Vulnerability Detection Pipeline

Upcoming and New QIDs

Browse, filter by detection status, or search by CVE to get visibility into upcoming and new detections (QIDs) for all severities.

Detection Status

  • Under investigation: We are researching a detection and will publish one if it is feasible.
  • In development: We are coding a detection and will typically publish it within a few days.
  • Recently published: We have published the detection on the date indicated, and it will typically be available in the KnowledgeBase on shared platforms within a day.

Non-Qualys customers can audit their network for all published vulnerabilities by signing up for a Qualys Free Trial or Qualys Community Edition.

231 results
CVE
Title
Severity
  • CVE-2021-27101+
    Under Investigation

    Accellion File Transfer Appliance Multiple Vulnerabilities (TEST ONLY)

    Severity
    Urgent5
    Qualys ID
    38830
    Vendor Reference
    Accellion
    CVE Reference
    CVE-2021-27101, CVE-2021-27102, CVE-2021-27103, CVE-2021-27104
    CVSS Scores
    Base 9.8 / Temporal 9.4
    Description
    Accellion File Transfer Appliance is a file transfer application that is used to share files.

    Accellion is exposed to the following vulnerabilities: CVE-2021-27101 - SQL injection via a crafted Host header.

    CVE-2021-27102 - OS command execution via a local web service call.

    CVE-2021-27103 - SSRF via a crafted POST request.

    CVE-2021-27104 - OS command execution via a crafted POST request.

    Affected Versions
    Accellion File Transfer Appliance versions prior to 9_12_416

    QID Detection Logic(Unauthenticated):
    This QID extract the version of Accellion from it's web UI.

    Consequence
    On successfully exploited it could lead to remote OS command execution and information steal.
    Solution
    Vendor has release fix to this issue.
    Refer to issue trackerhere to address this vulnerability and obtain further details.
    Patches
    Accellion FTA
  • CVE-2020-11853+
    Under Investigation

    Micro Focus Operations Bridge Manager Arbitrary Code Execution Vulnerability(KM03747658)

    Severity
    Urgent5
    Qualys ID
    375321
    Vendor Reference
    KM03747658
    CVE Reference
    CVE-2020-11853, CVE-2020-11854, CVE-2020-11858
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description
    Operations Bridge Manager (OBM) is the core component of the Operations Bridge Suite. It dynamically and automatically discovers and correlates data, event topology, and metrics.

    Affected Versions:
    Operation Bridge Manager versions 2020.05, 2019.11, 2019.05, 2018.11, 2018.05, 10.63,10.62, 10.61, 10.60, 10.12, 10.11, 10.10 and all earlier versions.

    QID Detection Logic:
    This QID checks the vulnerable version of Operation Bridge Manager.

    Consequence
    The vulnerability could allow Arbitrary code execution.

    Solution
    Customers are advised updated to the latest version of Operation Bridge Manager.

    Patches
    KM03747658
  • CVE-2020-14372+
    Recently Published

    Debian Security Update for grub2 (DSA-4867-1)

    Severity
    Urgent5
    Qualys ID
    178435
    Date Published
    March 5, 2021
    Vendor Reference
    DSA-4867-1
    CVE Reference
    CVE-2020-14372, CVE-2020-25632, CVE-2020-25647, CVE-2020-27749, CVE-2020-27779, CVE-2021-20225, CVE-2021-20233
    CVSS Scores
    Base / Temporal
    Description
    Debian has released security update for grub2 to fix the vulnerabilities.

    Consequence
    Successful exploitation allows an attacker to compromise the system.
    Solution
    Refer to Debian LTS Announce DSA-4867-1 to address this issue and obtain further details.
    Patches
    Debian DSA-4867-1
  • CVE-2015-8011+
    In Development

    Fedora Security Update for dpdk and openvswitch (FEDORA-2021-fba11d37ee)

    Severity
    Critical4
    Qualys ID
    281042
    Vendor Reference
    FEDORA-2021-fba11d37ee Fedora 33
    CVE Reference
    CVE-2015-8011, CVE-2020-27827, CVE-2020-35498
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description
    Fedora has released a security update for dpdk and openvswitch to fix the vulnerability.

    Affected OS:
    Fedora 33

    Note : "The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues."

    Consequence
    Successful exploitation allows an attacker to compromise the system.
    Solution
    Fedora has issued updated packages to fix this vulnerability.

    For more information about the vulnerability and obtaining patches, refer to the following Fedora security advisories:
    Fedora 33 Update

    Patches
    Fedora 33 FEDORA-2021-fba11d37ee
  • CVE-2021-26937
    In Development

    Fedora Security Update for screen (FEDORA-2021-9107eeb95c)

    Severity
    Critical4
    Qualys ID
    281039
    Vendor Reference
    FEDORA-2021-9107eeb95c Fedora 33
    CVE Reference
    CVE-2021-26937
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description
    Fedora has released a security update for screen to fix the vulnerability.

    Affected OS:
    Fedora 33

    Note : "The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues."

    Consequence
    This vulnerability could be exploited to gain partial access to sensitive information. Malicious users could also use this vulnerability to change partial contents or configuration on the system. Additionally this vulnerability can also be used to cause a limited denial of service in the form of interruptions in resource availability.
    Solution
    Fedora has issued updated packages to fix this vulnerability.

    For more information about the vulnerability and obtaining patches, refer to the following Fedora security advisories:
    Fedora 33 Update

    Patches
    Fedora 33 FEDORA-2021-9107eeb95c
  • CVE-2021-26937
    In Development

    Fedora Security Update for screen (FEDORA-2021-5e9894a0c5)

    Severity
    Critical4
    Qualys ID
    281038
    Vendor Reference
    FEDORA-2021-5e9894a0c5 Fedora 32
    CVE Reference
    CVE-2021-26937
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description
    Fedora has released a security update for screen to fix the vulnerability.

    Affected OS:
    Fedora 32

    Note : "The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues."

    Consequence
    This vulnerability could be exploited to gain partial access to sensitive information. Malicious users could also use this vulnerability to change partial contents or configuration on the system. Additionally this vulnerability can also be used to cause a limited denial of service in the form of interruptions in resource availability.
    Solution
    Fedora has issued updated packages to fix this vulnerability.

    For more information about the vulnerability and obtaining patches, refer to the following Fedora security advisories:
    Fedora 32 Update

    Patches
    Fedora 32 FEDORA-2021-5e9894a0c5
  • In Development

    EOL/Obsolete Software: SugarCRM 8.0.x detected

    Severity
    Urgent5
    Qualys ID
    650044
    Vendor Reference
    SugarCRM Release Cycle End of Support Information
    CVSS Scores
    Base 9.8 / Temporal 9
    Description
    SugarCRM regularly retires older versions of the Sugar application in order to be able to focus on delivering higher quality in the latest and upcoming product releases.

    Includes the following SugarCRM products: Sugar Ultimate, Enterprise, and Professional.

    QID detection logic:
    QId detects the EOL versions of SugarCRM 8.0.x

    Consequence
    The system is at high risk of being exposed to security vulnerabilities because the vendor no longer provides updates.

    Solution

    Update to the latest version of SugarCRM

  • CVE-2020-27619
    In Development

    Python 3 Denial of Service (DoS) Vulnerability

    Severity
    Critical4
    Qualys ID
    375320
    Vendor Reference
    CVE-2020-27619
    CVE Reference
    CVE-2020-27619
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description
    Python is an interpreted, high-level and general-purpose programming language.

    Python versions 3.0.0 through 3.9.0 are susceptible to a vulnerability which when successfully exploited could lead to disclosure of sensitive information, addition or modification of data, or Denial of Service (DoS).

    Affected Versions
    Python versions 3.0.0 through 3.9.0

    QID Detection Logic(Authenticated):
    This checks for version information from patchlevel.h file.

    Consequence
    On successfully exploited it could lead to disclosure of sensitive information, addition or modification of data, or Denial of Service (DoS).
    Solution
    Vendor has release fix to this issue.
    Refer to issue trackerhere to address this vulnerability and obtain further details.
    Patches
    WIndows CVE-2020-27619
  • CVE-2020-35517
    In Development

    Red Hat Update for virt:rhel and virt-devel:rhel (RHSA-2021:0711)

    Severity
    Critical4
    Qualys ID
    239107
    Vendor Reference
    RHSA-2021:0711
    CVE Reference
    CVE-2020-35517
    CVSS Scores
    Base 8.2 / Temporal 7.1
    Description
    Kernel-based Virtual Machine (KVM)
    offers a full virtualization solution for Linux on numerous hardware platforms. The virt:rhel module contains packages which provide user-space components used to run virtual machines using KVM. The packages also provide APIs for managing and interacting with the virtualized systems.

    Security Fix(es): QEMU: virtiofsd: potential privileged host device access from guest (CVE-2020-35517)

    Affected Products:

    Red Hat Enterprise Linux for x86_64 8 x86_64
    Red Hat Enterprise Linux for IBM z Systems 8 s390x
    Red Hat Enterprise Linux for Power, little endian 8 ppc64le
    Red Hat Enterprise Linux for ARM 64 8 aarch64
    Red Hat CodeReady Linux Builder for x86_64 8 x86_64
    Red Hat CodeReady Linux Builder for Power, little endian 8 ppc64le
    Red Hat CodeReady Linux Builder for ARM 64 8 aarch64
    Red Hat CodeReady Linux Builder for IBM z Systems 8 s390x

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    On successful exploitation, it could allow an attacker to execute code.
    Solution
    Upgrade to the latest packages which contain a patch. Refer to Applying Package Updates to RHEL system for details.

    Refer to Red Hat security advisory RHSA-2021:0711 to address this issue and obtain more information.

    Patches
    Red Hat Enterprise Linux RHSA-2021:0711
  • CVE-2020-8625
    Recently Published

    Red Hat Update for bind (RHSA-2021:0669)

    Severity
    Critical4
    Qualys ID
    239124
    Date Published
    March 5, 2021
    Vendor Reference
    RHSA-2021:0669
    CVE Reference
    CVE-2020-8625
    CVSS Scores
    Base 8.1 / Temporal 7.1
    Description
    The Berkeley Internet Name Domain (BIND)
    is an implementation of the Domain Name System (DNS)
    protocols. BIND includes a DNS server (named); a resolver library (routines for applications to use when interfacing with DNS); and tools for verifying that the DNS server is operating correctly.

    Security Fix(es): bind: Buffer overflow in the SPNEGO implementation affecting GSSAPI security policy negotiation (CVE-2020-8625)

    Affected Products:

    Red Hat Enterprise Linux for x86_64 - Extended Update Support 8.1 x86_64
    Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 8.1 s390x
    Red Hat Enterprise Linux for Power, little endian - Extended Update Support 8.1 ppc64le
    Red Hat Enterprise Linux for ARM 64 - Extended Update Support 8.1 aarch64
    Red Hat Enterprise Linux Server (for IBM Power LE) - Update Services for SAP Solutions 8.1 ppc64le
    Red Hat Enterprise Linux Server - Update Services for SAP Solutions 8.1 x86_64

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    On successful exploitation, it could allow an attacker to execute code.
    Solution
    Upgrade to the latest packages which contain a patch. Refer to Applying Package Updates to RHEL system for details.

    Refer to Red Hat security advisory RHSA-2021:0669 to address this issue and obtain more information.

    Patches
    Red Hat Enterprise Linux RHSA-2021:0669
  • CVE-2020-8625
    Recently Published

    Red Hat Update for bind (RHSA-2021:0670)

    Severity
    Critical4
    Qualys ID
    239123
    Date Published
    March 5, 2021
    Vendor Reference
    RHSA-2021:0670
    CVE Reference
    CVE-2020-8625
    CVSS Scores
    Base 8.1 / Temporal 7.1
    Description
    The Berkeley Internet Name Domain (BIND)
    is an implementation of the Domain Name System (DNS)
    protocols. BIND includes a DNS server (named); a resolver library (routines for applications to use when interfacing with DNS); and tools for verifying that the DNS server is operating correctly.

    Security Fix(es): bind: Buffer overflow in the SPNEGO implementation affecting GSSAPI security policy negotiation (CVE-2020-8625)

    Affected Products:

    Red Hat Enterprise Linux for x86_64 8 x86_64
    Red Hat Enterprise Linux for IBM z Systems 8 s390x
    Red Hat Enterprise Linux for Power, little endian 8 ppc64le
    Red Hat Enterprise Linux for ARM 64 8 aarch64

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    On successful exploitation, it could allow an attacker to execute code.
    Solution
    Upgrade to the latest packages which contain a patch. Refer to Applying Package Updates to RHEL system for details.

    Refer to Red Hat security advisory RHSA-2021:0670 to address this issue and obtain more information.

    Patches
    Red Hat Enterprise Linux RHSA-2021:0670
  • CVE-2020-8625
    Recently Published

    Red Hat Update for bind (RHSA-2021:0671)

    Severity
    Critical4
    Qualys ID
    239122
    Date Published
    March 5, 2021
    Vendor Reference
    RHSA-2021:0671
    CVE Reference
    CVE-2020-8625
    CVSS Scores
    Base 8.1 / Temporal 7.1
    Description
    The Berkeley Internet Name Domain (BIND)
    is an implementation of the Domain Name System (DNS)
    protocols. BIND includes a DNS server (named); a resolver library (routines for applications to use when interfacing with DNS); and tools for verifying that the DNS server is operating correctly.

    Security Fix(es): bind: Buffer overflow in the SPNEGO implementation affecting GSSAPI security policy negotiation (CVE-2020-8625)

    Affected Products:

    Red Hat Enterprise Linux Server 7 x86_64
    Red Hat Enterprise Linux Workstation 7 x86_64
    Red Hat Enterprise Linux Desktop 7 x86_64
    Red Hat Enterprise Linux for IBM z Systems 7 s390x
    Red Hat Enterprise Linux for Power, big endian 7 ppc64
    Red Hat Enterprise Linux for Scientific Computing 7 x86_64
    Red Hat Enterprise Linux for Power, little endian 7 ppc64le

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    On successful exploitation, it could allow an attacker to execute code.
    Solution
    Upgrade to the latest packages which contain a patch. Refer to Applying Package Updates to RHEL system for details.

    Refer to Red Hat security advisory RHSA-2021:0671 to address this issue and obtain more information.

    Patches
    Red Hat Enterprise Linux RHSA-2021:0671
  • CVE-2020-8625
    In Development

    Red Hat Update for bind (RHSA-2021:0672)

    Severity
    Critical4
    Qualys ID
    239121
    Vendor Reference
    RHSA-2021:0672
    CVE Reference
    CVE-2020-8625
    CVSS Scores
    Base 8.1 / Temporal 7.1
    Description
    The Berkeley Internet Name Domain (BIND)
    is an implementation of the Domain Name System (DNS)
    protocols. BIND includes a DNS server (named); a resolver library (routines for applications to use when interfacing with DNS); and tools for verifying that the DNS server is operating correctly.

    Security Fix(es): bind: Buffer overflow in the SPNEGO implementation affecting GSSAPI security policy negotiation (CVE-2020-8625)

    Affected Products:

    Red Hat Enterprise Linux Server - Extended Life Cycle Support 6 x86_64
    Red Hat Enterprise Linux Server - Extended Life Cycle Support 6 i386
    Red Hat Enterprise Linux Server - Extended Life Cycle Support (for IBM z Systems) 6 s390x

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    On successful exploitation, it could allow an attacker to execute code.
    Solution
    Upgrade to the latest packages which contain a patch. Refer to Applying Package Updates to RHEL system for details.

    Refer to Red Hat security advisory RHSA-2021:0672 to address this issue and obtain more information.

    Patches
    Red Hat Enterprise Linux RHSA-2021:0672
  • CVE-2020-8625
    Recently Published

    Red Hat Update for bind (RHSA-2021:0691)

    Severity
    Critical4
    Qualys ID
    239117
    Date Published
    March 5, 2021
    Vendor Reference
    RHSA-2021:0691
    CVE Reference
    CVE-2020-8625
    CVSS Scores
    Base 8.1 / Temporal 7.1
    Description
    The Berkeley Internet Name Domain (BIND)
    is an implementation of the Domain Name System (DNS)
    protocols. BIND includes a DNS server (named); a resolver library (routines for applications to use when interfacing with DNS); and tools for verifying that the DNS server is operating correctly.

    Security Fix(es): bind: Buffer overflow in the SPNEGO implementation affecting GSSAPI security policy negotiation (CVE-2020-8625)

    Affected Products:

    Red Hat Enterprise Linux for x86_64 - Extended Update Support 7.6 x86_64
    Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 7.6 s390x
    Red Hat Enterprise Linux for Power, big endian - Extended Update Support 7.6 ppc64
    Red Hat Enterprise Linux EUS Compute Node 7.6 x86_64
    Red Hat Enterprise Linux Server - AUS 7.6 x86_64
    Red Hat Enterprise Linux for Power, little endian - Extended Update Support 7.6 ppc64le
    Red Hat Enterprise Linux Server - TUS 7.6 x86_64
    Red Hat Enterprise Linux for Power 9 7 ppc64le
    Red Hat Enterprise Linux Server (for IBM Power LE) - Update Services for SAP Solutions 7.6 ppc64le
    Red Hat Enterprise Linux Server - Update Services for SAP Solutions 7.6 x86_64
    Red Hat Enterprise Linux for IBM System z (Structure A) 7 s390x

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    On successful exploitation, it could allow an attacker to execute code.
    Solution
    Upgrade to the latest packages which contain a patch. Refer to Applying Package Updates to RHEL system for details.

    Refer to Red Hat security advisory RHSA-2021:0691 to address this issue and obtain more information.

    Patches
    Red Hat Enterprise Linux RHSA-2021:0691
  • CVE-2020-1945+
    Recently Published

    Red Hat Update for OpenShift Container Platform 4.5.33 packages and (RHSA-2021:0429)

    Severity
    Critical4
    Qualys ID
    239126
    Date Published
    March 5, 2021
    Vendor Reference
    RHSA-2021:0429
    CVE Reference
    CVE-2020-1945, CVE-2020-11979, CVE-2021-21602, CVE-2021-21603, CVE-2021-21604, CVE-2021-21605, CVE-2021-21606, CVE-2021-21607, CVE-2021-21608, CVE-2021-21609, CVE-2021-21610, CVE-2021-21611, CVE-2021-21615
    CVSS Scores
    Base 8 / Temporal 7
    Description
    Red Hat OpenShift Container Platform is Red Hat's cloud computingKubernetes application platform solution designed for on-premise or privatecloud deployments.This advisory contains the RPM packages for Red Hat OpenShift ContainerPlatform 4.5.33. See the following advisory for the container images forthis release:https://access.redhat.com/errata/RHSA-2021:0428

    Security Fix(es): jenkins: XSS vulnerability in notification bar (CVE-2021-21603) jenkins: Improper handling of REST API XML deserialization errors (CVE-2021-21604) jenkins: Path traversal vulnerability in agent names (CVE-2021-21605) jenkins: Stored XSS vulnerability in button labels (CVE-2021-21608) jenkins: Reflected XSS vulnerability in markup formatter preview (CVE-2021-21610) jenkins: Stored XSS vulnerability on new item page (CVE-2021-21611) ant: insecure temporary file vulnerability (CVE-2020-1945) ant: insecure temporary file (CVE-2020-11979) jenkins: Arbitrary file read vulnerability in workspace browsers (CVE-2021-21602) jenkins: Arbitrary file existence check in file fingerprints (CVE-2021-21606) jenkins: Excessive memory allocation in graph URLs leads to denial of service (CVE-2021-21607) jenkins: Filesystem traversal by privileged users (CVE-2021-21615) jenkins: Missing permission check for paths with specific prefix (CVE-2021-21609)

    Affected Products:

    Red Hat OpenShift Container Platform 4.5 for RHEL 8 x86_64
    Red Hat OpenShift Container Platform 4.5 for RHEL 7 x86_64
    Red Hat OpenShift Container Platform for Power 4.5 for RHEL 8 ppc64le
    Red Hat OpenShift Container Platform for Power 4.5 for RHEL 7 ppc64le
    Red Hat OpenShift Container Platform for IBM Z and LinuxONE 4.5 for RHEL 8 s390x
    Red Hat OpenShift Container Platform for IBM Z and LinuxONE 4.5 for RHEL 7 s390x

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    On successful exploitation, it could allow an attacker to execute code.
    Solution
    Upgrade to the latest packages which contain a patch. Refer to Applying Package Updates to RHEL system for details.

    Refer to Red Hat security advisory RHSA-2021:0429 to address this issue and obtain more information.

    Patches
    Red Hat Enterprise Linux RHSA-2021:0429
  • CVE-2020-0444+
    Recently Published

    Red Hat Update for kernel (RHSA-2021:0686)

    Severity
    Critical4
    Qualys ID
    239119
    Date Published
    March 5, 2021
    Vendor Reference
    RHSA-2021:0686
    CVE Reference
    CVE-2020-0444, CVE-2020-14351, CVE-2020-25705, CVE-2020-29661
    CVSS Scores
    Base 7.8 / Temporal 6.8
    Description
    The kernel packages contain the Linux kernel, the core of any Linux operating system.

    Security Fix(es): kernel: bad kfree in auditfilter.c may lead to escalation of privilege (CVE-2020-0444) kernel: locking issue in drivers/tty/tty_jobctrl.c can lead to an use-after-free (CVE-2020-29661) kernel: performance counters race condition use-after-free (CVE-2020-14351) kernel: ICMP rate limiting can be used for DNS poisoning attack (CVE-2020-25705)

    Affected Products:

    Red Hat Enterprise Linux for x86_64 - Extended Update Support 8.1 x86_64
    Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 8.1 s390x
    Red Hat Enterprise Linux for Power, little endian - Extended Update Support 8.1 ppc64le
    Red Hat Enterprise Linux for ARM 64 - Extended Update Support 8.1 aarch64
    Red Hat Enterprise Linux Server (for IBM Power LE) - Update Services for SAP Solutions 8.1 ppc64le
    Red Hat Enterprise Linux Server - Update Services for SAP Solutions 8.1 x86_64
    Red Hat CodeReady Linux Builder for x86_64 - Extended Update Support 8.1 x86_64
    Red Hat CodeReady Linux Builder for Power, little endian - Extended Update Support 8.1 ppc64le
    Red Hat CodeReady Linux Builder for ARM 64 - Extended Update Support 8.1 aarch64

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    On successful exploitation, it could allow an attacker to execute code.
    Solution
    Upgrade to the latest packages which contain a patch. Refer to Applying Package Updates to RHEL system for details.

    Refer to Red Hat security advisory RHSA-2021:0686 to address this issue and obtain more information.

    Patches
    Red Hat Enterprise Linux RHSA-2021:0686
  • CVE-2020-0444+
    Recently Published

    Red Hat Update for kpatch-patch (RHSA-2021:0689)

    Severity
    Critical4
    Qualys ID
    239118
    Date Published
    March 5, 2021
    Vendor Reference
    RHSA-2021:0689
    CVE Reference
    CVE-2020-0444, CVE-2020-29661
    CVSS Scores
    Base 7.8 / Temporal 6.8
    Description
    This is a kernel live patch module which is automatically loaded by the RPM post-install script to modify the code of a running kernel.

    Security Fix(es): kernel: bad kfree in auditfilter.c may lead to escalation of privilege (CVE-2020-0444) kernel: locking issue in drivers/tty/tty_jobctrl.c can lead to an use-after-free (CVE-2020-29661)

    Affected Products:

    Red Hat Enterprise Linux for x86_64 - Extended Update Support 8.1 x86_64
    Red Hat Enterprise Linux for Power, little endian - Extended Update Support 8.1 ppc64le
    Red Hat Enterprise Linux Server (for IBM Power LE) - Update Services for SAP Solutions 8.1 ppc64le
    Red Hat Enterprise Linux Server - Update Services for SAP Solutions 8.1 x86_64

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    On successful exploitation, it could allow an attacker to execute code.
    Solution
    Upgrade to the latest packages which contain a patch. Refer to Applying Package Updates to RHEL system for details.

    Refer to Red Hat security advisory RHSA-2021:0689 to address this issue and obtain more information.

    Patches
    Red Hat Enterprise Linux RHSA-2021:0689
  • CVE-2020-1945+
    Recently Published

    Red Hat Update for OpenShift Container Platform 3.11.394 bug fix and (RHSA-2021:0637)

    Severity
    Critical4
    Qualys ID
    239125
    Date Published
    March 5, 2021
    Vendor Reference
    RHSA-2021:0637
    CVE Reference
    CVE-2020-1945, CVE-2020-2304, CVE-2020-2305, CVE-2020-2306, CVE-2020-2307, CVE-2020-2308, CVE-2020-2309, CVE-2020-11979, CVE-2020-25658
    CVSS Scores
    Base 7.5 / Temporal 6.5
    Description
    Red Hat OpenShift Container Platform is Red Hat's cloud computingKubernetes application platform solution designed for on-premise or privatecloud deployments.

    Security Fix(es): jenkins-2-plugins/subversion: XML parser is not preventing XML external entity (XXE)
    attacks (CVE-2020-2304) jenkins-2-plugins/mercurial: XML parser is not preventing XML external entity (XXE)
    attacks (CVE-2020-2305) ant: Insecure temporary file vulnerability (CVE-2020-1945) jenkins-2-plugins/mercurial: Missing permission check in an HTTP endpoint could result in information disclosure (CVE-2020-2306) jenkins-2-plugins/kubernetes: Jenkins controller environment variables are accessible in Kubernetes plug-in (CVE-2020-2307) jenkins-2-plugins/kubernetes: Missing permission check in Kubernetes Plugin allows listing pod templates (CVE-2020-2308) jenkins-2-plugins/kubernetes: Missing permission check in Kubernetes plug-in allows enumerating credentials IDs (CVE-2020-2309) ant: Insecure temporary file (CVE-2020-11979) python-rsa: Bleichenbacher timing oracle attack against RSA decryption (CVE-2020-25658)

    Affected Products:

    Red Hat OpenShift Container Platform 3.11 x86_64
    Red Hat OpenShift Container Platform for Power 3.11 ppc64le

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    On successful exploitation, it could allow an attacker to execute code.
    Solution
    Upgrade to the latest packages which contain a patch. Refer to Applying Package Updates to RHEL system for details.

    Refer to Red Hat security advisory RHSA-2021:0637 to address this issue and obtain more information.

    Patches
    Red Hat Enterprise Linux RHSA-2021:0637
  • CVE-2021-20188
    Recently Published

    Red Hat Update for podman (RHSA-2021:0681)

    Severity
    Critical4
    Qualys ID
    239120
    Date Published
    March 5, 2021
    Vendor Reference
    RHSA-2021:0681
    CVE Reference
    CVE-2021-20188
    CVSS Scores
    Base 7 / Temporal 6.1
    Description
    The podman tool manages pods, container images, and containers. It is part of the libpod library, which is for applications that use container pods. Container pods is a concept in Kubernetes.

    Security Fix(es): podman: container users permissions are not respected in privileged containers (CVE-2021-20188)

    Affected Products:

    Red Hat Enterprise Linux Server 7 x86_64
    Red Hat Enterprise Linux Workstation 7 x86_64
    Red Hat Enterprise Linux for IBM z Systems 7 s390x
    Red Hat Enterprise Linux for Power, little endian 7 ppc64le

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    On successful exploitation, it could allow an attacker to execute code.
    Solution
    Upgrade to the latest packages which contain a patch. Refer to Applying Package Updates to RHEL system for details.

    Refer to Red Hat security advisory RHSA-2021:0681 to address this issue and obtain more information.

    Patches
    Red Hat Enterprise Linux RHSA-2021:0681
  • CVE-2021-20188
    Recently Published

    Red Hat Update for container-tools:1.0 (RHSA-2021:0705)

    Severity
    Critical4
    Qualys ID
    239110
    Date Published
    March 5, 2021
    Vendor Reference
    RHSA-2021:0705
    CVE Reference
    CVE-2021-20188
    CVSS Scores
    Base 7 / Temporal 6.1
    Description
    The container-tools module contains tools for working with containers, notably podman, buildah, skopeo, and runc.

    Security Fix(es): podman: container users permissions are not respected in privileged containers (CVE-2021-20188)

    Affected Products:

    Red Hat Enterprise Linux for x86_64 8 x86_64
    Red Hat Enterprise Linux for IBM z Systems 8 s390x
    Red Hat Enterprise Linux for Power, little endian 8 ppc64le
    Red Hat Enterprise Linux for ARM 64 8 aarch64

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    On successful exploitation, it could allow an attacker to execute code.
    Solution
    Upgrade to the latest packages which contain a patch. Refer to Applying Package Updates to RHEL system for details.

    Refer to Red Hat security advisory RHSA-2021:0705 to address this issue and obtain more information.

    Patches
    Red Hat Enterprise Linux RHSA-2021:0705
  • CVE-2021-20188
    Recently Published

    Red Hat Update for container-tools:2.0 (RHSA-2021:0706)

    Severity
    Critical4
    Qualys ID
    239109
    Date Published
    March 5, 2021
    Vendor Reference
    RHSA-2021:0706
    CVE Reference
    CVE-2021-20188
    CVSS Scores
    Base 7 / Temporal 6.1
    Description
    The container-tools module contains tools for working with containers, notably podman, buildah, skopeo, and runc.

    Security Fix(es): podman: container users permissions are not respected in privileged containers (CVE-2021-20188)

    Affected Products:

    Red Hat Enterprise Linux for x86_64 8 x86_64
    Red Hat Enterprise Linux for IBM z Systems 8 s390x
    Red Hat Enterprise Linux for Power, little endian 8 ppc64le
    Red Hat Enterprise Linux for ARM 64 8 aarch64

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    On successful exploitation, it could allow an attacker to execute code.
    Solution
    Upgrade to the latest packages which contain a patch. Refer to Applying Package Updates to RHEL system for details.

    Refer to Red Hat security advisory RHSA-2021:0706 to address this issue and obtain more information.

    Patches
    Red Hat Enterprise Linux RHSA-2021:0706
  • CVE-2021-20188
    Recently Published

    Red Hat Update for container-tools:2.0 (RHSA-2021:0710)

    Severity
    Critical4
    Qualys ID
    239108
    Date Published
    March 5, 2021
    Vendor Reference
    RHSA-2021:0710
    CVE Reference
    CVE-2021-20188
    CVSS Scores
    Base 7 / Temporal 6.1
    Description
    The container-tools module contains tools for working with containers, notably podman, buildah, skopeo, and runc.

    Security Fix(es): podman: container users permissions are not respected in privileged containers (CVE-2021-20188)

    Affected Products:

    Red Hat Enterprise Linux for x86_64 - Extended Update Support 8.2 x86_64
    Red Hat Enterprise Linux Server - AUS 8.2 x86_64
    Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 8.2 s390x
    Red Hat Enterprise Linux for Power, little endian - Extended Update Support 8.2 ppc64le
    Red Hat Enterprise Linux Server - TUS 8.2 x86_64
    Red Hat Enterprise Linux for ARM 64 - Extended Update Support 8.2 aarch64
    Red Hat Enterprise Linux Server (for IBM Power LE) - Update Services for SAP Solutions 8.2 ppc64le
    Red Hat Enterprise Linux Server - Update Services for SAP Solutions 8.2 x86_64

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    On successful exploitation, it could allow an attacker to execute code.
    Solution
    Upgrade to the latest packages which contain a patch. Refer to Applying Package Updates to RHEL system for details.

    Refer to Red Hat security advisory RHSA-2021:0710 to address this issue and obtain more information.

    Patches
    Red Hat Enterprise Linux RHSA-2021:0710
  • CVE-2020-14372+
    Recently Published

    SUSE Enterprise Linux Security Update for grub2 (SUSE-SU-2021:0684-1)

    Severity
    Critical4
    Qualys ID
    174697
    Date Published
    March 4, 2021
    Vendor Reference
    SUSE-SU-2021:0684-1
    CVE Reference
    CVE-2020-14372, CVE-2020-25632, CVE-2020-25647, CVE-2020-27749, CVE-2020-27779, CVE-2021-20225, CVE-2021-20233
    CVSS Scores
    Base / Temporal
    Description
    SUSE has released a security update for grub2 to fix the vulnerabilities.

    Affected Products:
    SUSE Linux Enterprise Server for SAP 15-SP1

    Consequence
    An arbitrary attacker may exploit this vulnerability to compromise the system.
    Solution
    Upgrade to the latest packages which contain a patch. To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product.

    To install packages using the command line interface, use the command "yum update".

    Refer to Suse security advisory SUSE-SU-2021:0684-1 to address this issue and obtain further details.

    Patches
    SUSE Enterprise Linux SUSE-SU-2021:0684-1
  • CVE-2020-14372+
    Recently Published

    SUSE Enterprise Linux Security Update for grub2 (SUSE-SU-2021:0679-1)

    Severity
    Critical4
    Qualys ID
    174696
    Date Published
    March 4, 2021
    Vendor Reference
    SUSE-SU-2021:0679-1
    CVE Reference
    CVE-2020-14372, CVE-2020-25632, CVE-2020-25647, CVE-2020-27749, CVE-2020-27779, CVE-2021-20225, CVE-2021-20233
    CVSS Scores
    Base / Temporal
    Description
    SUSE has released a security update for grub2 to fix the vulnerabilities.

    Affected Products:
    SUSE Linux Enterprise Server for SAP 12-SP2

    Consequence
    An arbitrary attacker may exploit this vulnerability to compromise the system.
    Solution
    Upgrade to the latest packages which contain a patch. To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product.

    To install packages using the command line interface, use the command "yum update".

    Refer to Suse security advisory SUSE-SU-2021:0679-1 to address this issue and obtain further details.

    Patches
    SUSE Enterprise Linux SUSE-SU-2021:0679-1
  • CVE-2020-14372+
    Recently Published

    SUSE Enterprise Linux Security Update for grub2 (SUSE-SU-2021:0682-1)

    Severity
    Critical4
    Qualys ID
    174695
    Date Published
    March 4, 2021
    Vendor Reference
    SUSE-SU-2021:0682-1
    CVE Reference
    CVE-2020-14372, CVE-2020-25632, CVE-2020-25647, CVE-2020-27749, CVE-2020-27779, CVE-2021-20225, CVE-2021-20233
    CVSS Scores
    Base / Temporal
    Description
    SUSE has released a security update for grub2 to fix the vulnerabilities.

    Affected Products:
    SUSE Linux Enterprise Server for SAP 12-SP3

    Consequence
    An arbitrary attacker may exploit this vulnerability to compromise the system.
    Solution
    Upgrade to the latest packages which contain a patch. To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product.

    To install packages using the command line interface, use the command "yum update".

    Refer to Suse security advisory SUSE-SU-2021:0682-1 to address this issue and obtain further details.

    Patches
    SUSE Enterprise Linux SUSE-SU-2021:0682-1
  • CVE-2020-14372+
    Recently Published

    SUSE Enterprise Linux Security Update for grub2 (SUSE-SU-2021:0683-1)

    Severity
    Critical4
    Qualys ID
    174694
    Date Published
    March 4, 2021
    Vendor Reference
    SUSE-SU-2021:0683-1
    CVE Reference
    CVE-2020-14372, CVE-2020-25632, CVE-2020-25647, CVE-2020-27749, CVE-2020-27779, CVE-2021-20225, CVE-2021-20233
    CVSS Scores
    Base / Temporal
    Description
    SUSE has released a security update for grub2 to fix the vulnerabilities.

    Affected Products:
    SUSE Linux Enterprise Module for Server Applications 15-SP2
    SUSE Linux Enterprise Module for Basesystem 15-SP2

    Consequence
    An arbitrary attacker may exploit this vulnerability to compromise the system.
    Solution
    Upgrade to the latest packages which contain a patch. To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product.

    To install packages using the command line interface, use the command "yum update".

    Refer to Suse security advisory SUSE-SU-2021:0683-1 to address this issue and obtain further details.

    Patches
    SUSE Enterprise Linux SUSE-SU-2021:0683-1
  • CVE-2020-14372+
    Recently Published

    SUSE Enterprise Linux Security Update for grub2 (SUSE-SU-2021:0681-1)

    Severity
    Critical4
    Qualys ID
    174693
    Date Published
    March 4, 2021
    Vendor Reference
    SUSE-SU-2021:0681-1
    CVE Reference
    CVE-2020-14372, CVE-2020-25632, CVE-2020-25647, CVE-2020-27749, CVE-2020-27779, CVE-2021-20225, CVE-2021-20233
    CVSS Scores
    Base / Temporal
    Description
    SUSE has released a security update for grub2 to fix the vulnerabilities.

    Affected Products:
    SUSE Linux Enterprise Server for SAP 12-SP4
    SUSE Linux Enterprise Server 12-SP5

    Consequence
    An arbitrary attacker may exploit this vulnerability to compromise the system.
    Solution
    Upgrade to the latest packages which contain a patch. To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product.

    To install packages using the command line interface, use the command "yum update".

    Refer to Suse security advisory SUSE-SU-2021:0681-1 to address this issue and obtain further details.

    Patches
    SUSE Enterprise Linux SUSE-SU-2021:0681-1
  • CVE-2020-14372+
    Recently Published

    SUSE Enterprise Linux Security Update for grub2 (SUSE-SU-2021:0685-1)

    Severity
    Critical4
    Qualys ID
    174689
    Date Published
    March 4, 2021
    Vendor Reference
    SUSE-SU-2021:0685-1
    CVE Reference
    CVE-2020-14372, CVE-2020-25632, CVE-2020-25647, CVE-2020-27749, CVE-2020-27779, CVE-2021-20225, CVE-2021-20233
    CVSS Scores
    Base / Temporal
    Description
    SUSE has released a security update for grub2 to fix the vulnerabilities.

    Affected Products:
    SUSE Linux Enterprise Server for SAP 15

    Consequence
    An arbitrary attacker may exploit this vulnerability to compromise the system.
    Solution
    Upgrade to the latest packages which contain a patch. To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product.

    To install packages using the command line interface, use the command "yum update".

    Refer to Suse security advisory SUSE-SU-2021:0685-1 to address this issue and obtain further details.

    Patches
    SUSE Enterprise Linux SUSE-SU-2021:0685-1
  • CVE-2020-13987+
    Recently Published

    SUSE Enterprise Linux Security Update for open-iscsi (SUSE-SU-2021:0663-1)

    Severity
    Critical4
    Qualys ID
    174683
    Date Published
    March 4, 2021
    Vendor Reference
    SUSE-SU-2021:0663-1
    CVE Reference
    CVE-2020-13987, CVE-2020-13988, CVE-2020-17437, CVE-2020-17438, CVE-2019-17437
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description
    SUSE has released a security update for open-iscsi to fix the vulnerabilities.

    Affected Products:
    SUSE Linux Enterprise Server for SAP 12-SP4
    SUSE Linux Enterprise Server 12-SP5

    Consequence
    An arbitrary attacker may exploit this vulnerability to compromise the system.
    Solution
    Upgrade to the latest packages which contain a patch. To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product.

    To install packages using the command line interface, use the command "yum update".

    Refer to Suse security advisory SUSE-SU-2021:0663-1 to address this issue and obtain further details.

    Patches
    SUSE Enterprise Linux SUSE-SU-2021:0663-1
  • CVE-2020-36242
    Recently Published

    SUSE Enterprise Linux Security Update for python-cryptography (SUSE-SU-2021:0675-1)

    Severity
    Critical4
    Qualys ID
    174685
    Date Published
    March 4, 2021
    Vendor Reference
    SUSE-SU-2021:0675-1
    CVE Reference
    CVE-2020-36242
    CVSS Scores
    Base 9.1 / Temporal 7.9
    Description
    SUSE has released a security update for python-cryptography to fix the vulnerabilities.

    Affected Products:
    SUSE Linux Enterprise Server for SAP 12-SP4
    SUSE Linux Enterprise Server for SAP 12-SP3
    SUSE Linux Enterprise Server for SAP 12-SP2
    SUSE Linux Enterprise Server 12-SP5

    Consequence
    An arbitrary attacker may exploit this vulnerability to compromise the system.
    Solution
    Upgrade to the latest packages which contain a patch. To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product.

    To install packages using the command line interface, use the command "yum update".

    Refer to Suse security advisory SUSE-SU-2021:0675-1 to address this issue and obtain further details.

    Patches
    SUSE Enterprise Linux SUSE-SU-2021:0675-1
  • CVE-2021-23968+
    Recently Published

    SUSE Enterprise Linux Security Update for MozillaFirefox (SUSE-SU-2021:0676-1)

    Severity
    Critical4
    Qualys ID
    174686
    Date Published
    March 4, 2021
    Vendor Reference
    SUSE-SU-2021:0676-1
    CVE Reference
    CVE-2021-23968, CVE-2021-23969, CVE-2021-23973, CVE-2021-23978
    CVSS Scores
    Base 8.8 / Temporal 7.7
    Description
    SUSE has released a security update for mozillafirefox to fix the vulnerabilities.

    Affected Products:
    SUSE Linux Enterprise Server for SAP 15-SP1

    Consequence
    An arbitrary attacker may exploit this vulnerability to compromise the system.
    Solution
    Upgrade to the latest packages which contain a patch. To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product.

    To install packages using the command line interface, use the command "yum update".

    Refer to Suse security advisory SUSE-SU-2021:0676-1 to address this issue and obtain further details.

    Patches
    SUSE Enterprise Linux SUSE-SU-2021:0676-1
  • CVE-2021-23968+
    Recently Published

    SUSE Enterprise Linux Security Update for MozillaFirefox (SUSE-SU-2021:0659-1)

    Severity
    Critical4
    Qualys ID
    174678
    Date Published
    March 4, 2021
    Vendor Reference
    SUSE-SU-2021:0659-1
    CVE Reference
    CVE-2021-23968, CVE-2021-23969, CVE-2021-23973, CVE-2021-23978
    CVSS Scores
    Base 8.8 / Temporal 7.7
    Description
    SUSE has released a security update for mozillafirefox to fix the vulnerabilities.

    Affected Products:
    SUSE Linux Enterprise Module for Desktop Applications 15-SP3
    SUSE Linux Enterprise Module for Desktop Applications 15-SP2

    Consequence
    An arbitrary attacker may exploit this vulnerability to compromise the system.
    Solution
    Upgrade to the latest packages which contain a patch. To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product.

    To install packages using the command line interface, use the command "yum update".

    Refer to Suse security advisory SUSE-SU-2021:0659-1 to address this issue and obtain further details.

    Patches
    SUSE Enterprise Linux SUSE-SU-2021:0659-1
  • CVE-2021-22883+
    Recently Published

    SUSE Enterprise Linux Security Update for nodejs10 (SUSE-SU-2021:0674-1)

    Severity
    Critical4
    Qualys ID
    174688
    Date Published
    March 4, 2021
    Vendor Reference
    SUSE-SU-2021:0674-1
    CVE Reference
    CVE-2021-22883, CVE-2021-22884, CVE-2021-23840
    CVSS Scores
    Base 7.5 / Temporal 6.5
    Description
    SUSE has released a security update for nodejs10 to fix the vulnerabilities.

    Affected Products:
    SUSE Linux Enterprise Server for SAP 15-SP1
    SUSE Linux Enterprise Server for SAP 15
    SUSE Linux Enterprise Module for Web Scripting 15-SP2

    Consequence
    An arbitrary attacker may exploit this vulnerability to compromise the system.
    Solution
    Upgrade to the latest packages which contain a patch. To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product.

    To install packages using the command line interface, use the command "yum update".

    Refer to Suse security advisory SUSE-SU-2021:0674-1 to address this issue and obtain further details.

    Patches
    SUSE Enterprise Linux SUSE-SU-2021:0674-1
  • CVE-2021-22883+
    Recently Published

    SUSE Enterprise Linux Security Update for nodejs10 (SUSE-SU-2021:0673-1)

    Severity
    Critical4
    Qualys ID
    174687
    Date Published
    March 4, 2021
    Vendor Reference
    SUSE-SU-2021:0673-1
    CVE Reference
    CVE-2021-22883, CVE-2021-22884, CVE-2021-23840
    CVSS Scores
    Base 7.5 / Temporal 6.5
    Description
    SUSE has released a security update for nodejs10 to fix the vulnerabilities.

    Affected Products:
    SUSE Linux Enterprise Module for Web Scripting 12

    Consequence
    An arbitrary attacker may exploit this vulnerability to compromise the system.
    Solution
    Upgrade to the latest packages which contain a patch. To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product.

    To install packages using the command line interface, use the command "yum update".

    Refer to Suse security advisory SUSE-SU-2021:0673-1 to address this issue and obtain further details.

    Patches
    SUSE Enterprise Linux SUSE-SU-2021:0673-1
  • Recently Published

    SUSE Enterprise Linux Security Update for bind (SUSE-SU-2021:0689-1)

    Severity
    Critical4
    Qualys ID
    174692
    Date Published
    March 4, 2021
    Vendor Reference
    SUSE-SU-2021:0689-1
    CVSS Scores
    Base 5.6 / Temporal 4.9
    Description
    SUSE has released a security update for bind to fix the vulnerabilities.

    Affected Products:
    SUSE Linux Enterprise Server for SAP 15-SP1
    SUSE Linux Enterprise Server for SAP 15
    SUSE Linux Enterprise Module for Server Applications 15-SP2
    SUSE Linux Enterprise Module for Basesystem 15-SP2

    Consequence
    An arbitrary attacker may exploit this vulnerability to compromise the system.
    Solution
    Upgrade to the latest packages which contain a patch. To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product.

    To install packages using the command line interface, use the command "yum update".

    Refer to Suse security advisory SUSE-SU-2021:0689-1 to address this issue and obtain further details.

    Patches
    SUSE Enterprise Linux SUSE-SU-2021:0689-1
  • CVE-2017-9800+
    Recently Published

    EulerOS Security Update for bzr (EulerOS-SA-2021-1283)

    Severity
    Urgent5
    Qualys ID
    375312
    Date Published
    March 4, 2021
    Vendor Reference
    EulerOS-SA-2021-1283
    CVE Reference
    CVE-2017-9800, CVE-2017-12836, CVE-2017-12976, CVE-2017-16228, CVE-2017-1000116, CVE-2017-1000117, CVE-2017-14176
    CVSS Scores
    Base 9.8 / Temporal 8.8
    Description
    Euler has released security update for bzr to fix the vulnerabilities.

    Affected OS: EulerOS V2.0SP2

    Consequence
    An arbitrary attacker may exploit this vulnerability to compromise the system.
    Solution
    The Vendor has released security update to fix the vulnerability. For more information please visit EulerOS-SA-2021-1283
    Patches
    EulerOS-SA-2021-1283
  • CVE-2020-6831+
    Recently Published

    Oracle Enterprise Linux Security Update for thunderbird (ELSA-2020-2049)

    Severity
    Urgent5
    Qualys ID
    159048
    Date Published
    March 4, 2021
    Vendor Reference
    ELSA-2020-2049
    CVE Reference
    CVE-2020-6831, CVE-2020-12397, CVE-2020-12395, CVE-2020-12387, CVE-2020-12392
    CVSS Scores
    Base 9.8 / Temporal 7.8
    Description
    Oracle Enterprise Linux has released security update for thunderbird to fix the vulnerabilities.

    Affected Product:
    Oracle Linux 6

    Consequence
    This vulnerability could be exploited to gain complete access to sensitive information. Malicious users could also use this vulnerability to change all the contents or configuration on the system. Additionally this vulnerability can also be used to cause a complete denial of service and could render the resource completely unavailable.
    Solution
    To resolve this issue, upgrade to the latest packages which contain a patch. Refer to Oracle Enterprise Linux advisory below for updates and patch information:

    ELSA-2020-2049.
    Patches
    Oracle Linux ELSA-2020-2049
  • CVE-2016-4738
    Recently Published

    EulerOS Security Update for libxslt (EulerOS-SA-2021-1324)

    Severity
    Urgent5
    Qualys ID
    375271
    Date Published
    March 4, 2021
    Vendor Reference
    EulerOS-SA-2021-1324
    CVE Reference
    CVE-2016-4738
    CVSS Scores
    Base 8.8 / Temporal 7.7
    Description
    Euler has released security update for libxslt to fix the vulnerabilities.

    Affected OS: EulerOS V2.0SP2

    Consequence
    An arbitrary attacker may exploit this vulnerability to compromise the system.
    Solution
    The Vendor has released security update to fix the vulnerability. For more information please visit EulerOS-SA-2021-1324
    Patches
    EulerOS-SA-2021-1324
  • CVE-2017-15705+
    Recently Published

    EulerOS Security Update for spamassassin (EulerOS-SA-2021-1360)

    Severity
    Urgent5
    Qualys ID
    375234
    Date Published
    March 4, 2021
    Vendor Reference
    EulerOS-SA-2021-1360
    CVE Reference
    CVE-2017-15705, CVE-2019-12420, CVE-2018-11805, CVE-2020-1931
    CVSS Scores
    Base 8.1 / Temporal 7.1
    Description
    Euler has released security update for spamassassin to fix the vulnerabilities.

    Affected OS: EulerOS V2.0SP2

    Consequence
    An arbitrary attacker may exploit this vulnerability to compromise the system.
    Solution
    The Vendor has released security update to fix the vulnerability. For more information please visit EulerOS-SA-2021-1360
    Patches
    EulerOS-SA-2021-1360
  • CVE-2019-15024+
    Recently Published

    ClickHouse Multiple Vulnerabilities

    Severity
    Critical4
    Qualys ID
    375314
    Date Published
    March 4, 2021
    Vendor Reference
    ClickHouse 19.14.3.3
    CVE Reference
    CVE-2019-15024, CVE-2019-16535, CVE-2019-16536
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description
    ClickHouse is an open-source column-oriented DBMS for online analytical processing.

    ClickHouse is vulnerable to multiple vulnerabilities

    Affected Versions:
    Prior to ClickHouse version 19.14.3.3

    QID Detection Logic:
    This QID uses command clickhouse-client to get the version from the linux system

    Consequence
    Successful exploitation of vulnerability could compromise Authenticity, Confidentiality and Integrity of the system

    Solution
    Please refer to advisory clickhouse release 19.14.3.3
    Patches
    ClickHouse 19.14.3.3
  • CVE-2020-14928+
    Recently Published

    EulerOS Security Update for evolution-data-server (EulerOS-SA-2021-1293)

    Severity
    Critical4
    Qualys ID
    375302
    Date Published
    March 4, 2021
    Vendor Reference
    EulerOS-SA-2021-1293
    CVE Reference
    CVE-2020-14928, CVE-2018-12422, CVE-2020-16117
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description
    Euler has released security update for evolution-data-server to fix the vulnerabilities.

    Affected OS: EulerOS V2.0SP2

    Consequence
    An arbitrary attacker may exploit this vulnerability to compromise the system.
    Solution
    The Vendor has released security update to fix the vulnerability. For more information please visit EulerOS-SA-2021-1293
    Patches
    EulerOS-SA-2021-1293
  • CVE-2020-12658
    Recently Published

    EulerOS Security Update for gssproxy (EulerOS-SA-2021-1304)

    Severity
    Critical4
    Qualys ID
    375291
    Date Published
    March 4, 2021
    Vendor Reference
    EulerOS-SA-2021-1304
    CVE Reference
    CVE-2020-12658
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description
    Euler has released security update for gssproxy to fix the vulnerabilities.

    Affected OS: EulerOS V2.0SP2

    Consequence
    An arbitrary attacker may exploit this vulnerability to compromise the system.
    Solution
    The Vendor has released security update to fix the vulnerability. For more information please visit EulerOS-SA-2021-1304
    Patches
    EulerOS-SA-2021-1304
  • CVE-2019-15140+
    Recently Published

    EulerOS Security Update for ImageMagick (EulerOS-SA-2021-1305)

    Severity
    Critical4
    Qualys ID
    375290
    Date Published
    March 4, 2021
    Vendor Reference
    EulerOS-SA-2021-1305
    CVE Reference
    CVE-2019-15140, CVE-2019-14981, CVE-2019-16708, CVE-2019-16709, CVE-2019-16710, CVE-2019-16711, CVE-2019-19948, CVE-2019-19949, CVE-2020-13902, CVE-2017-9501, CVE-2017-11533, CVE-2017-13768, CVE-2020-29599, CVE-2020-27766
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description
    Euler has released security update for ImageMagick to fix the vulnerabilities.

    Affected OS: EulerOS V2.0SP2

    Consequence
    An arbitrary attacker may exploit this vulnerability to compromise the system.
    Solution
    The Vendor has released security update to fix the vulnerability. For more information please visit EulerOS-SA-2021-1305
    Patches
    EulerOS-SA-2021-1305
  • CVE-2016-9942+
    Recently Published

    EulerOS Security Update for libvncserver (EulerOS-SA-2021-1321)

    Severity
    Critical4
    Qualys ID
    375274
    Date Published
    March 4, 2021
    Vendor Reference
    EulerOS-SA-2021-1321
    CVE Reference
    CVE-2016-9942, CVE-2017-18922, CVE-2019-15681, CVE-2020-25708
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description
    Euler has released security update for libvncserver to fix the vulnerabilities.

    Affected OS: EulerOS V2.0SP2

    Consequence
    An arbitrary attacker may exploit this vulnerability to compromise the system.
    Solution
    The Vendor has released security update to fix the vulnerability. For more information please visit EulerOS-SA-2021-1321
    Patches
    EulerOS-SA-2021-1321
  • CVE-2017-7467
    Recently Published

    EulerOS Security Update for minicom (EulerOS-SA-2021-1329)

    Severity
    Critical4
    Qualys ID
    375266
    Date Published
    March 4, 2021
    Vendor Reference
    EulerOS-SA-2021-1329
    CVE Reference
    CVE-2017-7467
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description
    Euler has released security update for minicom to fix the vulnerabilities.

    Affected OS: EulerOS V2.0SP2

    Consequence
    An arbitrary attacker may exploit this vulnerability to compromise the system.
    Solution
    The Vendor has released security update to fix the vulnerability. For more information please visit EulerOS-SA-2021-1329
    Patches
    EulerOS-SA-2021-1329
  • CVE-2017-14040+
    Recently Published

    EulerOS Security Update for openjpeg (EulerOS-SA-2021-1336)

    Severity
    Critical4
    Qualys ID
    375259
    Date Published
    March 4, 2021
    Vendor Reference
    EulerOS-SA-2021-1336
    CVE Reference
    CVE-2017-14040, CVE-2017-14041, CVE-2017-17479
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description
    Euler has released security update for openjpeg to fix the vulnerabilities.

    Affected OS: EulerOS V2.0SP2

    Consequence
    An arbitrary attacker may exploit this vulnerability to compromise the system.
    Solution
    The Vendor has released security update to fix the vulnerability. For more information please visit EulerOS-SA-2021-1336
    Patches
    EulerOS-SA-2021-1336
  • CVE-2020-27619
    Recently Published

    EulerOS Security Update for python (EulerOS-SA-2021-1350)

    Severity
    Critical4
    Qualys ID
    375245
    Date Published
    March 4, 2021
    Vendor Reference
    EulerOS-SA-2021-1350
    CVE Reference
    CVE-2020-27619
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description
    Euler has released security update for python to fix the vulnerabilities.

    Affected OS: EulerOS V2.0SP2

    Consequence
    An arbitrary attacker may exploit this vulnerability to compromise the system.
    Solution
    The Vendor has released security update to fix the vulnerability. For more information please visit EulerOS-SA-2021-1350
    Patches
    EulerOS-SA-2021-1350
  • CVE-2019-17626
    Recently Published

    EulerOS Security Update for python-reportlab (EulerOS-SA-2021-1354)

    Severity
    Critical4
    Qualys ID
    375241
    Date Published
    March 4, 2021
    Vendor Reference
    EulerOS-SA-2021-1354
    CVE Reference
    CVE-2019-17626
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description
    Euler has released security update for python-reportlab to fix the vulnerabilities.

    Affected OS: EulerOS V2.0SP2

    Consequence
    An arbitrary attacker may exploit this vulnerability to compromise the system.
    Solution
    The Vendor has released security update to fix the vulnerability. For more information please visit EulerOS-SA-2021-1354
    Patches
    EulerOS-SA-2021-1354
  • CVE-2020-1764+
    Recently Published

    Oracle Enterprise Linux Security Update for Unbreakable Enterprise kernel-container kata-image kata-runtime kata kubernetes kubernetes istio olcne (ELSA-2020-5765)

    Severity
    Critical4
    Qualys ID
    159056
    Date Published
    March 4, 2021
    Vendor Reference
    ELSA-2020-5765
    CVE Reference
    CVE-2020-1764, CVE-2020-15104, CVE-2020-10739, CVE-2020-2024, CVE-2020-8557, CVE-2020-2025, CVE-2020-2026, CVE-2020-11080, CVE-2020-8559
    CVSS Scores
    Base 8.8 / Temporal 7
    Description
    Oracle Enterprise Linux has released security update for Unbreakable Enterprise kernel-container kata-image kata-runtime kata kubernetes kubernetes istio olcne to fix the vulnerabilities.

    Affected Product:
    Oracle Linux 7

    Consequence
    This vulnerability could be exploited to gain partial access to sensitive information. Malicious users could also use this vulnerability to change partial contents or configuration on the system. Additionally this vulnerability can also be used to cause a limited denial of service in the form of interruptions in resource availability.
    Solution
    To resolve this issue, upgrade to the latest packages which contain a patch. Refer to Oracle Enterprise Linux advisory below for updates and patch information:

    ELSA-2020-5765.
    Patches
    Oracle Linux ELSA-2020-5765
  • CVE-2020-25681+
    Recently Published

    EulerOS Security Update for dnsmasq (EulerOS-SA-2021-1288)

    Severity
    Critical4
    Qualys ID
    375307
    Date Published
    March 4, 2021
    Vendor Reference
    EulerOS-SA-2021-1288
    CVE Reference
    CVE-2020-25681, CVE-2020-25682, CVE-2020-25683, CVE-2020-25685, CVE-2020-25686, CVE-2020-25684, CVE-2020-25684, CVE-2020-25685, CVE-2020-25684, CVE-2020-25686, CVE-2020-25687
    CVSS Scores
    Base 8.1 / Temporal 7.1
    Description
    Euler has released security update for dnsmasq to fix the vulnerabilities.

    Affected OS: EulerOS V2.0SP2

    Consequence
    An arbitrary attacker may exploit this vulnerability to compromise the system.
    Solution
    The Vendor has released security update to fix the vulnerability. For more information please visit EulerOS-SA-2021-1288
    Patches
    EulerOS-SA-2021-1288
  • CVE-2020-25681+
    Recently Published

    EulerOS Security Update for dnsmasq (EulerOS-SA-2021-1374)

    Severity
    Critical4
    Qualys ID
    375221
    Date Published
    March 4, 2021
    Vendor Reference
    EulerOS-SA-2021-1374
    CVE Reference
    CVE-2020-25681, CVE-2020-25682, CVE-2020-25683, CVE-2020-25685, CVE-2020-25686, CVE-2020-25684, CVE-2020-25684, CVE-2020-25685, CVE-2020-25684, CVE-2020-25686, CVE-2020-25687
    CVSS Scores
    Base 8.1 / Temporal 7.1
    Description
    Euler has released security update for dnsmasq to fix the vulnerabilities.

    Affected OS: EulerOS V2.0SP3

    Consequence
    An arbitrary attacker may exploit this vulnerability to compromise the system.
    Solution
    The Vendor has released security update to fix the vulnerability. For more information please visit EulerOS-SA-2021-1374
    Patches
    EulerOS-SA-2021-1374
  • CVE-2019-3695+
    Recently Published

    EulerOS Security Update for pcp (EulerOS-SA-2021-1341)

    Severity
    Critical4
    Qualys ID
    375254
    Date Published
    March 4, 2021
    Vendor Reference
    EulerOS-SA-2021-1341
    CVE Reference
    CVE-2019-3695, CVE-2019-3696
    CVSS Scores
    Base 7.8 / Temporal 6.8
    Description
    Euler has released security update for pcp to fix the vulnerabilities.

    Affected OS: EulerOS V2.0SP2

    Consequence
    An arbitrary attacker may exploit this vulnerability to compromise the system.
    Solution
    The Vendor has released security update to fix the vulnerability. For more information please visit EulerOS-SA-2021-1341
    Patches
    EulerOS-SA-2021-1341
  • CVE-2021-3156
    Recently Published

    EulerOS Security Update for sudo (EulerOS-SA-2021-1366)

    Severity
    Critical4
    Qualys ID
    375229
    Date Published
    March 4, 2021
    Vendor Reference
    EulerOS-SA-2021-1366
    CVE Reference
    CVE-2021-3156
    CVSS Scores
    Base 7.8 / Temporal 7
    Description
    Euler has released security update for sudo to fix the vulnerabilities.

    Affected OS: EulerOS V2.0SP2

    Consequence
    An arbitrary attacker may exploit this vulnerability to compromise the system.
    Solution
    The Vendor has released security update to fix the vulnerability. For more information please visit EulerOS-SA-2021-1366
    Patches
    EulerOS-SA-2021-1366
  • CVE-2021-3156
    Recently Published

    EulerOS Security Update for sudo (EulerOS-SA-2021-1375)

    Severity
    Critical4
    Qualys ID
    375220
    Date Published
    March 4, 2021
    Vendor Reference
    EulerOS-SA-2021-1375
    CVE Reference
    CVE-2021-3156
    CVSS Scores
    Base 7.8 / Temporal 7
    Description
    Euler has released security update for sudo to fix the vulnerabilities.

    Affected OS: EulerOS V2.0SP3

    Consequence
    An arbitrary attacker may exploit this vulnerability to compromise the system.
    Solution
    The Vendor has released security update to fix the vulnerability. For more information please visit EulerOS-SA-2021-1375
    Patches
    EulerOS-SA-2021-1375
  • CVE-2020-28243
    Under Investigation

    SaltStack Salt Local Privilege Escalation

    Severity
    Critical4
    Qualys ID
    375219
    Vendor Reference
    SaltStack
    CVE Reference
    CVE-2020-28243
    CVSS Scores
    Base 7.8 / Temporal 7.2
    Description
    SaltStack Salt is a software to automate the management and configuration of any infrastructure or application at scale.

    Affected Versions:
    All versions between 2016.3.0rc2 and 3002.5

    QID Detection Logic:
    This authenticated QID detects vulnerable salt-master versions by running the following command: salt-master --versions-report

    Consequence
    This allows for a local privilege escalation by any user able to create a files on the minion in a non-blacklisted directory.

    Solution
    Customers are advised upgrade to the latest version of SaltStack to remediate these vulnerabilities.
    Patches
    SaltStack
  • CVE-2018-17540+
    Recently Published

    EulerOS Security Update for strongimcv (EulerOS-SA-2021-1364)

    Severity
    Critical4
    Qualys ID
    375235
    Date Published
    March 4, 2021
    Vendor Reference
    EulerOS-SA-2021-1364
    CVE Reference
    CVE-2018-17540, CVE-2006-4790, CVE-2014-1568, CVE-2018-16152, CVE-2018-16151, CVE-2018-10811, CVE-2017-9022, CVE-2017-11185, CVE-2015-8023, CVE-2015-4171
    CVSS Scores
    Base 7.5 / Temporal 6.5
    Description
    Euler has released security update for strongimcv to fix the vulnerabilities.

    Affected OS: EulerOS V2.0SP2

    Consequence
    An arbitrary attacker may exploit this vulnerability to compromise the system.
    Solution
    The Vendor has released security update to fix the vulnerability. For more information please visit EulerOS-SA-2021-1364
    Patches
    EulerOS-SA-2021-1364
  • CVE-2019-25013
    Recently Published

    EulerOS Security Update for glibc (EulerOS-SA-2021-1299)

    Severity
    Critical4
    Qualys ID
    375296
    Date Published
    March 4, 2021
    Vendor Reference
    EulerOS-SA-2021-1299
    CVE Reference
    CVE-2019-25013
    CVSS Scores
    Base 5.9 / Temporal 5.2
    Description
    Euler has released security update for glibc to fix the vulnerabilities.

    Affected OS: EulerOS V2.0SP2

    Consequence
    An arbitrary attacker may exploit this vulnerability to compromise the system.
    Solution
    The Vendor has released security update to fix the vulnerability. For more information please visit EulerOS-SA-2021-1299
    Patches
    EulerOS-SA-2021-1299
  • CVE-2020-14803+
    In Development

    SUSE Enterprise Linux Security Update for java-1_8_0-ibm (SUSE-SU-2021:0670-1)

    Severity
    Critical4
    Qualys ID
    174682
    Date Published
    March 3, 2021
    Vendor Reference
    SUSE-SU-2021:0670-1
    CVE Reference
    CVE-2020-14803, CVE-2020-27221
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description
    SUSE has released a security update for java-1_8_0-ibm to fix the vulnerabilities.

    Affected Products:
    SUSE Linux Enterprise Server for SAP 15-SP1
    SUSE Linux Enterprise Server for SAP 15
    SUSE Linux Enterprise Module for Legacy Software 15-SP3
    SUSE Linux Enterprise Module for Legacy Software 15-SP2

    Consequence
    An arbitrary attacker may exploit this vulnerability to compromise the system.
    Solution
    Upgrade to the latest packages which contain a patch. To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product.

    To install packages using the command line interface, use the command "yum update".

    Refer to Suse security advisory SUSE-SU-2021:0670-1 to address this issue and obtain further details.

    Patches
    SUSE Enterprise Linux SUSE-SU-2021:0670-1
  • CVE-2020-27844+
    Recently Published

    Google Chrome Prior To 89.0.4389.72 Multiple Vulnerabilities

    Severity
    Critical4
    Qualys ID
    375319
    Date Published
    March 3, 2021
    Vendor Reference
    89.0.4389.72
    CVE Reference
    CVE-2020-27844, CVE-2021-21159, CVE-2021-21160, CVE-2021-21161, CVE-2021-21162, CVE-2021-21163, CVE-2021-21164, CVE-2021-21165, CVE-2021-21166, CVE-2021-21167, CVE-2021-21168, CVE-2021-21169, CVE-2021-21170, CVE-2021-21171, CVE-2021-21172, CVE-2021-21173, CVE-2021-21174, CVE-2021-21175, CVE-2021-21176, CVE-2021-21177, CVE-2021-21178, CVE-2021-21179, CVE-2021-21180, CVE-2021-21181, CVE-2021-21182, CVE-2021-21183, CVE-2021-21184, CVE-2021-21185, CVE-2021-21186, CVE-2021-21187, CVE-2021-21188, CVE-2021-21189, CVE-2021-21190
    CVSS Scores
    Base 7.8 / Temporal 6.8
    Description
    Google Chrome is a web browser for multiple platforms developed by Google.
    Google Chrome has released a security update in version 89.0.4389.72 to fix multiple vulnerabilities.

