@RISK: The Consensus Security Vulnerability Alert

Volume: X, Issue: 26
July 21, 2011

@RISK is the SANS community's consensus bulletin summarizing the most important vulnerabilities and exploits identified during the past week and providing guidance on appropriate actions to protect your systems (PART I). It also includes a comprehensive list of all new vulnerabilities discovered in the past week (PART II).

Summary of the vulnerabilities reported this week:

Platform                              Number of Updates and Vulnerabilities
------------------------------        -------------------------------------
Third Party Windows Apps                              3
Linux                                                 1
Solaris                                               1
Cross Platform                                       14 (#1, #2, #3)
Web Application - SQL Injection                       2
Web Application                                       4
Network Device                                        1
Hardware                                              1

*************************** Sponsored By SANS **************************

Two-day workshop on the Art and Science of Baking Security into Applications and Networks - listen to techniques leading companies have used which have provided IT architects and engineers knowledge to ensure security is considered in every step of the development life cycle. SANS Baking Security into Applications and Networks Workshop, Washington DC, August 29 -30. http://www.sans.org/info/82469

*************************************************************************

TRAINING UPDATE

--SANS Boston 2011, Boston, MA, August 8-15, 2011. 12 courses. Bonus evening presentations include When Prevention Fails: Extending IR and Digital Forensics Capabilities to the Corporate Network; and More Practical Insights on the 20 Critical Controls. http://www.sans.org/boston-2011/

--SANS Virginia Beach 2011, August 22 - September 2, 2011. 11 courses. Bonus evening presentations include SANS Hacklab; Offensive Countermeasures; and Evolving VoIP Threats. http://www.sans.org/virginia-beach-2011/

--SANS Ottawa 2011, Ottawa, Ontario, August 28 - September 2, 2011. 6 courses. Bonus evening presentations include DNS Sinkhole: Peer Into Your Network While You Sleep; and I See What You Did There: Forensic Time Line Analysis. http://www.sans.org/ottawa-2011/

--SANS Network Security 2011, Las Vegas, NV, September 17-26, 2011. 45 courses. Bonus evening presentations include Securing the Kids; Who is Watching the Watchers?; and Emerging Trends in the Law of Information Security and Investigations. http://www.sans.org/network-security-2011/

--SANS Chicago 2011, Chicago, IL, October 23-28, 2011. 6 courses. Bonus evening presentations include Computer Forensics in the Virtual Realm and Electrical Grid Security. http://www.sans.org/chicago-2011/

--Looking for training in your own community? http://sans.org/community/

Save on On-Demand training (30 full courses) - See samples at http://www.sans.org/ondemand/discounts.php#current

Plus Melbourne, Tokyo, Delhi, London and Baltimore all in the next 90 days. For a list of all upcoming events, on-line and live: http://www.sans.org/index.php

****************************************************************************

Table Of Contents

Part I -- Critical Vulnerabilities from TippingPoint (www.tippingpoint.com)
Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com)
    Third Party Windows Apps
    Linux
    Solaris
    Cross Platform
    Web Application - SQL Injection
    Web Application
    Network Device
    Hardware

    PART I Critical Vulnerabilities

    Part I for this issue has been compiled by Josh Bronson at TippingPoint, a division of HP, as a by-product of that company's continuous effort to ensure that its intrusion prevention products effectively block exploits using known vulnerabilities. TippingPoint's analysis is complemented by input from a council of security managers from twelve large organizations who confidentially share with SANS the specific actions they have taken to protect their systems. A detailed description of the process may be found at http://www.sans.org/newsletters/risk/#process

    *************************************************************

    Widely Deployed Software
    • (1) HIGH: Oracle Multiple Products Multiple Vulnerabilities
    • Affected:
      • Oracle Secure Backup
      • Oracle Fusion Middleware
    • Description: Oracle has released patches for multiple vulnerabilities affecting its products. Oracle Secure Backup, which provides centralized tape backup management for heterogeneous servers, has been patched to address an unspecified vulnerability that can be exploited remotely over HTTP. An unauthenticated attacker can exploit it to completely compromise the integrity of a target Windows system; the vulnerability is less severe on Linux, Unix and other platforms. Oracle has also released a patch for Fusion Middleware, an application platform that runs on multiple operating systems. Oracle JRockit, Oracle's JVM (Java Virtual Machine) embedded in Fusion Middleware, was susceptible to an unspecified vulnerability that an unauthenticated remote attacker can exploit to completely compromise the integrity of a target system.

    • Status: vendor confirmed, updates available

    • References:
    • (2) HIGH: Apple iOS Multiple Vulnerabilities
    • Affected:
      • Apple iOS prior to 4.2.9
      • Apple iOS prior to 4.3.4
    • Description: Apple has released patches for multiple vulnerabilities affecting components of its iOS operating system for mobile devices. The issues include two CoreGraphics vulnerabilities that could be triggered when opening a malicious PDF. The first exists because of a buffer overflow in the component of FreeType responsible for handling TrueType fonts. The second involves an unspecified signedness issue. By enticing a target to open a malicious PDF, an attacker can exploit these vulnerabilities in order to execute arbitrary code on the target's machine.

    • Status: vendor confirmed, updates available

    • References:
    • (3) MEDIUM: Citrix Access Gateway ActiveX Component Stack Buffer Overflow
    • Affected:
      • Citrix Access Gateway 8.1 prior to 8.1-67.7
      • Citrix Access Gateway 9.0 prior to 9.0-70.5
      • Citrix Access Gateway 9.1 prior to 9.1-96.4
    • Description: Citrix has released patches for Access Gateway, a system that provides remote access to applications via VPN over SSL, addressing a stack buffer overflow vulnerability in the ActiveX component installed on endpoint systems. The vulnerable ActiveX control does not properly handle HTTP header data sent from a Citrix server. By enticing a target to view a malicious site, an attacker can exploit this vulnerability in order to execute arbitrary code on the target's machine in the context of the currently logged-in user.

    • Status: vendor confirmed, updates available

    • References:
    Part II: Weekly Comprehensive List of Newly Discovered Vulnerabilities
    Week 26, 2011

    This list is compiled by Qualys (www.qualys.com) as part of that company's ongoing effort to ensure its vulnerability management web service tests for all known vulnerabilities that can be scanned. As of this week Qualys scans for 11784 unique vulnerabilities. For this special SANS community listing, Qualys also includes vulnerabilities that cannot be scanned remotely.
    ______________________________________________________________________


    • 11.30.1 - CVE: Not Available
    • Platform: Third Party Windows Apps
    • Title: Citrix Access Gateway Plug-in ActiveX Control Multiple Unspecified Vulnerabilities
    • Description: The Citrix Access Gateway Plug-in is client software for Windows. The application is exposed to multiple unspecified remote code execution issues. Citrix Access Gateway Plug-in versions prior to 8.1-67.7, 9.0-70.5 and 9.1-96.4 are vulnerable and other versions may also be affected.
    • Ref: http://support.citrix.com/article/CTX129902

    • 11.30.2 - CVE: Not Available
    • Platform: Third Party Windows Apps
    • Title: Dell OpenManage IT Assistant Information Disclosure
    • Description: Dell OpenManage IT Assistant provides solutions for centralized management of computer systems. Dell OpenManage IT Assistant "detectIESettingsForITA.OCX" ActiveX control is exposed to a remote information disclosure issue. Specifically, this issue occurs because of an insecure "readRegVal()" method which allows attackers to disclose registry values by querying it. The affected control is identified by CLSID: 6286EF1A-B56E-48EF-90C3-743410657F3C. Dell OpenManage IT Assistant 8.9.0 is affected.
    • Ref: http://www.securityfocus.com/bid/48680/discuss

    • 11.30.3 - CVE: CVE-2011-2747
    • Platform: Third Party Windows Apps
    • Title: Google Picasa JPEG Image Processing Remote Code Execution Vulnerability
    • Description: Google Picasa is a graphics application available for Microsoft Windows. Google Picasa is exposed to a remote code execution issue while processing JPEG image files. Google Picasa 3.6 Build 105.61 is affected.
    • Ref: http://www.securityfocus.com/bid/48725/references

    • 11.30.4 - CVE: CVE-2011-2196
    • Platform: Linux
    • Title: JBoss Seam Expression Language Remote Code Execution Vulnerability
    • Description: JBoss Seam is a framework for developing Web 2.0 applications. JBoss Seam is exposed to a remote code execution issue because it fails to properly restrict access to JBoss Expression Language constructs during page exception handling. JBoss Enterprise SOA Platform 4.3.0.CP05 and 5.1.0 are affected.
    • Ref: http://packetstormsecurity.org/files/view/103146/RHSA-2011-0952-01.txt

    • 11.30.5 - CVE:CVE-2011-2295,CVE-2011-2293,CVE-2011-2258,CVE-2011-2289,CVE-2011-2296,CVE-2011-2294,CVE-2011-2249,CVE-2011-2290,CVE-2011-2259,CVE-2011-2298,CVE-2011-2291,CVE-2011-2285,CVE-2011-2287,CVE-2011-2245
    • Platform: Solaris
    • Title: Oracle Sun Solaris Multiple Vulnerabilities
    • Description: Oracle Sun Solaris is exposed to multiple issues. Multiple local issues affect "Driver/USB", "Zones", "rksh", "LiveUpgrade", "Kernel/SCTP", "Kernel/sockfs", "UFS", "Trusted Extensions" and "Installer" sub component. Multiple remote issues affect "SSH", "TCP/IP", "KSSL" and "fingerd" sub component. Solaris 8, 9, 10 and 11 Express are affected.
    • Ref: http://www.oracle.com/technetwork/topics/security/cpujuly2011-313328.html

    • 11.30.6 - CVE: CVE-2011-0287
    • Platform: Cross Platform
    • Title: BlackBerry Enterprise Server Administration API Information Disclosure Vulnerability
    • Description: Blackberry Enterprise Server is communications middleware for Research In Motion Blackberry devices. BlackBerry Enterprise Server is exposed to an information disclosure issue. This issue affects the Administration API. BlackBerry Enterprise Server software 5.0.1 through 5.0.3 and BlackBerry Enterprise Server Express software 5.0.1 through 5.0.3 are affected.
    • Ref: http://btsc.webapps.blackberry.com/btsc/search.do?cmd=displayKC&docType=kc&externalId=KB27258

    • 11.30.7 - CVE: CVE-2011-2588,CVE-2011-2587
    • Platform: Cross Platform
    • Title: VLC Media Player ".RM" and ".AVI" Files Multiple Remote Heap Buffer Overflow Vulnerabilities
    • Description: VLC is a cross-platform media player. The application is exposed to multiple heap-based buffer overflow issues. A heap-based buffer overflow occurs because of an integer overflow error when parsing a RealAudio data block in RealMedia files. A heap-based buffer overflow occurs because of an integer underflow error when parsing a "strf" chunk in AVI files. VLC media player versions 0.5.0 through 1.1.10 are vulnerable and other versions may also be affected.
    • Ref: http://www.videolan.org/security/sa1105.html http://www.videolan.org/security/sa1106.html


    • 11.30.9 - CVE: CVE-2011-2526
    • Platform: Cross Platform
    • Title: Apache Tomcat "sendfile" Request Attributes Information Disclosure
    • Description: Apache Tomcat is a Java-based web server application for multiple operating systems. The application is exposed to a remote information disclosure issue. Specifically, "sendfile" is used automatically to serve content through the "DefaultServlet", and web applications may use it by setting request attributes. The request attributes are not properly validated, which allows a specially crafted web application to return files that would normally be protected by a Security Manager. Tomcat versions 5.5.0 through 5.5.33, 6.0.0 through 6.0.32 and 7.0.0 through 7.0.18 are affected.
    • Ref: http://www.securityfocus.com/bid/48667/discuss

    • 11.30.10 - CVE: Not Available
    • Platform: Cross Platform
    • Title: Foomatic "foomatic-rip" Command Injection Vulnerability
    • Description: Foomatic is a database driven system for integrating various print spoolers with available printer drivers. Foomatic is exposed to a command injection issue because it fails to adequately sanitize user-supplied input. Specifically, the issue affects the "foomatic-rip" utility because it allows users to provide crafted PPD files using the "-p" parameter. Foomatic 4.0.6 is vulnerable and other versions may also be affected.
    • Ref: http://www.securityfocus.com/bid/48674/references

    • 11.30.11 - CVE: CVE-2011-2605
    • Platform: Cross Platform
    • Title: Mozilla Firefox and Thunderbird CRLF Injection Vulnerability
    • Description: Firefox is a browser. Thunderbird is an email client. Both applications are available for multiple platforms. Mozilla Firefox and Thunderbird are exposed to a CRLF injection issue in the "netwerk/cookie/nsCookieService.cpp" source file. Multiple cookies may be set with the "document.cookie" API. Mozilla Thunderbird versions prior to 3.1.11, Mozilla Firefox versions prior to 3.6.18 are affected.
    • Ref: http://www.securityfocus.com/bid/48696/discuss
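The Firefox/Thunderbird entry above is one instance of a general failure mode: a cookie name or value that carries CR LF is accepted and later ends a header line early, so one cookie becomes two. The example below is added here to illustrate that mechanism on the server side of the same exchange; it is not Mozilla code. It shows a naive Set-Cookie builder beside one that enforces the RFC 6265 grammar, and feeds both a constructed attacker value (the value, the cookie names and the helper names are all assumptions for the example).

```python
import re

# RFC 6265 grammar, transcribed here: cookie-name is a token; cookie-value is
# cookie-octet*, i.e. printable ASCII minus CTLs, SP, DQUOTE, comma, ';' and '\'.
_TOKEN_RE = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")
_COOKIE_VALUE_RE = re.compile(r"[\x21\x23-\x2B\x2D-\x3A\x3C-\x5B\x5D-\x7E]*")

def naive_set_cookie(name, value):
    """Vulnerable: the value is trusted, so a CR LF inside it ends the header early."""
    return "Set-Cookie: %s=%s" % (name, value)

def safe_set_cookie(name, value):
    """Hardened: accept only names and values that fit the RFC grammar.
    fullmatch is used deliberately; '$' would tolerate a trailing newline."""
    if not _TOKEN_RE.fullmatch(name):
        raise ValueError("cookie name is not a token: %r" % name)
    if not _COOKIE_VALUE_RE.fullmatch(value):
        raise ValueError("cookie value contains forbidden octets: %r" % value)
    return "Set-Cookie: %s=%s" % (name, value)

def parse_headers(raw):
    """Split a header block on CRLF, as an HTTP parser does; returns (name, value) pairs."""
    pairs = []
    for line in raw.split("\r\n"):
        k, _, v = line.partition(":")
        pairs.append((k.strip(), v.strip()))
    return pairs

# Constructed attacker-controlled value (not from any real capture): a plausible
# session id followed by CR LF and a second cookie a parser treats as its own header.
INJECTED_VALUE = "abc123\r\nSet-Cookie: admin=true"

def demo():
    """Returns (headers a parser sees from the naive builder, whether the safe one refused)."""
    naive = parse_headers(naive_set_cookie("session", INJECTED_VALUE))
    try:
        safe_set_cookie("session", INJECTED_VALUE)
        rejected = False
    except ValueError:
        rejected = True
    return naive, rejected

if __name__ == "__main__":
    print(demo())
```

The naive builder yields two Set-Cookie headers from a single call; the hardened one raises before anything is emitted. The same allow-list check belongs in front of any header whose value comes from a request, not only cookies.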

    • 11.30.12 - CVE: CVE-2011-1356
    • Platform: Cross Platform
    • Title: IBM WebSphere Application Server Administration Console Local Information Disclosure Vulnerability
    • Description: IBM WebSphere Application Server for z/OS is an application server used for service oriented architecture. The application is exposed to a local information disclosure issue affecting the administrative console. IBM WebSphere Application Server 6.1 and 7.0 are vulnerable and other versions may also be affected.
    • Ref: http://xforce.iss.net/xforce/xfdb/68571

    • 11.30.13 - CVE: Not Available
    • Platform: Cross Platform
    • Title: Fglrx "xauth secret" Cookie Information Disclosure
    • Description: Fglrx is a driver for AMD/ATI based chipsets for Linux and Windows. The application is exposed to an information disclosure issue. Specifically, the issue occurs due to improper handling of "xauth secret" cookie. Fglrx 1:11-3-1 is vulnerable and other versions may also be affected.
    • Ref: http://www.securityfocus.com/bid/48724/discuss

    • 11.30.14 - CVE: CVE-2011-0848,CVE-2011-0875,CVE-2011-0816,CVE-2011-0845
    • Platform: Cross Platform
    • Title: Oracle Enterprise Manager Grid Control Multiple Vulnerabilities
    • Description: Oracle Enterprise Manager Grid Control is exposed to multiple issues. A remote issue in Security Framework can be exploited over the "HTTP" protocol. The "User Model" sub component is affected. A remote issue in EMCTL can be exploited over the "HTTP" protocol. A remote issue in CMDB Metadata & Instance APIs can be exploited over the "Oracle NET" protocol. A remote vulnerability in Database Control can be exploited over the "HTTP" protocol. Oracle Enterprise Manager Grid Control versions 10.1.0.5, 10.1.0.6, 10.2.0.3, 10.2.0.4 and 10.2.0.5 are affected.
    • Ref: http://www.oracle.com/technetwork/topics/security/cpujuly2011-313328.html

    • 11.30.15 - CVE: CVE-2011-2232
    • Platform: Cross Platform
    • Title: Oracle Application Server XML Developer Kit Remote Security Vulnerability
    • Description: Oracle Application Server is exposed to a remote issue in XML Developer Kit. The issue can be exploited over different protocols. For an exploit to succeed, the attacker must have "Authenticated session" privileges. Oracle Application Server 10g Release 3, version 10.1.3.5.0, Oracle Application Server 10g Release 2, version 10.1.2.3.0 are affected.
    • Ref: http://www.oracle.com/technetwork/topics/security/cpujuly2011-313328.html

    • 11.30.16 - CVE: CVE-2011-0883,CVE-2011-0884,CVE-2011-2241,CVE-2011-2264
    • Platform: Cross Platform
    • Title: Oracle Fusion Middleware Multiple Vulnerabilities
    • Description: Oracle Fusion Middleware is exposed to multiple issues. A remote issue in Oracle Containers for J2EE can be exploited over the "HTTP" protocol; the "Servlet Runtime in OC4J" sub component is affected. A remote issue in Oracle BPEL Process Manager can be exploited over the "HTTP" protocol; the "BPEL Console" sub component is affected. A remote issue in Oracle Business Intelligence Enterprise Edition can be exploited over the "TCP/IP" protocol; the "Analytics Server" sub component is affected. A local issue in Oracle Outside In Technology can be exploited over the "Local" protocol; the "Outside In Filters" sub component is affected. Oracle Fusion Middleware versions 8.3.2.0, 8.3.5.0, 10.1.2.3, 10.1.3.5, 10.1.4.0.1, 10.1.4.3, 10.1.3.4.1 and 11.1.1.3 are affected.
    • Ref: http://www.securityfocus.com/bid/48761 http://www.securityfocus.com/bid/48756 http://www.securityfocus.com/bid/48763 http://www.securityfocus.com/bid/48766/

    • 11.30.17 - CVE: CVE-2011-2300, CVE-2011-2305
    • Platform: Cross Platform
    • Title: Oracle VM VirtualBox Multiple Local Vulnerabilities
    • Description: Oracle VM VirtualBox is an x86 virtualization software package. The application is exposed to multiple local issues that affect the "Guest Additions for Windows" sub component and the "All packages" sub component. Oracle VM VirtualBox 3.0, 3.1, 3.2 and 4.0 are affected.
    • Ref: http://www.oracle.com/technetwork/topics/security/cpujuly2011-313328.html

    • 11.30.18 - CVE:CVE-2011-2239,CVE-2011-2231,CVE-2011-2242,CVE-2011-0877,CVE-2011-0811,CVE-2011-2238,CVE-2011-0879,CVE-2011-0831,CVE-2011-0830,CVE-2011-0876,CVE-2011-2243,CVE-2011-0881,CVE-2011-2257,CVE-2011-2230,CVE-2011-0880,CVE-2011-0832,CVE-2011-2244,CVE-2011-0835
    • Platform: Cross Platform
    • Title: Oracle Database Server Multiple Vulnerabilities
    • Description: Oracle Database Server is exposed to multiple issues that affect multiple sub components. Please refer to Reference for details. Oracle Database 11g Release 2, versions 11.2.0.1, 11.2.0.2, Oracle Database 11g Release 1, version 11.1.0.7, Oracle Database 10g Release 2, versions 10.2.0.3, 10.2.0.4, 10.2.0.5, Oracle Database 10g Release 1, version 10.1.0.5 are affected.
    • Ref: http://www.oracle.com/technetwork/topics/security/cpujuly2011-313328.html

    • 11.30.19 - CVE:CVE-2011-2277,CVE-2011-2284,CVE-2011-2275,CVE-2011-2281,CVE-2011-2279,CVE-2011-2272,CVE-2011-2280,CVE-2011-2282,CVE-2011-2274,CVE-2011-2250,CVE-2011-2283,CVE-2011-2278
    • Platform: Cross Platform
    • Title: Oracle PeopleSoft Multiple Vulnerabilities
    • Description: Oracle PeopleSoft is exposed to multiple issues that affect the "Purchasing", "ePerformance", "Global Payroll Core", "Talent Acquisition Manager", "eProcurement", "Receivables" and "Payables" sub components over the "HTTP(s)" and "Proprietary" protocols. PeopleSoft Enterprise FIN, versions 9.0, 9.1, Enterprise FMS, versions 9.0, 9.1, Enterprise FSCM, versions 9.0, 9.1, Enterprise HRMS, versions 8.9, 9.0, 9.1, Enterprise SCM, versions 9.0, 9.1, and Enterprise PeopleTools, versions 8.49, 8.50, 8.51 are affected.
    • Ref: http://www.oracle.com/technetwork/topics/security/cpujuly2011-313328.html

    • 11.30.20 - CVE: Not Available
    • Platform: Web Application - SQL Injection
    • Title: LiteRadius "locator.php" Multiple SQL Injection Vulnerabilities
    • Description: LiteRadius is a web-based application implemented in PHP. The application is exposed to multiple SQL injection issues because it fails to properly sanitize user-supplied input submitted to the "lat" and "long" parameters of the "locator.php" script before using it in an SQL query. LiteRadius versions 3.2 and prior are affected.
    • Ref: http://www.securityfocus.com/bid/48665/references

    • 11.30.21 - CVE: Not Available
    • Platform: Web Application - SQL Injection
    • Title: MapServer Multiple SQL Injection Vulnerabilities
    • Description: MapServer is a development environment for building spatially enabled Internet applications. The application is available for various platforms. The application is exposed to multiple SQL injection issues because it fails to sufficiently sanitize user-supplied data in Open Geospatial Consortium (OGC) filter encoding within Web Map Server (WMS), Web Feature Service (WFS), Sensor Observation Service (SOS) and WMS time support. MapServer versions 6.x prior to 6.0.1, 5.x prior to 5.6.7 and 4.x prior to 4.10.7 are affected.
    • Ref: http://lists.osgeo.org/pipermail/mapserver-users/2011-July/069430.html
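Both SQL injection entries above (LiteRadius "lat"/"long" and MapServer filter encoding) share one root cause: request values pasted into SQL text. The example below is added here to show that defect and its fix on a constructed store-locator table; it is not LiteRadius or MapServer code, and the table, rows, payload and function names are assumptions for the example. The vulnerable function mirrors the locator pattern; the hardened one validates type and range, then binds the values with placeholders so they can never be parsed as SQL.

```python
import sqlite3

def make_db():
    """In-memory locator table with constructed sample rows (not real data)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE stores (id INTEGER, name TEXT, lat REAL, lng REAL)")
    con.executemany("INSERT INTO stores VALUES (?, ?, ?, ?)", [
        (1, "Downtown", 32.71, -117.16),
        (2, "Airport", 32.73, -117.19),
        (3, "Harbor", 32.72, -117.17),
    ])
    return con

def locate_vulnerable(con, lat, long_):
    """Same defect as the reported locator script: request values pasted into SQL text."""
    sql = ("SELECT id FROM stores WHERE abs(lat - %s) < 0.005 "
           "AND abs(lng - %s) < 0.005" % (lat, long_))
    return [row[0] for row in con.execute(sql)]

def locate_hardened(con, lat, long_):
    """Validate type and range first, then bind with placeholders."""
    try:
        lat_f, long_f = float(lat), float(long_)
    except (TypeError, ValueError):
        raise ValueError("lat/long must be numeric")
    # NaN fails both comparisons, so it is rejected here as well.
    if not (-90.0 <= lat_f <= 90.0 and -180.0 <= long_f <= 180.0):
        raise ValueError("lat/long out of range")
    sql = ("SELECT id FROM stores WHERE abs(lat - ?) < 0.005 "
           "AND abs(lng - ?) < 0.005")
    return [row[0] for row in con.execute(sql, (lat_f, long_f))]

# Constructed payload for the "lat" parameter: closes abs(...), forces the WHERE
# clause true, and comments out the remainder of the statement.
PAYLOAD_LAT = "0) < 0.005 OR 1=1 --"

def demo():
    """Returns (normal result, result with payload, whether the hardened query refused it)."""
    con = make_db()
    normal = locate_vulnerable(con, "32.71", "-117.16")
    dumped = locate_vulnerable(con, PAYLOAD_LAT, "-117.16")
    try:
        locate_hardened(con, PAYLOAD_LAT, "-117.16")
        rejected = False
    except ValueError:
        rejected = True
    return normal, dumped, rejected

if __name__ == "__main__":
    print(demo())
```

The numeric check is specific to coordinates; for free-text inputs such as OGC filter literals the part that carries over is the placeholder binding, with a separate allow-list for any field or table name that must be spliced into the statement text.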

    • 11.30.22 - CVE: Not Available
    • Platform: Web Application
    • Title: Trend Micro Control Manager "module" Parameter Directory Traversal Vulnerability
    • Description: Trend Micro Control Manager is a web-based management console. The application is exposed to a directory traversal issue because it fails to properly sanitize user-supplied input submitted to the "module" parameter of the "WebApp/widget/proxy_request.php" script when the "sid" parameter is set to "undefined", and the "serverid", "SORTFIELD", "SELECTION", and "WID" parameters are set. Trend Micro Control Manager 5.5 Build 1250 is vulnerable; other versions may also be affected.
    • Ref: http://www.securityfocus.com/bid/48662/references

    • 11.30.23 - CVE: CVE-2011-2743,CVE-2011-2744
    • Platform: Web Application
    • Title: Chyrp Multiple Input Validation Vulnerabilities
    • Description: Chyrp is a PHP-based blogging engine. The application is exposed to multiple input validation issues. Multiple cross-site scripting issues occur. A local file include issue affects the "action" parameter of the "index.php" script. A directory traversal issue affects the "file" parameter of the "includes/lib/gz.php" script. An issue occurs because the application fails to sufficiently sanitize file extensions before uploading files to the web server through the "modules/swfupload/upload_handler.php" script. Chyrp 2.1 and prior are affected.
    • Ref: http://www.securityfocus.com/bid/48672/references
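The Trend Micro "module" parameter and the Chyrp "file" parameter entries above are both directory traversal: a user-supplied name is joined onto a base directory and "../" segments (or an absolute path) walk out of it. The example below is added to show that pattern and a resolver that confines the name to its root; it is not Trend Micro or Chyrp code, and the directory layout, file names and function names are assumptions constructed for the example. It also covers a case a plain string-prefix check gets wrong: a sibling directory whose name merely starts with the root's name.

```python
import os
import shutil
import tempfile

def open_vulnerable(root, user_path):
    """The reported pattern: join and resolve with no containment check."""
    return os.path.realpath(os.path.join(root, user_path))

def resolve_under_root(root, user_path):
    """Return the real path only if it stays inside root after symlinks and '..' resolve."""
    root_real = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root_real, user_path))
    try:
        inside = os.path.commonpath([root_real, candidate]) == root_real
    except ValueError:            # mixed absolute/relative paths or different drives
        inside = False
    if not inside:
        raise PermissionError("path escapes %s: %r" % (root_real, user_path))
    return candidate

def escapes(root, resolved):
    """True if an already-resolved path lies outside root (commonpath, not startswith)."""
    root_real = os.path.realpath(root)
    try:
        return os.path.commonpath([root_real, resolved]) != root_real
    except ValueError:
        return True

def demo():
    """Constructed layout: <tmp>/widgets/ok.php plus <tmp>/secret.txt one level up.
    Returns {user_path: (verdict of the hardened resolver, did the naive join escape)}."""
    base = tempfile.mkdtemp()
    widgets = os.path.join(base, "widgets")
    try:
        os.mkdir(widgets)
        open(os.path.join(widgets, "ok.php"), "w").close()
        open(os.path.join(base, "secret.txt"), "w").close()
        outcome = {}
        for name in ("ok.php", "../secret.txt", "/etc/passwd",
                     "sub/../../secret.txt",   # '..' through a non-existent directory
                     "../widgets2/x"):          # sibling that a startswith() check would pass
            naive = open_vulnerable(widgets, name)
            try:
                resolve_under_root(widgets, name)
                verdict = "allowed"
            except PermissionError:
                verdict = "blocked"
            outcome[name] = (verdict, escapes(widgets, naive))
        return outcome
    finally:
        shutil.rmtree(base)

if __name__ == "__main__":
    for path, result in demo().items():
        print("%-22s %s" % (path, result))
```

Resolve before comparing, and compare with a path-aware test; a check on the raw parameter for ".." misses encoded variants, and a prefix test on the resolved string misses the sibling-directory case shown above.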

    • 11.30.24 - CVE: CVE-2011-1741
    • Platform: Web Application
    • Title: EMC Documentum eRoom Indexing Server HummingBird Connector Remote Buffer Overflow Vulnerability
    • Description: EMC Documentum eRoom is a web-based collaboration application. EMC Documentum eRoom is exposed to a remote buffer overflow issue because it fails to perform adequate boundary checks on user-supplied data. Specifically, this issue affects the HummingBird client connector ("ftserver.exe") of the application's indexing server. EMC Documentum eRoom versions 7.4.x are affected.
    • Ref: http://www.securityfocus.com/bid/48712/references

    • 11.30.25 - CVE: Not Available
    • Platform: Web Application
    • Title: Support Incident Tracker Multiple Unspecified Vulnerabilities
    • Description: Support Incident Tracker is a web-based application implemented in PHP. Support Incident Tracker is exposed to multiple unspecified vulnerabilities. Support Incident Tracker versions prior to 3.64 are affected.
    • Ref: http://www.securityfocus.com/bid/48719/references

    • 11.30.26 - CVE: Not Available
    • Platform: Network Device
    • Title: Iskratel SI2000 Callisto 821+ Multiple Security Vulnerabilities
    • Description: The Iskratel SI2000 Callisto 821+ is a router. The device is exposed to multiple issues. A cross-site request-forgery issue exists because the device allows users to clear event logs through the "event_log_selection.html" script. A cross-site scripting issue affects the "events.html" script. Multiple HTML-injection issues exist because the device fails to sanitize user-supplied input passed to the following parameters of the "events.html" script: "EmWeb_ns:vim:2.", "EmWeb_ns:vim:7.", "EmWeb_ns:vim:11.", "EmWeb_ns:vim:12.", "EmWeb_ns:vim:13.", "EmWeb_ns:vim:14.", "EmWeb_ns:vim:15.". Iskratel SI2000 Callisto 821+ is affected.
    • Ref: http://www.securityfocus.com/bid/48706/discuss

    • 11.30.27 - CVE: CVE-2011-0770
    • Platform: Hardware
    • Title: HP Arcsight Connector Appliance Cross-Site Scripting Vulnerability
    • Description: HP Arcsight Connector Appliance is an event logging device. The application is exposed to a cross-site scripting issue because it fails to sanitize user-supplied input to the "Windows Event Log Connector" component. HP Arcsight Connector Appliance versions prior to 6.1 are affected.
    • Ref: http://www.kb.cert.org/vuls/id/122054

    (c) 2011. All rights reserved. The information contained in this newsletter, including any external links, is provided "AS IS," with no express or implied warranty, for informational purposes only. In some cases, copyright for material in this newsletter may be held by a party other than Qualys (as indicated herein) and permission to use such material must be requested from the copyright owner.

    Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit https://www.sans.org/account