CVE-2016-10200 Oracle Enterprise Linux Security Update for Unbreakable Enterprise kernel (ELSA-2017-3605)

漏洞类别:OEL

漏洞等级:

漏洞信息

Oracle Enterprise Linux has released security update for unbreakable enterprise kernel to fix the vulnerabilities.

Affected Products:
Oracle Linux 7
Oracle Linux 6

漏洞危害

Successful exploitation allows attacker to compromise the system.

解决方案

To resolve this issue, upgrade to the latest packages which contain a patch. Refer to Oracle Enterprise Linux advisory below for updates and patch information:

Oracle Linux 7
Oracle Linux 6

Patch:
Following are links for downloading patches to fix the vulnerabilities:

ELSA-2017-3605: Oracle Linux 7

ELSA-2017-3605: Oracle Linux 6

0daybank

CVE-2017-1000117 Oracle Enterprise Linux Security Update for git (ELSA-2017-2484)

漏洞类别:OEL

漏洞等级:

漏洞信息

Oracle Enterprise Linux has released security update for git to fix the vulnerabilities.

Affected Products:
Oracle Linux 7

漏洞危害

Successful exploitation allows attacker to compromise the system.

解决方案

To resolve this issue, upgrade to the latest packages which contain a patch. Refer to Oracle Enterprise Linux advisory below for updates and patch information:

Oracle Linux 7

Patch:
Following are links for downloading patches to fix the vulnerabilities:

ELSA-2017-2484: Oracle Linux 7

0daybank

CVE-2017-7533 Oracle Enterprise Linux Security Update kernel (ELSA-2017-2473-1)

漏洞类别:OEL

漏洞等级:

漏洞信息

Oracle Enterprise Linux has released security update for kernel to fix the vulnerabilities.

Affected Products:
Oracle Linux 7

漏洞危害

This vulnerability could be exploited to gain complete access to sensitive information. Malicious users could also use this vulnerability to change all the contents or configuration on the system.

解决方案

To resolve this issue, upgrade to the latest packages which contain a patch. Refer to Oracle Enterprise Linux advisory below for updates and patch information:

Oracle Linux 7

Patch:
Following are links for downloading patches to fix the vulnerabilities:

ELSA-2017-2473-1: Oracle Linux 7

0daybank

CVE-2017-9802 Apache Sling Cross-Site-Scripting Vulnerability

漏洞类别:CGI

漏洞等级:

漏洞信息

Apache Sling is a web framework that uses a Java Content Repository, such as Apache Jackrabbit, to store and manage content.

The Javascript method Sling.evalString() uses the javascript ‘eval’ function to parse input strings, which allows for XSS attacks by passing specially crafted input strings.

Affected Version:
org.apache.sling.servlets.post bundle up to 2.3.21

Detection Logic:
This QID checks for Apache Sling installations running with default credentials and that have vulnerable versions of Apache Sling Servlet post authentication.

漏洞危害

An unauthenticated, remote attacker could exploit this vulnerability to execute arbitrary Javascript code on victim’s browser.

解决方案

Vendor has released an updated version org.apache.sling.servlets.post 2.3.22 to fix this issue. Refer to the SLING-7041 for more details on the vulnerability and patches.

Patch:
Following are links for downloading patches to fix the vulnerabilities:

SLING-7041

0daybank

CVE-2017-6923 Drupal Core Multiple Security Vulnerabilities (SA-CORE-2017-004)

漏洞类别:CGI

漏洞等级:

漏洞信息

Drupal is a free and open-source content management framework written in PHP and distributed under the GNU General Public License. It is also used for knowledge management and business collaboration.

Drupal contains the following security vulnerabilities:
CVE-2017-6923: When creating a view, you can optionally use Ajax to update the displayed data via filter parameters. The views subsystem/module did not restrict access to the Ajax endpoint to only views configured to use Ajax. This is mitigated if you have access restrictions on the view.
CVE-2017-6924: When using the REST API, users without the correct permission can post comments via REST that are approved even if the user does not have permission to post approved comments.
CVE-2017-6925: There is a vulnerability in the entity access system that could allow unwanted access to view, create, update, or delete entities. This only affects entities that do not use or do not have UUIDs, and entities that have different access restrictions on different revisions of the same entity..

Affected Versions:
Drupal core 8.x versions prior to 8.3.7

QID Detection Logic:
This QID depends on BlindElephant engine to detect the version of the Drupal installation as active attacks could potentially harm live installations.

漏洞危害

Depending on the vulnerability being exploited, an attacker could bypass security restrictions to post comments or view restricted content.

解决方案

Customers are advised to upgrade to Drupal 8.3.7 or later versions to remediate these vulnerabilities.

Patch:
Following are links for downloading patches to fix the vulnerabilities:

Drupal 8.3.7

0daybank

CVE-2014-7975 Oracle Enterprise Linux Security Update for kernel (ELSA-2017-1842-1)

漏洞类别:OEL

漏洞等级:

漏洞信息

Oracle Enterprise Linux has released security update for kernel to fix the vulnerabilities.

Affected Product:
Oracle Linux 7

漏洞危害

Successful exploitation allows attacker to compromise the system.

解决方案

To resolve this issue, upgrade to the latest packages which contain a patch. Refer to Oracle Enterprise Linux advisory below for updates and patch information:

Oracle Linux 7

Patch:
Following are links for downloading patches to fix the vulnerabilities:

ELSA-2017-1842-1: Oracle Linux 7

0daybank

CVE-2017-12904 Debian Security Update for newsbeuter (DSA 3947-1)

漏洞类别:Debian

漏洞等级:

漏洞信息

Debian has released security update for newsbeuter to fix the vulnerabilities.

漏洞危害

Successful exploitation of the vulnerability will allow a remote attacker to run an arbitrary shell command on the client machine.

解决方案

Refer to Debian security advisory DSA 3947-1 to address this issue and obtain further details.

Patch:
Following are links for downloading patches to fix the vulnerabilities:

DSA 3947-1: Debian

0daybank

CVE-2017-6419 Debian Security Update for libmspack (DSA 3946-1)

漏洞类别:Debian

漏洞等级:

漏洞信息

Debian has released security update for libmspack to fix the vulnerabilities.

漏洞危害

This vulnerability could be exploited to gain partial access to sensitive information. Malicious users could also use this vulnerability to change partial contents or configuration on the system. Additionally this vulnerability can also be used to cause a limited denial of service in the form of interruptions in resource availability.

解决方案

Refer to Debian security advisory DSA 3946-1 to address this issue and obtain further details.

Patch:
Following are links for downloading patches to fix the vulnerabilities:

DSA 3946-1: Debian

0daybank

CVE-2017-3308 Debian Security Update for mariadb-10.0 (DSA 3944-1)

漏洞类别:Debian

漏洞等级:

漏洞信息

Debian has released security update for mariadb-10.0 to fix the vulnerabilities.

漏洞危害

This vulnerability can also be used to cause a limited denial of service in the form of interruptions in resource availability.

解决方案

Refer to Debian security advisory DSA 3944-1 to address this issue and obtain further details.

Patch:
Following are links for downloading patches to fix the vulnerabilities:

DSA 3944-1: Debian

0daybank

CVE-2016-4397 HPE Network Node Manager i (NNMi) Local Code Execution Vulnerability

漏洞类别:Local

漏洞等级:

漏洞信息

A potential security vulnerability was identified in HPE Network Node Manager i (NNMi) Software. The vulnerability can result in local code execution

Affected Software:
HPE Network Node Manager i (NNMi) Software 10.00, 10.01, 10.10, 10.20.

漏洞危害

On successful exploitation it allows an attackers to execute arbitrary code on a targeted system.

解决方案

Customers are advised to refer to HPSBGN03657 for updates pertaining to this vulnerability.

Patch:
Following are links for downloading patches to fix the vulnerabilities:

HPSBGN03657: Windows (Network Node Manager i 10.01)

HPSBGN03657: Windows (Network Node Manager i 10.10)

HPSBGN03657: Windows (Network Node Manager i 10.20)

0daybank