Vulnerability Summary for the Week of July 25, 2011
Released
Aug 02, 2011
Document ID
SB11-213
The CISA Vulnerability Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week. NVD is sponsored by CISA. In some cases, the vulnerabilities in the bulletin may not yet have assigned CVSS scores. Please visit NVD for updated vulnerability entries, which include CVSS scores once they are available.
Vulnerabilities are based on the Common Vulnerabilities and Exposures (CVE) vulnerability naming standard and are organized according to severity, determined by the Common Vulnerability Scoring System (CVSS) standard. The division of high, medium, and low severities correspond to the following scores:
- High: vulnerabilities with a CVSS base score of 7.0–10.0
- Medium: vulnerabilities with a CVSS base score of 4.0–6.9
- Low: vulnerabilities with a CVSS base score of 0.0–3.9
Entries may include additional information provided by organizations and efforts sponsored by CISA. This information may include identifying information, values, definitions, and related links. Patch information is provided when available. Please note that some of the information in the bulletin is compiled from external, open-source reports and is not a direct result of CISA analysis.
High Vulnerabilities
| Primary Vendor -- Product | Description | Published | CVSS Score | Source & Patch Info |
|---|---|---|---|---|
| azeotech -- daqfactory | AzeoTech DAQFactory before 5.85 (Build 1842) does not perform authentication for certain signals, which allows remote attackers to cause a denial of service (system reboot or shutdown) via a signal. | 2011-07-28 | 7.8 | CVE-2011-2956 |
| ca -- gateway_security | Icihttp.exe in CA Gateway Security for HTTP, as used in CA Gateway Security 8.1 before 8.1.0.69 and CA Total Defense r12, does not properly parse URLs, which allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption and daemon crash) via a malformed request. | 2011-07-28 | 10.0 | CVE-2011-2667 |
| cisco -- sa500_software | The web-based management interface on Cisco SA 500 series security appliances with software before 2.1.19 allows remote authenticated users to execute arbitrary commands via crafted parameters to web forms, aka Bug ID CSCtq65681. | 2011-07-28 | 9.0 | CVE-2011-2547 |
| cisco -- asr_9006_router | Unspecified vulnerability in Cisco IOS XR 4.1.x before 4.1.1 on Cisco Aggregation Services Routers (ASR) 9000 series devices allows remote attackers to cause a denial of service (line-card reload) via an IPv4 packet, aka Bug ID CSCtr26695. | 2011-07-28 | 7.8 | CVE-2011-2549 |
| drupal -- drupal | Drupal 7.x before 7.3 allows remote attackers to bypass intended node_access restrictions via vectors related to a listing that shows nodes but lacks a JOIN clause for the node table. | 2011-07-26 | 7.5 | CVE-2011-2687 |
| gimp -- gimp | Heap-based buffer overflow in the read_channel_data function in file-psp.c in the Paint Shop Pro (PSP) plugin in GIMP 2.6.11 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a PSP_COMP_RLE (aka RLE compression) image file that begins a long run count at the end of the image. NOTE: some of these details are obtained from third party information. NOTE: this vulnerability exists because of an incomplete fix for CVE-2010-4543. | 2011-07-26 | 7.5 | CVE-2011-1782 |
| google -- picasa | Google Picasa before 3.6 Build 105.67 does not properly handle invalid properties in JPEG images, which allows remote attackers to execute arbitrary code via a crafted image file. | 2011-07-28 | 9.3 | CVE-2011-2747 |
| ibm -- lotus_symphony | Multiple unspecified vulnerabilities in IBM Lotus Symphony 3 before FP3 have unknown impact and attack vectors, related to "critical security vulnerability issues." | 2011-07-27 | 10.0 | CVE-2011-2884 |
| jan_wolter -- mod_authnz_external | SQL injection vulnerability in mysql/mysql-auth.pl in the mod_authnz_external module 3.2.5 and earlier for the Apache HTTP Server allows remote attackers to execute arbitrary SQL commands via the user field. | 2011-07-28 | 7.5 | CVE-2011-2688 |
| nrl -- opie | Multiple off-by-one errors in opiesu.c in opiesu in OPIE 2.4.1-test1 and earlier might allow local users to gain privileges via a crafted command line. | 2011-07-26 | 7.2 | CVE-2011-2489 |
| nrl -- opie | opielogin.c in opielogin in OPIE 2.4.1-test1 and earlier does not check the return value of the setuid system call, which allows local users to gain privileges by arranging for an account to already be running its maximum number of processes. | 2011-07-26 | 7.2 | CVE-2011-2490 |
Medium Vulnerabilities
| Primary Vendor -- Product | Description | Published | CVSS Score | Source & Patch Info |
|---|---|---|---|---|
| chyrp -- chyrp | upload_handler.php in the swfupload extension in Chyrp 2.0 and earlier relies on client-side JavaScript code to restrict the file extensions of uploaded files, which allows remote authenticated users to upload a .php file, and consequently execute arbitrary PHP code, via a write_post action to the default URI under admin/. | 2011-07-26 | 6.5 | CVE-2011-2745 |
