Next Page >>
solutions
distributed with vCenter Server 4.1 Update 1 and vCenter Update
Manager 4.1 Update 1 is upgraded from SQL Express Service Pack 2
to SQL Express Service Pack 3, to address multiple security
issues that exist in the earlier releases of Microsoft SQL Express.
Customers using other database solutions need not update for
these issues.
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the names CVE-2008-5416, CVE-2008-0085, CVE-2008-0086,
CVE-2008-0107 and CVE-2008-0106 to the issues addressed in MS SQL
The Common Vulnerabilities and Exposures Project (cve.mitre.org)
has assigned the name CVE-2009-2905 to this issue.
The following table lists what action remediates the vulnerability
(column 4) if a solution is available.
VMware Product Running Replace with/
Product Version on Apply Patch
============= ======== ======= =================
VirtualCenter any Windows not affected
CVE-2009-2672, CVE-2009-2673, CVE-2009-2675, CVE-2009-2676,
CVE-2009-2716, CVE-2009-2718, CVE-2009-2719, CVE-2009-2720,
CVE-2009-2721, CVE-2009-2722, CVE-2009-2723, CVE-2009-2724.
The following table lists what action remediates the vulnerability
(column 4) if a solution is available.
VMware Product Running Replace with/
Product Version on Apply Patch
============= ======== ======= =================
vCenter 4.0 Windows Update 1
3. *Vulnerability Description*
WebSphere is IBM's integration software platform. It includes the entire
middleware infrastructure --such as servers, services, and tools--
needed to write, run, and monitor 24x7 industrial-strength, on demand
Web applications and cross-platform, cross-product solutions. WebSphere
Application Server is the base for the infrastructure; everything else
runs on top of it [1].
The administrative console of IBM WebSphere Application Server is
vulnerable to Cross-Site Request Forgery (CSRF) attacks, which can be
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Cisco Security Advisory: CiscoWorks LAN Management Solution Remote
Code Execution Vulnerabilities
Advisory ID: cisco-sa-20110914-lms
Revision 1.0
The following CiscoWorks products with the default Common Services
installed are affected by this vulnerability, due to their underlying
Common Services version:
* CiscoWorks LAN Management Solution
+---------------------------------------------------------------+
| LAN Management Solution Versions | Common Services Versions |
|------------------------------------+--------------------------|
| Prior to 3.2 on Microsoft Windows | Various |
+--------------------------------------------------------------------
Summary
=======
The Cisco Clientless VPN solution as deployed by Cisco ASA 5500
Series Adaptive Security Appliances (Cisco ASA) uses an ActiveX
control on client systems to perform port forwarding operations.
Microsoft Windows-based systems that are running Internet Explorer or
another browser that supports Microsoft ActiveX technology may be
affected if the system has ever connected to a device that is running
CVE-2009-3556, CVE-2009-3889, CVE-2009-3939, CVE-2009-4020,
CVE-2009-4021, CVE-2009-4138, CVE-2009-4141, and CVE-2009-4272 to
the security issues fixed in kernel 2.6.18-164.11.1.
Column 4 of the following table lists the action required to
remediate the vulnerability in each release, if a solution is
available.
VMware Product Running Replace with/
Product Version on Apply Patch
============= ======== ======= =================
|-------------------------------+------------------+----------------|
| CiscoWorks QoS Policy Manager | 4.0, 4.0.1, and | 3.0.5 |
| | 4.0.2 | |
|-------------------------------+------------------+----------------|
| CiscoWorks LAN Management | 2.6 Update | 3.0.5 |
| Solution | | |
|-------------------------------+------------------+----------------|
| CiscoWorks LAN Management | 3.0 | 3.1 |
| Solution | | |
|-------------------------------+------------------+----------------|
| CiscoWorks LAN Management | 3.0 (December | 3.1.1 |
users will not be prompted to upgrade). Note the VI Client will
not show the VMware tools is out of date in the summary tab.
Please see http://tinyurl.com/27mpjo page 80 for details.
The following table lists what action remediates the vulnerability
(column 4) if a solution is available. See above for remediation
details.
VMware Product Running Replace with/
Product Version on Apply Patch
============= ======== ======= =================
users will not be prompted to upgrade). Note the VI Client will
not show the VMware tools is out of date in the summary tab.
Please see http://tinyurl.com/27mpjo page 80 for details.
The following table lists what action remediates the vulnerability
(column 4) if a solution is available. See above for remediation
details.
VMware Product Running Replace with/
Product Version on Apply Patch
============= ======== ======= =================
*Vulnerability Description*
WonderWare is supplier of industrial automation and information software
solutions. According to the company's website [1]: "one third of the
world's plants run Wonderware software solutions. Having sold more than
500,000 software licenses in over 100,000 plants worldwide, Wonderware
has customers in virtually every global industry - including Oil & Gas,
Food & Beverage, Utilities, Pharmaceuticals, Electronics, Metals,
Automotive and more".
5. *Non-vulnerable packages*
. ManageEngine ADSelfService Plus 4.5 Build 4500 and above.
6. *Vendor Information, Solutions and Workarounds*
Core would like to thanks Manikandan.T [2] for giving us the following
detailed information about the way Zoho team has addressed the security
vulnerabilities highlighted in this document.
CVE-2011-2213, CVE-2011-2492, CVE-2011-1780, CVE-2011-2525,
CVE-2011-2689, CVE-2011-2482, CVE-2011-2491, CVE-2011-2495,
CVE-2011-2517, CVE-2011-2519, CVE-2011-2901 to these issues.
Column 4 of the following table lists the action required to
remediate the vulnerability in each release, if a solution is
available.
VMware Product Running Replace with/
Product Version on Apply Patch
============= ======== ======= =================
4. Affected Components Description
==================================
The SAP J2EE Engine is a key component of the SAP NetWeaver application
platform, which enables the development and execution of Java solutions
in SAP
landscapes.
The J2EE Engine is the component on which, for example, the SAP
Enterprise Portal solution is built and executed.
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2008-4916 to this issue.
The following table lists what action remediates the vulnerability
(column 4) if a solution is available.
VMware Product Running Replace with/
Product Version on Apply Patch
============= ======== ======= =================
VirtualCenter any Windows not affected
======================
A remote, unauthenticated user may connect over TCP to the "ctrlservice.exe" or "rep_srv.exe" process and send a specially-crafted
message to cause a heap based buffer overflow, which can result in arbitrary code execution.
Solutions:
===========
The FortiGuard Global Security Research Team released the signature "EMC.RepliStor.Integer.Overflow"
Users should use EMC's Powerlink solution to upgrade to the following EMC RepliStor products:
RepliStor 6.2 SP5: Navigate in Powerlink to Home > Support > Software Downloads and Licensing > Downloads P-R >RepliStor 6.2 SP5
Hi,
Version 6.5.3.12 is still vulnerable.
The only good solution I see here is that AOL will lock down Local Zone.
Ready, AIM, fire! http://aviv.raffon.net/2007/09/25/ReadyAIMFire.aspx
--Aviv.
-----Original Message-----
From: Core Security Technologies Advisories [mailto:advisories@coresecurity.com]
Additional Information:
A potential remote code execution vulnerability exists in Adobe Flash Player10(Flash10h.ocx).
It'll crash browser when Adobe Flash Player(Flash10h.ocx) tries playing a malicious flv video.
Solutions:
* Users should apply the solution provided by Adobe(APSB10-26 http://www.adobe.com/support/security/bulletins/apsb10-26.html ).
* FortiGuard Labs released a signature to protect against this vulnerability.
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the names CVE-2008-7270 and CVE-2010-4180 to these
issues.
Column 4 of the following table lists the action required to
remediate the vulnerability in each release, if a solution is
available.
VMware Product Running Replace with/
Product Version on Apply Patch
========= ======== ======= =================
5. *Non-vulnerable packages*
. Adobe Director 11.5 (Version: 11.5.7.609)
6. *Solutions and Workarounds*
See the Adobe Security Bulletin [1] available at
[http://www.adobe.com/go/apsb10-12/].
