The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of Juniper Junos Space Security Design

vulnerability announce CVE-2013-4316 CVE-2013-5860 CVE-2013-5881

MySQL: several vulnerabilities of January 2014

Synthesis of the vulnerability

Several vulnerabilities of MySQL were announced in January 2014.
Impacted products: Debian, BIG-IP Hardware, TMOS, Junos Space, MySQL Community, MySQL Enterprise, Solaris, Percona Server, RHEL, Slackware, SUSE Linux Enterprise Desktop, SLES, Ubuntu.
Severity: 3/4.
Consequences: privileged access/rights, user access/rights, data reading, data creation/edition, data deletion, denial of service on service, denial of service on client.
Provenance: user account.
Number of vulnerabilities in this bulletin: 19.
Creation date: 15/01/2014.
Identifiers: BID-64849, BID-64854, BID-64864, BID-64868, BID-64873, BID-64877, BID-64880, BID-64885, BID-64888, BID-64891, BID-64893, BID-64895, BID-64896, BID-64897, BID-64898, BID-64904, BID-64908, BID-65298, bulletinoct2015, CERTA-2014-AVI-033, CERTFR-2014-AVI-480, CERTFR-2015-AVI-431, CERTFR-2016-AVI-300, cpujan2014, CVE-2013-4316, CVE-2013-5860, CVE-2013-5881, CVE-2013-5882, CVE-2013-5891, CVE-2013-5894, CVE-2013-5908, CVE-2014-0001, CVE-2014-0386, CVE-2014-0393, CVE-2014-0401, CVE-2014-0402, CVE-2014-0412, CVE-2014-0420, CVE-2014-0427, CVE-2014-0430, CVE-2014-0431, CVE-2014-0433, CVE-2014-0437, DSA-2845-1, DSA-2848-1, DSA-2919-1, JSA10659, JSA10698, K16385, MDVSA-2014:028, MDVSA-2014:029, MDVSA-2015:091, RHSA-2014:0164-01, RHSA-2014:0173-01, RHSA-2014:0186-01, RHSA-2014:0189-01, SOL16385, SOL16389, SSA:2014-050-02, SUSE-SU-2014:0769-1, USN-2170-1, VIGILANCE-VUL-14092.

Description of the vulnerability

Several vulnerabilities were announced in MySQL.

An attacker can use a vulnerability of MySQL Enterprise Monitor, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; CVE-2013-4316]

An attacker can use a vulnerability of GIS, in order to trigger a denial of service. [severity:3/4; BID-64864, CVE-2013-5860]

An attacker can use a vulnerability of Stored Procedure, in order to trigger a denial of service. [severity:3/4; BID-64854, CVE-2013-5882]

An attacker can use a vulnerability of Thread Pooling, in order to alter information. [severity:2/4; BID-64895, CVE-2014-0433]

An attacker can use a vulnerability of InnoDB, in order to trigger a denial of service. [severity:2/4; BID-64873, CVE-2013-5894]

An attacker can use a vulnerability of InnoDB, in order to trigger a denial of service. [severity:2/4; BID-64885, CVE-2013-5881]

An attacker can use a vulnerability of InnoDB, in order to trigger a denial of service. [severity:2/4; BID-64880, CVE-2014-0412]

An attacker can use a vulnerability of Locking, in order to trigger a denial of service. [severity:2/4; BID-64908, CVE-2014-0402]

An attacker can use a vulnerability of Optimizer, in order to trigger a denial of service. [severity:2/4; BID-64904, CVE-2014-0386]

An attacker can use a vulnerability of Partition, in order to trigger a denial of service. [severity:2/4; BID-64891, CVE-2013-5891]

An attacker can use a vulnerability of Privileges, in order to trigger a denial of service. [severity:2/4; BID-64898, CVE-2014-0401]

An attacker can use a vulnerability of FTS, in order to trigger a denial of service. [severity:2/4; BID-64868, CVE-2014-0427]

An attacker can use a vulnerability of InnoDB, in order to trigger a denial of service. [severity:2/4; BID-64897, CVE-2014-0431]

An attacker can use a vulnerability of Optimizer, in order to trigger a denial of service. [severity:2/4; BID-64849, CVE-2014-0437]

An attacker can use a vulnerability of InnoDB, in order to alter information. [severity:2/4; BID-64877, CVE-2014-0393]

An attacker can use a vulnerability of Performance Schema, in order to trigger a denial of service. [severity:1/4; BID-64893, CVE-2014-0430]

An attacker can use a vulnerability of Replication, in order to trigger a denial of service. [severity:1/4; BID-64888, CVE-2014-0420]

An attacker can use a vulnerability of Error Handling, in order to trigger a denial of service. [severity:1/4; BID-64896, CVE-2013-5908]

An attacker can generate a buffer overflow in client/mysql.cc, in order to trigger a denial of service, and possibly to execute code. [severity:2/4; BID-65298, CVE-2014-0001]
Full Vigil@nce bulletin... (Free trial)

computer vulnerability announce CVE-2013-5870 CVE-2013-5878 CVE-2013-5884

Oracle Java: multiple vulnerabilities of January 2014

Synthesis of the vulnerability

An attacker can use several vulnerabilities of Oracle Java.
Impacted products: Avamar, BIG-IP Hardware, TMOS, Fedora, HP-UX, AIX, Domino, Notes, IRAD, Tivoli System Automation, WebSphere AS Traditional, WebSphere MQ, Junos Space, Java OpenJDK, openSUSE, Java Oracle, JavaFX, RHEL, SUSE Linux Enterprise Desktop, SLES, Ubuntu, Unix (platform) ~ not comprehensive.
Severity: 3/4.
Consequences: user access/rights, data reading, data creation/edition, denial of service on service, denial of service on client.
Provenance: document.
Number of vulnerabilities in this bulletin: 36.
Creation date: 15/01/2014.
Identifiers: 1663938, 1670264, 1671242, 1671245, 1674922, 1675938, 1679983, 4006386, 7014224, BID-64863, BID-64875, BID-64882, BID-64890, BID-64894, BID-64899, BID-64901, BID-64903, BID-64906, BID-64907, BID-64910, BID-64912, BID-64914, BID-64915, BID-64916, BID-64917, BID-64918, BID-64919, BID-64920, BID-64921, BID-64922, BID-64923, BID-64924, BID-64925, BID-64926, BID-64927, BID-64928, BID-64929, BID-64930, BID-64931, BID-64932, BID-64933, BID-64934, BID-64935, BID-64936, BID-64937, c04166777, c04166778, CERTA-2014-AVI-030, CERTFR-2014-AVI-199, CERTFR-2014-AVI-480, CERTFR-2016-AVI-300, cpujan2014, CVE-2013-5870, CVE-2013-5878, CVE-2013-5884, CVE-2013-5887, CVE-2013-5888, CVE-2013-5889, CVE-2013-5893, CVE-2013-5895, CVE-2013-5896, CVE-2013-5898, CVE-2013-5899, CVE-2013-5902, CVE-2013-5904, CVE-2013-5905, CVE-2013-5906, CVE-2013-5907, CVE-2013-5910, CVE-2014-0368, CVE-2014-0373, CVE-2014-0375, CVE-2014-0376, CVE-2014-0382, CVE-2014-0385, CVE-2014-0387, CVE-2014-0403, CVE-2014-0408, CVE-2014-0410, CVE-2014-0411, CVE-2014-0415, CVE-2014-0416, CVE-2014-0417, CVE-2014-0418, CVE-2014-0422, CVE-2014-0423, CVE-2014-0424, CVE-2014-0428, ESA-2014-002, FEDORA-2014-0885, FEDORA-2014-0945, FEDORA-2014-1048, FEDORA-2014-2071, FEDORA-2014-2088, HPSBUX02972, HPSBUX02973, JSA10659, MDVSA-2014:011, openSUSE-SU-2014:0174-1, openSUSE-SU-2014:0177-1, openSUSE-SU-2014:0180-1, RHSA-2014:0026-01, RHSA-2014:0027-01, RHSA-2014:0030-01, RHSA-2014:0097-01, RHSA-2014:0134-01, RHSA-2014:0135-01, RHSA-2014:0136-01, RHSA-2014:0982-01, SOL17381, SSRT101454, SSRT101455, SUSE-SU-2014:0246-1, SUSE-SU-2014:0266-1, SUSE-SU-2014:0266-2, SUSE-SU-2014:0266-3, SUSE-SU-2014:0451-1, USN-2124-1, USN-2124-2, VIGILANCE-VUL-14087, ZDI-14-013, ZDI-14-038.

Description of the vulnerability

Several vulnerabilities were announced in Oracle Java.

