| The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them. |
|
 |
|
|
History of vulnerabilities analyzed by Vigil@nce:
Oracle AS: several vulnerabilities of January 2009
Synthesis of the vulnerability
Several vulnerabilities are corrected by the CPU of January 2009.
Severity: 3/4.
Number of vulnerabilities in this bulletin: 4.
Creation date: 14/01/2009.
Revision date: 15/01/2009.
Identifiers: CERTA-2009-AVI-013, cpujan2009, CVE-2008-2623, CVE-2008-4014, CVE-2008-4017, CVE-2008-5438, DSECRG-09-001, VIGILANCE-VUL-8387.
Full Vigil@nce bulletin... (Free trial)
Description of the vulnerability
The CPU (Critical Patch Update) of January 2009 corrects several vulnerabilities of Oracle Application Server. Oracle's announce contains a detailed table, summarized below.
An attacker (via LDAP, unauthenticated) can obtain information via a vulnerability of OC4J. [severity:3/4; CVE-2008-4017]
An attacker can use the BPELConsole/default/activities.jsp url to create a Cross Site Scripting in Oracle BPEL Process Manager. [severity:2/4; CVE-2008-4014, DSECRG-09-001]
An attacker (via HTTP, unauthenticated) can create a Cross Site Scripting in Oracle Portal. [severity:3/4; CVE-2008-5438]
An attacker (local, unauthenticated) can obtain information via a vulnerability of Oracle JDeveloper. [severity:2/4; CERTA-2009-AVI-013, CVE-2008-2623]
Full Vigil@nce bulletin... (Free trial) |
Oracle Database: several vulnerabilities of January 2009
Synthesis of the vulnerability
Several vulnerabilities are corrected by the CPU of January 2009.
Severity: 2/4.
Number of vulnerabilities in this bulletin: 11.
Creation date: 14/01/2009.
Revisions dates: 15/01/2009, 04/02/2009.
Identifiers: cpujan2009, CVE-2008-3973, CVE-2008-3974, CVE-2008-3978, CVE-2008-3979, CVE-2008-3997, CVE-2008-3999, CVE-2008-4015, CVE-2008-5436, CVE-2008-5437, CVE-2008-5439, NISR13012009, VIGILANCE-VUL-8386, ZDI-09-003, ZDI-09-004.
Full Vigil@nce bulletin... (Free trial)
Description of the vulnerability
The CPU (Critical Patch Update) of January 2009 corrects several vulnerabilities of Oracle Database. Oracle's announce contains a detailed table, summarized below.
An attacker (via Oracle Net, authenticated, with the EXECUTE privilege on DBMS_IJOB) can obtain or alter information via a vulnerability of Job Queue. [severity:2/4; CVE-2008-5437]
An attacker (via Oracle Net, authenticated, with the Create Session privilege) can alter information or create a denial of service via a vulnerability of Oracle OLAP. [severity:2/4; CVE-2008-5436]
An attacker (via Oracle Net, authenticated, with the Create Session privilege) can obtain or alter information via a vulnerability of Oracle Spatial. [severity:2/4; CVE-2008-3978]
An attacker (via Oracle Net, authenticated, with the Create Session privilege) can obtain privileges of the MDSYS user via MDSYS.SDO_TOPO_DROP_FTBL of Oracle Spatial. [severity:2/4; CVE-2008-3979, NISR13012009]
An attacker (via Oracle Net, authenticated, with the Execute on SYS.DBMS_STREAMS_AUTH privilege) can obtain or alter information via a vulnerability of Oracle Streams. [severity:2/4; CVE-2008-4015]
An attacker (via Oracle Net, authenticated, with the EXECUTE privilege on SYS.OLAPIMPL_T) can generate a buffer overflow in the SYS.OLAPIMPL_T.ODCITABLESTART procedure, in order to create a denial of service or to execute code. [severity:2/4; CVE-2008-3974]
An attacker (via Oracle Net, authenticated, with the EXECUTE privilege on SYS.DBMS_XSOQ_ODBO) can aller a file via a vulnerability of Summary Advisor (Oracle OLAP). [severity:2/4; CVE-2008-3997]
An attacker (via Oracle Net, authenticated, with the EXECUTE privilege on SYS.OLAPIMPL_T) can create a denial of service via a vulnerability of Oracle OLAP. [severity:2/4; CVE-2008-3999]
An attacker (local, authenticated) can obtain information via a vulnerability of SQL*Plus Windows GUI. [severity:2/4; CVE-2008-5439]
An attacker (local, authenticated) can obtain information via a vulnerability of SQL*Plus Windows GUI. [severity:1/4; CVE-2008-3973]
Other vulnerabilities impact Oracle Secure Backup, Oracle Forms, Oracle EBusiness Suite and Oracle TimesTen. [severity:1/4; ZDI-09-003, ZDI-09-004]
Full Vigil@nce bulletin... (Free trial) |
Windows: code execution via SMB
Synthesis of the vulnerability
Two vulnerabilities of SMB can be used by an attacker to execute code on the server.
Severity: 3/4.
Number of vulnerabilities in this bulletin: 2.
Creation date: 13/01/2009.
