Weekly Vulnerabilities Reports > October 19 to 25, 2009
Overview
4 new vulnerabilities reported during this period, including 1 critical vulnerabilities and 2 high severity vulnerabilities. This weekly summary report vulnerabilities in 16 products from 9 vendors including Linux, Fedoraproject, Opensuse, Redhat, and Suse. Vulnerabilities are notably categorized as "Use of Uninitialized Resource", "Use After Free", "Resource Exhaustion", and "Cross-Site Request Forgery (CSRF)".
- 2 reported vulnerabilities are remotely exploitables.
- 2 reported vulnerabilities have public exploit available.
- 1 reported vulnerabilities are exploitable by an anonymous user.
- Linux has the most reported vulnerabilities, with 2 reported vulnerabilities.
- Redhat has the most reported critical vulnerabilities, with 1 reported vulnerabilities.
VULNERABILITIES
VULNERABILITIES
VULNERABILITIES
VULNERABILITIES
VULNERABILITIES
EXPLOITABLE
EXPLOITABLE
AVAILABLE
ANONYMOUSLY
WEB APPLICATION
Vulnerability Details
The following table list reported vulnerabilities for the period covered by this report:
1 Critical Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2009-10-23 | CVE-2009-3616 | Qemu Redhat | Use After Free vulnerability in multiple products Multiple use-after-free vulnerabilities in vnc.c in the VNC server in QEMU 0.10.6 and earlier might allow guest OS users to execute arbitrary code on the host OS by establishing a connection from a VNC client and then (1) disconnecting during data transfer, (2) sending a message using incorrect integer data types, or (3) using the Fuzzy Screen Mode protocol, related to double free vulnerabilities. | 9.9 |
2 High Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2009-10-22 | CVE-2009-3759 | Citrix | Cross-Site Request Forgery (CSRF) vulnerability in Citrix Xencenterweb Multiple cross-site request forgery (CSRF) vulnerabilities in sample code in the XenServer Resource Kit in Citrix XenCenterWeb allow remote attackers to hijack the authentication of administrators for (1) requests that change the password via the username parameter to config/changepw.php or (2) stop a virtual machine via the stop_vmname parameter to hardstopvm.php. | 8.8 |
2009-10-22 | CVE-2009-3620 | Linux Fedoraproject Canonical Redhat Opensuse Suse | Use of Uninitialized Resource vulnerability in multiple products The ATI Rage 128 (aka r128) driver in the Linux kernel before 2.6.31-git11 does not properly verify Concurrent Command Engine (CCE) state initialization, which allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly gain privileges via unspecified ioctl calls. | 7.8 |
1 Medium Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2009-10-22 | CVE-2009-3621 | Linux Canonical Fedoraproject Opensuse Suse Vmware | Resource Exhaustion vulnerability in multiple products net/unix/af_unix.c in the Linux kernel 2.6.31.4 and earlier allows local users to cause a denial of service (system hang) by creating an abstract-namespace AF_UNIX listening socket, performing a shutdown operation on this socket, and then performing a series of connect operations to this socket. | 5.5 |
0 Low Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|