An attacker can use a vulnerability of Deployment, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; BID-64915, CVE-2014-0410]

An attacker can use a vulnerability of Deployment, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; BID-64899, CVE-2014-0415]

An attacker can use a vulnerability of 2D TTF Font Parsing, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; BID-64894, CVE-2013-5907, ZDI-14-013, ZDI-14-038]

An attacker can use a vulnerability of CORBA, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; BID-64935, CVE-2014-0428]

An attacker can use a vulnerability of JNDI, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; BID-64921, CVE-2014-0422]

An attacker can use a vulnerability of Install, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; BID-64901, CVE-2014-0385]

An attacker can use a vulnerability of Deployment, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; BID-64931, CVE-2013-5889]

An attacker can use a vulnerability of Hotspot, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; BID-64910, CVE-2014-0408]

An attacker can use a vulnerability of Libraries, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; BID-64863, CVE-2013-5893]

An attacker can use a vulnerability of 2D, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; BID-64932, CVE-2014-0417]

An attacker can use a vulnerability of Deployment, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; BID-64882, CVE-2014-0387]

An attacker can use a vulnerability of Deployment, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; BID-64919, CVE-2014-0424]

An attacker can use a vulnerability of Serviceability, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; BID-64922, CVE-2014-0373]

An attacker can use a vulnerability of Security, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; BID-64927, CVE-2013-5878]

An attacker can use a vulnerability of Deployment, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; BID-64890, CVE-2013-5904]

An attacker can use a vulnerability of JavaFX, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; BID-64929, CVE-2013-5870]

An attacker can use a vulnerability of Deployment, in order to obtain or alter information. [severity:2/4; BID-64920, CVE-2014-0403]

An attacker can use a vulnerability of Deployment, in order to obtain or alter information. [severity:2/4; BID-64916, CVE-2014-0375]

An attacker can use a vulnerability of Beans, in order to obtain information, or to trigger a denial of service. [severity:2/4; BID-64914, CVE-2014-0423]

An attacker can use a vulnerability of Install, in order to obtain information, to alter information, or to trigger a denial of service. [severity:2/4; BID-64934, CVE-2013-5905]

An attacker can use a vulnerability of Install, in order to obtain information, to alter information, or to trigger a denial of service. [severity:2/4; BID-64903, CVE-2013-5906]

An attacker can use a vulnerability of Deployment, in order to obtain information, to alter information, or to trigger a denial of service. [severity:2/4; BID-64923, CVE-2013-5902]

An attacker can use a vulnerability of Deployment, in order to obtain information, to alter information, or to trigger a denial of service. [severity:2/4; BID-64917, CVE-2014-0418]

An attacker can use a vulnerability of Deployment, in order to trigger a denial of service. [severity:2/4; BID-64875, CVE-2013-5887]

An attacker can use a vulnerability of Deployment, in order to obtain information. [severity:2/4; BID-64928, CVE-2013-5899]

An attacker can use a vulnerability of CORBA, in order to trigger a denial of service. [severity:2/4; BID-64926, CVE-2013-5896]

An attacker can use a vulnerability of CORBA, in order to obtain information. [severity:2/4; BID-64924, CVE-2013-5884]

An attacker can use a vulnerability of JAAS, in order to alter information. [severity:2/4; BID-64937, CVE-2014-0416]

An attacker can use a vulnerability of JAXP, in order to alter information. [severity:2/4; BID-64907, CVE-2014-0376]

An attacker can use a vulnerability of Networking, in order to obtain information. [severity:2/4; BID-64930, CVE-2014-0368]

An attacker can use a vulnerability of Security, in order to alter information. [severity:2/4; BID-64933, CVE-2013-5910]

An attacker can use a vulnerability of JavaFX, in order to obtain information. [severity:2/4; BID-64906, CVE-2013-5895]

An attacker can use a vulnerability of Deployment, in order to obtain information, to alter information, or to trigger a denial of service. [severity:2/4; BID-64925, CVE-2013-5888]

An attacker can use a vulnerability of JavaFX, in order to trigger a denial of service. [severity:2/4; BID-64936, CVE-2014-0382]

An attacker can use a vulnerability of Deployment, in order to obtain or alter information. [severity:2/4; BID-64912, CVE-2013-5898]

An attacker can use a vulnerability of JSSE, in order to obtain or alter information. [severity:2/4; BID-64918, CVE-2014-0411]
Full Vigil@nce bulletin... (Free trial)

computer vulnerability note CVE-2013-1741 CVE-2013-2566 CVE-2013-5605

NSS: multiple vulnerabilities

Synthesis of the vulnerability

An attacker can use several vulnerabilities of NSS.
Impacted products: Debian, Fedora, Junos Space, Juniper SBR, Firefox, NSS, SeaMonkey, Thunderbird, openSUSE, Oracle Communications, Oracle Directory Server, Oracle Directory Services Plus, Oracle Fusion Middleware, Oracle GlassFish Server, Oracle Identity Management, Oracle iPlanet Web Server, Oracle OIT, Solaris, Oracle Virtual Directory, WebLogic, Oracle Web Tier, RHEL, Slackware, SUSE Linux Enterprise Desktop, SLES.
Severity: 3/4.
Consequences: user access/rights, data reading, data creation/edition, data flow, denial of service on service, denial of service on client.
Provenance: document.
Number of vulnerabilities in this bulletin: 4.
Creation date: 18/11/2013.
Revision date: 19/11/2013.
Identifiers: BID-58796, BID-63736, BID-63737, BID-63738, CERTA-2013-AVI-642, CERTFR-2014-AVI-318, CERTFR-2017-AVI-012, CERTFR-2019-AVI-325, cpuapr2017, cpujul2014, cpuoct2016, cpuoct2017, CVE-2013-1741, CVE-2013-2566, CVE-2013-5605, CVE-2013-5606, DSA-2800-1, DSA-2994-1, DSA-3071-1, FEDORA-2013-22456, FEDORA-2013-22467, FEDORA-2013-23301, FEDORA-2013-23479, JSA10770, JSA10939, MFSA 2013-103, openSUSE-SU-2013:1730-1, openSUSE-SU-2013:1732-1, RHSA-2013:1791-01, RHSA-2013:1829-01, RHSA-2013:1840-01, RHSA-2013:1841-01, RHSA-2014:0041-01, SSA:2013-339-01, SSA:2013-339-02, SSA:2013-339-03, SUSE-SU-2013:1807-1, VIGILANCE-VUL-13789.

Description of the vulnerability

Several vulnerabilities were announced in NSS.

On a 64 bit computer, an attacker can generate the initialization of a large memory area, in order to trigger a denial of service. [severity:1/4; BID-63736, CVE-2013-1741]

An attacker can generate a buffer overflow in Null Cipher, in order to trigger a denial of service, and possibly to execute code. [severity:3/4; BID-63738, CVE-2013-5605]

When verifyLog is used, the return code of CERT_VerifyCert() is incorrect, so an invalid certificate may be accepted. [severity:2/4; BID-63737, CVE-2013-5606]

When an attacker has 2^30 RC4 encrypted messages with different keys, he can guess the clear text message (VIGILANCE-VUL-12530). [severity:1/4; BID-58796, CVE-2013-2566]
Full Vigil@nce bulletin... (Free trial)

computer vulnerability alert CVE-2012-2750 CVE-2013-2251 CVE-2013-3839

MySQL: several vulnerabilities of October 2013

Synthesis of the vulnerability

Several vulnerabilities of MySQL are fixed by the CPU of October 2013.
Impacted products: Debian, Fedora, Junos Space, Junos Space Network Management Platform, MySQL Community, MySQL Enterprise, Solaris, Percona Server, RHEL.
Severity: 3/4.
Consequences: user access/rights, data reading, data creation/edition, data deletion, denial of service on service.
Provenance: user account.
Number of vulnerabilities in this bulletin: 8.
Creation date: 16/10/2013.
Identifiers: BID-63105, BID-63107, BID-63109, BID-63113, BID-63116, BID-63119, BID-63125, bulletinoct2015, CERTA-2013-AVI-589, cpuoct2013, CVE-2012-2750, CVE-2013-2251, CVE-2013-3839, CVE-2013-5767, CVE-2013-5770, CVE-2013-5786, CVE-2013-5793, CVE-2013-5807, DSA-2780-1, DSA-2818-1, FEDORA-2013-19648, FEDORA-2013-19654, MDVSA-2013:250, RHSA-2014:0173-01, RHSA-2014:0186-01, RHSA-2014:0189-01, VIGILANCE-VUL-13606.

Description of the vulnerability

A Critical Patch Update fixes several vulnerabilities of MySQL.

An attacker can use a vulnerability of Service Manager, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; CVE-2013-2251]

An attacker can use a vulnerability of Replication, in order to obtain or alter information. [severity:2/4; BID-63105, CVE-2013-5807]

An attacker can use a vulnerability of InnoDB, in order to trigger a denial of service. [severity:2/4; BID-63107, CVE-2013-5786]

An attacker can use a vulnerability of Optimizer, in order to trigger a denial of service. [severity:2/4; BID-63125, CVE-2012-2750]

An attacker can use a vulnerability of Optimizer, in order to trigger a denial of service. [severity:2/4; BID-63109, CVE-2013-3839]

An attacker can use a vulnerability of Optimizer, in order to trigger a denial of service. [severity:2/4; BID-63113, CVE-2013-5767]

An attacker can use a vulnerability of InnoDB, in order to trigger a denial of service. [severity:2/4; BID-63116, CVE-2013-5793]

An attacker can use a vulnerability of Locking, in order to trigger a denial of service. [severity:1/4; BID-63119, CVE-2013-5770]
Full Vigil@nce bulletin... (Free trial)

computer vulnerability CVE-2013-5095 CVE-2013-5096 CVE-2013-5097

Junos Space: multiple vulnerabilities

Synthesis of the vulnerability

An attacker can use several vulnerabilities of Junos Space.
Impacted products: Junos Space, Junos Space Network Management Platform.
Severity: 2/4.
Consequences: administrator access/rights, privileged access/rights, user access/rights, client access/rights, data reading.
Provenance: document.
Number of vulnerabilities in this bulletin: 3.
Creation date: 19/08/2013.
Identifiers: BID-61791, BID-61794, BID-61795, CERTA-2013-AVI-508, CVE-2013-5095, CVE-2013-5096, CVE-2013-5097, JSA10585, PR 863804, PR 879462, PR 884469, VIGILANCE-VUL-13285.

Description of the vulnerability

Several vulnerabilities were announced in Junos Space.

An attacker can trigger a Cross Site Scripting, in order to execute JavaScript code in the context of the web site. [severity:2/4; BID-61791, CVE-2013-5095, PR 884469]

An attacker with read-only privileges can edit the configuration. [severity:2/4; BID-61794, CVE-2013-5096, PR 863804]

An attacker can obtain password hashes, and then use a brute force attack to retrieve them. [severity:2/4; BID-61795, CVE-2013-5097, PR 879462]
Full Vigil@nce bulletin... (Free trial)

vulnerability alert CVE-2013-2249

Apache HTTP Server: vulnerability of mod_session_dbd

Synthesis of the vulnerability

A vulnerability was announced in the mod_session_dbd module of Apache HTTP Server.
Impacted products: Apache httpd, Fedora, Junos Space, Slackware.
Severity: 2/4.
Consequences: unknown consequence, administrator access/rights, privileged access/rights, user access/rights, client access/rights, data reading, data creation/edition, data deletion, data flow, denial of service on server, denial of service on service, denial of service on client, disguisement.
Provenance: document.
Creation date: 22/07/2013.
Identifiers: BID-61379, CERTA-2013-AVI-435, CERTFR-2015-AVI-431, CERTFR-2016-AVI-300, CVE-2013-2249, FEDORA-2013-13922, FEDORA-2013-13994, JSA10698, SSA:2013-218-02, VIGILANCE-VUL-13151.

Description of the vulnerability

The mod_session_dbd module is used to store HTTP sessions in a database.

However, this module does not correctly process changed data ("dirty flag").
Full Vigil@nce bulletin... (Free trial)

vulnerability announce CVE-2013-1861 CVE-2013-3783 CVE-2013-3793

MySQL: several vulnerabilities of July 2013

Synthesis of the vulnerability

Several vulnerabilities of MySQL are fixed by the CPU of July 2013.
Impacted products: Debian, Junos Space, Junos Space Network Management Platform, MySQL Community, MySQL Enterprise, openSUSE, Solaris, Percona Server, SUSE Linux Enterprise Desktop, SLES.
Severity: 2/4.
Consequences: user access/rights, data reading, data creation/edition, data deletion, denial of service on service.
Provenance: intranet client.
Number of vulnerabilities in this bulletin: 18.
Creation date: 17/07/2013.
Identifiers: BID-58511, BID-61210, BID-61214, BID-61222, BID-61227, BID-61233, BID-61235, BID-61238, BID-61244, BID-61249, BID-61252, BID-61256, BID-61260, BID-61264, BID-61269, BID-61272, BID-61274, bulletinoct2015, CERTA-2013-AVI-419, CERTA-2013-AVI-543, cpujuly2013, CVE-2013-1861, CVE-2013-3783, CVE-2013-3793, CVE-2013-3794, CVE-2013-3795, CVE-2013-3796, CVE-2013-3798, CVE-2013-3801, CVE-2013-3802, CVE-2013-3804, CVE-2013-3805, CVE-2013-3806, CVE-2013-3807, CVE-2013-3808, CVE-2013-3809, CVE-2013-3810, CVE-2013-3811, CVE-2013-3812, DSA-2818-1, JSA10601, MDVSA-2013:197, openSUSE-SU-2013:1335-1, openSUSE-SU-2013:1410-1, SUSE-SU-2013:1390-1, SUSE-SU-2013:1529-1, VIGILANCE-VUL-13132.

Description of the vulnerability

A Critical Patch Update fixes several vulnerabilities of MySQL.

An authenticated attacker can use a geometry query, in order to stop MySQL (VIGILANCE-VUL-12529). [severity:2/4; BID-58511, CVE-2013-1861]

An attacker can use a vulnerability of MemCached, in order to alter information, or to trigger a denial of service. [severity:2/4; BID-61274, CVE-2013-3798]

An attacker can use a vulnerability of Audit Log, in order to alter information. [severity:2/4; BID-61272, CVE-2013-3809]

An attacker can use a vulnerability of Data Manipulation Language, in order to trigger a denial of service. [severity:2/4; BID-61264, CVE-2013-3793]

An attacker can use a vulnerability of Data Manipulation Language, in order to trigger a denial of service. [severity:2/4; BID-61238, CVE-2013-3795]

An attacker can use a vulnerability of Full Text Search, in order to trigger a denial of service. [severity:2/4; BID-61244, CVE-2013-3802]

An attacker can use a vulnerability of InnoDB, in order to trigger a denial of service. [severity:2/4; BID-61235, CVE-2013-3806]

An attacker can use a vulnerability of Prepared Statements, in order to trigger a denial of service. [severity:2/4; BID-61256, CVE-2013-3805]

An attacker can use a vulnerability of Server Optimizer, in order to trigger a denial of service. [severity:2/4; BID-61260, CVE-2013-3804]

An attacker can use a vulnerability of Server Optimizer, in order to trigger a denial of service. [severity:2/4; BID-61233, CVE-2013-3796]

An attacker can use a vulnerability of Server Options, in order to trigger a denial of service. [severity:2/4; BID-61227, CVE-2013-3808]

An attacker can use a vulnerability of Server Options, in order to trigger a denial of service. [severity:2/4; BID-61269, CVE-2013-3801]

An attacker can use a vulnerability of Server Parser, in order to trigger a denial of service. [severity:2/4; BID-61210, CVE-2013-3783]

An attacker can use a vulnerability of Server Partition, in order to trigger a denial of service. [severity:2/4; BID-61222, CVE-2013-3794]

An attacker can use a vulnerability of Server Privileges, in order to obtain or alter information. [severity:2/4; BID-61238, CVE-2013-3807]

An attacker can use a vulnerability of InnoDB, in order to trigger a denial of service. [severity:2/4; BID-61252, CVE-2013-3811]

An attacker can use a vulnerability of Server Replication, in order to trigger a denial of service. [severity:2/4; BID-61249, CVE-2013-3812]

An attacker can use a vulnerability of XA Transactions, in order to trigger a denial of service. [severity:2/4; BID-61214, CVE-2013-3810]
Full Vigil@nce bulletin... (Free trial)

computer vulnerability announce CVE-2013-1896

Apache HTTP Server: denial of service via mod_dav

Synthesis of the vulnerability

An attacker can send a MERGE query for mod_dav of Apache HTTP Server, in order to trigger a denial of service.
Impacted products: Apache httpd, Fedora, HP-UX, Junos Space, Junos Space Network Management Platform, NSMXpress, openSUSE, Solaris, RHEL, JBoss EAP by Red Hat, Slackware, SLES.
Severity: 2/4.
Consequences: denial of service on service.
Provenance: intranet client.
Creation date: 15/07/2013.
Identifiers: BID-61129, c03922406, CERTA-2013-AVI-435, CERTA-2013-AVI-543, CERTA-2013-AVI-590, CERTFR-2014-AVI-112, CERTFR-2014-AVI-244, CERTFR-2015-AVI-286, CVE-2013-1896, FEDORA-2013-13922, FEDORA-2013-13994, HPSBUX02927, JSA10685, MDVSA-2013:193, openSUSE-SU-2013:1337-1, openSUSE-SU-2013:1340-1, openSUSE-SU-2013:1341-1, openSUSE-SU-2014:1647-1, RHSA-2013:1133-01, RHSA-2013:1134-01, RHSA-2013:1156-01, RHSA-2013:1207-01, RHSA-2013:1208-01, RHSA-2013:1209-01, SSA:2013-218-02, SSRT101288, SUSE-SU-2014:1082-1, VIGILANCE-VUL-13117.

Description of the vulnerability

The mod_dav (DAV, Distributed Authoring and Versioning) module can be installed in Apache HTTP Server.

The MERGE command of mod_dav_svn applies differences between two Subversion information sources. However, if this command indicates an URI which is not configured for DAV, a segmentation fault occurs in mod_dav.

An attacker can therefore send a MERGE query for mod_dav of Apache HTTP Server, in order to trigger a denial of service.
Full Vigil@nce bulletin... (Free trial)

vulnerability CVE-2013-1862

Apache httpd 2.2: character injection via mod_rewrite

Synthesis of the vulnerability

An attacker can use special characters, which are not filtered by mod_rewrite of Apache httpd 2.2, in order to inject them in the log file.
Impacted products: Apache httpd, BIG-IP Hardware, TMOS, HP-UX, Junos Space, Junos Space Network Management Platform, NSMXpress, openSUSE, Solaris, RHEL, JBoss EAP by Red Hat, SLES.
Severity: 2/4.
Consequences: data creation/edition.
Provenance: internet client.
Creation date: 14/05/2013.
Identifiers: BID-59826, c03922406, CERTA-2013-AVI-332, CERTA-2013-AVI-543, CERTA-2013-AVI-590, CERTFR-2014-AVI-112, CERTFR-2014-AVI-244, CERTFR-2014-AVI-502, CERTFR-2015-AVI-286, CVE-2013-1862, HPSBUX02927, JSA10685, MDVSA-2013:174, openSUSE-SU-2013:1337-1, openSUSE-SU-2013:1340-1, openSUSE-SU-2013:1341-1, openSUSE-SU-2014:1647-1, RHSA-2013:0815-01, RHSA-2013:1133-01, RHSA-2013:1134-01, RHSA-2013:1207-01, RHSA-2013:1208-01, RHSA-2013:1209-01, SOL15877, SSRT101288, SUSE-SU-2014:1082-1, VIGILANCE-VUL-12790.

Description of the vulnerability

The mod_rewrite module of Apache httpd is used to edit queries. The RewriteLog directive of Apache 2.2 indicates the filename where to log performed modifications.

However, special characters contained in the client name, the username and the free text are not filtered.

An attacker can therefore use special characters, which are not filtered by mod_rewrite of Apache httpd 2.2, in order to inject them in the log file.

If the attacker injects ANSI escape sequences, they are then interpreted when the administrator displays log files in a shell terminal.
Full Vigil@nce bulletin... (Free trial)

computer vulnerability CVE-2013-3497

Junos Space: password reading via the Web Interface

Synthesis of the vulnerability

An attacker, who can read administrator's screen, can see the password displayed on the Junos Space Web Interface, in order to authenticate on the product.
Impacted products: Junos Space, Junos Space Network Management Platform.
Severity: 2/4.
Consequences: administrator access/rights, privileged access/rights.
Provenance: user console.
Creation date: 13/05/2013.
Identifiers: BID-59760, CVE-2013-3497, KB27374, PSN-2013-05-939, VIGILANCE-VUL-12775.

Description of the vulnerability

The Junos Space Web Interface allows the administrator to edit and to display the configuration.

However, some passwords are directly displayed on the screen, without being hidden by asterisks.

An attacker, who can read administrator's screen, can therefore see the password displayed on the Junos Space Web Interface, in order to authenticate on the product.
Full Vigil@nce bulletin... (Free trial)
Our database contains other pages. You can request a free trial to read them.

Display information about Juniper Junos Space Security Design: