Alerts

SecurityFocus · 31 December 2017

Vuln: Apache Wicket CVE-2016-6793 Denial of Service Vulnerability

SANS · 7 hours 36 minutes ago

What is the State of Your Union? (Fri, Sep 22nd)

Regularly the President of the United States delivers the State of the Union address. This practice "fulfills rules in Article II, Section 3 of the U.S. Constitution, requiring the President to periodically give Congress information on the 'state of the union' and recommend any measures that he believes are necessary and expedient."

What if you as an information security leader held an information security State of the Union address with the explicit purpose of educating both your leaders and business partners on your information security program and the areas of focus for the next year? Communicating to those who are not in our area is certainly a challenge; however, the benefits outweigh the effort in several different ways.

By being intentional about sharing the state of your security union, you not only deliver the status of your program but also equip your leaders with information they can quite literally share in environments that your team is not able to attend.

What are some candidates to include in your State of the Union?

  • Effectiveness of your program
  • Opportunities to improve your program
  • Recent achievements
  • Stewardship of your resources
  • How your team supported the objectives of your organization
  • Possible actions that you want others to take
  • A clear call to action to the leaders to increase support, funding, and staffing
  • An opportunity to receive feedback

How are you communicating the State of Your Security Union? Please leave what works in our comments section below!

Russell Eubanks

ISC Handler

SANS Instructor

@russelleubanks

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Linux security Advisories · 22 September 2017

Fedora 25: mpg123 Security Update

LinuxSecurity.com: Update to upstream release 1.25.6
Linux security Advisories · 22 September 2017

Fedora 25: drupal7-views Security Update

LinuxSecurity.com:
  • [7.x-3.18](https://www.drupal.org/project/views/releases/7.x-3.18)
  • [7.x-3.17](https://www.drupal.org/project/views/releases/7.x-3.17)
  • [Moderately Critical - Access Bypass - DRUPAL-SA-CONTRIB-2017-068](https://www.drupal.org/node/2902604)
Linux security Advisories · 22 September 2017

Fedora 25: krb5 Security Update

LinuxSecurity.com:
  • Prevent applications from accidentally implementing CVE-2017-11462 (double free if sec_context is copied).
  • fc26+: Add ccselect hostrealm module for ccache selection based on service hostname.
NVD: all CVE · 22 September 2017

CVE-2017-14694

Foxit Reader 8.3.2.25013 allows attackers to execute arbitrary code or cause a denial of service via a crafted .pdf file, related to "Data from Faulting Address controls Code Flow starting at tiptsf!CPenInputPanel::FinalRelease+0x000000000000002f."
NVD: all CVE · 22 September 2017

CVE-2017-14712

In EPESI 1.8.2 rev20170830, there is Stored XSS in the Tasks Phonecall Notes Title parameter.
NVD: all CVE · 22 September 2017

CVE-2017-14713

In EPESI 1.8.2 rev20170830, there is Stored XSS in the Phonecalls Description parameter.
NVD: all CVE · 22 September 2017

CVE-2017-14714

In EPESI 1.8.2 rev20170830, there is Stored XSS in the Phonecalls Subject parameter.
NVD: all CVE · 22 September 2017

CVE-2017-14715

In EPESI 1.8.2 rev20170830, there is Stored XSS in the Tasks Alerts Title parameter.
NVD: all CVE · 22 September 2017

CVE-2017-14716

In EPESI 1.8.2 rev20170830, there is Stored XSS in the Tasks Title parameter.
NVD: all CVE · 22 September 2017

CVE-2017-14717

In EPESI 1.8.2 rev20170830, there is Stored XSS in the Tasks Description parameter.
NVD: all CVE · 22 September 2017

CVE-2017-14705

DenyAll WAF before 6.4.1 allows unauthenticated remote command execution via TCP port 3001 because shell metacharacters can be inserted into the type parameter to the tailDateFile function in /webservices/stream/tail.php. An iToken authentication parameter is required but can be obtained by exploiting CVE-2017-14706. This affects DenyAll i-Suite LTS 5.5.0 through 5.5.12, i-Suite 5.6, Web Application Firewall 5.7, and Web Application Firewall 6.x before 6.4.1, with On Premises or AWS/Azure cloud deployments.
NVD: all CVE · 22 September 2017

CVE-2017-14706

DenyAll WAF before 6.4.1 allows unauthenticated remote attackers to obtain authentication information by making a typeOf=debug request to /webservices/download/index.php, and then reading the iToken field in the reply. This affects DenyAll i-Suite LTS 5.5.0 through 5.5.12, i-Suite 5.6, Web Application Firewall 5.7, and Web Application Firewall 6.x before 6.4.1, with On Premises or AWS/Azure cloud deployments.
NVD: all CVE · 22 September 2017

CVE-2017-6266

NVIDIA GPU Display Driver contains a vulnerability in the kernel mode layer handler where improper access controls could allow unprivileged users to cause a denial of service.
NVD: all CVE · 22 September 2017

CVE-2017-6267

NVIDIA GPU Display Driver contains a vulnerability in the kernel mode layer handler where an incorrect initialization of internal objects can cause an infinite loop which may lead to a denial of service.
NVD: all CVE · 22 September 2017

CVE-2017-6268

NVIDIA Windows GPU Display Driver contains a vulnerability in the kernel mode layer (nvlddmkm.sys) handler for DxgkDdiEscape where a value passed from a user to the driver is not correctly validated and used as the index to an array which may lead to denial of service or possible escalation of privileges.
NVD: all CVE · 22 September 2017

CVE-2017-6269

NVIDIA Windows GPU Display Driver contains a vulnerability in the kernel mode layer (nvlddmkm.sys) handler for DxgkDdiEscape where a pointer passed from a user to the driver is used without validation which may lead to denial of service or possible escalation of privileges.
NVD: all CVE · 22 September 2017

CVE-2017-6270

NVIDIA Windows GPU Display Driver contains a vulnerability in the kernel mode layer handler for DxgkDdiCreateAllocation where untrusted user input is used as a divisor without validation during a calculation which may lead to a potential divide by zero and denial of service.
NVD: all CVE · 22 September 2017

CVE-2017-6271

NVIDIA Windows GPU Display Driver contains a vulnerability in the kernel mode layer handler for DxgkDdiCreateAllocation where untrusted user input is used as a divisor without validation while processing block linear information which may lead to a potential divide by zero and denial of service.