CVE-2017-6412
In Sophos Web Appliance (SWA) before 4.3.1.2, Session Fixation could occur, aka NSWA-1310. Date published : 2017-03-30 http://www.securityfocus.com/bid/97261 http://wsa.sophos.com/rn/swa/concepts/ReleaseNotes_4.3.1.2.html
In Sophos Web Appliance (SWA) before 4.3.1.2, a section of the machine’s interface responsible for generating reports was vulnerable to remote command injection via the token parameter, aka NSWA-1303. Date published : 2017-03-30 http://www.securityfocus.com/bid/97261...
In Sophos Web Appliance (SWA) before 4.3.1.2, a section of the machine’s configuration utilities for adding (and detecting) Active Directory servers was vulnerable to remote command injection, aka NSWA-1314. Date published : 2017-03-30 http://www.securityfocus.com/bid/97261...
In Sophos Web Appliance (SWA) before 4.3.1.2, a section of the machine’s interface responsible for generating reports was vulnerable to remote command injection via functions, aka NSWA-1304. Date published : 2017-03-30 http://www.securityfocus.com/bid/97261 http://wsa.sophos.com/rn/swa/concepts/ReleaseNotes_4.3.1.2.html
A vulnerability was discovered in NetIQ Sentinel Server 8.0 before 8.0.1 that may allow remote denial of service. Date published : 2017-03-30 http://www.securityfocus.com/bid/97267 https://www.netiq.com/support/kb/doc.php?id=7018753
A vulnerability was discovered in NetIQ Sentinel Server 8.0 before 8.0.1 that may allow leakage of information (account enumeration). Date published : 2017-03-30 http://www.securityfocus.com/bid/97262 https://www.netiq.com/support/kb/doc.php?id=7018753
DL::dlopen in Ruby 1.8, 1.9.0, 1.9.2, 1.9.3, 2.0.0 before patchlevel 648, and 2.1 before 2.1.8 opens libraries with tainted names. Date published : 2017-03-29 http://www.securityfocus.com/bid/76060 https://bugzilla.redhat.com/show_bug.cgi?id=1248935
In Ambari 1.2.0 through 2.2.2, it may be possible to execute arbitrary system commands on the Ambari Server host while generating SSL certificates for hosts in an Ambari cluster. Date published : 2017-03-29 https://cwiki.apache.org/confluence/display/AMBARI/Ambari+Vulnerabilities#AmbariVulnerabilities-FixedinAmbari2.4.0
The image signature algorithm in OpenStack Glance 11.0.0 allows remote attackers to bypass the signature verification process via a crafted image, which triggers an MD5 collision. Date published : 2017-03-29 https://wiki.openstack.org/wiki/OSSN/OSSN-0061 https://bugs.launchpad.net/glance/+bug/1516031
The string-translate* procedure in the data-structures unit in CHICKEN before 4.10.0 allows remote attackers to cause a denial of service (crash). Date published : 2017-03-29 http://www.securityfocus.com/bid/97293 https://bugzilla.redhat.com/show_bug.cgi?id=1231871
Zimbra Collaboration Suite (ZCS) before 8.7.4 allows remote attackers to conduct XML External Entity (XXE) attacks. Date published : 2017-03-29 http://www.securityfocus.com/bid/97121 https://wiki.zimbra.com/wiki/Security_Center
Cross-site scripting (XSS) vulnerability in Open-Xchange (OX) AppSuite backend before 7.6.2-rev59, 7.8.0 before 7.8.0-rev38, 7.8.2 before 7.8.2-rev8; AppSuite frontend before 7.6.2-rev47, 7.8.0 before 7.8.0-rev30, and 7.8.2 before 7.8.2-rev8; Office Web before 7.6.2-rev16, 7.8.0 before...
The machinectl command in oci-register-machine allows local users to list running containers and possibly obtain sensitive information by running that command. Date published : 2017-03-29 http://www.securityfocus.com/bid/92143 https://bugzilla.redhat.com/show_bug.cgi?id=1360634
Apache Ambari 2.x before 2.4.0 includes KDC administrator passwords on the kadmin command line, which allows local users to obtain sensitive information via a process listing. Date published : 2017-03-29 http://www.securityfocus.com/bid/97229 https://cwiki.apache.org/confluence/display/AMBARI/Ambari+Vulnerabilities#AmbariVulnerabilities-FixedinAmbari2.4.0