Weekly Vulnerabilities Reports > August 25 to 31, 2008

Overview

3 new vulnerabilities were reported during this period, including 1 critical vulnerability and 1 high severity vulnerability. This weekly summary reports vulnerabilities in 15 products from 9 vendors including Fedoraproject, Apple, Debian, Apache, and Redhat. The vulnerabilities are notably categorized as "Use of Insufficiently Random Values", "Incorrect Conversion between Numeric Types", and "XML Entity Expansion".

  • 2 reported vulnerabilities are remotely exploitable.
  • 1 reported vulnerability is related to weaknesses in the OWASP Top Ten.
  • 3 reported vulnerabilities are exploitable by an anonymous user.
  • Fedoraproject has the most reported vulnerabilities, with 2 reported vulnerabilities.
  • Trendmicro has the most reported critical vulnerabilities, with 1 reported vulnerability.

Summary counters (values not captured in this copy): total vulnerabilities; critical risk vulnerabilities; high risk vulnerabilities; medium risk vulnerabilities; low risk vulnerabilities; remotely exploitable; locally exploitable; exploit available; exploitable anonymously; affecting web application.

Vulnerability Details

The following tables list the reported vulnerabilities for the period covered by this report:

1 Critical Vulnerabilities

DATE        CVE            VENDOR      VULNERABILITY                                                            CVSS
2008-08-27  CVE-2008-2433  Trendmicro  Use of Insufficiently Random Values vulnerability in Trendmicro products  9.8

The web management console in Trend Micro OfficeScan 7.0 through 8.0, Worry-Free Business Security 5.0, and Client/Server/Messaging Suite 3.5 and 3.6 creates a random session token based only on the login time, which makes it easier for remote attackers to hijack sessions via brute-force attacks.

1 High Vulnerabilities

DATE        CVE            VENDOR                  VULNERABILITY                                                               CVSS
2008-08-29  CVE-2008-3282  Apache, Fedoraproject   Incorrect Conversion between Numeric Types vulnerability in multiple products  7.8

Integer overflow in the rtl_allocateMemory function in sal/rtl/source/alloc_global.c in the memory allocator in OpenOffice.org (OOo) 2.4.1, on 64-bit platforms, allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted document, related to a "numeric truncation error," a different vulnerability than CVE-2008-2152.

1 Medium Vulnerabilities

DATE        CVE            VENDOR                                                                 VULNERABILITY                                          CVSS
2008-08-27  CVE-2008-3281  Xmlsoft, Apple, Fedoraproject, Canonical, Debian, Redhat, Vmware      XML Entity Expansion vulnerability in multiple products  6.5

libxml2 2.6.32 and earlier does not properly detect recursion during entity expansion in an attribute value, which allows context-dependent attackers to cause a denial of service (memory and CPU consumption) via a crafted XML document.

0 Low Vulnerabilities

No low severity vulnerabilities were reported in this period.