Dear CREODIAS users,
In the Security section customers will find information about latest and most critical security vulnerabilities, published in the last month by the SANS Institute (www.sans.org
). Security vulnerabilities in software and hardware are very often used by cyber criminals to attack IT infrastructure and steal or destroy company's data, that is why companies are adviced to fix those vulnerabilities as soon as possible.
Title: Authentication Bypass Vulnerability in Juniper
Description: This issue is not applicable to NFX NextGen Software. On NFX Series devices the use of Hard-coded Credentials in Juniper Networks Junos OS allows an attacker to take over any instance of an NFX deployment. This issue is only exploitable through administrative interfaces. This issue affects: Juniper Networks Junos OS versions prior to 19.1R1 on NFX Series. No other platforms besides NFX Series devices are affected.
Title: Remote Code Execution in Oracle Global Desktop
Description: Vulnerability in the Oracle Secure Global Desktop product of Oracle Virtualization (component: Gateway). The supported version that is affected is 5.6. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Secure Global Desktop. While the vulnerability is in Oracle Secure Global Desktop, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Oracle Secure Global Desktop.
Title: Remote Code Execution in Oracle Storage Cloud
Description: Vulnerability in the Oracle Storage Cloud Software Appliance product of Oracle Storage Gateway (component: Management Console). The supported version that is affected is Prior to 126.96.36.199.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Storage Cloud Software Appliance. While the vulnerability is in Oracle Storage Cloud Software Appliance, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Oracle Storage Cloud Software Appliance. Note: Updating the Oracle Storage Cloud Software Appliance to version 188.8.131.52.2 or later will address these vulnerabilities.
Title: Authentication Bypass Vulnerability in Apache httpd
Vendor: Apache and multiple other vendors
Description: In Apache httpd 2.2.x before 2.2.33 and 2.4.x before 2.4.26, use of the ap_get_basic_auth_pw() by third-party modules outside of the authentication phase may lead to authentication requirements being bypassed.
Title: Deserialization Vulnerability in XStream Library
Description: XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.
Title: Privilege Escalation Vulnerability in Apache Unomi
Description: Apache Unomi allows conditions to use OGNL scripting which offers the possibility to call static Java classes from the JDK that could execute code with the permission level of the running Java process.
Title: Authentication Bypass Vulnerability in Apache Shiro
Description: Apache Shiro before 1.7.0, when using Apache Shiro with Spring, a specially crafted HTTP request may cause an authentication bypass.
Title: SQL Injection Vulnerability in PHPSHE Mail System
Description: SQL Injection in PHPSHE Mall System v1.7 allows remote attackers to execute arbitrary code by injecting SQL commands into the "user phone" parameter of a crafted HTTP request to the "admin.php" component.Best regards,