Threat/Vulnerability report week of March 12th

Security announcements of interest to the AtomiCorp community, such as vulnerabilities in third party applications.

mikeshinn
Atomicorp Staff - Site Admin

Post by mikeshinn

We're changing the date of the weekly reports to the week in which the report is released due to customer feedback.

This report is an analysis of all published vulnerabilities in any product, weaknesses in technologies, exploits Internet wide, and current internet threats associated with platforms and products our customers use for the previous week. This report is for historical purposes. If a vulnerability requires customer action, customers will be notified at that time.

This report documents whether any action was required to protect customer assets from these vulnerabilities, weaknesses and exploits depending on the Atomicorp product(s) they are using. If action was required, a separate report would have been posted on that day.

Please see this forum post for an explanation of the categories used in this report.

CVEs are sometimes created after a vulnerability is published (sometimes far after it has been made public). When CVEs are referenced, it is because a CVE was created today, not because an issue was resolved today, and it is included here for reference.

ASL users

Summary: No update required. ASL systems were already immune to all published vulnerabilities this week.

Already protected against/Known Method/No update required

Redaxo CMS Addon MyEvents 2.2.1 SQL Injection
Magento Product Attributes Cross Site Scripting
Magento Downloadable Products Cross Site Scripting
Magento Backups Cross Site Request Forgery
Magento User Info Cross Site Scripting
OTRS Command Injection
HPE System Management 7.6.0.11 Cross Site Scripting
Red Hat Security Advisory 2018-0380-01: Red Hat CloudForms Management Engine stored XSS
Routers2 2.24 Cross Site Scripting
antMan <= 0.9.0c Authentication Bypass
Bravo Tejari Web Portal Cross Site Scripting
TestLink Open Source Test Management Remote Code Execution
uWSGI Directory Traversal
TestLink Open Source Test Management Insecure Direct Object Reference
AxxonSoft Axxon Next Directory Traversal
CVE-2017-8824
CVE-2017-7890
Linux Kernel _sctp_make_chunk() Denial Of Service
Red Hat Security Advisory 2018-0377-01: Quagga Double free vulnerability arbitrary code execution

New Method/Update Available

No updates required for vulnerabilities released this week.

Doesn't protect against/Solution

None.

Potential Vulnerability/Solution

None.

Rules only users

Summary: No update required. However, a number of system level vulnerabilities were published during the period that a WAF can not defend against. Additional security controls are required to defend against these vulnerabilities.

Already protected against/Known Method/No update required

Redaxo CMS Addon MyEvents 2.2.1 SQL Injection
Magento Product Attributes Cross Site Scripting
Magento Downloadable Products Cross Site Scripting
Magento Backups Cross Site Request Forgery
Magento User Info Cross Site Scripting
OTRS Command Injection
HPE System Management 7.6.0.11 Cross Site Scripting
Red Hat Security Advisory 2018-0380-01: Red Hat CloudForms Management Engine stored XSS
Routers2 2.24 Cross Site Scripting
antMan <= 0.9.0c Authentication Bypass
Bravo Tejari Web Portal Cross Site Scripting
TestLink Open Source Test Management Remote Code Execution
uWSGI Directory Traversal
TestLink Open Source Test Management Insecure Direct Object Reference
AxxonSoft Axxon Next Directory Traversal
New Method/Update Available

No updates required for vulnerabilities released this week.

Doesn't protect against/Solution

Modsecurity can not protect against system-level vulnerabilities (no WAF can). The following is a list of vulnerabilities that were published during the period that require additional security controls to protect against, such as ASL (which protects against all of the vulnerabilities below):

CVE-2017-8824
CVE-2017-7890
Linux Kernel _sctp_make_chunk() Denial Of Service
Red Hat Security Advisory 2018-0377-01: Quagga Double free vulnerability arbitrary code execution

Potential Vulnerability/Solution

None this week.