Weekly Vulnerabilities Reports > July 25 to 31, 2016

Overview

24 new vulnerabilities reported during this period, including 10 critical vulnerabilities and 6 high severity vulnerabilities. This weekly summary report vulnerabilities in 19 products from 12 vendors including PHP, Cisco, Apache, Rockwellautomation, and CA. Vulnerabilities are notably categorized as "Improper Restriction of Operations within the Bounds of a Memory Buffer", "Resource Management Errors", "Use After Free", "Cross-site Scripting", and "Improper Input Validation".

  • 19 reported vulnerabilities are remotely exploitables.
  • 1 reported vulnerabilities have public exploit available.
  • 5 reported vulnerabilities are related to weaknesses in OWASP Top Ten.
  • 20 reported vulnerabilities are exploitable by an anonymous user.
  • PHP has the most reported vulnerabilities, with 9 reported vulnerabilities.
  • PHP has the most reported critical vulnerabilities, with 6 reported vulnerabilities.

TOTAL
VULNERABILITIES
CRITICAL RISK
VULNERABILITIES
HIGH RISK
VULNERABILITIES
MEDIUM RISK
VULNERABILITIES
LOW RISK
VULNERABILITIES
REMOTELY
EXPLOITABLE
LOCALLY
EXPLOITABLE
EXPLOIT
AVAILABLE
EXPLOITABLE
ANONYMOUSLY
AFFECTING
WEB APPLICATION

Vulnerability Details

The following table list reported vulnerabilities for the period covered by this report:

Expand/Hide

10 Critical Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2016-07-25 CVE-2016-6296 PHP Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in PHP

Integer signedness error in the simplestring_addn function in simplestring.c in xmlrpc-epi through 0.54.2, as used in PHP before 5.5.38, 5.6.x before 5.6.24, and 7.x before 7.0.9, allows remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via a long first argument to the PHP xmlrpc_encode_request function.

9.8
2016-07-25 CVE-2016-6295 PHP Use After Free vulnerability in PHP

ext/snmp/snmp.c in PHP before 5.5.38, 5.6.x before 5.6.24, and 7.x before 7.0.9 improperly interacts with the unserialize implementation and garbage collection, which allows remote attackers to cause a denial of service (use-after-free and application crash) or possibly have unspecified other impact via crafted serialized data, a related issue to CVE-2016-5773.

9.8
2016-07-25 CVE-2016-6294 PHP Out-of-bounds Read vulnerability in PHP

The locale_accept_from_http function in ext/intl/locale/locale_methods.c in PHP before 5.5.38, 5.6.x before 5.6.24, and 7.x before 7.0.9 does not properly restrict calls to the ICU uloc_acceptLanguageFromHTTP function, which allows remote attackers to cause a denial of service (out-of-bounds read) or possibly have unspecified other impact via a call with a long argument.

9.8
2016-07-25 CVE-2016-6293 ICU Project Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Icu-Project International Components for Unicode

The uloc_acceptLanguageFromHTTP function in common/uloc.cpp in International Components for Unicode (ICU) through 57.1 for C/C++ does not ensure that there is a '\0' character at the end of a certain temporary array, which allows remote attackers to cause a denial of service (out-of-bounds read) or possibly have unspecified other impact via a call with a long httpAcceptLanguage argument.

9.8
2016-07-25 CVE-2016-6291 PHP Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in PHP

The exif_process_IFD_in_MAKERNOTE function in ext/exif/exif.c in PHP before 5.5.38, 5.6.x before 5.6.24, and 7.x before 7.0.9 allows remote attackers to cause a denial of service (out-of-bounds array access and memory corruption), obtain sensitive information from process memory, or possibly have unspecified other impact via a crafted JPEG image.

9.8
2016-07-25 CVE-2016-6290 PHP Use After Free vulnerability in PHP

ext/session/session.c in PHP before 5.5.38, 5.6.x before 5.6.24, and 7.x before 7.0.9 does not properly maintain a certain hash data structure, which allows remote attackers to cause a denial of service (use-after-free) or possibly have unspecified other impact via vectors related to session deserialization.

9.8
2016-07-25 CVE-2016-6288 PHP Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in PHP

The php_url_parse_ex function in ext/standard/url.c in PHP before 5.5.38 allows remote attackers to cause a denial of service (buffer over-read) or possibly have unspecified other impact via vectors involving the smart_str data type.

9.8
2016-07-28 CVE-2016-1374 Cisco Improper Input Validation vulnerability in Cisco Unified Computing System Performance Manager

The web framework in Cisco Unified Computing System (UCS) Performance Manager 2.0.0 and earlier allows remote authenticated users to execute arbitrary commands via crafted parameters in a GET request, aka Bug ID CSCuy07827.

9.0
2016-07-26 CVE-2016-6152 Broadcom
CA
CA eHealth 6.2.x and 6.3.x before 6.3.2.13 allows remote authenticated users to cause a denial of service or possibly execute arbitrary commands via unspecified vectors.
9.0
2016-07-26 CVE-2016-6151 CA Command Injection vulnerability in CA Ehealth 6.2/6.2.1/6.2.2

CA eHealth 6.2.x allows remote authenticated users to cause a denial of service or possibly execute arbitrary commands via unspecified vectors.

9.0

6 High Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2016-07-28 CVE-2016-4469 Apache Cross-Site Request Forgery (CSRF) vulnerability in Apache Archiva

Multiple cross-site request forgery (CSRF) vulnerabilities in Apache Archiva 1.3.9 and earlier allow remote attackers to hijack the authentication of administrators for requests that (1) add new repository proxy connectors via the token parameter to admin/addProxyConnector_commit.action, (2) new repositories via the token parameter to admin/addRepository_commit.action, (3) edit existing repositories via the token parameter to admin/editRepository_commit.action, (4) add legacy artifact paths via the token parameter to admin/addLegacyArtifactPath_commit.action, (5) change the organizational appearance via the token parameter to admin/saveAppearance.action, or (6) upload new artifacts via the token parameter to upload_submit.action.

8.8
2016-07-25 CVE-2016-6297 PHP Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in PHP

Integer overflow in the php_stream_zip_opener function in ext/zip/zip_stream.c in PHP before 5.5.38, 5.6.x before 5.6.24, and 7.x before 7.0.9 allows remote attackers to cause a denial of service (stack-based buffer overflow) or possibly have unspecified other impact via a crafted zip:// URL.

8.8
2016-07-25 CVE-2016-6289 PHP Integer Overflow or Wraparound vulnerability in PHP

Integer overflow in the virtual_file_ex function in TSRM/tsrm_virtual_cwd.c in PHP before 5.5.38, 5.6.x before 5.6.24, and 7.x before 7.0.9 allows remote attackers to cause a denial of service (stack-based buffer overflow) or possibly have unspecified other impact via a crafted extract operation on a ZIP archive.

7.8
2016-07-28 CVE-2016-4531 Rockwellautomation Improper Authorization vulnerability in Rockwellautomation Factorytalk Energrymetrix

Rockwell Automation FactoryTalk EnergyMetrix before 2.20.00 does not invalidate credentials upon a logout action, which makes it easier for remote attackers to obtain access by leveraging an unattended workstation.

7.5
2016-07-28 CVE-2016-4522 Rockwellautomation SQL Injection vulnerability in Rockwellautomation Factorytalk Energrymetrix

SQL injection vulnerability in Rockwell Automation FactoryTalk EnergyMetrix before 2.20.00 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.

7.5
2016-07-26 CVE-2015-5738 Marvell
F5
Information Exposure vulnerability in multiple products

The RSA-CRT implementation in the Cavium Software Development Kit (SDK) 2.x, when used on OCTEON II CN6xxx Hardware on Linux to support TLS with Perfect Forward Secrecy (PFS), makes it easier for remote attackers to obtain private RSA keys by conducting a Lenstra side-channel attack.

7.5

8 Medium Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2016-07-25 CVE-2016-6292 PHP NULL Pointer Dereference vulnerability in PHP

The exif_process_user_comment function in ext/exif/exif.c in PHP before 5.5.38, 5.6.x before 5.6.24, and 7.x before 7.0.9 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted JPEG image.

6.5
2016-07-28 CVE-2016-1467 Cisco Resource Management Errors vulnerability in Cisco Videoscape Session Resource Manager

Cisco Videoscape Session Resource Manager (VSRM) allows remote attackers to cause a denial of service (device restart) by sending a traffic flood to upstream devices, aka Bug ID CSCva01813.

6.1
2016-07-28 CVE-2016-1465 Cisco Resource Management Errors vulnerability in Cisco Nx-Os

Cisco Nexus 1000v Application Virtual Switch (AVS) devices before 5.2(1)SV3(1.5i) allow remote attackers to cause a denial of service (ESXi hypervisor crash and purple screen) via a crafted Cisco Discovery Protocol packet that triggers an out-of-bounds memory access, aka Bug ID CSCuw57985.

6.1
2016-07-28 CVE-2016-1460 Cisco Resource Management Errors vulnerability in Cisco Wireless LAN Controller Software 7.4.121.0/8.0.0.30220.385

Cisco Wireless LAN Controller (WLC) devices 7.4(121.0) and 8.0(0.30220.385) allow remote attackers to cause a denial of service via crafted wireless management frames, aka Bug ID CSCun92979.

6.1
2016-07-28 CVE-2016-1463 Cisco Improper Input Validation vulnerability in Cisco Firesight System Software

Cisco FireSIGHT System Software 5.3.0, 5.3.1, 5.4.0, 6.0, and 6.0.1 allows remote attackers to bypass Snort rules via crafted parameters in the header of an HTTP packet, aka Bug ID CSCuz20737.

5.0
2016-07-26 CVE-2016-3992 Cronic Project
Debian
Opensuse
Improper Access Control vulnerability in multiple products

cronic before 3 allows local users to write to arbitrary files via a symlink attack on a (1) cronic.out.$$, (2) cronic.err.$$, or (3) cronic.trace.$$ file in /tmp.

4.9
2016-07-28 CVE-2016-5005 Apache Cross-site Scripting vulnerability in Apache Archiva

Cross-site scripting (XSS) vulnerability in Apache Archiva 1.3.9 and earlier allows remote authenticated administrators to inject arbitrary web script or HTML via the connector.sourceRepoId parameter to admin/addProxyConnector_commit.action.

4.8
2016-07-28 CVE-2016-1462 Cisco Cross-site Scripting vulnerability in Cisco Prime Service Catalog 11.0Base

Cross-site scripting (XSS) vulnerability in the web-based management interface in Cisco Prime Service Catalog (PSC) 11.0 allows remote attackers to inject arbitrary web script or HTML via a crafted value, aka Bug ID CSCuz63795.

4.3

0 Low Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS