This report is a daily analysis of all published vulnerabilities in any product, weaknesses in technologies, exploits Internet wide, current internet threats associated with platforms and products our customer use, and if any action is required to protect their assets from these these vulnerabilities, weaknesses and exploits depending on the Atomicorp product they are using.
Please see this forum post for an explanation of the categories used in this report.
Note: CVEs are sometimes created after a vulnerability is published (sometimes far after it has been made public). When CVEs are referenced, it is because a CVE was created today, not because an issue was resolved today, and it is included here for reference.
ASL users
Summary: If you use socat, see note below, otherwise no action required.
Already protect against/Known Method/No update required
eClinicalWorks Population Health (CCMR) SQL Injection / CSRF / XSS
Netlife Photosuite Pro - Client Side Cross Site Scripting Vulnerability
iScripts EasyCreate 3.0 – SQL, XSS and Remote Code Execution Vulnerabilities
CVE-2015-7884
CVE-2015-8543
Not already protected against/New Method/Update Available
None.
Not already protected against/Doesnt protect against/Solution
None.
Potential Vulnerability/Solution
Socat – if you use socat, a vulnerability was discovered in the implementation to establish encrypted connections. The effective cryptographic strength of a key generated by these versions would be weak. Additional details are available at http://www.openwall.com/lists/oss-security/2016/02/01/4. A patch is available.
Rules only users
Summary: Several potential vulnerabilities exist for rules only users:
1) Non-ASL systems using the Linux 4.3.3 kernel are vulnerable to an information disclosure attack.
2) Summary: If you use socat, see note below.
Already protect against/Known Method/No update required
eClinicalWorks Population Health (CCMR) SQL Injection / CSRF / XSS
Netlife Photosuite Pro - Client Side Cross Site Scripting Vulnerability
iScripts EasyCreate 3.0 – SQL, XSS and Remote Code Execution Vulnerabilities
Not already protected against/New Method/Update Available
None.
Not already protected against/Doesnt protect against/Solution
CVE-2015-7884 – Newer Linux kernels (4.3.3) does not initialize a certain structure member, which allows local users to obtain sensitive information from kernel memory via a crafted application. Please contact your Linux kernel vendor for a patch.
CVE-2015-8543 – There is a remote kernel vulnerability in non-ASL Linux kernels that may lead to arbitrary code execution and privileges escalation vulnerability or to kernel panic (denial of service).
Potential Vulnerability/Solution
Socat – if you use socat, a vulnerability was discovered in the implementation to establish encrypted connections. The effective cryptographic strength of a key generated by these versions would be weak. Additional details are available at http://www.openwall.com/lists/oss-security/2016/02/01/4. A patch is available.