Security Vulnerabilities Notification

7/29/21 12:19 PM
Dear CREODIAS user, 

In the Security section customers will find information about the latest and most critical security vulnerabilities published in the last month by the SANS Institute (www.sans.org). Security vulnerabilities in software and hardware are very often used by cyber criminals to attack IT infrastructure and to steal or destroy company data, which is why companies are advised to fix those vulnerabilities as soon as possible.

ID: CVE-2020-14871  
Title: Buffer Overflow (Remote Code Execution) Vulnerability in Oracle Solaris Vendor: Oracle 
Description: Vulnerability in the Oracle Solaris product of Oracle Systems (component: Pluggable authentication module); the flaw is a stack-based buffer overflow in the PAM parse_user_name function, reachable without authentication, for example through SSH keyboard-interactive logins. Supported versions that are affected are 10 and 11. This easily exploitable vulnerability allows an unauthenticated attacker with network access via multiple protocols to compromise Oracle Solaris. While the vulnerability is in Oracle Solaris, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Oracle Solaris. Note: This CVE is not exploitable for Solaris 11.1 and later releases, and ZFSSA 8.7 and later releases.  

ID: CVE-2020-13927  
Title: Weak Authentication Vulnerability in Apache Airflow Vendor: Apache  
Description: The previous default setting for Airflow's Experimental API was to allow all API requests without authentication, but this poses security risks to users who miss this fact. From Airflow 1.10.11 the default has been changed to deny all requests by default and is documented at https://airflow.apache.org/docs/apache-airflow/1.10.11/security.html#api-authentication. Note this change fixes it for new installs but existing users need to change their config to default `auth_backend = airflow.api.auth.backend.deny_all` as mentioned in the Updating Guide: https://github.com/apache/airflow/blob/1.10.11/UPDATING.md#experimental-api-will-deny-all-request-by-default  
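As an added example, not part of the CREODIAS notification and not code from the Apache Airflow project, the Python script below audits an Airflow configuration for the setting described above. It reads the `[api] auth_backend` option from airflow.cfg text, honours the `AIRFLOW__API__AUTH_BACKEND` environment override that Airflow applies on top of the file, and treats a missing option as the pre-1.10.11 permissive default, which is exactly what an upgraded install inherits if nobody edited its config. The sample configurations inside it are constructed for the example.

```python
"""Audit an airflow.cfg for the unauthenticated Experimental API default (CVE-2020-13927).

Added example for this page; not code from CREODIAS or the Apache Airflow project.
"""
import configparser
from typing import Mapping, Optional

# Backend that Airflow <= 1.10.10 used by default: every API request is accepted
# without any authentication.
PERMISSIVE_BACKEND = "airflow.api.auth.backend.default"
# Backend that Airflow >= 1.10.11 uses by default: every request is rejected.
DENY_ALL_BACKEND = "airflow.api.auth.backend.deny_all"
# Environment variable with which Airflow overrides [api] auth_backend.
ENV_OVERRIDE = "AIRFLOW__API__AUTH_BACKEND"

# Constructed sample configs: the weak setting and the corrected one.
VULNERABLE_CFG = """
[api]
auth_backend = airflow.api.auth.backend.default
"""

FIXED_CFG = """
[api]
auth_backend = airflow.api.auth.backend.deny_all
"""

# An older install whose airflow.cfg never mentions the option at all.
UNSET_CFG = """
[core]
dags_folder = /opt/airflow/dags
"""


def effective_auth_backend(cfg_text: str, env: Optional[Mapping[str, str]] = None) -> str:
    """Return the auth backend Airflow would load for this config.

    Environment variables override the file, as Airflow does; an absent option
    falls back to the pre-1.10.11 permissive default.
    """
    if env and env.get(ENV_OVERRIDE):
        return env[ENV_OVERRIDE].strip()
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(cfg_text)
    # fallback= also covers a completely missing [api] section.
    return parser.get("api", "auth_backend", fallback=PERMISSIVE_BACKEND).strip()


def experimental_api_is_open(cfg_text: str, env: Optional[Mapping[str, str]] = None) -> bool:
    """True when the Experimental API accepts requests from anyone."""
    return effective_auth_backend(cfg_text, env) == PERMISSIVE_BACKEND


def audit(cfg_text: str, env: Optional[Mapping[str, str]] = None) -> str:
    """One-line verdict suitable for a fleet scan."""
    backend = effective_auth_backend(cfg_text, env)
    if backend == PERMISSIVE_BACKEND:
        return f"VULNERABLE: auth_backend={backend}; set [api] auth_backend = {DENY_ALL_BACKEND}"
    return f"OK: auth_backend={backend}"


if __name__ == "__main__":
    import os
    import sys

    # Usage: python audit_airflow_api.py /path/to/airflow.cfg
    with open(sys.argv[1], encoding="utf-8") as fh:
        print(audit(fh.read(), os.environ))
```

The check only flags the permissive backend shipped with Airflow; a custom `auth_backend` module that happens to accept every request would pass it, so treat any backend name you do not recognise as something to review by hand.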

ID: CVE-2017-5645 
Title: Deserialization Vulnerability in Apache Log4j Vendor: Apache, NetApp and Multiple Other Vendors 
Description: In Apache Log4j 2.x before 2.8.2, when using the TCP socket server or UDP socket server to receive serialized log events from another application, a specially crafted binary payload can be sent that, when deserialized, can execute arbitrary code.  

ID: CVE-2021-33790  
Title: Remote Code Execution Vulnerability in RebornCore Library Vendor: Tech Reborn 
Description: The RebornCore library before 4.7.3 allows remote code execution because it deserializes untrusted data in ObjectInputStream.readObject as part of reborncore.common.network.ExtendedPacketBuffer. An attacker can instantiate any class on the classpath with any data. A class usable for exploitation might or might not be present, depending on what Minecraft modifications are installed. 

ID: CVE-2021-23017  
Title: Buffer Overflow Vulnerability in Nginx Resolver Vendor: Nginx 
Description: A security issue in the nginx resolver was identified which might allow an attacker who is able to forge UDP packets from the DNS server to cause a 1-byte memory overwrite, resulting in a worker process crash or potentially other impact. The issue only affects nginx if the `resolver` directive is used in the configuration; it is fixed in nginx 1.21.0 and 1.20.1.  

ID: CVE-2021-34527  
Title: Windows Print Spooler Remote Code Execution Vulnerability Vendor: Microsoft 
Description: A remote code execution vulnerability in the Windows Print Spooler service (widely referred to as PrintNightmare). The service runs by default on all supported Windows client and server releases, including domain controllers, and the flaw allows a standard (non-administrative) Active Directory domain user to execute code with SYSTEM privileges on a remote host where the spooler is running.  

ID: CVE-2021-26078  
Title: XSS Vulnerability in Jira Vendor: Atlassian 
Description: The number range searcher component in Jira Server and Jira Data Center before version 8.5.14, from version 8.6.0 before version 8.13.6, and from version 8.14.0 before version 8.16.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability.  

ID: CVE-2020-35184  
Title: Blank Root Password in the Official Composer Docker Image Vendor: Composer (official Docker Hub image) 
Description: The official Composer Docker images before 1.8.3 ship with a blank password for the root user. A system that runs a container built from an affected image tag and exposes a service that authenticates against the container's system password database may allow a remote attacker to obtain root access with an empty password.  
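An added example, written for this page rather than taken from the Composer or Docker projects: the Python below parses the `/etc/shadow` of a container image and reports accounts whose password field is empty, which is the defect class described above. The sample shadow file is constructed to mirror that defect; the hash on its `composer` line is a placeholder, not a real credential.

```python
"""Find accounts with an empty password field in an /etc/shadow file.

Added example; not code from CREODIAS, Composer or Docker. An empty second
field means "no password": any service that authenticates against the system
password database and permits empty passwords lets anyone in as that user,
which is why an image shipping "root::..." is a critical finding.
"""
from typing import Dict, List

# Constructed sample /etc/shadow modelled on the defect above (the "composer"
# hash is a placeholder, not a real credential).
SAMPLE_SHADOW = """\
root::18700:0:99999:7:::
daemon:*:18700:0:99999:7:::
bin:!:18700:0:99999:7:::
nobody:!:18700:0:99999:7:::
composer:$6$saltsalt$placeholderhashvalue:18700:0:99999:7:::
"""

# The same file after the fix: password authentication for root is locked.
FIXED_SHADOW = SAMPLE_SHADOW.replace("root::", "root:!:", 1)


def parse_shadow(text: str) -> Dict[str, str]:
    """Map user name -> password field. Malformed lines are skipped."""
    entries: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        # shadow(5) defines nine colon-separated fields; tolerate short lines
        # but require at least the name and password fields.
        if len(fields) < 2 or not fields[0]:
            continue
        entries[fields[0]] = fields[1]
    return entries


def password_state(hash_field: str) -> str:
    """Classify a shadow password field.

    ""         -> "blank":  no password is required
    "!" or "*" -> "locked": password authentication is disabled
    anything else is treated as a stored hash -> "hashed"
    """
    if hash_field == "":
        return "blank"
    if hash_field.startswith(("!", "*")):
        return "locked"
    return "hashed"


def passwordless_accounts(text: str) -> List[str]:
    """Names of accounts that can authenticate with an empty password."""
    return sorted(user for user, pw in parse_shadow(text).items()
                  if password_state(pw) == "blank")


def privileged_blank_accounts(text: str, privileged=("root",)) -> List[str]:
    """Subset of passwordless accounts that are privileged (root by default)."""
    return [u for u in passwordless_accounts(text) if u in privileged]


if __name__ == "__main__":
    import sys
    # Usage: docker run --rm --entrypoint cat composer:<tag> /etc/shadow | python check_shadow.py
    findings = passwordless_accounts(sys.stdin.read())
    print("passwordless accounts:", ", ".join(findings) or "none")
```

Whether a blank field is actually usable depends on the service in front of it: OpenSSH rejects empty passwords unless `PermitEmptyPasswords yes` is set and PAM's pam_unix rejects them without `nullok`, while the busybox `login`/`su` found in Alpine-based images accepts them outright, so the finding should be fixed in the image regardless of which services are exposed today.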

ID: CVE-2021-34458  
Title: Windows Kernel Remote Code Execution Vulnerability Vendor: Microsoft 
Description: This issue allows an SR-IOV device that is assigned to a guest virtual machine to potentially interfere with its PCIe siblings that are attached to other guests or to the root (host) partition. SR-IOV is the mechanism by which several virtual machines share a single physical PCIe device on the virtualisation host, so the impact is confined to hosts that run guests with SR-IOV devices assigned.  

Best regards, 
CREODIAS Team   

Sen4CAP ready to use solution on CREODIAS 

The Sen4CAP software is available in the CREODIAS cloud environment as an easy-to-run image. When this image is installed on a CREODIAS virtual machine, any user can run the Sen4CAP software, benefiting both from direct access to the complete Copernicus Sentinel satellite data repository and from the dynamically scalable processing capacity of the CREODIAS cloud computing environment.

To meet the needs of Paying Agencies and the companies supporting them, we advise on sizing the environment and provide domain knowledge about the Sen4CAP software itself and the use of satellite data in it. Through customer support and constant contact during the use of our service, we pass the feedback we gather on to the software developers so that it can be improved continuously.

Contact us and join the group of Sen4CAP users who have taken their agricultural crop monitoring to a higher level.
Send an email to our Sales Department: sales@creodias.eu.

For more information please visit our Sen4CAP section and the How to use Sen4CAP on CREODIAS tutorial.
