U.S. Flag Official website of the Department of Homeland Security
TLP:WHITE

Bulletin (SB16-039)

Vulnerability Summary for the Week of February 1, 2016

Original release date: March 11, 2016 | Last revised: March 22, 2016

The US-CERT Cyber Security Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week. The NVD is sponsored by the Department of Homeland Security (DHS) National Cybersecurity and Communications Integration Center (NCCIC) / United States Computer Emergency Readiness Team (US-CERT). For modified or updated entries, please visit the NVD, which contains historical vulnerability information.

The vulnerabilities are based on the CVE vulnerability naming standard and are organized according to severity, determined by the Common Vulnerability Scoring System (CVSS) standard. The division of high, medium, and low severities correspond to the following scores:

  • High - Vulnerabilities will be labeled High severity if they have a CVSS base score of 7.0 - 10.0

  • Medium - Vulnerabilities will be labeled Medium severity if they have a CVSS base score of 4.0 - 6.9

  • Low - Vulnerabilities will be labeled Low severity if they have a CVSS base score of 0.0 - 3.9

Entries may include additional information provided by organizations and efforts sponsored by US-CERT. This information may include identifying information, values, definitions, and related links. Patch information is provided when available. Please note that some of the information in the bulletins is compiled from external, open source reports and is not a direct result of US-CERT analysis.

High Vulnerabilities

Primary
Vendor -- Product
DescriptionPublishedCVSS ScoreSource & Patch Info
apache -- camelThe camel-xstream component in Apache Camel before 2.15.5 and 2.16.x before 2.16.1 allow remote attackers to execute arbitrary commands via a crafted serialized Java object in an HTTP request.2016-02-037.5CVE-2015-5344
apple -- apple_tvThe Disk Images component in Apple iOS before 9.2.1, OS X before 10.11.3, and tvOS before 9.1.1 allows local users to gain privileges or cause a denial of service (memory corruption) via unspecified vectors.2016-02-017.2CVE-2016-1717
apple -- apple_tvThe IOHIDFamily API in Apple iOS before 9.2.1, OS X before 10.11.3, and tvOS before 9.1.1 allows local users to gain privileges or cause a denial of service (memory corruption) via unspecified vectors.2016-02-017.2CVE-2016-1719
apple -- apple_tvIOKit in Apple iOS before 9.2.1, OS X before 10.11.3, and tvOS before 9.1.1 allows local users to gain privileges or cause a denial of service (memory corruption) via unspecified vectors.2016-02-017.2CVE-2016-1720
apple -- apple_tvThe kernel in Apple iOS before 9.2.1, OS X before 10.11.3, and tvOS before 9.1.1 allows local users to gain privileges or cause a denial of service (memory corruption) via unspecified vectors.2016-02-017.2CVE-2016-1721
apple -- apple_tvsyslog in Apple iOS before 9.2.1, OS X before 10.11.3, and tvOS before 9.1.1 allows local users to gain privileges or cause a denial of service (memory corruption) via unspecified vectors.2016-02-017.2CVE-2016-1722
apple -- mac_os_xUntrusted search path vulnerability in OSA Scripts in Apple OS X before 10.11.3 allows attackers to load arbitrary script libraries via a quarantined application.2016-02-017.5CVE-2016-1729
apple -- mac_os_xAppleGraphicsPowerManagement in Apple OS X before 10.11.3 allows local users to gain privileges or cause a denial of service (memory corruption) via unspecified vectors.2016-02-017.2CVE-2016-1716
apple -- safariWebKit, as used in Apple iOS before 9.2.1 and Safari before 9.0.3, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, a different vulnerability than CVE-2016-1725 and CVE-2016-1726.2016-02-019.3CVE-2016-1723
apple -- safariWebKit, as used in Apple iOS before 9.2.1, Safari before 9.0.3, and tvOS before 9.1.1, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, a different vulnerability than CVE-2016-1727.2016-02-019.3CVE-2016-1724
apple -- safariWebKit, as used in Apple iOS before 9.2.1 and Safari before 9.0.3, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, a different vulnerability than CVE-2016-1723 and CVE-2016-1726.2016-02-019.3CVE-2016-1725
apple -- safariWebKit, as used in Apple iOS before 9.2.1 and Safari before 9.0.3, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, a different vulnerability than CVE-2016-1723 and CVE-2016-1725.2016-02-019.3CVE-2016-1726
apple -- safariWebKit, as used in Apple iOS before 9.2.1, Safari before 9.0.3, and tvOS before 9.1.1, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, a different vulnerability than CVE-2016-1724.2016-02-019.3CVE-2016-1727
cisco -- prime_security_managerThe RBAC implementation in Cisco ASA-CX Content-Aware Security software before 9.3.1.1(112) and Cisco Prime Security Manager (PRSM) software before 9.3.1.1(112) allows remote authenticated users to change arbitrary passwords via a crafted HTTP request, aka Bug ID CSCuo94842.2016-02-078.5CVE-2016-1301
cloudbees -- jenkinsThe Plugins Manager in CloudBees Jenkins before 1.640 and LTS before 1.625.2 does not verify checksums for plugin files referenced in update site data, which makes it easier for man-in-the-middle attackers to execute arbitrary code via a crafted plugin.2016-02-037.6CVE-2015-7539
ge -- ups_snmp_web_adapter_firmwareGeneral Electric (GE) Industrial Solutions UPS SNMP/Web Adapter devices with firmware before 4.8 allow remote authenticated users to execute arbitrary commands via unspecified vectors.2016-02-059CVE-2016-0861
google -- androidlibstagefright in mediaserver in Android 4.x before 4.4.4, 5.x before 5.1.1 LMY49G, and 6.x before 2016-02-01 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted media file that triggers a large memory allocation in the (1) SoftMPEG4Encoder or (2) SoftVPXEncoder component, aka internal bug 25812794.2016-02-0610CVE-2016-0803
google -- androidThe Broadcom Wi-Fi driver in the kernel in Android 4.x before 4.4.4, 5.x before 5.1.1 LMY49G, and 6.x before 2016-02-01 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via crafted wireless control message packets, aka internal bug 25662029.2016-02-068.3CVE-2016-0801
google -- androidThe Broadcom Wi-Fi driver in the kernel in Android 4.x before 4.4.4, 5.x before 5.1.1 LMY49G, and 6.x before 2016-02-01 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via crafted wireless control message packets, aka internal bug 25306181.2016-02-068.3CVE-2016-0802
google -- kubernetesThe API server in Kubernetes might allow remote attackers to gain privileges by editing a build configuration to use a restricted strategy.2016-02-0310CVE-2016-1906
linux -- linux_kernelThe nf_nat_redirect_ipv4 function in net/netfilter/nf_nat_redirect.c in the Linux kernel before 4.4 allows remote attackers to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact by sending certain IPv4 packets to an incompletely configured interface, a related issue to CVE-2003-1604.2016-02-0710CVE-2015-8787
linux -- linux_kernelThe KEYS subsystem in the Linux kernel before 4.4 allows local users to gain privileges or cause a denial of service (BUG) via crafted keyctl commands that negatively instantiate a key, related to security/keys/encrypted-keys/encrypted.c, security/keys/trusted.c, and security/keys/user_defined.c.2016-02-077.2CVE-2015-8539
linux -- linux_kernelThe join_session_keyring function in security/keys/process_keys.c in the Linux kernel before 4.4.1 mishandles object references in a certain error case, which allows local users to gain privileges or cause a denial of service (integer overflow and use-after-free) via crafted keyctl commands.2016-02-077.2CVE-2016-0728
radicale -- radicaleThe multifilesystem storage backend in Radicale before 1.1 allows remote attackers to read or write to arbitrary files via a crafted component name.2016-02-037.5CVE-2015-8747
radicale -- radicaleThe filesystem storage backend in Radicale before 1.1 on Windows allows remote attackers to read or write to arbitrary files via a crafted path, as demonstrated by /c:/file/ignore.2016-02-037.5CVE-2016-1505
sauter -- moduweb_visionSauter EY-WS505F0x0 moduWeb Vision before 1.6.0 sends cleartext credentials, which allows remote attackers to obtain sensitive information by sniffing the network.2016-02-0610CVE-2015-7915
sauter -- moduweb_visionSauter EY-WS505F0x0 moduWeb Vision before 1.6.0 allows remote attackers to bypass authentication by leveraging knowledge of a password hash without knowledge of the associated password.2016-02-069.3CVE-2015-7914
Back to top

Medium Vulnerabilities

Primary
Vendor -- Product
DescriptionPublishedCVSS ScoreSource & Patch Info
apple -- iphone_osWebSheet in Apple iOS before 9.2.1 allows remote attackers to read or write to cookies by operating a crafted captive portal.2016-02-015.8CVE-2016-1730
apple -- mac_os_xThe IOAcceleratorFamily2 interface in IOAcceleratorFamily in Apple OS X before 10.11.3 allows local users to gain privileges or cause a denial of service (memory corruption) via unspecified vectors.2016-02-016.9CVE-2016-1718
apple -- safariThe Cascading Style Sheets (CSS) implementation in Apple iOS before 9.2.1 and Safari before 9.0.3 mishandles the "a:visited button" selector during height processing, which makes it easier for remote attackers to obtain sensitive browser-history information via a crafted web site.2016-02-014.3CVE-2016-1728
cisco -- application_policy_infrastructure_controller_enterprise_moduleCross-site scripting (XSS) vulnerability in Cisco Application Policy Infrastructure Controller Enterprise Module (APIC-EM) 1.1 allows remote attackers to inject arbitrary web script or HTML via vectors involving HTML entities, aka Bug ID CSCux15511.2016-02-074.3CVE-2016-1305
cisco -- finesseThe Openfire server in Cisco Finesse Desktop 10.5(1) and 11.0(1) and Unified Contact Center Express 10.6(1) has a hardcoded account, which makes it easier for remote attackers to obtain access via an XMPP session, aka Bug ID CSCuw79085.2016-02-075.5CVE-2016-1307
cisco -- fog_directorMultiple cross-site scripting (XSS) vulnerabilities in Cisco Fog Director 1.0(0) allow remote attackers to inject arbitrary web script or HTML via a crafted parameter, aka Bug ID CSCux80466.2016-02-064.3CVE-2016-1306
cisco -- jabber_guestCross-site scripting (XSS) vulnerability in the management interface in Cisco Jabber Guest Server 10.6(8) allows remote attackers to inject arbitrary web script or HTML via the host tag parameter, aka Bug ID CSCuy08224.2016-02-064.3CVE-2016-1311
cisco -- unified_communications_managerSQL injection vulnerability in Cisco Unified Communications Manager 10.5(2.13900.9) allows remote authenticated users to execute arbitrary SQL commands via a crafted URL, aka Bug ID CSCux99227.2016-02-076.5CVE-2016-1308
cisco -- unity_connectionCross-site scripting (XSS) vulnerability in Cisco Unity Connection 11.5(0.199) allows remote attackers to inject arbitrary web script or HTML via a crafted URL, aka Bug ID CSCuy09033.2016-02-064.3CVE-2016-1310
cisco -- webex_meetings_serverMultiple cross-site scripting (XSS) vulnerabilities in Cisco WebEx Meetings Server 2.5.1.5 allow remote attackers to inject arbitrary web script or HTML via unspecified parameters, aka Bug ID CSCuy01843.2016-02-074.3CVE-2016-1309
cloudbees -- jenkinsCross-site request forgery (CSRF) vulnerability in CloudBees Jenkins before 1.640 and LTS before 1.625.2 allows remote attackers to hijack the authentication of administrators for requests that have unspecified impact via vectors related to the HTTP GET method.2016-02-036.8CVE-2015-7537
cloudbees -- jenkinsCloudBees Jenkins before 1.640 and LTS before 1.625.2 allow remote attackers to bypass the CSRF protection mechanism via unspecified vectors.2016-02-036.8CVE-2015-7538
ffmpeg -- ffmpegThe jpeg2000_decode_tile function in libavcodec/jpeg2000dec.c in FFmpeg before 2.8.6 allows remote attackers to cause a denial of service (out-of-bounds array read access) via crafted JPEG 2000 data.2016-02-034.3CVE-2016-2213
fisher-price -- smart_toy_bearThe API on Fisher-Price Smart Toy Bear devices allows remote attackers to obtain sensitive information or modify data by leveraging presence in an 802.11 network's coverage area and entering an account number.2016-02-046.5CVE-2015-8269
ge -- ups_snmp_web_adapter_firmwareGeneral Electric (GE) Industrial Solutions UPS SNMP/Web Adapter devices with firmware before 4.8 allow remote authenticated users to obtain sensitive cleartext account information via unspecified vectors.2016-02-054CVE-2016-0862
google -- kubernetesThe API server in Kubernetes does not properly check admission control, which allows remote authenticated users to access additional resources via a crafted patched object.2016-02-034CVE-2016-1905
janrain -- php-openidexamples/consumer/common.php in JanRain PHP OpenID library (aka php-openid) improperly checks the openid.realm parameter against the SERVER_NAME element in the SERVER superglobal array, which might allow remote attackers to hijack the authentication of arbitrary users via vectors involving a crafted HTTP Host header.2016-02-016.8CVE-2016-2049
libtiff -- libtifftif_luv.c in libtiff allows attackers to cause a denial of service (out-of-bounds write) via an invalid number of samples per pixel in a LogL compressed TIFF image, a different vulnerability than CVE-2015-8782.2016-02-014.3CVE-2015-8781
libtiff -- libtifftif_luv.c in libtiff allows attackers to cause a denial of service (out-of-bounds writes) via a crafted TIFF image, a different vulnerability than CVE-2015-8781.2016-02-014.3CVE-2015-8782
libtiff -- libtifftif_luv.c in libtiff allows attackers to cause a denial of service (out-of-bounds reads) via a crafted TIFF image.2016-02-014.3CVE-2015-8783
linux -- linux_kernelRace condition in the tty_ioctl function in drivers/tty/tty_io.c in the Linux kernel through 4.4.1 allows local users to obtain sensitive information from kernel memory or cause a denial of service (use-after-free and system crash) by making a TIOCGETD ioctl call during processing of a TIOCSETD ioctl call.2016-02-075.6CVE-2016-0723
linux -- linux_kernelnet/sctp/sm_sideeffect.c in the Linux kernel before 4.3 does not properly manage the relationship between a lock and a socket, which allows local users to cause a denial of service (deadlock) via a crafted sctp_accept call.2016-02-075CVE-2015-8767
linux -- linux_kernelarch/x86/kvm/x86.c in the Linux kernel before 4.4 does not reset the PIT counter values during state restoration, which allows guest OS users to cause a denial of service (divide-by-zero error and host OS crash) via a zero value, related to the kvm_vm_ioctl_set_pit and kvm_vm_ioctl_set_pit2 functions.2016-02-074.9CVE-2015-7513
linux -- linux_kernelThe keyctl_read_key function in security/keys/keyctl.c in the Linux kernel before 4.3.4 does not properly use a semaphore, which allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via a crafted application that leverages a race condition between keyctl_revoke and keyctl_read calls.2016-02-074.9CVE-2015-7550
linux -- linux_kernelThe clie_5_attach function in drivers/usb/serial/visor.c in the Linux kernel through 4.4.1 allows physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact by inserting a USB device that lacks a bulk-out endpoint.2016-02-074.9CVE-2015-7566
linux -- linux_kernelThe fuse_fill_write_pages function in fs/fuse/file.c in the Linux kernel before 4.4 allows local users to cause a denial of service (infinite loop) via a writev system call that triggers a zero length for the first segment of an iov.2016-02-074.9CVE-2015-8785
mcafee -- vulnerability_managerMultiple cross-site request forgery (CSRF) vulnerabilities in the Organizations and Remediation management page in Enterprise Manager in McAfee Vulnerability Manager (MVM) before 7.5.10 allow remote attackers to hijack the authentication of administrators for requests that have unspecified impact via unknown vectors.2016-02-016.8CVE-2016-2199
radicale -- radicaleRadicale before 1.1 allows remote authenticated users to bypass owner_write and owner_only limitations via regex metacharacters in the user name, as demonstrated by ".*".2016-02-035CVE-2015-8748
Back to top

Low Vulnerabilities

Primary
Vendor -- Product
DescriptionPublishedCVSS ScoreSource & Patch Info
cloudbees -- jenkinsCross-site scripting (XSS) vulnerability in CloudBees Jenkins before 1.640 and LTS before 1.625.2 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors related to workspaces and archived artifacts.2016-02-033.5CVE-2015-7536
linux -- linux_kernelThe sco_sock_bind function in net/bluetooth/sco.c in the Linux kernel before 4.3.4 does not verify an address length, which allows local users to obtain sensitive information from kernel memory and bypass the KASLR protection mechanism via a crafted application.2016-02-072.1CVE-2015-8575
sauter -- moduweb_visionCross-site scripting (XSS) vulnerability in Sauter EY-WS505F0x0 moduWeb Vision before 1.6.0 allows remote authenticated users to inject arbitrary web script or HTML via a crafted query.2016-02-063.5CVE-2015-7916
Back to top

Severity Not Yet Assigned

Primary
Vendor -- Product
DescriptionPublishedCVSS ScoreSource & Patch Info
android -- alternaterecentscomponent.javapackages/SystemUI/src/com/android/systemui/recents/AlternateRecentsComponent.java in Setup Wizard in Android 5.1.x before 5.1.1 LMY49G and 6.x before 2016-02-01 does not properly check for device provisioning, which allows physically proximate attackers to bypass the Factory Reset Protection protection mechanism and delete data via unspecified vectors, aka internal bug 25476219.2016-02-06not yet calculatedCVE-2016-0813
android -- get_build_idThe get_build_id function in elf_utils.cpp in Debuggerd in Android 6.x before 2016-02-01 allows attackers to gain privileges via a crafted application that mishandles a Desc Size element in an ELF Note, aka internal bug 25187394.2016-02-06not yet calculatedCVE-2016-0807
android -- getcoverageformat12Integer overflow in the getCoverageFormat12 function in CmapCoverage.cpp in the Minikin library in Android 5.x before 5.1.1 LMY49G and 6.x before 2016-02-01 allows attackers to cause a denial of service (continuous rebooting) via an application that triggers loading of a crafted TTF font, aka internal bug 25645298.2016-02-06not yet calculatedCVE-2016-0808
android -- libmediaplayerserviceInteger overflow in the BnCrypto::onTransact function in media/libmedia/ICrypto.cpp in libmediaplayerservice in Android 6.x before 2016-02-01 allows attackers to obtain sensitive information, and consequently bypass an unspecified protection mechanism, by triggering an improper size calculation, as demonstrated by obtaining Signature or SignatureOrSystem access, aka internal bug 25800375.2016-02-06not yet calculatedCVE-2016-0811
android -- mediaservermedia/libmedia/SoundPool.cpp in mediaserver in Android 4.x before 4.4.4, 5.x before 5.1.1 LMY49G, and 6.x before 2016-02-01 mishandles locking requirements, which allows attackers to gain privileges via a crafted application, as demonstrated by obtaining Signature or SignatureOrSystem access, aka internal bug 25781119.2016-02-06not yet calculatedCVE-2016-0810
android -- phonewindowmanagerThe interceptKeyBeforeDispatching function in policy/src/com/android/internal/policy/impl/PhoneWindowManager.java in Setup Wizard in Android 5.1.x before 5.1.1 LMY49G and 6.0 before 2016-02-01 does not properly check for setup completion, which allows physically proximate attackers to bypass the Factory Reset Protection protection mechanism and delete data via unspecified vectors, aka internal bug 25229538.2016-02-06not yet calculatedCVE-2016-0812
android -- wifi_cleanup_functionUse-after-free vulnerability in the wifi_cleanup function in bcmdhd/wifi_hal/wifi_hal.cpp in Wi-Fi in Android 6.x before 2016-02-01 allows attackers to gain privileges by leveraging access to the local physical environment during execution of a crafted application, aka internal bug 25753768.2016-02-06not yet calculatedCVE-2016-0809
cisco -- application_policy_infrastructure_controllerCisco Application Policy Infrastructure Controller (APIC) devices with software before 1.0(3h) and 1.1 before 1.1(1j) and Nexus 9000 ACI Mode switches with software before 11.0(3h) and 11.1 before 11.1(1j) allow remote authenticated users to bypass intended RBAC restrictions via crafted REST requests, aka Bug ID CSCut12998.2016-02-07not yet calculatedCVE-2016-1302
cisco -- nexusCisco Nexus 9000 Application Centric Infrastructure (ACI) Mode switches with software before 11.0(1c) allow remote attackers to cause a denial of service (device reload) via an IPv4 ICMP packet with the IP Record Route option, aka Bug ID CSCuq57512.2016-02-07not yet calculatedCVE-2015-6398
huawei -- e5186Huawei E5186 4G LTE router with software before V200R001B310D01SP00C00 allows DNS query packets using the static source port, which makes it easier for remote attackers to spoof responses via unspecified vectors.2016-02-01not yet calculatedCVE-2015-8265
isc -- bindrdataset.c in ISC BIND 9 Supported Preview Edition 9.9.8-S before 9.9.8-S5, when nxdomain-redirect is enabled, allows remote attackers to cause a denial of service (REQUIRE assertion failure and daemon exit) via crafted flag values in a query.2016-02-04not yet calculatedCVE-2016-1284
nuplayer -- genericsourceThe NuPlayer::GenericSource::notifyPreparedAndCleanup function in media/libmediaplayerservice/nuplayer/GenericSource.cpp in mediaserver in Android 5.x before 5.1.1 LMY49G and 6.x before 2016-02-01 improperly manages mDrmManagerClient objects, which allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted media file, aka internal bug 25070434.2016-02-06not yet calculatedCVE-2016-0804
openstack -- identityThe identity service in OpenStack Identity (Keystone) before 2015.1.3 (Kilo) and 8.0.x before 8.0.2 (Liberty) and keystonemiddleware (formerly python-keystoneclient) before 1.5.4 (Kilo) and Liberty before 2.3.3 does not properly invalidate authorization tokens when using the PKI or PKIZ token providers, which allows remote authenticated users to bypass intended access restrictions and gain access to cloud resources by manipulating byte fields within a revoked token.2016-02-03not yet calculatedCVE-2015-7546
qualcomm -- androidThe Qualcomm Wi-Fi driver in the kernel in Android 4.x before 4.4.4, 5.x before 5.1.1 LMY49G, and 6.x before 2016-02-01 allows attackers to gain privileges via a crafted application, aka internal bug 25344453.2016-02-06not yet calculatedCVE-2016-0806
qualcomm -- androidThe performance event manager for Qualcomm ARM processors in Android 4.x before 4.4.4, 5.x before 5.1.1 LMY49G, and 6.x before 2016-02-01 allows attackers to gain privileges via a crafted application, aka internal bug 25773204.2016-02-06not yet calculatedCVE-2016-0805
Back to top

This product is provided subject to this Notification and this Privacy & Use policy.

Was this document helpful?  Yes  |  Somewhat  |  No

Back to Top