Revision date: 14/01/2009.
Identifiers: 958687, BID-33121, BID-33122, CVE-2008-4834, CVE-2008-4835, MS09-001, VIGILANCE-VUL-8385, ZDI-09-001, ZDI-09-002.
Full Vigil@nce bulletin... (Free trial)
Description of the vulnerability
The SMB/CIFS protocol is used for resource sharing, and is listening on ports 139 and 445. This protocol can receive commands in a transaction, which were successively implemented in the "Transaction", "NT Trans" and "NT Trans2" packet formats. Two vulnerabilities are related to the handling of transaction packets.
An attacker can send a SMB NT Trans packet with a big field in order to generate a buffer overflow. [severity:3/4; BID-33121, CVE-2008-4834, ZDI-09-001]
An attacker can send a SMB NT Trans2 packet with a malicious message in order to generate a buffer overflow. [severity:3/4; BID-33122, CVE-2008-4835, ZDI-09-002]
A network attacker can use these vulnerabilities to execute code on the server with system privileges.
Full Vigil@nce bulletin... (Free trial) |
Linux kernel: privilege elevation via sys_remap_file_pages
Synthesis of the vulnerability
A local attacker can map a file in memory in order to create a denial of service and possibly to execute code.
Severity: 2/4.
Creation date: 13/01/2009.
Identifiers: BID-33211, CVE-2009-0024, VIGILANCE-VUL-8384.
Full Vigil@nce bulletin... (Free trial)
Description of the vulnerability
The sys_remap_file_pages() function of mm/fremap.c is called when a file is mapped in memory.
The get_file() and fput() macros/functions atomically increment/decrement the number of users of a file. The sys_remap_file_pages() does not use them.
A local attacker can therefore use a mapped file in order to corrupt the memory, which leads to a denial of service or to code execution.
Full Vigil@nce bulletin... (Free trial) |
BlackBerry ES: memory corruptions via PDF
Synthesis of the vulnerability
Four vulnerabilities of PDF Distiller can be used by an attacker to create a denial of service or to execute code in BlackBerry Enterprise Server.
Severity: 3/4.
Number of vulnerabilities in this bulletin: 4.
Creation date: 13/01/2009.
Revision date: 14/01/2009.
Identifiers: BID-33224, BID-33248, BID-33250, CVE-2009-0176, CVE-2009-0219, KB17118, KB17119, SDR 278003, SDR 278012, SDR 278031, SDR 278437, VIGILANCE-VUL-8383.
Full Vigil@nce bulletin... (Free trial)
Description of the vulnerability
The BlackBerry Attachment Service service handles attachments for BlackBerry Enterprise Server and BlackBerry Unite. Four malformed PDF documents can corrupt the memory of PDF Distiller used in BlackBerry Attachment Service.
A PDF document containing a large symbol width (symWidths) creates a heap overflow. [severity:3/4; CVE-2009-0176]
A PDF document containing malformed bitmap objects creates an overflow. [severity:3/4; BID-33248, CVE-2009-0176]
When a data stream in a PDF document is parsed, an uninitialized memory area can be used, which leads to a free of pointers controlled by the attacker, and then to code execution. [severity:3/4; BID-33250, CVE-2009-0219]
A malicious PDF document can use an unknown vulnerability. [severity:3/4]
An attacker can therefore send a malicious PDF document via email in order to create a denial of service or to execute code. Note: these vulnerabilities are different from VIGILANCE-VUL-8382.
Full Vigil@nce bulletin... (Free trial) |
BlackBerry ES: memory corruption via PDF
Synthesis of the vulnerability
A vulnerability of PDF Distiller can be used by an attacker to create a denial of service or to execute code in BlackBerry Enterprise Server.
Severity: 3/4.
Creation date: 13/01/2009.
Identifiers: CVE-2008-3246, KB15766, KB15770, VIGILANCE-VUL-8382, VU#289235.
Full Vigil@nce bulletin... (Free trial)
Description of the vulnerability
The BlackBerry Attachment Service service handles attachments for BlackBerry Enterprise Server and BlackBerry Unite.
A malformed PDF document can corrupt the memory of PDF Distiller used in BlackBerry Attachment Service.
An attacker can therefore send a malicious PDF document via email in order to create a denial of service or to execute code.
Note: this vulnerability was first announced in July 2008. The VIGILANCE-VUL-8383 bulletin describes new variants.
Full Vigil@nce bulletin... (Free trial) |
Linux kernel: denial of service via locks_remove_flock
Synthesis of the vulnerability
A local attacker can mount a NFS volume in order to stop the system.
Severity: 1/4.
Creation date: 13/01/2009.
Identifiers: 456282, BID-33237, CVE-2008-4307, DSA-1787-1, DSA-1794-1, RHSA-2009:0451-02, RHSA-2009:0459-01, RHSA-2009:0473-01, VIGILANCE-VUL-8381, VMSA-2009-0016, VMSA-2009-0016.1, VMSA-2009-0016.2, VMSA-2009-0016.3, VMSA-2009-0016.4, VMSA-2009-0016.5.
Full Vigil@nce bulletin... (Free trial)
Description of the vulnerability
Local users can be allowed to mount NFS volumes located on a remote server.
The do_setlk() function of fs/nfs/file.c manages a lock on NFS. The locks_remove_flock() function remove file locks. When both functions are called in two threads, a fatal error occurs, and the kernel calls BUG() to stop.
A local attacker can therefore mount a NFS volume, and then interrupt the access to a file, in order to stop the system.
Full Vigil@nce bulletin... (Free trial) |
Solaris: denial of service via aio_suspend
Synthesis of the vulnerability
A local attacker can use the aio_suspend() function in order to stop the system.
Severity: 1/4.
Creation date: 12/01/2009.
Identifiers: 247986, 6748772, BID-33188, CVE-2009-0132, TKADV2009-001, VIGILANCE-VUL-8380.
Full Vigil@nce bulletin... (Free trial)
Description of the vulnerability
The aio_suspend() function suspends execution of the current thread, waiting for an event:
aio_suspend(aiocb, nent, timeout);
It uses the SYS_kaio() system call, which calls the aiosuspend() function of /uts/common/os/aio.c.
The 32 bit mode, the aiosuspend() function multiplies "nent" by 4 (sizeof caddr32_t) before allocating a memory area. However, if "nent" is 0x3FFFFFFF, the size to allocate is zero, which panics vmem_xalloc().
A local attacker can therefore use the aio_suspend() function in order to stop the system.
Full Vigil@nce bulletin... (Free trial) |
Lasso: incorrect usage of OpenSSL DSA_verify
Synthesis of the vulnerability
The Lasso library incorrectly uses the DSA_verify() function of OpenSSL, which can be used by an attacker to bypass the signature check.
Severity: 3/4.
Creation date: 12/01/2009.
Identifiers: CVE-2009-0050, DSA-1700-1, ocert-2008-016, VIGILANCE-VUL-8379.
Full Vigil@nce bulletin... (Free trial)
Description of the vulnerability
The Lasso library implements Liberty Alliance standards related to identity management. Lasso is compiled with OpenSSL.
The DSA_verify() function returns:
- either +1 if the signature is valid
- either 0 if the signature is invalid
- either -1 if an unexpected error occurred
However, instead of using:
if (returnedvalue <= 0) error;
Lasso uses:
if (returnedvalue == 0) error;
Unexpected errors are thus handled as valid signatures.
An attacker can therefore setup a malicious identity server using an invalid signature.
This vulnerability is similar to VIGILANCE-VUL-8371.
Full Vigil@nce bulletin... (Free trial) |
Python: several overflows
Synthesis of the vulnerability
Several overflows of Python can lead to a denial of service or to code execution.
Severity: 2/4.
Number of vulnerabilities in this bulletin: 4.
Creation date: 12/01/2009.
Identifiers: BID-33187, CESA-2008-008, CVE-2008-4864, CVE-2008-5031, MDVSA-2009:003, MDVSA-2009:036, RHSA-2009:1176-01, RHSA-2009:1177-01, RHSA-2009:1178-02, SUSE-SR:2009:001, VIGILANCE-VUL-8378, VMSA-2009-0016, VMSA-2009-0016.1, VMSA-2009-0016.2, VMSA-2009-0016.3, VMSA-2009-0016.4, VMSA-2009-0016.5.
Full Vigil@nce bulletin... (Free trial)
Description of the vulnerability
An attacker can create a malicious Python program or use special data in order to generate several overflows.
An attacker can generate an integer overflow in the audioop.ratecv() function. [severity:2/4]
An attacker can generate an integer overflow in the imageop.crop() function. [severity:2/4; CVE-2008-4864]
An attacker can generate an integer overflow in the imageop.crop() function, which is implemented in string_expandtabs() of Objects/stringobject.c or unicode_expandtabs() of Objects/unicodeobject.c. [severity:2/4; BID-33187, CVE-2008-5031]
An attacker can generate an integer overflow in the rgbimagemodule.c file. [severity:2/4]
These overflows can, depending on the context, lead to denials of service or to code execution.
Full Vigil@nce bulletin... (Free trial) |
Previous page Next page Direct access to page
1
21
41
61
81
101
121
141
161
181
201
221
241
261
281
301
321
341
361
381
401
421
441
461
481
501
521
541
561
581
601
621
641
661
681
701
721
741
761
781
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
821
841
861
881
901
921
941
961
981
1001
1021
1041
1061
1081
1101
1121
1141
1161
1181
1201
1221
1241
1261
1281
1301
1321
1341
1361
1381
1401
1421
1441
1461
1481
1501
1521
1541
1561
1581
1601
1621
1641
1661
1681
1701
1721
1741
1761
1781
1801
1821
1841
1861
1881
1901
1921
1941
1961
1981
2001
2021
2041
2061
2081
2101
2121
2141
2161
2181
2201
2221
2241
2261
2281
2301
2321
2341
2361
2381
2401
2421
2441
2461
2481
2501
2521
2541
2561
2581
2601
2621
2641
2661
2681
2701
2721
2741
2761
2781
2801
2821
2841
2861
2881
2901
2921
2927
|