Vulnerability Summary for the Week of November 14, 2011

Released
Nov 21, 2011
Document ID
SB11-325

The CISA Vulnerability Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week. NVD is sponsored by CISA. In some cases, the vulnerabilities in the bulletin may not yet have assigned CVSS scores. Please visit NVD for updated vulnerability entries, which include CVSS scores once they are available.

Vulnerabilities are based on the Common Vulnerabilities and Exposures (CVE) vulnerability naming standard and are organized according to severity, determined by the Common Vulnerability Scoring System (CVSS) standard. The division of high, medium, and low severities correspond to the following scores:

  • High: vulnerabilities with a CVSS base score of 7.0–10.0
  • Medium: vulnerabilities with a CVSS base score of 4.0–6.9
  • Low: vulnerabilities with a CVSS base score of 0.0–3.9

Entries may include additional information provided by organizations and efforts sponsored by CISA. This information may include identifying information, values, definitions, and related links. Patch information is provided when available. Please note that some of the information in the bulletin is compiled from external, open-source reports and is not a direct result of CISA analysis. 


High Vulnerabilities

Primary
Vendor -- Product
DescriptionPublished CVSS ScoreSource & Patch Info
adobe -- adobe_airAdobe Flash Player before 10.3.183.11 and 11.x before 11.1.102.55 on Windows, Mac OS X, Linux, and Solaris and before 11.1.102.59 on Android, and Adobe AIR before 3.1.0.4880, allows attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2011-2451, CVE-2011-2452, CVE-2011-2453, CVE-2011-2454, CVE-2011-2455, CVE-2011-2459, and CVE-2011-2460.2011-11-1110.0CVE-2011-2445
adobe -- adobe_airAdobe Flash Player before 10.3.183.11 and 11.x before 11.1.102.55 on Windows, Mac OS X, Linux, and Solaris and before 11.1.102.59 on Android, and Adobe AIR before 3.1.0.4880, allows attackers to execute arbitrary code or cause a denial of service (heap memory corruption) via unspecified vectors.2011-11-1110.0CVE-2011-2450
adobe -- adobe_airAdobe Flash Player before 10.3.183.11 and 11.x before 11.1.102.55 on Windows, Mac OS X, Linux, and Solaris and before 11.1.102.59 on Android, and Adobe AIR before 3.1.0.4880, allows attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2011-2445, CVE-2011-2452, CVE-2011-2453, CVE-2011-2454, CVE-2011-2455, CVE-2011-2459, and CVE-2011-2460.2011-11-1110.0CVE-2011-2451
adobe -- adobe_airAdobe Flash Player before 10.3.183.11 and 11.x before 11.1.102.55 on Windows, Mac OS X, Linux, and Solaris and before 11.1.102.59 on Android, and Adobe AIR before 3.1.0.4880, allows attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2011-2445, CVE-2011-2451, CVE-2011-2453, CVE-2011-2454, CVE-2011-2455, CVE-2011-2459, and CVE-2011-2460.2011-11-1110.0CVE-2011-2452
adobe -- adobe_airAdobe Flash Player before 10.3.183.11 and 11.x before 11.1.102.55 on Windows, Mac OS X, Linux, and Solaris and before 11.1.102.59 on Android, and Adobe AIR before 3.1.0.4880, allows attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2011-2445, CVE-2011-2451, CVE-2011-2452, CVE-2011-2454, CVE-2011-2455, CVE-2011-2459, and CVE-2011-2460.2011-11-1110.0CVE-2011-2453
adobe -- adobe_airAdobe Flash Player before 10.3.183.11 and 11.x before 11.1.102.55 on Windows, Mac OS X, Linux, and Solaris and before 11.1.102.59 on Android, and Adobe AIR before 3.1.0.4880, allows attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2011-2445, CVE-2011-2451, CVE-2011-2452, CVE-2011-2453, CVE-2011-2455, CVE-2011-2459, and CVE-2011-2460.2011-11-1110.0CVE-2011-2454
adobe -- adobe_airAdobe Flash Player before 10.3.183.11 and 11.x before 11.1.102.55 on Windows, Mac OS X, Linux, and Solaris and before 11.1.102.59 on Android, and Adobe AIR before 3.1.0.4880, allows attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2011-2445, CVE-2011-2451, CVE-2011-2452, CVE-2011-2453, CVE-2011-2454, CVE-2011-2459, and CVE-2011-2460.2011-11-1110.0CVE-2011-2455
adobe -- adobe_airBuffer overflow in Adobe Flash Player before 10.3.183.11 and 11.x before 11.1.102.55 on Windows, Mac OS X, Linux, and Solaris and before 11.1.102.59 on Android, and Adobe AIR before 3.1.0.4880, allows attackers to execute arbitrary code via unspecified vectors.2011-11-1110.0CVE-2011-2456
adobe -- adobe_airStack-based buffer overflow in Adobe Flash Player before 10.3.183.11 and 11.x before 11.1.102.55 on Windows, Mac OS X, Linux, and Solaris and before 11.1.102.59 on Android, and Adobe AIR before 3.1.0.4880, allows attackers to execute arbitrary code via unspecified vectors.2011-11-1110.0CVE-2011-2457
adobe -- adobe_airAdobe Flash Player before 10.3.183.11 and 11.x before 11.1.102.55 on Windows, Mac OS X, Linux, and Solaris and before 11.1.102.59 on Android, and Adobe AIR before 3.1.0.4880, when Internet Explorer is used, allows remote attackers to bypass the cross-domain policy via a crafted web site.2011-11-119.3CVE-2011-2458
adobe -- adobe_airAdobe Flash Player before 10.3.183.11 and 11.x before 11.1.102.55 on Windows, Mac OS X, Linux, and Solaris and before 11.1.102.59 on Android, and Adobe AIR before 3.1.0.4880, allows attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2011-2445, CVE-2011-2451, CVE-2011-2452, CVE-2011-2453, CVE-2011-2454, CVE-2011-2455, and CVE-2011-2460.2011-11-1110.0CVE-2011-2459
adobe -- adobe_airAdobe Flash Player before 10.3.183.11 and 11.x before 11.1.102.55 on Windows, Mac OS X, Linux, and Solaris and before 11.1.102.59 on Android, and Adobe AIR before 3.1.0.4880, allows attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2011-2445, CVE-2011-2451, CVE-2011-2452, CVE-2011-2453, CVE-2011-2454, CVE-2011-2455, and CVE-2011-2459.2011-11-1110.0CVE-2011-2460
apple -- mac_os_xThe nonet and nointernet sandbox profiles in Apple Mac OS X 10.5.x do not propagate restrictions to all created processes, which allows remote attackers to access network resources via a crafted application, as demonstrated by use of launchctl to trigger the launchd daemon's execution of a script file, a related issue to CVE-2011-1516.2011-11-157.5CVE-2008-7303
apple -- mac_os_xThe kSBXProfileNoNetwork and kSBXProfileNoInternet sandbox profiles in Apple Mac OS X 10.5.x through 10.7.x do not propagate restrictions to all created processes, which allows remote attackers to access network resources via a crafted application, as demonstrated by use of osascript to send Apple events to the launchd daemon, a related issue to CVE-2008-7303.2011-11-157.5CVE-2011-1516
apple -- iphone_osFreeType in CoreGraphics in Apple iOS before 5.0.1 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted font in a document.2011-11-119.3CVE-2011-3439
apple -- iphone_osThe kernel in Apple iOS before 5.0.1 does not ensure the validity of flag combinations for an mmap system call, which allows local users to execute arbitrary unsigned code via a crafted app.2011-11-117.2CVE-2011-3442
dell -- kace_k2000_systems_deployment_applianceThe Dell KACE K2000 System Deployment Appliance allows remote attackers to execute arbitrary commands by leveraging database write access.2011-11-119.3CVE-2011-4047
google -- chromeGoogle Chrome before 15.0.874.120, when Java Runtime Environment (JRE) 7 is used, does not request user confirmation before applet execution begins, which allows remote attackers to have an unspecified impact via a crafted applet.2011-11-117.5CVE-2011-3898
google -- chromeGoogle V8, as used in Google Chrome before 15.0.874.121, allows remote attackers to cause a denial of service or possibly have unspecified other impact via unknown vectors that trigger an out-of-bounds write operation.2011-11-177.5CVE-2011-3900
hp -- centralized_management_console_softwareStack-based buffer overflow in hydra.exe in HP SAN/iQ before 9.5 on the HP StorageWorks P4000 Virtual SAN Appliance allows remote attackers to execute arbitrary code via a crafted login request.2011-11-1610.0CVE-2011-4157

Back to top


Medium Vulnerabilities

Primary
Vendor -- Product
DescriptionPublished CVSS ScoreSource & Patch Info
apache -- tomcatorg/apache/catalina/core/DefaultInstanceManager.java in Apache Tomcat 7.x before 7.0.22 does not properly restrict ContainerServlets in the Manager application, which allows local users to gain privileges by using an untrusted web application to access the Manager application's functionality.2011-11-114.4CVE-2011-3376
apple -- iphone_oslibinfo in Apple iOS before 5.0.1 does not properly formulate domain-name queries, which allows remote attackers to obtain sensitive information via a crafted DNS hostname.2011-11-114.3CVE-2011-3441
clamav -- clamavThe bytecode engine in ClamAV before 0.97.3 allows remote attackers to cause a denial of service (crash) via vectors related to "recursion level" and (1) libclamav/bytecode.c and (2) libclamav/bytecode_api.c.2011-11-174.3CVE-2011-3627
dell -- kace_k2000_systems_deployment_applianceThe Dell KACE K2000 System Deployment Appliance stores the recovery account password in cleartext within a PHP script, which allows context-dependent attackers to obtain sensitive information by examining script source code.2011-11-115.0CVE-2011-4046
dell -- kace_k2000_systems_deployment_applianceThe Dell KACE K2000 System Deployment Appliance has a default username and password for the read-only reporting account, which makes it easier for remote attackers to obtain sensitive information from the database by leveraging the default credentials.2011-11-114.3CVE-2011-4048
freebsd -- freebsdkcheckpass, as used in OpenPAM in FreeBSD 8.1 and possibly other operating systems, calls the pam_star function with raised privileges, which allows local users to load arbitrary DSOs and execute arbitrary code via a crafted service name.2011-11-176.9CVE-2011-4122
hp -- network_node_manager_iCross-site scripting (XSS) vulnerability in HP Network Node Manager i (NNMi) 9.0x and 9.1x allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2011-4156.2011-11-164.3CVE-2011-4155
hp -- network_node_manager_iCross-site scripting (XSS) vulnerability in HP Network Node Manager i (NNMi) 9.0x and 9.1x allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2011-4155.2011-11-164.3CVE-2011-4156
hp -- directories_support_for_proliant_management_processorsUnspecified vulnerability in HP Directories Support for ProLiant Management Processors 3.10 and 3.20 for Integrated Lights-Out iLO2 and iLO3 allows remote authenticated users to obtain sensitive information via unknown vectors.2011-11-164.0CVE-2011-4158
ibm -- aixIBM AIX 6.1 and 7.1 does not restrict the wpar_limits_config and wpar_limits_modify system calls, which allows local users to cause a denial of service (system crash) via a crafted call.2011-11-114.9CVE-2011-1375
ibm -- db2_tools_for_z/osThe web-server component in the Consolidation and Analysis Engine (CAE) Server in DB2 Query Monitor in IBM DB2 Tools 2.3.0 for z/OS does not prevent directory browsing, which allows remote attackers to obtain sensitive information via HTTP requests.2011-11-115.0CVE-2011-4435
mahara -- maharaMultiple cross-site scripting (XSS) vulnerabilities in Mahara before 1.4.1 allow remote attackers to inject arbitrary web script or HTML via vectors related to (1) URI attributes and (2) the External Feed component, as demonstrated by the guid element in an RSS feed.2011-11-144.3CVE-2011-2771
mahara -- maharaThe get_dataroot_image_path function in lib/file.php in Mahara before 1.4.1 does not properly validate uploaded image files, which allows remote attackers to cause a denial of service (memory consumption) via a (1) large or (2) invalid image.2011-11-145.0CVE-2011-2772
mahara -- maharaCross-site request forgery (CSRF) vulnerability in Mahara before 1.4.1 allows remote attackers to hijack the authentication of administrators for requests that add a user to an institution.2011-11-146.8CVE-2011-2773
mahara -- maharaThe "Reply to message" feature in Mahara 1.3.x and 1.4.x before 1.4.1 allows remote authenticated users to read the messages of a different user via a modified replyto parameter.2011-11-144.0CVE-2011-2774
mahara -- maharaMahara before 1.4.1, when MNet (aka the Moodle network feature) is used, allows remote authenticated users to gain privileges via a jump to an XMLRPC target.2011-11-146.0CVE-2011-4118
openswan -- openswanOpenswan 2.6.29 through 2.6.35 allows remote attackers to cause a denial of service (NULL pointer dereference and pluto IKE daemon crash) via an ISAKMP message with an invalid KEY_LENGTH attribute, which is not properly handled by the error handling function.2011-11-175.0CVE-2011-3380
openswan -- openswanUse-after-free vulnerability in the cryptographic helper handler functionality in Openswan 2.3.0 through 2.6.36 allows remote attackers to cause a denial of service (pluto IKE daemon crash) via vectors related to the (1) quick_outI1_continue and (2) quick_outI1 functions.2011-11-175.0CVE-2011-4073
phpmyadmin -- phpmyadminphpmyadmin.css.php in phpMyAdmin 3.4.x before 3.4.6 allows remote attackers to obtain sensitive information via an array-typed js_frame parameter to phpmyadmin.css.php, which reveals the installation path in an error message.2011-11-175.0CVE-2011-3646
phpmyadmin -- phpmyadminThe simplexml_load_string function in the XML import plug-in (libraries/import/xml.php) in phpMyAdmin 3.4.x before 3.4.7.1 and 3.3.x before 3.3.10.5 allows remote authenticated users to read arbitrary files via XML data containing external entity references, aka an XML external entity (XXE) injection attack.2011-11-174.3CVE-2011-4107
robert_luberda -- man2htmlCross-site scripting (XSS) vulnerability in man2html.cgi.c in man2html 1.6, and possibly other version, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors related to error messages.2011-11-174.3CVE-2011-2770
squid -- squidThe idnsGrokReply function in Squid before 3.1.16 does not properly free memory, which allows remote attackers to cause a denial of service (daemon abort) via a DNS reply containing a CNAME record that references another CNAME record that contains an empty A record.2011-11-175.0CVE-2011-4096

Back to top


Low Vulnerabilities

Primary
Vendor -- Product
DescriptionPublished CVSS ScoreSource & Patch Info
apple -- ipad2The Passcode Lock feature in Apple iOS before 5.0.1 on the iPad 2 does not properly implement the locked state, which allows physically proximate attackers to access data by opening a Smart Cover during power-off confirmation.2011-11-111.2CVE-2011-3440
dell -- kace_k2000_systems_deployment_applianceMultiple cross-site scripting (XSS) vulnerabilities in the administrative web interface on the Dell KACE K2000 System Deployment Appliance allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.2011-11-113.5CVE-2011-4436
microsoft -- windows_7Microsoft Windows Server 2008 R2 and R2 SP1 and Windows 7 Gold and SP1 do not properly enforce AppLocker rules, which allows local users to bypass intended access restrictions via a (1) macro or (2) scripting feature in an application, as demonstrated by Microsoft Office applications and the SANDBOX_INERT and LOAD_IGNORE_CODE_AUTHZ_LEVEL flags.2011-11-113.6CVE-2011-4434
owasp-java-html-sanitizer_project -- owasp-java-html-sanitizerOWASP HTML Sanitizer (aka owasp-java-html-sanitizer) before 88, when JavaScript is disabled, allows user-assisted remote attackers to obtain potentially sensitive information via a crafted FORM element within a NOSCRIPT element.2011-11-172.6CVE-2011-4457

Back to top

Please share your thoughts

We recently updated our anonymous product survey; we’d welcome your feedback.