The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of QRadar SIEM

vulnerability note CVE-2015-4852 CVE-2015-6420 CVE-2015-6934

Apache Commons Collections: code execution via InvokerTransformer

Synthesis of the vulnerability

An attacker can send a malicious serialized Gadget Chain object to a Java application using Apache Commons Collections, in order to run shell code.
Impacted products: CAS Server, Blue Coat CAS, SGOS by Blue Coat, Brocade Network Advisor, Brocade vTM, ASA, AsyncOS, Cisco ESA, Cisco Prime Access Registrar, Prime Infrastructure, Cisco Prime LMS, Cisco PRSM, Secure ACS, Cisco CUCM, Cisco Unified CCX, Cisco MeetingPlace, Cisco Unity ~ precise, Debian, BIG-IP Hardware, TMOS, HPE BSM, HPE NNMi, HP Operations, DB2 UDB, IRAD, QRadar SIEM, SPSS Modeler, Tivoli Storage Manager, Tivoli Workload Scheduler, WebSphere AS Traditional, JBoss AS OpenSource, Junos Space, Domino, Notes, ePO, Mule ESB, Snap Creator Framework, SnapManager, NetIQ Sentinel, Oracle Communications, Oracle Directory Server, Oracle Directory Services Plus, Oracle Fusion Middleware, Oracle GlassFish Server, Oracle Identity Management, Oracle iPlanet Web Proxy Server, Oracle iPlanet Web Server, Oracle OIT, Solaris, Tuxedo, Oracle Virtual Directory, WebLogic, Oracle Web Tier, RHEL, JBoss EAP by Red Hat, SAS Add-in for Microsoft Office, SAS Analytics Pro, Base SAS Software, SAS Enterprise BI Server, SAS Enterprise Guide, SAS Grid Manager, SAS Management Console, SAS OLAP Server, SAS SAS/ACCESS, SAS SAS/AF, SAS SAS/CONNECT, SAS SAS/EIS, SAS SAS/ETS, SAS SAS/FSP, SAS SAS/GRAPH, SAS SAS/IML, SAS SAS/OR, SAS SAS/STAT, SAS SAS/Web Report Studio, Unix (platform) ~ not comprehensive, vCenter Server.
Severity: 3/4.
Creation date: 12/11/2015.
Identifiers: 1610582, 1970575, 1971370, 1971531, 1971533, 1971751, 1972261, 1972373, 1972565, 1972794, 1972839, 2011281, 7014463, 7022958, 9010052, BSA-2016-004, bulletinjul2016, c04953244, c05050545, c05206507, c05325823, c05327447, CERTFR-2015-AVI-484, CERTFR-2015-AVI-555, cisco-sa-20151209-java-deserialization, COLLECTIONS-580, cpuapr2017, cpuapr2018, cpujan2017, cpujan2018, cpujul2017, cpuoct2016, cpuoct2017, CVE-2015-4852, CVE-2015-6420, CVE-2015-6934, CVE-2015-7420-ERROR, CVE-2015-7450, CVE-2015-7501, CVE-2015-8545, CVE-2015-8765, CVE-2016-1985, CVE-2016-1997, CVE-2016-4373, CVE-2016-4398, DSA-3403-1, HPSBGN03542, HPSBGN03560, HPSBGN03630, HPSBGN03656, HPSBGN03670, JSA10838, NTAP-20151123-0001, RHSA-2015:2500-01, RHSA-2015:2501-01, RHSA-2015:2502-01, RHSA-2015:2516-01, RHSA-2015:2517-01, RHSA-2015:2521-01, RHSA-2015:2522-01, RHSA-2015:2523-01, RHSA-2015:2524-01, RHSA-2015:2534-01, RHSA-2015:2535-01, RHSA-2015:2536-01, RHSA-2015:2537-01, RHSA-2015:2538-01, RHSA-2015:2539-01, RHSA-2015:2540-01, RHSA-2015:2541-01, RHSA-2015:2542-01, RHSA-2015:2547-01, RHSA-2015:2548-01, RHSA-2015:2556-01, RHSA-2015:2557-01, RHSA-2015:2559-01, RHSA-2015:2560-01, RHSA-2015:2578-01, RHSA-2015:2579-01, RHSA-2015:2670-01, RHSA-2015:2671-01, RHSA-2016:0040-01, RHSA-2016:0118-01, SA110, SB10144, SOL30518307, VIGILANCE-VUL-18294, VMSA-2015-0009, VMSA-2015-0009.1, VMSA-2015-0009.2, VMSA-2015-0009.3, VMSA-2015-0009.4, VU#576313.

Description of the vulnerability

The Apache Commons Collections library is used by several Java applications.

A Java "gadget chain" object can contain Transformers, including an "exec" string holding a shell command that is run through the java.lang.Runtime.exec() method. When raw data is deserialized, the readObject() method is called to rebuild the gadget object, and it uses InvokerTransformer, which runs the indicated shell command.

It can be noted that other classes (CloneTransformer, ForClosure, InstantiateFactory, InstantiateTransformer, PrototypeCloneFactory, PrototypeSerializationFactory, WhileClosure) can also be used to execute a shell command from raw data during deserialization.

However, several applications publicly expose the Java deserialization feature before authentication.

An attacker can therefore send a malicious serialized Gadget Chain object to a Java application using Apache Commons Collections, in order to run shell code.
Complete Vigil@nce bulletin.... (Free trial)

vulnerability bulletin CVE-2015-5262

Apache HttpComponents HttpClient: denial of service via Timeout

Synthesis of the vulnerability

An attacker who controls a malicious server can stop responding, in order to block clients using Apache HttpComponents HttpClient and thus trigger a denial of service.
Impacted products: Apache HttpClient, Fedora, QRadar SIEM, Mule ESB, Ubuntu.
Severity: 2/4.
Creation date: 02/10/2015.
Identifiers: 1259892, 2015815, CVE-2015-5262, FEDORA-2015-15588, FEDORA-2015-15589, USN-2769-1, VIGILANCE-VUL-18023.

Description of the vulnerability

The Apache HttpComponents HttpClient product implements a web client.

However, no timeout is applied while the client is in the connection state to a server.

An attacker who controls a malicious server can therefore stop responding, in order to block clients using Apache HttpComponents HttpClient and thus trigger a denial of service.

computer vulnerability announce CVE-2015-0176 CVE-2015-0189

WebSphere MQ 7.5: four vulnerabilities

Synthesis of the vulnerability

An attacker can use several vulnerabilities of WebSphere MQ.
Impacted products: QRadar SIEM, WebSphere MQ.
Severity: 2/4.
Creation date: 20/05/2015.
Identifiers: 1699549, 2015824, 7038184, CVE-2015-0176, CVE-2015-0189, IT03667, IT03865, IT05513, IT05869, VIGILANCE-VUL-16947.

Description of the vulnerability

Several vulnerabilities were announced in WebSphere MQ.

An unknown vulnerability was announced. [severity:2/4; IT03667]

An attacker can trigger a Cross Site Scripting, in order to execute JavaScript code in the context of the web site. [severity:2/4; 1699549, CVE-2015-0176, IT03865]

An unknown vulnerability was announced about mqtt which generates XR028002 and XR071003. [severity:2/4; IT05513]

An unknown vulnerability was announced. [severity:2/4; CVE-2015-0189, IT05869]

vulnerability announce CVE-2015-3627 CVE-2015-3629 CVE-2015-3630

docker: four vulnerabilities

Synthesis of the vulnerability

An attacker can use several vulnerabilities of docker.
Impacted products: QRadar SIEM, openSUSE.
Severity: 2/4.
Creation date: 19/05/2015.
Identifiers: 2004947, CVE-2015-3627, CVE-2015-3629, CVE-2015-3630, CVE-2015-3631, openSUSE-SU-2015:0905-1, VIGILANCE-VUL-16942.

Description of the vulnerability

Several vulnerabilities were announced in docker.

An attacker can bypass access restrictions, in order to read or alter data. [severity:2/4; CVE-2015-3630]

An attacker can bypass access restrictions, in order to read or alter data. [severity:2/4; CVE-2015-3631]

An attacker can bypass security features, in order to obtain sensitive information. [severity:2/4; CVE-2015-3627]

A local attacker can create a symbolic link, in order to alter the pointed file, with privileges of the application. [severity:1/4; CVE-2015-3629]

vulnerability CVE-2015-0176 CVE-2015-0189

WebSphere MQ 8.0: two vulnerabilities

Synthesis of the vulnerability

An attacker can use several vulnerabilities of WebSphere MQ.
Impacted products: QRadar SIEM, WebSphere MQ.
Severity: 2/4.
Creation date: 02/03/2015.
Revision date: 21/04/2015.
Identifiers: 1699549, 2015824, CVE-2015-0176, CVE-2015-0189, IT03865, IT05869, VIGILANCE-VUL-16290.

Description of the vulnerability

Several vulnerabilities were announced in WebSphere MQ.

An attacker can trigger a Cross Site Scripting, in order to execute JavaScript code in the context of the web site. [severity:2/4; 1699549, CVE-2015-0176, IT03865]

An unknown vulnerability was announced. [severity:2/4; CVE-2015-0189, IT05869]

vulnerability bulletin CVE-2014-3625

Spring Framework: directory traversal of MVC ResourceHttpRequestHandler

Synthesis of the vulnerability

An attacker can traverse directories in MVC ResourceHttpRequestHandler.java of Spring Framework, in order to read a file outside the service root path.
Impacted products: QRadar SIEM.
Severity: 2/4.
Creation date: 12/11/2014.
Revision date: 21/11/2014.
Identifiers: 1999395, 1999474, 1999478, 1999479, 1999488, 1999532, CVE-2014-3625, RHSA-2015:0234-01, RHSA-2015:0235-01, RHSA-2015:0236-01, RHSA-2015:0720-01, SPR-12354, VIGILANCE-VUL-15633.

Description of the vulnerability

The org/springframework/web/servlet/resource/ResourceHttpRequestHandler.java file of Spring Framework is used via "<mvc:resources>" for example.

However, user-supplied data is inserted directly into a file access path. Sequences such as "/.." can thus be used to move up to the parent directory.

An attacker can therefore traverse directories in MVC ResourceHttpRequestHandler.java of Spring Framework, in order to read a file outside the service root path.

computer vulnerability announce CVE-2014-7975

Linux kernel: denial of service via do_umount

Synthesis of the vulnerability

An attacker can unmount a file system on the Linux kernel, in order to trigger a denial of service.
Impacted products: Fedora, QRadar SIEM, Linux, MBS, openSUSE, RHEL, Ubuntu.
Severity: 1/4.
Creation date: 09/10/2014.
Identifiers: 2011746, CERTFR-2014-AVI-495, CVE-2014-7975, FEDORA-2014-13020, FEDORA-2014-13045, MDVSA-2014:201, openSUSE-SU-2014:1677-1, RHSA-2017:1842-01, RHSA-2017:2077-01, USN-2415-1, USN-2416-1, USN-2417-1, USN-2418-1, USN-2419-1, USN-2420-1, USN-2421-1, VIGILANCE-VUL-15457.

Description of the vulnerability

The umount() call is used to unmount a file system.

However, the do_umount() function of the fs/namespace.c file does not check whether the user has the CAP_SYS_ADMIN privilege before allowing the file system to be unmounted.

An attacker can therefore unmount a file system on the Linux kernel, in order to trigger a denial of service.

computer vulnerability CVE-2014-7970

Linux kernel: infinite loop of pivot_root

Synthesis of the vulnerability

An attacker can generate an infinite loop in the pivot_root() function of the Linux kernel, in order to trigger a denial of service.
Impacted products: Fedora, QRadar SIEM, Linux, MBS, RHEL, SUSE Linux Enterprise Desktop, SLES, Ubuntu.
Severity: 1/4.
Creation date: 09/10/2014.
Identifiers: 2011746, CERTFR-2014-AVI-495, CERTFR-2014-AVI-528, CERTFR-2015-AVI-081, CVE-2014-7970, FEDORA-2014-13020, FEDORA-2014-13045, MDVSA-2014:230, RHSA-2017:1842-01, RHSA-2017:2077-01, SUSE-SU-2015:0581-1, SUSE-SU-2015:0736-1, USN-2419-1, USN-2420-1, USN-2447-1, USN-2447-2, USN-2448-1, USN-2448-2, USN-2513-1, USN-2514-1, VIGILANCE-VUL-15455.

Description of the vulnerability

The pivot_root() system call changes the file system root for the current process.

However, if it is called as pivot_root(".", ".") from a process located outside the chroot, an infinite loop occurs.

An attacker can therefore generate an infinite loop in the pivot_root() function of the Linux kernel, in order to trigger a denial of service.

computer vulnerability bulletin CVE-2014-3577

Apache HttpComponents HttpClient: erroneous certificate validation

Synthesis of the vulnerability

An attacker can create an SSL certificate which will be wrongly validated by Apache HttpComponents HttpClient, in order to capture traffic and bypass encryption.
Impacted products: Apache HttpClient, Fedora, HPE NNMi, QRadar SIEM, WebSphere AS Traditional, RHEL, JBoss EAP by Red Hat, Ubuntu.
Severity: 1/4.
Creation date: 18/08/2014.
Identifiers: 2015815, 7036319, c05103564, CVE-2014-3577, FEDORA-2014-9539, FEDORA-2014-9581, FEDORA-2014-9617, FEDORA-2014-9629, HPSBMU03584, RHSA-2014:1082-01, RHSA-2014:1146-01, RHSA-2014:1162-01, RHSA-2014:1163-01, RHSA-2014:1166-01, RHSA-2014:1320-01, RHSA-2014:1321-01, RHSA-2014:1322-01, RHSA-2014:1323-01, RHSA-2014:1833-01, RHSA-2014:1834-01, RHSA-2014:1835-01, RHSA-2014:1836-01, RHSA-2014:1891-01, RHSA-2014:1892-01, RHSA-2014:1904-01, RHSA-2014:2019-01, RHSA-2014:2020-01, RHSA-2015:0125-01, RHSA-2015:0158-01, RHSA-2015:0234-01, RHSA-2015:0235-01, RHSA-2015:0675-01, RHSA-2015:0720-01, RHSA-2015:0765-01, RHSA-2015:0850-01, RHSA-2015:0851-01, RHSA-2015:1009, RHSA-2015:1176-01, RHSA-2015:1177-01, RHSA-2016:1931-01, USN-2769-1, VIGILANCE-VUL-15198.

Description of the vulnerability

The HttpClient library can manage HTTP connections over SSL.

In order to authenticate a server, the client must check the certificate (cryptographic signatures, validity date range, etc.) and also that the received certificate matches the visited server. This check is usually done on DNS names, or sometimes on IP addresses. However, instead of matching the exact subjectAltName field or, for compatibility, the commonName field, the library looks for a substring that matches the targeted server name.

This vulnerability is a variant of VIGILANCE-VUL-12182.

An attacker can therefore create an SSL certificate which will be wrongly validated by Apache HttpComponents HttpClient, in order to capture traffic and bypass encryption.

computer vulnerability bulletin CVE-2014-1912

Python: buffer overflow of sock_recvfrom_into

Synthesis of the vulnerability

An attacker can generate a buffer overflow in the sock_recvfrom_into() function of Python, in order to trigger a denial of service, and possibly to execute code.
Impacted products: Debian, Fedora, QRadar SIEM, MBS, MES, MariaDB ~ precise, MySQL Community, MySQL Enterprise, openSUSE, Solaris, Percona Server, XtraDB Cluster, Python, RHEL, Ubuntu.
Severity: 2/4.
Creation date: 14/02/2014.
Identifiers: 2004947, 20246, CERTFR-2014-AVI-244, cpujul2017, CVE-2014-1912, DSA-2880-1, FEDORA-2014-2394, FEDORA-2014-2418, MDVSA-2014:041, MDVSA-2015:075, MDVSA-2015:076, openSUSE-SU-2014:0380-1, openSUSE-SU-2014:0498-1, openSUSE-SU-2014:0518-1, openSUSE-SU-2014:0597-1, openSUSE-SU-2014:1734-1, RHSA-2015:1064-01, RHSA-2015:1330-01, USN-2125-1, VIGILANCE-VUL-14258.

Description of the vulnerability

The Python socket module provides the socket.recvfrom_into() function, which receives data from a network socket and stores it in a caller-supplied buffer.

However, if the size of the received network data is greater than the size of the storage buffer, an overflow occurs in the sock_recvfrom_into() function.

An attacker can therefore generate a buffer overflow in the sock_recvfrom_into() function of Python, in order to trigger a denial of service, and possibly to execute code.