The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of SES

vulnerability note CVE-2017-8816 CVE-2017-8817 CVE-2017-8818

curl: three vulnerabilities

Synthesis of the vulnerability

An attacker can use several vulnerabilities of curl.
Impacted products: SDS, SES, SNS, OpenOffice, Mac OS X, curl, Debian, Fedora, Juniper EX-Series, Junos OS, SRX-Series, openSUSE Leap, Solaris, RHEL, Shibboleth SP, Ubuntu.
Severity: 2/4.
Consequences: user access/rights, denial of service on service, denial of service on client.
Provenance: internet server.
Number of vulnerabilities in this bulletin: 3.
Creation date: 29/11/2017.
Identifiers: bulletinapr2018, bulletinoct2018, CVE-2017-8816, CVE-2017-8817, CVE-2017-8818, DLA-1195-1, DSA-4051-1, FEDORA-2017-0c062324cd, FEDORA-2017-45bdf4dace, HT208465, HT208692, JSA10874, openSUSE-SU-2018:0161-1, RHSA-2018:3558-01, STORM-2019-002, USN-3498-1, USN-3498-2, VIGILANCE-VUL-24564.

Description of the vulnerability

An attacker can use several vulnerabilities of curl.
Full Vigil@nce bulletin... (Free trial)

computer vulnerability bulletin CVE-2017-1000254

curl: out-of-bounds memory reading via FTP PWD

Synthesis of the vulnerability

An attacker can force a read at an invalid address via FTP PWD of curl, in order to trigger a denial of service, or to obtain sensitive information.
Impacted products: SDS, SES, SNS, OpenOffice, Mac OS X, curl, Debian, Fedora, Juniper EX-Series, Junos OS, SRX-Series, openSUSE Leap, Solaris, pfSense, RHEL, Slackware, Ubuntu, VxWorks.
Severity: 2/4.
Consequences: data reading, denial of service on service, denial of service on client.
Provenance: internet server.
Creation date: 04/10/2017.
Identifiers: 2011879, bulletinapr2018, CVE-2017-1000254, DLA-1121-1, DSA-3992-1, FEDORA-2017-601b4c20a4, HT208331, HT208394, JSA10874, K-511316, openSUSE-SU-2017:2880-1, RHSA-2018:3558-01, SSA:2017-279-01, STORM-2019-002, USN-3441-1, USN-3441-2, VIGILANCE-VUL-24018.

Description of the vulnerability

An attacker can force a read at an invalid address via FTP PWD of curl, in order to trigger a denial of service, or to obtain sensitive information.
Full Vigil@nce bulletin... (Free trial)

vulnerability alert CVE-2017-1000099 CVE-2017-1000100 CVE-2017-1000101

curl: three vulnerabilities

Synthesis of the vulnerability

An attacker can use several vulnerabilities of curl.
Impacted products: SDS, SES, SNS, OpenOffice, Mac OS X, curl, Debian, Fedora, Android OS, Juniper EX-Series, Junos OS, SRX-Series, openSUSE Leap, Solaris, RHEL, Slackware, Ubuntu, VxWorks.
Severity: 3/4.
Consequences: user access/rights, data reading, denial of service on service, denial of service on client.
Provenance: internet server.
Number of vulnerabilities in this bulletin: 3.
Creation date: 09/08/2017.
Identifiers: 2011879, bulletinapr2018, CVE-2017-1000099, CVE-2017-1000100, CVE-2017-1000101, DLA-1062-1, DSA-3992-1, FEDORA-2017-f1ffd18079, FEDORA-2017-f2df9d7772, HT208221, JSA10874, K-511316, openSUSE-SU-2017:2205-1, RHSA-2018:3558-01, SSA:2017-221-01, STORM-2019-002, USN-3441-1, USN-3441-2, VIGILANCE-VUL-23481.

Description of the vulnerability

Several vulnerabilities were announced in curl.

An attacker can force a read at an invalid address via Globbing, in order to trigger a denial of service, or to obtain sensitive information. [severity:2/4; CVE-2017-1000101]

An attacker can generate a buffer overflow via TFTP, in order to trigger a denial of service, and possibly to run code. [severity:3/4; CVE-2017-1000100]

An attacker can force a read at an invalid address via FILE, in order to trigger a denial of service, or to obtain sensitive information. [severity:2/4; CVE-2017-1000099]
Full Vigil@nce bulletin... (Free trial)

vulnerability note CVE-2017-7679

Apache httpd: out-of-bounds memory reading via mod_mime

Synthesis of the vulnerability

An attacker can force a read at an invalid address via mod_mime of Apache httpd, in order to trigger a denial of service, or to obtain sensitive information.
Impacted products: SES, Apache httpd, Mac OS X, Debian, NetWorker, BIG-IP Hardware, TMOS, Fedora, Junos Space, ePO, openSUSE Leap, Solaris, VirtualBox, RHEL, Slackware, Ubuntu.
Severity: 2/4.
Consequences: data reading, denial of service on service.
Provenance: internet client.
Creation date: 20/06/2017.
Identifiers: APPLE-SA-2017-09-25-1, bulletinjul2017, cpuoct2017, CVE-2017-7679, DLA-1009-1, DSA-3896-1, FEDORA-2017-9ded7c5670, FEDORA-2017-cf9599a306, HT208144, HT208221, JSA10838, K75429050, openSUSE-SU-2017:1803-1, RHSA-2017:2478-01, RHSA-2017:2479-01, RHSA-2017:2483-01, RHSA-2017:3193-01, RHSA-2017:3194-01, RHSA-2017:3195-01, SB10206, SSA:2017-180-03, STORM-2017-003, USN-3340-1, USN-3373-1, VIGILANCE-VUL-23004.

Description of the vulnerability

An attacker can force a read at an invalid address via mod_mime of Apache httpd, in order to trigger a denial of service, or to obtain sensitive information.
Full Vigil@nce bulletin... (Free trial)

vulnerability bulletin CVE-2017-7668

Apache httpd: out-of-bounds memory reading via ap_find_token

Synthesis of the vulnerability

An attacker can force a read at an invalid address via ap_find_token() of Apache httpd, in order to trigger a denial of service, or to obtain sensitive information.
Impacted products: SES, Apache httpd, Mac OS X, Debian, Fedora, Junos Space, ePO, Solaris, VirtualBox, RHEL, Slackware, Ubuntu.
Severity: 2/4.
Consequences: data reading, denial of service on service.
Provenance: internet client.
Creation date: 20/06/2017.
Identifiers: APPLE-SA-2017-09-25-1, bulletinjul2017, CERTFR-2017-AVI-218, cpuoct2017, CVE-2017-7668, DLA-1009-1, DSA-3896-1, FEDORA-2017-9ded7c5670, FEDORA-2017-cf9599a306, HT208144, HT208221, JSA10838, RHSA-2017:2479-01, RHSA-2017:2483-01, RHSA-2017:3193-01, RHSA-2017:3194-01, SB10206, SSA:2017-180-03, STORM-2017-003, USN-3340-1, USN-3373-1, VIGILANCE-VUL-23003.

Description of the vulnerability

An attacker can force a read at an invalid address via ap_find_token() of Apache httpd, in order to trigger a denial of service, or to obtain sensitive information.
Full Vigil@nce bulletin... (Free trial)

vulnerability alert CVE-2017-3169

Apache httpd: NULL pointer dereference via mod_ssl

Synthesis of the vulnerability

An attacker can force a NULL pointer to be dereferenced via mod_ssl of Apache httpd, in order to trigger a denial of service.
Impacted products: SES, Apache httpd, Mac OS X, Debian, BIG-IP Hardware, TMOS, Fedora, Junos Space, ePO, openSUSE Leap, Solaris, VirtualBox, RHEL, Slackware, Ubuntu.
Severity: 2/4.
Consequences: denial of service on service.
Provenance: internet client.
Creation date: 20/06/2017.
Identifiers: APPLE-SA-2017-09-25-1, bulletinjul2017, CERTFR-2017-AVI-218, cpuoct2017, CVE-2017-3169, DLA-1009-1, DSA-3896-1, FEDORA-2017-9ded7c5670, FEDORA-2017-cf9599a306, HT208144, HT208221, JSA10838, K83043359, openSUSE-SU-2017:1803-1, RHSA-2017:2478-01, RHSA-2017:2479-01, RHSA-2017:2483-01, RHSA-2017:3193-01, RHSA-2017:3194-01, RHSA-2017:3195-01, SB10206, SSA:2017-180-03, STORM-2017-003, USN-3340-1, USN-3373-1, VIGILANCE-VUL-23001.

Description of the vulnerability

An attacker can force a NULL pointer to be dereferenced via mod_ssl of Apache httpd, in order to trigger a denial of service.
Full Vigil@nce bulletin... (Free trial)

vulnerability CVE-2017-7468

libcurl: TLS session resume even if the certificate changed

Synthesis of the vulnerability

The TLS client of libcurl can reuse a session even if the client certificate changed, which may lead to the authentication with an incorrect identity.
Impacted products: SDS, SES, SNS, OpenOffice, Mac OS X, curl, pfSense, Ubuntu.
Severity: 2/4.
Consequences: data reading, data creation/edition.
Provenance: user account.
Creation date: 19/04/2017.
Identifiers: APPLE-SA-2017-07-19-2, CVE-2017-7468, HT207922, STORM-2019-002, USN-3262-1, VIGILANCE-VUL-22500.

Description of the vulnerability

The TLS client of libcurl can reuse a session even if the client certificate changed, which may lead to the authentication with an incorrect identity.
Full Vigil@nce bulletin... (Free trial)

computer vulnerability CVE-2017-2629

curl: Man-in-the-Middle with SSL_VERIFYSTATUS

Synthesis of the vulnerability

An attacker can act as a Man-in-the-Middle on curl with CURLOPT_SSL_VERIFYSTATUS, in order to read or write data in the session.
Impacted products: SDS, SES, SNS, OpenOffice, Mac OS X, curl, pfSense.
Severity: 2/4.
Consequences: data reading, data creation/edition.
Provenance: internet server.
Creation date: 22/02/2017.
Identifiers: APPLE-SA-2017-07-19-2, CVE-2017-2629, HT207922, STORM-2019-002, VIGILANCE-VUL-21925.

Description of the vulnerability

The curl product uses the TLS protocol, in order to create secure sessions.

However, the X.509 certificate and the service identity are not correctly checked during the usage of CURLOPT_SSL_VERIFYSTATUS (OCSP Stapling, TLS Certificate Status Request).

An attacker can therefore act as a Man-in-the-Middle on curl with CURLOPT_SSL_VERIFYSTATUS, in order to read or write data in the session.
Full Vigil@nce bulletin... (Free trial)

computer vulnerability CVE-2016-9586 CVE-2016-9952 CVE-2016-9953

cURL: three vulnerabilities

Synthesis of the vulnerability

An attacker can use several vulnerabilities of cURL.
Impacted products: SDS, SES, SNS, OpenOffice, Mac OS X, curl, Debian, Fedora, Juniper EX-Series, Junos OS, SRX-Series, openSUSE Leap, Solaris, RHEL, Ubuntu.
Severity: 2/4.
Consequences: client access/rights, data reading.
Provenance: internet server.
Number of vulnerabilities in this bulletin: 3.
Creation date: 21/12/2016.
Identifiers: APPLE-SA-2017-07-19-2, cpuoct2018, CVE-2016-9586, CVE-2016-9952, CVE-2016-9953, DLA-1568-1, DLA-767-1, FEDORA-2016-86d2b5aefb, FEDORA-2016-edbb33ab2e, HT207615, HT207922, JSA10874, openSUSE-SU-2017:1105-1, RHSA-2018:3558-01, STORM-2019-002, USN-3441-1, USN-3441-2, VIGILANCE-VUL-21435.

Description of the vulnerability

Several vulnerabilities were announced in cURL.

An attacker can generate a buffer overflow via float numbers, in order to trigger a denial of service, and possibly to run code. [severity:2/4; CVE-2016-9586]

On WinCE platforms, an attacker can tamper with X.501 names in the X.509 certificate validation process, in order to spoof a server. [severity:2/4; CVE-2016-9952]

On WinCE platforms, an attacker can raise a read only buffer overflow in the X.509 certificate validation process, in order to read the server process memory or crash it. [severity:2/4; CVE-2016-9953]
Full Vigil@nce bulletin... (Free trial)

computer vulnerability note CVE-2016-8615 CVE-2016-8616 CVE-2016-8617

Curl: multiple vulnerabilities

Synthesis of the vulnerability

An attacker can use several vulnerabilities of Curl.
Impacted products: SDS, SES, SNS, OpenOffice, Mac OS X, curl, Debian, BIG-IP Hardware, TMOS, Fedora, IBM System x Server, Tivoli Workload Scheduler, Juniper EX-Series, Junos OS, SRX-Series, openSUSE Leap, Solaris, RHEL, Shibboleth SP, Slackware, SUSE Linux Enterprise Desktop, SLES, Synology DS***, Synology RS***, Ubuntu.
Severity: 3/4.
Consequences: user access/rights, data reading, data creation/edition, denial of service on service, denial of service on client.
Provenance: internet client.
Number of vulnerabilities in this bulletin: 11.
Creation date: 02/11/2016.
Identifiers: 2001818, 2009692, bulletinapr2018, cpuoct2018, CVE-2016-8615, CVE-2016-8616, CVE-2016-8617, CVE-2016-8618, CVE-2016-8619, CVE-2016-8620, CVE-2016-8621, CVE-2016-8622, CVE-2016-8623, CVE-2016-8624, CVE-2016-8625, DLA-711-1, DSA-3705-1, FEDORA-2016-e8e8cdb4ed, HT207423, JSA10874, K01006862, K10196624, K26899353, K44503763, K46123931, K52828640, MIGR-5099570, openSUSE-SU-2016:2768-1, RHSA-2018:3558-01, SSA:2016-308-01, STORM-2019-002, SUSE-SU-2016:2699-1, SUSE-SU-2016:2714-1, USN-3123-1, VIGILANCE-VUL-20989.

Description of the vulnerability

Several vulnerabilities were announced in Curl.

An attacker can bypass access restrictions via Cookie Injection, in order to read or alter data. [severity:2/4; CVE-2016-8615]

An attacker can bypass security features via Case Insensitive Password Comparison, in order to escalate his privileges. [severity:2/4; CVE-2016-8616]

An attacker can generate a memory corruption via Multiplication, in order to trigger a denial of service, and possibly to run code. [severity:3/4; CVE-2016-8617]

An attacker can force the usage of a freed memory area via curl_maprintf(), in order to trigger a denial of service, and possibly to run code. [severity:3/4; CVE-2016-8618]

An attacker can force the usage of a freed memory area via krb5, in order to trigger a denial of service, and possibly to run code. [severity:3/4; CVE-2016-8619]

An attacker can generate a buffer overflow via Glob Parser, in order to trigger a denial of service, and possibly to run code. [severity:3/4; CVE-2016-8620]

An attacker can force a read at an invalid address via Curl_getdate, in order to trigger a denial of service, or to obtain sensitive information. [severity:2/4; CVE-2016-8621]

An attacker can generate an integer overflow via URL Unescape, in order to trigger a denial of service, and possibly to run code. [severity:3/4; CVE-2016-8622]

An attacker can force the usage of a freed memory area via Shared Cookies, in order to trigger a denial of service, and possibly to run code. [severity:3/4; CVE-2016-8623]

An attacker can bypass security features via URL Parsing, in order to obtain sensitive information. [severity:2/4; CVE-2016-8624]

An attacker can bypass security features via IDNA 2003, in order to obtain sensitive information. [severity:2/4; CVE-2016-8625]
Full Vigil@nce bulletin... (Free trial)
Our database contains other pages. You can request a free trial to read them.

Display information about SES: