Daily updates on CVEs

Security announcements of interest to the Atomicorp community, such as vulnerabilities in third party applications.

mikeshinn
Atomicorp Staff - Site Admin
Posts: 4149
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

Post by mikeshinn »

We've had customers ask us over the years if we produce a changelog for new vulnerabilities (and CVEs) like some other security companies do. We haven't done that, because we usually don't have to release any updates when a new vulnerability is discovered. This is part of our design philosophy: target methods, not vulnerabilities. Real security is preventing exploitation of vulnerabilities before they're even introduced, not patching or releasing something new after 0days are released.

This means we and our customers don't have to chase the latest vulnerability and play catch up with the bad guys, who, let's face it, already know about these new vulnerabilities. Which is why we've always tried to look ahead and build our products around methods, meaning that when a new vulnerability uses a known method (like SQL injection, or buffer overflows), we don't have to release an update and all our customers are already protected.

When a new method of attack comes out, and that requires an update, we've always posted an alert about that.

But we realize that for some users it's necessary to know specifically if a new vulnerability is something ASL or our modsecurity rules already protect against. Which means we need a way to communicate what vulnerabilities you don't need to worry about (because you're already immune) and also which ones represent something novel that requires an update from us. We're thinking of using these four categories:

Already protect against/Known Method/No update required

The product is configured with the default protections enabled, and with all default features installed and enabled. For example, with ASL, this means the ASL secure kernel is installed and enabled.

New Method/Update Available

This means a new method has been published, and a new countermeasure is required to address it. Users should install the latest updates.

Doesn't protect against/Solution

This would include either vulnerabilities that a particular product can't protect against (for example, rules-only users and vulnerabilities in things other than web applications), or more fundamental vulnerabilities that can't be addressed on the server itself.

Potential Vulnerability/Solution

Something that a product could protect against, if configured to do so, but is not configured to do this by default. Or may require installation of an update from a vendor.

So starting this week, we're going to post lists of CVEs and vulnerabilities (when a CVE hasn't been issued) that are published that day and their status within our products. Just for today, we're going to include everything that's come out in the past week as well.

ASL users

Summary: No update required, you are already immune from all vulnerabilities/CVEs below

Already protect against/Known Method/No update required

PHP Melody CMS v2.3 SQL injection
RW::Download 4.0.8 File Inclusion / SQL Injection
EasyCafe Server 2.2.14 Remote File Read
Bigware Shop 2.3.01 Cross Site Scripting / File Upload
Bigware Shop 2.3.01 Local File Inclusion
Backshell Web Shell Cross Site Request Forgery
EasyCafe Server <= 2.2.14 Remote File Read
esoTalk 1.0.0g4: XSS
CouchCMS 1.4.5: Code Execution
CouchCMS 1.4.5: XSS & Open Redirect
Grawlix 1.0.3: CSRF
Grawlix 1.0.3: Code Execution
Grawlix 1.0.3: XSS
Arastta 1.1.5: XSS
Arastta 1.1.5: SQL Injection
PhpSocial v2.0.0304: CSRF
PhpSocial v2.0.0304: XSS
Wordpress Content Text Slider on Post 6.8 - Persistent Vulnerability
Lithium Forum - (previewImages) Persistent Vulnerability
CVE-2013-7446
CVE-2015-6004
CVE-2015-6005
CVE-2015-6537
CVE-2015-6538
CVE-2015-7509
CVE-2015-7783
CVE-2015-7884
CVE-2015-8669
Beezfud Remote Code Execution
Ovidentia Module online 2.8 GLOBALS[babAddonPhpPath] Remote File Include Vulnerability
CVE-2015-8668

New Method/Update Available

None.

Not already protected against/Doesn't protect against/Solution

None.

Potential Vulnerability/Solution

None.

Rules only users

Summary: See below for OS level vulnerabilities that a WAF will not protect against.

Already protect against/Known Method/No update required

PHP Melody CMS v2.3 SQL injection
RW::Download 4.0.8 File Inclusion / SQL Injection
EasyCafe Server 2.2.14 Remote File Read
Bigware Shop 2.3.01 Cross Site Scripting / File Upload
Bigware Shop 2.3.01 Local File Inclusion
Backshell Web Shell Cross Site Request Forgery
EasyCafe Server <= 2.2.14 Remote File Read
esoTalk 1.0.0g4: XSS
CouchCMS 1.4.5: Code Execution
CouchCMS 1.4.5: XSS & Open Redirect
Grawlix 1.0.3: CSRF
Grawlix 1.0.3: Code Execution
Grawlix 1.0.3: XSS
Arastta 1.1.5: XSS
Arastta 1.1.5: SQL Injection
PhpSocial v2.0.0304: CSRF
PhpSocial v2.0.0304: XSS
Wordpress Content Text Slider on Post 6.8 - Persistent Vulnerability
Lithium Forum - (previewImages) Persistent Vulnerability
CVE-2015-6004
CVE-2015-6005
CVE-2015-6537
CVE-2015-6538
CVE-2015-7783
CVE-2015-8669
Beezfud Remote Code Execution
Ovidentia Module online 2.8 GLOBALS[babAddonPhpPath] Remote File Include Vulnerability

New Method/Update Available

None.

Not already protected against/Doesn't protect against/Solution

CVE-2013-7446 - ASL protects against this method
CVE-2015-7509 - ASL protects against this method
CVE-2015-7884 - ASL protects against this method
CVE-2015-7990 - ASL protects against this method
CVE-2015-8668 - ASL protects against this method

Potential Vulnerability/Solution

None.

Your thoughts appreciated about the best way to communicate this information. We don't like the idea of creating more work for anyone, so we don't want to create a report you need to read every day either.