Weekly Vulnerabilities Reports > October 17 to 23, 2011

Overview

4 new vulnerabilities reported during this period, including 1 critical vulnerabilities and 3 high severity vulnerabilities. This weekly summary report vulnerabilities in 7 products from 5 vendors including Cisco, Oracle, Redhat, Suse, and Canonical. Vulnerabilities are notably categorized as "Improper Input Validation", and "Resource Exhaustion".

  • 4 reported vulnerabilities are remotely exploitables.
  • 4 reported vulnerabilities are exploitable by an anonymous user.
  • Cisco has the most reported vulnerabilities, with 3 reported vulnerabilities.
  • Oracle has the most reported critical vulnerabilities, with 1 reported vulnerabilities.

TOTAL
VULNERABILITIES
CRITICAL RISK
VULNERABILITIES
HIGH RISK
VULNERABILITIES
MEDIUM RISK
VULNERABILITIES
LOW RISK
VULNERABILITIES
REMOTELY
EXPLOITABLE
LOCALLY
EXPLOITABLE
EXPLOIT
AVAILABLE
EXPLOITABLE
ANONYMOUSLY
AFFECTING
WEB APPLICATION

Vulnerability Details

The following table list reported vulnerabilities for the period covered by this report:

Expand/Hide

1 Critical Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2011-10-19 CVE-2011-3544 Oracle
Canonical
Redhat
Suse 		Unspecified vulnerability in the Java Runtime Environment component in Oracle Java SE JDK and JRE 7 and 6 Update 27 and earlier allows remote untrusted Java Web Start applications and untrusted Java applets to affect confidentiality, integrity, and availability via unknown vectors related to Scripting.
9.8

3 High Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2011-10-22 CVE-2011-2058 Cisco Improper Input Validation vulnerability in Cisco IOS

The cat6000-dot1x component in Cisco IOS 12.2 before 12.2(33)SXI7 does not properly handle an external loop between a pair of dot1x enabled ports, which allows remote attackers to cause a denial of service (traffic storm) via unspecified vectors that trigger many unicast EAPoL Protocol Data Units (PDUs), aka Bug ID CSCtq36336.
7.5
2011-10-22 CVE-2011-2057 Cisco Improper Input Validation vulnerability in Cisco IOS

The cat6000-dot1x component in Cisco IOS 12.2 before 12.2(33)SXI7 does not properly handle (1) a loop between a dot1x enabled port and an open-authentication dot1x enabled port and (2) a loop between a dot1x enabled port and a non-dot1x port, which allows remote attackers to cause a denial of service (traffic storm) via unspecified vectors that trigger many Spanning Tree Protocol (STP) Bridge Protocol Data Unit (BPDU) frames, aka Bug ID CSCtq36327.
7.5
2011-10-22 CVE-2011-1640 Cisco Resource Exhaustion vulnerability in Cisco IOS

The ethernet-lldp component in Cisco IOS 12.2 before 12.2(33)SXJ1 does not properly support a large number of LLDP Management Address (MA) TLVs, which allows remote attackers to cause a denial of service (device crash) via crafted LLDPDUs, aka Bug ID CSCtj22354.
7.5

0 Medium Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS

0 Low Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS