
@RISK: The Consensus Security Vulnerability Alert

Volume: X, Issue: 38
October 20, 2011

@RISK is the SANS community's consensus bulletin summarizing the most important vulnerabilities and exploits identified during the past week and providing guidance on appropriate actions to protect your systems (PART I). It also includes a comprehensive list of all new vulnerabilities discovered in the past week (PART II).

Summary of the vulnerabilities reported this week:

Summary of Updates and Vulnerabilities in this Consensus

Platform                                   Number of Updates and Vulnerabilities
- ----------------------------------------  -------------------------------------
Other Microsoft Products                   1
Third Party Windows Apps                   2
Mac Os                                     1
Solaris                                    1
Cross Platform                             12 (#1,#2,#3,#4)
Web Application - Cross Site Scripting     3
Web Application - SQL Injection            1
Web Application                            4
Network Device                             1

************************* Sponsored By SANS ******************************

Announcing THREE New SANS Analyst Papers in the SANS Reading Room! Hyperlink to: http://www.sans.org/info/88924

- - Adding Enterprise Access Management to Identity Management by SANS Analyst, J. Michael Butler

- - Integrating Security into Development, No Pain Required by SANS Analyst and course author, Dave Shackleford

- - Oracle Database Firewall Review--Part I of a series of reviews on Oracle security products by SANS Oracle expert, Tanya Baccam

**************************************************************************

TRAINING UPDATE

--SANS Chicago 2011, Chicago, IL, October 23-28, 2011
6 courses. Bonus evening presentations include Computer Forensics in the Virtual Realm and Electrical Grid Security
http://www.sans.org/chicago-2011/

--SANS Seattle 2011, Seattle, WA, November 2-7, 2011
5 courses. Bonus evening presentations include Future Trends in Network Security; and Ninja Developers: Penetration Testing and Your SDLC
http://www.sans.org/seattle-2011/

--SANS San Francisco 2011, San Francisco, CA, November 14-19, 2011
6 courses. Bonus evening presentations include The Worst Mistakes in Cloud Computing Security; Offensive Countermeasures; and Watching the Wire at Home
http://www.sans.org/san-francisco-2011/

--EURO SCADA & Process Control System Security Summit, Rome, Dec 1-2, 2011
Gain the most current information regarding SCADA and Control System threats and learn how to best prepare to defend against them.
http://www.sans.org/eu-scada-2011/

--SANS San Antonio 2011, San Antonio, TX, November 28-December 5, 2011
7 courses. Bonus evening presentations include Effective Methods for Implementing the 20 Critical Security Controls; and Assessing Deception: Are They Lying to You?
http://www.sans.org/san-antonio-2011/

--SANS London 2011, London, UK, December 3-12, 2011
17 courses. Bonus evening presentations include IPv6 Challenges for Intrusion Detection and Understanding How Attackers Bypass Network and Content Restrictions.
http://www.sans.org/london-2011/

--SANS CDI 2011, Washington, DC, December 9-16, 2011
27 courses. Bonus evening presentations include Emerging Trends in Data Law and Investigations, and Critical Infrastructure Control Systems Cybersecurity.
http://www.sans.org/cyber-defense-initiative-2011/

--SANS Security East 2012, New Orleans, LA January 17-26, 2012
11 courses. Bonus evening presentations include Advanced VoIP Pen Testing: Current Threats and Methods; and Helping Small Businesses with Security.
http://www.sans.org/security-east-2012/

--Looking for training in your own community? http://www.sans.org/community/

Save on On-Demand training (30 full courses) - See samples at http://www.sans.org/ondemand/discounts.php#current

Plus Seoul, Sydney, Tokyo and Perth all in the next 90 days. For a list of all upcoming events, on-line and live: http://www.sans.org/index.php

********************************************************************************

Table Of Contents
Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com)
Other Microsoft Products
Third Party Windows Apps
Mac Os
Solaris
Cross Platform
Web Application - Cross Site Scripting
Web Application - SQL Injection
Web Application
Network Device

****************************** Sponsored Links: ********************************

1) Check out and sign up for SANS Upcoming Webcasts! Go to: http://www.sans.org/info/88929

2) ECAT Enterprise Malware Threat Detection finds what AV misses - see the video here: http://www.sans.org/info/88934 ECAT: Signature-less detection of APT

********************************************************************************

PART I Critical Vulnerabilities

Part I for this issue has been compiled by Josh Bronson at TippingPoint, a division of HP, as a by-product of that company's continuous effort to ensure that its intrusion prevention products effectively block exploits using known vulnerabilities. TippingPoint's analysis is complemented by input from a council of security managers from twelve large organizations who confidentially share with SANS the specific actions they have taken to protect their systems. A detailed description of the process may be found at http://www.sans.org/newsletters/risk/#process

*************************************************************

Widely Deployed Software
  • (4) MEDIUM: Novell Multiple Products Security Vulnerabilities
  • Affected:
    • Novell Groupwise versions 8.0x up to and including 8.02HP2
    • Novell ZENworks 10 Configuration Management with Support Pack 2 - 10.2
    • Novell ZENworks 10 Configuration Management with Support Pack 3 - 10.3
    • Novell ZENworks 11 Configuration Management Support Pack 1 - ZCM 11 SP
    • Novell ZENworks AdminStudio
  • Description: Novell has released patches for security vulnerabilities affecting multiple products. The company has patched three unspecified ActiveX vulnerabilities in Novell ZENworks, its configuration management software. It has also released patches for Groupwise, its collaborative software that integrates email, calendaring, instant messaging, and so on. The updates to Groupwise address two vulnerabilities reported to the Zero Day Initiative. The first is triggered when a target opens an email containing a malicious DOCX attachment. By enticing a target to open such a message, an attacker can execute arbitrary code on the target's machine with the privileges of the mail client. The second, which involves a problem in the component of gwwww1.dll responsible for parsing calendar data, is triggered when an unauthenticated attacker sends a malicious email. Code in exploits for the second vulnerability will run with SYSTEM-level privileges.

  • Status: vendor confirmed, updates available

  • References:

Part II: Weekly Comprehensive List of Newly Discovered Vulnerabilities
Week 38, 2011

Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com)

This list is compiled by Qualys (www.qualys.com) as part of that company's ongoing effort to ensure its vulnerability management web service tests for all known vulnerabilities that can be scanned. As of this week Qualys scans for 12501 unique vulnerabilities. For this special SANS community listing, Qualys also includes vulnerabilities that cannot be scanned remotely.


  • 11.43.1 - CVE: CVE-2011-1508
  • Platform: Other Microsoft Products
  • Title: Microsoft Publisher Memory Corruption Remote Code Execution
  • Description: Microsoft Publisher is a desktop publishing application. The application is exposed to a remote code execution issue. Specifically, memory may become corrupted when the "pubconv.dll" parses a specially crafted ".pub" file. Microsoft Publisher 2007 is vulnerable.
  • Ref: http://www.coresecurity.com/content/publisher-pubconv-memory-corruption

  • 11.43.2 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: atvise webMI2ADS Web Server Multiple Remote Vulnerabilities
  • Description: atvise webMI2ADS is a web server for Microsoft Windows. The application is exposed to multiple remote issues. Two directory traversal issues let attackers view directories outside of the web root directory. A NULL pointer dereference issue occurs when handling an HTTP request that contains a specially crafted Authorization Basic field. atvise webMI2ADS 1.0 and prior versions are affected.
  • Ref: http://www.securityfocus.com/bid/50048/references

  • 11.43.3 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Honeywell EBI TEMA Remote Installer ActiveX Control Arbitrary File Download
  • Description: Honeywell EBI is a building system integration application. The application is exposed to an issue that exists in the TEMA installer and can allow malicious files to be downloaded and saved to arbitrary locations on an affected computer. The issue affects an unspecified ActiveX control when downloading a malicious file named "TinClient_TemaKit.msi". When the file is downloaded onto the victim's computer, TEMA will silently install the ".msi" file. Honeywell EBI R310.1 - TEMA 4.8, EBI R310.1 - TEMA 4.9, EBI R310.1 - TEMA 4.10, EBI R400.2 SP1 - TEMA 5.2, EBI R410.1 - TEMA 5.3.0 and EBI R410.2 - TEMA 5.3.1 are affected.
  • Ref: http://www.us-cert.gov/control_systems/pdf/ICSA-11-285-01.pdf

  • 11.43.4 - CVE: CVE-2011-0419,CVE-2011-3192,CVE-2011-0185,CVE-2011-3437,CVE-2011-0229,CVE-2011-0230,CVE-2011-1910,CVE-2011-2464,CVE-2009-4022,CVE-2010-0097,CVE-2010-3613,CVE-2010-3614,CVE-2011-1910,CVE-2011-2464,CVE-2011-0231,CVE-2011-3246,CVE-2011-0259,CVE-2011-0187
  • Platform: Mac Os
  • Title: Apple Mac OS X and Mac OS X Lion Multiple Security Vulnerabilities
  • Description: Apple Mac OS X and Mac OS X Lion are exposed to multiple remote code execution issues that affect Application Firewall, ATS, CFNetwork, CoreMedia, CoreProcesses, CoreStorage, File Systems, IOGraphics, Kernel, MediaKit, Open Directory, QuickTime, SMB File Server, User Documentation and libsecurity. Mac OS X 10.6.8 and Mac OS X Lion prior to
  • Ref: http://lists.apple.com/archives/security-announce/2011/Oct/msg00003.html

  • 11.43.5 - CVE: CVE-2011-3508,CVE-2011-3543,CVE-2011-3515,CVE-2011-3534,CVE-2011-3535,CVE-2011-3537,CVE-2011-3542,CVE-2011-2313,CVE-2011-2304,CVE-2011-2292,CVE-2011-2286,CVE-2011-3536,CVE-2011-2311,CVE-2011-2312,CVE-2011-3539
  • Platform: Solaris
  • Title: Oracle Solaris Multiple Vulnerabilities
  • Description: Oracle Solaris is an operating system. The application is exposed to multiple local and remote issues. See reference for further details. Oracle Solaris versions 8, 9, 10 and 11 Express are affected.
  • Ref: http://www.oracle.com/technetwork/topics/security/cpuoct2011-330135.html

  • 11.43.6 - CVE: CVE-2011-3868
  • Platform: Cross Platform
  • Title: VMware Hosted Products UDF File Systems Buffer Overflow
  • Description: Multiple VMware products are exposed to a buffer overflow issue. This issue occurs because the application fails to perform adequate boundary checks when processing UDF file systems. VMware Workstation 7.1.4 and earlier, VMware Player 3.1.4 and earlier and VMware Fusion 3.1.2 and earlier are affected.
  • Ref: http://www.securityfocus.com/bid/49942/references

  • 11.43.7 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Snort Report Multiple Remote Command Execution Vulnerabilities
  • Description: Snort Report is an add-on module for the Snort Intrusion Detection System. Snort Report is exposed to multiple remote command execution issues because it fails to properly validate user-supplied input submitted to the "nmap.php" and "nbtscan.php" scripts. All versions of Snort Report are affected.
  • Ref: http://www.securityfocus.com/bid/50031/discuss

  • 11.43.8 - CVE: CVE-2011-1364
  • Platform: Cross Platform
  • Title: Google App Engine SDK Cross-Site Request Forgery And Command Execution Weaknesses
  • Description: Google App Engine is an application to build and host web applications. The application is exposed to multiple issues. A cross-site request forgery issue affects the admin console. Specifically, the "_ah/admin/interactive/execute" script allows attackers to perform certain actions, such as executing local Python scripts on the user's behalf. Multiple command execution weaknesses affect the FakeFile, original OS and google.appengine.api.blobstore.os objects because the application fails to properly restrict access. Google App Engine versions prior to 1.5 are vulnerable.
  • Ref: http://blog.watchfire.com/files/googleappenginesdk.pdf

  • 11.43.9 - CVE: CVE-2011-3294
  • Platform: Cross Platform
  • Title: Cisco TelePresence Video Communication Server "User-Agent" HTTP Header HTML Injection
  • Description: Cisco Unified Video Communication Server is exposed to an HTML injection issue because it fails to properly sanitize user-supplied input to the "User-Agent" HTTP Header. Versions prior to Cisco TelePresence Video Communication Server X7.0 are affected.
  • Ref: http://www.cisco.com/en/US/products/products_security_response09186a0080b98d0b.html

  • 11.43.10 - CVE: CVE-2011-3229,CVE-2011-3230,CVE-2011-3231,CVE-2011-3242
  • Platform: Cross Platform
  • Title: Apple Safari Multiple Security Vulnerabilities
  • Description: Apple Safari is a web browser available for Mac OS X and Microsoft Windows. The application is exposed to multiple security issues that have been addressed in Apple security advisory APPLE-SA-2011-10-12-4. See reference for further details. Versions prior to Safari 5.1.1 running on Apple Mac OS X, Windows 7, XP and Vista are affected.
  • Ref: http://lists.apple.com/archives/Security-announce/2011/Oct/msg00004.html

  • 11.43.11 - CVE: CVE-2011-3162,CVE-2011-3161,CVE-2011-3160,CVE-2011-3159,CVE-2011-3158,CVE-2011-3157,CVE-2011-3156
  • Platform: Cross Platform
  • Title: HP Data Protector Unspecified Remote Code Execution Vulnerabilities
  • Description: HP Data Protector is a backup and recovery solution. The application is exposed to unspecified code execution issues. HP Data Protector Notebook Extension version 6.20, and HP Data Protector for Personal Computers version 7.0 running on Windows platforms are affected.
  • Ref: http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c03054543

  • 11.43.12 - CVE: Not Available
  • Platform: Cross Platform
  • Title: ClamAV Recursion Level Handling Denial of Service
  • Description: ClamAV is a multiplatform toolkit used to scan email messages for viruses. The application is exposed to a denial of service issue that occurs in the "cli_bcapi_extractnew()" function of the "bytecode.c" source file and the "cli_bytecode_runhook()" function of the "bytecode_api.c" source file. Versions prior to ClamAV 0.97.3 are vulnerable.
  • Ref: http://www.securityfocus.com/bid/50183/discuss

  • 11.43.13 - CVE: CVE-2011-4028
  • Platform: Cross Platform
  • Title: X.Org X11 File Enumeration Information Disclosure
  • Description: The X.Org X Windows server is an open source X Window System for UNIX, Linux and variants. The application is exposed to an information disclosure issue because of the way it handles lock files. Specifically, the application returns different results when handling a lock file as a symbolic link that points to a file that does or does not exist. All X.Org Xserver versions are vulnerable when running with root privileges.
  • Ref: http://permalink.gmane.org/gmane.comp.security.oss.general/6033

  • 11.43.14 - CVE: CVE-2011-2303,CVE-2011-3519,CVE-2011-2308,CVE-2011-3513,CVE-2011-2302
  • Platform: Cross Platform
  • Title: Oracle E-Business Suite Multiple Remote Vulnerabilities
  • Description: Oracle E-Business Suite is exposed to multiple remote issues which affect Oracle Application Object Library and Oracle Applications Framework. See reference for further details. Oracle E-Business Suite Release 12, versions 12.0.6, 12.1.2, 12.1.3 and Oracle E-Business Suite Release 11i, version 11.5.10.2 are affected.
  • Ref: http://www.oracle.com/technetwork/topics/security/cpuoct2011-330135.html

  • 11.43.15 - CVE: CVE-2011-3525,CVE-2011-3512,CVE-2011-2301,CVE-2011-3511,CVE-2011-2322
  • Platform: Cross Platform
  • Title: Oracle Database Server Remote Database Multiple Vulnerabilities
  • Description: Oracle Database Server is exposed to multiple local and remote issues. See reference for further details. Oracle Database Server versions 3.2, 4.0, 10.1.0.5, 10.2.0.3, 10.2.0.4, 10.2.0.5, 11.1.0.7 and 11.2.0.2 are vulnerable.
  • Ref: http://www.oracle.com/technetwork/topics/security/cpuoct2011-330135.html

  • 11.43.16 - CVE: CVE-2011-3548,CVE-2011-3521,CVE-2011-3554,CVE-2011-3544,CVE-2011-3545,CVE-2011-3549,CVE-2011-3551,CVE-2011-3550,CVE-2011-3516,CVE-2011-3556,CVE-2011-3557,CVE-2011-3560,CVE-2011-3555,CVE-2011-3546,CVE-2011-3558,CVE-2011-3547,CVE-2011-3389,CVE-2011-3553
  • Platform: Cross Platform
  • Title: Oracle Java SE Remote Java Runtime Environment Vulnerabilities
  • Description: Oracle Java SE is exposed to multiple remote issues in the Java Runtime Environment. See reference for further details. JDK and JRE 7, 6 Update 27, 5.0 Update 31 and before, 1.4.2_33 and before, JRockit R28.1.4 and JavaFX 2.0 are affected.
  • Ref: http://www.oracle.com/technetwork/topics/security/javacpuoct2011-443431.html

  • 11.43.17 - CVE: CVE-2011-3527,CVE-2011-3533,CVE-2011-3528,CVE-2011-2315,CVE-2011-3529,CVE-2011-3530,CVE-2011-3520
  • Platform: Cross Platform
  • Title: Oracle PeopleSoft Multiple Vulnerabilities
  • Description: Oracle PeopleSoft products provide solutions for Human Resource Management, Financial Management, Supply Chain, manufacturing and enterprise performance management. The applications are exposed to multiple issues. See reference for further details. PeopleSoft Enterprise PeopleTools version 8.49, 8.50 and 8.51, PeopleSoft Enterprise HRMS version 8.9, 9.0 and 9.1 are affected.
  • Ref: http://www.oracle.com/technetwork/topics/security/cpuoct2011-330135.html

  • 11.43.18 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: Contao CMS Cross-Site Scripting
  • Description: Contao is a PHP-based content management system. The application is exposed to a cross-site scripting issue because it fails to sanitize user-supplied input to the "index.php" script. Contao 2.10.1 is vulnerable and other versions may also be affected.
  • Ref: http://www.securityfocus.com/bid/50061/references

  • 11.43.19 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: BugFree Multiple Cross-Site Scripting Vulnerabilities
  • Description: BugFree is a web-based application implemented in PHP. The application is exposed to multiple cross-site scripting issues because it fails to sufficiently sanitize user-supplied input. The following scripts and parameters are affected: "Bug.php" : "ActionType", "Report.php" : "ReportMode", "ReportLeft.php" : "ReportMode", "AdminProjectList.php", "AdminGroupList.php", "AdminUserLogList.php". BugFree 2.1.3 is vulnerable and other versions may also be affected.
  • Ref: https://www.htbridge.ch/advisory/multiple_vulnerabilities_in_bugfree.html

  • 11.43.20 - CVE: CVE-2011-4064
  • Platform: Web Application - Cross Site Scripting
  • Title: phpMyAdmin Setup Interface Cross-Site Scripting
  • Description: phpMyAdmin is a web-based administration interface for MySQL databases and is implemented in PHP. The application is exposed to a cross-site scripting issue because it fails to sufficiently sanitize user-supplied input. This issue affects the setup interface, when the configuration directory exists and is writeable. Versions prior to phpMyAdmin 3.4.6 are vulnerable.
  • Ref: http://www.phpmyadmin.net/home_page/security/PMASA-2011-16.php

  • 11.43.21 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Roundcube webmail "_user" Parameter SQL Injection
  • Description: Roundcube Webmail is a web-based IMAP client implemented in PHP. Roundcube Webmail is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data submitted to the "_user" parameter of the "index.php" script before using it in an SQL query. Roundcube Webmail 0.3.1 is vulnerable and other versions may also be affected.
  • Ref: http://www.securityfocus.com/bid/50035/discuss

  • 11.43.22 - CVE: Not Available
  • Platform: Web Application
  • Title: Filmis SQL Injection and Cross-Site Scripting Vulnerabilities
  • Description: Filmis is a Web-based application implemented in PHP. The application is exposed to multiple issues because it fails to sufficiently sanitize user-supplied input. An SQL injection issue affects the "nb" parameter of the "cat.php" script. Multiple cross-site scripting issues exist in the "nb" parameter of the "index.php" and "cat.php" scripts. Filmis 2.0 is vulnerable and other versions may also be affected.
  • Ref: http://www.securityfocus.com/bid/50081/discuss

  • 11.43.23 - CVE: Not Available
  • Platform: Web Application
  • Title: Geeklog BBCode Tags HTML Injection Vulnerabilities
  • Description: Geeklog is a web-based application implemented in PHP. The application is exposed to HTML injection issues because it fails to properly sanitize user-supplied input before using it in dynamically generated content. Specifically, "code" and "raw" BBCode tags aren't properly sanitized. Geeklog versions prior to 1.8.1 are affected.
  • Ref: http://www.securityfocus.com/bid/50060/discuss

  • 11.43.24 - CVE: CVE-2011-3615
  • Platform: Web Application
  • Title: Simple Machines Forum Cross-Site Scripting and Spoofing Vulnerabilities
  • Description: Simple Machines Forum is an open-source web forum. The application is exposed to an unspecified cross-site scripting issue and an unspecified issue that may aid in phishing attacks. Simple Machines Forum 1.x prior to 1.1.15 and 2.x prior to 2.0.1 are vulnerable.
  • Ref: http://www.securityfocus.com/bid/50103/discuss

  • 11.43.25 - CVE: Not Available
  • Platform: Web Application
  • Title: Supermicro IPMI Web Interface Multiple Security Bypass Vulnerabilities
  • Description: Supermicro describes itself as an "end-to-end green computing solutions" provider. The IPMI web interface on its boards is exposed to multiple security bypass issues; in particular, the interface ships with a built-in "Anonymous" account and password. Supermicro X8SI6-F and X9SCL-F are affected.
  • Ref: http://www.securityfocus.com/bid/50097/discuss

  • 11.43.26 - CVE: Not Available
  • Platform: Network Device
  • Title: Avaya Identity Engines Ignition Server Remote Code Execution
  • Description: Avaya Identity Engines Ignition Server is a network monitoring and management application. The application is exposed to a remote code execution issue. The problem occurs in the AdminAccountManager process, which listens for GIOP requests on ports 23456 and 23457 (SSL). Specifically, this issue occurs because the process responds differently to remote requests for administrative functions. Avaya Identity Engines Ignition Server 6.0.0 is affected.
  • Ref: http://www.securityfocus.com/bid/50271/references

(c) 2011. All rights reserved. The information contained in this newsletter, including any external links, is provided "AS IS," with no express or implied warranty, for informational purposes only. In some cases, copyright for material in this newsletter may be held by a party other than Qualys (as indicated herein) and permission to use such material must be requested from the copyright owner.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit https://www.sans.org/account