Does vulnerability CVE-2013-3336 apply to CF8.0?

The release note was confusing.
Adobe has identified a critical vulnerability affecting ColdFusion 10, 9.0.2, 9.0.1, 9.0, and earlier versions for Windows, Macintosh, and UNIX. This vulnerability (CVE-2013-3336) could permit an unauthorized user to remotely retrieve files stored on a server.

I think ColdFusion 8 is ignored simply because it is no longer current, and is in fact heading for end-of-life. See Adobe's end-of-life matrix.

Similar Messages

  • CSCuq79267 - UCS Apache 2.2 Vulnerability CVE-2014-0118

    I too am seeing this same behavior. Nessus has found this, and 3 other, vulnerabilities with the Apache version provided by the UCS platform.
    Any fixes in the works? We are currently running firmware 2.2(3c). The release notes for 2.2(3d) and 2.2(3e) do not address CVE-2014-0118.
    EDIT:
    2.2(3f) also does not address these vulnerabilities. Does the UCS version of Apache use the modules that are found faulty according to Nessus?
    Nessus is also reporting the following CVEs related to this one: CVE-2013-6438, CVE-2014-0098, CVE-2013-5704, CVE-2014-0226, and CVE-2014-0231.

    Hi,
    Please refer to these links,
    Linux GHOST vulnerability (CVE-2015-0235) is not as scary as it looks | Symantec Connect
    https://rhn.redhat.com/errata/RHSA-2015-0090.html
    Regards,
    S27

  • CVE-2013-3751 and Instant Client 11.2.0.3

    The README for the July 2013 Database GI Patch Set Update mentions Instant Client installations needing Database PSU 11.2.0.3.7 to address CVE-2013-3751. Further details on the CVE at http://www.oracle.com/technetwork/topics/security/cpujuly2013verbose-1899830.html#DB say “Successful attack of this vulnerability can result in unauthorized Operating System takeover including arbitrary code execution.” The Patch README references the Oracle Call Interface Programmer’s Guide, and in there I found this relevant section: http://docs.oracle.com/cd/E11882_01/appdev.112/e10646/oci01int.htm#autoId37
    That document spells out the steps required to create Instant Client zip or RPM files. That’s great, but here at my company we haven’t gone through these steps in the past. We simply go to the appropriate page on oracle.com (Instant Client Downloads) and download what we need.
    I’m assuming the vulnerable file is in the “basic” package.  I looked at linux x64 zip today and it has not been updated.
    unzip -l instantclient-basic-linux.x64-11.2.0.3.0.zip
    Archive:  instantclient-basic-linux.x64-11.2.0.3.0.zip
      Length Date    Time    Name
          437 09-17-2011 09:08 instantclient_11_2/BASIC_README
        25308 09-17-2011 09:08 instantclient_11_2/adrci
        46228 09-17-2011 09:08 instantclient_11_2/genezi
    52761218 09-17-2011 09:08 instantclient_11_2/libclntsh.so.11.1
      7955322 09-17-2011 09:08 instantclient_11_2/libnnz11.so
      1971762 09-17-2011 09:08 instantclient_11_2/libocci.so.11.1
    118408281 09-17-2011 09:08 instantclient_11_2/libociei.so
       164836 09-17-2011 09:08 instantclient_11_2/libocijdbc11.so
      2095661 09-17-2011 09:08 instantclient_11_2/ojdbc5.jar
      2714016 09-17-2011 09:08 instantclient_11_2/ojdbc6.jar
       191237 09-17-2011 09:08 instantclient_11_2/uidrvci
        66779 09-17-2011 09:08 instantclient_11_2/xstreams.jar
    186401085                     12 files
    I have 2 questions.
    Q1. If I apply only the database server home patch, will my database server still be vulnerable to takeover if the unpatched Oracle Instant Client from oracle.com is left out on my various app servers?
    Q2. Is there any effort planned at Oracle to replace the vulnerable versions of Instant Client posted on oracle.com with updated versions no longer vulnerable?

    I opened a Service Request with My Oracle Support.  Here is the response.
    Q1 answer: Yes.
    Q2 answer: Yes, ETA is next patchset release Q3CY2013.

  • Apache vulnerability CVE-2011-3192

    We have a private iTunes U site on a server running Mac OS 10.5.8 with Apache 2.2.17, which is affected by the DoS vulnerability CVE-2011-3192. I am looking for some feedback from other iTunes U admins who have either applied the suggested rewrite rule or have found another way to remediate the vulnerability. The following rewrite rule is supposed to be added to the httpd.conf file:
    # requires mod_rewrite; refuses (403) any non-empty Range header carrying more than five byte-range-specs
    RewriteEngine on
    RewriteCond %{HTTP:range} !(^bytes=[^,]+(,[^,]+){0,4}$|^$)
    RewriteRule .* - [F]
    I have read that some streaming media servers are set up to use ranges, so I'm not real comfortable with implementing this rule without hearing from some others who may have either done it or have another way to address the vulnerability.
    Thank you all for your time!
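As an added illustration (not from the original thread), the acceptance test that the RewriteCond above applies, rewritten in Python so a defender can see which Range values a media player typically sends would still pass and which the rule would refuse; the sample Range values are constructed for this example.

```python
import re

# The pattern of the advisory's RewriteCond, as a Python regex. The RewriteCond
# negates it with "!", so a request is refused (RewriteRule ... [F] -> 403) when
# the Range value is present and does NOT match, i.e. when it carries more than
# five byte-range-specs. The "^$" branch lets requests with no Range header pass.
ALLOWED_RANGE = re.compile(r"^bytes=[^,]+(,[^,]+){0,4}$|^$")


def range_allowed(value):
    """True when the rewrite rule would let a request with this Range value through."""
    return ALLOWED_RANGE.match(value) is not None


def apply_rule(requests):
    """Apply the rule to (label, range_value) pairs and return {label: HTTP status}.

    403 mirrors the [F] (forbidden) flag; 200 stands for "request proceeds normally".
    """
    return {label: (200 if range_allowed(rng) else 403) for label, rng in requests}


# Constructed sample Range values (hypothetical, not taken from the original post).
SAMPLE_REQUESTS = [
    ("no_range", ""),                          # plain GET without a Range header
    ("resume", "bytes=1048576-"),              # open-ended range, typical of a player seeking
    ("tail", "bytes=-500"),                    # suffix range, e.g. reading an index at file end
    ("two", "bytes=0-99,1000-1999"),           # multi-range with two specs: allowed
    ("five", "bytes=0-0,1-1,2-2,3-3,4-4"),     # exactly five specs: the last allowed count
    ("six", "bytes=0-0,1-1,2-2,3-3,4-4,5-5"),  # six specs: refused by the rule
]

if __name__ == "__main__":
    for label, status in apply_rule(SAMPLE_REQUESTS).items():
        print("%-9s -> %d" % (label, status))
```

Only the six-spec request is refused; the single-range and suffix-range requests that streaming clients normally issue pass unchanged.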

    For the following PSIRT:
    http://www.cisco.com/en/US/products/csa/cisco-sa-20110830-apache.html
    Download the following patch "lms40-win-Oct2011-su1-0.zip" :
    http://www.cisco.com/cisco/software/release.html?mdfid=283434800&flowid=19062&softwareid=280775103&os=Windows&release=4.0&relind=AVAILABLE&rellifecycle=&reltype=latest
    The instructions should be in the zip file how to install the patch.
    This should cover all these bugs, which you can query in the bug toolkit:
    http://tools.cisco.com/Support/BugToolKit/action.do?hdnAction=searchBugs
    CSCte45565
    CSCto12712
    CSCto23584
    CSCto23622
    CSCto35544
    CSCto35577
    CSCtq48990

  • CVE-2013-0632, Hotfix APSB13-03 for Coldfusion 8 ???

    Hello; I have a question regarding the Coldfusion Security Bulletin APSB13-03 for ColdFusion 10, 9.0.2, 9.0.1 and 9.0.
    Is this hotfix also available for ColdFusion 8.01? We use the ColdFusion 8.01 enterprise version.
    Patched on the last available hotfix APSB12-21 -> Security update: Hotfix available for ColdFusion 10 and earlier.
    By regularly scanning our systems, a finding regarding CVE-2013-0632 was found by the scanners, to be resolved with APSB13-03.
    Is APSB13-03 available for ColdFusion 8.01? Core support ended 7/31/2012 (the last hotfix for CF 8 was from 11/2012!)
    But extended support reaches until 7/31/2014.
    frank

    Thanks;
    You wrote exactly my thoughts )
    Best regards,
    Frank Winkelmann

  • Are BlackBerry products affected by Samba vulnerability, CVE-2015-0240?

    Samba versions 3.5.0 to 4.2.0rc4 are now known to have a remote code execution vulnerability, CVE-2015-0240. [1] Are BlackBerry products affected?
    [1] https://www.samba.org/samba/security/CVE-2015-0240

    We have updated the release notes to indicate the following:
    All versions prior to the following releases are shipping with the vulnerable code. This also includes any train which has already reached end of software maintenance (e.g. 3.8.x).
    15.5(1)S/XE3.14.1S
    15.4(3)S2/XE3.13.3S
    15.4(2)S1/XE3.12.3S
    15.4(1)S3/XE3.11.4S
    15.3(3)S4/XE3.10.6S
    15.2(4)S6/XE3.7.7S
    15.1(3)S7/XE3.4.7S
    Regards,
    Vishnu Asok

  • How does a LabVIEW-based program apply to a computer without LabVIEW?

    How does a LabVIEW-based program apply to a computer without LabVIEW?
    student number:1110340001

    Since you list your "student number", you are probably using the student edition.
    You cannot build standalone executables with the student edition.
    You need LabVIEW Professional. If you only have LabVIEW Full, you need to purchase the Application Builder separately.
    LabVIEW Champion. Do more with less code and in less time.

  • Is AsyncOS vulnerable to New Critical GLibc Vulnerability CVE-2015-0235 (aka Ghost)

    Raising for awareness in the community.
    New Critical GLibc Vulnerability CVE-2015-0235 (aka GHOST)
    https://isc.sans.edu/diary/New+Critical+GLibc+Vulnerability+CVE-2015-0235+%28aka+GHOST%29/19237
    Raised a support case; the current update is that Cisco is investigating whether AsyncOS is vulnerable.
    Paul

    Currently it is being reviewed and looked into:
    http://tools.cisco.com/security/center/viewAlert.x?alertId=37181
    Please refer to the following information, as provided from our Product Security Incident Response Team (PSIRT):
    Complete information about reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco is available on Cisco.com at:
    http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html 
    This web page includes instructions for press inquiries regarding Cisco Security Advisories. All Cisco Security Advisories are available at:
    http://www.cisco.com/go/psirt

  • Glibc GHOST vulnerability # CVE-2015-0235.

    Please suggest a patch for the glibc GHOST vulnerability CVE-2015-0235 on an Oracle Linux server. Please find the details below:
    ./ghost
    Linux JBLDCVSNPRE01 2.6.39-400.214.6.el6uek.x86_64 #1 SMP Thu May 8 03:38:30 PDT 2014 x86_64 x86_64 x86_64 GNU/Linux
    Red Hat Enterprise Linux Server release 6.5 (Santiago)
    Installed glibc version(s)
    - glibc-2.12-1.132.el6_5.1.x86_64: vulnerable

    Hi,
    Please refer to these links,
    Linux GHOST vulnerability (CVE-2015-0235) is not as scary as it looks | Symantec Connect
    https://rhn.redhat.com/errata/RHSA-2015-0090.html
    Regards,
    S27

  • OpenSSL vulnerability CVE-2014-0224

    My customer wants to know whether ASE is affected by the following OpenSSL vulnerabilities in http://www.openssl.org/news/secadv_20140605.txt
          SSL/TLS MITM vulnerability (CVE-2014-0224),
          DTLS recursion flaw (CVE-2014-0221)
          DTLS invalid fragment vulnerability (CVE-2014-0195)
          SSL_MODE_RELEASE_BUFFERS NULL pointer dereference (CVE-2014-0198)
          SSL_MODE_RELEASE_BUFFERS session injection or denial of service (CVE-2010-5298)
          Anonymous ECDH denial of service (CVE-2014-3470)
    Can you help me to confirm the above question?

    You have clearly double posted this question in two groups.
    So the first question goes back to you.
    Are you Running SAP Applications on ASE, if so this is not the proper group?

  • If my iPad has a dent in it but it still worked for 7 months after that moment and now it just stopped working, does the one-year warranty still apply?

    If my iPad has a dent in it but it still worked for 7 months after that moment and now it just stopped working, does the one-year warranty still apply?

    No. iPads that have any type of denting or physical damage (old or new) are not covered under the warranty. Apple would have no way of determining when the damage was done or if that damage caused your present issue.
    I believe that once they see physical damage, their reasoning for voiding the warranty would be that visible, physical damage, regardless of when it occurred.

  • Does my June 2013 imac Thunderbolt support Thunderbolt 2?

    Does my June 2013 imac Thunderbolt support Thunderbolt 2?

    No past or currently shipping Mac supports Thunderbolt 2. The only Mac announced that will is the new Mac Pro.
    Regards.

  • Oracle Database Control Component Unspecified Vulnerability (CVE-2007-5530)

    Hi experts,
    Recently we are getting some vulnerabilities reported on one of our servers. But we are unable to download or find the patches which were mentioned in the report.
    Ex:
    Oracle Database Control Component Unspecified Vulnerability (CVE-2007-5530)
    Oracle Database OLAP Component Unspecified Vulnerability (CVE-2008-3997)
    The entire report is showing these patch names; can you please suggest where I have to download these patches? I searched for these in Metalink but didn't find anything.
    *These are coming from one of our SAP applications, so I am requesting suggestions here.
    Regards
    Nick Loy

    Nick,
    Check below links.
    http://secunia.com/advisories/cve_reference/CVE-2008-3997/
    http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujan2009.html
    http://secunia.com/advisories/cve_reference/CVE-2007-5530/
    http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuoct2007.html
    http://www.juniper.net/security/auto/vulnerabilities/vuln26039.html
    Hope this helps you.
    Thanks,
    Sushil

  • Linux Ghost Vulnerability CVE-2015-0235

    Just heard about this, the bug is old (discovered around 2013 I believe) but was just released as a security advisory today or yesterday.
    This link shows you how to determine if your system is vulnerable, and how to patch the bug although it doesn't include how to patch on arch systems. I tested my system and it isn't vulnerable, so for the most part if you keep your system up to date it shouldn't be vulnerable either, but it doesn't hurt to check!
    http://www.cyberciti.biz/faq/cve-2015-0 … hel-linux/

    Trilby wrote: I was about to post in this in our grr thread. Archlinux had the fixed glibc version over a year and a half ago. Those who say the sky is falling really need to stop and actually look outside once in a while (not referring to this thread - but to my university's IT "professional" who sent out the dumbest email about this to the entire university acting like it was the end of the world).
    On Google+, there's a guy (who I won't name) going around promoting his article about this security vulnerability, which incidentally was written in such a way that mother said "so, all Linux devices, including Android phones, are affected, right?". Same guy seems to write articles monthly about how Linux is dying on the Desktop Computer...
    On that note, I wonder whether we need to keep this thread open before it turns into a GRR-fest.

  • Oracle TNS Poison vulnerability - CVE-2012-1675

    Oracle announced a zero day vulnerability today - http://www.oracle.com/technetwork/topics/security/alert-cve-2012-1675-1608180.html
    Looks like a man in the middle attack.
    For CF8 or CF9, can the native oracle driver be configured to use SSL/TLS?

    Rather than attempting to patch something without official patches and potentially breaking your license to use it, I suggest disabling listener dynamic registration and configuring a static local_listener parameter within your XE database.  The TNS poison vulnerability relies on dynamic listener registration, and by disabling it we should no longer have risk from this vulnerability.