| cisco -- sa500_software | SQL injection vulnerability in the web-based management interface on Cisco SA 500 series security appliances with software before 2.1.19 allows remote attackers to execute arbitrary SQL commands via unspecified vectors, aka Bug ID CSCtq65669. | 2011-07-28 | 5.0 | CVE-2011-2546 |
| debian -- apt | APT before 0.8.15.2 does not properly validate inline GPG signatures, which allows man-in-the-middle attackers to install modified packages via vectors involving lack of an initial clearsigned message. | 2011-07-26 | 4.3 | CVE-2011-1829 |
| ecava -- integraxor | Multiple cross-site scripting (XSS) vulnerabilities in Ecava IntegraXor before 3.60 (Build 4080) allow remote attackers to inject arbitrary web script or HTML via unspecified vectors. | 2011-07-28 | 4.3 | CVE-2011-2958 |
| fabfile -- fabric | Fabric before 1.1.0 allows local users to overwrite arbitrary files via a symlink attack on (1) a /tmp/fab.*.tar file or (2) certain other files in the top level of /tmp/. | 2011-07-26 | 4.4 | CVE-2011-2185 |
| google -- search_appliance | Cross-site scripting (XSS) vulnerability in Google Search Appliance before 5.0 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | 2011-07-28 | 4.3 | CVE-2011-1339 |
| ibm -- lotus_symphony | IBM Lotus Symphony 3 before FP3 allows remote attackers to cause a denial of service (application crash) via the sample .doc document that incorporates a user-defined toolbar. | 2011-07-27 | 4.3 | CVE-2011-2885 |
| ibm -- lotus_symphony | IBM Lotus Symphony 3 before FP3 allows remote attackers to cause a denial of service (application crash) via a .docx document with empty bullet styles for parent bullets. | 2011-07-27 | 4.3 | CVE-2011-2886 |
| ibm -- lotus_symphony | IBM Lotus Symphony 3 before FP3 on Linux allows remote attackers to cause a denial of service (application crash) via a certain sample document. | 2011-07-27 | 4.3 | CVE-2011-2887 |
| ibm -- lotus_symphony | IBM Lotus Symphony 3 before FP3 allows remote attackers to cause a denial of service (application hang) via complex graphics in a presentation. | 2011-07-27 | 4.3 | CVE-2011-2888 |
| ibm -- lotus_symphony | The DataPilot feature in IBM Lotus Symphony 3 before FP3 allows user-assisted remote attackers to cause a denial of service (application crash) via a large .xls spreadsheet with an invalid Value reference. | 2011-07-27 | 4.3 | CVE-2011-2893 |
| joomla -- joomla! | Joomla! before 1.5.23 does not properly check for errors, which allows remote attackers to obtain sensitive information via unspecified vectors. | 2011-07-27 | 5.0 | CVE-2011-2488 |
| joomla -- joomla! | Multiple cross-site scripting (XSS) vulnerabilities in Joomla! before 1.6.4 allow remote attackers to inject arbitrary web script or HTML via (1) the query string to the com_contact component, as demonstrated by the Itemid parameter to index.php; (2) the query string to the com_content component, as demonstrated by the filter_order parameter to index.php; (3) the query string to the com_newsfeeds component, as demonstrated by an arbitrary parameter to index.php; or (4) the option parameter in a reset.request action to index.php; and, when Internet Explorer or Konqueror is used, (5) allow remote attackers to inject arbitrary web script or HTML via the searchword parameter in a search action to index.php in the com_search component. | 2011-07-27 | 4.3 | CVE-2011-2509 |
| joomla -- joomla! | Multiple cross-site scripting (XSS) vulnerabilities in Joomla! before 1.7.0 allow remote attackers to inject arbitrary web script or HTML via (1) the URI to includes/application.php, reachable through index.php; and, when Internet Explorer or Konqueror is used, (2) allow remote attackers to inject arbitrary web script or HTML via the searchword parameter in a search action to index.php in the com_search component. NOTE: vector 2 exists because of an incomplete fix for CVE-2011-2509.5. | 2011-07-27 | 4.3 | CVE-2011-2710 |
| joomla -- joomla! | templates/system/error.php in Joomla! before 1.5.23 might allow remote attackers to obtain sensitive information via unspecified vectors that trigger an undefined value of a certain error field, leading to disclosure of the installation path. NOTE: this might overlap CVE-2011-2488. | 2011-07-27 | 5.0 | CVE-2011-2889 |
| joomla -- joomla! | The MediaViewMedia class in administrator/components/com_media/views/media/view.html.php in Joomla! 1.5.23 and earlier allows remote attackers to obtain sensitive information via vectors involving the base variable, leading to disclosure of the installation path, a different vulnerability than CVE-2011-2488. | 2011-07-27 | 5.0 | CVE-2011-2890 |
| joomla -- joomla! | Joomla! 1.6.x before 1.6.2 allows remote attackers to obtain sensitive information via an empty Itemid array parameter to index.php, which reveals the installation path in an error message, a different vulnerability than CVE-2011-2488. | 2011-07-27 | 5.0 | CVE-2011-2891 |
| joomla -- joomla! | Joomla! 1.6.x before 1.6.2 does not prevent page rendering inside a frame in a third-party HTML document, which makes it easier for remote attackers to conduct clickjacking attacks via a crafted web site. | 2011-07-27 | 4.3 | CVE-2011-2892 |
| likewise -- likewise_open | SQL injection vulnerability in lsassd in Lsass in the Likewise Security Authority in Likewise Open 5.4 through 6.1, and Likewise Enterprise 6.0, allows local users to execute arbitrary SQL commands via unspecified vectors. | 2011-07-26 | 5.8 | CVE-2011-2467 |
| linux -- kernel | The gfs2_fallocate function in fs/gfs2/file.c in the Linux kernel before 3.0-rc1 does not ensure that the size of a chunk allocation is a multiple of the block size, which allows local users to cause a denial of service (BUG and system crash) by arranging for all resource groups to have too little free space. | 2011-07-28 | 4.9 | CVE-2011-2689 |
| linux -- kernel | Multiple off-by-one errors in the ext4 subsystem in the Linux kernel before 3.0-rc5 allow local users to cause a denial of service (BUG_ON and system crash) by accessing a sparse file in extent format with a write operation involving a block number corresponding to the largest possible 32-bit unsigned integer. | 2011-07-28 | 4.9 | CVE-2011-2695 |
| mega-nerd -- libsndfile | Integer overflow in libsndfile before 1.0.25 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted PARIS Audio Format (PAF) file that triggers a heap-based buffer overflow. | 2011-07-26 | 6.8 | CVE-2011-2696 |
| redhat -- network_satellite_server | Cross-site request forgery (CSRF) vulnerability in the Spacewalk Java site packages (aka spacewalk-java) 1.2.39 in Spacewalk, as used in the server in Red Hat Network Satellite 5.3.0 through 5.4.1 and other products, allows remote attackers to hijack the authentication of arbitrary users for requests that (1) disable the current user account, (2) add user accounts, or (3) modify user accounts to have administrator privileges. | 2011-07-26 | 6.8 | CVE-2009-4139 |
| redhat -- jboss_enterprise_application_platform | jboss-seam.jar in the JBoss Seam 2 framework 2.2.x and earlier, as distributed in Red Hat JBoss Enterprise SOA Platform 4.3.0.CP04 and 5.1.0 and JBoss Enterprise Application Platform (aka JBoss EAP or JBEAP) 4.3.0.CP09 and 5.1.0, does not properly restrict use of Expression Language (EL) statements in FacesMessages during page exception handling, which allows remote attackers to execute arbitrary Java code via a crafted URL to an application. | 2011-07-26 | 6.8 | CVE-2011-1484 |
| redhat -- jboss_enterprise_application_platform | jboss-seam.jar in the JBoss Seam 2 framework 2.2.x and earlier, as distributed in Red Hat JBoss Enterprise SOA Platform 4.3.0.CP05 and 5.1.0; JBoss Enterprise Application Platform (aka JBoss EAP or JBEAP) 4.3.0, 4.3.0.CP09, and 5.1.1; and JBoss Enterprise Web Platform 5.1.1, does not properly restrict use of Expression Language (EL) statements in FacesMessages during page exception handling, which allows remote attackers to execute arbitrary Java code via a crafted URL to an application. NOTE: this vulnerability exists because of an incomplete fix for CVE-2011-1484. | 2011-07-26 | 6.8 | CVE-2011-2196 |
| rockwellautomation -- factorytalk_diagnostics_viewer | Unspecified vulnerability in Rockwell Automation FactoryTalk Diagnostics Viewer before V2.30.00 (CPR9 SR3) allows local users to execute arbitrary code via a crafted FactoryTalk Diagnostics Viewer (.ftd) configuration file, which triggers memory corruption. | 2011-07-28 | 6.9 | CVE-2011-2957 |
| videolan -- vlc_media_player | Heap-based buffer overflow in the DemuxAudioSipr function in real.c in the RealMedia demuxer in VideoLAN VLC media player 1.1.x before 1.1.11 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted Real Media file. | 2011-07-26 | 6.8 | CVE-2011-2587 |
| videolan -- vlc_media_player | Heap-based buffer overflow in the AVI_ChunkRead_strf function in libavi.c in the AVI demuxer in VideoLAN VLC media player before 1.1.11 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted AVI media file. | 2011-07-26 | 6.8 | CVE-2011-2588 |
Low Vulnerabilities
| Primary Vendor -- Product | Description | Published | CVSS Score | Source & Patch Info |
|---|---|---|---|---|
| linux -- kernel | The bluetooth subsystem in the Linux kernel before 3.0-rc4 does not properly initialize certain data structures, which allows local users to obtain potentially sensitive information from kernel memory via a crafted getsockopt system call, related to (1) the l2cap_sock_getsockopt_old function in net/bluetooth/l2cap_sock.c and (2) the rfcomm_sock_getsockopt_old function in net/bluetooth/rfcomm/sock.c. | 2011-07-28 | 1.9 | CVE-2011-2492 |
Please share your thoughts
We recently updated our anonymous product survey; we’d welcome your feedback.