Vulnerability Summary for the Week of August 15, 2011
Released
Aug 23, 2011
Document ID
SB11-234
The CISA Vulnerability Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week. NVD is sponsored by CISA. In some cases, the vulnerabilities in the bulletin may not yet have assigned CVSS scores. Please visit NVD for updated vulnerability entries, which include CVSS scores once they are available.
Vulnerabilities are based on the Common Vulnerabilities and Exposures (CVE) vulnerability naming standard and are organized according to severity, determined by the Common Vulnerability Scoring System (CVSS) standard. The division of high, medium, and low severities correspond to the following scores:
- High: vulnerabilities with a CVSS base score of 7.0–10.0
- Medium: vulnerabilities with a CVSS base score of 4.0–6.9
- Low: vulnerabilities with a CVSS base score of 0.0–3.9
Entries may include additional information provided by organizations and efforts sponsored by CISA. This information may include identifying information, values, definitions, and related links. Patch information is provided when available. Please note that some of the information in the bulletin is compiled from external, open-source reports and is not a direct result of CISA analysis.
High Vulnerabilities
| Primary Vendor -- Product | Description | Published | CVSS Score | Source & Patch Info |
|---|---|---|---|---|
| adobe -- adobe_air | Adobe Flash Player before 10.3.183.5 on Windows, Mac OS X, Linux, and Solaris and before 10.3.186.3 on Android, and Adobe AIR before 2.7.1 on Windows and Mac OS X and before 2.7.1.1961 on Android, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted SWF file, as demonstrated by "about 400 unique crash signatures." | 2011-08-15 | 9.3 | CVE-2011-2424 |
| apple -- quicktime | Integer overflow in Apple QuickTime before 7.7 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via crafted track run atoms in a QuickTime movie file. | 2011-08-15 | 9.3 | CVE-2011-0256 |
| apple -- quicktime | Integer signedness error in Apple QuickTime before 7.7 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted PnSize opcode in a PICT file that triggers a stack-based buffer overflow. | 2011-08-15 | 9.3 | CVE-2011-0257 |
| cisco -- ios | Cisco IOS 12.2(58)SE, when a login banner is configured, allows remote attackers to cause a denial of service (device reload) by establishing two SSH2 sessions, aka Bug ID CSCto62631. | 2011-08-18 | 7.8 | CVE-2011-1624 |
| citrix -- xen | Xen 4.1 before 4.1.1 and 4.0 before 4.0.2, when using PCI passthrough on Intel VT-d chipsets that do not have interrupt remapping, allows guest OS users to gain host OS privileges by "using DMA to generate MSI interrupts by writing to the interrupt injection registers." | 2011-08-12 | 7.4 | CVE-2011-1898 |
| clusterresources -- torque_resource_manager | Terascale Open-Source Resource and Queue Manager (aka TORQUE Resource Manager) 3.0.1 and earlier allows remote attackers to bypass host-based authentication and submit arbitrary jobs via a modified PBS_O_HOST variable to the qsub program. | 2011-08-15 | 7.5 | CVE-2011-2907 |
| controlmicrosystems -- clearscada_2005 | Use-after-free vulnerability in Control Microsystems ClearSCADA 2005, 2007, and 2009 before R2.3 and R1.4, as used in SCX before 67 R4.5 and 68 R3.9, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via unspecified long strings that trigger heap memory corruption. | 2011-08-16 | 10.0 | CVE-2011-3143 |
| emc -- rsa_adaptive_authentication_on-premise | EMC RSA Adaptive Authentication On-Premise (AAOP) 6.0.2.1 SP1 Patch 2, SP1 Patch 3, SP2, SP2 Patch 1, and SP3 does not prevent reuse of authentication information during a session, which allows remote authenticated users to bypass intended access restrictions via vectors related to knowledge of the originally used authentication information and unspecified other session information. | 2011-08-18 | 7.5 | CVE-2011-2733 |
| ibm -- tivoli_federated_identity_manager | Unspecified vulnerability in the Runtime in IBM Tivoli Federated Identity Manager (TFIM) 6.2.0 before 6.2.0.9 and Tivoli Federated Identity Manager Business Gateway (TFIMBG) 6.2.0 before 6.2.0.9 has unknown impact and attack vectors. | 2011-08-12 | 10.0 | CVE-2011-3135 |
| ibm -- tivoli_federated_identity_manager | Unspecified vulnerability in the Management Console in IBM Tivoli Federated Identity Manager (TFIM) 6.2.0 before 6.2.0.9 and Tivoli Federated Identity Manager Business Gateway (TFIMBG) 6.2.0 before 6.2.0.9 has unknown impact and attack vectors, aka APAR IV03048. | 2011-08-12 | 10.0 | CVE-2011-3136 |
| ibm -- tivoli_federated_identity_manager | Unspecified vulnerability in the Management Console in IBM Tivoli Federated Identity Manager (TFIM) 6.2.0 before 6.2.0.9 and Tivoli Federated Identity Manager Business Gateway (TFIMBG) 6.2.0 before 6.2.0.9 has unknown impact and attack vectors, aka APAR IV03050. | 2011-08-12 | 10.0 | CVE-2011-3137 |
| invensys -- wonderware_inbatch | Buffer overflow in the InBatch BatchField ActiveX control for Invensys Wonderware InBatch 8.1 SP1, 9.0, and 9.0 SP1 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via unspecified vectors. | 2011-08-16 | 9.3 | CVE-2011-3141 |
| isc -- dhcp | The server in ISC DHCP 3.x and 4.x before 4.2.2, 3.1-ESV before 3.1-ESV-R3, and 4.1-ESV before 4.1-ESV-R3 allows remote attackers to cause a denial of service (daemon exit) via a crafted DHCP packet. | 2011-08-15 | 7.8 | CVE-2011-2748 |
| isc -- dhcp | The server in ISC DHCP 3.x and 4.x before 4.2.2, 3.1-ESV before 3.1-ESV-R3, and 4.1-ESV before 4.1-ESV-R3 allows remote attackers to cause a denial of service (daemon exit) via a crafted BOOTP packet. | 2011-08-15 | 7.8 | CVE-2011-2749 |
| mozilla -- firefox | The SVGTextElement.getCharNumAtPosition function in Mozilla Firefox before 3.6.20, and 4.x through 5, does not properly handle SVG text, which allows remote attackers to execute arbitrary code via unspecified vectors that lead to a "dangling pointer." | 2011-08-18 | 10.0 | CVE-2011-0084 |
| mozilla -- firefox | The appendChild function in Mozilla Firefox before 3.6.20 does not properly handle DOM objects, which allows remote attackers to execute arbitrary code via unspecified vectors that lead to dereferencing of a "dangling pointer." | 2011-08-18 | 10.0 | CVE-2011-2378 |
| mozilla -- firefox | Untrusted search path vulnerability in the ThinkPadSensor::Startup function in Mozilla Firefox before 3.6.20 allows local users to gain privileges by leveraging write access in an unspecified directory to place a Trojan horse DLL that is loaded into the running Firefox process. | 2011-08-18 | 7.2 | CVE-2011-2980 |
| mozilla -- firefox | The event-management implementation in Mozilla Firefox before 3.6.20 does not properly select the context for script to run in, which allows remote attackers to bypass the Same Origin Policy or execute arbitrary JavaScript code with chrome privileges via a crafted web site. | 2011-08-18 | 9.3 | CVE-2011-2981 |
| mozilla -- firefox | Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 3.6.20 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors. | 2011-08-18 | 10.0 | CVE-2011-2982 |
| mozilla -- firefox | Mozilla Firefox before 3.6.20 does not properly handle the dropping of a tab element, which allows remote attackers to execute arbitrary JavaScript code with chrome privileges by establishing a content area and registering for drop events. | 2011-08-18 | 10.0 | CVE-2011-2984 |
| mozilla -- firefox | Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox 4.x through 5 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors. | 2011-08-18 | 10.0 | CVE-2011-2985 |
| mozilla -- firefox | Heap-based buffer overflow in Almost Native Graphics Layer Engine (ANGLE), as used in the WebGL implementation in Mozilla Firefox 4.x through 5, might allow remote attackers to execute arbitrary code via unspecified vectors. | 2011-08-18 | 10.0 | CVE-2011-2987 |
| mozilla -- firefox | Buffer overflow in an unspecified string class in the WebGL shader implementation in Mozilla Firefox 4.x through 5 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a long source-code block for a shader. | 2011-08-18 | 10.0 | CVE-2011-2988 |
| mozilla -- firefox | The browser engine in Mozilla Firefox 4.x through 5 does not properly implement WebGL, which allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unspecified vectors. | 2011-08-18 | 10.0 | CVE-2011-2989 |
| mozilla -- firefox | The browser engine in Mozilla Firefox 4.x through 5 does not properly implement JavaScript, which allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unspecified vectors. | 2011-08-18 | 10.0 | CVE-2011-2991 |
| mozilla -- firefox | The Ogg reader in the browser engine in Mozilla Firefox 4.x through 5 allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unspecified vectors. | 2011-08-18 | 10.0 | CVE-2011-2992 |
| mozilla -- firefox | The implementation of digital signatures for JAR files in Mozilla Firefox 4.x through 5 does not prevent calls from unsigned JavaScript code to signed code, which allows remote attackers to bypass the Same Origin Policy and gain privileges via a crafted web site, a different vulnerability than CVE-2008-2801. | 2011-08-18 | 9.3 | CVE-2011-2993 |
| realnetworks -- realplayer | Heap-based buffer overflow in RealNetworks RealPlayer 11.0 through 11.1 and 14.0.0 through 14.0.5 and RealPlayer SP 1.0 through 1.1.5 allows remote attackers to execute arbitrary code via a crafted SIPR stream. | 2011-08-18 | 9.3 | CVE-2011-2945 |
| realnetworks -- realplayer | Unspecified vulnerability in an ActiveX control in RealNetworks RealPlayer 11.0 through 11.1 and 14.0.0 through 14.0.5, RealPlayer SP 1.0 through 1.1.5, and RealPlayer Enterprise 2.0 through 2.1.5 allows remote attackers to execute arbitrary code via unknown vectors. | 2011-08-18 | 10.0 | CVE-2011-2946 |
| realnetworks -- realplayer | RealNetworks RealPlayer 11.0 through 11.1 and 14.0.0 through 14.0.5, RealPlayer SP 1.0 through 1.1.5, RealPlayer Enterprise 2.0 through 2.1.5, and Mac RealPlayer 12.0.0.1569 do not properly handle DEFINEFONT fields in SWF files, which allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption) via a crafted file. | 2011-08-18 | 9.3 | CVE-2011-2948 |
| realnetworks -- realplayer | Heap-based buffer overflow in RealNetworks RealPlayer 11.0 through 11.1 and 14.0.0 through 14.0.5, RealPlayer SP 1.0 through 1.1.5, and RealPlayer Enterprise 2.0 through 2.1.5 allows remote attackers to execute arbitrary code via crafted ID3v2 tags in an MP3 file. | 2011-08-18 | 9.3 | CVE-2011-2949 |
| realnetworks -- realplayer | Heap-based buffer overflow in qcpfformat.dll in RealNetworks RealPlayer 11.0 through 11.1 and 14.0.0 through 14.0.5 and RealPlayer SP 1.0 through 1.1.5 allows remote attackers to execute arbitrary code via a crafted QCP file. | 2011-08-18 | 9.3 | CVE-2011-2950 |
| realnetworks -- realplayer | Buffer overflow in RealNetworks RealPlayer 11.0 through 11.1 and 14.0.0 through 14.0.5, RealPlayer SP 1.0 through 1.1.5, and Mac RealPlayer 12.0.0.1569 allows remote attackers to execute arbitrary code via a crafted raw_data_frame field in an AAC file. | 2011-08-18 | 9.3 | CVE-2011-2951 |
| realnetworks -- realplayer | Use-after-free vulnerability in RealNetworks RealPlayer 11.0 through 11.1 and 14.0.0 through 14.0.5, RealPlayer SP 1.0 through 1.1.5, and RealPlayer Enterprise 2.0 through 2.1.5 allows remote attackers to execute arbitrary code via vectors related to a dialog box. | 2011-08-18 | 9.3 | CVE-2011-2952 |
| realnetworks -- realplayer | An unspecified ActiveX control in the browser plugin in RealNetworks RealPlayer 11.0 through 11.1 and 14.0.0 through 14.0.5, RealPlayer SP 1.0 through 1.1.5, and RealPlayer Enterprise 2.0 through 2.1.5 allows remote attackers to execute arbitrary code via unknown vectors, related to an out-of-bounds condition. | 2011-08-18 | 10.0 | CVE-2011-2953 |
| realnetworks -- realplayer | Use-after-free vulnerability in the AutoUpdate feature in RealNetworks RealPlayer 11.0 through 11.1 and 14.0.0 through 14.0.5 and RealPlayer SP 1.0 through 1.1.5, when an Embedded RealPlayer is used, allows remote attackers to execute arbitrary code via unspecified vectors. | 2011-08-18 | 9.3 | CVE-2011-2954 |
| realnetworks -- realplayer | Use-after-free vulnerability in RealNetworks RealPlayer 11.0 through 11.1 and 14.0.0 through 14.0.5, RealPlayer SP 1.0 through 1.1.5, and RealPlayer Enterprise 2.0 through 2.1.5, when an Embedded RealPlayer is used, allows remote attackers to execute arbitrary code via vectors related to a modal dialog. | 2011-08-18 | 9.3 | CVE-2011-2955 |
| wellintech -- kingview | Stack-based buffer overflow in an ActiveX control in KVWebSvr.dll in WellinTech KingView 6.52 and 6.53 allows remote attackers to execute arbitrary code via a long second argument to the ValidateUser method. | 2011-08-16 | 10.0 | CVE-2011-3142 |
Medium Vulnerabilities
| Primary Vendor -- Product | Description | Published | CVSS Score | Source & Patch Info |
|---|---|---|---|---|
| apache -- tomcat | Apache Tomcat 7.0.x before 7.0.17 permits web applications to replace an XML parser used for other web applications, which allows local users to read or modify the (1) web.xml, (2) context.xml, or (3) tld files of arbitrary web applications via a crafted application that is loaded earlier than the target application. NOTE: this vulnerability exists because of a CVE-2009-0783 regression. | 2011-08-15 | 4.6 | CVE-2011-2481 |
| apache -- apache_commons_daemon | native/unix/native/jsvc-unix.c in jsvc in the Daemon component 1.0.3 through 1.0.6 in Apache Commons, as used in Apache Tomcat 5.5.32 through 5.5.33, 6.0.30 through 6.0.32, and 7.0.x before 7.0.20 on Linux, does not drop capabilities, which allows remote attackers to bypass read permissions for files via a request to an application. | 2011-08-15 | 5.0 | CVE-2011-2729 |
| ca -- arcserve_d2d | BaseServiceImpl.class in CA ARCserve D2D r15 does not properly handle sessions, which allows remote attackers to obtain credentials, and consequently execute arbitrary commands, via unspecified vectors. | 2011-08-15 | 5.0 | CVE-2011-3011 |
| cisco -- ios | Cisco IOS 12.2, 12.3, 12.4, 15.0, and 15.1, when the data-link switching (DLSw) feature is configured, allows remote attackers to cause a denial of service (device crash) by sending a sequence of malformed packets and leveraging a "narrow timing window," aka Bug ID CSCtf74999, a different vulnerability than CVE-2007-0199, CVE-2008-1152, and CVE-2009-0629. | 2011-08-18 | 5.4 | CVE-2011-1625 |
| citrix -- xen | Multiple integer overflows in tools/libxc/xc_dom_bzimageloader.c in Xen 3.2, 3.3, 4.0, and 4.1 allow local users to cause a denial of service and possibly execute arbitrary code via a crafted paravirtualised guest kernel image that triggers (1) a buffer overflow during a decompression loop or (2) an out-of-bounds read in the loader involving unspecified length fields. | 2011-08-12 | 6.9 | CVE-2011-1583 |
| controlmicrosystems -- clearscada_2005 | Cross-site scripting (XSS) vulnerability in Control Microsystems ClearSCADA 2005, 2007, and 2009 before R2.3 and R1.4, as used in SCX before 67 R4.5 and 68 R3.9, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | 2011-08-16 | 4.3 | CVE-2011-3144 |
| google -- android | Cross-application scripting vulnerability in the Browser URL loading functionality in Android 2.3.4 and 3.1 allows local applications to bypass the sandbox and execute arbitrary Javascript in arbitrary domains by (1) causing the MAX_TAB number of tabs to be opened, then loading a URI to the targeted domain into the current tab, or (2) two startActivity function calls beginning with the targeted domain's URI followed by the malicious Javascript while the UI focus is still associated with the targeted domain. | 2011-08-12 | 4.3 | CVE-2011-2357 |
| ibm -- tivoli_federated_identity_manager | The LTPA STS module support implementation in IBM Tivoli Federated Identity Manager (TFIM) 6.2.0 before 6.2.0.9 and Tivoli Federated Identity Manager Business Gateway (TFIMBG) 6.2.0 before 6.2.0.9 relies on a static instance of a Java Development Kit (JDK) class, which might allow attackers to bypass LTPA token signature verification by leveraging lack of thread safety. | 2011-08-12 | 5.0 | CVE-2011-3138 |
| ibm -- web_application_firewall | IBM Web Application Firewall, as used on the G400 IPS-G400-IB-1 and GX4004 IPS-GX4004-IB-2 appliances with update 31.030, does not properly handle query strings with multiple instances of the same parameter, which allows remote attackers to bypass intended intrusion prevention by dividing a dangerous parameter value into substrings, as demonstrated by a SQL statement that is split across multiple iid parameters and then sent to a .aspx file on an IIS web server. | 2011-08-15 | 5.0 | CVE-2011-3140 |
| mozilla -- firefox | Mozilla Firefox before 3.6.20 does not properly handle the RegExp.input property, which allows remote attackers to bypass the Same Origin Policy and read data from a different domain via a crafted web site. | 2011-08-18 | 4.3 | CVE-2011-2983 |
| mozilla -- firefox | Mozilla Firefox 4.x through 5, when the Direct2D (aka D2D) API is used on Windows, allows remote attackers to bypass the Same Origin Policy, and obtain sensitive image data from a different domain, by inserting this data into a canvas. | 2011-08-18 | 5.0 | CVE-2011-2986 |
| mozilla -- firefox | The implementation of Content Security Policy (CSP) violation reports in Mozilla Firefox 4.x through 5 does not remove proxy-authorization credentials from the listed request headers, which allows attackers to obtain sensitive information by reading a report, related to incorrect host resolution that occurs with certain redirects. | 2011-08-18 | 5.0 | CVE-2011-2990 |
| realnetworks -- realplayer | Cross-zone scripting vulnerability in the RealPlayer ActiveX control in RealNetworks RealPlayer 11.0 through 11.1 and 14.0.0 through 14.0.5 and RealPlayer SP 1.0 through 1.1.5 allows remote attackers to inject arbitrary web script or HTML in the Local Zone via a local HTML document. | 2011-08-18 | 4.3 | CVE-2011-2947 |
| symantec -- endpoint_protection | Multiple cross-site scripting (XSS) vulnerabilities in the Web Interface in the Endpoint Protection Manager in Symantec Endpoint Protection (SEP) 11.0.600x through 11.0.6300 allow remote attackers to inject arbitrary web script or HTML via (1) the token parameter to portal/Help.jsp or (2) the URI in a console/apps/sepm request. | 2011-08-15 | 4.3 | CVE-2011-0550 |
| symantec -- endpoint_protection | Cross-site request forgery (CSRF) vulnerability in the Web Interface in the Endpoint Protection Manager in Symantec Endpoint Protection (SEP) 11.0.600x through 11.0.6300 allows remote attackers to hijack the authentication of administrators for requests that create administrative accounts. | 2011-08-15 | 6.8 | CVE-2011-0551 |
| vmware -- tc_server | VMware vFabric tc Server (aka SpringSource tc Server) 2.0.x before 2.0.6.RELEASE and 2.1.x before 2.1.2.RELEASE accepts obfuscated passwords during JMX authentication, which makes it easier for context-dependent attackers to obtain access by leveraging an ability to read stored passwords. | 2011-08-15 | 5.0 | CVE-2011-0527 |
Low Vulnerabilities
| Primary Vendor -- Product | Description | Published | CVSS Score | Source & Patch Info |
|---|---|---|---|---|
| ibm -- tivoli_federated_identity_manager | IBM Tivoli Federated Identity Manager (TFIM) 6.2.0 before 6.2.0.2, when com.tivoli.am.fim.infocard.delegates.InfoCardSTSDelegate tracing is enabled, creates a cleartext log entry containing a password, which might allow local users to obtain sensitive information by reading the log data. | 2011-08-12 | 1.9 | CVE-2009-5084 |
| ibm -- tivoli_federated_identity_manager | IBM Tivoli Federated Identity Manager (TFIM) 6.2.0 before 6.2.0.2, when configured as an OpenID provider, does not delete the site information cookie in response to a user's deletion of a relying-party trust entry, which allows user-assisted remote attackers to bypass intended trust restrictions via vectors that trigger absence of the consent-to-authenticate page. | 2011-08-12 | 2.6 | CVE-2009-5085 |
Please share your thoughts
We recently updated our anonymous product survey; we’d welcome your feedback.