Good Afternoon!
Commonwealth Security and Risk Management staff have been tracking multiple vulnerabilities related to Apache software, HP HP-UX software, IBM WebSphere MQ software, Oracle Solaris software, Red Hat software, and SUSE software. Our recommendations are included below as some of the vulnerabilities may have significant impact for the Commonwealth Information Security community. This advisory information can also be found at the Commonwealth Security Information Resource Center (CSIRC) http://www.csirc.vita.virginia.gov/
Vulnerability Description: Apache Archiva Cross-Site Request Forgery Vulnerabilities
Pertinent Details: Multiple vulnerabilities have been reported in Apache Archiva which could be exploited by malicious people to conduct cross-site request forgery attacks, enticing an administrator into exposing authentication credentials.
More information can be found at the following URLs:
http://archiva.apache.org/download.html
http://secunia.com/advisories/42376/
http://jira.codehaus.org/browse/MRM-1438
Remediation Responsibility: If you receive support for Apache software from the Commonwealth Information Technology Infrastructure (IT) Partnership, these software vulnerabilities will be remediated on any vulnerable devices by the Commonwealth Information Technology Infrastructure (IT) Partnership. If you do not receive support for Apache software from the Commonwealth Information Technology Infrastructure (IT) Partnership, please remediate the software vulnerabilities on any vulnerable devices.
Recommended Action: Review the Apache security advisory at the URLs listed in the more information section above. Install the Apache software update as part of the next scheduled patch cycle.
Vulnerability Description: Apache Tomcat Manager Cross-Site Scripting Vulnerability
Pertinent Details: Multiple vulnerabilities have been reported in Apache Tomcat. These vulnerabilities could be exploited by a malicious individual to conduct cross-site scripting attacks. Successful exploitation on Apache Tomcat 7.x requires that the "CSRF" filter for the Manager application be disabled. The vulnerabilities are reported in Apache Tomcat versions 6.0.12 through 6.0.29 and 7.0.0 through 7.0.4.
More information can be found at the following URLs:
https://issues.apache.org/bugzilla/show_bug.cgi?id=49406
http://archives.neohapsis.com/archives/fulldisclosure/2010-11/0285.html
http://tomcat.apache.org/security-7.html
http://tomcat.apache.org/security-6.html
http://secunia.com/advisories/42288
http://secunia.com/advisories/42337
Remediation Responsibility: If you receive support for Apache software from the Commonwealth Information Technology Infrastructure (IT) Partnership, these software vulnerabilities will be remediated on any vulnerable devices by the Commonwealth Information Technology Infrastructure (IT) Partnership. If you do not receive support for Apache software from the Commonwealth Information Technology Infrastructure (IT) Partnership, please remediate the software vulnerabilities on any vulnerable devices.
Recommended Action: Review the Apache security advisory at the URLs listed in the more information section above. Install the Apache software update as part of the next scheduled patch cycle.
Vulnerability Description: HP-UX Multiple Package Vulnerabilities
Pertinent Details: HP has issued a security advisory and released a software update to address multiple vulnerabilities in the HP-UX CIFS Server and Tomcat Servlet Engine software packages. These software vulnerabilities could be exploited by a malicious individual to disclose system information and potentially sensitive information, create a denial of service condition, gain escalated privileges, conduct spoofing attacks and bypass certain security features, or compromise an affected system.
More information can be found at the following URLs:
http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02515878
http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02627925
http://secunia.com/advisories/42319/
http://secunia.com/advisories/42368/
Remediation Responsibility: If you receive support for HP HP-UX software from the Commonwealth Information Technology Infrastructure (IT) Partnership, these software vulnerabilities will be remediated on any vulnerable devices by the Commonwealth Information Technology Infrastructure (IT) Partnership. If you do not receive support for HP HP-UX software from the Commonwealth Information Technology Infrastructure (IT) Partnership, please remediate the software vulnerabilities on any vulnerable devices.
Recommended Action: Review the HP security advisories located at http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02515878 and http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02627925. Install the HP HP-UX software updates as part of the next scheduled patch cycle.
Vulnerability Description: IBM WebSphere MQ Multiple Vulnerabilities
Pertinent Details: IBM has issued a security advisory and released a software update to address vulnerabilities in IBM WebSphere MQ software. These vulnerabilities could be exploited by a malicious individual to manipulate certain data or create a denial of service condition. The vulnerabilities have been reported in the IBM WebSphere MQ FDC Processing function and the IBM WebSphere MQ Internet Pass-Thru TLS Renegotiation function.
More information can be found at the following URLs:
http://www-01.ibm.com/support/docview.wss?rs=171&uid=swg21254675
http://www.ibm.com/support/docview.wss?uid=swg2400638
http://secunia.com/advisories/42253/
http://secunia.com/advisories/42379/
http://xforce.iss.net/xforce/xfdb/63147
Remediation Responsibility: If you receive support for IBM WebSphere MQ software from the Commonwealth Information Technology Infrastructure (IT) Partnership, these software vulnerabilities will be remediated on any vulnerable devices by the Commonwealth Information Technology Infrastructure (IT) Partnership. If you do not receive support for IBM WebSphere MQ software from the Commonwealth Information Technology Infrastructure (IT) Partnership, please remediate the software vulnerabilities on any vulnerable devices.
Recommended Action: Review the IBM WebSphere MQ security advisories located at http://www-01.ibm.com/support/docview.wss?rs=171&uid=swg21254675 and http://www.ibm.com/support/docview.wss?uid=swg2400638. Install the IBM WebSphere MQ software update as part of the next scheduled patch cycle. Before applying these updates, make sure all previously-released errata relevant to the affected system have been applied.
Vulnerability Description: Oracle Solaris Multiple Vulnerabilities
Pertinent Details: Oracle has issued a security advisory and released a software update to address vulnerabilities in the Oracle Solaris Perl Safe module, the Oracle Solaris APR module, and the Oracle Solaris bzip2 software library. These vulnerabilities could be exploited by a malicious individual to bypass certain security restrictions, create a denial of service condition, or potentially compromise an affected system.
More information can be found at the following URLs:
http://blogs.sun.com/security/entry/cve_2010_1168_vulnerability_in
http://blogs.sun.com/security/entry/cve_2010_1623_memory_leak
http://blogs.sun.com/security/entry/cve_2010_0405_integer_overflow
http://secunia.com/advisories/42404/
http://secunia.com/advisories/42403/
http://secunia.com/advisories/42402/
Remediation Responsibility: If you receive support for Oracle Solaris software from the Commonwealth Information Technology Infrastructure (IT) Partnership, these software vulnerabilities will be remediated on any vulnerable devices by the Commonwealth Information Technology Infrastructure (IT) Partnership. If you do not receive support for Oracle Solaris software from the Commonwealth Information Technology Infrastructure (IT) Partnership, please remediate the software vulnerabilities on any vulnerable devices.
Recommended Action: Review the Oracle Solaris security advisories located at http://blogs.sun.com/security/entry/cve_2010_1168_vulnerability_in, http://blogs.sun.com/security/entry/cve_2010_1623_memory_leak, and http://blogs.sun.com/security/entry/cve_2010_0405_integer_overflow. Install the Oracle Solaris software update as part of the next scheduled patch cycle. Before applying these updates, make sure all previously-released errata relevant to the affected system have been applied.
Vulnerability Description: Red Hat Multiple Packages Vulnerabilities
Pertinent Details: Red Hat has issued a security advisory and released a software update to address multiple vulnerabilities in multiple Red Hat software packages. These software vulnerabilities could be exploited by a malicious individual to disclose system information and potentially sensitive information, create a denial of service condition, gain escalated privileges, conduct spoofing attacks and bypass certain security features, or compromise an affected system.
The software packages addressed by this advisory include:
cvs (RHSA-2010:0918-1)
dhcp (RHSA-2010:0923-1)
freetype (RHSA-2010:0889-1)
krb5 (RHSA-2010:0925-1)
openssl (RHSA-2010:0888-1)
openswan (RHSA-2010:0892-1)
php (RHSA-2010:0919-1)
postgresql (RHSA-2010:0908-1)
systemtap (RHSA-2010:0894-1 & RHSA-2010:0895-1)
thunderbird (RHSA-2010:0896-1)
More information can be found at the following URLs:
https://rhn.redhat.com/errata/RHSA-2010-0888.html
https://rhn.redhat.com/errata/RHSA-2010-0889.html
https://rhn.redhat.com/errata/RHSA-2010-0892.html
http://rhn.redhat.com/errata/RHSA-2010-0894.html
http://rhn.redhat.com/errata/RHSA-2010-0895.html
https://rhn.redhat.com/errata/RHSA-2010-0896.html
http://rhn.redhat.com/errata/RHSA-2010-0908.html
https://rhn.redhat.com/errata/RHSA-2010-0918.html
http://rhn.redhat.com/errata/RHSA-2010-0919.html
https://rhn.redhat.com/errata/RHSA-2010-0923.html
https://rhn.redhat.com/errata/RHSA-2010-0925.html
http://secunia.com/advisories/42310/
http://secunia.com/advisories/42296/
http://secunia.com/advisories/42291/
http://secunia.com/advisories/42295/
http://secunia.com/advisories/42263/
http://secunia.com/advisories/42306/
http://secunia.com/advisories/42325/
http://secunia.com/advisories/42399/
http://secunia.com/advisories/42407/
http://secunia.com/advisories/42409/
http://secunia.com/advisories/42410/
Remediation Responsibility: If you receive support for Red Hat software from the Commonwealth Information Technology Infrastructure (IT) Partnership, these software vulnerabilities will be remediated on any vulnerable devices by the Commonwealth Information Technology Infrastructure (IT) Partnership. If you do not receive support for Red Hat software from the Commonwealth Information Technology Infrastructure (IT) Partnership, please remediate the software vulnerabilities on any vulnerable devices.
Recommended Action: Review the Red Hat security advisories listed in the more information section of this security advisory. Install the Red Hat software update as part of the next scheduled patch cycle. Before applying these updates, make sure all previously-released errata relevant to the affected system have been applied.
Vulnerability Description: SUSE Multiple Packages Vulnerabilities
Pertinent Details: SUSE has issued a security advisory and released a software update to address multiple vulnerabilities in multiple SUSE software packages. These software vulnerabilities could be exploited by a malicious individual to disclose system information and potentially sensitive information, create a denial of service condition, gain escalated privileges, conduct spoofing attacks and bypass certain security features, or compromise an affected system.
More information can be found at the following URLs:
http://lists.opensuse.org/opensuse-security-announce/2010-11/msg00005.html
http://lists.opensuse.org/opensuse-security-announce/2010-11/msg00006.html
http://secunia.com/advisories/42252/
http://secunia.com/advisories/42397/
Remediation Responsibility: If you receive support for SUSE software from the Commonwealth Information Technology Infrastructure (IT) Partnership, these software vulnerabilities will be remediated on any vulnerable devices by the Commonwealth Information Technology Infrastructure (IT) Partnership. If you do not receive support for SUSE software from the Commonwealth Information Technology Infrastructure (IT) Partnership, please remediate the software vulnerabilities on any vulnerable devices.
Recommended Action: Review the SUSE security advisories located at http://lists.opensuse.org/opensuse-security-announce/2010-11/msg00005.html and http://lists.opensuse.org/opensuse-security-announce/2010-11/msg00006.html. Install the SUSE software update as part of the next scheduled patch cycle. Before applying these updates, make sure all previously-released errata relevant to the affected system have been applied.
John Green
CISO, Commonwealth Security and Risk Management
Virginia Information Technologies Agency (VITA)
VITA – Enabling the Business of Government
(804) 416-6013
VITA Customer Care Center - Call (866) 637-8482 (toll free) to report an outage or request service. Or e-mail the VCCC at [log in to unmask]. Please note: E-mail should not be used to report critical issues or outages impacting an agency. To report a critical issue, please call the VCCC directly.