
VMSA-2008-0014 Updates to VMware Workstation, VMware Player, VMware ACE, VMware Server, VMware ESX address information disclosure, privilege escalation and other security issues.

      CVE-2008-3696 to the security issues with VMware ActiveX controls.

      VMware         Product   Running  Replace with/
      Product        Version   on       Apply Patch
      =============  ========  =======  =================
      VirtualCenter  any       Windows  not affected

      Workstation    6.x       Windows  6.0.5 build 109488 or later
      Workstation    6.x       Linux    not affected
      Workstation    5.x       Windows  5.5.8 build 108000 or later
      Workstation    5.x       Linux    not affected

VMSA-2010-0004 ESX Service Console and vMA third party updates

    (column 4) if a solution is available.

    VMware         Product   Running  Replace with/
    Product        Version   on       Apply Patch
    =============  ========  =======  =================
    VirtualCenter  any       Windows  not affected

    hosted *       any       any      not affected

    ESXi           any       ESXi     not affected


VMSA-2009-0005 VMware Hosted products, VI Client and patches for ESX and ESXi resolve multiple security issues

    (column 4) if a solution is available.

    VMware         Product   Running  Replace with/
    Product        Version   on       Apply Patch
    =============  ========  =======  =================
    VirtualCenter  any       Windows  not affected

    Workstation    6.5.x     any      6.5.1 build 126130 or later
    Workstation    6.0.x     any      upgrade to at least 6.5.1
    Workstation    5.5.x     any      5.5.9 build 126128 or later


VMSA-2009-0016 VMware vCenter and ESX update release and vMA patch release address multiple security issue in third party components

    VMware         Product   Running  Replace with/
    Product        Version   on       Apply Patch
    =============  ========  =======  =================
    vCenter        4.0       Windows  Update 1
    VirtualCenter  2.5       Windows  affected, patch pending
    VirtualCenter  2.0.2     Windows  affected, patch pending

    Workstation    any       any      not affected

    Player         any       any      not affected

VMSA-2010-0007 VMware hosted products, vCenter Server and ESX patches resolve multiple security issues

    details.

    VMware         Product   Running  Replace with/
    Product        Version   on       Apply Patch
    =============  ========  =======  =================
    VirtualCenter  any       Windows  not affected

    Workstation    7.x       any      not affected
    Workstation    6.5.x     any      6.5.4 build 246459 or later

    Player         3.x       any      not affected

VMSA-2011-0003 Third party component updates for VMware vCenter Server, vCenter Update Manager, ESXi and ESX

    VMware         Product   Running  Replace with/
    Product        Version   on       Apply Patch
    =============  ========  =======  =================
    vCenter        4.1       Windows  Update 1
    vCenter        4.0       Windows  affected, patch pending
    VirtualCenter  2.5       Windows  affected, no patch planned

    Update Manager 4.1       Windows  Update 1
    Update Manager 4.0       Windows  affected, patch pending
    Update Manager 1.0       Windows  affected, no patch planned

Evasion attacks exploiting file-parsing vulnerabilities in antivirus products

Multiple file-parsing vulnerabilities leading to evasion in different antivirus (AV) products. All
affected products are command-line versions of the AVs.

----------------------------
Vulnerability Descriptions
----------------------------

1. Specially crafted infected POSIX TAR files with "[aliases]" as the first 9 bytes
   evade detection.

Cisco Security Advisory: Multiple Vulnerabilities in Cisco ASA 5500 Series Adaptive Security Appliances

+---------------------------------------------------------------------

Summary
=======

Cisco ASA 5500 Series Adaptive Security Appliances are affected by the
following vulnerabilities:

  * TCP Connection Exhaustion Denial of Service Vulnerability
  * Session Initiation Protocol (SIP) Inspection Denial of Service
    Vulnerabilities

Cisco Security Advisory: Multiple Vulnerabilities in Cisco ASA 5500 Series Adaptive Security Appliances and Cisco Catalyst 6500 Series ASA Services Module

Summary
=======

Cisco ASA 5500 Series Adaptive Security Appliances (ASA) and Cisco
Catalyst 6500 Series ASA Services Module (ASASM) are affected by the
following vulnerabilities:

  * Cisco ASA UDP Inspection Engine Denial of Service Vulnerability
  * Cisco ASA Threat Detection Denial of Service Vulnerability
  * Cisco ASA Syslog Message 305006 Denial of Service Vulnerability

VMSA-2010-0005 VMware products address vulnerabilities in WebAccess

    control of a server on the same network as the system where
    WebAccess is being used.

    Workaround
    By switching off WebAccess the issue can no longer be exploited.
    This can be accomplished on affected versions of Virtual Center and
    ESX as follows:
     
    Virtual Center 2.0.2 and Virtual Center 2.5:
      Go to the Windows Services overview on the system that runs
      Virtual Center.

VMSA-2010-0018 VMware hosted products and ESX patches resolve multiple security issues

    The way temporary files are handled by the mounting process could
    result in a race condition. This issue could allow a local user on
    the host to elevate their privileges.

    VMware Workstation and Player running on Microsoft Windows are not
    affected.

    The Common Vulnerabilities and Exposures project (cve.mitre.org)
    has assigned the name CVE-2010-4295 to this issue.

    VMware would like to thank Dan Rosenberg for reporting this issue.

VMSA-2010-0009 ESXi ntp and ESX Service Console third party updates

    available.

    VMware         Product   Running  Replace with/
    Product        Version   on       Apply Patch
    =============  ========  =======  =================
    VirtualCenter  any       Windows  not affected

    hosted *       any       any      not affected

    ESXi           any       ESXi     not affected


VMSA-2008-0009 Updates to VMware Workstation, VMware Player, VMware ACE, VMware Fusion, VMware Server, VMware VIX API, VMware ESX, VMware ESXi resolve critical security issues

    is running, as this is a guest driver vulnerability and not a
    vulnerability on the host.

    The HGFS.sys driver is present in the guest operating system if the
    VMware Tools package is loaded.  Even if the host has HGFS disabled
    and has no shared folders, Windows-based guests may be affected. This
    is regardless if a host supports HGFS.

    This issue could be mitigated by removing the VMware Tools package
    from Windows based guests.  However this is not recommended as it
    would impact usability of the product.

Cisco Security Advisory: Cisco IOS Software IPS and Zone-Based Firewall Vulnerabilities

Cisco IOS Software Security Advisory Bundled Publication" at the
following link:

http://www.cisco.com/web/about/security/intelligence/Cisco_ERP_sep11.html

Affected Products
=================

Vulnerable Products
+------------------


Cisco Security Advisory: Cisco IOS Software Session Initiation Protocol Denial of Service Vulnerabilities

=======

Multiple vulnerabilities exist in the Session Initiation Protocol
(SIP) implementation in Cisco IOS Software and Cisco IOS XE Software
that could allow an unauthenticated, remote attacker to cause a
reload of an affected device or trigger memory leaks that may result
in system instabilities. Affected devices would need to be configured
to process SIP messages for these vulnerabilities to be exploitable.

Cisco has released free software updates that address these
vulnerabilities. There are no workarounds for devices that must run

Cisco Security Advisory: Multiple Vulnerabilities in Cisco ASA 5500 Series Adaptive Security Appliances

+---------------------------------------------------------------------

Summary
=======

Cisco ASA 5500 Series Adaptive Security Appliances are affected by
multiple vulnerabilities as follows:

  * Three SunRPC Inspection Denial of Service Vulnerabilities
  * Three Transport Layer Security (TLS) Denial of Service
    Vulnerabilities

Cisco Security Advisory: Cisco IOS Software Border Gateway Protocol 4-Byte Autonomous System Number Vulnerabilities

Recent versions of Cisco IOS Software support RFC4893 ("BGP Support
for Four-octet AS Number Space") and contain two remote denial of
service (DoS) vulnerabilities when handling specific Border Gateway
Protocol (BGP) updates.

These vulnerabilities affect only devices running Cisco IOS Software
with support for four-octet AS number space (hereafter referred to as
4-byte AS number) and BGP routing configured.

The first vulnerability could cause an affected device to reload when
processing a BGP update that contains autonomous system (AS) path

Cisco Security Advisory: Cisco ASA 5500 Series Adaptive Security Appliance Clientless VPN ActiveX Control Remote Code Execution Vulnerability

The Cisco Clientless VPN solution as deployed by Cisco ASA 5500
Series Adaptive Security Appliances (Cisco ASA) uses an ActiveX
control on client systems to perform port forwarding operations.
Microsoft Windows-based systems that are running Internet Explorer or
another browser that supports Microsoft ActiveX technology may be
affected if the system has ever connected to a device that is running
the Cisco Clientless VPN solution. A remote, unauthenticated attacker
who could convince a user to connect to a malicious web page could
exploit this issue to execute arbitrary code on the affected machine
with the privileges of the web browser.


VMSA-2008-0016 VMware Hosted products, VirtualCenter Update 3 and patches for ESX and ESXi resolve multiple security issues

    this issue on the guest operating system does not lead to a
    compromise of the host system but could lead to a privilege
    escalation on guest operating system.  An attacker would need to
    have a user account on the guest operating system.

