The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.
History of vulnerabilities analyzed by Vigil@nce:

computer vulnerability announce CVE-2008-2623 CVE-2008-4014 CVE-2008-4017

Oracle AS: several vulnerabilities of January 2009

Synthesis of the vulnerability

Several vulnerabilities are corrected by the CPU of January 2009.
Impacted products: Oracle AS, Oracle Portal.
Severity: 3/4.
Consequences: data reading, data creation/edition.
Provenance: internet client.
Number of vulnerabilities in this bulletin: 4.
Creation date: 14/01/2009.
Revision date: 15/01/2009.
Identifiers: CERTA-2009-AVI-013, cpujan2009, CVE-2008-2623, CVE-2008-4014, CVE-2008-4017, CVE-2008-5438, DSECRG-09-001, VIGILANCE-VUL-8387.

Description of the vulnerability

The CPU (Critical Patch Update) of January 2009 corrects several vulnerabilities of Oracle Application Server. Oracle's announcement contains a detailed table, which is summarized below.

An attacker (via LDAP, unauthenticated) can obtain information via a vulnerability of OC4J. [severity:3/4; CVE-2008-4017]

An attacker can use the BPELConsole/default/activities.jsp URL to trigger a Cross Site Scripting in Oracle BPEL Process Manager. [severity:2/4; CVE-2008-4014, DSECRG-09-001]

An attacker (via HTTP, unauthenticated) can trigger a Cross Site Scripting in Oracle Portal. [severity:3/4; CVE-2008-5438]

An attacker (local, unauthenticated) can obtain information via a vulnerability of Oracle JDeveloper. [severity:2/4; CERTA-2009-AVI-013, CVE-2008-2623]

computer vulnerability alert CVE-2008-3973 CVE-2008-3974 CVE-2008-3978

Oracle Database: several vulnerabilities of January 2009

Synthesis of the vulnerability

Several vulnerabilities are corrected by the CPU of January 2009.
Impacted products: Oracle DB, Oracle Net Services, SQL*Net.
Severity: 2/4.
Consequences: privileged access/rights, data reading, data creation/edition.
Provenance: user shell.
Number of vulnerabilities in this bulletin: 11.
Creation date: 14/01/2009.
Revision dates: 15/01/2009, 04/02/2009.
Identifiers: cpujan2009, CVE-2008-3973, CVE-2008-3974, CVE-2008-3978, CVE-2008-3979, CVE-2008-3997, CVE-2008-3999, CVE-2008-4015, CVE-2008-5436, CVE-2008-5437, CVE-2008-5439, NISR13012009, VIGILANCE-VUL-8386, ZDI-09-003, ZDI-09-004.

Description of the vulnerability

The CPU (Critical Patch Update) of January 2009 corrects several vulnerabilities of Oracle Database. Oracle's announcement contains a detailed table, which is summarized below.

An attacker (via Oracle Net, authenticated, with the EXECUTE privilege on DBMS_IJOB) can obtain or alter information via a vulnerability of Job Queue. [severity:2/4; CVE-2008-5437]

An attacker (via Oracle Net, authenticated, with the Create Session privilege) can alter information or create a denial of service via a vulnerability of Oracle OLAP. [severity:2/4; CVE-2008-5436]

An attacker (via Oracle Net, authenticated, with the Create Session privilege) can obtain or alter information via a vulnerability of Oracle Spatial. [severity:2/4; CVE-2008-3978]

An attacker (via Oracle Net, authenticated, with the Create Session privilege) can obtain privileges of the MDSYS user via MDSYS.SDO_TOPO_DROP_FTBL of Oracle Spatial. [severity:2/4; CVE-2008-3979, NISR13012009]

An attacker (via Oracle Net, authenticated, with the Execute on SYS.DBMS_STREAMS_AUTH privilege) can obtain or alter information via a vulnerability of Oracle Streams. [severity:2/4; CVE-2008-4015]

An attacker (via Oracle Net, authenticated, with the EXECUTE privilege on SYS.OLAPIMPL_T) can generate a buffer overflow in the SYS.OLAPIMPL_T.ODCITABLESTART procedure, in order to create a denial of service or to execute code. [severity:2/4; CVE-2008-3974]

An attacker (via Oracle Net, authenticated, with the EXECUTE privilege on SYS.DBMS_XSOQ_ODBO) can alter a file via a vulnerability of Summary Advisor (Oracle OLAP). [severity:2/4; CVE-2008-3997]

An attacker (via Oracle Net, authenticated, with the EXECUTE privilege on SYS.OLAPIMPL_T) can create a denial of service via a vulnerability of Oracle OLAP. [severity:2/4; CVE-2008-3999]

An attacker (local, authenticated) can obtain information via a vulnerability of SQL*Plus Windows GUI. [severity:2/4; CVE-2008-5439]

An attacker (local, authenticated) can obtain information via a vulnerability of SQL*Plus Windows GUI. [severity:1/4; CVE-2008-3973]

Other vulnerabilities impact Oracle Secure Backup, Oracle Forms, Oracle EBusiness Suite and Oracle TimesTen. [severity:1/4; ZDI-09-003, ZDI-09-004]

computer vulnerability CVE-2008-4834 CVE-2008-4835

Windows: code execution via SMB

Synthesis of the vulnerability

Two vulnerabilities of SMB can be used by an attacker to execute code on the server.
Impacted products: Windows 2000, Windows 2003, Windows 2008 R0, Windows Vista, Windows XP.
Severity: 3/4.
Consequences: administrator access/rights, denial of service on server.
Provenance: intranet client.
Number of vulnerabilities in this bulletin: 2.
Creation date: 13/01/2009.
Revision date: 14/01/2009.
Identifiers: 958687, BID-33121, BID-33122, CVE-2008-4834, CVE-2008-4835, MS09-001, VIGILANCE-VUL-8385, ZDI-09-001, ZDI-09-002.

Description of the vulnerability

The SMB/CIFS protocol is used for resource sharing and listens on TCP ports 139 and 445. Commands can be carried inside a transaction, a mechanism that was successively implemented as the "Transaction", "NT Trans" and "NT Trans2" packet formats. Two vulnerabilities are related to the handling of transaction packets.

An attacker can send an SMB NT Trans packet with an oversized field in order to generate a buffer overflow. [severity:3/4; BID-33121, CVE-2008-4834, ZDI-09-001]

An attacker can send a SMB NT Trans2 packet with a malicious message in order to generate a buffer overflow. [severity:3/4; BID-33122, CVE-2008-4835, ZDI-09-002]

A network attacker can use these vulnerabilities to execute code on the server with system privileges.
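The transaction-packet validation this bulletin is about, as an added C example (not Microsoft's code, and not the routine corrected by MS09-001, which does not say which field is mis-validated). The parser reads the SMB_COM_NT_TRANSACT request layout from MS-CIFS and checks every client-supplied count and offset against the received packet and the destination buffer before copying anything. Assumptions: the buffer starts at the SMB header (the NetBIOS session header has already been stripped), since NT Trans offsets are relative to that header; `MAX_PARAMS` is an illustrative server-side buffer size; the packet builder and its payloads are constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define SMB_HDR_LEN         32     /* SMB1 header; offsets below are relative to it */
#define SMB_COM_NT_TRANSACT 0xA0
#define NT_TRANS_WORDS      38     /* 19 parameter words before Setup[] */
#define MAX_PARAMS          1024   /* assumed fixed server-side buffer */

struct nt_trans {
    uint32_t total_param_count, total_data_count;
    uint32_t param_count, param_offset, data_count, data_offset;
    uint8_t  setup_count;
    uint16_t function;
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }

/* Parse an NT_TRANSACT request and copy its parameter block into params[].
 * Returns 0 on success, a negative code on any malformed or oversized packet.
 * Every count/offset is checked against pkt_len and MAX_PARAMS before use. */
int parse_nt_trans(const uint8_t *pkt, size_t pkt_len, struct nt_trans *t,
                   uint8_t *params, size_t *params_len)
{
    if (pkt_len < SMB_HDR_LEN + 1 + NT_TRANS_WORDS + 2) return -1;   /* hdr + WordCount + words + ByteCount */
    if (memcmp(pkt, "\xffSMB", 4) != 0 || pkt[4] != SMB_COM_NT_TRANSACT) return -2;

    const uint8_t *p = pkt + SMB_HDR_LEN + 1;        /* first parameter word; p[-1] is WordCount */
    t->total_param_count = rd32(p + 3);              /* p[0]=MaxSetupCount, p[1..2]=Reserved */
    t->total_data_count  = rd32(p + 7);              /* p[11..18]=MaxParameterCount, MaxDataCount */
    t->param_count       = rd32(p + 19);
    t->param_offset      = rd32(p + 23);
    t->data_count        = rd32(p + 27);
    t->data_offset       = rd32(p + 31);
    t->setup_count       = p[35];
    t->function          = rd16(p + 36);
    if (p[-1] != 19 + t->setup_count) return -3;     /* WordCount must match SetupCount */

    size_t bytecount_off = SMB_HDR_LEN + 1 + NT_TRANS_WORDS + (size_t)t->setup_count * 2;
    if (bytecount_off + 2 > pkt_len) return -4;      /* Setup[] and ByteCount must be inside the packet */

    /* The bug class of CVE-2008-4834/4835: trusting client-supplied counts and offsets.
     * Compare by subtraction so that a huge offset cannot wrap the check. */
    if (t->param_count > t->total_param_count) return -5;
    if (t->param_offset > pkt_len || t->param_count > pkt_len - t->param_offset) return -6;
    if (t->data_offset  > pkt_len || t->data_count  > pkt_len - t->data_offset)  return -7;
    if (t->param_count > MAX_PARAMS) return -8;      /* destination bound, independent of the packet */

    memcpy(params, pkt + t->param_offset, t->param_count);
    *params_len = t->param_count;
    return 0;
}

/* Constructed request builder (SetupCount = 0, no Data block). The parameter
 * block is placed right after ByteCount; adv_count/adv_offset are what the
 * packet *claims* (0 = honest offset), so a test can lie the way a malicious
 * client would. Returns the packet length, or 0 if it does not fit in cap. */
size_t build_nt_trans(uint8_t *buf, size_t cap, const uint8_t *par, size_t plen,
                      uint32_t adv_count, uint32_t adv_offset)
{
    size_t bytecount_off = SMB_HDR_LEN + 1 + NT_TRANS_WORDS;
    size_t param_off = bytecount_off + 2, total = param_off + plen;
    if (total > cap) return 0;
    memset(buf, 0, total);
    memcpy(buf, "\xffSMB", 4);
    buf[4] = SMB_COM_NT_TRANSACT;
    buf[SMB_HDR_LEN] = 19;                           /* WordCount */
    uint8_t *p = buf + SMB_HDR_LEN + 1;
    wr32(p + 3,  adv_count);                         /* TotalParameterCount */
    wr32(p + 19, adv_count);                         /* ParameterCount */
    wr32(p + 23, adv_offset ? adv_offset : (uint32_t)param_off);
    wr16(buf + bytecount_off, (uint16_t)plen);
    memcpy(buf + param_off, par, plen);
    return total;
}
```

The two checks that matter are the subtraction form (`count > pkt_len - offset`) rather than `offset + count > pkt_len`, which a 32-bit offset near 0xFFFFFFFF would wrap past, and the separate bound on the destination buffer, because a count that fits the packet can still exceed what the server allocated for it.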

vulnerability note CVE-2009-0024

Linux kernel: privilege elevation via sys_remap_file_pages

Synthesis of the vulnerability

A local attacker can map a file in memory in order to create a denial of service and possibly to execute code.
Impacted products: Linux.
Severity: 2/4.
Consequences: administrator access/rights, denial of service on server.
Provenance: user shell.
Creation date: 13/01/2009.
Identifiers: BID-33211, CVE-2009-0024, VIGILANCE-VUL-8384.

Description of the vulnerability

The sys_remap_file_pages() function of mm/fremap.c implements the remap_file_pages() system call, which rearranges the pages of an existing file mapping.

The get_file() and fput() helpers atomically increment and decrement the reference count of an open file. sys_remap_file_pages() does not take such a reference around the mapping operation.

A local attacker can therefore use a mapped file to corrupt kernel memory, which leads to a denial of service or possibly to code execution.

vulnerability bulletin CVE-2009-0176 CVE-2009-0219

BlackBerry ES: memory corruptions via PDF

Synthesis of the vulnerability

Four vulnerabilities of PDF Distiller can be used by an attacker to create a denial of service or to execute code in BlackBerry Enterprise Server.
Impacted products: BES.
Severity: 3/4.
Consequences: user access/rights, denial of service on service.
Provenance: document.
Number of vulnerabilities in this bulletin: 4.
Creation date: 13/01/2009.
Revision date: 14/01/2009.
Identifiers: BID-33224, BID-33248, BID-33250, CVE-2009-0176, CVE-2009-0219, KB17118, KB17119, SDR 278003, SDR 278012, SDR 278031, SDR 278437, VIGILANCE-VUL-8383.

Description of the vulnerability

The BlackBerry Attachment Service handles attachments for BlackBerry Enterprise Server and BlackBerry Unite. Four malformed PDF documents can corrupt the memory of the PDF Distiller used by the BlackBerry Attachment Service.

A PDF document containing a large symbol width (symWidths) creates a heap overflow. [severity:3/4; CVE-2009-0176]

A PDF document containing malformed bitmap objects creates an overflow. [severity:3/4; BID-33248, CVE-2009-0176]

When a data stream in a PDF document is parsed, an uninitialized memory area can be used, which leads to a free of pointers controlled by the attacker, and then to code execution. [severity:3/4; BID-33250, CVE-2009-0219]

A malicious PDF document can trigger a fourth vulnerability, whose details were not published. [severity:3/4]

An attacker can therefore send a malicious PDF document via email in order to create a denial of service or to execute code. Note: these vulnerabilities are different from VIGILANCE-VUL-8382.

vulnerability announce CVE-2008-3246

BlackBerry ES: memory corruption via PDF

Synthesis of the vulnerability

A vulnerability of PDF Distiller can be used by an attacker to create a denial of service or to execute code in BlackBerry Enterprise Server.
Impacted products: BES.
Severity: 3/4.
Consequences: user access/rights, denial of service on service.
Provenance: document.
Creation date: 13/01/2009.
Identifiers: CVE-2008-3246, KB15766, KB15770, VIGILANCE-VUL-8382, VU#289235.

Description of the vulnerability

The BlackBerry Attachment Service handles attachments for BlackBerry Enterprise Server and BlackBerry Unite.

A malformed PDF document can corrupt the memory of PDF Distiller used in BlackBerry Attachment Service.

An attacker can therefore send a malicious PDF document via email in order to create a denial of service or to execute code.

Note: this vulnerability was first announced in July 2008. The VIGILANCE-VUL-8383 bulletin describes new variants.

vulnerability alert CVE-2008-4307

Linux kernel: denial of service via locks_remove_flock

Synthesis of the vulnerability

A local attacker can mount a NFS volume in order to stop the system.
Impacted products: Debian, Linux, RHEL, ESX, ESXi, VMware Server, vCenter Server, VirtualCenter.
Severity: 1/4.
Consequences: denial of service on server.
Provenance: user shell.
Creation date: 13/01/2009.
Identifiers: 456282, BID-33237, CVE-2008-4307, DSA-1787-1, DSA-1794-1, RHSA-2009:0451-02, RHSA-2009:0459-01, RHSA-2009:0473-01, VIGILANCE-VUL-8381, VMSA-2009-0016, VMSA-2009-0016.1, VMSA-2009-0016.2, VMSA-2009-0016.3, VMSA-2009-0016.4, VMSA-2009-0016.5.

Description of the vulnerability

Local users can be allowed to mount NFS volumes located on a remote server.

The do_setlk() function of fs/nfs/file.c sets a lock on an NFS file, and the locks_remove_flock() function removes file locks. When the two race in different threads, a consistency check fails and the kernel calls BUG(), which halts the system.

A local attacker can therefore mount a NFS volume, and then interrupt the access to a file, in order to stop the system.

vulnerability CVE-2009-0132

Solaris: denial of service via aio_suspend

Synthesis of the vulnerability

A local attacker can use the aio_suspend() function in order to stop the system.
Impacted products: OpenSolaris, Solaris, Trusted Solaris.
Severity: 1/4.
Consequences: denial of service on server.
Provenance: user shell.
Creation date: 12/01/2009.
Identifiers: 247986, 6748772, BID-33188, CVE-2009-0132, TKADV2009-001, VIGILANCE-VUL-8380.

Description of the vulnerability

The aio_suspend() function suspends execution of the calling thread until one of the listed asynchronous I/O requests completes or a timeout expires:
  aio_suspend(aiocb, nent, timeout);
It is implemented through the kaio system call (SYS_kaio), which reaches the aiosuspend() function of uts/common/os/aio.c.

In 32-bit mode, aiosuspend() multiplies "nent" by 4 (sizeof (caddr32_t)) to compute the size of a memory area to allocate, without checking that the product fits. If "nent" is 0x3FFFFFFF, the multiplication wraps around, the size that eventually reaches vmem_xalloc() is zero, and the kernel panics.

A local attacker can therefore use the aio_suspend() function in order to stop the system.
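The size computation described above, as an added C example (not Sun's aio.c and not the patched code). It reproduces the unchecked 32-bit multiplication and a hardened form that refuses any nent whose product cannot be represented. The page-rounding step is an assumption about how a wrapped 0xFFFFFFFC becomes a zero-byte request by the time vmem_xalloc() sees it; `NENT_MAX` is an assumed cap, not a Solaris constant, and `aiosuspend_path()` only simulates the outcome the bulletin describes.

```c
#include <stdint.h>

#define PAGESIZE   4096u
#define ELEM_SIZE  4u        /* sizeof (caddr32_t): one 32-bit aiocb pointer */
#define NENT_MAX   4096u     /* assumed sane cap on nent, not a Solaris constant */

enum { AIO_OK = 0, AIO_EINVAL = 22, AIO_PANIC = -1 };

/* As the bulletin describes: the byte count for nent entries is computed in
 * 32-bit arithmetic with no check that the product fits. 0x3FFFFFFF * 4 wraps. */
uint32_t aio_size_unchecked(uint32_t nent)
{
    return ELEM_SIZE * nent;
}

/* Assumed allocator step (illustrative of how a wrapped size becomes zero by
 * the time it reaches vmem_xalloc()): round the request up to whole pages,
 * which in 32-bit arithmetic turns 0xFFFFFFFC into 0. */
uint32_t round_up_to_page(uint32_t size)
{
    return (size + (PAGESIZE - 1)) & ~(PAGESIZE - 1);
}

/* Hardened version: reject nent values that are absurd for any caller or
 * whose product cannot be represented. Returns 0 for "refuse". */
uint32_t aio_size_checked(uint32_t nent)
{
    if (nent == 0 || nent > NENT_MAX) return 0;
    if (nent > UINT32_MAX / ELEM_SIZE) return 0;   /* multiplication would wrap */
    return ELEM_SIZE * nent;
}

/* Simulated aiosuspend() entry path: the outcome with and without the check. */
int aiosuspend_path(int nent, int hardened)
{
    if (nent <= 0) return AIO_EINVAL;
    uint32_t ssize = hardened ? aio_size_checked((uint32_t)nent)
                              : aio_size_unchecked((uint32_t)nent);
    if (hardened && ssize == 0) return AIO_EINVAL;
    if (round_up_to_page(ssize) == 0) return AIO_PANIC;   /* "vmem_xalloc(): size == 0" */
    return AIO_OK;
}
```

The `UINT32_MAX / ELEM_SIZE` test is the general guard for any `count * sizeof(element)` allocation; the cap on nent is what actually makes the syscall safe, since even a representable product of several gigabytes is not a request a kernel should honour from an unprivileged caller.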

computer vulnerability note CVE-2009-0050

Lasso: incorrect usage of OpenSSL DSA_verify

Synthesis of the vulnerability

The Lasso library incorrectly uses the DSA_verify() function of OpenSSL, which can be used by an attacker to bypass the signature check.
Impacted products: Debian, Unix (platform) ~ not comprehensive.
Severity: 3/4.
Consequences: data flow, disguisement.
Provenance: internet server.
Creation date: 12/01/2009.
Identifiers: CVE-2009-0050, DSA-1700-1, ocert-2008-016, VIGILANCE-VUL-8379.

Description of the vulnerability

The Lasso library implements Liberty Alliance standards related to identity management. Lasso is compiled with OpenSSL.

The DSA_verify() function returns:
 - 1 if the signature is valid
 - 0 if the signature is invalid
 - -1 if an unexpected error occurred (for example, a signature that cannot be decoded)

Only a return value of 1 may be treated as success. Instead of using:
  if (returnedvalue <= 0) error;
Lasso uses:
  if (returnedvalue == 0) error;
Unexpected errors (-1) are thus handled as valid signatures.

An attacker can therefore setup a malicious identity server using an invalid signature.

This vulnerability is similar to VIGILANCE-VUL-8371.
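The check described above, as an added C example (not Lasso's code). OpenSSL is not linked here, so `fake_dsa_verify()` is a constructed stand-in that honours the same 1/0/-1 contract as DSA_verify(), reporting any undecodable input as an error rather than as an invalid signature. `lasso_vulnerable_accepts()` reproduces the `== 0` test, `lasso_fixed_accepts()` the corrected one; the same convention, and the same fix, applies to OpenSSL's other verification entry points such as EVP_VerifyFinal().

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Stand-in for OpenSSL's DSA_verify(), with its tri-state contract:
 *   1 = signature valid, 0 = signature invalid, -1 = error (e.g. bad DER).
 * Constructed for the example: a "signature" is valid when it is exactly
 * SIG_LEN bytes, starts with a SEQUENCE tag (0x30) and equals the expected
 * value; wrong length or wrong tag is a decoding error, as a real DER parser
 * would report; same shape but different content is an invalid signature. */
#define SIG_LEN 8
static const uint8_t expected_sig[SIG_LEN] = { 0x30, 0x06, 0x02, 0x01, 0x2a, 0x02, 0x01, 0x07 };

int fake_dsa_verify(const uint8_t *sig, size_t siglen)
{
    if (sig == NULL || siglen != SIG_LEN || sig[0] != 0x30) return -1;   /* decoding error */
    return memcmp(sig, expected_sig, SIG_LEN) == 0 ? 1 : 0;
}

/* Lasso's check before DSA-1700-1 (CVE-2009-0050): only 0 is treated as an
 * error, so -1 falls through and is accepted as a valid signature. */
int lasso_vulnerable_accepts(const uint8_t *sig, size_t siglen)
{
    int rc = fake_dsa_verify(sig, siglen);
    if (rc == 0) return 0;      /* error path */
    return 1;                   /* "valid": reached for rc == 1 *and* rc == -1 */
}

/* Correct usage: success is exactly 1; anything <= 0 is a failure. */
int lasso_fixed_accepts(const uint8_t *sig, size_t siglen)
{
    int rc = fake_dsa_verify(sig, siglen);
    if (rc <= 0) return 0;
    return 1;
}
```

The attack surface is the -1 path: an identity server that sends a deliberately malformed signature never reaches the "invalid" branch, so the vulnerable check never rejects it. Auditing for this pattern means looking for `== 0` or `!= 0` on any OpenSSL verify call instead of `== 1`.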

computer vulnerability bulletin CVE-2008-4864 CVE-2008-5031

Python: several overflows

Synthesis of the vulnerability

Several overflows of Python can lead to a denial of service or to code execution.
Impacted products: Mandriva Linux, Mandriva NF, NLD, OES, openSUSE, Python, RHEL, SLES, ESX, ESXi, VMware Server, vCenter Server, VirtualCenter.
Severity: 2/4.
Consequences: user access/rights, denial of service on service.
Provenance: document.
Number of vulnerabilities in this bulletin: 4.
Creation date: 12/01/2009.
Identifiers: BID-33187, CESA-2008-008, CVE-2008-4864, CVE-2008-5031, MDVSA-2009:003, MDVSA-2009:036, RHSA-2009:1176-01, RHSA-2009:1177-01, RHSA-2009:1178-02, SUSE-SR:2009:001, VIGILANCE-VUL-8378, VMSA-2009-0016, VMSA-2009-0016.1, VMSA-2009-0016.2, VMSA-2009-0016.3, VMSA-2009-0016.4, VMSA-2009-0016.5.

Description of the vulnerability

An attacker can create a malicious Python program or supply crafted data in order to generate several overflows.

An attacker can generate an integer overflow in the audioop.ratecv() function. [severity:2/4]

An attacker can generate an integer overflow in the imageop.crop() function. [severity:2/4; CVE-2008-4864]

An attacker can generate an integer overflow via a large tabsize argument to the expandtabs() method of string and unicode objects, which is implemented in string_expandtabs() of Objects/stringobject.c and unicode_expandtabs() of Objects/unicodeobject.c. [severity:2/4; BID-33187, CVE-2008-5031]

An attacker can generate an integer overflow in the rgbimagemodule.c file. [severity:2/4]

These overflows can, depending on the context, lead to denials of service or to code execution.
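The expandtabs() length computation behind CVE-2008-5031, as an added C example (not CPython's code, though it follows the same two-counter accounting as string_expandtabs(): j is the column within the current line, i the length of the completed lines). The unchecked version lets a large tabsize wrap the running length, so a buffer allocated from it is far too small for the expansion that follows; the checked version refuses as soon as an accumulator stops growing, which is the idea behind the OverflowError CPython added. The sample strings are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Unchecked running length (the bug class): j += tabsize - (j % tabsize)
 * wraps when tabsize is close to SIZE_MAX, so the returned length is tiny
 * while the later copy still writes tabsize spaces. */
size_t expandtabs_len_unchecked(const char *s, size_t n, size_t tabsize)
{
    size_t i = 0, j = 0;
    for (size_t k = 0; k < n; k++) {
        if (s[k] == '\t') {
            if (tabsize > 0) j += tabsize - (j % tabsize);
        } else {
            j++;
            if (s[k] == '\n' || s[k] == '\r') { i += j; j = 0; }
        }
    }
    return i + j;   /* wrapped value on overflow */
}

/* Checked version: every step that grows i or j verifies that it really grew.
 * Returns 0 and stores the length, or -1 if the result is not representable. */
int expandtabs_len_checked(const char *s, size_t n, size_t tabsize, size_t *out)
{
    size_t i = 0, j = 0, prev;
    for (size_t k = 0; k < n; k++) {
        prev = j;
        if (s[k] == '\t') {
            if (tabsize > 0) j += tabsize - (j % tabsize);
        } else {
            j++;
        }
        if (j < prev) return -1;                 /* column wrapped */
        if (s[k] == '\n' || s[k] == '\r') {
            if (i > SIZE_MAX - j) return -1;     /* total would wrap */
            i += j;
            j = 0;
        }
    }
    if (i > SIZE_MAX - j) return -1;
    *out = i + j;
    return 0;
}

/* Writes the expansion into out, which must hold the length computed above.
 * With the unchecked length this memset is exactly where the heap overflow
 * happens: it writes tabsize spaces into a buffer sized from a wrapped count. */
void expandtabs_fill(const char *s, size_t n, size_t tabsize, char *out)
{
    size_t j = 0, o = 0;
    for (size_t k = 0; k < n; k++) {
        if (s[k] == '\t') {
            if (tabsize > 0) {
                size_t pad = tabsize - (j % tabsize);
                memset(out + o, ' ', pad);
                o += pad;
                j += pad;
            }
        } else {
            out[o++] = s[k];
            j++;
            if (s[k] == '\n' || s[k] == '\r') j = 0;
        }
    }
}
```

The check `j < prev` works because the addend `tabsize - (j % tabsize)` is always positive, so a result smaller than the previous value can only mean a wrap; the same monotonicity test covers the `i += j` line-total without needing to know tabsize at all.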
