Next Page >>
Common Vulnerabilities and Exposures
a. JRE Security Update
JRE update to version 1.5.0_20, which addresses multiple security
issues that existed in earlier releases of JRE.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the following names to the security issues fixed in
JRE 1.5.0_18: CVE-2009-1093, CVE-2009-1094, CVE-2009-1095,
CVE-2009-1096, CVE-2009-1097, CVE-2009-1098, CVE-2009-1099,
CVE-2009-1100, CVE-2009-1101, CVE-2009-1102, CVE-2009-1103,
CVE-2009-1104, CVE-2009-1105, CVE-2009-1106, and CVE-2009-1107.
a. Service Console update for COS kernel
Updated COS package "kernel" addresses the security issues that are
fixed through versions 2.6.18-164.11.1.
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the names CVE-2009-2695, CVE-2009-2908, CVE-2009-3228,
CVE-2009-3286, CVE-2009-3547, CVE-2009-3613 to the security issues
fixed in kernel 2.6.18-164.6.1
The Common Vulnerabilities and Exposures project (cve.mitre.org)
display request (direct or via a custom application), leading to a
denial of service (application crash) or, potentially, arbitrary
code execution with the privileges of the user running the
application using the newt library.
The Common Vulnerabilities and Exposures Project (cve.mitre.org)
has assigned the name CVE-2009-2905 to this issue.
The following table lists what action remediates the vulnerability
(column 4) if a solution is available.
hostname(config-tunnel-general)#override-account-disable
Note: The override account feature is disabled by default.
This vulnerability is documented in Cisco Bug ID CSCsx47543 and has
been assigned Common Vulnerabilities and Exposures (CVE) identifiers
CVE-2009-1155.
Crafted HTTP Packet DoS Vulnerability
+------------------------------------
to certain TCP-based services that terminate on the affected appliance.
Although exploitation of this vulnerability requires a TCP three-way
handshake, authentication is not required.
This vulnerability is documented in Cisco bug ID CSCsz77717 and has been
assigned Common Vulnerabilities and Exposures (CVE) ID CVE-2010-0149.
SIP Inspection Denial of Service Vulnerabilities
+-----------------------------------------------
Cisco ASA 5500 Series Adaptive Security Appliances are affected by two
reboot of the guest system.
VMware would like to thank iDefense and Stephen Fewer of Harmony
Security for reporting this issue to us.
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2007-5671 to this issue.
VMware Product Running Replace with/
Product Version on Apply Patch
============ ======== ======= =================
issues that exist in the earlier releases of Microsoft SQL Express.
Customers using other database solutions need not update for
these issues.
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the names CVE-2008-5416, CVE-2008-0085, CVE-2008-0086,
CVE-2008-0107 and CVE-2008-0106 to the issues addressed in MS SQL
Express Service Pack 3.
Column 4 of the following table lists the action required to
Note that with this particular configuration, the device is
vulnerable to attacks coming from the outside interface.
This vulnerability is documented in Cisco Bug ID CSCsm84110
and has been assigned Common Vulnerabilities and Exposures (CVE)
identifier CVE-2008-2055.
2. Crafted TLS Packet Vulnerability
+----------------------------------
VMware would like to thank Jure Skofic and Mitja Kolsek of ACROS
Security (http://www.acrossecurity.com) for reporting this issue
to us.
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2010-1141 to this issue.
Steps needed to remediate this vulnerability:
Guest systems on VMware Workstation, Player, ACE, Server, Fusion
VMware would like to thank Jure Skofic and Mitja Kolsek of ACROS
Security (http://www.acrossecurity.com) for reporting this issue
to us.
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2010-1141 to this issue.
Steps needed to remediate this vulnerability:
Guest systems on VMware Workstation, Player, ACE, Server, Fusion
256 1412 1381 1412
1550 6274 0 0
...
This vulnerability is documented in Cisco bug ID CSCtj04707 and has been
assigned Common Vulnerabilities and Exposures (CVE) ID CVE-2011-0393.
SCCP Inspection Denial of Service Vulnerability
+----------------------------------------------
Cisco ASA 5500 Series Adaptive Security Appliances are affected by a
actions.
VMware would like to thank Julien Bachmann, Shennan Wang, Shinnai,
and Michal Bucko for reporting these issues to us.
The Common Vulnerabilities and Exposures Project (cve.mitre.org)
has assigned the names CVE-2008-3691, CVE-2008-3692,
CVE-2008-3693, CVE-2008-3694, CVE-2008-3695, CVE-2007-5438, and
CVE-2008-3696 to the security issues with VMware ActiveX controls.
VMware Product Running Replace with/
~ VMware would like to thank CORE Security Technologies for
~ working with us on this issue. This addresses advisory
~ CORE-2007-0930.
~ The Common Vulnerabilities and Exposures project (cve.mitre.org)
~ has assigned the name CVE-2008-0923 to this issue.
~ Hosted products
~ ---------------
~ VMware Workstation 6.0 upgrade to version 6.0.3 (Build# 80004)
virtual machines on that host.
VMware would like to thank Andrew Honig of the Department of
Defense for reporting this issue.
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2008-4916 to this issue.
The following table lists what action remediates the vulnerability
(column 4) if a solution is available.
a. ESX third party update for Service Console openssl RPM
The Service Console openssl RPM is updated to
openssl-0.9.8e.12.el5_5.7 resolving two security issues.
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the names CVE-2008-7270 and CVE-2010-4180 to these
issues.
Column 4 of the following table lists the action required to
remediate the vulnerability in each release, if a solution is
Inspect: sip, packet 0, drop 0, reset-drop 0
asa#
These vulnerability is documented in the following Cisco Bug IDs and
has been assigned Common Vulnerabilities and Exposures (CVE)
identifier CVE-2008-2732.
* CSCsq07867
* CSCsq57091
* CSCsk60581
Cisco DMM versions earler than 5.2 have default credentials that could
allow an attacker full control of the installed web applications,
including settings, status, and deployment.
This vulnerability is documented in Cisco Bug ID CSCta03378 and has
been assigned Common Vulnerabilities and Exposures (CVE) identifier
CVE-2010-0570.
Privilege Escalation Vulnerability
+---------------------------------
allow an attacker to obtain the unique, per-message decryption key
that is used to protect the content of an intercepted secure e-mail
message without user interaction. Using the decryption key, an
attacker could decrypt the contents of the secure e-mail message.
This vulnerability is documented in IronPort bug 8062 and has been
assigned Common Vulnerabilities and Exposures (CVE) identifier
CVE-2009-0053.
By modifying the contents of intercepted secure e-mail messages or by
forging a close copy of the e-mail message, it may be possible for an
attacker to convince a user to view a modified secure e-mail message
operating systems that support NTLM version 1, collectively referred to
as "NT servers". NT Domain authentication is supported only for remote
access VPNs.
This vulnerability is documented in Cisco Bug ID CSCsu65735 and has
been assigned Common Vulnerabilities and Exposures (CVE) identifiers
CVE-2008-3815.
IPv6 Denial of Service Vulnerability
+-----------------------------------
directory traversal vulnerability that may allow an authenticated
attacker to view and download arbitrary files from the server that is
hosting the Management Center for Cisco Security Agents.
This vulnerability is documented in Cisco Bug ID CSCtd73275 and has
been assigned the Common Vulnerabilities and Exposures (CVE) identifier
CVE-2010-0146.
Management Center for Cisco Security Agents SQL Injection Vulnerability
+----------------------------------------------------------------------
vulnerabilities. These vulnerabilities can be triggered by using UDP
packets, not TCP.
These vulnerabilities are documented in Cisco bug IDs CSCtc77567,
CSCtc79922, and CSCtc85753; and have been assigned Common Vulnerabilities
and Exposures (CVE) IDs CVE-2010-1578, CVE-2010-1579, and CVE-2010-1580,
respectively.
Transport Layer Security (TLS) Denial of Service Vulnerabilities
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
5060) as the underlying transport protocol. The NAT for SIP DoS
vulnerability can be exploited only with the use of UDP port 5060
packets.
This vulnerability is documented in Cisco bug ID CSCtf17624
and has been assigned Common Vulnerabilities and Exposures (CVE)
ID CVE-2010-2831.
NAT for H.323 DoS Vulnerability
+------------------------------
OpenSSL 0.9.7a-33.24 and earlier does not properly check the return
value from the EVP_VerifyFinal function, which could allow a remote
attacker to bypass validation of the certificate chain via a
malformed SSL/TLS signature for DSA and ECDSA keys.
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2008-5077 to this issue.
The following table lists what action remediates the vulnerability
(column 4) if a solution is available.
The ESX Service Console Operating System (COS) kernel is updated to
kernel-2.6.18-274.3.1.el5 to fix multiple security issues in the
COS kernel.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the names CVE-2011-0726, CVE-2011-1078, CVE-2011-1079,
CVE-2011-1080, CVE-2011-1093, CVE-2011-1163, CVE-2011-1166,
CVE-2011-1170, CVE-2011-1171, CVE-2011-1172, CVE-2011-1494,
CVE-2011-1495, CVE-2011-1577, CVE-2011-1763, CVE-2010-4649,
CVE-2011-0695, CVE-2011-0711, CVE-2011-1044, CVE-2011-1182,
This vulnerability is triggered by malformed transit LDAP traffic
that needs to be processed by the NAT for NetMeeting Directory
feature.
This vulnerability is documented in Cisco bug ID CSCtd10712 and has been
assigned Common Vulnerabilities and Exposures (CVE) ID CVE-2011-0946.
NAT for SIP DoS Vulnerabilities
+------------------------------
Four vulnerabilities in the NAT for SIP feature are described in this
~ This patch fixes a flaw in how the aacraid SCSI driver checked
~ IOCTL command permissions. This flaw might allow a local user
~ on the service console to cause a denial of service or gain
~ privileges. Thanks to Adaptec for reporting this issue.
~ The Common Vulnerabilities and Exposures project (cve.mitre.org)
~ has assigned the name CVE-2007-4308 to this issue.
~ ESX Server 3.0.2 ESX-1003362
~ http://download3.vmware.com/software/vi/ESX-1003362.tgz
~ md5sum: f828e7c1c00c2b32ebd4f14f92febe16
Alexander Sotirov from VMware Security Research discovered a
buffer overflow vulnerability in the OpenPegasus Management server.
This flaw could be exploited by a malicious remote user on the
service console network to gain root access to the service console.
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2007-5360 to this issue.
RPM Updated: pegasus-2.5-552927
VM Shutdown: No
Host Reboot: No
Alexander Sotirov from VMware Security Research discovered a
buffer overflow vulnerability in the OpenPegasus Management server.
This flaw could be exploited by a malicious remote user on the
service console network to gain root access to the service console.
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2007-5360 to this issue.
RPM Updated: pegasus-2.5-552927
VM Shutdown: No
Host Reboot: No
enabled, a remote attacker could send a carefully crafted request
that would cause the Apache child process handling that request to
crash. This could lead to a denial of service if using a threaded
Multi-Processing Module.
The Common Vulnerabilities and Exposures project has assigned the
names CVE-2006-5752, CVE-2007-3304 and CVE-2007-1863 to these issues.
clamav < TSL 3.0.5 > < TSL 3.0 > < TSL 2.2 >
- SECURITY Fix: Some vulnerabilities have been reported in ClamAV,
which can potentially be exploited by malicious people to cause a
a. Service Console update for cpio
The service console package cpio is updated to version 2.5-6.RHEL3.
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the names CVE-2005-4268 and CVE-2010-0624 to the issues
addressed in this update.
Column 4 of the following table lists the action required to
remediate the vulnerability in each release, if a solution is
Next Page>>
|
