Posts Tagged ‘Java’

Oracle vows better Java security

Tuesday, June 4th, 2013

In light of recent vulnerabilities found in Java and ongoing concerns about the technology’s overall security, Oracle has promised—again—that it will fix the problems.

Oracle has already made some changes to Java and is working on new initiatives to improve security, Nandini Ramani, head of Java development at Oracle, wrote in a blog post on Friday. After a series of high-profile Web-based attacks targeted employees across various industries, Oracle pledged to address the underlying issues in the cross-platform environment.

Two of the changes outlined in Ramani’s post, including updates to the applet security model and the Java plugin’s default behavior, are already live. Other changes, such as how Java applications handle revoked certificates, implementing local security policies to create custom rules, and restricting libraries available to server-side applications, are currently in development. Ramani did not indicate when these updates would be available.

What About the Sandbox?
“Taken as a whole, this is good thing for Java, but these changes don’t solve the underlying problem with the Java sandbox itself,” HD Moore, chief research officer of Rapid7 and creator of the Metasploit penetration testing framework, said in an email to SecurityWatch.

The Java sandbox is a protected area where applications are executed, separate from the underlying system. The sandbox is supposed to catch malicious executables before they can take over the machine or hijack running processes. However, attackers have successfully exploited several vulnerabilities to bypass the Java sandbox.

“Until Oracle implements process-level sandboxing, such as that used by Adobe Reader and Google Chrome, a malicious applet with a valid signature can still abuse JRE security flaws to escape the sandbox and compromise the system,” Moore said.

The Changes So Far
Oracle updated the security model recently so users can run signed applets without granting additional privileges and block unsigned applets from running. This means just signing an applet no longer automatically gives the program the ability to break out of the sandbox.

“This is a good thing for security,” Moore said.

Another good thing is the fact the default plug-in security settings now prevent unsigned or self-signed applets from executing. The change now makes it possible to whitelist specific Web sites and centrally manage Java security policies in the enterprise, Moore noted.

And Coming Soon…
Currently, Java supports both Certificate Revocation Lists (CRL) and Online Certificate Status Protocol (OCSP) to verify whether a signed certificate is still valid. However, since the check is not performed by default, attackers would be able to keep using a bad certificate even after it had been revoked. Oracle is planning an update which would enable checking by default.

The forthcoming Local Security Policy gives administrators additional control over policy settings, such as letting system administrators define which computers can run Java applets and which computers can’t.

Even though all of Java’s recent trials affected the applets running in the Web browser, Oracle is also exploring ways to make sure server-side applications remain secure, Ramani said. One change would be removing certain libraries that are not needed on server-side to reduce the attack surface.

New Schedule for Updates
Oracle is also going to update Java a bit more frequently. At the moment, Java is updated three times a year, following a separate update schedule from all other Oracle products. The quarterly Critical Patch Update will begin including Java fixes in October, Ramani said. Oracle will still release emergency updates, “out of band,” when necessary.

Considering that CPU is already a time-intensive effort for administrators, adding Java to the mix just makes for an even more gargantuan update. On the other hand, it means administrators don’t have to remember Java’s separate update schedule.

Source:  pcworld.com

Twitter also hacked this week, up to 250,000 accounts may have been compromised

Monday, February 4th, 2013

It’s been a rough week for security breaches, and Twitter has just announced it was a victim of attacks this week as well. In a blog post, the company states that during this past week it detected “unusual access patterns” that led it to uncover unauthorized attempts to access users’ data. Twitter even discovered one attack as it was happening, and was able to shut it down shortly thereafter. However, Twitter’s post-mortem revealed that the perpetrators of the attack may have had access to account information for approximately 250,000 different users. According to the company, “usernames, email addresses, session tokens and encrypted/salted versions of passwords” would have been available.

Twitter has reset the passwords and revoked session tokens for all such accounts; affected users should be receiving emails notifying them of the reset shortly. Users will be required to create new passwords from scratch.

While no explanation is given for how the vulnerability occurred, Twitter’s post does take a moment to “echo” the recent advisory given by the Department of Homeland Security for computer users to disable Java on their systems for optimal security.

This comes as just the latest in a series of high-profile security breaches that have been revealed this week. Both the Wall Street Journal and the New York Times revealed this week that they had been hacked, identifying hackers from China as the likely culprits. While Twitter does not directly make similar accusations, it does warn that “The attackers were extremely sophisticated, and we believe other companies and organizations have also been recently similarly attacked.”

“This attack was not the work of amateurs, and we do not believe it was an isolated incident,” Twitter’s Director of Information Security, Bob Lord, writes in the company’s post. “For that reason we felt that it was important to publicize this attack while we still gather information, and we are helping government and federal law enforcement in their effort to find and prosecute these attackers to make the Internet safer for all users.”

Update: We just spoke with a Twitter representative that stressed that the company doesn’t have definitive evidence that the accounts were in fact compromised at this time, and that the steps being taken today are a preventative measure. Twitter’s investigation is ongoing.

Source:  theverge.com

Java’s new “very high” security mode can’t protect you from malware

Monday, January 28th, 2013

Fix that was supposed to make malware attacks harder can be easily circumvented

Security researchers have uncovered a newly discovered bug in Oracle’s Java framework that allows attackers to bypass important security protections designed to prevent malware attacks.

The security improvements were introduced in Java 7 Update 10, and they came after a spate of in-the-wild attacks exploited fully patched versions of Java. Those allowed crooks to surreptitiously install malware on the computers of unsuspecting people using Java browser plugins. By default, the change required end users to manually allow the execution of Java code not digitally signed by a trusted authority. Users also had the ability to prevent any unsigned Java applet from running at all. Some security experts praised Oracle for adding the feature because it promised to drastically reduce the success of attacks that exploit security bugs in Java.

“Unfortunately, the above is only a theory,” security researcher Adam Gowdiak wrote on Sunday, referring to the way the protections are supposed to block untrusted code from running on end-user computers. “In practice, it is possible to execute an unsigned (and malicious!) Java code without a prompt corresponding to security settings configured in Java Control Panel.”

Oracle representatives didn’t immediately respond to an e-mail seeking comment for this post. In addition to shoring up the quality of the Java code base, many security professionals have called on Oracle to communicate more quickly and effectively when it learns of new vulnerabilities in recent versions of its software.

As a result of the vulnerability, Gowdiak wrote in an e-mail posted to the Bugtraq mail list, “unsigned Java code can be successfully executed on a target Windows system regardless of the four Java Control Panel settings.” He said Security Explorations, the Poland-based security firm he runs, has submitted proof-of-concept attack code to Oracle. It successfully overrides the protections on a fully patched Windows 7 machine that’s configured to run Java 7 Update 11 with the “very high” security setting.

Source:  arstechnica.com

Critical Java zero-day bug is being “massively exploited in the wild”

Friday, January 11th, 2013

Your fully patched installation of Java isn’t safe

A previously unknown and currently unpatched security hole in the latest version of the Java software framework is under attack online, according to security researchers and bloggers.

Attack code that exploits a vulnerability in Java’s browser plugin has been added to the Blackhole, Cool, Nuclear Pack, and Redkit exploit kits, according to the Malware Don’t Need Coffee blog, prompting its author to say that the bug is being “massively exploited in the wild.” Miscreants use these products to turn compromised websites into platforms for silently installing keyloggers and other types of malicious software on the computers of unsuspecting visitors. KrebsOnSecurity reporter Brian Krebs said the curators of both Blackhole and Nuclear Pack have taken to the underweb to boast of the addition to their wares. It’s not yet clear how many websites have been outfitted with the exploits.

According to researchers at Alienvault Labs, the exploits work against fully patched installations of Java. Attack files are highly obfuscated and are most likely succeeding by bypassing security checks built in to the program. KrebsOnSecurity said the malware authors say the exploits work against all versions of Java 7.

Update: Analysis from antivirus provider Kaspersky Lab indicates the exploits are already deployed on a variety of websites.

“There appears to be multiple ad networks redirecting to Blackhole sites, amplifying the mass exploitation problem,” Kaspersky Lab expert Kurt Baumgartner wrote. “We have seen ads from legitimate sites, especially in the UK, Brazil, and Russia, redirecting to domains hosting the current Blackhole implementation delivering the Java 0day. These sites include weather sites, news sites, and of course, adult sites.”

People who don’t use Java much should once again consider unplugging Java from their browser, while those who don’t use it at all may want to uninstall it altogether. The release notes for Java 7 Update 10—the most recent version—say users can disable the program from the browser by accessing the Java Control Panel. KrebsOnSecurity has instructions here for other ways to do this.
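The two controls mentioned here and in the Oracle post above (the Control Panel setting that disables Java in the browser, and the CRL/OCSP revocation checks that are off by default) can be pinned centrally through the JRE’s deployment configuration. The fragment below is an added example, not configuration from any of the articles or from Oracle’s documentation; the file locations are the Java 7 defaults as assumed here and should be checked against the JRE actually deployed.

```properties
# --- deployment.config (system-wide; assumed locations: /etc/.java/deployment/
# on Linux, %WINDIR%\Sun\Java\Deployment\ on Windows). It points every JRE on
# the machine at one enforced deployment.properties file.
deployment.system.config=file:///etc/.java/deployment/deployment.properties
deployment.system.config.mandatory=true

# --- deployment.properties (the file referenced above).
# A bare "<key>.locked" line stops users from changing that setting in the
# Java Control Panel.

# Security slider introduced in 7u10. VERY_HIGH: only applets signed by a
# certificate from a trusted CA run, and only after a prompt.
# Weak setting this replaces: LOW/MEDIUM, where unsigned applets ran silently.
deployment.security.level=VERY_HIGH
deployment.security.level.locked

# Revocation checking. The Oracle post notes these are off by default, so a
# revoked signing certificate keeps working; turn both on and lock them.
deployment.security.validation.crl=true
deployment.security.validation.crl.locked
deployment.security.validation.ocsp=true
deployment.security.validation.ocsp.locked

# Machines that do not need Java in the browser at all: this is the
# "Enable Java content in the browser" checkbox, forced off and locked.
deployment.webjava.enabled=false
deployment.webjava.enabled.locked
```

With `deployment.system.config.mandatory=true` the JRE refuses to start Web Start or plugin content if the system file cannot be read, which is the safer failure mode for a setting that exists to keep untrusted code out; drop that line only where an unreachable file server would otherwise break business applications.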

Source:  arstechnica.com

Latest Java zero-day exploit renews calls to disable it

Thursday, November 29th, 2012

Oracle contributes to the problem by not working more closely with the security industry on Java defenses, one security expert said

A zero-day Java exploit found for sale in the criminal underground has renewed calls to disable the cross-platform runtime environment in Web browsers.

The latest exploit of a vulnerability not yet publicly known was reported on Tuesday by Brian Krebs, author of the KrebsonSecurity blog. An established member of the Underweb forum, an invitation-only site, was selling the exploit for Java JRE 7 Update 9, the latest version of the platform. The expected price was in the “five digits.”

The flaw was in the Java class “MidiDevice.Info,” a component that handles audio input and output, Krebs said. The seller claimed “code execution was very reliable” on Firefox, Microsoft Internet Explorer and Windows 7.

The latest exploit discovery comes three months after two other zero-day vulnerabilities and exploit code were found, one by a security researcher at Accuvant and the other by a developer at Immunity. The flaws were in Java 7 and affected Windows, Mac OS X and Linux operating systems running a browser with a Java plug-in.

The latest exploit was unusual because exploits are seldom sold in such an open manner, said Chester Wisniewski, a senior security adviser for Sophos. “Granted it is on a members only criminal forum, but it sounds like the post was rather straight forward.”

Java is used in 3 billion devices worldwide, says its steward, Oracle. The platform’s ubiquity makes it a favorite hacker target, along with the fact that the platform often goes unpatched in people’s computers. Security company Rapid7 estimates that 65 percent of the installations today are unpatched.

“Many people don’t even know Java is installed on their computers and browsers, and that’s a huge problem,” said Andrew Storms, director of security operations at nCircle.

Oracle contributes to the problem by not working more closely with the security industry in building better defenses in Java, Storms said. The company shares very little information with security experts between patches.

[See also: Oracle knew about currently exploited Java vulnerabilities for months, researcher says]

“We could all benefit by Oracle stepping up the game to engage the community at large,” Storms said.

Experts recommend disabling Java in Web browsers, unless it is needed to access specific business applications. In the latter case, a separate browser should be dedicated for the sole purpose of accessing those applications.

“IT departments should really consider if users need to access Java for business critical applications, otherwise, they should get rid of it,” said Rob Rachwald, director of security strategy at Imperva.

Another option is to configure a client firewall to block a browser’s Java plug-in from accessing the Internet, unless the destination site is on a whitelist.

Source:  infoworld.com

Yet another Java flaw allows “complete” bypass of security sandbox

Monday, October 1st, 2012

Flaw in last three Java versions, 8 years’ worth, puts a billion users at risk.

Researchers have discovered a Java flaw that would let hackers bypass critical security measures in all recent versions of the software. The flaw was announced today by Security Explorations, the same team that recently found a security hole in Java SE 7 letting attackers take complete control of PCs. But this latest exploit affects Java SE 5, 6, and 7—the last eight years’ worth of Java software.

“The impact of this issue is critical—we were able to successfully exploit it and achieve a complete Java security sandbox bypass in the environment of Java SE 5, 6, and 7,” Adam Gowdiak of Security Explorations wrote, claiming the hole puts “one billion users” at risk.

Gowdiak wrote that Security Explorations successfully pulled off the exploit on a fully patched Windows 7 32-bit computer in Firefox, Chrome, Internet Explorer, Opera, and Safari. Although testing was limited to Windows 7 32-bit, Gowdiak told Computerworld that the flaw would be exploitable on any machine with Java 5, 6, or 7 enabled (whether it’s Windows 7 64-bit, Mac OS X, Linux, or Solaris).

The bug lets attackers violate the “type safety” security system in the Java Virtual Machine. “A malicious Java applet or application exploiting this new issue could run unrestricted in the context of a target Java process such as a Web browser application,” Gowdiak told Computerworld. “An attacker could then install programs, view, change, or delete data with the privileges of a logged-on user.”

Gowdiak and his team have found a total of 50 Java flaws. While this latest one apparently isn’t being exploited in the wild yet, another that was being exploited was patched by Oracle last month, reportedly four months after Oracle learned of the vulnerability.

Gowdiak reported today that he provided Oracle with a technical description of the latest flaw, as well as “source and binary codes of our Proof of Concept code demonstrating a complete Java security sandbox bypass in the environment of Java SE 5, 6, and 7.”

We asked Oracle for comment this afternoon and have not heard back yet.

Source:  arstechnica.com

Rogue Microsoft Services Agreement emails lead to latest Java exploit

Monday, September 3rd, 2012

Hackers created a malicious version of a legitimate Microsoft email announcement

Hackers are distributing rogue email notifications about changes in Microsoft’s Services Agreement to trick people into visiting malicious pages that use a recently circulated Java exploit to infect their computers with malware.

“We’re receiving multiple reports of a phishing campaign using the template from a legitimate Microsoft email regarding Important Changes to Microsoft Services Agreement and Communication Preferences,” Russ McRee, security incident handler at the SANS Internet Storm Center, said Saturday in a blog post.

The rogue email messages are copies of legitimate notifications that Microsoft sent out to users to announce changes to the company’s Services Agreement that will take effect Oct. 19.

However, in the malicious versions of the emails, the correct links have been replaced with links to compromised websites that host attack pages from the Blackhole exploit toolkit.

Blackhole is a tool used by cybercriminals to launch Web-based attacks that exploit vulnerabilities in browser plug-ins like Java, Adobe Reader or Flash Player, in order to install malware on the computers of users who visit compromised or malicious websites.

This type of attack is known as a drive-by download and is very effective because it requires no user interaction to achieve its goal.

Blackhole was recently updated to include a new exploit for Java 7 that appeared online last Monday. The links in the rogue Microsoft Services Agreement notifications point to Blackhole-infected websites that make use of the new Java exploit to install a variant of the Zeus financial malware, McRee said.

Oracle released Java 7 Update 7 on Thursday to address the vulnerabilities targeted by this exploit.

The malicious Java applet used in this attack is detected by only eight of the 42 antivirus engines available on the VirusTotal file scanning service. The Zeus variant has a similarly low detection rate.

The technique of creating malicious versions of legitimate email messages sent by trusted companies is very old. However, its continued use by cybercriminals suggests that it is still efficient.

“This email is a legitimate announcement regarding updates to the Microsoft Services Agreement and Communication Preferences,” a Microsoft program manager for supporting mail technologies who identifies herself as Karla L, said on the Microsoft Answers website in response to a user inquiring about the authenticity of the email message.

However, she later acknowledged the existence of reports about malicious emails that use the same template. “If you received an email regarding the Microsoft Services Agreement update and you’re reading your email through Hotmail or Outlook.com, the legitimate email should have a Green shield that indicates the message is from a Trusted Sender,” she said. “If the email does not have a Green shield, you can mark the email as a Phishing scam.”

Hovering over the links in the legitimate version of the email should point to locations on the microsoft.com domain. Anything else should be treated as suspicious.

Reviewing the email headers can also offer clues whether the email is legitimate. For example, some samples of this rogue email message come from an IP address in China, McRee said.
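The two checks just described, link targets that must stay on the microsoft.com domain and relay addresses taken from the Received headers, are easy to automate for a mail gateway or a triage script. The following is an added Python example, not code from the article or from SANS; the sample message is constructed for this demonstration, with documentation-range IP addresses and invented hostnames, and the trusted-domain list is an assumption to adjust per campaign.

```python
import re
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains a legitimate Microsoft Services Agreement notice may link to (assumed).
TRUSTED_DOMAINS = ("microsoft.com",)

# Matches the bracketed relay address in a Received header, e.g. "[203.0.113.45]".
RECEIVED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


class _LinkCollector(HTMLParser):
    """Collects (href, visible anchor text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current = [dict(attrs).get("href", ""), ""]

    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self.links.append((self._current[0], self._current[1].strip()))
            self._current = None


def is_trusted_host(host):
    """True only for the trusted domain itself or a real subdomain of it.
    A plain substring test would accept 'microsoft.com.attacker.example'."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def suspicious_links(html):
    """Every link whose target host is outside the trusted domains."""
    collector = _LinkCollector()
    collector.feed(html)
    return [(href, text) for href, text in collector.links
            if not is_trusted_host(urlparse(href).hostname)]


def received_ips(msg):
    """Relay IPs from the Received chain, outermost (most recent hop) first."""
    ips = []
    for header in msg.get_all("Received", []):
        for ip in RECEIVED_IP.findall(header):
            if ip not in ips:
                ips.append(ip)
    return ips


def analyze(raw_message):
    """Parses a raw RFC 822 message and reports off-domain links and relay IPs."""
    msg = message_from_string(raw_message)
    html = ""
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            charset = part.get_content_charset() or "utf-8"
            html = part.get_payload(decode=True).decode(charset)
    return {"suspicious_links": suspicious_links(html),
            "relay_ips": received_ips(msg)}


# Constructed sample: one genuine-looking link and one whose host only starts
# with "microsoft.com". The relay addresses are from documentation ranges.
SAMPLE = """\
Received: from mail.example.net (mail.example.net [198.51.100.7])
\tby mx.example.org with ESMTP; Sat, 1 Sep 2012 10:00:00 +0000
Received: from [203.0.113.45] (unknown [203.0.113.45])
\tby mail.example.net; Sat, 1 Sep 2012 09:59:00 +0000
From: "Microsoft" <noreply@microsoft-services.example>
Subject: Important Changes to Microsoft Services Agreement
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Review the <a href="http://www.microsoft.com/servicesagreement">Services Agreement</a>.</p>
<p>Or <a href="http://microsoft.com.example-cdn.net/update">read the full text</a>.</p>
</body></html>
"""

if __name__ == "__main__":
    report = analyze(SAMPLE)
    for href, text in report["suspicious_links"]:
        print(f"off-domain link: '{text}' -> {href}")
    print("relay chain:", " <- ".join(report["relay_ips"]))
```

The innermost Received header (the last one, here `203.0.113.45`) is the one the sending system added and is the address worth checking against reputation data; the outer hops are your own and your peers’ relays. Note that the rogue message reuses a legitimate template, so only the link targets and the header path differ, which is exactly what this script inspects.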

Source:  computerworld.com

Attack targeting critical Java bug added to hack-by-numbers exploit kit

Wednesday, August 29th, 2012
http://cdn.arstechnica.net/wp-content/uploads/2012/08/code_comp-640x210.png

A comparison of code found in BlackHole and code published earlier as a proof-of-concept exploit.

Online attackers have wasted no time seizing on a critical vulnerability in Oracle’s Java software framework that makes it possible to install malware on computers running Windows, Mac OS X, or Linux.

So far, all of the exploits reported to be in the wild attack Windows PCs, but according to Errata Security CTO David Maynor, it’s not hard to exploit Mac and Linux machines that have the latest version of Java from Oracle installed. Neither platform has it installed by default, however. The vulnerability has nothing to do with JavaScript.

On Monday night, about 24 hours after the vulnerability became public, attack code exploiting it was added to BlackHole, an exploit kit sold in underground forums, security researchers said. A quick inspection of the BlackHole attack by antivirus provider F-Secure found it used many of the same coding conventions contained in a proof-of-concept exploit published earlier by security researcher Joshua Drake. It was also added to the Metasploit exploit framework used by penetration testers and hackers.

“There being no latest patch against this, the only solution is to totally disable Java,” F-Secure researchers wrote. “Since this is the most successful exploit kit + zero-day… que [sic] horror. Please, for the love of your computer disable Java on your browser.”

Researchers from Symantec on Tuesday reported two websites that are actively wielding the exploit, up from the single site discovered on Sunday.

The vulnerability is breathtaking for the way it almost completely subverts the security “sandbox” that is supposed to prevent malicious Java code from accessing sensitive operating-system functions. Exploiting it allows attackers with an unsigned, unprivileged process to overwrite the Java security context token with reflection. According to Symantec: “The vulnerability consists of a privilege escalation due to a class that allows access to protected members of system classes, which should not be accessible. Because of this, malicious code can bypass the restrictions imposed by the sandbox and use the ‘getRuntime().exec()’ function.”
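The sandbox described in the Oracle post above, and the `getRuntime().exec()` check Symantec refers to here, are the same mechanism: before `Runtime.exec` spawns anything it asks the installed `SecurityManager` for an execute permission, and the manager also guards its own removal. The program below is an added Java example, not code from the article, from Symantec or from Oracle; the command path is a placeholder used only for the permission check, and no process is started. It runs as-is on JDK 8 through 16; on JDK 17 to 23 add `-Djava.security.manager=allow`, since the API is deprecated for removal and is gone in JDK 24.

```java
/*
 * Added demonstration of the Java sandbox check from the defender's side.
 * Shows (1) what Runtime.exec asks the SecurityManager before spawning,
 * (2) that the default policy grants application code no execute permission,
 * (3) that the manager refuses to be switched off by the code it confines.
 */
public class SandboxCheckDemo {

    /** Placeholder program path; only the permission check is performed. */
    static final String CMD = "/usr/bin/id";

    /**
     * Mirrors what Runtime.exec does first: if a SecurityManager is installed,
     * call checkExec, which asks for FilePermission(cmd, "execute").
     */
    static String checkExec() {
        SecurityManager sm = System.getSecurityManager();
        if (sm == null) {
            return "no SecurityManager: exec of " + CMD + " would be allowed";
        }
        try {
            sm.checkExec(CMD);               // same call Runtime.exec makes
            return "exec of " + CMD + " allowed";
        } catch (SecurityException e) {      // AccessControlException is a subclass
            return "exec denied: " + e.getMessage();
        }
    }

    /**
     * A sandbox escape ultimately needs the manager gone. Removing it requires
     * RuntimePermission("setSecurityManager"), which the default policy does
     * not grant to application code, so a confined applet cannot do this
     * legitimately; the flaws in these articles reach the field by other means.
     */
    static String tryRemoveManager() {
        try {
            System.setSecurityManager(null);
            return "SecurityManager removed: sandbox is off";
        } catch (SecurityException e) {
            return "removal denied: " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        System.out.println(checkExec());
        // Install the JDK's default SecurityManager. It consults the default
        // policy file (lib/security/java.policy), which grants application
        // code only property reads, a localhost listen and stopThread.
        System.setSecurityManager(new SecurityManager());
        System.out.println(checkExec());
        System.out.println(tryRemoveManager());
    }
}
```

The second and third lines of output are the sandbox working as designed: `access denied ("java.io.FilePermission" "/usr/bin/id" "execute")` and a denial of `setSecurityManager`. The point the articles make is that every one of these checks runs inside the same VM as the untrusted code, so a type-confusion or reflection bug that corrupts the VM’s view of who is calling makes the checks pass without ever touching the policy; that is why HD Moore argues above for a process-level sandbox around the whole JRE.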

Immunity Inc. researcher Nico Waisman’s spectacular deep dive into the vulnerability is here. Researchers from Kaspersky Lab have additional details here about exploits being served in the wild.

Multiple reports claim it doesn’t affect Java 1.6 and earlier versions, but rolling back to an older release could create other security problems. KrebsonSecurity has useful suggestions for disabling or limiting Java use here.

Source:  arstechnica.com

Vulnerability Summary for the Week of July 25, 2011

Monday, August 1st, 2011

National Cyber Alert System
Cyber Security Bulletin SB11-213

The US-CERT Cyber Security Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week. The NVD is sponsored by the Department of Homeland Security (DHS) National Cyber Security Division (NCSD) / United States Computer Emergency Readiness Team (US-CERT). For modified or updated entries, please visit the NVD, which contains historical vulnerability information.

The vulnerabilities are based on the CVE vulnerability naming standard and are organized according to severity, determined by the Common Vulnerability Scoring System (CVSS) standard. The division of high, medium, and low severities corresponds to the following scores:

  • High – Vulnerabilities will be labeled High severity if they have a CVSS base score of 7.0 – 10.0
  • Medium – Vulnerabilities will be labeled Medium severity if they have a CVSS base score of 4.0 – 6.9
  • Low – Vulnerabilities will be labeled Low severity if they have a CVSS base score of 0.0 – 3.9

Entries may include additional information provided by organizations and efforts sponsored by US-CERT. This information may include identifying information, values, definitions, and related links. Patch information is provided when available. Please note that some of the information in the bulletins is compiled from external, open source reports and is not a direct result of US-CERT analysis.

High Vulnerabilities
(Each entry: Primary Vendor — Product; Description; Published; CVSS Score; Source & Patch Info)

azeotech — daqfactory
    AzeoTech DAQFactory before 5.85 (Build 1842) does not perform authentication for certain signals, which allows remote attackers to cause a denial of service (system reboot or shutdown) via a signal.
    Published: 2011-07-28 | CVSS: 7.8 | CVE-2011-2956

ca — gateway_security
    Icihttp.exe in CA Gateway Security for HTTP, as used in CA Gateway Security 8.1 before 8.1.0.69 and CA Total Defense r12, does not properly parse URLs, which allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption and daemon crash) via a malformed request.
    Published: 2011-07-28 | CVSS: 10.0 | CVE-2011-2667

cisco — sa500_software
    The web-based management interface on Cisco SA 500 series security appliances with software before 2.1.19 allows remote authenticated users to execute arbitrary commands via crafted parameters to web forms, aka Bug ID CSCtq65681.
    Published: 2011-07-28 | CVSS: 9.0 | CVE-2011-2547

cisco — asr_9006_router
    Unspecified vulnerability in Cisco IOS XR 4.1.x before 4.1.1 on Cisco Aggregation Services Routers (ASR) 9000 series devices allows remote attackers to cause a denial of service (line-card reload) via an IPv4 packet, aka Bug ID CSCtr26695.
    Published: 2011-07-28 | CVSS: 7.8 | CVE-2011-2549

drupal — drupal
    Drupal 7.x before 7.3 allows remote attackers to bypass intended node_access restrictions via vectors related to a listing that shows nodes but lacks a JOIN clause for the node table.
    Published: 2011-07-26 | CVSS: 7.5 | CVE-2011-2687

gimp — gimp
    Heap-based buffer overflow in the read_channel_data function in file-psp.c in the Paint Shop Pro (PSP) plugin in GIMP 2.6.11 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a PSP_COMP_RLE (aka RLE compression) image file that begins a long run count at the end of the image. NOTE: some of these details are obtained from third party information. NOTE: this vulnerability exists because of an incomplete fix for CVE-2010-4543.
    Published: 2011-07-26 | CVSS: 7.5 | CVE-2011-1782

google — picasa
    Google Picasa before 3.6 Build 105.67 does not properly handle invalid properties in JPEG images, which allows remote attackers to execute arbitrary code via a crafted image file.
    Published: 2011-07-28 | CVSS: 9.3 | CVE-2011-2747

ibm — lotus_symphony
    Multiple unspecified vulnerabilities in IBM Lotus Symphony 3 before FP3 have unknown impact and attack vectors, related to “critical security vulnerability issues.”
    Published: 2011-07-27 | CVSS: 10.0 | CVE-2011-2884

jan_wolter — mod_authnz_external
    SQL injection vulnerability in mysql/mysql-auth.pl in the mod_authnz_external module 3.2.5 and earlier for the Apache HTTP Server allows remote attackers to execute arbitrary SQL commands via the user field.
    Published: 2011-07-28 | CVSS: 7.5 | CVE-2011-2688

nrl — opie
    Multiple off-by-one errors in opiesu.c in opiesu in OPIE 2.4.1-test1 and earlier might allow local users to gain privileges via a crafted command line.
    Published: 2011-07-26 | CVSS: 7.2 | CVE-2011-2489

nrl — opie
    opielogin.c in opielogin in OPIE 2.4.1-test1 and earlier does not check the return value of the setuid system call, which allows local users to gain privileges by arranging for an account to already be running its maximum number of processes.
    Published: 2011-07-26 | CVSS: 7.2 | CVE-2011-2490

Medium Vulnerabilities
(Each entry: Primary Vendor — Product; Description; Published; CVSS Score; Source & Patch Info)

chyrp — chyrp
    upload_handler.php in the swfupload extension in Chyrp 2.0 and earlier relies on client-side JavaScript code to restrict the file extensions of uploaded files, which allows remote authenticated users to upload a .php file, and consequently execute arbitrary PHP code, via a write_post action to the default URI under admin/.
    Published: 2011-07-26 | CVSS: 6.5 | CVE-2011-2745

cisco — sa500_software
    SQL injection vulnerability in the web-based management interface on Cisco SA 500 series security appliances with software before 2.1.19 allows remote attackers to execute arbitrary SQL commands via unspecified vectors, aka Bug ID CSCtq65669.
    Published: 2011-07-28 | CVSS: 5.0 | CVE-2011-2546

debian — apt
    APT before 0.8.15.2 does not properly validate inline GPG signatures, which allows man-in-the-middle attackers to install modified packages via vectors involving lack of an initial clearsigned message.
    Published: 2011-07-26 | CVSS: 4.3 | CVE-2011-1829

ecava — integraxor
    Multiple cross-site scripting (XSS) vulnerabilities in Ecava IntegraXor before 3.60 (Build 4080) allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.
    Published: 2011-07-28 | CVSS: 4.3 | CVE-2011-2958

fabfile — fabric
    Fabric before 1.1.0 allows local users to overwrite arbitrary files via a symlink attack on (1) a /tmp/fab.*.tar file or (2) certain other files in the top level of /tmp/.
    Published: 2011-07-26 | CVSS: 4.4 | CVE-2011-2185

google — search_appliance
    Cross-site scripting (XSS) vulnerability in Google Search Appliance before 5.0 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
    Published: 2011-07-28 | CVSS: 4.3 | CVE-2011-1339

ibm — lotus_symphony
    IBM Lotus Symphony 3 before FP3 allows remote attackers to cause a denial of service (application crash) via the sample .doc document that incorporates a user-defined toolbar.
    Published: 2011-07-27 | CVSS: 4.3 | CVE-2011-2885

ibm — lotus_symphony
    IBM Lotus Symphony 3 before FP3 allows remote attackers to cause a denial of service (application crash) via a .docx document with empty bullet styles for parent bullets.
    Published: 2011-07-27 | CVSS: 4.3 | CVE-2011-2886

ibm — lotus_symphony
    IBM Lotus Symphony 3 before FP3 on Linux allows remote attackers to cause a denial of service (application crash) via a certain sample document.
    Published: 2011-07-27 | CVSS: 4.3 | CVE-2011-2887

ibm — lotus_symphony
    IBM Lotus Symphony 3 before FP3 allows remote attackers to cause a denial of service (application hang) via complex graphics in a presentation.
    Published: 2011-07-27 | CVSS: 4.3 | CVE-2011-2888

ibm — lotus_symphony
    The DataPilot feature in IBM Lotus Symphony 3 before FP3 allows user-assisted remote attackers to cause a denial of service (application crash) via a large .xls spreadsheet with an invalid Value reference.
    Published: 2011-07-27 | CVSS: 4.3 | CVE-2011-2893

joomla — joomla!
    Joomla! before 1.5.23 does not properly check for errors, which allows remote attackers to obtain sensitive information via unspecified vectors.
    Published: 2011-07-27 | CVSS: 5.0 | CVE-2011-2488

joomla — joomla!
    Multiple cross-site scripting (XSS) vulnerabilities in Joomla! before 1.6.4 allow remote attackers to inject arbitrary web script or HTML via (1) the query string to the com_contact component, as demonstrated by the Itemid parameter to index.php; (2) the query string to the com_content component, as demonstrated by the filter_order parameter to index.php; (3) the query string to the com_newsfeeds component, as demonstrated by an arbitrary parameter to index.php; or (4) the option parameter in a reset.request action to index.php; and, when Internet Explorer or Konqueror is used, (5) allow remote attackers to inject arbitrary web script or HTML via the searchword parameter in a search action to index.php in the com_search component.
    Published: 2011-07-27 | CVSS: 4.3 | CVE-2011-2509

joomla — joomla!
    Multiple cross-site scripting (XSS) vulnerabilities in Joomla! before 1.7.0 allow remote attackers to inject arbitrary web script or HTML via (1) the URI to includes/application.php, reachable through index.php; and, when Internet Explorer or Konqueror is used, (2) allow remote attackers to inject arbitrary web script or HTML via the searchword parameter in a search action to index.php in the com_search component. NOTE: vector 2 exists because of an incomplete fix for CVE-2011-2509.
    Published: 2011-07-27 | CVSS: 4.3 | CVE-2011-2710

joomla — joomla!
    templates/system/error.php in Joomla! before 1.5.23 might allow remote attackers to obtain sensitive information via unspecified vectors that trigger an undefined value of a certain error field, leading to disclosure of the installation path. NOTE: this might overlap CVE-2011-2488.
    Published: 2011-07-27 | CVSS: 5.0 | CVE-2011-2889

joomla — joomla!
    The MediaViewMedia class in administrator/components/com_media/views/media/view.html.php in Joomla! 1.5.23 and earlier allows remote attackers to obtain sensitive information via vectors involving the base variable, leading to disclosure of the installation path, a different vulnerability than CVE-2011-2488.
    Published: 2011-07-27 | CVSS: 5.0 | CVE-2011-2890

joomla — joomla!
    Joomla! 1.6.x before 1.6.2 allows remote attackers to obtain sensitive information via an empty Itemid array parameter to index.php, which reveals the installation path in an error message, a different vulnerability than CVE-2011-2488.
    Published: 2011-07-27 | CVSS: 5.0 | CVE-2011-2891

joomla — joomla!
    Joomla! 1.6.x before 1.6.2 does not prevent page rendering inside a frame in a third-party HTML document, which makes it easier for remote attackers to conduct clickjacking attacks via a crafted web site.
    Published: 2011-07-27 | CVSS: 4.3 | CVE-2011-2892

likewise — likewise_open
    SQL injection vulnerability in lsassd in Lsass in the Likewise Security Authority in Likewise Open 5.4 through 6.1, and Likewise Enterprise 6.0, allows local users to execute arbitrary SQL commands via unspecified vectors.
    Published: 2011-07-26 | CVSS: 5.8 | CVE-2011-2467

linux — kernel
    The gfs2_fallocate function in fs/gfs2/file.c in the Linux kernel before 3.0-rc1 does not ensure that the size of a chunk allocation is a multiple of the block size, which allows local users to cause a denial of service (BUG and system crash) by arranging for all resource groups to have too little free space.
    Published: 2011-07-28 | CVSS: 4.9 | CVE-2011-2689

linux — kernel
    Multiple off-by-one errors in the ext4 subsystem in the Linux kernel before 3.0-rc5 allow local users to cause a denial of service (BUG_ON and system crash) by accessing a sparse file in extent format with a write operation involving a block number corresponding to the largest possible 32-bit unsigned integer.
    Published: 2011-07-28 | CVSS: 4.9 | CVE-2011-2695

mega-nerd — libsndfile
    Integer overflow in libsndfile before 1.0.25 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted PARIS Audio Format (PAF) file that triggers a heap-based buffer overflow.
    Published: 2011-07-26 | CVSS: 6.8 | CVE-2011-2696
redhat — network_satellite_server Cross-site request forgery (CSRF) vulnerability in the Spacewalk Java site packages (aka spacewalk-java) 1.2.39 in Spacewalk, as used in the server in Red Hat Network Satellite 5.3.0 through 5.4.1 and other products, allows remote attackers to hijack the authentication of arbitrary users for requests that (1) disable the current user account, (2) add user accounts, or (3) modify user accounts to have administrator privileges. 2011-07-26 6.8 CVE-2009-4139
redhat — jboss_enterprise_application_platform jboss-seam.jar in the JBoss Seam 2 framework 2.2.x and earlier, as distributed in Red Hat JBoss Enterprise SOA Platform 4.3.0.CP04 and 5.1.0 and JBoss Enterprise Application Platform (aka JBoss EAP or JBEAP) 4.3.0.CP09 and 5.1.0, does not properly restrict use of Expression Language (EL) statements in FacesMessages during page exception handling, which allows remote attackers to execute arbitrary Java code via a crafted URL to an application. 2011-07-26 6.8 CVE-2011-1484
redhat — jboss_enterprise_application_platform jboss-seam.jar in the JBoss Seam 2 framework 2.2.x and earlier, as distributed in Red Hat JBoss Enterprise SOA Platform 4.3.0.CP05 and 5.1.0; JBoss Enterprise Application Platform (aka JBoss EAP or JBEAP) 4.3.0, 4.3.0.CP09, and 5.1.1; and JBoss Enterprise Web Platform 5.1.1, does not properly restrict use of Expression Language (EL) statements in FacesMessages during page exception handling, which allows remote attackers to execute arbitrary Java code via a crafted URL to an application. NOTE: this vulnerability exists because of an incomplete fix for CVE-2011-1484. 2011-07-26 6.8 CVE-2011-2196
rockwellautomation — factorytalk_diagnostics_viewer Unspecified vulnerability in Rockwell Automation FactoryTalk Diagnostics Viewer before V2.30.00 (CPR9 SR3) allows local users to execute arbitrary code via a crafted FactoryTalk Diagnostics Viewer (.ftd) configuration file, which triggers memory corruption. 2011-07-28 6.9 CVE-2011-2957
videolan — vlc_media_player Heap-based buffer overflow in the DemuxAudioSipr function in real.c in the RealMedia demuxer in VideoLAN VLC media player 1.1.x before 1.1.11 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted Real Media file. 2011-07-26 6.8 CVE-2011-2587
videolan — vlc_media_player Heap-based buffer overflow in the AVI_ChunkRead_strf function in libavi.c in the AVI demuxer in VideoLAN VLC media player before 1.1.11 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted AVI media file. 2011-07-26 6.8 CVE-2011-2588

Low Vulnerabilities
Primary Vendor — Product | Description | Published | CVSS Score | Source & Patch Info
linux — kernel | The bluetooth subsystem in the Linux kernel before 3.0-rc4 does not properly initialize certain data structures, which allows local users to obtain potentially sensitive information from kernel memory via a crafted getsockopt system call, related to (1) the l2cap_sock_getsockopt_old function in net/bluetooth/l2cap_sock.c and (2) the rfcomm_sock_getsockopt_old function in net/bluetooth/rfcomm/sock.c. | 2011-07-28 | 1.9 | CVE-2011-2492

Source:  CERT.org