Forum

Message Boards Message Boards

Announcements

Security Vulnerability Notification

Security Vulnerability Notification
Answer
22 December 2021 11:30
Dear CREODIAS Users,
 
In the Security section customers will find information about latest and most critical security vulnerabilities, published in the last month by the SANS Institute (www.sans.org). Security vulnerabilities in software and hardware are very often used by cybercriminals to attack IT infrastructure and steal or destroy company's data, that is why companies are advice to fix those vulnerabilities as soon as possible.
 
ID: CVE-2021-42114
Title: Rowhammer attack variant on modern DRAM devices
Description: Dynamic Random-Access Memory (DRAM) is a type of semiconductor memory that is typically used for the data or program code needed by a computer processor to function. These devices are used in personal computers (PCs), workstations, and servers. Modern DRAM devices (PC-DDR4, LPDDR4X) are affected by a vulnerability in their internal Target Row Refresh (TRR) mitigation against Rowhammer attacks. Rowhammer is a security flaw in dynamic random-access memory (DRAM) that takes advantage of an unintended and undesirable side effect in which memory cells interact electrically between themselves by leaking their charges, potentially changing the contents of nearby memory rows that were not addressed in the original memory access. Because of the high cell density in the current DRAM, this circumvention of DRAM memory cell isolation can be triggered by specifically constructed memory access patterns that repeatedly activate the same memory rows.
 
ID: CVE-2021-1975
Title: Heap overflow in the Qualcomm chipsets
Description: Qualcomm Snapdragon is a line of system-on-a-chip semiconductor products manufactured and marketed by Qualcomm Technologies Inc. for mobile smartphones. Possible heap overflow due to improper length check of domain while parsing the DNS response. This vulnerability is affecting the Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IoT, Snapdragon Industrial IoT, Snapdragon IoT, Snapdragon Voice & Music, Snapdragon Wearables.
 
ID: CVE-2021-30321
Title: Buffer overflow in the Qualcomm Snapdragon
Description: Qualcomm Snapdragon is a line of system-on-a-chip semiconductor products manufactured and marketed by Qualcomm Technologies Inc. for mobile smartphones. Due to the lack of a parameter length check during the MBSSID scan, there's a chance of a buffer overflow. Snapdragon Compute, Snapdragon Connectivity, and Snapdragon Consumer Electronics Connectivity all have IE parse.

ID: CVE-2021-41435
Title: Windows Kernel Elevation of Privilege Vulnerability
Description: A brute-force protection bypass in CAPTCHA protection in ASUS ROG Rapture GT-AX11000, RT-AX3000, RT-AX55, RT-AX56U, RT-AX56U_V2, RT-AX58U, RT-AX82U, RT-AX82U GUNDAM EDITION, RT-AX86 Series(RT-AX86U/RT-AX86S), RT-AX86U ZAKU II EDITION, RT-AX88U, RT-AX92U, TUF Gaming AX3000, TUF Gaming AX5400 (TUF-AX5400), ASUS ZenWiFi XD6, ASUS ZenWiFi AX (XT8) before 3.0.0.4.386.45898, and RT-AX68U before 3.0.0.4.386.45911, allows a remote attacker to attempt any number of login attempts via sending a specific HTTP request.
 
ID: CVE-2021-41653
Title: IP Address privilege escalation vulnerability in the TP-Link TL-WR840N EU v5 router
Description: A flaw was discovered in the TP-LINK TL-WR840N EU V5 171211 router (Router Operating System). It has been given a critical rating. The use of an unknown input to manipulate the argument IP address results in an unknown flaw.

ID: CVE-2021-36308
Title: Authentication Bypass vulnerability in Dell Networking OS10
Description: Networking OS10, versions prior to October 2021 with Smart Fabric Services enabled, contains an authentication bypass vulnerability. A remote unauthenticated attacker could exploit this vulnerability to gain access and perform actions on the affected system.
 
ID: CVE-2021-44228
Title: Remote code execution vulnerability in Apache Log4j (Log4Shell)
Description: Log4j2 is a ubiquitous library used by millions for Java applications. In Apache Log4j2, attackers can create customized requests to execute remote code. When message lookup replacement is allowed, an attacker with control over log messages or log message parameters can run arbitrary code imported from LDAP servers.
All versions of Log4j2 versions >= 2.0-beta9 and <= 2.14.1 are affected by this vulnerability.
 
ID: CVE-2021-21954
Title: Command execution vulnerability Anker Eufy Homebase 2.1.6.9h
Description: Anker Eufy Homebase 2.1.6.9h was determined to have vulnerability. This has an impact on the component Network Packet Handler's function wifi country code update in the file home security. The privilege escalation vulnerability is created by manipulating an unknown input.

ID: CVE-2021-39065
Title: Arbitrary code execution vulnerability in the IBM Spectrum Copy Data Management 2.2.13
Description: The poor validation of user-supplied information by the Spectrum Copy Data Management Admin Console login and uploadcertificate function in IBM Spectrum Copy Data Management 2.2.13 and older versions could allow a remote malicious user to execute arbitrary commands on the system. A remote attacker might insert arbitrary shell commands into the system, which would be executed. 214958 is the IBM X-Force ID.

Best regards,

CREODIAS Team
 
 
 
0 (0 Votes)