    Affected
    64-bit Windows and 64-bit FreeBSD guest operating systems and
    possibly other 64-bit operating systems. The issue does not
    affect the 64-bit versions of Linux guest operating systems.

    VMware would like to thank Derek Soeder for discovering

Cisco Security Advisory: Multiple Vulnerabilities in Cisco TelePresence Recording Server

  * Unauthenticated XML-RPC Interface

Duplicate Issue Identification in Other Cisco TelePresence Advisories
+--------------------------------------------------------------------

The Unauthenticated Java Servlet Access vulnerability affects the
Cisco TelePresence Multipoint Switch and Recording Server. The defect
that is related to each component is covered in each associated
advisory. The Cisco Bug IDs for these defects are as follows:

  * Cisco TelePresence Multipoint Switch - CSCtf42008

Cisco Security Advisory: Cisco IOS Software Session Initiation Protocol Denial of Service Vulnerabilities

Summary
=======

Multiple vulnerabilities exist in the Session Initiation Protocol
(SIP) implementation in Cisco IOS Software that could allow an
unauthenticated, remote attacker to cause a reload of an affected
device when SIP operation is enabled.

Cisco has released free software updates that address these
vulnerabilities. There are no workarounds for devices that must run
SIP; however, mitigations are available to limit exposure to the

Cisco Security Advisory: Cisco IOS Software Multiple Features Crafted TCP Sequence Vulnerability

Summary
=======

Cisco IOS Software contains a vulnerability in multiple features
that could allow an attacker to cause a denial of service (DoS)
condition on the affected device. A sequence of specially crafted TCP
packets can cause the vulnerable device to reload.

Cisco has released free software updates that address this
vulnerability.


Cisco Security Advisory: Cisco 10000 Series Denial of Service Vulnerability

+---------------------------------------------------------------------

Summary
=======

The Cisco 10000 Series Router is affected by a denial of service
(DoS) vulnerability that can allow an attacker to cause a device
reload by sending a series of ICMP packets.

Cisco has released free software updates that address this
vulnerability.

VMSA-2010-0013 VMware ESX third party updates for Service Console

    available.  

    VMware         Product   Running  Replace with/
    Product        Version   on       Apply Patch
    =============  ========  =======  =================
    VirtualCenter  any       Windows  not affected

    hosted *       any       any      not affected

    ESXi           any       ESXi     not affected


Cisco Security Advisory: Multiple Vulnerabilities in Cisco TelePresence Multipoint Switch

  * Real-Time Transport Control Protocol Denial of Service
  * XML-Remote Procedure Call (RPC) Denial of Service

Duplicate Issue Identification in Other Cisco TelePresence Advisories

The Unauthenticated Java Servlet Access vulnerability affects the
Cisco TelePresence Multipoint Switch and Recording Server. The defect
as related to each component is covered in each associated advisory.
The Cisco bug IDs for these defects are as follows:

  * Cisco TelePresence Multipoint Switch - CSCtf42008

Cisco Security Advisory: Cisco IOS Software Smart Install Remote Code Execution Vulnerability

=======

A vulnerability exists in the Smart Install feature of Cisco Catalyst
Switches running Cisco IOS Software that could allow an
unauthenticated, remote attacker to perform remote code execution on
the affected device.

Cisco has released free software updates that address this
vulnerability.

There are no workarounds available to mitigate this vulnerability

Cisco Security Advisory: Multiple Vulnerabilities in the Cisco ACE Application Control Engine Module and Cisco ACE 4710 Application Control Engine

  * HTTP, RTSP, and Session Initiation Protocol (SIP) inspection DoS
    vulnerability
  * Secure Socket Layer (SSL) DoS vulnerability
  * SIP inspection DoS vulnerability

Cisco has released free software updates for affected customers.
Workarounds that mitigate some of the vulnerabilities are available.

Note: These vulnerabilities are independent of each other. A device
may be affected by one vulnerability and not affected by another.


Cisco Security Advisory: Cisco Content Services Gateway Denial of Service Vulnerability

A denial of service (DoS) vulnerability exists in the Cisco Content
Services Gateway - Second Generation, that runs on the Cisco Service
and Application Module for IP (SAMI). An unauthenticated, remote
attacker could exploit this vulnerability by sending a series of
crafted ICMP packets to an affected device. Exploitation could cause
the device to reload.

There are no workarounds available to mitigate exploitation of this
vulnerability other than blocking ICMP traffic destined to the
affected device.


Copyright © 1995-2013 LinuxRocket.net. All rights reserved.
