Weekly Vulnerability Report: November 14 to 20, 2016

Overview

49 new vulnerabilities were reported during this period, including 4 critical vulnerabilities and 24 high severity vulnerabilities. This weekly summary reports vulnerabilities in 44 products from 14 vendors including Linux, Cisco, Dotcms, Wireshark, and Debian. Vulnerabilities are notably categorized as "SQL Injection", "Use After Free", "Improper Input Validation", "Resource Management Errors", and "Improper Restriction of Operations within the Bounds of a Memory Buffer".

  • 25 reported vulnerabilities are remotely exploitable.
  • 6 reported vulnerabilities have a public exploit available.
  • 12 reported vulnerabilities are related to weaknesses in the OWASP Top Ten.
  • 34 reported vulnerabilities are exploitable by an anonymous user.
  • Linux has the most reported vulnerabilities, with 12 reported vulnerabilities.
  • Paloaltonetworks has the most reported critical vulnerabilities, with 1 reported vulnerability.


Vulnerability Details

The following tables list the reported vulnerabilities for the period covered by this report:

4 Critical Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2016-11-19 CVE-2016-9150 Paloaltonetworks Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Paloaltonetworks Pan-Os

Buffer overflow in the management web interface in Palo Alto Networks PAN-OS before 5.0.20, 5.1.x before 5.1.13, 6.0.x before 6.0.15, 6.1.x before 6.1.15, 7.0.x before 7.0.11, and 7.1.x before 7.1.6 allows remote attackers to execute arbitrary code via unspecified vectors.

9.8
2016-11-15 CVE-2016-9287 Exponentcms SQL Injection vulnerability in Exponentcms Exponent CMS 2.4.0

In /framework/modules/notfound/controllers/notfoundController.php of Exponent CMS 2.4.0 patch1, untrusted input is passed into getSearchResults.

9.8
2016-11-14 CVE-2016-8902 Dotcms SQL Injection vulnerability in Dotcms

SQL injection vulnerability in the categoriesServlet servlet in dotCMS before 3.3.1 allows remote unauthenticated attackers to execute arbitrary SQL commands via the sort parameter.

9.8
2016-11-15 CVE-2016-5763 Novell 7PK - Security Features vulnerability in Novell products

Vulnerability in Novell Open Enterprise Server (OES2015 SP1 before Scheduled Maintenance Update 10992, OES2015 before Scheduled Maintenance Update 10990, OES11 SP3 before Scheduled Maintenance Update 10991, OES11 SP2 before Scheduled Maintenance Update 10989) might allow authenticated remote attackers to perform unauthorized file access and modification.

9.1

24 High Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2016-11-14 CVE-2016-8908 Dotcms SQL Injection vulnerability in Dotcms

SQL injection vulnerability in the "Site Browser > HTML pages" screen in dotCMS before 3.3.1 allows remote authenticated attackers to execute arbitrary SQL commands via the orderby parameter.

8.8
2016-11-14 CVE-2016-8907 Dotcms SQL Injection vulnerability in Dotcms

SQL injection vulnerability in the "Content Types > Content Types" screen in dotCMS before 3.3.1 allows remote authenticated attackers to execute arbitrary SQL commands via the orderby parameter.

8.8
2016-11-14 CVE-2016-8906 Dotcms SQL Injection vulnerability in Dotcms

SQL injection vulnerability in the "Site Browser > Links pages" screen in dotCMS before 3.3.1 allows remote authenticated attackers to execute arbitrary SQL commands via the orderby parameter.

8.8
2016-11-14 CVE-2016-8905 Dotcms SQL Injection vulnerability in Dotcms

SQL injection vulnerability in the JSONTags servlet in dotCMS before 3.3.1 allows remote authenticated attackers to execute arbitrary SQL commands via the sort parameter.

8.8
2016-11-14 CVE-2016-8904 Dotcms SQL Injection vulnerability in Dotcms

SQL injection vulnerability in the "Site Browser > Containers pages" screen in dotCMS before 3.3.1 allows remote authenticated attackers to execute arbitrary SQL commands via the orderby parameter.

8.8
2016-11-14 CVE-2016-8903 Dotcms SQL Injection vulnerability in Dotcms

SQL injection vulnerability in the "Site Browser > Templates pages" screen in dotCMS before 3.3.1 allows remote authenticated attackers to execute arbitrary SQL commands via the orderby parameter.

8.8
2016-11-18 CVE-2016-4333 Hdfgroup Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Hdfgroup Hdf5 1.8.16

The HDF5 1.8.16 library allocating space for the array using a value from the file has an impact within the loop for initializing said array allowing a value within the file to modify the loop's terminator.

8.6
2016-11-18 CVE-2016-4332 Hdfgroup Improper Input Validation vulnerability in Hdfgroup Hdf5 1.8.16

Because of the library's failure to check whether certain message types support a particular flag, the HDF5 1.8.16 library will cast the structure to an alternative structure and then assign to fields that aren't supported by the message type, causing the library to write outside the bounds of the heap buffer.

8.6
2016-11-18 CVE-2016-4331 Hdfgroup Out-of-bounds Write vulnerability in Hdfgroup Hdf5 1.8.16

When decoding data out of a dataset encoded with the H5Z_NBIT decoding, the HDF5 1.8.16 library will fail to ensure that the precision is within the bounds of the size leading to arbitrary code execution.

8.6
2016-11-18 CVE-2016-4330 Hdfgroup Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Hdfgroup Hdf5 1.8.16

Because of the HDF5 1.8.16 library's failure to check whether the number of dimensions for an array read from the file is within the bounds of the space allocated for it, a heap-based buffer overflow will occur, potentially leading to arbitrary code execution.

8.6
2016-11-15 CVE-2016-0909 EMC Improper Input Validation vulnerability in EMC Avamar Data Store and Avamar Server Virtual Edition

EMC Avamar Data Store (ADS) and Avamar Virtual Edition (AVE) versions 7.3 and older contain a vulnerability that may expose the Avamar servers to potentially be compromised by malicious users.

8.4
2016-11-15 CVE-2016-8661 Obdev Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Obdev Little Snitch

Little Snitch versions 3.0 through 3.6.1 suffer from a buffer overflow vulnerability that could be locally exploited, which could lead to an escalation of privileges (EoP) and unauthorised ring0 access to the operating system.

8.4
2016-11-19 CVE-2016-9151 Paloaltonetworks Permissions, Privileges, and Access Controls vulnerability in Paloaltonetworks Pan-Os

Palo Alto Networks PAN-OS before 5.0.20, 5.1.x before 5.1.13, 6.0.x before 6.0.15, 6.1.x before 6.1.15, 7.0.x before 7.0.11, and 7.1.x before 7.1.6 allows local users to gain privileges via crafted values of unspecified environment variables.

7.8
2016-11-16 CVE-2016-7913 Linux, Canonical Use After Free vulnerability in multiple products

The xc2028_set_config function in drivers/media/tuners/tuner-xc2028.c in the Linux kernel before 4.6 allows local users to gain privileges or cause a denial of service (use-after-free) via vectors involving omission of the firmware name from a certain data structure.

7.8
2016-11-16 CVE-2016-7912 Linux Use After Free vulnerability in Linux Kernel

Use-after-free vulnerability in the ffs_user_copy_worker function in drivers/usb/gadget/function/f_fs.c in the Linux kernel before 4.5.3 allows local users to gain privileges by accessing an I/O data structure after a certain callback call.

7.8
2016-11-16 CVE-2016-7911 Linux Use After Free vulnerability in Linux Kernel

Race condition in the get_task_ioprio function in block/ioprio.c in the Linux kernel before 4.6.6 allows local users to gain privileges or cause a denial of service (use-after-free) via a crafted ioprio_get system call.

7.8
2016-11-16 CVE-2016-7910 Linux Use After Free vulnerability in Linux Kernel

Use-after-free vulnerability in the disk_seqf_stop function in block/genhd.c in the Linux kernel before 4.7.1 allows local users to gain privileges by leveraging the execution of a certain stop operation even if the corresponding start operation had failed.

7.8
2016-11-16 CVE-2015-8961 Linux Use After Free vulnerability in Linux Kernel

The __ext4_journal_stop function in fs/ext4/ext4_jbd2.c in the Linux kernel before 4.3.3 allows local users to gain privileges or cause a denial of service (use-after-free) by leveraging improper access to a certain error field.

7.8
2016-11-19 CVE-2016-6466 Cisco Resource Management Errors vulnerability in Cisco ASR 5000 Series Software and Virtualized Packet Core

A vulnerability in the IPsec component of StarOS for Cisco ASR 5000 Series routers could allow an unauthenticated, remote attacker to terminate all active IPsec VPN tunnels and prevent new tunnels from establishing, resulting in a denial of service (DoS) condition.

7.5
2016-11-19 CVE-2016-6460 Cisco 7PK - Security Features vulnerability in Cisco Firesight System Software

A vulnerability in the FTP Representational State Transfer Application Programming Interface (REST API) for Cisco Firepower System Software could allow an unauthenticated, remote attacker to bypass FTP malware detection rules and download malware over an FTP connection.

7.5
2016-11-19 CVE-2016-6458 Cisco Improper Input Validation vulnerability in Cisco Email Security Appliance Firmware

A vulnerability in the content filtering functionality of Cisco AsyncOS Software for Cisco Email Security Appliances could allow an unauthenticated, remote attacker to bypass content filters configured on an affected device.

7.5
2016-11-18 CVE-2016-8562 Siemens Unspecified vulnerability in Siemens products

A vulnerability has been identified in SIMATIC CP 1543-1 (All versions < V2.0.28), SIPLUS NET CP 1543-1 (All versions < V2.0.28).

7.5
2016-11-16 CVE-2015-8962 Linux Double Free vulnerability in Linux Kernel

Double free vulnerability in the sg_common_write function in drivers/scsi/sg.c in the Linux kernel before 4.4 allows local users to gain privileges or cause a denial of service (memory corruption and system crash) by detaching a device during an SG_IO ioctl call.

7.3
2016-11-16 CVE-2015-8963 Linux Use After Free vulnerability in Linux Kernel

Race condition in kernel/events/core.c in the Linux kernel before 4.4 allows local users to gain privileges or cause a denial of service (use-after-free) by leveraging incorrect handling of an swevent data structure during a CPU unplug operation.

7.0

20 Medium Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2016-11-18 CVE-2016-8561 Siemens Permissions, Privileges, and Access Controls vulnerability in Siemens Simatic CP 1543-1 Firmware

A vulnerability has been identified in SIMATIC CP 1543-1 (All versions < V2.0.28), SIPLUS NET CP 1543-1 (All versions < V2.0.28).

6.6
2016-11-19 CVE-2016-9149 Paloaltonetworks Data Processing Errors vulnerability in Paloaltonetworks Pan-Os

The Addresses Object parser in Palo Alto Networks PAN-OS before 5.0.20, 5.1.x before 5.1.13, 6.0.x before 6.0.15, 6.1.x before 6.1.15, 7.0.x before 7.0.11, and 7.1.x before 7.1.6 mishandles single quote characters, which allows remote authenticated users to conduct XPath injection attacks via a crafted string.

6.5
2016-11-19 CVE-2016-6457 Cisco Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Cisco products

A vulnerability in the Cisco Nexus 9000 Series Platform Leaf Switches for Application Centric Infrastructure (ACI) could allow an unauthenticated, adjacent attacker to cause a denial of service (DoS) condition on the affected device.

6.5
2016-11-15 CVE-2016-7165 Siemens Improper Access Control vulnerability in Siemens products

A vulnerability has been identified in Primary Setup Tool (PST) (All versions < V4.2 HF1), SIMATIC IT Production Suite (All versions < V7.0 SP1 HFX 2), SIMATIC NET PC-Software (All versions < V14), SIMATIC PCS 7 V7.1 (All versions), SIMATIC PCS 7 V8.0 (All versions), SIMATIC PCS 7 V8.1 (All versions), SIMATIC PCS 7 V8.2 (All versions < V8.2 SP1), SIMATIC STEP 7 (TIA Portal) V13 (All versions < V13 SP2), SIMATIC STEP 7 V5.X (All versions < V5.5 SP4 HF11), SIMATIC WinCC (TIA Portal) Basic, Comfort, Advanced (All versions < V14), SIMATIC WinCC (TIA Portal) Professional V13 (All versions < V13 SP2), SIMATIC WinCC (TIA Portal) Professional V14 (All versions < V14 SP1), SIMATIC WinCC Runtime Professional V13 (All versions < V13 SP2), SIMATIC WinCC Runtime Professional V14 (All versions < V14 SP1), SIMATIC WinCC V7.0 SP2 and earlier versions (All versions < V7.0 SP2 Upd 12), SIMATIC WinCC V7.0 SP3 (All versions < V7.0 SP3 Upd 8), SIMATIC WinCC V7.2 (All versions < V7.2 Upd 14), SIMATIC WinCC V7.3 (All versions < V7.3 Upd 11), SIMATIC WinCC V7.4 (All versions < V7.4 SP1), SIMIT V9.0 (All versions < V9.0 SP1), SINEMA Remote Connect Client (All versions < V1.0 SP3), SINEMA Server (All versions < V13 SP2), SOFTNET Security Client V5.0 (All versions), Security Configuration Tool (SCT) (All versions < V4.3 HF1), TeleControl Server Basic (All versions < V3.0 SP2), WinAC RTX 2010 SP2 (All versions), WinAC RTX F 2010 SP2 (All versions).

6.4
2016-11-19 CVE-2016-6472 Cisco Cross-site Scripting vulnerability in Cisco Unified Communications Manager 11.5(1.2)

A vulnerability in several parameters of the ccmivr page of Cisco Unified Communication Manager (CallManager) could allow an unauthenticated, remote attacker to launch a cross-site scripting (XSS) attack against a user of the web interface on the affected system.

6.1
2016-11-19 CVE-2016-6461 Cisco Improper Input Validation vulnerability in Cisco Adaptive Security Appliance Software

A vulnerability in the HTTP web-based management interface of the Cisco Adaptive Security Appliance (ASA) could allow an unauthenticated, remote attacker to inject arbitrary XML commands on the affected system.

5.9
2016-11-17 CVE-2016-9376 Wireshark, Debian Resource Management Errors vulnerability in multiple products

In Wireshark 2.2.0 to 2.2.1 and 2.0.0 to 2.0.7, the OpenFlow dissector could crash with memory exhaustion, triggered by network traffic or a capture file.

5.9
2016-11-17 CVE-2016-9375 Wireshark, Debian Resource Management Errors vulnerability in multiple products

In Wireshark 2.2.0 to 2.2.1 and 2.0.0 to 2.0.7, the DTN dissector could go into an infinite loop, triggered by network traffic or a capture file.

5.9
2016-11-17 CVE-2016-9374 Wireshark, Debian Resource Management Errors vulnerability in multiple products

In Wireshark 2.2.0 to 2.2.1 and 2.0.0 to 2.0.7, the AllJoyn dissector could crash with a buffer over-read, triggered by network traffic or a capture file.

5.9
2016-11-17 CVE-2016-9373 Wireshark, Debian Use After Free vulnerability in multiple products

In Wireshark 2.2.0 to 2.2.1 and 2.0.0 to 2.0.7, the DCERPC dissector could crash with a use-after-free, triggered by network traffic or a capture file.

5.9
2016-11-17 CVE-2016-9372 Wireshark Resource Management Errors vulnerability in Wireshark 2.2.0/2.2.1

In Wireshark 2.2.0 to 2.2.1, the Profinet I/O dissector could loop excessively, triggered by network traffic or a capture file.

5.9
2016-11-19 CVE-2016-6459 Cisco OS Command Injection vulnerability in Cisco Telepresence TC Software

Cisco TelePresence endpoints running either CE or TC software contain a vulnerability that could allow an authenticated, local attacker to execute a local shell command injection.

5.5
2016-11-16 CVE-2016-7916 Linux Race Condition vulnerability in Linux Kernel

Race condition in the environ_read function in fs/proc/base.c in the Linux kernel before 4.5.4 allows local users to obtain sensitive information from kernel memory by reading a /proc/*/environ file during a process-setup time interval in which environment-variable copying is incomplete.

5.5
2016-11-16 CVE-2016-7915 Linux Out-of-bounds Read vulnerability in Linux Kernel

The hid_input_field function in drivers/hid/hid-core.c in the Linux kernel before 4.6 allows physically proximate attackers to obtain sensitive information from kernel memory or cause a denial of service (out-of-bounds read) by connecting a device, as demonstrated by a Logitech DJ receiver.

5.5
2016-11-16 CVE-2016-7914 Linux NULL Pointer Dereference vulnerability in Linux Kernel

The assoc_array_insert_into_terminal_node function in lib/assoc_array.c in the Linux kernel before 4.5.3 does not check whether a slot is a leaf, which allows local users to obtain sensitive information from kernel memory or cause a denial of service (invalid pointer dereference and out-of-bounds read) via an application that uses associative-array data structures, as demonstrated by the keyutils test suite.

5.5
2016-11-16 CVE-2015-8964 Linux Information Exposure vulnerability in Linux Kernel

The tty_set_termios_ldisc function in drivers/tty/tty_ldisc.c in the Linux kernel before 4.5 allows local users to obtain sensitive information from kernel memory by reading a tty data structure.

5.5
2016-11-16 CVE-2016-9318 Xmlsoft, Canonical XXE vulnerability in multiple products

libxml2 2.9.4 and earlier, as used in XMLSec 1.2.23 and earlier and other products, does not offer a flag directly indicating that the current document may be read but other files may not be opened, which makes it easier for remote attackers to conduct XML External Entity (XXE) attacks via a crafted document.

5.5
2016-11-19 CVE-2016-6463 Cisco Improper Input Validation vulnerability in Cisco Email Security Appliance Firmware 10.0.0082/9.7.0125/9.7.106

A vulnerability in the email filtering functionality of Cisco AsyncOS Software for Cisco Email Security Appliances could allow an unauthenticated, remote attacker to bypass Advanced Malware Protection (AMP) filters that are configured for an affected device.

5.3
2016-11-19 CVE-2016-6462 Cisco Improper Input Validation vulnerability in Cisco Email Security Appliance Firmware 10.0.0082/10.0.0125/9.7.106

A vulnerability in the email filtering functionality of Cisco AsyncOS Software for Cisco Email Security Appliances could allow an unauthenticated, remote attacker to bypass Advanced Malware Protection (AMP) filters that are configured for an affected device.

5.3
2016-11-16 CVE-2016-7917 Linux Out-of-bounds Read vulnerability in Linux Kernel

The nfnetlink_rcv_batch function in net/netfilter/nfnetlink.c in the Linux kernel before 4.5 does not check whether a batch message's length field is large enough, which allows local users to obtain sensitive information from kernel memory or cause a denial of service (infinite loop or out-of-bounds read) by leveraging the CAP_NET_ADMIN capability.

5.0

1 Low Vulnerability

DATE CVE VENDOR VULNERABILITY CVSS
2016-11-19 CVE-2016-6450 Cisco Improper Input Validation vulnerability in Cisco IOS XE

A vulnerability in the package unbundle utility of Cisco IOS XE Software could allow an authenticated, local attacker to gain write access to some files in the underlying operating system.

2.5