Security Bulletins

last updated: Thu, 29 Nov 2018 21:48:00 GMT


US-CERT: The United States Computer Emergency Readiness Team
last updated: Thu, 13 Dec 2018 23:18:26 GMT

 Thu, 13 Dec 2018 20:06:49 +0000 WordPress Releases Security Update
Original release date: December 13, 2018

WordPress 5.0 and prior versions are affected by multiple vulnerabilities. An attacker could exploit some of these vulnerabilities to take control of an affected system.

The National Cybersecurity and Communications Integration Center (NCCIC), part of the Cybersecurity and Infrastructure Security Agency (CISA), encourages users and administrators to review the WordPress Security Release and upgrade to WordPress 5.0.1.


This product is provided subject to this Notification and this Privacy & Use policy.


 Wed, 12 Dec 2018 22:00:33 +0000 Google Releases Security Updates for Chrome
Original release date: December 12, 2018

Google has released Chrome Version 71.0.3578.98 for Windows, Mac, and Linux. This version addresses a vulnerability that an attacker could exploit to take control of an affected system.

The National Cybersecurity and Communications Integration Center (NCCIC), part of the Cybersecurity and Infrastructure Security Agency (CISA), encourages users and administrators to review the Chrome Releases page and apply the necessary updates.




 Tue, 11 Dec 2018 21:11:28 +0000 Microsoft Releases December 2018 Security Updates
Original release date: December 11, 2018

Microsoft has released updates to address multiple vulnerabilities in Microsoft software. An attacker could exploit some of these vulnerabilities to obtain access to sensitive information.

The National Cybersecurity and Communications Integration Center (NCCIC), part of the Cybersecurity and Infrastructure Security Agency (CISA), encourages users and administrators to review Microsoft’s December 2018 Security Update Summary and Deployment Information and apply the necessary updates.

 




 Tue, 11 Dec 2018 16:13:44 +0000 Mozilla Releases Security Updates for Firefox
Original release date: December 11, 2018

Mozilla has released security updates to address vulnerabilities in Firefox and Firefox ESR. A remote attacker could exploit some of these vulnerabilities to take control of an affected system.

The National Cybersecurity and Communications Integration Center (NCCIC), part of the Cybersecurity and Infrastructure Security Agency (CISA), encourages users and administrators to review the Mozilla Security Advisories for Firefox 64 and Firefox ESR 60.4 and apply the necessary updates.

 




 Tue, 11 Dec 2018 16:10:16 +0000 Adobe Releases Security Updates
Original release date: December 11, 2018

Adobe has released security updates to address vulnerabilities in Adobe Acrobat and Reader. An attacker could exploit some of these vulnerabilities to take control of an affected system.

The National Cybersecurity and Communications Integration Center (NCCIC), part of the Cybersecurity and Infrastructure Security Agency (CISA), encourages users and administrators to review Adobe Security Bulletin APSB18-41 and apply the necessary updates.





Yahoo News - Latest News & Headlines
last updated: Thu, 13 Dec 2018 23:19:44 GMT

 Thu, 13 Dec 2018 08:46:09 -0500 Trump denies directing lawyer to break law

Donald Trump on Thursday denied directing his ex-lawyer Michael Cohen to break the law after the US president's longtime close ally was sentenced to three years for campaign finance violations and other crimes. "I never directed Michael Cohen to break the law. Pleading for leniency in a packed Manhattan courtroom before US District Court Judge William H. Pauley III, Cohen said he had been led astray by misplaced admiration for Trump.


 Tue, 11 Dec 2018 22:17:42 -0500 Michael Flynn's lawyers request no prison time, defend cooperation with Mueller team

Flynn's lawyers defend cooperation with Robert Mueller; ask for no prison time


 Wed, 12 Dec 2018 08:38:10 -0500 Palestinians offer new details of Israel's botched Gaza raid

GAZA CITY, Gaza Strip (AP) — The small town of Abassan in the Gaza Strip is a tough place to infiltrate — everyone knows everyone else and outsiders passing through quickly attract attention. So when strangers drove through town, suspicious Hamas security men stopped the van and questioned those inside.


 Tue, 11 Dec 2018 18:55:34 -0500 Gunman kills at least two in French Christmas market and flees

With France still on high alert after a wave of attacks commissioned or inspired by Islamic State militants since early 2015, the counter-terrorism prosecutor opened an investigation. Amid fast-moving, confusing scenes it was not clear if the suspect, identified by police as Strasbourg-born Chekatt Cherif, 29, had been cornered by commandos or had slipped the dragnet. "There was confusion initially but they locked the front doors pretty soon after the gunshots," said U.S. citizen Elizabeth Osterwisch, who was sheltering on the top floor of the Galeries Lafayette department store.


 Wed, 12 Dec 2018 16:38:23 -0500 May Survives Confidence Vote to Face Uphill Struggle in Brexit

Theresa May survived an attempt to oust her as U.K. prime minister on Wednesday, but the size of the rebellion against her weakens her position at a critical time as she tries to steer the U.K. out of the European Union. May won a vote of confidence in her leadership of the Conservative Party, with Tory members of Parliament backing her by 200 to 117 in the secret ballot.



Cisco Security Advisory
last updated: Thu, 13 Dec 2018 23:31:37 GMT

 Thu, 13 Dec 2018 20:58:56 CST Texas Instruments Bluetooth Low Energy Denial of Service and Remote Code Execution Vulnerability
On November 1st, 2018, Armis announced the presence of a Remote Code Execution (RCE) or Denial of Service (DoS) vulnerability in the Bluetooth Low Energy (BLE) Stack on Texas Instruments (TI) chips CC2640 and CC2650. This vulnerability has been assigned the Common Vulnerabilities and Exposures (CVE) ID of CVE-2018-16986.

The vulnerability is due to a memory corruption condition that may occur when processing malformed BLE frames. An attacker in close proximity to an affected device that is actively scanning could exploit the issue by broadcasting malformed BLE frames. A successful exploit may result in the attacker gaining the ability to execute arbitrary code or cause a denial of service condition on an affected device.

There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181101-ap


Security Impact Rating: High
CVE: CVE-2018-16986

 Mon, 10 Dec 2018 18:27:03 CST Cisco Prime License Manager SQL Injection Vulnerability

Update (2018-December-10): Installing the ciscocm.CSCvk30822_v1.0.k3.cop.sgn patch may cause functional issues. Workarounds are available for some of these issues. Rolling back this patch as described in the Fixed Releases section will correct these functional issues, but the device will be affected by this vulnerability again when the patch is not in place. See the Fixed Releases section for details.


A vulnerability in the web framework code of Cisco Prime License Manager (PLM) could allow an unauthenticated, remote attacker to execute arbitrary SQL queries.

The vulnerability is due to a lack of proper validation of user-supplied input in SQL queries. An attacker could exploit this vulnerability by sending crafted HTTP POST requests that contain malicious SQL statements to an affected application. A successful exploit could allow the attacker to modify and delete arbitrary data in the PLM database or gain shell access with the privileges of the postgres user.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181128-plm-sql-inject


Security Impact Rating: Critical
CVE: CVE-2018-15441

 Wed, 05 Dec 2018 16:34:38 CST Apache Struts Commons FileUpload Library Remote Code Execution Vulnerability Affecting Cisco Products: November 2018

On November 5, 2018, the Apache Struts Team released a security announcement urging an upgrade of the Commons FileUpload library to version 1.3.3 on systems using Struts 2.3.36 or earlier releases. Systems using earlier versions of this library may be exposed to attacks that could allow execution of arbitrary code or modifications of files on the system. The issue is caused by a previously reported vulnerability of the Apache Commons FileUpload library, assigned to CVE-2016-1000031.

The vulnerability is due to insufficient validation of user-supplied input by the affected software. An attacker could exploit this vulnerability by submitting crafted data to an affected system. A successful exploit could allow the attacker to execute arbitrary code or manipulate files on the targeted system.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181107-struts-commons-fileupload


Security Impact Rating: Critical
CVE: CVE-2016-1000031

 Tue, 04 Dec 2018 16:00:00 CST Cisco Energy Management Suite Default PostgreSQL Password Vulnerability

A vulnerability in the configuration of a local database installed as part of the Cisco Energy Management Suite (CEMS) could allow an authenticated, local attacker to access and alter confidential data.

The vulnerability is due to the installation of the PostgreSQL database with unchanged default access credentials. An attacker could exploit this vulnerability by logging in to the machine where CEMS is installed and establishing a local connection to the database.

The fix for this vulnerability randomizes the database access password in new installations; however, the fix will not change the password for existing installations. Users are required to manually change the password, as documented in the Workarounds section of this advisory.

There are workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181204-ems-sql-passwrd


Security Impact Rating: Medium
CVE: CVE-2018-0468

 Tue, 27 Nov 2018 16:01:05 CST Cisco Webex Meetings Desktop App Update Service Command Injection Vulnerability

A vulnerability in the update service of Cisco Webex Meetings Desktop App for Windows could allow an authenticated, local attacker to execute arbitrary commands as a privileged user.

The vulnerability is due to insufficient validation of user-supplied parameters. An attacker could exploit this vulnerability by invoking the update service command with a crafted argument. An exploit could allow the attacker to run arbitrary commands with SYSTEM user privileges.

While the CVSS Attack Vector metric denotes the requirement for an attacker to have local access, administrators should be aware that in Active Directory deployments, the vulnerability could be exploited remotely by leveraging the operating system remote management tools.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

After an additional attack method was reported to Cisco, the previous fix for this vulnerability was determined to be insufficient. A new fix was developed, and the advisory was updated on November 27, 2018, to reflect which software releases include the complete fix.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181024-webex-injection


Security Impact Rating: High
CVE: CVE-2018-15442


Stay Secure
Axiom understands how vital the security of your data is to your organization. Please don't hesitate to contact us if you would like a professional assessment of your network infrastructure.