Vulnerability Summary for the Week of January 25, 2010
The CISA Vulnerability Bulletin provides a summary of new vulnerabilities that have been recorded in the past week. In some cases, the vulnerabilities in the bulletin may not yet have assigned CVSS scores.
Vulnerabilities are based on the Common Vulnerabilities and Exposures (CVE) vulnerability naming standard and are organized according to severity, determined by the Common Vulnerability Scoring System (CVSS) standard. The division of high, medium, and low severities corresponds to the following scores:
- High: vulnerabilities with a CVSS base score of 7.0–10.0
- Medium: vulnerabilities with a CVSS base score of 4.0–6.9
- Low: vulnerabilities with a CVSS base score of 0.0–3.9
Entries may include additional information provided by organizations and efforts sponsored by CISA. This information may include identifying information, values, definitions, and related links. Patch information is provided when available. Please note that some of the information in the bulletin is compiled from external, open-source reports and is not a direct result of CISA analysis.
High Vulnerabilities
Primary Vendor -- Product | Description | Published | CVSS Score | Source & Patch Info |
---|---|---|---|---|
a3malnet -- magic-portal | SQL injection vulnerability in home.php in magic-portal 2.1 allows remote attackers to execute arbitrary SQL commands via the id parameter. | 2010-01-28 | 7.5 | CVE-2010-0457 XF MISC MISC |
cisco -- unified_meetingplace | Cisco Unified MeetingPlace 7 before 7.0(2.3) hotfix 5F, 6 before 6.0.639.2, and possibly 5 does not properly validate SQL commands, which allows remote attackers to create, modify, or delete data in a database via unspecified vectors, aka Bug ID CSCtc39691. | 2010-01-28 | 9.0 | CVE-2010-0139 CISCO |
cisco -- unified_meetingplace | Multiple unspecified vulnerabilities in the web server in Cisco Unified MeetingPlace 7 before 7.0(2.3) hotfix 5F, 6 before 6.0.639.3, and possibly 5 allow remote attackers to create (1) user or (2) administrator accounts via a crafted URL in a request to the internal interface, aka Bug IDs CSCtc59231 and CSCtd40661. | 2010-01-28 | 10.0 | CVE-2010-0140 CISCO |
cisco -- unified_meetingplace | MeetingTime in Cisco Unified MeetingPlace 6 before MR5, and possibly 5, allows remote authenticated users to gain privileges via a modified authentication sequence, aka Bug ID CSCsv66530. | 2010-01-28 | 8.5 | CVE-2010-0142 CISCO |
embarcadero -- interbase_smp_2009 | Multiple stack-based buffer overflows in Embarcadero Technologies InterBase SMP 2009 9.0.3.437 allow remote attackers to execute arbitrary code via unknown vectors involving crafted packets. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. | 2010-01-26 | 10.0 | CVE-2010-0391 BID SECUNIA OSVDB |
fabricadigital -- publique | SQL injection vulnerability in cgi/cgilua.exe/sys/start.htm in Publique! 2.3 allows remote attackers to execute arbitrary SQL commands via the sid parameter. | 2010-01-28 | 7.5 | CVE-2010-0454 BUGTRAQ SECUNIA MISC OSVDB |
indianpulses -- com_gameserver | SQL injection vulnerability in the indianpulse Game Server (com_gameserver) component 1.2 for Joomla! allows remote attackers to execute arbitrary SQL commands via the grp parameter in a gameserver action to index.php. | 2010-01-28 | 7.5 | CVE-2010-0456 XF BID BID MISC |
intel -- e1000 linux -- kernel linux -- kernel | The ipv6_hop_jumbo function in net/ipv6/exthdrs.c in the Linux kernel before 2.6.32.4, when network namespaces are enabled, allows remote attackers to cause a denial of service (NULL pointer dereference) via an invalid IPv6 jumbogram, a related issue to CVE-2007-4567. | 2010-01-26 | 7.1 | CVE-2010-0006 CONFIRM BID OSVDB MLIST CONFIRM CONFIRM SECUNIA SECUNIA MLIST FEDORA CONFIRM MISC CONFIRM |
linux -- kernel redhat -- enterprise_linux | A certain Red Hat patch for net/ipv4/route.c in the Linux kernel 2.6.18 on Red Hat Enterprise Linux (RHEL) 5 allows remote attackers to cause a denial of service (deadlock) via crafted packets that force collisions in the IPv4 routing hash table, and trigger a routing "emergency" in which a hash chain is too long. NOTE: this is related to an issue in the Linux kernel before 2.6.31, when the kernel routing cache is disabled, involving an uninitialized pointer and a panic. | 2010-01-27 | 7.8 | CVE-2009-4272 REDHAT CONFIRM XF MLIST MLIST CONFIRM CONFIRM CONFIRM |
netart_media -- blog_system | Multiple SQL injection vulnerabilities in NetArt Media Blog System 1.5 allow remote attackers to execute arbitrary SQL commands via the (1) cat parameter to index.php log.php and the (2) note parameter to b. | 2010-01-28 | 7.5 | CVE-2010-0458 XF BID MISC MISC |
phpf1 -- max's_image_uploader | Unrestricted file upload vulnerability in maxImageUpload/index.php in PHP F1 Max's Image Uploader 1.0, when Apache is not configured to handle the mime-type for files with pjpeg or jpeg extensions, allows remote attackers to execute arbitrary code by uploading a file with a pjpeg or jpeg extension, then accessing it via a direct request to the file in original/. NOTE: some of these details are obtained from third party information. | 2010-01-26 | 9.3 | CVE-2010-0390 MISC SECUNIA OSVDB |
realnetworks -- helix_player realnetworks -- realplayer realnetworks -- realplayer_enterprise realnetworks -- realplayer_sp | Heap-based buffer overflow in RealNetworks RealPlayer 10, RealPlayer 10.5 6.0.12.1040 through 6.0.12.1741, RealPlayer 11 11.0.0 through 11.0.4, RealPlayer Enterprise, Mac RealPlayer 10 and 10.1, Linux RealPlayer 10, and Helix Player 10.x allows remote attackers to execute arbitrary code via a file with invalid ASMRuleBook structures that trigger heap memory corruption. | 2010-01-25 | 9.3 | CVE-2009-4241 MISC VUPEN CONFIRM |
realnetworks -- helix_player realnetworks -- realplayer realnetworks -- realplayer_enterprise realnetworks -- realplayer_sp | Heap-based buffer overflow in RealNetworks RealPlayer 10; RealPlayer 10.5 6.0.12.1040 through 6.0.12.1741; RealPlayer 11 11.0.0 through 11.0.4; RealPlayer Enterprise; Mac RealPlayer 10, 10.1, and 11.0; Linux RealPlayer 10; and Helix Player 10.x allows remote attackers to execute arbitrary code via a GIF file with crafted chunk sizes that trigger improper memory allocation. | 2010-01-25 | 9.3 | CVE-2009-4242 MISC VUPEN CONFIRM SECTRACK |
realnetworks -- helix_player realnetworks -- realplayer realnetworks -- realplayer_enterprise realnetworks -- realplayer_sp | RealNetworks RealPlayer 10, RealPlayer 10.5 6.0.12.1040 through 6.0.12.1741, RealPlayer 11 11.0.0 through 11.0.4, RealPlayer Enterprise, Mac RealPlayer 10 and 10.1, Linux RealPlayer 10, and Helix Player 10.x allow remote attackers to have an unspecified impact via a crafted media file that uses HTTP chunked transfer coding, related to an "overflow." | 2010-01-25 | 9.3 | CVE-2009-4243 VUPEN CONFIRM SECTRACK |
realnetworks -- helix_player realnetworks -- realplayer realnetworks -- realplayer_enterprise realnetworks -- realplayer_sp | Heap-based buffer overflow in RealNetworks RealPlayer 10; RealPlayer 10.5 6.0.12.1040 through 6.0.12.1741; RealPlayer 11 11.0.0 through 11.0.4; RealPlayer Enterprise; Mac RealPlayer 10, 10.1, and 11.0; Linux RealPlayer 10; and Helix Player 10.x allows remote attackers to execute arbitrary code via an SIPR codec field with a small length value that triggers incorrect memory allocation. | 2010-01-25 | 9.3 | CVE-2009-4244 MISC VUPEN CONFIRM SECTRACK |
realnetworks -- helix_player realnetworks -- realplayer realnetworks -- realplayer_enterprise realnetworks -- realplayer_sp | Heap-based buffer overflow in RealNetworks RealPlayer 10, RealPlayer 10.5 6.0.12.1040 through 6.0.12.1741, RealPlayer 11 11.0.0 through 11.0.4, RealPlayer Enterprise, Mac RealPlayer 10 and 10.1, Linux RealPlayer 10, and Helix Player 10.x allows remote attackers to have an unspecified impact via a compressed GIF file. | 2010-01-25 | 9.3 | CVE-2009-4245 VUPEN CONFIRM SECTRACK |
realnetworks -- helix_player realnetworks -- realplayer realnetworks -- realplayer_enterprise realnetworks -- realplayer_sp | Stack-based buffer overflow in RealNetworks RealPlayer 10, RealPlayer 10.5 6.0.12.1040 through 6.0.12.1741, RealPlayer 11 11.0.0 through 11.0.4, RealPlayer Enterprise, Mac RealPlayer 10 and 10.1, Linux RealPlayer 10, and Helix Player 10.x allows user-assisted remote attackers to execute arbitrary code via a malformed .RJS skin file that contains a web.xmb file with crafted length values. | 2010-01-25 | 9.3 | CVE-2009-4246 MISC VUPEN CONFIRM SECTRACK |
realnetworks -- helix_player realnetworks -- realplayer realnetworks -- realplayer_enterprise realnetworks -- realplayer_sp | RealNetworks RealPlayer 10; RealPlayer 10.5 6.0.12.1040 through 6.0.12.1741; RealPlayer 11 11.0.x; RealPlayer SP 1.0.0 and 1.0.1; RealPlayer Enterprise; Mac RealPlayer 10, 10.1, 11.0, and 11.0.1; Linux RealPlayer 10, 11.0.0, and 11.0.1; and Helix Player 10.x, 11.0.0, and 11.0.1 allow remote attackers to have an unspecified impact via a crafted ASM RuleBook, related to an "array overflow." | 2010-01-25 | 9.3 | CVE-2009-4247 VUPEN CONFIRM SECTRACK |
realnetworks -- helix_player realnetworks -- realplayer realnetworks -- realplayer_enterprise realnetworks -- realplayer_sp | Buffer overflow in RealNetworks RealPlayer 10, RealPlayer 10.5 6.0.12.1040 through 6.0.12.1741, RealPlayer 11 11.0.0 through 11.0.4, RealPlayer Enterprise, Mac RealPlayer 10 and 10.1, Linux RealPlayer 10, and Helix Player 10.x allows remote attackers to have an unspecified impact via a crafted RTSP SET_PARAMETER request. | 2010-01-25 | 9.3 | CVE-2009-4248 VUPEN CONFIRM SECTRACK |
realnetworks -- helix_player realnetworks -- realplayer realnetworks -- realplayer_enterprise realnetworks -- realplayer_sp | Heap-based buffer overflow in smlrender.dll in RealNetworks RealPlayer 10, RealPlayer 10.5 6.0.12.1040 through 6.0.12.1741, RealPlayer 11 11.0.0 through 11.0.4, RealPlayer Enterprise, Mac RealPlayer 10 and 10.1, Linux RealPlayer 10 and 11.0.0, and Helix Player 10.x and 11.0.0 allows remote attackers to execute arbitrary code via an SMIL file with crafted string lengths. | 2010-01-25 | 9.3 | CVE-2009-4257 MISC VUPEN CONFIRM SECTRACK |
sun -- java_system_web_server | Multiple heap-based buffer overflows in (1) webservd and (2) the admin server in Sun Java System Web Server 7.0 Update 7 allow remote attackers to cause a denial of service (daemon crash) and possibly have unspecified other impact via a long string in an "Authorization: Digest" HTTP header. | 2010-01-25 | 7.5 | CVE-2010-0387 XF BID SECTRACK MLIST MISC |
sun -- java_system_web_server | Format string vulnerability in the WebDAV implementation in webservd in Sun Java System Web Server 7.0 Update 6 allows remote attackers to cause a denial of service (daemon crash) and possibly have unspecified other impact via format string specifiers in the encoding attribute of the XML declaration in a PROPFIND request. | 2010-01-25 | 7.5 | CVE-2010-0388 XF BID MISC |
sun -- change_manager | Buffer overflow in pamverifier in Change Manager (CM) 1.0 for Sun Management Center (SunMC) 3.0 on Solaris 8 and 9 on the sparc platform allows remote attackers to execute arbitrary code via unspecified vectors. | 2010-01-28 | 10.0 | CVE-2003-1576 SUNALERT CONFIRM |
sun -- storedge_6130_arrays | Unspecified vulnerability on certain Sun StorEdge 6130 (SE6130) Controller Arrays allows remote attackers to delete data via unknown vectors. | 2010-01-28 | 7.5 | CVE-2005-4885 SUNALERT |
systemtap -- systemtap | stap-server in SystemTap before 1.1 allows remote attackers to execute arbitrary commands via shell metacharacters in stap command-line arguments in a request. | 2010-01-26 | 10.0 | CVE-2009-4273 CONFIRM FEDORA |
thegreenbow -- ipsec_vpn_client | Stack-based buffer overflow in vpnconf.exe in TheGreenBow IPSec VPN Client 4.51.001, 4.65.003, and possibly other versions, allows user-assisted remote attackers to execute arbitrary code via a long OpenScriptAfterUp parameter in a policy (.tgb) file, related to "phase 2." | 2010-01-26 | 9.3 | CVE-2010-0392 CONFIRM MISC |
yoflash -- com_mochigames | SQL injection vulnerability in the Mochigames (com_mochigames) component 0.51 and possibly other versions for Joomla! allows remote attackers to execute arbitrary SQL commands via the id parameter to index.php. | 2010-01-28 | 7.5 | CVE-2010-0459 XF BID MISC MISC |
Medium Vulnerabilities
Primary Vendor -- Product | Description | Published | CVSS Score | Source & Patch Info |
---|---|---|---|---|
apache -- tomcat | Directory traversal vulnerability in Apache Tomcat 5.5.0 through 5.5.28 and 6.0.0 through 6.0.20 allows remote attackers to create or overwrite arbitrary files via a .. (dot dot) in an entry in a WAR file, as demonstrated by a ../../bin/catalina.bat entry. | 2010-01-28 | 5.8 | CVE-2009-2693 VUPEN CONFIRM CONFIRM CONFIRM |
apache -- tomcat | The autodeployment process in Apache Tomcat 5.5.0 through 5.5.28 and 6.0.0 through 6.0.20, when autoDeploy is enabled, deploys appBase files that remain from a failed undeploy, which might allow remote attackers to bypass intended authentication requirements via HTTP requests. | 2010-01-28 | 4.3 | CVE-2009-2901 VUPEN CONFIRM CONFIRM CONFIRM CONFIRM |
apache -- tomcat | Directory traversal vulnerability in Apache Tomcat 5.5.0 through 5.5.28 and 6.0.0 through 6.0.20 allows remote attackers to delete work-directory files via directory traversal sequences in a WAR filename, as demonstrated by the ...war filename. | 2010-01-28 | 4.3 | CVE-2009-2902 XF BID BUGTRAQ SECTRACK SECUNIA |
cisco -- unified_meetingplace | MeetingTime in Cisco Unified MeetingPlace 6 before MR5, and possibly 5, allows remote attackers to discover usernames, passwords, and unspecified other data from the user database via a modified authentication sequence to the Audio Server, aka Bug ID CSCsv76935. | 2010-01-28 | 6.4 | CVE-2010-0141 CISCO |
gnu -- gzip gzip -- gzip | The huft_build function in inflate.c in gzip before 1.3.13 creates a hufts (aka huffman) table that is too small, which allows remote attackers to cause a denial of service (application crash or infinite loop) or possibly execute arbitrary code via a crafted archive. NOTE: this issue is caused by a CVE-2006-4334 regression. | 2010-01-29 | 6.8 | CVE-2009-2624 CONFIRM VUPEN UBUNTU MANDRIVA DEBIAN SECUNIA SECUNIA SECUNIA SUSE CONFIRM CONFIRM MLIST |
gnu -- gzip gzip -- gzip | Integer underflow in the unlzw function in unlzw.c in gzip before 1.4 on 64-bit platforms allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted archive that uses LZW compression, leading to an array index error. | 2010-01-29 | 6.8 | CVE-2010-0001 CONFIRM VUPEN UBUNTU REDHAT OSVDB MANDRIVA MANDRIVA DEBIAN SECTRACK SECUNIA SECUNIA SECUNIA SECUNIA CONFIRM SUSE CONFIRM |
hp -- openview_storage_data_protector | Unspecified vulnerability in HP OpenView Storage Data Protector 6.00 and 6.10 allows local users to obtain unspecified "access" via unknown vectors. | 2010-01-28 | 4.6 | CVE-2009-4183 VUPEN CONFIRM CONFIRM CONFIRM CONFIRM |
ibm -- lotus_domino_server | The default configuration of the web server in IBM Lotus Domino Server, possibly 6.0 through 8.0, enables the HTTP TRACE method, which makes it easier for remote attackers to steal cookies and authentication credentials via a cross-site tracing (XST) attack, a related issue to CVE-2004-2763 and CVE-2005-3398. | 2010-01-25 | 4.3 | CVE-2008-7253 CERT-VN CONFIRM CONFIRM CONFIRM |
ibm -- db2 | Heap-based buffer overflow in IBM DB2 9.7 and 9.7.1 on Linux allows remote authenticated users to have an unspecified impact via a SELECT statement that has a long column name generated with the REPEAT function. | 2010-01-28 | 6.5 | CVE-2010-0462 XF BID SECTRACK MISC |
intel -- e1000 linux -- kernel linux -- kernel | The print_fatal_signal function in kernel/signal.c in the Linux kernel before 2.6.32.4 on the i386 platform, when print-fatal-signals is enabled, allows local users to discover the contents of arbitrary memory locations by jumping to an address and then reading a log file, and might allow local users to cause a denial of service (system slowdown or crash) by jumping to an address. | 2010-01-26 | 5.4 | CVE-2010-0003 CONFIRM MLIST MLIST CONFIRM SECUNIA CONFIRM FEDORA CONFIRM |
joomla -- com_casino | SQL injection vulnerability in the casino (com_casino) component 1.0 for Joomla! allows remote attackers to execute arbitrary SQL commands via the id parameter in a (1) category or (2) player action to index.php. | 2010-01-28 | 6.5 | CVE-2010-0461 XF BID MISC MISC |
mozilla -- seamonkey mozilla -- thunderbird | Mozilla Necko, as used in Thunderbird 3.0.1, SeaMonkey, and other applications, performs DNS prefetching even when the app type is APP_TYPE_MAIL or APP_TYPE_EDITOR, which makes it easier for remote attackers to determine the network location of the application's user by logging DNS requests, as demonstrated by DNS requests triggered by reading text/plain e-mail messages in Thunderbird. | 2010-01-29 | 5.0 | CVE-2009-4629 MISC CONFIRM |
mozilla -- seamonkey mozilla -- thunderbird | Mozilla Necko, as used in Firefox, SeaMonkey, and other applications, performs DNS prefetching of domain names contained in links within local HTML documents, which makes it easier for remote attackers to determine the network location of the application's user by logging DNS requests. NOTE: the vendor disputes the significance of this issue, stating "I don't think we necessarily need to worry about that case." | 2010-01-29 | 5.0 | CVE-2009-4630 MISC MISC |
oracle -- database_server | Unspecified vulnerability in the Oracle OLAP component in Oracle Database Server 10.1.0.4 (10g) allows remote authenticated attackers to affect availability via unknown vectors, aka DB02. | 2010-01-25 | 6.8 | CVE-2005-4884 CONFIRM |
punbb -- punbb | Cross-site scripting (XSS) vulnerability in forum/viewtopic.php in PunBB 1.3 allows remote attackers to inject arbitrary web script or HTML via the pid parameter. | 2010-01-28 | 4.3 | CVE-2010-0455 XF BID MISC |
sun -- java_system_application_server | The default configuration of Sun Java System Application Server 7 and 7 2004Q2 enables the HTTP TRACE method, which makes it easier for remote attackers to steal cookies and authentication credentials via a cross-site tracing (XST) attack, a related issue to CVE-2004-2763 and CVE-2005-3398. | 2010-01-25 | 4.3 | CVE-2010-0386 SUNALERT |
sun -- java_system_web_server | The admin server in Sun Java System Web Server 7.0 Update 6 allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via an HTTP request that lacks a method token. | 2010-01-25 | 5.0 | CVE-2010-0389 MISC |
sun -- iplanet_messaging_server sun -- one_messaging_server | Cross-site scripting (XSS) vulnerability in Webmail in Sun ONE Messaging Server 6.1 and iPlanet Messaging Server 5.2 before 5.2hf2.02, when Internet Explorer is used, allows remote attackers to inject arbitrary web script or HTML via a crafted e-mail message, a different vulnerability than CVE-2005-2022 and CVE-2006-5486. | 2010-01-28 | 4.3 | CVE-2004-2765 SUNALERT CONFIRM |
sun -- iplanet_messaging_server sun -- one_messaging_server | Webmail in Sun ONE Messaging Server 6.1 and iPlanet Messaging Server 5.2 before 5.2hf2.02 allows remote attackers to obtain unspecified "access" to e-mail via a crafted e-mail message, related to a "session hijacking" issue, a different vulnerability than CVE-2005-2022 and CVE-2006-5486. | 2010-01-28 | 4.3 | CVE-2004-2766 SUNALERT CONFIRM |
symantec -- vxfs | VERITAS File System (VxFS) 3.3.3, 3.4, and 3.5 before MP1 Rolling Patch 02 for Sun Solaris 2.5.1 through 9 does not properly implement inheritance of default ACLs in certain circumstances related to the characteristics of a directory inode, which allows local users to bypass intended file permissions by accessing a file on a VxFS filesystem. | 2010-01-28 | 4.6 | CVE-2003-1575 SUNALERT CONFIRM |
tor -- tor | Tor before 0.2.1.22, and 0.2.2.x before 0.2.2.7-alpha, uses deprecated identity keys for certain directory authorities, which makes it easier for man-in-the-middle attackers to compromise the anonymity of traffic sources and destinations. | 2010-01-25 | 5.0 | CVE-2010-0383 BID SECUNIA MLIST MLIST MLIST MLIST |
tor -- tor | Tor before 0.2.1.22, and 0.2.2.x before 0.2.2.7-alpha, when functioning as a bridge directory authority, allows remote attackers to obtain sensitive information about bridge identities and bridge descriptors via a dbg-stability.txt directory query. | 2010-01-25 | 5.0 | CVE-2010-0385 BID OSVDB SECUNIA MLIST MLIST |
Low Vulnerabilities
Primary Vendor -- Product | Description | Published | CVSS Score | Source & Patch Info |
---|---|---|---|---|
kayako -- esupport kayako -- supportsuite | Multiple cross-site scripting (XSS) vulnerabilities in staff/index.php in Kayako SupportSuite 3.60.04 and earlier allow remote authenticated users to inject arbitrary web script or HTML via the (1) subject parameter and (2) contents parameter (aka body) in an insertquestion action. NOTE: some of these details are obtained from third party information. | 2010-01-28 | 3.5 | CVE-2010-0460 XF BID BUGTRAQ SECUNIA MISC OSVDB |
linux -- kernel redhat -- enterprise_linux | A certain Red Hat configuration step for the qla2xxx driver in the Linux kernel 2.6.18 on Red Hat Enterprise Linux (RHEL) 5, when N_Port ID Virtualization (NPIV) hardware is used, sets world-writable permissions for the (1) vport_create and (2) vport_delete files under /sys/class/scsi_host/, which allows local users to make arbitrary changes to SCSI host attributes by modifying these files. | 2010-01-27 | 1.9 | CVE-2009-3556 REDHAT CONFIRM XF MLIST |
tor -- tor | Tor 0.2.2.x before 0.2.2.7-alpha, when functioning as a directory mirror, does not prevent logging of the client IP address upon detection of erroneous client behavior, which might make it easier for local users to discover the identities of clients in opportunistic circumstances by reading log files. | 2010-01-25 | 2.1 | CVE-2010-0384 MLIST |