4. Affected Components Description
==================================
The SAP J2EE Engine is a key component of the SAP NetWeaver application platform, which enables the development and execution of Java solutions in SAP
landscapes.
The J2EE Engine is the component on which, for example, the SAP Enterprise Portal solution is built and executed.
Paper: Testing the Enterprise Security: Anti-Spam and Anti-Virus Solutions
Abstract:
Enterprise Anti-Spam and Anti-Virus solutions are widely used to protect corporate e-mail servers against various external threats including spamming, viruses, spyware, and phishing attacks. Usually claiming a high rate of malicious message filtering (between 95-99%), it is hard to argue that its main purpose is realized. However, no comprehensive benchmarking on how such security solutions stand against internal attacks is currently available. Relying on various commercial and open-source technologies (Microsoft .NET, MySQL, PHP, Linux, Apache HTTP server, etc.), the majority of Anti-Spam and Anti-Virus enterprise solutions employ Web-based applications to allow remote configuration, administration and management of spam-quarantined e-mails. While Web-based applications are often found to be vulnerable to a wide variety of security vulnerabilities (including SQL Injection, Cross-Site Scripting, Denial of Service, Privilege Escalation, etc.), such enterprise security solution
s make unfortunately no exception.
This paper highlights the need of vendor-certified security testing for Anti-Spam and Anti-
Virus enterprise solutions, in order to protect it against internal attacks. In a structured effort to benchmark and potentially improve various enterprise security products, the author’s recent research done in collaboration with Data Communication Security Laboratory from University of Limerick, (Ireland) is presented. Various security vulnerabilities identified in high-profile enterprise Anti-Spam and Anti-Virus products commercialized by vendors such as Marshal8e6 [1], Barracuda Networks [2], and Symantec [3] are discussed, while the implications of vulnerabilities exploitation and the risks for the enterprise are analyzed.
Additional Information
+---------------------
Cisco Secure ACS provides a comprehensive, identity-based access
control solution for Cisco intelligent information networks. It is
the integration and control layer for managing enterprise network
users, administrators, and the resources of the network
infrastructure.
Described in RFC2865, RADIUS is a distributed client/server system
CVE Name: N/A
*Vulnerability Description*
vBulletin [1] is a community forum solution for a wide range of users,
including industry leading companies. A XSS vulnerability has been
discovered that could allow an attacker to carry out an action
impersonating a legal user, or to obtain access to a user's account.
This flaw allows unauthorized disclosure and modification of
information, and it allows disruption of service.
CitectSCADA (Supervisory Control and Data Acquisition) is a system with
the primary function of collecting data and providing an interface to
control equipment such as Programmable Logic Controllers (PLCs), Remote
Terminal Units (RTUs) etc. with an integrated Human Machine Interface
(HMI) / SCADA solution to deliver a scalable and reliable control and
monitoring system. The system is composed by software installed on
standard computer equipment running on commercial-of-the-shelf Microsoft
Windows operating systems.
A vulnerability was found in CitectSCADA that could allow a remote
__________________________________________________________________
Insomnia Security Vulnerability Advisory: ISVA-080516.2
___________________________________________________________________
Name: Altiris Deployment Solution - Domain Account Disclosure
Released: 16 May 2008
Vendor Link:
http://www.altiris.com/
*Non-vulnerable Packages*
*Vendor Information, Solutions and Workarounds*
Contact the vendor for fix information.
*Credits*
. The Wiki Server is also available for Mac OS X v10.5 (Leopard).
*Non-vulnerable Packages*
View section "Vendor Information, Solutions and Workarounds".
*Vendor Information, Solutions and Workarounds*
Apple security updates are available via the Software Update mechanism:
CVE Name: None currently assigned
*Vulnerability Description*
CORE FORCE is the first community oriented security solution for personal
computers that provides a comprehensive endpoint security solution for
Windows 2000 and Windows XP systems.
CORE FORCE provides inbound and outbound stateful packet filtering for
TCP/IP protocols using a Windows port of OpenBSD's PF firewall, granular
Next Page>>
|