    Affected Versions:
    Google Chrome Prior to 89.0.4389.72

    QID Detection Logic(Authenticated):
    This QID checks for vulnerable versions of Google Chrome on Windows, MAC OS, and Linux OS.

    Consequence
    Successful exploitation of these vulnerabilities could affect Confidentiality, Integrity and Availability.

    Solution
    Customers are advised to upgrade to latest version 89.0.4389.72
    For further details refer to Google Chrome 89.0.4389.72
    Patches
    89.0.4389.72
  • CVE-2021-26412+
    Recently Published

    Microsoft Exchange Server Remote Code Execution Vulnerability

    Severity
    Urgent5
    Qualys ID
    50107
    Date Published
    March 3, 2021
    Vendor Reference
    KB5000871, KB5000978
    CVE Reference
    CVE-2021-26412, CVE-2021-26854, CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065, CVE-2021-27078
    CVSS Scores
    Base 9.8 / Temporal 8.8
    Description
    Microsoft Exchange Server is prone to remote code execution vulnerability.

    Microsoft released the following details and the security updates.
    CVE-2021-26855 is a server-side request forgery vulnerability in Exchange which allowed the attacker to send arbitrary HTTP requests and authenticate as the Exchange server.
    CVE-2021-26857 is an insecure deserialization vulnerability in the Unified Messaging service. Insecure deserialization is where untrusted user-controllable data is deserialized by a program.
    CVE-2021-26858 and CVE-2021-27065 are post-authentication arbitrary file write vulnerability in Exchange. If HAFNIUM could authenticate with the Exchange server then they could use this vulnerability to write a file to any path on the server.
    KB Articles associated with this update are: KB5000978, KB5000871

    Affected Versions:
    Microsoft Exchange Server 2010 Service Pack 3
    Microsoft Exchange Server 2013 Cumulative Update 23
    Microsoft Exchange Server 2016 Cumulative Update 18
    Microsoft Exchange Server 2016 Cumulative Update 19
    Microsoft Exchange Server 2019 Cumulative Update 7
    Microsoft Exchange Server 2019 Cumulative Update 8

    QID Detection Logic (authenticated):
    The QID checks for the version of file Exsetup.exe.

    Consequence
    Successful exploitation allows attackers to execute remote code.
    Solution
    Customers are advised to refer to KB5000978, KB5000871 for information pertaining to this vulnerability.
    Patches
    KB5000871, KB5000978
  • CVE-2020-26950
    Recently Published

    Oracle Enterprise Linux Security Update for firefox (ELSA-2020-5100)

    Severity
    Urgent5
    Qualys ID
    159055
    Date Published
    March 3, 2021
    Vendor Reference
    ELSA-2020-5100
    CVE Reference
    CVE-2020-26950
    CVSS Scores
    Base 8.8 / Temporal 7
    Description
    Oracle Enterprise Linux has released security update for firefox to fix the vulnerabilities.

    Affected Product:
    Oracle Linux 8

    Consequence
    This vulnerability could be exploited to gain complete access to sensitive information. Malicious users could also use this vulnerability to change all the contents or configuration on the system. Additionally this vulnerability can also be used to cause a complete denial of service and could render the resource completely unavailable.
    Solution
    To resolve this issue, upgrade to the latest packages which contain a patch. Refer to Oracle Enterprise Linux advisory below for updates and patch information:

    ELSA-2020-5100.
    Patches
    Oracle Linux ELSA-2020-5100
  • CVE-2020-26950
    Recently Published

    Oracle Enterprise Linux Security Update for firefox (ELSA-2020-5099)

    Severity
    Urgent5
    Qualys ID
    159054
    Date Published
    March 3, 2021
    Vendor Reference
    ELSA-2020-5099
    CVE Reference
    CVE-2020-26950
    CVSS Scores
    Base 8.8 / Temporal 7
    Description
    Oracle Enterprise Linux has released security update for firefox to fix the vulnerabilities.

    Affected Product:
    Oracle Linux 7

    Consequence
    This vulnerability could be exploited to gain complete access to sensitive information. Malicious users could also use this vulnerability to change all the contents or configuration on the system. Additionally this vulnerability can also be used to cause a complete denial of service and could render the resource completely unavailable.
    Solution
    To resolve this issue, upgrade to the latest packages which contain a patch. Refer to Oracle Enterprise Linux advisory below for updates and patch information:

    ELSA-2020-5099.
    Patches
    Oracle Linux ELSA-2020-5099
  • CVE-2019-19535+
    Recently Published

    Oracle Enterprise Linux Security Update for Unbreakable Enterprise kernel (ELSA-2020-5845)

    Severity
    Critical4
    Qualys ID
    159058
    Date Published
    March 3, 2021
    Vendor Reference
    ELSA-2020-5845
    CVE Reference
    CVE-2019-19535, CVE-2019-17133, CVE-2020-12771, CVE-2019-15218, CVE-2019-19052, CVE-2019-19063, CVE-2019-19078, CVE-2020-10767, CVE-2019-10639, CVE-2020-10781, CVE-2019-10638, CVE-2019-19066, CVE-2019-3874, CVE-2019-5108, CVE-2020-16166, CVE-2019-20812, CVE-2019-3900, CVE-2019-11487, CVE-2019-19074, CVE-2020-14331, CVE-2019-16746, CVE-2018-14613, CVE-2020-12114, CVE-2019-14898, CVE-2019-19922, CVE-2020-24394, CVE-2020-10751, CVE-2019-19073, CVE-2020-10769, CVE-2018-16884, CVE-2019-17075, CVE-2019-18885
    CVSS Scores
    Base 9.8 / Temporal 7.8
    Description
    Oracle Enterprise Linux has released security update for Unbreakable Enterprise kernel to fix the vulnerabilities.

    Affected Product:
    Oracle Linux 7

    Consequence
    Successful exploitation allows attacker to compromise the system.
    Solution
    To resolve this issue, upgrade to the latest packages which contain a patch. Refer to Oracle Enterprise Linux advisory below for updates and patch information:

    ELSA-2020-5845.
    Patches
    Oracle Linux ELSA-2020-5845
  • CVE-2021-27135
    Recently Published

    Oracle Enterprise Linux Security Update for xterm (ELSA-2021-9066)

    Severity
    Critical4
    Qualys ID
    159044
    Date Published
    March 3, 2021
    Vendor Reference
    ELSA-2021-9066
    CVE Reference
    CVE-2021-27135
    CVSS Scores
    Base 9.8 / Temporal 7.8
    Description
    Oracle Enterprise Linux has released security update for xterm to fix the vulnerabilities.

    Affected Product:
    Oracle Linux 6

    Consequence
    This vulnerability could be exploited to gain partial access to sensitive information. Malicious users could also use this vulnerability to change partial contents or configuration on the system. Additionally this vulnerability can also be used to cause a limited denial of service in the form of interruptions in resource availability.
    Solution
    To resolve this issue, upgrade to the latest packages which contain a patch. Refer to Oracle Enterprise Linux advisory below for updates and patch information:

    ELSA-2021-9066.
    Patches
    Oracle Linux ELSA-2021-9066
  • CVE-2021-27135
    Recently Published

    Oracle Enterprise Linux Security Update for xterm (ELSA-2021-0617)

    Severity
    Critical4
    Qualys ID
    159036
    Date Published
    March 3, 2021
    Vendor Reference
    ELSA-2021-0617
    CVE Reference
    CVE-2021-27135
    CVSS Scores
    Base 9.8 / Temporal 7.8
    Description
    Oracle Enterprise Linux has released security update for xterm to fix the vulnerabilities.

    Affected Product:
    Oracle Linux 7

    Consequence
    This vulnerability could be exploited to gain partial access to sensitive information. Malicious users could also use this vulnerability to change partial contents or configuration on the system. Additionally this vulnerability can also be used to cause a limited denial of service in the form of interruptions in resource availability.
    Solution
    To resolve this issue, upgrade to the latest packages which contain a patch. Refer to Oracle Enterprise Linux advisory below for updates and patch information:

    ELSA-2021-0617.
    Patches
    Oracle Linux ELSA-2021-0617
  • CVE-2021-27135
    Recently Published

    Oracle Enterprise Linux Security Update for xterm (ELSA-2021-0611)

    Severity
    Critical4
    Qualys ID
    159035
    Date Published
    March 3, 2021
    Vendor Reference
    ELSA-2021-0611
    CVE Reference
    CVE-2021-27135
    CVSS Scores
    Base 9.8 / Temporal 7.8
    Description
    Oracle Enterprise Linux has released security update for xterm to fix the vulnerabilities.

    Affected Product:
    Oracle Linux 8

    Consequence
    This vulnerability could be exploited to gain partial access to sensitive information. Malicious users could also use this vulnerability to change partial contents or configuration on the system. Additionally this vulnerability can also be used to cause a limited denial of service in the form of interruptions in resource availability.
    Solution
    To resolve this issue, upgrade to the latest packages which contain a patch. Refer to Oracle Enterprise Linux advisory below for updates and patch information:

    ELSA-2021-0611.
    Patches
    Oracle Linux ELSA-2021-0611
  • CVE-2020-7754+
    Recently Published

    Oracle Enterprise Linux Security Update for nodejs:12 (ELSA-2021-0549)

    Severity
    Critical4
    Qualys ID
    159033
    Date Published
    March 3, 2021
    Vendor Reference
    ELSA-2021-0549
    CVE Reference
    CVE-2020-7754, CVE-2019-10746, CVE-2019-10747, CVE-2020-7788, CVE-2020-8265, CVE-2020-8287
    CVSS Scores
    Base 9.8 / Temporal 7.8
    Description
    Oracle Enterprise Linux has released security update for nodejs:12 to fix the vulnerabilities.

    Affected Product:
    Oracle Linux 8

    Consequence
    This vulnerability could be exploited to gain partial access to sensitive information. Malicious users could also use this vulnerability to change partial contents or configuration on the system. Additionally this vulnerability can also be used to cause a limited denial of service in the form of interruptions in resource availability.
    Solution
    To resolve this issue, upgrade to the latest packages which contain a patch. Refer to Oracle Enterprise Linux advisory below for updates and patch information:

    ELSA-2021-0549.
    Patches
    Oracle Linux ELSA-2021-0549
  • CVE-2020-36158+
    In Development

    EulerOS Security Update for kernel (EulerOS-SA-2021-1311)

    Severity
    Critical4
    Qualys ID
    375284
    Date Published
    March 3, 2021
    Vendor Reference
    EulerOS-SA-2021-1311
    CVE Reference
    CVE-2020-36158, CVE-2020-25656, CVE-2020-14351, CVE-2020-27777, CVE-2020-29661, CVE-2020-29660, CVE-2019-20934, CVE-2020-27786, CVE-2020-29371, CVE-2019-9456, CVE-2020-10773, CVE-2020-12114, CVE-2020-14305, CVE-2020-15436, CVE-2020-15437, CVE-2020-28915, CVE-2020-28974, CVE-2020-0305, CVE-2020-12352
    CVSS Scores
    Base 8.1 / Temporal 7.1
    Description
    Euler has released security update for kernel to fix the vulnerabilities.

    Affected OS: EulerOS V2.0SP2

    Consequence
    An arbitrary attacker may exploit this vulnerability to compromise the system.
    Solution
    The Vendor has released security update to fix the vulnerability. For more information please visit EulerOS-SA-2021-1311
    Patches
    EulerOS-SA-2021-1311
  • CVE-2020-7754+
    Recently Published

    Oracle Enterprise Linux Security Update for nodejs:14 (ELSA-2021-0551)

    Severity
    Critical4
    Qualys ID
    159034
    Date Published
    March 3, 2021
    Vendor Reference
    ELSA-2021-0551
    CVE Reference
    CVE-2020-7754, CVE-2020-7788, CVE-2020-8265, CVE-2020-8287, CVE-2020-8277, CVE-2020-7774, CVE-2020-15366
    CVSS Scores
    Base 8.1 / Temporal 6.5
    Description
    Oracle Enterprise Linux has released security update for nodejs:14 to fix the vulnerabilities.

    Affected Product:
    Oracle Linux 8

    Consequence
    This vulnerability could be exploited to gain partial access to sensitive information. Malicious users could also use this vulnerability to change partial contents or configuration on the system. Additionally this vulnerability can also be used to cause a limited denial of service in the form of interruptions in resource availability.
    Solution
    To resolve this issue, upgrade to the latest packages which contain a patch. Refer to Oracle Enterprise Linux advisory below for updates and patch information:

    ELSA-2021-0551.
    Patches
    Oracle Linux ELSA-2021-0551
  • CVE-2020-8116+
    Recently Published

    Oracle Enterprise Linux Security Update for nodejs:10 (ELSA-2021-0548)

    Severity
    Critical4
    Qualys ID
    159032
    Date Published
    March 3, 2021
    Vendor Reference
    ELSA-2021-0548
    CVE Reference
    CVE-2020-8116, CVE-2020-8252, CVE-2020-15095, CVE-2020-7608, CVE-2020-7754, CVE-2020-7788, CVE-2020-8265, CVE-2020-8287, CVE-2020-7774, CVE-2020-15366
    CVSS Scores
    Base 8.1 / Temporal 6.5
    Description
    Oracle Enterprise Linux has released security update for nodejs:10 to fix the vulnerabilities.

    Affected Product:
    Oracle Linux 8

    Consequence
    This vulnerability could be exploited to gain partial access to sensitive information. Malicious users could also use this vulnerability to change partial contents or configuration on the system. Additionally this vulnerability can also be used to cause a limited denial of service in the form of interruptions in resource availability.
    Solution
    To resolve this issue, upgrade to the latest packages which contain a patch. Refer to Oracle Enterprise Linux advisory below for updates and patch information:

    ELSA-2021-0548.
    Patches
    Oracle Linux ELSA-2021-0548
  • CVE-2020-12695
    In Development

    EulerOS Security Update for wpa_supplicant (EulerOS-SA-2021-1372)

    Severity
    Critical4
    Qualys ID
    375223
    Date Published
    March 3, 2021
    Vendor Reference
    EulerOS-SA-2021-1372
    CVE Reference
    CVE-2020-12695
    CVSS Scores
    Base 7.5 / Temporal 6.5
    Description
    Euler has released security update for wpa_supplicant to fix the vulnerabilities.

    Affected OS: EulerOS V2.0SP2

    Consequence
    An arbitrary attacker may exploit this vulnerability to compromise the system.
    Solution
    The Vendor has released security update to fix the vulnerability. For more information please visit EulerOS-SA-2021-1372
    Patches
    EulerOS-SA-2021-1372
  • CVE-2020-28243+
    Recently Published

    SUSE Enterprise Linux Security Update for salt (SUSE-SU-2021:0631-1)

    Severity
    Urgent5
    Qualys ID
    174668
    Date Published
    March 2, 2021
    Vendor Reference
    SUSE-SU-2021:0631-1
    CVE Reference
    CVE-2020-28243, CVE-2020-28972, CVE-2020-35662, CVE-2021-25281, CVE-2021-25282, CVE-2021-25283, CVE-2021-25284, CVE-2021-3144, CVE-2021-3148, CVE-2021-3197
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description
    SUSE has released security update for salt to fix the vulnerabilities.

    Affected Products:
    SUSE Linux Enterprise Server for SAP 15-SP1

    Consequence
    An arbitrary attacker may exploit this vulnerability to compromise the system
    Solution
    Upgrade to the latest packages which contain a patch. To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product.

    To install packages using the command line interface, use the command "yum update".

    Refer to Suse security advisory SUSE-SU-2021:0631-1 to address this issue and obtain further details.

    Patches
    SUSE Enterprise Linux SUSE-SU-2021:0631-1
  • CVE-2020-28243+
    Recently Published

    SUSE Enterprise Linux Security Update for salt (SUSE-SU-2021:0630-1)

    Severity
    Urgent5
    Qualys ID
    174667
    Date Published
    March 2, 2021
    Vendor Reference
    SUSE-SU-2021:0630-1
    CVE Reference
    CVE-2020-28243, CVE-2020-28972, CVE-2020-35662, CVE-2021-25281, CVE-2021-25282, CVE-2021-25283, CVE-2021-25284, CVE-2021-3144, CVE-2021-3148, CVE-2021-3197
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description
    SUSE has released security update for salt to fix the vulnerabilities.

    Affected Products:
    SUSE Linux Enterprise Module for Server Applications 15-SP2
    SUSE Linux Enterprise Module for Python2 15-SP2
    SUSE Linux Enterprise Module for Basesystem 15-SP2

    Consequence
    An arbitrary attacker may exploit this vulnerability to compromise the system
    Solution
    Upgrade to the latest packages which contain a patch. To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product.

    To install packages using the command line interface, use the command "yum update".

    Refer to Suse security advisory SUSE-SU-2021:0630-1 to address this issue and obtain further details.

    Patches
    SUSE Enterprise Linux SUSE-SU-2021:0630-1
  • CVE-2020-28243+
    Recently Published

    SUSE Enterprise Linux Security Update for salt (SUSE-SU-2021:0628-1)

    Severity
    Urgent5
    Qualys ID
    174666
    Date Published
    March 2, 2021
    Vendor Reference
    SUSE-SU-2021:0628-1
    CVE Reference
    CVE-2020-28243, CVE-2020-28972, CVE-2020-35662, CVE-2021-25281, CVE-2021-25282, CVE-2021-25283, CVE-2021-25284, CVE-2021-3144, CVE-2021-3148, CVE-2021-3197
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description
    SUSE has released security update for salt to fix the vulnerabilities.

    Affected Products:
    SUSE Linux Enterprise Server for SAP 15

    Consequence
    An arbitrary attacker may exploit this vulnerability to compromise the system
    Solution
    Upgrade to the latest packages which contain a patch. To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product.

    To install packages using the command line interface, use the command "yum update".

    Refer to Suse security advisory SUSE-SU-2021:0628-1 to address this issue and obtain further details.

    Patches
    SUSE Enterprise Linux SUSE-SU-2021:0628-1
  • CVE-2020-14803+
    Recently Published

    SUSE Enterprise Linux Security Update for java-1_8_0-ibm (SUSE-SU-2021:0652-1)

    Severity
    Critical4
    Qualys ID
    174672
    Date Published
    March 2, 2021
    Vendor Reference
    SUSE-SU-2021:0652-1
    CVE Reference
    CVE-2020-14803, CVE-2020-27221
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description
    SUSE has released security update for java-1_8_0-ibm to fix the vulnerabilities.

    Affected Products:
    SUSE Linux Enterprise Software Development Kit 12-SP5
    SUSE Linux Enterprise Server for SAP 12-SP4
    SUSE Linux Enterprise Server for SAP 12-SP3
    SUSE Linux Enterprise Server for SAP 12-SP2
    SUSE Linux Enterprise Server 12-SP5

    Consequence
    An arbitrary attacker may exploit this vulnerability to compromise the system
    Solution
    Upgrade to the latest packages which contain a patch. To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product.

    To install packages using the command line interface, use the command "yum update".

    Refer to Suse security advisory SUSE-SU-2021:0652-1 to address this issue and obtain further details.

    Patches
    SUSE Enterprise Linux SUSE-SU-2021:0652-1
  • CVE-2021-22883+
    Recently Published

    SUSE Enterprise Linux Security Update for nodejs12 (SUSE-SU-2021:0649-1)

    Severity
    Critical4
    Qualys ID
    174674
    Date Published
    March 2, 2021
    Vendor Reference
    SUSE-SU-2021:0649-1
    CVE Reference
    CVE-2021-22883, CVE-2021-22884, CVE-2021-23840
    CVSS Scores
    Base 7.5 / Temporal 6.5
    Description
    SUSE has released security update for nodejs12 to fix the vulnerabilities.

    Affected Products:
    SUSE Linux Enterprise Module for Web Scripting 12

    Consequence
    An arbitrary attacker may exploit this vulnerability to compromise the system
    Solution
    Upgrade to the latest packages which contain a patch. To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product.

    To install packages using the command line interface, use the command "yum update".

    Refer to Suse security advisory SUSE-SU-2021:0649-1 to address this issue and obtain further details.

    Patches
    SUSE Enterprise Linux SUSE-SU-2021:0649-1
  • CVE-2021-22883+
    Recently Published

    SUSE Enterprise Linux Security Update for nodejs14 (SUSE-SU-2021:0648-1)

    Severity
    Critical4
    Qualys ID
    174673
    Date Published
    March 2, 2021
    Vendor Reference
    SUSE-SU-2021:0648-1
    CVE Reference
    CVE-2021-22883, CVE-2021-22884
    CVSS Scores
    Base / Temporal
    Description
    SUSE has released security update for nodejs14 to fix the vulnerabilities.

    Affected Products:
    SUSE Linux Enterprise Module for Web Scripting 15-SP2

    Consequence
    An arbitrary attacker may exploit this vulnerability to compromise the system
    Solution
    Upgrade to the latest packages which contain a patch. To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product.

    To install packages using the command line interface, use the command "yum update".

    Refer to Suse security advisory SUSE-SU-2021:0648-1 to address this issue and obtain further details.

    Patches
    SUSE Enterprise Linux SUSE-SU-2021:0648-1
  • CVE-2021-22883+
    Recently Published

    SUSE Enterprise Linux Security Update for nodejs12 (SUSE-SU-2021:0651-1)

    Severity
    Critical4
    Qualys ID
    174671
    Date Published
    March 2, 2021
    Vendor Reference
    SUSE-SU-2021:0651-1
    CVE Reference
    CVE-2021-22883, CVE-2021-22884, CVE-2021-23840
    CVSS Scores
    Base 7.5 / Temporal 6.5
    Description
    SUSE has released security update for nodejs12 to fix the vulnerabilities.

    Affected Products:
    SUSE Linux Enterprise Module for Web Scripting 15-SP2

    Consequence
    An arbitrary attacker may exploit this vulnerability to compromise the system
    Solution
    Upgrade to the latest packages which contain a patch. To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product.

    To install packages using the command line interface, use the command "yum update".

    Refer to Suse security advisory SUSE-SU-2021:0651-1 to address this issue and obtain further details.

    Patches
    SUSE Enterprise Linux SUSE-SU-2021:0651-1
  • CVE-2020-28493
    Recently Published

    SUSE Enterprise Linux Security Update for python-Jinja2 (SUSE-SU-2021:0654-1)

    Severity
    Critical4
    Qualys ID
    174676
    Date Published
    March 2, 2021
    Vendor Reference
    SUSE-SU-2021:0654-1
    CVE Reference
    CVE-2020-28493
    CVSS Scores
    Base 5.3 / Temporal 4.6
    Description
    SUSE has released security update for python-jinja2 to fix the vulnerabilities.

    Affected Products:
    SUSE Linux Enterprise Server for SAP 15-SP1
    SUSE Linux Enterprise Server for SAP 15
    SUSE Linux Enterprise Module for Python2 15-SP3
    SUSE Linux Enterprise Module for Python2 15-SP2
    SUSE Linux Enterprise Module for Basesystem 15-SP3
    SUSE Linux Enterprise Module for Basesystem 15-SP2

    Consequence
    An arbitrary attacker may exploit this vulnerability to compromise the system
    Solution
    Upgrade to the latest packages which contain a patch. To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product.

    To install packages using the command line interface, use the command "yum update".

    Refer to Suse security advisory SUSE-SU-2021:0654-1 to address this issue and obtain further details.

    Patches
    SUSE Enterprise Linux SUSE-SU-2021:0654-1
  • CVE-2021-22883+
    Recently Published

    SUSE Enterprise Linux Security Update for nodejs14 (SUSE-SU-2021:0650-1)

    Severity
    Critical4
    Qualys ID
    174670
    Date Published
    March 2, 2021
    Vendor Reference
    SUSE-SU-2021:0650-1
    CVE Reference
    CVE-2021-22883, CVE-2021-22884
    CVSS Scores
    Base / Temporal
    Description
    SUSE has released security update for nodejs14 to fix the vulnerabilities.

    Affected Products:
    SUSE Linux Enterprise Module for Web Scripting 12

    Consequence
    An arbitrary attacker may exploit this vulnerability to compromise the system
    Solution
    Upgrade to the latest packages which contain a patch. To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product.

    To install packages using the command line interface, use the command "yum update".

    Refer to Suse security advisory SUSE-SU-2021:0650-1 to address this issue and obtain further details.

    Patches
    SUSE Enterprise Linux SUSE-SU-2021:0650-1
  • CVE-2020-28243+
    In Development

    SUSE Enterprise Linux Security Update for salt (SUSE-SU-2021:0627-1)

    Severity
    Urgent5
    Qualys ID
    174669
    Date Published
    March 1, 2021
    Vendor Reference
    SUSE-SU-2021:0627-1
    CVE Reference
    CVE-2020-28243, CVE-2020-28972, CVE-2020-35662, CVE-2021-25281, CVE-2021-25282, CVE-2021-25283, CVE-2021-25284, CVE-2021-3144, CVE-2021-3148, CVE-2021-3197
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description
    SUSE has released security update for salt to fix the vulnerabilities.

    Affected Products:
    SUSE Linux Enterprise Module for Advanced Systems Management 12

    Consequence
    An arbitrary attacker may exploit this vulnerability to compromise the system
    Solution
    Upgrade to the latest packages which contain a patch. To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product.

    To install packages using the command line interface, use the command "yum update".

    Refer to Suse security advisory SUSE-SU-2021:0627-1 to address this issue and obtain further details.

    Patches
    SUSE Enterprise Linux SUSE-SU-2021:0627-1
  • CVE-2021-27135
    Recently Published

    Fedora Security Update for xterm (FEDORA-2021-e7a8e79fa8)

    Severity
    Critical4
    Qualys ID
    281025
    Date Published
    March 1, 2021
    Vendor Reference
    FEDORA-2021-e7a8e79fa8 Fedora 33
    CVE Reference
    CVE-2021-27135
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description
    Fedora has released a security update for xterm to fix the vulnerability.

    Affected OS:
    Fedora 33

    Note : "The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues."

    Consequence
    This vulnerability could be exploited to gain partial access to sensitive information. Malicious users could also use this vulnerability to change partial contents or configuration on the system. Additionally this vulnerability can also be used to cause a limited denial of service in the form of interruptions in resource availability.
    Solution
    Fedora has issued updated packages to fix this vulnerability.

    For more information about the vulnerability and obtaining patches, refer to the following Fedora security advisories:
    Fedora 33 Update

    Patches
    Fedora 33 FEDORA-2021-e7a8e79fa8
  • CVE-2021-1721+
    Recently Published

    Fedora Security Update for dotnet3.1 (FEDORA-2021-48ca39b6ad)

    Severity
    Critical4
    Qualys ID
    281017
    Date Published
    March 1, 2021
    Vendor Reference
    FEDORA-2021-48ca39b6ad Fedora 32
    CVE Reference
    CVE-2021-1721, CVE-2021-24112
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description
    Fedora has released a security update for dotnet3.1 to fix the vulnerability.

    Affected OS:
    Fedora 32

    Note : "The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues."

    Consequence
    This vulnerability could be exploited to gain partial access to sensitive information. Malicious users could also use this vulnerability to change partial contents or configuration on the system. Additionally this vulnerability can also be used to cause a limited denial of service in the form of interruptions in resource availability.
    Solution
    Fedora has issued updated packages to fix this vulnerability.

    For more information about the vulnerability and obtaining patches, refer to the following Fedora security advisories:
    Fedora 32 Update

    Patches
    Fedora 32 FEDORA-2021-48ca39b6ad
  • CVE-2021-1721+
    Recently Published

    Fedora Security Update for dotnet3.1 (FEDORA-2021-c3d7fc8949)

    Severity
    Critical4
    Qualys ID
    281016
    Date Published
    March 1, 2021
    Vendor Reference
    FEDORA-2021-c3d7fc8949 Fedora 33
    CVE Reference
    CVE-2021-1721, CVE-2021-24112
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description
    Fedora has released a security update for dotnet3.1 to fix the vulnerability.

    Affected OS:
    Fedora 33

    Note : "The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues."

    Consequence
    This vulnerability could be exploited to gain partial access to sensitive information. Malicious users could also use this vulnerability to change partial contents or configuration on the system. Additionally this vulnerability can also be used to cause a limited denial of service in the form of interruptions in resource availability.
    Solution
    Fedora has issued updated packages to fix this vulnerability.

    For more information about the vulnerability and obtaining patches, refer to the following Fedora security advisories:
    Fedora 33 Update

    Patches
    Fedora 33 FEDORA-2021-c3d7fc8949
  • CVE-2021-3177+
    Recently Published

    Fedora Security Update for python36 (FEDORA-2021-3352c1c802)

    Severity
    Critical4
    Qualys ID
    281015
    Date Published
    March 1, 2021
    Vendor Reference
    FEDORA-2021-3352c1c802 Fedora 32
    CVE Reference
    CVE-2021-3177, CVE-2021-23336
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description
    Fedora has released a security update for python36 to fix the vulnerability.

    Affected OS:
    Fedora 32

    Note : "The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues."

    Consequence
    This vulnerability could be exploited to gain partial access to sensitive information. Malicious users could also use this vulnerability to change partial contents or configuration on the system. Additionally this vulnerability can also be used to cause a limited denial of service in the form of interruptions in resource availability.
    Solution
    Fedora has issued updated packages to fix this vulnerability.

    For more information about the vulnerability and obtaining patches, refer to the following Fedora security advisories:
    Fedora 32 Update

    Patches
    Fedora 32 FEDORA-2021-3352c1c802
  • CVE-2021-3177+
    Recently Published

    Fedora Security Update for python37 (FEDORA-2021-907f3bacae)

    Severity
    Critical4
    Qualys ID
    281014
    Date Published
    March 1, 2021
    Vendor Reference
    FEDORA-2021-907f3bacae Fedora 32
    CVE Reference
    CVE-2021-3177, CVE-2021-23336
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description
    Fedora has released a security update for python37 to fix the vulnerability.

    Affected OS:
    Fedora 32

    Note : "The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues."

    Consequence
    This vulnerability could be exploited to gain partial access to sensitive information. Malicious users could also use this vulnerability to change partial contents or configuration on the system. Additionally this vulnerability can also be used to cause a limited denial of service in the form of interruptions in resource availability.
    Solution
    Fedora has issued updated packages to fix this vulnerability.

    For more information about the vulnerability and obtaining patches, refer to the following Fedora security advisories:
    Fedora 32 Update

    Patches
    Fedora 32 FEDORA-2021-907f3bacae
  • CVE-2021-1721+
    Recently Published

    Fedora Security Update for dotnet5.0 (FEDORA-2021-56e894d5ca)

    Severity
    Critical4
    Qualys ID
    281012
    Date Published
    March 1, 2021
    Vendor Reference
    FEDORA-2021-56e894d5ca Fedora 32
    CVE Reference
    CVE-2021-1721, CVE-2021-24112
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description
    Fedora has released a security update for dotnet5.0 to fix the vulnerability.

    Affected OS:
    Fedora 32

    Note : "The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues."

    Consequence
    This vulnerability could be exploited to gain partial access to sensitive information. Malicious users could also use this vulnerability to change partial contents or configuration on the system. Additionally this vulnerability can also be used to cause a limited denial of service in the form of interruptions in resource availability.
    Solution
    Fedora has issued updated packages to fix this vulnerability.

    For more information about the vulnerability and obtaining patches, refer to the following Fedora security advisories:
    Fedora 32 Update

    Patches
    Fedora 32 FEDORA-2021-56e894d5ca
  • CVE-2019-25013+
    In Development

    SUSE Enterprise Linux Security Update for glibc (SUSE-SU-2021:0653-1)

    Severity
    Critical4
    Qualys ID
    174675
    Date Published
    March 1, 2021
    Vendor Reference
    SUSE-SU-2021:0653-1
    CVE Reference
    CVE-2019-25013, CVE-2020-27618, CVE-2020-29562, CVE-2020-29573, CVE-2021-3326
    CVSS Scores
    Base 7.5 / Temporal 6.5
    Description
    SUSE has released security update for glibc to fix the vulnerabilities.

    Affected Products:
    SUSE Linux Enterprise Server for SAP 15-SP1
    SUSE Linux Enterprise Server for SAP 15
    SUSE Linux Enterprise Module for Development Tools 15-SP2
    SUSE Linux Enterprise Module for Basesystem 15-SP2

    Consequence
    An arbitrary attacker may exploit this vulnerability to compromise the system
    Solution
    Upgrade to the latest packages which contain a patch. To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product.

    To install packages using the command line interface, use the command "yum update".

    Refer to Suse security advisory SUSE-SU-2021:0653-1 to address this issue and obtain further details.

    Patches
    SUSE Enterprise Linux SUSE-SU-2021:0653-1
  • CVE-2020-0452
    Recently Published

    CentOS Security Update for libexif (CESA-2020:5402)

    Severity
    Critical4
    Qualys ID
    257062
    Date Published
    March 1, 2021
    Vendor Reference
    CESA-2020:5402 centos 7
    CVE Reference
    CVE-2020-0452
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description
    CentOS has released security update for libexif to fix the vulnerabilities.

    Affected Products:

    centos 7

    Consequence
    This vulnerability could be exploited to gain access to sensitive information also use this vulnerability to change contents or configuration on the system. Additionally this vulnerability can also be used to cause a denial of service in the form of interruptions in resource availability.
    Solution
    To resolve this issue, upgrade to the latest packages which contain a patch. Refer to CentOS advisory centos 7 for updates and patch information.
    Patches
    centos 7 CESA-2020:5402
  • CVE-2021-23968+
    Recently Published

    CentOS Security Update for thunderbird (CESA-2021:0661)

    Severity
    Critical4
    Qualys ID
    257066
    Date Published
    March 1, 2021
    Vendor Reference
    CESA-2021:0661 centos 7
    CVE Reference
    CVE-2021-23968, CVE-2021-23969, CVE-2021-23978, CVE-2021-23973
    CVSS Scores
    Base 8.8 / Temporal 7.7
    Description
    CentOS has released security update for thunderbird to fix the vulnerabilities.

    Affected Products:

    centos 7

    Consequence
    This vulnerability could be exploited to gain access to sensitive information also use this vulnerability to change contents or configuration on the system. Additionally this vulnerability can also be used to cause a denial of service in the form of interruptions in resource availability.
    Solution
    To resolve this issue, upgrade to the latest packages which contain a patch. Refer to CentOS advisory centos 7 for updates and patch information.
    Patches
    centos 7 CESA-2021:0661
  • CVE-2021-23968+
    Recently Published

    CentOS Security Update for firefox (CESA-2021:0656)

    Severity
    Critical4
    Qualys ID
    257065
    Date Published
    March 1, 2021
    Vendor Reference
    CESA-2021:0656 centos 7
    CVE Reference
    CVE-2021-23968, CVE-2021-23969, CVE-2021-23978, CVE-2021-23973
    CVSS Scores
    Base 8.8 / Temporal 7.7
    Description
    CentOS has released security update for firefox security update to fix the vulnerabilities.

    Affected Products:

    centos 7

    Consequence
    This vulnerability could be exploited to gain access to sensitive information also use this vulnerability to change contents or configuration on the system. Additionally this vulnerability can also be used to cause a denial of service in the form of interruptions in resource availability.
    Solution
    To resolve this issue, upgrade to the latest packages which contain a patch. Refer to CentOS advisory centos 7 for updates and patch information.
    Patches
    centos 7 CESA-2021:0656
  • CVE-2020-29599
    Recently Published

    CentOS Security Update for ImageMagick (CESA-2021:0024)

    Severity
    Critical4
    Qualys ID
    257064
    Date Published
    March 1, 2021
    Vendor Reference
    CESA-2021:0024 centos 7
    CVE Reference
    CVE-2020-29599
    CVSS Scores
    Base 7.8 / Temporal 6.8
    Description
    CentOS has released security update for imagemagick to fix the vulnerabilities.

    Affected Products:

    centos 7

    Consequence
    This vulnerability could be exploited to gain access to sensitive information also use this vulnerability to change contents or configuration on the system. Additionally this vulnerability can also be used to cause a denial of service in the form of interruptions in resource availability.
    Solution
    To resolve this issue, upgrade to the latest packages which contain a patch. Refer to CentOS advisory centos 7 for updates and patch information.
    Patches
    centos 7 CESA-2021:0024
  • CVE-2020-14360+
    Recently Published

    CentOS Security Update for xorg-x11-server (CESA-2020:5408)

    Severity
    Critical4
    Qualys ID
    257063
    Date Published
    March 1, 2021
    Vendor Reference
    CESA-2020:5408 centos 7
    CVE Reference
    CVE-2020-14360, CVE-2020-25712, CVE-2020-14347
    CVSS Scores
    Base 7.8 / Temporal 6.8
    Description
    CentOS has released security update for xorg-x11-server to fix the vulnerabilities.

    Affected Products:

    centos 7

    Consequence
    This vulnerability could be exploited to gain access to sensitive information also use this vulnerability to change contents or configuration on the system. Additionally this vulnerability can also be used to cause a denial of service in the form of interruptions in resource availability.
    Solution
    To resolve this issue, upgrade to the latest packages which contain a patch. Refer to CentOS advisory centos 7 for updates and patch information.
    Patches
    centos 7 CESA-2020:5408
  • CVE-2021-22974
    In Development

    F5 BIG-IP ASM,LTM,APM iControl REST Vulnerability (K68652018)

    Severity
    Critical4
    Qualys ID
    375216
    Vendor Reference
    K68652018
    CVE Reference
    CVE-2021-22974
    CVSS Scores
    Base 7.5 / Temporal 6.5
    Description
    F5 BIG-IP ASM (Application Security Manager) is a flexible web application firewall that secures web applications in traditional, virtual, and private cloud environments.
    F5 BIG-IP (LTM) Local Traffic Manager is the most popular module offered on F5 Networks BiG-IP platform. The real power of the LTM is it is a Full Proxy, allowing you to augment client and server side connections. All while making informed load balancing decisions on availability, performance, and persistence.
    F5 BIG-IP Access Policy Manager (APM) is a secure, flexible, high-performance solution that provides unified global access to your network, cloud, and applications.

    Vulnerable Component: BIG-IP ASM, APM,LTM

    Affected Versions:
    16.0.0 - 16.0.1
    15.1.0 - 15.1.1
    14.1.0 - 14.1.3
    13.1.0 - 13.1.3

    QID Detection Logic(Authenticated):
    This QID checks for the vulnerable versions of F5 BIG-IP devices using the tmsh command.

    Consequence
    An attacker can exploit the vulnerability to obtain restricted information, modify files, or cause a denial-of-service (DoS).

    Solution
    The vendor has released any patch, for more information please visit: K68652018
    Patches
    K68652018
  • CVE-2021-22979
    Recently Published

    F5 BIG-IP ASM,LTM,APM XSS Vulnerability(K63497634)

    Severity
    Critical4
    Qualys ID
    375217
    Date Published
    March 1, 2021
    Vendor Reference
    K63497634
    CVE Reference
    CVE-2021-22979
    CVSS Scores
    Base 6.1 / Temporal 5.3
    Description
    F5 BIG-IP ASM (Application Security Manager) is a flexible web application firewall that secures web applications in traditional, virtual, and private cloud environments.
    F5 BIG-IP (LTM) Local Traffic Manager is the most popular module offered on F5 Networks BiG-IP platform. The real power of the LTM is it is a Full Proxy, allowing you to augment client and server side connections. All while making informed load balancing decisions on availability, performance, and persistence.
    F5 BIG-IP Access Policy Manager (APM) is a secure, flexible, high-performance solution that provides unified global access to your network, cloud, and applications.

    Vulnerable Component: BIG-IP ASM, APM,LTM

    Affected Versions:
    16.0.0
    15.0.0 - 15.1.0
    14.1.0 - 14.1.2
    13.1.0 - 13.1.3
    12.1.0 - 12.1.5

    QID Detection Logic(Authenticated):
    This QID checks for the vulnerable versions of F5 BIG-IP devices using the tmsh command.

    Consequence
    A remote attacker may potentially exploit this vulnerability by sending a specific crafted URL that includes the specific target host name and malicious HTML or JavaScript code to a BIG-IP Configuration utility user, which is then reflected back to the victim and executed by the web browser. If the exploit is successful, an attacker can run JavaScript in the context of the currently logged-in user.

    Solution
    The vendor has released any patch, for more information please visit: K63497634
    Patches
    K63497634
  • CVE-2021-23968+
    Recently Published

    Red Hat Update for firefox (RHSA-2021:0655)

    Severity
    Urgent5
    Qualys ID
    239103
    Date Published
    March 1, 2021
    Vendor Reference
    RHSA-2021:0655
    CVE Reference
    CVE-2021-23968, CVE-2021-23969, CVE-2021-23973, CVE-2021-23978
    CVSS Scores
    Base 8.8 / Temporal 7.7
    Description
    Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability.This update upgrades Firefox to version 78.8.0 ESR.

    Security Fix(es): Mozilla: Content Security Policy violation report could have contained the destination of a redirect (CVE-2021-23968) Mozilla: Content Security Policy violation report could have contained the destination of a redirect (CVE-2021-23969) Mozilla: Memory safety bugs fixed in Firefox 86 and Firefox ESR 78.8 (CVE-2021-23978) Mozilla: MediaError message property could have leaked information about cross-origin resources (CVE-2021-23973)

    Affected Products:

    Red Hat Enterprise Linux for x86_64 8 x86_64
    Red Hat Enterprise Linux for IBM z Systems 8 s390x
    Red Hat Enterprise Linux for Power, little endian 8 ppc64le
    Red Hat Enterprise Linux for ARM 64 8 aarch64

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    On successful exploitation, it could allow an attacker to execute code.
    Solution
    Upgrade to the latest packages which contain a patch. Refer to Applying Package Updates to RHEL system for details.

    Refer to Red Hat security advisory RHSA-2021:0655 to address this issue and obtain more information.

    Patches
    Red Hat Enterprise Linux RHSA-2021:0655
  • CVE-2021-23968+
    Recently Published

    Red Hat Update for firefox (RHSA-2021:0656)

    Severity
    Urgent5
    Qualys ID
    239102
    Date Published
    March 1, 2021
    Vendor Reference
    RHSA-2021:0656
    CVE Reference
    CVE-2021-23968, CVE-2021-23969, CVE-2021-23973, CVE-2021-23978
    CVSS Scores
    Base 8.8 / Temporal 7.7
    Description
    Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability.This update upgrades Firefox to version 78.8.0 ESR.

    Security Fix(es): Mozilla: Content Security Policy violation report could have contained the destination of a redirect (CVE-2021-23968) Mozilla: Content Security Policy violation report could have contained the destination of a redirect (CVE-2021-23969) Mozilla: Memory safety bugs fixed in Firefox 86 and Firefox ESR 78.8 (CVE-2021-23978) Mozilla: MediaError message property could have leaked information about cross-origin resources (CVE-2021-23973)

    Affected Products:

    Red Hat Enterprise Linux Server 7 x86_64
    Red Hat Enterprise Linux Workstation 7 x86_64
    Red Hat Enterprise Linux Desktop 7 x86_64
    Red Hat Enterprise Linux for IBM z Systems 7 s390x
    Red Hat Enterprise Linux for Power, big endian 7 ppc64
    Red Hat Enterprise Linux for Power, little endian 7 ppc64le

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    On successful exploitation, it could allow an attacker to execute code.
    Solution
    Upgrade to the latest packages which contain a patch. Refer to Applying Package Updates to RHEL system for details.

    Refer to Red Hat security advisory RHSA-2021:0656 to address this issue and obtain more information.

    Patches
    Red Hat Enterprise Linux RHSA-2021:0656
  • CVE-2021-23968+
    Recently Published

    Red Hat Update for firefox (RHSA-2021:0659)

    Severity
    Urgent5
    Qualys ID
    239099
    Date Published
    March 1, 2021
    Vendor Reference
    RHSA-2021:0659
    CVE Reference
    CVE-2021-23968, CVE-2021-23969, CVE-2021-23973, CVE-2021-23978
    CVSS Scores
    Base 8.8 / Temporal 7.7
    Description
    Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability.This update upgrades Firefox to version 78.8.0 ESR.

    Security Fix(es): Mozilla: Content Security Policy violation report could have contained the destination of a redirect (CVE-2021-23968) Mozilla: Content Security Policy violation report could have contained the destination of a redirect (CVE-2021-23969) Mozilla: Memory safety bugs fixed in Firefox 86 and Firefox ESR 78.8 (CVE-2021-23978) Mozilla: MediaError message property could have leaked information about cross-origin resources (CVE-2021-23973)

    Affected Products:

    Red Hat Enterprise Linux for x86_64 - Extended Update Support 8.1 x86_64
    Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 8.1 s390x
    Red Hat Enterprise Linux for Power, little endian - Extended Update Support 8.1 ppc64le
    Red Hat Enterprise Linux for ARM 64 - Extended Update Support 8.1 aarch64
    Red Hat Enterprise Linux Server (for IBM Power LE) - Update Services for SAP Solutions 8.1 ppc64le
    Red Hat Enterprise Linux Server - Update Services for SAP Solutions 8.1 x86_64

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    On successful exploitation, it could allow an attacker to execute code.
    Solution
    Upgrade to the latest packages which contain a patch. Refer to Applying Package Updates to RHEL system for details.

    Refer to Red Hat security advisory RHSA-2021:0659 to address this issue and obtain more information.

    Patches
    Red Hat Enterprise Linux RHSA-2021:0659
  • CVE-2021-23968+
    Recently Published

    Red Hat Update for firefox (RHSA-2021:0660)

    Severity
    Urgent5
    Qualys ID
    239098
    Date Published
    March 1, 2021
    Vendor Reference
    RHSA-2021:0660
    CVE Reference
    CVE-2021-23968, CVE-2021-23969, CVE-2021-23973, CVE-2021-23978
    CVSS Scores
    Base 8.8 / Temporal 7.7
    Description
    Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability.This update upgrades Firefox to version 78.8.0 ESR.

    Security Fix(es): Mozilla: Content Security Policy violation report could have contained the destination of a redirect (CVE-2021-23968) Mozilla: Content Security Policy violation report could have contained the destination of a redirect (CVE-2021-23969) Mozilla: Memory safety bugs fixed in Firefox 86 and Firefox ESR 78.8 (CVE-2021-23978) Mozilla: MediaError message property could have leaked information about cross-origin resources (CVE-2021-23973)

    Affected Products:

    Red Hat Enterprise Linux for x86_64 - Extended Update Support 8.2 x86_64
    Red Hat Enterprise Linux Server - AUS 8.2 x86_64
    Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 8.2 s390x
    Red Hat Enterprise Linux for Power, little endian - Extended Update Support 8.2 ppc64le
    Red Hat Enterprise Linux Server - TUS 8.2 x86_64
    Red Hat Enterprise Linux for ARM 64 - Extended Update Support 8.2 aarch64
    Red Hat Enterprise Linux Server (for IBM Power LE) - Update Services for SAP Solutions 8.2 ppc64le
    Red Hat Enterprise Linux Server - Update Services for SAP Solutions 8.2 x86_64

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    On successful exploitation, it could allow an attacker to execute code.
    Solution
    Upgrade to the latest packages which contain a patch. Refer to Applying Package Updates to RHEL system for details.

    Refer to Red Hat security advisory RHSA-2021:0660 to address this issue and obtain more information.

    Patches
    Red Hat Enterprise Linux RHSA-2021:0660
  • CVE-2021-27135
    Recently Published

    Red Hat Update for xterm (RHSA-2021:0650)

    Severity
    Critical4
    Qualys ID
    239105
    Date Published
    March 1, 2021
    Vendor Reference
    RHSA-2021:0650
    CVE Reference
    CVE-2021-27135
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description
    The xterm program is a terminal emulator for the X Window System. It provides DEC VT102 and Tektronix 4014 compatible terminals for programs that can't use the window system directly.

    Security Fix(es): xterm: crash when processing combining characters (CVE-2021-27135)

    Affected Products:

    Red Hat Enterprise Linux for x86_64 - Extended Update Support 8.1 x86_64
    Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 8.1 s390x
    Red Hat Enterprise Linux for Power, little endian - Extended Update Support 8.1 ppc64le
    Red Hat Enterprise Linux for ARM 64 - Extended Update Support 8.1 aarch64
    Red Hat Enterprise Linux Server (for IBM Power LE) - Update Services for SAP Solutions 8.1 ppc64le
    Red Hat Enterprise Linux Server - Update Services for SAP Solutions 8.1 x86_64

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    On successful exploitation, it could allow an attacker to execute code.
    Solution
    Upgrade to the latest packages which contain a patch. Refer to Applying Package Updates to RHEL system for details.

    Refer to Red Hat security advisory RHSA-2021:0650 to address this issue and obtain more information.

    Patches
    Red Hat Enterprise Linux RHSA-2021:0650
  • CVE-2021-27135
    Recently Published

    Red Hat Update for xterm (RHSA-2021:0651)

    Severity
    Critical4
    Qualys ID
    239104
    Date Published
    March 1, 2021
    Vendor Reference
    RHSA-2021:0651
    CVE Reference
    CVE-2021-27135
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description
    The xterm program is a terminal emulator for the X Window System. It provides DEC VT102 and Tektronix 4014 compatible terminals for programs that can't use the window system directly.

    Security Fix(es): xterm: crash when processing combining characters (CVE-2021-27135)

    Affected Products:

    Red Hat Enterprise Linux for x86_64 - Extended Update Support 8.2 x86_64
    Red Hat Enterprise Linux Server - AUS 8.2 x86_64
    Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 8.2 s390x
    Red Hat Enterprise Linux for Power, little endian - Extended Update Support 8.2 ppc64le
    Red Hat Enterprise Linux Server - TUS 8.2 x86_64
    Red Hat Enterprise Linux for ARM 64 - Extended Update Support 8.2 aarch64
    Red Hat Enterprise Linux Server (for IBM Power LE) - Update Services for SAP Solutions 8.2 ppc64le
    Red Hat Enterprise Linux Server - Update Services for SAP Solutions 8.2 x86_64

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    On successful exploitation, it could allow an attacker to execute code.
    Solution
    Upgrade to the latest packages which contain a patch. Refer to Applying Package Updates to RHEL system for details.

    Refer to Red Hat security advisory RHSA-2021:0651 to address this issue and obtain more information.

    Patches
    Red Hat Enterprise Linux RHSA-2021:0651
  • CVE-2021-23968+
    Recently Published

    Red Hat Update for thunderbird (RHSA-2021:0657)

    Severity
    Critical4
    Qualys ID
    239101
    Date Published
    March 1, 2021
    Vendor Reference
    RHSA-2021:0657
    CVE Reference
    CVE-2021-23968, CVE-2021-23969, CVE-2021-23973, CVE-2021-23978
    CVSS Scores
    Base 8.8 / Temporal 7.7
    Description
    Mozilla Thunderbird is a standalone mail and newsgroup client.This update upgrades Thunderbird to version 78.8.0.

    Security Fix(es): Mozilla: Content Security Policy violation report could have contained the destination of a redirect (CVE-2021-23968) Mozilla: Content Security Policy violation report could have contained the destination of a redirect (CVE-2021-23969) Mozilla: Memory safety bugs fixed in Firefox 86 and Firefox ESR 78.8 (CVE-2021-23978) Mozilla: MediaError message property could have leaked information about cross-origin resources (CVE-2021-23973)

    Affected Products:

    Red Hat Enterprise Linux for x86_64 8 x86_64
    Red Hat Enterprise Linux for Power, little endian 8 ppc64le
    Red Hat Enterprise Linux for ARM 64 8 aarch64

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    On successful exploitation, it could allow an attacker to execute code.
    Solution
    Upgrade to the latest packages which contain a patch. Refer to Applying Package Updates to RHEL system for details.

    Refer to Red Hat security advisory RHSA-2021:0657 to address this issue and obtain more information.

    Patches
    Red Hat Enterprise Linux RHSA-2021:0657
  • CVE-2021-23968+
    Recently Published

    Red Hat Update for thunderbird (RHSA-2021:0658)

    Severity
    Critical4
    Qualys ID
    239100
    Date Published
    March 1, 2021
    Vendor Reference
    RHSA-2021:0658
    CVE Reference
    CVE-2021-23968, CVE-2021-23969, CVE-2021-23973, CVE-2021-23978
    CVSS Scores
    Base 8.8 / Temporal 7.7
    Description
    Mozilla Thunderbird is a standalone mail and newsgroup client.This update upgrades Thunderbird to version 78.8.0.

    Security Fix(es): Mozilla: Content Security Policy violation report could have contained the destination of a redirect (CVE-2021-23968) Mozilla: Content Security Policy violation report could have contained the destination of a redirect (CVE-2021-23969) Mozilla: Memory safety bugs fixed in Firefox 86 and Firefox ESR 78.8 (CVE-2021-23978) Mozilla: MediaError message property could have leaked information about cross-origin resources (CVE-2021-23973)

    Affected Products:

    Red Hat Enterprise Linux for x86_64 - Extended Update Support 8.1 x86_64
    Red Hat Enterprise Linux for Power, little endian - Extended Update Support 8.1 ppc64le
    Red Hat Enterprise Linux Server (for IBM Power LE) - Update Services for SAP Solutions 8.1 ppc64le
    Red Hat Enterprise Linux Server - Update Services for SAP Solutions 8.1 x86_64

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    On successful exploitation, it could allow an attacker to execute code.
    Solution
    Upgrade to the latest packages which contain a patch. Refer to Applying Package Updates to RHEL system for details.

    Refer to Red Hat security advisory RHSA-2021:0658 to address this issue and obtain more information.

    Patches
    Red Hat Enterprise Linux RHSA-2021:0658
  • CVE-2021-23968+
    Recently Published

    Red Hat Update for thunderbird (RHSA-2021:0661)

    Severity
    Critical4
    Qualys ID
    239097
    Date Published
    March 1, 2021
    Vendor Reference
    RHSA-2021:0661
    CVE Reference
    CVE-2021-23968, CVE-2021-23969, CVE-2021-23973, CVE-2021-23978
    CVSS Scores
    Base 8.8 / Temporal 7.7
    Description
    Mozilla Thunderbird is a standalone mail and newsgroup client.This update upgrades Thunderbird to version 78.8.0.

    Security Fix(es): Mozilla: Content Security Policy violation report could have contained the destination of a redirect (CVE-2021-23968) Mozilla: Content Security Policy violation report could have contained the destination of a redirect (CVE-2021-23969) Mozilla: Memory safety bugs fixed in Firefox 86 and Firefox ESR 78.8 (CVE-2021-23978) Mozilla: MediaError message property could have leaked information about cross-origin resources (CVE-2021-23973)

    Affected Products:

    Red Hat Enterprise Linux Server 7 x86_64
    Red Hat Enterprise Linux Workstation 7 x86_64
    Red Hat Enterprise Linux Desktop 7 x86_64
    Red Hat Enterprise Linux for Power, little endian 7 ppc64le

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    On successful exploitation, it could allow an attacker to execute code.
    Solution
    Upgrade to the latest packages which contain a patch. Refer to Applying Package Updates to RHEL system for details.

    Refer to Red Hat security advisory RHSA-2021:0661 to address this issue and obtain more information.

    Patches
    Red Hat Enterprise Linux RHSA-2021:0661
  • CVE-2021-23968+
    Recently Published

    Red Hat Update for thunderbird (RHSA-2021:0662)

    Severity
    Critical4
    Qualys ID
    239096
    Date Published
    March 1, 2021
    Vendor Reference
    RHSA-2021:0662
    CVE Reference
    CVE-2021-23968, CVE-2021-23969, CVE-2021-23973, CVE-2021-23978
    CVSS Scores
    Base 8.8 / Temporal 7.7
    Description
    Mozilla Thunderbird is a standalone mail and newsgroup client.This update upgrades Thunderbird to version 78.8.0.

    Security Fix(es): Mozilla: Content Security Policy violation report could have contained the destination of a redirect (CVE-2021-23968) Mozilla: Content Security Policy violation report could have contained the destination of a redirect (CVE-2021-23969) Mozilla: Memory safety bugs fixed in Firefox 86 and Firefox ESR 78.8 (CVE-2021-23978) Mozilla: MediaError message property could have leaked information about cross-origin resources (CVE-2021-23973)

    Affected Products:

    Red Hat Enterprise Linux for x86_64 - Extended Update Support 8.2 x86_64
    Red Hat Enterprise Linux Server - AUS 8.2 x86_64
    Red Hat Enterprise Linux for Power, little endian - Extended Update Support 8.2 ppc64le
    Red Hat Enterprise Linux Server - TUS 8.2 x86_64
    Red Hat Enterprise Linux for ARM 64 - Extended Update Support 8.2 aarch64
    Red Hat Enterprise Linux Server (for IBM Power LE) - Update Services for SAP Solutions 8.2 ppc64le
    Red Hat Enterprise Linux Server - Update Services for SAP Solutions 8.2 x86_64

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    On successful exploitation, it could allow an attacker to execute code.
    Solution
    Upgrade to the latest packages which contain a patch. Refer to Applying Package Updates to RHEL system for details.

    Refer to Red Hat security advisory RHSA-2021:0662 to address this issue and obtain more information.

    Patches
    Red Hat Enterprise Linux RHSA-2021:0662
  • CVE-2019-25013+
    Recently Published

    SUSE Enterprise Linux Security Update for glibc (SUSE-SU-2021:0608-1)

    Severity
    Critical4
    Qualys ID
    174664
    Date Published
    March 1, 2021
    Vendor Reference
    SUSE-SU-2021:0608-1
    CVE Reference
    CVE-2019-25013, CVE-2021-3326
    CVSS Scores
    Base 7.5 / Temporal 6.5
    Description
    SUSE has released security update for glibc to fix the vulnerabilities.

    Affected Products:
    SUSE Linux Enterprise Software Development Kit 12-SP5
    SUSE Linux Enterprise Server 12-SP5

    Consequence
    An arbitrary attacker may exploit this vulnerability to compromise the system.
    Solution
    Upgrade to the latest packages which contain a patch. To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product.

    To install packages using the command line interface, use the command "yum update".

    Refer to Suse security advisory SUSE-SU-2021:0608-1 to address this issue and obtain further details.

    Patches
    SUSE Enterprise Linux SUSE-SU-2021:0608-1
  • CVE-2021-23969+
    Recently Published

    MozillaFirefox ESR Multiple Vulnerabilities (MFSA2021-08)

    Severity
    Urgent5
    Qualys ID
    375211
    Date Published
    February 26, 2021
    Vendor Reference
    MFSA2021-08
    CVE Reference
    CVE-2021-23969, CVE-2021-23968, CVE-2021-23973, CVE-2021-23978
    CVSS Scores
    Base 8.8 / Temporal 7.7
    Description
    Firefox is a free and open-source web browser developed for Windows, OS X, and Linux, with a mobile version for Android.

    CVE-2021-23969: Content Security Policy violation report could have contained the destination of a redirect
    CVE-2021-23968: Content Security Policy violation report could have contained the destination of a redirect
    CVE-2021-23973: MediaError message property could have leaked information about cross-origin resources
    CVE-2021-23978: Memory safety bugs fixed in Firefox 86 and Firefox ESR 78.8

    Affected Products :
    Prior to Firefox ESR 78.8

    QID Detection Logic (Authenticated) :
    This checks for vulnerable version of Firefox browser.

    Consequence
    On successful exploitation it could allow an attacker to execute code.
    Solution
    Vendor has released fix to address these vulnerabilities. Refer to MFSA2021-08
    Patches
    MAC OS X MFSA2021-08, Windows MFSA2021-08
  • CVE-2021-23969+
    Recently Published

    MozillaThunderbird Multiple Vulnerabilities (MFSA2021-09)

    Severity
    Urgent5
    Qualys ID
    375210
    Date Published
    February 26, 2021
    Vendor Reference
    MFSA2021-09
    CVE Reference
    CVE-2021-23969, CVE-2021-23968, CVE-2021-23973, CVE-2021-23978
    CVSS Scores
    Base 8.8 / Temporal 7.7
    Description
    Firefox is a free and open-source web browser developed for Windows, OS X, and Linux, with a mobile version for Android.

    CVE-2021-23969: Content Security Policy violation report could have contained the destination of a redirect
    CVE-2021-23968: Content Security Policy violation report could have contained the destination of a redirect
    CVE-2021-23973: MediaError message property could have leaked information about cross-origin resources
    CVE-2021-23978: Memory safety bugs fixed in Thunderbird 78.8

    Affected Products :
    Prior to Thunderbird 78.8

    QID Detection Logic (Authenticated) :
    This checks for vulnerable version of Firefox browser.

    Consequence
    On successful exploitation it could allow an attacker to execute code.
    Solution
    Vendor has released fix to address these vulnerabilities. Refer to MFSA2021-09
    Patches
    MAC OS X MFSA2021-09, Windows MFSA2021-09
  • Recently Published

    EOL/Obsolete Software : JetBrains TeamCity 7.x Detected

    Severity
    Urgent5
    Qualys ID
    650043
    Date Published
    February 26, 2021
    Vendor Reference
    JetBrains TeamCity Release Cycle End of Support Information
    CVSS Scores
    Base 7.2 / Temporal 6.6
    Description
    JetBrains TeamCity Server is a Java-based build management and continuous integration server from JetBrains. According to JetBrains TeamCity Release Cycle document and JetBrains TeamCity version history page, JetBrains TeamCity 7.x, is no longer supported and will not be getting regular patches.

    QID Detection Logic (unauthenticated):
    The QID sends a GET /login.html request to verify if the TeamCity Server is running. The version extracted is displayed in the results section.

    QID Detection Logic (authenticated):
    OS: Linux The QID check for running process to extract the install directory of TeamCity. The BUILD file and JetBrains TeamCity Server are checked to extract the version.

    Consequence
    The system is at high risk of being exposed to security vulnerabilities because the vendor no longer provides updates.

    Solution

    Update to the latest version of JetBrains TeamCity.

  • Recently Published

    EOL/Obsolete Software : JetBrains TeamCity 8.x Detected

    Severity
    Urgent5
    Qualys ID
    650042
    Date Published
    February 26, 2021
    Vendor Reference
    JetBrains TeamCity Release Cycle End of Support Information
    CVSS Scores
    Base 7.2 / Temporal 6.6
    Description
    JetBrains TeamCity Server is a Java-based build management and continuous integration server from JetBrains. According to JetBrains TeamCity Release Cycle document and JetBrains TeamCity version history page, JetBrains TeamCity 8.x, is no longer supported and will not be getting regular patches.

    QID Detection Logic (unauthenticated):
    The QID sends a GET /login.html request to verify if the TeamCity Server is running. The version extracted is displayed in the results section.

    QID Detection Logic (authenticated):
    OS: Linux The QID check for running process to extract the install directory of TeamCity. The BUILD file and JetBrains TeamCity Server are checked to extract the version.

    Consequence
    The system is at high risk of being exposed to security vulnerabilities because the vendor no longer provides updates.

    Solution

    Update to the latest version of JetBrains TeamCity.

  • Recently Published

    EOL/Obsolete Software : JetBrains TeamCity 9.x Detected

    Severity
    Urgent5
    Qualys ID
    650041
    Date Published
    February 26, 2021
    Vendor Reference
    JetBrains TeamCity Release Cycle End of Support Information
    CVSS Scores
    Base 7.2 / Temporal 6.6
    Description
    JetBrains TeamCity Server is a Java-based build management and continuous integration server from JetBrains. According to JetBrains TeamCity Release Cycle document and JetBrains TeamCity version history page, JetBrains TeamCity 9.x, is no longer supported and will not be getting regular patches.

    QID Detection Logic (unauthenticated):
    The QID sends a GET /login.html request to verify if the TeamCity Server is running. The version extracted is displayed in the results section.

    QID Detection Logic (authenticated):
    OS: Linux The QID check for running process to extract the install directory of TeamCity. The BUILD file and JetBrains TeamCity Server are checked to extract the version.

    Consequence
    The system is at high risk of being exposed to security vulnerabilities because the vendor no longer provides updates.

    Solution

    Update to the latest version of JetBrains TeamCity.

  • Recently Published

    EOL/Obsolete Software : JetBrains TeamCity 10.x Detected

    Severity
    Urgent5
    Qualys ID
    650040
    Date Published
    February 26, 2021
    Vendor Reference
    JetBrains TeamCity Release Cycle End of Support Information
    CVSS Scores
    Base 7.2 / Temporal 6.6
    Description
    JetBrains TeamCity Server is a Java-based build management and continuous integration server from JetBrains. According to JetBrains TeamCity Release Cycle document and JetBrains TeamCity version history page, JetBrains TeamCity 10.x, is no longer supported and will not be getting regular patches.

    QID Detection Logic (unauthenticated):
    The QID sends a GET /login.html request to verify if the TeamCity Server is running. The version extracted is displayed in the results section.

    QID Detection Logic (authenticated):
    OS: Linux The QID check for running process to extract the install directory of TeamCity. The BUILD file and JetBrains TeamCity Server are checked to extract the version.

    Consequence
    The system is at high risk of being exposed to security vulnerabilities because the vendor no longer provides updates.

    Solution

    Update to the latest version of JetBrains TeamCity.

  • Recently Published

    EOL/Obsolete Software : JetBrains TeamCity 2017.x Detected

    Severity
    Urgent5
    Qualys ID
    650039
    Date Published
    February 26, 2021
    Vendor Reference
    JetBrains TeamCity Release Cycle End of Support Information
    CVSS Scores
    Base 7.2 / Temporal 6.6
    Description
    JetBrains TeamCity Server is a Java-based build management and continuous integration server from JetBrains. According to JetBrains TeamCity Release Cycle document and JetBrains TeamCity version history page, JetBrains TeamCity 2017.x, is no longer supported and will not be getting regular patches.

    QID Detection Logic (unauthenticated):
    The QID sends a GET /login.html request to verify if the TeamCity Server is running. The version extracted is displayed in the results section.

    QID Detection Logic (authenticated):
    OS: Linux The QID check for running process to extract the install directory of TeamCity. The BUILD file and JetBrains TeamCity Server are checked to extract the version.

    Consequence
    The system is at high risk of being exposed to security vulnerabilities because the vendor no longer provides updates.

    Solution

    Update to the latest version of JetBrains TeamCity.

  • Recently Published

    EOL/Obsolete Software : JetBrains TeamCity 2018.x Detected

    Severity
    Urgent5
    Qualys ID
    650038
    Date Published
    February 26, 2021
    Vendor Reference
    JetBrains TeamCity Release Cycle End of Support Information
    CVSS Scores
    Base 7.2 / Temporal 6.6
    Description
    JetBrains TeamCity Server is a Java-based build management and continuous integration server from JetBrains. According to JetBrains TeamCity Release Cycle document and JetBrains TeamCity version history page, JetBrains TeamCity 2018.x, is no longer supported and will not be getting regular patches.

    QID Detection Logic (unauthenticated):
    The QID sends a GET /login.html request to verify if the TeamCity Server is running. The version extracted is displayed in the results section.

    QID Detection Logic (authenticated):
    OS: Linux The QID check for running process to extract the install directory of TeamCity. The BUILD file and JetBrains TeamCity Server are checked to extract the version.

    Consequence
    The system is at high risk of being exposed to security vulnerabilities because the vendor no longer provides updates.

    Solution

    Update to the latest version of JetBrains TeamCity.

  • Recently Published

    EOL/Obsolete Software : JetBrains TeamCity 2019.x Detected

    Severity
    Urgent5
    Qualys ID
    650037
    Date Published
    February 26, 2021
    Vendor Reference
    JetBrains TeamCity Release Cycle End of Support Information
    CVSS Scores
    Base 7.2 / Temporal 6.6
    Description
    JetBrains TeamCity Server is a Java-based build management and continuous integration server from JetBrains. According to JetBrains TeamCity Release Cycle document and JetBrains TeamCity version history page, JetBrains TeamCity 2019.x, is no longer supported and will not be getting regular patches.

    QID Detection Logic (unauthenticated):
    The QID sends a GET /login.html request to verify if the TeamCity Server is running. The version extracted is displayed in the results section.

    QID Detection Logic (authenticated):
    OS: Linux The QID check for running process to extract the install directory of TeamCity. The BUILD file and JetBrains TeamCity Server are checked to extract the version.

    Consequence
    The system is at high risk of being exposed to security vulnerabilities because the vendor no longer provides updates.

    Solution

    Update to the latest version of JetBrains TeamCity.

  • CVE-2021-21972+
    In Development

    VMware vCenter Server 6.5 Update 6.5 U3n Missing (VMSA-2021-0002)

    Severity
    Critical4
    Qualys ID
    216255
    Vendor Reference
    VMSA-2021-0002
    CVE Reference
    CVE-2021-21972, CVE-2021-21973
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description
    VMware vCenter is the centralized management tool for the vSphere suite.

    The vSphere Client (HTML5) contains a remote code execution vulnerability in a vCenter Server plugin. VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.8..

    The vSphere Client (HTML5) contains an SSRF (Server Side Request Forgery) vulnerability due to improper validation of URLs in a vCenter Server plugin. VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 5.3.

    Affected Versions:
    VMware vCenter Server 6.5 prior to build 17590285

    QID Detection Logic (Unauthenticated):
    This QID checks for vulnerable versions of VMware vCenter Server with build version using web service present on target.

    Consequence
    A malicious actor with network access to port 443 may exploit this issue to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server.
    Solution
    Vmware has released patch for VMware vCenter Server 6.5 , visit VMware vCenter Server 6.5 Update 3n Release Notes

    Refer to VMware advisory VMSA-2021-0002 for more information.

    Patches
    VMSA-2021-0002
  • CVE-2021-21972+
    In Development

    VMware vCenter Server 6.7 Update 6.7 U3l Missing (VMSA-2021-0002)

    Severity
    Critical4
    Qualys ID
    216254
    Vendor Reference
    VMSA-2021-0002
    CVE Reference
    CVE-2021-21972, CVE-2021-21973
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description
    VMware vCenter is the centralized management tool for the vSphere suite.

    The vSphere Client (HTML5) contains a remote code execution vulnerability in a vCenter Server plugin. VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.8..

    The vSphere Client (HTML5) contains an SSRF (Server Side Request Forgery) vulnerability due to improper validation of URLs in a vCenter Server plugin. VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 5.3.

    Affected Versions:
    VMware vCenter Server 6.7 prior to build 17138064

    QID Detection Logic (Unauthenticated):
    This QID checks for vulnerable versions of VMware vCenter Server with build version using web service present on target.

    Consequence
    A malicious actor with network access to port 443 may exploit this issue to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server.
    Solution
    Vmware has released patch for VMware vCenter Server 6.7 , visit VMware vCenter Server 6.7 Update 3l Release Notes

    Refer to VMware advisory VMSA-2021-0002 for more information.

    Patches
    VMSA-2021-0002
  • CVE-2021-21972+
    In Development

    VMware vCenter Server 7.0 Update 7.0 U1c Missing (VMSA-2021-0002)

    Severity
    Critical4
    Qualys ID
    216253
    Vendor Reference
    VMSA-2021-0002
    CVE Reference
    CVE-2021-21972, CVE-2021-21973
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description
    VMware vCenter is the centralized management tool for the vSphere suite.

    The vSphere Client (HTML5) contains a remote code execution vulnerability in a vCenter Server plugin. VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.8..

    The vSphere Client (HTML5) contains an SSRF (Server Side Request Forgery) vulnerability due to improper validation of URLs in a vCenter Server plugin. VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 5.3.

    Affected Versions:
    VMware vCenter Server 7.0 prior to build 17327517

    QID Detection Logic (Unauthenticated):
    This QID checks for vulnerable versions of VMware vCenter Server with build version using web service present on target.

    Consequence
    A malicious actor with network access to port 443 may exploit this issue to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server.
    Solution
    Vmware has released patch for VMware vCenter Server 7.0 , visit VMware vCenter Server 7.0 Update 1c Release Notes

    Refer to VMware advisory VMSA-2021-0002 for more information.

    Patches
    VMSA-2021-0002
  • CVE-2021-21261
    Recently Published

    Amazon Linux Security Advisory for flatpak: ALAS2-2021-1597

    Severity
    Critical4
    Qualys ID
    352233
    Date Published
    March 3, 2021
    Vendor Reference
    ALAS-2021-1597
    CVE Reference
    CVE-2021-21261
    CVSS Scores
    Base 8.8 / Temporal 7
    Description
    <DIV> Issue Overview:

    A flaw was found in Flatpak. The Flatpak portal D-Bus service passes caller-specified environment variables to non-sandboxed processes on the host system, and in particular to the `flatpak run` command that is used to launch the new sandbox instance. A malicious or compromised Flatpak app could set environment variables that are trusted by the `flatpak run` command, and use them to execute arbitrary code that is outside the sandbox. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. (CVE-2021-21261 )

    </DIV>
    Consequence
    Allows unauthorized disclosure of information; allows unauthorized modification; allows disruption of service.
    Solution
    Please refer to Amazon advisory ALAS-2021-1597 for affected packages and patching details, or update with your package manager.
    Patches
    Amazon Linux 2 flatpak (1.0.9-10.amzn2) on aarch64 ALAS-2021-1597, Amazon Linux 2 flatpak (1.0.9-10.amzn2) on i686 ALAS-2021-1597, Amazon Linux 2 flatpak (1.0.9-10.amzn2) on src ALAS-2021-1597, Amazon Linux 2 flatpak (1.0.9-10.amzn2) on x86_64 ALAS-2021-1597
  • CVE-2021-1280
    Recently Published

    Cisco AMP and Immunet DLL Hijacking Vulnerability

    Severity
    Critical4
    Qualys ID
    375212
    Date Published
    March 1, 2021
    Vendor Reference
    cisco-sa-amp-imm-dll-5PAZ3hRV
    CVE Reference
    CVE-2021-1280
    CVSS Scores
    Base 7.3 / Temporal 6.4
    Description
    A vulnerability in the loading mechanism of specific DLLs of Cisco Advanced Malware Protection (AMP) for Endpoints for Windows and Immunet for Windows could allow an authenticated, local attacker to perform a DLL hijacking attack. To exploit this vulnerability, the attacker would need valid credentials on the Windows system.

    Affected Versions:
    Cisco AMP for Endpoints Prior to Version 7.3.3

    Immunet Prior to Version 7.3.12

    QID Detection Logic:
    QID checks for the vulnerable version of Cisco AMP and Immunet

    Consequence
    Successful exploitation could allow an authenticated, local attacker to perform a DLL hijacking attack.

    Solution
    Vendor has released fix to address these vulnerabilities. Refer to cisco-sa-amp-imm-dll-5PAZ3hRV
    Patches
    cisco-sa-amp-imm-dll-5PAZ3hRV
  • CVE-2021-23969+
    Recently Published

    Mozilla Firefox Multiple Vulnerabilities (MFSA2021-07)

    Severity
    Critical4
    Qualys ID
    375209
    Date Published
    February 26, 2021
    Vendor Reference
    MFSA2021-07
    CVE Reference
    CVE-2021-23969, CVE-2021-23970, CVE-2021-23968, CVE-2021-23974, CVE-2021-23971, CVE-2021-23972, CVE-2021-23975, CVE-2021-23973, CVE-2021-23979
    CVSS Scores
    Base 8.8 / Temporal 7.7
    Description
    Firefox is a free and open-source web browser developed for Windows, OS X, and Linux, with a mobile version for Android.

    CVE-2021-23969: Content Security Policy violation report could have contained the destination of a redirect.
    CVE-2021-23970: Multithreaded WASM triggered assertions validating separation of script domains.
    CVE-2021-23968: Content Security Policy violation report could have contained the destination of a redirect.
    CVE-2021-23974: noscript elements could have led to an HTML Sanitizer bypass.
    CVE-2021-23971: A website's Referrer-Policy could have been be overridden, potentially resulting in the full URL being sent as a Referrer.
    CVE-2021-23972: HTTP Auth phishing warning was omitted when a redirect is cached.
    CVE-2021-23975: about:memory Measure function caused an incorrect pointer operation.
    CVE-2021-23973: MediaError message property could have leaked information about cross-origin resources.
    CVE-2021-23979: Memory safety bugs fixed in Firefox 86.

    Affected Products:
    Prior to Firefox ESR 86

    QID Detection Logic (Authenticated) :
    This checks for vulnerable version of Firefox browser.

    Consequence
    On successful exploitation it could allow to compromise integrity, availability and confidentiality.
    Solution
    Vendor has released fix to address these vulnerabilities. Refer to MFSA 2021-07
    Patches
    MFSA 2021-07
  • CVE-2021-3345
    Recently Published

    Gentoo Linux Libgcrypt Buffer Overflow Vulnerabilities (767814)

    Severity
    Critical4
    Qualys ID
    375213
    Date Published
    February 26, 2021
    Vendor Reference
    CVE-2021-3345
    CVE Reference
    CVE-2021-3345
    CVSS Scores
    Base 7.8 / Temporal 6.8
    Description
    Gentoo Linux is a Linux distribution

    Libgcrypt is affected with buffer overflow vulnerability.

    Affected Package: Libgcrypt

    Affected version : Prior to 1.9.1

    Consequence
    This vulnerability could be exploited to change contents or configuration on the system.
    Solution
    The Vendor has released security update to fix the vulnerability.For more information please visit 767814
    Patches
    gentoo
  • CVE-2021-1361
    Recently Published

    Cisco NX-OS Software Unauthenticated Arbitrary File Actions Vulnerability(cisco-sa-3000-9000-fileaction-QtLzDRy2)

    Severity
    Urgent5
    Qualys ID
    316878
    Date Published
    February 25, 2021
    Vendor Reference
    cisco-sa-3000-9000-fileaction-QtLzDRy2
    CVE Reference
    CVE-2021-1361
    CVSS Scores
    Base 9.1 / Temporal 7.9
    Description

    A vulnerability in the implementation of an internal file management service for
    Cisco Nexus 3000 Series Switches and Cisco Nexus 9000 Series Switches in standalone NX-OS mode
    that are running Cisco NX-OS Software could allow an unauthenticated,
    remote attacker to create, delete, or overwrite arbitrary files with root privileges on the device.

    Affected Products
    Following Cisco products if they are running Cisco NX-OS Software Release 9.3(5) or Release 9.3(6): Nexus 3000 Series Switches Nexus 9000 Series Switches in standalone NX-OS mode

    QID Detection Logic(Authenticated):
    It checks for vulnerable version of Cisco NX-OS using show version Command.

    Consequence
    A successful exploit could allow the attacker to create, delete, or overwrite arbitrary files, including sensitive files that are related to the device configuration.
    Solution

    Customers are advised to refer to cisco-sa-3000-9000-fileaction-QtLzDRy2 for more information.

    Patches
    cisco-sa-3000-9000-fileaction-QtLzDRy2
  • CVE-2021-21974
    Recently Published

    VMware ESXi 6.5 Patch Release ESXi650-202102101-SG Missing (VMSA-2021-0002)

    Severity
    Urgent5
    Qualys ID
    216258
    Date Published
    February 25, 2021
    Vendor Reference
    VMSA-2021-0002
    CVE Reference
    CVE-2021-21974
    CVSS Scores
    Base 8.8 / Temporal 7.7
    Description
    VMware ESXi is an enterprise level computer virtualization product.

    OpenSLP as used in ESXi has a heap-overflow vulnerability. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 8.8.

    Affected Versions:
    VMware ESXi 6.5 prior to build 17477841

    QID Detection Logic (Unauthenticated):
    This QID checks for vulnerable versions of VMware ESXi with build version using web service present on target.

    Consequence
    A malicious actor residing within the same network segment as ESXi who has access to port 427 may be able to trigger the heap-overflow issue in OpenSLP service resulting in remote code execution.
    Solution
    Vmware has released patch for VMware ESXi 6.5 , visit VMware ESXi 6.5, Patch Release ESXi650-202102001

    Refer to VMware advisory VMSA-2021-0002 for more information.

    Patches
    MSA-2021-0002
  • CVE-2021-21974
    Recently Published

    VMware ESXi 6.7 Patch Release ESXi670-202102401-SG Missing (VMSA-2021-0002)

    Severity
    Urgent5
    Qualys ID
    216257
    Date Published
    February 25, 2021
    Vendor Reference
    VMSA-2021-0002
    CVE Reference
    CVE-2021-21974
    CVSS Scores
    Base 8.8 / Temporal 7.7
    Description
    VMware ESXi is an enterprise level computer virtualization product.

    OpenSLP as used in ESXi has a heap-overflow vulnerability. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 8.8.

    Affected Versions:
    VMware ESXi 6.7 prior to build 17499825

    QID Detection Logic (Unauthenticated):
    This QID checks for vulnerable versions of VMware ESXi with build version using web service present on target.

    Consequence
    A malicious actor residing within the same network segment as ESXi who has access to port 427 may be able to trigger the heap-overflow issue in OpenSLP service resulting in remote code execution.
    Solution
    Vmware has released patch for VMware ESXi 6.7 , visit VMware ESXi 6.7, Patch Release ESXi670-202102001

    Refer to VMware advisory VMSA-2021-0002 for more information.

    Patches
    MSA-2021-0002
  • CVE-2021-21974
    Recently Published

    VMware ESXi 7.0 Patch Release ESXi70U1c-17325551 Missing (VMSA-2021-0002)

    Severity
    Urgent5
    Qualys ID
    216256
    Date Published
    February 25, 2021
    Vendor Reference
    VMSA-2021-0002
    CVE Reference
    CVE-2021-21974
    CVSS Scores
    Base 8.8 / Temporal 7.7
    Description
    VMware ESXi is an enterprise level computer virtualization product.

    OpenSLP as used in ESXi has a heap-overflow vulnerability. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 8.8.

    Affected Versions:
    VMware ESXi 7.0 prior to build 17325551

    QID Detection Logic (Unauthenticated):
    This QID checks for vulnerable versions of VMware ESXi with build version using web service present on target.

    Consequence
    A malicious actor residing within the same network segment as ESXi who has access to port 427 may be able to trigger the heap-overflow issue in OpenSLP service resulting in remote code execution.
    Solution
    Vmware has released patch for VMware ESXi 6.5 , visit VMware ESXi 7.0 Update 1c Release Notes

    Refer to VMware advisory VMSA-2021-0002 for more information.

    Patches
    VMSA-2021-0002
  • CVE-2021-1227
    Recently Published

    Cisco NX-OS Software NX-API Cross-Site Request Forgery Vulnerability(cisco-sa-nxos-nxapi-csrf-wRMzWL9z)

    Severity
    Critical4
    Qualys ID
    316879
    Date Published
    February 25, 2021
    Vendor Reference
    cisco-sa-nxos-nxapi-csrf-wRMzWL9z
    CVE Reference
    CVE-2021-1227
    CVSS Scores
    Base 8.1 / Temporal 7.1
    Description

    A vulnerability in the NX-API feature of Cisco NX-OS Software could allow an
    unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack on an affected system.

    Affected Products
    Following Cisco products if they are running a vulnerable release of Cisco NX-OS Software and have the NX-API configured: MDS 9000 Series Multilayer Switches (CSCvv92342)
    Nexus 3000 Series Switches (CSCvr82908)
    Nexus 5500 Platform Switches (CSCvu67365) Nexus 5600 Platform Switches (CSCvu67365) Nexus 6000 Series Switches (CSCvu67365) Nexus 7000 Series Switches (CSCvv92342) Nexus 9000 Series Switches in standalone NX-OS mode (CSCvr82908) Note: The NX-API feature is disabled by default.

    QID Detection Logic(Authenticated):
    It checks for vulnerable version of Cisco NX-OS using show version Command.

    Consequence

    A successful exploit could allow the attacker to perform arbitrary actions with the privilege level of the affected user.
    The attacker could view and modify the device configuration.

    Solution

    Customers are advised to refer to cisco-sa-nxos-nxapi-csrf-wRMzWL9z for more information.

    Patches
    cisco-sa-nxos-nxapi-csrf-wRMzWL9z
  • CVE-2020-17525
    Recently Published

    Amazon Linux Security Advisory for subversion: ALAS-2021-1483

    Severity
    Critical4
    Qualys ID
    352238
    Date Published
    February 25, 2021
    Vendor Reference
    ALAS-2021-1483
    CVE Reference
    CVE-2020-17525
    CVSS Scores
    Base 0 / Temporal 0
    Description
    <DIV> Issue Overview:

    A null-pointer-dereference flaw was found in mod_authz_svn of subversion. This flaw allows a remote, unauthenticated attacker to cause a denial of service in some server configurations. The highest threat from this vulnerability is to system availability. (CVE-2020-17525 )

    </DIV>
    Consequence
    Allows unauthorized disclosure of information; allows unauthorized modification; allows disruption of service.
    Solution
    Please refer to Amazon advisory ALAS-2021-1483 for affected packages and patching details, or update with your package manager.
    Patches
    Amazon Linux subversion (1.9.7-1.61.amzn1) on i686 ALAS-2021-1483, Amazon Linux subversion (1.9.7-1.61.amzn1) on src ALAS-2021-1483, Amazon Linux subversion (1.9.7-1.61.amzn1) on x86_64 ALAS-2021-1483
  • Recently Published

    EOL/Obsolete Software: Qualys Cloud Agent Detected

    Severity
    Urgent5
    Qualys ID
    105961
    Date Published
    February 25, 2021
    Vendor Reference
    Cloud Agent EOL
    CVSS Scores
    Base 9.8 / Temporal 9
    Description
    Qualys Cloud Agent end-of-service for Windows, Linux, AIX and MacOS.

    Affected Versions:
    Qualys Cloud Agent version prior to 2.1 for Windows
    Qualys Cloud Agent version prior to 2.0 for Linux, AIX, MACOS

    It is recommended that customers migrate to latest versions of the Qualys Cloud Agent. See Cloud Agent Platform Availability Matrix.

    Consequence
    Qualys no longer supports these binary versions. Note: these affected versions have no known vulnerabilities.
    Solution
    Customers are advised to upgrade to the latest version by downloading the binary from the Cloud Agent module via the Qualys console. Please refer to sections End-of-Service Cloud Agent Versions and It is easy to install agents from Qualys Cloud Agent Getting Started Guide
    Qualys Cloud Agents support auto upgrade to maintain agents at the latest GA version.
  • CVE-2021-27135
    Recently Published

    Red Hat Update for xterm (RHSA-2021:0611)

    Severity
    Critical4
    Qualys ID
    239092
    Date Published
    February 24, 2021
    Vendor Reference
    RHSA-2021:0611
    CVE Reference
    CVE-2021-27135
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description
    The xterm program is a terminal emulator for the X Window System. It provides DEC VT102 and Tektronix 4014 compatible terminals for programs that can't use the window system directly.

    Security Fix(es): xterm: crash when processing combining characters (CVE-2021-27135)

    Affected Products:

    Red Hat Enterprise Linux for x86_64 8 x86_64
    Red Hat Enterprise Linux for IBM z Systems 8 s390x
    Red Hat Enterprise Linux for Power, little endian 8 ppc64le
    Red Hat Enterprise Linux for ARM 64 8 aarch64

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    On successful exploitation, it could allow an attacker to execute code.
    Solution
    Upgrade to the latest packages which contain a patch. Refer to Applying Package Updates to RHEL system for details.

    Refer to Red Hat security advisory RHSA-2021:0611 to address this issue and obtain more information.

    Patches
    Red Hat Enterprise Linux RHSA-2021:0611
  • CVE-2021-27135
    Recently Published

    Red Hat Update for xterm (RHSA-2021:0617)

    Severity
    Critical4
    Qualys ID
    239091
    Date Published
    February 24, 2021
    Vendor Reference
    RHSA-2021:0617
    CVE Reference
    CVE-2021-27135
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description
    The xterm program is a terminal emulator for the X Window System. It provides DEC VT102 and Tektronix 4014 compatible terminals for programs that can't use the window system directly.

    Security Fix(es): xterm: crash when processing combining characters (CVE-2021-27135)

    Affected Products:

    Red Hat Enterprise Linux Server 7 x86_64
    Red Hat Enterprise Linux Workstation 7 x86_64
    Red Hat Enterprise Linux Desktop 7 x86_64
    Red Hat Enterprise Linux for IBM z Systems 7 s390x
    Red Hat Enterprise Linux for Power, big endian 7 ppc64
    Red Hat Enterprise Linux for Scientific Computing 7 x86_64
    Red Hat Enterprise Linux for Power, little endian 7 ppc64le

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    On successful exploitation, it could allow an attacker to execute code.
    Solution
    Upgrade to the latest packages which contain a patch. Refer to Applying Package Updates to RHEL system for details.

    Refer to Red Hat security advisory RHSA-2021:0617 to address this issue and obtain more information.

    Patches
    Red Hat Enterprise Linux RHSA-2021:0617
  • CVE-2020-1945+
    Recently Published

    Red Hat Update for OpenShift Container Platform 4.6.17 (RHSA-2021:0423)

    Severity
    Critical4
    Qualys ID
    239093
    Date Published
    February 24, 2021
    Vendor Reference
    RHSA-2021:0423
    CVE Reference
    CVE-2020-1945, CVE-2020-11979, CVE-2021-21602, CVE-2021-21603, CVE-2021-21604, CVE-2021-21605, CVE-2021-21606, CVE-2021-21607, CVE-2021-21608, CVE-2021-21609, CVE-2021-21610, CVE-2021-21611, CVE-2021-21615
    CVSS Scores
    Base 8 / Temporal 7
    Description
    Red Hat OpenShift Container Platform is Red Hat's cloud computingKubernetes application platform solution designed for on-premise or privatecloud deployments.This advisory contains the RPM packages for Red Hat OpenShift ContainerPlatform 4.6.17. See the following advisory for the container images forthis release:https://access.redhat.com/errata/RHBA-2021:0424

    Security Fix(es): jenkins: XSS vulnerability in notification bar (CVE-2021-21603) jenkins: Improper handling of REST API XML deserialization errors (CVE-2021-21604) jenkins: Path traversal vulnerability in agent names (CVE-2021-21605) jenkins: Stored XSS vulnerability in button labels (CVE-2021-21608) jenkins: Reflected XSS vulnerability in markup formatter preview (CVE-2021-21610) jenkins: Stored XSS vulnerability on new item page (CVE-2021-21611) ant: insecure temporary file vulnerability (CVE-2020-1945) ant: insecure temporary file (CVE-2020-11979) jenkins: Arbitrary file read vulnerability in workspace browsers (CVE-2021-21602) jenkins: Arbitrary file existence check in file fingerprints (CVE-2021-21606) jenkins: Excessive memory allocation in graph URLs leads to denial of service (CVE-2021-21607) jenkins: Filesystem traversal by privileged users (CVE-2021-21615) jenkins: Missing permission check for paths with specific prefix (CVE-2021-21609)

    Affected Products:

    Red Hat OpenShift Container Platform 4.6 for RHEL 8 x86_64
    Red Hat OpenShift Container Platform 4.6 for RHEL 7 x86_64
    Red Hat OpenShift Container Platform for Power 4.6 for RHEL 8 ppc64le
    Red Hat OpenShift Container Platform for IBM Z and LinuxONE 4.6 for RHEL 8 s390x

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    On successful exploitation, it could allow an attacker to execute code.
    Solution
    Upgrade to the latest packages which contain a patch. Refer to Applying Package Updates to RHEL system for details.

    Refer to Red Hat security advisory RHSA-2021:0423 to address this issue and obtain more information.

    Patches
    Red Hat Enterprise Linux RHSA-2021:0423
  • CVE-2021-20230
    Recently Published

    Red Hat Update for stunnel (RHSA-2021:0618)

    Severity
    Critical4
    Qualys ID
    239090
    Date Published
    February 24, 2021
    Vendor Reference
    RHSA-2021:0618
    CVE Reference
    CVE-2021-20230
    CVSS Scores
    Base 7.5 / Temporal 6.5
    Description
    Stunnel is a wrapper for network connections. It can be used to tunnel an unencrypted network connection over an encrypted connection (encrypted using SSL or TLS)
    or to provide an encrypted means of connecting to services that do not natively support encryption.

    Security Fix(es): stunnel: client certificate not correctly verified when redirect and verifyChain options are used (CVE-2021-20230)

    Affected Products:

    Red Hat Enterprise Linux for x86_64 8 x86_64
    Red Hat Enterprise Linux for IBM z Systems 8 s390x
    Red Hat Enterprise Linux for Power, little endian 8 ppc64le
    Red Hat Enterprise Linux for ARM 64 8 aarch64

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    On successful exploitation, it could allow an attacker to execute code.
    Solution
    Upgrade to the latest packages which contain a patch. Refer to Applying Package Updates to RHEL system for details.

    Refer to Red Hat security advisory RHSA-2021:0618 to address this issue and obtain more information.

    Patches
    Red Hat Enterprise Linux RHSA-2021:0618
  • CVE-2021-20230
    Recently Published

    Red Hat Update for stunnel (RHSA-2021:0619)

    Severity
    Critical4
    Qualys ID
    239089
    Date Published
    February 24, 2021
    Vendor Reference
    RHSA-2021:0619
    CVE Reference
    CVE-2021-20230
    CVSS Scores
    Base 7.5 / Temporal 6.5
    Description
    Stunnel is a wrapper for network connections. It can be used to tunnel an unencrypted network connection over an encrypted connection (encrypted using SSL or TLS)
    or to provide an encrypted means of connecting to services that do not natively support encryption.

    Security Fix(es): stunnel: client certificate not correctly verified when redirect and verifyChain options are used (CVE-2021-20230)

    Affected Products:

    Red Hat Enterprise Linux for x86_64 - Extended Update Support 8.2 x86_64
    Red Hat Enterprise Linux Server - AUS 8.2 x86_64
    Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 8.2 s390x
    Red Hat Enterprise Linux for Power, little endian - Extended Update Support 8.2 ppc64le
    Red Hat Enterprise Linux Server - TUS 8.2 x86_64
    Red Hat Enterprise Linux for ARM 64 - Extended Update Support 8.2 aarch64
    Red Hat Enterprise Linux Server (for IBM Power LE) - Update Services for SAP Solutions 8.2 ppc64le
    Red Hat Enterprise Linux Server - Update Services for SAP Solutions 8.2 x86_64

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    On successful exploitation, it could allow an attacker to execute code.
    Solution
    Upgrade to the latest packages which contain a patch. Refer to Applying Package Updates to RHEL system for details.

    Refer to Red Hat security advisory RHSA-2021:0619 to address this issue and obtain more information.

    Patches
    Red Hat Enterprise Linux RHSA-2021:0619
  • CVE-2021-20230
    Recently Published

    Red Hat Update for stunnel (RHSA-2021:0620)

    Severity
    Critical4
    Qualys ID
    239088
    Date Published
    February 24, 2021
    Vendor Reference
    RHSA-2021:0620
    CVE Reference
    CVE-2021-20230
    CVSS Scores
    Base 7.5 / Temporal 6.5
    Description
    Stunnel is a wrapper for network connections. It can be used to tunnel an unencrypted network connection over an encrypted connection (encrypted using SSL or TLS)
    or to provide an encrypted means of connecting to services that do not natively support encryption.

    Security Fix(es): stunnel: client certificate not correctly verified when redirect and verifyChain options are used (CVE-2021-20230)

    Affected Products:

    Red Hat Enterprise Linux for x86_64 - Extended Update Support 8.1 x86_64
    Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 8.1 s390x
    Red Hat Enterprise Linux for Power, little endian - Extended Update Support 8.1 ppc64le
    Red Hat Enterprise Linux for ARM 64 - Extended Update Support 8.1 aarch64
    Red Hat Enterprise Linux Server (for IBM Power LE) - Update Services for SAP Solutions 8.1 ppc64le
    Red Hat Enterprise Linux Server - Update Services for SAP Solutions 8.1 x86_64

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    On successful exploitation, it could allow an attacker to execute code.
    Solution
    Upgrade to the latest packages which contain a patch. Refer to Applying Package Updates to RHEL system for details.

    Refer to Red Hat security advisory RHSA-2021:0620 to address this issue and obtain more information.

    Patches
    Red Hat Enterprise Linux RHSA-2021:0620
  • CVE-2019-25013
    Recently Published

    Amazon Linux Security Advisory for glibc: ALAS2-2021-1599

    Severity
    Critical4
    Qualys ID
    352235
    Date Published
    February 24, 2021
    Vendor Reference
    ALAS-2021-1599
    CVE Reference
    CVE-2019-25013
    CVSS Scores
    Base 5.9 / Temporal 4.7
    Description
    <DIV> Issue Overview:

    A flaw was found in glibc. When processing input in the EUC-KR encoding, an invalid input sequence could cause glibc to read beyond the end of a buffer, resulting in a segmentation fault. The highest threat from this vulnerability is to system availability. (CVE-2019-25013 )

    </DIV>
    Consequence
    Allows unauthorized disclosure of information; allows unauthorized modification; allows disruption of service.
    Solution
    Please refer to Amazon advisory ALAS-2021-1599 for affected packages and patching details, or update with your package manager.
    Patches
    Amazon Linux 2 glibc (2.26-40.amzn2) on aarch64 ALAS-2021-1599, Amazon Linux 2 glibc (2.26-40.amzn2) on i686 ALAS-2021-1599, Amazon Linux 2 glibc (2.26-40.amzn2) on src ALAS-2021-1599, Amazon Linux 2 glibc (2.26-40.amzn2) on x86_64 ALAS-2021-1599
  • CVE-2020-13558
    Recently Published

    SUSE Enterprise Linux Security Update for webkit2gtk3 (SUSE-SU-2021:0536-1)

    Severity
    Critical4
    Qualys ID
    174649
    Date Published
    February 24, 2021
    Vendor Reference
    SUSE-SU-2021:0536-1
    CVE Reference
    CVE-2020-13558
    CVSS Scores
    Base 5.6 / Temporal 4.9
    Description
    SUSE has released security update for webkit2gtk3 to fix the vulnerabilities.

    Affected Products:
    SUSE Linux Enterprise Module for Desktop Applications 15-SP2
    SUSE Linux Enterprise Module for Basesystem 15-SP2

    Consequence
    An arbitrary attacker may exploit this vulnerability to compromise the system.
    Solution
    Upgrade to the latest packages which contain a patch. To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product.

    To install packages using the command line interface, use the command "yum update".

    Refer to Suse security advisory SUSE-SU-2021:0536-1 to address this issue and obtain further details.

    Patches
    SUSE Enterprise Linux SUSE-SU-2021:0536-1
  • CVE-2018-17183+
    Recently Published

    Amazon Linux Security Advisory for ghostscript: ALAS2-2021-1598

    Severity
    Critical4
    Qualys ID
    352232
    Date Published
    February 23, 2021
    Vendor Reference
    ALAS-2021-1598
    CVE Reference
    CVE-2018-17183, CVE-2018-17961, CVE-2018-18073, CVE-2018-18284, CVE-2018-19134, CVE-2018-19409, CVE-2018-19475, CVE-2018-19476, CVE-2018-19477, CVE-2019-14811, CVE-2019-14812, CVE-2019-14813, CVE-2019-14817, CVE-2019-14869, CVE-2019-3835, CVE-2019-3838, CVE-2019-3839, CVE-2019-6116
    CVSS Scores
    Base 9.8 / Temporal 8.1
    Description
    <DIV> Issue Overview:

    Artifex Ghostscript before 9.25 allowed a user-writable error exception table, which could be used by remote attackers able to supply crafted PostScript to potentially overwrite or replace error handlers to inject code. (CVE-2018-17183 )

    Artifex Ghostscript 9.25 and earlier allows attackers to bypass a sandbox protection mechanism via vectors involving errorhandler setup. NOTE: this issue exists because of an incomplete fix for CVE-2018-17183 . (CVE-2018-17961 )

    Artifex Ghostscript allows attackers to bypass a sandbox protection mechanism by leveraging exposure of system operators in the saved execution stack in an error object. (CVE-2018-18073 )

    Artifex Ghostscript 9.25 and earlier allows attackers to bypass a sandbox protection mechanism via vectors involving the 1Policy operator. (CVE-2018-18284 )

    In Artifex Ghostscript through 9.25, the setpattern operator did not properly validate certain types. A specially crafted PostScript document could exploit this to crash Ghostscript or, possibly, execute arbitrary code in the context of the Ghostscript process. This is a type confusion issue because of failure to check whether the Implementation of a pattern dictionary was a structure type. (CVE-2018-19134 )

    An issue was discovered in Artifex Ghostscript before 9.26. LockSafetyParams is not checked correctly if another device is used. (CVE-2018-19409 )

    psi/zdevice2.c in Artifex Ghostscript before 9.26 allows remote attackers to bypass intended access restrictions because available stack space is not checked when the device remains the same. (CVE-2018-19475 )

    psi/zicc.c in Artifex Ghostscript before 9.26 allows remote attackers to bypass intended access restrictions because of a setcolorspace type confusion. (CVE-2018-19476 )

    psi/zfjbig2.c in Artifex Ghostscript before 9.26 allows remote attackers to bypass intended access restrictions because of a JBIG2Decode type confusion. (CVE-2018-19477 )

    A flaw was found in the .pdf_hook_DSC_Creator procedure where it did not properly secure its privileged calls, enabling scripts to bypass `-dSAFER` restrictions. A specially crafted PostScript file could disable security protection and then have access to the file system, or execute arbitrary commands. (CVE-2019-14811 )

    A flaw was found in the .setuserparams2 procedure where it did not properly secure its privileged calls, enabling scripts to bypass `-dSAFER` restrictions. A specially crafted PostScript file could disable security protection and then have access to the file system, or execute arbitrary commands. (CVE-2019-14812 )

    A flaw was found in the setsystemparams procedure where it did not properly secure its privileged calls, enabling scripts to bypass `-dSAFER` restrictions. A specially crafted PostScript file could disable security protection and then have access t

    </DIV>
    Consequence
    Allows unauthorized disclosure of information; allows unauthorized modification; allows disruption of service.
    Solution
    Please refer to Amazon advisory ALAS-2021-1598 for affected packages and patching details, or update with your package manager.
    Patches
    Amazon Linux 2 ghostscript (9.25-5.amzn2) on aarch64 ALAS-2021-1598, Amazon Linux 2 ghostscript (9.25-5.amzn2) on i686 ALAS-2021-1598, Amazon Linux 2 ghostscript (9.25-5.amzn2) on noarch ALAS-2021-1598, Amazon Linux 2 ghostscript (9.25-5.amzn2) on src ALAS-2021-1598, Amazon Linux 2 ghostscript (9.25-5.amzn2) on x86_64 ALAS-2021-1598
  • CVE-2020-15685+
    Recently Published

    Amazon Linux Security Advisory for thunderbird: ALAS2-2021-1603

    Severity
    Critical4
    Qualys ID
    352228
    Date Published
    February 23, 2021
    Vendor Reference
    ALAS-2021-1603
    CVE Reference
    CVE-2020-15685, CVE-2020-26976, CVE-2021-23953, CVE-2021-23954, CVE-2021-23960, CVE-2021-23964
    CVSS Scores
    Base 8.8 / Temporal 7
    Description
    <DIV> Issue Overview:

    The Mozilla Foundation Security Advisory describes these flaws as:

    During the plaintext phase of the STARTTLS connection setup, protocol commands could have been injected and evaluated within the encrypted session. (CVE-2020-15685 )

    When a HTTPS page was embedded in a HTTP page, and there was a service worker registered for the former, the service worker could have intercepted the request for the secure page despite the iframe not being a secure context due to the (insecure) framing. (CVE-2020-26976 )

    If a user clicked into a specifically crafted PDF, the PDF reader could be confused into leaking cross-origin information, when said information is served as chunked data. (CVE-2021-23953 )

    Using the new logical assignment operators in a JavaScript switch statement could have caused a type confusion, leading to a memory corruption and a potentially exploitable crash. (CVE-2021-23954 )

    Performing garbage collection on re-declared JavaScript variables resulted in a user-after-poison, and a potentially exploitable crash. (CVE-2021-23960 )

    Mozilla developers reported memory safety bugs present in Firefox 84 and Firefox ESR 78.6. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. (CVE-2021-23964 )

    </DIV>
    Consequence
    Allows unauthorized disclosure of information; allows unauthorized modification; allows disruption of service.
    Solution
    Please refer to Amazon advisory ALAS-2021-1603 for affected packages and patching details, or update with your package manager.
    Patches
    Amazon Linux 2 thunderbird (78.7.0-1.amzn2) on aarch64 ALAS-2021-1603, Amazon Linux 2 thunderbird (78.7.0-1.amzn2) on src ALAS-2021-1603, Amazon Linux 2 thunderbird (78.7.0-1.amzn2) on x86_64 ALAS-2021-1603
  • CVE-2020-27825+
    Recently Published

    Amazon Linux Security Advisory for kernel: ALAS2-2021-1600

    Severity
    Critical4
    Qualys ID
    352231
    Date Published
    February 23, 2021
    Vendor Reference
    ALAS-2021-1600
    CVE Reference
    CVE-2020-27825, CVE-2020-28374, CVE-2021-3178, CVE-2021-3347, CVE-2021-3348
    CVSS Scores
    Base 8.1 / Temporal 6.5
    Description
    <DIV> Issue Overview:

    A use-after-free flaw was found in kernel/trace/ring_buffer.c in Linux kernel (before 5.10-rc1). There was a race problem in trace_open and resize of cpu buffer running parallely on different cpus, may cause a denial of service problem (DOS). This flaw could even allow a local attacker with special user privilege to a kernel information leak threat. (CVE-2020-27825 )

    A flaw was found in the Linux kernel's implementation of the Linux SCSI target host, where an authenticated attacker could write to any block on the exported SCSI device backing store. This flaw allows an authenticated attacker to send LIO block requests to the Linux system to overwrite data on the backing store. The highest threat from this vulnerability is to integrity. In addition, this flaw affects the tcmu-runner package, where the affected SCSI command is called. (CVE-2020-28374 )

    ** DISPUTED ** fs/nfsd/nfs3xdr.c in the Linux kernel through 5.10.8, when there is an NFS export of a subdirectory of a filesystem, allows remote attackers to traverse to other parts of the filesystem via READDIRPLUS. NOTE: some parties argue that such a subdirectory export is not intended to prevent this attack; see also the exports(5) no_subtree_check default behavior. (CVE-2021-3178 )

    A flaw was found in the Linux kernel. A use-after-free memory flaw in the Fast Userspace Mutexes functionality allowing a local user to crash the system or escalate their privileges on the system. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. (CVE-2021-3347 )

    nbd_add_socket in drivers/block/nbd.c in the Linux kernel through 5.10.12 has an ndb_queue_rq use-after-free that could be triggered by local attackers (with access to the nbd device) via an I/O request at a certain point during device setup, aka CID-b98e762e3d71. (CVE-2021-3348 )

    </DIV>
    Consequence
    Allows unauthorized disclosure of information; allows unauthorized modification; allows disruption of service.
    Solution
    Please refer to Amazon advisory ALAS-2021-1600 for affected packages and patching details, or update with your package manager.
    Patches
    Amazon Linux 2 kernel (4.14.219-161.340.amzn2) on aarch64 ALAS-2021-1600, Amazon Linux 2 kernel (4.14.219-161.340.amzn2) on i686 ALAS-2021-1600, Amazon Linux 2 kernel (4.14.219-161.340.amzn2) on src ALAS-2021-1600, Amazon Linux 2 kernel (4.14.219-161.340.amzn2) on x86_64 ALAS-2021-1600
  • CVE-2016-10228+
    Recently Published

    Amazon Linux Security Advisory for glibc: ALAS2-2021-1605

    Severity
    Critical4
    Qualys ID
    352226
    Date Published
    February 23, 2021
    Vendor Reference
    ALAS-2021-1605
    CVE Reference
    CVE-2016-10228, CVE-2019-25013, CVE-2020-29562, CVE-2020-6096
    CVSS Scores
    Base 8.1 / Temporal 6.5
    Description
    <DIV> Issue Overview:

    The iconv program in the GNU C Library (aka glibc or libc6) 2.31 and earlier, when invoked with multiple suffixes in the destination encoding (TRANSLATE or IGNORE) along with the -c option, enters an infinite loop when processing invalid multi-byte input sequences, leading to a denial of service. (CVE-2016-10228 )

    A flaw was found in glibc. When processing input in the EUC-KR encoding, an invalid input sequence could cause glibc to read beyond the end of a buffer, resulting in a segmentation fault. The highest threat from this vulnerability is to system availability. (CVE-2019-25013 )

    A denial of service flaw was found in the way glibc's iconv function handled UCS4 text containing an irreversible character. This flaw causes an application compiled with glibc and using the vulnerable function to terminate with an assertion, resulting in a denial of service. The highest threat from this vulnerability is to system availability. (CVE-2020-29562 )

    A signed comparison vulnerability was found in GNU libc in the ARMv7 implementation of memcpy(). The flaw affects the third argument to memcpy() that specifies the number of bytes to copy. An underflow on the third argument could lead to undefined behavior such as out-of-bounds memory write and potentially remote code execution. (CVE-2020-6096 )

    </DIV>
    Consequence
    Allows unauthorized disclosure of information; allows unauthorized modification; allows disruption of service.
    Solution
    Please refer to Amazon advisory ALAS-2021-1605 for affected packages and patching details, or update with your package manager.
    Patches
    Amazon Linux 2 glibc (2.26-41.amzn2) on aarch64 ALAS-2021-1605, Amazon Linux 2 glibc (2.26-41.amzn2) on i686 ALAS-2021-1605, Amazon Linux 2 glibc (2.26-41.amzn2) on src ALAS-2021-1605, Amazon Linux 2 glibc (2.26-41.amzn2) on x86_64 ALAS-2021-1605
  • CVE-2020-29599
    Recently Published

    Amazon Linux Security Advisory for ImageMagick: ALAS2-2021-1596

    Severity
    Critical4
    Qualys ID
    352234
    Date Published
    February 23, 2021
    Vendor Reference
    ALAS-2021-1596
    CVE Reference
    CVE-2020-29599
    CVSS Scores
    Base 7.8 / Temporal 6.3
    Description
    <DIV> Issue Overview:

    A flaw was found in ImageMagick. The -authenticate option is mishandled allowing user-controlled password set for a PDF file to possibly inject additional shell commands via coders/pdf.c. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. (CVE-2020-29599 )

    </DIV>
    Consequence
    Allows unauthorized disclosure of information; allows unauthorized modification; allows disruption of service.
    Solution
    Please refer to Amazon advisory ALAS-2021-1596 for affected packages and patching details, or update with your package manager.
    Patches
    Amazon Linux 2 ImageMagick (6.9.10.68-5.amzn2.0.1) on aarch64 ALAS-2021-1596, Amazon Linux 2 ImageMagick (6.9.10.68-5.amzn2.0.1) on i686 ALAS-2021-1596, Amazon Linux 2 ImageMagick (6.9.10.68-5.amzn2.0.1) on src ALAS-2021-1596, Amazon Linux 2 ImageMagick (6.9.10.68-5.amzn2.0.1) on x86_64 ALAS-2021-1596
  • CVE-2015-7697+
    Recently Published

    Amazon Linux Security Advisory for unzip: ALAS2-2021-1604

    Severity
    Critical4
    Qualys ID
    352227
    Date Published
    February 23, 2021
    Vendor Reference
    ALAS-2021-1604
    CVE Reference
    CVE-2015-7697, CVE-2016-9844, CVE-2018-1000035
    CVSS Scores
    Base 7.8 / Temporal 6.3
    Description
    <DIV> Issue Overview:

    Info-ZIP UnZip 6.0 allows remote attackers to cause a denial of service (infinite loop) via empty bzip2 data in a ZIP archive. (CVE-2015-7697 )

    Buffer overflow in the zi_short function in zipinfo.c in Info-Zip UnZip 6.0 allows remote attackers to cause a denial of service (crash) via a large compression method value in the central directory file header. (CVE-2016-9844 )

    A heap-based buffer overflow exists in Info-Zip UnZip version <= 6.00 in the processing of password-protected archives that allows an attacker to perform a denial of service or to possibly achieve code execution. (CVE-2018-1000035 )

    </DIV>
    Consequence
    Allows unauthorized disclosure of information; allows unauthorized modification; allows disruption of service.
    Solution
    Please refer to Amazon advisory ALAS-2021-1604 for affected packages and patching details, or update with your package manager.
    Patches
    Amazon Linux 2 unzip (6.0-43.amzn2) on aarch64 ALAS-2021-1604, Amazon Linux 2 unzip (6.0-43.amzn2) on i686 ALAS-2021-1604, Amazon Linux 2 unzip (6.0-43.amzn2) on src ALAS-2021-1604, Amazon Linux 2 unzip (6.0-43.amzn2) on x86_64 ALAS-2021-1604
  • CVE-2020-36193
    Recently Published

    Amazon Linux Security Advisory for php-pear: ALAS2-2021-1602

    Severity
    Critical4
    Qualys ID
    352229
    Date Published
    February 23, 2021
    Vendor Reference
    ALAS-2021-1602
    CVE Reference
    CVE-2020-36193
    CVSS Scores
    Base 7.5 / Temporal 6
    Description
    <DIV> Issue Overview:

    Tar.php in Archive_Tar through 1.4.11 allows write operations with Directory Traversal due to inadequate checking of symbolic links. (CVE-2020-36193 )

    </DIV>
    Consequence
    Allows unauthorized disclosure of information; allows unauthorized modification; allows disruption of service.
    Solution
    Please refer to Amazon advisory ALAS-2021-1602 for affected packages and patching details, or update with your package manager.
    Patches
    Amazon Linux 2 php-pear (1.10.12-5.amzn2) on noarch ALAS-2021-1602, Amazon Linux 2 php-pear (1.10.12-5.amzn2) on src ALAS-2021-1602
  • CVE-2019-19006
    Under Investigation

    FreePBX Incorrect Access Control Vulnerability (SEC-2019-001)

    Severity
    Critical4
    Qualys ID
    730022
    Vendor Reference
    SEC-2019-001
    CVE Reference
    CVE-2019-19006
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description
    FreePBX is a web-based configuration tool for the open-source Asterisk PBX implemented in PHP.

    FreePBX is vulnerable to Incorrect Access Control

    Affected Versions:
    FreePBX 13 prior to v13.0.197.14
    FreePBX 14 prior to v14.0.13.12
    FreePBX 15 prior to v15.0.16.27
    QID Detection Logic:
    This QID checks for the vulnerable version of FreePBX by sending get request to admin/config.php

    Consequence
    Successful exploitation could compromise confidentiality, integrity and availability

    Solution
    The vendor has released advisories and updates to fix these vulnerabilities. Refer to the following link for details: Security Vulnerability Notice.
    Patches
    SEC-2019-001
  • CVE-2019-17455
    Recently Published

    Fedora Security Update for libntlm (FEDORA-2020-1f643c272c)

    Severity
    Critical4
    Qualys ID
    280998
    Date Published
    February 23, 2021
    Vendor Reference
    FEDORA-2020-1f643c272c Fedora 32
    CVE Reference
    CVE-2019-17455
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description
    Fedora has released a security update for libntlm to fix the vulnerability.

    Affected OS:
    Fedora 32

    Note : "The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues."

    Consequence
    Successful exploitation allows an attacker to compromise the system.
    Solution
    Fedora has issued updated packages to fix this vulnerability.

    For more information about the vulnerability and obtaining patches, refer to the following Fedora security advisories:
    Fedora 32 Update

    Patches
    Fedora 32 FEDORA-2020-1f643c272c
  • CVE-2021-3177+
    Recently Published

    Fedora Security Update for python3.6 (FEDORA-2021-7547ad987f)

    Severity
    Critical4
    Qualys ID
    280983
    Date Published
    February 23, 2021
    Vendor Reference
    FEDORA-2021-7547ad987f Fedora 33
    CVE Reference
    CVE-2021-3177, CVE-2021-23336
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description
    Fedora has released a security update for python3.6 to fix the vulnerability.

    Affected OS:
    Fedora 33

    Note : The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    Successful exploitation allows an attacker to compromise the system.
    Solution
    Fedora has issued updated packages to fix this vulnerability.

    For more information about the vulnerability and obtaining patches, refer to the following Fedora security advisories:
    Fedora 33 Update

    Patches
    Fedora 33 FEDORA-2021-7547ad987f
  • CVE-2021-3177+
    Recently Published

    Fedora Security Update for python3.7 (FEDORA-2021-f4fd9372c7)

    Severity
    Critical4
    Qualys ID
    280982
    Date Published
    February 23, 2021
    Vendor Reference
    FEDORA-2021-f4fd9372c7 Fedora 33
    CVE Reference
    CVE-2021-3177, CVE-2021-23336
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description
    Fedora has released a security update for python3.7 to fix the vulnerability.

    Affected OS:
    Fedora 33

    Note : The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    Successful exploitation allows an attacker to compromise the system.
    Solution
    Fedora has issued updated packages to fix this vulnerability.

    For more information about the vulnerability and obtaining patches, refer to the following Fedora security advisories:
    Fedora 33 Update

    Patches
    Fedora 33 FEDORA-2021-f4fd9372c7
  • CVE-2015-8011+
    Recently Published

    Debian Security Update for openvswitch (DLA 2571-1)

    Severity
    Critical4
    Qualys ID
    178419
    Date Published
    February 22, 2021
    Vendor Reference
    DLA 2571-1
    CVE Reference
    CVE-2015-8011, CVE-2017-9214, CVE-2018-17204, CVE-2018-17206, CVE-2020-27827, CVE-2020-35498
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description
    Debian has released security update for openvswitch to fix the vulnerabilities.

    Consequence
    Successful exploitation allows an attacker to compromise the system.
    Solution
    Refer to Debian LTS Announce DLA 2571-1 to address this issue and obtain further details.
    Patches
    Debian DLA 2571-1
  • CVE-2021-26937
    Recently Published

    Debian Security Update for screen (DLA 2570-1)

    Severity
    Critical4
    Qualys ID
    178418
    Date Published
    February 22, 2021
    Vendor Reference
    DLA 2570-1
    CVE Reference
    CVE-2021-26937
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description
    Debian has released security update for screen to fix the vulnerabilities.

    Consequence
    This vulnerability could be exploited to gain partial access to sensitive information. Malicious users could also use this vulnerability to change partial contents or configuration on the system. Additionally this vulnerability can also be used to cause a limited denial of service in the form of interruptions in resource availability.
    Solution
    Refer to Debian LTS Announce DLA 2570-1 to address this issue and obtain further details.
    Patches
    Debian DLA 2570-1
  • CVE-2011-5325+
    In Development

    Debian Security Update for busybox (DLA 2559-1)

    Severity
    Critical4
    Qualys ID
    178402
    Vendor Reference
    DLA 2559-1
    CVE Reference
    CVE-2011-5325, CVE-2015-9261, CVE-2016-2147, CVE-2016-2148, CVE-2017-15873, CVE-2017-16544, CVE-2018-1000517, CVE-2013-1813, CVE-2014-4607, CVE-2014-9645, CVE-2015-9621
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description
    Debian has released security update for busybox to fix the vulnerabilities.

    Consequence
    Successful exploitation allows an attacker to compromise the system.
    Solution
    Refer to Debian LTS Announce DLA 2559-1 to address this issue and obtain further details.
    Patches
    Debian DLA 2559-1
  • CVE-2017-14120+
    In Development

    Debian Security Update for unrar-free (DLA 2567-1)

    Severity
    Critical4
    Qualys ID
    178410
    Vendor Reference
    DLA 2567-1
    CVE Reference
    CVE-2017-14120, CVE-2017-14121, CVE-2017-14122
    CVSS Scores
    Base 9.1 / Temporal 7.9
    Description
    Debian has released security update for unrar-free to fix the vulnerabilities.

    Consequence
    Successful exploitation allows an attacker to compromise the system.
    Solution
    Refer to Debian LTS Announce DLA 2567-1 to address this issue and obtain further details.
    Patches
    Debian DLA 2567-1
  • CVE-2020-25639+
    Recently Published

    SUSE Enterprise Linux Security Update for the Linux Kernel (SUSE-SU-2021:0532-1)

    Severity
    Critical4
    Qualys ID
    174647
    Date Published
    February 23, 2021
    Vendor Reference
    SUSE-SU-2021:0532-1
    CVE Reference
    CVE-2020-25639, CVE-2020-27835, CVE-2020-29568, CVE-2020-29569, CVE-2021-0342, CVE-2021-20177, CVE-2021-3347, CVE-2021-3348
    CVSS Scores
    Base 8.8 / Temporal 7.7
    Description
    SUSE has released security update for the linux kernel to fix the vulnerabilities.

    Affected Products:
    SUSE Linux Enterprise Server for SAP 15-SP1
    SUSE Linux Enterprise Module for Live Patching 15-SP1

    Consequence
    An arbitrary attacker may exploit this vulnerability to compromise the system.
    Solution
    Upgrade to the latest packages which contain a patch. To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product.

    To install packages using the command line interface, use the command "yum update".

    Refer to Suse security advisory SUSE-SU-2021:0532-1 to address this issue and obtain further details.

    Patches
    SUSE Enterprise Linux SUSE-SU-2021:0532-1
  • CVE-2021-21289
    In Development

    Debian Security Update for ruby-mechanize (DLA 2561-1)

    Severity
    Critical4
    Qualys ID
    178405
    Vendor Reference
    DLA 2561-1
    CVE Reference
    CVE-2021-21289
    CVSS Scores
    Base 8.3 / Temporal 7.2
    Description
    Debian has released security update for ruby-mechanize to fix the vulnerabilities.

    Consequence
    Successful exploitation allows an attacker to compromise the system.
    Solution
    Refer to Debian LTS Announce DLA 2561-1 to address this issue and obtain further details.
    Patches
    Debian DLA 2561-1
  • CVE-2021-21289
    In Development

    Debian Security Update for ruby-mechanize (DLA 2561-1)

    Severity
    Critical4
    Qualys ID
    178403
    Vendor Reference
    DLA 2561-1
    CVE Reference
    CVE-2021-21289
    CVSS Scores
    Base 8.3 / Temporal 7.2
    Description
    Debian has released security update for ruby-mechanize to fix the vulnerabilities.

    Consequence
    Successful exploitation allows an attacker to compromise the system.
    Solution
    Refer to Debian LTS Announce DLA 2561-1 to address this issue and obtain further details.
    Patches
    Debian DLA 2561-1
  • CVE-2020-25681+
    Recently Published

    Fedora Security Update for dnsmasq (FEDORA-2021-2e4c3d5a9d)

    Severity
    Critical4
    Qualys ID
    280997
    Date Published
    February 23, 2021
    Vendor Reference
    FEDORA-2021-2e4c3d5a9d Fedora 32
    CVE Reference
    CVE-2020-25681, CVE-2020-25682, CVE-2020-25683, CVE-2020-25684, CVE-2020-25685, CVE-2020-25686, CVE-2020-25687
    CVSS Scores
    Base 8.1 / Temporal 7.1
    Description
    Fedora has released a security update for dnsmasq to fix the vulnerability.

    Affected OS:
    Fedora 32

    Note : "The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues."

    Consequence
    Successful exploitation allows an attacker to compromise the system.
    Solution
    Fedora has issued updated packages to fix this vulnerability.

    For more information about the vulnerability and obtaining patches, refer to the following Fedora security advisories:
    Fedora 32 Update

    Patches
    Fedora 32 FEDORA-2021-2e4c3d5a9d
  • CVE-2021-0326
    Recently Published

    Fedora Security Update for wpa_supplicant (FEDORA-2021-1a2443baa0)

    Severity
    Critical4
    Qualys ID
    280993
    Date Published
    February 23, 2021
    Vendor Reference
    FEDORA-2021-1a2443baa0 Fedora 32
    CVE Reference
    CVE-2021-0326
    CVSS Scores
    Base 7.5 / Temporal 6.5
    Description
    Fedora has released a security update for wpa_supplicant to fix the vulnerability.

    Affected OS:
    Fedora 32

    Note : "The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues."

    Consequence
    Successful exploitation allows an attacker to compromise the system.
    Solution
    Fedora has issued updated packages to fix this vulnerability.

    For more information about the vulnerability and obtaining patches, refer to the following Fedora security advisories:
    Fedora 32 Update

    Patches
    Fedora 32 FEDORA-2021-1a2443baa0
  • CVE-2019-25017+
    Recently Published

    SUSE Enterprise Linux Security Update for krb5-appl (SUSE-SU-2021:0527-1)

    Severity
    Critical4
    Qualys ID
    174646
    Date Published
    February 23, 2021
    Vendor Reference
    SUSE-SU-2021:0527-1
    CVE Reference
    CVE-2019-25017, CVE-2019-25018
    CVSS Scores
    Base 7.5 / Temporal 6.5
    Description
    SUSE has released security update for krb5-appl to fix the vulnerabilities.

    Affected Products:
    SUSE Linux Enterprise Server for SAP 12-SP4
    SUSE Linux Enterprise Server for SAP 12-SP3
    SUSE Linux Enterprise Server for SAP 12-SP2
    SUSE Linux Enterprise Server 12-SP5

    Consequence
    An arbitrary attacker may exploit this vulnerability to compromise the system.
    Solution
    Upgrade to the latest packages which contain a patch. To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product.

    To install packages using the command line interface, use the command "yum update".

    Refer to Suse security advisory SUSE-SU-2021:0527-1 to address this issue and obtain further details.

    Patches
    SUSE Enterprise Linux SUSE-SU-2021:0527-1
  • CVE-2021-21702
    Recently Published

    SUSE Enterprise Linux Security Update for php74 (SUSE-SU-2021:0522-1)

    Severity
    Critical4
    Qualys ID
    174641
    Date Published
    February 23, 2021
    Vendor Reference
    SUSE-SU-2021:0522-1
    CVE Reference
    CVE-2021-21702
    CVSS Scores
    Base 7.5 / Temporal 6.5
    Description
    SUSE has released security update for php74 to fix the vulnerabilities.

    Affected Products:
    SUSE Linux Enterprise Software Development Kit 12-SP5
    SUSE Linux Enterprise Module for Web Scripting 12

    Consequence
    An arbitrary attacker may exploit this vulnerability to compromise the system.
    Solution
    Upgrade to the latest packages which contain a patch. To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product.

    To install packages using the command line interface, use the command "yum update".

    Refer to Suse security advisory SUSE-SU-2021:0522-1 to address this issue and obtain further details.

    Patches
    SUSE Enterprise Linux SUSE-SU-2021:0522-1
  • CVE-2020-11947+
    Recently Published

    SUSE Enterprise Linux Security Update for qemu (SUSE-SU-2021:0521-1)

    Severity
    Critical4
    Qualys ID
    174640
    Date Published
    February 23, 2021
    Vendor Reference
    SUSE-SU-2021:0521-1
    CVE Reference
    CVE-2020-11947, CVE-2021-20181, CVE-2021-20203, CVE-2021-20221
    CVSS Scores
    Base 3.8 / Temporal 3.3
    Description
    SUSE has released security update for qemu to fix the vulnerabilities.

    Affected Products:
    SUSE Linux Enterprise Module for Server Applications 15-SP2
    SUSE Linux Enterprise Module for Basesystem 15-SP2

    Consequence
    An arbitrary attacker may exploit this vulnerability to compromise the system.
    Solution
    Upgrade to the latest packages which contain a patch. To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product.

    To install packages using the command line interface, use the command "yum update".

    Refer to Suse security advisory SUSE-SU-2021:0521-1 to address this issue and obtain further details.

    Patches
    SUSE Enterprise Linux SUSE-SU-2021:0521-1
  • CVE-2021-23840+
    Recently Published

    FreeBSD Security Update for OpenSSL (96a21236-707b-11eb-96d8-d4c9ef517024)

    Severity
    Critical4
    Qualys ID
    375205
    Date Published
    February 22, 2021
    Vendor Reference
    96a21236-707b-11eb-96d8-d4c9ef517024
    CVE Reference
    CVE-2021-23840, CVE-2021-23841, CVE-2021-23839
    CVSS Scores
    Base 7.5 / Temporal 6.5
    Description
    FreeBSD is an operating system used to power modern servers, desktops, and embedded platforms.

    FreeBSD has released a security update.
    Affected versions:
    openssl prior to 1.1.1j,1
    openssl-devel prior to 3.0.0a12

    QID Detection Logic:(Authenticated)
    It checks for versions of the packages to check for the vulnerable packages

    Consequence
    Successful exploitation allows attacker to compromise the system.
    Solution
    Please refer to FreeBSD security advisory 96a21236-707b-11eb-96d8-d4c9ef517024 to address this issue and obtain further details.
    Patches
    96a21236-707b-11eb-96d8-d4c9ef517024
  • CVE-2021-0326
    Recently Published

    Debian Security Update for wpa (DLA 2572-1)

    Severity
    Critical4
    Qualys ID
    178420
    Date Published
    February 22, 2021
    Vendor Reference
    DLA 2572-1
    CVE Reference
    CVE-2021-0326
    CVSS Scores
    Base 7.5 / Temporal 6.5
    Description
    Debian has released security update for wpa to fix the vulnerabilities.

    Consequence
    This vulnerability could be exploited to gain complete access to sensitive information. Malicious users could also use this vulnerability to change all the contents or configuration on the system.
    Solution
    Refer to Debian LTS Announce DLA 2572-1 to address this issue and obtain further details.
    Patches
    Debian DLA 2572-1
  • CVE-2019-10130+
    Recently Published

    Oracle Enterprise Linux Security Update for postgresql:9.6 (ELSA-2020-5619-1)

    Severity
    Critical4
    Qualys ID
    158963
    Date Published
    March 5, 2021
    Vendor Reference
    ELSA-2020-5619-1
    CVE Reference
    CVE-2019-10130, CVE-2019-10208, CVE-2020-1720, CVE-2020-14350, CVE-2020-25694, CVE-2020-25696, CVE-2020-25695
    CVSS Scores
    Base 8.8 / Temporal 7
    Description
    Oracle Enterprise Linux has released security update for postgresql:9.6 to fix the vulnerabilities.

    Affected Product:
    Oracle Linux 8

    Consequence
    This vulnerability could be exploited to gain complete access to sensitive information. Malicious users could also use this vulnerability to change all the contents or configuration on the system. Additionally this vulnerability can also be used to cause a complete denial of service and could render the resource completely unavailable.
    Solution
    To resolve this issue, upgrade to the latest packages which contain a patch. Refer to Oracle Enterprise Linux advisory below for updates and patch information:

    ELSA-2020-5619-1.
    Patches
    Oracle Linux ELSA-2020-5619-1
  • CVE-2020-14349+
    Recently Published

    Oracle Enterprise Linux Security Update for postgresql:12 (ELSA-2020-5620-1)

    Severity
    Critical4
    Qualys ID
    158964
    Date Published
    March 4, 2021
    Vendor Reference
    ELSA-2020-5620-1
    CVE Reference
    CVE-2020-14349, CVE-2020-1720, CVE-2020-14350, CVE-2020-25694, CVE-2020-25695, CVE-2020-25696
    CVSS Scores
    Base 8.8 / Temporal 7
    Description
    Oracle Enterprise Linux has released security update for postgresql:12 to fix the vulnerabilities.

    Affected Product:
    Oracle Linux 8

    Consequence
    This vulnerability could be exploited to gain complete access to sensitive information. Malicious users could also use this vulnerability to change all the contents or configuration on the system. Additionally this vulnerability can also be used to cause a complete denial of service and could render the resource completely unavailable.
    Solution
    To resolve this issue, upgrade to the latest packages which contain a patch. Refer to Oracle Enterprise Linux advisory below for updates and patch information:

    ELSA-2020-5620-1.
    Patches
    Oracle Linux ELSA-2020-5620-1
  • CVE-2020-10543+
    Recently Published

    Oracle Enterprise Linux Security Update for perl (ELSA-2021-0343)

    Severity
    Critical4
    Qualys ID
    159001
    Date Published
    March 3, 2021
    Vendor Reference
    ELSA-2021-0343
    CVE Reference
    CVE-2020-10543, CVE-2020-10878, CVE-2020-12723
    CVSS Scores
    Base 8.6 / Temporal 6.9
    Description
    Oracle Enterprise Linux has released security update for perl to fix the vulnerabilities.

    Affected Product:
    Oracle Linux 7

    Consequence
    This vulnerability could be exploited to gain partial access to sensitive information. Malicious users could also use this vulnerability to change partial contents or configuration on the system. Additionally this vulnerability can also be used to cause a limited denial of service in the form of interruptions in resource availability.
    Solution
    To resolve this issue, upgrade to the latest packages which contain a patch. Refer to Oracle Enterprise Linux advisory below for updates and patch information:

    ELSA-2021-0343.
    Patches
    Oracle Linux ELSA-2021-0343
  • CVE-2020-26217
    Recently Published

    Oracle Enterprise Linux Security Update for xstream (ELSA-2021-0162)

    Severity
    Urgent5
    Qualys ID
    158983
    Date Published
    March 3, 2021
    Vendor Reference
    ELSA-2021-0162
    CVE Reference
    CVE-2020-26217
    CVSS Scores
    Base 8.8 / Temporal 7
    Description
    Oracle Enterprise Linux has released security update for xstream to fix the vulnerabilities.

    Affected Product:
    Oracle Linux 7

    Consequence
    This vulnerability could be exploited to gain complete access to sensitive information. Malicious users could also use this vulnerability to change all the contents or configuration on the system. Additionally this vulnerability can also be used to cause a complete denial of service and could render the resource completely unavailable.
    Solution
    To resolve this issue, upgrade to the latest packages which contain a patch. Refer to Oracle Enterprise Linux advisory below for updates and patch information:

    ELSA-2021-0162.
    Patches
    Oracle Linux ELSA-2021-0162
  • CVE-2019-14895+
    Recently Published

    Oracle Enterprise Linux Security Update for Unbreakable Enterprise kernel (ELSA-2021-9002)

    Severity
    Critical4
    Qualys ID
    158985
    Date Published
    March 3, 2021
    Vendor Reference
    ELSA-2021-9002
    CVE Reference
    CVE-2019-14895, CVE-2020-10711, CVE-2020-12464, CVE-2020-12652, CVE-2019-19447, CVE-2019-19037, CVE-2020-14305, CVE-2020-25668, CVE-2020-28915, CVE-2020-28974, CVE-2019-20934, CVE-2020-15436, CVE-2020-14351, CVE-2020-25705
    CVSS Scores
    Base 9.8 / Temporal 7.8
    Description
    Oracle Enterprise Linux has released security update for Unbreakable Enterprise kernel to fix the vulnerabilities.

    Affected Product:
    Oracle Linux 6
    Oracle Linux 7

    Consequence
    This vulnerability could be exploited to gain partial access to sensitive information. Malicious users could also use this vulnerability to change partial contents or configuration on the system. Additionally this vulnerability can also be used to cause a complete denial of service and could render the resource completely unavailable.
    Solution
    To resolve this issue, upgrade to the latest packages which contain a patch. Refer to Oracle Enterprise Linux advisory below for updates and patch information:

    ELSA-2021-9002.
    Patches
    Oracle Linux ELSA-2021-9002
  • CVE-2020-25694+
    Recently Published

    Oracle Enterprise Linux Security Update for postgresql:10 (ELSA-2020-5567-1)

    Severity
    Critical4
    Qualys ID
    158961
    Date Published
    March 3, 2021
    Vendor Reference
    ELSA-2020-5567-1
    CVE Reference
    CVE-2020-25694, CVE-2020-25696, CVE-2020-25695
    CVSS Scores
    Base 8.8 / Temporal 7
    Description
    Oracle Enterprise Linux has released security update for postgresql:10 to fix the vulnerabilities.

    Affected Product:
    Oracle Linux 8

    Consequence
    This vulnerability could be exploited to gain complete access to sensitive information. Malicious users could also use this vulnerability to change all the contents or configuration on the system. Additionally this vulnerability can also be used to cause a complete denial of service and could render the resource completely unavailable.
    Solution
    To resolve this issue, upgrade to the latest packages which contain a patch. Refer to Oracle Enterprise Linux advisory below for updates and patch information:

    ELSA-2020-5567-1.
    Patches
    Oracle Linux ELSA-2020-5567-1
  • Recently Published

    Gurobi remote services API with default credentials detected

    Severity
    Critical4
    Qualys ID
    12999
    Date Published
    March 3, 2021
    CVSS Scores
    Base / Temporal
    Description
    The Gurobi Remote Services API can be used to view and modify configuration parameters, and to view system information about the Gurobi host that it is associated with. By not changing the default credentials, any individual who discovers the service and is able to discover the system's documentation is able to perform information gathering and change configuration parameters of the server.
    QID detection logic:
    This QID sends crafted HTTP POST request to check if the target is vulnerable or not.
    Consequence
    Successful exploitation allows access to the Gurobi remote services and can result in sensitive data disclosure.
    Solution
    It is recommended to update the affected product to latest version.
  • Under Investigation

    RE_USE

    Severity
    Urgent5
    Qualys ID
    375108
    Date Published
    February 26, 2021
    CVSS Scores
    Base 7.6 / Temporal 6.6
    Description
    NA
    Consequence
    NA
    Solution
    NA
  • Under Investigation

    RE_USE

    Severity
    Urgent5
    Qualys ID
    375107
    Date Published
    February 26, 2021
    CVSS Scores
    Base 7.6 / Temporal 6.6
    Description
    NA
    Consequence
    NA
    Solution
    NA
  • Under Investigation

    RE-USE

    Severity
    Urgent5
    Qualys ID
    375106
    Date Published
    February 26, 2021
    CVSS Scores
    Base 7.6 / Temporal 6.6
    Description
    NA
    Consequence
    NA
    Solution
    NA
    Patches
    APSB21-11
  • CVE-2020-10773+
    Recently Published

    EulerOS Security Update for kernel (EulerOS-SA-2021-1079)

    Severity
    Critical4
    Qualys ID
    374970
    Date Published
    February 26, 2021
    Vendor Reference
    EulerOS-SA-2021-1079
    CVE Reference
    CVE-2020-10773, CVE-2019-9458, CVE-2019-20934, CVE-2020-29660, CVE-2020-14305, CVE-2020-29661, CVE-2020-29371, CVE-2020-15436, CVE-2020-15437, CVE-2020-29370, CVE-2020-14351, CVE-2020-28915, CVE-2020-28974, CVE-2020-12352, CVE-2020-0305, CVE-2020-25643, CVE-2019-3701, CVE-2019-9456, CVE-2020-12114, CVE-2020-25645, CVE-2020-0431, CVE-2020-0433, CVE-2020-25211, CVE-2020-14314, CVE-2020-25212, CVE-2020-25284, CVE-2020-25285, CVE-2020-14386
    CVSS Scores
    Base 8.1 / Temporal 7.1
    Description
    Euler has released security update for kernel to fix the vulnerabilities.

    Affected OS: EulerOS V2.0SP3

    Consequence
    An arbitrary attacker may exploit this vulnerability to compromise the system.
    Solution
    The Vendor has released security update to fix the vulnerability. For more information please visit EulerOS-SA-2021-1079
    Patches
    EulerOS-SA-2021-1079
  • CVE-2020-12695
    Recently Published

    EulerOS Security Update for wpa_supplicant (EulerOS-SA-2021-1131)

    Severity
    Critical4
    Qualys ID
    375023
    Date Published
    February 26, 2021
    Vendor Reference
    EulerOS-SA-2021-1131
    CVE Reference
    CVE-2020-12695
    CVSS Scores
    Base 7.5 / Temporal 6.5
    Description
    Euler has released security update for wpa_supplicant to fix the vulnerabilities.

    Affected OS: EulerOS V2.0SP3

    Consequence
    An arbitrary attacker may exploit this vulnerability to compromise the system.
    Solution
    The Vendor has released security update to fix the vulnerability. For more information please visit EulerOS-SA-2021-1131
    Patches
    EulerOS-SA-2021-1131
  • CVE-2020-1927+
    Recently Published

    IBM HTTP Server Multiple Vulnerabilities

    Severity
    Critical4
    Qualys ID
    87419
    Date Published
    February 26, 2021
    Vendor Reference
    Security Bulletin 6191631
    CVE Reference
    CVE-2020-1927, CVE-2020-1934
    CVSS Scores
    Base 6.1 / Temporal 5.3
    Description
    IBM HTTP Server powered by Apache is based on the Apache HTTP Server available for multiple platforms.

    Apache HTTP Server could allow a remote attacker to conduct phishing attacks, caused by an open redirect vulnerability in the mod_rewrite module. An attacker could exploit this vulnerability using a specially-crafted URL to redirect a victim to arbitrary Web sites. (CVE-2020-1927)
    Apache HTTP Server could allow a remote attacker to execute arbitrary code on the system, caused by the use of uninitialized value in mod_proxy_ftp. By sending a specially-crafted request, an attacker could exploit this vulnerability to execute arbitrary code or cause a denial of service condition on the system.(CVE-2020-1934)

    Affected Versions:
    IBM HTTP Server V9.0.0.0 through 9.0.5.3
    IBM HTTP Server V8.5.0.0 through 8.5.5.17
    IBM HTTP Server V8.0.0.0 through 8.0.0.15
    IBM HTTP Server V7.0.0.0 through 7.0.0.45

    QID Detection Logic (Un-Authenticated):
    This checks for vulnerable version of IBM HTTP server.

    Consequence
    A remote attacker could exploit this vulnerability to obtain sensitive information or cause a denial of service.
    Solution
    The vendor has released advisories and updates to fix these vulnerabilities. Refer to the following link for further details: 6191631
    Patches
    Unix 6191631
  • CVE-2018-13093+
    Recently Published

    Ubuntu Security Notification for Linux, Linux-lts-xenial Vulnerabilities (USN-4708-1)

    Severity
    Critical4
    Qualys ID
    198235
    Date Published
    February 25, 2021
    Vendor Reference
    USN-4708-1
    CVE Reference
    CVE-2018-13093, CVE-2019-19813, CVE-2019-19816, CVE-2020-25669, CVE-2020-27777
    CVSS Scores
    Base 7.8 / Temporal 6.3
    Description

    It was discovered that the XFS filesystem implementation in the Linux kernel did not properly track inode validations.

    It was discovered that the btrfs file system implementation in the Linux kernel did not properly validate file system metadata in some situations.

    It was discovered a use-after-free in the Sun keyboard driver implementation in the Linux kernel.

    It was discovered that PowerPC RTAS implementation in the Linux kernel did not properly restrict memory accesses in some situations.

    Consequence

    An attacker could use this to construct a malicious XFS image that, when mounted, could cause a denial of service (system crash). (CVE-2018-13093)

    An attacker could use this to construct a malicious btrfs image that, when mounted, could cause a denial of service (system crash). (CVE-2019-19813, CVE-2019-19816)

    A local attacker could use this to cause a denial of service or possibly execute arbitrary code. (CVE-2020-25669)

    A privileged local attacker could use this to arbitrarily modify kernel memory, potentially bypassing kernel lockdown restrictions. (CVE-2020-27777)

    Solution
    Refer to Ubuntu advisory USN-4708-1 for affected packages and patching details, or update with your package manager.
    Patches
    16.04 (Xenial) on src linux-image-4.4.0-201-generic USN-4708-1, 16.04 (Xenial) on src linux-image-4.4.0-201-generic-lpae USN-4708-1, 16.04 (Xenial) on src linux-image-4.4.0-201-lowlatency USN-4708-1, 16.04 (Xenial) on src linux-image-4.4.0-201-powerpc-e500mc USN-4708-1, 16.04 (Xenial) on src linux-image-4.4.0-201-powerpc-smp USN-4708-1, 16.04 (Xenial) on src linux-image-4.4.0-201-powerpc64-emb USN-4708-1, 16.04 (Xenial) on src linux-image-4.4.0-201-powerpc64-smp USN-4708-1, 16.04 (Xenial) on src linux-image-generic USN-4708-1, 16.04 (Xenial) on src linux-image-generic-lpae USN-4708-1, 16.04 (Xenial) on src linux-image-lowlatency USN-4708-1, 16.04 (Xenial) on src linux-image-powerpc-e500mc USN-4708-1, 16.04 (Xenial) on src linux-image-powerpc-smp USN-4708-1, 16.04 (Xenial) on src linux-image-powerpc64-emb USN-4708-1, 16.04 (Xenial) on src linux-image-powerpc64-smp USN-4708-1, 16.04 (Xenial) on src linux-image-virtual USN-4708-1
  • CVE-2020-7472
    Recently Published

    SugarCRM Install module Remote Code Execution Vulnerability (sugarcrm-sa-2020-043)

    Severity
    Critical4
    Qualys ID
    11715
    Date Published
    February 25, 2021
    Vendor Reference
    sugarcrm-sa-2020-043
    CVE Reference
    CVE-2020-7472
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description

    Sugar is a complete CRM solution that automates core sales, customer service and marketing processes, with a focus on the individual.

    A RCE (Remote Code Execution) vulnerability has been identified in the Install module. Using a specially crafted request, custom PHP code can be injected through the Install module because of missing input validation. Any user privileges can exploit this vulnerability.

    Affected Versions:
    SugarCRM 9.0 prior to 9.0.4 SugarCRM 8.0 prior to 8.0.7.

    QID detection logic:
    This unauthenticated QID checks "sugar_version.json" for vulnerable versions.

    Consequence
    Successful exploitation will allow remote attackers to execute arbitrary code.
    Solution
    For more details please refer to the sugarcrm-sa-2020-043
    Patches
    sugarcrm-sa-2020-043
  • CVE-2021-21972+
    Recently Published

    VMware vCenter Server Remote Code Execution Vulnerability (VMSA-2021-0002)

    Severity
    Urgent5
    Qualys ID
    11699
    Date Published
    February 25, 2021
    Vendor Reference
    VMSA-2021-0002
    CVE Reference
    CVE-2021-21972, CVE-2021-21973
    CVSS Scores
    Base 9.8 / Temporal 9.1
    Description
    VMware vCenter is the centralized management tool for the vSphere suite.

    The vSphere Client (HTML5) contains a remote code execution vulnerability in a vCenter Server plugin. VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.8..

    Affected Versions:
    VMware vCenter Server 7.0 prior to build 17327517
    VMware vCenter Server 6.7 prior to build 17138064
    VMware vCenter Server 6.5 prior to build 17590285

    QID Detection Logic (Unauthenticated):
    This QID is sending POST request to " ui/vropspluginui/rest/services/uploadova" to detect if the target is vulnerable or not .

    Consequence
    A malicious actor with network access to port 443 may exploit this issue to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server.
    Solution
    VMware has released patch for VMware vCenter Server 7.0/6.7/6.5 ,

    Refer to VMware advisory VMSA-2021-0002 for more information.

    Patches
    VMSA-2021-0002
  • CVE-2020-26829+
    Recently Published

    SAP NetWeaver AS Java and AS ABAP Multiple Vulnerabilities

    Severity
    Critical4
    Qualys ID
    87442
    Date Published
    February 24, 2021
    Vendor Reference
    SAP Security Patch Day - December 2020
    CVE Reference
    CVE-2020-26829, CVE-2020-26816, CVE-2020-26835
    CVSS Scores
    Base 10 / Temporal 8.7
    Description
    SAP NetWeaver Application Server (AS) or SAP Web Application Server is a component of the solution which works as a web application server to SAP solutions.

    SAP NetWeaver Application Server Java and ABAP are exposed to following vulnerabilities:

    Missing Authentication Check In SAP NetWeaver AS JAVA (P2P Cluster Communication) (CVE-2020-26829) Missing Encryption in SAP NetWeaver AS Java (Key Storage Service) (CVE-2020-26816).

    Affected Versions
    SAP NetWeaver AS JAVA Versions - 7.10, 7.11, 7.20 ,7.30, 7.31, 7.40 , 7.50. SAP NetWeaver AS ABAP, Versions - 740, 750, 751, 752, 753, 754

    QID Detection Logic(s):
    Scan initiates HTTP request on Web Server and determines version based on the Server Header.

    Consequence
    A successful exploit could give an unauthenticated attacker full access to the affected SAP system.
    Solution
    Customers are advised to follow the SAP Security Patch Day - December 2020 for remediation instructions.
    Patches
    SAP SAP Security Patch Day – December 2020
  • Recently Published

    Splunk Accessible Using Default Credentials

    Severity
    Urgent5
    Qualys ID
    11406
    Date Published
    February 23, 2021
    Vendor Reference
    Splunk
    CVSS Scores
    Base 9.8 / Temporal 9.3
    Description
    Splunk Inc. is an American public multinational corporation based in San Francisco, California, that produces software for searching, monitoring, and analyzing machine-generated big data via a Web-style interface.

    QID Detection Logic:
    QID checks if the login page can be accessible using default credentials (username: admin, password: changeme).

    Consequence

    A remote attacker could exploit this to perform sensitive actions and take control over the device.

    Solution

    Customers are advised not to use default credentials for Splunk.

  • CVE-2020-14803+
    Recently Published

    SUSE Enterprise Linux Security Update for java-1_7_1-ibm (SUSE-SU-2021:0512-1)

    Severity
    Critical4
    Qualys ID
    174639
    Date Published
    February 22, 2021
    Vendor Reference
    SUSE-SU-2021:0512-1
    CVE Reference
    CVE-2020-14803, CVE-2020-27221
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description
    SUSE has released security update for java-1_7_1-ibm to fix the vulnerabilities.

    Affected Products:
    SUSE Linux Enterprise Software Development Kit 12-SP5
    SUSE Linux Enterprise Server for SAP 12-SP4
    SUSE Linux Enterprise Server for SAP 12-SP3
    SUSE Linux Enterprise Server for SAP 12-SP2
    SUSE Linux Enterprise Server 12-SP5

    Consequence
    An arbitrary attacker may exploit this vulnerability to compromise the system.
    Solution
    Upgrade to the latest packages which contain a patch. To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product.

    To install packages using the command line interface, use the command "yum update".

    Refer to Suse security advisory SUSE-SU-2021:0512-1 to address this issue and obtain further details.

    Patches
    SUSE Enterprise Linux SUSE-SU-2021:0512-1
  • CVE-2021-26937
    Recently Published

    SUSE Enterprise Linux Security Update for screen (SUSE-SU-2021:0492-1)

    Severity
    Critical4
    Qualys ID
    174633
    Date Published
    February 22, 2021
    Vendor Reference
    SUSE-SU-2021:0492-1
    CVE Reference
    CVE-2021-26937
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description
    SUSE has released security update for screen to fix the vulnerabilities.

    Affected Products:
    SUSE Linux Enterprise Server for SAP 15-SP1
    SUSE Linux Enterprise Server for SAP 15
    SUSE Linux Enterprise Module for Basesystem 15-SP3
    SUSE Linux Enterprise Module for Basesystem 15-SP2

    Consequence
    An arbitrary attacker may exploit this vulnerability to compromise the system.
    Solution
    Upgrade to the latest packages which contain a patch. To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product.

    To install packages using the command line interface, use the command "yum update".

    Refer to Suse security advisory SUSE-SU-2021:0492-1 to address this issue and obtain further details.

    Patches
    SUSE Enterprise Linux SUSE-SU-2021:0492-1
  • CVE-2021-26937
    Recently Published

    SUSE Enterprise Linux Security Update for screen (SUSE-SU-2021:0491-1)

    Severity
    Critical4
    Qualys ID
    174632
    Date Published
    February 22, 2021
    Vendor Reference
    SUSE-SU-2021:0491-1
    CVE Reference
    CVE-2021-26937
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description
    SUSE has released security update for screen to fix the vulnerabilities.

    Affected Products:
    SUSE Linux Enterprise Server for SAP 12-SP4
    SUSE Linux Enterprise Server for SAP 12-SP3
    SUSE Linux Enterprise Server for SAP 12-SP2
    SUSE Linux Enterprise Server 12-SP5

    Consequence
    An arbitrary attacker may exploit this vulnerability to compromise the system.
    Solution
    Upgrade to the latest packages which contain a patch. To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product.

    To install packages using the command line interface, use the command "yum update".

    Refer to Suse security advisory SUSE-SU-2021:0491-1 to address this issue and obtain further details.

    Patches
    SUSE Enterprise Linux SUSE-SU-2021:0491-1
  • CVE-2019-20916+
    Recently Published

    SUSE Enterprise Linux Security Update for python (SUSE-SU-2021:0432-1)

    Severity
    Critical4
    Qualys ID
    174612
    Date Published
    February 22, 2021
    Vendor Reference
    SUSE-SU-2021:0432-1
    CVE Reference
    CVE-2019-20916, CVE-2021-3177
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description
    SUSE has released security update for python to fix the vulnerabilities.

    Affected Products:
    SUSE Linux Enterprise Server for SAP 12-SP4
    SUSE Linux Enterprise Server for SAP 12-SP3
    SUSE Linux Enterprise Server for SAP 12-SP2
    SUSE Linux Enterprise Server 12-SP5

    Consequence
    An arbitrary attacker may exploit this vulnerability to compromise the system.
    Solution
    Upgrade to the latest packages which contain a patch. To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product.

    To install packages using the command line interface, use the command "yum update".

    Refer to Suse security advisory SUSE-SU-2021:0432-1 to address this issue and obtain further details.

    Patches
    SUSE Enterprise Linux SUSE-SU-2021:0432-1
  • CVE-2018-10902+
    Recently Published

    SUSE Enterprise Linux Security Update for the Linux Kernel (SUSE-SU-2021:0452-1)

    Severity
    Critical4
    Qualys ID
    174624
    Date Published
    February 22, 2021
    Vendor Reference
    SUSE-SU-2021:0452-1
    CVE Reference
    CVE-2018-10902, CVE-2019-20934, CVE-2020-0444, CVE-2020-0465, CVE-2020-0466, CVE-2020-11668, CVE-2020-15436, CVE-2020-15437, CVE-2020-25211, CVE-2020-25285, CVE-2020-25669, CVE-2020-27068, CVE-2020-27777, CVE-2020-27786, CVE-2020-27825, CVE-2020-27835, CVE-2020-28915, CVE-2020-28974, CVE-2020-29568, CVE-2020-29569, CVE-2020-29660, CVE-2020-29661, CVE-2020-36158, CVE-2020-4788, CVE-2021-3347
    CVSS Scores
    Base 8.8 / Temporal 7.7
    Description
    SUSE has released security update for the linux kernel to fix the vulnerabilities.

    Affected Products:
    SUSE Linux Enterprise Server for SAP 12-SP3

    Consequence
    An arbitrary attacker may exploit this vulnerability to compromise the system.
    Solution
    Upgrade to the latest packages which contain a patch. To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product.

    To install packages using the command line interface, use the command "yum update".

    Refer to Suse security advisory SUSE-SU-2021:0452-1 to address this issue and obtain further details.

    Patches
    SUSE Enterprise Linux SUSE-SU-2021:0452-1
  • CVE-2019-20806+
    Recently Published

    SUSE Enterprise Linux Security Update for the Linux Kernel (SUSE-SU-2021:0438-1)

    Severity
    Critical4
    Qualys ID
    174619
    Date Published
    February 22, 2021
    Vendor Reference
    SUSE-SU-2021:0438-1
    CVE Reference
    CVE-2019-20806, CVE-2019-20934, CVE-2020-0444, CVE-2020-0465, CVE-2020-0466, CVE-2020-10781, CVE-2020-11668, CVE-2020-15436, CVE-2020-15437, CVE-2020-25211, CVE-2020-25639, CVE-2020-25669, CVE-2020-27068, CVE-2020-27777, CVE-2020-27786, CVE-2020-27825, CVE-2020-27835, CVE-2020-28374, CVE-2020-28915, CVE-2020-28974, CVE-2020-29371, CVE-2020-29568, CVE-2020-29569, CVE-2020-29660, CVE-2020-29661, CVE-2020-36158, CVE-2020-4788, CVE-2021-3347, CVE-2021-3348
    CVSS Scores
    Base 8.8 / Temporal 7.7
    Description
    SUSE has released security update for the linux kernel to fix the vulnerabilities.

    Affected Products:
    SUSE Linux Enterprise Server for SAP 15
    SUSE Linux Enterprise Module for Live Patching 15

    Consequence
    An arbitrary attacker may exploit this vulnerability to compromise the system.
    Solution
    Upgrade to the latest packages which contain a patch. To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product.

    To install packages using the command line interface, use the command "yum update".

    Refer to Suse security advisory SUSE-SU-2021:0438-1 to address this issue and obtain further details.

    Patches
    SUSE Enterprise Linux SUSE-SU-2021:0438-1
  • CVE-2019-19063+
    Recently Published

    SUSE Enterprise Linux Security Update for the Linux Kernel (SUSE-SU-2021:0437-1)

    Severity
    Critical4
    Qualys ID
    174614
    Date Published
    February 22, 2021
    Vendor Reference
    SUSE-SU-2021:0437-1
    CVE Reference
    CVE-2019-19063, CVE-2019-20934, CVE-2019-6133, CVE-2020-0444, CVE-2020-0465, CVE-2020-0466, CVE-2020-11668, CVE-2020-15436, CVE-2020-15437, CVE-2020-25211, CVE-2020-25285, CVE-2020-25668, CVE-2020-25669, CVE-2020-27068, CVE-2020-27673, CVE-2020-27777, CVE-2020-27786, CVE-2020-27825, CVE-2020-28915, CVE-2020-28974, CVE-2020-29568, CVE-2020-29569, CVE-2020-29660, CVE-2020-29661, CVE-2020-36158, CVE-2021-3347
    CVSS Scores
    Base 8.8 / Temporal 7.7
    Description
    SUSE has released security update for the linux kernel to fix the vulnerabilities.

    Affected Products:
    SUSE Linux Enterprise Server for SAP 12-SP2

    Consequence
    An arbitrary attacker may exploit this vulnerability to compromise the system.
    Solution
    Upgrade to the latest packages which contain a patch. To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product.

    To install packages using the command line interface, use the command "yum update".

    Refer to Suse security advisory SUSE-SU-2021:0437-1 to address this issue and obtain further details.

    Patches
    SUSE Enterprise Linux SUSE-SU-2021:0437-1
  • CVE-2019-20934+
    Recently Published

    SUSE Enterprise Linux Security Update for the Linux Kernel (SUSE-SU-2021:0434-1)

    Severity
    Critical4
    Qualys ID
    174611
    Date Published
    February 22, 2021
    Vendor Reference
    SUSE-SU-2021:0434-1
    CVE Reference
    CVE-2019-20934, CVE-2020-0444, CVE-2020-0465, CVE-2020-0466, CVE-2020-15436, CVE-2020-15437, CVE-2020-25211, CVE-2020-25639, CVE-2020-25669, CVE-2020-27068, CVE-2020-27777, CVE-2020-27786, CVE-2020-27825, CVE-2020-27835, CVE-2020-28374, CVE-2020-28915, CVE-2020-28974, CVE-2020-29371, CVE-2020-29568, CVE-2020-29569, CVE-2020-29660, CVE-2020-29661, CVE-2020-36158, CVE-2020-4788, CVE-2021-3347, CVE-2021-3348
    CVSS Scores
    Base 8.8 / Temporal 7.7
    Description
    SUSE has released security update for the linux kernel to fix the vulnerabilities.

    Affected Products:
    SUSE Linux Enterprise Server for SAP 12-SP4

    Consequence
    An arbitrary attacker may exploit this vulnerability to compromise the system.
    Solution
    Upgrade to the latest packages which contain a patch. To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product.

    To install packages using the command line interface, use the command "yum update".

    Refer to Suse security advisory SUSE-SU-2021:0434-1 to address this issue and obtain further details.

    Patches
    SUSE Enterprise Linux SUSE-SU-2021:0434-1
  • CVE-2020-8625
    Recently Published

    SUSE Enterprise Linux Security Update for bind (SUSE-SU-2021:0503-1)

    Severity
    Critical4
    Qualys ID
    174638
    Date Published
    February 22, 2021
    Vendor Reference
    SUSE-SU-2021:0503-1
    CVE Reference
    CVE-2020-8625
    CVSS Scores
    Base 8.1 / Temporal 7.1
    Description
    SUSE has released security update for bind to fix the vulnerabilities.

    Affected Products:
    SUSE Linux Enterprise Software Development Kit 12-SP5
    SUSE Linux Enterprise Server for SAP 12-SP4
    SUSE Linux Enterprise Server 12-SP5

    Consequence
    An arbitrary attacker may exploit this vulnerability to compromise the system.
    Solution
    Upgrade to the latest packages which contain a patch. To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product.

    To install packages using the command line interface, use the command "yum update".

    Refer to Suse security advisory SUSE-SU-2021:0503-1 to address this issue and obtain further details.

    Patches
    SUSE Enterprise Linux SUSE-SU-2021:0503-1
  • CVE-2020-8625
    Recently Published

    SUSE Enterprise Linux Security Update for bind (SUSE-SU-2021:0504-1)

    Severity
    Critical4
    Qualys ID
    174637
    Date Published
    February 22, 2021
    Vendor Reference
    SUSE-SU-2021:0504-1
    CVE Reference
    CVE-2020-8625
    CVSS Scores
    Base 8.1 / Temporal 7.1
    Description
    SUSE has released security update for bind to fix the vulnerabilities.

    Affected Products:
    SUSE Linux Enterprise Server for SAP 12-SP3
    SUSE Linux Enterprise Server for SAP 12-SP2

    Consequence
    An arbitrary attacker may exploit this vulnerability to compromise the system.
    Solution
    Upgrade to the latest packages which contain a patch. To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product.

    To install packages using the command line interface, use the command "yum update".

    Refer to Suse security advisory SUSE-SU-2021:0504-1 to address this issue and obtain further details.

    Patches
    SUSE Enterprise Linux SUSE-SU-2021:0504-1
  • CVE-2020-8625
    Recently Published

    SUSE Enterprise Linux Security Update for bind (SUSE-SU-2021:0507-1)

    Severity
    Critical4
    Qualys ID
    174636
    Date Published
    February 22, 2021
    Vendor Reference
    SUSE-SU-2021:0507-1
    CVE Reference
    CVE-2020-8625
    CVSS Scores
    Base 8.1 / Temporal 7.1
    Description
    SUSE has released security update for bind to fix the vulnerabilities.

    Affected Products:
    SUSE Linux Enterprise Server for SAP 15-SP1
    SUSE Linux Enterprise Server for SAP 15
    SUSE Linux Enterprise Module for Server Applications 15-SP2
    SUSE Linux Enterprise Module for Basesystem 15-SP2

    Consequence
    An arbitrary attacker may exploit this vulnerability to compromise the system.
    Solution
    Upgrade to the latest packages which contain a patch. To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product.

    To install packages using the command line interface, use the command "yum update".

    Refer to Suse security advisory SUSE-SU-2021:0507-1 to address this issue and obtain further details.

    Patches
    SUSE Enterprise Linux SUSE-SU-2021:0507-1
  • CVE-2020-27828+
    Recently Published

    SUSE Enterprise Linux Security Update for jasper (SUSE-SU-2021:0488-1)

    Severity
    Critical4
    Qualys ID
    174631
    Date Published
    February 22, 2021
    Vendor Reference
    SUSE-SU-2021:0488-1
    CVE Reference
    CVE-2020-27828, CVE-2021-3272
    CVSS Scores
    Base 7.8 / Temporal 6.8
    Description
    SUSE has released security update for jasper to fix the vulnerabilities.

    Affected Products:
    SUSE Linux Enterprise Server for SAP 15-SP1
    SUSE Linux Enterprise Server for SAP 15
    SUSE Linux Enterprise Module for Desktop Applications 15-SP3
    SUSE Linux Enterprise Module for Desktop Applications 15-SP2
    SUSE Linux Enterprise Module for Basesystem 15-SP3
    SUSE Linux Enterprise Module for Basesystem 15-SP2

    Consequence
    An arbitrary attacker may exploit this vulnerability to compromise the system.
    Solution
    Upgrade to the latest packages which contain a patch. To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product.

    To install packages using the command line interface, use the command "yum update".

    Refer to Suse security advisory SUSE-SU-2021:0488-1 to address this issue and obtain further details.

    Patches
    SUSE Enterprise Linux SUSE-SU-2021:0488-1
  • CVE-2020-27828+
    Recently Published

    SUSE Enterprise Linux Security Update for jasper (SUSE-SU-2021:0489-1)

    Severity
    Critical4
    Qualys ID
    174630
    Date Published
    February 22, 2021
    Vendor Reference
    SUSE-SU-2021:0489-1
    CVE Reference
    CVE-2020-27828, CVE-2021-3272
    CVSS Scores
    Base 7.8 / Temporal 6.8
    Description
    SUSE has released security update for jasper to fix the vulnerabilities.

    Affected Products:
    SUSE Linux Enterprise Software Development Kit 12-SP5
    SUSE Linux Enterprise Server for SAP 12-SP4
    SUSE Linux Enterprise Server for SAP 12-SP3
    SUSE Linux Enterprise Server for SAP 12-SP2
    SUSE Linux Enterprise Server 12-SP5

    Consequence
    An arbitrary attacker may exploit this vulnerability to compromise the system.
    Solution
    Upgrade to the latest packages which contain a patch. To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product.

    To install packages using the command line interface, use the command "yum update".

    Refer to Suse security advisory SUSE-SU-2021:0489-1 to address this issue and obtain further details.

    Patches
    SUSE Enterprise Linux SUSE-SU-2021:0489-1
  • CVE-2021-21702
    Recently Published

    SUSE Enterprise Linux Security Update for php72 (SUSE-SU-2021:0498-1)

    Severity
    Critical4
    Qualys ID
    174635
    Date Published
    February 22, 2021
    Vendor Reference
    SUSE-SU-2021:0498-1
    CVE Reference
    CVE-2021-21702
    CVSS Scores
    Base 7.5 / Temporal 6.5
    Description
    SUSE has released security update for php72 to fix the vulnerabilities.

    Affected Products:
    SUSE Linux Enterprise Software Development Kit 12-SP5
    SUSE Linux Enterprise Module for Web Scripting 12

    Consequence
    An arbitrary attacker may exploit this vulnerability to compromise the system.
    Solution
    Upgrade to the latest packages which contain a patch. To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product.

    To install packages using the command line interface, use the command "yum update".

    Refer to Suse security advisory SUSE-SU-2021:0498-1 to address this issue and obtain further details.

    Patches
    SUSE Enterprise Linux SUSE-SU-2021:0498-1
  • CVE-2021-0326
    Recently Published

    SUSE Enterprise Linux Security Update for wpa_supplicant (SUSE-SU-2021:0477-1)

    Severity
    Critical4
    Qualys ID
    174627
    Date Published
    February 22, 2021
    Vendor Reference
    SUSE-SU-2021:0477-1
    CVE Reference
    CVE-2021-0326
    CVSS Scores
    Base 7.5 / Temporal 6.5
    Description
    SUSE has released security update for wpa_supplicant to fix the vulnerabilities.

    Affected Products:
    SUSE Linux Enterprise Server 12-SP5

    Consequence
    An arbitrary attacker may exploit this vulnerability to compromise the system.
    Solution
    Upgrade to the latest packages which contain a patch. To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product.

    To install packages using the command line interface, use the command "yum update".

    Refer to Suse security advisory SUSE-SU-2021:0477-1 to address this issue and obtain further details.

    Patches
    SUSE Enterprise Linux SUSE-SU-2021:0477-1
  • CVE-2019-16275+
    Recently Published

    SUSE Enterprise Linux Security Update for wpa_supplicant (SUSE-SU-2021:0478-1)

    Severity
    Critical4
    Qualys ID
    174626
    Date Published
    February 22, 2021
    Vendor Reference
    SUSE-SU-2021:0478-1
    CVE Reference
    CVE-2019-16275, CVE-2021-0326
    CVSS Scores
    Base 7.5 / Temporal 6.5
    Description
    SUSE has released security update for wpa_supplicant to fix the vulnerabilities.

    Affected Products:
    SUSE Linux Enterprise Server for SAP 12-SP4
    SUSE Linux Enterprise Server for SAP 12-SP3
    SUSE Linux Enterprise Server for SAP 12-SP2

    Consequence
    An arbitrary attacker may exploit this vulnerability to compromise the system.
    Solution
    Upgrade to the latest packages which contain a patch. To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product.

    To install packages using the command line interface, use the command "yum update".

    Refer to Suse security advisory SUSE-SU-2021:0478-1 to address this issue and obtain further details.

    Patches
    SUSE Enterprise Linux SUSE-SU-2021:0478-1
  • CVE-2020-35498
    Recently Published

    SUSE Enterprise Linux Security Update for openvswitch (SUSE-SU-2021:0479-1)

    Severity
    Critical4
    Qualys ID
    174625
    Date Published
    February 22, 2021
    Vendor Reference
    SUSE-SU-2021:0479-1
    CVE Reference
    CVE-2020-35498
    CVSS Scores
    Base 7.5 / Temporal 6.5
    Description
    SUSE has released security update for openvswitch to fix the vulnerabilities.

    Affected Products:
    SUSE Linux Enterprise Server for SAP 12-SP4

    Consequence
    An arbitrary attacker may exploit this vulnerability to compromise the system.
    Solution
    Upgrade to the latest packages which contain a patch. To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product.

    To install packages using the command line interface, use the command "yum update".

    Refer to Suse security advisory SUSE-SU-2021:0479-1 to address this issue and obtain further details.

    Patches
    SUSE Enterprise Linux SUSE-SU-2021:0479-1
  • CVE-2020-35498
    Recently Published

    SUSE Enterprise Linux Security Update for openvswitch (SUSE-SU-2021:0451-1)

    Severity
    Critical4
    Qualys ID
    174623
    Date Published
    February 22, 2021
    Vendor Reference
    SUSE-SU-2021:0451-1
    CVE Reference
    CVE-2020-35498
    CVSS Scores
    Base 7.5 / Temporal 6.5
    Description
    SUSE has released security update for openvswitch to fix the vulnerabilities.

    Affected Products:
    SUSE Linux Enterprise Server for SAP 12-SP2

    Consequence
    An arbitrary attacker may exploit this vulnerability to compromise the system.
    Solution
    Upgrade to the latest packages which contain a patch. To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product.

    To install packages using the command line interface, use the command "yum update".

    Refer to Suse security advisory SUSE-SU-2021:0451-1 to address this issue and obtain further details.

    Patches
    SUSE Enterprise Linux SUSE-SU-2021:0451-1
  • CVE-2020-35498
    Recently Published

    SUSE Enterprise Linux Security Update for openvswitch (SUSE-SU-2021:0446-1)

    Severity
    Critical4
    Qualys ID
    174621
    Date Published
    February 22, 2021
    Vendor Reference
    SUSE-SU-2021:0446-1
    CVE Reference
    CVE-2020-35498
    CVSS Scores
    Base 7.5 / Temporal 6.5
    Description
    SUSE has released security update for openvswitch to fix the vulnerabilities.

    Affected Products:
    SUSE Linux Enterprise Server for SAP 12-SP3

    Consequence
    An arbitrary attacker may exploit this vulnerability to compromise the system.
    Solution
    Upgrade to the latest packages which contain a patch. To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product.

    To install packages using the command line interface, use the command "yum update".

    Refer to Suse security advisory SUSE-SU-2021:0446-1 to address this issue and obtain further details.

    Patches
    SUSE Enterprise Linux SUSE-SU-2021:0446-1
  • CVE-2021-0326
    Recently Published

    SUSE Enterprise Linux Security Update for wpa_supplicant (SUSE-SU-2021:0443-1)

    Severity
    Critical4
    Qualys ID
    174618
    Date Published
    February 22, 2021
    Vendor Reference
    SUSE-SU-2021:0443-1
    CVE Reference
    CVE-2021-0326
    CVSS Scores
    Base 7.5 / Temporal 6.5
    Description
    SUSE has released security update for wpa_supplicant to fix the vulnerabilities.

    Affected Products:
    SUSE Linux Enterprise Server for SAP 15-SP1
    SUSE Linux Enterprise Server for SAP 15
    SUSE Linux Enterprise Module for Basesystem 15-SP2

    Consequence
    An arbitrary attacker may exploit this vulnerability to compromise the system.
    Solution
    Upgrade to the latest packages which contain a patch. To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product.

    To install packages using the command line interface, use the command "yum update".

    Refer to Suse security advisory SUSE-SU-2021:0443-1 to address this issue and obtain further details.

    Patches
    SUSE Enterprise Linux SUSE-SU-2021:0443-1
  • CVE-2020-35498
    Recently Published

    SUSE Enterprise Linux Security Update for openvswitch (SUSE-SU-2021:0436-1)

    Severity
    Critical4
    Qualys ID
    174617
    Date Published
    February 22, 2021
    Vendor Reference
    SUSE-SU-2021:0436-1
    CVE Reference
    CVE-2020-35498
    CVSS Scores
    Base 7.5 / Temporal 6.5
    Description
    SUSE has released security update for openvswitch to fix the vulnerabilities.

    Affected Products:
    SUSE Linux Enterprise Module for Server Applications 15-SP2
    SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP2

    Consequence
    An arbitrary attacker may exploit this vulnerability to compromise the system.
    Solution
    Upgrade to the latest packages which contain a patch. To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product.

    To install packages using the command line interface, use the command "yum update".

    Refer to Suse security advisory SUSE-SU-2021:0436-1 to address this issue and obtain further details.

    Patches
    SUSE Enterprise Linux SUSE-SU-2021:0436-1
  • CVE-2020-35498
    Recently Published

    SUSE Enterprise Linux Security Update for openvswitch (SUSE-SU-2021:0440-1)

    Severity
    Critical4
    Qualys ID
    174616
    Date Published
    February 22, 2021
    Vendor Reference
    SUSE-SU-2021:0440-1
    CVE Reference
    CVE-2020-35498
    CVSS Scores
    Base 7.5 / Temporal 6.5
    Description
    SUSE has released security update for openvswitch to fix the vulnerabilities.

    Affected Products:
    SUSE Linux Enterprise Server for SAP 15

    Consequence
    An arbitrary attacker may exploit this vulnerability to compromise the system.
    Solution
    Upgrade to the latest packages which contain a patch. To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product.

    To install packages using the command line interface, use the command "yum update".

    Refer to Suse security advisory SUSE-SU-2021:0440-1 to address this issue and obtain further details.

    Patches
    SUSE Enterprise Linux SUSE-SU-2021:0440-1
  • CVE-2020-28473
    Recently Published

    SUSE Enterprise Linux Security Update for python-bottle (SUSE-SU-2021:0483-1)

    Severity
    Critical4
    Qualys ID
    174628
    Date Published
    February 22, 2021
    Vendor Reference
    SUSE-SU-2021:0483-1
    CVE Reference
    CVE-2020-28473
    CVSS Scores
    Base 6.8 / Temporal 5.9
    Description
    SUSE has released security update for python-bottle to fix the vulnerabilities.

    Affected Products:
    SUSE Linux Enterprise Module for Python2 15-SP2
    SUSE Linux Enterprise Module for Desktop Applications 15-SP2

    Consequence
    An arbitrary attacker may exploit this vulnerability to compromise the system.
    Solution
    Upgrade to the latest packages which contain a patch. To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product.

    To install packages using the command line interface, use the command "yum update".

    Refer to Suse security advisory SUSE-SU-2021:0483-1 to address this issue and obtain further details.

    Patches
    SUSE Enterprise Linux SUSE-SU-2021:0483-1
  • CVE-2020-15257+
    Recently Published

    SUSE Enterprise Linux Security Update for containerd, docker, docker-runc, golang-github-docker-libnetwork (SUSE-SU-2021:0435-1)

    Severity
    Critical4
    Qualys ID
    174613
    Date Published
    February 22, 2021
    Vendor Reference
    SUSE-SU-2021:0435-1
    CVE Reference
    CVE-2020-15257, CVE-2021-21284, CVE-2021-21285
    CVSS Scores
    Base 6.8 / Temporal 5.9
    Description
    SUSE has released security update for containerd, docker, docker-runc, golang-github-docker-libnetwork to fix the vulnerabilities.

    Affected Products:
    SUSE Linux Enterprise Server for SAP 15-SP1
    SUSE Linux Enterprise Module for Containers 15-SP3
    SUSE Linux Enterprise Module for Containers 15-SP2

    Consequence
    An arbitrary attacker may exploit this vulnerability to compromise the system.
    Solution
    Upgrade to the latest packages which contain a patch. To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product.

    To install packages using the command line interface, use the command "yum update".

    Refer to Suse security advisory SUSE-SU-2021:0435-1 to address this issue and obtain further details.

    Patches
    SUSE Enterprise Linux SUSE-SU-2021:0435-1
  • CVE-2020-14355+
    Recently Published

    EulerOS Security Update for spice-gtk (EulerOS-SA-2021-1233)

    Severity
    Urgent5
    Qualys ID
    375169
    Date Published
    February 22, 2021
    Vendor Reference
    EulerOS-SA-2021-1233
    CVE Reference
    CVE-2020-14355, CVE-2017-12194
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description
    Euler has released security update for spice-gtk to fix the vulnerabilities.

    Affected OS: EulerOS V2.0SP5

    Consequence
    An arbitrary attacker may exploit this vulnerability to compromise the system.
    Solution
    The Vendor has released security update to fix the vulnerability. For more information please visit EulerOS-SA-2021-1233
    Patches
    EulerOS-SA-2021-1233
  • CVE-2017-1000082+
    Recently Published

    EulerOS Security Update for systemd (EulerOS-SA-2021-1258)

    Severity
    Urgent5
    Qualys ID
    375144
    Date Published
    February 22, 2021
    Vendor Reference
    EulerOS-SA-2021-1258
    CVE Reference
    CVE-2017-1000082, CVE-2020-13776
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description
    Euler has released security update for systemd to fix the vulnerabilities.

    Affected OS: EulerOS V2.0SP9

    Consequence
    An arbitrary attacker may exploit this vulnerability to compromise the system.
    Solution
    The Vendor has released security update to fix the vulnerability. For more information please visit EulerOS-SA-2021-1258
    Patches
    EulerOS-SA-2021-1258
  • CVE-2017-1000082+
    Recently Published

    EulerOS Security Update for systemd (EulerOS-SA-2021-1277)

    Severity
    Urgent5
    Qualys ID
    375123
    Date Published
    February 22, 2021
    Vendor Reference
    EulerOS-SA-2021-1277
    CVE Reference
    CVE-2017-1000082, CVE-2020-13776
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description
    Euler has released security update for systemd to fix the vulnerabilities.

    Affected OS: EulerOS V2.0SP9

    Consequence
    An arbitrary attacker may exploit this vulnerability to compromise the system.
    Solution
    The Vendor has released security update to fix the vulnerability. For more information please visit EulerOS-SA-2021-1277
    Patches
    EulerOS-SA-2021-1277
  • CVE-2016-4738
    Recently Published

    EulerOS Security Update for libxslt (EulerOS-SA-2021-1211)

    Severity
    Urgent5
    Qualys ID
    375191
    Date Published
    February 22, 2021
    Vendor Reference
    EulerOS-SA-2021-1211
    CVE Reference
    CVE-2016-4738
    CVSS Scores
    Base 8.8 / Temporal 7.7
    Description
    Euler has released security update for libxslt to fix the vulnerabilities.

    Affected OS: EulerOS V2.0SP5

    Consequence
    An arbitrary attacker may exploit this vulnerability to compromise the system.
    Solution
    The Vendor has released security update to fix the vulnerability. For more information please visit EulerOS-SA-2021-1211
    Patches
    EulerOS-SA-2021-1211
  • CVE-2016-9942+
    Recently Published

    EulerOS Security Update for libvncserver (EulerOS-SA-2021-1208)

    Severity
    Critical4
    Qualys ID
    375194
    Date Published
    February 22, 2021
    Vendor Reference
    EulerOS-SA-2021-1208
    CVE Reference
    CVE-2016-9942, CVE-2017-18922
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description
    Euler has released security update for libvncserver to fix the vulnerabilities.

    Affected OS: EulerOS V2.0SP5

    Consequence
    An arbitrary attacker may exploit this vulnerability to compromise the system.
    Solution
    The Vendor has released security update to fix the vulnerability. For more information please visit EulerOS-SA-2021-1208
    Patches
    EulerOS-SA-2021-1208
  • CVE-2017-7467
    Recently Published

    EulerOS Security Update for minicom (EulerOS-SA-2021-1214)

    Severity
    Critical4
    Qualys ID
    375188
    Date Published
    February 22, 2021
    Vendor Reference
    EulerOS-SA-2021-1214
    CVE Reference
    CVE-2017-7467
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description
    Euler has released security update for minicom to fix the vulnerabilities.

    Affected OS: EulerOS V2.0SP5

    Consequence
    An arbitrary attacker may exploit this vulnerability to compromise the system.
    Solution
    The Vendor has released security update to fix the vulnerability. For more information please visit EulerOS-SA-2021-1214
    Patches
    EulerOS-SA-2021-1214
  • CVE-2017-14040+
    Recently Published

    EulerOS Security Update for openjpeg (EulerOS-SA-2021-1220)

    Severity
    Critical4
    Qualys ID
    375182
    Date Published
    February 22, 2021
    Vendor Reference
    EulerOS-SA-2021-1220
    CVE Reference
    CVE-2017-14040, CVE-2017-14041, CVE-2017-17479
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description
    Euler has released security update for openjpeg to fix the vulnerabilities.

    Affected OS: EulerOS V2.0SP5

    Consequence
    An arbitrary attacker may exploit this vulnerability to compromise the system.
    Solution
    The Vendor has released security update to fix the vulnerability. For more information please visit EulerOS-SA-2021-1220
    Patches
    EulerOS-SA-2021-1220
  • CVE-2016-1246+
    Recently Published

    EulerOS Security Update for perl-DBD-MySQL (EulerOS-SA-2021-1223)

    Severity
    Critical4
    Qualys ID
    375179
    Date Published
    February 22, 2021
    Vendor Reference
    EulerOS-SA-2021-1223
    CVE Reference
    CVE-2016-1246, CVE-2017-10788, CVE-2016-1249, CVE-2015-3152, CVE-2017-10789
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description
    Euler has released security update for perl-DBD-MySQL to fix the vulnerabilities.

    Affected OS: EulerOS V2.0SP5

    Consequence
    An arbitrary attacker may exploit this vulnerability to compromise the system.
    Solution
    The Vendor has released security update to fix the vulnerability. For more information please visit EulerOS-SA-2021-1223
    Patches
    EulerOS-SA-2021-1223
  • CVE-2020-27619+
    Recently Published

    EulerOS Security Update for python (EulerOS-SA-2021-1226)

    Severity
    Critical4
    Qualys ID
    375176
    Date Published
    February 22, 2021
    Vendor Reference
    EulerOS-SA-2021-1226
    CVE Reference
    CVE-2020-27619, CVE-2020-26116
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description
    Euler has released security update for python to fix the vulnerabilities.

    Affected OS: EulerOS V2.0SP5

    Consequence
    An arbitrary attacker may exploit this vulnerability to compromise the system.
    Solution
    The Vendor has released security update to fix the vulnerability. For more information please visit EulerOS-SA-2021-1226
    Patches
    EulerOS-SA-2021-1226
  • CVE-2020-35653+
    Recently Published

    EulerOS Security Update for python-pillow (EulerOS-SA-2021-1254)

    Severity
    Critical4
    Qualys ID
    375148
    Date Published
    February 22, 2021
    Vendor Reference
    EulerOS-SA-2021-1254
    CVE Reference
    CVE-2020-35653, CVE-2020-5313, CVE-2020-10994, CVE-2020-5311, CVE-2020-11538, CVE-2019-19911, CVE-2020-5310, CVE-2020-5311, CVE-2020-5312, CVE-2020-10379, CVE-2019-16865, CVE-2020-10378, CVE-2020-10177
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description
    Euler has released security update for python-pillow to fix the vulnerabilities.

    Affected OS: EulerOS V2.0SP9

    Consequence
    An arbitrary attacker may exploit this vulnerability to compromise the system.
    Solution
    The Vendor has released security update to fix the vulnerability. For more information please visit EulerOS-SA-2021-1254
    Patches
    EulerOS-SA-2021-1254
  • CVE-2020-35653+
    Recently Published

    EulerOS Security Update for python-pillow (EulerOS-SA-2021-1273)

    Severity
    Critical4
    Qualys ID
    375129
    Date Published
    February 22, 2021
    Vendor Reference
    EulerOS-SA-2021-1273
    CVE Reference
    CVE-2020-35653, CVE-2020-5313, CVE-2020-10994, CVE-2020-5311, CVE-2020-11538, CVE-2019-19911, CVE-2020-5310, CVE-2020-5311, CVE-2020-5312, CVE-2020-10379, CVE-2019-16865, CVE-2020-10378, CVE-2020-10177
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description
    Euler has released security update for python-pillow to fix the vulnerabilities.

    Affected OS: EulerOS V2.0SP9

    Consequence
    An arbitrary attacker may exploit this vulnerability to compromise the system.
    Solution
    The Vendor has released security update to fix the vulnerability. For more information please visit EulerOS-SA-2021-1273
    Patches
    EulerOS-SA-2021-1273
  • CVE-2020-14374+
    Recently Published

    EulerOS Security Update for dpdk (EulerOS-SA-2021-1241)

    Severity
    Critical4
    Qualys ID
    375161
    Date Published
    February 22, 2021
    Vendor Reference
    EulerOS-SA-2021-1241
    CVE Reference
    CVE-2020-14374, CVE-2020-14375, CVE-2020-14376, CVE-2020-14377, CVE-2020-14378
    CVSS Scores
    Base 8.8 / Temporal 7.7
    Description
    Euler has released security update for dpdk to fix the vulnerabilities.

    Affected OS: EulerOS V2.0SP5

    Consequence
    An arbitrary attacker may exploit this vulnerability to compromise the system.
    Solution
    The Vendor has released security update to fix the vulnerability. For more information please visit EulerOS-SA-2021-1241
    Patches
    EulerOS-SA-2021-1241
  • CVE-2020-28374+
    Recently Published

    EulerOS Security Update for kernel (EulerOS-SA-2021-1246)

    Severity
    Critical4
    Qualys ID
    375156
    Date Published
    February 22, 2021
    Vendor Reference
    EulerOS-SA-2021-1246
    CVE Reference
    CVE-2020-28374, CVE-2020-29568, CVE-2020-29569, CVE-2020-36158
    CVSS Scores
    Base 8.8 / Temporal 7.7
    Description
    Euler has released security update for kernel to fix the vulnerabilities.

    Affected OS: EulerOS V2.0SP9

    Consequence
    An arbitrary attacker may exploit this vulnerability to compromise the system.
    Solution
    The Vendor has released security update to fix the vulnerability. For more information please visit EulerOS-SA-2021-1246
    Patches
    EulerOS-SA-2021-1246
  • CVE-2016-2342+
    Recently Published

    EulerOS Security Update for quagga (EulerOS-SA-2021-1227)

    Severity
    Critical4
    Qualys ID
    375175
    Date Published
    February 22, 2021
    Vendor Reference
    EulerOS-SA-2021-1227
    CVE Reference
    CVE-2016-2342, CVE-2016-4049, CVE-2017-3224, CVE-2017-3224
    CVSS Scores
    Base 8.2 / Temporal 7.1
    Description
    Euler has released security update for quagga to fix the vulnerabilities.

    Affected OS: EulerOS V2.0SP5

    Consequence
    An arbitrary attacker may exploit this vulnerability to compromise the system.
    Solution
    The Vendor has released security update to fix the vulnerability. For more information please visit EulerOS-SA-2021-1227
    Patches
    EulerOS-SA-2021-1227
  • CVE-2020-25681+
    Recently Published

    EulerOS Security Update for dnsmasq (EulerOS-SA-2021-1244)

    Severity
    Critical4
    Qualys ID
    375158
    Date Published
    February 22, 2021
    Vendor Reference
    EulerOS-SA-2021-1244
    CVE Reference
    CVE-2020-25681, CVE-2020-25682, CVE-2020-25683, CVE-2020-25685, CVE-2020-25686, CVE-2020-25684, CVE-2020-25684, CVE-2020-25685, CVE-2020-25684, CVE-2020-25686, CVE-2020-25687
    CVSS Scores
    Base 8.1 / Temporal 7.1
    Description
    Euler has released security update for dnsmasq to fix the vulnerabilities.

    Affected OS: EulerOS V2.0SP9

    Consequence
    An arbitrary attacker may exploit this vulnerability to compromise the system.
    Solution
    The Vendor has released security update to fix the vulnerability. For more information please visit EulerOS-SA-2021-1244
    Patches
    EulerOS-SA-2021-1244
  • CVE-2020-25681+
    Recently Published

    EulerOS Security Update for dnsmasq (EulerOS-SA-2021-1263)

    Severity
    Critical4
    Qualys ID
    375139
    Date Published
    February 22, 2021
    Vendor Reference
    EulerOS-SA-2021-1263
    CVE Reference
    CVE-2020-25681, CVE-2020-25682, CVE-2020-25683, CVE-2020-25685, CVE-2020-25686, CVE-2020-25684, CVE-2020-25684, CVE-2020-25685, CVE-2020-25684, CVE-2020-25686, CVE-2020-25687
    CVSS Scores
    Base 8.1 / Temporal 7.1
    Description
    Euler has released security update for dnsmasq to fix the vulnerabilities.

    Affected OS: EulerOS V2.0SP9

    Consequence
    An arbitrary attacker may exploit this vulnerability to compromise the system.
    Solution
    The Vendor has released security update to fix the vulnerability. For more information please visit EulerOS-SA-2021-1263
    Patches
    EulerOS-SA-2021-1263
  • CVE-2020-28374+
    Recently Published

    EulerOS Security Update for kernel (EulerOS-SA-2021-1265)

    Severity
    Critical4
    Qualys ID
    375137
    Date Published
    February 22, 2021
    Vendor Reference
    EulerOS-SA-2021-1265
    CVE Reference
    CVE-2020-28374, CVE-2020-36158, CVE-2021-0342, CVE-2020-14351, CVE-2021-3178
    CVSS Scores
    Base 8.1 / Temporal 7.1
    Description
    Euler has released security update for kernel to fix the vulnerabilities.

    Affected OS: EulerOS V2.0SP9

    Consequence
    An arbitrary attacker may exploit this vulnerability to compromise the system.
    Solution
    The Vendor has released security update to fix the vulnerability. For more information please visit EulerOS-SA-2021-1265
    Patches
    EulerOS-SA-2021-1265
  • CVE-2019-14868
    Recently Published

    EulerOS Security Update for ksh (EulerOS-SA-2021-1247)

    Severity
    Critical4
    Qualys ID
    375155
    Date Published
    February 22, 2021
    Vendor Reference
    EulerOS-SA-2021-1247
    CVE Reference
    CVE-2019-14868
    CVSS Scores
    Base 7.8 / Temporal 6.8
    Description
    Euler has released security update for ksh to fix the vulnerabilities.

    Affected OS: EulerOS V2.0SP9

    Consequence
    An arbitrary attacker may exploit this vulnerability to compromise the system.
    Solution
    The Vendor has released security update to fix the vulnerability. For more information please visit EulerOS-SA-2021-1247
    Patches
    EulerOS-SA-2021-1247
  • CVE-2021-23239+
    Recently Published

    EulerOS Security Update for sudo (EulerOS-SA-2021-1257)

    Severity
    Critical4
    Qualys ID
    375145
    Date Published
    February 22, 2021
    Vendor Reference
    EulerOS-SA-2021-1257
    CVE Reference
    CVE-2021-23239, CVE-2021-3156, CVE-2021-23240
    CVSS Scores
    Base 7.8 / Temporal 7
    Description
    Euler has released security update for sudo to fix the vulnerabilities.

    Affected OS: EulerOS V2.0SP9

    Consequence
    An arbitrary attacker may exploit this vulnerability to compromise the system.
    Solution
    The Vendor has released security update to fix the vulnerability. For more information please visit EulerOS-SA-2021-1257
    Patches
    EulerOS-SA-2021-1257
  • CVE-2019-14868
    Recently Published

    EulerOS Security Update for ksh (EulerOS-SA-2021-1266)

    Severity
    Critical4
    Qualys ID
    375136
    Date Published
    February 22, 2021
    Vendor Reference
    EulerOS-SA-2021-1266
    CVE Reference
    CVE-2019-14868
    CVSS Scores
    Base 7.8 / Temporal 6.8
    Description
    Euler has released security update for ksh to fix the vulnerabilities.

    Affected OS: EulerOS V2.0SP9

    Consequence
    An arbitrary attacker may exploit this vulnerability to compromise the system.
    Solution
    The Vendor has released security update to fix the vulnerability. For more information please visit EulerOS-SA-2021-1266
    Patches
    EulerOS-SA-2021-1266
  • CVE-2021-23239+
    Recently Published

    EulerOS Security Update for sudo (EulerOS-SA-2021-1276)

    Severity
    Critical4
    Qualys ID
    375124
    Date Published
    February 22, 2021
    Vendor Reference
    EulerOS-SA-2021-1276
    CVE Reference
    CVE-2021-23239, CVE-2021-3156, CVE-2021-23240
    CVSS Scores
    Base 7.8 / Temporal 7
    Description
    Euler has released security update for sudo to fix the vulnerabilities.

    Affected OS: EulerOS V2.0SP9

    Consequence
    An arbitrary attacker may exploit this vulnerability to compromise the system.
    Solution
    The Vendor has released security update to fix the vulnerability. For more information please visit EulerOS-SA-2021-1276
    Patches
    EulerOS-SA-2021-1276
  • CVE-2020-24455
    Recently Published

    EulerOS Security Update for tpm2-tss (EulerOS-SA-2021-1259)

    Severity
    Critical4
    Qualys ID
    375143
    Date Published
    February 22, 2021
    Vendor Reference
    EulerOS-SA-2021-1259
    CVE Reference
    CVE-2020-24455
    CVSS Scores
    Base 6.7 / Temporal 5.8
    Description
    Euler has released security update for tpm2-tss to fix the vulnerabilities.

    Affected OS: EulerOS V2.0SP9

    Consequence
    An arbitrary attacker may exploit this vulnerability to compromise the system.
    Solution
    The Vendor has released security update to fix the vulnerability. For more information please visit EulerOS-SA-2021-1259
    Patches
    EulerOS-SA-2021-1259
  • CVE-2020-24455
    Recently Published

    EulerOS Security Update for tpm2-tss (EulerOS-SA-2021-1278)

    Severity
    Critical4
    Qualys ID
    375122
    Date Published
    February 22, 2021
    Vendor Reference
    EulerOS-SA-2021-1278
    CVE Reference
    CVE-2020-24455
    CVSS Scores
    Base 6.7 / Temporal 5.8
    Description
    Euler has released security update for tpm2-tss to fix the vulnerabilities.

    Affected OS: EulerOS V2.0SP9

    Consequence
    An arbitrary attacker may exploit this vulnerability to compromise the system.
    Solution
    The Vendor has released security update to fix the vulnerability. For more information please visit EulerOS-SA-2021-1278
    Patches
    EulerOS-SA-2021-1278
  • CVE-2017-0393
    Recently Published

    EulerOS Security Update for libvpx (EulerOS-SA-2021-1209)

    Severity
    Critical4
    Qualys ID
    375193
    Date Published
    February 22, 2021
    Vendor Reference
    EulerOS-SA-2021-1209
    CVE Reference
    CVE-2017-0393
    CVSS Scores
    Base 5.5 / Temporal 4.8
    Description
    Euler has released security update for libvpx to fix the vulnerabilities.

    Affected OS: EulerOS V2.0SP5

    Consequence
    An arbitrary attacker may exploit this vulnerability to compromise the system.
    Solution
    The Vendor has released security update to fix the vulnerability. For more information please visit EulerOS-SA-2021-1209
    Patches
    EulerOS-SA-2021-1209
  • CVE-2020-17525
    Recently Published

    Red Hat Update for subversion:1.10 (RHSA-2021:0508)

    Severity
    Critical4
    Qualys ID
    239086
    Date Published
    February 22, 2021
    Vendor Reference
    RHSA-2021:0508
    CVE Reference
    CVE-2020-17525
    CVSS Scores
    Base / Temporal
    Description
    Subversion (SVN)
    is a concurrent version control system which enables one or more users to collaborate in developing and maintaining a hierarchy of files and directories while keeping a history of all changes.

    Security Fix(es): subversion: Remote unauthenticated denial of service in mod_authz_svn (CVE-2020-17525)

    Affected Products :

    Red Hat Enterprise Linux for x86_64 - Extended Update Support 8.2 x86_64
    Red Hat Enterprise Linux Server - AUS 8.2 x86_64
    Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 8.2 s390x
    Red Hat Enterprise Linux for Power, little endian - Extended Update Support 8.2 ppc64le
    Red Hat Enterprise Linux Server - TUS 8.2 x86_64
    Red Hat Enterprise Linux for ARM 64 - Extended Update Support 8.2 aarch64
    Red Hat Enterprise Linux Server (for IBM Power LE) - Update Services for SAP Solutions 8.2 ppc64le
    Red Hat Enterprise Linux Server - Update Services for SAP Solutions 8.2 x86_64

    Consequence
    On successful exploitation it could allow an attacker to execute code.
    Solution
    Upgrade to the latest packages which contain a patch. Refer to Applying Package Updates to RHEL system for details.

    Refer to Red Hat security advisory RHSA-2021:0508 to address this issue and obtain more information.

    Patches
    Red Hat Enterprise Linux RHSA-2021:0508
  • CVE-2020-17525
    Recently Published

    Red Hat Update for subversion:1.10 (RHSA-2021:0509)

    Severity
    Critical4
    Qualys ID
    239085
    Date Published
    February 22, 2021
    Vendor Reference
    RHSA-2021:0509
    CVE Reference
    CVE-2020-17525
    CVSS Scores
    Base / Temporal
    Description
    Subversion (SVN)
    is a concurrent version control system which enables one or more users to collaborate in developing and maintaining a hierarchy of files and directories while keeping a history of all changes.

    Security Fix(es): subversion: Remote unauthenticated denial of service in mod_authz_svn (CVE-2020-17525)

    Affected Products :

    Red Hat Enterprise Linux for x86_64 - Extended Update Support 8.1 x86_64
    Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 8.1 s390x
    Red Hat Enterprise Linux for Power, little endian - Extended Update Support 8.1 ppc64le
    Red Hat Enterprise Linux for ARM 64 - Extended Update Support 8.1 aarch64
    Red Hat Enterprise Linux Server (for IBM Power LE) - Update Services for SAP Solutions 8.1 ppc64le
    Red Hat Enterprise Linux Server - Update Services for SAP Solutions 8.1 x86_64

    Consequence
    On successful exploitation it could allow an attacker to execute code.
    Solution
    Upgrade to the latest packages which contain a patch. Refer to Applying Package Updates to RHEL system for details.

    Refer to Red Hat security advisory RHSA-2021:0509 to address this issue and obtain more information.

    Patches
    Red Hat Enterprise Linux RHSA-2021:0509
  • CVE-2020-26217+
    Recently Published

    Ubuntu Security Notification for Libxstream-java Vulnerabilities (USN-4714-1)

    Severity
    Critical4
    Qualys ID
    198243
    Date Published
    February 22, 2021
    Vendor Reference
    USN-4714-1
    CVE Reference
    CVE-2020-26217, CVE-2020-26258, CVE-2020-26259
    CVSS Scores
    Base 8.8 / Temporal 7
    Description

    It was discovered that XStream was vulnerable to remote code execution.

    It was discovered that XStream was vulnerable to server-side forgery attacks.

    It was discovered that XStream was vulnerable to arbitrary file deletion on the localhost.

    Consequence

    A remote attacker could run arbitrary shell commands by manipulating the processed input stream. (CVE-2020-26217)

    A remote attacker could request data from internal resources that are not publicly available only by manipulating the processed input stream. (CVE-2020-26258)

    A remote attacker could use this to delete arbitrary known files on the host as long as the executing process had sufficient rights only by manipulating the processed input stream. (CVE-2020-26259)

    Solution
    Refer to Ubuntu advisory USN-4714-1 for affected packages and patching details, or update with your package manager.
    Patches
    18.04 (bionic) on src libxstream-java USN-4714-1, 20.04 (focal) on src libxstream-java USN-4714-1
Last updated: