\n- Ubuntu 14.04 LTS\n- Ubuntu 12.04 LTS\n\nSummary:\n\nSeveral security issues were fixed in OpenSSL. This\nissue only applied to Ubuntu 12.04 LTS and Ubuntu 14.04 LTS as other\nreleases were fixed in a previous security update. (CVE-2016-2177)\n\nIt was discovered that OpenSSL did not properly handle Montgomery\nmultiplication, resulting in incorrect results leading to transient\nfailures. This issue only applied to Ubuntu 16.04 LTS, and Ubuntu 16.10. \n(CVE-2016-7055)\n\nIt was discovered that OpenSSL did not properly use constant-time\noperations when performing ECDSA P-256 signing. This issue only applied to Ubuntu 12.04 LTS and Ubuntu 14.04\nLTS. (CVE-2016-7056)\n\nShi Lei discovered that OpenSSL incorrectly handled certain warning alerts. (CVE-2016-8610)\n\nRobert Święcki discovered that OpenSSL incorrectly handled certain\ntruncated packets. (CVE-2017-3731)\n\nIt was discovered that OpenSSL incorrectly performed the x86_64 Montgomery\nsquaring procedure. This issue only applied to Ubuntu 16.04\nLTS, and Ubuntu 16.10. (CVE-2017-3732)\n\nUpdate instructions:\n\nThe problem can be corrected by updating your system to the following\npackage versions:\n\nUbuntu 16.10:\n  libssl1.0.0                     1.0.2g-1ubuntu9.1\n\nUbuntu 16.04 LTS:\n  libssl1.0.0                     1.0.2g-1ubuntu4.6\n\nUbuntu 14.04 LTS:\n  libssl1.0.0                     1.0.1f-1ubuntu2.22\n\nUbuntu 12.04 LTS:\n  libssl1.0.0                     1.0.1-4ubuntu5.39\n\nAfter a standard system update you need to reboot your computer to make\nall the necessary changes",
      sources: [
         {
            db: "NVD",
            id: "CVE-2016-8610",
         },
         {
            db: "BID",
            id: "93841",
         },
         {
            db: "VULHUB",
            id: "VHN-97430",
         },
         {
            db: "VULMON",
            id: "CVE-2016-8610",
         },
         {
            db: "PACKETSTORM",
            id: "141173",
         },
         {
            db: "PACKETSTORM",
            id: "142848",
         },
         {
            db: "PACKETSTORM",
            id: "142847",
         },
         {
            db: "PACKETSTORM",
            id: "143873",
         },
         {
            db: "PACKETSTORM",
            id: "140781",
         },
         {
            db: "PACKETSTORM",
            id: "141752",
         },
         {
            db: "PACKETSTORM",
            id: "140890",
         },
         {
            db: "PACKETSTORM",
            id: "140850",
         },
      ],
      trust: 2.07,
   },
   external_ids: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/external_ids#",
         data: {
            "@container": "@list",
         },
         sources: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/ref/sources#",
            },
         },
      },
      data: [
         {
            db: "NVD",
            id: "CVE-2016-8610",
            trust: 2.9,
         },
         {
            db: "BID",
            id: "93841",
            trust: 2.1,
         },
         {
            db: "SECTRACK",
            id: "1037084",
            trust: 1.8,
         },
         {
            db: "CNNVD",
            id: "CNNVD-201610-726",
            trust: 0.7,
         },
         {
            db: "AUSCERT",
            id: "ESB-2019.2173",
            trust: 0.6,
         },
         {
            db: "PACKETSTORM",
            id: "141173",
            trust: 0.2,
         },
         {
            db: "PACKETSTORM",
            id: "141752",
            trust: 0.2,
         },
         {
            db: "SEEBUG",
            id: "SSVID-92490",
            trust: 0.1,
         },
         {
            db: "VULHUB",
            id: "VHN-97430",
            trust: 0.1,
         },
         {
            db: "VULMON",
            id: "CVE-2016-8610",
            trust: 0.1,
         },
         {
            db: "PACKETSTORM",
            id: "142848",
            trust: 0.1,
         },
         {
            db: "PACKETSTORM",
            id: "142847",
            trust: 0.1,
         },
         {
            db: "PACKETSTORM",
            id: "143873",
            trust: 0.1,
         },
         {
            db: "PACKETSTORM",
            id: "140781",
            trust: 0.1,
         },
         {
            db: "PACKETSTORM",
            id: "140890",
            trust: 0.1,
         },
         {
            db: "PACKETSTORM",
            id: "140850",
            trust: 0.1,
         },
      ],
      sources: [
         {
            db: "VULHUB",
            id: "VHN-97430",
         },
         {
            db: "VULMON",
            id: "CVE-2016-8610",
         },
         {
            db: "BID",
            id: "93841",
         },
         {
            db: "PACKETSTORM",
            id: "141173",
         },
         {
            db: "PACKETSTORM",
            id: "142848",
         },
         {
            db: "PACKETSTORM",
            id: "142847",
         },
         {
            db: "PACKETSTORM",
            id: "143873",
         },
         {
            db: "PACKETSTORM",
            id: "140781",
         },
         {
            db: "PACKETSTORM",
            id: "141752",
         },
         {
            db: "PACKETSTORM",
            id: "140890",
         },
         {
            db: "PACKETSTORM",
            id: "140850",
         },
         {
            db: "CNNVD",
            id: "CNNVD-201610-726",
         },
         {
            db: "NVD",
            id: "CVE-2016-8610",
         },
      ],
   },
   id: "VAR-201711-0007",
   iot: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/iot#",
         sources: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/ref/sources#",
            },
         },
      },
      data: true,
      sources: [
         {
            db: "VULHUB",
            id: "VHN-97430",
         },
      ],
      trust: 0.40555555,
   },
   last_update_date: "2024-11-29T21:15:04.795000Z",
   patch: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/patch#",
         data: {
            "@container": "@list",
         },
         sources: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/ref/sources#",
            },
         },
      },
      data: [
         {
            title: "OpenSSL Remediation measures for denial of service vulnerabilities",
            trust: 0.6,
            url: "http://123.124.177.30/web/xxk/bdxqById.tag?id=65089",
         },
         {
            title: "Red Hat: Moderate: openssl security update",
            trust: 0.1,
            url: "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories&qid=RHSA-20170286 - Security Advisory",
         },
         {
            title: "Red Hat: Important: Red Hat JBoss Enterprise Application Platform 6.4.16 natives update",
            trust: 0.1,
            url: "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories&qid=RHSA-20171659 - Security Advisory",
         },
         {
            title: "Red Hat: Moderate: gnutls security, bug fix, and enhancement update",
            trust: 0.1,
            url: "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories&qid=RHSA-20170574 - Security Advisory",
         },
         {
            title: "Red Hat: Important: Red Hat JBoss Enterprise Application Platform 6.4.16 natives update",
            trust: 0.1,
            url: "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories&qid=RHSA-20171658 - Security Advisory",
         },
         {
            title: "Red Hat: Important: Red Hat JBoss Core Services Apache HTTP Server 2.4.23 Service Pack 1 for RHEL 6",
            trust: 0.1,
            url: "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories&qid=RHSA-20171414 - Security Advisory",
         },
         {
            title: "Red Hat: Important: Red Hat JBoss Core Services Apache HTTP Server 2.4.23 Service Pack 1",
            trust: 0.1,
            url: "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories&qid=RHSA-20171415 - Security Advisory",
         },
         {
            title: "Red Hat: Important: Red Hat JBoss Core Services Apache HTTP Server 2.4.23 Service Pack 1 for RHEL 7",
            trust: 0.1,
            url: "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories&qid=RHSA-20171413 - Security Advisory",
         },
         {
            title: "Debian Security Advisories: DSA-3773-1 openssl -- security update",
            trust: 0.1,
            url: "https://vulmon.com/vendoradvisory?qidtp=debian_security_advisories&qid=9f660812dd6a423f7e72aa57751d0031",
         },
         {
            title: "Red Hat: CVE-2016-8610",
            trust: 0.1,
            url: "https://vulmon.com/vendoradvisory?qidtp=red_hat_cve_database&qid=CVE-2016-8610",
         },
         {
            title: "Amazon Linux AMI: ALAS-2017-803",
            trust: 0.1,
            url: "https://vulmon.com/vendoradvisory?qidtp=amazon_linux_ami&qid=ALAS-2017-803",
         },
         {
            title: "Ubuntu Security Notice: gnutls26 vulnerability",
            trust: 0.1,
            url: "https://vulmon.com/vendoradvisory?qidtp=ubuntu_security_notice&qid=USN-3183-2",
         },
         {
            title: "Ubuntu Security Notice: gnutls26, gnutls28 vulnerabilities",
            trust: 0.1,
            url: "https://vulmon.com/vendoradvisory?qidtp=ubuntu_security_notice&qid=USN-3183-1",
         },
         {
            title: "Ubuntu Security Notice: openssl vulnerabilities",
            trust: 0.1,
            url: "https://vulmon.com/vendoradvisory?qidtp=ubuntu_security_notice&qid=USN-3181-1",
         },
         {
            title: "Red Hat: Important: Red Hat JBoss Web Server 3.1.0 Service Pack 1 security update",
            trust: 0.1,
            url: "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories&qid=RHSA-20171801 - Security Advisory",
         },
         {
            title: "Red Hat: Important: Red Hat JBoss Web Server Service Pack 1 security update",
            trust: 0.1,
            url: "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories&qid=RHSA-20171802 - Security Advisory",
         },
         {
            title: "Amazon Linux AMI: ALAS-2017-815",
            trust: 0.1,
            url: "https://vulmon.com/vendoradvisory?qidtp=amazon_linux_ami&qid=ALAS-2017-815",
         },
         {
            title: "Oracle Linux Bulletins: Oracle Linux Bulletin - January 2017",
            trust: 0.1,
            url: "https://vulmon.com/vendoradvisory?qidtp=oracle_linux_bulletins&qid=ecbe5f193404d1e9c62e8323118ae6cf",
         },
         {
            title: "Oracle VM Server for x86 Bulletins: Oracle VM Server for x86 Bulletin - January 2017",
            trust: 0.1,
            url: "https://vulmon.com/vendoradvisory?qidtp=oracle_vm_server_for_x86_bulletins&qid=04299a624c15ae57f9f110f484bc5f66",
         },
         {
            title: "Oracle Solaris Third Party Bulletins: Oracle Solaris Third Party Bulletin - October 2016",
            trust: 0.1,
            url: "https://vulmon.com/vendoradvisory?qidtp=oracle_solaris_third_party_bulletins&qid=6839c4d3fd328571c675c335d58b5591",
         },
         {
            title: "Oracle Linux Bulletins: Oracle Linux Bulletin - April 2017",
            trust: 0.1,
            url: "https://vulmon.com/vendoradvisory?qidtp=oracle_linux_bulletins&qid=d78b3379ca364568964f30138964c7e7",
         },
         {
            title: "Oracle VM Server for x86 Bulletins: Oracle VM Server for x86 Bulletin - April 2017",
            trust: 0.1,
            url: "https://vulmon.com/vendoradvisory?qidtp=oracle_vm_server_for_x86_bulletins&qid=bf8deceb640f4a0fee008855afe6aa85",
         },
         {
            title: "CVE-2016-8610-PoC",
            trust: 0.1,
            url: "https://github.com/cujanovic/CVE-2016-8610-PoC ",
         },
      ],
      sources: [
         {
            db: "VULMON",
            id: "CVE-2016-8610",
         },
         {
            db: "CNNVD",
            id: "CNNVD-201610-726",
         },
      ],
   },
   problemtype_data: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
         sources: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/ref/sources#",
            },
         },
      },
      data: [
         {
            problemtype: "CWE-400",
            trust: 1.1,
         },
         {
            problemtype: "CWE-399",
            trust: 0.1,
         },
      ],
      sources: [
         {
            db: "VULHUB",
            id: "VHN-97430",
         },
         {
            db: "NVD",
            id: "CVE-2016-8610",
         },
      ],
   },
   references: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/references#",
         data: {
            "@container": "@list",
         },
         sources: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/ref/sources#",
            },
         },
      },
      data: [
         {
            trust: 2.4,
            url: "http://www.securityfocus.com/bid/93841",
         },
         {
            trust: 2.1,
            url: "http://seclists.org/oss-sec/2016/q4/224",
         },
         {
            trust: 1.9,
            url: "http://rhn.redhat.com/errata/rhsa-2017-0286.html",
         },
         {
            trust: 1.9,
            url: "http://rhn.redhat.com/errata/rhsa-2017-0574.html",
         },
         {
            trust: 1.9,
            url: "https://access.redhat.com/errata/rhsa-2017:1413",
         },
         {
            trust: 1.9,
            url: "http://rhn.redhat.com/errata/rhsa-2017-1415.html",
         },
         {
            trust: 1.9,
            url: "https://access.redhat.com/errata/rhsa-2017:2494",
         },
         {
            trust: 1.8,
            url: "http://www.securitytracker.com/id/1037084",
         },
         {
            trust: 1.8,
            url: "https://www.debian.org/security/2017/dsa-3773",
         },
         {
            trust: 1.8,
            url: "https://security.freebsd.org/advisories/freebsd-sa-16:35.openssl.asc",
         },
         {
            trust: 1.8,
            url: "https://access.redhat.com/errata/rhsa-2017:1414",
         },
         {
            trust: 1.8,
            url: "https://access.redhat.com/errata/rhsa-2017:1658",
         },
         {
            trust: 1.8,
            url: "http://rhn.redhat.com/errata/rhsa-2017-1659.html",
         },
         {
            trust: 1.8,
            url: "https://access.redhat.com/errata/rhsa-2017:1801",
         },
         {
            trust: 1.8,
            url: "https://access.redhat.com/errata/rhsa-2017:1802",
         },
         {
            trust: 1.8,
            url: "https://access.redhat.com/errata/rhsa-2017:2493",
         },
         {
            trust: 1.8,
            url: "https://bugzilla.redhat.com/show_bug.cgi?id=cve-2016-8610",
         },
         {
            trust: 1.8,
            url: "https://git.openssl.org/gitweb/?p=openssl.git%3ba=commit%3bh=af58be768ebb690f78530f796e92b8ae5c9a4401",
         },
         {
            trust: 1.8,
            url: "https://security.360.cn/cve/cve-2016-8610/",
         },
         {
            trust: 1.8,
            url: "https://security.netapp.com/advisory/ntap-20171130-0001/",
         },
         {
            trust: 1.8,
            url: "https://security.paloaltonetworks.com/cve-2016-8610",
         },
         {
            trust: 1.8,
            url: "https://www.oracle.com/security-alerts/cpuapr2020.html",
         },
         {
            trust: 1.8,
            url: "https://www.oracle.com/security-alerts/cpujan2020.html",
         },
         {
            trust: 1.8,
            url: "https://www.oracle.com/security-alerts/cpujul2020.html",
         },
         {
            trust: 1.8,
            url: "https://www.oracle.com/security-alerts/cpuoct2020.html",
         },
         {
            trust: 1.8,
            url: "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html",
         },
         {
            trust: 1.8,
            url: "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html",
         },
         {
            trust: 1.7,
            url: "https://support.hpe.com/hpsc/doc/public/display?doclocale=en_us&docid=emr_na-hpesbhf03897en_us",
         },
         {
            trust: 0.9,
            url: "https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=af58be768ebb690f78530f796e92b8ae5c9a4401",
         },
         {
            trust: 0.9,
            url: "https://securityadvisories.paloaltonetworks.com/home/detail/87",
         },
         {
            trust: 0.8,
            url: "https://nvd.nist.gov/vuln/detail/cve-2016-8610",
         },
         {
            trust: 0.6,
            url: "https://www.suse.com/support/update/announcement/2019/suse-su-20191553-1.html",
         },
         {
            trust: 0.6,
            url: "https://www.auscert.org.au/bulletins/esb-2019.2173/",
         },
         {
            trust: 0.5,
            url: "https://www.redhat.com/mailman/listinfo/rhsa-announce",
         },
         {
            trust: 0.5,
            url: "https://access.redhat.com/security/cve/cve-2016-8610",
         },
         {
            trust: 0.5,
            url: "https://bugzilla.redhat.com/):",
         },
         {
            trust: 0.5,
            url: "https://access.redhat.com/security/team/contact/",
         },
         {
            trust: 0.4,
            url: "https://access.redhat.com/articles/11258",
         },
         {
            trust: 0.4,
            url: "https://nvd.nist.gov/vuln/detail/cve-2016-7056",
         },
         {
            trust: 0.3,
            url: "http://openssl.org/",
         },
         {
            trust: 0.3,
            url: "http://aix.software.ibm.com/aix/efixes/security/openssl_advisory22.asc",
         },
         {
            trust: 0.3,
            url: "http://www-01.ibm.com/support/docview.wss?uid=swg21994867",
         },
         {
            trust: 0.3,
            url: "http://www-01.ibm.com/support/docview.wss?uid=swg21996760",
         },
         {
            trust: 0.3,
            url: "http://www-01.ibm.com/support/docview.wss?uid=swg21997209",
         },
         {
            trust: 0.3,
            url: "https://nvd.nist.gov/vuln/detail/cve-2017-3731",
         },
         {
            trust: 0.3,
            url: "https://access.redhat.com/security/team/key/",
         },
         {
            trust: 0.3,
            url: "https://access.redhat.com/security/updates/classification/#important",
         },
         {
            trust: 0.3,
            url: "https://access.redhat.com/security/cve/cve-2016-6304",
         },
         {
            trust: 0.3,
            url: "https://nvd.nist.gov/vuln/detail/cve-2016-6304",
         },
         {
            trust: 0.2,
            url: "https://access.redhat.com/security/updates/classification/#moderate",
         },
         {
            trust: 0.2,
            url: "https://access.redhat.com/security/cve/cve-2016-8740",
         },
         {
            trust: 0.2,
            url: "https://access.redhat.com/security/cve/cve-2016-0736",
         },
         {
            trust: 0.2,
            url: "https://nvd.nist.gov/vuln/detail/cve-2016-8743",
         },
         {
            trust: 0.2,
            url: "https://access.redhat.com/documentation/en/red-hat-jboss-core-services/",
         },
         {
            trust: 0.2,
            url: "https://access.redhat.com/security/cve/cve-2016-8743",
         },
         {
            trust: 0.2,
            url: "https://nvd.nist.gov/vuln/detail/cve-2016-2161",
         },
         {
            trust: 0.2,
            url: "https://nvd.nist.gov/vuln/detail/cve-2016-8740",
         },
         {
            trust: 0.2,
            url: "https://access.redhat.com/security/cve/cve-2016-7056",
         },
         {
            trust: 0.2,
            url: "https://nvd.nist.gov/vuln/detail/cve-2016-0736",
         },
         {
            trust: 0.2,
            url: "https://access.redhat.com/security/cve/cve-2016-2161",
         },
         {
            trust: 0.2,
            url: "https://nvd.nist.gov/vuln/detail/cve-2017-5337",
         },
         {
            trust: 0.2,
            url: "https://nvd.nist.gov/vuln/detail/cve-2017-5336",
         },
         {
            trust: 0.2,
            url: "https://nvd.nist.gov/vuln/detail/cve-2017-5335",
         },
         {
            trust: 0.1,
            url: "https://support.hpe.com/hpsc/doc/public/display?doclocale=en_us&amp;docid=emr_na-hpesbhf03897en_us",
         },
         {
            trust: 0.1,
            url: "https://cwe.mitre.org/data/definitions/400.html",
         },
         {
            trust: 0.1,
            url: "https://github.com/cujanovic/cve-2016-8610-poc",
         },
         {
            trust: 0.1,
            url: "https://nvd.nist.gov",
         },
         {
            trust: 0.1,
            url: "http://tools.cisco.com/security/center/viewalert.x?alertid=49575",
         },
         {
            trust: 0.1,
            url: "https://usn.ubuntu.com/3183-2/",
         },
         {
            trust: 0.1,
            url: "https://www.openssl.org/news/secadv/20170126.txt",
         },
         {
            trust: 0.1,
            url: "https://access.redhat.com/security/cve/cve-2017-3731",
         },
         {
            trust: 0.1,
            url: "https://issues.jboss.org/):",
         },
         {
            trust: 0.1,
            url: "https://access.redhat.com/jbossnetwork/restricted/listsoftware.html?product=core.service.apachehttp&downloadtype=securitypatches&version=2.4.23",
         },
         {
            trust: 0.1,
            url: "https://access.redhat.com/jbossnetwork/restricted/listsoftware.html?product=webserver&downloadtype=securitypatches&version=2.1.2",
         },
         {
            trust: 0.1,
            url: "https://access.redhat.com/security/cve/cve-2017-5664",
         },
         {
            trust: 0.1,
            url: "https://access.redhat.com/security/cve/cve-2017-5647",
         },
         {
            trust: 0.1,
            url: "https://nvd.nist.gov/vuln/detail/cve-2017-5647",
         },
         {
            trust: 0.1,
            url: "https://access.redhat.com/articles/3155411",
         },
         {
            trust: 0.1,
            url: "https://nvd.nist.gov/vuln/detail/cve-2017-5664",
         },
         {
            trust: 0.1,
            url: "https://www.debian.org/security/faq",
         },
         {
            trust: 0.1,
            url: "https://www.debian.org/security/",
         },
         {
            trust: 0.1,
            url: "https://access.redhat.com/security/cve/cve-2017-5337",
         },
         {
            trust: 0.1,
            url: "https://access.redhat.com/security/cve/cve-2017-5336",
         },
         {
            trust: 0.1,
            url: "https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/6.9_release_notes/index.html",
         },
         {
            trust: 0.1,
            url: "https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/6.9_technical_notes/index.html",
         },
         {
            trust: 0.1,
            url: "https://access.redhat.com/security/cve/cve-2017-5335",
         },
         {
            trust: 0.1,
            url: "https://nvd.nist.gov/vuln/detail/cve-2017-5334",
         },
         {
            trust: 0.1,
            url: "https://launchpad.net/ubuntu/+source/gnutls28/3.4.10-4ubuntu1.2",
         },
         {
            trust: 0.1,
            url: "http://www.ubuntu.com/usn/usn-3183-1",
         },
         {
            trust: 0.1,
            url: "https://launchpad.net/ubuntu/+source/gnutls26/2.12.23-12ubuntu2.6",
         },
         {
            trust: 0.1,
            url: "https://nvd.nist.gov/vuln/detail/cve-2016-7444",
         },
         {
            trust: 0.1,
            url: "https://launchpad.net/ubuntu/+source/gnutls28/3.5.3-5ubuntu1.1",
         },
         {
            trust: 0.1,
            url: "https://launchpad.net/ubuntu/+source/gnutls26/2.12.14-5ubuntu3.13",
         },
         {
            trust: 0.1,
            url: "https://launchpad.net/ubuntu/+source/openssl/1.0.2g-1ubuntu4.6",
         },
         {
            trust: 0.1,
            url: "https://launchpad.net/ubuntu/+source/openssl/1.0.2g-1ubuntu9.1",
         },
         {
            trust: 0.1,
            url: "https://launchpad.net/ubuntu/+source/openssl/1.0.1f-1ubuntu2.22",
         },
         {
            trust: 0.1,
            url: "https://nvd.nist.gov/vuln/detail/cve-2016-2177",
         },
         {
            trust: 0.1,
            url: "https://launchpad.net/ubuntu/+source/openssl/1.0.1-4ubuntu5.39",
         },
         {
            trust: 0.1,
            url: "http://www.ubuntu.com/usn/usn-3181-1",
         },
         {
            trust: 0.1,
            url: "https://nvd.nist.gov/vuln/detail/cve-2016-7055",
         },
         {
            trust: 0.1,
            url: "https://nvd.nist.gov/vuln/detail/cve-2017-3732",
         },
      ],
      sources: [
         {
            db: "VULHUB",
            id: "VHN-97430",
         },
         {
            db: "VULMON",
            id: "CVE-2016-8610",
         },
         {
            db: "BID",
            id: "93841",
         },
         {
            db: "PACKETSTORM",
            id: "141173",
         },
         {
            db: "PACKETSTORM",
            id: "142848",
         },
         {
            db: "PACKETSTORM",
            id: "142847",
         },
         {
            db: "PACKETSTORM",
            id: "143873",
         },
         {
            db: "PACKETSTORM",
            id: "140781",
         },
         {
            db: "PACKETSTORM",
            id: "141752",
         },
         {
            db: "PACKETSTORM",
            id: "140890",
         },
         {
            db: "PACKETSTORM",
            id: "140850",
         },
         {
            db: "CNNVD",
            id: "CNNVD-201610-726",
         },
         {
            db: "NVD",
            id: "CVE-2016-8610",
         },
      ],
   },
   sources: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/sources#",
         data: {
            "@container": "@list",
         },
      },
      data: [
         {
            db: "VULHUB",
            id: "VHN-97430",
         },
         {
            db: "VULMON",
            id: "CVE-2016-8610",
         },
         {
            db: "BID",
            id: "93841",
         },
         {
            db: "PACKETSTORM",
            id: "141173",
         },
         {
            db: "PACKETSTORM",
            id: "142848",
         },
         {
            db: "PACKETSTORM",
            id: "142847",
         },
         {
            db: "PACKETSTORM",
            id: "143873",
         },
         {
            db: "PACKETSTORM",
            id: "140781",
         },
         {
            db: "PACKETSTORM",
            id: "141752",
         },
         {
            db: "PACKETSTORM",
            id: "140890",
         },
         {
            db: "PACKETSTORM",
            id: "140850",
         },
         {
            db: "CNNVD",
            id: "CNNVD-201610-726",
         },
         {
            db: "NVD",
            id: "CVE-2016-8610",
         },
      ],
   },
   sources_release_date: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
         data: {
            "@container": "@list",
         },
      },
      data: [
         {
            date: "2017-11-13T00:00:00",
            db: "VULHUB",
            id: "VHN-97430",
         },
         {
            date: "2017-11-13T00:00:00",
            db: "VULMON",
            id: "CVE-2016-8610",
         },
         {
            date: "2016-10-24T00:00:00",
            db: "BID",
            id: "93841",
         },
         {
            date: "2017-02-20T22:47:10",
            db: "PACKETSTORM",
            id: "141173",
         },
         {
            date: "2017-06-07T22:47:57",
            db: "PACKETSTORM",
            id: "142848",
         },
         {
            date: "2017-06-07T22:47:43",
            db: "PACKETSTORM",
            id: "142847",
         },
         {
            date: "2017-08-22T05:28:16",
            db: "PACKETSTORM",
            id: "143873",
         },
         {
            date: "2017-01-30T16:58:54",
            db: "PACKETSTORM",
            id: "140781",
         },
         {
            date: "2017-03-21T14:50:40",
            db: "PACKETSTORM",
            id: "141752",
         },
         {
            date: "2017-02-02T02:05:34",
            db: "PACKETSTORM",
            id: "140890",
         },
         {
            date: "2017-02-01T00:36:45",
            db: "PACKETSTORM",
            id: "140850",
         },
         {
            date: "2016-10-25T00:00:00",
            db: "CNNVD",
            id: "CNNVD-201610-726",
         },
         {
            date: "2017-11-13T22:29:00.203000",
            db: "NVD",
            id: "CVE-2016-8610",
         },
      ],
   },
   sources_update_date: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
         data: {
            "@container": "@list",
         },
      },
      data: [
         {
            date: "2023-02-12T00:00:00",
            db: "VULHUB",
            id: "VHN-97430",
         },
         {
            date: "2023-02-12T00:00:00",
            db: "VULMON",
            id: "CVE-2016-8610",
         },
         {
            date: "2017-08-22T08:11:00",
            db: "BID",
            id: "93841",
         },
         {
            date: "2023-02-13T00:00:00",
            db: "CNNVD",
            id: "CNNVD-201610-726",
         },
         {
            date: "2024-11-21T02:59:39.983000",
            db: "NVD",
            id: "CVE-2016-8610",
         },
      ],
   },
   threat_type: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/threat_type#",
         sources: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/ref/sources#",
            },
         },
      },
      data: "remote",
      sources: [
         {
            db: "PACKETSTORM",
            id: "141173",
         },
         {
            db: "PACKETSTORM",
            id: "141752",
         },
         {
            db: "PACKETSTORM",
            id: "140890",
         },
         {
            db: "PACKETSTORM",
            id: "140850",
         },
         {
            db: "CNNVD",
            id: "CNNVD-201610-726",
         },
      ],
      trust: 1,
   },
   title: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/title#",
         sources: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/ref/sources#",
            },
         },
      },
      data: "OpenSSL Resource Management Error Vulnerability",
      sources: [
         {
            db: "CNNVD",
            id: "CNNVD-201610-726",
         },
      ],
      trust: 0.6,
   },
   type: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/type#",
         sources: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/ref/sources#",
            },
         },
      },
      data: "resource management error",
      sources: [
         {
            db: "CNNVD",
            id: "CNNVD-201610-726",
         },
      ],
      trust: 0.6,
   },
}

var-201806-0648
Vulnerability from variot

In Perl through 5.26.2, the Archive::Tar module allows remote attackers to bypass a directory-traversal protection mechanism, and overwrite arbitrary files, via an archive file containing a symlink and a regular file with the same name. Perl contains a path traversal vulnerability. Information may be tampered with. Perl is prone to a directory-traversal vulnerability because the application fails to sufficiently sanitize user-supplied input. Remote attackers may use a specially crafted request with directory-traversal sequences ('../') to retrieve arbitrary files from the affected system in the context of the application. Information obtained could aid in further attacks. (The vendor advisories quoted below describe the impact differently: files writable by the extracting user can be overwritten when a specially crafted archive is extracted.) Perl 5.26.2 and prior versions are vulnerable. Perl is a free and powerful cross-platform programming language developed by American programmer Larry Wall. A security vulnerability exists in the Archive::Tar module in Perl 5.26.2 and earlier. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256

====================================================================
Red Hat Security Advisory

Synopsis: Moderate: perl-Archive-Tar security update Advisory ID: RHSA-2019:2097-01 Product: Red Hat Enterprise Linux Advisory URL: https://access.redhat.com/errata/RHSA-2019:2097 Issue date: 2019-08-06 CVE Names: CVE-2018-12015 ==================================================================== 1. Summary:

An update for perl-Archive-Tar is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

  1. Relevant releases/architectures:

Red Hat Enterprise Linux Client (v. 7) - noarch Red Hat Enterprise Linux ComputeNode (v. 7) - noarch Red Hat Enterprise Linux Server (v. 7) - noarch Red Hat Enterprise Linux Workstation (v. 7) - noarch

Security Fix(es):

  • perl: Directory traversal in Archive::Tar (CVE-2018-12015)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.7 Release Notes linked from the References section.

  1. Solution:

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

  1. Package List:

Red Hat Enterprise Linux Client (v. 7):

Source: perl-Archive-Tar-1.92-3.el7.src.rpm

noarch: perl-Archive-Tar-1.92-3.el7.noarch.rpm

Red Hat Enterprise Linux ComputeNode (v. 7):

Source: perl-Archive-Tar-1.92-3.el7.src.rpm

noarch: perl-Archive-Tar-1.92-3.el7.noarch.rpm

Red Hat Enterprise Linux Server (v. 7):

Source: perl-Archive-Tar-1.92-3.el7.src.rpm

noarch: perl-Archive-Tar-1.92-3.el7.noarch.rpm

Red Hat Enterprise Linux Workstation (v. 7):

Source: perl-Archive-Tar-1.92-3.el7.src.rpm

noarch: perl-Archive-Tar-1.92-3.el7.noarch.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/

  1. References:

https://access.redhat.com/security/cve/CVE-2018-12015 https://access.redhat.com/security/updates/classification/#moderate https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html-single/7.7_release_notes/index

  1. Contact:

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/

Copyright 2019 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1

iQIVAwUBXUl4sdzjgjWX9erEAQi6mw//djhWEf/xKLvAzFGIg6vOsD6SI4LHGRCu t5wotZBi4U38ktEQ8QKBOKqZ1/69uvs3Y4h59aCcv1WU4BqbuWuW9ZAZoNadRieR tKy5CSroeWRoExQQPLTEiCCWWPavAi6zgLLoLAXm+XzJgds0gKEN7X61VqpxDBhh wksoovuhk9oljC3GVnJg7L5Z8aGDVVRv7wp1fBrJ9g5F6Dj0oQmxuhp4i581+2uZ Xqc+5NDMw0hw0REMym1YAzqQdUkW7UUR8AocEt3+D4IHqbTlCr2e8pFEvkFy2Rnd OPZixM33aKQMLej4AoNVCNr0VREcZRK2Eh36GCdCF3N/m9DqsqJWpW1AlqJotIbY V8VEv1JYf5Na/+NhNMrpeIbsFEoIpNTO2FLVUMEOlJRqIEJsBndGNMgukV2sMqtS 1qpGSlUJ6FN8SE0h08bCAyokMAHtRtx4sVrtpdWgg8lw5sauCeefxwAkJESdxGj0 ZRleyq0oEkwxpX2PhpWNqMLTb8oNhEMJ2IgIAGkdya8flqkJq/EMRieqHfeuXwvE IKT/kfjqKRoF9GthCdtzb5/oRlCwyGbgZZyji47ToMrZIZgaz9ZBS7/L3BPqkr6S fu/W8z7j3Q2Y8/ICOfcdcI2xH98UUcr0WkRUUt0EyA9XeyZKrPzzwsOgyTZpITYA gSxbbqDK1oQ=+IUg -----END PGP SIGNATURE-----

-- RHSA-announce mailing list RHSA-announce@redhat.com https://www.redhat.com/mailman/listinfo/rhsa-announce . ========================================================================== Ubuntu Security Notice USN-3684-2 June 13, 2018

perl vulnerability

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 12.04 ESM

Summary:

Perl could be made to overwrite arbitrary files if it received a specially crafted archive file.

Software Description: - perl: Practical Extraction and Report Language

Details:

USN-3684-1 fixed a vulnerability in perl. This update provides the corresponding update for Ubuntu 12.04 ESM.

Original advisory details:

It was discovered that Perl incorrectly handled certain archive files. An attacker could possibly use this to overwrite arbitrary files.

Update instructions:

The problem can be corrected by updating your system to the following package versions:

Ubuntu 12.04 ESM: perl 5.14.2-6ubuntu2.8

In general, a standard system update will make all the necessary changes. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512

Debian Security Advisory DSA-4226-1 security@debian.org https://www.debian.org/security/ Salvatore Bonaccorso June 12, 2018 https://www.debian.org/security/faq

Package : perl CVE ID : CVE-2018-12015 Debian Bug : 900834

Jakub Wilk discovered a directory traversal flaw in the Archive::Tar module, allowing an attacker to overwrite any file writable by the extracting user via a specially crafted tar archive.

For the oldstable distribution (jessie), this problem has been fixed in version 5.20.2-3+deb8u11.

For the stable distribution (stretch), this problem has been fixed in version 5.24.1-3+deb9u4.

We recommend that you upgrade your perl packages. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256

APPLE-SA-2019-3-25-2 macOS Mojave 10.14.4, Security Update 2019-002 High Sierra, Security Update 2019-002 Sierra

macOS Mojave 10.14.4, Security Update 2019-002 High Sierra, Security Update 2019-002 Sierra are now available and address the following:

AppleGraphicsControl Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, macOS Mojave 10.14.3 Impact: A malicious application may be able to execute arbitrary code with kernel privileges Description: A buffer overflow was addressed with improved size validation. CVE-2019-8555: Zhiyi Zhang of 360 ESG Codesafe Team, Zhuo Liang and shrek_wzw of Qihoo 360 Nirvan Team

Bom Available for: macOS Mojave 10.14.3 Impact: A malicious application may bypass Gatekeeper checks Description: This issue was addressed with improved handling of file metadata. CVE-2019-6239: Ian Moorhouse and Michael Trimm

CFString Available for: macOS Mojave 10.14.3 Impact: Processing a maliciously crafted string may lead to a denial of service Description: A validation issue was addressed with improved logic. CVE-2019-8516: SWIPS Team of Frifee Inc.

configd Available for: macOS Mojave 10.14.3 Impact: A malicious application may be able to elevate privileges Description: A memory initialization issue was addressed with improved memory handling. CVE-2019-8552: Mohamed Ghannam (@_simo36)

Contacts Available for: macOS Mojave 10.14.3 Impact: A malicious application may be able to elevate privileges Description: A buffer overflow issue was addressed with improved memory handling. CVE-2019-8511: an anonymous researcher

CoreCrypto Available for: macOS Mojave 10.14.3 Impact: A malicious application may be able to elevate privileges Description: A buffer overflow was addressed with improved bounds checking. CVE-2019-8542: an anonymous researcher

DiskArbitration Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, macOS Mojave 10.14.3 Impact: An encrypted volume may be unmounted and remounted by a different user without prompting for the password Description: A logic issue was addressed with improved state management. CVE-2019-8522: Colin Meginnis (@falc420)

FaceTime Available for: macOS Mojave 10.14.3 Impact: A user's video may not be paused in a FaceTime call if they exit the FaceTime app while the call is ringing Description: An issue existed in the pausing of FaceTime video. The issue was resolved with improved logic. CVE-2019-8550: Lauren Guzniczak of Keystone Academy

Feedback Assistant Available for: macOS Mojave 10.14.3 Impact: A malicious application may be able to gain root privileges Description: A race condition was addressed with additional validation. CVE-2019-8565: CodeColorist of Ant-Financial LightYear Labs

Feedback Assistant Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, macOS Mojave 10.14.3 Impact: A malicious application may be able to overwrite arbitrary files Description: This issue was addressed with improved checks. CVE-2019-8521: CodeColorist of Ant-Financial LightYear Labs

file Available for: macOS Mojave 10.14.3 Impact: Processing a maliciously crafted file might disclose user information Description: An out-of-bounds read was addressed with improved bounds checking. CVE-2019-6237: an anonymous researcher

Graphics Drivers Available for: macOS Mojave 10.14.3 Impact: An application may be able to read restricted memory Description: An out-of-bounds read was addressed with improved bounds checking. CVE-2019-8519: Aleksandr Tarasikov (@astarasikov), Juwei Lin (@panicaII) and Junzhi Lu of Trend Micro Research working with Trend Micro's Zero Day Initiative

iAP Available for: macOS Mojave 10.14.3 Impact: A malicious application may be able to elevate privileges Description: A buffer overflow was addressed with improved bounds checking. CVE-2019-8542: an anonymous researcher

IOGraphics Available for: macOS Mojave 10.14.3 Impact: A Mac may not lock when disconnecting from an external monitor Description: A lock handling issue was addressed with improved lock handling. CVE-2019-8533: an anonymous researcher, James Eagan of Télécom ParisTech, R. Scott Kemp of MIT, Romke van Dijk of Z-CERT

IOHIDFamily Available for: macOS Mojave 10.14.3 Impact: A local user may be able to cause unexpected system termination or read kernel memory Description: A memory corruption issue was addressed with improved state management. CVE-2019-8545: Adam Donenfeld (@doadam) of the Zimperium zLabs Team

IOKit Available for: macOS High Sierra 10.13.6, macOS Mojave 10.14.3 Impact: A local user may be able to read kernel memory Description: A memory initialization issue was addressed with improved memory handling. CVE-2019-8504: an anonymous researcher

IOKit SCSI Available for: macOS High Sierra 10.13.6, macOS Mojave 10.14.3 Impact: An application may be able to execute arbitrary code with kernel privileges Description: A memory corruption issue was addressed with improved input validation. CVE-2019-8529: Juwei Lin (@panicaII) of Trend Micro

Kernel Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, macOS Mojave 10.14.3 Impact: A remote attacker may be able to cause unexpected system termination or corrupt kernel memory Description: A buffer overflow was addressed with improved size validation. CVE-2019-8527: Ned Williamson of Google and derrek (@derrekr6)

Kernel Available for: macOS Sierra 10.12.6, macOS Mojave 10.14.3 Impact: Mounting a maliciously crafted NFS network share may lead to arbitrary code execution with system privileges Description: A buffer overflow was addressed with improved bounds checking. CVE-2019-8508: Dr. Silvio Cesare of InfoSect

Kernel Available for: macOS Mojave 10.14.3 Impact: An application may be able to gain elevated privileges Description: A logic issue was addressed with improved state management. CVE-2019-8514: Samuel Groß of Google Project Zero

Kernel Available for: macOS Sierra 10.12.6, macOS Mojave 10.14.3 Impact: A malicious application may be able to determine kernel memory layout Description: A memory initialization issue was addressed with improved memory handling. CVE-2019-8540: Weibo Wang (@ma1fan) of Qihoo 360 Nirvan Team

Kernel Available for: macOS Mojave 10.14.3 Impact: A local user may be able to read kernel memory Description: A memory corruption issue was addressed with improved memory handling. CVE-2019-7293: Ned Williamson of Google

Kernel Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, macOS Mojave 10.14.3 Impact: A malicious application may be able to determine kernel memory layout Description: An out-of-bounds read issue existed that led to the disclosure of kernel memory. This was addressed with improved input validation. CVE-2019-6207: Weibo Wang of Qihoo 360 Nirvan Team (@ma1fan) CVE-2019-8510: Stefan Esser of Antid0te UG

Messages Available for: macOS Mojave 10.14.3 Impact: A local user may be able to view sensitive user information Description: An access issue was addressed with additional sandbox restrictions. CVE-2019-8546: ChiYuan Chang

Notes Available for: macOS Mojave 10.14.3 Impact: A local user may be able to view a user's locked notes Description: An access issue was addressed with improved memory management. CVE-2019-8537: Greg Walker (gregwalker.us)

PackageKit Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, macOS Mojave 10.14.3 Impact: A malicious application may be able to elevate privileges Description: A logic issue was addressed with improved validation. CVE-2019-8561: Jaron Bradley of Crowdstrike

Perl Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, macOS Mojave 10.14.3 Impact: Multiple issues in Perl Description: Multiple issues in Perl were addressed in this update. CVE-2018-12015: Jakub Wilk CVE-2018-18311: Jayakrishna Menon CVE-2018-18313: Eiichi Tsukata

Power Management Available for: macOS Mojave 10.14.3 Impact: A malicious application may be able to execute arbitrary code with system privileges Description: Multiple input validation issues existed in MIG generated code. These issues were addressed with improved validation. CVE-2019-8549: Mohamed Ghannam (@_simo36) of SSD Secure Disclosure (ssd-disclosure.com)

QuartzCore Available for: macOS Mojave 10.14.3 Impact: Processing malicious data may lead to unexpected application termination Description: Multiple memory corruption issues were addressed with improved input validation. CVE-2019-8507: Kai Lu of Fortinet's FortiGuard Labs

Security Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, macOS Mojave 10.14.3 Impact: An application may be able to gain elevated privileges Description: A use after free issue was addressed with improved memory management. CVE-2019-8526: Linus Henze (pinauten.de)

Security Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, macOS Mojave 10.14.3 Impact: A malicious application may be able to read restricted memory Description: An out-of-bounds read was addressed with improved bounds checking. CVE-2019-8520: Antonio Groza, The UK's National Cyber Security Centre (NCSC)

Siri Available for: macOS Mojave 10.14.3 Impact: A malicious application may be able to initiate a Dictation request without user authorization Description: An API issue existed in the handling of dictation requests. This issue was addressed with improved validation. CVE-2019-8502: Luke Deshotels of North Carolina State University, Jordan Beichler of North Carolina State University, William Enck of North Carolina State University, Costin Carabaș of University POLITEHNICA of Bucharest, and Răzvan Deaconescu of University POLITEHNICA of Bucharest

Time Machine Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, macOS Mojave 10.14.3 Impact: A local user may be able to execute arbitrary shell commands Description: This issue was addressed with improved checks. CVE-2019-8513: CodeColorist of Ant-Financial LightYear Labs

TrueTypeScaler Available for: macOS Mojave 10.14.3 Impact: Processing a maliciously crafted font may result in the disclosure of process memory Description: An out-of-bounds read was addressed with improved bounds checking. CVE-2019-8517: riusksk of VulWar Corp working with Trend Micro Zero Day Initiative

XPC Available for: macOS Sierra 10.12.6, macOS Mojave 10.14.3 Impact: A malicious application may be able to overwrite arbitrary files Description: This issue was addressed with improved checks. CVE-2019-8530: CodeColorist of Ant-Financial LightYear Labs

Additional recognition

Accounts We would like to acknowledge Milan Stute of Secure Mobile Networking Lab at Technische Universität Darmstadt for their assistance.

Books We would like to acknowledge Yiğit Can YILMAZ (@yilmazcanyigit) for their assistance.

Kernel We would like to acknowledge Brandon Azad of Google Project Zero for their assistance.

Mail We would like to acknowledge Craig Young of Tripwire VERT and Hanno Böck for their assistance.

Time Machine We would like to acknowledge CodeColorist of Ant-Financial LightYear Labs for their assistance.

Installation note:

macOS Mojave 10.14.4, Security Update 2019-002 High Sierra, Security Update 2019-002 Sierra may be obtained from the Mac App Store or Apple's Software Downloads web site: https://support.apple.com/downloads/

Information will also be posted to the Apple Security Updates web site: https://support.apple.com/kb/HT201222

This message is signed with Apple's Product Security PGP key, and details are available at: https://www.apple.com/support/security/pgp/
-----BEGIN PGP SIGNATURE-----

iQJdBAEBCABHFiEEDNXJVNCJJEAVmJdZeC9tht7TK3EFAlyZWQgpHHByb2R1Y3Qt c2VjdXJpdHktbm9yZXBseUBsaXN0cy5hcHBsZS5jb20ACgkQeC9tht7TK3E4zA/9 FvnChJHCmmH34DmCi+LGXO/fatCVVvvSHDWm1+bPjl8CeYcF+zZYACkQKxFoNpDT vyiBJnNveCQEHeBvqSyRF8dfsTf4fr0MrFS1uIQVRPf2St6fZ27vDnC6fg269r0D Eqnz0raFUa3bLUirteRMJwAqdGaVKwsNzM13qP4QEdrB14XkwZA0yQBunltFYU33 iAesKeejDLdhwkjfhmmjTlVPZmnABx2ZCfj2v7TiPxTOjfYbXcN8sY2LDHEOWNaM ucrGBMfGH/ehStXAsIArwcLGOl6SI+6JywWVcm9lG6jUHSeSk9BPF6R4JzGrEHZB sSo87+U8b63KA2GkYecwh6xvE5EchQku/fj0d2zbOlg+T2bMbyc6Al2nefsYnX5p 7BuhdZxqq3m3Gme2qRY0eye6wch1BTHhK+zctrVH2XeMaUpeanopVRI8AD+hZJ1J +9oQX8kSa7hzJYPmohA4Wi/Rp9FpKpgXYNBn1A9DgSAvf+eyfWJX0aZXmQZfn/k7 OLz3EmSKvXv0i67L9g2XYeX7GFBMqf4xWeztKLUYFafu73t1mTxZJICcYeTxebS0 zBJdkOHwP9GxsSonblDgPScQPdW85l0fangn7qqiexCVp4JsCGBc0Wuy1lc+MyzS 1YmrDRhRl4aYOf4UGgtKI6ncvM77Y30ECPV3A6vl+wk= =QV0f -----END PGP SIGNATURE-----



{
   "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
      affected_products: {
         "@id": "https://www.variotdbs.pl/ref/affected_products",
      },
      configurations: {
         "@id": "https://www.variotdbs.pl/ref/configurations",
      },
      credits: {
         "@id": "https://www.variotdbs.pl/ref/credits",
      },
      cvss: {
         "@id": "https://www.variotdbs.pl/ref/cvss/",
      },
      description: {
         "@id": "https://www.variotdbs.pl/ref/description/",
      },
      exploit_availability: {
         "@id": "https://www.variotdbs.pl/ref/exploit_availability/",
      },
      external_ids: {
         "@id": "https://www.variotdbs.pl/ref/external_ids/",
      },
      iot: {
         "@id": "https://www.variotdbs.pl/ref/iot/",
      },
      iot_taxonomy: {
         "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/",
      },
      patch: {
         "@id": "https://www.variotdbs.pl/ref/patch/",
      },
      problemtype_data: {
         "@id": "https://www.variotdbs.pl/ref/problemtype_data/",
      },
      references: {
         "@id": "https://www.variotdbs.pl/ref/references/",
      },
      sources: {
         "@id": "https://www.variotdbs.pl/ref/sources/",
      },
      sources_release_date: {
         "@id": "https://www.variotdbs.pl/ref/sources_release_date/",
      },
      sources_update_date: {
         "@id": "https://www.variotdbs.pl/ref/sources_update_date/",
      },
      threat_type: {
         "@id": "https://www.variotdbs.pl/ref/threat_type/",
      },
      title: {
         "@id": "https://www.variotdbs.pl/ref/title/",
      },
      type: {
         "@id": "https://www.variotdbs.pl/ref/type/",
      },
   },
   "@id": "https://www.variotdbs.pl/vuln/VAR-201806-0648",
   affected_products: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/affected_products#",
         data: {
            "@container": "@list",
         },
         sources: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/ref/sources#",
            },
            "@id": "https://www.variotdbs.pl/ref/sources",
         },
      },
      data: [
         {
            model: "ubuntu linux",
            scope: "eq",
            trust: 1.6,
            vendor: "canonical",
            version: "16.04",
         },
         {
            model: "ubuntu linux",
            scope: "eq",
            trust: 1,
            vendor: "canonical",
            version: "12.04",
         },
         {
            model: "ubuntu linux",
            scope: "eq",
            trust: 1,
            vendor: "canonical",
            version: "14.04",
         },
         {
            model: "ubuntu linux",
            scope: "eq",
            trust: 1,
            vendor: "canonical",
            version: "17.10",
         },
         {
            model: "snapdrive",
            scope: "eq",
            trust: 1,
            vendor: "netapp",
            version: null,
         },
         {
            model: "oncommand workflow automation",
            scope: "eq",
            trust: 1,
            vendor: "netapp",
            version: null,
         },
         {
            model: "linux",
            scope: "eq",
            trust: 1,
            vendor: "debian",
            version: "8.0",
         },
         {
            model: "mac os x",
            scope: "lt",
            trust: 1,
            vendor: "apple",
            version: "10.14.4",
         },
         {
            model: "archive\\:\\:tar",
            scope: "lte",
            trust: 1,
            vendor: "archive tar",
            version: "2.28",
         },
         {
            model: "ubuntu linux",
            scope: "eq",
            trust: 1,
            vendor: "canonical",
            version: "18.04",
         },
         {
            model: "data ontap edge",
            scope: "eq",
            trust: 1,
            vendor: "netapp",
            version: null,
         },
         {
            model: "perl",
            scope: "lte",
            trust: 1,
            vendor: "perl",
            version: "5.26.2",
         },
         {
            model: "linux",
            scope: "eq",
            trust: 1,
            vendor: "debian",
            version: "9.0",
         },
         {
            model: "snap creator framework",
            scope: "eq",
            trust: 1,
            vendor: "netapp",
            version: null,
         },
         {
            model: "archive::tar",
            scope: null,
            trust: 0.8,
            vendor: "archive tar",
            version: null,
         },
         {
            model: "ubuntu",
            scope: null,
            trust: 0.8,
            vendor: "canonical",
            version: null,
         },
         {
            model: "gnu/linux",
            scope: null,
            trust: 0.8,
            vendor: "debian",
            version: null,
         },
         {
            model: "perl",
            scope: "lte",
            trust: 0.8,
            vendor: "the perl",
            version: "5.26.2",
         },
         {
            model: "perl",
            scope: "eq",
            trust: 0.3,
            vendor: "perl",
            version: "5.14",
         },
         {
            model: "perl",
            scope: "eq",
            trust: 0.3,
            vendor: "perl",
            version: "2.6.6",
         },
         {
            model: "perl",
            scope: "eq",
            trust: 0.3,
            vendor: "perl",
            version: "0.64",
         },
         {
            model: "perl",
            scope: "eq",
            trust: 0.3,
            vendor: "perl",
            version: "2.7.2",
         },
         {
            model: "perl",
            scope: "eq",
            trust: 0.3,
            vendor: "perl",
            version: "5.20.1",
         },
         {
            model: "perl",
            scope: "eq",
            trust: 0.3,
            vendor: "perl",
            version: "5.13.7",
         },
         {
            model: "perl",
            scope: "eq",
            trust: 0.3,
            vendor: "perl",
            version: "2.2.0",
         },
         {
            model: "perl",
            scope: "eq",
            trust: 0.3,
            vendor: "perl",
            version: "2.18",
         },
         {
            model: "perl",
            scope: "eq",
            trust: 0.3,
            vendor: "perl",
            version: "5",
         },
         {
            model: "perl",
            scope: "eq",
            trust: 0.3,
            vendor: "perl",
            version: "2.9.0",
         },
         {
            model: "perl",
            scope: "eq",
            trust: 0.3,
            vendor: "perl",
            version: "0.52",
         },
         {
            model: "perl",
            scope: "eq",
            trust: 0.3,
            vendor: "perl",
            version: "2.6.3",
         },
         {
            model: "perl",
            scope: "eq",
            trust: 0.3,
            vendor: "perl",
            version: "0.96",
         },
         {
            model: "perl",
            scope: "eq",
            trust: 0.3,
            vendor: "perl",
            version: "2.14.1",
         },
         {
            model: "perl",
            scope: "eq",
            trust: 0.3,
            vendor: "perl",
            version: "1.31",
         },
         {
            model: "perl",
            scope: "eq",
            trust: 0.3,
            vendor: "perl",
            version: "0.62",
         },
         {
            model: "perl",
            scope: "eq",
            trust: 0.3,
            vendor: "perl",
            version: "2.3.0",
         },
         {
            model: "perl",
            scope: "eq",
            trust: 0.3,
            vendor: "perl",
            version: "0.61",
         },
         {
            model: "perl",
            scope: "eq",
            trust: 0.3,
            vendor: "perl",
            version: "5.14.3",
         },
         {
            model: "perl",
            scope: "eq",
            trust: 0.3,
            vendor: "perl",
            version: "5.16",
         },
         {
            model: "perl",
            scope: "eq",
            trust: 0.3,
            vendor: "perl",
            version: "2.11.7",
         },
         {
            model: "perl",
            scope: "eq",
            trust: 0.3,
            vendor: "perl",
            version: "5.26.2",
         },
         {
            model: "perl",
            scope: "eq",
            trust: 0.3,
            vendor: "perl",
            version: "2.16.1",
         },
         {
            model: "perl",
            scope: "eq",
            trust: 0.3,
            vendor: "perl",
            version: "2.10.1",
         },
         {
            model: "perl",
            scope: "eq",
            trust: 0.3,
            vendor: "perl",
            version: "5.8.3",
         },
         {
            model: "perl",
            scope: "eq",
            trust: 0.3,
            vendor: "perl",
            version: "2.11.6",
         },
         {
            model: "perl",
            scope: "eq",
            trust: 0.3,
            vendor: "perl",
            version: "5.13.8",
         },
         {
            model: "perl",
            scope: "eq",
            trust: 0.3,
            vendor: "perl",
            version: "5.13.0",
         },
         {
            model: "perl",
            scope: "eq",
            trust: 0.3,
            vendor: "perl",
            version: "2.7.0",
         },
         {
            model: "perl",
            scope: "eq",
            trust: 0.3,
            vendor: "perl",
            version: "1.01",
         },
         {
            model: "perl",
            scope: "eq",
            trust: 0.3,
            vendor: "perl",
            version: "0.66",
         },
         {
            model: "perl",
            scope: "eq",
            trust: 0.3,
            vendor: "perl",
            version: "2.10.5",
         },
         {
            model: "perl",
            scope: "eq",
            trust: 0.3,
            vendor: "perl",
            version: "5.11.3",
         },
         {
            model: "perl",
            scope: "eq",
            trust: 0.3,
            vendor: "perl",
            version: "2.1.0",
         },
         {
            model: "perl",
            scope: "eq",
            trust: 0.3,
            vendor: "perl",
            version: "2.8.2",
         },
         {
            model: "perl",
            scope: "eq",
            trust: 0.3,
            vendor: "perl",
            version: "5.20",
         },
         {
            model: "perl",
            scope: "eq",
            trust: 0.3,
            vendor: "perl",
            version: "5.6.1",
         },
         {
            model: "perl",
            scope: "eq",
            trust: 0.3,
            vendor: "perl",
            version: "2.1.2",
         },
         {
            model: "perl",
            scope: "eq",
            trust: 0.3,
            vendor: "perl",
            version: "2.10.6",
         },
         {
            model: "perl",
            scope: "eq",
            trust: 0.3,
            vendor: "perl",
            version: "1.21",
         },
         {
            model: "perl",
            scope: "eq",
            trust: 0.3,
            vendor: "perl",
            version: "2.6.0",
         },
         {
            model: "perl",
            scope: "eq",
            trust: 0.3,
            vendor: "perl",
            version: "0.73",
         },
         {
            model: "perl",
            scope: "eq",
            trust: 0.3,
            vendor: "perl",
            version: "2.8.8",
         },
         {
            model: "perl",
            scope: "eq",
            trust: 0.3,
            vendor: "perl",
            version: "2.15",
         },
         {
            model: "perl",
            scope: "eq",
            trust: 0.3,
            vendor: "perl",
            version: "1.47",
         },
         {
            model: "perl",
            scope: "eq",
            trust: 0.3,
            vendor: "perl",
            version: "2.17.2",
         },
         {
            model: "perl",
            scope: "eq",
            trust: 0.3,
            vendor: "perl",
            version: "1.43",
         },
         {
            model: "perl",
            scope: "eq",
            trust: 0.3,
            vendor: "perl",
            version: "5.18.2",
         },
         {
            model: "perl",
            scope: "eq",
            trust: 0.3,
            vendor: "perl",
            version: "5.8.4",
         },
         {
            model: "perl",
            scope: "eq",
            trust: 0.3,
            vendor: "perl",
            version: "5.12.2",
         },
         {
            model: "perl",
            scope: "eq",
            trust: 0.3,
            vendor: "perl",
            version: "0.2",
         },
         {
            model: "perl",
            scope: "eq",
            trust: 0.3,
            vendor: "perl",
            version: "5.22.1",
         },
         {
            model: "perl",
            scope: "eq",
            trust: 0.3,
            vendor: "perl",
            version: "0.93",
         },
         {
            model: "perl",
            scope: "eq",
            trust: 0.3,
            vendor: "perl",
            version: "5.26",
         },
         {
            model: "perl",
            scope: "eq",
            trust: 0.3,
            vendor: "perl",
            version: "5.16.2",
         },
         {
            model: "perl",
            scope: "eq",
            trust: 0.3,
            vendor: "perl",
            version: "1.22",
         },
         {
            model: "perl",
            scope: "eq",
            trust: 0.3,
            vendor: "perl",
            version: "2.10.4",
         },
         {
            model: "perl",
            scope: "eq",
            trust: 0.3,
            vendor: "perl",
            version: "0.89",
         },
         {
            model: "perl",
            scope: "eq",
            trust: 0.3,
            vendor: "perl",
            version: "0.71",
         },
         {
            model: "perl",
            scope: "eq",
            trust: 0.3,
            vendor: "perl",
            version: "2.18.1",
         },
         {
            model: "perl",
            scope: "eq",
            trust: 0.3,
            vendor: "perl",
            version: "1.48",
         },
         {
            model: "perl",
            scope: "eq",
            trust: 0.3,
            vendor: "perl",
            version: "0.67",
         },
         {
            model: "perl",
            scope: "eq",
            trust: 0.3,
            vendor: "perl",
            version: "5.11.1",
         },
         {
            model: "perl",
            scope: "eq",
            trust: 0.3,
            vendor: "perl",
            version: "2.6.2",
         },
         {
            model: "perl",
            scope: "eq",
            trust: 0.3,
            vendor: "perl",
            version: "2.11.8",
         },
         {
            model: "perl",
            scope: "eq",
            trust: 0.3,
            vendor: "perl",
            version: "5.6",
         },
         {
            model: "perl",
            scope: "eq",
            trust: 0.3,
            vendor: "perl",
            version: "0.90",
         },
         {
            model: "perl",
            scope: "eq",
            trust: 0.3,
            vendor: "perl",
            version: "2.8.4",
         },
         {
            model: "perl",
            scope: "eq",
            trust: 0.3,
            vendor: "perl",
            version: "2.11.0",
         },
         {
            model: "perl",
            scope: "eq",
            trust: 0.3,
            vendor: "perl",
            version: "2.4.0",
         },
         {
            model: "perl",
            scope: "eq",
            trust: 0.3,
            vendor: "perl",
            version: "2.15.1",
         },
         {
            model: "perl",
            scope: "eq",
            trust: 0.3,
            vendor: "perl",
            version: "2.10.0",
         },
         {
            model: "perl",
            scope: "eq",
            trust: 0.3,
            vendor: "perl",
            version: "5.13.4",
         },
         {
            model: "rc1",
            scope: "eq",
            trust: 0.3,
            vendor: "perl",
            version: "5.10.0",
         },
         {
            model: "perl",
            scope: "eq",
            trust: 0.3,
            vendor: "perl",
            version: "0.92",
         },
         {
            model: "perl",
            scope: "eq",
            trust: 0.3,
            vendor: "perl",
            version: "5.8.8",
         },
         {
            model: "perl",
            scope: "eq",
            trust: 0.3,
            vendor: "perl",
            version: "2.2.1",
         },
         {
            model: "perl",
            scope: "eq",
            trust: 0.3,
            vendor: "perl",
            version: "0.85",
         },
         {
            model: "perl",
            scope: "eq",
            trust: 0.3,
            vendor: "perl",
            version: "1.49",
         },
         {
            model: "perl",
            scope: "eq",
            trust: 0.3,
            vendor: "perl",
            version: "0.88",
         },
         {
            model: "perl",
            scope: "eq",
            trust: 0.3,
            vendor: "perl",
            version: "0.80",
         },
         {
            model: "perl",
            scope: "eq",
            trust: 0.3,
            vendor: "perl",
            version: "0.68",
         },
         {
            model: "perl",
            scope: "eq",
            trust: 0.3,
            vendor: "perl",
            version: "5.8.2",
         },
         {
            model: "perl",
            scope: "eq",
            trust: 0.3,
            vendor: "perl",
            version: "5.8.1",
         },
         {
            model: "perl",
            scope: "eq",
            trust: 0.3,
            vendor: "perl",
            version: "5.13.2",
         },
         {
            model: "perl",
            scope: "eq",
            trust: 0.3,
            vendor: "perl",
            version: "2.11.4",
         },
         {
            model: "perl",
            scope: "eq",
            trust: 0.3,
            vendor: "perl",
            version: "0.63",
         },
         {
            model: "perl",
            scope: "eq",
            trust: 0.3,
            vendor: "perl",
            version: "0.5",
         },
         {
            model: "perl",
            scope: "eq",
            trust: 0.3,
            vendor: "perl",
            version: "2.5.0",
         },
         {
            model: "perl",
            scope: "eq",
            trust: 0.3,
            vendor: "perl",
            version: "5.8.5",
         },
         {
            model: "perl",
            scope: "eq",
            trust: 0.3,
            vendor: "perl",
            version: "2.11.3",
         },
         {
            model: "perl",
            scope: "eq",
            trust: 0.3,
            vendor: "perl",
            version: "0.83",
         },
         {
            model: "perl",
            scope: "eq",
            trust: 0.3,
            vendor: "perl",
            version: "0.86",
         },
         {
            model: "perl",
            scope: "eq",
            trust: 0.3,
            vendor: "perl",
            version: "0.3",
         },
         {
            model: "perl",
            scope: "eq",
            trust: 0.3,
            vendor: "perl",
            version: "0.87",
         },
         {
            model: "perl",
            scope: "eq",
            trust: 0.3,
            vendor: "perl",
            version: "5.9.2",
         },
         {
            model: "perl",
            scope: "eq",
            trust: 0.3,
            vendor: "perl",
            version: "0.65",
         },
         {
            model: "perl",
            scope: "eq",
            trust: 0.3,
            vendor: "perl",
            version: "2.10.2",
         },
         {
            model: "perl",
            scope: "eq",
            trust: 0.3,
            vendor: "perl",
            version: "2.13.0",
         },
         {
            model: "perl",
            scope: "eq",
            trust: 0.3,
            vendor: "perl",
            version: "0.84",
         },
         {
            model: "perl",
            scope: "eq",
            trust: 0.3,
            vendor: "perl",
            version: "0.4",
         },
         {
            model: "perl",
            scope: "eq",
            trust: 0.3,
            vendor: "perl",
            version: "5.24.3",
         },
         {
            model: "perl",
            scope: "eq",
            trust: 0.3,
            vendor: "perl",
            version: "5.13.11",
         },
         {
            model: "perl",
            scope: "eq",
            trust: 0.3,
            vendor: "perl",
            version: "5.12.3",
         },
         {
            model: "perl",
            scope: "eq",
            trust: 0.3,
            vendor: "perl",
            version: "0.91",
         },
         {
            model: "perl",
            scope: "eq",
            trust: 0.3,
            vendor: "perl",
            version: "0.99",
         },
         {
            model: "perl",
            scope: "eq",
            trust: 0.3,
            vendor: "perl",
            version: "5.8.7",
         },
         {
            model: "perl",
            scope: "eq",
            trust: 0.3,
            vendor: "perl",
            version: "5.20.2",
         },
         {
            model: "perl",
            scope: "eq",
            trust: 0.3,
            vendor: "perl",
            version: "5.24",
         },
         {
            model: "perl",
            scope: "eq",
            trust: 0.3,
            vendor: "perl",
            version: "5.10",
         },
         {
            model: "perl",
            scope: "eq",
            trust: 0.3,
            vendor: "perl",
            version: "0.97",
         },
         {
            model: "perl",
            scope: "eq",
            trust: 0.3,
            vendor: "perl",
            version: "5.11",
         },
         {
            model: "perl",
            scope: "eq",
            trust: 0.3,
            vendor: "perl",
            version: "2.6.5",
         },
         {
            model: "perl",
            scope: "eq",
            trust: 0.3,
            vendor: "perl",
            version: "2.9.2",
         },
         {
            model: "perl",
            scope: "eq",
            trust: 0.3,
            vendor: "perl",
            version: "2.8.7",
         },
         {
            model: "perl",
            scope: "eq",
            trust: 0.3,
            vendor: "perl",
            version: "2.2.2",
         },
         {
            model: "perl",
            scope: "eq",
            trust: 0.3,
            vendor: "perl",
            version: "5.13.6",
         },
         {
            model: "perl",
            scope: "eq",
            trust: 0.3,
            vendor: "perl",
            version: "1.44",
         },
         {
            model: "perl",
            scope: "eq",
            trust: 0.3,
            vendor: "perl",
            version: "2.8.1",
         },
         {
            model: "perl",
            scope: "eq",
            trust: 0.3,
            vendor: "perl",
            version: "0.81",
         },
         {
            model: "perl",
            scope: "eq",
            trust: 0.3,
            vendor: "perl",
            version: "0.98",
         },
         {
            model: "perl",
            scope: "eq",
            trust: 0.3,
            vendor: "perl",
            version: "2.7.1",
         },
         {
            model: "perl",
            scope: "eq",
            trust: 0.3,
            vendor: "perl",
            version: "5.11.4",
         },
         {
            model: "perl",
            scope: "eq",
            trust: 0.3,
            vendor: "perl",
            version: "0.94",
         },
         {
            model: "perl",
            scope: "eq",
            trust: 0.3,
            vendor: "perl",
            version: "5.16.1",
         },
         {
            model: "perl",
            scope: "eq",
            trust: 0.3,
            vendor: "perl",
            version: "2.8.5",
         },
         {
            model: "perl",
            scope: "eq",
            trust: 0.3,
            vendor: "perl",
            version: "0.70",
         },
         {
            model: "perl",
            scope: "eq",
            trust: 0.3,
            vendor: "perl",
            version: "5.8.9",
         },
         {
            model: "perl",
            scope: "eq",
            trust: 0.3,
            vendor: "perl",
            version: "2.8.3",
         },
         {
            model: "perl",
            scope: "eq",
            trust: 0.3,
            vendor: "perl",
            version: "2.17",
         },
         {
            model: "perl",
            scope: "eq",
            trust: 0.3,
            vendor: "perl",
            version: "5.8.10",
         },
         {
            model: "perl",
            scope: "eq",
            trust: 0.3,
            vendor: "perl",
            version: "5.13.10",
         },
         {
            model: "rc2",
            scope: "eq",
            trust: 0.3,
            vendor: "perl",
            version: "5.10.0",
         },
         {
            model: "perl",
            scope: "eq",
            trust: 0.3,
            vendor: "perl",
            version: "5.8",
         },
         {
            model: "perl",
            scope: "eq",
            trust: 0.3,
            vendor: "perl",
            version: "5.22",
         },
         {
            model: "perl",
            scope: "eq",
            trust: 0.3,
            vendor: "perl",
            version: "2.1.3",
         },
         {
            model: "perl",
            scope: "eq",
            trust: 0.3,
            vendor: "perl",
            version: "0.82",
         },
         {
            model: "perl",
            scope: "eq",
            trust: 0.3,
            vendor: "perl",
            version: "5.12",
         },
         {
            model: "perl",
            scope: "eq",
            trust: 0.3,
            vendor: "perl",
            version: "5.10.1",
         },
         {
            model: "perl",
            scope: "eq",
            trust: 0.3,
            vendor: "perl",
            version: "2.8.6",
         },
         {
            model: "perl",
            scope: "eq",
            trust: 0.3,
            vendor: "perl",
            version: "2.0.0",
         },
         {
            model: "perl",
            scope: "eq",
            trust: 0.3,
            vendor: "perl",
            version: "2.8.0",
         },
         {
            model: "perl",
            scope: "eq",
            trust: 0.3,
            vendor: "perl",
            version: "2.17.1",
         },
         {
            model: "perl",
            scope: "eq",
            trust: 0.3,
            vendor: "perl",
            version: "2.11.1",
         },
         {
            model: "perl",
            scope: "eq",
            trust: 0.3,
            vendor: "perl",
            version: "5.13.3",
         },
         {
            model: "perl",
            scope: "eq",
            trust: 0.3,
            vendor: "perl",
            version: "5.14.1",
         },
         {
            model: "perl",
            scope: "eq",
            trust: 0.3,
            vendor: "perl",
            version: "1.41",
         },
         {
            model: "perl",
            scope: "eq",
            trust: 0.3,
            vendor: "perl",
            version: "1.45",
         },
         {
            model: "perl",
            scope: "eq",
            trust: 0.3,
            vendor: "perl",
            version: "5.13.1",
         },
         {
            model: "perl",
            scope: "eq",
            trust: 0.3,
            vendor: "perl",
            version: "2.16",
         },
         {
            model: "perl",
            scope: "eq",
            trust: 0.3,
            vendor: "perl",
            version: "2.14",
         },
         {
            model: "perl",
            scope: "eq",
            trust: 0.3,
            vendor: "perl",
            version: "0.95",
         },
         {
            model: "perl",
            scope: "eq",
            trust: 0.3,
            vendor: "perl",
            version: "2.12.0",
         },
         {
            model: "perl",
            scope: "eq",
            trust: 0.3,
            vendor: "perl",
            version: "5.13.5",
         },
         {
            model: "perl",
            scope: "eq",
            trust: 0.3,
            vendor: "perl",
            version: "2.11.2",
         },
         {
            model: "perl",
            scope: "eq",
            trust: 0.3,
            vendor: "perl",
            version: "2.5.1",
         },
         {
            model: "perl",
            scope: "eq",
            trust: 0.3,
            vendor: "perl",
            version: "1.42",
         },
         {
            model: "perl",
            scope: "eq",
            trust: 0.3,
            vendor: "perl",
            version: "1.00",
         },
         {
            model: "perl",
            scope: "eq",
            trust: 0.3,
            vendor: "perl",
            version: "2.1.1",
         },
         {
            model: "perl",
            scope: "eq",
            trust: 0.3,
            vendor: "perl",
            version: "1.20",
         },
         {
            model: "perl",
            scope: "eq",
            trust: 0.3,
            vendor: "perl",
            version: "0.72",
         },
         {
            model: "perl",
            scope: "eq",
            trust: 0.3,
            vendor: "perl",
            version: "1.46",
         },
         {
            model: "perl",
            scope: "eq",
            trust: 0.3,
            vendor: "perl",
            version: "2.6.4",
         },
         {
            model: "perl",
            scope: "eq",
            trust: 0.3,
            vendor: "perl",
            version: "0.69",
         },
         {
            model: "perl",
            scope: "eq",
            trust: 0.3,
            vendor: "perl",
            version: "2.6.1",
         },
         {
            model: "perl",
            scope: "eq",
            trust: 0.3,
            vendor: "perl",
            version: "2.10.3",
         },
         {
            model: "perl",
            scope: "eq",
            trust: 0.3,
            vendor: "perl",
            version: "0.1",
         },
         {
            model: "perl",
            scope: "eq",
            trust: 0.3,
            vendor: "perl",
            version: "5.11.2",
         },
         {
            model: "perl",
            scope: "eq",
            trust: 0.3,
            vendor: "perl",
            version: "5.12.1",
         },
         {
            model: "perl",
            scope: "eq",
            trust: 0.3,
            vendor: "perl",
            version: "5.17.7",
         },
         {
            model: "perl",
            scope: "eq",
            trust: 0.3,
            vendor: "perl",
            version: "5.11.5",
         },
         {
            model: "perl",
            scope: "eq",
            trust: 0.3,
            vendor: "perl",
            version: "5.14.2",
         },
         {
            model: "perl",
            scope: "eq",
            trust: 0.3,
            vendor: "perl",
            version: "5.13.9",
         },
         {
            model: "perl",
            scope: "eq",
            trust: 0.3,
            vendor: "perl",
            version: "5.8.6",
         },
         {
            model: "perl",
            scope: "eq",
            trust: 0.3,
            vendor: "perl",
            version: "2.10.7",
         },
         {
            model: "perl",
            scope: "eq",
            trust: 0.3,
            vendor: "perl",
            version: "2.9.1",
         },
      ],
      sources: [
         {
            db: "BID",
            id: "104423",
         },
         {
            db: "JVNDB",
            id: "JVNDB-2018-006155",
         },
         {
            db: "CNNVD",
            id: "CNNVD-201806-391",
         },
         {
            db: "NVD",
            id: "CVE-2018-12015",
         },
      ],
   },
   configurations: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/configurations#",
         children: {
            "@container": "@list",
         },
         cpe_match: {
            "@container": "@list",
         },
         data: {
            "@container": "@list",
         },
         nodes: {
            "@container": "@list",
         },
      },
      data: [
         {
            CVE_data_version: "4.0",
            nodes: [
               {
                  cpe_match: [
                     {
                        cpe22Uri: "cpe:/a:archive%3a%3atar_project:archive%3a%3atar",
                        vulnerable: true,
                     },
                     {
                        cpe22Uri: "cpe:/o:canonical:ubuntu_linux",
                        vulnerable: true,
                     },
                     {
                        cpe22Uri: "cpe:/o:debian:debian_linux",
                        vulnerable: true,
                     },
                     {
                        cpe22Uri: "cpe:/a:perl:perl",
                        vulnerable: true,
                     },
                  ],
                  operator: "OR",
               },
            ],
         },
      ],
      sources: [
         {
            db: "JVNDB",
            id: "JVNDB-2018-006155",
         },
      ],
   },
   credits: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/credits#",
         sources: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/ref/sources#",
            },
         },
      },
      data: "Apple,Red Hat",
      sources: [
         {
            db: "CNNVD",
            id: "CNNVD-201806-391",
         },
      ],
      trust: 0.6,
   },
   cve: "CVE-2018-12015",
   cvss: {
      "@context": {
         cvssV2: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#",
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2",
         },
         cvssV3: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#",
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/",
         },
         severity: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/cvss/severity#",
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/severity",
         },
         sources: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/ref/sources#",
            },
            "@id": "https://www.variotdbs.pl/ref/sources",
         },
      },
      data: [
         {
            cvssV2: [
               {
                  accessComplexity: "LOW",
                  accessVector: "NETWORK",
                  authentication: "NONE",
                  author: "nvd@nist.gov",
                  availabilityImpact: "PARTIAL",
                  baseScore: 6.4,
                  confidentialityImpact: "NONE",
                  exploitabilityScore: 10,
                  id: "CVE-2018-12015",
                  impactScore: 4.9,
                  integrityImpact: "PARTIAL",
                  severity: "MEDIUM",
                  trust: 1.9,
                  vectorString: "AV:N/AC:L/Au:N/C:N/I:P/A:P",
                  version: "2.0",
               },
               {
                  accessComplexity: "LOW",
                  accessVector: "NETWORK",
                  authentication: "NONE",
                  author: "VULHUB",
                  availabilityImpact: "PARTIAL",
                  baseScore: 6.4,
                  confidentialityImpact: "NONE",
                  exploitabilityScore: 10,
                  id: "VHN-121932",
                  impactScore: 4.9,
                  integrityImpact: "PARTIAL",
                  severity: "MEDIUM",
                  trust: 0.1,
                  vectorString: "AV:N/AC:L/AU:N/C:N/I:P/A:P",
                  version: "2.0",
               },
            ],
            cvssV3: [
               {
                  attackComplexity: "LOW",
                  attackVector: "NETWORK",
                  author: "nvd@nist.gov",
                  availabilityImpact: "NONE",
                  baseScore: 7.5,
                  baseSeverity: "HIGH",
                  confidentialityImpact: "NONE",
                  exploitabilityScore: 3.9,
                  id: "CVE-2018-12015",
                  impactScore: 3.6,
                  integrityImpact: "HIGH",
                  privilegesRequired: "NONE",
                  scope: "UNCHANGED",
                  trust: 1.8,
                  userInteraction: "NONE",
                  vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
                  version: "3.0",
               },
            ],
            severity: [
               {
                  author: "nvd@nist.gov",
                  id: "CVE-2018-12015",
                  trust: 1,
                  value: "HIGH",
               },
               {
                  author: "NVD",
                  id: "CVE-2018-12015",
                  trust: 0.8,
                  value: "High",
               },
               {
                  author: "CNNVD",
                  id: "CNNVD-201806-391",
                  trust: 0.6,
                  value: "HIGH",
               },
               {
                  author: "VULHUB",
                  id: "VHN-121932",
                  trust: 0.1,
                  value: "MEDIUM",
               },
               {
                  author: "VULMON",
                  id: "CVE-2018-12015",
                  trust: 0.1,
                  value: "MEDIUM",
               },
            ],
         },
      ],
      sources: [
         {
            db: "VULHUB",
            id: "VHN-121932",
         },
         {
            db: "VULMON",
            id: "CVE-2018-12015",
         },
         {
            db: "JVNDB",
            id: "JVNDB-2018-006155",
         },
         {
            db: "CNNVD",
            id: "CNNVD-201806-391",
         },
         {
            db: "NVD",
            id: "CVE-2018-12015",
         },
      ],
   },
   description: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/description#",
         sources: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/ref/sources#",
            },
         },
      },
      data: "In Perl through 5.26.2, the Archive::Tar module allows remote attackers to bypass a directory-traversal protection mechanism, and overwrite arbitrary files, via an archive file containing a symlink and a regular file with the same name. Perl contains a path traversal vulnerability. Information may be tampered with. Perl is prone to a directory-traversal vulnerability because the application fails to sufficiently sanitize user-supplied input. \nRemote attackers may use a specially crafted request with directory-traversal sequences ('../') to retrieve arbitrary files from the affected system in the context of the application. Information obtained could aid in further attacks. \nPerl 5.26.2 and prior versions are vulnerable. Perl is a free and powerful cross-platform programming language developed by American programmer Larry Wall. A security vulnerability exists in the Archive::Tar module in Perl 5.26.2 and earlier. -----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA256\n\n====================================================================                   \nRed Hat Security Advisory\n\nSynopsis:          Moderate: perl-Archive-Tar security update\nAdvisory ID:       RHSA-2019:2097-01\nProduct:           Red Hat Enterprise Linux\nAdvisory URL:      https://access.redhat.com/errata/RHSA-2019:2097\nIssue date:        2019-08-06\nCVE Names:         CVE-2018-12015\n====================================================================\n1. Summary:\n\nAn update for perl-Archive-Tar is now available for Red Hat Enterprise\nLinux 7. \n\nRed Hat Product Security has rated this update as having a security impact\nof Moderate. A Common Vulnerability Scoring System (CVSS) base score, which\ngives a detailed severity rating, is available for each vulnerability from\nthe CVE link(s) in the References section. \n\n2. Relevant releases/architectures:\n\nRed Hat Enterprise Linux Client (v. 7) - noarch\nRed Hat Enterprise Linux ComputeNode (v. 
7) - noarch\nRed Hat Enterprise Linux Server (v. 7) - noarch\nRed Hat Enterprise Linux Workstation (v. 7) - noarch\n\n3. \n\nSecurity Fix(es):\n\n* perl: Directory traversal in Archive::Tar (CVE-2018-12015)\n\nFor more details about the security issue(s), including the impact, a CVSS\nscore, acknowledgments, and other related information, refer to the CVE\npage(s) listed in the References section. \n\nAdditional Changes:\n\nFor detailed information on changes in this release, see the Red Hat\nEnterprise Linux 7.7 Release Notes linked from the References section. \n\n4. Solution:\n\nFor details on how to apply this update, which includes the changes\ndescribed in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258\n\n5. Package List:\n\nRed Hat Enterprise Linux Client (v. 7):\n\nSource:\nperl-Archive-Tar-1.92-3.el7.src.rpm\n\nnoarch:\nperl-Archive-Tar-1.92-3.el7.noarch.rpm\n\nRed Hat Enterprise Linux ComputeNode (v. 7):\n\nSource:\nperl-Archive-Tar-1.92-3.el7.src.rpm\n\nnoarch:\nperl-Archive-Tar-1.92-3.el7.noarch.rpm\n\nRed Hat Enterprise Linux Server (v. 7):\n\nSource:\nperl-Archive-Tar-1.92-3.el7.src.rpm\n\nnoarch:\nperl-Archive-Tar-1.92-3.el7.noarch.rpm\n\nRed Hat Enterprise Linux Workstation (v. 7):\n\nSource:\nperl-Archive-Tar-1.92-3.el7.src.rpm\n\nnoarch:\nperl-Archive-Tar-1.92-3.el7.noarch.rpm\n\nThese packages are GPG signed by Red Hat for security.  Our key and\ndetails on how to verify the signature are available from\nhttps://access.redhat.com/security/team/key/\n\n7. References:\n\nhttps://access.redhat.com/security/cve/CVE-2018-12015\nhttps://access.redhat.com/security/updates/classification/#moderate\nhttps://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html-single/7.7_release_notes/index\n\n8. Contact:\n\nThe Red Hat security contact is <secalert@redhat.com>. More contact\ndetails at https://access.redhat.com/security/team/contact/\n\nCopyright 2019 Red Hat, Inc. 
\n-----BEGIN PGP SIGNATURE-----\nVersion: GnuPG v1\n\niQIVAwUBXUl4sdzjgjWX9erEAQi6mw//djhWEf/xKLvAzFGIg6vOsD6SI4LHGRCu\nt5wotZBi4U38ktEQ8QKBOKqZ1/69uvs3Y4h59aCcv1WU4BqbuWuW9ZAZoNadRieR\ntKy5CSroeWRoExQQPLTEiCCWWPavAi6zgLLoLAXm+XzJgds0gKEN7X61VqpxDBhh\nwksoovuhk9oljC3GVnJg7L5Z8aGDVVRv7wp1fBrJ9g5F6Dj0oQmxuhp4i581+2uZ\nXqc+5NDMw0hw0REMym1YAzqQdUkW7UUR8AocEt3+D4IHqbTlCr2e8pFEvkFy2Rnd\nOPZixM33aKQMLej4AoNVCNr0VREcZRK2Eh36GCdCF3N/m9DqsqJWpW1AlqJotIbY\nV8VEv1JYf5Na/+NhNMrpeIbsFEoIpNTO2FLVUMEOlJRqIEJsBndGNMgukV2sMqtS\n1qpGSlUJ6FN8SE0h08bCAyokMAHtRtx4sVrtpdWgg8lw5sauCeefxwAkJESdxGj0\nZRleyq0oEkwxpX2PhpWNqMLTb8oNhEMJ2IgIAGkdya8flqkJq/EMRieqHfeuXwvE\nIKT/kfjqKRoF9GthCdtzb5/oRlCwyGbgZZyji47ToMrZIZgaz9ZBS7/L3BPqkr6S\nfu/W8z7j3Q2Y8/ICOfcdcI2xH98UUcr0WkRUUt0EyA9XeyZKrPzzwsOgyTZpITYA\ngSxbbqDK1oQ=+IUg\n-----END PGP SIGNATURE-----\n\n--\nRHSA-announce mailing list\nRHSA-announce@redhat.com\nhttps://www.redhat.com/mailman/listinfo/rhsa-announce\n. ==========================================================================\nUbuntu Security Notice USN-3684-2\nJune 13, 2018\n\nperl vulnerability\n==========================================================================\n\nA security issue affects these releases of Ubuntu and its derivatives:\n\n- Ubuntu 12.04 ESM\n\nSummary:\n\nPerl could be made to overwrite arbitrary files if it received\na specially crafted archive file. \n\nSoftware Description:\n- perl: Practical Extraction and Report Language\n\nDetails:\n\nUSN-3684-1 fixed a vulnerability in perl. This update provides\nthe corresponding update for Ubuntu 12.04 ESM. \n\nOriginal advisory details:\n\n It was discovered that Perl incorrectly handled certain archive files. \n An attacker could possibly use this to overwrite arbitrary files. 
\n\nUpdate instructions:\n\nThe problem can be corrected by updating your system to the following\npackage versions:\n\nUbuntu 12.04 ESM:\n  perl                            5.14.2-6ubuntu2.8\n\nIn general, a standard system update will make all the necessary\nchanges. -----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA512\n\n- -------------------------------------------------------------------------\nDebian Security Advisory DSA-4226-1                   security@debian.org\nhttps://www.debian.org/security/                     Salvatore Bonaccorso\nJune 12, 2018                         https://www.debian.org/security/faq\n- -------------------------------------------------------------------------\n\nPackage        : perl\nCVE ID         : CVE-2018-12015\nDebian Bug     : 900834\n\nJakub Wilk discovered a directory traversal flaw in the Archive::Tar\nmodule, allowing an attacker to overwrite any file writable by the\nextracting user via a specially crafted tar archive. \n\nFor the oldstable distribution (jessie), this problem has been fixed\nin version 5.20.2-3+deb8u11. \n\nFor the stable distribution (stretch), this problem has been fixed in\nversion 5.24.1-3+deb9u4. \n\nWe recommend that you upgrade your perl packages. -----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA256\n\nAPPLE-SA-2019-3-25-2 macOS Mojave 10.14.4, Security Update\n2019-002 High Sierra, Security Update 2019-002 Sierra\n\nmacOS Mojave 10.14.4, Security Update 2019-002 High Sierra,\nSecurity Update 2019-002 Sierra are now available and\naddresses the following:\n\nAppleGraphicsControl\nAvailable for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, macOS\nMojave 10.14.3\nImpact: A malicious application may be able to execute arbitrary code\nwith kernel privileges\nDescription: A buffer overflow was addressed with improved size\nvalidation. 
\nCVE-2019-8555: Zhiyi Zhang of 360 ESG Codesafe Team, Zhuo Liang and\nshrek_wzw of Qihoo 360 Nirvan Team\n\nBom\nAvailable for: macOS Mojave 10.14.3\nImpact: A malicious application may bypass Gatekeeper checks\nDescription: This issue was addressed with improved handling of file\nmetadata. \nCVE-2019-6239: Ian Moorhouse and Michael Trimm\n\nCFString\nAvailable for: macOS Mojave 10.14.3\nImpact: Processing a maliciously crafted string may lead to a denial\nof service\nDescription: A validation issue was addressed with improved logic. \nCVE-2019-8516: SWIPS Team of Frifee Inc. \n\nconfigd\nAvailable for: macOS Mojave 10.14.3\nImpact: A malicious application may be able to elevate privileges\nDescription: A memory initialization issue was addressed with\nimproved memory handling. \nCVE-2019-8552: Mohamed Ghannam (@_simo36)\n\nContacts\nAvailable for: macOS Mojave 10.14.3\nImpact: A malicious application may be able to elevate privileges\nDescription: A buffer overflow issue was addressed with improved\nmemory handling. \nCVE-2019-8511: an anonymous researcher\n\nCoreCrypto\nAvailable for: macOS Mojave 10.14.3\nImpact: A malicious application may be able to elevate privileges\nDescription: A buffer overflow was addressed with improved bounds\nchecking. \nCVE-2019-8542: an anonymous researcher\n\nDiskArbitration\nAvailable for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, macOS\nMojave 10.14.3\nImpact: An encrypted volume may be unmounted and remounted by a\ndifferent user without prompting for the password\nDescription: A logic issue was addressed with improved state\nmanagement. \nCVE-2019-8522: Colin Meginnis (@falc420)\n\nFaceTime\nAvailable for: macOS Mojave 10.14.3\nImpact: A user's video may not be paused in a FaceTime call if they\nexit the FaceTime app while the call is ringing\nDescription: An issue existed in the pausing of FaceTime video. The\nissue was resolved with improved logic. 
\nCVE-2019-8550: Lauren Guzniczak of Keystone Academy\n\nFeedback Assistant\nAvailable for: macOS Mojave 10.14.3\nImpact: A malicious application may be able to gain root privileges\nDescription: A race condition was addressed with additional\nvalidation. \nCVE-2019-8565: CodeColorist of Ant-Financial LightYear Labs\n\nFeedback Assistant\nAvailable for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, macOS\nMojave 10.14.3\nImpact: A malicious application may be able to overwrite arbitrary\nfiles\nDescription: This issue was addressed with improved checks. \nCVE-2019-8521: CodeColorist of Ant-Financial LightYear Labs\n\nfile\nAvailable for: macOS Mojave 10.14.3\nImpact: Processing a maliciously crafted file might disclose user\ninformation\nDescription: An out-of-bounds read was addressed with improved bounds\nchecking. \nCVE-2019-6237: an anonymous researcher\n\nGraphics Drivers\nAvailable for: macOS Mojave 10.14.3\nImpact: An application may be able to read restricted memory\nDescription: An out-of-bounds read was addressed with improved bounds\nchecking. \nCVE-2019-8519: Aleksandr Tarasikov (@astarasikov), Juwei Lin\n(@panicaII) and Junzhi Lu of Trend Micro Research working with Trend\nMicro's Zero Day Initiative\n\niAP\nAvailable for: macOS Mojave 10.14.3\nImpact: A malicious application may be able to elevate privileges\nDescription: A buffer overflow was addressed with improved bounds\nchecking. \nCVE-2019-8542: an anonymous researcher\n\nIOGraphics\nAvailable for: macOS Mojave 10.14.3\nImpact: A Mac may not lock when disconnecting from an external\nmonitor\nDescription: A lock handling issue was addressed with improved lock\nhandling. \nCVE-2019-8533: an anonymous researcher, James Eagan of Télécom\nParisTech, R. 
Scott Kemp of MIT, Romke van Dijk of Z-CERT\n\nIOHIDFamily\nAvailable for: macOS Mojave 10.14.3\nImpact: A local user may be able to cause unexpected system\ntermination or read kernel memory\nDescription: A memory corruption issue was addressed with improved\nstate management. \nCVE-2019-8545: Adam Donenfeld (@doadam) of the Zimperium zLabs Team\n\nIOKit\nAvailable for: macOS High Sierra 10.13.6, macOS Mojave 10.14.3\nImpact: A local user may be able to read kernel memory\nDescription: A memory initialization issue was addressed with\nimproved memory handling. \nCVE-2019-8504: an anonymous researcher\n\nIOKit SCSI\nAvailable for: macOS High Sierra 10.13.6, macOS Mojave 10.14.3\nImpact: An application may be able to execute arbitrary code with\nkernel privileges\nDescription: A memory corruption issue was addressed with improved\ninput validation. \nCVE-2019-8529: Juwei Lin (@panicaII) of Trend Micro\n\nKernel\nAvailable for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, macOS\nMojave 10.14.3\nImpact: A remote attacker may be able to cause unexpected system\ntermination or corrupt kernel memory\nDescription: A buffer overflow was addressed with improved size\nvalidation. \nCVE-2019-8527: Ned Williamson of Google and derrek (@derrekr6)\n\nKernel\nAvailable for: macOS Sierra 10.12.6, macOS Mojave 10.14.3\nImpact: Mounting a maliciously crafted NFS network share may lead to\narbitrary code execution with system privileges\nDescription: A buffer overflow was addressed with improved bounds\nchecking. \nCVE-2019-8508: Dr. Silvio Cesare of InfoSect\n\nKernel\nAvailable for: macOS Mojave 10.14.3\nImpact: An application may be able to gain elevated privileges\nDescription: A logic issue was addressed with improved state\nmanagement. 
\nCVE-2019-8514: Samuel Groß of Google Project Zero\n\nKernel\nAvailable for: macOS Sierra 10.12.6, macOS Mojave 10.14.3\nImpact: A malicious application may be able to determine kernel\nmemory layout\nDescription: A memory initialization issue was addressed with\nimproved memory handling. \nCVE-2019-8540: Weibo Wang (@ma1fan) of Qihoo 360  Nirvan Team\n\nKernel\nAvailable for: macOS Mojave 10.14.3\nImpact: A local user may be able to read kernel memory\nDescription: A memory corruption issue was addressed with improved\nmemory handling. \nCVE-2019-7293: Ned Williamson of Google\n\nKernel\nAvailable for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, macOS\nMojave 10.14.3\nImpact: A malicious application may be able to determine kernel\nmemory layout\nDescription: An out-of-bounds read issue existed that led to the\ndisclosure of kernel memory. This was addressed with improved input\nvalidation. \nCVE-2019-6207: Weibo Wang of Qihoo 360 Nirvan Team (@ma1fan)\nCVE-2019-8510: Stefan Esser of Antid0te UG\n\nMessages\nAvailable for: macOS Mojave 10.14.3\nImpact: A local user may be able to view sensitive user information\nDescription: An access issue was addressed with additional sandbox\nrestrictions. \nCVE-2019-8546: ChiYuan Chang\n\nNotes\nAvailable for: macOS Mojave 10.14.3\nImpact: A local user may be able to view a user's locked notes\nDescription: An access issue was addressed with improved memory\nmanagement. \nCVE-2019-8537: Greg Walker (gregwalker.us)\n\nPackageKit\nAvailable for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, macOS\nMojave 10.14.3\nImpact: A malicious application may be able to elevate privileges\nDescription: A logic issue was addressed with improved validation. \nCVE-2019-8561: Jaron Bradley of Crowdstrike\n\nPerl\nAvailable for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, macOS\nMojave 10.14.3\nImpact: Multiple issues in Perl\nDescription: Multiple issues in Perl were addressed in this update. 
\nCVE-2018-12015: Jakub Wilk\nCVE-2018-18311: Jayakrishna Menon\nCVE-2018-18313: Eiichi Tsukata\n\nPower Management\nAvailable for: macOS Mojave 10.14.3\nImpact: A malicious application may be able to execute arbitrary code\nwith system privileges\nDescription: Multiple input validation issues existed in MIG\ngenerated code. These issues were addressed with improved validation. \nCVE-2019-8549: Mohamed Ghannam (@_simo36) of SSD Secure Disclosure\n(ssd-disclosure.com)\n\nQuartzCore\nAvailable for: macOS Mojave 10.14.3\nImpact: Processing malicious data may lead to unexpected application\ntermination\nDescription: Multiple memory corruption issues were addressed with\nimproved input validation. \nCVE-2019-8507: Kai Lu or Fortinet's FortiGuard Labs\n\nSecurity\nAvailable for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, macOS\nMojave 10.14.3\nImpact: An application may be able to gain elevated privileges\nDescription: A use after free issue was addressed with improved\nmemory management. \nCVE-2019-8526: Linus Henze (pinauten.de)\n\nSecurity\nAvailable for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, macOS\nMojave 10.14.3\nImpact: A malicious application may be able to read restricted memory\nDescription: An out-of-bounds read was addressed with improved bounds\nchecking. \nCVE-2019-8520: Antonio Groza, The UK's National Cyber Security Centre\n(NCSC)\n\nSiri\nAvailable for: macOS Mojave 10.14.3\nImpact: A malicious application may be able to initiate a Dictation\nrequest without user authorization\nDescription: An API issue existed in the handling of dictation\nrequests. This issue was addressed with improved validation. 
\nCVE-2019-8502: Luke Deshotels of North Carolina State University,\nJordan Beichler of North Carolina State University, William Enck of\nNorth Carolina State University, Costin Carabaș of University\nPOLITEHNICA of Bucharest, and Răzvan Deaconescu of University\nPOLITEHNICA of Bucharest\n\nTime Machine\nAvailable for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, macOS\nMojave 10.14.3\nImpact: A local user may be able to execute arbitrary shell commands\nDescription: This issue was addressed with improved checks. \nCVE-2019-8513: CodeColorist of Ant-Financial LightYear Labs\n\nTrueTypeScaler\nAvailable for: macOS Mojave 10.14.3\nImpact: Processing a maliciously crafted font may result in the\ndisclosure of process memory\nDescription: An out-of-bounds read was addressed with improved bounds\nchecking. \nCVE-2019-8517: riusksk of VulWar Corp working with Trend Micro Zero\nDay Initiative\n\nXPC\nAvailable for: macOS Sierra 10.12.6, macOS Mojave 10.14.3\nImpact: A malicious application may be able to overwrite arbitrary\nfiles\nDescription: This issue was addressed with improved checks. \nCVE-2019-8530: CodeColorist of Ant-Financial LightYear Labs\n\nAdditional recognition\n\nAccounts\nWe would like to acknowledge Milan Stute of Secure Mobile Networking\nLab at Technische Universität Darmstadt for their assistance. \n\nBooks\nWe would like to acknowledge Yiğit Can YILMAZ (@yilmazcanyigit) for\ntheir assistance. \n\nKernel\nWe would like to acknowledge Brandon Azad of Google Project Zero for\ntheir assistance. \n\nMail\nWe would like to acknowledge Craig Young of Tripwire VERT and Hanno\nBöck for their assistance. \n\nTime Machine\nWe would like to acknowledge CodeColorist of Ant-Financial LightYear\nLabs for their assistance. 
\n\nInstallation note:\n\nmacOS Mojave 10.14.4, Security Update 2019-002 High Sierra,\nSecurity Update 2019-002 Sierra may be obtained from the\nMac App Store or Apple's Software Downloads web site:\nhttps://support.apple.com/downloads/\n\nInformation will also be posted to the Apple Security Updates\nweb site: https://support.apple.com/kb/HT201222\n\nThis message is signed with Apple's Product Security PGP key,\nand details are available at:\nhttps://www.apple.com/support/security/pgp/\n-----BEGIN PGP SIGNATURE-----\n\niQJdBAEBCABHFiEEDNXJVNCJJEAVmJdZeC9tht7TK3EFAlyZWQgpHHByb2R1Y3Qt\nc2VjdXJpdHktbm9yZXBseUBsaXN0cy5hcHBsZS5jb20ACgkQeC9tht7TK3E4zA/9\nFvnChJHCmmH34DmCi+LGXO/fatCVVvvSHDWm1+bPjl8CeYcF+zZYACkQKxFoNpDT\nvyiBJnNveCQEHeBvqSyRF8dfsTf4fr0MrFS1uIQVRPf2St6fZ27vDnC6fg269r0D\nEqnz0raFUa3bLUirteRMJwAqdGaVKwsNzM13qP4QEdrB14XkwZA0yQBunltFYU33\niAesKeejDLdhwkjfhmmjTlVPZmnABx2ZCfj2v7TiPxTOjfYbXcN8sY2LDHEOWNaM\nucrGBMfGH/ehStXAsIArwcLGOl6SI+6JywWVcm9lG6jUHSeSk9BPF6R4JzGrEHZB\nsSo87+U8b63KA2GkYecwh6xvE5EchQku/fj0d2zbOlg+T2bMbyc6Al2nefsYnX5p\n7BuhdZxqq3m3Gme2qRY0eye6wch1BTHhK+zctrVH2XeMaUpeanopVRI8AD+hZJ1J\n+9oQX8kSa7hzJYPmohA4Wi/Rp9FpKpgXYNBn1A9DgSAvf+eyfWJX0aZXmQZfn/k7\nOLz3EmSKvXv0i67L9g2XYeX7GFBMqf4xWeztKLUYFafu73t1mTxZJICcYeTxebS0\nzBJdkOHwP9GxsSonblDgPScQPdW85l0fangn7qqiexCVp4JsCGBc0Wuy1lc+MyzS\n1YmrDRhRl4aYOf4UGgtKI6ncvM77Y30ECPV3A6vl+wk=\n=QV0f\n-----END PGP SIGNATURE-----\n",
      sources: [
         {
            db: "NVD",
            id: "CVE-2018-12015",
         },
         {
            db: "JVNDB",
            id: "JVNDB-2018-006155",
         },
         {
            db: "BID",
            id: "104423",
         },
         {
            db: "VULHUB",
            id: "VHN-121932",
         },
         {
            db: "VULMON",
            id: "CVE-2018-12015",
         },
         {
            db: "PACKETSTORM",
            id: "153939",
         },
         {
            db: "PACKETSTORM",
            id: "148182",
         },
         {
            db: "PACKETSTORM",
            id: "148186",
         },
         {
            db: "PACKETSTORM",
            id: "148159",
         },
         {
            db: "PACKETSTORM",
            id: "152222",
         },
      ],
      trust: 2.52,
   },
   external_ids: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/external_ids#",
         data: {
            "@container": "@list",
         },
         sources: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/ref/sources#",
            },
         },
      },
      data: [
         {
            db: "NVD",
            id: "CVE-2018-12015",
            trust: 3.4,
         },
         {
            db: "BID",
            id: "104423",
            trust: 2.1,
         },
         {
            db: "SECTRACK",
            id: "1041048",
            trust: 1.8,
         },
         {
            db: "PACKETSTORM",
            id: "153939",
            trust: 0.8,
         },
         {
            db: "PACKETSTORM",
            id: "152222",
            trust: 0.8,
         },
         {
            db: "JVNDB",
            id: "JVNDB-2018-006155",
            trust: 0.8,
         },
         {
            db: "CNNVD",
            id: "CNNVD-201806-391",
            trust: 0.7,
         },
         {
            db: "AUSCERT",
            id: "ESB-2019.2986",
            trust: 0.6,
         },
         {
            db: "AUSCERT",
            id: "ESB-2019.0990",
            trust: 0.6,
         },
         {
            db: "PACKETSTORM",
            id: "148186",
            trust: 0.2,
         },
         {
            db: "PACKETSTORM",
            id: "148159",
            trust: 0.2,
         },
         {
            db: "PACKETSTORM",
            id: "148182",
            trust: 0.2,
         },
         {
            db: "VULHUB",
            id: "VHN-121932",
            trust: 0.1,
         },
         {
            db: "VULMON",
            id: "CVE-2018-12015",
            trust: 0.1,
         },
      ],
      sources: [
         {
            db: "VULHUB",
            id: "VHN-121932",
         },
         {
            db: "VULMON",
            id: "CVE-2018-12015",
         },
         {
            db: "BID",
            id: "104423",
         },
         {
            db: "JVNDB",
            id: "JVNDB-2018-006155",
         },
         {
            db: "PACKETSTORM",
            id: "153939",
         },
         {
            db: "PACKETSTORM",
            id: "148182",
         },
         {
            db: "PACKETSTORM",
            id: "148186",
         },
         {
            db: "PACKETSTORM",
            id: "148159",
         },
         {
            db: "PACKETSTORM",
            id: "152222",
         },
         {
            db: "CNNVD",
            id: "CNNVD-201806-391",
         },
         {
            db: "NVD",
            id: "CVE-2018-12015",
         },
      ],
   },
   id: "VAR-201806-0648",
   iot: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/iot#",
         sources: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/ref/sources#",
            },
         },
      },
      data: true,
      sources: [
         {
            db: "VULHUB",
            id: "VHN-121932",
         },
      ],
      trust: 0.01,
   },
   last_update_date: "2024-11-23T21:11:43.028000Z",
   patch: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/patch#",
         data: {
            "@container": "@list",
         },
         sources: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/ref/sources#",
            },
         },
      },
      data: [
         {
            title: "900834",
            trust: 0.8,
            url: "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=900834",
         },
         {
            title: "DSA-4226",
            trust: 0.8,
            url: "https://www.debian.org/security/2018/dsa-4226",
         },
         {
            title: "Top Page",
            trust: 0.8,
            url: "https://www.perl.org/",
         },
         {
            title: "USN-3684-1",
            trust: 0.8,
            url: "https://usn.ubuntu.com/3684-1/",
         },
         {
            title: "USN-3684-2",
            trust: 0.8,
            url: "https://usn.ubuntu.com/3684-2/",
         },
         {
            title: "Red Hat: Moderate: perl-Archive-Tar security update",
            trust: 0.1,
            url: "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories&qid=RHSA-20192097 - Security Advisory",
         },
         {
            title: "Debian CVElist Bug Report Logs: perl: CVE-2018-12015: Archive::Tar: directory traversal",
            trust: 0.1,
            url: "https://vulmon.com/vendoradvisory?qidtp=debian_cvelist_bugreportlogs&qid=ae01e1751a4de5ce20f0a869eb70bbc1",
         },
         {
            title: "Ubuntu Security Notice: perl vulnerability",
            trust: 0.1,
            url: "https://vulmon.com/vendoradvisory?qidtp=ubuntu_security_notice&qid=USN-3684-2",
         },
         {
            title: "Ubuntu Security Notice: perl vulnerability",
            trust: 0.1,
            url: "https://vulmon.com/vendoradvisory?qidtp=ubuntu_security_notice&qid=USN-3684-1",
         },
         {
            title: "Debian Security Advisories: DSA-4226-1 perl -- security update",
            trust: 0.1,
            url: "https://vulmon.com/vendoradvisory?qidtp=debian_security_advisories&qid=162819cebf8a5021e191f0a64ae86db8",
         },
         {
            title: "Amazon Linux AMI: ALAS-2019-1287",
            trust: 0.1,
            url: "https://vulmon.com/vendoradvisory?qidtp=amazon_linux_ami&qid=ALAS-2019-1287",
         },
         {
            title: "Red Hat: CVE-2018-12015",
            trust: 0.1,
            url: "https://vulmon.com/vendoradvisory?qidtp=red_hat_cve_database&qid=CVE-2018-12015",
         },
         {
            title: "Amazon Linux 2: ALAS2-2019-1330",
            trust: 0.1,
            url: "https://vulmon.com/vendoradvisory?qidtp=amazon_linux2&qid=ALAS2-2019-1330",
         },
         {
            title: "Oracle Solaris Third Party Bulletins: Oracle Solaris Third Party Bulletin - January 2019",
            trust: 0.1,
            url: "https://vulmon.com/vendoradvisory?qidtp=oracle_solaris_third_party_bulletins&qid=aea3fcafd82c179d3a5dfa015e920864",
         },
         {
            title: "traversal-archives",
            trust: 0.1,
            url: "https://github.com/jwilk/traversal-archives ",
         },
         {
            title: "iot-cves",
            trust: 0.1,
            url: "https://github.com/InesMartins31/iot-cves ",
         },
         {
            title: "Exp101tsArchiv30thers",
            trust: 0.1,
            url: "https://github.com/nu11secur1ty/Exp101tsArchiv30thers ",
         },
         {
            title: "awesome-cve-poc_qazbnm456",
            trust: 0.1,
            url: "https://github.com/xbl3/awesome-cve-poc_qazbnm456 ",
         },
      ],
      sources: [
         {
            db: "VULMON",
            id: "CVE-2018-12015",
         },
         {
            db: "JVNDB",
            id: "JVNDB-2018-006155",
         },
      ],
   },
   problemtype_data: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
         sources: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/ref/sources#",
            },
         },
      },
      data: [
         {
            problemtype: "CWE-59",
            trust: 1.1,
         },
         {
            problemtype: "CWE-22",
            trust: 0.9,
         },
      ],
      sources: [
         {
            db: "VULHUB",
            id: "VHN-121932",
         },
         {
            db: "JVNDB",
            id: "JVNDB-2018-006155",
         },
         {
            db: "NVD",
            id: "CVE-2018-12015",
         },
      ],
   },
   references: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/references#",
         data: {
            "@container": "@list",
         },
         sources: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/ref/sources#",
            },
         },
      },
      data: [
         {
            trust: 2.6,
            url: "https://access.redhat.com/errata/rhsa-2019:2097",
         },
         {
            trust: 2.5,
            url: "http://www.securityfocus.com/bid/104423",
         },
         {
            trust: 2.1,
            url: "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=900834",
         },
         {
            trust: 1.9,
            url: "https://usn.ubuntu.com/3684-2/",
         },
         {
            trust: 1.8,
            url: "https://seclists.org/bugtraq/2019/mar/42",
         },
         {
            trust: 1.8,
            url: "https://security.netapp.com/advisory/ntap-20180927-0001/",
         },
         {
            trust: 1.8,
            url: "https://support.apple.com/kb/ht209600",
         },
         {
            trust: 1.8,
            url: "https://www.debian.org/security/2018/dsa-4226",
         },
         {
            trust: 1.8,
            url: "http://seclists.org/fulldisclosure/2019/mar/49",
         },
         {
            trust: 1.8,
            url: "https://www.oracle.com/security-alerts/cpujul2020.html",
         },
         {
            trust: 1.8,
            url: "http://www.securitytracker.com/id/1041048",
         },
         {
            trust: 1.8,
            url: "https://usn.ubuntu.com/3684-1/",
         },
         {
            trust: 1.3,
            url: "https://nvd.nist.gov/vuln/detail/cve-2018-12015",
         },
         {
            trust: 0.8,
            url: "https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-12015",
         },
         {
            trust: 0.6,
            url: "https://support.apple.com/en-au/ht209600",
         },
         {
            trust: 0.6,
            url: "https://www.auscert.org.au/bulletins/esb-2019.2986/",
         },
         {
            trust: 0.6,
            url: "https://www.auscert.org.au/bulletins/77806",
         },
         {
            trust: 0.6,
            url: "https://support.apple.com/en-us/ht209600",
         },
         {
            trust: 0.6,
            url: "https://packetstormsecurity.com/files/152222/apple-security-advisory-2019-3-25-2.html",
         },
         {
            trust: 0.6,
            url: "https://packetstormsecurity.com/files/153939/red-hat-security-advisory-2019-2097-01.html",
         },
         {
            trust: 0.6,
            url: "http://www.ibm.com/support/docview.wss?uid=ibm10870798",
         },
         {
            trust: 0.4,
            url: "https://access.redhat.com/security/cve/cve-2018-12015",
         },
         {
            trust: 0.3,
            url: "https://bugzilla.redhat.com/show_bug.cgi?id=1588760",
         },
         {
            trust: 0.3,
            url: "www.perl.org",
         },
         {
            trust: 0.2,
            url: "https://usn.ubuntu.com/usn/usn-3684-1",
         },
         {
            trust: 0.1,
            url: "https://cwe.mitre.org/data/definitions/59.html",
         },
         {
            trust: 0.1,
            url: "https://nvd.nist.gov",
         },
         {
            trust: 0.1,
            url: "https://tools.cisco.com/security/center/viewalert.x?alertid=58456",
         },
         {
            trust: 0.1,
            url: "https://www.redhat.com/mailman/listinfo/rhsa-announce",
         },
         {
            trust: 0.1,
            url: "https://bugzilla.redhat.com/):",
         },
         {
            trust: 0.1,
            url: "https://access.redhat.com/security/team/key/",
         },
         {
            trust: 0.1,
            url: "https://access.redhat.com/articles/11258",
         },
         {
            trust: 0.1,
            url: "https://access.redhat.com/security/updates/classification/#moderate",
         },
         {
            trust: 0.1,
            url: "https://access.redhat.com/security/team/contact/",
         },
         {
            trust: 0.1,
            url: "https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html-single/7.7_release_notes/index",
         },
         {
            trust: 0.1,
            url: "https://launchpad.net/ubuntu/+source/perl/5.26.1-6ubuntu0.1",
         },
         {
            trust: 0.1,
            url: "https://launchpad.net/ubuntu/+source/perl/5.22.1-9ubuntu0.5",
         },
         {
            trust: 0.1,
            url: "https://launchpad.net/ubuntu/+source/perl/5.26.0-8ubuntu1.2",
         },
         {
            trust: 0.1,
            url: "https://launchpad.net/ubuntu/+source/perl/5.18.2-2ubuntu1.6",
         },
         {
            trust: 0.1,
            url: "https://usn.ubuntu.com/usn/usn-3684-2",
         },
         {
            trust: 0.1,
            url: "https://security-tracker.debian.org/tracker/perl",
         },
         {
            trust: 0.1,
            url: "https://www.debian.org/security/",
         },
         {
            trust: 0.1,
            url: "https://www.debian.org/security/faq",
         },
         {
            trust: 0.1,
            url: "https://nvd.nist.gov/vuln/detail/cve-2019-8514",
         },
         {
            trust: 0.1,
            url: "https://support.apple.com/kb/ht201222",
         },
         {
            trust: 0.1,
            url: "https://nvd.nist.gov/vuln/detail/cve-2019-8511",
         },
         {
            trust: 0.1,
            url: "https://nvd.nist.gov/vuln/detail/cve-2019-8519",
         },
         {
            trust: 0.1,
            url: "https://nvd.nist.gov/vuln/detail/cve-2019-8502",
         },
         {
            trust: 0.1,
            url: "https://nvd.nist.gov/vuln/detail/cve-2019-8516",
         },
         {
            trust: 0.1,
            url: "https://nvd.nist.gov/vuln/detail/cve-2019-6239",
         },
         {
            trust: 0.1,
            url: "https://nvd.nist.gov/vuln/detail/cve-2019-8522",
         },
         {
            trust: 0.1,
            url: "https://nvd.nist.gov/vuln/detail/cve-2018-18313",
         },
         {
            trust: 0.1,
            url: "https://nvd.nist.gov/vuln/detail/cve-2019-6237",
         },
         {
            trust: 0.1,
            url: "https://nvd.nist.gov/vuln/detail/cve-2019-8540",
         },
         {
            trust: 0.1,
            url: "https://nvd.nist.gov/vuln/detail/cve-2019-8526",
         },
         {
            trust: 0.1,
            url: "https://nvd.nist.gov/vuln/detail/cve-2019-8527",
         },
         {
            trust: 0.1,
            url: "https://nvd.nist.gov/vuln/detail/cve-2019-8533",
         },
         {
            trust: 0.1,
            url: "https://support.apple.com/downloads/",
         },
         {
            trust: 0.1,
            url: "https://nvd.nist.gov/vuln/detail/cve-2019-8520",
         },
         {
            trust: 0.1,
            url: "https://nvd.nist.gov/vuln/detail/cve-2019-8517",
         },
         {
            trust: 0.1,
            url: "https://nvd.nist.gov/vuln/detail/cve-2019-8521",
         },
         {
            trust: 0.1,
            url: "https://www.apple.com/support/security/pgp/",
         },
         {
            trust: 0.1,
            url: "https://nvd.nist.gov/vuln/detail/cve-2019-6207",
         },
         {
            trust: 0.1,
            url: "https://nvd.nist.gov/vuln/detail/cve-2019-8504",
         },
         {
            trust: 0.1,
            url: "https://nvd.nist.gov/vuln/detail/cve-2019-7293",
         },
         {
            trust: 0.1,
            url: "https://nvd.nist.gov/vuln/detail/cve-2019-8510",
         },
         {
            trust: 0.1,
            url: "https://nvd.nist.gov/vuln/detail/cve-2019-8508",
         },
         {
            trust: 0.1,
            url: "https://nvd.nist.gov/vuln/detail/cve-2019-8530",
         },
         {
            trust: 0.1,
            url: "https://nvd.nist.gov/vuln/detail/cve-2019-8513",
         },
         {
            trust: 0.1,
            url: "https://nvd.nist.gov/vuln/detail/cve-2019-8529",
         },
         {
            trust: 0.1,
            url: "https://nvd.nist.gov/vuln/detail/cve-2019-8537",
         },
         {
            trust: 0.1,
            url: "https://nvd.nist.gov/vuln/detail/cve-2019-8507",
         },
         {
            trust: 0.1,
            url: "https://nvd.nist.gov/vuln/detail/cve-2018-18311",
         },
      ],
      sources: [
         {
            db: "VULHUB",
            id: "VHN-121932",
         },
         {
            db: "VULMON",
            id: "CVE-2018-12015",
         },
         {
            db: "BID",
            id: "104423",
         },
         {
            db: "JVNDB",
            id: "JVNDB-2018-006155",
         },
         {
            db: "PACKETSTORM",
            id: "153939",
         },
         {
            db: "PACKETSTORM",
            id: "148182",
         },
         {
            db: "PACKETSTORM",
            id: "148186",
         },
         {
            db: "PACKETSTORM",
            id: "148159",
         },
         {
            db: "PACKETSTORM",
            id: "152222",
         },
         {
            db: "CNNVD",
            id: "CNNVD-201806-391",
         },
         {
            db: "NVD",
            id: "CVE-2018-12015",
         },
      ],
   },
   sources: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/sources#",
         data: {
            "@container": "@list",
         },
      },
      data: [
         {
            db: "VULHUB",
            id: "VHN-121932",
         },
         {
            db: "VULMON",
            id: "CVE-2018-12015",
         },
         {
            db: "BID",
            id: "104423",
         },
         {
            db: "JVNDB",
            id: "JVNDB-2018-006155",
         },
         {
            db: "PACKETSTORM",
            id: "153939",
         },
         {
            db: "PACKETSTORM",
            id: "148182",
         },
         {
            db: "PACKETSTORM",
            id: "148186",
         },
         {
            db: "PACKETSTORM",
            id: "148159",
         },
         {
            db: "PACKETSTORM",
            id: "152222",
         },
         {
            db: "CNNVD",
            id: "CNNVD-201806-391",
         },
         {
            db: "NVD",
            id: "CVE-2018-12015",
         },
      ],
   },
   sources_release_date: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
         data: {
            "@container": "@list",
         },
      },
      data: [
         {
            date: "2018-06-07T00:00:00",
            db: "VULHUB",
            id: "VHN-121932",
         },
         {
            date: "2018-06-07T00:00:00",
            db: "VULMON",
            id: "CVE-2018-12015",
         },
         {
            date: "2018-06-07T00:00:00",
            db: "BID",
            id: "104423",
         },
         {
            date: "2018-08-09T00:00:00",
            db: "JVNDB",
            id: "JVNDB-2018-006155",
         },
         {
            date: "2019-08-06T21:11:21",
            db: "PACKETSTORM",
            id: "153939",
         },
         {
            date: "2018-06-13T15:23:00",
            db: "PACKETSTORM",
            id: "148182",
         },
         {
            date: "2018-06-13T14:42:00",
            db: "PACKETSTORM",
            id: "148186",
         },
         {
            date: "2018-06-12T16:08:35",
            db: "PACKETSTORM",
            id: "148159",
         },
         {
            date: "2019-03-26T14:40:53",
            db: "PACKETSTORM",
            id: "152222",
         },
         {
            date: "2018-06-08T00:00:00",
            db: "CNNVD",
            id: "CNNVD-201806-391",
         },
         {
            date: "2018-06-07T13:29:00.240000",
            db: "NVD",
            id: "CVE-2018-12015",
         },
      ],
   },
   sources_update_date: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
         data: {
            "@container": "@list",
         },
      },
      data: [
         {
            date: "2020-08-24T00:00:00",
            db: "VULHUB",
            id: "VHN-121932",
         },
         {
            date: "2020-08-24T00:00:00",
            db: "VULMON",
            id: "CVE-2018-12015",
         },
         {
            date: "2018-06-07T00:00:00",
            db: "BID",
            id: "104423",
         },
         {
            date: "2018-08-09T00:00:00",
            db: "JVNDB",
            id: "JVNDB-2018-006155",
         },
         {
            date: "2021-10-29T00:00:00",
            db: "CNNVD",
            id: "CNNVD-201806-391",
         },
         {
            date: "2024-11-21T03:44:24.850000",
            db: "NVD",
            id: "CVE-2018-12015",
         },
      ],
   },
   threat_type: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/threat_type#",
         sources: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/ref/sources#",
            },
         },
      },
      data: "remote",
      sources: [
         {
            db: "CNNVD",
            id: "CNNVD-201806-391",
         },
      ],
      trust: 0.6,
   },
   title: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/title#",
         sources: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/ref/sources#",
            },
         },
      },
      data: "Perl Path traversal vulnerability",
      sources: [
         {
            db: "JVNDB",
            id: "JVNDB-2018-006155",
         },
      ],
      trust: 0.8,
   },
   type: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/type#",
         sources: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/ref/sources#",
            },
         },
      },
      data: "post link",
      sources: [
         {
            db: "CNNVD",
            id: "CNNVD-201806-391",
         },
      ],
      trust: 0.6,
   },
}

var-202001-1866
Vulnerability from variot

xmlStringLenDecodeEntities in parser.c in libxml2 2.9.10 has an infinite loop in a certain end-of-file situation, which can hang a program that parses such input. The vulnerability is in the xmlStringLenDecodeEntities function of the parser.c file in libxml2 version 2.9.10. libxml2 incorrectly handled certain XML files (CVE-2019-19956, CVE-2020-7595). Description:

Red Hat OpenShift Container Storage is software-defined storage integrated with and optimized for the Red Hat OpenShift Container Platform. Red Hat OpenShift Container Storage is a highly scalable, production-grade persistent storage for stateful applications running in the Red Hat OpenShift Container Platform. In addition to persistent storage, Red Hat OpenShift Container Storage provisions a multicloud data management service with an S3 compatible API.

These updated images include numerous security fixes, bug fixes, and enhancements. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied. Bugs fixed (https://bugzilla.redhat.com/):

1806266 - Require an extension to the cephfs subvolume commands, that can return metadata regarding a subvolume 1813506 - Dockerfile not compatible with docker and buildah 1817438 - OSDs not distributed uniformly across OCS nodes on a 9-node AWS IPI setup 1817850 - [BAREMETAL] rook-ceph-operator does not reconcile when osd deployment is deleted when performed node replacement 1827157 - OSD hitting default CPU limit on AWS i3en.2xlarge instances limiting performance 1829055 - [RFE] add insecureEdgeTerminationPolicy: Redirect to noobaa mgmt route (http to https) 1833153 - add a variable for sleep time of rook operator between checks of downed OSD+Node. 1836299 - NooBaa Operator deploys with HPA that fires maxreplicas alerts by default 1842254 - [NooBaa] Compression stats do not add up when compression id disabled 1845976 - OCS 4.5 Independent mode: must-gather commands fails to collect ceph command outputs from external cluster 1849771 - [RFE] Account created by OBC should have same permissions as bucket owner 1853652 - CVE-2020-14040 golang.org/x/text: possibility to trigger an infinite loop in encoding/unicode could lead to crash 1854500 - [tracker-rhcs bug 1838931] mgr/volumes: add command to return metadata of a subvolume snapshot 1854501 - [Tracker-rhcs bug 1848494 ]pybind/mgr/volumes: Add the ability to keep snapshots of subvolumes independent of the source subvolume 1854503 - [tracker-rhcs-bug 1848503] cephfs: Provide alternatives to increase the total cephfs subvolume snapshot counts to greater than the current 400 across a Cephfs volume 1856953 - CVE-2020-15586 golang: data race in certain net/http servers including ReverseProxy can lead to DoS 1858195 - [GSS] registry pod stuck in ContainerCreating due to pvc from cephfs storage class fail to mount 1859183 - PV expansion is failing in retry loop in pre-existing PV after upgrade to OCS 4.5 (i.e. 
if the PV spec does not contain expansion params) 1859229 - Rook should delete extra MON PVCs in case first reconcile takes too long and rook skips "b" and "c" (spawned from Bug 1840084#c14) 1859478 - OCS 4.6 : Upon deployment, CSI Pods in CLBO with error - flag provided but not defined: -metadatastorage 1860022 - OCS 4.6 Deployment: LBP CSV and pod should not be deployed since ob/obc CRDs are owned from OCS 4.5 onwards 1860034 - OCS 4.6 Deployment in ocs-ci : Toolbox pod in ContainerCreationError due to key admin-secret not found 1860670 - OCS 4.5 Uninstall External: Openshift-storage namespace in Terminating state as CephObjectStoreUser had finalizers remaining 1860848 - Add validation for rgw-pool-prefix in the ceph-external-cluster-details-exporter script 1861780 - [Tracker BZ1866386][IBM s390x] Mount Failed for CEPH while running couple of OCS test cases. 1865938 - CSIDrivers missing in OCS 4.6 1867024 - [ocs-operator] operator v4.6.0-519.ci is in Installing state 1867099 - CVE-2020-16845 golang: ReadUvarint and ReadVarint can read an unlimited number of bytes from invalid inputs 1868060 - [External Cluster] Noobaa-default-backingstore PV in released state upon OCS 4.5 uninstall (Secret not found) 1868703 - [rbd] After volume expansion, the new size is not reflected on the pod 1869411 - capture full crash information from ceph 1870061 - [RHEL][IBM] OCS un-install should make the devices raw 1870338 - OCS 4.6 must-gather : ocs-must-gather-xxx-helper pod in ContainerCreationError (couldn't find key admin-secret) 1870631 - OCS 4.6 Deployment : RGW pods went into 'CrashLoopBackOff' state on Z Platform 1872119 - Updates don't work on StorageClass which will keep PV expansion disabled for upgraded cluster 1872696 - [ROKS][RFE]NooBaa Configure IBM COS as default backing store 1873864 - Noobaa: On an baremetal RHCOS cluster, some backingstores are stuck in PROGRESSING state with INVALID_ENDPOINT TemporaryError 1874606 - CVE-2020-7720 nodejs-node-forge: prototype 
pollution via the util.setPath function 1875476 - Change noobaa logo in the noobaa UI 1877339 - Incorrect use of logr 1877371 - NooBaa UI warning message on Deploy Kubernetes Pool process - typo and shown number is incorrect 1878153 - OCS 4.6 must-gather: collect node information under cluster_scoped_resources/oc_output directory 1878714 - [FIPS enabled] BadDigest error on file upload to noobaa bucket 1878853 - [External Mode] ceph-external-cluster-details-exporter.py does not tolerate TLS enabled RGW 1879008 - ocs-osd-removal job fails because it can't find admin-secret in rook-ceph-mon secret 1879072 - Deployment with encryption at rest is failing to bring up OSD pods 1879919 - [External] Upgrade mechanism from OCS 4.5 to OCS 4.6 needs to be fixed 1880255 - Collect rbd info and subvolume info and snapshot info command output 1881028 - CVE-2020-8237 nodejs-json-bigint: Prototype pollution via __proto__ assignment could result in DoS 1881071 - [External] Upgrade mechanism from OCS 4.5 to OCS 4.6 needs to be fixed 1882397 - MCG decompression problem with snappy on s390x arch 1883253 - CSV doesn't contain values required for UI to enable minimal deployment and cluster encryption 1883398 - Update csi sidecar containers in rook 1883767 - Using placement strategies in cluster-service.yaml causes ocs-operator to crash 1883810 - [External mode] RGW metrics is not available after OCS upgrade from 4.5 to 4.6 1883927 - Deployment with encryption at rest is failing to bring up OSD pods 1885175 - Handle disappeared underlying device for encrypted OSD 1885428 - panic seen in rook-ceph during uninstall - "close of closed channel" 1885648 - [Tracker for https://bugzilla.redhat.com/show_bug.cgi?id=1885700] FSTYPE for localvolumeset devices shows up as ext2 after uninstall 1885971 - ocs-storagecluster-cephobjectstore doesn't report true state of RGW 1886308 - Default VolumeSnapshot Classes not created in External Mode 1886348 - osd removal job failed with status "Error" 1886551 - 
Clone creation failed after timeout of 5 hours of Azure platrom for 3 CephFS PVCs ( PVC sizes: 1, 25 and 100 GB) 1886709 - [External] RGW storageclass disappears after upgrade from OCS 4.5 to 4.6 1886859 - OCS 4.6: Uninstall stuck indefinitely if any Ceph pods are in Pending state before uninstall 1886873 - [OCS 4.6 External/Internal Uninstall] - Storage Cluster deletion stuck indefinitely, "failed to delete object store", remaining users: [noobaa-ceph-objectstore-user] 1888583 - [External] When deployment is attempted without specifying the monitoring-endpoint while generating JSON, the CSV is stuck in installing state 1888593 - [External] Add validation for monitoring-endpoint and port in the exporter script 1888614 - [External] Unreachable monitoring-endpoint used during deployment causes ocs-operator to crash 1889441 - Traceback error message while running OCS 4.6 must-gather 1889683 - [GSS] Noobaa Problem when setting public access to a bucket 1889866 - Post node power off/on, an unused MON PVC still stays back in the cluster 1890183 - [External] ocs-operator logs are filled with "failed to reconcile metrics exporter" 1890638 - must-gather helper pod should be deleted after collecting ceph crash info 1890971 - [External] RGW metrics are not available if anything else except 9283 is provided as the monitoring-endpoint-port 1891856 - ocs-metrics-exporter pod should have tolerations for OCS taint 1892206 - [GSS] Ceph image/version mismatch 1892234 - clone #95 creation failed for CephFS PVC ( 10 GB PVC size) during multiple clones creation test 1893624 - Must Gather is not collecting the tar file from NooBaa diagnose 1893691 - OCS4.6 must_gather failes to complete in 600sec 1893714 - Bad response for upload an object with encryption 1895402 - Mon pods didn't get upgraded in 720 second timeout from OCS 4.5 upgrade to 4.6 1896298 - [RFE] Monitoring for Namespace buckets and resources 1896831 - Clone#452 for RBD PVC ( PVC size 1 GB) failed to be created for 600 secs 
1898521 - [CephFS] Deleting cephfsplugin pod along with app pods will make PV remain in Released state after deleting the PVC 1902627 - must-gather should wait for debug pods to be in ready state 1904171 - RGW Service is unavailable for a short period during upgrade to OCS 4.6

Bug Fix(es): * NVD feed fixed in Clair-v2 (clair-jwt image)

  1. Solution:

Download the release images via:

quay.io/redhat/quay:v3.3.3 quay.io/redhat/clair-jwt:v3.3.3 quay.io/redhat/quay-builder:v3.3.3 quay.io/redhat/clair:v3.3.3

  1. Bugs fixed (https://bugzilla.redhat.com/):

1905758 - CVE-2020-27831 quay: email notifications authorization bypass 1905784 - CVE-2020-27832 quay: persistent XSS in repository notification display

  1. JIRA issues fixed (https://issues.jboss.org/):

PROJQUAY-1124 - NVD feed is broken for latest Clair v2 version

  1. Solution:

For information on upgrading Ansible Tower, reference the Ansible Tower Upgrade and Migration Guide: https://docs.ansible.com/ansible-tower/latest/html/upgrade-migration-guide/index.html

  1. Bugs fixed (https://bugzilla.redhat.com/):

1790277 - CVE-2019-20372 nginx: HTTP request smuggling in configurations with URL redirect used as error_page 1828406 - CVE-2020-11022 jquery: Cross-site scripting due to improper injQuery.htmlPrefilter method 1850004 - CVE-2020-11023 jquery: Passing HTML containing elements to manipulation methods could result in untrusted code execution 1911314 - CVE-2020-35678 python-autobahn: allows redirect header injection 1928847 - CVE-2021-20253 ansible-tower: Privilege escalation via job isolation escape

Bug Fix(es):

  • Aggregator pod tries to parse ConfigMaps without results (BZ#1899479)

  • The compliancesuite object returns error with ocp4-cis tailored profile (BZ#1902251)

  • The compliancesuite does not trigger when there are multiple rhcos4 profiles added in scansettingbinding object (BZ#1902634)

  • [OCP v46] Not all remediations get applied through machineConfig although the status of all rules shows Applied in ComplianceRemediations object (BZ#1907414)

  • The profile parser pod deployment and associated profiles should get removed after upgrade the compliance operator (BZ#1908991)

  • Applying the "rhcos4-moderate" compliance profile leads to Ignition error "something else exists at that path" (BZ#1909081)

  • [OCP v46] Always update the default profilebundles on Compliance operator startup (BZ#1909122)

  • Bugs fixed (https://bugzilla.redhat.com/):

1899479 - Aggregator pod tries to parse ConfigMaps without results 1902111 - CVE-2020-27813 golang-github-gorilla-websocket: integer overflow leads to denial of service 1902251 - The compliancesuite object returns error with ocp4-cis tailored profile 1902634 - The compliancesuite does not trigger when there are multiple rhcos4 profiles added in scansettingbinding object 1907414 - [OCP v46] Not all remediations get applied through machineConfig although the status of all rules shows Applied in ComplianceRemediations object 1908991 - The profile parser pod deployment and associated profiles should get removed after upgrade the compliance operator 1909081 - Applying the "rhcos4-moderate" compliance profile leads to Ignition error "something else exists at that path" 1909122 - [OCP v46] Always update the default profilebundles on Compliance operator startup

  1. Bugs fixed (https://bugzilla.redhat.com/):

1772014 - CVE-2019-18874 python-psutil: double free because of refcount mishandling

  1. To check for available updates, use the OpenShift Console or the CLI oc command. Instructions for upgrading a cluster are available at https://docs.openshift.com/container-platform/4.7/updating/updating-cluster-between-minor.html#understanding-upgrade-channels_updating-cluster-between-minor. Solution:

For OpenShift Container Platform 4.7 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:

https://docs.openshift.com/container-platform/4.7/release_notes/ocp-4-7-release-notes.html

Details on how to access this content are available at https://docs.openshift.com/container-platform/4.7/updating/updating-cluster-cli.html. Bugs fixed (https://bugzilla.redhat.com/):

1823765 - nfd-workers crash under an ipv6 environment 1838802 - mysql8 connector from operatorhub does not work with metering operator 1838845 - Metering operator can't connect to postgres DB from Operator Hub 1841883 - namespace-persistentvolumeclaim-usage query returns unexpected values 1853652 - CVE-2020-14040 golang.org/x/text: possibility to trigger an infinite loop in encoding/unicode could lead to crash 1868294 - NFD operator does not allow customisation of nfd-worker.conf 1882310 - CVE-2020-24750 jackson-databind: Serialization gadgets in com.pastdev.httpcomponents.configuration.JndiConfiguration 1890672 - NFD is missing a build flag to build correctly 1890741 - path to the CA trust bundle ConfigMap is broken in report operator 1897346 - NFD worker pods not scheduler on a 3 node master/worker cluster 1898373 - Metering operator failing upgrade from 4.4 to 4.6 channel 1900125 - FIPS error while generating RSA private key for CA 1906129 - OCP 4.7: Node Feature Discovery (NFD) Operator in CrashLoopBackOff when deployed from OperatorHub 1908492 - OCP 4.7: Node Feature Discovery (NFD) Operator Custom Resource Definition file in olm-catalog is not in sync with the one in manifests dir leading to failed deployment from OperatorHub 1913837 - The CI and ART 4.7 metering images are not mirrored 1914869 - OCP 4.7 NFD - Operand configuration options for NodeFeatureDiscovery are empty, no supported image for ppc64le 1916010 - olm skip range is set to the wrong range 1921650 - CVE-2021-3121 gogo/protobuf: plugin/unmarshal/unmarshal.go lacks certain index validation 1923998 - NFD Operator is failing to update and remains in Replacing state

  1. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256

====================================================================
Red Hat Security Advisory

Synopsis: Moderate: libxml2 security update Advisory ID: RHSA-2020:4479-01 Product: Red Hat Enterprise Linux Advisory URL: https://access.redhat.com/errata/RHSA-2020:4479 Issue date: 2020-11-03 CVE Names: CVE-2019-19956 CVE-2019-20388 CVE-2020-7595 ==================================================================== 1. Summary:

An update for libxml2 is now available for Red Hat Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

  1. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream (v. 8) - aarch64, ppc64le, s390x, x86_64 Red Hat Enterprise Linux BaseOS (v. 8) - aarch64, ppc64le, s390x, x86_64

  1. Description:

The libxml2 library is a development toolbox providing the implementation of various XML standards.

Security Fix(es):

  • libxml2: memory leak in xmlParseBalancedChunkMemoryRecover in parser.c (CVE-2019-19956)

  • libxml2: memory leak in xmlSchemaPreRun in xmlschemas.c (CVE-2019-20388)

  • libxml2: infinite loop in xmlStringLenDecodeEntities in some end-of-file situations (CVE-2020-7595)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the Red Hat Enterprise Linux 8.3 Release Notes linked from the References section.

  1. Solution:

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

The desktop must be restarted (log out, then log back in) for this update to take effect.

  1. Package List:

Red Hat Enterprise Linux AppStream (v. 8):

aarch64: libxml2-debuginfo-2.9.7-8.el8.aarch64.rpm libxml2-debugsource-2.9.7-8.el8.aarch64.rpm libxml2-devel-2.9.7-8.el8.aarch64.rpm python3-libxml2-debuginfo-2.9.7-8.el8.aarch64.rpm

ppc64le: libxml2-debuginfo-2.9.7-8.el8.ppc64le.rpm libxml2-debugsource-2.9.7-8.el8.ppc64le.rpm libxml2-devel-2.9.7-8.el8.ppc64le.rpm python3-libxml2-debuginfo-2.9.7-8.el8.ppc64le.rpm

s390x: libxml2-debuginfo-2.9.7-8.el8.s390x.rpm libxml2-debugsource-2.9.7-8.el8.s390x.rpm libxml2-devel-2.9.7-8.el8.s390x.rpm python3-libxml2-debuginfo-2.9.7-8.el8.s390x.rpm

x86_64: libxml2-debuginfo-2.9.7-8.el8.i686.rpm libxml2-debuginfo-2.9.7-8.el8.x86_64.rpm libxml2-debugsource-2.9.7-8.el8.i686.rpm libxml2-debugsource-2.9.7-8.el8.x86_64.rpm libxml2-devel-2.9.7-8.el8.i686.rpm libxml2-devel-2.9.7-8.el8.x86_64.rpm python3-libxml2-debuginfo-2.9.7-8.el8.i686.rpm python3-libxml2-debuginfo-2.9.7-8.el8.x86_64.rpm

Red Hat Enterprise Linux BaseOS (v. 8):

Source: libxml2-2.9.7-8.el8.src.rpm

aarch64: libxml2-2.9.7-8.el8.aarch64.rpm libxml2-debuginfo-2.9.7-8.el8.aarch64.rpm libxml2-debugsource-2.9.7-8.el8.aarch64.rpm python3-libxml2-2.9.7-8.el8.aarch64.rpm python3-libxml2-debuginfo-2.9.7-8.el8.aarch64.rpm

ppc64le: libxml2-2.9.7-8.el8.ppc64le.rpm libxml2-debuginfo-2.9.7-8.el8.ppc64le.rpm libxml2-debugsource-2.9.7-8.el8.ppc64le.rpm python3-libxml2-2.9.7-8.el8.ppc64le.rpm python3-libxml2-debuginfo-2.9.7-8.el8.ppc64le.rpm

s390x: libxml2-2.9.7-8.el8.s390x.rpm libxml2-debuginfo-2.9.7-8.el8.s390x.rpm libxml2-debugsource-2.9.7-8.el8.s390x.rpm python3-libxml2-2.9.7-8.el8.s390x.rpm python3-libxml2-debuginfo-2.9.7-8.el8.s390x.rpm

x86_64: libxml2-2.9.7-8.el8.i686.rpm libxml2-2.9.7-8.el8.x86_64.rpm libxml2-debuginfo-2.9.7-8.el8.i686.rpm libxml2-debuginfo-2.9.7-8.el8.x86_64.rpm libxml2-debugsource-2.9.7-8.el8.i686.rpm libxml2-debugsource-2.9.7-8.el8.x86_64.rpm python3-libxml2-2.9.7-8.el8.x86_64.rpm python3-libxml2-debuginfo-2.9.7-8.el8.i686.rpm python3-libxml2-debuginfo-2.9.7-8.el8.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/

  1. References:

https://access.redhat.com/security/cve/CVE-2019-19956 https://access.redhat.com/security/cve/CVE-2019-20388 https://access.redhat.com/security/cve/CVE-2020-7595 https://access.redhat.com/security/updates/classification/#moderate https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/8.3_release_notes/

  1. Contact:

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/

Copyright 2020 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1

iQIVAwUBX6I21tzjgjWX9erEAQjPWQ/9HUwbjkw/cY8D3Rd6eR/cQbQjwrpJdOHJ YIZQ3ZgphMhXXNMZmPfFTI2cwLkirN7uH73KtT3+LOsepnzhyhRghQgRUaLYFXgl OMUCjzevES36P3bY9N2rk6xvfU4pnpeWb94t6sEiJuWdCDIs52UY41ODOnGVJorw mxYe8rtP3FAAicPOG/OEWFiTZxH3inn2TbWixRHH1eG7ySvjbQfbfjA4e5zoY84K EizU1IVu9rJfgnwfknKDote31LjHzvbw5SsCyAHlMz6f4Z7UhHefOlVAyB6XHFjF rN5ADjtF1B5wjxtYSGmnfNxsrdtDyOC5T31EA2EC5qyQ6XBL9GUix8BPmK0fPXxI BXXNYmwSXsIaeAwq6d5LbSBNI5ntU6tDyZ7lvDNkEgI4sRxIBZ84IVeDbLcgOwJv OA/M0eg2o7uKiNF0DV4ZVHCVHeH5LoaBhrq/0B21FkM9JxRX8vEwhavkR9oVW331 yFlmYiZpOQkD6P0omCtwED4jmCg9hdRCfXCbUbYpmpWoK9Plp3hY/v2RfUEMROYV R+o8hCb1wbiyIPLVvsuVppM/rUUfuQ6sd9FwwsbjgdeCrx+++wCX/NwlzIPwtT4F Gnj1SaXE0/5Ilyb3Tqq1QYcLe7YfVk/0Iip9V+t4HPyWRVOFFYexqjXZCNt2L8JS NiiH7H8gSOo\xba8C -----END PGP SIGNATURE-----

-- RHSA-announce mailing list RHSA-announce@redhat.com https://www.redhat.com/mailman/listinfo/rhsa-announce . Solution:

See the documentation at: https://access.redhat.com/documentation/en-us/openshift_container_platform/4.6/html/serverless_applications/index

  1. Bugs fixed (https://bugzilla.redhat.com/):

1874857 - CVE-2020-24553 golang: default Content-Type setting in net/http/cgi and net/http/fcgi could cause XSS 1897635 - CVE-2020-28362 golang: math/big: panic during recursive division of very large numbers 1897643 - CVE-2020-28366 golang: malicious symbol names can lead to code execution at build time 1897646 - CVE-2020-28367 golang: improper validation of cgo flags can lead to code execution at build time 1906381 - Release of OpenShift Serverless Serving 1.12.0 1906382 - Release of OpenShift Serverless Eventing 1.12.0

5



{
   "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
      affected_products: {
         "@id": "https://www.variotdbs.pl/ref/affected_products",
      },
      configurations: {
         "@id": "https://www.variotdbs.pl/ref/configurations",
      },
      credits: {
         "@id": "https://www.variotdbs.pl/ref/credits",
      },
      cvss: {
         "@id": "https://www.variotdbs.pl/ref/cvss/",
      },
      description: {
         "@id": "https://www.variotdbs.pl/ref/description/",
      },
      exploit_availability: {
         "@id": "https://www.variotdbs.pl/ref/exploit_availability/",
      },
      external_ids: {
         "@id": "https://www.variotdbs.pl/ref/external_ids/",
      },
      iot: {
         "@id": "https://www.variotdbs.pl/ref/iot/",
      },
      iot_taxonomy: {
         "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/",
      },
      patch: {
         "@id": "https://www.variotdbs.pl/ref/patch/",
      },
      problemtype_data: {
         "@id": "https://www.variotdbs.pl/ref/problemtype_data/",
      },
      references: {
         "@id": "https://www.variotdbs.pl/ref/references/",
      },
      sources: {
         "@id": "https://www.variotdbs.pl/ref/sources/",
      },
      sources_release_date: {
         "@id": "https://www.variotdbs.pl/ref/sources_release_date/",
      },
      sources_update_date: {
         "@id": "https://www.variotdbs.pl/ref/sources_update_date/",
      },
      threat_type: {
         "@id": "https://www.variotdbs.pl/ref/threat_type/",
      },
      title: {
         "@id": "https://www.variotdbs.pl/ref/title/",
      },
      type: {
         "@id": "https://www.variotdbs.pl/ref/type/",
      },
   },
   "@id": "https://www.variotdbs.pl/vuln/VAR-202001-1866",
   affected_products: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/affected_products#",
         data: {
            "@container": "@list",
         },
         sources: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/ref/sources#",
            },
            "@id": "https://www.variotdbs.pl/ref/sources",
         },
      },
      data: [
         {
            model: "libxml2",
            scope: "eq",
            trust: 1.8,
            vendor: "xmlsoft",
            version: "2.9.10",
         },
         {
            model: "smi-s provider",
            scope: "eq",
            trust: 1,
            vendor: "netapp",
            version: null,
         },
         {
            model: "steelstore cloud integrated storage",
            scope: "eq",
            trust: 1,
            vendor: "netapp",
            version: null,
         },
         {
            model: "fedora",
            scope: "eq",
            trust: 1,
            vendor: "fedoraproject",
            version: "30",
         },
         {
            model: "ubuntu linux",
            scope: "eq",
            trust: 1,
            vendor: "canonical",
            version: "12.04",
         },
         {
            model: "communications cloud native core network function cloud native environment",
            scope: "eq",
            trust: 1,
            vendor: "oracle",
            version: "1.10.0",
         },
         {
            model: "fedora",
            scope: "eq",
            trust: 1,
            vendor: "fedoraproject",
            version: "31",
         },
         {
            model: "enterprise manager base platform",
            scope: "eq",
            trust: 1,
            vendor: "oracle",
            version: "13.4.0.0",
         },
         {
            model: "real user experience insight",
            scope: "eq",
            trust: 1,
            vendor: "oracle",
            version: "13.4.1.0",
         },
         {
            model: "snapdrive",
            scope: "eq",
            trust: 1,
            vendor: "netapp",
            version: null,
         },
         {
            model: "clustered data ontap",
            scope: "eq",
            trust: 1,
            vendor: "netapp",
            version: null,
         },
         {
            model: "h300s",
            scope: "eq",
            trust: 1,
            vendor: "netapp",
            version: null,
         },
         {
            model: "h300e",
            scope: "eq",
            trust: 1,
            vendor: "netapp",
            version: null,
         },
         {
            model: "ubuntu linux",
            scope: "eq",
            trust: 1,
            vendor: "canonical",
            version: "18.04",
         },
         {
            model: "real user experience insight",
            scope: "eq",
            trust: 1,
            vendor: "oracle",
            version: "13.3.1.0",
         },
         {
            model: "h700e",
            scope: "eq",
            trust: 1,
            vendor: "netapp",
            version: null,
         },
         {
            model: "h500s",
            scope: "eq",
            trust: 1,
            vendor: "netapp",
            version: null,
         },
         {
            model: "mysql workbench",
            scope: "lte",
            trust: 1,
            vendor: "oracle",
            version: "8.0.26",
         },
         {
            model: "ubuntu linux",
            scope: "eq",
            trust: 1,
            vendor: "canonical",
            version: "16.04",
         },
         {
            model: "sinema remote connect server",
            scope: "lt",
            trust: 1,
            vendor: "siemens",
            version: "3.0",
         },
         {
            model: "ubuntu linux",
            scope: "eq",
            trust: 1,
            vendor: "canonical",
            version: "14.04",
         },
         {
            model: "h410c",
            scope: "eq",
            trust: 1,
            vendor: "netapp",
            version: null,
         },
         {
            model: "enterprise manager ops center",
            scope: "eq",
            trust: 1,
            vendor: "oracle",
            version: "12.4.0.0",
         },
         {
            model: "ubuntu linux",
            scope: "eq",
            trust: 1,
            vendor: "canonical",
            version: "19.10",
         },
         {
            model: "symantec netbackup",
            scope: "eq",
            trust: 1,
            vendor: "netapp",
            version: null,
         },
         {
            model: "fedora",
            scope: "eq",
            trust: 1,
            vendor: "fedoraproject",
            version: "32",
         },
         {
            model: "h500e",
            scope: "eq",
            trust: 1,
            vendor: "netapp",
            version: null,
         },
         {
            model: "peoplesoft enterprise peopletools",
            scope: "eq",
            trust: 1,
            vendor: "oracle",
            version: "8.58",
         },
         {
            model: "h700s",
            scope: "eq",
            trust: 1,
            vendor: "netapp",
            version: null,
         },
         {
            model: "h410s",
            scope: "eq",
            trust: 1,
            vendor: "netapp",
            version: null,
         },
         {
            model: "linux",
            scope: "eq",
            trust: 1,
            vendor: "debian",
            version: "9.0",
         },
         {
            model: "real user experience insight",
            scope: "eq",
            trust: 1,
            vendor: "oracle",
            version: "13.5.1.0",
         },
         {
            model: "enterprise manager base platform",
            scope: "eq",
            trust: 1,
            vendor: "oracle",
            version: "13.5.0.0",
         },
         {
            model: "libxml2",
            scope: "eq",
            trust: 0.8,
            vendor: "xmlsoft",
            version: null,
         },
      ],
      sources: [
         {
            db: "JVNDB",
            id: "JVNDB-2020-001451",
         },
         {
            db: "NVD",
            id: "CVE-2020-7595",
         },
      ],
   },
   credits: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/credits#",
         sources: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/ref/sources#",
            },
         },
      },
      data: "Red Hat",
      sources: [
         {
            db: "PACKETSTORM",
            id: "160624",
         },
         {
            db: "PACKETSTORM",
            id: "160889",
         },
         {
            db: "PACKETSTORM",
            id: "160125",
         },
         {
            db: "PACKETSTORM",
            id: "161727",
         },
         {
            db: "PACKETSTORM",
            id: "161016",
         },
         {
            db: "PACKETSTORM",
            id: "159553",
         },
         {
            db: "PACKETSTORM",
            id: "161536",
         },
         {
            db: "PACKETSTORM",
            id: "159851",
         },
         {
            db: "PACKETSTORM",
            id: "160961",
         },
         {
            db: "CNNVD",
            id: "CNNVD-202001-965",
         },
      ],
      trust: 1.5,
   },
   cve: "CVE-2020-7595",
   cvss: {
      "@context": {
         cvssV2: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#",
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2",
         },
         cvssV3: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#",
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/",
         },
         severity: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/cvss/severity#",
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/severity",
         },
         sources: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/ref/sources#",
            },
            "@id": "https://www.variotdbs.pl/ref/sources",
         },
      },
      data: [
         {
            cvssV2: [
               {
                  accessComplexity: "LOW",
                  accessVector: "NETWORK",
                  authentication: "NONE",
                  author: "nvd@nist.gov",
                  availabilityImpact: "PARTIAL",
                  baseScore: 5,
                  confidentialityImpact: "NONE",
                  exploitabilityScore: 10,
                  id: "CVE-2020-7595",
                  impactScore: 2.9,
                  integrityImpact: "NONE",
                  severity: "MEDIUM",
                  trust: 1.9,
                  vectorString: "AV:N/AC:L/Au:N/C:N/I:N/A:P",
                  version: "2.0",
               },
               {
                  accessComplexity: "LOW",
                  accessVector: "NETWORK",
                  authentication: "NONE",
                  author: "VULHUB",
                  availabilityImpact: "PARTIAL",
                  baseScore: 5,
                  confidentialityImpact: "NONE",
                  exploitabilityScore: 10,
                  id: "VHN-185720",
                  impactScore: 2.9,
                  integrityImpact: "NONE",
                  severity: "MEDIUM",
                  trust: 0.1,
                  vectorString: "AV:N/AC:L/AU:N/C:N/I:N/A:P",
                  version: "2.0",
               },
            ],
            cvssV3: [
               {
                  attackComplexity: "LOW",
                  attackVector: "NETWORK",
                  author: "nvd@nist.gov",
                  availabilityImpact: "HIGH",
                  baseScore: 7.5,
                  baseSeverity: "HIGH",
                  confidentialityImpact: "NONE",
                  exploitabilityScore: 3.9,
                  id: "CVE-2020-7595",
                  impactScore: 3.6,
                  integrityImpact: "NONE",
                  privilegesRequired: "NONE",
                  scope: "UNCHANGED",
                  trust: 1,
                  userInteraction: "NONE",
                  vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                  version: "3.1",
               },
               {
                  attackComplexity: "Low",
                  attackVector: "Network",
                  author: "NVD",
                  availabilityImpact: "High",
                  baseScore: 7.5,
                  baseSeverity: "High",
                  confidentialityImpact: "None",
                  exploitabilityScore: null,
                  id: "CVE-2020-7595",
                  impactScore: null,
                  integrityImpact: "None",
                  privilegesRequired: "None",
                  scope: "Unchanged",
                  trust: 0.8,
                  userInteraction: "None",
                  vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                  version: "3.0",
               },
            ],
            severity: [
               {
                  author: "nvd@nist.gov",
                  id: "CVE-2020-7595",
                  trust: 1,
                  value: "HIGH",
               },
               {
                  author: "NVD",
                  id: "CVE-2020-7595",
                  trust: 0.8,
                  value: "High",
               },
               {
                  author: "CNNVD",
                  id: "CNNVD-202001-965",
                  trust: 0.6,
                  value: "HIGH",
               },
               {
                  author: "VULHUB",
                  id: "VHN-185720",
                  trust: 0.1,
                  value: "MEDIUM",
               },
               {
                  author: "VULMON",
                  id: "CVE-2020-7595",
                  trust: 0.1,
                  value: "MEDIUM",
               },
            ],
         },
      ],
      sources: [
         {
            db: "VULHUB",
            id: "VHN-185720",
         },
         {
            db: "VULMON",
            id: "CVE-2020-7595",
         },
         {
            db: "JVNDB",
            id: "JVNDB-2020-001451",
         },
         {
            db: "CNNVD",
            id: "CNNVD-202001-965",
         },
         {
            db: "NVD",
            id: "CVE-2020-7595",
         },
      ],
   },
   description: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/description#",
         sources: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/ref/sources#",
            },
         },
      },
      data: "xmlStringLenDecodeEntities in parser.c in libxml2 2.9.10 has an infinite loop in a certain end-of-file situation. There is a security vulnerability in the xmlStringLenDecodeEntities of the parser.c file in libxml2 version 2.9.10. It exists that libxml2 incorrectly handled certain XML files. \n(CVE-2019-19956, CVE-2020-7595). Description:\n\nRed Hat OpenShift Container Storage is software-defined storage integrated\nwith and optimized for the Red Hat OpenShift Container Platform. Red Hat\nOpenShift Container Storage is a highly scalable, production-grade\npersistent storage for stateful applications running in the Red Hat\nOpenShift Container Platform. In addition to persistent storage, Red Hat\nOpenShift Container Storage provisions a multicloud data management service\nwith an S3 compatible API. \n\nThese updated images include numerous security fixes, bug fixes, and\nenhancements. Solution:\n\nBefore applying this update, make sure all previously released errata\nrelevant to your system have been applied. Bugs fixed (https://bugzilla.redhat.com/):\n\n1806266 - Require an extension to the cephfs subvolume commands, that can return metadata regarding a subvolume\n1813506 - Dockerfile not  compatible with docker and buildah\n1817438 - OSDs not distributed uniformly across OCS nodes on a 9-node AWS IPI setup\n1817850 - [BAREMETAL] rook-ceph-operator does not reconcile when osd deployment is deleted when performed node replacement\n1827157 - OSD hitting default CPU limit on AWS i3en.2xlarge instances limiting performance\n1829055 - [RFE] add insecureEdgeTerminationPolicy: Redirect to noobaa mgmt route (http to https)\n1833153 - add a variable for sleep time of rook operator between checks of downed OSD+Node. 
\n1836299 - NooBaa Operator deploys with HPA that fires maxreplicas alerts by default\n1842254 - [NooBaa] Compression stats do not add up when compression id disabled\n1845976 - OCS 4.5 Independent mode: must-gather commands fails to collect ceph command outputs from external cluster\n1849771 - [RFE] Account created by OBC should have same permissions as bucket owner\n1853652 - CVE-2020-14040 golang.org/x/text: possibility to trigger an infinite loop in encoding/unicode could lead to crash\n1854500 - [tracker-rhcs bug 1838931] mgr/volumes: add command to return metadata of a subvolume snapshot\n1854501 - [Tracker-rhcs bug 1848494 ]pybind/mgr/volumes: Add the ability to keep snapshots of subvolumes independent of the source subvolume\n1854503 - [tracker-rhcs-bug 1848503] cephfs: Provide alternatives to increase the total cephfs subvolume snapshot counts to greater than the current 400 across a Cephfs volume\n1856953 - CVE-2020-15586 golang: data race in certain net/http servers including ReverseProxy can lead to DoS\n1858195 - [GSS] registry pod stuck in ContainerCreating due to pvc from cephfs storage class fail to mount\n1859183 - PV expansion is failing in retry loop in pre-existing PV after upgrade to OCS 4.5 (i.e. 
if the PV spec does not contain expansion params)\n1859229 - Rook should delete extra MON PVCs in case first reconcile takes too long and rook skips \"b\" and \"c\" (spawned from Bug 1840084#c14)\n1859478 - OCS 4.6 : Upon deployment, CSI Pods in CLBO with error - flag provided but not defined: -metadatastorage\n1860022 - OCS 4.6 Deployment: LBP CSV and pod should not be deployed since ob/obc CRDs are owned from OCS 4.5 onwards\n1860034 - OCS 4.6 Deployment in ocs-ci : Toolbox pod in ContainerCreationError due to key admin-secret not found\n1860670 - OCS 4.5 Uninstall External: Openshift-storage namespace in Terminating state as CephObjectStoreUser had finalizers remaining\n1860848 - Add validation for rgw-pool-prefix in the ceph-external-cluster-details-exporter script\n1861780 - [Tracker BZ1866386][IBM s390x] Mount Failed for CEPH  while running couple of OCS test cases. \n1865938 - CSIDrivers missing in OCS 4.6\n1867024 - [ocs-operator] operator v4.6.0-519.ci is in Installing state\n1867099 - CVE-2020-16845 golang: ReadUvarint and ReadVarint can read an unlimited number of bytes from invalid inputs\n1868060 - [External Cluster] Noobaa-default-backingstore PV in released state upon OCS 4.5 uninstall (Secret not found)\n1868703 - [rbd] After volume expansion, the new size is not reflected on the pod\n1869411 - capture full crash information from ceph\n1870061 - [RHEL][IBM] OCS un-install should make the devices raw\n1870338 - OCS 4.6 must-gather : ocs-must-gather-xxx-helper pod in ContainerCreationError (couldn't find key admin-secret)\n1870631 - OCS 4.6 Deployment : RGW pods went into 'CrashLoopBackOff' state on Z Platform\n1872119 - Updates don't work on StorageClass which will keep PV expansion disabled for upgraded cluster\n1872696 - [ROKS][RFE]NooBaa Configure IBM COS as default backing store\n1873864 - Noobaa: On an baremetal RHCOS cluster, some backingstores are stuck in PROGRESSING state with INVALID_ENDPOINT TemporaryError\n1874606 - CVE-2020-7720 
nodejs-node-forge: prototype pollution via the util.setPath function\n1875476 - Change noobaa logo in the noobaa UI\n1877339 - Incorrect use of logr\n1877371 - NooBaa UI warning message on Deploy Kubernetes Pool process - typo and shown number is incorrect\n1878153 - OCS 4.6 must-gather: collect node information under cluster_scoped_resources/oc_output directory\n1878714 - [FIPS enabled] BadDigest error on file upload to noobaa bucket\n1878853 - [External Mode] ceph-external-cluster-details-exporter.py  does not tolerate TLS enabled RGW\n1879008 - ocs-osd-removal job fails because it can't find admin-secret in rook-ceph-mon secret\n1879072 - Deployment with encryption at rest is failing to bring up OSD pods\n1879919 - [External] Upgrade mechanism from OCS 4.5 to OCS 4.6 needs to be fixed\n1880255 - Collect rbd info and subvolume info and snapshot info command output\n1881028 - CVE-2020-8237 nodejs-json-bigint: Prototype pollution via `__proto__` assignment could result in DoS\n1881071 - [External] Upgrade mechanism from OCS 4.5 to OCS 4.6 needs to be fixed\n1882397 - MCG decompression problem with snappy on s390x arch\n1883253 - CSV doesn't contain values required for UI to enable minimal deployment and cluster encryption\n1883398 - Update csi sidecar containers in rook\n1883767 - Using placement strategies in cluster-service.yaml causes ocs-operator to crash\n1883810 - [External mode]  RGW metrics is not available after OCS upgrade from 4.5 to 4.6\n1883927 - Deployment with encryption at rest is failing to bring up OSD pods\n1885175 - Handle disappeared underlying device for encrypted OSD\n1885428 - panic seen in rook-ceph during uninstall - \"close of closed channel\"\n1885648 - [Tracker for https://bugzilla.redhat.com/show_bug.cgi?id=1885700] FSTYPE for localvolumeset devices shows up as ext2 after uninstall\n1885971 - ocs-storagecluster-cephobjectstore doesn't report true state of RGW\n1886308 - Default VolumeSnapshot Classes not created in External 
Mode\n1886348 - osd removal job failed with status \"Error\"\n1886551 - Clone creation failed after timeout of 5 hours of Azure platrom for 3 CephFS PVCs ( PVC sizes: 1, 25 and 100 GB)\n1886709 - [External] RGW storageclass disappears after upgrade from OCS 4.5 to 4.6\n1886859 - OCS 4.6: Uninstall stuck indefinitely if any Ceph pods are in Pending state before uninstall\n1886873 - [OCS 4.6 External/Internal Uninstall] - Storage Cluster deletion stuck indefinitely, \"failed to delete object store\", remaining users: [noobaa-ceph-objectstore-user]\n1888583 - [External] When deployment is attempted without specifying the monitoring-endpoint while generating JSON, the CSV is stuck in installing state\n1888593 - [External] Add validation for monitoring-endpoint and port in the exporter script\n1888614 - [External] Unreachable monitoring-endpoint used during deployment causes ocs-operator to crash\n1889441 - Traceback error message while running OCS 4.6 must-gather\n1889683 - [GSS] Noobaa Problem when setting public access to a bucket\n1889866 - Post node power off/on, an unused MON PVC still stays back in the cluster\n1890183 - [External] ocs-operator logs are filled with \"failed to reconcile metrics exporter\"\n1890638 - must-gather helper pod should be deleted after collecting ceph crash info\n1890971 - [External] RGW metrics are not available if anything else except 9283 is provided as the monitoring-endpoint-port\n1891856 - ocs-metrics-exporter pod should have tolerations for OCS taint\n1892206 - [GSS] Ceph image/version mismatch\n1892234 - clone #95 creation failed for CephFS PVC ( 10 GB PVC size) during multiple clones creation test\n1893624 - Must Gather is not collecting the tar file from NooBaa diagnose\n1893691 - OCS4.6 must_gather failes to complete in 600sec\n1893714 - Bad response for upload an object with encryption\n1895402 - Mon pods didn't get upgraded in 720 second timeout from OCS 4.5 upgrade to 4.6\n1896298 - [RFE] Monitoring for Namespace buckets 
and resources\n1896831 - Clone#452 for RBD PVC ( PVC size 1 GB) failed to be created for 600 secs\n1898521 - [CephFS] Deleting cephfsplugin pod along with app pods will make PV remain in Released state after deleting the PVC\n1902627 - must-gather should wait for debug pods to be in ready state\n1904171 - RGW Service is unavailable for a short period during upgrade to OCS 4.6\n\n5. \n\nBug Fix(es):\n* NVD feed fixed in Clair-v2 (clair-jwt image)\n\n3. Solution:\n\nDownload the release images via:\n\nquay.io/redhat/quay:v3.3.3\nquay.io/redhat/clair-jwt:v3.3.3\nquay.io/redhat/quay-builder:v3.3.3\nquay.io/redhat/clair:v3.3.3\n\n4. Bugs fixed (https://bugzilla.redhat.com/):\n\n1905758 - CVE-2020-27831 quay: email notifications authorization bypass\n1905784 - CVE-2020-27832 quay: persistent XSS in repository notification display\n\n5. JIRA issues fixed (https://issues.jboss.org/):\n\nPROJQUAY-1124 - NVD feed is broken for latest Clair v2 version\n\n6. Solution:\n\nFor information on upgrading Ansible Tower, reference the Ansible Tower\nUpgrade and Migration Guide:\nhttps://docs.ansible.com/ansible-tower/latest/html/upgrade-migration-guide/\nindex.html\n\n4. Bugs fixed (https://bugzilla.redhat.com/):\n\n1790277 - CVE-2019-20372 nginx: HTTP request smuggling in configurations with URL redirect used as error_page\n1828406 - CVE-2020-11022 jquery: Cross-site scripting due to improper injQuery.htmlPrefilter method\n1850004 - CVE-2020-11023 jquery: Passing HTML containing <option> elements to manipulation methods could result in untrusted code execution\n1911314 - CVE-2020-35678 python-autobahn: allows redirect header injection\n1928847 - CVE-2021-20253 ansible-tower: Privilege escalation via job isolation escape\n\n5. 
\n\nBug Fix(es):\n\n* Aggregator pod tries to parse ConfigMaps without results (BZ#1899479)\n\n* The compliancesuite object returns error with ocp4-cis tailored profile\n(BZ#1902251)\n\n* The compliancesuite does not trigger when there are multiple rhcos4\nprofiles added in scansettingbinding object (BZ#1902634)\n\n* [OCP v46] Not all remediations get applied through machineConfig although\nthe status of all rules shows Applied in ComplianceRemediations object\n(BZ#1907414)\n\n* The profile parser pod deployment and associated profiles should get\nremoved after upgrade the compliance operator (BZ#1908991)\n\n* Applying the \"rhcos4-moderate\" compliance profile leads to Ignition error\n\"something else exists at that path\" (BZ#1909081)\n\n* [OCP v46] Always update the default profilebundles on Compliance operator\nstartup (BZ#1909122)\n\n3. Bugs fixed (https://bugzilla.redhat.com/):\n\n1899479 - Aggregator pod tries to parse ConfigMaps without results\n1902111 - CVE-2020-27813 golang-github-gorilla-websocket: integer overflow leads to denial of service\n1902251 - The compliancesuite object returns error with ocp4-cis tailored profile\n1902634 - The compliancesuite does not trigger when there are multiple rhcos4 profiles added in scansettingbinding object\n1907414 - [OCP v46] Not all remediations get applied through machineConfig although the status of all rules shows Applied in ComplianceRemediations object\n1908991 - The profile parser pod deployment and associated profiles should get removed after upgrade the compliance operator\n1909081 - Applying the \"rhcos4-moderate\" compliance profile leads to Ignition error \"something else exists at that path\"\n1909122 - [OCP v46] Always update the default profilebundles on Compliance operator startup\n\n5. Bugs fixed (https://bugzilla.redhat.com/):\n\n1772014 - CVE-2019-18874 python-psutil: double free because of refcount mishandling\n\n5. 
To check for available updates, use the OpenShift Console\nor the CLI oc command. Instructions for upgrading a cluster are available\nat\nhttps://docs.openshift.com/container-platform/4.7/updating/updating-cluster-between-minor.html#understanding-upgrade-channels_updating-cluster-between-minor. Solution:\n\nFor OpenShift Container Platform 4.7 see the following documentation, which\nwill be updated shortly for this release, for important instructions on how\nto upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.7/release_notes/ocp-4-7-release-notes.html\n\nDetails on how to access this content are available at\nhttps://docs.openshift.com/container-platform/4.7/updating/updating-cluster-cli.html. Bugs fixed (https://bugzilla.redhat.com/):\n\n1823765 - nfd-workers crash under an ipv6 environment\n1838802 - mysql8 connector from operatorhub does not work with metering operator\n1838845 - Metering operator can't connect to postgres DB from Operator Hub\n1841883 - namespace-persistentvolumeclaim-usage  query returns unexpected values\n1853652 - CVE-2020-14040 golang.org/x/text: possibility to trigger an infinite loop in encoding/unicode could lead to crash\n1868294 - NFD operator does not allow customisation of nfd-worker.conf\n1882310 - CVE-2020-24750 jackson-databind: Serialization gadgets in com.pastdev.httpcomponents.configuration.JndiConfiguration\n1890672 - NFD is missing a build flag to build correctly\n1890741 - path to the CA trust bundle ConfigMap is broken in report operator\n1897346 - NFD worker pods not scheduler on a 3 node master/worker cluster\n1898373 - Metering operator failing upgrade from 4.4 to 4.6 channel\n1900125 - FIPS error while generating RSA private key for CA\n1906129 - OCP 4.7:  Node Feature Discovery (NFD) Operator in CrashLoopBackOff when deployed from OperatorHub\n1908492 - OCP 4.7:  Node Feature Discovery (NFD) Operator Custom Resource Definition file in 
olm-catalog is not in sync with the one in manifests dir leading to failed deployment from OperatorHub\n1913837 - The CI and ART 4.7 metering images are not mirrored\n1914869 - OCP 4.7 NFD - Operand configuration options for NodeFeatureDiscovery are empty, no supported image for ppc64le\n1916010 - olm skip range is set to the wrong range\n1921650 - CVE-2021-3121 gogo/protobuf: plugin/unmarshal/unmarshal.go lacks certain index validation\n1923998 - NFD Operator is failing to update and remains in Replacing state\n\n5. -----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA256\n\n====================================================================                   \nRed Hat Security Advisory\n\nSynopsis:          Moderate: libxml2 security update\nAdvisory ID:       RHSA-2020:4479-01\nProduct:           Red Hat Enterprise Linux\nAdvisory URL:      https://access.redhat.com/errata/RHSA-2020:4479\nIssue date:        2020-11-03\nCVE Names:         CVE-2019-19956 CVE-2019-20388 CVE-2020-7595\n====================================================================\n1. Summary:\n\nAn update for libxml2 is now available for Red Hat Enterprise Linux 8. \n\nRed Hat Product Security has rated this update as having a security impact\nof Moderate. A Common Vulnerability Scoring System (CVSS) base score, which\ngives a detailed severity rating, is available for each vulnerability from\nthe CVE link(s) in the References section. \n\n2. Relevant releases/architectures:\n\nRed Hat Enterprise Linux AppStream (v. 8) - aarch64, ppc64le, s390x, x86_64\nRed Hat Enterprise Linux BaseOS (v. 8) - aarch64, ppc64le, s390x, x86_64\n\n3. Description:\n\nThe libxml2 library is a development toolbox providing the implementation\nof various XML standards. 
\n\nSecurity Fix(es):\n\n* libxml2: memory leak in xmlParseBalancedChunkMemoryRecover in parser.c\n(CVE-2019-19956)\n\n* libxml2: memory leak in xmlSchemaPreRun in xmlschemas.c (CVE-2019-20388)\n\n* libxml2: infinite loop in xmlStringLenDecodeEntities in some end-of-file\nsituations (CVE-2020-7595)\n\nFor more details about the security issue(s), including the impact, a CVSS\nscore, acknowledgments, and other related information, refer to the CVE\npage(s) listed in the References section. \n\nAdditional Changes:\n\nFor detailed information on changes in this release, see the Red Hat\nEnterprise Linux 8.3 Release Notes linked from the References section. \n\n4. Solution:\n\nFor details on how to apply this update, which includes the changes\ndescribed in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258\n\nThe desktop must be restarted (log out, then log back in) for this update\nto take effect. \n\n5. Package List:\n\nRed Hat Enterprise Linux AppStream (v. 8):\n\naarch64:\nlibxml2-debuginfo-2.9.7-8.el8.aarch64.rpm\nlibxml2-debugsource-2.9.7-8.el8.aarch64.rpm\nlibxml2-devel-2.9.7-8.el8.aarch64.rpm\npython3-libxml2-debuginfo-2.9.7-8.el8.aarch64.rpm\n\nppc64le:\nlibxml2-debuginfo-2.9.7-8.el8.ppc64le.rpm\nlibxml2-debugsource-2.9.7-8.el8.ppc64le.rpm\nlibxml2-devel-2.9.7-8.el8.ppc64le.rpm\npython3-libxml2-debuginfo-2.9.7-8.el8.ppc64le.rpm\n\ns390x:\nlibxml2-debuginfo-2.9.7-8.el8.s390x.rpm\nlibxml2-debugsource-2.9.7-8.el8.s390x.rpm\nlibxml2-devel-2.9.7-8.el8.s390x.rpm\npython3-libxml2-debuginfo-2.9.7-8.el8.s390x.rpm\n\nx86_64:\nlibxml2-debuginfo-2.9.7-8.el8.i686.rpm\nlibxml2-debuginfo-2.9.7-8.el8.x86_64.rpm\nlibxml2-debugsource-2.9.7-8.el8.i686.rpm\nlibxml2-debugsource-2.9.7-8.el8.x86_64.rpm\nlibxml2-devel-2.9.7-8.el8.i686.rpm\nlibxml2-devel-2.9.7-8.el8.x86_64.rpm\npython3-libxml2-debuginfo-2.9.7-8.el8.i686.rpm\npython3-libxml2-debuginfo-2.9.7-8.el8.x86_64.rpm\n\nRed Hat Enterprise Linux BaseOS (v. 
8):\n\nSource:\nlibxml2-2.9.7-8.el8.src.rpm\n\naarch64:\nlibxml2-2.9.7-8.el8.aarch64.rpm\nlibxml2-debuginfo-2.9.7-8.el8.aarch64.rpm\nlibxml2-debugsource-2.9.7-8.el8.aarch64.rpm\npython3-libxml2-2.9.7-8.el8.aarch64.rpm\npython3-libxml2-debuginfo-2.9.7-8.el8.aarch64.rpm\n\nppc64le:\nlibxml2-2.9.7-8.el8.ppc64le.rpm\nlibxml2-debuginfo-2.9.7-8.el8.ppc64le.rpm\nlibxml2-debugsource-2.9.7-8.el8.ppc64le.rpm\npython3-libxml2-2.9.7-8.el8.ppc64le.rpm\npython3-libxml2-debuginfo-2.9.7-8.el8.ppc64le.rpm\n\ns390x:\nlibxml2-2.9.7-8.el8.s390x.rpm\nlibxml2-debuginfo-2.9.7-8.el8.s390x.rpm\nlibxml2-debugsource-2.9.7-8.el8.s390x.rpm\npython3-libxml2-2.9.7-8.el8.s390x.rpm\npython3-libxml2-debuginfo-2.9.7-8.el8.s390x.rpm\n\nx86_64:\nlibxml2-2.9.7-8.el8.i686.rpm\nlibxml2-2.9.7-8.el8.x86_64.rpm\nlibxml2-debuginfo-2.9.7-8.el8.i686.rpm\nlibxml2-debuginfo-2.9.7-8.el8.x86_64.rpm\nlibxml2-debugsource-2.9.7-8.el8.i686.rpm\nlibxml2-debugsource-2.9.7-8.el8.x86_64.rpm\npython3-libxml2-2.9.7-8.el8.x86_64.rpm\npython3-libxml2-debuginfo-2.9.7-8.el8.i686.rpm\npython3-libxml2-debuginfo-2.9.7-8.el8.x86_64.rpm\n\nThese packages are GPG signed by Red Hat for security.  Our key and\ndetails on how to verify the signature are available from\nhttps://access.redhat.com/security/team/key/\n\n7. References:\n\nhttps://access.redhat.com/security/cve/CVE-2019-19956\nhttps://access.redhat.com/security/cve/CVE-2019-20388\nhttps://access.redhat.com/security/cve/CVE-2020-7595\nhttps://access.redhat.com/security/updates/classification/#moderate\nhttps://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/8.3_release_notes/\n\n8. Contact:\n\nThe Red Hat security contact is <secalert@redhat.com>. More contact\ndetails at https://access.redhat.com/security/team/contact/\n\nCopyright 2020 Red Hat, Inc. 
\n-----BEGIN PGP SIGNATURE-----\nVersion: GnuPG v1\n\niQIVAwUBX6I21tzjgjWX9erEAQjPWQ/9HUwbjkw/cY8D3Rd6eR/cQbQjwrpJdOHJ\nYIZQ3ZgphMhXXNMZmPfFTI2cwLkirN7uH73KtT3+LOsepnzhyhRghQgRUaLYFXgl\nOMUCjzevES36P3bY9N2rk6xvfU4pnpeWb94t6sEiJuWdCDIs52UY41ODOnGVJorw\nmxYe8rtP3FAAicPOG/OEWFiTZxH3inn2TbWixRHH1eG7ySvjbQfbfjA4e5zoY84K\nEizU1IVu9rJfgnwfknKDote31LjHzvbw5SsCyAHlMz6f4Z7UhHefOlVAyB6XHFjF\nrN5ADjtF1B5wjxtYSGmnfNxsrdtDyOC5T31EA2EC5qyQ6XBL9GUix8BPmK0fPXxI\nBXXNYmwSXsIaeAwq6d5LbSBNI5ntU6tDyZ7lvDNkEgI4sRxIBZ84IVeDbLcgOwJv\nOA/M0eg2o7uKiNF0DV4ZVHCVHeH5LoaBhrq/0B21FkM9JxRX8vEwhavkR9oVW331\nyFlmYiZpOQkD6P0omCtwED4jmCg9hdRCfXCbUbYpmpWoK9Plp3hY/v2RfUEMROYV\nR+o8hCb1wbiyIPLVvsuVppM/rUUfuQ6sd9FwwsbjgdeCrx+++wCX/NwlzIPwtT4F\nGnj1SaXE0/5Ilyb3Tqq1QYcLe7YfVk/0Iip9V+t4HPyWRVOFFYexqjXZCNt2L8JS\nNiiH7H8gSOo\\xba8C\n-----END PGP SIGNATURE-----\n\n--\nRHSA-announce mailing list\nRHSA-announce@redhat.com\nhttps://www.redhat.com/mailman/listinfo/rhsa-announce\n. Solution:\n\nSee the documentation at:\nhttps://access.redhat.com/documentation/en-us/openshift_container_platform/\n4.6/html/serverless_applications/index\n\n4. Bugs fixed (https://bugzilla.redhat.com/):\n\n1874857 - CVE-2020-24553 golang: default Content-Type setting in net/http/cgi and net/http/fcgi could cause XSS\n1897635 - CVE-2020-28362 golang: math/big: panic during recursive division of very large numbers\n1897643 - CVE-2020-28366 golang: malicious symbol names can lead to code execution at build time\n1897646 - CVE-2020-28367 golang: improper validation of cgo flags can lead to code execution at build time\n1906381 - Release of OpenShift Serverless Serving 1.12.0\n1906382 - Release of OpenShift Serverless Eventing 1.12.0\n\n5",
      sources: [
         {
            db: "NVD",
            id: "CVE-2020-7595",
         },
         {
            db: "JVNDB",
            id: "JVNDB-2020-001451",
         },
         {
            db: "VULHUB",
            id: "VHN-185720",
         },
         {
            db: "VULMON",
            id: "CVE-2020-7595",
         },
         {
            db: "PACKETSTORM",
            id: "160624",
         },
         {
            db: "PACKETSTORM",
            id: "160889",
         },
         {
            db: "PACKETSTORM",
            id: "160125",
         },
         {
            db: "PACKETSTORM",
            id: "161727",
         },
         {
            db: "PACKETSTORM",
            id: "161016",
         },
         {
            db: "PACKETSTORM",
            id: "159553",
         },
         {
            db: "PACKETSTORM",
            id: "161536",
         },
         {
            db: "PACKETSTORM",
            id: "159851",
         },
         {
            db: "PACKETSTORM",
            id: "160961",
         },
      ],
      trust: 2.61,
   },
   external_ids: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/external_ids#",
         data: {
            "@container": "@list",
         },
         sources: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/ref/sources#",
            },
         },
      },
      data: [
         {
            db: "NVD",
            id: "CVE-2020-7595",
            trust: 3.5,
         },
         {
            db: "SIEMENS",
            id: "SSA-292794",
            trust: 1.8,
         },
         {
            db: "ICS CERT",
            id: "ICSA-21-103-08",
            trust: 1.8,
         },
         {
            db: "PACKETSTORM",
            id: "159851",
            trust: 0.8,
         },
         {
            db: "JVN",
            id: "JVNVU96269392",
            trust: 0.8,
         },
         {
            db: "JVNDB",
            id: "JVNDB-2020-001451",
            trust: 0.8,
         },
         {
            db: "PACKETSTORM",
            id: "159349",
            trust: 0.7,
         },
         {
            db: "PACKETSTORM",
            id: "161916",
            trust: 0.7,
         },
         {
            db: "PACKETSTORM",
            id: "162694",
            trust: 0.7,
         },
         {
            db: "PACKETSTORM",
            id: "159639",
            trust: 0.7,
         },
         {
            db: "CNNVD",
            id: "CNNVD-202001-965",
            trust: 0.7,
         },
         {
            db: "AUSCERT",
            id: "ESB-2021.0584",
            trust: 0.6,
         },
         {
            db: "AUSCERT",
            id: "ESB-2023.3732",
            trust: 0.6,
         },
         {
            db: "AUSCERT",
            id: "ESB-2021.1207",
            trust: 0.6,
         },
         {
            db: "AUSCERT",
            id: "ESB-2020.3535",
            trust: 0.6,
         },
         {
            db: "AUSCERT",
            id: "ESB-2021.2604",
            trust: 0.6,
         },
         {
            db: "AUSCERT",
            id: "ESB-2021.1744",
            trust: 0.6,
         },
         {
            db: "AUSCERT",
            id: "ESB-2020.0902",
            trust: 0.6,
         },
         {
            db: "AUSCERT",
            id: "ESB-2020.4513",
            trust: 0.6,
         },
         {
            db: "AUSCERT",
            id: "ESB-2021.1242",
            trust: 0.6,
         },
         {
            db: "AUSCERT",
            id: "ESB-2021.1727",
            trust: 0.6,
         },
         {
            db: "AUSCERT",
            id: "ESB-2020.3364",
            trust: 0.6,
         },
         {
            db: "AUSCERT",
            id: "ESB-2020.1564",
            trust: 0.6,
         },
         {
            db: "AUSCERT",
            id: "ESB-2020.2162",
            trust: 0.6,
         },
         {
            db: "AUSCERT",
            id: "ESB-2020.1826",
            trust: 0.6,
         },
         {
            db: "AUSCERT",
            id: "ESB-2021.0234",
            trust: 0.6,
         },
         {
            db: "AUSCERT",
            id: "ESB-2020.3631",
            trust: 0.6,
         },
         {
            db: "AUSCERT",
            id: "ESB-2021.0864",
            trust: 0.6,
         },
         {
            db: "AUSCERT",
            id: "ESB-2020.0471",
            trust: 0.6,
         },
         {
            db: "AUSCERT",
            id: "ESB-2021.0845",
            trust: 0.6,
         },
         {
            db: "AUSCERT",
            id: "ESB-2020.3868",
            trust: 0.6,
         },
         {
            db: "AUSCERT",
            id: "ESB-2021.0986",
            trust: 0.6,
         },
         {
            db: "AUSCERT",
            id: "ESB-2022.3550",
            trust: 0.6,
         },
         {
            db: "AUSCERT",
            id: "ESB-2021.0691",
            trust: 0.6,
         },
         {
            db: "AUSCERT",
            id: "ESB-2020.3248",
            trust: 0.6,
         },
         {
            db: "AUSCERT",
            id: "ESB-2020.4100",
            trust: 0.6,
         },
         {
            db: "AUSCERT",
            id: "ESB-2020.3102",
            trust: 0.6,
         },
         {
            db: "AUSCERT",
            id: "ESB-2021.0319",
            trust: 0.6,
         },
         {
            db: "AUSCERT",
            id: "ESB-2021.1193",
            trust: 0.6,
         },
         {
            db: "AUSCERT",
            id: "ESB-2021.0171",
            trust: 0.6,
         },
         {
            db: "AUSCERT",
            id: "ESB-2021.3072",
            trust: 0.6,
         },
         {
            db: "AUSCERT",
            id: "ESB-2021.0099",
            trust: 0.6,
         },
         {
            db: "AUSCERT",
            id: "ESB-2020.1638",
            trust: 0.6,
         },
         {
            db: "AUSCERT",
            id: "ESB-2021.4058",
            trust: 0.6,
         },
         {
            db: "PACKETSTORM",
            id: "158168",
            trust: 0.6,
         },
         {
            db: "CS-HELP",
            id: "SB2021041514",
            trust: 0.6,
         },
         {
            db: "CS-HELP",
            id: "SB2021091331",
            trust: 0.6,
         },
         {
            db: "CS-HELP",
            id: "SB2021052216",
            trust: 0.6,
         },
         {
            db: "CS-HELP",
            id: "SB2022072097",
            trust: 0.6,
         },
         {
            db: "CS-HELP",
            id: "SB2021111735",
            trust: 0.6,
         },
         {
            db: "CNVD",
            id: "CNVD-2020-04827",
            trust: 0.1,
         },
         {
            db: "VULHUB",
            id: "VHN-185720",
            trust: 0.1,
         },
         {
            db: "VULMON",
            id: "CVE-2020-7595",
            trust: 0.1,
         },
         {
            db: "PACKETSTORM",
            id: "160624",
            trust: 0.1,
         },
         {
            db: "PACKETSTORM",
            id: "160889",
            trust: 0.1,
         },
         {
            db: "PACKETSTORM",
            id: "160125",
            trust: 0.1,
         },
         {
            db: "PACKETSTORM",
            id: "161727",
            trust: 0.1,
         },
         {
            db: "PACKETSTORM",
            id: "161016",
            trust: 0.1,
         },
         {
            db: "PACKETSTORM",
            id: "159553",
            trust: 0.1,
         },
         {
            db: "PACKETSTORM",
            id: "161536",
            trust: 0.1,
         },
         {
            db: "PACKETSTORM",
            id: "160961",
            trust: 0.1,
         },
      ],
      sources: [
         {
            db: "VULHUB",
            id: "VHN-185720",
         },
         {
            db: "VULMON",
            id: "CVE-2020-7595",
         },
         {
            db: "JVNDB",
            id: "JVNDB-2020-001451",
         },
         {
            db: "PACKETSTORM",
            id: "160624",
         },
         {
            db: "PACKETSTORM",
            id: "160889",
         },
         {
            db: "PACKETSTORM",
            id: "160125",
         },
         {
            db: "PACKETSTORM",
            id: "161727",
         },
         {
            db: "PACKETSTORM",
            id: "161016",
         },
         {
            db: "PACKETSTORM",
            id: "159553",
         },
         {
            db: "PACKETSTORM",
            id: "161536",
         },
         {
            db: "PACKETSTORM",
            id: "159851",
         },
         {
            db: "PACKETSTORM",
            id: "160961",
         },
         {
            db: "CNNVD",
            id: "CNNVD-202001-965",
         },
         {
            db: "NVD",
            id: "CVE-2020-7595",
         },
      ],
   },
   id: "VAR-202001-1866",
   iot: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/iot#",
         sources: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/ref/sources#",
            },
         },
      },
      data: true,
      sources: [
         {
            db: "VULHUB",
            id: "VHN-185720",
         },
      ],
      trust: 0.7003805,
   },
   last_update_date: "2024-11-29T22:32:28.603000Z",
   patch: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/patch#",
         data: {
            "@container": "@list",
         },
         sources: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/ref/sources#",
            },
         },
      },
      data: [
         {
            title: "0e1a49c8",
            trust: 0.8,
            url: "https://gitlab.gnome.org/GNOME/libxml2/commit/0e1a49c89076",
         },
         {
            title: "libxml2 Security vulnerabilities",
            trust: 0.6,
            url: "http://123.124.177.30/web/xxk/bdxqById.tag?id=109237",
         },
         {
            title: "Debian CVElist Bug Report Logs: libxml2: CVE-2020-7595",
            trust: 0.1,
            url: "https://vulmon.com/vendoradvisory?qidtp=debian_cvelist_bugreportlogs&qid=8128495aba3a49b2f3e0b9ee0e8401af",
         },
         {
            title: "Ubuntu Security Notice: libxml2 vulnerabilities",
            trust: 0.1,
            url: "https://vulmon.com/vendoradvisory?qidtp=ubuntu_security_notice&qid=USN-4274-1",
         },
         {
            title: "Red Hat: Moderate: libxml2 security update",
            trust: 0.1,
            url: "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories&qid=RHSA-20204479 - Security Advisory",
         },
         {
            title: "Red Hat: Moderate: libxml2 security and bug fix update",
            trust: 0.1,
            url: "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories&qid=RHSA-20203996 - Security Advisory",
         },
         {
            title: "Arch Linux Issues: ",
            trust: 0.1,
            url: "https://vulmon.com/vendoradvisory?qidtp=arch_linux_issues&qid=CVE-2020-7595 log",
         },
         {
            title: "Red Hat: Important: Red Hat JBoss Core Services Apache HTTP Server 2.4.37 SP3 security update",
            trust: 0.1,
            url: "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories&qid=RHSA-20202646 - Security Advisory",
         },
         {
            title: "Red Hat: Important: Red Hat JBoss Core Services Apache HTTP Server 2.4.37 SP3 security update",
            trust: 0.1,
            url: "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories&qid=RHSA-20202644 - Security Advisory",
         },
         {
            title: "Amazon Linux AMI: ALAS-2020-1438",
            trust: 0.1,
            url: "https://vulmon.com/vendoradvisory?qidtp=amazon_linux_ami&qid=ALAS-2020-1438",
         },
         {
            title: "Arch Linux Advisories: [ASA-202011-15] libxml2: multiple issues",
            trust: 0.1,
            url: "https://vulmon.com/vendoradvisory?qidtp=arch_linux_advisories&qid=ASA-202011-15",
         },
         {
            title: "Amazon Linux 2: ALAS2-2020-1534",
            trust: 0.1,
            url: "https://vulmon.com/vendoradvisory?qidtp=amazon_linux2&qid=ALAS2-2020-1534",
         },
         {
            title: "Siemens Security Advisories: Siemens Security Advisory",
            trust: 0.1,
            url: "https://vulmon.com/vendoradvisory?qidtp=siemens_security_advisories&qid=0d160980ab72db34060d62c89304b6f2",
         },
         {
            title: "Red Hat: Moderate: Release of OpenShift Serverless 1.11.0",
            trust: 0.1,
            url: "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories&qid=RHSA-20205149 - Security Advisory",
         },
         {
            title: "Red Hat: Moderate: security update - Red Hat Ansible Tower 3.6 runner release (CVE-2019-18874)",
            trust: 0.1,
            url: "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories&qid=RHSA-20204255 - Security Advisory",
         },
         {
            title: "Red Hat: Moderate: security update - Red Hat Ansible Tower 3.7 runner release (CVE-2019-18874)",
            trust: 0.1,
            url: "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories&qid=RHSA-20204254 - Security Advisory",
         },
         {
            title: "Red Hat: Moderate: Release of OpenShift Serverless 1.12.0",
            trust: 0.1,
            url: "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories&qid=RHSA-20210146 - Security Advisory",
         },
         {
            title: "Red Hat: Low: OpenShift Container Platform 4.3.40 security and bug fix update",
            trust: 0.1,
            url: "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories&qid=RHSA-20204264 - Security Advisory",
         },
         {
            title: "Red Hat: Moderate: OpenShift Container Platform 4.6 compliance-operator security and bug fix update",
            trust: 0.1,
            url: "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories&qid=RHSA-20210190 - Security Advisory",
         },
         {
            title: "Red Hat: Moderate: OpenShift Container Platform 4.6 compliance-operator security and bug fix update",
            trust: 0.1,
            url: "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories&qid=RHSA-20210436 - Security Advisory",
         },
         {
            title: "Red Hat: Moderate: Red Hat Quay v3.3.3 bug fix and security update",
            trust: 0.1,
            url: "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories&qid=RHSA-20210050 - Security Advisory",
         },
         {
            title: "IBM: Security Bulletin:  IBM Security Guardium is affected by multiple vulnerabilities",
            trust: 0.1,
            url: "https://vulmon.com/vendoradvisory?qidtp=ibm_psirt_blog&qid=3201548b0e11fd3ecd83fd36fc045a8e",
         },
         {
            title: "Red Hat: Moderate: Red Hat OpenShift Container Storage 4.6.0 security, bug fix, enhancement update",
            trust: 0.1,
            url: "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories&qid=RHSA-20205605 - Security Advisory",
         },
         {
            title: "Siemens Security Advisories: Siemens Security Advisory",
            trust: 0.1,
            url: "https://vulmon.com/vendoradvisory?qidtp=siemens_security_advisories&qid=ec6577109e640dac19a6ddb978afe82d",
         },
         {
            title: "",
            trust: 0.1,
            url: "https://github.com/vincent-deng/veracode-container-security-finding-parser",
         },
      ],
      sources: [
         {
            db: "VULMON",
            id: "CVE-2020-7595",
         },
         {
            db: "JVNDB",
            id: "JVNDB-2020-001451",
         },
         {
            db: "CNNVD",
            id: "CNNVD-202001-965",
         },
      ],
   },
   problemtype_data: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
         sources: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/ref/sources#",
            },
         },
      },
      data: [
         {
            problemtype: "CWE-835",
            trust: 1.1,
         },
         {
            problemtype: "infinite loop (CWE-835) [NVD Evaluation]",
            trust: 0.8,
         },
      ],
      sources: [
         {
            db: "VULHUB",
            id: "VHN-185720",
         },
         {
            db: "JVNDB",
            id: "JVNDB-2020-001451",
         },
         {
            db: "NVD",
            id: "CVE-2020-7595",
         },
      ],
   },
   references: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/references#",
         data: {
            "@container": "@list",
         },
         sources: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/ref/sources#",
            },
         },
      },
      data: [
         {
            trust: 2.5,
            url: "https://usn.ubuntu.com/4274-1/",
         },
         {
            trust: 2.4,
            url: "https://us-cert.cisa.gov/ics/advisories/icsa-21-103-08",
         },
         {
            trust: 2.4,
            url: "https://www.oracle.com/security-alerts/cpujul2020.html",
         },
         {
            trust: 1.8,
            url: "https://cert-portal.siemens.com/productcert/pdf/ssa-292794.pdf",
         },
         {
            trust: 1.8,
            url: "https://security.netapp.com/advisory/ntap-20200702-0005/",
         },
         {
            trust: 1.8,
            url: "https://security.gentoo.org/glsa/202010-04",
         },
         {
            trust: 1.8,
            url: "https://gitlab.gnome.org/gnome/libxml2/commit/0e1a49c89076",
         },
         {
            trust: 1.8,
            url: "https://www.oracle.com/security-alerts/cpuapr2022.html",
         },
         {
            trust: 1.8,
            url: "https://www.oracle.com/security-alerts/cpujul2022.html",
         },
         {
            trust: 1.8,
            url: "https://www.oracle.com/security-alerts/cpuoct2021.html",
         },
         {
            trust: 1.8,
            url: "https://lists.debian.org/debian-lts-announce/2020/09/msg00009.html",
         },
         {
            trust: 1.8,
            url: "http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00047.html",
         },
         {
            trust: 1.5,
            url: "https://nvd.nist.gov/vuln/detail/cve-2020-7595",
         },
         {
            trust: 1.5,
            url: "https://access.redhat.com/security/cve/cve-2020-7595",
         },
         {
            trust: 1.1,
            url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/545spoi3zppnpx4tfrive4jvrtjrkull/",
         },
         {
            trust: 1.1,
            url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5r55zr52rmbx24tqtwhciwkjvrv6yawi/",
         },
         {
            trust: 1.1,
            url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/jdpf3aavkuakdyfmfksiqsvvs3eefpqh/",
         },
         {
            trust: 0.9,
            url: "https://access.redhat.com/security/cve/cve-2019-20388",
         },
         {
            trust: 0.9,
            url: "https://bugzilla.redhat.com/",
         },
         {
            trust: 0.9,
            url: "https://access.redhat.com/security/team/contact/",
         },
         {
            trust: 0.9,
            url: "https://access.redhat.com/security/cve/cve-2019-19956",
         },
         {
            trust: 0.8,
            url: "https://jvn.jp/vu/jvnvu96269392/index.html",
         },
         {
            trust: 0.8,
            url: "https://access.redhat.com/security/cve/cve-2019-15903",
         },
         {
            trust: 0.8,
            url: "https://access.redhat.com/security/cve/cve-2018-20843",
         },
         {
            trust: 0.8,
            url: "https://nvd.nist.gov/vuln/detail/cve-2018-20843",
         },
         {
            trust: 0.8,
            url: "https://access.redhat.com/security/updates/classification/#moderate",
         },
         {
            trust: 0.8,
            url: "https://nvd.nist.gov/vuln/detail/cve-2019-19956",
         },
         {
            trust: 0.8,
            url: "https://nvd.nist.gov/vuln/detail/cve-2019-20388",
         },
         {
            trust: 0.7,
            url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5r55zr52rmbx24tqtwhciwkjvrv6yawi/",
         },
         {
            trust: 0.7,
            url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/545spoi3zppnpx4tfrive4jvrtjrkull/",
         },
         {
            trust: 0.7,
            url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/jdpf3aavkuakdyfmfksiqsvvs3eefpqh/",
         },
         {
            trust: 0.7,
            url: "https://www.redhat.com/mailman/listinfo/rhsa-announce",
         },
         {
            trust: 0.7,
            url: "https://nvd.nist.gov/vuln/detail/cve-2019-15903",
         },
         {
            trust: 0.6,
            url: "https://access.redhat.com/security/cve/cve-2019-20907",
         },
         {
            trust: 0.6,
            url: "https://access.redhat.com/security/cve/cve-2019-13050",
         },
         {
            trust: 0.6,
            url: "https://access.redhat.com/security/cve/cve-2019-20218",
         },
         {
            trust: 0.6,
            url: "https://access.redhat.com/security/cve/cve-2019-19221",
         },
         {
            trust: 0.6,
            url: "https://access.redhat.com/security/cve/cve-2020-1751",
         },
         {
            trust: 0.6,
            url: "https://access.redhat.com/security/cve/cve-2019-16168",
         },
         {
            trust: 0.6,
            url: "https://access.redhat.com/security/cve/cve-2020-9327",
         },
         {
            trust: 0.6,
            url: "https://access.redhat.com/security/cve/cve-2019-16935",
         },
         {
            trust: 0.6,
            url: "https://access.redhat.com/security/cve/cve-2019-5018",
         },
         {
            trust: 0.6,
            url: "https://access.redhat.com/security/cve/cve-2020-1730",
         },
         {
            trust: 0.6,
            url: "https://access.redhat.com/security/cve/cve-2019-19906",
         },
         {
            trust: 0.6,
            url: "https://access.redhat.com/security/cve/cve-2019-20387",
         },
         {
            trust: 0.6,
            url: "https://access.redhat.com/security/cve/cve-2020-1752",
         },
         {
            trust: 0.6,
            url: "https://access.redhat.com/security/cve/cve-2019-20454",
         },
         {
            trust: 0.6,
            url: "https://access.redhat.com/security/cve/cve-2019-13627",
         },
         {
            trust: 0.6,
            url: "https://access.redhat.com/security/cve/cve-2020-6405",
         },
         {
            trust: 0.6,
            url: "https://nvd.nist.gov/vuln/detail/cve-2019-13050",
         },
         {
            trust: 0.6,
            url: "https://access.redhat.com/security/cve/cve-2019-14889",
         },
         {
            trust: 0.6,
            url: "https://access.redhat.com/security/cve/cve-2020-13632",
         },
         {
            trust: 0.6,
            url: "https://access.redhat.com/security/cve/cve-2020-10029",
         },
         {
            trust: 0.6,
            url: "https://access.redhat.com/security/cve/cve-2020-13630",
         },
         {
            trust: 0.6,
            url: "https://access.redhat.com/security/cve/cve-2020-13631",
         },
         {
            trust: 0.6,
            url: "https://www.ibm.com/support/pages/node/6455281",
         },
         {
            trust: 0.6,
            url: "https://www.auscert.org.au/bulletins/esb-2020.3535/",
         },
         {
            trust: 0.6,
            url: "https://www.auscert.org.au/bulletins/esb-2020.0902/",
         },
         {
            trust: 0.6,
            url: "https://www.auscert.org.au/bulletins/esb-2020.3248/",
         },
         {
            trust: 0.6,
            url: "https://www.cybersecurity-help.cz/vdb/sb2021052216",
         },
         {
            trust: 0.6,
            url: "https://www.auscert.org.au/bulletins/esb-2020.2162/",
         },
         {
            trust: 0.6,
            url: "https://www.auscert.org.au/bulletins/esb-2021.1727",
         },
         {
            trust: 0.6,
            url: "https://www.auscert.org.au/bulletins/esb-2021.1207",
         },
         {
            trust: 0.6,
            url: "https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-appliance-is-affected-by-libxml2-vulnerabilities-cve-2019-19956-cve-2019-20388-cve-2020-7595/",
         },
         {
            trust: 0.6,
            url: "https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-affected-by-multiple-vulnerabilities-4/",
         },
         {
            trust: 0.6,
            url: "https://www.auscert.org.au/bulletins/esb-2021.0171/",
         },
         {
            trust: 0.6,
            url: "https://www.auscert.org.au/bulletins/esb-2021.3072",
         },
         {
            trust: 0.6,
            url: "https://www.ibm.com/blogs/psirt/security-bulletin-ibm-bladecenter-advanced-management-module-amm-is-affected-by-vulnerabilities-in-libxml2/",
         },
         {
            trust: 0.6,
            url: "https://www.auscert.org.au/bulletins/esb-2020.4100/",
         },
         {
            trust: 0.6,
            url: "https://www.ibm.com/support/pages/node/6520474",
         },
         {
            trust: 0.6,
            url: "https://www.auscert.org.au/bulletins/esb-2021.0845",
         },
         {
            trust: 0.6,
            url: "https://www.auscert.org.au/bulletins/esb-2021.0691",
         },
         {
            trust: 0.6,
            url: "https://packetstormsecurity.com/files/162694/red-hat-security-advisory-2021-2021-01.html",
         },
         {
            trust: 0.6,
            url: "https://www.auscert.org.au/bulletins/esb-2021.0099/",
         },
         {
            trust: 0.6,
            url: "https://www.auscert.org.au/bulletins/esb-2021.4058",
         },
         {
            trust: 0.6,
            url: "https://www.auscert.org.au/bulletins/esb-2020.1638/",
         },
         {
            trust: 0.6,
            url: "https://vigilance.fr/vulnerability/libxml2-infinite-loop-via-xmlstringlendecodeentities-31396",
         },
         {
            trust: 0.6,
            url: "https://www.auscert.org.au/bulletins/esb-2020.3868/",
         },
         {
            trust: 0.6,
            url: "https://www.auscert.org.au/bulletins/esb-2021.1744",
         },
         {
            trust: 0.6,
            url: "https://www.cybersecurity-help.cz/vdb/sb2022072097",
         },
         {
            trust: 0.6,
            url: "https://packetstormsecurity.com/files/158168/red-hat-security-advisory-2020-2646-01.html",
         },
         {
            trust: 0.6,
            url: "https://www.cybersecurity-help.cz/vdb/sb2021111735",
         },
         {
            trust: 0.6,
            url: "https://www.auscert.org.au/bulletins/esb-2021.0319/",
         },
         {
            trust: 0.6,
            url: "https://www.auscert.org.au/bulletins/esb-2020.0471/",
         },
         {
            trust: 0.6,
            url: "https://www.auscert.org.au/bulletins/esb-2020.4513/",
         },
         {
            trust: 0.6,
            url: "https://www.ibm.com/blogs/psirt/security-bulletin-ibm-qradar-network-security-is-affected-by-multiple-vulnerabilities-2/",
         },
         {
            trust: 0.6,
            url: "https://www.auscert.org.au/bulletins/esb-2021.0234/",
         },
         {
            trust: 0.6,
            url: "https://www.auscert.org.au/bulletins/esb-2021.0584",
         },
         {
            trust: 0.6,
            url: "https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-affected-by-multiple-vulnerabilities-6/",
         },
         {
            trust: 0.6,
            url: "https://www.auscert.org.au/bulletins/esb-2021.1193",
         },
         {
            trust: 0.6,
            url: "https://www.auscert.org.au/bulletins/esb-2020.1564/",
         },
         {
            trust: 0.6,
            url: "https://www.ibm.com/blogs/psirt/security-bulletin-ibm-flex-system-chassis-management-module-cmm-is-affected-by-vulnerabilities-in-libxml2/",
         },
         {
            trust: 0.6,
            url: "https://www.auscert.org.au/bulletins/esb-2021.0864",
         },
         {
            trust: 0.6,
            url: "https://www.auscert.org.au/bulletins/esb-2023.3732",
         },
         {
            trust: 0.6,
            url: "https://www.auscert.org.au/bulletins/esb-2021.0986",
         },
         {
            trust: 0.6,
            url: "https://www.ibm.com/blogs/psirt/security-bulletin-ibm-bootable-media-creator-bomc-is-affected-by-vulnerabilities-in-libxml2/",
         },
         {
            trust: 0.6,
            url: "https://packetstormsecurity.com/files/159349/red-hat-security-advisory-2020-3996-01.html",
         },
         {
            trust: 0.6,
            url: "https://www.ibm.com/blogs/psirt/security-bulletin-ibm-qradar-siem-is-vulnerable-to-using-components-with-known-vulnerabilities-6/",
         },
         {
            trust: 0.6,
            url: "https://www.cybersecurity-help.cz/vdb/sb2021091331",
         },
         {
            trust: 0.6,
            url: "https://www.auscert.org.au/bulletins/esb-2021.2604",
         },
         {
            trust: 0.6,
            url: "https://packetstormsecurity.com/files/159851/red-hat-security-advisory-2020-4479-01.html",
         },
         {
            trust: 0.6,
            url: "https://www.auscert.org.au/bulletins/esb-2021.1242",
         },
         {
            trust: 0.6,
            url: "https://www.cybersecurity-help.cz/vdb/sb2021041514",
         },
         {
            trust: 0.6,
            url: "https://www.auscert.org.au/bulletins/esb-2020.1826/",
         },
         {
            trust: 0.6,
            url: "https://packetstormsecurity.com/files/159639/gentoo-linux-security-advisory-202010-04.html",
         },
         {
            trust: 0.6,
            url: "https://www.auscert.org.au/bulletins/esb-2020.3102/",
         },
         {
            trust: 0.6,
            url: "https://www.auscert.org.au/bulletins/esb-2022.3550",
         },
         {
            trust: 0.6,
            url: "https://packetstormsecurity.com/files/161916/red-hat-security-advisory-2021-0949-01.html",
         },
         {
            trust: 0.6,
            url: "https://www.ibm.com/blogs/psirt/security-bulletin-ibm-rackswitch-firmware-products-are-affected-by-vulnerabilities-in-libxml2/",
         },
         {
            trust: 0.6,
            url: "https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-affected-by-multiple-vulnerabilities-5/",
         },
         {
            trust: 0.6,
            url: "https://www.auscert.org.au/bulletins/esb-2020.3631/",
         },
         {
            trust: 0.6,
            url: "https://www.auscert.org.au/bulletins/esb-2020.3364/",
         },
         {
            trust: 0.5,
            url: "https://access.redhat.com/security/cve/cve-2019-20916",
         },
         {
            trust: 0.5,
            url: "https://access.redhat.com/security/cve/cve-2020-14422",
         },
         {
            trust: 0.5,
            url: "https://access.redhat.com/security/cve/cve-2020-8492",
         },
         {
            trust: 0.5,
            url: "https://access.redhat.com/security/cve/cve-2020-1971",
         },
         {
            trust: 0.5,
            url: "https://nvd.nist.gov/vuln/detail/cve-2019-20454",
         },
         {
            trust: 0.5,
            url: "https://nvd.nist.gov/vuln/detail/cve-2019-20907",
         },
         {
            trust: 0.5,
            url: "https://nvd.nist.gov/vuln/detail/cve-2019-19906",
         },
         {
            trust: 0.5,
            url: "https://nvd.nist.gov/vuln/detail/cve-2019-5018",
         },
         {
            trust: 0.5,
            url: "https://nvd.nist.gov/vuln/detail/cve-2019-14889",
         },
         {
            trust: 0.5,
            url: "https://nvd.nist.gov/vuln/detail/cve-2019-20387",
         },
         {
            trust: 0.5,
            url: "https://nvd.nist.gov/vuln/detail/cve-2019-13627",
         },
         {
            trust: 0.5,
            url: "https://nvd.nist.gov/vuln/detail/cve-2019-19221",
         },
         {
            trust: 0.5,
            url: "https://nvd.nist.gov/vuln/detail/cve-2019-16935",
         },
         {
            trust: 0.5,
            url: "https://nvd.nist.gov/vuln/detail/cve-2019-16168",
         },
         {
            trust: 0.5,
            url: "https://nvd.nist.gov/vuln/detail/cve-2019-20218",
         },
         {
            trust: 0.4,
            url: "https://access.redhat.com/security/cve/cve-2020-9925",
         },
         {
            trust: 0.4,
            url: "https://access.redhat.com/security/cve/cve-2020-9802",
         },
         {
            trust: 0.4,
            url: "https://access.redhat.com/security/cve/cve-2020-9895",
         },
         {
            trust: 0.4,
            url: "https://access.redhat.com/security/cve/cve-2019-8625",
         },
         {
            trust: 0.4,
            url: "https://access.redhat.com/security/cve/cve-2019-15165",
         },
         {
            trust: 0.4,
            url: "https://access.redhat.com/security/cve/cve-2020-14382",
         },
         {
            trust: 0.4,
            url: "https://access.redhat.com/security/cve/cve-2019-8812",
         },
         {
            trust: 0.4,
            url: "https://access.redhat.com/security/cve/cve-2020-3899",
         },
         {
            trust: 0.4,
            url: "https://access.redhat.com/security/cve/cve-2019-8819",
         },
         {
            trust: 0.4,
            url: "https://access.redhat.com/security/cve/cve-2020-3867",
         },
         {
            trust: 0.4,
            url: "https://access.redhat.com/security/cve/cve-2019-8720",
         },
         {
            trust: 0.4,
            url: "https://access.redhat.com/security/cve/cve-2020-9893",
         },
         {
            trust: 0.4,
            url: "https://access.redhat.com/security/cve/cve-2019-8808",
         },
         {
            trust: 0.4,
            url: "https://access.redhat.com/security/cve/cve-2020-3902",
         },
         {
            trust: 0.4,
            url: "https://access.redhat.com/security/cve/cve-2020-3900",
         },
         {
            trust: 0.4,
            url: "https://access.redhat.com/security/cve/cve-2020-9805",
         },
         {
            trust: 0.4,
            url: "https://access.redhat.com/security/cve/cve-2019-8820",
         },
         {
            trust: 0.4,
            url: "https://access.redhat.com/security/cve/cve-2020-9807",
         },
         {
            trust: 0.4,
            url: "https://access.redhat.com/security/cve/cve-2019-8769",
         },
         {
            trust: 0.4,
            url: "https://access.redhat.com/security/cve/cve-2019-8710",
         },
         {
            trust: 0.4,
            url: "https://access.redhat.com/security/cve/cve-2019-8813",
         },
         {
            trust: 0.4,
            url: "https://access.redhat.com/security/cve/cve-2020-9850",
         },
         {
            trust: 0.4,
            url: "https://access.redhat.com/security/cve/cve-2019-8811",
         },
         {
            trust: 0.4,
            url: "https://access.redhat.com/security/cve/cve-2020-9803",
         },
         {
            trust: 0.4,
            url: "https://access.redhat.com/security/cve/cve-2020-8177",
         },
         {
            trust: 0.4,
            url: "https://access.redhat.com/security/cve/cve-2020-9862",
         },
         {
            trust: 0.4,
            url: "https://access.redhat.com/security/cve/cve-2020-3885",
         },
         {
            trust: 0.4,
            url: "https://access.redhat.com/security/cve/cve-2020-15503",
         },
         {
            trust: 0.4,
            url: "https://access.redhat.com/security/cve/cve-2020-10018",
         },
         {
            trust: 0.4,
            url: "https://access.redhat.com/security/cve/cve-2019-8835",
         },
         {
            trust: 0.4,
            url: "https://access.redhat.com/security/cve/cve-2019-8764",
         },
         {
            trust: 0.4,
            url: "https://access.redhat.com/security/cve/cve-2019-8844",
         },
         {
            trust: 0.4,
            url: "https://access.redhat.com/security/cve/cve-2020-3865",
         },
         {
            trust: 0.4,
            url: "https://access.redhat.com/security/cve/cve-2020-3864",
         },
         {
            trust: 0.4,
            url: "https://access.redhat.com/security/cve/cve-2020-14391",
         },
         {
            trust: 0.4,
            url: "https://access.redhat.com/security/cve/cve-2020-3862",
         },
         {
            trust: 0.4,
            url: "https://access.redhat.com/security/cve/cve-2020-3901",
         },
         {
            trust: 0.4,
            url: "https://access.redhat.com/security/cve/cve-2019-8823",
         },
         {
            trust: 0.4,
            url: "https://access.redhat.com/security/cve/cve-2020-3895",
         },
         {
            trust: 0.4,
            url: "https://access.redhat.com/security/cve/cve-2020-11793",
         },
         {
            trust: 0.4,
            url: "https://access.redhat.com/security/cve/cve-2020-9894",
         },
         {
            trust: 0.4,
            url: "https://access.redhat.com/security/cve/cve-2019-8816",
         },
         {
            trust: 0.4,
            url: "https://access.redhat.com/security/cve/cve-2020-9843",
         },
         {
            trust: 0.4,
            url: "https://access.redhat.com/security/cve/cve-2019-8771",
         },
         {
            trust: 0.4,
            url: "https://access.redhat.com/security/cve/cve-2020-3897",
         },
         {
            trust: 0.4,
            url: "https://access.redhat.com/security/cve/cve-2020-9806",
         },
         {
            trust: 0.4,
            url: "https://access.redhat.com/security/cve/cve-2019-8814",
         },
         {
            trust: 0.4,
            url: "https://access.redhat.com/security/cve/cve-2019-8743",
         },
         {
            trust: 0.4,
            url: "https://access.redhat.com/security/cve/cve-2020-9915",
         },
         {
            trust: 0.4,
            url: "https://access.redhat.com/security/cve/cve-2019-8815",
         },
         {
            trust: 0.4,
            url: "https://access.redhat.com/security/cve/cve-2019-8783",
         },
         {
            trust: 0.4,
            url: "https://access.redhat.com/security/cve/cve-2019-20807",
         },
         {
            trust: 0.4,
            url: "https://access.redhat.com/security/cve/cve-2019-8766",
         },
         {
            trust: 0.4,
            url: "https://access.redhat.com/security/cve/cve-2019-8846",
         },
         {
            trust: 0.4,
            url: "https://access.redhat.com/security/cve/cve-2020-3868",
         },
         {
            trust: 0.4,
            url: "https://access.redhat.com/security/cve/cve-2020-3894",
         },
         {
            trust: 0.4,
            url: "https://access.redhat.com/security/cve/cve-2019-8782",
         },
         {
            trust: 0.4,
            url: "https://access.redhat.com/security/cve/cve-2020-24659",
         },
         {
            trust: 0.4,
            url: "https://nvd.nist.gov/vuln/detail/cve-2019-20916",
         },
         {
            trust: 0.3,
            url: "https://access.redhat.com/security/cve/cve-2019-1551",
         },
         {
            trust: 0.3,
            url: "https://access.redhat.com/security/cve/cve-2020-14040",
         },
         {
            trust: 0.3,
            url: "https://nvd.nist.gov/vuln/detail/cve-2019-8743",
         },
         {
            trust: 0.3,
            url: "https://nvd.nist.gov/vuln/detail/cve-2019-8710",
         },
         {
            trust: 0.3,
            url: "https://nvd.nist.gov/vuln/detail/cve-2019-20807",
         },
         {
            trust: 0.3,
            url: "https://nvd.nist.gov/vuln/detail/cve-2019-15165",
         },
         {
            trust: 0.3,
            url: "https://nvd.nist.gov/vuln/detail/cve-2019-8720",
         },
         {
            trust: 0.3,
            url: "https://nvd.nist.gov/vuln/detail/cve-2019-8625",
         },
         {
            trust: 0.2,
            url: "https://access.redhat.com/articles/11258",
         },
         {
            trust: 0.2,
            url: "https://nvd.nist.gov/vuln/detail/cve-2019-11068",
         },
         {
            trust: 0.2,
            url: "https://access.redhat.com/security/cve/cve-2019-18197",
         },
         {
            trust: 0.2,
            url: "https://access.redhat.com/security/cve/cve-2019-11068",
         },
         {
            trust: 0.2,
            url: "https://nvd.nist.gov/vuln/detail/cve-2020-1752",
         },
         {
            trust: 0.2,
            url: "https://access.redhat.com/documentation/en-us/openshift_container_platform/",
         },
         {
            trust: 0.2,
            url: "https://nvd.nist.gov/vuln/detail/cve-2020-1730",
         },
         {
            trust: 0.2,
            url: "https://access.redhat.com/documentation/en-us/openshift_container_platform/4.6/html/serverless_applications/index",
         },
         {
            trust: 0.2,
            url: "https://nvd.nist.gov/vuln/detail/cve-2020-13631",
         },
         {
            trust: 0.2,
            url: "https://nvd.nist.gov/vuln/detail/cve-2020-13632",
         },
         {
            trust: 0.2,
            url: "https://nvd.nist.gov/vuln/detail/cve-2020-10029",
         },
         {
            trust: 0.2,
            url: "https://nvd.nist.gov/vuln/detail/cve-2019-1551",
         },
         {
            trust: 0.2,
            url: "https://nvd.nist.gov/vuln/detail/cve-2020-1751",
         },
         {
            trust: 0.2,
            url: "https://nvd.nist.gov/vuln/detail/cve-2020-13630",
         },
         {
            trust: 0.2,
            url: "https://nvd.nist.gov/vuln/detail/cve-2019-17006",
         },
         {
            trust: 0.2,
            url: "https://access.redhat.com/security/cve/cve-2019-12749",
         },
         {
            trust: 0.2,
            url: "https://access.redhat.com/security/cve/cve-2020-12401",
         },
         {
            trust: 0.2,
            url: "https://nvd.nist.gov/vuln/detail/cve-2020-1971",
         },
         {
            trust: 0.2,
            url: "https://nvd.nist.gov/vuln/detail/cve-2019-14866",
         },
         {
            trust: 0.2,
            url: "https://listman.redhat.com/mailman/listinfo/rhsa-announce",
         },
         {
            trust: 0.2,
            url: "https://access.redhat.com/security/cve/cve-2019-17006",
         },
         {
            trust: 0.2,
            url: "https://access.redhat.com/security/cve/cve-2019-11719",
         },
         {
            trust: 0.2,
            url: "https://docs.ansible.com/ansible-tower/latest/html/upgrade-migration-guide/",
         },
         {
            trust: 0.2,
            url: "https://access.redhat.com/security/cve/cve-2019-17023",
         },
         {
            trust: 0.2,
            url: "https://nvd.nist.gov/vuln/detail/cve-2019-17023",
         },
         {
            trust: 0.2,
            url: "https://nvd.nist.gov/vuln/detail/cve-2019-12749",
         },
         {
            trust: 0.2,
            url: "https://access.redhat.com/security/cve/cve-2020-6829",
         },
         {
            trust: 0.2,
            url: "https://access.redhat.com/security/cve/cve-2019-14866",
         },
         {
            trust: 0.2,
            url: "https://access.redhat.com/security/cve/cve-2020-12403",
         },
         {
            trust: 0.2,
            url: "https://nvd.nist.gov/vuln/detail/cve-2020-12400",
         },
         {
            trust: 0.2,
            url: "https://nvd.nist.gov/vuln/detail/cve-2019-11756",
         },
         {
            trust: 0.2,
            url: "https://access.redhat.com/security/cve/cve-2019-11756",
         },
         {
            trust: 0.2,
            url: "https://access.redhat.com/security/cve/cve-2020-12243",
         },
         {
            trust: 0.2,
            url: "https://access.redhat.com/security/cve/cve-2020-12400",
         },
         {
            trust: 0.2,
            url: "https://access.redhat.com/security/cve/cve-2019-11727",
         },
         {
            trust: 0.2,
            url: "https://nvd.nist.gov/vuln/detail/cve-2020-12243",
         },
         {
            trust: 0.2,
            url: "https://nvd.nist.gov/vuln/detail/cve-2019-11719",
         },
         {
            trust: 0.2,
            url: "https://nvd.nist.gov/vuln/detail/cve-2019-11727",
         },
         {
            trust: 0.2,
            url: "https://access.redhat.com/security/cve/cve-2019-17498",
         },
         {
            trust: 0.2,
            url: "https://nvd.nist.gov/vuln/detail/cve-2019-17498",
         },
         {
            trust: 0.2,
            url: "https://access.redhat.com/security/cve/cve-2020-12402",
         },
         {
            trust: 0.2,
            url: "https://nvd.nist.gov/vuln/detail/cve-2019-17450",
         },
         {
            trust: 0.2,
            url: "https://access.redhat.com/security/cve/cve-2019-17450",
         },
         {
            trust: 0.2,
            url: "https://nvd.nist.gov/vuln/detail/cve-2019-17546",
         },
         {
            trust: 0.2,
            url: "https://access.redhat.com/security/cve/cve-2019-17546",
         },
         {
            trust: 0.1,
            url: "https://cwe.mitre.org/data/definitions/835.html",
         },
         {
            trust: 0.1,
            url: "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=949582",
         },
         {
            trust: 0.1,
            url: "https://nvd.nist.gov",
         },
         {
            trust: 0.1,
            url: "https://access.redhat.com/security/cve/cve-2018-16300",
         },
         {
            trust: 0.1,
            url: "https://nvd.nist.gov/vuln/detail/cve-2018-14466",
         },
         {
            trust: 0.1,
            url: "https://access.redhat.com/security/cve/cve-2018-10105",
         },
         {
            trust: 0.1,
            url: "https://access.redhat.com/security/cve/cve-2019-15166",
         },
         {
            trust: 0.1,
            url: "https://access.redhat.com/security/cve/cve-2018-16230",
         },
         {
            trust: 0.1,
            url: "https://access.redhat.com/security/cve/cve-2019-18609",
         },
         {
            trust: 0.1,
            url: "https://access.redhat.com/security/cve/cve-2020-16845",
         },
         {
            trust: 0.1,
            url: "https://nvd.nist.gov/vuln/detail/cve-2018-14467",
         },
         {
            trust: 0.1,
            url: "https://nvd.nist.gov/vuln/detail/cve-2018-10103",
         },
         {
            trust: 0.1,
            url: "https://nvd.nist.gov/vuln/detail/cve-2018-14469",
         },
         {
            trust: 0.1,
            url: "https://access.redhat.com/security/cve/cve-2018-16229",
         },
         {
            trust: 0.1,
            url: "https://nvd.nist.gov/vuln/detail/cve-2018-14465",
         },
         {
            trust: 0.1,
            url: "https://access.redhat.com/security/cve/cve-2018-14882",
         },
         {
            trust: 0.1,
            url: "https://access.redhat.com/security/cve/cve-2018-16227",
         },
         {
            trust: 0.1,
            url: "https://access.redhat.com/security/cve/cve-2018-14461",
         },
         {
            trust: 0.1,
            url: "https://nvd.nist.gov/vuln/detail/cve-2018-14881",
         },
         {
            trust: 0.1,
            url: "https://access.redhat.com/security/cve/cve-2018-14464",
         },
         {
            trust: 0.1,
            url: "https://nvd.nist.gov/vuln/detail/cve-2018-14463",
         },
         {
            trust: 0.1,
            url: "https://nvd.nist.gov/vuln/detail/cve-2018-16228",
         },
         {
            trust: 0.1,
            url: "https://nvd.nist.gov/vuln/detail/cve-2018-14879",
         },
         {
            trust: 0.1,
            url: "https://access.redhat.com/documentation/en-us/red_hat_openshift_container_s",
         },
         {
            trust: 0.1,
            url: "https://access.redhat.com/security/cve/cve-2018-14469",
         },
         {
            trust: 0.1,
            url: "https://nvd.nist.gov/vuln/detail/cve-2018-10105",
         },
         {
            trust: 0.1,
            url: "https://access.redhat.com/security/cve/cve-2018-14880",
         },
         {
            trust: 0.1,
            url: "https://nvd.nist.gov/vuln/detail/cve-2018-14461",
         },
         {
            trust: 0.1,
            url: "https://access.redhat.com/errata/rhsa-2020:5605",
         },
         {
            trust: 0.1,
            url: "https://access.redhat.com/security/cve/cve-2020-25660",
         },
         {
            trust: 0.1,
            url: "https://access.redhat.com/security/cve/cve-2018-14468",
         },
         {
            trust: 0.1,
            url: "https://access.redhat.com/security/cve/cve-2018-14466",
         },
         {
            trust: 0.1,
            url: "https://nvd.nist.gov/vuln/detail/cve-2018-14882",
         },
         {
            trust: 0.1,
            url: "https://access.redhat.com/security/cve/cve-2020-15586",
         },
         {
            trust: 0.1,
            url: "https://nvd.nist.gov/vuln/detail/cve-2018-16227",
         },
         {
            trust: 0.1,
            url: "https://nvd.nist.gov/vuln/detail/cve-2018-14464",
         },
         {
            trust: 0.1,
            url: "https://nvd.nist.gov/vuln/detail/cve-2018-16452",
         },
         {
            trust: 0.1,
            url: "https://nvd.nist.gov/vuln/detail/cve-2018-16230",
         },
         {
            trust: 0.1,
            url: "https://nvd.nist.gov/vuln/detail/cve-2018-14468",
         },
         {
            trust: 0.1,
            url: "https://access.redhat.com/security/cve/cve-2018-14467",
         },
         {
            trust: 0.1,
            url: "https://access.redhat.com/security/cve/cve-2018-14462",
         },
         {
            trust: 0.1,
            url: "https://nvd.nist.gov/vuln/detail/cve-2018-14880",
         },
         {
            trust: 0.1,
            url: "https://access.redhat.com/security/cve/cve-2018-14881",
         },
         {
            trust: 0.1,
            url: "https://nvd.nist.gov/vuln/detail/cve-2018-16300",
         },
         {
            trust: 0.1,
            url: "https://nvd.nist.gov/vuln/detail/cve-2018-14462",
         },
         {
            trust: 0.1,
            url: "https://nvd.nist.gov/vuln/detail/cve-2018-16229",
         },
         {
            trust: 0.1,
            url: "https://access.redhat.com/security/cve/cve-2018-16451",
         },
         {
            trust: 0.1,
            url: "https://access.redhat.com/security/cve/cve-2018-10103",
         },
         {
            trust: 0.1,
            url: "https://access.redhat.com/security/cve/cve-2018-16228",
         },
         {
            trust: 0.1,
            url: "https://access.redhat.com/security/cve/cve-2018-14463",
         },
         {
            trust: 0.1,
            url: "https://nvd.nist.gov/vuln/detail/cve-2018-16451",
         },
         {
            trust: 0.1,
            url: "https://access.redhat.com/security/cve/cve-2018-14879",
         },
         {
            trust: 0.1,
            url: "https://access.redhat.com/security/cve/cve-2020-14019",
         },
         {
            trust: 0.1,
            url: "https://nvd.nist.gov/vuln/detail/cve-2018-14470",
         },
         {
            trust: 0.1,
            url: "https://access.redhat.com/security/cve/cve-2018-14470",
         },
         {
            trust: 0.1,
            url: "https://bugzilla.redhat.com/show_bug.cgi?id=1885700]",
         },
         {
            trust: 0.1,
            url: "https://access.redhat.com/security/cve/cve-2018-14465",
         },
         {
            trust: 0.1,
            url: "https://access.redhat.com/security/cve/cve-2018-16452",
         },
         {
            trust: 0.1,
            url: "https://access.redhat.com/security/cve/cve-2020-7720",
         },
         {
            trust: 0.1,
            url: "https://access.redhat.com/security/cve/cve-2020-8237",
         },
         {
            trust: 0.1,
            url: "https://issues.jboss.org/):",
         },
         {
            trust: 0.1,
            url: "https://access.redhat.com/errata/rhsa-2021:0050",
         },
         {
            trust: 0.1,
            url: "https://nvd.nist.gov/vuln/detail/cve-2019-8771",
         },
         {
            trust: 0.1,
            url: "https://access.redhat.com/security/cve/cve-2020-27831",
         },
         {
            trust: 0.1,
            url: "https://nvd.nist.gov/vuln/detail/cve-2019-8769",
         },
         {
            trust: 0.1,
            url: "https://access.redhat.com/security/cve/cve-2020-27832",
         },
         {
            trust: 0.1,
            url: "https://nvd.nist.gov/vuln/detail/cve-2019-8764",
         },
         {
            trust: 0.1,
            url: "https://nvd.nist.gov/vuln/detail/cve-2019-8766",
         },
         {
            trust: 0.1,
            url: "https://access.redhat.com/errata/rhsa-2020:5149",
         },
         {
            trust: 0.1,
            url: "https://nvd.nist.gov/vuln/detail/cve-2020-14040",
         },
         {
            trust: 0.1,
            url: "https://nvd.nist.gov/vuln/detail/cve-2020-14422",
         },
         {
            trust: 0.1,
            url: "https://nvd.nist.gov/vuln/detail/cve-2020-12723",
         },
         {
            trust: 0.1,
            url: "https://nvd.nist.gov/vuln/detail/cve-2020-11023",
         },
         {
            trust: 0.1,
            url: "https://nvd.nist.gov/vuln/detail/cve-2020-12402",
         },
         {
            trust: 0.1,
            url: "https://access.redhat.com/security/updates/classification/#important",
         },
         {
            trust: 0.1,
            url: "https://nvd.nist.gov/vuln/detail/cve-2019-20372",
         },
         {
            trust: 0.1,
            url: "https://access.redhat.com/security/cve/cve-2020-10878",
         },
         {
            trust: 0.1,
            url: "https://access.redhat.com/security/cve/cve-2021-20228",
         },
         {
            trust: 0.1,
            url: "https://access.redhat.com/security/cve/cve-2021-20253",
         },
         {
            trust: 0.1,
            url: "https://nvd.nist.gov/vuln/detail/cve-2020-12401",
         },
         {
            trust: 0.1,
            url: "https://access.redhat.com/security/cve/cve-2020-11023",
         },
         {
            trust: 0.1,
            url: "https://access.redhat.com/errata/rhsa-2021:0778",
         },
         {
            trust: 0.1,
            url: "https://nvd.nist.gov/vuln/detail/cve-2020-11022",
         },
         {
            trust: 0.1,
            url: "https://access.redhat.com/security/cve/cve-2020-12723",
         },
         {
            trust: 0.1,
            url: "https://access.redhat.com/security/cve/cve-2020-10543",
         },
         {
            trust: 0.1,
            url: "https://access.redhat.com/security/cve/cve-2021-20191",
         },
         {
            trust: 0.1,
            url: "https://access.redhat.com/security/cve/cve-2021-20180",
         },
         {
            trust: 0.1,
            url: "https://access.redhat.com/security/cve/cve-2016-5766",
         },
         {
            trust: 0.1,
            url: "https://nvd.nist.gov/vuln/detail/cve-2020-12403",
         },
         {
            trust: 0.1,
            url: "https://nvd.nist.gov/vuln/detail/cve-2020-10878",
         },
         {
            trust: 0.1,
            url: "https://access.redhat.com/security/cve/cve-2021-20178",
         },
         {
            trust: 0.1,
            url: "https://nvd.nist.gov/vuln/detail/cve-2016-5766",
         },
         {
            trust: 0.1,
            url: "https://access.redhat.com/security/cve/cve-2019-20372",
         },
         {
            trust: 0.1,
            url: "https://access.redhat.com/security/cve/cve-2020-11022",
         },
         {
            trust: 0.1,
            url: "https://nvd.nist.gov/vuln/detail/cve-2020-10543",
         },
         {
            trust: 0.1,
            url: "https://access.redhat.com/security/cve/cve-2020-35678",
         },
         {
            trust: 0.1,
            url: "https://access.redhat.com/errata/rhsa-2021:0190",
         },
         {
            trust: 0.1,
            url: "https://nvd.nist.gov/vuln/detail/cve-2019-18197",
         },
         {
            trust: 0.1,
            url: "https://docs.openshift.com/container-platform/4.6/updating/updating-cluster",
         },
         {
            trust: 0.1,
            url: "https://docs.openshift.com/container-platform/4.6/release_notes/ocp-4-6-rel",
         },
         {
            trust: 0.1,
            url: "https://access.redhat.com/security/cve/cve-2020-27813",
         },
         {
            trust: 0.1,
            url: "https://nvd.nist.gov/vuln/detail/cve-2019-5188",
         },
         {
            trust: 0.1,
            url: "https://access.redhat.com/security/cve/cve-2017-12652",
         },
         {
            trust: 0.1,
            url: "https://access.redhat.com/security/cve/cve-2019-19126",
         },
         {
            trust: 0.1,
            url: "https://nvd.nist.gov/vuln/detail/cve-2020-1240",
         },
         {
            trust: 0.1,
            url: "https://access.redhat.com/security/cve/cve-2019-20386",
         },
         {
            trust: 0.1,
            url: "https://access.redhat.com/security/cve/cve-2019-18874",
         },
         {
            trust: 0.1,
            url: "https://nvd.nist.gov/vuln/detail/cve-2019-12450",
         },
         {
            trust: 0.1,
            url: "https://access.redhat.com/errata/rhsa-2020:4255",
         },
         {
            trust: 0.1,
            url: "https://nvd.nist.gov/vuln/detail/cve-2019-14973",
         },
         {
            trust: 0.1,
            url: "https://access.redhat.com/security/cve/cve-2019-14822",
         },
         {
            trust: 0.1,
            url: "https://nvd.nist.gov/vuln/detail/cve-2017-12652",
         },
         {
            trust: 0.1,
            url: "https://nvd.nist.gov/vuln/detail/cve-2019-14822",
         },
         {
            trust: 0.1,
            url: "https://nvd.nist.gov/vuln/detail/cve-2019-20386",
         },
         {
            trust: 0.1,
            url: "https://nvd.nist.gov/vuln/detail/cve-2019-18874",
         },
         {
            trust: 0.1,
            url: "https://access.redhat.com/security/cve/cve-2020-14365",
         },
         {
            trust: 0.1,
            url: "https://nvd.nist.gov/vuln/detail/cve-2019-5094",
         },
         {
            trust: 0.1,
            url: "https://access.redhat.com/security/cve/cve-2019-5188",
         },
         {
            trust: 0.1,
            url: "https://nvd.nist.gov/vuln/detail/cve-2019-19126",
         },
         {
            trust: 0.1,
            url: "https://access.redhat.com/security/cve/cve-2019-5094",
         },
         {
            trust: 0.1,
            url: "https://access.redhat.com/security/cve/cve-2019-5482",
         },
         {
            trust: 0.1,
            url: "https://access.redhat.com/security/cve/cve-2019-14973",
         },
         {
            trust: 0.1,
            url: "https://nvd.nist.gov/vuln/detail/cve-2019-5482",
         },
         {
            trust: 0.1,
            url: "https://access.redhat.com/security/cve/cve-2020-5313",
         },
         {
            trust: 0.1,
            url: "https://access.redhat.com/security/cve/cve-2019-12450",
         },
         {
            trust: 0.1,
            url: "https://access.redhat.com/errata/rhea-2020:5633",
         },
         {
            trust: 0.1,
            url: "https://access.redhat.com/security/cve/cve-2020-8624",
         },
         {
            trust: 0.1,
            url: "https://docs.openshift.com/container-platform/4.7/updating/updating-cluster",
         },
         {
            trust: 0.1,
            url: "https://access.redhat.com/security/cve/cve-2019-13225",
         },
         {
            trust: 0.1,
            url: "https://access.redhat.com/security/cve/cve-2020-8623",
         },
         {
            trust: 0.1,
            url: "https://access.redhat.com/security/cve/cve-2020-8566",
         },
         {
            trust: 0.1,
            url: "https://access.redhat.com/security/cve/cve-2020-25211",
         },
         {
            trust: 0.1,
            url: "https://docs.openshift.com/container-platform/4.7/release_notes/ocp-4-7-rel",
         },
         {
            trust: 0.1,
            url: "https://access.redhat.com/errata/rhsa-2020:5635",
         },
         {
            trust: 0.1,
            url: "https://access.redhat.com/security/cve/cve-2020-15157",
         },
         {
            trust: 0.1,
            url: "https://access.redhat.com/security/cve/cve-2020-25658",
         },
         {
            trust: 0.1,
            url: "https://access.redhat.com/security/cve/cve-2020-15999",
         },
         {
            trust: 0.1,
            url: "https://access.redhat.com/security/cve/cve-2019-3884",
         },
         {
            trust: 0.1,
            url: "https://nvd.nist.gov/vuln/detail/cve-2019-3884",
         },
         {
            trust: 0.1,
            url: "https://access.redhat.com/security/cve/cve-2020-8622",
         },
         {
            trust: 0.1,
            url: "https://nvd.nist.gov/vuln/detail/cve-2019-13225",
         },
         {
            trust: 0.1,
            url: "https://access.redhat.com/security/cve/cve-2021-3121",
         },
         {
            trust: 0.1,
            url: "https://access.redhat.com/security/cve/cve-2020-24750",
         },
         {
            trust: 0.1,
            url: "https://access.redhat.com/security/cve/cve-2020-8619",
         },
         {
            trust: 0.1,
            url: "https://access.redhat.com/security/cve/cve-2020-3898",
         },
         {
            trust: 0.1,
            url: "https://access.redhat.com/errata/rhsa-2020:4479",
         },
         {
            trust: 0.1,
            url: "https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/8.3_release_notes/",
         },
         {
            trust: 0.1,
            url: "https://access.redhat.com/security/team/key/",
         },
         {
            trust: 0.1,
            url: "https://access.redhat.com/errata/rhsa-2021:0146",
         },
         {
            trust: 0.1,
            url: "https://nvd.nist.gov/vuln/detail/cve-2020-28362",
         },
         {
            trust: 0.1,
            url: "https://access.redhat.com/security/cve/cve-2020-24553",
         },
         {
            trust: 0.1,
            url: "https://nvd.nist.gov/vuln/detail/cve-2020-24553",
         },
         {
            trust: 0.1,
            url: "https://nvd.nist.gov/vuln/detail/cve-2020-24659",
         },
         {
            trust: 0.1,
            url: "https://access.redhat.com/security/cve/cve-2020-28366",
         },
         {
            trust: 0.1,
            url: "https://access.redhat.com/security/cve/cve-2020-28362",
         },
         {
            trust: 0.1,
            url: "https://nvd.nist.gov/vuln/detail/cve-2020-28366",
         },
         {
            trust: 0.1,
            url: "https://nvd.nist.gov/vuln/detail/cve-2020-28367",
         },
         {
            trust: 0.1,
            url: "https://access.redhat.com/security/cve/cve-2020-28367",
         },
      ],
      sources: [
         {
            db: "VULHUB",
            id: "VHN-185720",
         },
         {
            db: "VULMON",
            id: "CVE-2020-7595",
         },
         {
            db: "JVNDB",
            id: "JVNDB-2020-001451",
         },
         {
            db: "PACKETSTORM",
            id: "160624",
         },
         {
            db: "PACKETSTORM",
            id: "160889",
         },
         {
            db: "PACKETSTORM",
            id: "160125",
         },
         {
            db: "PACKETSTORM",
            id: "161727",
         },
         {
            db: "PACKETSTORM",
            id: "161016",
         },
         {
            db: "PACKETSTORM",
            id: "159553",
         },
         {
            db: "PACKETSTORM",
            id: "161536",
         },
         {
            db: "PACKETSTORM",
            id: "159851",
         },
         {
            db: "PACKETSTORM",
            id: "160961",
         },
         {
            db: "CNNVD",
            id: "CNNVD-202001-965",
         },
         {
            db: "NVD",
            id: "CVE-2020-7595",
         },
      ],
   },
   sources: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/sources#",
         data: {
            "@container": "@list",
         },
      },
      data: [
         {
            db: "VULHUB",
            id: "VHN-185720",
         },
         {
            db: "VULMON",
            id: "CVE-2020-7595",
         },
         {
            db: "JVNDB",
            id: "JVNDB-2020-001451",
         },
         {
            db: "PACKETSTORM",
            id: "160624",
         },
         {
            db: "PACKETSTORM",
            id: "160889",
         },
         {
            db: "PACKETSTORM",
            id: "160125",
         },
         {
            db: "PACKETSTORM",
            id: "161727",
         },
         {
            db: "PACKETSTORM",
            id: "161016",
         },
         {
            db: "PACKETSTORM",
            id: "159553",
         },
         {
            db: "PACKETSTORM",
            id: "161536",
         },
         {
            db: "PACKETSTORM",
            id: "159851",
         },
         {
            db: "PACKETSTORM",
            id: "160961",
         },
         {
            db: "CNNVD",
            id: "CNNVD-202001-965",
         },
         {
            db: "NVD",
            id: "CVE-2020-7595",
         },
      ],
   },
   sources_release_date: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
         data: {
            "@container": "@list",
         },
      },
      data: [
         {
            date: "2020-01-21T00:00:00",
            db: "VULHUB",
            id: "VHN-185720",
         },
         {
            date: "2020-01-21T00:00:00",
            db: "VULMON",
            id: "CVE-2020-7595",
         },
         {
            date: "2020-02-07T00:00:00",
            db: "JVNDB",
            id: "JVNDB-2020-001451",
         },
         {
            date: "2020-12-18T19:14:41",
            db: "PACKETSTORM",
            id: "160624",
         },
         {
            date: "2021-01-11T16:29:48",
            db: "PACKETSTORM",
            id: "160889",
         },
         {
            date: "2020-11-18T20:48:43",
            db: "PACKETSTORM",
            id: "160125",
         },
         {
            date: "2021-03-09T16:25:11",
            db: "PACKETSTORM",
            id: "161727",
         },
         {
            date: "2021-01-19T14:45:45",
            db: "PACKETSTORM",
            id: "161016",
         },
         {
            date: "2020-10-14T16:52:18",
            db: "PACKETSTORM",
            id: "159553",
         },
         {
            date: "2021-02-25T15:26:54",
            db: "PACKETSTORM",
            id: "161536",
         },
         {
            date: "2020-11-04T15:29:08",
            db: "PACKETSTORM",
            id: "159851",
         },
         {
            date: "2021-01-15T15:06:55",
            db: "PACKETSTORM",
            id: "160961",
         },
         {
            date: "2020-01-21T00:00:00",
            db: "CNNVD",
            id: "CNNVD-202001-965",
         },
         {
            date: "2020-01-21T23:15:13.867000",
            db: "NVD",
            id: "CVE-2020-7595",
         },
      ],
   },
   sources_update_date: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
         data: {
            "@container": "@list",
         },
      },
      data: [
         {
            date: "2022-07-25T00:00:00",
            db: "VULHUB",
            id: "VHN-185720",
         },
         {
            date: "2023-11-07T00:00:00",
            db: "VULMON",
            id: "CVE-2020-7595",
         },
         {
            date: "2021-06-16T04:57:00",
            db: "JVNDB",
            id: "JVNDB-2020-001451",
         },
         {
            date: "2023-06-30T00:00:00",
            db: "CNNVD",
            id: "CNNVD-202001-965",
         },
         {
            date: "2024-11-21T05:37:26.453000",
            db: "NVD",
            id: "CVE-2020-7595",
         },
      ],
   },
   threat_type: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/threat_type#",
         sources: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/ref/sources#",
            },
         },
      },
      data: "remote",
      sources: [
         {
            db: "PACKETSTORM",
            id: "160624",
         },
         {
            db: "CNNVD",
            id: "CNNVD-202001-965",
         },
      ],
      trust: 0.7,
   },
   title: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/title#",
         sources: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/ref/sources#",
            },
         },
      },
      data: "Infinite loop vulnerability in libxml2",
      sources: [
         {
            db: "JVNDB",
            id: "JVNDB-2020-001451",
         },
      ],
      trust: 0.8,
   },
   type: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/type#",
         sources: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/ref/sources#",
            },
         },
      },
      data: "other",
      sources: [
         {
            db: "CNNVD",
            id: "CNNVD-202001-965",
         },
      ],
      trust: 0.6,
   },
}

var-201812-0273
Vulnerability from variot

Perl before 5.26.3 has a buffer over-read via a crafted regular expression that triggers disclosure of sensitive information from process memory. Perl contains an out-of-bounds vulnerability. Information may be obtained and service operation may be interrupted (DoS). Perl is prone to a heap-based buffer-overflow vulnerability because it fails to properly bounds-check user-supplied input. Attackers can exploit these issues to execute arbitrary code on the affected application. Failed attempts will likely cause a denial-of-service condition. Perl versions 5.22 through 5.26 are vulnerable. Perl is a free and powerful cross-platform programming language developed by American programmer Larry Wall.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

====================================================================
Red Hat Security Advisory

Synopsis: Important: rh-perl524-perl security update
Advisory ID: RHSA-2019:0010-01
Product: Red Hat Software Collections
Advisory URL: https://access.redhat.com/errata/RHSA-2019:0010
Issue date: 2019-01-02
CVE Names: CVE-2018-18311 CVE-2018-18312 CVE-2018-18313 CVE-2018-18314
====================================================================
1. Summary:

An update for rh-perl524-perl is now available for Red Hat Software Collections.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

  2. Relevant releases/architectures:

Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 6) - noarch, x86_64
Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 7) - noarch, x86_64
Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.4) - noarch, x86_64
Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.5) - noarch, x86_64
Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.6) - noarch, x86_64
Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 6) - noarch, x86_64
Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 7) - noarch, x86_64

  3. Description:

Perl is a high-level programming language that is commonly used for system administration utilities and web programming.

Security Fix(es):

  • perl: Integer overflow leading to buffer overflow in Perl_my_setenv() (CVE-2018-18311)

  • perl: Heap-based buffer overflow in S_handle_regex_sets() (CVE-2018-18312)

  • perl: Heap-based buffer overflow in S_regatom() (CVE-2018-18314)

  • perl: Heap-based buffer read overflow in S_grok_bslash_N() (CVE-2018-18313)

For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.

Red Hat would like to thank the Perl project for reporting these issues. Upstream acknowledges Jayakrishna Menon as the original reporter of CVE-2018-18311; Eiichi Tsukata as the original reporter of CVE-2018-18312 and CVE-2018-18313; and Jakub Wilk as the original reporter of CVE-2018-18314.

  4. Solution:

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

  5. Bugs fixed (https://bugzilla.redhat.com/):

1646730 - CVE-2018-18311 perl: Integer overflow leading to buffer overflow in Perl_my_setenv()
1646734 - CVE-2018-18312 perl: Heap-based buffer overflow in S_handle_regex_sets()
1646738 - CVE-2018-18313 perl: Heap-based buffer read overflow in S_grok_bslash_N()
1646751 - CVE-2018-18314 perl: Heap-based buffer overflow in S_regatom()

  6. Package List:

Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 6):

Source: rh-perl524-perl-5.24.0-381.el6.src.rpm

noarch: rh-perl524-perl-Locale-Maketext-Simple-0.21-381.el6.noarch.rpm

x86_64: rh-perl524-perl-tests-5.24.0-381.el6.x86_64.rpm

Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 6):

Source: rh-perl524-perl-5.24.0-381.el6.src.rpm

noarch: rh-perl524-perl-Locale-Maketext-Simple-0.21-381.el6.noarch.rpm

x86_64: rh-perl524-perl-tests-5.24.0-381.el6.x86_64.rpm

Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 7):

Source: rh-perl524-perl-5.24.0-381.el7.src.rpm

noarch: rh-perl524-perl-Locale-Maketext-Simple-0.21-381.el7.noarch.rpm

x86_64: rh-perl524-perl-tests-5.24.0-381.el7.x86_64.rpm

Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.4):

Source: rh-perl524-perl-5.24.0-381.el7.src.rpm

noarch: rh-perl524-perl-Locale-Maketext-Simple-0.21-381.el7.noarch.rpm

x86_64: rh-perl524-perl-tests-5.24.0-381.el7.x86_64.rpm

Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.5):

Source: rh-perl524-perl-5.24.0-381.el7.src.rpm

noarch: rh-perl524-perl-Locale-Maketext-Simple-0.21-381.el7.noarch.rpm

x86_64: rh-perl524-perl-tests-5.24.0-381.el7.x86_64.rpm

Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.6):

Source: rh-perl524-perl-5.24.0-381.el7.src.rpm

noarch: rh-perl524-perl-Locale-Maketext-Simple-0.21-381.el7.noarch.rpm

x86_64: rh-perl524-perl-tests-5.24.0-381.el7.x86_64.rpm

Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 7):

Source: rh-perl524-perl-5.24.0-381.el7.src.rpm

noarch: rh-perl524-perl-Locale-Maketext-Simple-0.21-381.el7.noarch.rpm

x86_64: rh-perl524-perl-tests-5.24.0-381.el7.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/

  7. References:

https://access.redhat.com/security/cve/CVE-2018-18311
https://access.redhat.com/security/cve/CVE-2018-18312
https://access.redhat.com/security/cve/CVE-2018-18313
https://access.redhat.com/security/cve/CVE-2018-18314
https://access.redhat.com/security/updates/classification/#important

  8. Contact:

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/

Copyright 2019 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1

iQIVAwUBXCzjWdzjgjWX9erEAQgGbxAAjUats4SSpuFti8OldbpStTe7erlyVhih Gh5YONFxhYXSTeCv064Qbm+3m6gxbHBuQtsydMtXYGuMhA6ire2vQkJGT4/IAE1y 55aL3GLosOiqdu/yrydYnnSfxVBitY5dxN4sUBSeh54HOHzPx247zVMzMD2AwPQy DpdQ639qseh+Aq79z0ZOqofH9PHX3XDm2kypR7mhohxkORJ0rkoHAKgIfn5y7Y79 w8vTRn+S6C4goJUCMOUYU4eSuFx2PV6abOTvodGfPO2PPwivkVDIqr2UxMEZV4nA wh13K9FteozKWQApxVIkR3ipg55SHC9xHd1vpsnZRnGrnG4bO0EOTcsQ/9N2FztR soBINhCU0ycU9/Fal1Ul4COp6F2vpDsMveeMXcnmNX+f8H8UOtd8VoR5sJ6fhApC Lb+20d2AWuClUtqBghcRMTlXxYOu7KWYGVbamfDeIOH6p/p4XA8iDUeUFB5B4v4s eAnD0bqK1RRFpuOPO2Fi5F/LZ18olTA7TuTWDmBwj27nYxaLunZtctaLg6p/QgYS T5mPOFl6CGnafhZgy0iihwCCEjIcz34vPUe9kmK7ywBoJ3GIfNnGJmOs+FC7ntzQ L9YCjVEk5e8hTDGq6HohPF73gxAwdQVNYxzLoh7XmAvcBefL/eAK+YhDhCtc0ZUb ul+etyPMblM=Fj2Q -----END PGP SIGNATURE-----

-- RHSA-announce mailing list RHSA-announce@redhat.com https://www.redhat.com/mailman/listinfo/rhsa-announce .

The following packages have been upgraded to a later upstream version: rh-perl526-perl (5.26.3), rh-perl526-perl-Module-CoreList (5.20181130). The Common Vulnerabilities and Exposures project identifies the following problems:

CVE-2018-18311

Jayakrishna Menon and Christophe Hauser discovered an integer
overflow vulnerability in Perl_my_setenv leading to a heap-based
buffer overflow with attacker-controlled input.

CVE-2018-18312

Eiichi Tsukata discovered that a crafted regular expression could
cause a heap-based buffer overflow write during compilation,
potentially allowing arbitrary code execution.

For the stable distribution (stretch), these problems have been fixed in version 5.24.1-3+deb9u5.

We recommend that you upgrade your perl packages.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201909-01

                                       https://security.gentoo.org/

Severity: Normal
Title: Perl: Multiple vulnerabilities
Date: September 06, 2019
Bugs: #653432, #670190
ID: 201909-01

Synopsis

Multiple vulnerabilities have been found in Perl, the worst of which could result in the arbitrary execution of code.

Affected packages

-------------------------------------------------------------------
 Package              /     Vulnerable     /            Unaffected
-------------------------------------------------------------------

  1  dev-lang/perl              < 5.28.2                  >= 5.28.2

Description

Multiple vulnerabilities have been discovered in Perl. Please review the CVE identifiers referenced below for details.

Impact

Please review the referenced CVE identifiers for details.

Workaround

There is no known workaround at this time.

Resolution

All Perl users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-lang/perl-5.28.2"

References

[ 1 ] CVE-2018-18311 https://nvd.nist.gov/vuln/detail/CVE-2018-18311
[ 2 ] CVE-2018-18312 https://nvd.nist.gov/vuln/detail/CVE-2018-18312
[ 3 ] CVE-2018-18313 https://nvd.nist.gov/vuln/detail/CVE-2018-18313
[ 4 ] CVE-2018-18314 https://nvd.nist.gov/vuln/detail/CVE-2018-18314
[ 5 ] CVE-2018-6797 https://nvd.nist.gov/vuln/detail/CVE-2018-6797
[ 6 ] CVE-2018-6798 https://nvd.nist.gov/vuln/detail/CVE-2018-6798
[ 7 ] CVE-2018-6913 https://nvd.nist.gov/vuln/detail/CVE-2018-6913

Availability

This GLSA and any updates to it are available for viewing at the Gentoo Security Website:

https://security.gentoo.org/glsa/201909-01

Concerns?

Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org.

License

Copyright 2019 Gentoo Foundation, Inc; referenced text belongs to its owner(s).

The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5
.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

APPLE-SA-2019-3-25-2 macOS Mojave 10.14.4, Security Update 2019-002 High Sierra, Security Update 2019-002 Sierra

macOS Mojave 10.14.4, Security Update 2019-002 High Sierra, Security Update 2019-002 Sierra are now available and address the following:

AppleGraphicsControl Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, macOS Mojave 10.14.3 Impact: A malicious application may be able to execute arbitrary code with kernel privileges Description: A buffer overflow was addressed with improved size validation. CVE-2019-8555: Zhiyi Zhang of 360 ESG Codesafe Team, Zhuo Liang and shrek_wzw of Qihoo 360 Nirvan Team

Bom Available for: macOS Mojave 10.14.3 Impact: A malicious application may bypass Gatekeeper checks Description: This issue was addressed with improved handling of file metadata. CVE-2019-6239: Ian Moorhouse and Michael Trimm

CFString Available for: macOS Mojave 10.14.3 Impact: Processing a maliciously crafted string may lead to a denial of service Description: A validation issue was addressed with improved logic. CVE-2019-8516: SWIPS Team of Frifee Inc.

configd Available for: macOS Mojave 10.14.3 Impact: A malicious application may be able to elevate privileges Description: A memory initialization issue was addressed with improved memory handling. CVE-2019-8552: Mohamed Ghannam (@_simo36)

Contacts Available for: macOS Mojave 10.14.3 Impact: A malicious application may be able to elevate privileges Description: A buffer overflow issue was addressed with improved memory handling. CVE-2019-8511: an anonymous researcher

CoreCrypto Available for: macOS Mojave 10.14.3 Impact: A malicious application may be able to elevate privileges Description: A buffer overflow was addressed with improved bounds checking. CVE-2019-8542: an anonymous researcher

DiskArbitration Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, macOS Mojave 10.14.3 Impact: An encrypted volume may be unmounted and remounted by a different user without prompting for the password Description: A logic issue was addressed with improved state management. CVE-2019-8522: Colin Meginnis (@falc420)

FaceTime Available for: macOS Mojave 10.14.3 Impact: A user's video may not be paused in a FaceTime call if they exit the FaceTime app while the call is ringing Description: An issue existed in the pausing of FaceTime video. The issue was resolved with improved logic. CVE-2019-8550: Lauren Guzniczak of Keystone Academy

Feedback Assistant Available for: macOS Mojave 10.14.3 Impact: A malicious application may be able to gain root privileges Description: A race condition was addressed with additional validation. CVE-2019-8565: CodeColorist of Ant-Financial LightYear Labs

Feedback Assistant Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, macOS Mojave 10.14.3 Impact: A malicious application may be able to overwrite arbitrary files Description: This issue was addressed with improved checks. CVE-2019-8521: CodeColorist of Ant-Financial LightYear Labs

file Available for: macOS Mojave 10.14.3 Impact: Processing a maliciously crafted file might disclose user information Description: An out-of-bounds read was addressed with improved bounds checking. CVE-2019-6237: an anonymous researcher

Graphics Drivers Available for: macOS Mojave 10.14.3 Impact: An application may be able to read restricted memory Description: An out-of-bounds read was addressed with improved bounds checking. CVE-2019-8519: Aleksandr Tarasikov (@astarasikov), Juwei Lin (@panicaII) and Junzhi Lu of Trend Micro Research working with Trend Micro's Zero Day Initiative

iAP Available for: macOS Mojave 10.14.3 Impact: A malicious application may be able to elevate privileges Description: A buffer overflow was addressed with improved bounds checking. CVE-2019-8542: an anonymous researcher

IOGraphics Available for: macOS Mojave 10.14.3 Impact: A Mac may not lock when disconnecting from an external monitor Description: A lock handling issue was addressed with improved lock handling. CVE-2019-8533: an anonymous researcher, James Eagan of Télécom ParisTech, R. Scott Kemp of MIT, Romke van Dijk of Z-CERT

IOHIDFamily Available for: macOS Mojave 10.14.3 Impact: A local user may be able to cause unexpected system termination or read kernel memory Description: A memory corruption issue was addressed with improved state management. CVE-2019-8545: Adam Donenfeld (@doadam) of the Zimperium zLabs Team

IOKit Available for: macOS High Sierra 10.13.6, macOS Mojave 10.14.3 Impact: A local user may be able to read kernel memory Description: A memory initialization issue was addressed with improved memory handling. CVE-2019-8504: an anonymous researcher

IOKit SCSI Available for: macOS High Sierra 10.13.6, macOS Mojave 10.14.3 Impact: An application may be able to execute arbitrary code with kernel privileges Description: A memory corruption issue was addressed with improved input validation. CVE-2019-8529: Juwei Lin (@panicaII) of Trend Micro

Kernel Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, macOS Mojave 10.14.3 Impact: A remote attacker may be able to cause unexpected system termination or corrupt kernel memory Description: A buffer overflow was addressed with improved size validation. CVE-2019-8527: Ned Williamson of Google and derrek (@derrekr6)

Kernel Available for: macOS Sierra 10.12.6, macOS Mojave 10.14.3 Impact: Mounting a maliciously crafted NFS network share may lead to arbitrary code execution with system privileges Description: A buffer overflow was addressed with improved bounds checking. CVE-2019-8508: Dr. Silvio Cesare of InfoSect

Kernel Available for: macOS Mojave 10.14.3 Impact: An application may be able to gain elevated privileges Description: A logic issue was addressed with improved state management. CVE-2019-8514: Samuel Groß of Google Project Zero

Kernel Available for: macOS Sierra 10.12.6, macOS Mojave 10.14.3 Impact: A malicious application may be able to determine kernel memory layout Description: A memory initialization issue was addressed with improved memory handling. CVE-2019-8540: Weibo Wang (@ma1fan) of Qihoo 360 Nirvan Team

Kernel Available for: macOS Mojave 10.14.3 Impact: A local user may be able to read kernel memory Description: A memory corruption issue was addressed with improved memory handling. CVE-2019-7293: Ned Williamson of Google

Kernel Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, macOS Mojave 10.14.3 Impact: A malicious application may be able to determine kernel memory layout Description: An out-of-bounds read issue existed that led to the disclosure of kernel memory. This was addressed with improved input validation. CVE-2019-6207: Weibo Wang of Qihoo 360 Nirvan Team (@ma1fan) CVE-2019-8510: Stefan Esser of Antid0te UG

Messages Available for: macOS Mojave 10.14.3 Impact: A local user may be able to view sensitive user information Description: An access issue was addressed with additional sandbox restrictions. CVE-2019-8546: ChiYuan Chang

Notes Available for: macOS Mojave 10.14.3 Impact: A local user may be able to view a user's locked notes Description: An access issue was addressed with improved memory management. CVE-2019-8537: Greg Walker (gregwalker.us)

PackageKit Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, macOS Mojave 10.14.3 Impact: A malicious application may be able to elevate privileges Description: A logic issue was addressed with improved validation. CVE-2019-8561: Jaron Bradley of Crowdstrike

Perl Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, macOS Mojave 10.14.3 Impact: Multiple issues in Perl Description: Multiple issues in Perl were addressed in this update. CVE-2018-12015: Jakub Wilk CVE-2018-18311: Jayakrishna Menon CVE-2018-18313: Eiichi Tsukata

Power Management Available for: macOS Mojave 10.14.3 Impact: A malicious application may be able to execute arbitrary code with system privileges Description: Multiple input validation issues existed in MIG generated code. These issues were addressed with improved validation. CVE-2019-8549: Mohamed Ghannam (@_simo36) of SSD Secure Disclosure (ssd-disclosure.com)

QuartzCore Available for: macOS Mojave 10.14.3 Impact: Processing malicious data may lead to unexpected application termination Description: Multiple memory corruption issues were addressed with improved input validation. CVE-2019-8507: Kai Lu of Fortinet's FortiGuard Labs

Security Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, macOS Mojave 10.14.3 Impact: An application may be able to gain elevated privileges Description: A use after free issue was addressed with improved memory management. CVE-2019-8526: Linus Henze (pinauten.de)

Security Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, macOS Mojave 10.14.3 Impact: A malicious application may be able to read restricted memory Description: An out-of-bounds read was addressed with improved bounds checking. CVE-2019-8520: Antonio Groza, The UK's National Cyber Security Centre (NCSC)

Siri Available for: macOS Mojave 10.14.3 Impact: A malicious application may be able to initiate a Dictation request without user authorization Description: An API issue existed in the handling of dictation requests. This issue was addressed with improved validation. CVE-2019-8502: Luke Deshotels of North Carolina State University, Jordan Beichler of North Carolina State University, William Enck of North Carolina State University, Costin Carabaș of University POLITEHNICA of Bucharest, and Răzvan Deaconescu of University POLITEHNICA of Bucharest

Time Machine Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, macOS Mojave 10.14.3 Impact: A local user may be able to execute arbitrary shell commands Description: This issue was addressed with improved checks. CVE-2019-8513: CodeColorist of Ant-Financial LightYear Labs

TrueTypeScaler Available for: macOS Mojave 10.14.3 Impact: Processing a maliciously crafted font may result in the disclosure of process memory Description: An out-of-bounds read was addressed with improved bounds checking. CVE-2019-8517: riusksk of VulWar Corp working with Trend Micro Zero Day Initiative

XPC Available for: macOS Sierra 10.12.6, macOS Mojave 10.14.3 Impact: A malicious application may be able to overwrite arbitrary files Description: This issue was addressed with improved checks. CVE-2019-8530: CodeColorist of Ant-Financial LightYear Labs

Additional recognition

Accounts We would like to acknowledge Milan Stute of Secure Mobile Networking Lab at Technische Universität Darmstadt for their assistance.

Books We would like to acknowledge Yiğit Can YILMAZ (@yilmazcanyigit) for their assistance.

Kernel We would like to acknowledge Brandon Azad of Google Project Zero for their assistance.

Mail We would like to acknowledge Craig Young of Tripwire VERT and Hanno Böck for their assistance.

Time Machine We would like to acknowledge CodeColorist of Ant-Financial LightYear Labs for their assistance.

Installation note:

macOS Mojave 10.14.4, Security Update 2019-002 High Sierra, Security Update 2019-002 Sierra may be obtained from the Mac App Store or Apple's Software Downloads web site: https://support.apple.com/downloads/

Information will also be posted to the Apple Security Updates web site: https://support.apple.com/kb/HT201222

This message is signed with Apple's Product Security PGP key, and details are available at: https://www.apple.com/support/security/pgp/
-----BEGIN PGP SIGNATURE-----

iQJdBAEBCABHFiEEDNXJVNCJJEAVmJdZeC9tht7TK3EFAlyZWQgpHHByb2R1Y3Qt
c2VjdXJpdHktbm9yZXBseUBsaXN0cy5hcHBsZS5jb20ACgkQeC9tht7TK3E4zA/9
FvnChJHCmmH34DmCi+LGXO/fatCVVvvSHDWm1+bPjl8CeYcF+zZYACkQKxFoNpDT
vyiBJnNveCQEHeBvqSyRF8dfsTf4fr0MrFS1uIQVRPf2St6fZ27vDnC6fg269r0D
Eqnz0raFUa3bLUirteRMJwAqdGaVKwsNzM13qP4QEdrB14XkwZA0yQBunltFYU33
iAesKeejDLdhwkjfhmmjTlVPZmnABx2ZCfj2v7TiPxTOjfYbXcN8sY2LDHEOWNaM
ucrGBMfGH/ehStXAsIArwcLGOl6SI+6JywWVcm9lG6jUHSeSk9BPF6R4JzGrEHZB
sSo87+U8b63KA2GkYecwh6xvE5EchQku/fj0d2zbOlg+T2bMbyc6Al2nefsYnX5p
7BuhdZxqq3m3Gme2qRY0eye6wch1BTHhK+zctrVH2XeMaUpeanopVRI8AD+hZJ1J
+9oQX8kSa7hzJYPmohA4Wi/Rp9FpKpgXYNBn1A9DgSAvf+eyfWJX0aZXmQZfn/k7
OLz3EmSKvXv0i67L9g2XYeX7GFBMqf4xWeztKLUYFafu73t1mTxZJICcYeTxebS0
zBJdkOHwP9GxsSonblDgPScQPdW85l0fangn7qqiexCVp4JsCGBc0Wuy1lc+MyzS
1YmrDRhRl4aYOf4UGgtKI6ncvM77Y30ECPV3A6vl+wk=
=QV0f
-----END PGP SIGNATURE-----
.
==========================================================================
Ubuntu Security Notice USN-3834-2
December 03, 2018

perl vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 12.04 ESM

Summary:

Several security issues were fixed in Perl.

Software Description:
- perl: Practical Extraction and Report Language

Details:

USN-3834-1 fixed a vulnerability in perl. This update provides the corresponding update for Ubuntu 12.04 ESM.

Original advisory details:

Jayakrishna Menon discovered that Perl incorrectly handled Perl_my_setenv. (CVE-2018-18311)

Eiichi Tsukata discovered that Perl incorrectly handled certain regular expressions. An attacker could use this issue to cause Perl to crash, resulting in a denial of service. (CVE-2018-18313)

Update instructions:

The problem can be corrected by updating your system to the following package versions:

Ubuntu 12.04 ESM: perl 5.14.2-6ubuntu2.9

In general, a standard system update will make all the necessary changes.



{
   "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
      affected_products: {
         "@id": "https://www.variotdbs.pl/ref/affected_products",
      },
      configurations: {
         "@id": "https://www.variotdbs.pl/ref/configurations",
      },
      credits: {
         "@id": "https://www.variotdbs.pl/ref/credits",
      },
      cvss: {
         "@id": "https://www.variotdbs.pl/ref/cvss/",
      },
      description: {
         "@id": "https://www.variotdbs.pl/ref/description/",
      },
      exploit_availability: {
         "@id": "https://www.variotdbs.pl/ref/exploit_availability/",
      },
      external_ids: {
         "@id": "https://www.variotdbs.pl/ref/external_ids/",
      },
      iot: {
         "@id": "https://www.variotdbs.pl/ref/iot/",
      },
      iot_taxonomy: {
         "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/",
      },
      patch: {
         "@id": "https://www.variotdbs.pl/ref/patch/",
      },
      problemtype_data: {
         "@id": "https://www.variotdbs.pl/ref/problemtype_data/",
      },
      references: {
         "@id": "https://www.variotdbs.pl/ref/references/",
      },
      sources: {
         "@id": "https://www.variotdbs.pl/ref/sources/",
      },
      sources_release_date: {
         "@id": "https://www.variotdbs.pl/ref/sources_release_date/",
      },
      sources_update_date: {
         "@id": "https://www.variotdbs.pl/ref/sources_update_date/",
      },
      threat_type: {
         "@id": "https://www.variotdbs.pl/ref/threat_type/",
      },
      title: {
         "@id": "https://www.variotdbs.pl/ref/title/",
      },
      type: {
         "@id": "https://www.variotdbs.pl/ref/type/",
      },
   },
   "@id": "https://www.variotdbs.pl/vuln/VAR-201812-0273",
   affected_products: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/affected_products#",
         data: {
            "@container": "@list",
         },
         sources: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/ref/sources#",
            },
            "@id": "https://www.variotdbs.pl/ref/sources",
         },
      },
      data: [
         {
            model: "e-series santricity os controller",
            scope: "gte",
            trust: 1,
            vendor: "netapp",
            version: "11.0",
         },
         {
            model: "ubuntu linux",
            scope: "eq",
            trust: 1,
            vendor: "canonical",
            version: "12.04",
         },
         {
            model: "ubuntu linux",
            scope: "eq",
            trust: 1,
            vendor: "canonical",
            version: "14.04",
         },
         {
            model: "perl",
            scope: "lt",
            trust: 1,
            vendor: "perl",
            version: "5.26.3",
         },
         {
            model: "snapcenter",
            scope: "eq",
            trust: 1,
            vendor: "netapp",
            version: null,
         },
         {
            model: "enterprise linux",
            scope: "eq",
            trust: 1,
            vendor: "redhat",
            version: "7.5",
         },
         {
            model: "enterprise linux",
            scope: "eq",
            trust: 1,
            vendor: "redhat",
            version: "6.0",
         },
         {
            model: "enterprise linux",
            scope: "eq",
            trust: 1,
            vendor: "redhat",
            version: "7.4",
         },
         {
            model: "snapdrive",
            scope: "eq",
            trust: 1,
            vendor: "netapp",
            version: null,
         },
         {
            model: "ubuntu linux",
            scope: "eq",
            trust: 1,
            vendor: "canonical",
            version: "18.10",
         },
         {
            model: "enterprise linux",
            scope: "eq",
            trust: 1,
            vendor: "redhat",
            version: "7.6",
         },
         {
            model: "mac os x",
            scope: "lt",
            trust: 1,
            vendor: "apple",
            version: "10.14.4",
         },
         {
            model: "ubuntu linux",
            scope: "eq",
            trust: 1,
            vendor: "canonical",
            version: "18.04",
         },
         {
            model: "e-series santricity os controller",
            scope: "lte",
            trust: 1,
            vendor: "netapp",
            version: "11.40",
         },
         {
            model: "enterprise linux",
            scope: "eq",
            trust: 1,
            vendor: "redhat",
            version: "7.0",
         },
         {
            model: "linux",
            scope: "eq",
            trust: 1,
            vendor: "debian",
            version: "9.0",
         },
         {
            model: "ubuntu linux",
            scope: "eq",
            trust: 1,
            vendor: "canonical",
            version: "16.04",
         },
         {
            model: "snap creator framework",
            scope: "eq",
            trust: 1,
            vendor: "netapp",
            version: null,
         },
         {
            model: "ubuntu",
            scope: null,
            trust: 0.8,
            vendor: "canonical",
            version: null,
         },
         {
            model: "gnu/linux",
            scope: null,
            trust: 0.8,
            vendor: "debian",
            version: null,
         },
         {
            model: "perl",
            scope: "lt",
            trust: 0.8,
            vendor: "the perl",
            version: "5.26.3",
         },
         {
            model: "perl",
            scope: "eq",
            trust: 0.6,
            vendor: "perl",
            version: "5.12.1",
         },
         {
            model: "perl",
            scope: "eq",
            trust: 0.6,
            vendor: "perl",
            version: "5.12.2",
         },
         {
            model: "perl",
            scope: "eq",
            trust: 0.6,
            vendor: "perl",
            version: "5.12.0",
         },
         {
            model: "software collections for rhel",
            scope: "eq",
            trust: 0.3,
            vendor: "redhat",
            version: "0",
         },
         {
            model: "perl",
            scope: "eq",
            trust: 0.3,
            vendor: "perl",
            version: "5.26",
         },
         {
            model: "perl",
            scope: "eq",
            trust: 0.3,
            vendor: "perl",
            version: "5.24",
         },
         {
            model: "perl",
            scope: "eq",
            trust: 0.3,
            vendor: "perl",
            version: "5.22",
         },
         {
            model: "perl",
            scope: "ne",
            trust: 0.3,
            vendor: "perl",
            version: "5.28.1",
         },
         {
            model: "perl",
            scope: "ne",
            trust: 0.3,
            vendor: "perl",
            version: "5.26.3",
         },
      ],
      sources: [
         {
            db: "BID",
            id: "106072",
         },
         {
            db: "JVNDB",
            id: "JVNDB-2018-012766",
         },
         {
            db: "CNNVD",
            id: "CNNVD-201811-926",
         },
         {
            db: "NVD",
            id: "CVE-2018-18313",
         },
      ],
   },
   configurations: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/configurations#",
         children: {
            "@container": "@list",
         },
         cpe_match: {
            "@container": "@list",
         },
         data: {
            "@container": "@list",
         },
         nodes: {
            "@container": "@list",
         },
      },
      data: [
         {
            CVE_data_version: "4.0",
            nodes: [
               {
                  cpe_match: [
                     {
                        cpe22Uri: "cpe:/o:canonical:ubuntu_linux",
                        vulnerable: true,
                     },
                     {
                        cpe22Uri: "cpe:/o:debian:debian_linux",
                        vulnerable: true,
                     },
                     {
                        cpe22Uri: "cpe:/a:perl:perl",
                        vulnerable: true,
                     },
                  ],
                  operator: "OR",
               },
            ],
         },
      ],
      sources: [
         {
            db: "JVNDB",
            id: "JVNDB-2018-012766",
         },
      ],
   },
   credits: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/credits#",
         sources: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/ref/sources#",
            },
         },
      },
      data: "Apple,Gentoo",
      sources: [
         {
            db: "CNNVD",
            id: "CNNVD-201811-926",
         },
      ],
      trust: 0.6,
   },
   cve: "CVE-2018-18313",
   cvss: {
      "@context": {
         cvssV2: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#",
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2",
         },
         cvssV3: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#",
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/",
         },
         severity: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/cvss/severity#",
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/severity",
         },
         sources: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/ref/sources#",
            },
            "@id": "https://www.variotdbs.pl/ref/sources",
         },
      },
      data: [
         {
            cvssV2: [
               {
                  accessComplexity: "LOW",
                  accessVector: "NETWORK",
                  authentication: "NONE",
                  author: "nvd@nist.gov",
                  availabilityImpact: "PARTIAL",
                  baseScore: 6.4,
                  confidentialityImpact: "PARTIAL",
                  exploitabilityScore: 10,
                  id: "CVE-2018-18313",
                  impactScore: 4.9,
                  integrityImpact: "NONE",
                  severity: "MEDIUM",
                  trust: 1.9,
                  vectorString: "AV:N/AC:L/Au:N/C:P/I:N/A:P",
                  version: "2.0",
               },
               {
                  accessComplexity: "LOW",
                  accessVector: "NETWORK",
                  authentication: "NONE",
                  author: "VULHUB",
                  availabilityImpact: "PARTIAL",
                  baseScore: 6.4,
                  confidentialityImpact: "PARTIAL",
                  exploitabilityScore: 10,
                  id: "VHN-128860",
                  impactScore: 4.9,
                  integrityImpact: "NONE",
                  severity: "MEDIUM",
                  trust: 0.1,
                  vectorString: "AV:N/AC:L/AU:N/C:P/I:N/A:P",
                  version: "2.0",
               },
            ],
            cvssV3: [
               {
                  attackComplexity: "LOW",
                  attackVector: "NETWORK",
                  author: "nvd@nist.gov",
                  availabilityImpact: "HIGH",
                  baseScore: 9.1,
                  baseSeverity: "CRITICAL",
                  confidentialityImpact: "HIGH",
                  exploitabilityScore: 3.9,
                  id: "CVE-2018-18313",
                  impactScore: 5.2,
                  integrityImpact: "NONE",
                  privilegesRequired: "NONE",
                  scope: "UNCHANGED",
                  trust: 1.8,
                  userInteraction: "NONE",
                  vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H",
                  version: "3.0",
               },
            ],
            severity: [
               {
                  author: "nvd@nist.gov",
                  id: "CVE-2018-18313",
                  trust: 1,
                  value: "CRITICAL",
               },
               {
                  author: "NVD",
                  id: "CVE-2018-18313",
                  trust: 0.8,
                  value: "Critical",
               },
               {
                  author: "CNNVD",
                  id: "CNNVD-201811-926",
                  trust: 0.6,
                  value: "CRITICAL",
               },
               {
                  author: "VULHUB",
                  id: "VHN-128860",
                  trust: 0.1,
                  value: "MEDIUM",
               },
               {
                  author: "VULMON",
                  id: "CVE-2018-18313",
                  trust: 0.1,
                  value: "MEDIUM",
               },
            ],
         },
      ],
      sources: [
         {
            db: "VULHUB",
            id: "VHN-128860",
         },
         {
            db: "VULMON",
            id: "CVE-2018-18313",
         },
         {
            db: "JVNDB",
            id: "JVNDB-2018-012766",
         },
         {
            db: "CNNVD",
            id: "CNNVD-201811-926",
         },
         {
            db: "NVD",
            id: "CVE-2018-18313",
         },
      ],
   },
   description: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/description#",
         sources: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/ref/sources#",
            },
         },
      },
      data: "Perl before 5.26.3 has a buffer over-read via a crafted regular expression that triggers disclosure of sensitive information from process memory. Perl Contains an out-of-bounds vulnerability.Information is obtained and service operation is interrupted (DoS) There is a possibility of being put into a state. Perl is prone to a heap-based buffer-overflow vulnerability because it fails to properly bounds-check user-supplied input. \nAttackers can exploit these issues to execute arbitrary code on the affected application. Failed attempts will likely cause a denial-of-service condition. \nPerl versions 5.22 through 5.26 are vulnerable. Perl is a free and powerful cross-platform programming language developed by American programmer Larry Wall. -----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA256\n\n====================================================================                   \nRed Hat Security Advisory\n\nSynopsis:          Important: rh-perl524-perl security update\nAdvisory ID:       RHSA-2019:0010-01\nProduct:           Red Hat Software Collections\nAdvisory URL:      https://access.redhat.com/errata/RHSA-2019:0010\nIssue date:        2019-01-02\nCVE Names:         CVE-2018-18311 CVE-2018-18312 CVE-2018-18313\n                   CVE-2018-18314\n====================================================================\n1. Summary:\n\nAn update for rh-perl524-perl is now available for Red Hat Software\nCollections. \n\nRed Hat Product Security has rated this update as having a security impact\nof Important. A Common Vulnerability Scoring System (CVSS) base score,\nwhich gives a detailed severity rating, is available for each vulnerability\nfrom the CVE link(s) in the References section. \n\n2. Relevant releases/architectures:\n\nRed Hat Software Collections for Red Hat Enterprise Linux Server (v. 6) - noarch, x86_64\nRed Hat Software Collections for Red Hat Enterprise Linux Server (v. 
7) - noarch, x86_64\nRed Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.4) - noarch, x86_64\nRed Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.5) - noarch, x86_64\nRed Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.6) - noarch, x86_64\nRed Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 6) - noarch, x86_64\nRed Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 7) - noarch, x86_64\n\n3. Description:\n\nPerl is a high-level programming language that is commonly used for system\nadministration utilities and web programming. \n\nSecurity Fix(es):\n\n* perl: Integer overflow leading to buffer overflow in Perl_my_setenv()\n(CVE-2018-18311)\n\n* perl: Heap-based buffer overflow in S_handle_regex_sets()\n(CVE-2018-18312)\n\n* perl: Heap-based buffer overflow in S_regatom() (CVE-2018-18314)\n\n* perl: Heap-based buffer read overflow in S_grok_bslash_N()\n(CVE-2018-18313)\n\nFor more details about the security issue(s), including the impact, a CVSS\nscore, and other related information, refer to the CVE page(s) listed in\nthe References section. \n\nRed Hat would like to thank the Perl project for reporting these issues. \nUpstream acknowledges Jayakrishna Menon as the original reporter of\nCVE-2018-18311; Eiichi Tsukata as the original reporter of CVE-2018-18312\nand CVE-2018-18313; and Jakub Wilk as the original reporter of\nCVE-2018-18314. \n\n4. Solution:\n\nFor details on how to apply this update, which includes the changes\ndescribed in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258\n\n5. 
Bugs fixed (https://bugzilla.redhat.com/):\n\n1646730 - CVE-2018-18311 perl: Integer overflow leading to buffer overflow in Perl_my_setenv()\n1646734 - CVE-2018-18312 perl: Heap-based buffer overflow in S_handle_regex_sets()\n1646738 - CVE-2018-18313 perl: Heap-based buffer read overflow in S_grok_bslash_N()\n1646751 - CVE-2018-18314 perl: Heap-based buffer overflow in S_regatom()\n\n6. Package List:\n\nRed Hat Software Collections for Red Hat Enterprise Linux Server (v. 6):\n\nSource:\nrh-perl524-perl-5.24.0-381.el6.src.rpm\n\nnoarch:\nrh-perl524-perl-Locale-Maketext-Simple-0.21-381.el6.noarch.rpm\n\nx86_64:\nrh-perl524-perl-tests-5.24.0-381.el6.x86_64.rpm\n\nRed Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 6):\n\nSource:\nrh-perl524-perl-5.24.0-381.el6.src.rpm\n\nnoarch:\nrh-perl524-perl-Locale-Maketext-Simple-0.21-381.el6.noarch.rpm\n\nx86_64:\nrh-perl524-perl-tests-5.24.0-381.el6.x86_64.rpm\n\nRed Hat Software Collections for Red Hat Enterprise Linux Server (v. 7):\n\nSource:\nrh-perl524-perl-5.24.0-381.el7.src.rpm\n\nnoarch:\nrh-perl524-perl-Locale-Maketext-Simple-0.21-381.el7.noarch.rpm\n\nx86_64:\nrh-perl524-perl-tests-5.24.0-381.el7.x86_64.rpm\n\nRed Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.4):\n\nSource:\nrh-perl524-perl-5.24.0-381.el7.src.rpm\n\nnoarch:\nrh-perl524-perl-Locale-Maketext-Simple-0.21-381.el7.noarch.rpm\n\nx86_64:\nrh-perl524-perl-tests-5.24.0-381.el7.x86_64.rpm\n\nRed Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.5):\n\nSource:\nrh-perl524-perl-5.24.0-381.el7.src.rpm\n\nnoarch:\nrh-perl524-perl-Locale-Maketext-Simple-0.21-381.el7.noarch.rpm\n\nx86_64:\nrh-perl524-perl-tests-5.24.0-381.el7.x86_64.rpm\n\nRed Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 
7.6):\n\nSource:\nrh-perl524-perl-5.24.0-381.el7.src.rpm\n\nnoarch:\nrh-perl524-perl-Locale-Maketext-Simple-0.21-381.el7.noarch.rpm\n\nx86_64:\nrh-perl524-perl-tests-5.24.0-381.el7.x86_64.rpm\n\nRed Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 7):\n\nSource:\nrh-perl524-perl-5.24.0-381.el7.src.rpm\n\nnoarch:\nrh-perl524-perl-Locale-Maketext-Simple-0.21-381.el7.noarch.rpm\n\nx86_64:\nrh-perl524-perl-tests-5.24.0-381.el7.x86_64.rpm\n\nThese packages are GPG signed by Red Hat for security.  Our key and\ndetails on how to verify the signature are available from\nhttps://access.redhat.com/security/team/key/\n\n7. References:\n\nhttps://access.redhat.com/security/cve/CVE-2018-18311\nhttps://access.redhat.com/security/cve/CVE-2018-18312\nhttps://access.redhat.com/security/cve/CVE-2018-18313\nhttps://access.redhat.com/security/cve/CVE-2018-18314\nhttps://access.redhat.com/security/updates/classification/#important\n\n8. Contact:\n\nThe Red Hat security contact is <secalert@redhat.com>. More contact\ndetails at https://access.redhat.com/security/team/contact/\n\nCopyright 2019 Red Hat, Inc. 
\n-----BEGIN PGP SIGNATURE-----\nVersion: GnuPG v1\n\niQIVAwUBXCzjWdzjgjWX9erEAQgGbxAAjUats4SSpuFti8OldbpStTe7erlyVhih\nGh5YONFxhYXSTeCv064Qbm+3m6gxbHBuQtsydMtXYGuMhA6ire2vQkJGT4/IAE1y\n55aL3GLosOiqdu/yrydYnnSfxVBitY5dxN4sUBSeh54HOHzPx247zVMzMD2AwPQy\nDpdQ639qseh+Aq79z0ZOqofH9PHX3XDm2kypR7mhohxkORJ0rkoHAKgIfn5y7Y79\nw8vTRn+S6C4goJUCMOUYU4eSuFx2PV6abOTvodGfPO2PPwivkVDIqr2UxMEZV4nA\nwh13K9FteozKWQApxVIkR3ipg55SHC9xHd1vpsnZRnGrnG4bO0EOTcsQ/9N2FztR\nsoBINhCU0ycU9/Fal1Ul4COp6F2vpDsMveeMXcnmNX+f8H8UOtd8VoR5sJ6fhApC\nLb+20d2AWuClUtqBghcRMTlXxYOu7KWYGVbamfDeIOH6p/p4XA8iDUeUFB5B4v4s\neAnD0bqK1RRFpuOPO2Fi5F/LZ18olTA7TuTWDmBwj27nYxaLunZtctaLg6p/QgYS\nT5mPOFl6CGnafhZgy0iihwCCEjIcz34vPUe9kmK7ywBoJ3GIfNnGJmOs+FC7ntzQ\nL9YCjVEk5e8hTDGq6HohPF73gxAwdQVNYxzLoh7XmAvcBefL/eAK+YhDhCtc0ZUb\nul+etyPMblM=Fj2Q\n-----END PGP SIGNATURE-----\n\n--\nRHSA-announce mailing list\nRHSA-announce@redhat.com\nhttps://www.redhat.com/mailman/listinfo/rhsa-announce\n. \n\nThe following packages have been upgraded to a later upstream version:\nrh-perl526-perl (5.26.3), rh-perl526-perl-Module-CoreList (5.20181130). The Common Vulnerabilities and Exposures\nproject identifies the following problems:\n\nCVE-2018-18311\n\n    Jayakrishna Menon and Christophe Hauser discovered an integer\n    overflow vulnerability in Perl_my_setenv leading to a heap-based\n    buffer overflow with attacker-controlled input. \n\nCVE-2018-18312\n\n    Eiichi Tsukata discovered that a crafted regular expression could\n    cause a heap-based buffer overflow write during compilation,\n    potentially allowing arbitrary code execution. \n\nFor the stable distribution (stretch), these problems have been fixed in\nversion 5.24.1-3+deb9u5. \n\nWe recommend that you upgrade your perl packages. 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\nGentoo Linux Security Advisory                           GLSA 201909-01\n- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\n                                           https://security.gentoo.org/\n- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\n\n Severity: Normal\n    Title: Perl: Multiple vulnerabilities\n     Date: September 06, 2019\n     Bugs: #653432, #670190\n       ID: 201909-01\n\n- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\n\nSynopsis\n========\n\nMultiple vulnerabilities have been found in Perl, the worst of which\ncould result in the arbitrary execution of code. \n\nAffected packages\n=================\n\n    -------------------------------------------------------------------\n     Package              /     Vulnerable     /            Unaffected\n    -------------------------------------------------------------------\n  1  dev-lang/perl                < 5.28.2                  >= 5.28.2\n\nDescription\n===========\n\nMultiple vulnerabilities have been discovered in Perl. Please review\nthe CVE identifiers referenced below for details. \n\nImpact\n======\n\nPlease review the referenced CVE identifiers for details. \n\nWorkaround\n==========\n\nThere is no known workaround at this time. 
\n\nResolution\n==========\n\nAll Perl users should upgrade to the latest version:\n\n  # emerge --sync\n  # emerge --ask --oneshot --verbose \">=dev-lang/perl-5.28.2\"\n\nReferences\n==========\n\n[ 1 ] CVE-2018-18311\n      https://nvd.nist.gov/vuln/detail/CVE-2018-18311\n[ 2 ] CVE-2018-18312\n      https://nvd.nist.gov/vuln/detail/CVE-2018-18312\n[ 3 ] CVE-2018-18313\n      https://nvd.nist.gov/vuln/detail/CVE-2018-18313\n[ 4 ] CVE-2018-18314\n      https://nvd.nist.gov/vuln/detail/CVE-2018-18314\n[ 5 ] CVE-2018-6797\n      https://nvd.nist.gov/vuln/detail/CVE-2018-6797\n[ 6 ] CVE-2018-6798\n      https://nvd.nist.gov/vuln/detail/CVE-2018-6798\n[ 7 ] CVE-2018-6913\n      https://nvd.nist.gov/vuln/detail/CVE-2018-6913\n\nAvailability\n============\n\nThis GLSA and any updates to it are available for viewing at\nthe Gentoo Security Website:\n\n https://security.gentoo.org/glsa/201909-01\n\nConcerns?\n=========\n\nSecurity is a primary focus of Gentoo Linux and ensuring the\nconfidentiality and security of our users' machines is of utmost\nimportance to us. Any security concerns should be addressed to\nsecurity@gentoo.org or alternatively, you may file a bug at\nhttps://bugs.gentoo.org. \n\nLicense\n=======\n\nCopyright 2019 Gentoo Foundation, Inc; referenced text\nbelongs to its owner(s). \n\nThe contents of this document are licensed under the\nCreative Commons - Attribution / Share Alike license. \n\nhttps://creativecommons.org/licenses/by-sa/2.5\n. 
-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA256\n\nAPPLE-SA-2019-3-25-2 macOS Mojave 10.14.4, Security Update\n2019-002 High Sierra, Security Update 2019-002 Sierra\n\nmacOS Mojave 10.14.4, Security Update 2019-002 High Sierra,\nSecurity Update 2019-002 Sierra are now available and\naddresses the following:\n\nAppleGraphicsControl\nAvailable for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, macOS\nMojave 10.14.3\nImpact: A malicious application may be able to execute arbitrary code\nwith kernel privileges\nDescription: A buffer overflow was addressed with improved size\nvalidation. \nCVE-2019-8555: Zhiyi Zhang of 360 ESG Codesafe Team, Zhuo Liang and\nshrek_wzw of Qihoo 360 Nirvan Team\n\nBom\nAvailable for: macOS Mojave 10.14.3\nImpact: A malicious application may bypass Gatekeeper checks\nDescription: This issue was addressed with improved handling of file\nmetadata. \nCVE-2019-6239: Ian Moorhouse and Michael Trimm\n\nCFString\nAvailable for: macOS Mojave 10.14.3\nImpact: Processing a maliciously crafted string may lead to a denial\nof service\nDescription: A validation issue was addressed with improved logic. \nCVE-2019-8516: SWIPS Team of Frifee Inc. \n\nconfigd\nAvailable for: macOS Mojave 10.14.3\nImpact: A malicious application may be able to elevate privileges\nDescription: A memory initialization issue was addressed with\nimproved memory handling. \nCVE-2019-8552: Mohamed Ghannam (@_simo36)\n\nContacts\nAvailable for: macOS Mojave 10.14.3\nImpact: A malicious application may be able to elevate privileges\nDescription: A buffer overflow issue was addressed with improved\nmemory handling. \nCVE-2019-8511: an anonymous researcher\n\nCoreCrypto\nAvailable for: macOS Mojave 10.14.3\nImpact: A malicious application may be able to elevate privileges\nDescription: A buffer overflow was addressed with improved bounds\nchecking. 
\nCVE-2019-8542: an anonymous researcher\n\nDiskArbitration\nAvailable for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, macOS\nMojave 10.14.3\nImpact: An encrypted volume may be unmounted and remounted by a\ndifferent user without prompting for the password\nDescription: A logic issue was addressed with improved state\nmanagement. \nCVE-2019-8522: Colin Meginnis (@falc420)\n\nFaceTime\nAvailable for: macOS Mojave 10.14.3\nImpact: A user's video may not be paused in a FaceTime call if they\nexit the FaceTime app while the call is ringing\nDescription: An issue existed in the pausing of FaceTime video. The\nissue was resolved with improved logic. \nCVE-2019-8550: Lauren Guzniczak of Keystone Academy\n\nFeedback Assistant\nAvailable for: macOS Mojave 10.14.3\nImpact: A malicious application may be able to gain root privileges\nDescription: A race condition was addressed with additional\nvalidation. \nCVE-2019-8565: CodeColorist of Ant-Financial LightYear Labs\n\nFeedback Assistant\nAvailable for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, macOS\nMojave 10.14.3\nImpact: A malicious application may be able to overwrite arbitrary\nfiles\nDescription: This issue was addressed with improved checks. \nCVE-2019-8521: CodeColorist of Ant-Financial LightYear Labs\n\nfile\nAvailable for: macOS Mojave 10.14.3\nImpact: Processing a maliciously crafted file might disclose user\ninformation\nDescription: An out-of-bounds read was addressed with improved bounds\nchecking. \nCVE-2019-6237: an anonymous researcher\n\nGraphics Drivers\nAvailable for: macOS Mojave 10.14.3\nImpact: An application may be able to read restricted memory\nDescription: An out-of-bounds read was addressed with improved bounds\nchecking. 
\nCVE-2019-8519: Aleksandr Tarasikov (@astarasikov), Juwei Lin\n(@panicaII) and Junzhi Lu of Trend Micro Research working with Trend\nMicro's Zero Day Initiative\n\niAP\nAvailable for: macOS Mojave 10.14.3\nImpact: A malicious application may be able to elevate privileges\nDescription: A buffer overflow was addressed with improved bounds\nchecking. \nCVE-2019-8542: an anonymous researcher\n\nIOGraphics\nAvailable for: macOS Mojave 10.14.3\nImpact: A Mac may not lock when disconnecting from an external\nmonitor\nDescription: A lock handling issue was addressed with improved lock\nhandling. \nCVE-2019-8533: an anonymous researcher, James Eagan of Télécom\nParisTech, R. Scott Kemp of MIT, Romke van Dijk of Z-CERT\n\nIOHIDFamily\nAvailable for: macOS Mojave 10.14.3\nImpact: A local user may be able to cause unexpected system\ntermination or read kernel memory\nDescription: A memory corruption issue was addressed with improved\nstate management. \nCVE-2019-8545: Adam Donenfeld (@doadam) of the Zimperium zLabs Team\n\nIOKit\nAvailable for: macOS High Sierra 10.13.6, macOS Mojave 10.14.3\nImpact: A local user may be able to read kernel memory\nDescription: A memory initialization issue was addressed with\nimproved memory handling. \nCVE-2019-8504: an anonymous researcher\n\nIOKit SCSI\nAvailable for: macOS High Sierra 10.13.6, macOS Mojave 10.14.3\nImpact: An application may be able to execute arbitrary code with\nkernel privileges\nDescription: A memory corruption issue was addressed with improved\ninput validation. \nCVE-2019-8529: Juwei Lin (@panicaII) of Trend Micro\n\nKernel\nAvailable for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, macOS\nMojave 10.14.3\nImpact: A remote attacker may be able to cause unexpected system\ntermination or corrupt kernel memory\nDescription: A buffer overflow was addressed with improved size\nvalidation. 
\nCVE-2019-8527: Ned Williamson of Google and derrek (@derrekr6)\n\nKernel\nAvailable for: macOS Sierra 10.12.6, macOS Mojave 10.14.3\nImpact: Mounting a maliciously crafted NFS network share may lead to\narbitrary code execution with system privileges\nDescription: A buffer overflow was addressed with improved bounds\nchecking. \nCVE-2019-8508: Dr. Silvio Cesare of InfoSect\n\nKernel\nAvailable for: macOS Mojave 10.14.3\nImpact: An application may be able to gain elevated privileges\nDescription: A logic issue was addressed with improved state\nmanagement. \nCVE-2019-8514: Samuel Groß of Google Project Zero\n\nKernel\nAvailable for: macOS Sierra 10.12.6, macOS Mojave 10.14.3\nImpact: A malicious application may be able to determine kernel\nmemory layout\nDescription: A memory initialization issue was addressed with\nimproved memory handling. \nCVE-2019-8540: Weibo Wang (@ma1fan) of Qihoo 360  Nirvan Team\n\nKernel\nAvailable for: macOS Mojave 10.14.3\nImpact: A local user may be able to read kernel memory\nDescription: A memory corruption issue was addressed with improved\nmemory handling. \nCVE-2019-7293: Ned Williamson of Google\n\nKernel\nAvailable for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, macOS\nMojave 10.14.3\nImpact: A malicious application may be able to determine kernel\nmemory layout\nDescription: An out-of-bounds read issue existed that led to the\ndisclosure of kernel memory. This was addressed with improved input\nvalidation. \nCVE-2019-6207: Weibo Wang of Qihoo 360 Nirvan Team (@ma1fan)\nCVE-2019-8510: Stefan Esser of Antid0te UG\n\nMessages\nAvailable for: macOS Mojave 10.14.3\nImpact: A local user may be able to view sensitive user information\nDescription: An access issue was addressed with additional sandbox\nrestrictions. 
\nCVE-2019-8546: ChiYuan Chang\n\nNotes\nAvailable for: macOS Mojave 10.14.3\nImpact: A local user may be able to view a user's locked notes\nDescription: An access issue was addressed with improved memory\nmanagement. \nCVE-2019-8537: Greg Walker (gregwalker.us)\n\nPackageKit\nAvailable for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, macOS\nMojave 10.14.3\nImpact: A malicious application may be able to elevate privileges\nDescription: A logic issue was addressed with improved validation. \nCVE-2019-8561: Jaron Bradley of Crowdstrike\n\nPerl\nAvailable for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, macOS\nMojave 10.14.3\nImpact: Multiple issues in Perl\nDescription: Multiple issues in Perl were addressed in this update. \nCVE-2018-12015: Jakub Wilk\nCVE-2018-18311: Jayakrishna Menon\nCVE-2018-18313: Eiichi Tsukata\n\nPower Management\nAvailable for: macOS Mojave 10.14.3\nImpact: A malicious application may be able to execute arbitrary code\nwith system privileges\nDescription: Multiple input validation issues existed in MIG\ngenerated code. These issues were addressed with improved validation. \nCVE-2019-8549: Mohamed Ghannam (@_simo36) of SSD Secure Disclosure\n(ssd-disclosure.com)\n\nQuartzCore\nAvailable for: macOS Mojave 10.14.3\nImpact: Processing malicious data may lead to unexpected application\ntermination\nDescription: Multiple memory corruption issues were addressed with\nimproved input validation. \nCVE-2019-8507: Kai Lu or Fortinet's FortiGuard Labs\n\nSecurity\nAvailable for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, macOS\nMojave 10.14.3\nImpact: An application may be able to gain elevated privileges\nDescription: A use after free issue was addressed with improved\nmemory management. 
\nCVE-2019-8526: Linus Henze (pinauten.de)\n\nSecurity\nAvailable for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, macOS\nMojave 10.14.3\nImpact: A malicious application may be able to read restricted memory\nDescription: An out-of-bounds read was addressed with improved bounds\nchecking. \nCVE-2019-8520: Antonio Groza, The UK's National Cyber Security Centre\n(NCSC)\n\nSiri\nAvailable for: macOS Mojave 10.14.3\nImpact: A malicious application may be able to initiate a Dictation\nrequest without user authorization\nDescription: An API issue existed in the handling of dictation\nrequests. This issue was addressed with improved validation. \nCVE-2019-8502: Luke Deshotels of North Carolina State University,\nJordan Beichler of North Carolina State University, William Enck of\nNorth Carolina State University, Costin Carabaș of University\nPOLITEHNICA of Bucharest, and Răzvan Deaconescu of University\nPOLITEHNICA of Bucharest\n\nTime Machine\nAvailable for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, macOS\nMojave 10.14.3\nImpact: A local user may be able to execute arbitrary shell commands\nDescription: This issue was addressed with improved checks. \nCVE-2019-8513: CodeColorist of Ant-Financial LightYear Labs\n\nTrueTypeScaler\nAvailable for: macOS Mojave 10.14.3\nImpact: Processing a maliciously crafted font may result in the\ndisclosure of process memory\nDescription: An out-of-bounds read was addressed with improved bounds\nchecking. \nCVE-2019-8517: riusksk of VulWar Corp working with Trend Micro Zero\nDay Initiative\n\nXPC\nAvailable for: macOS Sierra 10.12.6, macOS Mojave 10.14.3\nImpact: A malicious application may be able to overwrite arbitrary\nfiles\nDescription: This issue was addressed with improved checks. \nCVE-2019-8530: CodeColorist of Ant-Financial LightYear Labs\n\nAdditional recognition\n\nAccounts\nWe would like to acknowledge Milan Stute of Secure Mobile Networking\nLab at Technische Universität Darmstadt for their assistance. 
\n\nBooks\nWe would like to acknowledge Yiğit Can YILMAZ (@yilmazcanyigit) for\ntheir assistance. \n\nKernel\nWe would like to acknowledge Brandon Azad of Google Project Zero for\ntheir assistance. \n\nMail\nWe would like to acknowledge Craig Young of Tripwire VERT and Hanno\nBöck for their assistance. \n\nTime Machine\nWe would like to acknowledge CodeColorist of Ant-Financial LightYear\nLabs for their assistance. \n\nInstallation note:\n\nmacOS Mojave 10.14.4, Security Update 2019-002 High Sierra,\nSecurity Update 2019-002 Sierra may be obtained from the\nMac App Store or Apple's Software Downloads web site:\nhttps://support.apple.com/downloads/\n\nInformation will also be posted to the Apple Security Updates\nweb site: https://support.apple.com/kb/HT201222\n\nThis message is signed with Apple's Product Security PGP key,\nand details are available at:\nhttps://www.apple.com/support/security/pgp/\n-----BEGIN PGP SIGNATURE-----\n\niQJdBAEBCABHFiEEDNXJVNCJJEAVmJdZeC9tht7TK3EFAlyZWQgpHHByb2R1Y3Qt\nc2VjdXJpdHktbm9yZXBseUBsaXN0cy5hcHBsZS5jb20ACgkQeC9tht7TK3E4zA/9\nFvnChJHCmmH34DmCi+LGXO/fatCVVvvSHDWm1+bPjl8CeYcF+zZYACkQKxFoNpDT\nvyiBJnNveCQEHeBvqSyRF8dfsTf4fr0MrFS1uIQVRPf2St6fZ27vDnC6fg269r0D\nEqnz0raFUa3bLUirteRMJwAqdGaVKwsNzM13qP4QEdrB14XkwZA0yQBunltFYU33\niAesKeejDLdhwkjfhmmjTlVPZmnABx2ZCfj2v7TiPxTOjfYbXcN8sY2LDHEOWNaM\nucrGBMfGH/ehStXAsIArwcLGOl6SI+6JywWVcm9lG6jUHSeSk9BPF6R4JzGrEHZB\nsSo87+U8b63KA2GkYecwh6xvE5EchQku/fj0d2zbOlg+T2bMbyc6Al2nefsYnX5p\n7BuhdZxqq3m3Gme2qRY0eye6wch1BTHhK+zctrVH2XeMaUpeanopVRI8AD+hZJ1J\n+9oQX8kSa7hzJYPmohA4Wi/Rp9FpKpgXYNBn1A9DgSAvf+eyfWJX0aZXmQZfn/k7\nOLz3EmSKvXv0i67L9g2XYeX7GFBMqf4xWeztKLUYFafu73t1mTxZJICcYeTxebS0\nzBJdkOHwP9GxsSonblDgPScQPdW85l0fangn7qqiexCVp4JsCGBc0Wuy1lc+MyzS\n1YmrDRhRl4aYOf4UGgtKI6ncvM77Y30ECPV3A6vl+wk=\n=QV0f\n-----END PGP SIGNATURE-----\n. 
==========================================================================\nUbuntu Security Notice USN-3834-2\nDecember 03, 2018\n\nperl vulnerabilities\n==========================================================================\n\nA security issue affects these releases of Ubuntu and its derivatives:\n\n- Ubuntu 12.04 ESM\n\nSummary:\n\nSeveral security issues were fixed in Perl. \n\nSoftware Description:\n- perl: Practical Extraction and Report Language\n\nDetails:\n\nUSN-3834-1 fixed a vulnerability in perl. This update provides\nthe corresponding update for Ubuntu 12.04 ESM. \n\nOriginal advisory details:\n\n Jayakrishna Menon discovered that Perl incorrectly handled\n Perl_my_setenv. (CVE-2018-18311)\n\n Eiichi Tsukata discovered that Perl incorrectly handled certain\n regular expressions. An attacker could use this issue to cause Perl to\n crash, resulting in a denial of service. (CVE-2018-18313)\n\nUpdate instructions:\n\nThe problem can be corrected by updating your system to the following\npackage versions:\n\nUbuntu 12.04 ESM:\n  perl                            5.14.2-6ubuntu2.9\n\nIn general, a standard system update will make all the necessary\nchanges",
      sources: [
         {
            db: "NVD",
            id: "CVE-2018-18313",
         },
         {
            db: "JVNDB",
            id: "JVNDB-2018-012766",
         },
         {
            db: "BID",
            id: "106072",
         },
         {
            db: "VULHUB",
            id: "VHN-128860",
         },
         {
            db: "VULMON",
            id: "CVE-2018-18313",
         },
         {
            db: "PACKETSTORM",
            id: "151001",
         },
         {
            db: "PACKETSTORM",
            id: "151000",
         },
         {
            db: "PACKETSTORM",
            id: "150523",
         },
         {
            db: "PACKETSTORM",
            id: "154385",
         },
         {
            db: "PACKETSTORM",
            id: "152222",
         },
         {
            db: "PACKETSTORM",
            id: "150565",
         },
      ],
      trust: 2.61,
   },
   external_ids: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/external_ids#",
         data: {
            "@container": "@list",
         },
         sources: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/ref/sources#",
            },
         },
      },
      data: [
         {
            db: "NVD",
            id: "CVE-2018-18313",
            trust: 3.5,
         },
         {
            db: "SECTRACK",
            id: "1042181",
            trust: 1.8,
         },
         {
            db: "JVNDB",
            id: "JVNDB-2018-012766",
            trust: 0.8,
         },
         {
            db: "CNNVD",
            id: "CNNVD-201811-926",
            trust: 0.7,
         },
         {
            db: "PACKETSTORM",
            id: "154385",
            trust: 0.7,
         },
         {
            db: "PACKETSTORM",
            id: "152222",
            trust: 0.7,
         },
         {
            db: "AUSCERT",
            id: "ESB-2019.0990",
            trust: 0.6,
         },
         {
            db: "BID",
            id: "106072",
            trust: 0.3,
         },
         {
            db: "VULHUB",
            id: "VHN-128860",
            trust: 0.1,
         },
         {
            db: "VULMON",
            id: "CVE-2018-18313",
            trust: 0.1,
         },
         {
            db: "PACKETSTORM",
            id: "151001",
            trust: 0.1,
         },
         {
            db: "PACKETSTORM",
            id: "151000",
            trust: 0.1,
         },
         {
            db: "PACKETSTORM",
            id: "150523",
            trust: 0.1,
         },
         {
            db: "PACKETSTORM",
            id: "150565",
            trust: 0.1,
         },
      ],
      sources: [
         {
            db: "VULHUB",
            id: "VHN-128860",
         },
         {
            db: "VULMON",
            id: "CVE-2018-18313",
         },
         {
            db: "BID",
            id: "106072",
         },
         {
            db: "JVNDB",
            id: "JVNDB-2018-012766",
         },
         {
            db: "PACKETSTORM",
            id: "151001",
         },
         {
            db: "PACKETSTORM",
            id: "151000",
         },
         {
            db: "PACKETSTORM",
            id: "150523",
         },
         {
            db: "PACKETSTORM",
            id: "154385",
         },
         {
            db: "PACKETSTORM",
            id: "152222",
         },
         {
            db: "PACKETSTORM",
            id: "150565",
         },
         {
            db: "CNNVD",
            id: "CNNVD-201811-926",
         },
         {
            db: "NVD",
            id: "CVE-2018-18313",
         },
      ],
   },
   id: "VAR-201812-0273",
   iot: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/iot#",
         sources: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/ref/sources#",
            },
         },
      },
      data: true,
      sources: [
         {
            db: "VULHUB",
            id: "VHN-128860",
         },
      ],
      trust: 0.01,
   },
   last_update_date: "2024-11-29T20:38:17.141000Z",
   patch: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/patch#",
         data: {
            "@container": "@list",
         },
         sources: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/ref/sources#",
            },
         },
      },
      data: [
         {
            title: "DSA-4347",
            trust: 0.8,
            url: "https://www.debian.org/security/2018/dsa-4347",
         },
         {
            title: "regcomp.c: Convert some strchr to memchr",
            trust: 0.8,
            url: "https://github.com/Perl/perl5/commit/43b2f4ef399e2fd7240b4eeb0658686ad95f8e62",
         },
         {
            title: "USN-3834-1",
            trust: 0.8,
            url: "https://usn.ubuntu.com/3834-1/",
         },
         {
            title: "USN-3834-2",
            trust: 0.8,
            url: "https://usn.ubuntu.com/3834-2/",
         },
         {
            title: "Perl Security vulnerabilities",
            trust: 0.6,
            url: "http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=87327",
         },
         {
            title: "Red Hat: Important: rh-perl526-perl security and enhancement update",
            trust: 0.1,
            url: "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories&qid=RHSA-20190001 - Security Advisory",
         },
         {
            title: "Red Hat: Important: rh-perl524-perl security update",
            trust: 0.1,
            url: "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories&qid=RHSA-20190010 - Security Advisory",
         },
         {
            title: "Ubuntu Security Notice: perl vulnerabilities",
            trust: 0.1,
            url: "https://vulmon.com/vendoradvisory?qidtp=ubuntu_security_notice&qid=USN-3834-2",
         },
         {
            title: "Red Hat: CVE-2018-18313",
            trust: 0.1,
            url: "https://vulmon.com/vendoradvisory?qidtp=red_hat_cve_database&qid=CVE-2018-18313",
         },
         {
            title: "Ubuntu Security Notice: perl vulnerabilities",
            trust: 0.1,
            url: "https://vulmon.com/vendoradvisory?qidtp=ubuntu_security_notice&qid=USN-3834-1",
         },
         {
            title: "Debian Security Advisories: DSA-4347-1 perl -- security update",
            trust: 0.1,
            url: "https://vulmon.com/vendoradvisory?qidtp=debian_security_advisories&qid=9d703224274c60e23b97462e56895757",
         },
         {
            title: "IBM: IBM Security Bulletin: IBM MQ Cloud Paks are vulnerable to multiple vulnerabilities in Perl (CVE-2018-18312 CVE-2018-18313 CVE-2018-18314 CVE-2018-18311)",
            trust: 0.1,
            url: "https://vulmon.com/vendoradvisory?qidtp=ibm_psirt_blog&qid=48c2d25ee84d3c5c67f054df5e25d685",
         },
         {
            title: "Oracle Solaris Third Party Bulletins: Oracle Solaris Third Party Bulletin - April 2019",
            trust: 0.1,
            url: "https://vulmon.com/vendoradvisory?qidtp=oracle_solaris_third_party_bulletins&qid=4ee609eeae78bbbd0d0c827f33a7f87f",
         },
         {
            title: "IBM: IBM Security Bulletin: IBM API Connect has addressed multiple vulnerabilities in Developer Portal’s dependencies – Cumulative list from June 28, 2018 to December 13, 2018",
            trust: 0.1,
            url: "https://vulmon.com/vendoradvisory?qidtp=ibm_psirt_blog&qid=43da2cd72c1e378d8d94ecec029fcc61",
         },
         {
            title: "",
            trust: 0.1,
            url: "https://github.com/D5n9sMatrix/perltoc ",
         },
         {
            title: "",
            trust: 0.1,
            url: "https://github.com/imhunterand/hackerone-publicy-disclosed ",
         },
      ],
      sources: [
         {
            db: "VULMON",
            id: "CVE-2018-18313",
         },
         {
            db: "JVNDB",
            id: "JVNDB-2018-012766",
         },
         {
            db: "CNNVD",
            id: "CNNVD-201811-926",
         },
      ],
   },
   problemtype_data: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
         sources: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/ref/sources#",
            },
         },
      },
      data: [
         {
            problemtype: "CWE-125",
            trust: 1.9,
         },
      ],
      sources: [
         {
            db: "VULHUB",
            id: "VHN-128860",
         },
         {
            db: "JVNDB",
            id: "JVNDB-2018-012766",
         },
         {
            db: "NVD",
            id: "CVE-2018-18313",
         },
      ],
   },
   references: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/references#",
         data: {
            "@container": "@list",
         },
         sources: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/ref/sources#",
            },
         },
      },
      data: [
         {
            trust: 2.9,
            url: "https://bugzilla.redhat.com/show_bug.cgi?id=1646738",
         },
         {
            trust: 2.1,
            url: "https://github.com/perl/perl5/commit/43b2f4ef399e2fd7240b4eeb0658686ad95f8e62",
         },
         {
            trust: 2,
            url: "https://access.redhat.com/errata/rhsa-2019:0001",
         },
         {
            trust: 1.9,
            url: "https://security.gentoo.org/glsa/201909-01",
         },
         {
            trust: 1.9,
            url: "https://access.redhat.com/errata/rhsa-2019:0010",
         },
         {
            trust: 1.9,
            url: "https://usn.ubuntu.com/3834-2/",
         },
         {
            trust: 1.8,
            url: "https://seclists.org/bugtraq/2019/mar/42",
         },
         {
            trust: 1.8,
            url: "https://metacpan.org/changes/release/shay/perl-5.26.3",
         },
         {
            trust: 1.8,
            url: "https://rt.perl.org/ticket/display.html?id=133192",
         },
         {
            trust: 1.8,
            url: "https://security.netapp.com/advisory/ntap-20190221-0003/",
         },
         {
            trust: 1.8,
            url: "https://support.apple.com/kb/ht209600",
         },
         {
            trust: 1.8,
            url: "https://www.debian.org/security/2018/dsa-4347",
         },
         {
            trust: 1.8,
            url: "http://seclists.org/fulldisclosure/2019/mar/49",
         },
         {
            trust: 1.8,
            url: "https://www.oracle.com/security-alerts/cpujul2020.html",
         },
         {
            trust: 1.8,
            url: "http://www.securitytracker.com/id/1042181",
         },
         {
            trust: 1.8,
            url: "https://usn.ubuntu.com/3834-1/",
         },
         {
            trust: 1.4,
            url: "https://nvd.nist.gov/vuln/detail/cve-2018-18313",
         },
         {
            trust: 1.1,
            url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/rwqgeb543qn7ssbrkyjm6psoc3rlygsm/",
         },
         {
            trust: 0.8,
            url: "https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-18313",
         },
         {
            trust: 0.7,
            url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/rwqgeb543qn7ssbrkyjm6psoc3rlygsm/",
         },
         {
            trust: 0.6,
            url: "https://nvd.nist.gov/vuln/detail/cve-2018-18311",
         },
         {
            trust: 0.6,
            url: "https://support.apple.com/en-au/ht209600",
         },
         {
            trust: 0.6,
            url: "https://www.auscert.org.au/bulletins/77806",
         },
         {
            trust: 0.6,
            url: "https://support.apple.com/en-us/ht209600",
         },
         {
            trust: 0.6,
            url: "https://packetstormsecurity.com/files/152222/apple-security-advisory-2019-3-25-2.html",
         },
         {
            trust: 0.6,
            url: "https://packetstormsecurity.com/files/154385/gentoo-linux-security-advisory-201909-01.html",
         },
         {
            trust: 0.5,
            url: "https://access.redhat.com/security/cve/cve-2018-18313",
         },
         {
            trust: 0.4,
            url: "https://nvd.nist.gov/vuln/detail/cve-2018-18312",
         },
         {
            trust: 0.4,
            url: "https://nvd.nist.gov/vuln/detail/cve-2018-18314",
         },
         {
            trust: 0.3,
            url: "www.perl.org",
         },
         {
            trust: 0.2,
            url: "https://www.redhat.com/mailman/listinfo/rhsa-announce",
         },
         {
            trust: 0.2,
            url: "https://access.redhat.com/security/cve/cve-2018-18311",
         },
         {
            trust: 0.2,
            url: "https://access.redhat.com/security/team/contact/",
         },
         {
            trust: 0.2,
            url: "https://access.redhat.com/security/cve/cve-2018-18312",
         },
         {
            trust: 0.2,
            url: "https://bugzilla.redhat.com/):",
         },
         {
            trust: 0.2,
            url: "https://access.redhat.com/security/team/key/",
         },
         {
            trust: 0.2,
            url: "https://access.redhat.com/articles/11258",
         },
         {
            trust: 0.2,
            url: "https://access.redhat.com/security/cve/cve-2018-18314",
         },
         {
            trust: 0.2,
            url: "https://access.redhat.com/security/updates/classification/#important",
         },
         {
            trust: 0.1,
            url: "https://cwe.mitre.org/data/definitions/125.html",
         },
         {
            trust: 0.1,
            url: "https://tools.cisco.com/security/center/viewalert.x?alertid=59234",
         },
         {
            trust: 0.1,
            url: "https://nvd.nist.gov",
         },
         {
            trust: 0.1,
            url: "https://www.debian.org/security/faq",
         },
         {
            trust: 0.1,
            url: "https://www.debian.org/security/",
         },
         {
            trust: 0.1,
            url: "https://security-tracker.debian.org/tracker/perl",
         },
         {
            trust: 0.1,
            url: "https://nvd.nist.gov/vuln/detail/cve-2018-6913",
         },
         {
            trust: 0.1,
            url: "https://nvd.nist.gov/vuln/detail/cve-2018-6797",
         },
         {
            trust: 0.1,
            url: "https://creativecommons.org/licenses/by-sa/2.5",
         },
         {
            trust: 0.1,
            url: "https://nvd.nist.gov/vuln/detail/cve-2018-6798",
         },
         {
            trust: 0.1,
            url: "https://security.gentoo.org/",
         },
         {
            trust: 0.1,
            url: "https://bugs.gentoo.org.",
         },
         {
            trust: 0.1,
            url: "https://nvd.nist.gov/vuln/detail/cve-2019-8514",
         },
         {
            trust: 0.1,
            url: "https://support.apple.com/kb/ht201222",
         },
         {
            trust: 0.1,
            url: "https://nvd.nist.gov/vuln/detail/cve-2019-8511",
         },
         {
            trust: 0.1,
            url: "https://nvd.nist.gov/vuln/detail/cve-2019-8519",
         },
         {
            trust: 0.1,
            url: "https://nvd.nist.gov/vuln/detail/cve-2019-8502",
         },
         {
            trust: 0.1,
            url: "https://nvd.nist.gov/vuln/detail/cve-2019-8516",
         },
         {
            trust: 0.1,
            url: "https://nvd.nist.gov/vuln/detail/cve-2019-6239",
         },
         {
            trust: 0.1,
            url: "https://nvd.nist.gov/vuln/detail/cve-2019-8522",
         },
         {
            trust: 0.1,
            url: "https://nvd.nist.gov/vuln/detail/cve-2019-6237",
         },
         {
            trust: 0.1,
            url: "https://nvd.nist.gov/vuln/detail/cve-2019-8540",
         },
         {
            trust: 0.1,
            url: "https://nvd.nist.gov/vuln/detail/cve-2019-8526",
         },
         {
            trust: 0.1,
            url: "https://nvd.nist.gov/vuln/detail/cve-2019-8527",
         },
         {
            trust: 0.1,
            url: "https://nvd.nist.gov/vuln/detail/cve-2018-12015",
         },
         {
            trust: 0.1,
            url: "https://nvd.nist.gov/vuln/detail/cve-2019-8533",
         },
         {
            trust: 0.1,
            url: "https://support.apple.com/downloads/",
         },
         {
            trust: 0.1,
            url: "https://nvd.nist.gov/vuln/detail/cve-2019-8520",
         },
         {
            trust: 0.1,
            url: "https://nvd.nist.gov/vuln/detail/cve-2019-8517",
         },
         {
            trust: 0.1,
            url: "https://nvd.nist.gov/vuln/detail/cve-2019-8521",
         },
         {
            trust: 0.1,
            url: "https://www.apple.com/support/security/pgp/",
         },
         {
            trust: 0.1,
            url: "https://nvd.nist.gov/vuln/detail/cve-2019-6207",
         },
         {
            trust: 0.1,
            url: "https://nvd.nist.gov/vuln/detail/cve-2019-8504",
         },
         {
            trust: 0.1,
            url: "https://nvd.nist.gov/vuln/detail/cve-2019-7293",
         },
         {
            trust: 0.1,
            url: "https://nvd.nist.gov/vuln/detail/cve-2019-8510",
         },
         {
            trust: 0.1,
            url: "https://nvd.nist.gov/vuln/detail/cve-2019-8508",
         },
         {
            trust: 0.1,
            url: "https://nvd.nist.gov/vuln/detail/cve-2019-8530",
         },
         {
            trust: 0.1,
            url: "https://nvd.nist.gov/vuln/detail/cve-2019-8513",
         },
         {
            trust: 0.1,
            url: "https://nvd.nist.gov/vuln/detail/cve-2019-8529",
         },
         {
            trust: 0.1,
            url: "https://nvd.nist.gov/vuln/detail/cve-2019-8537",
         },
         {
            trust: 0.1,
            url: "https://nvd.nist.gov/vuln/detail/cve-2019-8507",
         },
         {
            trust: 0.1,
            url: "https://usn.ubuntu.com/usn/usn-3834-2",
         },
         {
            trust: 0.1,
            url: "https://usn.ubuntu.com/usn/usn-3834-1",
         },
      ],
      sources: [
         {
            db: "VULHUB",
            id: "VHN-128860",
         },
         {
            db: "VULMON",
            id: "CVE-2018-18313",
         },
         {
            db: "BID",
            id: "106072",
         },
         {
            db: "JVNDB",
            id: "JVNDB-2018-012766",
         },
         {
            db: "PACKETSTORM",
            id: "151001",
         },
         {
            db: "PACKETSTORM",
            id: "151000",
         },
         {
            db: "PACKETSTORM",
            id: "150523",
         },
         {
            db: "PACKETSTORM",
            id: "154385",
         },
         {
            db: "PACKETSTORM",
            id: "152222",
         },
         {
            db: "PACKETSTORM",
            id: "150565",
         },
         {
            db: "CNNVD",
            id: "CNNVD-201811-926",
         },
         {
            db: "NVD",
            id: "CVE-2018-18313",
         },
      ],
   },
   sources: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/sources#",
         data: {
            "@container": "@list",
         },
      },
      data: [
         {
            db: "VULHUB",
            id: "VHN-128860",
         },
         {
            db: "VULMON",
            id: "CVE-2018-18313",
         },
         {
            db: "BID",
            id: "106072",
         },
         {
            db: "JVNDB",
            id: "JVNDB-2018-012766",
         },
         {
            db: "PACKETSTORM",
            id: "151001",
         },
         {
            db: "PACKETSTORM",
            id: "151000",
         },
         {
            db: "PACKETSTORM",
            id: "150523",
         },
         {
            db: "PACKETSTORM",
            id: "154385",
         },
         {
            db: "PACKETSTORM",
            id: "152222",
         },
         {
            db: "PACKETSTORM",
            id: "150565",
         },
         {
            db: "CNNVD",
            id: "CNNVD-201811-926",
         },
         {
            db: "NVD",
            id: "CVE-2018-18313",
         },
      ],
   },
   sources_release_date: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
         data: {
            "@container": "@list",
         },
      },
      data: [
         {
            date: "2018-12-07T00:00:00",
            db: "VULHUB",
            id: "VHN-128860",
         },
         {
            date: "2018-12-07T00:00:00",
            db: "VULMON",
            id: "CVE-2018-18313",
         },
         {
            date: "2018-11-05T00:00:00",
            db: "BID",
            id: "106072",
         },
         {
            date: "2019-02-07T00:00:00",
            db: "JVNDB",
            id: "JVNDB-2018-012766",
         },
         {
            date: "2019-01-03T02:57:52",
            db: "PACKETSTORM",
            id: "151001",
         },
         {
            date: "2019-01-03T02:57:21",
            db: "PACKETSTORM",
            id: "151000",
         },
         {
            date: "2018-11-30T15:01:16",
            db: "PACKETSTORM",
            id: "150523",
         },
         {
            date: "2019-09-06T22:21:33",
            db: "PACKETSTORM",
            id: "154385",
         },
         {
            date: "2019-03-26T14:40:53",
            db: "PACKETSTORM",
            id: "152222",
         },
         {
            date: "2018-12-03T21:10:24",
            db: "PACKETSTORM",
            id: "150565",
         },
         {
            date: "2018-11-30T00:00:00",
            db: "CNNVD",
            id: "CNNVD-201811-926",
         },
         {
            date: "2018-12-07T21:29:00.717000",
            db: "NVD",
            id: "CVE-2018-18313",
         },
      ],
   },
   sources_update_date: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
         data: {
            "@container": "@list",
         },
      },
      data: [
         {
            date: "2020-07-15T00:00:00",
            db: "VULHUB",
            id: "VHN-128860",
         },
         {
            date: "2023-11-07T00:00:00",
            db: "VULMON",
            id: "CVE-2018-18313",
         },
         {
            date: "2018-11-05T00:00:00",
            db: "BID",
            id: "106072",
         },
         {
            date: "2019-02-07T00:00:00",
            db: "JVNDB",
            id: "JVNDB-2018-012766",
         },
         {
            date: "2021-10-29T00:00:00",
            db: "CNNVD",
            id: "CNNVD-201811-926",
         },
         {
            date: "2024-11-21T03:55:41.177000",
            db: "NVD",
            id: "CVE-2018-18313",
         },
      ],
   },
   threat_type: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/threat_type#",
         sources: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/ref/sources#",
            },
         },
      },
      data: "remote",
      sources: [
         {
            db: "CNNVD",
            id: "CNNVD-201811-926",
         },
      ],
      trust: 0.6,
   },
   title: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/title#",
         sources: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/ref/sources#",
            },
         },
      },
      data: "Perl Vulnerable to out-of-bounds reading",
      sources: [
         {
            db: "JVNDB",
            id: "JVNDB-2018-012766",
         },
      ],
      trust: 0.8,
   },
   type: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/type#",
         sources: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/ref/sources#",
            },
         },
      },
      data: "buffer error",
      sources: [
         {
            db: "CNNVD",
            id: "CNNVD-201811-926",
         },
      ],
      trust: 0.6,
   },
}

var-201609-0068
Vulnerability from variot

The TLS protocol 1.2 and earlier supports the rsa_fixed_dh, dss_fixed_dh, rsa_fixed_ecdh, and ecdsa_fixed_ecdh values for ClientCertificateType but does not directly document the ability to compute the master secret in certain situations with a client secret key and server public key but not a server secret key, which makes it easier for man-in-the-middle attackers to spoof TLS servers by leveraging knowledge of the secret key for an arbitrary installed client X.509 certificate, aka the "Key Compromise Impersonation (KCI)" issue. TLS is prone to a security-bypass vulnerability. Successfully exploiting this issue may allow attackers to perform unauthorized actions by conducting a man-in-the-middle attack. This may lead to other attacks. The TLS (Transport Layer Security) protocol is a set of protocols used to provide confidentiality and data integrity between two communicating applications. There are security vulnerabilities in TLS protocol 1.2 and earlier versions.



{
   "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
      affected_products: {
         "@id": "https://www.variotdbs.pl/ref/affected_products",
      },
      configurations: {
         "@id": "https://www.variotdbs.pl/ref/configurations",
      },
      credits: {
         "@id": "https://www.variotdbs.pl/ref/credits",
      },
      cvss: {
         "@id": "https://www.variotdbs.pl/ref/cvss/",
      },
      description: {
         "@id": "https://www.variotdbs.pl/ref/description/",
      },
      exploit_availability: {
         "@id": "https://www.variotdbs.pl/ref/exploit_availability/",
      },
      external_ids: {
         "@id": "https://www.variotdbs.pl/ref/external_ids/",
      },
      iot: {
         "@id": "https://www.variotdbs.pl/ref/iot/",
      },
      iot_taxonomy: {
         "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/",
      },
      patch: {
         "@id": "https://www.variotdbs.pl/ref/patch/",
      },
      problemtype_data: {
         "@id": "https://www.variotdbs.pl/ref/problemtype_data/",
      },
      references: {
         "@id": "https://www.variotdbs.pl/ref/references/",
      },
      sources: {
         "@id": "https://www.variotdbs.pl/ref/sources/",
      },
      sources_release_date: {
         "@id": "https://www.variotdbs.pl/ref/sources_release_date/",
      },
      sources_update_date: {
         "@id": "https://www.variotdbs.pl/ref/sources_update_date/",
      },
      threat_type: {
         "@id": "https://www.variotdbs.pl/ref/threat_type/",
      },
      title: {
         "@id": "https://www.variotdbs.pl/ref/title/",
      },
      type: {
         "@id": "https://www.variotdbs.pl/ref/type/",
      },
   },
   "@id": "https://www.variotdbs.pl/vuln/VAR-201609-0068",
   affected_products: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/affected_products#",
         data: {
            "@container": "@list",
         },
         sources: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/ref/sources#",
            },
            "@id": "https://www.variotdbs.pl/ref/sources",
         },
      },
      data: [
         {
            model: "smi-s provider",
            scope: "eq",
            trust: 1,
            vendor: "netapp",
            version: null,
         },
         {
            model: "host agent",
            scope: "eq",
            trust: 1,
            vendor: "netapp",
            version: null,
         },
         {
            model: "solidfire \\& hci management node",
            scope: "eq",
            trust: 1,
            vendor: "netapp",
            version: null,
         },
         {
            model: "transport layer security",
            scope: "lte",
            trust: 1,
            vendor: "ietf",
            version: "1.2",
         },
         {
            model: "snapdrive",
            scope: "eq",
            trust: 1,
            vendor: "netapp",
            version: null,
         },
         {
            model: "clustered data ontap antivirus connector",
            scope: "eq",
            trust: 1,
            vendor: "netapp",
            version: null,
         },
         {
            model: "system setup",
            scope: "eq",
            trust: 1,
            vendor: "netapp",
            version: null,
         },
         {
            model: "oncommand shift",
            scope: "eq",
            trust: 1,
            vendor: "netapp",
            version: null,
         },
         {
            model: "plug-in for symantec netbackup",
            scope: "eq",
            trust: 1,
            vendor: "netapp",
            version: null,
         },
         {
            model: "data ontap edge",
            scope: "eq",
            trust: 1,
            vendor: "netapp",
            version: null,
         },
         {
            model: "snapprotect",
            scope: "eq",
            trust: 1,
            vendor: "netapp",
            version: null,
         },
         {
            model: "snapmanager",
            scope: "eq",
            trust: 1,
            vendor: "netapp",
            version: null,
         },
         {
            model: "snap creator framework",
            scope: "eq",
            trust: 1,
            vendor: "netapp",
            version: null,
         },
         {
            model: "chrome",
            scope: null,
            trust: 0.8,
            vendor: "google",
            version: null,
         },
         {
            model: "firefox",
            scope: null,
            trust: 0.8,
            vendor: "mozilla",
            version: null,
         },
         {
            model: "opera",
            scope: null,
            trust: 0.8,
            vendor: "opera asa",
            version: null,
         },
         {
            model: "safari",
            scope: null,
            trust: 0.8,
            vendor: "apple",
            version: null,
         },
         {
            model: "internet explorer",
            scope: null,
            trust: 0.8,
            vendor: "microsoft",
            version: null,
         },
         {
            model: "opera",
            scope: null,
            trust: 0.6,
            vendor: "opera",
            version: null,
         },
         {
            model: "tls",
            scope: "eq",
            trust: 0.3,
            vendor: "ietf",
            version: "1.2",
         },
         {
            model: "tls",
            scope: "eq",
            trust: 0.3,
            vendor: "ietf",
            version: "1.1",
         },
         {
            model: "tls",
            scope: "eq",
            trust: 0.3,
            vendor: "ietf",
            version: "1.0",
         },
      ],
      sources: [
         {
            db: "BID",
            id: "93071",
         },
         {
            db: "JVNDB",
            id: "JVNDB-2015-007257",
         },
         {
            db: "CNNVD",
            id: "CNNVD-201609-496",
         },
         {
            db: "NVD",
            id: "CVE-2015-8960",
         },
      ],
   },
   configurations: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/configurations#",
         children: {
            "@container": "@list",
         },
         cpe_match: {
            "@container": "@list",
         },
         data: {
            "@container": "@list",
         },
         nodes: {
            "@container": "@list",
         },
      },
      data: [
         {
            CVE_data_version: "4.0",
            nodes: [
               {
                  cpe_match: [
                     {
                        cpe22Uri: "cpe:/a:google:chrome",
                        vulnerable: true,
                     },
                     {
                        cpe22Uri: "cpe:/a:mozilla:firefox",
                        vulnerable: true,
                     },
                     {
                        cpe22Uri: "cpe:/a:opera:opera_browser",
                        vulnerable: true,
                     },
                     {
                        cpe22Uri: "cpe:/a:apple:safari",
                        vulnerable: true,
                     },
                     {
                        cpe22Uri: "cpe:/a:microsoft:internet_explorer",
                        vulnerable: true,
                     },
                  ],
                  operator: "OR",
               },
            ],
         },
      ],
      sources: [
         {
            db: "JVNDB",
            id: "JVNDB-2015-007257",
         },
      ],
   },
   credits: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/credits#",
         sources: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/ref/sources#",
            },
         },
      },
      data: "RISE GmbH",
      sources: [
         {
            db: "BID",
            id: "93071",
         },
      ],
      trust: 0.3,
   },
   cve: "CVE-2015-8960",
   cvss: {
      "@context": {
         cvssV2: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#",
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2",
         },
         cvssV3: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#",
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/",
         },
         severity: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/cvss/severity#",
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/severity",
         },
         sources: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/ref/sources#",
            },
            "@id": "https://www.variotdbs.pl/ref/sources",
         },
      },
      data: [
         {
            cvssV2: [
               {
                  accessComplexity: "MEDIUM",
                  accessVector: "NETWORK",
                  authentication: "NONE",
                  author: "nvd@nist.gov",
                  availabilityImpact: "PARTIAL",
                  baseScore: 6.8,
                  confidentialityImpact: "PARTIAL",
                  exploitabilityScore: 8.6,
                  id: "CVE-2015-8960",
                  impactScore: 6.4,
                  integrityImpact: "PARTIAL",
                  severity: "MEDIUM",
                  trust: 1.9,
                  vectorString: "AV:N/AC:M/Au:N/C:P/I:P/A:P",
                  version: "2.0",
               },
               {
                  accessComplexity: "MEDIUM",
                  accessVector: "NETWORK",
                  authentication: "NONE",
                  author: "VULHUB",
                  availabilityImpact: "PARTIAL",
                  baseScore: 6.8,
                  confidentialityImpact: "PARTIAL",
                  exploitabilityScore: 8.6,
                  id: "VHN-86921",
                  impactScore: 6.4,
                  integrityImpact: "PARTIAL",
                  severity: "MEDIUM",
                  trust: 0.1,
                  vectorString: "AV:N/AC:M/AU:N/C:P/I:P/A:P",
                  version: "2.0",
               },
            ],
            cvssV3: [
               {
                  attackComplexity: "HIGH",
                  attackVector: "NETWORK",
                  author: "nvd@nist.gov",
                  availabilityImpact: "HIGH",
                  baseScore: 8.1,
                  baseSeverity: "HIGH",
                  confidentialityImpact: "HIGH",
                  exploitabilityScore: 2.2,
                  id: "CVE-2015-8960",
                  impactScore: 5.9,
                  integrityImpact: "HIGH",
                  privilegesRequired: "NONE",
                  scope: "UNCHANGED",
                  trust: 1,
                  userInteraction: "NONE",
                  vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
                  version: "3.1",
               },
               {
                  attackComplexity: "High",
                  attackVector: "Network",
                  author: "NVD",
                  availabilityImpact: "High",
                  baseScore: 8.1,
                  baseSeverity: "High",
                  confidentialityImpact: "High",
                  exploitabilityScore: null,
                  id: "CVE-2015-8960",
                  impactScore: null,
                  integrityImpact: "High",
                  privilegesRequired: "None",
                  scope: "Unchanged",
                  trust: 0.8,
                  userInteraction: "None",
                  vectorString: "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
                  version: "3.0",
               },
            ],
            severity: [
               {
                  author: "nvd@nist.gov",
                  id: "CVE-2015-8960",
                  trust: 1,
                  value: "HIGH",
               },
               {
                  author: "NVD",
                  id: "CVE-2015-8960",
                  trust: 0.8,
                  value: "High",
               },
               {
                  author: "CNNVD",
                  id: "CNNVD-201609-496",
                  trust: 0.6,
                  value: "HIGH",
               },
               {
                  author: "VULHUB",
                  id: "VHN-86921",
                  trust: 0.1,
                  value: "MEDIUM",
               },
               {
                  author: "VULMON",
                  id: "CVE-2015-8960",
                  trust: 0.1,
                  value: "MEDIUM",
               },
            ],
         },
      ],
      sources: [
         {
            db: "VULHUB",
            id: "VHN-86921",
         },
         {
            db: "VULMON",
            id: "CVE-2015-8960",
         },
         {
            db: "JVNDB",
            id: "JVNDB-2015-007257",
         },
         {
            db: "CNNVD",
            id: "CNNVD-201609-496",
         },
         {
            db: "NVD",
            id: "CVE-2015-8960",
         },
      ],
   },
   description: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/description#",
         sources: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/ref/sources#",
            },
         },
      },
      data: "The TLS protocol 1.2 and earlier supports the rsa_fixed_dh, dss_fixed_dh, rsa_fixed_ecdh, and ecdsa_fixed_ecdh values for ClientCertificateType but does not directly document the ability to compute the master secret in certain situations with a client secret key and server public key but not a server secret key, which makes it easier for man-in-the-middle attackers to spoof TLS servers by leveraging knowledge of the secret key for an arbitrary installed client X.509 certificate, aka the \"Key Compromise Impersonation (KCI)\" issue. TLS is prone to security-bypass vulnerability. \nSuccessfully exploiting this issue may allow attackers to perform unauthorized actions by conducting a man-in-the-middle attack. This may lead to other attacks. TLS (full name Transport Layer Security) protocol is a set of protocols used to provide confidentiality and data integrity between two communication applications. There are security holes in TLS protocol 1.2 and earlier versions",
      sources: [
         {
            db: "NVD",
            id: "CVE-2015-8960",
         },
         {
            db: "JVNDB",
            id: "JVNDB-2015-007257",
         },
         {
            db: "BID",
            id: "93071",
         },
         {
            db: "VULHUB",
            id: "VHN-86921",
         },
         {
            db: "VULMON",
            id: "CVE-2015-8960",
         },
      ],
      trust: 2.07,
   },
   external_ids: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/external_ids#",
         data: {
            "@container": "@list",
         },
         sources: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/ref/sources#",
            },
         },
      },
      data: [
         {
            db: "NVD",
            id: "CVE-2015-8960",
            trust: 2.9,
         },
         {
            db: "BID",
            id: "93071",
            trust: 2.1,
         },
         {
            db: "OPENWALL",
            id: "OSS-SECURITY/2016/09/20/4",
            trust: 1.8,
         },
         {
            db: "JVNDB",
            id: "JVNDB-2015-007257",
            trust: 0.8,
         },
         {
            db: "CNNVD",
            id: "CNNVD-201609-496",
            trust: 0.7,
         },
         {
            db: "VULHUB",
            id: "VHN-86921",
            trust: 0.1,
         },
         {
            db: "VULMON",
            id: "CVE-2015-8960",
            trust: 0.1,
         },
      ],
      sources: [
         {
            db: "VULHUB",
            id: "VHN-86921",
         },
         {
            db: "VULMON",
            id: "CVE-2015-8960",
         },
         {
            db: "BID",
            id: "93071",
         },
         {
            db: "JVNDB",
            id: "JVNDB-2015-007257",
         },
         {
            db: "CNNVD",
            id: "CNNVD-201609-496",
         },
         {
            db: "NVD",
            id: "CVE-2015-8960",
         },
      ],
   },
   id: "VAR-201609-0068",
   iot: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/iot#",
         sources: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/ref/sources#",
            },
         },
      },
      data: true,
      sources: [
         {
            db: "VULHUB",
            id: "VHN-86921",
         },
      ],
      trust: 0.01,
   },
   last_update_date: "2024-11-23T22:30:57.799000Z",
   patch: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/patch#",
         data: {
            "@container": "@list",
         },
         sources: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/ref/sources#",
            },
         },
      },
      data: [
         {
            title: "Google Chrome",
            trust: 0.8,
            url: "https://www.google.com/intl/ja/chrome/browser/features.html",
         },
         {
            title: "Firefox",
            trust: 0.8,
            url: "https://www.mozilla.org/ja/firefox/desktop/",
         },
         {
            title: "Opera",
            trust: 0.8,
            url: "http://www.opera.com/ja",
         },
         {
            title: "Safari",
            trust: 0.8,
            url: "http://www.apple.com/jp/safari/",
         },
         {
            title: "Internet Explorer",
            trust: 0.8,
            url: "https://support.microsoft.com/ja-jp/products/internet-explorer",
         },
         {
            title: "TLS protocol Security vulnerabilities",
            trust: 0.6,
            url: "http://123.124.177.30/web/xxk/bdxqById.tag?id=64220",
         },
      ],
      sources: [
         {
            db: "JVNDB",
            id: "JVNDB-2015-007257",
         },
         {
            db: "CNNVD",
            id: "CNNVD-201609-496",
         },
      ],
   },
   problemtype_data: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
         sources: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/ref/sources#",
            },
         },
      },
      data: [
         {
            problemtype: "CWE-295",
            trust: 1.1,
         },
         {
            problemtype: "CWE-310",
            trust: 0.9,
         },
      ],
      sources: [
         {
            db: "VULHUB",
            id: "VHN-86921",
         },
         {
            db: "JVNDB",
            id: "JVNDB-2015-007257",
         },
         {
            db: "NVD",
            id: "CVE-2015-8960",
         },
      ],
   },
   references: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/references#",
         data: {
            "@container": "@list",
         },
         sources: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/ref/sources#",
            },
         },
      },
      data: [
         {
            trust: 2.6,
            url: "http://twitter.com/matthew_d_green/statuses/630908726950674433",
         },
         {
            trust: 2.6,
            url: "https://www.usenix.org/system/files/conference/woot15/woot15-paper-hlauschek.pdf",
         },
         {
            trust: 1.9,
            url: "http://www.securityfocus.com/bid/93071",
         },
         {
            trust: 1.8,
            url: "https://security.netapp.com/advisory/ntap-20180626-0002/",
         },
         {
            trust: 1.8,
            url: "https://kcitls.org",
         },
         {
            trust: 1.8,
            url: "http://www.openwall.com/lists/oss-security/2016/09/20/4",
         },
         {
            trust: 1.1,
            url: "https://kcitls.org/",
         },
         {
            trust: 0.8,
            url: "http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2015-8960",
         },
         {
            trust: 0.8,
            url: "http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2015-8960",
         },
         {
            trust: 0.3,
            url: "http://seclists.org/oss-sec/2016/q3/576",
         },
         {
            trust: 0.1,
            url: "https://cwe.mitre.org/data/definitions/310.html",
         },
         {
            trust: 0.1,
            url: "https://nvd.nist.gov",
         },
      ],
      sources: [
         {
            db: "VULHUB",
            id: "VHN-86921",
         },
         {
            db: "VULMON",
            id: "CVE-2015-8960",
         },
         {
            db: "BID",
            id: "93071",
         },
         {
            db: "JVNDB",
            id: "JVNDB-2015-007257",
         },
         {
            db: "CNNVD",
            id: "CNNVD-201609-496",
         },
         {
            db: "NVD",
            id: "CVE-2015-8960",
         },
      ],
   },
   sources: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/sources#",
         data: {
            "@container": "@list",
         },
      },
      data: [
         {
            db: "VULHUB",
            id: "VHN-86921",
         },
         {
            db: "VULMON",
            id: "CVE-2015-8960",
         },
         {
            db: "BID",
            id: "93071",
         },
         {
            db: "JVNDB",
            id: "JVNDB-2015-007257",
         },
         {
            db: "CNNVD",
            id: "CNNVD-201609-496",
         },
         {
            db: "NVD",
            id: "CVE-2015-8960",
         },
      ],
   },
   sources_release_date: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
         data: {
            "@container": "@list",
         },
      },
      data: [
         {
            date: "2016-09-21T00:00:00",
            db: "VULHUB",
            id: "VHN-86921",
         },
         {
            date: "2016-09-21T00:00:00",
            db: "VULMON",
            id: "CVE-2015-8960",
         },
         {
            date: "2016-09-19T00:00:00",
            db: "BID",
            id: "93071",
         },
         {
            date: "2016-09-27T00:00:00",
            db: "JVNDB",
            id: "JVNDB-2015-007257",
         },
         {
            date: "2016-09-21T00:00:00",
            db: "CNNVD",
            id: "CNNVD-201609-496",
         },
         {
            date: "2016-09-21T02:59:00.133000",
            db: "NVD",
            id: "CVE-2015-8960",
         },
      ],
   },
   sources_update_date: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
         data: {
            "@container": "@list",
         },
      },
      data: [
         {
            date: "2023-01-30T00:00:00",
            db: "VULHUB",
            id: "VHN-86921",
         },
         {
            date: "2018-06-28T00:00:00",
            db: "VULMON",
            id: "CVE-2015-8960",
         },
         {
            date: "2016-10-03T00:02:00",
            db: "BID",
            id: "93071",
         },
         {
            date: "2016-09-27T00:00:00",
            db: "JVNDB",
            id: "JVNDB-2015-007257",
         },
         {
            date: "2023-02-01T00:00:00",
            db: "CNNVD",
            id: "CNNVD-201609-496",
         },
         {
            date: "2024-11-21T02:39:32.840000",
            db: "NVD",
            id: "CVE-2015-8960",
         },
      ],
   },
   threat_type: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/threat_type#",
         sources: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/ref/sources#",
            },
         },
      },
      data: "remote",
      sources: [
         {
            db: "CNNVD",
            id: "CNNVD-201609-496",
         },
      ],
      trust: 0.6,
   },
   title: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/title#",
         sources: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/ref/sources#",
            },
         },
      },
      data: "TLS protocol vulnerability that allows impersonating a TLS server",
      sources: [
         {
            db: "JVNDB",
            id: "JVNDB-2015-007257",
         },
      ],
      trust: 0.8,
   },
   type: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/type#",
         sources: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/ref/sources#",
            },
         },
      },
      data: "trust management problem",
      sources: [
         {
            db: "CNNVD",
            id: "CNNVD-201609-496",
         },
      ],
      trust: 0.6,
   },
}

var-202202-0906
Vulnerability from variot

valid.c in libxml2 before 2.9.13 has a use-after-free of ID and IDREF attributes. Apple is aware of a report that this issue may have been actively exploited. This was addressed with improved input validation.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Gentoo Linux Security Advisory GLSA 202210-03

                                       https://security.gentoo.org/

Severity: High
Title: libxml2: Multiple Vulnerabilities
Date: October 16, 2022
Bugs: #833809, #842261, #865727
ID: 202210-03

Synopsis

Multiple vulnerabilities have been discovered in libxml2, the worst of which could result in arbitrary code execution.

Background

libxml2 is the XML C parser and toolkit developed for the GNOME project.

Affected packages

-------------------------------------------------------------------
 Package              /     Vulnerable     /            Unaffected
-------------------------------------------------------------------

  1  dev-libs/libxml2         < 2.10.2                    >= 2.10.2

Description

Multiple vulnerabilities have been discovered in libxml2. Please review the CVE identifiers referenced below for details.

Impact

Please review the referenced CVE identifiers for details.

Workaround

There is no known workaround at this time.

Resolution

All libxml2 users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-libs/libxml2-2.10.2"

References

[ 1 ] CVE-2022-23308
      https://nvd.nist.gov/vuln/detail/CVE-2022-23308
[ 2 ] CVE-2022-29824
      https://nvd.nist.gov/vuln/detail/CVE-2022-29824

Availability

This GLSA and any updates to it are available for viewing at the Gentoo Security Website:

https://security.gentoo.org/glsa/202210-03

Concerns?

Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us.

License

Copyright 2022 Gentoo Foundation, Inc; referenced text belongs to its owner(s).

The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

APPLE-SA-2022-05-16-2 macOS Monterey 12.4

macOS Monterey 12.4 addresses the following issues. Information about the security content is also available at https://support.apple.com/HT213257.

AMD Available for: macOS Monterey Impact: An application may be able to execute arbitrary code with kernel privileges Description: A memory corruption issue was addressed with improved state management. CVE-2022-26772: an anonymous researcher

AMD Available for: macOS Monterey Impact: An application may be able to execute arbitrary code with kernel privileges Description: A buffer overflow issue was addressed with improved memory handling. CVE-2022-26741: ABC Research s.r.o CVE-2022-26742: ABC Research s.r.o CVE-2022-26749: ABC Research s.r.o CVE-2022-26750: ABC Research s.r.o CVE-2022-26752: ABC Research s.r.o CVE-2022-26753: ABC Research s.r.o CVE-2022-26754: ABC Research s.r.o

apache Available for: macOS Monterey Impact: Multiple issues in apache Description: Multiple issues were addressed by updating apache to version 2.4.53. CVE-2021-44224 CVE-2021-44790 CVE-2022-22719 CVE-2022-22720 CVE-2022-22721

AppleGraphicsControl Available for: macOS Monterey Impact: Processing a maliciously crafted image may lead to arbitrary code execution Description: A memory corruption issue was addressed with improved input validation. CVE-2022-26751: Michael DePlante (@izobashi) of Trend Micro Zero Day Initiative

AppleScript Available for: macOS Monterey Impact: Processing a maliciously crafted AppleScript binary may result in unexpected application termination or disclosure of process memory Description: An out-of-bounds read issue was addressed with improved input validation. CVE-2022-26697: Qi Sun and Robert Ai of Trend Micro

AppleScript Available for: macOS Monterey Impact: Processing a maliciously crafted AppleScript binary may result in unexpected application termination or disclosure of process memory Description: An out-of-bounds read issue was addressed with improved bounds checking. CVE-2022-26698: Qi Sun of Trend Micro

AVEVideoEncoder Available for: macOS Monterey Impact: An application may be able to execute arbitrary code with kernel privileges Description: An out-of-bounds write issue was addressed with improved bounds checking. CVE-2022-26736: an anonymous researcher CVE-2022-26737: an anonymous researcher CVE-2022-26738: an anonymous researcher CVE-2022-26739: an anonymous researcher CVE-2022-26740: an anonymous researcher

Contacts Available for: macOS Monterey Impact: A plug-in may be able to inherit the application's permissions and access user data Description: This issue was addressed with improved checks. CVE-2022-26694: Wojciech Reguła (@_r3ggi) of SecuRing

CVMS Available for: macOS Monterey Impact: A malicious application may be able to gain root privileges Description: A memory initialization issue was addressed. CVE-2022-26721: Yonghwi Jin (@jinmo123) of Theori CVE-2022-26722: Yonghwi Jin (@jinmo123) of Theori

DriverKit Available for: macOS Monterey Impact: A malicious application may be able to execute arbitrary code with system privileges Description: An out-of-bounds access issue was addressed with improved bounds checking. CVE-2022-26763: Linus Henze of Pinauten GmbH (pinauten.de)

ImageIO Available for: macOS Monterey Impact: A remote attacker may be able to cause unexpected application termination or arbitrary code execution Description: An integer overflow issue was addressed with improved input validation. CVE-2022-26711: actae0n of Blacksun Hackers Club working with Trend Micro Zero Day Initiative

ImageIO Available for: macOS Monterey Impact: Photo location information may persist after it is removed with Preview Inspector Description: A logic issue was addressed with improved state management. CVE-2022-26725: Andrew Williams and Avi Drissman of Google

Intel Graphics Driver Available for: macOS Monterey Impact: A malicious application may be able to execute arbitrary code with kernel privileges Description: An out-of-bounds write issue was addressed with improved bounds checking. CVE-2022-26720: Liu Long of Ant Security Light-Year Lab

Intel Graphics Driver Available for: macOS Monterey Impact: A malicious application may be able to execute arbitrary code with kernel privileges Description: A memory corruption issue was addressed with improved input validation. CVE-2022-26769: Antonio Zekic (@antoniozekic)

Intel Graphics Driver Available for: macOS Monterey Impact: A malicious application may be able to execute arbitrary code with kernel privileges Description: An out-of-bounds read issue was addressed with improved input validation. CVE-2022-26770: Liu Long of Ant Security Light-Year Lab

Intel Graphics Driver Available for: macOS Monterey Impact: Processing maliciously crafted web content may lead to arbitrary code execution Description: An out-of-bounds write issue was addressed with improved input validation. CVE-2022-26748: Jeonghoon Shin of Theori working with Trend Micro Zero Day Initiative

Intel Graphics Driver Available for: macOS Monterey Impact: An application may be able to execute arbitrary code with kernel privileges Description: An out-of-bounds write issue was addressed with improved input validation. CVE-2022-26756: Jack Dates of RET2 Systems, Inc

IOKit Available for: macOS Monterey Impact: An application may be able to execute arbitrary code with kernel privileges Description: A race condition was addressed with improved locking. CVE-2022-26701: chenyuwang (@mzzzz__) of Tencent Security Xuanwu Lab

IOMobileFrameBuffer Available for: macOS Monterey Impact: An application may be able to execute arbitrary code with kernel privileges Description: A memory corruption issue was addressed with improved state management. CVE-2022-26768: an anonymous researcher

Kernel Available for: macOS Monterey Impact: An attacker that has already achieved code execution in macOS Recovery may be able to escalate to kernel privileges Description: An out-of-bounds write issue was addressed with improved bounds checking. CVE-2022-26743: Jordy Zomer (@pwningsystems)

Kernel Available for: macOS Monterey Impact: An application may be able to execute arbitrary code with kernel privileges Description: A memory corruption issue was addressed with improved validation. CVE-2022-26714: Peter Nguyễn Vũ Hoàng (@peternguyen14) of STAR Labs (@starlabs_sg)

Kernel Available for: macOS Monterey Impact: An application may be able to execute arbitrary code with kernel privileges Description: A use after free issue was addressed with improved memory management. CVE-2022-26757: Ned Williamson of Google Project Zero

Kernel Available for: macOS Monterey Impact: An attacker that has already achieved kernel code execution may be able to bypass kernel memory mitigations Description: A memory corruption issue was addressed with improved validation. CVE-2022-26764: Linus Henze of Pinauten GmbH (pinauten.de)

Kernel Available for: macOS Monterey Impact: A malicious attacker with arbitrary read and write capability may be able to bypass Pointer Authentication Description: A race condition was addressed with improved state handling. CVE-2022-26765: Linus Henze of Pinauten GmbH (pinauten.de)

LaunchServices Available for: macOS Monterey Impact: A sandboxed process may be able to circumvent sandbox restrictions Description: An access issue was addressed with additional sandbox restrictions on third-party applications. CVE-2022-26706: Arsenii Kostromin (0x3c3e)

LaunchServices Available for: macOS Monterey Impact: A malicious application may be able to bypass Privacy preferences Description: The issue was addressed with additional permissions checks. CVE-2022-26767: Wojciech Reguła (@_r3ggi) of SecuRing

libresolv Available for: macOS Monterey Impact: An attacker may be able to cause unexpected application termination or arbitrary code execution Description: This issue was addressed with improved checks. CVE-2022-26776: Zubair Ashraf of Crowdstrike, Max Shavrick (@_mxms) of the Google Security Team CVE-2022-26708: Max Shavrick (@_mxms) of the Google Security Team

libresolv Available for: macOS Monterey Impact: An attacker may be able to cause unexpected application termination or arbitrary code execution Description: An integer overflow was addressed with improved input validation. CVE-2022-26775: Max Shavrick (@_mxms) of the Google Security Team

LibreSSL Available for: macOS Monterey Impact: Processing a maliciously crafted certificate may lead to a denial of service Description: A denial of service issue was addressed with improved input validation. CVE-2022-0778

libxml2 Available for: macOS Monterey Impact: A remote attacker may be able to cause unexpected application termination or arbitrary code execution Description: A use after free issue was addressed with improved memory management. CVE-2022-23308

OpenSSL Available for: macOS Monterey Impact: Processing a maliciously crafted certificate may lead to a denial of service Description: This issue was addressed with improved checks. CVE-2022-0778

PackageKit Available for: macOS Monterey Impact: A malicious application may be able to modify protected parts of the file system Description: This issue was addressed by removing the vulnerable code. CVE-2022-26712: Mickey Jin (@patch1t)

PackageKit Available for: macOS Monterey Impact: A malicious application may be able to modify protected parts of the file system Description: This issue was addressed with improved entitlements. CVE-2022-26727: Mickey Jin (@patch1t)

Preview Available for: macOS Monterey Impact: A plug-in may be able to inherit the application's permissions and access user data Description: This issue was addressed with improved checks. CVE-2022-26693: Wojciech Reguła (@_r3ggi) of SecuRing

Printing Available for: macOS Monterey Impact: A malicious application may be able to bypass Privacy preferences Description: This issue was addressed by removing the vulnerable code. CVE-2022-26746: @gorelics

Safari Private Browsing Available for: macOS Monterey Impact: A malicious website may be able to track users in Safari private browsing mode Description: A logic issue was addressed with improved state management. CVE-2022-26731: an anonymous researcher

Security Available for: macOS Monterey Impact: A malicious app may be able to bypass signature validation Description: A certificate parsing issue was addressed with improved checks. CVE-2022-26766: Linus Henze of Pinauten GmbH (pinauten.de)

SMB Available for: macOS Monterey Impact: An application may be able to gain elevated privileges Description: An out-of-bounds write issue was addressed with improved bounds checking. CVE-2022-26715: Peter Nguyễn Vũ Hoàng of STAR Labs

SMB Available for: macOS Monterey Impact: An application may be able to gain elevated privileges Description: An out-of-bounds read issue was addressed with improved input validation. CVE-2022-26718: Peter Nguyễn Vũ Hoàng of STAR Labs

SMB Available for: macOS Monterey Impact: Mounting a maliciously crafted Samba network share may lead to arbitrary code execution Description: A memory corruption issue was addressed with improved input validation. CVE-2022-26723: Felix Poulin-Belanger

SoftwareUpdate Available for: macOS Monterey Impact: A malicious application may be able to access restricted files Description: This issue was addressed with improved entitlements. CVE-2022-26728: Mickey Jin (@patch1t)

Spotlight Available for: macOS Monterey Impact: An app may be able to gain elevated privileges Description: A validation issue existed in the handling of symlinks and was addressed with improved validation of symlinks. CVE-2022-26704: an anonymous researcher

TCC Available for: macOS Monterey Impact: An app may be able to capture a user's screen Description: This issue was addressed with improved checks. CVE-2022-26726: an anonymous researcher

Tcl Available for: macOS Monterey Impact: A malicious application may be able to break out of its sandbox Description: This issue was addressed with improved environment sanitization. CVE-2022-26755: Arsenii Kostromin (0x3c3e)

WebKit Available for: macOS Monterey Impact: Processing maliciously crafted web content may lead to code execution Description: A memory corruption issue was addressed with improved state management. WebKit Bugzilla: 238178 CVE-2022-26700: ryuzaki

WebKit Available for: macOS Monterey Impact: Processing maliciously crafted web content may lead to arbitrary code execution Description: A use after free issue was addressed with improved memory management. WebKit Bugzilla: 236950 CVE-2022-26709: Chijin Zhou of ShuiMuYuLin Ltd and Tsinghua wingtecher lab WebKit Bugzilla: 237475 CVE-2022-26710: Chijin Zhou of ShuiMuYuLin Ltd and Tsinghua wingtecher lab WebKit Bugzilla: 238171 CVE-2022-26717: Jeonghoon Shin of Theori

WebKit Available for: macOS Monterey Impact: Processing maliciously crafted web content may lead to arbitrary code execution Description: A memory corruption issue was addressed with improved state management. WebKit Bugzilla: 238183 CVE-2022-26716: SorryMybad (@S0rryMybad) of Kunlun Lab WebKit Bugzilla: 238699 CVE-2022-26719: Dongzhuo Zhao working with ADLab of Venustech

WebRTC Available for: macOS Monterey Impact: Video self-preview in a webRTC call may be interrupted if the user answers a phone call Description: A logic issue in the handling of concurrent media was addressed with improved state handling. WebKit Bugzilla: 237524 CVE-2022-22677: an anonymous researcher

Wi-Fi Available for: macOS Monterey Impact: A malicious application may disclose restricted memory Description: A memory corruption issue was addressed with improved validation. CVE-2022-26745: an anonymous researcher

Wi-Fi Available for: macOS Monterey Impact: An application may be able to execute arbitrary code with kernel privileges Description: A memory corruption issue was addressed with improved memory handling. CVE-2022-26761: Wang Yu of Cyberserval

Wi-Fi Available for: macOS Monterey Impact: A malicious application may be able to execute arbitrary code with system privileges Description: A memory corruption issue was addressed with improved memory handling. CVE-2022-26762: Wang Yu of Cyberserval

zip Available for: macOS Monterey Impact: Processing a maliciously crafted file may lead to a denial of service Description: A denial of service issue was addressed with improved state handling. CVE-2022-0530

zlib Available for: macOS Monterey Impact: An attacker may be able to cause unexpected application termination or arbitrary code execution Description: A memory corruption issue was addressed with improved input validation. CVE-2018-25032: Tavis Ormandy

zsh Available for: macOS Monterey Impact: A remote attacker may be able to cause arbitrary code execution Description: This issue was addressed by updating to zsh version 5.8.1. CVE-2021-45444

Additional recognition

AppleMobileFileIntegrity We would like to acknowledge Wojciech Reguła (@_r3ggi) of SecuRing for their assistance.

Bluetooth We would like to acknowledge Jann Horn of Project Zero for their assistance.

Calendar We would like to acknowledge Eugene Lim of Government Technology Agency of Singapore for their assistance.

FaceTime We would like to acknowledge Wojciech Reguła (@_r3ggi) of SecuRing for their assistance.

FileVault We would like to acknowledge Benjamin Adolphi of Promon Germany GmbH for their assistance.

Login Window We would like to acknowledge Csaba Fitzl (@theevilbit) of Offensive Security for their assistance.

Photo Booth We would like to acknowledge Wojciech Reguła (@_r3ggi) of SecuRing for their assistance.

System Preferences We would like to acknowledge Mohammad Tausif Siddiqui (@toshsiddiqui) and an anonymous researcher for their assistance.

WebKit We would like to acknowledge James Lee and an anonymous researcher for their assistance.

Wi-Fi We would like to acknowledge Dana Morrison for their assistance.

macOS Monterey 12.4 may be obtained from the Mac App Store or Apple's Software Downloads web site: https://support.apple.com/downloads/ All information is also posted on the Apple Security Updates web site: https://support.apple.com/en-us/HT201222.

This message is signed with Apple's Product Security PGP key, and details are available at: https://www.apple.com/support/security/pgp/

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEePiLW1MrMjw19XzoeC9qKD1prhgFAmKC1TUACgkQeC9qKD1p rhigoQ//cTnC2MOYau+vO6pv8PHMbeEWPPvtsGpemCNz4iChXRhVOHKxgMQAHEgg Ejpxvw5D1jg12wroXypL8ADOD1V20OA7u5A20Lip1NIDL145692jPfmGuNxqkRnI DyoykhUogRL8Yvzkd5P8D3Jlo0EzCa4ZhO4tqBwbrGQZRb7gHclMPtzlgt15ZIma mH42QGRkJcK8v4MWNIxvibnQPwx3we2k4T8FajBvoCxYinMOlg/j16hFREj8Src+ rQwKPV6JHiBBQ3LQpGeBlJrFLH72CyHbCu8IqWFYvvDXsT5Gr9JoagW7+g/9+8Wc 402HjkY4wOZrxIBtlaUlNFZuB1mtIv8amHn9AaVOK/7GALSP6MQzA+U3HUqd3hYV J23pw6iRWBTZZSmO31kdEGU/X9uDkDKJL6QxUfzVXPVmOs0VNMmOJUdTRKf3tdsa 5qnPcjowRONgltX8NqIP0q4aJPr1WigtFGyASIr3me/t9Ft7Kss4gJt7YLDsN6MZ opD8hTRHSAXAAYsA57omyo/DnmajHIbUGVEujzAh/DOEYxgT9aaaAHnkNuaQgIbs Z5g/dfhDaJodyk0q7BIeK+RPbkvrJvnoBWkRnAUaSgYMX14DQdExlBEvbpcPg71f LHzUlUewIuuP/57huTz/b4vEEke0JUwrWk6T1ACbndL3FsPIOX4= =jaCZ -----END PGP SIGNATURE-----

. Description:

Version 1.22.0 of the OpenShift Serverless Operator is supported on Red Hat OpenShift Container Platform versions 4.6, 4.7, 4.8, 4.9, and 4.10.

For more information, see the documentation linked in the Solution section. Bugs fixed (https://bugzilla.redhat.com/):

2020725 - CVE-2021-41771 golang: debug/macho: invalid dynamic symbol table command can cause panic
2020736 - CVE-2021-41772 golang: archive/zip: Reader.Open panics on empty string

  1. References:

https://access.redhat.com/security/cve/CVE-2018-25032 https://access.redhat.com/security/cve/CVE-2021-3999 https://access.redhat.com/security/cve/CVE-2021-23177 https://access.redhat.com/security/cve/CVE-2021-31566 https://access.redhat.com/security/cve/CVE-2021-41771 https://access.redhat.com/security/cve/CVE-2021-41772 https://access.redhat.com/security/cve/CVE-2021-45960 https://access.redhat.com/security/cve/CVE-2021-46143 https://access.redhat.com/security/cve/CVE-2022-0778 https://access.redhat.com/security/cve/CVE-2022-21426 https://access.redhat.com/security/cve/CVE-2022-21434 https://access.redhat.com/security/cve/CVE-2022-21443 https://access.redhat.com/security/cve/CVE-2022-21449 https://access.redhat.com/security/cve/CVE-2022-21476 https://access.redhat.com/security/cve/CVE-2022-21496 https://access.redhat.com/security/cve/CVE-2022-22822 https://access.redhat.com/security/cve/CVE-2022-22823 https://access.redhat.com/security/cve/CVE-2022-22824 https://access.redhat.com/security/cve/CVE-2022-22825 https://access.redhat.com/security/cve/CVE-2022-22826 https://access.redhat.com/security/cve/CVE-2022-22827 https://access.redhat.com/security/cve/CVE-2022-23218 https://access.redhat.com/security/cve/CVE-2022-23219 https://access.redhat.com/security/cve/CVE-2022-23308 https://access.redhat.com/security/cve/CVE-2022-23852 https://access.redhat.com/security/cve/CVE-2022-25235 https://access.redhat.com/security/cve/CVE-2022-25236 https://access.redhat.com/security/cve/CVE-2022-25315 For details about the security issues see these CVE pages: * https://access.redhat.com/security/updates/classification/#low * https://access.redhat.com/documentation/en-us/openshift_container_platform/4.6/html/serverless/index * https://access.redhat.com/documentation/en-us/openshift_container_platform/4.7/html/serverless/index * https://access.redhat.com/documentation/en-us/openshift_container_platform/4.8/html/serverless/index * 
https://access.redhat.com/documentation/en-us/openshift_container_platform/4.9/html/serverless/index * https://access.redhat.com/documentation/en-us/openshift_container_platform/4.10/html/serverless/index

  1. Summary:

The Migration Toolkit for Containers (MTC) 1.7.1 is now available. Description:

The Migration Toolkit for Containers (MTC) enables you to migrate Kubernetes resources, persistent volume data, and internal container images between OpenShift Container Platform clusters, using the MTC web console or the Kubernetes API.

Security Fix(es) from Bugzilla:

  • golang: net/http: Limit growth of header canonicalization cache (CVE-2021-44716)

  • golang: debug/macho: Invalid dynamic symbol table command can cause panic (CVE-2021-41771)

  • golang: archive/zip: Reader.Open panics on empty string (CVE-2021-41772)

  • golang: syscall: Don't close fd 0 on ForkExec error (CVE-2021-44717)

  • opencontainers: OCI manifest and index parsing confusion (CVE-2021-41190)

For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section. Solution:

For details on how to install and use MTC, refer to:

https://docs.openshift.com/container-platform/latest/migration_toolkit_for_containers/installing-mtc.html

  1. Bugs fixed (https://bugzilla.redhat.com/):

2020725 - CVE-2021-41771 golang: debug/macho: invalid dynamic symbol table command can cause panic 2020736 - CVE-2021-41772 golang: archive/zip: Reader.Open panics on empty string 2024938 - CVE-2021-41190 opencontainers: OCI manifest and index parsing confusion 2030801 - CVE-2021-44716 golang: net/http: limit growth of header canonicalization cache 2030806 - CVE-2021-44717 golang: syscall: don't close fd 0 on ForkExec error 2040378 - Don't allow Storage class conversion migration if source cluster has only one storage class defined [backend] 2057516 - [MTC UI] UI should not allow PVC mapping for Full migration 2060244 - [MTC] DIM registry route need to be exposed to create inter-cluster state migration plans 2060717 - [MTC] Registry pod goes in CrashLoopBackOff several times when MCG Nooba is used as the Replication Repository 2061347 - [MTC] Log reader pod is missing velero and restic pod logs. 2061653 - [MTC UI] Migration Resources section showing pods from other namespaces 2062682 - [MTC] Destination storage class non-availability warning visible in Intra-cluster source to source state-migration migplan. 2065837 - controller_config.yml.j2 merge type should be set to merge (currently using the default strategic) 2071000 - Storage Conversion: UI doesn't have the ability to skip PVC 2072036 - Migration plan for storage conversion cannot be created if there's no replication repository 2072186 - Wrong migration type description 2072684 - Storage Conversion: PersistentVolumeClaimTemplates in StatefulSets are not updated automatically after migration 2073496 - Errors in rsync pod creation are not printed in the controller logs 2079814 - [MTC UI] Intra-cluster state migration plan showing a warning on PersistentVolumes page

  1. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256

===================================================================== Red Hat Security Advisory

Synopsis: Moderate: Red Hat Advanced Cluster Management 2.4.3 security updates and bug fixes Advisory ID: RHSA-2022:1476-01 Product: Red Hat ACM Advisory URL: https://access.redhat.com/errata/RHSA-2022:1476 Issue date: 2022-04-20 CVE Names: CVE-2021-0920 CVE-2021-3999 CVE-2021-4154 CVE-2021-23177 CVE-2021-23566 CVE-2021-31566 CVE-2021-41190 CVE-2021-43565 CVE-2021-45960 CVE-2021-46143 CVE-2022-0144 CVE-2022-0155 CVE-2022-0235 CVE-2022-0261 CVE-2022-0318 CVE-2022-0330 CVE-2022-0359 CVE-2022-0361 CVE-2022-0392 CVE-2022-0413 CVE-2022-0435 CVE-2022-0492 CVE-2022-0516 CVE-2022-0536 CVE-2022-0778 CVE-2022-0811 CVE-2022-0847 CVE-2022-22822 CVE-2022-22823 CVE-2022-22824 CVE-2022-22825 CVE-2022-22826 CVE-2022-22827 CVE-2022-22942 CVE-2022-23218 CVE-2022-23219 CVE-2022-23308 CVE-2022-23852 CVE-2022-24450 CVE-2022-24778 CVE-2022-25235 CVE-2022-25236 CVE-2022-25315 CVE-2022-27191 =====================================================================

  1. Summary:

Red Hat Advanced Cluster Management for Kubernetes 2.4.3 General Availability release images. This update provides security fixes, bug fixes, and updates the container images.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE links in the References section.

  1. Description:

Red Hat Advanced Cluster Management for Kubernetes 2.4.3 images

Red Hat Advanced Cluster Management for Kubernetes provides the capabilities to address common challenges that administrators and site reliability engineers face as they work across a range of public and private cloud environments. Clusters and applications are all visible and managed from a single console—with security policy built in.

This advisory contains the container images for Red Hat Advanced Cluster Management for Kubernetes, which provide some security fixes and bug fixes. See the following Release Notes documentation, which will be updated shortly for this release, for additional details about this release:

https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.4/html/release_notes/

Security updates:

  • golang.org/x/crypto: empty plaintext packet causes panic (CVE-2021-43565)

  • nats-server: misusing the "dynamically provisioned sandbox accounts" feature authenticated user can obtain the privileges of the System account (CVE-2022-24450)

  • nanoid: Information disclosure via valueOf() function (CVE-2021-23566)

  • nodejs-shelljs: improper privilege management (CVE-2022-0144)

  • search-ui-container: follow-redirects: Exposure of Private Personal Information to an Unauthorized Actor (CVE-2022-0155)

  • node-fetch: exposure of sensitive information to an unauthorized actor (CVE-2022-0235)

  • follow-redirects: Exposure of Sensitive Information via Authorization Header leak (CVE-2022-0536)

  • openssl: Infinite loop in BN_mod_sqrt() reachable when parsing certificates (CVE-2022-0778)

  • imgcrypt: Unauthorized access to encrypted container image on a shared system due to missing check in CheckAuthorization() code path (CVE-2022-24778)

  • golang: crash in a golang.org/x/crypto/ssh server (CVE-2022-27191)

  • opencontainers: OCI manifest and index parsing confusion (CVE-2021-41190)

Related bugs:

  • RHACM 2.4.3 image files (BZ #2057249)

  • Observability - dashboard name contains / would cause error when generating dashboard cm (BZ #2032128)

  • ACM application placement fails after renaming the application name (BZ #2033051)

  • Disable the obs metric collect should not impact the managed cluster upgrade (BZ #2039197)

  • Observability - cluster list should only contain OCP311 cluster on OCP311 dashboard (BZ #2039820)

  • The value of name label changed from clusterclaim name to cluster name (BZ #2042223)

  • VMWare Cluster creation does not accept ecdsa-sha2-nistp521 ssh keys (BZ #2048500)

  • clusterSelector matchLabels spec are cleared when changing app name/namespace during creating an app in UI (BZ #2053211)

  • Application cluster status is not updated in UI after restoring (BZ #2053279)

  • OpenStack cluster creation is using deprecated floating IP config for 4.7+ (BZ #2056610)

  • The value of Vendor reported by cluster metrics was Other even if the vendor label in managedcluster was Openshift (BZ #2059039)

  • Subscriptions stop reconciling after channel secrets are recreated (BZ #2059954)

  • Placementrule is not reconciling on a new fresh environment (BZ #2074156)

  • The cluster claimed from clusterpool cannot auto imported (BZ #2074543)

  • Solution:

For Red Hat Advanced Cluster Management for Kubernetes, see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:

https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.4/html/release_notes/index

For details on how to apply this update, refer to:

https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.4/html-single/install/index#installing

  1. Bugs fixed (https://bugzilla.redhat.com/):

2024938 - CVE-2021-41190 opencontainers: OCI manifest and index parsing confusion 2030787 - CVE-2021-43565 golang.org/x/crypto: empty plaintext packet causes panic 2032128 - Observability - dashboard name contains / would cause error when generating dashboard cm 2033051 - ACM application placement fails after renaming the application name 2039197 - disable the obs metric collect should not impact the managed cluster upgrade 2039820 - Observability - cluster list should only contain OCP311 cluster on OCP311 dashboard 2042223 - the value of name label changed from clusterclaim name to cluster name 2043535 - CVE-2022-0144 nodejs-shelljs: improper privilege management 2044556 - CVE-2022-0155 follow-redirects: Exposure of Private Personal Information to an Unauthorized Actor 2044591 - CVE-2022-0235 node-fetch: exposure of sensitive information to an unauthorized actor 2048500 - VMWare Cluster creation does not accept ecdsa-sha2-nistp521 ssh keys 2050853 - CVE-2021-23566 nanoid: Information disclosure via valueOf() function 2052573 - CVE-2022-24450 nats-server: misusing the "dynamically provisioned sandbox accounts" feature authenticated user can obtain the privileges of the System account 2053211 - clusterSelector matchLabels spec are cleared when changing app name/namespace during creating an app in UI 2053259 - CVE-2022-0536 follow-redirects: Exposure of Sensitive Information via Authorization Header leak 2053279 - Application cluster status is not updated in UI after restoring 2056610 - OpenStack cluster creation is using deprecated floating IP config for 4.7+ 2057249 - RHACM 2.4.3 images 2059039 - The value of Vendor reported by cluster metrics was Other even if the vendor label in managedcluster was Openshift 2059954 - Subscriptions stop reconciling after channel secrets are recreated 2062202 - CVE-2022-0778 openssl: Infinite loop in BN_mod_sqrt() reachable when parsing certificates 2064702 - CVE-2022-27191 golang: crash in a golang.org/x/crypto/ssh server 2069368 
- CVE-2022-24778 imgcrypt: Unauthorized access to encrypted container image on a shared system due to missing check in CheckAuthorization() code path 2074156 - Placementrule is not reconciling on a new fresh environment 2074543 - The cluster claimed from clusterpool can not auto imported

  1. References:

https://access.redhat.com/security/cve/CVE-2021-0920 https://access.redhat.com/security/cve/CVE-2021-3999 https://access.redhat.com/security/cve/CVE-2021-4154 https://access.redhat.com/security/cve/CVE-2021-23177 https://access.redhat.com/security/cve/CVE-2021-23566 https://access.redhat.com/security/cve/CVE-2021-31566 https://access.redhat.com/security/cve/CVE-2021-41190 https://access.redhat.com/security/cve/CVE-2021-43565 https://access.redhat.com/security/cve/CVE-2021-45960 https://access.redhat.com/security/cve/CVE-2021-46143 https://access.redhat.com/security/cve/CVE-2022-0144 https://access.redhat.com/security/cve/CVE-2022-0155 https://access.redhat.com/security/cve/CVE-2022-0235 https://access.redhat.com/security/cve/CVE-2022-0261 https://access.redhat.com/security/cve/CVE-2022-0318 https://access.redhat.com/security/cve/CVE-2022-0330 https://access.redhat.com/security/cve/CVE-2022-0359 https://access.redhat.com/security/cve/CVE-2022-0361 https://access.redhat.com/security/cve/CVE-2022-0392 https://access.redhat.com/security/cve/CVE-2022-0413 https://access.redhat.com/security/cve/CVE-2022-0435 https://access.redhat.com/security/cve/CVE-2022-0492 https://access.redhat.com/security/cve/CVE-2022-0516 https://access.redhat.com/security/cve/CVE-2022-0536 https://access.redhat.com/security/cve/CVE-2022-0778 https://access.redhat.com/security/cve/CVE-2022-0811 https://access.redhat.com/security/cve/CVE-2022-0847 https://access.redhat.com/security/cve/CVE-2022-22822 https://access.redhat.com/security/cve/CVE-2022-22823 https://access.redhat.com/security/cve/CVE-2022-22824 https://access.redhat.com/security/cve/CVE-2022-22825 https://access.redhat.com/security/cve/CVE-2022-22826 https://access.redhat.com/security/cve/CVE-2022-22827 https://access.redhat.com/security/cve/CVE-2022-22942 https://access.redhat.com/security/cve/CVE-2022-23218 https://access.redhat.com/security/cve/CVE-2022-23219 https://access.redhat.com/security/cve/CVE-2022-23308 
https://access.redhat.com/security/cve/CVE-2022-23852 https://access.redhat.com/security/cve/CVE-2022-24450 https://access.redhat.com/security/cve/CVE-2022-24778 https://access.redhat.com/security/cve/CVE-2022-25235 https://access.redhat.com/security/cve/CVE-2022-25236 https://access.redhat.com/security/cve/CVE-2022-25315 https://access.redhat.com/security/cve/CVE-2022-27191 https://access.redhat.com/security/updates/classification/#moderate https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.4/html/release_notes/index https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.4/html-single/install/index#installing

  1. Contact:

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc. See the following Release Notes documentation, which will be updated shortly for this release, for additional details about this release:

https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.3/html/release_notes/

Security updates:

  • nanoid: Information disclosure via valueOf() function (CVE-2021-23566)

  • nodejs-shelljs: improper privilege management (CVE-2022-0144)

  • follow-redirects: Exposure of Private Personal Information to an Unauthorized Actor (CVE-2022-0155)

  • node-fetch: exposure of sensitive information to an unauthorized actor (CVE-2022-0235)

  • follow-redirects: Exposure of Sensitive Information via Authorization Header leak (CVE-2022-0536)

Bug fix:

  • RHACM 2.3.8 images (Bugzilla #2062316)

  • Bugs fixed (https://bugzilla.redhat.com/):

2043535 - CVE-2022-0144 nodejs-shelljs: improper privilege management 2044556 - CVE-2022-0155 follow-redirects: Exposure of Private Personal Information to an Unauthorized Actor 2044591 - CVE-2022-0235 node-fetch: exposure of sensitive information to an unauthorized actor 2050853 - CVE-2021-23566 nanoid: Information disclosure via valueOf() function 2053259 - CVE-2022-0536 follow-redirects: Exposure of Sensitive Information via Authorization Header leak 2062316 - RHACM 2.3.8 images

5



{
   "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
      affected_products: {
         "@id": "https://www.variotdbs.pl/ref/affected_products",
      },
      configurations: {
         "@id": "https://www.variotdbs.pl/ref/configurations",
      },
      credits: {
         "@id": "https://www.variotdbs.pl/ref/credits",
      },
      cvss: {
         "@id": "https://www.variotdbs.pl/ref/cvss/",
      },
      description: {
         "@id": "https://www.variotdbs.pl/ref/description/",
      },
      exploit_availability: {
         "@id": "https://www.variotdbs.pl/ref/exploit_availability/",
      },
      external_ids: {
         "@id": "https://www.variotdbs.pl/ref/external_ids/",
      },
      iot: {
         "@id": "https://www.variotdbs.pl/ref/iot/",
      },
      iot_taxonomy: {
         "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/",
      },
      patch: {
         "@id": "https://www.variotdbs.pl/ref/patch/",
      },
      problemtype_data: {
         "@id": "https://www.variotdbs.pl/ref/problemtype_data/",
      },
      references: {
         "@id": "https://www.variotdbs.pl/ref/references/",
      },
      sources: {
         "@id": "https://www.variotdbs.pl/ref/sources/",
      },
      sources_release_date: {
         "@id": "https://www.variotdbs.pl/ref/sources_release_date/",
      },
      sources_update_date: {
         "@id": "https://www.variotdbs.pl/ref/sources_update_date/",
      },
      threat_type: {
         "@id": "https://www.variotdbs.pl/ref/threat_type/",
      },
      title: {
         "@id": "https://www.variotdbs.pl/ref/title/",
      },
      type: {
         "@id": "https://www.variotdbs.pl/ref/type/",
      },
   },
   "@id": "https://www.variotdbs.pl/vuln/VAR-202202-0906",
   affected_products: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/affected_products#",
         data: {
            "@container": "@list",
         },
         sources: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/ref/sources#",
            },
            "@id": "https://www.variotdbs.pl/ref/sources",
         },
      },
      data: [
         {
            model: "h700s",
            scope: "eq",
            trust: 1,
            vendor: "netapp",
            version: null,
         },
         {
            model: "macos",
            scope: "gte",
            trust: 1,
            vendor: "apple",
            version: "12.0",
         },
         {
            model: "mac os x",
            scope: "eq",
            trust: 1,
            vendor: "apple",
            version: "10.15.7",
         },
         {
            model: "mac os x",
            scope: "lt",
            trust: 1,
            vendor: "apple",
            version: "10.15.7",
         },
         {
            model: "fedora",
            scope: "eq",
            trust: 1,
            vendor: "fedoraproject",
            version: "34",
         },
         {
            model: "bootstrap os",
            scope: "eq",
            trust: 1,
            vendor: "netapp",
            version: null,
         },
         {
            model: "communications cloud native core network repository function",
            scope: "eq",
            trust: 1,
            vendor: "oracle",
            version: "22.1.2",
         },
         {
            model: "macos",
            scope: "gte",
            trust: 1,
            vendor: "apple",
            version: "11.6.0",
         },
         {
            model: "linux",
            scope: "eq",
            trust: 1,
            vendor: "debian",
            version: "9.0",
         },
         {
            model: "solidfire \\& hci management node",
            scope: "eq",
            trust: 1,
            vendor: "netapp",
            version: null,
         },
         {
            model: "clustered data ontap",
            scope: "eq",
            trust: 1,
            vendor: "netapp",
            version: null,
         },
         {
            model: "libxml2",
            scope: "lt",
            trust: 1,
            vendor: "xmlsoft",
            version: "2.9.13",
         },
         {
            model: "h300e",
            scope: "eq",
            trust: 1,
            vendor: "netapp",
            version: null,
         },
         {
            model: "snapdrive",
            scope: "eq",
            trust: 1,
            vendor: "netapp",
            version: null,
         },
         {
            model: "communications cloud native core network slice selection function",
            scope: "eq",
            trust: 1,
            vendor: "oracle",
            version: "22.1.1",
         },
         {
            model: "zfs storage appliance kit",
            scope: "eq",
            trust: 1,
            vendor: "oracle",
            version: "8.8",
         },
         {
            model: "macos",
            scope: "lt",
            trust: 1,
            vendor: "apple",
            version: "12.4",
         },
         {
            model: "h700e",
            scope: "eq",
            trust: 1,
            vendor: "netapp",
            version: null,
         },
         {
            model: "mac os x",
            scope: "gte",
            trust: 1,
            vendor: "apple",
            version: "10.15.0",
         },
         {
            model: "solidfire\\, enterprise sds \\& hci storage node",
            scope: "eq",
            trust: 1,
            vendor: "netapp",
            version: null,
         },
         {
            model: "tvos",
            scope: "lt",
            trust: 1,
            vendor: "apple",
            version: "15.5",
         },
         {
            model: "mysql workbench",
            scope: "lte",
            trust: 1,
            vendor: "oracle",
            version: "8.0.29",
         },
         {
            model: "smi-s provider",
            scope: "eq",
            trust: 1,
            vendor: "netapp",
            version: null,
         },
         {
            model: "communications cloud native core binding support function",
            scope: "eq",
            trust: 1,
            vendor: "oracle",
            version: "22.2.0",
         },
         {
            model: "h410c",
            scope: "eq",
            trust: 1,
            vendor: "netapp",
            version: null,
         },
         {
            model: "communications cloud native core network repository function",
            scope: "eq",
            trust: 1,
            vendor: "oracle",
            version: "22.2.0",
         },
         {
            model: "clustered data ontap antivirus connector",
            scope: "eq",
            trust: 1,
            vendor: "netapp",
            version: null,
         },
         {
            model: "snapmanager",
            scope: "eq",
            trust: 1,
            vendor: "netapp",
            version: null,
         },
         {
            model: "active iq unified manager",
            scope: "eq",
            trust: 1,
            vendor: "netapp",
            version: null,
         },
         {
            model: "h500e",
            scope: "eq",
            trust: 1,
            vendor: "netapp",
            version: null,
         },
         {
            model: "communications cloud native core unified data repository",
            scope: "eq",
            trust: 1,
            vendor: "oracle",
            version: "22.2.0",
         },
         {
            model: "watchos",
            scope: "lt",
            trust: 1,
            vendor: "apple",
            version: "8.6",
         },
         {
            model: "manageability software development kit",
            scope: "eq",
            trust: 1,
            vendor: "netapp",
            version: null,
         },
         {
            model: "h300s",
            scope: "eq",
            trust: 1,
            vendor: "netapp",
            version: null,
         },
         {
            model: "ipados",
            scope: "lt",
            trust: 1,
            vendor: "apple",
            version: "15.5",
         },
         {
            model: "h500s",
            scope: "eq",
            trust: 1,
            vendor: "netapp",
            version: null,
         },
         {
            model: "iphone os",
            scope: "lt",
            trust: 1,
            vendor: "apple",
            version: "15.5",
         },
         {
            model: "macos",
            scope: "lt",
            trust: 1,
            vendor: "apple",
            version: "11.6.6",
         },
         {
            model: "communications cloud native core network function cloud native environment",
            scope: "eq",
            trust: 1,
            vendor: "oracle",
            version: "22.1.0",
         },
         {
            model: "h410s",
            scope: "eq",
            trust: 1,
            vendor: "netapp",
            version: null,
         },
         {
            model: "ontap select deploy administration utility",
            scope: "eq",
            trust: 1,
            vendor: "netapp",
            version: null,
         },
      ],
      sources: [
         {
            db: "NVD",
            id: "CVE-2022-23308",
         },
      ],
   },
   credits: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/credits#",
         sources: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/ref/sources#",
            },
         },
      },
      data: "Red Hat",
      sources: [
         {
            db: "PACKETSTORM",
            id: "167008",
         },
         {
            db: "PACKETSTORM",
            id: "166976",
         },
         {
            db: "PACKETSTORM",
            id: "166812",
         },
         {
            db: "PACKETSTORM",
            id: "166516",
         },
      ],
      trust: 0.4,
   },
   cve: "CVE-2022-23308",
   cvss: {
      "@context": {
         cvssV2: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#",
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2",
         },
         cvssV3: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#",
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/",
         },
         severity: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/cvss/severity#",
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/severity",
         },
         sources: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/ref/sources#",
            },
            "@id": "https://www.variotdbs.pl/ref/sources",
         },
      },
      data: [
         {
            cvssV2: [
               {
                  accessComplexity: "MEDIUM",
                  accessVector: "NETWORK",
                  authentication: "NONE",
                  author: "nvd@nist.gov",
                  availabilityImpact: "PARTIAL",
                  baseScore: 4.3,
                  confidentialityImpact: "NONE",
                  exploitabilityScore: 8.6,
                  id: "CVE-2022-23308",
                  impactScore: 2.9,
                  integrityImpact: "NONE",
                  severity: "MEDIUM",
                  trust: 1.1,
                  vectorString: "AV:N/AC:M/Au:N/C:N/I:N/A:P",
                  version: "2.0",
               },
               {
                  accessComplexity: "MEDIUM",
                  accessVector: "NETWORK",
                  authentication: "NONE",
                  author: "VULHUB",
                  availabilityImpact: "PARTIAL",
                  baseScore: 4.3,
                  confidentialityImpact: "NONE",
                  exploitabilityScore: 8.6,
                  id: "VHN-412332",
                  impactScore: 2.9,
                  integrityImpact: "NONE",
                  severity: "MEDIUM",
                  trust: 0.1,
                  vectorString: "AV:N/AC:M/AU:N/C:N/I:N/A:P",
                  version: "2.0",
               },
            ],
            cvssV3: [
               {
                  attackComplexity: "LOW",
                  attackVector: "NETWORK",
                  author: "nvd@nist.gov",
                  availabilityImpact: "HIGH",
                  baseScore: 7.5,
                  baseSeverity: "HIGH",
                  confidentialityImpact: "NONE",
                  exploitabilityScore: 3.9,
                  id: "CVE-2022-23308",
                  impactScore: 3.6,
                  integrityImpact: "NONE",
                  privilegesRequired: "NONE",
                  scope: "UNCHANGED",
                  trust: 1,
                  userInteraction: "NONE",
                  vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                  version: "3.1",
               },
            ],
            severity: [
               {
                  author: "nvd@nist.gov",
                  id: "CVE-2022-23308",
                  trust: 1,
                  value: "HIGH",
               },
               {
                  author: "CNNVD",
                  id: "CNNVD-202202-1722",
                  trust: 0.6,
                  value: "HIGH",
               },
               {
                  author: "VULHUB",
                  id: "VHN-412332",
                  trust: 0.1,
                  value: "MEDIUM",
               },
               {
                  author: "VULMON",
                  id: "CVE-2022-23308",
                  trust: 0.1,
                  value: "MEDIUM",
               },
            ],
         },
      ],
      sources: [
         {
            db: "VULHUB",
            id: "VHN-412332",
         },
         {
            db: "VULMON",
            id: "CVE-2022-23308",
         },
         {
            db: "CNNVD",
            id: "CNNVD-202202-1722",
         },
         {
            db: "NVD",
            id: "CVE-2022-23308",
         },
      ],
   },
   description: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/description#",
         sources: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/ref/sources#",
            },
         },
      },
      data: "valid.c in libxml2 before 2.9.13 has a use-after-free of ID and IDREF attributes. Apple is aware of a report that this issue may\nhave been actively exploited. This was addressed with improved input\nvalidation. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\nGentoo Linux Security Advisory                           GLSA 202210-03\n- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\n                                           https://security.gentoo.org/\n- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\n\n Severity: High\n    Title: libxml2: Multiple Vulnerabilities\n     Date: October 16, 2022\n     Bugs: #833809, #842261, #865727\n       ID: 202210-03\n\n- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\n\nSynopsis\n========\n\nMultiple vulnerabilities have been discovered in libxml2, the worst of\nwhich could result in arbitrary code execution. \n\nBackground\n==========\n\nlibxml2 is the XML C parser and toolkit developed for the GNOME project. \n\nAffected packages\n=================\n\n    -------------------------------------------------------------------\n     Package              /     Vulnerable     /            Unaffected\n    -------------------------------------------------------------------\n  1  dev-libs/libxml2           < 2.10.2                    >= 2.10.2\n\nDescription\n===========\n\nMultiple vulnerabilities have been discovered in libxml2. Please review\nthe CVE identifiers referenced below for details. \n\nImpact\n======\n\nPlease review the referenced CVE identifiers for details. \n\nWorkaround\n==========\n\nThere is no known workaround at this time. 
\n\nResolution\n==========\n\nAll libxml2 users should upgrade to the latest version:\n\n  # emerge --sync\n  # emerge --ask --oneshot --verbose \">=dev-libs/libxml2-2.10.2\"\n\nReferences\n==========\n\n[ 1 ] CVE-2022-23308\n      https://nvd.nist.gov/vuln/detail/CVE-2022-23308\n[ 2 ] CVE-2022-29824\n      https://nvd.nist.gov/vuln/detail/CVE-2022-29824\n\nAvailability\n============\n\nThis GLSA and any updates to it are available for viewing at\nthe Gentoo Security Website:\n\n https://security.gentoo.org/glsa/202210-03\n\nConcerns?\n=========\n\nSecurity is a primary focus of Gentoo Linux and ensuring the\nconfidentiality and security of our users' machines is of utmost\nimportance to us. \n\nLicense\n=======\n\nCopyright 2022 Gentoo Foundation, Inc; referenced text\nbelongs to its owner(s). \n\nThe contents of this document are licensed under the\nCreative Commons - Attribution / Share Alike license. \n\nhttps://creativecommons.org/licenses/by-sa/2.5\n. -----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA256\n\nAPPLE-SA-2022-05-16-2 macOS Monterey 12.4\n\nmacOS Monterey 12.4 addresses the following issues. \nInformation about the security content is also available at\nhttps://support.apple.com/HT213257. \n\nAMD\nAvailable for: macOS Monterey\nImpact: An application may be able to execute arbitrary code with\nkernel privileges\nDescription: A memory corruption issue was addressed with improved\nstate management. \nCVE-2022-26772: an anonymous researcher\n\nAMD\nAvailable for: macOS Monterey\nImpact: An application may be able to execute arbitrary code with\nkernel privileges\nDescription: A buffer overflow issue was addressed with improved\nmemory handling. 
\nCVE-2022-26741: ABC Research s.r.o\nCVE-2022-26742: ABC Research s.r.o\nCVE-2022-26749: ABC Research s.r.o\nCVE-2022-26750: ABC Research s.r.o\nCVE-2022-26752: ABC Research s.r.o\nCVE-2022-26753: ABC Research s.r.o\nCVE-2022-26754: ABC Research s.r.o\n\napache\nAvailable for: macOS Monterey\nImpact: Multiple issues in apache\nDescription: Multiple issues were addressed by updating apache to\nversion 2.4.53. \nCVE-2021-44224\nCVE-2021-44790\nCVE-2022-22719\nCVE-2022-22720\nCVE-2022-22721\n\nAppleGraphicsControl\nAvailable for: macOS Monterey\nImpact: Processing a maliciously crafted image may lead to arbitrary\ncode execution\nDescription: A memory corruption issue was addressed with improved\ninput validation. \nCVE-2022-26751: Michael DePlante (@izobashi) of Trend Micro Zero Day\nInitiative\n\nAppleScript\nAvailable for: macOS Monterey\nImpact: Processing a maliciously crafted AppleScript binary may\nresult in unexpected application termination or disclosure of process\nmemory\nDescription: An out-of-bounds read issue was addressed with improved\ninput validation. \nCVE-2022-26697: Qi Sun and Robert Ai of Trend Micro\n\nAppleScript\nAvailable for: macOS Monterey\nImpact: Processing a maliciously crafted AppleScript binary may\nresult in unexpected application termination or disclosure of process\nmemory\nDescription: An out-of-bounds read issue was addressed with improved\nbounds checking. \nCVE-2022-26698: Qi Sun of Trend Micro\n\nAVEVideoEncoder\nAvailable for: macOS Monterey\nImpact: An application may be able to execute arbitrary code with\nkernel privileges\nDescription: An out-of-bounds write issue was addressed with improved\nbounds checking. 
\nCVE-2022-26736: an anonymous researcher\nCVE-2022-26737: an anonymous researcher\nCVE-2022-26738: an anonymous researcher\nCVE-2022-26739: an anonymous researcher\nCVE-2022-26740: an anonymous researcher\n\nContacts\nAvailable for: macOS Monterey\nImpact: A plug-in may be able to inherit the application's\npermissions and access user data\nDescription: This issue was addressed with improved checks. \nCVE-2022-26694: Wojciech Reguła (@_r3ggi) of SecuRing\n\nCVMS\nAvailable for: macOS Monterey\nImpact: A malicious application may be able to gain root privileges\nDescription: A memory initialization issue was addressed. \nCVE-2022-26721: Yonghwi Jin (@jinmo123) of Theori\nCVE-2022-26722: Yonghwi Jin (@jinmo123) of Theori\n\nDriverKit\nAvailable for: macOS Monterey\nImpact: A malicious application may be able to execute arbitrary code\nwith system privileges\nDescription: An out-of-bounds access issue was addressed with\nimproved bounds checking. \nCVE-2022-26763: Linus Henze of Pinauten GmbH (pinauten.de)\n\nImageIO\nAvailable for: macOS Monterey\nImpact: A remote attacker may be able to cause unexpected application\ntermination or arbitrary code execution\nDescription: An integer overflow issue was addressed with improved\ninput validation. \nCVE-2022-26711: actae0n of Blacksun Hackers Club working with Trend\nMicro Zero Day Initiative\n\nImageIO\nAvailable for: macOS Monterey\nImpact: Photo location information may persist after it is removed\nwith Preview Inspector\nDescription: A logic issue was addressed with improved state\nmanagement. \nCVE-2022-26725: Andrew Williams and Avi Drissman of Google\n\nIntel Graphics Driver\nAvailable for: macOS Monterey\nImpact: A malicious application may be able to execute arbitrary code\nwith kernel privileges\nDescription: An out-of-bounds write issue was addressed with improved\nbounds checking. 
\nCVE-2022-26720: Liu Long of Ant Security Light-Year Lab\n\nIntel Graphics Driver\nAvailable for: macOS Monterey\nImpact: A malicious application may be able to execute arbitrary code\nwith kernel privileges\nDescription: A memory corruption issue was addressed with improved\ninput validation. \nCVE-2022-26769: Antonio Zekic (@antoniozekic)\n\nIntel Graphics Driver\nAvailable for: macOS Monterey\nImpact: A malicious application may be able to execute arbitrary code\nwith kernel privileges\nDescription: An out-of-bounds read issue was addressed with improved\ninput validation. \nCVE-2022-26770: Liu Long of Ant Security Light-Year Lab\n\nIntel Graphics Driver\nAvailable for: macOS Monterey\nImpact: Processing maliciously crafted web content may lead to\narbitrary code execution\nDescription: An out-of-bounds write issue was addressed with improved\ninput validation. \nCVE-2022-26748: Jeonghoon Shin of Theori working with Trend Micro\nZero Day Initiative\n\nIntel Graphics Driver\nAvailable for: macOS Monterey\nImpact: An application may be able to execute arbitrary code with\nkernel privileges\nDescription: An out-of-bounds write issue was addressed with improved\ninput validation. \nCVE-2022-26756: Jack Dates of RET2 Systems, Inc\n\nIOKit\nAvailable for: macOS Monterey\nImpact: An application may be able to execute arbitrary code with\nkernel privileges\nDescription: A race condition was addressed with improved locking. \nCVE-2022-26701: chenyuwang (@mzzzz__) of Tencent Security Xuanwu Lab\n\nIOMobileFrameBuffer\nAvailable for: macOS Monterey\nImpact: An application may be able to execute arbitrary code with\nkernel privileges\nDescription: A memory corruption issue was addressed with improved\nstate management. 
\nCVE-2022-26768: an anonymous researcher\n\nKernel\nAvailable for: macOS Monterey\nImpact: An attacker that has already achieved code execution in macOS\nRecovery may be able to escalate to kernel privileges\nDescription: An out-of-bounds write issue was addressed with improved\nbounds checking. \nCVE-2022-26743: Jordy Zomer (@pwningsystems)\n\nKernel\nAvailable for: macOS Monterey\nImpact: An application may be able to execute arbitrary code with\nkernel privileges\nDescription: A memory corruption issue was addressed with improved\nvalidation. \nCVE-2022-26714: Peter Nguyễn Vũ Hoàng (@peternguyen14) of STAR Labs\n(@starlabs_sg)\n\nKernel\nAvailable for: macOS Monterey\nImpact: An application may be able to execute arbitrary code with\nkernel privileges\nDescription: A use after free issue was addressed with improved\nmemory management. \nCVE-2022-26757: Ned Williamson of Google Project Zero\n\nKernel\nAvailable for: macOS Monterey\nImpact: An attacker that has already achieved kernel code execution\nmay be able to bypass kernel memory mitigations\nDescription: A memory corruption issue was addressed with improved\nvalidation. \nCVE-2022-26764: Linus Henze of Pinauten GmbH (pinauten.de)\n\nKernel\nAvailable for: macOS Monterey\nImpact: A malicious attacker with arbitrary read and write capability\nmay be able to bypass Pointer Authentication\nDescription: A race condition was addressed with improved state\nhandling. \nCVE-2022-26765: Linus Henze of Pinauten GmbH (pinauten.de)\n\nLaunchServices\nAvailable for: macOS Monterey\nImpact: A sandboxed process may be able to circumvent sandbox\nrestrictions\nDescription: An access issue was addressed with additional sandbox\nrestrictions on third-party applications. \nCVE-2022-26706: Arsenii Kostromin (0x3c3e)\n\nLaunchServices\nAvailable for: macOS Monterey\nImpact: A malicious application may be able to bypass Privacy\npreferences\nDescription: The issue was addressed with additional permissions\nchecks. 
\nCVE-2022-26767: Wojciech Reguła (@_r3ggi) of SecuRing\n\nlibresolv\nAvailable for: macOS Monterey\nImpact: An attacker may be able to cause unexpected application\ntermination or arbitrary code execution\nDescription: This issue was addressed with improved checks. \nCVE-2022-26776: Zubair Ashraf of Crowdstrike, Max Shavrick (@_mxms)\nof the Google Security Team\nCVE-2022-26708: Max Shavrick (@_mxms) of the Google Security Team\n\nlibresolv\nAvailable for: macOS Monterey\nImpact: An attacker may be able to cause unexpected application\ntermination or arbitrary code execution\nDescription: An integer overflow was addressed with improved input\nvalidation. \nCVE-2022-26775: Max Shavrick (@_mxms) of the Google Security Team\n\nLibreSSL\nAvailable for: macOS Monterey\nImpact: Processing a maliciously crafted certificate may lead to a\ndenial of service\nDescription: A denial of service issue was addressed with improved\ninput validation. \nCVE-2022-0778\n\nlibxml2\nAvailable for: macOS Monterey\nImpact: A remote attacker may be able to cause unexpected application\ntermination or arbitrary code execution\nDescription: A use after free issue was addressed with improved\nmemory management. \nCVE-2022-23308\n\nOpenSSL\nAvailable for: macOS Monterey\nImpact: Processing a maliciously crafted certificate may lead to a\ndenial of service\nDescription: This issue was addressed with improved checks. \nCVE-2022-0778\n\nPackageKit\nAvailable for: macOS Monterey\nImpact: A malicious application may be able to modify protected parts\nof the file system\nDescription: This issue was addressed by removing the vulnerable\ncode. \nCVE-2022-26712: Mickey Jin (@patch1t)\n\nPackageKit\nAvailable for: macOS Monterey\nImpact: A malicious application may be able to modify protected parts\nof the file system\nDescription: This issue was addressed with improved entitlements. 
\nCVE-2022-26727: Mickey Jin (@patch1t)\n\nPreview\nAvailable for: macOS Monterey\nImpact: A plug-in may be able to inherit the application's\npermissions and access user data\nDescription: This issue was addressed with improved checks. \nCVE-2022-26693: Wojciech Reguła (@_r3ggi) of SecuRing\n\nPrinting\nAvailable for: macOS Monterey\nImpact: A malicious application may be able to bypass Privacy\npreferences\nDescription: This issue was addressed by removing the vulnerable\ncode. \nCVE-2022-26746: @gorelics\n\nSafari Private Browsing\nAvailable for: macOS Monterey\nImpact: A malicious website may be able to track users in Safari\nprivate browsing mode\nDescription: A logic issue was addressed with improved state\nmanagement. \nCVE-2022-26731: an anonymous researcher\n\nSecurity\nAvailable for: macOS Monterey\nImpact: A malicious app may be able to bypass signature validation\nDescription: A certificate parsing issue was addressed with improved\nchecks. \nCVE-2022-26766: Linus Henze of Pinauten GmbH (pinauten.de)\n\nSMB\nAvailable for: macOS Monterey\nImpact: An application may be able to gain elevated privileges\nDescription: An out-of-bounds write issue was addressed with improved\nbounds checking. \nCVE-2022-26715: Peter Nguyễn Vũ Hoàng of STAR Labs\n\nSMB\nAvailable for: macOS Monterey\nImpact: An application may be able to gain elevated privileges\nDescription: An out-of-bounds read issue was addressed with improved\ninput validation. \nCVE-2022-26718: Peter Nguyễn Vũ Hoàng of STAR Labs\n\nSMB\nAvailable for: macOS Monterey\nImpact: Mounting a maliciously crafted Samba network share may lead\nto arbitrary code execution\nDescription: A memory corruption issue was addressed with improved\ninput validation. \nCVE-2022-26723: Felix Poulin-Belanger\n\nSoftwareUpdate\nAvailable for: macOS Monterey\nImpact: A malicious application may be able to access restricted\nfiles\nDescription: This issue was addressed with improved entitlements. 
\nCVE-2022-26728: Mickey Jin (@patch1t)\n\nSpotlight\nAvailable for: macOS Monterey\nImpact: An app may be able to gain elevated privileges\nDescription: A validation issue existed in the handling of symlinks\nand was addressed with improved validation of symlinks. \nCVE-2022-26704: an anonymous researcher\n\nTCC\nAvailable for: macOS Monterey\nImpact: An app may be able to capture a user's screen\nDescription: This issue was addressed with improved checks. \nCVE-2022-26726: an anonymous researcher\n\nTcl\nAvailable for: macOS Monterey\nImpact: A malicious application may be able to break out of its\nsandbox\nDescription: This issue was addressed with improved environment\nsanitization. \nCVE-2022-26755: Arsenii Kostromin (0x3c3e)\n\nWebKit\nAvailable for: macOS Monterey\nImpact: Processing maliciously crafted web content may lead to code\nexecution\nDescription: A memory corruption issue was addressed with improved\nstate management. \nWebKit Bugzilla: 238178\nCVE-2022-26700: ryuzaki\n\nWebKit\nAvailable for: macOS Monterey\nImpact: Processing maliciously crafted web content may lead to\narbitrary code execution\nDescription: A use after free issue was addressed with improved\nmemory management. \nWebKit Bugzilla: 236950\nCVE-2022-26709: Chijin Zhou of ShuiMuYuLin Ltd and Tsinghua\nwingtecher lab\nWebKit Bugzilla: 237475\nCVE-2022-26710: Chijin Zhou of ShuiMuYuLin Ltd and Tsinghua\nwingtecher lab\nWebKit Bugzilla: 238171\nCVE-2022-26717: Jeonghoon Shin of Theori\n\nWebKit\nAvailable for: macOS Monterey\nImpact: Processing maliciously crafted web content may lead to\narbitrary code execution\nDescription: A memory corruption issue was addressed with improved\nstate management. 
\nWebKit Bugzilla: 238183\nCVE-2022-26716: SorryMybad (@S0rryMybad) of Kunlun Lab\nWebKit Bugzilla: 238699\nCVE-2022-26719: Dongzhuo Zhao working with ADLab of Venustech\n\nWebRTC\nAvailable for: macOS Monterey\nImpact: Video self-preview in a webRTC call may be interrupted if the\nuser answers a phone call\nDescription: A logic issue in the handling of concurrent media was\naddressed with improved state handling. \nWebKit Bugzilla: 237524\nCVE-2022-22677: an anonymous researcher\n\nWi-Fi\nAvailable for: macOS Monterey\nImpact: A malicious application may disclose restricted memory\nDescription: A memory corruption issue was addressed with improved\nvalidation. \nCVE-2022-26745: an anonymous researcher\n\nWi-Fi\nAvailable for: macOS Monterey\nImpact: An application may be able to execute arbitrary code with\nkernel privileges\nDescription: A memory corruption issue was addressed with improved\nmemory handling. \nCVE-2022-26761: Wang Yu of Cyberserval\n\nWi-Fi\nAvailable for: macOS Monterey\nImpact: A malicious application may be able to execute arbitrary code\nwith system privileges\nDescription: A memory corruption issue was addressed with improved\nmemory handling. \nCVE-2022-26762: Wang Yu of Cyberserval\n\nzip\nAvailable for: macOS Monterey\nImpact: Processing a maliciously crafted file may lead to a denial of\nservice\nDescription: A denial of service issue was addressed with improved\nstate handling. \nCVE-2022-0530\n\nzlib\nAvailable for: macOS Monterey\nImpact: An attacker may be able to cause unexpected application\ntermination or arbitrary code execution\nDescription: A memory corruption issue was addressed with improved\ninput validation. \nCVE-2018-25032: Tavis Ormandy\n\nzsh\nAvailable for: macOS Monterey\nImpact: A remote attacker may be able to cause arbitrary code\nexecution\nDescription: This issue was addressed by updating to zsh version\n5.8.1. 
\nCVE-2021-45444\n\nAdditional recognition\n\nAppleMobileFileIntegrity\nWe would like to acknowledge Wojciech Reguła (@_r3ggi) of SecuRing\nfor their assistance. \n\nBluetooth\nWe would like to acknowledge Jann Horn of Project Zero for their\nassistance. \n\nCalendar\nWe would like to acknowledge Eugene Lim of Government Technology\nAgency of Singapore for their assistance. \n\nFaceTime\nWe would like to acknowledge Wojciech Reguła (@_r3ggi) of SecuRing\nfor their assistance. \n\nFileVault\nWe would like to acknowledge Benjamin Adolphi of Promon Germany GmbH\nfor their assistance. \n\nLogin Window\nWe would like to acknowledge Csaba Fitzl (@theevilbit) of Offensive\nSecurity for their assistance. \n\nPhoto Booth\nWe would like to acknowledge Wojciech Reguła (@_r3ggi) of SecuRing\nfor their assistance. \n\nSystem Preferences\nWe would like to acknowledge Mohammad Tausif Siddiqui\n(@toshsiddiqui), an anonymous researcher for their assistance. \n\nWebKit\nWe would like to acknowledge James Lee, an anonymous researcher for\ntheir assistance. \n\nWi-Fi\nWe would like to acknowledge Dana Morrison for their assistance. \n\nmacOS Monterey 12.4 may be obtained from the Mac App Store or Apple's\nSoftware Downloads web site: https://support.apple.com/downloads/\nAll information is also posted on the Apple Security Updates\nweb site: https://support.apple.com/en-us/HT201222. 
\n\nThis message is signed with Apple's Product Security PGP key,\nand details are available at:\nhttps://www.apple.com/support/security/pgp/\n-----BEGIN PGP SIGNATURE-----\n\niQIzBAEBCAAdFiEEePiLW1MrMjw19XzoeC9qKD1prhgFAmKC1TUACgkQeC9qKD1p\nrhigoQ//cTnC2MOYau+vO6pv8PHMbeEWPPvtsGpemCNz4iChXRhVOHKxgMQAHEgg\nEjpxvw5D1jg12wroXypL8ADOD1V20OA7u5A20Lip1NIDL145692jPfmGuNxqkRnI\nDyoykhUogRL8Yvzkd5P8D3Jlo0EzCa4ZhO4tqBwbrGQZRb7gHclMPtzlgt15ZIma\nmH42QGRkJcK8v4MWNIxvibnQPwx3we2k4T8FajBvoCxYinMOlg/j16hFREj8Src+\nrQwKPV6JHiBBQ3LQpGeBlJrFLH72CyHbCu8IqWFYvvDXsT5Gr9JoagW7+g/9+8Wc\n402HjkY4wOZrxIBtlaUlNFZuB1mtIv8amHn9AaVOK/7GALSP6MQzA+U3HUqd3hYV\nJ23pw6iRWBTZZSmO31kdEGU/X9uDkDKJL6QxUfzVXPVmOs0VNMmOJUdTRKf3tdsa\n5qnPcjowRONgltX8NqIP0q4aJPr1WigtFGyASIr3me/t9Ft7Kss4gJt7YLDsN6MZ\nopD8hTRHSAXAAYsA57omyo/DnmajHIbUGVEujzAh/DOEYxgT9aaaAHnkNuaQgIbs\nZ5g/dfhDaJodyk0q7BIeK+RPbkvrJvnoBWkRnAUaSgYMX14DQdExlBEvbpcPg71f\nLHzUlUewIuuP/57huTz/b4vEEke0JUwrWk6T1ACbndL3FsPIOX4=\n=jaCZ\n-----END PGP SIGNATURE-----\n\n\n. Description:\n\nVersion 1.22.0 of the OpenShift Serverless Operator is supported on Red Hat\nOpenShift Container Platform versions 4.6, 4.7, 4.8, 4.9, and 4.10. \n\nFor more information, see the documentation linked in the Solution section. Bugs fixed (https://bugzilla.redhat.com/):\n\n2020725 - CVE-2021-41771 golang: debug/macho: invalid dynamic symbol table command can cause panic\n2020736 - CVE-2021-41772 golang: archive/zip: Reader.Open panics on empty string\n\n5. 
References:\n\nhttps://access.redhat.com/security/cve/CVE-2018-25032\nhttps://access.redhat.com/security/cve/CVE-2021-3999\nhttps://access.redhat.com/security/cve/CVE-2021-23177\nhttps://access.redhat.com/security/cve/CVE-2021-31566\nhttps://access.redhat.com/security/cve/CVE-2021-41771\nhttps://access.redhat.com/security/cve/CVE-2021-41772\nhttps://access.redhat.com/security/cve/CVE-2021-45960\nhttps://access.redhat.com/security/cve/CVE-2021-46143\nhttps://access.redhat.com/security/cve/CVE-2022-0778\nhttps://access.redhat.com/security/cve/CVE-2022-21426\nhttps://access.redhat.com/security/cve/CVE-2022-21434\nhttps://access.redhat.com/security/cve/CVE-2022-21443\nhttps://access.redhat.com/security/cve/CVE-2022-21449\nhttps://access.redhat.com/security/cve/CVE-2022-21476\nhttps://access.redhat.com/security/cve/CVE-2022-21496\nhttps://access.redhat.com/security/cve/CVE-2022-22822\nhttps://access.redhat.com/security/cve/CVE-2022-22823\nhttps://access.redhat.com/security/cve/CVE-2022-22824\nhttps://access.redhat.com/security/cve/CVE-2022-22825\nhttps://access.redhat.com/security/cve/CVE-2022-22826\nhttps://access.redhat.com/security/cve/CVE-2022-22827\nhttps://access.redhat.com/security/cve/CVE-2022-23218\nhttps://access.redhat.com/security/cve/CVE-2022-23219\nhttps://access.redhat.com/security/cve/CVE-2022-23308\nhttps://access.redhat.com/security/cve/CVE-2022-23852\nhttps://access.redhat.com/security/cve/CVE-2022-25235\nhttps://access.redhat.com/security/cve/CVE-2022-25236\nhttps://access.redhat.com/security/cve/CVE-2022-25315\nFor details about the security issues see these CVE pages:\n* https://access.redhat.com/security/updates/classification/#low\n* https://access.redhat.com/documentation/en-us/openshift_container_platform/4.6/html/serverless/index\n* https://access.redhat.com/documentation/en-us/openshift_container_platform/4.7/html/serverless/index\n* https://access.redhat.com/documentation/en-us/openshift_container_platform/4.8/html/serverless/ind
ex\n* https://access.redhat.com/documentation/en-us/openshift_container_platform/4.9/html/serverless/index\n* https://access.redhat.com/documentation/en-us/openshift_container_platform/4.10/html/serverless/index\n\n6. Summary:\n\nThe Migration Toolkit for Containers (MTC) 1.7.1 is now available. Description:\n\nThe Migration Toolkit for Containers (MTC) enables you to migrate\nKubernetes resources, persistent volume data, and internal container images\nbetween OpenShift Container Platform clusters, using the MTC web console or\nthe Kubernetes API. \n\nSecurity Fix(es) from Bugzilla:\n\n* golang: net/http: Limit growth of header canonicalization cache\n(CVE-2021-44716)\n\n* golang: debug/macho: Invalid dynamic symbol table command can cause panic\n(CVE-2021-41771)\n\n* golang: archive/zip: Reader.Open panics on empty string (CVE-2021-41772)\n\n* golang: syscall: Don't close fd 0 on ForkExec error (CVE-2021-44717)\n\n* opencontainers: OCI manifest and index parsing confusion (CVE-2021-41190)\n\nFor more details about the security issue(s), including the impact, a CVSS\nscore, and other related information, refer to the CVE page(s) listed in\nthe References section. Solution:\n\nFor details on how to install and use MTC, refer to:\n\nhttps://docs.openshift.com/container-platform/latest/migration_toolkit_for_containers/installing-mtc.html\n\n4. 
Bugs fixed (https://bugzilla.redhat.com/):\n\n2020725 - CVE-2021-41771 golang: debug/macho: invalid dynamic symbol table command can cause panic\n2020736 - CVE-2021-41772 golang: archive/zip: Reader.Open panics on empty string\n2024938 - CVE-2021-41190 opencontainers: OCI manifest and index parsing confusion\n2030801 - CVE-2021-44716 golang: net/http: limit growth of header canonicalization cache\n2030806 - CVE-2021-44717 golang: syscall: don't close fd 0 on ForkExec error\n2040378 - Don't allow Storage class conversion migration if source cluster has only one storage class defined [backend]\n2057516 - [MTC UI] UI should not allow PVC mapping for Full migration\n2060244 - [MTC] DIM registry route need to be exposed to create inter-cluster state migration plans\n2060717 - [MTC] Registry pod goes in CrashLoopBackOff several times when MCG Nooba is used as the Replication Repository\n2061347 - [MTC] Log reader pod is missing velero and restic pod logs. \n2061653 - [MTC UI] Migration Resources section showing pods from other namespaces\n2062682 - [MTC] Destination storage class non-availability warning visible in Intra-cluster source to source state-migration migplan. \n2065837 - controller_config.yml.j2 merge type should be set to merge (currently using the default strategic)\n2071000 - Storage Conversion: UI doesn't have the ability to skip PVC\n2072036 - Migration plan for storage conversion cannot be created if there's no replication repository\n2072186 - Wrong migration type description\n2072684 - Storage Conversion: PersistentVolumeClaimTemplates in StatefulSets are not updated automatically after migration\n2073496 - Errors in rsync pod creation are not printed in the controller logs\n2079814 - [MTC UI] Intra-cluster state migration plan showing a warning on PersistentVolumes page\n\n5. 
-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA256\n\n=====================================================================\n                   Red Hat Security Advisory\n\nSynopsis:          Moderate: Red Hat Advanced Cluster Management 2.4.3 security updates and bug fixes\nAdvisory ID:       RHSA-2022:1476-01\nProduct:           Red Hat ACM\nAdvisory URL:      https://access.redhat.com/errata/RHSA-2022:1476\nIssue date:        2022-04-20\nCVE Names:         CVE-2021-0920 CVE-2021-3999 CVE-2021-4154 \n                   CVE-2021-23177 CVE-2021-23566 CVE-2021-31566 \n                   CVE-2021-41190 CVE-2021-43565 CVE-2021-45960 \n                   CVE-2021-46143 CVE-2022-0144 CVE-2022-0155 \n                   CVE-2022-0235 CVE-2022-0261 CVE-2022-0318 \n                   CVE-2022-0330 CVE-2022-0359 CVE-2022-0361 \n                   CVE-2022-0392 CVE-2022-0413 CVE-2022-0435 \n                   CVE-2022-0492 CVE-2022-0516 CVE-2022-0536 \n                   CVE-2022-0778 CVE-2022-0811 CVE-2022-0847 \n                   CVE-2022-22822 CVE-2022-22823 CVE-2022-22824 \n                   CVE-2022-22825 CVE-2022-22826 CVE-2022-22827 \n                   CVE-2022-22942 CVE-2022-23218 CVE-2022-23219 \n                   CVE-2022-23308 CVE-2022-23852 CVE-2022-24450 \n                   CVE-2022-24778 CVE-2022-25235 CVE-2022-25236 \n                   CVE-2022-25315 CVE-2022-27191 \n=====================================================================\n\n1. Summary:\n\nRed Hat Advanced Cluster Management for Kubernetes 2.4.3 General\nAvailability release images. This update provides security fixes, bug\nfixes, and updates the container images. \n\nRed Hat Product Security has rated this update as having a security impact\nof Moderate. A Common Vulnerability Scoring System (CVSS) base score, which\ngives a detailed severity rating, is available for each vulnerability from\nthe CVE links in the References section. \n\n2. 
Description:\n\nRed Hat Advanced Cluster Management for Kubernetes 2.4.3 images\n\nRed Hat Advanced Cluster Management for Kubernetes provides the\ncapabilities to address common challenges that administrators and site\nreliability engineers face as they work across a range of public and\nprivate cloud environments. Clusters and applications are all visible and\nmanaged from a single console—with security policy built in. \n\nThis advisory contains the container images for Red Hat Advanced Cluster\nManagement for Kubernetes, which provide some security fixes and bug fixes. \nSee the following Release Notes documentation, which will be updated\nshortly for this release, for additional details about this release:\n\nhttps://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.4/html/release_notes/\n\nSecurity updates:\n\n* golang.org/x/crypto: empty plaintext packet causes panic (CVE-2021-43565)\n\n* nats-server: misusing the \"dynamically provisioned sandbox accounts\"\nfeature authenticated user can obtain the privileges of the System account\n(CVE-2022-24450)\n\n* nanoid: Information disclosure via valueOf() function (CVE-2021-23566)\n\n* nodejs-shelljs: improper privilege management (CVE-2022-0144)\n\n* search-ui-container: follow-redirects: Exposure of Private Personal\nInformation to an Unauthorized Actor (CVE-2022-0155)\n\n* node-fetch: exposure of sensitive information to an unauthorized actor\n(CVE-2022-0235)\n\n* follow-redirects: Exposure of Sensitive Information via Authorization\nHeader leak (CVE-2022-0536)\n\n* openssl: Infinite loop in BN_mod_sqrt() reachable when parsing\ncertificates (CVE-2022-0778)\n\n* imgcrypt: Unauthorized access to encryted container image on a shared\nsystem due to missing check in CheckAuthorization() code path\n(CVE-2022-24778)\n\n* golang: crash in a golang.org/x/crypto/ssh server (CVE-2022-27191)\n\n* opencontainers: OCI manifest and index parsing confusion (CVE-2021-41190)\n\nRelated 
bugs:\n\n* RHACM 2.4.3 image files (BZ #2057249)\n\n* Observability - dashboard name contains `/` would cause error when\ngenerating dashboard cm (BZ #2032128)\n\n* ACM application placement fails after renaming the application name (BZ\n#2033051)\n\n* Disable the obs metric collect should not impact the managed cluster\nupgrade (BZ #2039197)\n\n* Observability - cluster list should only contain OCP311 cluster on OCP311\ndashboard (BZ #2039820)\n\n* The value of name label changed from clusterclaim name to cluster name\n(BZ #2042223)\n\n* VMWare Cluster creation does not accept ecdsa-sha2-nistp521 ssh keys (BZ\n#2048500)\n\n* clusterSelector matchLabels spec are cleared when changing app\nname/namespace during creating an app in UI (BZ #2053211)\n\n* Application cluster status is not updated in UI after restoring (BZ\n#2053279)\n\n* OpenStack cluster creation is using deprecated floating IP config for\n4.7+ (BZ #2056610)\n\n* The value of Vendor reported by cluster metrics was Other even if the\nvendor label in managedcluster was Openshift (BZ #2059039)\n\n* Subscriptions stop reconciling after channel secrets are recreated (BZ\n#2059954)\n\n* Placementrule is not reconciling on a new fresh environment (BZ #2074156)\n\n* The cluster claimed from clusterpool cannot auto imported (BZ #2074543)\n\n3. Solution:\n\nFor Red Hat Advanced Cluster Management for Kubernetes, see the following\ndocumentation, which will be updated shortly for this release, for\nimportant\ninstructions on how to upgrade your cluster and fully apply this\nasynchronous\nerrata update:\n\nhttps://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.4/html/release_notes/index\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.4/html-single/install/index#installing\n\n4. 
Bugs fixed (https://bugzilla.redhat.com/):\n\n2024938 - CVE-2021-41190 opencontainers: OCI manifest and index parsing confusion\n2030787 - CVE-2021-43565 golang.org/x/crypto: empty plaintext packet causes panic\n2032128 - Observability - dashboard name contains `/` would cause error when generating dashboard cm\n2033051 - ACM application placement fails after renaming the application name\n2039197 - disable the obs metric collect should not impact the managed cluster upgrade\n2039820 - Observability - cluster list should only contain OCP311 cluster on OCP311 dashboard\n2042223 - the value of name label changed from clusterclaim name to cluster name\n2043535 - CVE-2022-0144 nodejs-shelljs: improper privilege management\n2044556 - CVE-2022-0155 follow-redirects: Exposure of Private Personal Information to an Unauthorized Actor\n2044591 - CVE-2022-0235 node-fetch: exposure of sensitive information to an unauthorized actor\n2048500 - VMWare Cluster creation does not accept ecdsa-sha2-nistp521 ssh keys\n2050853 - CVE-2021-23566 nanoid: Information disclosure via valueOf() function\n2052573 - CVE-2022-24450 nats-server: misusing the \"dynamically provisioned sandbox accounts\" feature  authenticated user can obtain the privileges of the System account\n2053211 - clusterSelector matchLabels spec are cleared when changing app name/namespace during creating an app in UI\n2053259 - CVE-2022-0536 follow-redirects: Exposure of Sensitive Information via Authorization Header leak\n2053279 - Application cluster status is not updated in UI after restoring\n2056610 - OpenStack cluster creation is using deprecated floating IP config for 4.7+\n2057249 - RHACM 2.4.3 images\n2059039 - The value of Vendor reported by cluster metrics was Other even if the vendor label in managedcluster was Openshift\n2059954 - Subscriptions stop reconciling after channel secrets are recreated\n2062202 - CVE-2022-0778 openssl: Infinite loop in BN_mod_sqrt() reachable when parsing certificates\n2064702 - 
CVE-2022-27191 golang: crash in a golang.org/x/crypto/ssh server\n2069368 - CVE-2022-24778 imgcrypt: Unauthorized access to encryted container image on a shared system due to missing check in CheckAuthorization() code path\n2074156 - Placementrule is not reconciling on a new fresh environment\n2074543 - The cluster claimed from clusterpool can not auto imported\n\n5. References:\n\nhttps://access.redhat.com/security/cve/CVE-2021-0920\nhttps://access.redhat.com/security/cve/CVE-2021-3999\nhttps://access.redhat.com/security/cve/CVE-2021-4154\nhttps://access.redhat.com/security/cve/CVE-2021-23177\nhttps://access.redhat.com/security/cve/CVE-2021-23566\nhttps://access.redhat.com/security/cve/CVE-2021-31566\nhttps://access.redhat.com/security/cve/CVE-2021-41190\nhttps://access.redhat.com/security/cve/CVE-2021-43565\nhttps://access.redhat.com/security/cve/CVE-2021-45960\nhttps://access.redhat.com/security/cve/CVE-2021-46143\nhttps://access.redhat.com/security/cve/CVE-2022-0144\nhttps://access.redhat.com/security/cve/CVE-2022-0155\nhttps://access.redhat.com/security/cve/CVE-2022-0235\nhttps://access.redhat.com/security/cve/CVE-2022-0261\nhttps://access.redhat.com/security/cve/CVE-2022-0318\nhttps://access.redhat.com/security/cve/CVE-2022-0330\nhttps://access.redhat.com/security/cve/CVE-2022-0359\nhttps://access.redhat.com/security/cve/CVE-2022-0361\nhttps://access.redhat.com/security/cve/CVE-2022-0392\nhttps://access.redhat.com/security/cve/CVE-2022-0413\nhttps://access.redhat.com/security/cve/CVE-2022-0435\nhttps://access.redhat.com/security/cve/CVE-2022-0492\nhttps://access.redhat.com/security/cve/CVE-2022-0516\nhttps://access.redhat.com/security/cve/CVE-2022-0536\nhttps://access.redhat.com/security/cve/CVE-2022-0778\nhttps://access.redhat.com/security/cve/CVE-2022-0811\nhttps://access.redhat.com/security/cve/CVE-2022-0847\nhttps://access.redhat.com/security/cve/CVE-2022-22822\nhttps://access.redhat.com/security/cve/CVE-2022-22823\nhttps://access.redhat.com/security/cve/C
VE-2022-22824\nhttps://access.redhat.com/security/cve/CVE-2022-22825\nhttps://access.redhat.com/security/cve/CVE-2022-22826\nhttps://access.redhat.com/security/cve/CVE-2022-22827\nhttps://access.redhat.com/security/cve/CVE-2022-22942\nhttps://access.redhat.com/security/cve/CVE-2022-23218\nhttps://access.redhat.com/security/cve/CVE-2022-23219\nhttps://access.redhat.com/security/cve/CVE-2022-23308\nhttps://access.redhat.com/security/cve/CVE-2022-23852\nhttps://access.redhat.com/security/cve/CVE-2022-24450\nhttps://access.redhat.com/security/cve/CVE-2022-24778\nhttps://access.redhat.com/security/cve/CVE-2022-25235\nhttps://access.redhat.com/security/cve/CVE-2022-25236\nhttps://access.redhat.com/security/cve/CVE-2022-25315\nhttps://access.redhat.com/security/cve/CVE-2022-27191\nhttps://access.redhat.com/security/updates/classification/#moderate\nhttps://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.4/html/release_notes/index\nhttps://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.4/html-single/install/index#installing\n\n6. Contact:\n\nThe Red Hat security contact is <secalert@redhat.com>. More contact\ndetails at https://access.redhat.com/security/team/contact/\n\nCopyright 2022 Red Hat, Inc. 
See the following\nRelease Notes documentation, which will be updated shortly for this\nrelease, for additional details about this release:\n\nhttps://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.3/html/release_notes/\n\nSecurity updates:\n\n* nanoid: Information disclosure via valueOf() function (CVE-2021-23566)\n\n* nodejs-shelljs: improper privilege management (CVE-2022-0144)\n\n* follow-redirects: Exposure of Private Personal Information to an\nUnauthorized Actor (CVE-2022-0155)\n\n* node-fetch: exposure of sensitive information to an unauthorized actor\n(CVE-2022-0235)\n\n* follow-redirects: Exposure of Sensitive Information via Authorization\nHeader leak (CVE-2022-0536)\n\nBug fix:\n\n* RHACM 2.3.8 images (Bugzilla #2062316)\n\n3. Bugs fixed (https://bugzilla.redhat.com/):\n\n2043535 - CVE-2022-0144 nodejs-shelljs: improper privilege management\n2044556 - CVE-2022-0155 follow-redirects: Exposure of Private Personal Information to an Unauthorized Actor\n2044591 - CVE-2022-0235 node-fetch: exposure of sensitive information to an unauthorized actor\n2050853 - CVE-2021-23566 nanoid: Information disclosure via valueOf() function\n2053259 - CVE-2022-0536 follow-redirects: Exposure of Sensitive Information via Authorization Header leak\n2062316 - RHACM 2.3.8 images\n\n5",
      sources: [
         {
            db: "NVD",
            id: "CVE-2022-23308",
         },
         {
            db: "VULHUB",
            id: "VHN-412332",
         },
         {
            db: "VULMON",
            id: "CVE-2022-23308",
         },
         {
            db: "PACKETSTORM",
            id: "167188",
         },
         {
            db: "PACKETSTORM",
            id: "168719",
         },
         {
            db: "PACKETSTORM",
            id: "167186",
         },
         {
            db: "PACKETSTORM",
            id: "167008",
         },
         {
            db: "PACKETSTORM",
            id: "166976",
         },
         {
            db: "PACKETSTORM",
            id: "166812",
         },
         {
            db: "PACKETSTORM",
            id: "166516",
         },
      ],
      trust: 1.71,
   },
   exploit_availability: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/exploit_availability#",
         data: {
            "@container": "@list",
         },
         sources: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/ref/sources#",
            },
         },
      },
      data: [
         {
            reference: "https://www.scap.org.cn/vuln/vhn-412332",
            trust: 0.1,
            type: "unknown",
         },
      ],
      sources: [
         {
            db: "VULHUB",
            id: "VHN-412332",
         },
      ],
   },
   external_ids: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/external_ids#",
         data: {
            "@container": "@list",
         },
         sources: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/ref/sources#",
            },
         },
      },
      data: [
         {
            db: "NVD",
            id: "CVE-2022-23308",
            trust: 2.5,
         },
         {
            db: "PACKETSTORM",
            id: "167008",
            trust: 0.8,
         },
         {
            db: "PACKETSTORM",
            id: "168719",
            trust: 0.8,
         },
         {
            db: "PACKETSTORM",
            id: "166437",
            trust: 0.7,
         },
         {
            db: "PACKETSTORM",
            id: "167194",
            trust: 0.7,
         },
         {
            db: "PACKETSTORM",
            id: "166304",
            trust: 0.7,
         },
         {
            db: "PACKETSTORM",
            id: "166327",
            trust: 0.7,
         },
         {
            db: "AUSCERT",
            id: "ESB-2022.2569",
            trust: 0.6,
         },
         {
            db: "AUSCERT",
            id: "ESB-2022.1263",
            trust: 0.6,
         },
         {
            db: "AUSCERT",
            id: "ESB-2023.3732",
            trust: 0.6,
         },
         {
            db: "AUSCERT",
            id: "ESB-2022.1677",
            trust: 0.6,
         },
         {
            db: "AUSCERT",
            id: "ESB-2022.0927",
            trust: 0.6,
         },
         {
            db: "AUSCERT",
            id: "ESB-2022.1051",
            trust: 0.6,
         },
         {
            db: "AUSCERT",
            id: "ESB-2022.2411",
            trust: 0.6,
         },
         {
            db: "AUSCERT",
            id: "ESB-2022.4099",
            trust: 0.6,
         },
         {
            db: "AUSCERT",
            id: "ESB-2022.1073",
            trust: 0.6,
         },
         {
            db: "AUSCERT",
            id: "ESB-2022.5782",
            trust: 0.6,
         },
         {
            db: "AUSCERT",
            id: "ESB-2022.3672",
            trust: 0.6,
         },
         {
            db: "PACKETSTORM",
            id: "166803",
            trust: 0.6,
         },
         {
            db: "CS-HELP",
            id: "SB2022051708",
            trust: 0.6,
         },
         {
            db: "CS-HELP",
            id: "SB2022031503",
            trust: 0.6,
         },
         {
            db: "CS-HELP",
            id: "SB2022051713",
            trust: 0.6,
         },
         {
            db: "CS-HELP",
            id: "SB2022042138",
            trust: 0.6,
         },
         {
            db: "CS-HELP",
            id: "SB2022072710",
            trust: 0.6,
         },
         {
            db: "CS-HELP",
            id: "SB2022072053",
            trust: 0.6,
         },
         {
            db: "CS-HELP",
            id: "SB2022032843",
            trust: 0.6,
         },
         {
            db: "CS-HELP",
            id: "SB2022072640",
            trust: 0.6,
         },
         {
            db: "CS-HELP",
            id: "SB2022041523",
            trust: 0.6,
         },
         {
            db: "CS-HELP",
            id: "SB2022051839",
            trust: 0.6,
         },
         {
            db: "CS-HELP",
            id: "SB2022051326",
            trust: 0.6,
         },
         {
            db: "CS-HELP",
            id: "SB2022030110",
            trust: 0.6,
         },
         {
            db: "CS-HELP",
            id: "SB2022031620",
            trust: 0.6,
         },
         {
            db: "CS-HELP",
            id: "SB2022031525",
            trust: 0.6,
         },
         {
            db: "CS-HELP",
            id: "SB2022032445",
            trust: 0.6,
         },
         {
            db: "CS-HELP",
            id: "SB2022053128",
            trust: 0.6,
         },
         {
            db: "CNNVD",
            id: "CNNVD-202202-1722",
            trust: 0.6,
         },
         {
            db: "PACKETSTORM",
            id: "167188",
            trust: 0.2,
         },
         {
            db: "PACKETSTORM",
            id: "167186",
            trust: 0.2,
         },
         {
            db: "PACKETSTORM",
            id: "166431",
            trust: 0.1,
         },
         {
            db: "PACKETSTORM",
            id: "166433",
            trust: 0.1,
         },
         {
            db: "PACKETSTORM",
            id: "167185",
            trust: 0.1,
         },
         {
            db: "PACKETSTORM",
            id: "167189",
            trust: 0.1,
         },
         {
            db: "PACKETSTORM",
            id: "167184",
            trust: 0.1,
         },
         {
            db: "PACKETSTORM",
            id: "167193",
            trust: 0.1,
         },
         {
            db: "VULHUB",
            id: "VHN-412332",
            trust: 0.1,
         },
         {
            db: "ICS CERT",
            id: "ICSA-23-348-10",
            trust: 0.1,
         },
         {
            db: "VULMON",
            id: "CVE-2022-23308",
            trust: 0.1,
         },
         {
            db: "PACKETSTORM",
            id: "166976",
            trust: 0.1,
         },
         {
            db: "PACKETSTORM",
            id: "166812",
            trust: 0.1,
         },
         {
            db: "PACKETSTORM",
            id: "166516",
            trust: 0.1,
         },
      ],
      sources: [
         {
            db: "VULHUB",
            id: "VHN-412332",
         },
         {
            db: "VULMON",
            id: "CVE-2022-23308",
         },
         {
            db: "PACKETSTORM",
            id: "167188",
         },
         {
            db: "PACKETSTORM",
            id: "168719",
         },
         {
            db: "PACKETSTORM",
            id: "167186",
         },
         {
            db: "PACKETSTORM",
            id: "167008",
         },
         {
            db: "PACKETSTORM",
            id: "166976",
         },
         {
            db: "PACKETSTORM",
            id: "166812",
         },
         {
            db: "PACKETSTORM",
            id: "166516",
         },
         {
            db: "CNNVD",
            id: "CNNVD-202202-1722",
         },
         {
            db: "NVD",
            id: "CVE-2022-23308",
         },
      ],
   },
   id: "VAR-202202-0906",
   iot: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/iot#",
         sources: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/ref/sources#",
            },
         },
      },
      data: true,
      sources: [
         {
            db: "VULHUB",
            id: "VHN-412332",
         },
      ],
      trust: 0.01,
   },
   last_update_date: "2024-11-29T19:45:14.785000Z",
   patch: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/patch#",
         data: {
            "@container": "@list",
         },
         sources: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/ref/sources#",
            },
         },
      },
      data: [
         {
            title: "libxml2 Remediation of resource management error vulnerabilities",
            trust: 0.6,
            url: "http://123.124.177.30/web/xxk/bdxqById.tag?id=184325",
         },
         {
            title: "Debian CVElist Bug Report Logs: libxml2: CVE-2022-23308: Use-after-free of ID and IDREF attributes",
            trust: 0.1,
            url: "https://vulmon.com/vendoradvisory?qidtp=debian_cvelist_bugreportlogs&qid=9ebc8e6cd9474a4b501cffe479738815",
         },
         {
            title: "Ubuntu Security Notice: USN-5422-1: libxml2 vulnerabilities",
            trust: 0.1,
            url: "https://vulmon.com/vendoradvisory?qidtp=ubuntu_security_notice&qid=USN-5422-1",
         },
         {
            title: "Red Hat: Moderate: libxml2 security update",
            trust: 0.1,
            url: "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories&qid=RHSA-20220899 - Security Advisory",
         },
         {
            title: "Amazon Linux 2: ALAS2-2022-1826",
            trust: 0.1,
            url: "https://vulmon.com/vendoradvisory?qidtp=amazon_linux2&qid=ALAS2-2022-1826",
         },
         {
            title: "Arch Linux Issues: ",
            trust: 0.1,
            url: "https://vulmon.com/vendoradvisory?qidtp=arch_linux_issues&qid=CVE-2022-23308",
         },
         {
            title: "Google Chrome: Long Term Support Channel Update",
            trust: 0.1,
            url: "https://vulmon.com/vendoradvisory?qidtp=chrome_releases&qid=d941b22c6938f31887f0b0d1ec5e74d8",
         },
         {
            title: "Red Hat: Important: Red Hat JBoss Core Services Apache HTTP Server 2.4.37 SP11 security update",
            trust: 0.1,
            url: "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories&qid=RHSA-20221390 - Security Advisory",
         },
         {
            title: "Red Hat: Important: Red Hat JBoss Core Services Apache HTTP Server 2.4.37 SP11 security update",
            trust: 0.1,
            url: "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories&qid=RHSA-20221389 - Security Advisory",
         },
         {
            title: "Amazon Linux 2022: ALAS2022-2022-198",
            trust: 0.1,
            url: "https://vulmon.com/vendoradvisory?qidtp=amazon_linux2022&qid=ALAS2022-2022-198",
         },
         {
            title: "Amazon Linux 2022: ALAS2022-2022-068",
            trust: 0.1,
            url: "https://vulmon.com/vendoradvisory?qidtp=amazon_linux2022&qid=ALAS2022-2022-068",
         },
         {
            title: "Google Chrome: Long Term Support Channel Update for ChromeOS",
            trust: 0.1,
            url: "https://vulmon.com/vendoradvisory?qidtp=chrome_releases&qid=e0755e202be7c03d6f4e14fbc744c5b2",
         },
         {
            title: "Red Hat: Important: Red Hat OpenShift GitOps security update",
            trust: 0.1,
            url: "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories&qid=RHSA-20221039 - Security Advisory",
         },
         {
            title: "Amazon Linux AMI: ALAS-2023-1743",
            trust: 0.1,
            url: "https://vulmon.com/vendoradvisory?qidtp=amazon_linux_ami&qid=ALAS-2023-1743",
         },
         {
            title: "Apple: watchOS 8.6",
            trust: 0.1,
            url: "https://vulmon.com/vendoradvisory?qidtp=apple_security_advisories&qid=6bd411659b23f6a36cfd1c59cf69e092",
         },
         {
            title: "Red Hat: Important: Red Hat OpenShift GitOps security update",
            trust: 0.1,
            url: "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories&qid=RHSA-20221041 - Security Advisory",
         },
         {
            title: "Red Hat: Low: Release of OpenShift Serverless Version 1.22.0",
            trust: 0.1,
            url: "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories&qid=RHSA-20221747 - Security Advisory",
         },
         {
            title: "Red Hat: Important: Red Hat OpenShift GitOps security update",
            trust: 0.1,
            url: "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories&qid=RHSA-20221042 - Security Advisory",
         },
         {
            title: "Red Hat: Moderate: Migration Toolkit for Containers (MTC) 1.7.1 security and bug fix update",
            trust: 0.1,
            url: "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories&qid=RHSA-20221734 - Security Advisory",
         },
         {
            title: "Red Hat: Moderate: Red Hat Advanced Cluster Management 2.3.8 security and container updates",
            trust: 0.1,
            url: "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories&qid=RHSA-20221083 - Security Advisory",
         },
         {
            title: "Apple: iOS 15.5 and iPadOS 15.5",
            trust: 0.1,
            url: "https://vulmon.com/vendoradvisory?qidtp=apple_security_advisories&qid=f66f27c9aed3f1df2b9271d627617604",
         },
         {
            title: "Red Hat: Moderate: Gatekeeper Operator v0.2 security updates and bug fixes",
            trust: 0.1,
            url: "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories&qid=RHSA-20221081 - Security Advisory",
         },
         {
            title: "Red Hat: Moderate: Red Hat Advanced Cluster Management 2.4.3 security updates and bug fixes",
            trust: 0.1,
            url: "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories&qid=RHSA-20221476 - Security Advisory",
         },
         {
            title: "Red Hat: Moderate: Migration Toolkit for Containers (MTC) 1.5.4 security update",
            trust: 0.1,
            url: "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories&qid=RHSA-20221396 - Security Advisory",
         },
         {
            title: "Apple: macOS Monterey 12.4",
            trust: 0.1,
            url: "https://vulmon.com/vendoradvisory?qidtp=apple_security_advisories&qid=73857ee26a600b1527481f1deacc0619",
         },
         {
            title: "CVE-2022-XXXX",
            trust: 0.1,
            url: "https://github.com/AlphabugX/CVE-2022-23305 ",
         },
         {
            title: "CVE-2022-XXXX",
            trust: 0.1,
            url: "https://github.com/AlphabugX/CVE-2022-RCE ",
         },
      ],
      sources: [
         {
            db: "VULMON",
            id: "CVE-2022-23308",
         },
         {
            db: "CNNVD",
            id: "CNNVD-202202-1722",
         },
      ],
   },
   problemtype_data: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
         sources: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/ref/sources#",
            },
         },
      },
      data: [
         {
            problemtype: "CWE-416",
            trust: 1.1,
         },
      ],
      sources: [
         {
            db: "VULHUB",
            id: "VHN-412332",
         },
         {
            db: "NVD",
            id: "CVE-2022-23308",
         },
      ],
   },
   references: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/references#",
         data: {
            "@container": "@list",
         },
         sources: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/ref/sources#",
            },
         },
      },
      data: [
         {
            trust: 1.9,
            url: "https://security.gentoo.org/glsa/202210-03",
         },
         {
            trust: 1.8,
            url: "https://github.com/gnome/libxml2/commit/652dd12a858989b14eed4e84e453059cd3ba340e",
         },
         {
            trust: 1.8,
            url: "https://security.netapp.com/advisory/ntap-20220331-0008/",
         },
         {
            trust: 1.8,
            url: "https://support.apple.com/kb/ht213253",
         },
         {
            trust: 1.8,
            url: "https://support.apple.com/kb/ht213254",
         },
         {
            trust: 1.8,
            url: "https://support.apple.com/kb/ht213255",
         },
         {
            trust: 1.8,
            url: "https://support.apple.com/kb/ht213256",
         },
         {
            trust: 1.8,
            url: "https://support.apple.com/kb/ht213257",
         },
         {
            trust: 1.8,
            url: "https://support.apple.com/kb/ht213258",
         },
         {
            trust: 1.8,
            url: "http://seclists.org/fulldisclosure/2022/may/34",
         },
         {
            trust: 1.8,
            url: "http://seclists.org/fulldisclosure/2022/may/38",
         },
         {
            trust: 1.8,
            url: "http://seclists.org/fulldisclosure/2022/may/35",
         },
         {
            trust: 1.8,
            url: "http://seclists.org/fulldisclosure/2022/may/33",
         },
         {
            trust: 1.8,
            url: "http://seclists.org/fulldisclosure/2022/may/36",
         },
         {
            trust: 1.8,
            url: "http://seclists.org/fulldisclosure/2022/may/37",
         },
         {
            trust: 1.8,
            url: "https://gitlab.gnome.org/gnome/libxml2/-/blob/v2.9.13/news",
         },
         {
            trust: 1.8,
            url: "https://www.oracle.com/security-alerts/cpujul2022.html",
         },
         {
            trust: 1.8,
            url: "https://lists.debian.org/debian-lts-announce/2022/04/msg00004.html",
         },
         {
            trust: 1.1,
            url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/la3mwwayzadwj5f6joubx65uzamqb7rf/",
         },
         {
            trust: 1,
            url: "https://nvd.nist.gov/vuln/detail/cve-2022-23308",
         },
         {
            trust: 1,
            url: "https://access.redhat.com/security/cve/cve-2022-23308",
         },
         {
            trust: 0.7,
            url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/la3mwwayzadwj5f6joubx65uzamqb7rf/",
         },
         {
            trust: 0.6,
            url: "https://www.cybersecurity-help.cz/vdb/sb2022051713",
         },
         {
            trust: 0.6,
            url: "https://www.auscert.org.au/bulletins/esb-2022.2569",
         },
         {
            trust: 0.6,
            url: "https://www.cybersecurity-help.cz/vdb/sb2022072710",
         },
         {
            trust: 0.6,
            url: "https://www.cybersecurity-help.cz/vdb/sb2022051839",
         },
         {
            trust: 0.6,
            url: "https://www.auscert.org.au/bulletins/esb-2022.1051",
         },
         {
            trust: 0.6,
            url: "https://www.auscert.org.au/bulletins/esb-2022.1073",
         },
         {
            trust: 0.6,
            url: "https://www.cybersecurity-help.cz/vdb/sb2022072053",
         },
         {
            trust: 0.6,
            url: "https://www.auscert.org.au/bulletins/esb-2022.4099",
         },
         {
            trust: 0.6,
            url: "https://www.auscert.org.au/bulletins/esb-2022.5782",
         },
         {
            trust: 0.6,
            url: "https://packetstormsecurity.com/files/166803/red-hat-security-advisory-2022-1390-01.html",
         },
         {
            trust: 0.6,
            url: "https://vigilance.fr/vulnerability/libxml2-five-vulnerabilities-37614",
         },
         {
            trust: 0.6,
            url: "https://www.cybersecurity-help.cz/vdb/sb2022032843",
         },
         {
            trust: 0.6,
            url: "https://packetstormsecurity.com/files/166304/ubuntu-security-notice-usn-5324-1.html",
         },
         {
            trust: 0.6,
            url: "https://www.cybersecurity-help.cz/vdb/sb2022053128",
         },
         {
            trust: 0.6,
            url: "https://packetstormsecurity.com/files/167194/apple-security-advisory-2022-05-16-6.html",
         },
         {
            trust: 0.6,
            url: "https://www.auscert.org.au/bulletins/esb-2022.2411",
         },
         {
            trust: 0.6,
            url: "https://www.cybersecurity-help.cz/vdb/sb2022032445",
         },
         {
            trust: 0.6,
            url: "https://www.cybersecurity-help.cz/vdb/sb2022051326",
         },
         {
            trust: 0.6,
            url: "https://cxsecurity.com/cveshow/cve-2022-23308/",
         },
         {
            trust: 0.6,
            url: "https://www.auscert.org.au/bulletins/esb-2022.1263",
         },
         {
            trust: 0.6,
            url: "https://www.cybersecurity-help.cz/vdb/sb2022072640",
         },
         {
            trust: 0.6,
            url: "https://www.cybersecurity-help.cz/vdb/sb2022051708",
         },
         {
            trust: 0.6,
            url: "https://www.auscert.org.au/bulletins/esb-2023.3732",
         },
         {
            trust: 0.6,
            url: "https://www.cybersecurity-help.cz/vdb/sb2022042138",
         },
         {
            trust: 0.6,
            url: "https://www.cybersecurity-help.cz/vdb/sb2022041523",
         },
         {
            trust: 0.6,
            url: "https://packetstormsecurity.com/files/168719/gentoo-linux-security-advisory-202210-03.html",
         },
         {
            trust: 0.6,
            url: "https://www.cybersecurity-help.cz/vdb/sb2022030110",
         },
         {
            trust: 0.6,
            url: "https://www.auscert.org.au/bulletins/esb-2022.0927",
         },
         {
            trust: 0.6,
            url: "https://support.apple.com/en-us/ht213254",
         },
         {
            trust: 0.6,
            url: "https://www.auscert.org.au/bulletins/esb-2022.3672",
         },
         {
            trust: 0.6,
            url: "https://www.cybersecurity-help.cz/vdb/sb2022031503",
         },
         {
            trust: 0.6,
            url: "https://www.cybersecurity-help.cz/vdb/sb2022031525",
         },
         {
            trust: 0.6,
            url: "https://packetstormsecurity.com/files/167008/red-hat-security-advisory-2022-1747-01.html",
         },
         {
            trust: 0.6,
            url: "https://packetstormsecurity.com/files/166327/red-hat-security-advisory-2022-0899-01.html",
         },
         {
            trust: 0.6,
            url: "https://packetstormsecurity.com/files/166437/red-hat-security-advisory-2022-1039-01.html",
         },
         {
            trust: 0.6,
            url: "https://www.cybersecurity-help.cz/vdb/sb2022031620",
         },
         {
            trust: 0.6,
            url: "https://www.auscert.org.au/bulletins/esb-2022.1677",
         },
         {
            trust: 0.5,
            url: "https://nvd.nist.gov/vuln/detail/cve-2022-0778",
         },
         {
            trust: 0.4,
            url: "https://access.redhat.com/security/cve/cve-2021-31566",
         },
         {
            trust: 0.4,
            url: "https://access.redhat.com/security/cve/cve-2022-25236",
         },
         {
            trust: 0.4,
            url: "https://nvd.nist.gov/vuln/detail/cve-2021-23177",
         },
         {
            trust: 0.4,
            url: "https://access.redhat.com/security/cve/cve-2021-23177",
         },
         {
            trust: 0.4,
            url: "https://access.redhat.com/security/cve/cve-2022-22825",
         },
         {
            trust: 0.4,
            url: "https://access.redhat.com/security/cve/cve-2022-22827",
         },
         {
            trust: 0.4,
            url: "https://access.redhat.com/security/cve/cve-2022-22823",
         },
         {
            trust: 0.4,
            url: "https://access.redhat.com/security/cve/cve-2021-3999",
         },
         {
            trust: 0.4,
            url: "https://access.redhat.com/security/cve/cve-2021-46143",
         },
         {
            trust: 0.4,
            url: "https://access.redhat.com/security/team/contact/",
         },
         {
            trust: 0.4,
            url: "https://access.redhat.com/security/cve/cve-2022-23218",
         },
         {
            trust: 0.4,
            url: "https://access.redhat.com/security/cve/cve-2022-25235",
         },
         {
            trust: 0.4,
            url: "https://nvd.nist.gov/vuln/detail/cve-2021-46143",
         },
         {
            trust: 0.4,
            url: "https://nvd.nist.gov/vuln/detail/cve-2021-3999",
         },
         {
            trust: 0.4,
            url: "https://access.redhat.com/security/cve/cve-2022-22824",
         },
         {
            trust: 0.4,
            url: "https://nvd.nist.gov/vuln/detail/cve-2021-45960",
         },
         {
            trust: 0.4,
            url: "https://bugzilla.redhat.com/):",
         },
         {
            trust: 0.4,
            url: "https://listman.redhat.com/mailman/listinfo/rhsa-announce",
         },
         {
            trust: 0.4,
            url: "https://access.redhat.com/security/cve/cve-2022-22826",
         },
         {
            trust: 0.4,
            url: "https://access.redhat.com/security/cve/cve-2022-22822",
         },
         {
            trust: 0.4,
            url: "https://access.redhat.com/security/cve/cve-2022-23852",
         },
         {
            trust: 0.4,
            url: "https://access.redhat.com/security/cve/cve-2022-23219",
         },
         {
            trust: 0.4,
            url: "https://access.redhat.com/security/cve/cve-2022-25315",
         },
         {
            trust: 0.4,
            url: "https://nvd.nist.gov/vuln/detail/cve-2021-31566",
         },
         {
            trust: 0.4,
            url: "https://nvd.nist.gov/vuln/detail/cve-2022-22822",
         },
         {
            trust: 0.4,
            url: "https://access.redhat.com/security/cve/cve-2021-45960",
         },
         {
            trust: 0.3,
            url: "https://nvd.nist.gov/vuln/detail/cve-2018-25032",
         },
         {
            trust: 0.3,
            url: "https://nvd.nist.gov/vuln/detail/cve-2022-22825",
         },
         {
            trust: 0.3,
            url: "https://nvd.nist.gov/vuln/detail/cve-2022-22823",
         },
         {
            trust: 0.3,
            url: "https://nvd.nist.gov/vuln/detail/cve-2022-22824",
         },
         {
            trust: 0.3,
            url: "https://access.redhat.com/security/cve/cve-2022-0778",
         },
         {
            trust: 0.3,
            url: "https://nvd.nist.gov/vuln/detail/cve-2022-0361",
         },
         {
            trust: 0.3,
            url: "https://nvd.nist.gov/vuln/detail/cve-2022-0392",
         },
         {
            trust: 0.3,
            url: "https://access.redhat.com/security/cve/cve-2022-0318",
         },
         {
            trust: 0.3,
            url: "https://nvd.nist.gov/vuln/detail/cve-2022-0261",
         },
         {
            trust: 0.3,
            url: "https://nvd.nist.gov/vuln/detail/cve-2022-0359",
         },
         {
            trust: 0.3,
            url: "https://nvd.nist.gov/vuln/detail/cve-2022-0413",
         },
         {
            trust: 0.3,
            url: "https://access.redhat.com/security/cve/cve-2022-0359",
         },
         {
            trust: 0.3,
            url: "https://access.redhat.com/security/cve/cve-2022-0413",
         },
         {
            trust: 0.3,
            url: "https://access.redhat.com/security/cve/cve-2022-0361",
         },
         {
            trust: 0.3,
            url: "https://access.redhat.com/security/cve/cve-2022-0261",
         },
         {
            trust: 0.3,
            url: "https://access.redhat.com/security/cve/cve-2022-0392",
         },
         {
            trust: 0.3,
            url: "https://access.redhat.com/security/updates/classification/#moderate",
         },
         {
            trust: 0.3,
            url: "https://nvd.nist.gov/vuln/detail/cve-2022-0318",
         },
         {
            trust: 0.2,
            url: "https://support.apple.com/downloads/",
         },
         {
            trust: 0.2,
            url: "https://nvd.nist.gov/vuln/detail/cve-2022-22721",
         },
         {
            trust: 0.2,
            url: "https://nvd.nist.gov/vuln/detail/cve-2021-44790",
         },
         {
            trust: 0.2,
            url: "https://nvd.nist.gov/vuln/detail/cve-2022-0530",
         },
         {
            trust: 0.2,
            url: "https://nvd.nist.gov/vuln/detail/cve-2021-44224",
         },
         {
            trust: 0.2,
            url: "https://nvd.nist.gov/vuln/detail/cve-2022-26698",
         },
         {
            trust: 0.2,
            url: "https://nvd.nist.gov/vuln/detail/cve-2022-22719",
         },
         {
            trust: 0.2,
            url: "https://nvd.nist.gov/vuln/detail/cve-2022-26697",
         },
         {
            trust: 0.2,
            url: "https://nvd.nist.gov/vuln/detail/cve-2021-45444",
         },
         {
            trust: 0.2,
            url: "https://nvd.nist.gov/vuln/detail/cve-2022-22720",
         },
         {
            trust: 0.2,
            url: "https://nvd.nist.gov/vuln/detail/cve-2022-26706",
         },
         {
            trust: 0.2,
            url: "https://www.apple.com/support/security/pgp/",
         },
         {
            trust: 0.2,
            url: "https://nvd.nist.gov/vuln/detail/cve-2022-26712",
         },
         {
            trust: 0.2,
            url: "https://support.apple.com/en-us/ht201222.",
         },
         {
            trust: 0.2,
            url: "https://nvd.nist.gov/vuln/detail/cve-2022-23218",
         },
         {
            trust: 0.2,
            url: "https://nvd.nist.gov/vuln/detail/cve-2022-22826",
         },
         {
            trust: 0.2,
            url: "https://access.redhat.com/security/cve/cve-2021-41772",
         },
         {
            trust: 0.2,
            url: "https://nvd.nist.gov/vuln/detail/cve-2022-22827",
         },
         {
            trust: 0.2,
            url: "https://nvd.nist.gov/vuln/detail/cve-2021-41772",
         },
         {
            trust: 0.2,
            url: "https://nvd.nist.gov/vuln/detail/cve-2021-41771",
         },
         {
            trust: 0.2,
            url: "https://access.redhat.com/security/cve/cve-2021-41771",
         },
         {
            trust: 0.2,
            url: "https://nvd.nist.gov/vuln/detail/cve-2021-41190",
         },
         {
            trust: 0.2,
            url: "https://access.redhat.com/security/cve/cve-2021-41190",
         },
         {
            trust: 0.2,
            url: "https://access.redhat.com/security/cve/cve-2022-0536",
         },
         {
            trust: 0.2,
            url: "https://nvd.nist.gov/vuln/detail/cve-2022-0235",
         },
         {
            trust: 0.2,
            url: "https://nvd.nist.gov/vuln/detail/cve-2022-0330",
         },
         {
            trust: 0.2,
            url: "https://nvd.nist.gov/vuln/detail/cve-2022-0516",
         },
         {
            trust: 0.2,
            url: "https://access.redhat.com/security/cve/cve-2022-0516",
         },
         {
            trust: 0.2,
            url: "https://access.redhat.com/security/cve/cve-2022-0330",
         },
         {
            trust: 0.2,
            url: "https://nvd.nist.gov/vuln/detail/cve-2021-0920",
         },
         {
            trust: 0.2,
            url: "https://access.redhat.com/security/cve/cve-2022-22942",
         },
         {
            trust: 0.2,
            url: "https://nvd.nist.gov/vuln/detail/cve-2022-0847",
         },
         {
            trust: 0.2,
            url: "https://nvd.nist.gov/vuln/detail/cve-2022-0155",
         },
         {
            trust: 0.2,
            url: "https://access.redhat.com/security/cve/cve-2021-23566",
         },
         {
            trust: 0.2,
            url: "https://access.redhat.com/security/cve/cve-2021-0920",
         },
         {
            trust: 0.2,
            url: "https://access.redhat.com/security/cve/cve-2022-0155",
         },
         {
            trust: 0.2,
            url: "https://nvd.nist.gov/vuln/detail/cve-2022-0435",
         },
         {
            trust: 0.2,
            url: "https://access.redhat.com/security/cve/cve-2022-0435",
         },
         {
            trust: 0.2,
            url: "https://access.redhat.com/security/cve/cve-2022-0492",
         },
         {
            trust: 0.2,
            url: "https://nvd.nist.gov/vuln/detail/cve-2021-4154",
         },
         {
            trust: 0.2,
            url: "https://access.redhat.com/security/cve/cve-2021-4154",
         },
         {
            trust: 0.2,
            url: "https://access.redhat.com/security/cve/cve-2022-0144",
         },
         {
            trust: 0.2,
            url: "https://nvd.nist.gov/vuln/detail/cve-2021-23566",
         },
         {
            trust: 0.2,
            url: "https://access.redhat.com/security/cve/cve-2022-0235",
         },
         {
            trust: 0.2,
            url: "https://nvd.nist.gov/vuln/detail/cve-2022-0536",
         },
         {
            trust: 0.2,
            url: "https://access.redhat.com/security/cve/cve-2022-0847",
         },
         {
            trust: 0.2,
            url: "https://nvd.nist.gov/vuln/detail/cve-2022-0144",
         },
         {
            trust: 0.2,
            url: "https://nvd.nist.gov/vuln/detail/cve-2022-0492",
         },
         {
            trust: 0.1,
            url: "https://cwe.mitre.org/data/definitions/416.html",
         },
         {
            trust: 0.1,
            url: "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1006489",
         },
         {
            trust: 0.1,
            url: "https://ubuntu.com/security/notices/usn-5422-1",
         },
         {
            trust: 0.1,
            url: "https://nvd.nist.gov",
         },
         {
            trust: 0.1,
            url: "https://www.cisa.gov/news-events/ics-advisories/icsa-23-348-10",
         },
         {
            trust: 0.1,
            url: "https://alas.aws.amazon.com/al2/alas-2022-1826.html",
         },
         {
            trust: 0.1,
            url: "https://nvd.nist.gov/vuln/detail/cve-2021-46059",
         },
         {
            trust: 0.1,
            url: "https://nvd.nist.gov/vuln/detail/cve-2022-22589",
         },
         {
            trust: 0.1,
            url: "https://nvd.nist.gov/vuln/detail/cve-2022-22663",
         },
         {
            trust: 0.1,
            url: "https://nvd.nist.gov/vuln/detail/cve-2022-0128",
         },
         {
            trust: 0.1,
            url: "https://nvd.nist.gov/vuln/detail/cve-2021-4187",
         },
         {
            trust: 0.1,
            url: "https://nvd.nist.gov/vuln/detail/cve-2022-22674",
         },
         {
            trust: 0.1,
            url: "https://support.apple.com/ht213256.",
         },
         {
            trust: 0.1,
            url: "https://nvd.nist.gov/vuln/detail/cve-2021-4193",
         },
         {
            trust: 0.1,
            url: "https://nvd.nist.gov/vuln/detail/cve-2021-4173",
         },
         {
            trust: 0.1,
            url: "https://nvd.nist.gov/vuln/detail/cve-2021-4192",
         },
         {
            trust: 0.1,
            url: "https://nvd.nist.gov/vuln/detail/cve-2021-4136",
         },
         {
            trust: 0.1,
            url: "https://nvd.nist.gov/vuln/detail/cve-2022-22675",
         },
         {
            trust: 0.1,
            url: "https://nvd.nist.gov/vuln/detail/cve-2022-22665",
         },
         {
            trust: 0.1,
            url: "https://nvd.nist.gov/vuln/detail/cve-2021-4166",
         },
         {
            trust: 0.1,
            url: "https://bugs.gentoo.org.",
         },
         {
            trust: 0.1,
            url: "https://security.gentoo.org/",
         },
         {
            trust: 0.1,
            url: "https://nvd.nist.gov/vuln/detail/cve-2022-29824",
         },
         {
            trust: 0.1,
            url: "https://creativecommons.org/licenses/by-sa/2.5",
         },
         {
            trust: 0.1,
            url: "https://nvd.nist.gov/vuln/detail/cve-2022-26701",
         },
         {
            trust: 0.1,
            url: "https://nvd.nist.gov/vuln/detail/cve-2022-26708",
         },
         {
            trust: 0.1,
            url: "https://nvd.nist.gov/vuln/detail/cve-2022-22677",
         },
         {
            trust: 0.1,
            url: "https://nvd.nist.gov/vuln/detail/cve-2022-26714",
         },
         {
            trust: 0.1,
            url: "https://nvd.nist.gov/vuln/detail/cve-2022-26709",
         },
         {
            trust: 0.1,
            url: "https://support.apple.com/ht213257.",
         },
         {
            trust: 0.1,
            url: "https://nvd.nist.gov/vuln/detail/cve-2022-26694",
         },
         {
            trust: 0.1,
            url: "https://nvd.nist.gov/vuln/detail/cve-2022-26700",
         },
         {
            trust: 0.1,
            url: "https://nvd.nist.gov/vuln/detail/cve-2022-26693",
         },
         {
            trust: 0.1,
            url: "https://nvd.nist.gov/vuln/detail/cve-2022-26710",
         },
         {
            trust: 0.1,
            url: "https://nvd.nist.gov/vuln/detail/cve-2022-26715",
         },
         {
            trust: 0.1,
            url: "https://nvd.nist.gov/vuln/detail/cve-2022-26704",
         },
         {
            trust: 0.1,
            url: "https://nvd.nist.gov/vuln/detail/cve-2022-26711",
         },
         {
            trust: 0.1,
            url: "https://access.redhat.com/security/cve/cve-2022-21426",
         },
         {
            trust: 0.1,
            url: "https://nvd.nist.gov/vuln/detail/cve-2022-21443",
         },
         {
            trust: 0.1,
            url: "https://access.redhat.com/security/cve/cve-2022-21476",
         },
         {
            trust: 0.1,
            url: "https://access.redhat.com/security/updates/classification/#low",
         },
         {
            trust: 0.1,
            url: "https://nvd.nist.gov/vuln/detail/cve-2022-23219",
         },
         {
            trust: 0.1,
            url: "https://access.redhat.com/errata/rhsa-2022:1747",
         },
         {
            trust: 0.1,
            url: "https://access.redhat.com/documentation/en-us/openshift_container_platform/4.9/html/serverless/index",
         },
         {
            trust: 0.1,
            url: "https://access.redhat.com/security/cve/cve-2022-21449",
         },
         {
            trust: 0.1,
            url: "https://nvd.nist.gov/vuln/detail/cve-2022-21496",
         },
         {
            trust: 0.1,
            url: "https://access.redhat.com/documentation/en-us/openshift_container_platform/4.8/html/serverless/index",
         },
         {
            trust: 0.1,
            url: "https://nvd.nist.gov/vuln/detail/cve-2022-25235",
         },
         {
            trust: 0.1,
            url: "https://access.redhat.com/documentation/en-us/openshift_container_platform/4.10/html/serverless/index",
         },
         {
            trust: 0.1,
            url: "https://access.redhat.com/security/cve/cve-2022-21496",
         },
         {
            trust: 0.1,
            url: "https://nvd.nist.gov/vuln/detail/cve-2022-23852",
         },
         {
            trust: 0.1,
            url: "https://access.redhat.com/documentation/en-us/openshift_container_platform/4.6/html/serverless/index",
         },
         {
            trust: 0.1,
            url: "https://nvd.nist.gov/vuln/detail/cve-2022-21449",
         },
         {
            trust: 0.1,
            url: "https://nvd.nist.gov/vuln/detail/cve-2022-21434",
         },
         {
            trust: 0.1,
            url: "https://access.redhat.com/security/cve/cve-2022-21443",
         },
         {
            trust: 0.1,
            url: "https://access.redhat.com/security/cve/cve-2022-21434",
         },
         {
            trust: 0.1,
            url: "https://access.redhat.com/security/cve/cve-2018-25032",
         },
         {
            trust: 0.1,
            url: "https://nvd.nist.gov/vuln/detail/cve-2022-21426",
         },
         {
            trust: 0.1,
            url: "https://nvd.nist.gov/vuln/detail/cve-2022-21476",
         },
         {
            trust: 0.1,
            url: "https://access.redhat.com/documentation/en-us/openshift_container_platform/4.7/html/serverless/index",
         },
         {
            trust: 0.1,
            url: "https://docs.openshift.com/container-platform/latest/migration_toolkit_for_containers/installing-mtc.html",
         },
         {
            trust: 0.1,
            url: "https://nvd.nist.gov/vuln/detail/cve-2022-1154",
         },
         {
            trust: 0.1,
            url: "https://access.redhat.com/security/cve/cve-2021-44717",
         },
         {
            trust: 0.1,
            url: "https://nvd.nist.gov/vuln/detail/cve-2021-44717",
         },
         {
            trust: 0.1,
            url: "https://nvd.nist.gov/vuln/detail/cve-2021-44716",
         },
         {
            trust: 0.1,
            url: "https://access.redhat.com/security/cve/cve-2022-1154",
         },
         {
            trust: 0.1,
            url: "https://access.redhat.com/security/cve/cve-2021-44716",
         },
         {
            trust: 0.1,
            url: "https://access.redhat.com/security/cve/cve-2022-25636",
         },
         {
            trust: 0.1,
            url: "https://nvd.nist.gov/vuln/detail/cve-2022-1271",
         },
         {
            trust: 0.1,
            url: "https://access.redhat.com/security/cve/cve-2021-4028",
         },
         {
            trust: 0.1,
            url: "https://docs.openshift.com/container-platform/4.10/migration_toolkit_for_containers/mtc-release-notes.html",
         },
         {
            trust: 0.1,
            url: "https://access.redhat.com/errata/rhsa-2022:1734",
         },
         {
            trust: 0.1,
            url: "https://nvd.nist.gov/vuln/detail/cve-2021-4028",
         },
         {
            trust: 0.1,
            url: "https://access.redhat.com/security/cve/cve-2022-1271",
         },
         {
            trust: 0.1,
            url: "https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.4/html/release_notes/",
         },
         {
            trust: 0.1,
            url: "https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.4/html/release_notes/index",
         },
         {
            trust: 0.1,
            url: "https://access.redhat.com/security/cve/cve-2022-0811",
         },
         {
            trust: 0.1,
            url: "https://access.redhat.com/security/cve/cve-2022-27191",
         },
         {
            trust: 0.1,
            url: "https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.4/html-single/install/index#installing",
         },
         {
            trust: 0.1,
            url: "https://access.redhat.com/errata/rhsa-2022:1476",
         },
         {
            trust: 0.1,
            url: "https://access.redhat.com/security/cve/cve-2022-24778",
         },
         {
            trust: 0.1,
            url: "https://access.redhat.com/security/cve/cve-2022-24450",
         },
         {
            trust: 0.1,
            url: "https://access.redhat.com/security/cve/cve-2021-43565",
         },
         {
            trust: 0.1,
            url: "https://nvd.nist.gov/vuln/detail/cve-2022-0811",
         },
         {
            trust: 0.1,
            url: "https://nvd.nist.gov/vuln/detail/cve-2021-43565",
         },
         {
            trust: 0.1,
            url: "https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.3/html-single/install/index#installing",
         },
         {
            trust: 0.1,
            url: "https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.3/html/release_notes/index",
         },
         {
            trust: 0.1,
            url: "https://access.redhat.com/errata/rhsa-2022:1083",
         },
         {
            trust: 0.1,
            url: "https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.3/html/release_notes/",
         },
      ],
      sources: [
         {
            db: "VULHUB",
            id: "VHN-412332",
         },
         {
            db: "VULMON",
            id: "CVE-2022-23308",
         },
         {
            db: "PACKETSTORM",
            id: "167188",
         },
         {
            db: "PACKETSTORM",
            id: "168719",
         },
         {
            db: "PACKETSTORM",
            id: "167186",
         },
         {
            db: "PACKETSTORM",
            id: "167008",
         },
         {
            db: "PACKETSTORM",
            id: "166976",
         },
         {
            db: "PACKETSTORM",
            id: "166812",
         },
         {
            db: "PACKETSTORM",
            id: "166516",
         },
         {
            db: "CNNVD",
            id: "CNNVD-202202-1722",
         },
         {
            db: "NVD",
            id: "CVE-2022-23308",
         },
      ],
   },
   sources: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/sources#",
         data: {
            "@container": "@list",
         },
      },
      data: [
         {
            db: "VULHUB",
            id: "VHN-412332",
         },
         {
            db: "VULMON",
            id: "CVE-2022-23308",
         },
         {
            db: "PACKETSTORM",
            id: "167188",
         },
         {
            db: "PACKETSTORM",
            id: "168719",
         },
         {
            db: "PACKETSTORM",
            id: "167186",
         },
         {
            db: "PACKETSTORM",
            id: "167008",
         },
         {
            db: "PACKETSTORM",
            id: "166976",
         },
         {
            db: "PACKETSTORM",
            id: "166812",
         },
         {
            db: "PACKETSTORM",
            id: "166516",
         },
         {
            db: "CNNVD",
            id: "CNNVD-202202-1722",
         },
         {
            db: "NVD",
            id: "CVE-2022-23308",
         },
      ],
   },
   sources_release_date: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
         data: {
            "@container": "@list",
         },
      },
      data: [
         {
            date: "2022-02-26T00:00:00",
            db: "VULHUB",
            id: "VHN-412332",
         },
         {
            date: "2022-02-26T00:00:00",
            db: "VULMON",
            id: "CVE-2022-23308",
         },
         {
            date: "2022-05-17T16:59:42",
            db: "PACKETSTORM",
            id: "167188",
         },
         {
            date: "2022-10-17T13:50:28",
            db: "PACKETSTORM",
            id: "168719",
         },
         {
            date: "2022-05-17T16:58:15",
            db: "PACKETSTORM",
            id: "167186",
         },
         {
            date: "2022-05-10T14:49:09",
            db: "PACKETSTORM",
            id: "167008",
         },
         {
            date: "2022-05-05T17:35:22",
            db: "PACKETSTORM",
            id: "166976",
         },
         {
            date: "2022-04-21T15:12:25",
            db: "PACKETSTORM",
            id: "166812",
         },
         {
            date: "2022-03-29T15:53:19",
            db: "PACKETSTORM",
            id: "166516",
         },
         {
            date: "2022-02-21T00:00:00",
            db: "CNNVD",
            id: "CNNVD-202202-1722",
         },
         {
            date: "2022-02-26T05:15:08.280000",
            db: "NVD",
            id: "CVE-2022-23308",
         },
      ],
   },
   sources_update_date: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
         data: {
            "@container": "@list",
         },
      },
      data: [
         {
            date: "2022-11-02T00:00:00",
            db: "VULHUB",
            id: "VHN-412332",
         },
         {
            date: "2023-11-07T00:00:00",
            db: "VULMON",
            id: "CVE-2022-23308",
         },
         {
            date: "2023-06-30T00:00:00",
            db: "CNNVD",
            id: "CNNVD-202202-1722",
         },
         {
            date: "2024-11-21T06:48:22.940000",
            db: "NVD",
            id: "CVE-2022-23308",
         },
      ],
   },
   threat_type: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/threat_type#",
         sources: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/ref/sources#",
            },
         },
      },
      data: "remote",
      sources: [
         {
            db: "CNNVD",
            id: "CNNVD-202202-1722",
         },
      ],
      trust: 0.6,
   },
   title: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/title#",
         sources: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/ref/sources#",
            },
         },
      },
      data: "libxml2 Resource Management Error Vulnerability",
      sources: [
         {
            db: "CNNVD",
            id: "CNNVD-202202-1722",
         },
      ],
      trust: 0.6,
   },
   type: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/type#",
         sources: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/ref/sources#",
            },
         },
      },
      data: "resource management error",
      sources: [
         {
            db: "CNNVD",
            id: "CNNVD-202202-1722",
         },
      ],
      trust: 0.6,
   },
}

var-201902-0192
Vulnerability from variot

If an application encounters a fatal protocol error and then calls SSL_shutdown() twice (once to send a close_notify, and once to receive one) then OpenSSL can respond differently to the calling application if a 0 byte record is received with invalid padding compared to if a 0 byte record is received with an invalid MAC. If the application then behaves differently based on that in a way that is detectable to the remote peer, then this amounts to a padding oracle that could be used to decrypt data. In order for this to be exploitable "non-stitched" ciphersuites must be in use. Stitched ciphersuites are optimised implementations of certain commonly used ciphersuites. Also the application must call SSL_shutdown() twice even if a protocol error has occurred (applications should not do this but some do anyway). Fixed in OpenSSL 1.0.2r (Affected 1.0.2-1.0.2q). OpenSSL contains an information disclosure vulnerability. Information may be obtained. The product supports a variety of encryption algorithms, including symmetric ciphers, hash algorithms, secure hash algorithms, etc. A vulnerability in OpenSSL could allow an unauthenticated, remote malicious user to access sensitive information on a targeted system. An attacker who is able to perform man-in-the-middle attacks could exploit the vulnerability by persuading a user to access a link that submits malicious input to the affected software. A successful exploit could allow the malicious user to intercept and modify the browser requests and then observe the server behavior in order to conduct a padding oracle attack and decrypt sensitive information.

This issue was discovered by Juraj Somorovsky, Robert Merget and Nimrod Aviram, with additional investigation by Steven Collison and Andrew Hourselt. It was reported to OpenSSL on 10th December 2018.

Note: Advisory updated to make it clearer that AEAD ciphersuites are not impacted.

Note

OpenSSL 1.0.2 and 1.1.0 are currently only receiving security updates. Support for 1.0.2 will end on 31st December 2019. Support for 1.1.0 will end on 11th September 2019. Users of these versions should upgrade to OpenSSL 1.1.1.

References

URL for this Security Advisory: https://www.openssl.org/news/secadv/20190226.txt

Note: the online version of the advisory may be updated with additional details over time.

For details of OpenSSL severity classifications please see: https://www.openssl.org/policies/secpolicy.html . The appliance is available to download as an OVA file from the Customer Portal.

For the stable distribution (stretch), this problem has been fixed in version 1.0.2r-1~deb9u1.

For the detailed security status of openssl1.0 please refer to its security tracker page at: https://security-tracker.debian.org/tracker/openssl1.0

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org -----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAlx4WgkACgkQEMKTtsN8 TjZZCQ//UdQ3Bi/ZSQJ2yzW7MkbuaHla53iUhztTy2Zrype++NX4tXqqBl+xY9Eu 1D747Y1c2GZ949UaPbIvp8wLCvvxR5A4Tmx4sU3ZOOHXrlsZ5loYg66MslGUOMOU z7zaqXTg3as8wfD6ND5Zd4tP0iLyst8Vyi0W7PuFovLoPAc3/XcMaXghSwabs+JY 3KZuB4UlbOiEnO+6Mf5ghWQYBtN7y/QAVNWREfLmhpx2UY8F7Ia28bR9pXknxkl5 RuN9WH2BtXI4/JiL0TlkAua51NE+vXciPv+Dh4gkQNPWF/rfL9IL5AxjrgojysHf OhZaDcYpOPCXZmiA49JOXJOrIw73Zd9NZmgA1ZXQY1ECQDJ8dB9mSJj1KsUId+Id eTbRRbWwpzSQd5qc4h4NKjeIwA04a3JecDibD3pwf3+qn9sw8xQ/rfAl2byGRbEN FUDT65AIw4CFQDJeIE/vBZqCFhY2aIbRoibpZnp0XsROkw8xKQiH0Kgo7gjsoozT wHYK/rlvaZwbnLG7E8pUUj9Xr8OM9Wn/y7kzyHVekGUcDef3F1pPJ9CYsdppx+Zv MkoFNxc9GZ+Kn2i4l14I3hvwQ4Sy3owNjnTYFQ28yd+MRZoMw+nyXW1i7OCu+KFH 7OQkd5qNDh8iotsaUKT0DQOOL74UDgEPv2x02ahujRl+I3YDDdM=NRWo -----END PGP SIGNATURE----- . ========================================================================== Ubuntu Security Notice USN-4376-2 July 09, 2020

openssl vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 14.04 ESM
  • Ubuntu 12.04 ESM

Summary:

Several security issues were fixed in OpenSSL. This update provides the corresponding update for Ubuntu 12.04 ESM and Ubuntu 14.04 ESM.

Original advisory details:

Cesar Pereida García, Sohaib ul Hassan, Nicola Tuveri, Iaroslav Gridin, Alejandro Cabrera Aldaya, and Billy Brumley discovered that OpenSSL incorrectly handled ECDSA signatures. An attacker could possibly use this issue to perform a timing side-channel attack and recover private ECDSA keys. A remote attacker could possibly use this issue to decrypt data. (CVE-2019-1559)

Bernd Edlinger discovered that OpenSSL incorrectly handled certain decryption functions. (CVE-2019-1563)

Update instructions:

The problem can be corrected by updating your system to the following package versions:

Ubuntu 14.04 ESM: libssl1.0.0 1.0.1f-1ubuntu2.27+esm1

Ubuntu 12.04 ESM: libssl1.0.0 1.0.1-4ubuntu5.44

After a standard system update you need to reboot your computer to make all the necessary changes. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 201903-10

                                       https://security.gentoo.org/

Severity: Normal Title: OpenSSL: Multiple vulnerabilities Date: March 14, 2019 Bugs: #673056, #678564 ID: 201903-10

Synopsis

Multiple Information Disclosure vulnerabilities in OpenSSL allow attackers to obtain sensitive information.

Affected packages

-------------------------------------------------------------------
 Package              /     Vulnerable     /            Unaffected
-------------------------------------------------------------------

1 dev-libs/openssl < 1.0.2r >= 1.0.2r

Description

Multiple vulnerabilities have been discovered in OpenSSL. Please review the CVE identifiers referenced below for details.

Impact

A remote attacker could obtain sensitive information, owing to the failure to immediately close the TCP connection after the hosts encounter a zero-length record with valid padding.

A local attacker could run a malicious process next to legitimate processes using the architecture's parallel thread running capabilities to leak encrypted data from the CPU's internal processes.

Workaround

There is no known workaround at this time.

Resolution

All OpenSSL users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-libs/openssl-1.0.2r"

References

[ 1 ] CVE-2018-5407 https://nvd.nist.gov/vuln/detail/CVE-2018-5407 [ 2 ] CVE-2019-1559 https://nvd.nist.gov/vuln/detail/CVE-2019-1559

Availability

This GLSA and any updates to it are available for viewing at the Gentoo Security Website:

https://security.gentoo.org/glsa/201903-10

Concerns?

Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org.

License

Copyright 2019 Gentoo Foundation, Inc; referenced text belongs to its owner(s).

The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5 . 6) - i386, x86_64

  1. Description:

Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web applications. It is comprised of the Apache Tomcat Servlet container, JBoss HTTP Connector (mod_cluster), the PicketLink Vault extension for Apache Tomcat, and the Tomcat Native library. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256

====================================================================
Red Hat Security Advisory

Synopsis: Moderate: openssl security and bug fix update Advisory ID: RHSA-2019:2304-01 Product: Red Hat Enterprise Linux Advisory URL: https://access.redhat.com/errata/RHSA-2019:2304 Issue date: 2019-08-06 CVE Names: CVE-2018-0734 CVE-2019-1559 ==================================================================== 1. Summary:

An update for openssl is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

  1. Relevant releases/architectures:

Red Hat Enterprise Linux Client (v. 7) - x86_64 Red Hat Enterprise Linux Client Optional (v. 7) - x86_64 Red Hat Enterprise Linux ComputeNode (v. 7) - x86_64 Red Hat Enterprise Linux ComputeNode Optional (v. 7) - x86_64 Red Hat Enterprise Linux Server (v. 7) - ppc64, ppc64le, s390x, x86_64 Red Hat Enterprise Linux Server Optional (v. 7) - ppc64, ppc64le, s390x, x86_64 Red Hat Enterprise Linux Workstation (v. 7) - x86_64 Red Hat Enterprise Linux Workstation Optional (v. 7) - x86_64

  1. Description:

OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols, as well as a full-strength general-purpose cryptography library.

Security Fix(es):

  • openssl: 0-byte record padding oracle (CVE-2019-1559)

  • openssl: timing side channel attack in the DSA signature algorithm (CVE-2018-0734)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.7 Release Notes linked from the References section.

  1. Solution:

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

For the update to take effect, all services linked to the OpenSSL library must be restarted, or the system rebooted.

  5. Bugs fixed (https://bugzilla.redhat.com/):

1644364 - CVE-2018-0734 openssl: timing side channel attack in the DSA signature algorithm
1649568 - openssl: microarchitectural and timing side channel padding oracle attack against RSA
1683804 - CVE-2019-1559 openssl: 0-byte record padding oracle

  6. Package List:

Red Hat Enterprise Linux Client (v. 7):

Source: openssl-1.0.2k-19.el7.src.rpm

x86_64: openssl-1.0.2k-19.el7.x86_64.rpm openssl-debuginfo-1.0.2k-19.el7.i686.rpm openssl-debuginfo-1.0.2k-19.el7.x86_64.rpm openssl-libs-1.0.2k-19.el7.i686.rpm openssl-libs-1.0.2k-19.el7.x86_64.rpm

Red Hat Enterprise Linux Client Optional (v. 7):

x86_64: openssl-debuginfo-1.0.2k-19.el7.i686.rpm openssl-debuginfo-1.0.2k-19.el7.x86_64.rpm openssl-devel-1.0.2k-19.el7.i686.rpm openssl-devel-1.0.2k-19.el7.x86_64.rpm openssl-perl-1.0.2k-19.el7.x86_64.rpm openssl-static-1.0.2k-19.el7.i686.rpm openssl-static-1.0.2k-19.el7.x86_64.rpm

Red Hat Enterprise Linux ComputeNode (v. 7):

Source: openssl-1.0.2k-19.el7.src.rpm

x86_64: openssl-1.0.2k-19.el7.x86_64.rpm openssl-debuginfo-1.0.2k-19.el7.i686.rpm openssl-debuginfo-1.0.2k-19.el7.x86_64.rpm openssl-libs-1.0.2k-19.el7.i686.rpm openssl-libs-1.0.2k-19.el7.x86_64.rpm

Red Hat Enterprise Linux ComputeNode Optional (v. 7):

x86_64: openssl-debuginfo-1.0.2k-19.el7.i686.rpm openssl-debuginfo-1.0.2k-19.el7.x86_64.rpm openssl-devel-1.0.2k-19.el7.i686.rpm openssl-devel-1.0.2k-19.el7.x86_64.rpm openssl-perl-1.0.2k-19.el7.x86_64.rpm openssl-static-1.0.2k-19.el7.i686.rpm openssl-static-1.0.2k-19.el7.x86_64.rpm

Red Hat Enterprise Linux Server (v. 7):

Source: openssl-1.0.2k-19.el7.src.rpm

ppc64: openssl-1.0.2k-19.el7.ppc64.rpm openssl-debuginfo-1.0.2k-19.el7.ppc.rpm openssl-debuginfo-1.0.2k-19.el7.ppc64.rpm openssl-devel-1.0.2k-19.el7.ppc.rpm openssl-devel-1.0.2k-19.el7.ppc64.rpm openssl-libs-1.0.2k-19.el7.ppc.rpm openssl-libs-1.0.2k-19.el7.ppc64.rpm

ppc64le: openssl-1.0.2k-19.el7.ppc64le.rpm openssl-debuginfo-1.0.2k-19.el7.ppc64le.rpm openssl-devel-1.0.2k-19.el7.ppc64le.rpm openssl-libs-1.0.2k-19.el7.ppc64le.rpm

s390x: openssl-1.0.2k-19.el7.s390x.rpm openssl-debuginfo-1.0.2k-19.el7.s390.rpm openssl-debuginfo-1.0.2k-19.el7.s390x.rpm openssl-devel-1.0.2k-19.el7.s390.rpm openssl-devel-1.0.2k-19.el7.s390x.rpm openssl-libs-1.0.2k-19.el7.s390.rpm openssl-libs-1.0.2k-19.el7.s390x.rpm

x86_64: openssl-1.0.2k-19.el7.x86_64.rpm openssl-debuginfo-1.0.2k-19.el7.i686.rpm openssl-debuginfo-1.0.2k-19.el7.x86_64.rpm openssl-devel-1.0.2k-19.el7.i686.rpm openssl-devel-1.0.2k-19.el7.x86_64.rpm openssl-libs-1.0.2k-19.el7.i686.rpm openssl-libs-1.0.2k-19.el7.x86_64.rpm

Red Hat Enterprise Linux Server Optional (v. 7):

ppc64: openssl-debuginfo-1.0.2k-19.el7.ppc.rpm openssl-debuginfo-1.0.2k-19.el7.ppc64.rpm openssl-perl-1.0.2k-19.el7.ppc64.rpm openssl-static-1.0.2k-19.el7.ppc.rpm openssl-static-1.0.2k-19.el7.ppc64.rpm

ppc64le: openssl-debuginfo-1.0.2k-19.el7.ppc64le.rpm openssl-perl-1.0.2k-19.el7.ppc64le.rpm openssl-static-1.0.2k-19.el7.ppc64le.rpm

s390x: openssl-debuginfo-1.0.2k-19.el7.s390.rpm openssl-debuginfo-1.0.2k-19.el7.s390x.rpm openssl-perl-1.0.2k-19.el7.s390x.rpm openssl-static-1.0.2k-19.el7.s390.rpm openssl-static-1.0.2k-19.el7.s390x.rpm

x86_64: openssl-debuginfo-1.0.2k-19.el7.i686.rpm openssl-debuginfo-1.0.2k-19.el7.x86_64.rpm openssl-perl-1.0.2k-19.el7.x86_64.rpm openssl-static-1.0.2k-19.el7.i686.rpm openssl-static-1.0.2k-19.el7.x86_64.rpm

Red Hat Enterprise Linux Workstation (v. 7):

Source: openssl-1.0.2k-19.el7.src.rpm

x86_64: openssl-1.0.2k-19.el7.x86_64.rpm openssl-debuginfo-1.0.2k-19.el7.i686.rpm openssl-debuginfo-1.0.2k-19.el7.x86_64.rpm openssl-devel-1.0.2k-19.el7.i686.rpm openssl-devel-1.0.2k-19.el7.x86_64.rpm openssl-libs-1.0.2k-19.el7.i686.rpm openssl-libs-1.0.2k-19.el7.x86_64.rpm

Red Hat Enterprise Linux Workstation Optional (v. 7):

x86_64: openssl-debuginfo-1.0.2k-19.el7.i686.rpm openssl-debuginfo-1.0.2k-19.el7.x86_64.rpm openssl-perl-1.0.2k-19.el7.x86_64.rpm openssl-static-1.0.2k-19.el7.i686.rpm openssl-static-1.0.2k-19.el7.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/

  7. References:

https://access.redhat.com/security/cve/CVE-2018-0734
https://access.redhat.com/security/cve/CVE-2019-1559
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/7.7_release_notes/index

  8. Contact:

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/

Copyright 2019 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1

iQIVAwUBXUl3otzjgjWX9erEAQgZQQ//XNcjRJGLVmjAzbVGiwxEqfFUvDVNiu97 fW0vLXuV9TnQTveOVqOAWmmMv2iShkVIRPDvzlOfUsYrrDEYHKr0N38R/fhDEZsM WQrJh54WK9IjEGNevLTCePKMhVuII1WnHrLDwZ6hxYGdcap/sJrf+N428b5LvHbM B39vWl3vqJYXoiI5dmIYL8ko2SfLms5Cg+dR0hLrNohf9gK2La+jhWb/j2xw6X6q /LXw5+hi/G+USbnNFfjt9G0fNjMMZRX2bukUvY6UWJRYTOXpIUOFqqp5w9zgM7tZ uX7TMTC9xe6te4mBCAFDdt+kYYLYSHfSkFlFq+S7V0MY8DmnIzqBJE4lJIDTVp9F JbrMIPs9G5jdnzPUKZw/gH9WLgka8Q8AYI+KA2xSxFX9VZ20Z+EDDC9/4uwj3i0A gLeIB68OwD70jn4sjuQqizr7TCviQhTUoKVd/mTBAxSEFZLcE8Sy/BEYxLPm81z0 veL16l6pmfg9uLac4V576ImfYNWlBEnJspA5E9K5CqQRPuZpCQFov7/D17Qm8v/x IcVKUaXiGquBwzHmIsD5lTCpl7CrGoU1PfNJ6Y/4xrVFOh1DLA4y6nnfysyO9eZx zBfuYS2VmfIq/tp1CjagI/DmJC4ezXeE4Phq9jm0EBASXtnLzVmc5j7kkqWjCcfm BtpJTAdr1kE=7kKR -----END PGP SIGNATURE-----

-- RHSA-announce mailing list RHSA-announce@redhat.com https://www.redhat.com/mailman/listinfo/rhsa-announce

These packages include redhat-release-virtualization-host, ovirt-node, and rhev-hypervisor. RHVH features a Cockpit user interface for monitoring the host's resources and performing administrative tasks.

The following packages have been upgraded to a later upstream version: imgbased (1.1.9), ovirt-node-ng (4.3.5), redhat-release-virtualization-host (4.3.5), redhat-virtualization-host (4.3.5).

Bugs fixed (https://bugzilla.redhat.com/):

1640820 - CVE-2018-16838 sssd: improper implementation of GPOs due to too restrictive permissions
1658366 - CVE-2018-16881 rsyslog: imptcp: integer overflow when Octet-Counted TCP Framing is enabled
1683804 - CVE-2019-1559 openssl: 0-byte record padding oracle
1687920 - RHVH fails to reinstall if required size is exceeding the available disk space due to anaconda bug
1694065 - CVE-2019-0161 edk2: stack overflow in XHCI causing denial of service
1702223 - Rebase RHV-H on RHEL 7.7
1709829 - CVE-2019-10139 cockpit-ovirt: admin and appliance passwords saved in plain text variable file during HE deployment
1718388 - CVE-2019-10160 python: regression of CVE-2019-9636 due to functional fix to allow port numbers in netloc
1720156 - RHVH 4.3.4 version info is incorrect in plymouth and "/etc/os-release"
1720160 - RHVH 4.3.4: Incorrect info in /etc/system-release-cpe
1720310 - RHV-H post-installation scripts failing, due to existing tags
1720434 - RHVH 7.7 brand is wrong in Anaconda GUI.
1720435 - Failed to install RHVH 7.7
1720436 - RHVH 7.7 should based on RHEL 7.7 server but not workstation.
1724044 - Failed dependencies occur during install systemtap package.
1726534 - dhclient fails to load libdns-export.so.1102 after upgrade if the user installed library is not persisted on the new layer
1727007 - Update RHVH 7.7 branding with new Red Hat logo
1727859 - Failed to boot after upgrading a host with a custom kernel
1728998 - "nodectl info" displays error after RHVH installation
1729023 - The error message is inappropriate when run imgbase layout --init on current layout

Here are the details from the Slackware 14.2 ChangeLog:
+--------------------------+
patches/packages/openssl-1.0.2r-i586-1_slack14.2.txz: Upgraded.
  Go into the error state if a fatal alert is sent or received.
  For more information, see:
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1559
  ( Security fix )
patches/packages/openssl-solibs-1.0.2r-i586-1_slack14.2.txz: Upgraded.
+--------------------------+

Where to find the new packages: +-----------------------------+

Thanks to the friendly folks at the OSU Open Source Lab (http://osuosl.org) for donating FTP and rsync hosting to the Slackware project! :-)

Also see the "Get Slack" section on http://slackware.com for additional mirror sites near you.

Updated packages for Slackware 14.2: ftp://ftp.slackware.com/pub/slackware/slackware-14.2/patches/packages/openssl-1.0.2r-i586-1_slack14.2.txz ftp://ftp.slackware.com/pub/slackware/slackware-14.2/patches/packages/openssl-solibs-1.0.2r-i586-1_slack14.2.txz

Updated packages for Slackware x86_64 14.2: ftp://ftp.slackware.com/pub/slackware/slackware64-14.2/patches/packages/openssl-1.0.2r-x86_64-1_slack14.2.txz ftp://ftp.slackware.com/pub/slackware/slackware64-14.2/patches/packages/openssl-solibs-1.0.2r-x86_64-1_slack14.2.txz

MD5 signatures: +-------------+

Slackware 14.2 packages:
b23a71963648d515630497f203eefab8 openssl-1.0.2r-i586-1_slack14.2.txz
8b04a9be9b78052791f02428be44a639 openssl-solibs-1.0.2r-i586-1_slack14.2.txz

Slackware x86_64 14.2 packages:
c183c2ad507a65020f13c0dc154c0b11 openssl-1.0.2r-x86_64-1_slack14.2.txz
d656915855edd6365636ac558b8180cb openssl-solibs-1.0.2r-x86_64-1_slack14.2.txz

Installation instructions: +------------------------+

Upgrade the packages as root:

upgradepkg openssl-1.0.2r-i586-1_slack14.2.txz openssl-solibs-1.0.2r-i586-1_slack14.2.txz

+-----+

Slackware Linux Security Team http://slackware.com/gpg-key security@slackware.com




{
   "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
      affected_products: {
         "@id": "https://www.variotdbs.pl/ref/affected_products",
      },
      configurations: {
         "@id": "https://www.variotdbs.pl/ref/configurations",
      },
      credits: {
         "@id": "https://www.variotdbs.pl/ref/credits",
      },
      cvss: {
         "@id": "https://www.variotdbs.pl/ref/cvss/",
      },
      description: {
         "@id": "https://www.variotdbs.pl/ref/description/",
      },
      exploit_availability: {
         "@id": "https://www.variotdbs.pl/ref/exploit_availability/",
      },
      external_ids: {
         "@id": "https://www.variotdbs.pl/ref/external_ids/",
      },
      iot: {
         "@id": "https://www.variotdbs.pl/ref/iot/",
      },
      iot_taxonomy: {
         "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/",
      },
      patch: {
         "@id": "https://www.variotdbs.pl/ref/patch/",
      },
      problemtype_data: {
         "@id": "https://www.variotdbs.pl/ref/problemtype_data/",
      },
      references: {
         "@id": "https://www.variotdbs.pl/ref/references/",
      },
      sources: {
         "@id": "https://www.variotdbs.pl/ref/sources/",
      },
      sources_release_date: {
         "@id": "https://www.variotdbs.pl/ref/sources_release_date/",
      },
      sources_update_date: {
         "@id": "https://www.variotdbs.pl/ref/sources_update_date/",
      },
      threat_type: {
         "@id": "https://www.variotdbs.pl/ref/threat_type/",
      },
      title: {
         "@id": "https://www.variotdbs.pl/ref/title/",
      },
      type: {
         "@id": "https://www.variotdbs.pl/ref/type/",
      },
   },
   "@id": "https://www.variotdbs.pl/vuln/VAR-201902-0192",
   affected_products: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/affected_products#",
         data: {
            "@container": "@list",
         },
         sources: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/ref/sources#",
            },
            "@id": "https://www.variotdbs.pl/ref/sources",
         },
      },
      data: [
         {
            model: "big-ip global traffic manager",
            scope: "lte",
            trust: 1,
            vendor: "f5",
            version: "14.1.2",
         },
         {
            model: "communications session border controller",
            scope: "eq",
            trust: 1,
            vendor: "oracle",
            version: "8.0.0",
         },
         {
            model: "big-ip domain name system",
            scope: "gte",
            trust: 1,
            vendor: "f5",
            version: "13.0.0",
         },
         {
            model: "big-ip webaccelerator",
            scope: "lte",
            trust: 1,
            vendor: "f5",
            version: "15.1.0",
         },
         {
            model: "big-ip edge gateway",
            scope: "lte",
            trust: 1,
            vendor: "f5",
            version: "14.1.2",
         },
         {
            model: "a320",
            scope: "eq",
            trust: 1,
            vendor: "netapp",
            version: null,
         },
         {
            model: "enterprise linux server",
            scope: "eq",
            trust: 1,
            vendor: "redhat",
            version: "7.0",
         },
         {
            model: "big-ip local traffic manager",
            scope: "lte",
            trust: 1,
            vendor: "f5",
            version: "14.1.2",
         },
         {
            model: "big-ip webaccelerator",
            scope: "gte",
            trust: 1,
            vendor: "f5",
            version: "14.0.0",
         },
         {
            model: "jd edwards world security",
            scope: "eq",
            trust: 1,
            vendor: "oracle",
            version: "a9.4",
         },
         {
            model: "big-ip fraud protection service",
            scope: "lte",
            trust: 1,
            vendor: "f5",
            version: "15.1.0",
         },
         {
            model: "communications diameter signaling router",
            scope: "eq",
            trust: 1,
            vendor: "oracle",
            version: "8.2",
         },
         {
            model: "service processor",
            scope: "eq",
            trust: 1,
            vendor: "netapp",
            version: null,
         },
         {
            model: "big-ip policy enforcement manager",
            scope: "gte",
            trust: 1,
            vendor: "f5",
            version: "13.0.0",
         },
         {
            model: "big-ip access policy manager",
            scope: "lte",
            trust: 1,
            vendor: "f5",
            version: "14.1.2",
         },
         {
            model: "big-ip domain name system",
            scope: "lte",
            trust: 1,
            vendor: "f5",
            version: "13.1.3",
         },
         {
            model: "communications diameter signaling router",
            scope: "eq",
            trust: 1,
            vendor: "oracle",
            version: "8.0.0",
         },
         {
            model: "big-ip advanced firewall manager",
            scope: "lte",
            trust: 1,
            vendor: "f5",
            version: "14.1.2",
         },
         {
            model: "node.js",
            scope: "gte",
            trust: 1,
            vendor: "nodejs",
            version: "6.0.0",
         },
         {
            model: "big-ip access policy manager",
            scope: "gte",
            trust: 1,
            vendor: "f5",
            version: "12.1.0",
         },
         {
            model: "big-ip application security manager",
            scope: "gte",
            trust: 1,
            vendor: "f5",
            version: "15.0.0",
         },
         {
            model: "node.js",
            scope: "lt",
            trust: 1,
            vendor: "nodejs",
            version: "6.17.0",
         },
         {
            model: "snapprotect",
            scope: "eq",
            trust: 1,
            vendor: "netapp",
            version: null,
         },
         {
            model: "data exchange layer",
            scope: "lt",
            trust: 1,
            vendor: "mcafee",
            version: "6.0.0",
         },
         {
            model: "big-ip application acceleration manager",
            scope: "lte",
            trust: 1,
            vendor: "f5",
            version: "15.1.0",
         },
         {
            model: "big-ip analytics",
            scope: "lte",
            trust: 1,
            vendor: "f5",
            version: "13.1.3",
         },
         {
            model: "node.js",
            scope: "lt",
            trust: 1,
            vendor: "nodejs",
            version: "8.15.1",
         },
         {
            model: "communications diameter signaling router",
            scope: "eq",
            trust: 1,
            vendor: "oracle",
            version: "8.1",
         },
         {
            model: "clustered data ontap antivirus connector",
            scope: "eq",
            trust: 1,
            vendor: "netapp",
            version: null,
         },
         {
            model: "big-ip analytics",
            scope: "gte",
            trust: 1,
            vendor: "f5",
            version: "14.0.0",
         },
         {
            model: "big-ip global traffic manager",
            scope: "lte",
            trust: 1,
            vendor: "f5",
            version: "15.1.0",
         },
         {
            model: "big-ip link controller",
            scope: "lte",
            trust: 1,
            vendor: "f5",
            version: "14.1.2",
         },
         {
            model: "big-ip webaccelerator",
            scope: "gte",
            trust: 1,
            vendor: "f5",
            version: "15.0.0",
         },
         {
            model: "big-ip application security manager",
            scope: "lte",
            trust: 1,
            vendor: "f5",
            version: "12.1.5",
         },
         {
            model: "ubuntu linux",
            scope: "eq",
            trust: 1,
            vendor: "canonical",
            version: "18.04",
         },
         {
            model: "big-ip edge gateway",
            scope: "lte",
            trust: 1,
            vendor: "f5",
            version: "15.1.0",
         },
         {
            model: "big-ip global traffic manager",
            scope: "gte",
            trust: 1,
            vendor: "f5",
            version: "14.0.0",
         },
         {
            model: "leap",
            scope: "eq",
            trust: 1,
            vendor: "opensuse",
            version: "15.0",
         },
         {
            model: "communications session router",
            scope: "eq",
            trust: 1,
            vendor: "oracle",
            version: "8.2",
         },
         {
            model: "big-ip local traffic manager",
            scope: "lte",
            trust: 1,
            vendor: "f5",
            version: "15.1.0",
         },
         {
            model: "fas2720",
            scope: "eq",
            trust: 1,
            vendor: "netapp",
            version: null,
         },
         {
            model: "mysql",
            scope: "gte",
            trust: 1,
            vendor: "oracle",
            version: "5.7.0",
         },
         {
            model: "big-ip fraud protection service",
            scope: "gte",
            trust: 1,
            vendor: "f5",
            version: "12.1.0",
         },
         {
            model: "big-ip advanced firewall manager",
            scope: "gte",
            trust: 1,
            vendor: "f5",
            version: "13.0.0",
         },
         {
            model: "big-ip access policy manager",
            scope: "lte",
            trust: 1,
            vendor: "f5",
            version: "15.1.0",
         },
         {
            model: "big-ip application acceleration manager",
            scope: "gte",
            trust: 1,
            vendor: "f5",
            version: "12.1.0",
         },
         {
            model: "big-ip advanced firewall manager",
            scope: "lte",
            trust: 1,
            vendor: "f5",
            version: "15.1.0",
         },
         {
            model: "communications diameter signaling router",
            scope: "eq",
            trust: 1,
            vendor: "oracle",
            version: "8.4",
         },
         {
            model: "enterprise manager base platform",
            scope: "eq",
            trust: 1,
            vendor: "oracle",
            version: "12.1.0.5.0",
         },
         {
            model: "enterprise manager base platform",
            scope: "eq",
            trust: 1,
            vendor: "oracle",
            version: "13.3.0.0.0",
         },
         {
            model: "nessus",
            scope: "lte",
            trust: 1,
            vendor: "tenable",
            version: "8.2.3",
         },
         {
            model: "oncommand unified manager core package",
            scope: "eq",
            trust: 1,
            vendor: "netapp",
            version: null,
         },
         {
            model: "big-ip application security manager",
            scope: "gte",
            trust: 1,
            vendor: "f5",
            version: "14.0.0",
         },
         {
            model: "big-ip analytics",
            scope: "gte",
            trust: 1,
            vendor: "f5",
            version: "15.0.0",
         },
         {
            model: "enterprise linux server",
            scope: "eq",
            trust: 1,
            vendor: "redhat",
            version: "6.0",
         },
         {
            model: "big-ip domain name system",
            scope: "lte",
            trust: 1,
            vendor: "f5",
            version: "12.1.5",
         },
         {
            model: "communications session router",
            scope: "eq",
            trust: 1,
            vendor: "oracle",
            version: "8.1",
         },
         {
            model: "mysql enterprise monitor",
            scope: "lte",
            trust: 1,
            vendor: "oracle",
            version: "8.0.14",
         },
         {
            model: "big-ip global traffic manager",
            scope: "gte",
            trust: 1,
            vendor: "f5",
            version: "15.0.0",
         },
         {
            model: "big-ip local traffic manager",
            scope: "gte",
            trust: 1,
            vendor: "f5",
            version: "12.1.0",
         },
         {
            model: "data exchange layer",
            scope: "gte",
            trust: 1,
            vendor: "mcafee",
            version: "4.0.0",
         },
         {
            model: "peoplesoft enterprise peopletools",
            scope: "eq",
            trust: 1,
            vendor: "oracle",
            version: "8.56",
         },
         {
            model: "big-ip webaccelerator",
            scope: "lte",
            trust: 1,
            vendor: "f5",
            version: "13.1.3",
         },
         {
            model: "big-ip link controller",
            scope: "lte",
            trust: 1,
            vendor: "f5",
            version: "15.1.0",
         },
         {
            model: "peoplesoft enterprise peopletools",
            scope: "eq",
            trust: 1,
            vendor: "oracle",
            version: "8.57",
         },
         {
            model: "enterprise manager ops center",
            scope: "eq",
            trust: 1,
            vendor: "oracle",
            version: "12.4.0",
         },
         {
            model: "traffix signaling delivery controller",
            scope: "eq",
            trust: 1,
            vendor: "f5",
            version: "4.4.0",
         },
         {
            model: "big-ip analytics",
            scope: "lte",
            trust: 1,
            vendor: "f5",
            version: "12.1.5",
         },
         {
            model: "big-ip edge gateway",
            scope: "gte",
            trust: 1,
            vendor: "f5",
            version: "12.1.0",
         },
         {
            model: "big-ip advanced firewall manager",
            scope: "gte",
            trust: 1,
            vendor: "f5",
            version: "12.1.0",
         },
         {
            model: "big-ip link controller",
            scope: "gte",
            trust: 1,
            vendor: "f5",
            version: "14.0.0",
         },
         {
            model: "big-ip fraud protection service",
            scope: "lte",
            trust: 1,
            vendor: "f5",
            version: "13.1.3",
         },
         {
            model: "jboss enterprise web server",
            scope: "eq",
            trust: 1,
            vendor: "redhat",
            version: "5.0.0",
         },
         {
            model: "big-ip application acceleration manager",
            scope: "lte",
            trust: 1,
            vendor: "f5",
            version: "12.1.5",
         },
         {
            model: "enterprise linux desktop",
            scope: "eq",
            trust: 1,
            vendor: "redhat",
            version: "7.0",
         },
         {
            model: "oncommand insight",
            scope: "eq",
            trust: 1,
            vendor: "netapp",
            version: null,
         },
         {
            model: "communications unified session manager",
            scope: "eq",
            trust: 1,
            vendor: "oracle",
            version: "8.2.5",
         },
         {
            model: "mysql enterprise monitor",
            scope: "gte",
            trust: 1,
            vendor: "oracle",
            version: "8.0.0",
         },
         {
            model: "solidfire",
            scope: "eq",
            trust: 1,
            vendor: "netapp",
            version: null,
         },
         {
            model: "big-ip global traffic manager",
            scope: "lte",
            trust: 1,
            vendor: "f5",
            version: "12.1.5",
         },
         {
            model: "a800",
            scope: "eq",
            trust: 1,
            vendor: "netapp",
            version: null,
         },
         {
            model: "big-ip global traffic manager",
            scope: "gte",
            trust: 1,
            vendor: "f5",
            version: "13.0.0",
         },
         {
            model: "mysql",
            scope: "lte",
            trust: 1,
            vendor: "oracle",
            version: "5.7.25",
         },
         {
            model: "smi-s provider",
            scope: "eq",
            trust: 1,
            vendor: "netapp",
            version: null,
         },
         {
            model: "fedora",
            scope: "eq",
            trust: 1,
            vendor: "fedoraproject",
            version: "30",
         },
         {
            model: "virtualization host",
            scope: "eq",
            trust: 1,
            vendor: "redhat",
            version: "4.0",
         },
         {
            model: "openssl",
            scope: "gte",
            trust: 1,
            vendor: "openssl",
            version: "1.0.2",
         },
         {
            model: "big-ip domain name system",
            scope: "gte",
            trust: 1,
            vendor: "f5",
            version: "12.1.0",
         },
         {
            model: "big-ip local traffic manager",
            scope: "lte",
            trust: 1,
            vendor: "f5",
            version: "12.1.5",
         },
         {
            model: "snapdrive",
            scope: "eq",
            trust: 1,
            vendor: "netapp",
            version: null,
         },
         {
            model: "big-ip application acceleration manager",
            scope: "lte",
            trust: 1,
            vendor: "f5",
            version: "13.1.3",
         },
         {
            model: "mysql workbench",
            scope: "lte",
            trust: 1,
            vendor: "oracle",
            version: "8.0.16",
         },
         {
            model: "openssl",
            scope: "lt",
            trust: 1,
            vendor: "openssl",
            version: "1.0.2r",
         },
         {
            model: "altavault",
            scope: "eq",
            trust: 1,
            vendor: "netapp",
            version: null,
         },
         {
            model: "threat intelligence exchange server",
            scope: "gte",
            trust: 1,
            vendor: "mcafee",
            version: "2.0.0",
         },
         {
            model: "big-ip global traffic manager",
            scope: "lte",
            trust: 1,
            vendor: "f5",
            version: "13.1.3",
         },
         {
            model: "ubuntu linux",
            scope: "eq",
            trust: 1,
            vendor: "canonical",
            version: "16.04",
         },
         {
            model: "big-ip link controller",
            scope: "gte",
            trust: 1,
            vendor: "f5",
            version: "15.0.0",
         },
         {
            model: "big-ip policy enforcement manager",
            scope: "gte",
            trust: 1,
            vendor: "f5",
            version: "12.1.0",
         },
         {
            model: "mysql",
            scope: "lte",
            trust: 1,
            vendor: "oracle",
            version: "8.0.15",
         },
         {
            model: "pan-os",
            scope: "gte",
            trust: 1,
            vendor: "paloaltonetworks",
            version: "9.0.0",
         },
         {
            model: "pan-os",
            scope: "lt",
            trust: 1,
            vendor: "paloaltonetworks",
            version: "8.0.20",
         },
         {
            model: "communications session border controller",
            scope: "eq",
            trust: 1,
            vendor: "oracle",
            version: "8.3",
         },
         {
            model: "big-ip edge gateway",
            scope: "lte",
            trust: 1,
            vendor: "f5",
            version: "13.1.3",
         },
         {
            model: "big-ip application security manager",
            scope: "gte",
            trust: 1,
            vendor: "f5",
            version: "13.0.0",
         },
         {
            model: "ontap select deploy",
            scope: "eq",
            trust: 1,
            vendor: "netapp",
            version: null,
         },
         {
            model: "big-ip local traffic manager",
            scope: "lte",
            trust: 1,
            vendor: "f5",
            version: "13.1.3",
         },
         {
            model: "agent",
            scope: "gte",
            trust: 1,
            vendor: "mcafee",
            version: "5.6.0",
         },
         {
            model: "big-ip policy enforcement manager",
            scope: "lte",
            trust: 1,
            vendor: "f5",
            version: "14.1.2",
         },
         {
            model: "big-iq centralized management",
            scope: "gte",
            trust: 1,
            vendor: "f5",
            version: "7.0.0",
         },
         {
            model: "api gateway",
            scope: "eq",
            trust: 1,
            vendor: "oracle",
            version: "11.1.2.4.0",
         },
         {
            model: "pan-os",
            scope: "lt",
            trust: 1,
            vendor: "paloaltonetworks",
            version: "9.0.2",
         },
         {
            model: "big-ip access policy manager",
            scope: "lte",
            trust: 1,
            vendor: "f5",
            version: "13.1.3",
         },
         {
            model: "big-ip webaccelerator",
            scope: "lte",
            trust: 1,
            vendor: "f5",
            version: "12.1.5",
         },
         {
            model: "fas2750",
            scope: "eq",
            trust: 1,
            vendor: "netapp",
            version: null,
         },
         {
            model: "node.js",
            scope: "gte",
            trust: 1,
            vendor: "nodejs",
            version: "8.9.0",
         },
         {
            model: "big-ip advanced firewall manager",
            scope: "lte",
            trust: 1,
            vendor: "f5",
            version: "13.1.3",
         },
         {
            model: "active iq unified manager",
            scope: "gte",
            trust: 1,
            vendor: "netapp",
            version: "9.5",
         },
         {
            model: "big-ip webaccelerator",
            scope: "gte",
            trust: 1,
            vendor: "f5",
            version: "13.0.0",
         },
         {
            model: "communications diameter signaling router",
            scope: "eq",
            trust: 1,
            vendor: "oracle",
            version: "8.3",
         },
         {
            model: "big-ip link controller",
            scope: "lte",
            trust: 1,
            vendor: "f5",
            version: "12.1.5",
         },
         {
            model: "big-ip access policy manager",
            scope: "gte",
            trust: 1,
            vendor: "f5",
            version: "14.0.0",
         },
         {
            model: "big-ip fraud protection service",
            scope: "lte",
            trust: 1,
            vendor: "f5",
            version: "12.1.5",
         },
         {
            model: "big-ip link controller",
            scope: "gte",
            trust: 1,
            vendor: "f5",
            version: "13.0.0",
         },
         {
            model: "node.js",
            scope: "gte",
            trust: 1,
            vendor: "nodejs",
            version: "8.0.0",
         },
         {
            model: "big-ip application security manager",
            scope: "lte",
            trust: 1,
            vendor: "f5",
            version: "14.1.2",
         },
         {
            model: "web gateway",
            scope: "gte",
            trust: 1,
            vendor: "mcafee",
            version: "7.0.0",
         },
         {
            model: "node.js",
            scope: "lte",
            trust: 1,
            vendor: "nodejs",
            version: "8.8.1",
         },
         {
            model: "active iq unified manager",
            scope: "gte",
            trust: 1,
            vendor: "netapp",
            version: "7.3",
         },
         {
            model: "enterprise linux desktop",
            scope: "eq",
            trust: 1,
            vendor: "redhat",
            version: "6.0",
         },
         {
            model: "snapcenter",
            scope: "eq",
            trust: 1,
            vendor: "netapp",
            version: null,
         },
         {
            model: "big-ip link controller",
            scope: "lte",
            trust: 1,
            vendor: "f5",
            version: "13.1.3",
         },
         {
            model: "big-iq centralized management",
            scope: "lte",
            trust: 1,
            vendor: "f5",
            version: "6.1.0",
         },
         {
            model: "business intelligence",
            scope: "eq",
            trust: 1,
            vendor: "oracle",
            version: "11.1.1.9.0",
         },
         {
            model: "linux",
            scope: "eq",
            trust: 1,
            vendor: "debian",
            version: "8.0",
         },
         {
            model: "secure global desktop",
            scope: "eq",
            trust: 1,
            vendor: "oracle",
            version: "5.4",
         },
         {
            model: "cloud backup",
            scope: "eq",
            trust: 1,
            vendor: "netapp",
            version: null,
         },
         {
            model: "big-ip analytics",
            scope: "gte",
            trust: 1,
            vendor: "f5",
            version: "13.0.0",
         },
         {
            model: "big-ip policy enforcement manager",
            scope: "lte",
            trust: 1,
            vendor: "f5",
            version: "15.1.0",
         },
         {
            model: "big-ip webaccelerator",
            scope: "gte",
            trust: 1,
            vendor: "f5",
            version: "12.1.0",
         },
         {
            model: "oncommand workflow automation",
            scope: "eq",
            trust: 1,
            vendor: "netapp",
            version: null,
         },
         {
            model: "big-ip fraud protection service",
            scope: "gte",
            trust: 1,
            vendor: "f5",
            version: "14.0.0",
         },
         {
            model: "steelstore cloud integrated storage",
            scope: "eq",
            trust: 1,
            vendor: "netapp",
            version: null,
         },
         {
            model: "mysql enterprise monitor",
            scope: "lte",
            trust: 1,
            vendor: "oracle",
            version: "4.0.8",
         },
         {
            model: "peoplesoft enterprise peopletools",
            scope: "eq",
            trust: 1,
            vendor: "oracle",
            version: "8.55",
         },
         {
            model: "storagegrid",
            scope: "gte",
            trust: 1,
            vendor: "netapp",
            version: "9.0.0",
         },
         {
            model: "big-ip access policy manager",
            scope: "gte",
            trust: 1,
            vendor: "f5",
            version: "15.0.0",
         },
         {
            model: "leap",
            scope: "eq",
            trust: 1,
            vendor: "opensuse",
            version: "42.3",
         },
         {
            model: "c190",
            scope: "eq",
            trust: 1,
            vendor: "netapp",
            version: null,
         },
         {
            model: "big-ip domain name system",
            scope: "lte",
            trust: 1,
            vendor: "f5",
            version: "14.1.2",
         },
         {
            model: "fedora",
            scope: "eq",
            trust: 1,
            vendor: "fedoraproject",
            version: "31",
         },
         {
            model: "big-ip application acceleration manager",
            scope: "gte",
            trust: 1,
            vendor: "f5",
            version: "14.0.0",
         },
         {
            model: "big-ip edge gateway",
            scope: "lte",
            trust: 1,
            vendor: "f5",
            version: "12.1.5",
         },
         {
            model: "communications session border controller",
            scope: "eq",
            trust: 1,
            vendor: "oracle",
            version: "8.1.0",
         },
         {
            model: "communications session router",
            scope: "eq",
            trust: 1,
            vendor: "oracle",
            version: "8.3",
         },
         {
            model: "enterprise linux workstation",
            scope: "eq",
            trust: 1,
            vendor: "redhat",
            version: "7.0",
         },
         {
            model: "node.js",
            scope: "gte",
            trust: 1,
            vendor: "nodejs",
            version: "6.9.0",
         },
         {
            model: "oncommand unified manager",
            scope: "eq",
            trust: 1,
            vendor: "netapp",
            version: null,
         },
         {
            model: "services tools bundle",
            scope: "eq",
            trust: 1,
            vendor: "oracle",
            version: "19.2",
         },
         {
            model: "pan-os",
            scope: "gte",
            trust: 1,
            vendor: "paloaltonetworks",
            version: "7.1.0",
         },
         {
            model: "a220",
            scope: "eq",
            trust: 1,
            vendor: "netapp",
            version: null,
         },
         {
            model: "business intelligence",
            scope: "eq",
            trust: 1,
            vendor: "oracle",
            version: "12.2.1.3.0",
         },
         {
            model: "communications session border controller",
            scope: "eq",
            trust: 1,
            vendor: "oracle",
            version: "7.4",
         },
         {
            model: "big-ip access policy manager",
            scope: "lte",
            trust: 1,
            vendor: "f5",
            version: "12.1.5",
         },
         {
            model: "big-ip application security manager",
            scope: "lte",
            trust: 1,
            vendor: "f5",
            version: "15.1.0",
         },
         {
            model: "communications performance intelligence center",
            scope: "eq",
            trust: 1,
            vendor: "oracle",
            version: "10.4.0.2",
         },
         {
            model: "big-ip analytics",
            scope: "lte",
            trust: 1,
            vendor: "f5",
            version: "14.1.2",
         },
         {
            model: "big-ip advanced firewall manager",
            scope: "lte",
            trust: 1,
            vendor: "f5",
            version: "12.1.5",
         },
         {
            model: "pan-os",
            scope: "lt",
            trust: 1,
            vendor: "paloaltonetworks",
            version: "7.1.15",
         },
         {
            model: "big-ip local traffic manager",
            scope: "gte",
            trust: 1,
            vendor: "f5",
            version: "14.0.0",
         },
         {
            model: "mysql",
            scope: "lte",
            trust: 1,
            vendor: "oracle",
            version: "5.6.43",
         },
         {
            model: "big-ip analytics",
            scope: "gte",
            trust: 1,
            vendor: "f5",
            version: "12.1.0",
         },
         {
            model: "pan-os",
            scope: "lt",
            trust: 1,
            vendor: "paloaltonetworks",
            version: "8.1.8",
         },
         {
            model: "big-ip fraud protection service",
            scope: "gte",
            trust: 1,
            vendor: "f5",
            version: "15.0.0",
         },
         {
            model: "hci compute node",
            scope: "eq",
            trust: 1,
            vendor: "netapp",
            version: null,
         },
         {
            model: "linux",
            scope: "eq",
            trust: 1,
            vendor: "debian",
            version: "9.0",
         },
         {
            model: "big-iq centralized management",
            scope: "lte",
            trust: 1,
            vendor: "f5",
            version: "7.1.0",
         },
         {
            model: "hyper converged infrastructure",
            scope: "eq",
            trust: 1,
            vendor: "netapp",
            version: null,
         },
         {
            model: "big-ip edge gateway",
            scope: "gte",
            trust: 1,
            vendor: "f5",
            version: "14.0.0",
         },
         {
            model: "big-ip advanced firewall manager",
            scope: "gte",
            trust: 1,
            vendor: "f5",
            version: "14.0.0",
         },
         {
            model: "big-ip global traffic manager",
            scope: "gte",
            trust: 1,
            vendor: "f5",
            version: "12.1.0",
         },
         {
            model: "big-ip application acceleration manager",
            scope: "gte",
            trust: 1,
            vendor: "f5",
            version: "15.0.0",
         },
         {
            model: "communications session border controller",
            scope: "eq",
            trust: 1,
            vendor: "oracle",
            version: "8.2",
         },
         {
            model: "jd edwards world security",
            scope: "eq",
            trust: 1,
            vendor: "oracle",
            version: "a9.3",
         },
         {
            model: "storage automation store",
            scope: "eq",
            trust: 1,
            vendor: "netapp",
            version: null,
         },
         {
            model: "virtualization",
            scope: "eq",
            trust: 1,
            vendor: "redhat",
            version: "4.0",
         },
         {
            model: "big-ip domain name system",
            scope: "lte",
            trust: 1,
            vendor: "f5",
            version: "15.1.0",
         },
         {
            model: "threat intelligence exchange server",
            scope: "lt",
            trust: 1,
            vendor: "mcafee",
            version: "3.0.0",
         },
         {
            model: "enterprise manager base platform",
            scope: "eq",
            trust: 1,
            vendor: "oracle",
            version: "13.2.0.0.0",
         },
         {
            model: "storagegrid",
            scope: "eq",
            trust: 1,
            vendor: "netapp",
            version: null,
         },
         {
            model: "big-ip domain name system",
            scope: "gte",
            trust: 1,
            vendor: "f5",
            version: "14.0.0",
         },
         {
            model: "big-ip fraud protection service",
            scope: "gte",
            trust: 1,
            vendor: "f5",
            version: "13.0.0",
         },
         {
            model: "communications session router",
            scope: "eq",
            trust: 1,
            vendor: "oracle",
            version: "8.0",
         },
         {
            model: "big-ip local traffic manager",
            scope: "gte",
            trust: 1,
            vendor: "f5",
            version: "15.0.0",
         },
         {
            model: "big-ip policy enforcement manager",
            scope: "lte",
            trust: 1,
            vendor: "f5",
            version: "12.1.5",
         },
         {
            model: "traffix signaling delivery controller",
            scope: "lte",
            trust: 1,
            vendor: "f5",
            version: "5.1.0",
         },
         {
            model: "big-ip application security manager",
            scope: "gte",
            trust: 1,
            vendor: "f5",
            version: "12.1.0",
         },
         {
            model: "communications unified session manager",
            scope: "eq",
            trust: 1,
            vendor: "oracle",
            version: "7.3.5",
         },
         {
            model: "active iq unified manager",
            scope: "eq",
            trust: 1,
            vendor: "netapp",
            version: null,
         },
         {
            model: "big-ip application acceleration manager",
            scope: "gte",
            trust: 1,
            vendor: "f5",
            version: "13.0.0",
         },
         {
            model: "big-ip analytics",
            scope: "lte",
            trust: 1,
            vendor: "f5",
            version: "15.1.0",
         },
         {
            model: "fedora",
            scope: "eq",
            trust: 1,
            vendor: "fedoraproject",
            version: "29",
         },
         {
            model: "big-ip edge gateway",
            scope: "gte",
            trust: 1,
            vendor: "f5",
            version: "15.0.0",
         },
         {
            model: "big-ip advanced firewall manager",
            scope: "gte",
            trust: 1,
            vendor: "f5",
            version: "15.0.0",
         },
         {
            model: "big-ip policy enforcement manager",
            scope: "gte",
            trust: 1,
            vendor: "f5",
            version: "14.0.0",
         },
         {
            model: "traffix signaling delivery controller",
            scope: "gte",
            trust: 1,
            vendor: "f5",
            version: "5.0.0",
         },
         {
            model: "cn1610",
            scope: "eq",
            trust: 1,
            vendor: "netapp",
            version: null,
         },
         {
            model: "big-ip webaccelerator",
            scope: "lte",
            trust: 1,
            vendor: "f5",
            version: "14.1.2",
         },
         {
            model: "enterprise linux workstation",
            scope: "eq",
            trust: 1,
            vendor: "redhat",
            version: "6.0",
         },
         {
            model: "communications session router",
            scope: "eq",
            trust: 1,
            vendor: "oracle",
            version: "7.4",
         },
         {
            model: "pan-os",
            scope: "gte",
            trust: 1,
            vendor: "paloaltonetworks",
            version: "8.1.0",
         },
         {
            model: "node.js",
            scope: "lte",
            trust: 1,
            vendor: "nodejs",
            version: "6.8.1",
         },
         {
            model: "big-ip policy enforcement manager",
            scope: "lte",
            trust: 1,
            vendor: "f5",
            version: "13.1.3",
         },
         {
            model: "santricity smi-s provider",
            scope: "eq",
            trust: 1,
            vendor: "netapp",
            version: null,
         },
         {
            model: "big-ip fraud protection service",
            scope: "lte",
            trust: 1,
            vendor: "f5",
            version: "14.1.2",
         },
         {
            model: "big-ip link controller",
            scope: "gte",
            trust: 1,
            vendor: "f5",
            version: "12.1.0",
         },
         {
            model: "hci management node",
            scope: "eq",
            trust: 1,
            vendor: "netapp",
            version: null,
         },
         {
            model: "big-ip local traffic manager",
            scope: "gte",
            trust: 1,
            vendor: "f5",
            version: "13.0.0",
         },
         {
            model: "agent",
            scope: "lte",
            trust: 1,
            vendor: "mcafee",
            version: "5.6.4",
         },
         {
            model: "business intelligence",
            scope: "eq",
            trust: 1,
            vendor: "oracle",
            version: "12.2.1.4.0",
         },
         {
            model: "endeca server",
            scope: "eq",
            trust: 1,
            vendor: "oracle",
            version: "7.7.0",
         },
         {
            model: "mysql",
            scope: "gte",
            trust: 1,
            vendor: "oracle",
            version: "8.0.0",
         },
         {
            model: "big-ip domain name system",
            scope: "gte",
            trust: 1,
            vendor: "f5",
            version: "15.0.0",
         },
         {
            model: "ontap select deploy administration utility",
            scope: "eq",
            trust: 1,
            vendor: "netapp",
            version: null,
         },
         {
            model: "big-ip edge gateway",
            scope: "gte",
            trust: 1,
            vendor: "f5",
            version: "13.0.0",
         },
         {
            model: "element software",
            scope: "eq",
            trust: 1,
            vendor: "netapp",
            version: null,
         },
         {
            model: "big-iq centralized management",
            scope: "gte",
            trust: 1,
            vendor: "f5",
            version: "6.0.0",
         },
         {
            model: "web gateway",
            scope: "lt",
            trust: 1,
            vendor: "mcafee",
            version: "9.0.0",
         },
         {
            model: "jd edwards world security",
            scope: "eq",
            trust: 1,
            vendor: "oracle",
            version: "a9.3.1",
         },
         {
            model: "jd edwards enterpriseone tools",
            scope: "eq",
            trust: 1,
            vendor: "oracle",
            version: "9.2",
         },
         {
            model: "big-ip application security manager",
            scope: "lte",
            trust: 1,
            vendor: "f5",
            version: "13.1.3",
         },
         {
            model: "ubuntu linux",
            scope: "eq",
            trust: 1,
            vendor: "canonical",
            version: "18.10",
         },
         {
            model: "big-ip policy enforcement manager",
            scope: "gte",
            trust: 1,
            vendor: "f5",
            version: "15.0.0",
         },
         {
            model: "big-ip application acceleration manager",
            scope: "lte",
            trust: 1,
            vendor: "f5",
            version: "14.1.2",
         },
         {
            model: "enterprise manager ops center",
            scope: "eq",
            trust: 1,
            vendor: "oracle",
            version: "12.3.3",
         },
         {
            model: "mysql",
            scope: "gte",
            trust: 1,
            vendor: "oracle",
            version: "5.6.0",
         },
         {
            model: "storagegrid",
            scope: "lte",
            trust: 1,
            vendor: "netapp",
            version: "9.0.4",
         },
         {
            model: "big-ip access policy manager",
            scope: "gte",
            trust: 1,
            vendor: "f5",
            version: "13.0.0",
         },
         {
            model: "leap",
            scope: "eq",
            trust: 1,
            vendor: "opensuse",
            version: "15.1",
         },
         {
            model: "pan-os",
            scope: "gte",
            trust: 1,
            vendor: "paloaltonetworks",
            version: "8.0.0",
         },
         {
            model: "jp1/snmp system observer",
            scope: null,
            trust: 0.8,
            vendor: "日立",
            version: null,
         },
         {
            model: "steelstore cloud integrated storage",
            scope: null,
            trust: 0.8,
            vendor: "netapp",
            version: null,
         },
         {
            model: "oncommand workflow automation",
            scope: null,
            trust: 0.8,
            vendor: "netapp",
            version: null,
         },
         {
            model: "jp1/operations analytics",
            scope: null,
            trust: 0.8,
            vendor: "日立",
            version: null,
         },
         {
            model: "job management system partner 1/automatic job management system 3",
            scope: null,
            trust: 0.8,
            vendor: "日立",
            version: null,
         },
         {
            model: "storagegrid webscale",
            scope: null,
            trust: 0.8,
            vendor: "netapp",
            version: null,
         },
         {
            model: "nessus",
            scope: null,
            trust: 0.8,
            vendor: "tenable",
            version: null,
         },
         {
            model: "ucosminexus service architect",
            scope: null,
            trust: 0.8,
            vendor: "日立",
            version: null,
         },
         {
            model: "leap",
            scope: null,
            trust: 0.8,
            vendor: "opensuse",
            version: null,
         },
         {
            model: "jp1/automatic job management system 3",
            scope: null,
            trust: 0.8,
            vendor: "日立",
            version: null,
         },
         {
            model: "traffix sdc",
            scope: null,
            trust: 0.8,
            vendor: "f5",
            version: null,
         },
         {
            model: "jp1/data highway",
            scope: null,
            trust: 0.8,
            vendor: "日立",
            version: null,
         },
         {
            model: "openssl",
            scope: null,
            trust: 0.8,
            vendor: "openssl",
            version: null,
         },
         {
            model: "ucosminexus primary server",
            scope: null,
            trust: 0.8,
            vendor: "日立",
            version: null,
         },
         {
            model: "ucosminexus developer",
            scope: null,
            trust: 0.8,
            vendor: "日立",
            version: null,
         },
         {
            model: "ubuntu",
            scope: null,
            trust: 0.8,
            vendor: "canonical",
            version: null,
         },
         {
            model: "ucosminexus service platform",
            scope: null,
            trust: 0.8,
            vendor: "日立",
            version: null,
         },
         {
            model: "santricity smi-s provider",
            scope: null,
            trust: 0.8,
            vendor: "netapp",
            version: null,
         },
         {
            model: "gnu/linux",
            scope: null,
            trust: 0.8,
            vendor: "debian",
            version: null,
         },
         {
            model: "ontap select deploy administration utility",
            scope: null,
            trust: 0.8,
            vendor: "netapp",
            version: null,
         },
         {
            model: "jp1/it desktop management 2",
            scope: null,
            trust: 0.8,
            vendor: "日立",
            version: null,
         },
         {
            model: "jp1/performance management",
            scope: null,
            trust: 0.8,
            vendor: "日立",
            version: null,
         },
         {
            model: "ontap select deploy",
            scope: null,
            trust: 0.8,
            vendor: "netapp",
            version: null,
         },
         {
            model: "snapdrive",
            scope: null,
            trust: 0.8,
            vendor: "netapp",
            version: null,
         },
         {
            model: "oncommand unified manager",
            scope: null,
            trust: 0.8,
            vendor: "netapp",
            version: null,
         },
         {
            model: "jp1/automatic operation",
            scope: null,
            trust: 0.8,
            vendor: "日立",
            version: null,
         },
         {
            model: "cosminexus http server",
            scope: null,
            trust: 0.8,
            vendor: "日立",
            version: null,
         },
         {
            model: "hyper converged infrastructure",
            scope: null,
            trust: 0.8,
            vendor: "netapp",
            version: null,
         },
         {
            model: "element software",
            scope: null,
            trust: 0.8,
            vendor: "netapp",
            version: null,
         },
         {
            model: "ucosminexus application server",
            scope: null,
            trust: 0.8,
            vendor: "日立",
            version: null,
         },
      ],
      sources: [
         {
            db: "JVNDB",
            id: "JVNDB-2019-002098",
         },
         {
            db: "NVD",
            id: "CVE-2019-1559",
         },
      ],
   },
   credits: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/credits#",
         sources: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/ref/sources#",
            },
         },
      },
      data: "Robert Merget and Nimrod Aviram, with additional investigation by Steven Collison and Andrew Hourselt, Red Hat, Slackware Security Team, Juraj Somorovsky",
      sources: [
         {
            db: "CNNVD",
            id: "CNNVD-201902-956",
         },
      ],
      trust: 0.6,
   },
   cve: "CVE-2019-1559",
   cvss: {
      "@context": {
         cvssV2: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#",
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2",
         },
         cvssV3: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#",
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/",
         },
         severity: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/cvss/severity#",
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/severity",
         },
         sources: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/ref/sources#",
            },
            "@id": "https://www.variotdbs.pl/ref/sources",
         },
      },
      data: [
         {
            cvssV2: [
               {
                  accessComplexity: "MEDIUM",
                  accessVector: "NETWORK",
                  authentication: "NONE",
                  author: "nvd@nist.gov",
                  availabilityImpact: "NONE",
                  baseScore: 4.3,
                  confidentialityImpact: "PARTIAL",
                  exploitabilityScore: 8.6,
                  id: "CVE-2019-1559",
                  impactScore: 2.9,
                  integrityImpact: "NONE",
                  severity: "MEDIUM",
                  trust: 1.9,
                  vectorString: "AV:N/AC:M/Au:N/C:P/I:N/A:N",
                  version: "2.0",
               },
               {
                  accessComplexity: "MEDIUM",
                  accessVector: "NETWORK",
                  authentication: "NONE",
                  author: "VULHUB",
                  availabilityImpact: "NONE",
                  baseScore: 4.3,
                  confidentialityImpact: "PARTIAL",
                  exploitabilityScore: 8.6,
                  id: "VHN-147651",
                  impactScore: 2.9,
                  integrityImpact: "NONE",
                  severity: "MEDIUM",
                  trust: 0.1,
                  vectorString: "AV:N/AC:M/AU:N/C:P/I:N/A:N",
                  version: "2.0",
               },
            ],
            cvssV3: [
               {
                  attackComplexity: "HIGH",
                  attackVector: "NETWORK",
                  author: "nvd@nist.gov",
                  availabilityImpact: "NONE",
                  baseScore: 5.9,
                  baseSeverity: "MEDIUM",
                  confidentialityImpact: "HIGH",
                  exploitabilityScore: 2.2,
                  id: "CVE-2019-1559",
                  impactScore: 3.6,
                  integrityImpact: "NONE",
                  privilegesRequired: "NONE",
                  scope: "UNCHANGED",
                  trust: 1,
                  userInteraction: "NONE",
                  vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
                  version: "3.1",
               },
               {
                  attackComplexity: "High",
                  attackVector: "Network",
                  author: "NVD",
                  availabilityImpact: "None",
                  baseScore: 5.9,
                  baseSeverity: "Medium",
                  confidentialityImpact: "High",
                  exploitabilityScore: null,
                  id: "CVE-2019-1559",
                  impactScore: null,
                  integrityImpact: "None",
                  privilegesRequired: "None",
                  scope: "Unchanged",
                  trust: 0.8,
                  userInteraction: "None",
                  vectorString: "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
                  version: "3.0",
               },
            ],
            severity: [
               {
                  author: "nvd@nist.gov",
                  id: "CVE-2019-1559",
                  trust: 1,
                  value: "MEDIUM",
               },
               {
                  author: "NVD",
                  id: "CVE-2019-1559",
                  trust: 0.8,
                  value: "Medium",
               },
               {
                  author: "CNNVD",
                  id: "CNNVD-201902-956",
                  trust: 0.6,
                  value: "MEDIUM",
               },
               {
                  author: "VULHUB",
                  id: "VHN-147651",
                  trust: 0.1,
                  value: "MEDIUM",
               },
               {
                  author: "VULMON",
                  id: "CVE-2019-1559",
                  trust: 0.1,
                  value: "MEDIUM",
               },
            ],
         },
      ],
      sources: [
         {
            db: "VULHUB",
            id: "VHN-147651",
         },
         {
            db: "VULMON",
            id: "CVE-2019-1559",
         },
         {
            db: "JVNDB",
            id: "JVNDB-2019-002098",
         },
         {
            db: "CNNVD",
            id: "CNNVD-201902-956",
         },
         {
            db: "NVD",
            id: "CVE-2019-1559",
         },
      ],
   },
   description: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/description#",
         sources: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/ref/sources#",
            },
         },
      },
      data: "If an application encounters a fatal protocol error and then calls SSL_shutdown() twice (once to send a close_notify, and once to receive one) then OpenSSL can respond differently to the calling application if a 0 byte record is received with invalid padding compared to if a 0 byte record is received with an invalid MAC. If the application then behaves differently based on that in a way that is detectable to the remote peer, then this amounts to a padding oracle that could be used to decrypt data. In order for this to be exploitable \"non-stitched\" ciphersuites must be in use. Stitched ciphersuites are optimised implementations of certain commonly used ciphersuites. Also the application must call SSL_shutdown() twice even if a protocol error has occurred (applications should not do this but some do anyway). Fixed in OpenSSL 1.0.2r (Affected 1.0.2-1.0.2q). OpenSSL Contains an information disclosure vulnerability.Information may be obtained. The product supports a variety of encryption algorithms, including symmetric ciphers, hash algorithms, secure hash algorithms, etc. A vulnerability in OpenSSL could allow an unauthenticated, remote malicious user to access sensitive information on a targeted system. An attacker who is able to perform man-in-the-middle attacks could exploit the vulnerability by persuading a user to access a link that submits malicious input to the affected software. A successful exploit could allow the malicious user to intercept and modify the browser requests and then observe the server behavior in order to conduct a padding oracle attack and decrypt sensitive information. \n\nThis issue was discovered by Juraj Somorovsky, Robert Merget and Nimrod Aviram,\nwith additional investigation by Steven Collison and Andrew Hourselt. It was\nreported to OpenSSL on 10th December 2018. \n\nNote: Advisory updated to make it clearer that AEAD ciphersuites are not impacted. 
\n\nNote\n====\n\nOpenSSL 1.0.2 and 1.1.0 are currently only receiving security updates. Support\nfor 1.0.2 will end on 31st December 2019. Support for 1.1.0 will end on 11th\nSeptember 2019. Users of these versions should upgrade to OpenSSL 1.1.1. \n\nReferences\n==========\n\nURL for this Security Advisory:\nhttps://www.openssl.org/news/secadv/20190226.txt\n\nNote: the online version of the advisory may be updated with additional details\nover time. \n\nFor details of OpenSSL severity classifications please see:\nhttps://www.openssl.org/policies/secpolicy.html\n. The appliance is available\nto download as an OVA file from the Customer Portal. \n\nFor the stable distribution (stretch), this problem has been fixed in\nversion 1.0.2r-1~deb9u1. \n\nFor the detailed security status of openssl1.0 please refer to\nits security tracker page at:\nhttps://security-tracker.debian.org/tracker/openssl1.0\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org\n-----BEGIN PGP SIGNATURE-----\n\niQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAlx4WgkACgkQEMKTtsN8\nTjZZCQ//UdQ3Bi/ZSQJ2yzW7MkbuaHla53iUhztTy2Zrype++NX4tXqqBl+xY9Eu\n1D747Y1c2GZ949UaPbIvp8wLCvvxR5A4Tmx4sU3ZOOHXrlsZ5loYg66MslGUOMOU\nz7zaqXTg3as8wfD6ND5Zd4tP0iLyst8Vyi0W7PuFovLoPAc3/XcMaXghSwabs+JY\n3KZuB4UlbOiEnO+6Mf5ghWQYBtN7y/QAVNWREfLmhpx2UY8F7Ia28bR9pXknxkl5\nRuN9WH2BtXI4/JiL0TlkAua51NE+vXciPv+Dh4gkQNPWF/rfL9IL5AxjrgojysHf\nOhZaDcYpOPCXZmiA49JOXJOrIw73Zd9NZmgA1ZXQY1ECQDJ8dB9mSJj1KsUId+Id\neTbRRbWwpzSQd5qc4h4NKjeIwA04a3JecDibD3pwf3+qn9sw8xQ/rfAl2byGRbEN\nFUDT65AIw4CFQDJeIE/vBZqCFhY2aIbRoibpZnp0XsROkw8xKQiH0Kgo7gjsoozT\nwHYK/rlvaZwbnLG7E8pUUj9Xr8OM9Wn/y7kzyHVekGUcDef3F1pPJ9CYsdppx+Zv\nMkoFNxc9GZ+Kn2i4l14I3hvwQ4Sy3owNjnTYFQ28yd+MRZoMw+nyXW1i7OCu+KFH\n7OQkd5qNDh8iotsaUKT0DQOOL74UDgEPv2x02ahujRl+I3YDDdM=NRWo\n-----END PGP SIGNATURE-----\n. 
==========================================================================\nUbuntu Security Notice USN-4376-2\nJuly 09, 2020\n\nopenssl vulnerabilities\n==========================================================================\n\nA security issue affects these releases of Ubuntu and its derivatives:\n\n- Ubuntu 14.04 ESM\n- Ubuntu 12.04 ESM\n\nSummary:\n\nSeveral security issues were fixed in OpenSSL. This update provides\nthe corresponding update for Ubuntu 12.04 ESM and Ubuntu 14.04 ESM. \n\nOriginal advisory details:\n\n Cesar Pereida García, Sohaib ul Hassan, Nicola Tuveri, Iaroslav Gridin,\n Alejandro Cabrera Aldaya, and Billy Brumley discovered that OpenSSL\n incorrectly handled ECDSA signatures. An attacker could possibly use this\n issue to perform a timing side-channel attack and recover private ECDSA\n keys. A remote attacker could possibly use this issue to decrypt\n data. (CVE-2019-1559)\n\n Bernd Edlinger discovered that OpenSSL incorrectly handled certain\n decryption functions. (CVE-2019-1563)\n\nUpdate instructions:\n\nThe problem can be corrected by updating your system to the following\npackage versions:\n\nUbuntu 14.04 ESM:\n  libssl1.0.0                     1.0.1f-1ubuntu2.27+esm1\n\nUbuntu 12.04 ESM:\n  libssl1.0.0                     1.0.1-4ubuntu5.44\n\nAfter a standard system update you need to reboot your computer to make\nall the necessary changes. 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\nGentoo Linux Security Advisory                           GLSA 201903-10\n- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\n                                           https://security.gentoo.org/\n- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\n\n Severity: Normal\n    Title: OpenSSL: Multiple vulnerabilities\n     Date: March 14, 2019\n     Bugs: #673056, #678564\n       ID: 201903-10\n\n- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\n\nSynopsis\n========\n\nMultiple Information Disclosure vulnerabilities in OpenSSL allow\nattackers to obtain sensitive information. \n\nAffected packages\n=================\n\n    -------------------------------------------------------------------\n     Package              /     Vulnerable     /            Unaffected\n    -------------------------------------------------------------------\n  1  dev-libs/openssl             < 1.0.2r                  >= 1.0.2r \n\nDescription\n===========\n\nMultiple vulnerabilities have been discovered in OpenSSL. Please review\nthe CVE identifiers referenced below for details. \n\nImpact\n======\n\nA remote attacker could obtain sensitive information, caused by the\nfailure to immediately close the TCP connection after the hosts\nencounter a zero-length record with valid padding. \n\nA local attacker could run a malicious process next to legitimate\nprocesses using the architecture's parallel thread running capabilities\nto leak encrypted data from the CPU's internal processes. \n\nWorkaround\n==========\n\nThere is no known workaround at this time. 
\n\nResolution\n==========\n\nAll OpenSSL users should upgrade to the latest version:\n\n  # emerge --sync\n  # emerge --ask --oneshot --verbose \">=dev-libs/openssl-1.0.2r\"\n\nReferences\n==========\n\n[ 1 ] CVE-2018-5407\n      https://nvd.nist.gov/vuln/detail/CVE-2018-5407\n[ 2 ] CVE-2019-1559\n      https://nvd.nist.gov/vuln/detail/CVE-2019-1559\n\nAvailability\n============\n\nThis GLSA and any updates to it are available for viewing at\nthe Gentoo Security Website:\n\n https://security.gentoo.org/glsa/201903-10\n\nConcerns?\n=========\n\nSecurity is a primary focus of Gentoo Linux and ensuring the\nconfidentiality and security of our users' machines is of utmost\nimportance to us. Any security concerns should be addressed to\nsecurity@gentoo.org or alternatively, you may file a bug at\nhttps://bugs.gentoo.org. \n\nLicense\n=======\n\nCopyright 2019 Gentoo Foundation, Inc; referenced text\nbelongs to its owner(s). \n\nThe contents of this document are licensed under the\nCreative Commons - Attribution / Share Alike license. \n\nhttps://creativecommons.org/licenses/by-sa/2.5\n. 6) - i386, x86_64\n\n3. Description:\n\nRed Hat JBoss Web Server is a fully integrated and certified set of\ncomponents for hosting Java web applications. It is comprised of the Apache\nTomcat Servlet container, JBoss HTTP Connector (mod_cluster), the\nPicketLink Vault extension for Apache Tomcat, and the Tomcat Native\nlibrary. Solution:\n\nBefore applying this update, make sure all previously released errata\nrelevant to your system have been applied. 
-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA256\n\n====================================================================                   \nRed Hat Security Advisory\n\nSynopsis:          Moderate: openssl security and bug fix update\nAdvisory ID:       RHSA-2019:2304-01\nProduct:           Red Hat Enterprise Linux\nAdvisory URL:      https://access.redhat.com/errata/RHSA-2019:2304\nIssue date:        2019-08-06\nCVE Names:         CVE-2018-0734 CVE-2019-1559\n====================================================================\n1. Summary:\n\nAn update for openssl is now available for Red Hat Enterprise Linux 7. \n\nRed Hat Product Security has rated this update as having a security impact\nof Moderate. A Common Vulnerability Scoring System (CVSS) base score, which\ngives a detailed severity rating, is available for each vulnerability from\nthe CVE link(s) in the References section. \n\n2. Relevant releases/architectures:\n\nRed Hat Enterprise Linux Client (v. 7) - x86_64\nRed Hat Enterprise Linux Client Optional (v. 7) - x86_64\nRed Hat Enterprise Linux ComputeNode (v. 7) - x86_64\nRed Hat Enterprise Linux ComputeNode Optional (v. 7) - x86_64\nRed Hat Enterprise Linux Server (v. 7) - ppc64, ppc64le, s390x, x86_64\nRed Hat Enterprise Linux Server Optional (v. 7) - ppc64, ppc64le, s390x, x86_64\nRed Hat Enterprise Linux Workstation (v. 7) - x86_64\nRed Hat Enterprise Linux Workstation Optional (v. 7) - x86_64\n\n3. Description:\n\nOpenSSL is a toolkit that implements the Secure Sockets Layer (SSL) and\nTransport Layer Security (TLS) protocols, as well as a full-strength\ngeneral-purpose cryptography library. 
\n\nSecurity Fix(es):\n\n* openssl: 0-byte record padding oracle (CVE-2019-1559)\n\n* openssl: timing side channel attack in the DSA signature algorithm\n(CVE-2018-0734)\n\nFor more details about the security issue(s), including the impact, a CVSS\nscore, acknowledgments, and other related information, refer to the CVE\npage(s) listed in the References section. \n\nAdditional Changes:\n\nFor detailed information on changes in this release, see the Red Hat\nEnterprise Linux 7.7 Release Notes linked from the References section. \n\n4. Solution:\n\nFor details on how to apply this update, which includes the changes\ndescribed in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258\n\nFor the update to take effect, all services linked to the OpenSSL library\nmust be restarted, or the system rebooted. \n\n5. Bugs fixed (https://bugzilla.redhat.com/):\n\n1644364 - CVE-2018-0734 openssl: timing side channel attack in the DSA signature algorithm\n1649568 - openssl: microarchitectural and timing side channel padding oracle attack against RSA\n1683804 - CVE-2019-1559 openssl: 0-byte record padding oracle\n\n6. Package List:\n\nRed Hat Enterprise Linux Client (v. 7):\n\nSource:\nopenssl-1.0.2k-19.el7.src.rpm\n\nx86_64:\nopenssl-1.0.2k-19.el7.x86_64.rpm\nopenssl-debuginfo-1.0.2k-19.el7.i686.rpm\nopenssl-debuginfo-1.0.2k-19.el7.x86_64.rpm\nopenssl-libs-1.0.2k-19.el7.i686.rpm\nopenssl-libs-1.0.2k-19.el7.x86_64.rpm\n\nRed Hat Enterprise Linux Client Optional (v. 7):\n\nx86_64:\nopenssl-debuginfo-1.0.2k-19.el7.i686.rpm\nopenssl-debuginfo-1.0.2k-19.el7.x86_64.rpm\nopenssl-devel-1.0.2k-19.el7.i686.rpm\nopenssl-devel-1.0.2k-19.el7.x86_64.rpm\nopenssl-perl-1.0.2k-19.el7.x86_64.rpm\nopenssl-static-1.0.2k-19.el7.i686.rpm\nopenssl-static-1.0.2k-19.el7.x86_64.rpm\n\nRed Hat Enterprise Linux ComputeNode (v. 
7):\n\nSource:\nopenssl-1.0.2k-19.el7.src.rpm\n\nx86_64:\nopenssl-1.0.2k-19.el7.x86_64.rpm\nopenssl-debuginfo-1.0.2k-19.el7.i686.rpm\nopenssl-debuginfo-1.0.2k-19.el7.x86_64.rpm\nopenssl-libs-1.0.2k-19.el7.i686.rpm\nopenssl-libs-1.0.2k-19.el7.x86_64.rpm\n\nRed Hat Enterprise Linux ComputeNode Optional (v. 7):\n\nx86_64:\nopenssl-debuginfo-1.0.2k-19.el7.i686.rpm\nopenssl-debuginfo-1.0.2k-19.el7.x86_64.rpm\nopenssl-devel-1.0.2k-19.el7.i686.rpm\nopenssl-devel-1.0.2k-19.el7.x86_64.rpm\nopenssl-perl-1.0.2k-19.el7.x86_64.rpm\nopenssl-static-1.0.2k-19.el7.i686.rpm\nopenssl-static-1.0.2k-19.el7.x86_64.rpm\n\nRed Hat Enterprise Linux Server (v. 7):\n\nSource:\nopenssl-1.0.2k-19.el7.src.rpm\n\nppc64:\nopenssl-1.0.2k-19.el7.ppc64.rpm\nopenssl-debuginfo-1.0.2k-19.el7.ppc.rpm\nopenssl-debuginfo-1.0.2k-19.el7.ppc64.rpm\nopenssl-devel-1.0.2k-19.el7.ppc.rpm\nopenssl-devel-1.0.2k-19.el7.ppc64.rpm\nopenssl-libs-1.0.2k-19.el7.ppc.rpm\nopenssl-libs-1.0.2k-19.el7.ppc64.rpm\n\nppc64le:\nopenssl-1.0.2k-19.el7.ppc64le.rpm\nopenssl-debuginfo-1.0.2k-19.el7.ppc64le.rpm\nopenssl-devel-1.0.2k-19.el7.ppc64le.rpm\nopenssl-libs-1.0.2k-19.el7.ppc64le.rpm\n\ns390x:\nopenssl-1.0.2k-19.el7.s390x.rpm\nopenssl-debuginfo-1.0.2k-19.el7.s390.rpm\nopenssl-debuginfo-1.0.2k-19.el7.s390x.rpm\nopenssl-devel-1.0.2k-19.el7.s390.rpm\nopenssl-devel-1.0.2k-19.el7.s390x.rpm\nopenssl-libs-1.0.2k-19.el7.s390.rpm\nopenssl-libs-1.0.2k-19.el7.s390x.rpm\n\nx86_64:\nopenssl-1.0.2k-19.el7.x86_64.rpm\nopenssl-debuginfo-1.0.2k-19.el7.i686.rpm\nopenssl-debuginfo-1.0.2k-19.el7.x86_64.rpm\nopenssl-devel-1.0.2k-19.el7.i686.rpm\nopenssl-devel-1.0.2k-19.el7.x86_64.rpm\nopenssl-libs-1.0.2k-19.el7.i686.rpm\nopenssl-libs-1.0.2k-19.el7.x86_64.rpm\n\nRed Hat Enterprise Linux Server Optional (v. 
7):\n\nppc64:\nopenssl-debuginfo-1.0.2k-19.el7.ppc.rpm\nopenssl-debuginfo-1.0.2k-19.el7.ppc64.rpm\nopenssl-perl-1.0.2k-19.el7.ppc64.rpm\nopenssl-static-1.0.2k-19.el7.ppc.rpm\nopenssl-static-1.0.2k-19.el7.ppc64.rpm\n\nppc64le:\nopenssl-debuginfo-1.0.2k-19.el7.ppc64le.rpm\nopenssl-perl-1.0.2k-19.el7.ppc64le.rpm\nopenssl-static-1.0.2k-19.el7.ppc64le.rpm\n\ns390x:\nopenssl-debuginfo-1.0.2k-19.el7.s390.rpm\nopenssl-debuginfo-1.0.2k-19.el7.s390x.rpm\nopenssl-perl-1.0.2k-19.el7.s390x.rpm\nopenssl-static-1.0.2k-19.el7.s390.rpm\nopenssl-static-1.0.2k-19.el7.s390x.rpm\n\nx86_64:\nopenssl-debuginfo-1.0.2k-19.el7.i686.rpm\nopenssl-debuginfo-1.0.2k-19.el7.x86_64.rpm\nopenssl-perl-1.0.2k-19.el7.x86_64.rpm\nopenssl-static-1.0.2k-19.el7.i686.rpm\nopenssl-static-1.0.2k-19.el7.x86_64.rpm\n\nRed Hat Enterprise Linux Workstation (v. 7):\n\nSource:\nopenssl-1.0.2k-19.el7.src.rpm\n\nx86_64:\nopenssl-1.0.2k-19.el7.x86_64.rpm\nopenssl-debuginfo-1.0.2k-19.el7.i686.rpm\nopenssl-debuginfo-1.0.2k-19.el7.x86_64.rpm\nopenssl-devel-1.0.2k-19.el7.i686.rpm\nopenssl-devel-1.0.2k-19.el7.x86_64.rpm\nopenssl-libs-1.0.2k-19.el7.i686.rpm\nopenssl-libs-1.0.2k-19.el7.x86_64.rpm\n\nRed Hat Enterprise Linux Workstation Optional (v. 7):\n\nx86_64:\nopenssl-debuginfo-1.0.2k-19.el7.i686.rpm\nopenssl-debuginfo-1.0.2k-19.el7.x86_64.rpm\nopenssl-perl-1.0.2k-19.el7.x86_64.rpm\nopenssl-static-1.0.2k-19.el7.i686.rpm\nopenssl-static-1.0.2k-19.el7.x86_64.rpm\n\nThese packages are GPG signed by Red Hat for security.  Our key and\ndetails on how to verify the signature are available from\nhttps://access.redhat.com/security/team/key/\n\n7. References:\n\nhttps://access.redhat.com/security/cve/CVE-2018-0734\nhttps://access.redhat.com/security/cve/CVE-2019-1559\nhttps://access.redhat.com/security/updates/classification/#moderate\nhttps://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/7.7_release_notes/index\n\n8. Contact:\n\nThe Red Hat security contact is <secalert@redhat.com>. 
More contact\ndetails at https://access.redhat.com/security/team/contact/\n\nCopyright 2019 Red Hat, Inc. \n-----BEGIN PGP SIGNATURE-----\nVersion: GnuPG v1\n\niQIVAwUBXUl3otzjgjWX9erEAQgZQQ//XNcjRJGLVmjAzbVGiwxEqfFUvDVNiu97\nfW0vLXuV9TnQTveOVqOAWmmMv2iShkVIRPDvzlOfUsYrrDEYHKr0N38R/fhDEZsM\nWQrJh54WK9IjEGNevLTCePKMhVuII1WnHrLDwZ6hxYGdcap/sJrf+N428b5LvHbM\nB39vWl3vqJYXoiI5dmIYL8ko2SfLms5Cg+dR0hLrNohf9gK2La+jhWb/j2xw6X6q\n/LXw5+hi/G+USbnNFfjt9G0fNjMMZRX2bukUvY6UWJRYTOXpIUOFqqp5w9zgM7tZ\nuX7TMTC9xe6te4mBCAFDdt+kYYLYSHfSkFlFq+S7V0MY8DmnIzqBJE4lJIDTVp9F\nJbrMIPs9G5jdnzPUKZw/gH9WLgka8Q8AYI+KA2xSxFX9VZ20Z+EDDC9/4uwj3i0A\ngLeIB68OwD70jn4sjuQqizr7TCviQhTUoKVd/mTBAxSEFZLcE8Sy/BEYxLPm81z0\nveL16l6pmfg9uLac4V576ImfYNWlBEnJspA5E9K5CqQRPuZpCQFov7/D17Qm8v/x\nIcVKUaXiGquBwzHmIsD5lTCpl7CrGoU1PfNJ6Y/4xrVFOh1DLA4y6nnfysyO9eZx\nzBfuYS2VmfIq/tp1CjagI/DmJC4ezXeE4Phq9jm0EBASXtnLzVmc5j7kkqWjCcfm\nBtpJTAdr1kE=7kKR\n-----END PGP SIGNATURE-----\n\n--\nRHSA-announce mailing list\nRHSA-announce@redhat.com\nhttps://www.redhat.com/mailman/listinfo/rhsa-announce\n. These packages include redhat-release-virtualization-host,\novirt-node, and rhev-hypervisor. RHVH features a Cockpit user\ninterface for monitoring the host's resources and performing administrative\ntasks. \n\nThe following packages have been upgraded to a later upstream version:\nimgbased (1.1.9), ovirt-node-ng (4.3.5), redhat-release-virtualization-host\n(4.3.5), redhat-virtualization-host (4.3.5). 
Bugs fixed (https://bugzilla.redhat.com/):\n\n1640820 - CVE-2018-16838 sssd: improper implementation of GPOs due to too restrictive permissions\n1658366 - CVE-2018-16881 rsyslog: imptcp: integer overflow when Octet-Counted TCP Framing is enabled\n1683804 - CVE-2019-1559 openssl: 0-byte record padding oracle\n1687920 - RHVH fails to reinstall if required size is exceeding the available disk space due to anaconda bug\n1694065 - CVE-2019-0161 edk2: stack overflow in XHCI causing denial of service\n1702223 - Rebase RHV-H on RHEL 7.7\n1709829 - CVE-2019-10139 cockpit-ovirt: admin and appliance passwords saved in plain text variable file during HE deployment\n1718388 - CVE-2019-10160 python: regression of CVE-2019-9636 due to functional fix to allow port numbers in netloc\n1720156 - RHVH 4.3.4 version info is incorrect in plymouth and \"/etc/os-release\"\n1720160 - RHVH 4.3.4: Incorrect info in /etc/system-release-cpe\n1720310 - RHV-H post-installation scripts failing, due to existing tags\n1720434 - RHVH 7.7 brand is wrong in Anaconda GUI. \n1720435 - Failed to install RHVH 7.7\n1720436 - RHVH 7.7 should based on RHEL 7.7 server but not workstation. \n1724044 - Failed dependencies occur during install systemtap package. \n1726534 - dhclient fails to load libdns-export.so.1102 after upgrade if the user installed library is not persisted on the new layer\n1727007 - Update RHVH 7.7 branding with new Red Hat logo\n1727859 - Failed to boot after upgrading a host with a custom kernel\n1728998 - \"nodectl info\" displays error after RHVH installation\n1729023 - The error message is inappropriate when run `imgbase layout --init` on current layout\n\n6. \n\n\nHere are the details from the Slackware 14.2 ChangeLog:\n+--------------------------+\npatches/packages/openssl-1.0.2r-i586-1_slack14.2.txz:  Upgraded. \n  Go into the error state if a fatal alert is sent or received. 
\n  For more information, see:\n    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1559\n  (* Security fix *)\npatches/packages/openssl-solibs-1.0.2r-i586-1_slack14.2.txz:  Upgraded. \n+--------------------------+\n\n\nWhere to find the new packages:\n+-----------------------------+\n\nThanks to the friendly folks at the OSU Open Source Lab\n(http://osuosl.org) for donating FTP and rsync hosting\nto the Slackware project!  :-)\n\nAlso see the \"Get Slack\" section on http://slackware.com for\nadditional mirror sites near you. \n\nUpdated packages for Slackware 14.2:\nftp://ftp.slackware.com/pub/slackware/slackware-14.2/patches/packages/openssl-1.0.2r-i586-1_slack14.2.txz\nftp://ftp.slackware.com/pub/slackware/slackware-14.2/patches/packages/openssl-solibs-1.0.2r-i586-1_slack14.2.txz\n\nUpdated packages for Slackware x86_64 14.2:\nftp://ftp.slackware.com/pub/slackware/slackware64-14.2/patches/packages/openssl-1.0.2r-x86_64-1_slack14.2.txz\nftp://ftp.slackware.com/pub/slackware/slackware64-14.2/patches/packages/openssl-solibs-1.0.2r-x86_64-1_slack14.2.txz\n\n\nMD5 signatures:\n+-------------+\n\nSlackware 14.2 packages:\nb23a71963648d515630497f203eefab8  openssl-1.0.2r-i586-1_slack14.2.txz\n8b04a9be9b78052791f02428be44a639  openssl-solibs-1.0.2r-i586-1_slack14.2.txz\n\nSlackware x86_64 14.2 packages:\nc183c2ad507a65020f13c0dc154c0b11  openssl-1.0.2r-x86_64-1_slack14.2.txz\nd656915855edd6365636ac558b8180cb  openssl-solibs-1.0.2r-x86_64-1_slack14.2.txz\n\n\nInstallation instructions:\n+------------------------+\n\nUpgrade the packages as root:\n# upgradepkg openssl-1.0.2r-i586-1_slack14.2.txz openssl-solibs-1.0.2r-i586-1_slack14.2.txz\n\n\n+-----+\n\nSlackware Linux Security Team\nhttp://slackware.com/gpg-key\nsecurity@slackware.com\n\n+------------------------------------------------------------------------+\n| To leave the slackware-security mailing list:                          
|\n+------------------------------------------------------------------------+\n| Send an email to majordomo@slackware.com with this text in the body of |\n| the email message:                                                     |\n|                                                                        |\n|   unsubscribe slackware-security                                       |\n|                                                                        |\n| You will get a confirmation message back containing instructions to    |\n| complete the process.  Please do not reply to this email address",
      sources: [
         {
            db: "NVD",
            id: "CVE-2019-1559",
         },
         {
            db: "JVNDB",
            id: "JVNDB-2019-002098",
         },
         {
            db: "VULHUB",
            id: "VHN-147651",
         },
         {
            db: "VULMON",
            id: "CVE-2019-1559",
         },
         {
            db: "PACKETSTORM",
            id: "169635",
         },
         {
            db: "PACKETSTORM",
            id: "154009",
         },
         {
            db: "PACKETSTORM",
            id: "151918",
         },
         {
            db: "PACKETSTORM",
            id: "158377",
         },
         {
            db: "PACKETSTORM",
            id: "152084",
         },
         {
            db: "PACKETSTORM",
            id: "154042",
         },
         {
            db: "PACKETSTORM",
            id: "155415",
         },
         {
            db: "PACKETSTORM",
            id: "153932",
         },
         {
            db: "PACKETSTORM",
            id: "154008",
         },
         {
            db: "PACKETSTORM",
            id: "151886",
         },
      ],
      trust: 2.7,
   },
   external_ids: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/external_ids#",
         data: {
            "@container": "@list",
         },
         sources: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/ref/sources#",
            },
         },
      },
      data: [
         {
            db: "NVD",
            id: "CVE-2019-1559",
            trust: 3.6,
         },
         {
            db: "TENABLE",
            id: "TNS-2019-03",
            trust: 1.8,
         },
         {
            db: "TENABLE",
            id: "TNS-2019-02",
            trust: 1.8,
         },
         {
            db: "MCAFEE",
            id: "SB10282",
            trust: 1.8,
         },
         {
            db: "BID",
            id: "107174",
            trust: 1.8,
         },
         {
            db: "PACKETSTORM",
            id: "151886",
            trust: 0.8,
         },
         {
            db: "JVNDB",
            id: "JVNDB-2019-002098",
            trust: 0.8,
         },
         {
            db: "CNNVD",
            id: "CNNVD-201902-956",
            trust: 0.7,
         },
         {
            db: "PACKETSTORM",
            id: "158377",
            trust: 0.7,
         },
         {
            db: "PACKETSTORM",
            id: "155415",
            trust: 0.7,
         },
         {
            db: "AUSCERT",
            id: "ESB-2019.4479.2",
            trust: 0.6,
         },
         {
            db: "AUSCERT",
            id: "ESB-2020.3729",
            trust: 0.6,
         },
         {
            db: "AUSCERT",
            id: "ESB-2020.0102",
            trust: 0.6,
         },
         {
            db: "AUSCERT",
            id: "ESB-2020.2383",
            trust: 0.6,
         },
         {
            db: "AUSCERT",
            id: "ESB-2020.3462",
            trust: 0.6,
         },
         {
            db: "AUSCERT",
            id: "ESB-2020.0487",
            trust: 0.6,
         },
         {
            db: "AUSCERT",
            id: "ESB-2021.4083",
            trust: 0.6,
         },
         {
            db: "AUSCERT",
            id: "ESB-2019.0620",
            trust: 0.6,
         },
         {
            db: "AUSCERT",
            id: "ESB-2019.0751.2",
            trust: 0.6,
         },
         {
            db: "AUSCERT",
            id: "ESB-2019.4558",
            trust: 0.6,
         },
         {
            db: "AUSCERT",
            id: "ESB-2022.0696",
            trust: 0.6,
         },
         {
            db: "AUSCERT",
            id: "ESB-2020.0192",
            trust: 0.6,
         },
         {
            db: "AUSCERT",
            id: "ESB-2019.4479",
            trust: 0.6,
         },
         {
            db: "AUSCERT",
            id: "ESB-2020.0032",
            trust: 0.6,
         },
         {
            db: "AUSCERT",
            id: "ESB-2020.4255",
            trust: 0.6,
         },
         {
            db: "AUSCERT",
            id: "ESB-2019.4297",
            trust: 0.6,
         },
         {
            db: "AUSCERT",
            id: "ESB-2019.0666",
            trust: 0.6,
         },
         {
            db: "AUSCERT",
            id: "ESB-2019.4405",
            trust: 0.6,
         },
         {
            db: "AUSCERT",
            id: "ESB-2019.3390.4",
            trust: 0.6,
         },
         {
            db: "PULSESECURE",
            id: "SA44019",
            trust: 0.6,
         },
         {
            db: "PACKETSTORM",
            id: "151918",
            trust: 0.2,
         },
         {
            db: "PACKETSTORM",
            id: "154042",
            trust: 0.2,
         },
         {
            db: "PACKETSTORM",
            id: "151885",
            trust: 0.1,
         },
         {
            db: "VULHUB",
            id: "VHN-147651",
            trust: 0.1,
         },
         {
            db: "VULMON",
            id: "CVE-2019-1559",
            trust: 0.1,
         },
         {
            db: "PACKETSTORM",
            id: "169635",
            trust: 0.1,
         },
         {
            db: "PACKETSTORM",
            id: "154009",
            trust: 0.1,
         },
         {
            db: "PACKETSTORM",
            id: "152084",
            trust: 0.1,
         },
         {
            db: "PACKETSTORM",
            id: "153932",
            trust: 0.1,
         },
         {
            db: "PACKETSTORM",
            id: "154008",
            trust: 0.1,
         },
      ],
      sources: [
         {
            db: "VULHUB",
            id: "VHN-147651",
         },
         {
            db: "VULMON",
            id: "CVE-2019-1559",
         },
         {
            db: "JVNDB",
            id: "JVNDB-2019-002098",
         },
         {
            db: "PACKETSTORM",
            id: "169635",
         },
         {
            db: "PACKETSTORM",
            id: "154009",
         },
         {
            db: "PACKETSTORM",
            id: "151918",
         },
         {
            db: "PACKETSTORM",
            id: "158377",
         },
         {
            db: "PACKETSTORM",
            id: "152084",
         },
         {
            db: "PACKETSTORM",
            id: "154042",
         },
         {
            db: "PACKETSTORM",
            id: "155415",
         },
         {
            db: "PACKETSTORM",
            id: "153932",
         },
         {
            db: "PACKETSTORM",
            id: "154008",
         },
         {
            db: "PACKETSTORM",
            id: "151886",
         },
         {
            db: "CNNVD",
            id: "CNNVD-201902-956",
         },
         {
            db: "NVD",
            id: "CVE-2019-1559",
         },
      ],
   },
   id: "VAR-201902-0192",
   iot: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/iot#",
         sources: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/ref/sources#",
            },
         },
      },
      data: true,
      sources: [
         {
            db: "VULHUB",
            id: "VHN-147651",
         },
      ],
      trust: 0.3990740766666666,
   },
   last_update_date: "2024-11-29T21:28:53.683000Z",
   patch: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/patch#",
         data: {
            "@container": "@list",
         },
         sources: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/ref/sources#",
            },
         },
      },
      data: [
         {
            title: "hitachi-sec-2019-132 Software product security information",
            trust: 0.8,
            url: "https://usn.ubuntu.com/3899-1/",
         },
         {
            title: "OpenSSL Security vulnerabilities",
            trust: 0.6,
            url: "http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=89673",
         },
         {
            title: "Red Hat: Moderate: openssl security and bug fix update",
            trust: 0.1,
            url: "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories&qid=RHSA-20192304 - Security Advisory",
         },
         {
            title: "Red Hat: Moderate: openssl security update",
            trust: 0.1,
            url: "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories&qid=RHSA-20192471 - Security Advisory",
         },
         {
            title: "Ubuntu Security Notice: openssl, openssl1.0 vulnerability",
            trust: 0.1,
            url: "https://vulmon.com/vendoradvisory?qidtp=ubuntu_security_notice&qid=USN-3899-1",
         },
         {
            title: "Debian Security Advisories: DSA-4400-1 openssl1.0 -- security update",
            trust: 0.1,
            url: "https://vulmon.com/vendoradvisory?qidtp=debian_security_advisories&qid=675a6469b3fad3c9a56addc922ae8d9d",
         },
         {
            title: "Red Hat: Moderate: rhvm-appliance security, bug fix, and enhancement update",
            trust: 0.1,
            url: "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories&qid=RHSA-20192439 - Security Advisory",
         },
         {
            title: "Red Hat: Moderate: Red Hat JBoss Web Server 5.2 security release",
            trust: 0.1,
            url: "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories&qid=RHSA-20193929 - Security Advisory",
         },
         {
            title: "Red Hat: Moderate: Red Hat JBoss Web Server 5.2 security release",
            trust: 0.1,
            url: "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories&qid=RHSA-20193931 - Security Advisory",
         },
         {
            title: "Red Hat: Important: Red Hat Virtualization security update",
            trust: 0.1,
            url: "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories&qid=RHSA-20192437 - Security Advisory",
         },
         {
            title: "Red Hat: CVE-2019-1559",
            trust: 0.1,
            url: "https://vulmon.com/vendoradvisory?qidtp=red_hat_cve_database&qid=CVE-2019-1559",
         },
         {
            title: "Arch Linux Advisories: [ASA-201903-2] openssl-1.0: information disclosure",
            trust: 0.1,
            url: "https://vulmon.com/vendoradvisory?qidtp=arch_linux_advisories&qid=ASA-201903-2",
         },
         {
            title: "Arch Linux Advisories: [ASA-201903-6] lib32-openssl-1.0: information disclosure",
            trust: 0.1,
            url: "https://vulmon.com/vendoradvisory?qidtp=arch_linux_advisories&qid=ASA-201903-6",
         },
         {
            title: "Arch Linux Issues: ",
            trust: 0.1,
            url: "https://vulmon.com/vendoradvisory?qidtp=arch_linux_issues&qid=CVE-2019-1559",
         },
         {
            title: "Amazon Linux AMI: ALAS-2019-1188",
            trust: 0.1,
            url: "https://vulmon.com/vendoradvisory?qidtp=amazon_linux_ami&qid=ALAS-2019-1188",
         },
         {
            title: "Amazon Linux 2: ALAS2-2019-1362",
            trust: 0.1,
            url: "https://vulmon.com/vendoradvisory?qidtp=amazon_linux2&qid=ALAS2-2019-1362",
         },
         {
            title: "Amazon Linux 2: ALAS2-2019-1188",
            trust: 0.1,
            url: "https://vulmon.com/vendoradvisory?qidtp=amazon_linux2&qid=ALAS2-2019-1188",
         },
         {
            title: "IBM: IBM Security Bulletin: Vulnerability in OpenSSL affects IBM Spectrum Protect Backup-Archive Client NetApp Services (CVE-2019-1559)",
            trust: 0.1,
            url: "https://vulmon.com/vendoradvisory?qidtp=ibm_psirt_blog&qid=884ffe1be805ead0a804f06f7c14072c",
         },
         {
            title: "IBM: IBM Security Bulletin: IBM Security Proventia Network Active Bypass is affected by openssl vulnerabilities (CVE-2019-1559)",
            trust: 0.1,
            url: "https://vulmon.com/vendoradvisory?qidtp=ibm_psirt_blog&qid=1092f7b64100b0110232688947fb97ed",
         },
         {
            title: "IBM: IBM Security Bulletin: Guardium StealthBits Integration is affected by an OpenSSL vulnerability",
            trust: 0.1,
            url: "https://vulmon.com/vendoradvisory?qidtp=ibm_psirt_blog&qid=6b4ff04f16b62df96980d37251dc9ae0",
         },
         {
            title: "IBM: IBM Security Bulletin: IBM InfoSphere Master Data Management Standard and Advanced Editions are affected by vulnerabilities in OpenSSL (CVE-2019-1559)",
            trust: 0.1,
            url: "https://vulmon.com/vendoradvisory?qidtp=ibm_psirt_blog&qid=7856a174f729c96cf2ba970cfef5f604",
         },
         {
            title: "IBM: IBM Security Bulletin: OpenSSL vulnerability affects IBM Spectrum Control (formerly Tivoli Storage Productivity Center) (CVE-2019-1559)",
            trust: 0.1,
            url: "https://vulmon.com/vendoradvisory?qidtp=ibm_psirt_blog&qid=04a72ac59f1cc3a5b02c155d941c5cfd",
         },
         {
            title: "IBM: IBM Security Bulletin: IBM DataPower Gateway is affected by a padding oracle vulnerability (CVE-2019-1559)",
            trust: 0.1,
            url: "https://vulmon.com/vendoradvisory?qidtp=ibm_psirt_blog&qid=9c55c211aa2410823d4d568143afa117",
         },
         {
            title: "IBM: Security Bulletin: OpenSSL vulnerabilites impacting Aspera High-Speed Transfer Server, Aspera Desktop Client 3.9.1 and earlier (CVE-2019-1559)",
            trust: 0.1,
            url: "https://vulmon.com/vendoradvisory?qidtp=ibm_psirt_blog&qid=c233af3070d7248dcbafadb6b367e2a1",
         },
         {
            title: "IBM: IBM Security Bulletin: IBM QRadar Network Security is affected by openssl vulnerabilities (CVE-2019-1559, CVE-2018-0734)",
            trust: 0.1,
            url: "https://vulmon.com/vendoradvisory?qidtp=ibm_psirt_blog&qid=7ceb7cf440b088f91358d1c597d5a414",
         },
         {
            title: "IBM: IBM Security Bulletin: Vulnerability in OpenSSL affects IBM Rational ClearCase (CVE-2019-1559)",
            trust: 0.1,
            url: "https://vulmon.com/vendoradvisory?qidtp=ibm_psirt_blog&qid=c0b11f80d1ecd798a97f3bda2b68f830",
         },
         {
            title: "IBM: IBM Security Bulletin: Vulnerability CVE-2019-1559 in OpenSSL affects IBM i",
            trust: 0.1,
            url: "https://vulmon.com/vendoradvisory?qidtp=ibm_psirt_blog&qid=12860155d0bf31ea6e2e3ffcef7ea7e0",
         },
         {
            title: "IBM: IBM Security Bulletin: Vulnerability in OpenSSL affects AIX (CVE-2019-1559) Security Bulletin",
            trust: 0.1,
            url: "https://vulmon.com/vendoradvisory?qidtp=ibm_psirt_blog&qid=2709308a62e1e2fafc2e4989ef440aa3",
         },
         {
            title: "IBM: IBM Security Bulletin: Multiple Vulnerabilities in OpenSSL affect IBM Worklight and IBM MobileFirst Platform Foundation",
            trust: 0.1,
            url: "https://vulmon.com/vendoradvisory?qidtp=ibm_psirt_blog&qid=1b873a45dce8bb56ff011908a9402b67",
         },
         {
            title: "IBM: IBM Security Bulletin: Node.js as used in IBM QRadar Packet Capture is vulnerable to the following CVE’s (CVE-2019-1559, CVE-2019-5737, CVE-2019-5739)",
            trust: 0.1,
            url: "https://vulmon.com/vendoradvisory?qidtp=ibm_psirt_blog&qid=aae1f2192c5cf9375ed61f7a27d08f64",
         },
         {
            title: "IBM: IBM Security Bulletin: Multiple Security Vulnerabilities affect IBM Cloud Private (CVE-2019-5739 CVE-2019-5737 CVE-2019-1559)",
            trust: 0.1,
            url: "https://vulmon.com/vendoradvisory?qidtp=ibm_psirt_blog&qid=8b00742d4b57e0eaab4fd3f9a2125634",
         },
         {
            title: "IBM: IBM Security Bulletin: Vulnerabilities in OpenSSL affect GCM16 & GCM32 and LCM8 & LCM16 KVM Switch Firmware (CVE-2018-0732 CVE-2019-1559)",
            trust: 0.1,
            url: "https://vulmon.com/vendoradvisory?qidtp=ibm_psirt_blog&qid=ca67e77b9edd2ad304d2f2da1853223f",
         },
         {
            title: "IBM: IBM Security Bulletin: Vulnerabilities in GNU OpenSSL (1.0.2 series) affect IBM Netezza Analytics",
            trust: 0.1,
            url: "https://vulmon.com/vendoradvisory?qidtp=ibm_psirt_blog&qid=ac5ccbde4e4ddbcabd10cacf82487a11",
         },
         {
            title: "IBM: Security Bulletin: Vulnerabities in SSL in IBM DataPower Gateway",
            trust: 0.1,
            url: "https://vulmon.com/vendoradvisory?qidtp=ibm_psirt_blog&qid=5fc1433ca504461e3bbb1d30e408592c",
         },
         {
            title: "Hitachi Security Advisories: Vulnerability in Cosminexus HTTP Server",
            trust: 0.1,
            url: "https://vulmon.com/vendoradvisory?qidtp=hitachi_security_advisories&qid=hitachi-sec-2019-112",
         },
         {
            title: "Hitachi Security Advisories: Vulnerability in JP1",
            trust: 0.1,
            url: "https://vulmon.com/vendoradvisory?qidtp=hitachi_security_advisories&qid=hitachi-sec-2019-132",
         },
         {
            title: "IBM: IBM Security Bulletin: Security vulnerabilities identified in OpenSSL affect Rational Build Forge (CVE-2018-0734, CVE-2018-5407 and CVE-2019-1559)",
            trust: 0.1,
            url: "https://vulmon.com/vendoradvisory?qidtp=ibm_psirt_blog&qid=e59d7f075c856823d6f7370dea35e662",
         },
         {
            title: "Debian CVElist Bug Report Logs: mysql-5.7: Security fixes from the April 2019 CPU",
            trust: 0.1,
            url: "https://vulmon.com/vendoradvisory?qidtp=debian_cvelist_bugreportlogs&qid=5f1bd0287d0770973261ab8500c6982b",
         },
         {
            title: "IBM: IBM Security Bulletin: Vulnerability in Node.js affects IBM Integration Bus & IBM App Connect Enterprise V11",
            trust: 0.1,
            url: "https://vulmon.com/vendoradvisory?qidtp=ibm_psirt_blog&qid=1a7cb34592ef045ece1d2b32c150f2a2",
         },
         {
            title: "IBM: IBM Security Bulletin: Secure Gateway is affected by multiple vulnerabilities",
            trust: 0.1,
            url: "https://vulmon.com/vendoradvisory?qidtp=ibm_psirt_blog&qid=28830011b173eee360fbb2a55c68c9d3",
         },
         {
            title: "IBM: IBM Security Bulletin: Multiple vulnerabilities affect IBM® SDK for Node.js™ in IBM Cloud",
            trust: 0.1,
            url: "https://vulmon.com/vendoradvisory?qidtp=ibm_psirt_blog&qid=8db7a9036f52f1664d12ac73d7a3506f",
         },
         {
            title: "IBM: IBM Security Bulletin: Security vulnerabilities in IBM SDK for Node.js might affect the configuration editor used by IBM Business Automation Workflow and IBM Business Process Manager (BPM)",
            trust: 0.1,
            url: "https://vulmon.com/vendoradvisory?qidtp=ibm_psirt_blog&qid=6b74f45222d8029af7ffef49314f6056",
         },
         {
            title: "Oracle Solaris Third Party Bulletins: Oracle Solaris Third Party Bulletin - April 2019",
            trust: 0.1,
            url: "https://vulmon.com/vendoradvisory?qidtp=oracle_solaris_third_party_bulletins&qid=4ee609eeae78bbbd0d0c827f33a7f87f",
         },
         {
            title: "Tenable Security Advisories: [R1] Nessus Agent 7.4.0 Fixes One Third-party Vulnerability",
            trust: 0.1,
            url: "https://vulmon.com/vendoradvisory?qidtp=tenable_security_advisories&qid=TNS-2019-03",
         },
         {
            title: "Forcepoint Security Advisories: CVE-2018-0734 and CVE-2019-1559 (OpenSSL)",
            trust: 0.1,
            url: "https://vulmon.com/vendoradvisory?qidtp=forcepoint_security_advisories&qid=b508c983da563a8786bf80c360afb887",
         },
         {
            title: "Hitachi Security Advisories: Multiple Vulnerabilities in JP1/Automatic Job Management System 3 - Web Operation Assistant",
            trust: 0.1,
            url: "https://vulmon.com/vendoradvisory?qidtp=hitachi_security_advisories&qid=hitachi-sec-2021-121",
         },
         {
            title: "Palo Alto Networks Security Advisory: ",
            trust: 0.1,
            url: "https://vulmon.com/vendoradvisory?qidtp=palo_alto_networks_security_advisory&qid=217c2f4028735d91500e325e8ba1cbba",
         },
         {
            title: "Palo Alto Networks Security Advisory: CVE-2019-1559 OpenSSL vulnerability CVE-2019-1559 has been resolved in PAN-OS",
            trust: 0.1,
            url: "https://vulmon.com/vendoradvisory?qidtp=palo_alto_networks_security_advisory&qid=a16107c1f899993837417057168db200",
         },
         {
            title: "IBM: IBM Security Bulletin:IBM Security Identity Adapters has released a fix in response to the OpenSSL vulnerabilities",
            trust: 0.1,
            url: "https://vulmon.com/vendoradvisory?qidtp=ibm_psirt_blog&qid=00b8bc7d11e5484e8721f3f62ec2ce87",
         },
         {
            title: "IBM: Security Bulletin: Vulnerabilities have been identified in OpenSSL and the Kernel shipped with the DS8000 Hardware Management Console (HMC)",
            trust: 0.1,
            url: "https://vulmon.com/vendoradvisory?qidtp=ibm_psirt_blog&qid=423d1da688755122eb2591196e4cc160",
         },
         {
            title: "IBM: IBM Security Bulletin: Multiple vulnerabilities affect IBM Watson Assistant for IBM Cloud Pak for Data",
            trust: 0.1,
            url: "https://vulmon.com/vendoradvisory?qidtp=ibm_psirt_blog&qid=1e6142e07a3e9637110bdfa17e331459",
         },
         {
            title: "IBM: IBM Security Bulletin: Multiple Vulnerabilities in Watson Openscale (Liberty, Java, node.js)",
            trust: 0.1,
            url: "https://vulmon.com/vendoradvisory?qidtp=ibm_psirt_blog&qid=a47e10150b300f15d2fd55b9cdaed12d",
         },
         {
            title: "Tenable Security Advisories: [R1] Nessus 8.3.0 Fixes Multiple Third-party Vulnerabilities",
            trust: 0.1,
            url: "https://vulmon.com/vendoradvisory?qidtp=tenable_security_advisories&qid=TNS-2019-02",
         },
         {
            title: "IBM: IBM Security Bulletin: BigFix Platform 9.5.x / 9.2.x affected by multiple vulnerabilities (CVE-2018-16839, CVE-2018-16842, CVE-2018-16840, CVE-2019-3823, CVE-2019-3822, CVE-2018-16890, CVE-2019-4011, CVE-2018-2005, CVE-2019-4058, CVE-2019-1559)",
            trust: 0.1,
            url: "https://vulmon.com/vendoradvisory?qidtp=ibm_psirt_blog&qid=0b05dc856c1be71db871bcea94f6fa8d",
         },
         {
            title: "IBM: IBM Security Bulletin: Multiple Security Vulnerabilities have been addressed in IBM Security Access Manager Appliance",
            trust: 0.1,
            url: "https://vulmon.com/vendoradvisory?qidtp=ibm_psirt_blog&qid=800337bc69aa7ad92ac88a2adcc7d426",
         },
         {
            title: "IBM: IBM Security Bulletin: Vyatta 5600 vRouter Software Patches – Releases 1801-w and 1801-y",
            trust: 0.1,
            url: "https://vulmon.com/vendoradvisory?qidtp=ibm_psirt_blog&qid=bf3f2299a8658b7cd3984c40e7060666",
         },
         {
            title: "Siemens Security Advisories: Siemens Security Advisory",
            trust: 0.1,
            url: "https://vulmon.com/vendoradvisory?qidtp=siemens_security_advisories&qid=ec6577109e640dac19a6ddb978afe82d",
         },
         {
            title: "",
            trust: 0.1,
            url: "https://github.com/Live-Hack-CVE/CVE-2019-1559 ",
         },
         {
            title: "Centos-6-openssl-1.0.1e-58.pd1trfir",
            trust: 0.1,
            url: "https://github.com/daTourist/Centos-6-openssl-1.0.1e-58.pd1trfir ",
         },
         {
            title: "",
            trust: 0.1,
            url: "https://github.com/tls-attacker/TLS-Padding-Oracles ",
         },
         {
            title: "TLS-Padding-Oracles",
            trust: 0.1,
            url: "https://github.com/RUB-NDS/TLS-Padding-Oracles ",
         },
         {
            title: "vyger",
            trust: 0.1,
            url: "https://github.com/mrodden/vyger ",
         },
         {
            title: "",
            trust: 0.1,
            url: "https://github.com/vincent-deng/veracode-container-security-finding-parser ",
         },
      ],
      sources: [
         {
            db: "VULMON",
            id: "CVE-2019-1559",
         },
         {
            db: "JVNDB",
            id: "JVNDB-2019-002098",
         },
         {
            db: "CNNVD",
            id: "CNNVD-201902-956",
         },
      ],
   },
   problemtype_data: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
         sources: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/ref/sources#",
            },
         },
      },
      data: [
         {
            problemtype: "CWE-203",
            trust: 1.1,
         },
         {
            problemtype: "information leak (CWE-200) [NVD Evaluation ]",
            trust: 0.8,
         },
         {
            problemtype: "CWE-200",
            trust: 0.1,
         },
      ],
      sources: [
         {
            db: "VULHUB",
            id: "VHN-147651",
         },
         {
            db: "JVNDB",
            id: "JVNDB-2019-002098",
         },
         {
            db: "NVD",
            id: "CVE-2019-1559",
         },
      ],
   },
   references: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/references#",
         data: {
            "@container": "@list",
         },
         sources: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/ref/sources#",
            },
         },
      },
      data: [
         {
            trust: 3.6,
            url: "http://www.securityfocus.com/bid/107174",
         },
         {
            trust: 2.5,
            url: "https://access.redhat.com/errata/rhsa-2019:3929",
         },
         {
            trust: 2.4,
            url: "https://www.oracle.com/security-alerts/cpujan2021.html",
         },
         {
            trust: 2.4,
            url: "https://access.redhat.com/errata/rhsa-2019:3931",
         },
         {
            trust: 2.4,
            url: "https://nvd.nist.gov/vuln/detail/cve-2019-1559",
         },
         {
            trust: 2,
            url: "https://access.redhat.com/errata/rhsa-2019:2304",
         },
         {
            trust: 1.9,
            url: "https://www.openssl.org/news/secadv/20190226.txt",
         },
         {
            trust: 1.9,
            url: "https://security.gentoo.org/glsa/201903-10",
         },
         {
            trust: 1.9,
            url: "https://access.redhat.com/errata/rhsa-2019:2437",
         },
         {
            trust: 1.9,
            url: "https://access.redhat.com/errata/rhsa-2019:2439",
         },
         {
            trust: 1.9,
            url: "https://access.redhat.com/errata/rhsa-2019:2471",
         },
         {
            trust: 1.9,
            url: "https://usn.ubuntu.com/3899-1/",
         },
         {
            trust: 1.8,
            url: "https://security.netapp.com/advisory/ntap-20190301-0001/",
         },
         {
            trust: 1.8,
            url: "https://security.netapp.com/advisory/ntap-20190301-0002/",
         },
         {
            trust: 1.8,
            url: "https://security.netapp.com/advisory/ntap-20190423-0002/",
         },
         {
            trust: 1.8,
            url: "https://www.tenable.com/security/tns-2019-02",
         },
         {
            trust: 1.8,
            url: "https://www.tenable.com/security/tns-2019-03",
         },
         {
            trust: 1.8,
            url: "https://www.debian.org/security/2019/dsa-4400",
         },
         {
            trust: 1.8,
            url: "https://www.oracle.com/security-alerts/cpujan2020.html",
         },
         {
            trust: 1.8,
            url: "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html",
         },
         {
            trust: 1.8,
            url: "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html",
         },
         {
            trust: 1.8,
            url: "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html",
         },
         {
            trust: 1.8,
            url: "https://lists.debian.org/debian-lts-announce/2019/03/msg00003.html",
         },
         {
            trust: 1.8,
            url: "http://lists.opensuse.org/opensuse-security-announce/2019-03/msg00041.html",
         },
         {
            trust: 1.8,
            url: "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00019.html",
         },
         {
            trust: 1.8,
            url: "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00046.html",
         },
         {
            trust: 1.8,
            url: "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00047.html",
         },
         {
            trust: 1.8,
            url: "http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00049.html",
         },
         {
            trust: 1.8,
            url: "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00080.html",
         },
         {
            trust: 1.8,
            url: "https://usn.ubuntu.com/4376-2/",
         },
         {
            trust: 1.7,
            url: "https://kc.mcafee.com/corporate/index?page=content&id=sb10282",
         },
         {
            trust: 1.2,
            url: "https://support.f5.com/csp/article/k18549143",
         },
         {
            trust: 1.1,
            url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ewc42uxl5ghtu5g77vkbf6jyuungshom/",
         },
         {
            trust: 1.1,
            url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/zbev5qgdrfuzdmnecfxusn5fmyozde4v/",
         },
         {
            trust: 1.1,
            url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/y3ivfgserazlnjck35tem2r4726xih3z/",
         },
         {
            trust: 1.1,
            url: "https://git.openssl.org/gitweb/?p=openssl.git%3ba=commitdiff%3bh=e9bbefbf0f24c57645e7ad6a5a71ae649d18ac8e",
         },
         {
            trust: 1.1,
            url: "https://support.f5.com/csp/article/k18549143?utm_source=f5support&amp%3butm_medium=rss",
         },
         {
            trust: 0.7,
            url: "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=e9bbefbf0f24c57645e7ad6a5a71ae649d18ac8e",
         },
         {
            trust: 0.7,
            url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/zbev5qgdrfuzdmnecfxusn5fmyozde4v/",
         },
         {
            trust: 0.7,
            url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/y3ivfgserazlnjck35tem2r4726xih3z/",
         },
         {
            trust: 0.7,
            url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ewc42uxl5ghtu5g77vkbf6jyuungshom/",
         },
         {
            trust: 0.6,
            url: "http://aix.software.ibm.com/aix/efixes/security/openssl_advisory30.asc",
         },
         {
            trust: 0.6,
            url: "https://kb.pulsesecure.net/articles/pulse_security_advisories/sa44019/?l=en_us&atype=sa&fs=search&pn=1&atype=sa",
         },
         {
            trust: 0.6,
            url: "https://www.oracle.com/technetwork/topics/security/bulletinapr2019-5462008.html",
         },
         {
            trust: 0.6,
            url: "https://github.com/rub-nds/tls-padding-oracles",
         },
         {
            trust: 0.6,
            url: "http://openssl.org/",
         },
         {
            trust: 0.6,
            url: "https://support.f5.com/csp/article/k18549143?utm_source=f5support&utm_medium=rss",
         },
         {
            trust: 0.6,
            url: "https://support.symantec.com/us/en/article.symsa1490.html",
         },
         {
            trust: 0.6,
            url: "https://www.ibm.com/support/pages/node/1170328",
         },
         {
            trust: 0.6,
            url: "https://www.ibm.com/support/pages/node/1170340",
         },
         {
            trust: 0.6,
            url: "https://www.ibm.com/support/pages/node/1170334",
         },
         {
            trust: 0.6,
            url: "https://www.ibm.com/support/pages/node/1170322",
         },
         {
            trust: 0.6,
            url: "https://www.ibm.com/support/pages/node/1170352",
         },
         {
            trust: 0.6,
            url: "https://www.ibm.com/support/pages/node/1170346",
         },
         {
            trust: 0.6,
            url: "https://nodejs.org/en/blog/vulnerability/february-2019-security-releases/",
         },
         {
            trust: 0.6,
            url: "https://www.suse.com/support/update/announcement/2019/suse-su-20190572-1/",
         },
         {
            trust: 0.6,
            url: "https://usn.ubuntu.com/4212-1/",
         },
         {
            trust: 0.6,
            url: "https://www.ibm.com/support/pages/node/1115655",
         },
         {
            trust: 0.6,
            url: "https://www.ibm.com/support/pages/node/1115649",
         },
         {
            trust: 0.6,
            url: "https://www.hitachi.co.jp/prod/comp/soft1/global/security/info/vuls/hitachi-sec-2019-132/index.html",
         },
         {
            trust: 0.6,
            url: "https://www.ibm.com/support/pages/node/2016771",
         },
         {
            trust: 0.6,
            url: "https://www.ibm.com/support/pages/node/2020677",
         },
         {
            trust: 0.6,
            url: "https://www.ibm.com/support/pages/node/2027745",
         },
         {
            trust: 0.6,
            url: "https://www.ibm.com/support/pages/node/1126581",
         },
         {
            trust: 0.6,
            url: "http://www.hitachi.co.jp/prod/comp/soft1/global/security/info/vuls/hitachi-sec-2019-132/index.html",
         },
         {
            trust: 0.6,
            url: "http://www.ubuntu.com/usn/usn-3899-1",
         },
         {
            trust: 0.6,
            url: "https://www.auscert.org.au/bulletins/76438",
         },
         {
            trust: 0.6,
            url: "https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-openssl-affect-ibm-tivoli-netcool-system-service-monitors-application-service-monitors-cve-2018-5407cve-2020-1967cve-2018-0734cve-2019-1563cve-2019/",
         },
         {
            trust: 0.6,
            url: "https://www.auscert.org.au/bulletins/esb-2019.4405/",
         },
         {
            trust: 0.6,
            url: "https://www.ibm.com/support/pages/node/1116357",
         },
         {
            trust: 0.6,
            url: "https://www.auscert.org.au/bulletins/esb-2019.4558/",
         },
         {
            trust: 0.6,
            url: "https://www.auscert.org.au/bulletins/esb-2019.4479/",
         },
         {
            trust: 0.6,
            url: "https://www.auscert.org.au/bulletins/esb-2020.3729/",
         },
         {
            trust: 0.6,
            url: "https://www.auscert.org.au/bulletins/76230",
         },
         {
            trust: 0.6,
            url: "https://www.oracle.com/security-alerts/cpujan2020verbose.html",
         },
         {
            trust: 0.6,
            url: "https://www.auscert.org.au/bulletins/esb-2020.0032/",
         },
         {
            trust: 0.6,
            url: "https://www.auscert.org.au/bulletins/esb-2020.0487/",
         },
         {
            trust: 0.6,
            url: "https://www.ibm.com/support/pages/node/1115643",
         },
         {
            trust: 0.6,
            url: "https://vigilance.fr/vulnerability/openssl-1-0-2-information-disclosure-via-0-byte-record-padding-oracle-28600",
         },
         {
            trust: 0.6,
            url: "https://www.ibm.com/support/pages/node/3517185",
         },
         {
            trust: 0.6,
            url: "https://www.ibm.com/support/pages/node/1167202",
         },
         {
            trust: 0.6,
            url: "https://www.ibm.com/blogs/psirt/security-bulletin-openssl-as-used-by-ibm-qradar-siem-is-missing-a-required-cryptographic-step-cve-2019-1559/",
         },
         {
            trust: 0.6,
            url: "https://www.auscert.org.au/bulletins/esb-2020.0192/",
         },
         {
            trust: 0.6,
            url: "https://www.auscert.org.au/bulletins/esb-2019.3390.4/",
         },
         {
            trust: 0.6,
            url: "https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-openssl-affects-ibm-integrated-analytics-system/",
         },
         {
            trust: 0.6,
            url: "https://www.auscert.org.au/bulletins/esb-2019.4479.2/",
         },
         {
            trust: 0.6,
            url: "https://www.auscert.org.au/bulletins/esb-2020.3462/",
         },
         {
            trust: 0.6,
            url: "https://www.auscert.org.au/bulletins/esb-2021.4083",
         },
         {
            trust: 0.6,
            url: "https://packetstormsecurity.com/files/155415/red-hat-security-advisory-2019-3929-01.html",
         },
         {
            trust: 0.6,
            url: "https://www.ibm.com/support/pages/node/6520674",
         },
         {
            trust: 0.6,
            url: "https://www.auscert.org.au/bulletins/esb-2022.0696",
         },
         {
            trust: 0.6,
            url: "https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-have-been-identified-in-openssl-and-the-kernel-shipped-with-the-ds8000-hardware-management-console-hmc/",
         },
         {
            trust: 0.6,
            url: "https://www.auscert.org.au/bulletins/76782",
         },
         {
            trust: 0.6,
            url: "https://www.ibm.com/blogs/psirt/security-bulletin-ibm-rackswitch-firmware-products-are-affected-by-the-following-opensll-vulnerability/",
         },
         {
            trust: 0.6,
            url: "https://www.auscert.org.au/bulletins/esb-2020.2383/",
         },
         {
            trust: 0.6,
            url: "https://www.auscert.org.au/bulletins/esb-2020.4255/",
         },
         {
            trust: 0.6,
            url: "https://www.auscert.org.au/bulletins/esb-2019.4297/",
         },
         {
            trust: 0.6,
            url: "https://www.auscert.org.au/bulletins/esb-2020.0102/",
         },
         {
            trust: 0.6,
            url: "https://www.ibm.com/support/pages/node/1143442",
         },
         {
            trust: 0.6,
            url: "https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerabilities-in-openssh-and-openssl-shipped-with-ibm-security-access-manager-appliance-cve-2018-15473-cve-2019-1559/",
         },
         {
            trust: 0.6,
            url: "https://www.ibm.com/support/pages/node/1105965",
         },
         {
            trust: 0.6,
            url: "https://packetstormsecurity.com/files/158377/ubuntu-security-notice-usn-4376-2.html",
         },
         {
            trust: 0.6,
            url: "https://www.ibm.com/support/pages/node/1106553",
         },
         {
            trust: 0.6,
            url: "https://www.ibm.com/blogs/psirt/security-bulletin-public-disclosed-vulnerability-from-openssl-affect-ibm-netezza-host-management/",
         },
         {
            trust: 0.6,
            url: "https://packetstormsecurity.com/files/151886/slackware-security-advisory-openssl-updates.html",
         },
         {
            trust: 0.5,
            url: "https://www.redhat.com/mailman/listinfo/rhsa-announce",
         },
         {
            trust: 0.5,
            url: "https://bugzilla.redhat.com/):",
         },
         {
            trust: 0.5,
            url: "https://access.redhat.com/security/team/key/",
         },
         {
            trust: 0.5,
            url: "https://access.redhat.com/security/cve/cve-2019-1559",
         },
         {
            trust: 0.5,
            url: "https://access.redhat.com/security/team/contact/",
         },
         {
            trust: 0.4,
            url: "https://access.redhat.com/security/updates/classification/#moderate",
         },
         {
            trust: 0.3,
            url: "https://access.redhat.com/articles/11258",
         },
         {
            trust: 0.2,
            url: "https://access.redhat.com/articles/2974891",
         },
         {
            trust: 0.2,
            url: "https://access.redhat.com/security/cve/cve-2018-16881",
         },
         {
            trust: 0.2,
            url: "https://nvd.nist.gov/vuln/detail/cve-2018-16881",
         },
         {
            trust: 0.2,
            url: "https://nvd.nist.gov/vuln/detail/cve-2018-5407",
         },
         {
            trust: 0.1,
            url: "https://kc.mcafee.com/corporate/index?page=content&amp;id=sb10282",
         },
         {
            trust: 0.1,
            url: "https://support.f5.com/csp/article/k18549143?utm_source=f5support&amp;amp;utm_medium=rss",
         },
         {
            trust: 0.1,
            url: "https://cwe.mitre.org/data/definitions/203.html",
         },
         {
            trust: 0.1,
            url: "https://github.com/live-hack-cve/cve-2019-1559",
         },
         {
            trust: 0.1,
            url: "https://tools.cisco.com/security/center/viewalert.x?alertid=59697",
         },
         {
            trust: 0.1,
            url: "https://nvd.nist.gov",
         },
         {
            trust: 0.1,
            url: "https://www.openssl.org/policies/secpolicy.html",
         },
         {
            trust: 0.1,
            url: "https://access.redhat.com/security/cve/cve-2019-3888",
         },
         {
            trust: 0.1,
            url: "https://nvd.nist.gov/vuln/detail/cve-2019-3888",
         },
         {
            trust: 0.1,
            url: "https://www.debian.org/security/",
         },
         {
            trust: 0.1,
            url: "https://www.debian.org/security/faq",
         },
         {
            trust: 0.1,
            url: "https://security-tracker.debian.org/tracker/openssl1.0",
         },
         {
            trust: 0.1,
            url: "https://nvd.nist.gov/vuln/detail/cve-2019-1547",
         },
         {
            trust: 0.1,
            url: "https://nvd.nist.gov/vuln/detail/cve-2019-1563",
         },
         {
            trust: 0.1,
            url: "https://usn.ubuntu.com/4376-1",
         },
         {
            trust: 0.1,
            url: "https://usn.ubuntu.com/4376-2",
         },
         {
            trust: 0.1,
            url: "https://bugs.gentoo.org.",
         },
         {
            trust: 0.1,
            url: "https://creativecommons.org/licenses/by-sa/2.5",
         },
         {
            trust: 0.1,
            url: "https://security.gentoo.org/",
         },
         {
            trust: 0.1,
            url: "https://access.redhat.com/security/cve/cve-2019-10072",
         },
         {
            trust: 0.1,
            url: "https://access.redhat.com/security/cve/cve-2019-0221",
         },
         {
            trust: 0.1,
            url: "https://nvd.nist.gov/vuln/detail/cve-2019-10072",
         },
         {
            trust: 0.1,
            url: "https://access.redhat.com/security/cve/cve-2018-5407",
         },
         {
            trust: 0.1,
            url: "https://access.redhat.com/documentation/en-us/red_hat_jboss_web_server/5.2/",
         },
         {
            trust: 0.1,
            url: "https://nvd.nist.gov/vuln/detail/cve-2019-0221",
         },
         {
            trust: 0.1,
            url: "https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/7.7_release_notes/index",
         },
         {
            trust: 0.1,
            url: "https://nvd.nist.gov/vuln/detail/cve-2018-0734",
         },
         {
            trust: 0.1,
            url: "https://access.redhat.com/security/cve/cve-2018-0734",
         },
         {
            trust: 0.1,
            url: "https://access.redhat.com/security/cve/cve-2019-10160",
         },
         {
            trust: 0.1,
            url: "https://access.redhat.com/security/updates/classification/#important",
         },
         {
            trust: 0.1,
            url: "https://access.redhat.com/security/cve/cve-2019-0161",
         },
         {
            trust: 0.1,
            url: "https://access.redhat.com/security/cve/cve-2018-16838",
         },
         {
            trust: 0.1,
            url: "https://nvd.nist.gov/vuln/detail/cve-2019-10160",
         },
         {
            trust: 0.1,
            url: "https://nvd.nist.gov/vuln/detail/cve-2018-16838",
         },
         {
            trust: 0.1,
            url: "https://nvd.nist.gov/vuln/detail/cve-2019-0161",
         },
         {
            trust: 0.1,
            url: "https://nvd.nist.gov/vuln/detail/cve-2019-10139",
         },
         {
            trust: 0.1,
            url: "https://access.redhat.com/security/cve/cve-2019-10139",
         },
         {
            trust: 0.1,
            url: "https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-1559",
         },
         {
            trust: 0.1,
            url: "http://slackware.com",
         },
         {
            trust: 0.1,
            url: "http://osuosl.org)",
         },
         {
            trust: 0.1,
            url: "http://slackware.com/gpg-key",
         },
      ],
      sources: [
         {
            db: "VULHUB",
            id: "VHN-147651",
         },
         {
            db: "VULMON",
            id: "CVE-2019-1559",
         },
         {
            db: "JVNDB",
            id: "JVNDB-2019-002098",
         },
         {
            db: "PACKETSTORM",
            id: "169635",
         },
         {
            db: "PACKETSTORM",
            id: "154009",
         },
         {
            db: "PACKETSTORM",
            id: "151918",
         },
         {
            db: "PACKETSTORM",
            id: "158377",
         },
         {
            db: "PACKETSTORM",
            id: "152084",
         },
         {
            db: "PACKETSTORM",
            id: "154042",
         },
         {
            db: "PACKETSTORM",
            id: "155415",
         },
         {
            db: "PACKETSTORM",
            id: "153932",
         },
         {
            db: "PACKETSTORM",
            id: "154008",
         },
         {
            db: "PACKETSTORM",
            id: "151886",
         },
         {
            db: "CNNVD",
            id: "CNNVD-201902-956",
         },
         {
            db: "NVD",
            id: "CVE-2019-1559",
         },
      ],
   },
   sources: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/sources#",
         data: {
            "@container": "@list",
         },
      },
      data: [
         {
            db: "VULHUB",
            id: "VHN-147651",
         },
         {
            db: "VULMON",
            id: "CVE-2019-1559",
         },
         {
            db: "JVNDB",
            id: "JVNDB-2019-002098",
         },
         {
            db: "PACKETSTORM",
            id: "169635",
         },
         {
            db: "PACKETSTORM",
            id: "154009",
         },
         {
            db: "PACKETSTORM",
            id: "151918",
         },
         {
            db: "PACKETSTORM",
            id: "158377",
         },
         {
            db: "PACKETSTORM",
            id: "152084",
         },
         {
            db: "PACKETSTORM",
            id: "154042",
         },
         {
            db: "PACKETSTORM",
            id: "155415",
         },
         {
            db: "PACKETSTORM",
            id: "153932",
         },
         {
            db: "PACKETSTORM",
            id: "154008",
         },
         {
            db: "PACKETSTORM",
            id: "151886",
         },
         {
            db: "CNNVD",
            id: "CNNVD-201902-956",
         },
         {
            db: "NVD",
            id: "CVE-2019-1559",
         },
      ],
   },
   sources_release_date: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
         data: {
            "@container": "@list",
         },
      },
      data: [
         {
            date: "2019-02-27T00:00:00",
            db: "VULHUB",
            id: "VHN-147651",
         },
         {
            date: "2019-02-27T00:00:00",
            db: "VULMON",
            id: "CVE-2019-1559",
         },
         {
            date: "2019-04-02T00:00:00",
            db: "JVNDB",
            id: "JVNDB-2019-002098",
         },
         {
            date: "2019-02-26T12:12:12",
            db: "PACKETSTORM",
            id: "169635",
         },
         {
            date: "2019-08-12T17:13:13",
            db: "PACKETSTORM",
            id: "154009",
         },
         {
            date: "2019-03-01T14:06:40",
            db: "PACKETSTORM",
            id: "151918",
         },
         {
            date: "2020-07-09T18:42:27",
            db: "PACKETSTORM",
            id: "158377",
         },
         {
            date: "2019-03-14T16:23:47",
            db: "PACKETSTORM",
            id: "152084",
         },
         {
            date: "2019-08-13T17:44:04",
            db: "PACKETSTORM",
            id: "154042",
         },
         {
            date: "2019-11-20T20:44:44",
            db: "PACKETSTORM",
            id: "155415",
         },
         {
            date: "2019-08-06T21:09:19",
            db: "PACKETSTORM",
            id: "153932",
         },
         {
            date: "2019-08-12T17:13:02",
            db: "PACKETSTORM",
            id: "154008",
         },
         {
            date: "2019-02-27T19:22:00",
            db: "PACKETSTORM",
            id: "151886",
         },
         {
            date: "2019-02-26T00:00:00",
            db: "CNNVD",
            id: "CNNVD-201902-956",
         },
         {
            date: "2019-02-27T23:29:00.277000",
            db: "NVD",
            id: "CVE-2019-1559",
         },
      ],
   },
   sources_update_date: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
         data: {
            "@container": "@list",
         },
      },
      data: [
         {
            date: "2022-08-19T00:00:00",
            db: "VULHUB",
            id: "VHN-147651",
         },
         {
            date: "2023-11-07T00:00:00",
            db: "VULMON",
            id: "CVE-2019-1559",
         },
         {
            date: "2021-07-15T06:04:00",
            db: "JVNDB",
            id: "JVNDB-2019-002098",
         },
         {
            date: "2022-03-25T00:00:00",
            db: "CNNVD",
            id: "CNNVD-201902-956",
         },
         {
            date: "2024-11-21T04:36:48.960000",
            db: "NVD",
            id: "CVE-2019-1559",
         },
      ],
   },
   threat_type: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/threat_type#",
         sources: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/ref/sources#",
            },
         },
      },
      data: "remote",
      sources: [
         {
            db: "PACKETSTORM",
            id: "169635",
         },
         {
            db: "CNNVD",
            id: "CNNVD-201902-956",
         },
      ],
      trust: 0.7,
   },
   title: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/title#",
         sources: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/ref/sources#",
            },
         },
      },
      data: "OpenSSL Information Disclosure Vulnerability",
      sources: [
         {
            db: "JVNDB",
            id: "JVNDB-2019-002098",
         },
      ],
      trust: 0.8,
   },
   type: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/type#",
         sources: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/ref/sources#",
            },
         },
      },
      data: "information disclosure",
      sources: [
         {
            db: "CNNVD",
            id: "CNNVD-201902-956",
         },
      ],
      trust: 0.6,
   },
}