Vulnerability Detection Pipeline

Upcoming and New QIDs

Browse, filter by detection status, or search by CVE to get visibility into upcoming and new detections (QIDs) for all severities.

Detection Status

  • Under investigation: We are researching a detection and will publish one if it is feasible.
  • In development: We are coding a detection and will typically publish it within a few days.
  • Recently published: We have published the detection on the date indicated, and it will typically be available in the KnowledgeBase on shared platforms within a day.

Non-Qualys customers can audit their network for all published vulnerabilities by signing up for a Qualys Free Trial or Qualys Community Edition.

150 results
CVE
Title
Severity
  • CVE-2021-30499+
    In Development

    Ubuntu Security Notification for libcaca Vulnerabilities (USN-5119-1)

    Severity
    Critical4
    Qualys ID
    198545
    Vendor Reference
    USN-5119-1
    CVE Reference
    CVE-2021-30499, CVE-2021-30498
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description
    Libcaca incorrectly handled certain images.

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    an attacker could possibly use this issue to cause a crash. (
    Cve-2021-30498, cve-2021-30499).
    Solution
    Refer to Ubuntu advisory: USN-5119-1 for affected packages and patching details, or update with your package manager.
    Patches
    Ubuntu Linux USN-5119-1
  • CVE-2021-40490+
    In Development

    Ubuntu Security Notification for Linux kernel (Azure) Vulnerabilities (USN-5120-1)

    Severity
    Critical4
    Qualys ID
    198548
    Vendor Reference
    USN-5120-1
    CVE Reference
    CVE-2021-40490, CVE-2021-3759, CVE-2021-22543, CVE-2019-19449, CVE-2021-38207, CVE-2020-26541, CVE-2020-36311, CVE-2021-3612, CVE-2021-38199
    CVSS Scores
    Base 7.8 / Temporal 6.8
    Description
    The f2fs file system in the linux kernel did not properly validate metadata in some situations.
    The linux kernel did not properly enforce certain types of entries in the secure boot forbidden signature database (aka dbx) protection mechanism.
    The kvm hypervisor implementation for amd processors in the linux kernel did not ensure enough processing time was given to perform cleanups of large sev vms.
    The kvm hypervisor implementation in the linux kernel did not properly perform reference counting in some situations, leading to a use-after-free vulnerability.
    The joystick device interface in the linux kernel did not properly validate data passed via an ioctl().the linux kernel did not properly account for the memory usage of certain ipc objects.
    The nfsv4 client implementation in the linux kernel did not properly order connection setup operations.
    The xilinx ll temac device driver in the linux kernel did not properly calculate the number of buffers to be used in certain situations.
    The ext4 file system in the linux kernel contained a race condition when writing xattrs to an inode.

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    an attacker could use this to construct a malicious f2fs image that, when mounted and operated on, could cause a denial of service (system crash) or possibly execute arbitrary code. (
    Cve-2019-19449).
    An attacker could use this to bypass uefi secure boot restrictions. (
    Cve-2020-26541).
    A local attacker could use this to cause a denial of service (soft lockup) (cve-2020-36311).
    An attacker who could start and control a vm could possibly use this to expose sensitive information or execute arbitrary code. (
    Cve-2021-22543).
    A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code on systems with a joystick device registered. (
    Cve-2021-3612).
    A local attacker could use this to cause a denial of service (memory exhaustion) (cve-2021-3759).
    An attacker controlling a remote nfs server could use this to cause a denial of service on the client. (
    Cve-2021-38199).
    A remote attacker could use this to cause a denial of service (system crash) (cve-2021-38207).
    A local attacker could use this to cause a denial of service or possibly gain administrative privileges. (
    Cve-2021-40490).
    Solution
    Refer to Ubuntu advisory: USN-5120-1 for affected packages and patching details, or update with your package manager.
    Patches
    Ubuntu Linux USN-5120-1
  • CVE-2021-32028+
    In Development

    SUSE Enterprise Linux Security Update for postgresql10 (SUSE-SU-2021:3481-1)

    Severity
    Critical4
    Qualys ID
    751264
    Vendor Reference
    SUSE-SU-2021:3481-1
    CVE Reference
    CVE-2021-32028, CVE-2021-32027
    CVSS Scores
    Base 8.8 / Temporal 7.7
    Description
    This update for postgresql10 fixes the following issues: - fix for build with llvm12 on s390x. (
    Bsc#1185952) - re-enable 'icu' for postgresql 10. (
    Bsc#1179945) - add postgresqlxx-server-devel as a dependency for postgresql13-server-devel. (
    Bsc#1187751) - upgrade to version 10.18. (
    Bsc#1190177) upgrade to version 10.17 (already released for suse linux enterprise 12 sp5): - cve-2021-32027: fixed integer overflows in array subscripting calculations (bsc#1185924).
    - cve-2021-32028: fixed mishandling of junk columns in insert ... on conflict ... update target lists (bsc#1185925).
    - don't use %_stop_on_removal, because it was meant to be private and got removed from opensuse. %_
    Restart_on_update is also private, but still supported and needed for now (bsc#1183168).
    - re-enable build of the llvmjit subpackage on sle, but it will only be delivered on packagehub for now (bsc#1183118).
    - disable icu for postgresql 10 (and older) on tw (bsc#1179945).
    - fixed an issue droping irregular warning messages by removing the package. (
    Bsc#1178961) - fixed an issue when build does not build the requiements to avoid dangling symlinks in the devel package. (
    Bsc#1179765) - fix recently-added timetz test case so it works when the usa is not observing daylight savings time.

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    Successful exploitation allows attacker to compromise the system.
    Solution
    Upgrade to the latest package which contains the patch. To install this SUSE Security, Update use YaST online_update. Alternatively you can run the command listed for your product. To install packages using the command line interface, use command "yum update". Refer to Suse security advisory: SUSE-SU-2021:3481-1 to address this issue and obtain further details.
    Patches
    SUSE Enterprise Linux SUSE-SU-2021:3481-1
  • CVE-2021-21798
    In Development

    Nitro Pro Code Execution Vulnerability

    Severity
    Critical4
    Qualys ID
    375973
    Vendor Reference
    gonitro
    CVE Reference
    CVE-2021-21798
    CVSS Scores
    Base 7.8 / Temporal 6.8
    Description
    Nitro Pro allow you to create PDF files, collaborate and review, fill and save forms, add text to pages and sign PDF files.

    Affected Software:
    Nitro Pro v 13.47.4.957 and earlier

    QID Detection Logic:
    It checks for vulnerable version of Nitro Pro by checking the file version of NitroPDF.exe.

    Consequence
    Successful exploitation of vulnerability allows code execution under the context of the application. An attacker can convince a user to open a document to trigger the vulnerability.

    Solution
    Customers are advised to install the latest versions of Nitro Pro to remediate this vulnerability.
    Patches
    CVE-2021-21798
  • CVE-2021-39148+
    In Development

    OpenSUSE Security Update for xstream (openSUSE-SU-2021:3476-1)

    Severity
    Critical4
    Qualys ID
    751258
    Vendor Reference
    openSUSE-SU-2021:3476-1
    CVE Reference
    CVE-2021-39148, CVE-2021-39146, CVE-2021-39141, CVE-2021-39139, CVE-2021-39150, CVE-2021-39154, CVE-2021-39151, CVE-2021-39147, CVE-2021-39153, CVE-2021-39149, CVE-2021-39140, CVE-2021-39152, CVE-2021-39144, CVE-2021-39145
    CVSS Scores
    Base 8.8 / Temporal 7.7
    Description
    OpenSUSE has released a security update for xstream to fix the vulnerabilities.

    Affected Products:
    openSUSE Leap 15.3


    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    This vulnerability could be exploited to gain remote access to sensitive information and execute commands.
    Solution
    Upgrade to the latest packages which contain a patch. To install this OpenSUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product.

    To install packages using the command line interface, use the command "yum update".

    Refer to SUSE security advisory openSUSE-SU-2021:3476-1 to address this issue and obtain further details.

    Patches
    OpenSuse openSUSE-SU-2021:3476-1
  • CVE-2021-32626+
    Recently Published

    Red Hat Update for redis:5 (RHSA-2021:3918)

    Severity
    Critical4
    Qualys ID
    239688
    Date Published
    October 20, 2021
    Vendor Reference
    RHSA-2021:3918
    CVE Reference
    CVE-2021-32626, CVE-2021-32627, CVE-2021-32628, CVE-2021-32675, CVE-2021-32687, CVE-2021-41099
    CVSS Scores
    Base 8.8 / Temporal 7.7
    Description
    Redis is an advanced key-value store. It is often referred to as a data-structure server since keys can contain strings, hashes, lists, sets, and sorted sets. For performance, Redis works with an in-memory data set. You can persist it either by dumping the data set to disk every once in a while, or by appending each command to a log.

    Security Fix(es): redis: Lua scripts can overflow the heap-based Lua stack (CVE-2021-32626) redis: Integer overflow issue with Streams (CVE-2021-32627) redis: Integer overflow bug in the ziplist data structure (CVE-2021-32628) redis: Denial of service via Redis Standard Protocol (RESP)
    request (CVE-2021-32675) redis: Integer overflow issue with intsets (CVE-2021-32687) redis: Integer overflow issue with strings (CVE-2021-41099)

    Affected Products:

    Red Hat Enterprise Linux for x86_64 8 x86_64
    Red Hat Enterprise Linux for x86_64 - Extended Update Support 8.4 x86_64
    Red Hat Enterprise Linux Server - AUS 8.4 x86_64
    Red Hat Enterprise Linux for IBM z Systems 8 s390x
    Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 8.4 s390x
    Red Hat Enterprise Linux for Power, little endian 8 ppc64le
    Red Hat Enterprise Linux for Power, little endian - Extended Update Support 8.4 ppc64le
    Red Hat Enterprise Linux Server - TUS 8.4 x86_64
    Red Hat Enterprise Linux for ARM 64 8 aarch64
    Red Hat Enterprise Linux for ARM 64 - Extended Update Support 8.4 aarch64
    Red Hat Enterprise Linux Server (for IBM Power LE) - Update Services for SAP Solutions 8.4 ppc64le
    Red Hat Enterprise Linux Server - Update Services for SAP Solutions 8.4 x86_64

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    On successful exploitation, it could allow an attacker to execute code.
    Solution
    Upgrade to the latest packages which contain a patch. Refer to Applying Package Updates to RHEL system for details.

    Refer to Red Hat security advisory RHSA-2021:3918 to address this issue and obtain more information.

    Patches
    Red Hat Enterprise Linux RHSA-2021:3918
  • CVE-2021-41133
    In Development

    OpenSUSE Security Update for flatpak (openSUSE-SU-2021:3472-1)

    Severity
    Critical4
    Qualys ID
    751256
    Vendor Reference
    openSUSE-SU-2021:3472-1
    CVE Reference
    CVE-2021-41133
    CVSS Scores
    Base 7.8 / Temporal 6.8
    Description
    OpenSUSE has released a security update for flatpak to fix the vulnerabilities.

    Affected Products:
    openSUSE Leap 15.3


    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    This vulnerability could be exploited to gain remote access to sensitive information and execute commands.
    Solution
    Upgrade to the latest packages which contain a patch. To install this OpenSUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product.

    To install packages using the command line interface, use the command "yum update".

    Refer to SUSE security advisory openSUSE-SU-2021:3472-1 to address this issue and obtain further details.

    Patches
    OpenSuse openSUSE-SU-2021:3472-1
  • CVE-2021-41991+
    In Development

    OpenSUSE Security Update for strongswan (openSUSE-SU-2021:3467-1)

    Severity
    Critical4
    Qualys ID
    751259
    Vendor Reference
    openSUSE-SU-2021:3467-1
    CVE Reference
    CVE-2021-41991, CVE-2021-41990
    CVSS Scores
    Base 7.5 / Temporal 6.5
    Description
    OpenSUSE has released a security update for strongswan to fix the vulnerabilities.

    Affected Products:
    openSUSE Leap 15.3


    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    Malicious users could use this vulnerability to change partial contents or configuration on the system. Additionally this vulnerability can also be used to cause a limited denial of service in the form of interruptions in resource availability.
    Solution
    Upgrade to the latest packages which contain a patch. To install this OpenSUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product.

    To install packages using the command line interface, use the command "yum update".

    Refer to SUSE security advisory openSUSE-SU-2021:3467-1 to address this issue and obtain further details.

    Patches
    OpenSuse openSUSE-SU-2021:3467-1
  • CVE-2021-20270
    In Development

    SUSE Enterprise Linux Security Update for python-Pygments (SUSE-SU-2021:3473-1)

    Severity
    Critical4
    Qualys ID
    751253
    Vendor Reference
    SUSE-SU-2021:3473-1
    CVE Reference
    CVE-2021-20270
    CVSS Scores
    Base 7.5 / Temporal 6.5
    Description
    This update for python-pygments fixes the following issues: - cve-2021-20270: fixed an infinite loop in the sml lexer (bsc#1183169).

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    Successful exploitation allows attacker to compromise the system.
    Solution
    Upgrade to the latest package which contains the patch. To install this SUSE Security, Update use YaST online_update. Alternatively you can run the command listed for your product. To install packages using the command line interface, use command "yum update". Refer to Suse security advisory: SUSE-SU-2021:3473-1 to address this issue and obtain further details.
    Patches
    SUSE Enterprise Linux SUSE-SU-2021:3473-1
  • CVE-2021-41991
    In Development

    SUSE Enterprise Linux Security Update for strongswan (SUSE-SU-2021:3468-1)

    Severity
    Critical4
    Qualys ID
    751250
    Vendor Reference
    SUSE-SU-2021:3468-1
    CVE Reference
    CVE-2021-41991
    CVSS Scores
    Base 7.5 / Temporal 6.5
    Description
    This update for strongswan fixes the following issues: - cve-2021-41991: fixed an integer overflow when replacing certificates in cache. (
    Bsc#1191435)

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    Successful exploitation allows attacker to compromise the system.
    Solution
    Upgrade to the latest package which contains the patch. To install this SUSE Security, Update use YaST online_update. Alternatively you can run the command listed for your product. To install packages using the command line interface, use command "yum update". Refer to Suse security advisory: SUSE-SU-2021:3468-1 to address this issue and obtain further details.
    Patches
    SUSE Enterprise Linux SUSE-SU-2021:3468-1
  • CVE-2021-35666+
    In Development

    Oracle HTTP Server Multiple Vulnerabilities(CPUOCT2021)

    Severity
    Critical4
    Qualys ID
    375965
    Vendor Reference
    cpuoct2021
    CVE Reference
    CVE-2021-35666, CVE-2020-1971, CVE-2021-2480
    CVSS Scores
    Base 5.9 / Temporal 5.2
    Description

    Oracle HTTP Server is the Web server component for Oracle Fusion Middleware. It provides a listener for Oracle WebLogic Server and the framework for hosting static pages, dynamic pages, and applications over the Web.

    Affected Versions:
    Oracle HTTP Server, versions 11.1.1.9.0, 12.2.1.4.0

    QID Detection Logic (Authenticated):
    This QID checks the vulnerable version of Oracle HTTP Server from file "inventory.xml" from the Home Directory.

    Consequence
    Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle HTTP Server accessible data.
    Solution
    Refer to vendor advisory Oracle HTTP Server OCT 2021
    Patches
    Linux CPUOCT2021, Windows CPUOCT2021
  • CVE-2021-42013+
    Recently Published

    Amazon Linux Security Advisory for httpd: ALAS2-2021-1716

    Severity
    Critical4
    Qualys ID
    352858
    Date Published
    October 22, 2021
    Vendor Reference
    ALAS2-2021-1716
    CVE Reference
    CVE-2021-42013, CVE-2021-41773, CVE-2021-41524, CVE-2021-34798, CVE-2021-39275, CVE-2021-33193, CVE-2021-40438, CVE-2021-36160
    CVSS Scores
    Base 9.8 / Temporal 8.8
    Description

    A null pointer dereference was found in apache httpd mod_h2.
    The highest threat from this flaw is to system integrity. (
    ( CVE-2021-33193) a null pointer dereference in httpd allows an unauthenticated remote attacker to crash httpd by providing malformed http requests.
    The highest threat from this vulnerability is to system availability. (
    ( CVE-2021-34798) an out-of-bounds read in mod_proxy_uwsgi of httpd allows a remote unauthenticated attacker to crash the service through a crafted request.
    ( CVE-2021-36160)



    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    Allows unauthorized disclosure of information; allows unauthorized modification; allows disruption of service.
    Solution
    Please refer to Amazon advisory: ALAS2-2021-1716 for affected packages and patching details, or update with your package manager.
    Patches
    Amazon Linux 2 ALAS2-2021-1716
  • CVE-2021-42013+
    Recently Published

    Amazon Linux Security Advisory for httpd24: ALAS-2021-1543

    Severity
    Critical4
    Qualys ID
    352857
    Date Published
    October 22, 2021
    Vendor Reference
    ALAS-2021-1543
    CVE Reference
    CVE-2021-42013, CVE-2021-41773, CVE-2021-41524, CVE-2021-34798, CVE-2021-39275, CVE-2021-33193, CVE-2021-40438, CVE-2021-36160
    CVSS Scores
    Base 9.8 / Temporal 8.8
    Description

    A null pointer dereference was found in apache httpd mod_h2.
    The highest threat from this flaw is to system integrity. (
    ( CVE-2021-33193) a null pointer dereference in httpd allows an unauthenticated remote attacker to crash httpd by providing malformed http requests.
    The highest threat from this vulnerability is to system availability. (
    ( CVE-2021-34798) an out-of-bounds read in mod_proxy_uwsgi of httpd allows a remote unauthenticated attacker to crash the service through a crafted request.
    ( CVE-2021-36160) an out-of-bounds write in function ap_escape_quotes of httpd allows an unauthenticated remote attacker to crash the server or potentially execute code on the system with the privileges of the httpd user, by providing malicious input to the function. (
    ( CVE-2021-39275)



    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    Allows unauthorized disclosure of information; allows unauthorized modification; allows disruption of service.
    Solution
    Please refer to Amazon advisory: ALAS-2021-1543 for affected packages and patching details, or update with your package manager.
    Patches
    Amazon Linux ALAS-2021-1543
  • CVE-2021-3246
    Recently Published

    Amazon Linux Security Advisory for libsndfile: ALAS2-2021-1713

    Severity
    Critical4
    Qualys ID
    352854
    Date Published
    October 22, 2021
    Vendor Reference
    ALAS2-2021-1713
    CVE Reference
    CVE-2021-3246
    CVSS Scores
    Base 8.8 / Temporal 7.7
    Description

    A heap buffer overflow flaw was found in libsndfile.
    This flaw allows an attacker to execute arbitrary code via a crafted wav file.
    The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability. (
    ( CVE-2021-3246)



    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    Allows unauthorized disclosure of information; allows unauthorized modification; allows disruption of service.
    Solution
    Please refer to Amazon advisory: ALAS2-2021-1713 for affected packages and patching details, or update with your package manager.
    Patches
    Amazon Linux 2 ALAS2-2021-1713
  • CVE-2021-3621
    Recently Published

    Amazon Linux Security Advisory for sssd: ALAS2-2021-1715

    Severity
    Critical4
    Qualys ID
    352852
    Date Published
    October 22, 2021
    Vendor Reference
    ALAS2-2021-1715
    CVE Reference
    CVE-2021-3621
    CVSS Scores
    Base 4.2 / Temporal 3.7
    Description

    A flaw was found in sssd, where the sssctl command was vulnerable to shell command injection via the logs-fetch and cache-expire subcommands.
    This flaw allows an attacker to trick the root user into running a specially crafted sssctl command, such as via sudo, to gain root access.
    The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability. (
    ( CVE-2021-3621)



    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    Allows unauthorized disclosure of information; allows unauthorized modification; allows disruption of service.
    Solution
    Please refer to Amazon advisory: ALAS2-2021-1715 for affected packages and patching details, or update with your package manager.
    Patches
    Amazon Linux 2 ALAS2-2021-1715
  • CVE-2021-34715
    Recently Published

    Cisco Expressway Series and TelePresence Video Communication Server Image Verification Vulnerability (cisco-sa-ewver-c6WZPXRx)

    Severity
    Urgent5
    Qualys ID
    38850
    Date Published
    October 21, 2021
    Vendor Reference
    cisco-sa-ewver-c6WZPXRx
    CVE Reference
    CVE-2021-34715
    CVSS Scores
    Base 7.2 / Temporal 6.3
    Description

    A vulnerability in the image verification function of Cisco Expressway Series and
    Cisco TelePresence Video Communication Server (VCS) could
    allow an authenticated, remote attacker to execute code with internal user privileges on the underlying operating system.

    Affected Products
    Cisco Expressway Series and Cisco TelePresence VCS if they were running a release
    from x8.8 Prior to 14.0.3 release. Note: This vulnerability was introduced when support for
    validation of SHA512 checksums was introduced in Release X8.8.

    QID Detection Logic (Unauthenticated):
    The check matches version of Cisco TelePresence Video Communication Server Expressway on the exposed banner information under the SIP banner.

    Consequence
    A successful exploit could allow the attacker to execute code with user-level privileges (the _nobody account) on the underlying operating system.
    Solution

    Customers are advised to refer to cisco-sa-ewver-c6WZPXRx for more information.

    Patches
    cisco-sa-ewver-c6WZPXRx
  • CVE-2021-35538+
    Recently Published

    Oracle Virtualized Manager (VM) VirtualBox Privilege Escalation Vulnerability (CPUOCT2021)

    Severity
    Critical4
    Qualys ID
    375969
    Date Published
    October 20, 2021
    Vendor Reference
    CPUOCT2021
    CVE Reference
    CVE-2021-35538, CVE-2021-35545, CVE-2021-35540, CVE-2021-35542, CVE-2021-2475
    CVSS Scores
    Base 7.8 / Temporal 6.8
    Description

    Oracle VM VirtualBox is an x86 virtualization software package.

    Affected Versions:-
    Oracle VM VirtualBox prior to 6.1.28

    QID Detection Logic (Authenticated):
    This QID checks the vulnerable version of Oracle VM VirtualBox by checking the file version of file "VirtualBox.exe".

    Consequence
    Allows low privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox.
    Solution
    Refer to vendor advisory Oracle VM VirtualBox OCT2021
    Patches
    cpuoct2021
  • CVE-2021-39226
    Recently Published

    Red Hat Update for grafana (RHSA-2021:3769)

    Severity
    Critical4
    Qualys ID
    239696
    Date Published
    October 20, 2021
    Vendor Reference
    RHSA-2021:3769
    CVE Reference
    CVE-2021-39226
    CVSS Scores
    Base 7.3 / Temporal 6.4
    Description
    Grafana is an open source, feature rich metrics dashboard and graph editor for Graphite, InfluxDB and OpenTSDB.

    Security Fix(es): grafana: Snapshot authentication bypass (CVE-2021-39226)

    Affected Products:

    Red Hat Enterprise Linux for x86_64 - Extended Update Support 8.1 x86_64
    Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 8.1 s390x
    Red Hat Enterprise Linux for Power, little endian - Extended Update Support 8.1 ppc64le
    Red Hat Enterprise Linux for ARM 64 - Extended Update Support 8.1 aarch64
    Red Hat Enterprise Linux Server (for IBM Power LE) - Update Services for SAP Solutions 8.1 ppc64le
    Red Hat Enterprise Linux Server - Update Services for SAP Solutions 8.1 x86_64

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    On successful exploitation, it could allow an attacker to execute code.
    Solution
    Upgrade to the latest packages which contain a patch. Refer to Applying Package Updates to RHEL system for details.

    Refer to Red Hat security advisory RHSA-2021:3769 to address this issue and obtain more information.

    Patches
    Red Hat Enterprise Linux RHSA-2021:3769
  • CVE-2021-39226
    Recently Published

    Red Hat Update for grafana (RHSA-2021:3770)

    Severity
    Critical4
    Qualys ID
    239695
    Date Published
    October 20, 2021
    Vendor Reference
    RHSA-2021:3770
    CVE Reference
    CVE-2021-39226
    CVSS Scores
    Base 7.3 / Temporal 6.4
    Description
    Grafana is an open source, feature rich metrics dashboard and graph editor for Graphite, InfluxDB and OpenTSDB.

    Security Fix(es):
    grafana: Snapshot authentication bypass (CVE-2021-39226)

    Affected Products:

    Red Hat Enterprise Linux for x86_64 - Extended Update Support 8.2 x86_64
    Red Hat Enterprise Linux Server - AUS 8.2 x86_64
    Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 8.2 s390x
    Red Hat Enterprise Linux for Power, little endian - Extended Update Support 8.2 ppc64le
    Red Hat Enterprise Linux Server - TUS 8.2 x86_64
    Red Hat Enterprise Linux for ARM 64 - Extended Update Support 8.2 aarch64
    Red Hat Enterprise Linux Server (for IBM Power LE) - Update Services for SAP Solutions 8.2 ppc64le
    Red Hat Enterprise Linux Server - Update Services for SAP Solutions 8.2 x86_64

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    On successful exploitation, it could allow an attacker to execute code.
    Solution
    Upgrade to the latest packages which contain a patch. Refer to Applying Package Updates to RHEL system for details.

    Refer to Red Hat security advisory RHSA-2021:3770 to address this issue and obtain more information.

    Patches
    Red Hat Enterprise Linux RHSA-2021:3770
  • CVE-2021-35599+
    Recently Published

    Oracle Database 12.1.0.2 Critical Patch Update - October 2021 (Unauthenticated)

    Severity
    Urgent5
    Qualys ID
    20238
    Date Published
    October 20, 2021
    Vendor Reference
    CPUOCT2021
    CVE Reference
    CVE-2021-35599, CVE-2021-35619, CVE-2021-35557, CVE-2021-35558, CVE-2021-26272
    CVSS Scores
    Base 8.2 / Temporal 7.1
    Description
    Oracle Database quarterly patches are proactive cumulative patches containing recommended bug fixes that are released on a regular schedule.

    Affected Software:
    Oracle Database 12.1.0.2

    QID Detection Logic (Unauthenticated):
    This QID connects the remote server's Oracle listener and reviews the Oracle banner version.

    Consequence
    Successful exploitation could allow an attacker to compromise the database.

    Solution
    Customers are requested to refer to CPUOct2021 to obtain details about how to deploy the update.

    Patches
    COUOCT2021
  • CVE-2021-35599+
    Recently Published

    Oracle Database 12.1.0.2 Critical Patch Update - October 2021

    Severity
    Urgent5
    Qualys ID
    20237
    Date Published
    October 20, 2021
    Vendor Reference
    CPUOCT2021
    CVE Reference
    CVE-2021-35599, CVE-2021-35619, CVE-2021-35557, CVE-2021-35558, CVE-2021-26272
    CVSS Scores
    Base 8.2 / Temporal 7.1
    Description
    Oracle Database quarterly patches are proactive cumulative patches containing recommended bug fixes that are released on a regular schedule.

    Affected Software:
    Oracle Database 12.1.0.2

    QID Detection Logic (Authenticated):
    Authentication via Oracle Database:
    This QID reviews the Oracle output from the table name DBA_REGISTRY_SQLPATCH for patch information.

    Consequence
    Successful exploitation could allow an attacker to compromise the database.

    Solution
    Customers are requested to refer to CPUOct2021 to obtain details about how to deploy the update.

    Patches
    COUOCT2021
  • CVE-2021-35599+
    Recently Published

    Oracle Database 12.2.0.1 Critical Patch Update - October 2021 (Unauthenticated)

    Severity
    Urgent5
    Qualys ID
    20235
    Date Published
    October 20, 2021
    Vendor Reference
    CPUOCT2021
    CVE Reference
    CVE-2021-35599, CVE-2021-25122, CVE-2021-35619, CVE-2021-35551, CVE-2021-35557, CVE-2021-35558, CVE-2021-26272
    CVSS Scores
    Base 8.2 / Temporal 7.1
    Description
    Oracle Database quarterly patches are proactive cumulative patches containing recommended bug fixes that are released on a regular schedule.

    Affected Software:
    Oracle Database 12.2.0.1

    QID Detection Logic (Unauthenticated):
    This QID connects the remote server's Oracle listener and reviews the Oracle banner version.

    Consequence
    Successful exploitation could allow an attacker to compromise the database.

    Solution
    Customers are requested to refer to CPUOct2021 to obtain details about how to deploy the update.

    Patches
    CPUOCT2021
  • CVE-2021-35599+
    Recently Published

    Oracle Database 12.2.0.1 Critical Patch Update - October 2021

    Severity
    Urgent5
    Qualys ID
    20234
    Date Published
    October 20, 2021
    Vendor Reference
    CPUOCT2021
    CVE Reference
    CVE-2021-35599, CVE-2021-25122, CVE-2021-35619, CVE-2021-35551, CVE-2021-35557, CVE-2021-35558, CVE-2021-26272
    CVSS Scores
    Base 8.2 / Temporal 7.1
    Description
    Oracle Database quarterly patches are proactive cumulative patches containing recommended bug fixes that are released on a regular schedule.

    Affected Software:
    Oracle Database 12.2.01

    QID Detection Logic (Authenticated):
    Authentication via Oracle Database:
    This QID reviews the Oracle output from the table name DBA_REGISTRY_SQLPATCH for patch information.

    Consequence
    Successful exploitation could allow an attacker to compromise the database.

    Solution
    Customers are requested to refer to CPUOct2021 to obtain details about how to deploy the update.

    Patches
    COUOCT2021
  • CVE-2021-35599+
    In Development

    Oracle Database 21c Critical Patch Update - October 2021

    Severity
    Urgent5
    Qualys ID
    20232
    Vendor Reference
    CPUOCT2021
    CVE Reference
    CVE-2021-35599, CVE-2021-25122, CVE-2021-35619, CVE-2021-35551, CVE-2021-35557, CVE-2021-35558, CVE-2021-26272
    CVSS Scores
    Base 8.2 / Temporal 7.1
    Description
    Oracle Database quarterly patches are proactive cumulative patches containing recommended bug fixes that are released on a regular schedule.

    Affected Software:
    Oracle Database 21c

    QID Detection Logic (Authenticated):
    Authentication via Oracle Database:
    This QID reviews the Oracle output from the table name DBA_REGISTRY_SQLPATCH for patch information.

    Consequence
    Successful exploitation could allow an attacker to compromise the database.

    Solution
    Customers are requested to refer to CPUOct2021 to obtain details about how to deploy the update.

    Patches
    CPUOCT2021
  • CVE-2021-25122+
    Recently Published

    Oracle Database 19c Critical Patch Update - October 2021

    Severity
    Urgent5
    Qualys ID
    20233
    Date Published
    October 20, 2021
    Vendor Reference
    CPUOCT2021
    CVE Reference
    CVE-2021-25122, CVE-2021-35619, CVE-2021-35551, CVE-2021-35557, CVE-2021-35558, CVE-2021-26272
    CVSS Scores
    Base 7.5 / Temporal 6.5
    Description
    Oracle Database quarterly patches are proactive cumulative patches containing recommended bug fixes that are released on a regular schedule.

    Affected Software:
    Oracle Database 19c

    QID Detection Logic (Authenticated):
    Authentication via Oracle Database:
    This QID reviews the Oracle output from the table name DBA_REGISTRY_SQLPATCH for patch information.

    Consequence
    Successful exploitation could allow an attacker to compromise the database.

    Solution
    Customers are requested to refer to CPUOct2021 to obtain details about how to deploy the update.

    Patches
    CPUOCT2021
  • CVE-2021-35620+
    Recently Published

    Oracle WebLogic Server Multiple Vulnerabilities (CPUOCT2021)

    Severity
    Critical4
    Qualys ID
    87467
    Date Published
    October 20, 2021
    Vendor Reference
    CPUOCT2021
    CVE Reference
    CVE-2021-35620, CVE-2021-35617, CVE-2021-29425, CVE-2020-7226, CVE-2019-12400, CVE-2021-35552, CVE-2020-11022, CVE-2018-10237, CVE-2018-8088
    CVSS Scores
    Base 9.8 / Temporal 8.8
    Description
    Oracle WebLogic Server (formerly known as BEA WebLogic Server) is an application server for building and deploying enterprise applications and services.
    The Oracle WebLogic Server component in Oracle Fusion Middleware for versions 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0 has fixes for multiple vulnerabilities.

    Affected Versions:
    Oracle WebLogic Server, version(s) 10.3.6.0, 12.1.3.0, 12.2.1.3,12.2.1.4 and 14.1.1.0

    QID Detection Logic (Authenticated):
    Operating System: Linux
    This QID checks to see if Oracle WebLogic Server process is listening on any of the TCP ports. If so, for version 12.x it gets the "Oracle_Home" path, navigates to that directory and reads "registry.xml" and the patch files found in the directory "Oracle_Home"\inventory\patches to check if the installed version is patched.
    For version 10.3.6.x, it gets the "Oracle_Home" path, navigates to that directory and reads "registry.xml" and the file "Oracle_Home"\patch_wls1036\registry\patch-registry.xml to check if the installed version is patched.

    QID Detection Logic (Authenticated):
    Operating System: Windows
    For affected 12.x version
    The QID checks the "Oracle_Home" path with help of the registry key "HKLM\Software\Oracle". The QID verifies if the affected WebLogic version is installed on the host and then checks if the corresponding patch is applied or not.

    For 10.3.6.0
    The QID checks if WebLogic v10.3.6.0 is installed by looking at the file WLS_HOME\wlserver_10.3\.product.properties. The QID then checks if the corresponding patch is applied or not. The WLS_HOME is check using the file "systemdrive"\bea\beahomelist.

    Patch IDs checked:
    WebLogic Server 14.1.1.0 - Patch 33416881
    WebLogic Server 12.2.1.4 - Patch 33416868
    WebLogic Server 12.2.1.3 - Patch 33412599
    WebLogic Server 12.1.3.0 - Patch 33172866
    WebLogic Server 10.3.6.0 - Patch 33172858

    QID Detection Logic (Unauthenticated) :
    The qid sends a "GET console/login/LoginForm.jsp" request to retrieve the WebLogic version installed.

    Consequence
    Successful exploitation could allow an attacker to affect the confidentiality, integrity and availability of data on the target system.

    Solution
    The vendor has released patches for these issues. Customers are advised to refer to Oracle CPUOCT2021 for detailed information.

    Patches
    CPUOCT2021
  • CVE-2021-29983+
    Recently Published

    OpenSUSE Security Update for MozillaFirefox (openSUSE-SU-2021:1367-1)

    Severity
    Critical4
    Qualys ID
    751246
    Date Published
    October 20, 2021
    Vendor Reference
    openSUSE-SU-2021:1367-1
    CVE Reference
    CVE-2021-29983, CVE-2021-29988, CVE-2021-29991, CVE-2021-29980, CVE-2021-38497, CVE-2021-38498, CVE-2021-38500, CVE-2021-29987, CVE-2021-38496, CVE-2021-32810, CVE-2021-29990, CVE-2021-38495, CVE-2021-29989, CVE-2021-38501, CVE-2021-29981, CVE-2021-38492, CVE-2021-29985, CVE-2021-29982, CVE-2021-29984, CVE-2021-29986
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description
    OpenSUSE has released a security update for MozillaFirefox to fix the vulnerabilities.

    Affected Products:
    openSUSE Leap 15.2


    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    This vulnerability could be exploited to gain remote access to sensitive information and execute commands.
    Solution
    Upgrade to the latest packages which contain a patch. To install this OpenSUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product.

    To install packages using the command line interface, use the command "yum update".

    Refer to SUSE security advisory openSUSE-SU-2021:1367-1 to address this issue and obtain further details.

    Patches
    OpenSuse openSUSE-SU-2021:1367-1
  • CVE-2020-9068
    Recently Published

    Huawei Router Improper Authentication Vulnerability (huawei-sa-20200422-01-authentication-en)

    Severity
    Critical4
    Qualys ID
    43877
    Date Published
    October 20, 2021
    Vendor Reference
    huawei-sa-20200422-01-authentication-en
    CVE Reference
    CVE-2020-9068
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description
    Huawei products have an improper authentication vulnerability. Attackers need to perform some operations to exploit the vulnerability. A successful exploit may obtain certain permissions on the device. (Vulnerability ID: HWPSIRT-2020-04035)
    Consequence
    Attackers can exploit this vulnerability to obtain certain device permissions.
    Solution
    Refer to Huawei security advisory huawei-sa-20200422-01-authentication-en for updates and patch information.
    Patches
    huawei-sa-20200422-01-authentication-en
  • CVE-2021-32810+
    Recently Published

    Red Hat Update for thunderbird (RHSA-2021:3838)

    Severity
    Critical4
    Qualys ID
    239685
    Date Published
    October 20, 2021
    Vendor Reference
    RHSA-2021:3838
    CVE Reference
    CVE-2021-32810, CVE-2021-38496, CVE-2021-38497, CVE-2021-38498, CVE-2021-38500, CVE-2021-38501, CVE-2021-38502
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description
    Mozilla Thunderbird is a standalone mail and newsgroup client.This update upgrades Thunderbird to version 91.2.0.

    Security Fix(es): Mozilla: Use-after-free in MessageTask (CVE-2021-38496) Mozilla: Memory safety bugs fixed in Firefox 93, Firefox ESR 78.15, and Firefox ESR 91.2 (CVE-2021-38500) Mozilla: Memory safety bugs fixed in Firefox 93 and Firefox ESR 91.2 (CVE-2021-38501) Mozilla: Downgrade attack on SMTP STARTTLS connections (CVE-2021-38502) rust-crossbeam-deque: race condition may lead to double free (CVE-2021-32810) Mozilla: Validation message could have been overlaid on another origin (CVE-2021-38497) Mozilla: Use-after-free of nsLanguageAtomService object (CVE-2021-38498)

    Affected Products:

    Red Hat Enterprise Linux for x86_64 8 x86_64
    Red Hat Enterprise Linux for x86_64 - Extended Update Support 8.4 x86_64
    Red Hat Enterprise Linux Server - AUS 8.4 x86_64
    Red Hat Enterprise Linux for IBM z Systems 8 s390x
    Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 8.4 s390x
    Red Hat Enterprise Linux for Power, little endian 8 ppc64le
    Red Hat Enterprise Linux for Power, little endian - Extended Update Support 8.4 ppc64le
    Red Hat Enterprise Linux Server - TUS 8.4 x86_64
    Red Hat Enterprise Linux for ARM 64 8 aarch64
    Red Hat Enterprise Linux for ARM 64 - Extended Update Support 8.4 aarch64
    Red Hat Enterprise Linux Server (for IBM Power LE) - Update Services for SAP Solutions 8.4 ppc64le
    Red Hat Enterprise Linux Server - Update Services for SAP Solutions 8.4 x86_64

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    On successful exploitation, it could allow an attacker to execute code.
    Solution
    Upgrade to the latest packages which contain a patch. Refer to Applying Package Updates to RHEL system for details.

    Refer to Red Hat security advisory RHSA-2021:3838 to address this issue and obtain more information.

    Patches
    Red Hat Enterprise Linux RHSA-2021:3838
  • CVE-2021-32810+
    Recently Published

    Red Hat Update for thunderbird (RHSA-2021:3839)

    Severity
    Critical4
    Qualys ID
    239684
    Date Published
    October 20, 2021
    Vendor Reference
    RHSA-2021:3839
    CVE Reference
    CVE-2021-32810, CVE-2021-38496, CVE-2021-38497, CVE-2021-38498, CVE-2021-38500, CVE-2021-38501, CVE-2021-38502
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description
    Mozilla Thunderbird is a standalone mail and newsgroup client.This update upgrades Thunderbird to version 91.2.0.

    Security Fix(es): Mozilla: Use-after-free in MessageTask (CVE-2021-38496) Mozilla: Memory safety bugs fixed in Firefox 93, Firefox ESR 78.15, and Firefox ESR 91.2 (CVE-2021-38500) Mozilla: Memory safety bugs fixed in Firefox 93 and Firefox ESR 91.2 (CVE-2021-38501) Mozilla: Downgrade attack on SMTP STARTTLS connections (CVE-2021-38502) rust-crossbeam-deque: race condition may lead to double free (CVE-2021-32810) Mozilla: Validation message could have been overlaid on another origin (CVE-2021-38497) Mozilla: Use-after-free of nsLanguageAtomService object (CVE-2021-38498)

    Affected Products:

    Red Hat Enterprise Linux for x86_64 - Extended Update Support 8.2 x86_64
    Red Hat Enterprise Linux Server - AUS 8.2 x86_64
    Red Hat Enterprise Linux for Power, little endian - Extended Update Support 8.2 ppc64le
    Red Hat Enterprise Linux Server - TUS 8.2 x86_64
    Red Hat Enterprise Linux for ARM 64 - Extended Update Support 8.2 aarch64
    Red Hat Enterprise Linux Server (for IBM Power LE) - Update Services for SAP Solutions 8.2 ppc64le
    Red Hat Enterprise Linux Server - Update Services for SAP Solutions 8.2 x86_64

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    On successful exploitation, it could allow an attacker to execute code.
    Solution
    Upgrade to the latest packages which contain a patch. Refer to Applying Package Updates to RHEL system for details.

    Refer to Red Hat security advisory RHSA-2021:3839 to address this issue and obtain more information.

    Patches
    Red Hat Enterprise Linux RHSA-2021:3839
  • CVE-2021-32810+
    Recently Published

    Red Hat Update for thunderbird (RHSA-2021:3840)

    Severity
    Critical4
    Qualys ID
    239683
    Date Published
    October 20, 2021
    Vendor Reference
    RHSA-2021:3840
    CVE Reference
    CVE-2021-32810, CVE-2021-38496, CVE-2021-38497, CVE-2021-38498, CVE-2021-38500, CVE-2021-38501, CVE-2021-38502
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description
    Mozilla Thunderbird is a standalone mail and newsgroup client.This update upgrades Thunderbird to version 91.2.0.

    Security Fix(es): Mozilla: Use-after-free in MessageTask (CVE-2021-38496) Mozilla: Memory safety bugs fixed in Firefox 93, Firefox ESR 78.15, and Firefox ESR 91.2 (CVE-2021-38500) Mozilla: Memory safety bugs fixed in Firefox 93 and Firefox ESR 91.2 (CVE-2021-38501) Mozilla: Downgrade attack on SMTP STARTTLS connections (CVE-2021-38502) rust-crossbeam-deque: race condition may lead to double free (CVE-2021-32810) Mozilla: Validation message could have been overlaid on another origin (CVE-2021-38497) Mozilla: Use-after-free of nsLanguageAtomService object (CVE-2021-38498)

    Affected Products:

    Red Hat Enterprise Linux for x86_64 - Extended Update Support 8.1 x86_64
    Red Hat Enterprise Linux for Power, little endian - Extended Update Support 8.1 ppc64le
    Red Hat Enterprise Linux Server (for IBM Power LE) - Update Services for SAP Solutions 8.1 ppc64le
    Red Hat Enterprise Linux Server - Update Services for SAP Solutions 8.1 x86_64

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    On successful exploitation, it could allow an attacker to execute code.
    Solution
    Upgrade to the latest packages which contain a patch. Refer to Applying Package Updates to RHEL system for details.

    Refer to Red Hat security advisory RHSA-2021:3840 to address this issue and obtain more information.

    Patches
    Red Hat Enterprise Linux RHSA-2021:3840
  • CVE-2021-32810+
    Recently Published

    Red Hat Update for thunderbird (RHSA-2021:3841)

    Severity
    Critical4
    Qualys ID
    239682
    Date Published
    October 20, 2021
    Vendor Reference
    RHSA-2021:3841
    CVE Reference
    CVE-2021-32810, CVE-2021-38496, CVE-2021-38497, CVE-2021-38498, CVE-2021-38500, CVE-2021-38501, CVE-2021-38502
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description
    Mozilla Thunderbird is a standalone mail and newsgroup client.This update upgrades Thunderbird to version 91.2.0.

    Security Fix(es): Mozilla: Use-after-free in MessageTask (CVE-2021-38496) Mozilla: Memory safety bugs fixed in Firefox 93, Firefox ESR 78.15, and Firefox ESR 91.2 (CVE-2021-38500) Mozilla: Memory safety bugs fixed in Firefox 93 and Firefox ESR 91.2 (CVE-2021-38501) Mozilla: Downgrade attack on SMTP STARTTLS connections (CVE-2021-38502) rust-crossbeam-deque: race condition may lead to double free (CVE-2021-32810) Mozilla: Validation message could have been overlaid on another origin (CVE-2021-38497) Mozilla: Use-after-free of nsLanguageAtomService object (CVE-2021-38498)

    Affected Products:

    Red Hat Enterprise Linux Server 7 x86_64
    Red Hat Enterprise Linux Workstation 7 x86_64
    Red Hat Enterprise Linux Desktop 7 x86_64
    Red Hat Enterprise Linux for Power, little endian 7 ppc64le

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    On successful exploitation, it could allow an attacker to execute code.
    Solution
    Upgrade to the latest packages which contain a patch. Refer to Applying Package Updates to RHEL system for details.

    Refer to Red Hat security advisory RHSA-2021:3841 to address this issue and obtain more information.

    Patches
    Red Hat Enterprise Linux RHSA-2021:3841
  • CVE-2021-32810+
    Recently Published

    Red Hat Update for firefox (RHSA-2021:3791)

    Severity
    Critical4
    Qualys ID
    239677
    Date Published
    October 20, 2021
    Vendor Reference
    RHSA-2021:3791
    CVE Reference
    CVE-2021-32810, CVE-2021-38496, CVE-2021-38497, CVE-2021-38498, CVE-2021-38500, CVE-2021-38501
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description
    Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability.This update upgrades Firefox to version 91.2.0 ESR.

    Security Fix(es): Mozilla: Use-after-free in MessageTask (CVE-2021-38496) Mozilla: Memory safety bugs fixed in Firefox 93, Firefox ESR 78.15, and Firefox ESR 91.2 (CVE-2021-38500) Mozilla: Memory safety bugs fixed in Firefox 93 and Firefox ESR 91.2 (CVE-2021-38501) rust-crossbeam-deque: race condition may lead to double free (CVE-2021-32810) Mozilla: Validation message could have been overlaid on another origin (CVE-2021-38497) Mozilla: Use-after-free of nsLanguageAtomService object (CVE-2021-38498)

    Affected Products:

    Red Hat Enterprise Linux Server 7 x86_64
    Red Hat Enterprise Linux Workstation 7 x86_64
    Red Hat Enterprise Linux Desktop 7 x86_64
    Red Hat Enterprise Linux for IBM z Systems 7 s390x
    Red Hat Enterprise Linux for Power, big endian 7 ppc64
    Red Hat Enterprise Linux for Power, little endian 7 ppc64le

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    On successful exploitation, it could allow an attacker to execute code.
    Solution
    Upgrade to the latest packages which contain a patch. Refer to Applying Package Updates to RHEL system for details.

    Refer to Red Hat security advisory RHSA-2021:3791 to address this issue and obtain more information.

    Patches
    Red Hat Enterprise Linux RHSA-2021:3791
  • CVE-2016-4658
    Recently Published

    Red Hat Update for libxml2 (RHSA-2021:3810)

    Severity
    Critical4
    Qualys ID
    239673
    Date Published
    October 20, 2021
    Vendor Reference
    RHSA-2021:3810
    CVE Reference
    CVE-2016-4658
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description
    The libxml2 library is a development toolbox providing the implementation of various XML standards.

    Security Fix(es): libxml2: Use after free via namespace node in XPointer ranges (CVE-2016-4658)

    Affected Products:

    Red Hat Enterprise Linux Server 7 x86_64
    Red Hat Enterprise Linux Workstation 7 x86_64
    Red Hat Enterprise Linux Desktop 7 x86_64
    Red Hat Enterprise Linux for IBM z Systems 7 s390x
    Red Hat Enterprise Linux for Power, big endian 7 ppc64
    Red Hat Enterprise Linux for Scientific Computing 7 x86_64
    Red Hat Enterprise Linux for Power, little endian 7 ppc64le

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    On successful exploitation, it could allow an attacker to execute code.
    Solution
    Upgrade to the latest packages which contain a patch. Refer to Applying Package Updates to RHEL system for details.

    Refer to Red Hat security advisory RHSA-2021:3810 to address this issue and obtain more information.

    Patches
    Red Hat Enterprise Linux RHSA-2021:3810
  • CVE-2021-26691+
    Recently Published

    Red Hat Update for httpd:2.4 (RHSA-2021:3816)

    Severity
    Critical4
    Qualys ID
    239671
    Date Published
    October 20, 2021
    Vendor Reference
    RHSA-2021:3816
    CVE Reference
    CVE-2021-26691, CVE-2021-40438
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description
    The httpd packages provide the Apache HTTP Server, a powerful, efficient, and extensible web server.

    Security Fix(es): httpd: mod_proxy: SSRF via a crafted request uri-path containing "unix:" (CVE-2021-40438) httpd: mod_session: Heap overflow via a crafted SessionHeader value (CVE-2021-26691)

    Affected Products:

    Red Hat Enterprise Linux for x86_64 8 x86_64
    Red Hat Enterprise Linux for x86_64 - Extended Update Support 8.4 x86_64
    Red Hat Enterprise Linux Server - AUS 8.4 x86_64
    Red Hat Enterprise Linux for IBM z Systems 8 s390x
    Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 8.4 s390x
    Red Hat Enterprise Linux for Power, little endian 8 ppc64le
    Red Hat Enterprise Linux for Power, little endian - Extended Update Support 8.4 ppc64le
    Red Hat Enterprise Linux Server - TUS 8.4 x86_64
    Red Hat Enterprise Linux for ARM 64 8 aarch64
    Red Hat Enterprise Linux for ARM 64 - Extended Update Support 8.4 aarch64
    Red Hat Enterprise Linux Server (for IBM Power LE) - Update Services for SAP Solutions 8.4 ppc64le
    Red Hat Enterprise Linux Server - Update Services for SAP Solutions 8.4 x86_64

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    On successful exploitation, it could allow an attacker to execute code.
    Solution
    Upgrade to the latest packages which contain a patch. Refer to Applying Package Updates to RHEL system for details.

    Refer to Red Hat security advisory RHSA-2021:3816 to address this issue and obtain more information.

    Patches
    Red Hat Enterprise Linux RHSA-2021:3816
  • CVE-2021-35537+
    Recently Published

    Oracle MySQL October 2021 Critical Patch Update (CPU October 2021)

    Severity
    Critical4
    Qualys ID
    20236
    Date Published
    October 20, 2021
    Vendor Reference
    MySQL CPUOCT2021
    CVE Reference
    CVE-2021-35537, CVE-2021-35583, CVE-2021-35629, CVE-2021-3711, CVE-2021-22926, CVE-2021-35604, CVE-2021-35624, CVE-2021-2478, CVE-2021-2479, CVE-2021-2481, CVE-2021-35546, CVE-2021-35575, CVE-2021-35577, CVE-2021-35591, CVE-2021-35596, CVE-2021-35597, CVE-2021-35602, CVE-2021-35607, CVE-2021-35608, CVE-2021-35610, CVE-2021-35612, CVE-2021-35622, CVE-2021-35623, CVE-2021-35625, CVE-2021-35626, CVE-2021-35627, CVE-2021-35628, CVE-2021-35630, CVE-2021-35631, CVE-2021-35632, CVE-2021-35633, CVE-2021-35634, CVE-2021-35635, CVE-2021-35636, CVE-2021-35637, CVE-2021-35638, CVE-2021-35639, CVE-2021-35640, CVE-2021-35641, CVE-2021-35642, CVE-2021-35643, CVE-2021-35644, CVE-2021-35645, CVE-2021-35646, CVE-2021-35647, CVE-2021-35648, CVE-2021-36222
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description
    This Critical Patch Update contains 47 new security patches for Oracle MySQL.

    Affected Versions:
    MySQL Server, versions 5.7.35 and prior, 8.0.26 and prior.

    QID Detection Logic (Unauthenticated):
    This QID detects vulnerable versions of MySQL via the banner exposed by the service.

    Consequence
    Successful exploitation could allow an attacker to affect the confidentiality, integrity, and availability of data on the target system.
    Solution
    Refer to vendor advisory Oracle MySQL October 2021 .
    Patches
    Oracle MySQL April 2021 Critical Patch Update (CPUOCT2021)
  • CVE-2020-22617
    In Development

    Ubuntu Security Notification for Ardour Vulnerability (USN-5110-1)

    Severity
    Critical4
    Qualys ID
    198538
    Vendor Reference
    USN-5110-1
    CVE Reference
    CVE-2020-22617
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description
    Ardour incorrectly handled certain xml files.

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    an attacker could possibly use this issue to cause a crash or execute arbitrary code..
    Solution
    Refer to Ubuntu advisory: USN-5110-1 for affected packages and patching details, or update with your package manager.
    Patches
    Ubuntu Linux USN-5110-1
  • CVE-2021-40438
    Recently Published

    Red Hat Update for httpd:2.4 (RHSA-2021:3836)

    Severity
    Critical4
    Qualys ID
    239687
    Date Published
    October 20, 2021
    Vendor Reference
    RHSA-2021:3836
    CVE Reference
    CVE-2021-40438
    CVSS Scores
    Base 9 / Temporal 7.8
    Description
    The httpd packages provide the Apache HTTP Server, a powerful, efficient, and extensible web server.

    Security Fix(es): httpd: mod_proxy: SSRF via a crafted request uri-path containing "unix:" (CVE-2021-40438)

    Affected Products:

    Red Hat Enterprise Linux for x86_64 - Extended Update Support 8.2 x86_64
    Red Hat Enterprise Linux Server - AUS 8.2 x86_64
    Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 8.2 s390x
    Red Hat Enterprise Linux for Power, little endian - Extended Update Support 8.2 ppc64le
    Red Hat Enterprise Linux Server - TUS 8.2 x86_64
    Red Hat Enterprise Linux for ARM 64 - Extended Update Support 8.2 aarch64
    Red Hat Enterprise Linux Server (for IBM Power LE) - Update Services for SAP Solutions 8.2 ppc64le
    Red Hat Enterprise Linux Server - Update Services for SAP Solutions 8.2 x86_64

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    On successful exploitation, it could allow an attacker to execute code.
    Solution
    Upgrade to the latest packages which contain a patch. Refer to Applying Package Updates to RHEL system for details.

    Refer to Red Hat security advisory RHSA-2021:3836 to address this issue and obtain more information.

    Patches
    Red Hat Enterprise Linux RHSA-2021:3836
  • CVE-2021-40438
    Recently Published

    Red Hat Update for httpd:2.4 (RHSA-2021:3837)

    Severity
    Critical4
    Qualys ID
    239686
    Date Published
    October 20, 2021
    Vendor Reference
    RHSA-2021:3837
    CVE Reference
    CVE-2021-40438
    CVSS Scores
    Base 9 / Temporal 7.8
    Description
    The httpd packages provide the Apache HTTP Server, a powerful, efficient, and extensible web server.

    Security Fix(es): httpd: mod_proxy: SSRF via a crafted request uri-path containing "unix:" (CVE-2021-40438)

    Affected Products:

    Red Hat Enterprise Linux for x86_64 - Extended Update Support 8.1 x86_64
    Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 8.1 s390x
    Red Hat Enterprise Linux for Power, little endian - Extended Update Support 8.1 ppc64le
    Red Hat Enterprise Linux for ARM 64 - Extended Update Support 8.1 aarch64
    Red Hat Enterprise Linux Server (for IBM Power LE) - Update Services for SAP Solutions 8.1 ppc64le
    Red Hat Enterprise Linux Server - Update Services for SAP Solutions 8.1 x86_64

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    On successful exploitation, it could allow an attacker to execute code.
    Solution
    Upgrade to the latest packages which contain a patch. Refer to Applying Package Updates to RHEL system for details.

    Refer to Red Hat security advisory RHSA-2021:3837 to address this issue and obtain more information.

    Patches
    Red Hat Enterprise Linux RHSA-2021:3837
  • CVE-2021-40438
    Recently Published

    Red Hat Update for httpd (RHSA-2021:3856)

    Severity
    Critical4
    Qualys ID
    239681
    Date Published
    October 20, 2021
    Vendor Reference
    RHSA-2021:3856
    CVE Reference
    CVE-2021-40438
    CVSS Scores
    Base 9 / Temporal 7.8
    Description
    The httpd packages provide the Apache HTTP Server, a powerful, efficient, and extensible web server.

    Security Fix(es): httpd: mod_proxy: SSRF via a crafted request uri-path containing "unix:" (CVE-2021-40438)

    Affected Products:

    Red Hat Enterprise Linux Server 7 x86_64
    Red Hat Enterprise Linux Server - AUS 7.7 x86_64
    Red Hat Enterprise Linux Server - AUS 7.6 x86_64
    Red Hat Enterprise Linux Server - AUS 7.4 x86_64
    Red Hat Enterprise Linux Server - AUS 7.3 x86_64
    Red Hat Enterprise Linux Server - AUS 7.2 x86_64
    Red Hat Enterprise Linux Workstation 7 x86_64
    Red Hat Enterprise Linux Desktop 7 x86_64
    Red Hat Enterprise Linux for IBM z Systems 7 s390x
    Red Hat Enterprise Linux for Power, big endian 7 ppc64
    Red Hat Enterprise Linux for Scientific Computing 7 x86_64
    Red Hat Enterprise Linux for Power, little endian 7 ppc64le
    Red Hat Enterprise Linux Server - TUS 7.7 x86_64
    Red Hat Enterprise Linux Server - TUS 7.6 x86_64
    Red Hat Enterprise Linux Server (for IBM Power LE) - Update Services for SAP Solutions 7.7 ppc64le
    Red Hat Enterprise Linux Server (for IBM Power LE) - Update Services for SAP Solutions 7.6 ppc64le
    Red Hat Enterprise Linux Server - Update Services for SAP Solutions 7.7 x86_64
    Red Hat Enterprise Linux Server - Update Services for SAP Solutions 7.6 x86_64

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    On successful exploitation, it could allow an attacker to execute code.
    Solution
    Upgrade to the latest packages which contain a patch. Refer to Applying Package Updates to RHEL system for details.

    Refer to Red Hat security advisory RHSA-2021:3856 to address this issue and obtain more information.

    Patches
    Red Hat Enterprise Linux RHSA-2021:3856
  • CVE-2021-30858+
    Recently Published

    OpenSUSE Security Update for webkit2gtk3 (openSUSE-SU-2021:1369-1)

    Severity
    Critical4
    Qualys ID
    751247
    Date Published
    October 20, 2021
    Vendor Reference
    openSUSE-SU-2021:1369-1
    CVE Reference
    CVE-2021-30858, CVE-2021-21806
    CVSS Scores
    Base 8.8 / Temporal 7.7
    Description
    OpenSUSE has released a security update for webkit2gtk3 to fix the vulnerabilities.

    Affected Products:
    openSUSE Leap 15.2


    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    This vulnerability could be exploited to gain remote access to sensitive information and execute commands.
    Solution
    Upgrade to the latest packages which contain a patch. To install this OpenSUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product.

    To install packages using the command line interface, use the command "yum update".

    Refer to SUSE security advisory openSUSE-SU-2021:1369-1 to address this issue and obtain further details.

    Patches
    OpenSuse openSUSE-SU-2021:1369-1
  • CVE-2021-3653+
    Recently Published

    Red Hat Update for kernel (RHSA-2021:3801)

    Severity
    Critical4
    Qualys ID
    239676
    Date Published
    October 20, 2021
    Vendor Reference
    RHSA-2021:3801
    CVE Reference
    CVE-2021-3653, CVE-2021-3656, CVE-2021-22543, CVE-2021-37576
    CVSS Scores
    Base 8.8 / Temporal 7.7
    Description
    The kernel packages contain the Linux kernel, the core of any Linux operating system.

    Security Fix(es): kernel: Improper handling of VM_IO|VM_PFNMAP vmas in KVM can bypass RO checks (CVE-2021-22543) kernel: powerpc: KVM guest OS users can cause host OS memory corruption (CVE-2021-37576) kernel: SVM nested virtualization issue in KVM (AVIC support)
    (CVE-2021-3653) kernel: SVM nested virtualization issue in KVM (VMLOAD/VMSAVE)
    (CVE-2021-3656)

    Affected Products:

    Red Hat Enterprise Linux Server 7 x86_64
    Red Hat Enterprise Linux Workstation 7 x86_64
    Red Hat Enterprise Linux Desktop 7 x86_64
    Red Hat Enterprise Linux for IBM z Systems 7 s390x
    Red Hat Enterprise Linux for Power, big endian 7 ppc64
    Red Hat Enterprise Linux for Scientific Computing 7 x86_64
    Red Hat Enterprise Linux for Power, little endian 7 ppc64le
    Red Hat Virtualization Host 4 for RHEL 7 x86_64

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    On successful exploitation, it could allow an attacker to execute code.
    Solution
    Upgrade to the latest packages which contain a patch. Refer to Applying Package Updates to RHEL system for details.

    Refer to Red Hat security advisory RHSA-2021:3801 to address this issue and obtain more information.

    Patches
    Red Hat Enterprise Linux RHSA-2021:3801
  • CVE-2021-3653+
    Recently Published

    Red Hat Update for kernel-rt (RHSA-2021:3802)

    Severity
    Critical4
    Qualys ID
    239675
    Date Published
    October 20, 2021
    Vendor Reference
    RHSA-2021:3802
    CVE Reference
    CVE-2021-3653, CVE-2021-3656, CVE-2021-22543
    CVSS Scores
    Base 8.8 / Temporal 7.7
    Description
    The kernel-rt packages provide the Real Time Linux Kernel, which enables fine-tuning for systems with extremely high determinism requirements.

    Security Fix(es): kernel: Improper handling of VM_IO|VM_PFNMAP vmas in KVM can bypass RO checks (CVE-2021-22543) kernel: SVM nested virtualization issue in KVM (AVIC support)
    (CVE-2021-3653) kernel: SVM nested virtualization issue in KVM (VMLOAD/VMSAVE)
    (CVE-2021-3656)

    Affected Products:

    Red Hat Enterprise Linux for Real Time 7 x86_64
    Red Hat Enterprise Linux for Real Time for NFV 7 x86_64

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    On successful exploitation, it could allow an attacker to execute code.
    Solution
    Upgrade to the latest packages which contain a patch. Refer to Applying Package Updates to RHEL system for details.

    Refer to Red Hat security advisory RHSA-2021:3802 to address this issue and obtain more information.

    Patches
    Red Hat Enterprise Linux RHSA-2021:3802
  • CVE-2021-38160+
    Recently Published

    SUSE Enterprise Linux Security Update for the Linux Kernel (Live Patch 40 for SLE 12 SP3) (SUSE-SU-2021:3459-1)

    Severity
    Critical4
    Qualys ID
    751238
    Date Published
    October 20, 2021
    Vendor Reference
    SUSE-SU-2021:3459-1
    CVE Reference
    CVE-2021-38160, CVE-2021-3640, CVE-2021-3715, CVE-2021-3573
    CVSS Scores
    Base 7.8 / Temporal 6.8
    Description
    This update for the linux kernel 4.4.180-94_147 fixes several issues.
    The following security issues were fixed: - cve-2021-3715: fixed a user-after-free in the linux kernel's traffic control networking subsystem which could lead to local privilege escalation. (
    Bsc#1190350).
    - cve-2021-38160: fixed a bug that could lead to a data corruption or loss.
    This can be triggered by an untrusted device that supplies a buf->len value exceeding the buffer size in drivers/char/virtio_console.c (bsc#1190118) - cve-2021-3640: fixed a user-after-free bug in the function sco_sock_sendmsg which could lead to local privilege escalation.
    (bsc#1188613) - cve-2021-3573: fixed a user-after-free bug in the function hci_sock_bound_ioctl which could lead to local privilege escalation.
    (bsc#1187054).

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    Successful exploitation allows attacker to compromise the system.
    Solution
    Upgrade to the latest package which contains the patch. To install this SUSE Security, Update use YaST online_update. Alternatively you can run the command listed for your product. To install packages using the command line interface, use command "yum update". Refer to Suse security advisory: SUSE-SU-2021:3459-1 to address this issue and obtain further details.
    Patches
    SUSE Enterprise Linux SUSE-SU-2021:3459-1
  • CVE-2021-39226
    In Development

    Fedora Security Update for grafana (FEDORA-2021-dd83dc8b0b)

    Severity
    Critical4
    Qualys ID
    281995
    Vendor Reference
    FEDORA-2021-dd83dc8b0b
    CVE Reference
    CVE-2021-39226
    CVSS Scores
    Base 7.3 / Temporal 6.4
    Description
    Fedora has released a security update for grafana to fix the vulnerability.

    Affected OS:
    Fedora 34



    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    This vulnerability could be exploited to gain remote access to sensitive information and execute commands.
    Solution
    Fedora has issued updated packages to fix this vulnerability.

    For more information about the vulnerability and obtaining patches, refer to the following Fedora security advisories:
    Fedora 34 Update

    Patches
    Fedora 34 FEDORA-2021-dd83dc8b0b
  • CVE-2021-3421+
    Recently Published

    OpenSUSE Security Update for rpm (openSUSE-SU-2021:1366-1)

    Severity
    Critical4
    Qualys ID
    751248
    Date Published
    October 20, 2021
    Vendor Reference
    openSUSE-SU-2021:1366-1
    CVE Reference
    CVE-2021-3421, CVE-2021-20266, CVE-2021-20271
    CVSS Scores
    Base 7 / Temporal 6.1
    Description
    OpenSUSE has released a security update for rpm to fix the vulnerabilities.

    Affected Products:
    openSUSE Leap 15.2


    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    This vulnerability could be exploited to gain remote access to sensitive information and execute commands.
    Solution
    Upgrade to the latest packages which contain a patch. To install this OpenSUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product.

    To install packages using the command line interface, use the command "yum update".

    Refer to SUSE security advisory openSUSE-SU-2021:1366-1 to address this issue and obtain further details.

    Patches
    OpenSuse openSUSE-SU-2021:1366-1
  • CVE-2021-3744+
    Recently Published

    OpenSUSE Security Update for the Linux Kernel (openSUSE-SU-2021:1365-1)

    Severity
    Critical4
    Qualys ID
    751245
    Date Published
    October 20, 2021
    Vendor Reference
    openSUSE-SU-2021:1365-1
    CVE Reference
    CVE-2021-3744, CVE-2020-3702, CVE-2021-3669, CVE-2021-3752, CVE-2021-40490, CVE-2021-3764
    CVSS Scores
    Base 7 / Temporal 6.1
    Description
    OpenSUSE has released a security update for the Linux Kernel to fix the vulnerabilities.

    Affected Products:
    openSUSE Leap 15.2


    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    This vulnerability could be exploited to gain remote access to sensitive information and execute commands.
    Solution
    Upgrade to the latest packages which contain a patch. To install this OpenSUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product.

    To install packages using the command line interface, use the command "yum update".

    Refer to SUSE security advisory openSUSE-SU-2021:1365-1 to address this issue and obtain further details.

    Patches
    OpenSuse openSUSE-SU-2021:1365-1
  • CVE-2021-35539+
    Recently Published

    Oracle Solaris 11.4 Support Repository Update (SRU) 38.101.6 Missing (CPUOCT2021)

    Severity
    Critical4
    Qualys ID
    296054
    Date Published
    October 20, 2021
    Vendor Reference
    CPUOCT2021, Oracle Solaris Third Party Bulletin - October 2021
    CVE Reference
    CVE-2021-35539, CVE-2021-35589, CVE-2021-35549
    CVSS Scores
    Base 6.5 / Temporal 6
    Description
    The target does not have Solaris 11.4 SRU 38.101.6 applied. The Support Repository Updates provide patch bundles/updates that primarily contain bug fixes for the system and third party software.

    QID Detection Logic (Authenticated):
    This QID lists installed patch to check if the patches are missing.

    Consequence
    This Critical Patch Update contains 5 new security patches for Oracle Systems. Two of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.
    Solution
    Apply Solaris 11.4 SRU38.101.6. Refer to Oracle Solaris 11.3 SRU 38.101.6 for more information.

    Patches
    CPUOCT2021
  • In Development

    Fedora Security Update for thunderbird (FEDORA-2021-5b9128d9fd)

    Severity
    Critical4
    Qualys ID
    281994
    Vendor Reference
    FEDORA-2021-5b9128d9fd
    CVSS Scores
    Base 4.2 / Temporal 3.7
    Description
    Fedora has released a security update for thunderbird to fix the vulnerability.

    Affected OS:
    Fedora 34



    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    Malicious users could use this vulnerability to change partial contents or configuration on the system. Additionally this vulnerability can also be used to cause a limited denial of service in the form of interruptions in resource availability.
    Solution
    Fedora has issued updated packages to fix this vulnerability.

    For more information about the vulnerability and obtaining patches, refer to the following Fedora security advisories:
    Fedora 34 Update

    Patches
    Fedora 34 FEDORA-2021-5b9128d9fd
  • CVE-2021-3620
    Recently Published

    Red Hat Update for Ansible (RHSA-2021:3871)

    Severity
    Critical4
    Qualys ID
    239680
    Date Published
    October 20, 2021
    Vendor Reference
    RHSA-2021:3871
    CVE Reference
    CVE-2021-3620
    CVSS Scores
    Base / Temporal
    Description
    Ansible is a simple model-driven configuration management, multi-nodedeployment, and remote-task execution system. Solution For details on how to apply this update, which includes the changesdescribed in this advisory, refer to:https://access.redhat.com/articles/11258 Affected Products Red Hat Ansible Engine 2.9 for RHEL 8 x86_64 Red Hat Ansible Engine 2.9 for RHEL 8 s390x Red Hat Ansible Engine 2.9 for RHEL 8 ppc64le Red Hat Ansible Engine 2.9 for RHEL 8 aarch64 Red Hat Ansible Engine 2.9 for RHEL 7 x86_64 Red Hat Ansible Engine 2.9 for RHEL 7 s390x Red Hat Ansible Engine 2.9 for RHEL 7 ppc64le Fixes BZ - 1975767 - CVE-2021-3620 Ansible: ansible-connection module discloses sensitive info in traceback error message CVEs CVE-2021-3620 References https://access.redhat.com/security/updates/classification/#important Note: More recent versions of these packages may be available. Click a package name

    Affected Products:

    Red Hat Ansible Engine 2.9 for RHEL 8 x86_64
    Red Hat Ansible Engine 2.9 for RHEL 8 s390x
    Red Hat Ansible Engine 2.9 for RHEL 8 ppc64le
    Red Hat Ansible Engine 2.9 for RHEL 8 aarch64
    Red Hat Ansible Engine 2.9 for RHEL 7 x86_64
    Red Hat Ansible Engine 2.9 for RHEL 7 s390x
    Red Hat Ansible Engine 2.9 for RHEL 7 ppc64le

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    On successful exploitation, it could allow an attacker to execute code.
    Solution
    Upgrade to the latest packages which contain a patch. Refer to Applying Package Updates to RHEL system for details.

    Refer to Red Hat security advisory RHSA-2021:3871 to address this issue and obtain more information.

    Patches
    Red Hat Enterprise Linux RHSA-2021:3871
  • CVE-2021-3620
    Recently Published

    Red Hat Update for Ansible (RHSA-2021:3872)

    Severity
    Critical4
    Qualys ID
    239679
    Date Published
    October 20, 2021
    Vendor Reference
    RHSA-2021:3872
    CVE Reference
    CVE-2021-3620
    CVSS Scores
    Base / Temporal
    Description
    Ansible is a simple model-driven configuration management, multi-nodedeployment, and remote-task execution system. Solution For details on how to apply this update, which includes the changesdescribed in this advisory, refer to:https://access.redhat.com/articles/11258 Affected Products Red Hat Ansible Engine 2 for RHEL 8 x86_64 Red Hat Ansible Engine 2 for RHEL 8 s390x Red Hat Ansible Engine 2 for RHEL 8 ppc64le Red Hat Ansible Engine 2 for RHEL 8 aarch64 Red Hat Ansible Engine 2 for RHEL 7 x86_64 Red Hat Ansible Engine 2 for RHEL 7 s390x Red Hat Ansible Engine 2 for RHEL 7 ppc64le Fixes BZ - 1975767 - CVE-2021-3620 Ansible: ansible-connection module discloses sensitive info in traceback error message CVEs CVE-2021-3620 Note: More recent versions of these packages may be available. Click a package name

    Affected Products:

    Red Hat Ansible Engine 2 for RHEL 8 x86_64
    Red Hat Ansible Engine 2 for RHEL 8 s390x
    Red Hat Ansible Engine 2 for RHEL 8 ppc64le
    Red Hat Ansible Engine 2 for RHEL 8 aarch64
    Red Hat Ansible Engine 2 for RHEL 7 x86_64
    Red Hat Ansible Engine 2 for RHEL 7 s390x
    Red Hat Ansible Engine 2 for RHEL 7 ppc64le

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    On successful exploitation, it could allow an attacker to execute code.
    Solution
    Upgrade to the latest packages which contain a patch. Refer to Applying Package Updates to RHEL system for details.

    Refer to Red Hat security advisory RHSA-2021:3872 to address this issue and obtain more information.

    Patches
    Red Hat Enterprise Linux RHSA-2021:3872
  • Recently Published

    Fedora Security Update for httpd (FEDORA-2021-ae829e54ab)

    Severity
    Critical4
    Qualys ID
    281991
    Date Published
    October 20, 2021
    Vendor Reference
    FEDORA-2021-ae829e54ab
    CVSS Scores
    Base 4.2 / Temporal 3.7
    Description
    Fedora has released a security update for httpd to fix the vulnerability.

    Affected OS:
    Fedora 33



    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    Malicious users could use this vulnerability to change partial contents or configuration on the system. Additionally this vulnerability can also be used to cause a limited denial of service in the form of interruptions in resource availability.
    Solution
    Fedora has issued updated packages to fix this vulnerability.

    For more information about the vulnerability and obtaining patches, refer to the following Fedora security advisories:
    Fedora 33 Update

    Patches
    Fedora 33 FEDORA-2021-ae829e54ab
  • CVE-2021-37978+
    Recently Published

    Fedora Security Update for chromium (FEDORA-2021-116eff380f)

    Severity
    Critical4
    Qualys ID
    281987
    Date Published
    October 20, 2021
    Vendor Reference
    FEDORA-2021-116eff380f
    CVE Reference
    CVE-2021-37978, CVE-2021-37979, CVE-2021-37976, CVE-2021-37974, CVE-2021-37975, CVE-2021-37977, CVE-2021-37980
    CVSS Scores
    Base 8.8 / Temporal 7.7
    Description
    Fedora has released a security update for chromium to fix the vulnerability.

    Affected OS:
    Fedora 34



    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    This vulnerability could be exploited to gain remote access to sensitive information and execute commands.
    Solution
    Fedora has issued updated packages to fix this vulnerability.

    For more information about the vulnerability and obtaining patches, refer to the following Fedora security advisories:
    Fedora 34 Update

    Patches
    Fedora 34 FEDORA-2021-116eff380f
  • CVE-2021-41611
    Recently Published

    Fedora Security Update for squid (FEDORA-2021-de5e6c60c2)

    Severity
    Critical4
    Qualys ID
    281985
    Date Published
    October 20, 2021
    Vendor Reference
    FEDORA-2021-de5e6c60c2
    CVE Reference
    CVE-2021-41611
    CVSS Scores
    Base 7.5 / Temporal 6.5
    Description
    Fedora has released a security update for squid to fix the vulnerability.

    Affected OS:
    Fedora 34



    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    Malicious users could use this vulnerability to change partial contents or configuration on the system. Additionally this vulnerability can also be used to cause a limited denial of service in the form of interruptions in resource availability.
    Solution
    Fedora has issued updated packages to fix this vulnerability.

    For more information about the vulnerability and obtaining patches, refer to the following Fedora security advisories:
    Fedora 34 Update

    Patches
    Fedora 34 FEDORA-2021-de5e6c60c2
  • CVE-2021-41611
    Recently Published

    Fedora Security Update for squid (FEDORA-2021-4d2e7691ca)

    Severity
    Critical4
    Qualys ID
    281984
    Date Published
    October 20, 2021
    Vendor Reference
    FEDORA-2021-4d2e7691ca
    CVE Reference
    CVE-2021-41611
    CVSS Scores
    Base 7.5 / Temporal 6.5
    Description
    Fedora has released a security update for squid to fix the vulnerability.

    Affected OS:
    Fedora 33



    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    Malicious users could use this vulnerability to change partial contents or configuration on the system. Additionally this vulnerability can also be used to cause a limited denial of service in the form of interruptions in resource availability.
    Solution
    Fedora has issued updated packages to fix this vulnerability.

    For more information about the vulnerability and obtaining patches, refer to the following Fedora security advisories:
    Fedora 33 Update

    Patches
    Fedora 33 FEDORA-2021-4d2e7691ca
  • CVE-2021-38562
    Recently Published

    Fedora Security Update for rt (FEDORA-2021-05feb8a8b2)

    Severity
    Critical4
    Qualys ID
    281983
    Date Published
    October 20, 2021
    Vendor Reference
    FEDORA-2021-05feb8a8b2
    CVE Reference
    CVE-2021-38562
    CVSS Scores
    Base 7.5 / Temporal 6.5
    Description
    Fedora has released a security update for rt to fix the vulnerability.

    Affected OS:
    Fedora 34



    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    Malicious users could use this vulnerability to change partial contents or configuration on the system. Additionally this vulnerability can also be used to cause a limited denial of service in the form of interruptions in resource availability.
    Solution
    Fedora has issued updated packages to fix this vulnerability.

    For more information about the vulnerability and obtaining patches, refer to the following Fedora security advisories:
    Fedora 34 Update

    Patches
    Fedora 34 FEDORA-2021-05feb8a8b2
  • CVE-2021-38562
    Recently Published

    Fedora Security Update for rt (FEDORA-2021-7ddc28a14b)

    Severity
    Critical4
    Qualys ID
    281982
    Date Published
    October 20, 2021
    Vendor Reference
    FEDORA-2021-7ddc28a14b
    CVE Reference
    CVE-2021-38562
    CVSS Scores
    Base 7.5 / Temporal 6.5
    Description
    Fedora has released a security update for rt to fix the vulnerability.

    Affected OS:
    Fedora 33



    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    Malicious users could use this vulnerability to change partial contents or configuration on the system. Additionally this vulnerability can also be used to cause a limited denial of service in the form of interruptions in resource availability.
    Solution
    Fedora has issued updated packages to fix this vulnerability.

    For more information about the vulnerability and obtaining patches, refer to the following Fedora security advisories:
    Fedora 33 Update

    Patches
    Fedora 33 FEDORA-2021-7ddc28a14b
  • CVE-2021-39153+
    Recently Published

    Fedora Security Update for xstream (FEDORA-2021-fbad11014a)

    Severity
    Critical4
    Qualys ID
    281981
    Date Published
    October 20, 2021
    Vendor Reference
    FEDORA-2021-fbad11014a
    CVE Reference
    CVE-2021-39153, CVE-2021-21343, CVE-2020-26258, CVE-2021-39146, CVE-2021-21347, CVE-2021-39152, CVE-2021-21344, CVE-2021-21345, CVE-2021-39147, CVE-2021-21342, CVE-2021-21346, CVE-2021-21341, CVE-2021-21348, CVE-2021-39154, CVE-2021-39148, CVE-2021-39150, CVE-2021-21350, CVE-2020-26259, CVE-2021-39145, CVE-2021-39149, CVE-2021-39139, CVE-2021-29505, CVE-2021-21351, CVE-2021-39144, CVE-2021-39141, CVE-2021-39140, CVE-2021-21349, CVE-2021-39151
    CVSS Scores
    Base 9.9 / Temporal 8.6
    Description
    Fedora has released a security update for xstream to fix the vulnerability.

    Affected OS:
    Fedora 33



    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    This vulnerability can also be used to cause a limited denial of service in the form of interruptions in resource availability.
    Solution
    Fedora has issued updated packages to fix this vulnerability.

    For more information about the vulnerability and obtaining patches, refer to the following Fedora security advisories:
    Fedora 33 Update

    Patches
    Fedora 33 FEDORA-2021-fbad11014a
  • CVE-2021-39153+
    Recently Published

    Fedora Security Update for xstream (FEDORA-2021-d894ca87dc)

    Severity
    Critical4
    Qualys ID
    281980
    Date Published
    October 20, 2021
    Vendor Reference
    FEDORA-2021-d894ca87dc
    CVE Reference
    CVE-2021-39153, CVE-2021-21343, CVE-2020-26258, CVE-2021-39146, CVE-2021-21347, CVE-2021-39152, CVE-2021-21344, CVE-2021-21345, CVE-2021-39147, CVE-2021-21342, CVE-2021-21346, CVE-2021-21341, CVE-2021-21348, CVE-2021-39154, CVE-2021-39148, CVE-2021-39150, CVE-2021-21350, CVE-2020-26259, CVE-2021-39145, CVE-2021-39149, CVE-2021-39139, CVE-2021-29505, CVE-2021-21351, CVE-2021-39144, CVE-2021-39141, CVE-2021-39140, CVE-2021-21349, CVE-2021-39151
    CVSS Scores
    Base 9.9 / Temporal 8.6
    Description
    Fedora has released a security update for xstream to fix the vulnerability.

    Affected OS:
    Fedora 34



    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    This vulnerability can also be used to cause a limited denial of service in the form of interruptions in resource availability.
    Solution
    Fedora has issued updated packages to fix this vulnerability.

    For more information about the vulnerability and obtaining patches, refer to the following Fedora security advisories:
    Fedora 34 Update

    Patches
    Fedora 34 FEDORA-2021-d894ca87dc
  • CVE-2021-42013+
    Recently Published

    Fedora Security Update for httpd (FEDORA-2021-2a10bc68a4)

    Severity
    Critical4
    Qualys ID
    281975
    Date Published
    October 20, 2021
    Vendor Reference
    FEDORA-2021-2a10bc68a4
    CVE Reference
    CVE-2021-42013, CVE-2021-41773
    CVSS Scores
    Base 9.8 / Temporal 8.8
    Description
    Fedora has released a security update for httpd to fix the vulnerability.

    Affected OS:
    Fedora 34



    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    Malicious users could also use this vulnerability to change partial contents or configuration on the system and information disclosure.Denial of service can appear in some cases too.
    Solution
    Fedora has issued updated packages to fix this vulnerability.

    For more information about the vulnerability and obtaining patches, refer to the following Fedora security advisories:
    Fedora 34 Update

    Patches
    Fedora 34 FEDORA-2021-2a10bc68a4
  • CVE-2021-41133
    Recently Published

    Fedora Security Update for flatpak (FEDORA-2021-4b201d15e6)

    Severity
    Critical4
    Qualys ID
    281974
    Date Published
    October 20, 2021
    Vendor Reference
    FEDORA-2021-4b201d15e6
    CVE Reference
    CVE-2021-41133
    CVSS Scores
    Base 7.8 / Temporal 6.8
    Description
    Fedora has released a security update for flatpak to fix the vulnerability.

    Affected OS:
    Fedora 34



    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    Malicious users could use this vulnerability to change partial contents or configuration on the system. Additionally this vulnerability can also be used to cause a limited denial of service in the form of interruptions in resource availability.
    Solution
    Fedora has issued updated packages to fix this vulnerability.

    For more information about the vulnerability and obtaining patches, refer to the following Fedora security advisories:
    Fedora 34 Update

    Patches
    Fedora 34 FEDORA-2021-4b201d15e6
  • CVE-2021-37972
    Recently Published

    Fedora Security Update for libjpeg (FEDORA-2021-359a715688)

    Severity
    Critical4
    Qualys ID
    281971
    Date Published
    October 20, 2021
    Vendor Reference
    FEDORA-2021-359a715688
    CVE Reference
    CVE-2021-37972
    CVSS Scores
    Base 8.8 / Temporal 7.7
    Description
    Fedora has released a security update for libjpeg to fix the vulnerability.

    Affected OS:
    Fedora 34



    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    Malicious users could use this vulnerability to change partial contents or configuration on the system. Additionally this vulnerability can also be used to cause a limited denial of service in the form of interruptions in resource availability.
    Solution
    Fedora has issued updated packages to fix this vulnerability.

    For more information about the vulnerability and obtaining patches, refer to the following Fedora security advisories:
    Fedora 34 Update

    Patches
    Fedora 34 FEDORA-2021-359a715688
  • Recently Published

    Fedora Security Update for firefox (FEDORA-2021-2c74a1d70c)

    Severity
    Urgent5
    Qualys ID
    281966
    Date Published
    October 20, 2021
    Vendor Reference
    FEDORA-2021-2c74a1d70c
    CVSS Scores
    Base 4.2 / Temporal 3.7
    Description
    Fedora has released a security update for firefox to fix the vulnerability.

    Affected OS:
    Fedora 34



    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    Malicious users could use this vulnerability to change partial contents or configuration on the system. Additionally this vulnerability can also be used to cause a limited denial of service in the form of interruptions in resource availability.
    Solution
    Fedora has issued updated packages to fix this vulnerability.

    For more information about the vulnerability and obtaining patches, refer to the following Fedora security advisories:
    Fedora 34 Update

    Patches
    Fedora 34 FEDORA-2021-2c74a1d70c
  • CVE-2019-17455
    Recently Published

    Ubuntu Security Notification for libntlm Vulnerability (USN-5108-1)

    Severity
    Critical4
    Qualys ID
    198536
    Date Published
    October 20, 2021
    Vendor Reference
    USN-5108-1
    CVE Reference
    CVE-2019-17455
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description
    Libntlm incorrectly handled specially crafted ntml requests.

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    an attacker could possibly use this issue to cause a denial of service or another unspecified impact..
    Solution
    Refer to Ubuntu advisory: USN-5108-1 for affected packages and patching details, or update with your package manager.
    Patches
    Ubuntu Linux USN-5108-1
  • CVE-2021-30542+
    Recently Published

    Fedora Security Update for chromium (FEDORA-2021-ab09a05562)

    Severity
    Critical4
    Qualys ID
    281967
    Date Published
    October 20, 2021
    Vendor Reference
    FEDORA-2021-ab09a05562
    CVE Reference
    CVE-2021-30542, CVE-2021-37958, CVE-2021-37970, CVE-2021-30543, CVE-2021-37965, CVE-2021-37972, CVE-2021-37971, CVE-2021-30627, CVE-2021-30558, CVE-2021-30626, CVE-2021-30625, CVE-2021-37963, CVE-2021-37959, CVE-2021-30633, CVE-2021-37961, CVE-2021-37966, CVE-2021-30629, CVE-2021-37969, CVE-2021-30631, CVE-2021-37962, CVE-2021-30630, CVE-2021-30628, CVE-2021-37967, CVE-2021-37968, CVE-2021-37960, CVE-2021-37964, CVE-2021-30632, CVE-2021-37957, CVE-2021-37973, CVE-2021-37956
    CVSS Scores
    Base 9.6 / Temporal 8.3
    Description
    Fedora has released a security update for chromium to fix the vulnerability.

    Affected OS:
    Fedora 33



    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    This vulnerability could be exploited to gain remote access to sensitive information and execute commands.
    Solution
    Fedora has issued updated packages to fix this vulnerability.

    For more information about the vulnerability and obtaining patches, refer to the following Fedora security advisories:
    Fedora 33 Update

    Patches
    Fedora 33 FEDORA-2021-ab09a05562
  • CVE-2021-41524+
    Recently Published

    Fedora Security Update for httpd (FEDORA-2021-5d2d4b6ac5)

    Severity
    Critical4
    Qualys ID
    281962
    Date Published
    October 20, 2021
    Vendor Reference
    FEDORA-2021-5d2d4b6ac5
    CVE Reference
    CVE-2021-41524, CVE-2021-33193
    CVSS Scores
    Base 7.5 / Temporal 6.5
    Description
    Fedora has released a security update for httpd to fix the vulnerability.

    Affected OS:
    Fedora 34



    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    Malicious users could use this vulnerability to change partial contents or configuration on the system. Additionally this vulnerability can also be used to cause a limited denial of service in the form of interruptions in resource availability.
    Solution
    Fedora has issued updated packages to fix this vulnerability.

    For more information about the vulnerability and obtaining patches, refer to the following Fedora security advisories:
    Fedora 34 Update

    Patches
    Fedora 34 FEDORA-2021-5d2d4b6ac5
  • CVE-2021-42013
    Recently Published

    Apache HTTP Server Multiple Vulnerabilities (CVE-2021-42013)

    Severity
    Urgent5
    Qualys ID
    150374
    Date Published
    October 19, 2021
    Vendor Reference
    Apache HTTP Server
    CVE Reference
    CVE-2021-42013
    CVSS Scores
    Base 9.8 / Temporal 8.1
    Description
    The Apache HTTP Server, colloquially called Apache, is a free and open-source cross-platform web server software.

    The Apache HTTP Server for versions 2.4.49, 2.4.50 has fixes for multiple vulnerabilities.

    Vulnerabilities:
    Apache HTTP Server Remote Code Execution
    Apache HTTP Server Path Traversal

    QID Detection Logic(s):
    This QID sends an HTTP GET request on Web Server and determines version based on the Server Header.

    Consequence
    Successful exploitation could allow an attacker to affect the confidentiality, integrity and availability of data on the target system.

    Solution
    Customers are advised to update to Apache HTTP Server. For more information refer to Apache HTTP Server

    Patches
    Apache HTTP Server
  • CVE-2021-32810+
    Recently Published

    Red Hat Update for firefox (RHSA-2021:3755)

    Severity
    Critical4
    Qualys ID
    239666
    Date Published
    October 19, 2021
    Vendor Reference
    RHSA-2021:3755
    CVE Reference
    CVE-2021-32810, CVE-2021-38496, CVE-2021-38497, CVE-2021-38498, CVE-2021-38500, CVE-2021-38501
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description
    Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability.This update upgrades Firefox to version 91.2.0 ESR.

    Security Fix(es): Mozilla: Use-after-free in MessageTask (CVE-2021-38496) Mozilla: Memory safety bugs fixed in Firefox 93, Firefox ESR 78.15, and Firefox ESR 91.2 (CVE-2021-38500) Mozilla: Memory safety bugs fixed in Firefox 93 and Firefox ESR 91.2 (CVE-2021-38501) rust-crossbeam-deque: race condition may lead to double free (CVE-2021-32810) Mozilla: Validation message could have been overlaid on another origin (CVE-2021-38497) Mozilla: Use-after-free of nsLanguageAtomService object (CVE-2021-38498)

    Affected Products:

    Red Hat Enterprise Linux for x86_64 8 x86_64
    Red Hat Enterprise Linux for x86_64 - Extended Update Support 8.4 x86_64
    Red Hat Enterprise Linux Server - AUS 8.4 x86_64
    Red Hat Enterprise Linux for IBM z Systems 8 s390x
    Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 8.4 s390x
    Red Hat Enterprise Linux for Power, little endian 8 ppc64le
    Red Hat Enterprise Linux for Power, little endian - Extended Update Support 8.4 ppc64le
    Red Hat Enterprise Linux Server - TUS 8.4 x86_64
    Red Hat Enterprise Linux for ARM 64 8 aarch64
    Red Hat Enterprise Linux for ARM 64 - Extended Update Support 8.4 aarch64
    Red Hat Enterprise Linux Server (for IBM Power LE) - Update Services for SAP Solutions 8.4 ppc64le
    Red Hat Enterprise Linux Server - Update Services for SAP Solutions 8.4 x86_64

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    On successful exploitation, it could allow an attacker to execute code.
    Solution
    Upgrade to the latest packages which contain a patch. Refer to Applying Package Updates to RHEL system for details.

    Refer to Red Hat security advisory RHSA-2021:3755 to address this issue and obtain more information.

    Patches
    Red Hat Enterprise Linux RHSA-2021:3755
  • CVE-2021-32810+
    Recently Published

    Red Hat Update for firefox (RHSA-2021:3756)

    Severity
    Critical4
    Qualys ID
    239665
    Date Published
    October 19, 2021
    Vendor Reference
    RHSA-2021:3756
    CVE Reference
    CVE-2021-32810, CVE-2021-38496, CVE-2021-38497, CVE-2021-38498, CVE-2021-38500, CVE-2021-38501
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description
    Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability.This update upgrades Firefox to version 91.2.0 ESR.

    Security Fix(es): Mozilla: Use-after-free in MessageTask (CVE-2021-38496) Mozilla: Memory safety bugs fixed in Firefox 93, Firefox ESR 78.15, and Firefox ESR 91.2 (CVE-2021-38500) Mozilla: Memory safety bugs fixed in Firefox 93 and Firefox ESR 91.2 (CVE-2021-38501) rust-crossbeam-deque: race condition may lead to double free (CVE-2021-32810) Mozilla: Validation message could have been overlaid on another origin (CVE-2021-38497) Mozilla: Use-after-free of nsLanguageAtomService object (CVE-2021-38498)

    Affected Products:

    Red Hat Enterprise Linux for x86_64 - Extended Update Support 8.2 x86_64
    Red Hat Enterprise Linux Server - AUS 8.2 x86_64
    Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 8.2 s390x
    Red Hat Enterprise Linux for Power, little endian - Extended Update Support 8.2 ppc64le
    Red Hat Enterprise Linux Server - TUS 8.2 x86_64
    Red Hat Enterprise Linux for ARM 64 - Extended Update Support 8.2 aarch64
    Red Hat Enterprise Linux Server (for IBM Power LE) - Update Services for SAP Solutions 8.2 ppc64le
    Red Hat Enterprise Linux Server - Update Services for SAP Solutions 8.2 x86_64

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    On successful exploitation, it could allow an attacker to execute code.
    Solution
    Upgrade to the latest packages which contain a patch. Refer to Applying Package Updates to RHEL system for details.

    Refer to Red Hat security advisory RHSA-2021:3756 to address this issue and obtain more information.

    Patches
    Red Hat Enterprise Linux RHSA-2021:3756
  • CVE-2021-32810+
    Recently Published

    Red Hat Update for firefox (RHSA-2021:3757)

    Severity
    Critical4
    Qualys ID
    239664
    Date Published
    October 19, 2021
    Vendor Reference
    RHSA-2021:3757
    CVE Reference
    CVE-2021-32810, CVE-2021-38496, CVE-2021-38497, CVE-2021-38498, CVE-2021-38500, CVE-2021-38501
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description
    Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability.This update upgrades Firefox to version 91.2.0 ESR.

    Security Fix(es): Mozilla: Use-after-free in MessageTask (CVE-2021-38496) Mozilla: Memory safety bugs fixed in Firefox 93, Firefox ESR 78.15, and Firefox ESR 91.2 (CVE-2021-38500) Mozilla: Memory safety bugs fixed in Firefox 93 and Firefox ESR 91.2 (CVE-2021-38501) rust-crossbeam-deque: race condition may lead to double free (CVE-2021-32810) Mozilla: Validation message could have been overlaid on another origin (CVE-2021-38497) Mozilla: Use-after-free of nsLanguageAtomService object (CVE-2021-38498)

    Affected Products:

    Red Hat Enterprise Linux for x86_64 - Extended Update Support 8.1 x86_64
    Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 8.1 s390x
    Red Hat Enterprise Linux for Power, little endian - Extended Update Support 8.1 ppc64le
    Red Hat Enterprise Linux for ARM 64 - Extended Update Support 8.1 aarch64
    Red Hat Enterprise Linux Server (for IBM Power LE) - Update Services for SAP Solutions 8.1 ppc64le
    Red Hat Enterprise Linux Server - Update Services for SAP Solutions 8.1 x86_64

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    On successful exploitation, it could allow an attacker to execute code.
    Solution
    Upgrade to the latest packages which contain a patch. Refer to Applying Package Updates to RHEL system for details.

    Refer to Red Hat security advisory RHSA-2021:3757 to address this issue and obtain more information.

    Patches
    Red Hat Enterprise Linux RHSA-2021:3757
  • CVE-2021-40438
    Recently Published

    Red Hat Update for Red Hat JBoss Core Services Apache Hypertext Transfer Protocol Server (HTTP Server) 2.4.37 SP9 (RHSA-2021:3746)

    Severity
    Critical4
    Qualys ID
    239668
    Date Published
    October 19, 2021
    Vendor Reference
    RHSA-2021:3746
    CVE Reference
    CVE-2021-40438
    CVSS Scores
    Base 9 / Temporal 7.8
    Description
    This release adds the new Apache HTTP Server 2.4.37 Service Pack 9 packages that are part of the JBoss Core Services offering.This release serves as a replacement for Red Hat JBoss Core Services Apache HTTP Server 2.4.37 Service Pack 8 and includes an important security update. Refer to the Release Notes for information on the security fix included in this release.

    Security Fix(es): httpd: mod_proxy: SSRF via a crafted request uri-path (CVE-2021-40438)

    Affected Products:

    Red Hat JBoss Core Services 1 for RHEL 8 x86_64
    Red Hat JBoss Core Services 1 for RHEL 7 x86_64

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    On successful exploitation, it could allow an attacker to execute code.
    Solution
    Upgrade to the latest packages which contain a patch. Refer to Applying Package Updates to RHEL system for details.

    Refer to Red Hat security advisory RHSA-2021:3746 to address this issue and obtain more information.

    Patches
    Red Hat Enterprise Linux RHSA-2021:3746
  • CVE-2021-40438
    Recently Published

    Red Hat Update for httpd24-httpd (RHSA-2021:3754)

    Severity
    Critical4
    Qualys ID
    239667
    Date Published
    October 19, 2021
    Vendor Reference
    RHSA-2021:3754
    CVE Reference
    CVE-2021-40438
    CVSS Scores
    Base 9 / Temporal 7.8
    Description
    The httpd packages provide the Apache HTTP Server, a powerful, efficient, and extensible web server.

    Security Fix(es): httpd: mod_proxy: SSRF via a crafted request uri-path containing "unix:" (CVE-2021-40438)

    Affected Products:

    Red Hat Software Collections (for RHEL Server) 1 for RHEL 7 x86_64
    Red Hat Software Collections (for RHEL Server for System Z) 1 for RHEL 7 s390x
    Red Hat Software Collections (for RHEL Server for IBM Power LE) 1 for RHEL 7 ppc64le
    Red Hat Software Collections (for RHEL Workstation) 1 for RHEL 7 x86_64

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    On successful exploitation, it could allow an attacker to execute code.
    Solution
    Upgrade to the latest packages which contain a patch. Refer to Applying Package Updates to RHEL system for details.

    Refer to Red Hat security advisory RHSA-2021:3754 to address this issue and obtain more information.

    Patches
    Red Hat Enterprise Linux RHSA-2021:3754
  • CVE-2021-22543+
    Recently Published

    Red Hat Update for kpatch-patch (RHSA-2021:3768)

    Severity
    Critical4
    Qualys ID
    239663
    Date Published
    October 19, 2021
    Vendor Reference
    RHSA-2021:3768
    CVE Reference
    CVE-2021-22543, CVE-2021-37576
    CVSS Scores
    Base 7.8 / Temporal 6.8
    Description
    This is a kernel live patch module which is automatically loaded by the RPM post-install script to modify the code of a running kernel.

    Security Fix(es): kernel: Improper handling of VM_IO|VM_PFNMAP vmas in KVM can bypass RO checks (CVE-2021-22543) kernel: powerpc: KVM guest OS users can cause host OS memory corruption (CVE-2021-37576)

    Affected Products:

    Red Hat Enterprise Linux Server 7 x86_64
    Red Hat Enterprise Linux for Power, little endian 7 ppc64le

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    On successful exploitation, it could allow an attacker to execute code.
    Solution
    Upgrade to the latest packages which contain a patch. Refer to Applying Package Updates to RHEL system for details.

    Refer to Red Hat security advisory RHSA-2021:3768 to address this issue and obtain more information.

    Patches
    Red Hat Enterprise Linux RHSA-2021:3768
  • CVE-2021-29989+
    Recently Published

    OpenSUSE Security Update for MozillaFirefox (openSUSE-SU-2021:3451-1)

    Severity
    Critical4
    Qualys ID
    751237
    Date Published
    October 19, 2021
    Vendor Reference
    openSUSE-SU-2021:3451-1
    CVE Reference
    CVE-2021-29989, CVE-2021-38492, CVE-2021-29984, CVE-2021-29990, CVE-2021-29991, CVE-2021-38495, CVE-2021-38498, CVE-2021-29987, CVE-2021-38497, CVE-2021-29983, CVE-2021-29981, CVE-2021-29986, CVE-2021-38496, CVE-2021-29982, CVE-2021-38501, CVE-2021-29988, CVE-2021-29985, CVE-2021-29980, CVE-2021-38500, CVE-2021-32810
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description
    OpenSUSE has released a security update for MozillaFirefox to fix the vulnerabilities.

    Affected Products:
    openSUSE Leap 15.3


    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    This vulnerability could be exploited to gain remote access to sensitive information and execute commands.
    Solution
    Upgrade to the latest packages which contain a patch. To install this OpenSUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product.

    To install packages using the command line interface, use the command "yum update".

    Refer to SUSE security advisory openSUSE-SU-2021:3451-1 to address this issue and obtain further details.

    Patches
    OpenSuse openSUSE-SU-2021:3451-1
  • CVE-2021-41773
    Recently Published

    Apache HTTP Server Remote Code Execution (CVE-2021-41773)

    Severity
    Urgent5
    Qualys ID
    150373
    Date Published
    October 19, 2021
    Vendor Reference
    Apache HTTP Server
    CVE Reference
    CVE-2021-41773
    CVSS Scores
    Base 7.5 / Temporal 6.7
    Description
    The Apache HTTP Server, colloquially called Apache, is a free and open-source cross-platform web server software.

    The affected version of the Apache server allows remote attackers to read files via a Path Traversal vulnerability. This vulnerability only impacts Apache HTTP Server version 2.4.49 with the Require all denied access control configuration disabled. When mod_cgi module is enabled for these aliased paths, it leads to Remote Code Execution on the target server.

    QID Detection Logic (Unauthenticated) :
    This QID sends a crafted HTTP POST request to /bin/sh with payload to check if the target is exploitable.

    Consequence
    Successful exploitation of the vulnerability will allow remote attacker to execute arbitrary code on the target system.

    Solution
    Customers are advised to update to Apache HTTP Server. For more information refer to Apache HTTP Server

    Patches
    Apache HTTP Server
  • CVE-2021-37974+
    In Development

    OpenSUSE Security Update for opera (openSUSE-SU-2021:1358-1)

    Severity
    Critical4
    Qualys ID
    751232
    Vendor Reference
    openSUSE-SU-2021:1358-1
    CVE Reference
    CVE-2021-37974, CVE-2021-37976, CVE-2021-37975
    CVSS Scores
    Base 8.8 / Temporal 7.7
    Description
    OpenSUSE has released a security update for opera to fix the vulnerabilities.

    Affected Products:
    openSUSE Leap 15.3:NonFree
    openSUSE Leap 15.2:NonFree


    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    This vulnerability could be exploited to gain remote access to sensitive information and execute commands.
    Solution
    Upgrade to the latest packages which contain a patch. To install this OpenSUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product.

    To install packages using the command line interface, use the command "yum update".

    Refer to SUSE security advisory openSUSE-SU-2021:1358-1 to address this issue and obtain further details.

    Patches
    OpenSuse openSUSE-SU-2021:1358-1
  • CVE-2021-3669+
    In Development

    OpenSUSE Security Update for the Linux Kernel (openSUSE-SU-2021:3447-1)

    Severity
    Critical4
    Qualys ID
    751235
    Vendor Reference
    openSUSE-SU-2021:3447-1
    CVE Reference
    CVE-2021-3669, CVE-2021-40490, CVE-2020-3702, CVE-2021-3744, CVE-2021-3752, CVE-2021-3764
    CVSS Scores
    Base 7 / Temporal 6.1
    Description
    OpenSUSE has released a security update for the Linux Kernel to fix the vulnerabilities.

    Affected Products:
    openSUSE Leap 15.3


    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    This vulnerability could be exploited to gain remote access to sensitive information and execute commands.
    Solution
    Upgrade to the latest packages which contain a patch. To install this OpenSUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product.

    To install packages using the command line interface, use the command "yum update".

    Refer to SUSE security advisory openSUSE-SU-2021:3447-1 to address this issue and obtain further details.

    Patches
    OpenSuse openSUSE-SU-2021:3447-1
  • CVE-2021-3669+
    In Development

    OpenSUSE Security Update for the Linux Kernel (openSUSE-SU-2021:1357-1)

    Severity
    Critical4
    Qualys ID
    751234
    Vendor Reference
    openSUSE-SU-2021:1357-1
    CVE Reference
    CVE-2021-3669, CVE-2021-40490, CVE-2020-3702, CVE-2021-3744, CVE-2021-3752, CVE-2021-3764
    CVSS Scores
    Base 7 / Temporal 6.1
    Description
    OpenSUSE has released a security update for the Linux Kernel to fix the vulnerabilities.

    Affected Products:
    openSUSE Leap 15.2


    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    This vulnerability could be exploited to gain remote access to sensitive information and execute commands.
    Solution
    Upgrade to the latest packages which contain a patch. To install this OpenSUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product.

    To install packages using the command line interface, use the command "yum update".

    Refer to SUSE security advisory openSUSE-SU-2021:1357-1 to address this issue and obtain further details.

    Patches
    OpenSuse openSUSE-SU-2021:1357-1
  • In Development

    OpenSUSE Security Update for rpm (openSUSE-SU-2021:3445-1)

    Severity
    Critical4
    Qualys ID
    751236
    Vendor Reference
    openSUSE-SU-2021:3445-1
    CVSS Scores
    Base 4.2 / Temporal 3.7
    Description
    OpenSUSE has released a security update for rpm to fix the vulnerabilities.

    Affected Products:
    openSUSE Leap 15.3


    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    Malicious users could use this vulnerability to change partial contents or configuration on the system. Additionally this vulnerability can also be used to cause a limited denial of service in the form of interruptions in resource availability.
    Solution
    Upgrade to the latest packages which contain a patch. To install this OpenSUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product.

    To install packages using the command line interface, use the command "yum update".

    Refer to SUSE security advisory openSUSE-SU-2021:3445-1 to address this issue and obtain further details.

    Patches
    OpenSuse openSUSE-SU-2021:3445-1
  • Recently Published

    SUSE Enterprise Linux Security Update for javapackages-tools, javassist, mysql-connector-java, protobuf, python-python-gflags (SUSE-SU-2021:3450-1)

    Severity
    Critical4
    Qualys ID
    751231
    Date Published
    October 19, 2021
    Vendor Reference
    SUSE-SU-2021:3450-1
    CVSS Scores
    Base 4.2 / Temporal 3.7
    Description
    This update for javapackages-tools, javassist, mysql-connector-java, protobuf, python-python-gflags contains the following fixes: changes in mysql-connector-java: - restrict license to gpl-2.0-only - fix readme adjustments - depend on log4j rather than log4j-mini and adjust log4j dependencies to account for the lack of log4j12 provides in some code streams.
    - add missing group tag - update to 8.0.25 (soc-11543) changes in 8.0.25.
    Consequence
    Successful exploitation allows attacker to compromise the system.
    Solution
    Upgrade to the latest package which contains the patch. To install this SUSE Security, Update use YaST online_update. Alternatively you can run the command listed for your product. To install packages using the command line interface, use command "yum update". Refer to Suse security advisory: SUSE-SU-2021:3450-1 to address this issue and obtain further details.
    Patches
    SUSE Enterprise Linux SUSE-SU-2021:3450-1
  • CVE-2021-38496+
    Recently Published

    SUSE Enterprise Linux Security Update for MozillaFirefox (SUSE-SU-2021:3446-1)

    Severity
    Critical4
    Qualys ID
    751230
    Date Published
    October 19, 2021
    Vendor Reference
    SUSE-SU-2021:3446-1
    CVE Reference
    CVE-2021-38496, CVE-2021-38500, CVE-2021-38501, CVE-2021-38498, CVE-2021-32810, CVE-2021-38497
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description
    This update for mozillafirefox fixes the following issues: firefox extended support release 91.2.0 esr * fixed: various stability, functionality, and security fixes mfsa 2021-45 (bsc#1191332) * cve-2021-38496: use-after-free in messagetask * cve-2021-38497: validation message could have been overlaid on another origin * cve-2021-38498: use-after-free of nslanguageatomservice object * cve-2021-32810: fixed data race in crossbeam-deque * cve-2021-38500: memory safety bugs fixed in firefox 93, firefox esr 78.15, and firefox esr 91.2 * cve-2021-38501: memory safety bugs fixed in firefox 93 and firefox esr 91.2 - fixed crash in fips mode (bsc#1190710)

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    Successful exploitation allows attacker to compromise the system.
    Solution
    Upgrade to the latest package which contains the patch. To install this SUSE Security, Update use YaST online_update. Alternatively you can run the command listed for your product. To install packages using the command line interface, use command "yum update". Refer to Suse security advisory: SUSE-SU-2021:3446-1 to address this issue and obtain further details.
    Patches
    SUSE Enterprise Linux SUSE-SU-2021:3446-1
  • CVE-2016-4658
    In Development

    Oracle Enterprise Linux Security Update for libxml2 (ELSA-2021-3810)

    Severity
    Urgent5
    Qualys ID
    159417
    Vendor Reference
    ELSA-2021-3810
    CVE Reference
    CVE-2016-4658
    CVSS Scores
    Base 9.8 / Temporal 7.8
    Description
    Oracle Enterprise Linux has released a security update for libxml2 to fix the vulnerabilities.

    Affected Product:
    Oracle Linux 7

    Consequence
    This vulnerability could be exploited to gain complete access to sensitive information. Malicious users could also use this vulnerability to change all the contents or configuration on the system. Additionally this vulnerability can also be used to cause a complete denial of service and could render the resource completely unavailable.
    Solution
    To resolve this issue, upgrade to the latest packages which contain a patch. Refer to Oracle Enterprise Linux advisory below for updates and patch information:

    ELSA-2021-3810.
    Patches
    Oracle Linux ELSA-2021-3810
  • CVE-2018-9517+
    In Development

    Oracle Enterprise Linux Security Update for Unbreakable Enterprise kernel (ELSA-2021-9473)

    Severity
    Urgent5
    Qualys ID
    159420
    Vendor Reference
    ELSA-2021-9473
    CVE Reference
    CVE-2018-9517, CVE-2019-3901, CVE-2019-19074, CVE-2019-19063, CVE-2019-19066, CVE-2020-12771, CVE-2019-10220, CVE-2017-18216
    CVSS Scores
    Base 8.8 / Temporal 7
    Description
    Oracle Enterprise Linux has released a security update for Unbreakable Enterprise kernel to fix the vulnerabilities.

    Affected Product:
    Oracle Linux 6
    Oracle Linux 7

    Consequence
    This vulnerability could be exploited to gain complete access to sensitive information. Malicious users could also use this vulnerability to change all the contents or configuration on the system. Additionally this vulnerability can also be used to cause a complete denial of service and could render the resource completely unavailable.
    Solution
    To resolve this issue, upgrade to the latest packages which contain a patch. Refer to Oracle Enterprise Linux advisory below for updates and patch information:

    ELSA-2021-9473.
    Patches
    Oracle Linux ELSA-2021-9473
  • CVE-2021-22930
    Recently Published

    OpenSUSE Security Update for nodejs8 (openSUSE-SU-2021:1343-1)

    Severity
    Critical4
    Qualys ID
    751229
    Date Published
    October 18, 2021
    Vendor Reference
    openSUSE-SU-2021:1343-1
    CVE Reference
    CVE-2021-22930
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description
    OpenSUSE has released a security update for nodejs8 to fix the vulnerabilities.

    Affected Products:
    openSUSE Leap 15.2


    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    Malicious users could use this vulnerability to change partial contents or configuration on the system. Additionally this vulnerability can also be used to cause a limited denial of service in the form of interruptions in resource availability.
    Solution
    Upgrade to the latest packages which contain a patch. To install this OpenSUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product.

    To install packages using the command line interface, use the command "yum update".

    Refer to SUSE security advisory openSUSE-SU-2021:1343-1 to address this issue and obtain further details.

    Patches
    OpenSuse openSUSE-SU-2021:1343-1
  • CVE-2021-29987+
    Recently Published

    OpenSUSE Security Update for MozillaFirefox (openSUSE-SU-2021:3331-1)

    Severity
    Critical4
    Qualys ID
    751226
    Date Published
    October 18, 2021
    Vendor Reference
    openSUSE-SU-2021:3331-1
    CVE Reference
    CVE-2021-29987, CVE-2021-29991, CVE-2021-29982, CVE-2021-38496, CVE-2021-29990, CVE-2021-29983, CVE-2021-38497, CVE-2021-29986, CVE-2021-32810, CVE-2021-29988, CVE-2021-38500, CVE-2021-29989, CVE-2021-38501, CVE-2021-29985, CVE-2021-29984, CVE-2021-38498, CVE-2021-29981, CVE-2021-38492, CVE-2021-29980, CVE-2021-38495
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description
    OpenSUSE has released a security update for MozillaFirefox to fix the vulnerabilities.

    Affected Products:
    openSUSE Leap 15.3


    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    This vulnerability could be exploited to gain remote access to sensitive information and execute commands.
    Solution
    Upgrade to the latest packages which contain a patch. To install this OpenSUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product.

    To install packages using the command line interface, use the command "yum update".

    Refer to SUSE security advisory openSUSE-SU-2021:3331-1 to address this issue and obtain further details.

    Patches
    OpenSuse openSUSE-SU-2021:3331-1
  • CVE-2021-26691+
    In Development

    Oracle Enterprise Linux Security Update for httpd:2.4 (ELSA-2021-3816)

    Severity
    Critical4
    Qualys ID
    159418
    Vendor Reference
    ELSA-2021-3816
    CVE Reference
    CVE-2021-26691, CVE-2021-40438
    CVSS Scores
    Base 9.8 / Temporal 7.8
    Description
    Oracle Enterprise Linux has released a security update for httpd:2.4 to fix the vulnerabilities.

    Affected Product:
    Oracle Linux 8

    Consequence
    This vulnerability could be exploited to gain partial access to sensitive information. Malicious users could also use this vulnerability to change partial contents or configuration on the system. Additionally this vulnerability can also be used to cause a limited denial of service in the form of interruptions in resource availability.
    Solution
    To resolve this issue, upgrade to the latest packages which contain a patch. Refer to Oracle Enterprise Linux advisory below for updates and patch information:

    ELSA-2021-3816.
    Patches
    Oracle Linux ELSA-2021-3816
  • CVE-2021-37968+
    Recently Published

    OpenSUSE Security Update for chromium (openSUSE-SU-2021:1350-1)

    Severity
    Critical4
    Qualys ID
    751222
    Date Published
    October 18, 2021
    Vendor Reference
    openSUSE-SU-2021:1350-1
    CVE Reference
    CVE-2021-37968, CVE-2021-37957, CVE-2021-37967, CVE-2021-37956, CVE-2021-37971, CVE-2021-37979, CVE-2021-37969, CVE-2021-37976, CVE-2021-37966, CVE-2021-37963, CVE-2021-37970, CVE-2021-37959, CVE-2021-37980, CVE-2021-37975, CVE-2021-37962, CVE-2021-37964, CVE-2021-37960, CVE-2021-37974, CVE-2021-37961, CVE-2021-37972, CVE-2021-37965, CVE-2021-37973, CVE-2021-37958, CVE-2021-37977, CVE-2021-37978
    CVSS Scores
    Base 9.6 / Temporal 8.3
    Description
    OpenSUSE has released a security update for chromium to fix the vulnerabilities.

    Affected Products:
    openSUSE Leap 15.2


    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    This vulnerability could be exploited to gain remote access to sensitive information and execute commands.
    Solution
    Upgrade to the latest packages which contain a patch. To install this OpenSUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product.

    To install packages using the command line interface, use the command "yum update".

    Refer to SUSE security advisory openSUSE-SU-2021:1350-1 to address this issue and obtain further details.

    Patches
    OpenSuse openSUSE-SU-2021:1350-1
  • CVE-2021-30858+
    Recently Published

    OpenSUSE Security Update for webkit2gtk3 (openSUSE-SU-2021:3353-1)

    Severity
    Critical4
    Qualys ID
    751221
    Date Published
    October 18, 2021
    Vendor Reference
    openSUSE-SU-2021:3353-1
    CVE Reference
    CVE-2021-30858, CVE-2021-21806
    CVSS Scores
    Base 8.8 / Temporal 7.7
    Description
    OpenSUSE has released a security update for webkit2gtk3 to fix the vulnerabilities.

    Affected Products:
    openSUSE Leap 15.3


    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    This vulnerability could be exploited to gain remote access to sensitive information and execute commands.
    Solution
    Upgrade to the latest packages which contain a patch. To install this OpenSUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product.

    To install packages using the command line interface, use the command "yum update".

    Refer to SUSE security advisory openSUSE-SU-2021:3353-1 to address this issue and obtain further details.

    Patches
    OpenSuse openSUSE-SU-2021:3353-1
  • CVE-2020-16600+
    Recently Published

    OpenSUSE Security Update for mupdf (openSUSE-SU-2021:1341-1)

    Severity
    Critical4
    Qualys ID
    751225
    Date Published
    October 18, 2021
    Vendor Reference
    openSUSE-SU-2021:1341-1
    CVE Reference
    CVE-2020-16600, CVE-2020-19609
    CVSS Scores
    Base 7.8 / Temporal 6.8
    Description
    OpenSUSE has released a security update for mupdf to fix the vulnerabilities.

    Affected Products:
    openSUSE Leap 15.2


    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    This vulnerability could be exploited to gain remote access to sensitive information and execute commands.
    Solution
    Upgrade to the latest packages which contain a patch. To install this OpenSUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product.

    To install packages using the command line interface, use the command "yum update".

    Refer to SUSE security advisory openSUSE-SU-2021:1341-1 to address this issue and obtain further details.

    Patches
    OpenSuse openSUSE-SU-2021:1341-1
  • CVE-2021-3752+
    Recently Published

    OpenSUSE Security Update for the Linux Kernel (openSUSE-SU-2021:3338-1)

    Severity
    Critical4
    Qualys ID
    751223
    Date Published
    October 18, 2021
    Vendor Reference
    openSUSE-SU-2021:3338-1
    CVE Reference
    CVE-2021-3752, CVE-2020-3702, CVE-2021-3744, CVE-2021-3764, CVE-2021-40490, CVE-2021-3669
    CVSS Scores
    Base 7 / Temporal 6.1
    Description
    OpenSUSE has released a security update for the Linux Kernel to fix the vulnerabilities.

    Affected Products:
    openSUSE Leap 15.3


    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    This vulnerability could be exploited to gain remote access to sensitive information and execute commands.
    Solution
    Upgrade to the latest packages which contain a patch. To install this OpenSUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product.

    To install packages using the command line interface, use the command "yum update".

    Refer to SUSE security advisory openSUSE-SU-2021:3338-1 to address this issue and obtain further details.

    Patches
    OpenSuse openSUSE-SU-2021:3338-1
  • CVE-2021-3752+
    Recently Published

    OpenSUSE Security Update for the Linux Kernel (openSUSE-SU-2021:3387-1)

    Severity
    Critical4
    Qualys ID
    751217
    Date Published
    October 18, 2021
    Vendor Reference
    openSUSE-SU-2021:3387-1
    CVE Reference
    CVE-2021-3752, CVE-2020-3702, CVE-2021-3744, CVE-2021-3764, CVE-2021-40490, CVE-2021-3759, CVE-2021-3669
    CVSS Scores
    Base 7 / Temporal 6.1
    Description
    OpenSUSE has released a security update for the Linux Kernel to fix the vulnerabilities.

    Affected Products:
    openSUSE Leap 15.3


    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    This vulnerability could be exploited to gain remote access to sensitive information and execute commands.
    Solution
    Upgrade to the latest packages which contain a patch. To install this OpenSUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product.

    To install packages using the command line interface, use the command "yum update".

    Refer to SUSE security advisory openSUSE-SU-2021:3387-1 to address this issue and obtain further details.

    Patches
    OpenSuse openSUSE-SU-2021:3387-1
  • CVE-2021-39293
    Recently Published

    OpenSUSE Security Update for go1.16 (openSUSE-SU-2021:1342-1)

    Severity
    Critical4
    Qualys ID
    751228
    Date Published
    October 18, 2021
    Vendor Reference
    openSUSE-SU-2021:1342-1
    CVE Reference
    CVE-2021-39293
    CVSS Scores
    Base 4.2 / Temporal 3.7
    Description
    OpenSUSE has released a security update for go1.16 to fix the vulnerabilities.

    Affected Products:
    openSUSE Leap 15.2


    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    Malicious users could use this vulnerability to change partial contents or configuration on the system. Additionally this vulnerability can also be used to cause a limited denial of service in the form of interruptions in resource availability.
    Solution
    Upgrade to the latest packages which contain a patch. To install this OpenSUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product.

    To install packages using the command line interface, use the command "yum update".

    Refer to SUSE security advisory openSUSE-SU-2021:1342-1 to address this issue and obtain further details.

    Patches
    OpenSuse openSUSE-SU-2021:1342-1
  • CVE-2021-41773
    Recently Published

    Apache HTTP Server Path Traversal (CVE-2021-41773)

    Severity
    Critical4
    Qualys ID
    150372
    Date Published
    October 19, 2021
    Vendor Reference
    Apache HTTP Server
    CVE Reference
    CVE-2021-41773
    CVSS Scores
    Base 7.5 / Temporal 6.7
    Description
    The Apache HTTP Server, colloquially called Apache, is a free and open-source cross-platform web server software.

    The affected version of the Apache server allows remote attackers to read files via a path traversal vulnerability. This vulnerability only impacts Apache HTTP Server version 2.4.49 with the Require all denied access control configuration disabled.

    QID Detection Logic (Unauthenticated) :
    This QID sends an HTTP GET request to access the server file /etc/passwd and based on the response confirms if the target is vulnerable.

    Consequence
    Successful exploitation of the vulnerability may allow remote attackers to read sensitive files on the target server.

    Solution
    Customers are advised to update to Apache HTTP Server. For more information refer to Apache HTTP Server

    Patches
    Apache HTTP Server
  • CVE-2020-14343
    Recently Published

    Free Berkeley Software Distribution (FreeBSD) Security Update for pyyaml (c7ec6375-c3cf-11eb-904f-14dae9d5a9d2)

    Severity
    Urgent5
    Qualys ID
    690117
    Date Published
    October 19, 2021
    Vendor Reference
    c7ec6375-c3cf-11eb-904f-14dae9d5a9d2
    CVE Reference
    CVE-2020-14343
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description
    FreeBSD is an operating system used to power modern servers, desktops, and embedded platforms.

    FreeBSD has released a security update.
    Affected versions:

    Version range 0.0.0 to 5.4 for package py36-yaml
    Version range 0.0.0 to 5.4 for package py37-yaml
    Version range 0.0.0 to 5.4 for package py38-yaml
    Version range 0.0.0 to 5.4 for package py39-yaml

    QID Detection Logic: (Authenticated)
    It checks package versions to check for the vulnerable packages.

    Consequence
    Successful exploitation allows attacker to compromise the system.
    Solution
    Please refer to FreeBSD security advisory c7ec6375-c3cf-11eb-904f-14dae9d5a9d2 for updates and patch information
    Patches
    "FreeBSD" c7ec6375-c3cf-11eb-904f-14dae9d5a9d2
  • CVE-2021-3711+
    Recently Published

    Free Berkeley Software Distribution (FreeBSD) Security Update for Open Secure Sockets Layer (OpenSSL) (96811d4a-04ec-11ec-9b84-d4c9ef517024)

    Severity
    Critical4
    Qualys ID
    690055
    Date Published
    October 19, 2021
    Vendor Reference
    96811d4a-04ec-11ec-9b84-d4c9ef517024
    CVE Reference
    CVE-2021-3711, CVE-2021-3712
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description
    FreeBSD is an operating system used to power modern servers, desktops, and embedded platforms.

    FreeBSD has released a security update.
    Affected versions:

    Version range 0.0.0 to 1.1.1l,1 for package openssl
    Version range 0.0.0 to 3.0.0.b3 for package openssl-devel
    Version range 13.0 to 13.0_4 for package FreeBSD
    Version range 12.2 to 12.2_10 for package FreeBSD

    QID Detection Logic: (Authenticated)
    It checks package versions to check for the vulnerable packages.

    Consequence
    Successful exploitation allows attacker to compromise the system.
    Solution
    Please refer to FreeBSD security advisory 96811d4a-04ec-11ec-9b84-d4c9ef517024 for updates and patch information
    Patches
    "FreeBSD" 96811d4a-04ec-11ec-9b84-d4c9ef517024
  • CVE-2021-21704+
    Recently Published

    Debian Security Update for php7.0 (DLA 2708-1)

    Severity
    Critical4
    Qualys ID
    178707
    Date Published
    October 19, 2021
    Vendor Reference
    DLA 2708-1
    CVE Reference
    CVE-2021-21704, CVE-2019-18218, CVE-2021-21702, CVE-2021-21705, CVE-2020-7071
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description
    Debian has released security update for php7.0 to fix the vulnerabilities.



    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    This vulnerability could be exploited to gain remote access to sensitive information and execute commands.
    Solution
    Refer to Debian security advisory to CentOS advisory DLA 2708-1 for updates and patch information.
    Patches
    Debian DLA 2708-1
  • CVE-2021-41073+
    Recently Published

    Ubuntu Security Notification for Linux kernel (OEM) Vulnerabilities (USN-5106-1)

    Severity
    Critical4
    Qualys ID
    198533
    Date Published
    October 18, 2021
    Vendor Reference
    USN-5106-1
    CVE Reference
    CVE-2021-41073, CVE-2020-26541, CVE-2021-22543, CVE-2021-3612, CVE-2021-38199, CVE-2021-38160
    CVSS Scores
    Base 7.8 / Temporal 6.8
    Description
    The io_uring subsystem in the linux kernel could be coerced to free adjacent memory.
    The linux kernel did not properly enforce certain types of entries in the secure boot forbidden signature database (aka dbx) protection mechanism.
    The kvm hypervisor implementation in the linux kernel did not properly perform reference counting in some situations, leading to a use-after-free vulnerability.
    The joystick device interface in the linux kernel did not properly validate data passed via an ioctl().the virtio console implementation in the linux kernel did not properly validate input lengths in some situations.
    The nfsv4 client implementation in the linux kernel did not properly order connection setup operations.

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    a local attacker could use this to execute arbitrary code. (
    Cve-2021-41073).
    An attacker could use this to bypass uefi secure boot restrictions. (
    Cve-2020-26541).
    An attacker who could start and control a vm could possibly use this to expose sensitive information or execute arbitrary code. (
    Cve-2021-22543).
    A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code on systems with a joystick device registered. (
    Cve-2021-3612).
    A local attacker could possibly use this to cause a denial of service (system crash) (cve-2021-38160).
    An attacker controlling a remote nfs server could use this to cause a denial of service on the client. (
    Cve-2021-38199).
    Solution
    Refer to Ubuntu advisory: USN-5106-1 for affected packages and patching details, or update with your package manager.
    Patches
    Ubuntu Linux USN-5106-1
  • CVE-2021-40438+
    Recently Published

    SUSE Enterprise Linux Security Update for apache2 (SUSE-SU-2021:3335-1)

    Severity
    Critical4
    Qualys ID
    751216
    Date Published
    October 14, 2021
    Vendor Reference
    SUSE-SU-2021:3335-1
    CVE Reference
    CVE-2021-40438, CVE-2021-36160, CVE-2021-34798, CVE-2021-39275, CVE-2021-33193
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description
    This update for apache2 fixes the following issues: - cve-2021-40438: fixed a srf via a crafted request uri-path. (
    Bsc#1190703) - cve-2021-36160: fixed an out-of-bounds read via a crafted request uri-path. (
    Bsc#1190702) - cve-2021-39275: fixed an out-of-bounds write in ap_escape_quotes() via malicious input. (
    Bsc#1190666) - cve-2021-34798: fixed a null pointer dereference via malformed requests.
    (bsc#1190669) - cve-2021-33193: fixed request splitting via http/2 method injection and mod_proxy. (
    Bsc#1189387)

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    Successful exploitation allows attacker to compromise the system.
    Solution
    Upgrade to the latest package which contains the patch. To install this SUSE Security, Update use YaST online_update. Alternatively you can run the command listed for your product. To install packages using the command line interface, use command "yum update". Refer to Suse security advisory: SUSE-SU-2021:3335-1 to address this issue and obtain further details.
    Patches
    SUSE Enterprise Linux SUSE-SU-2021:3335-1
  • CVE-2021-3764+
    Recently Published

    SUSE Enterprise Linux Security Update for the Linux Kernel (SUSE-SU-2021:3386-1)

    Severity
    Critical4
    Qualys ID
    751215
    Date Published
    October 14, 2021
    Vendor Reference
    SUSE-SU-2021:3386-1
    CVE Reference
    CVE-2021-3764, CVE-2021-40490, CVE-2021-3752, CVE-2020-3702, CVE-2021-3744
    CVSS Scores
    Base 7 / Temporal 6.1
    Description
    The suse linux enterprise 12 sp56 kernel was updated.
    The following security bugs were fixed: - cve-2020-3702: fixed a bug which could be triggered with specifically timed and handcrafted traffic and cause internal errors in a wlan device that lead to improper layer 2 wi-fi encryption with a consequent possibility of information disclosure. (
    Bnc#1191193) - cve-2021-3752: fixed a use after free vulnerability in the linux kernel's bluetooth module. (
    Bsc#1190023) - cve-2021-40490: fixed a race condition discovered in the ext4 subsystem that could leat to local priviledge escalation. (
    Bnc#1190159) - cve-2021-3744: fixed a bug which could allows attackers to cause a denial of service. (
    Bsc#1189884) - cve-2021-3764: fixed a bug which could allows attackers to cause a denial of service. (
    Bsc#1190534)

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    Successful exploitation allows attacker to compromise the system.
    Solution
    Upgrade to the latest package which contains the patch. To install this SUSE Security, Update use YaST online_update. Alternatively you can run the command listed for your product. To install packages using the command line interface, use command "yum update". Refer to Suse security advisory: SUSE-SU-2021:3386-1 to address this issue and obtain further details.
    Patches
    SUSE Enterprise Linux SUSE-SU-2021:3386-1
  • CVE-2021-3764+
    Recently Published

    SUSE Enterprise Linux Security Update for the Linux Kernel (SUSE-SU-2021:3389-1)

    Severity
    Critical4
    Qualys ID
    751214
    Date Published
    October 14, 2021
    Vendor Reference
    SUSE-SU-2021:3389-1
    CVE Reference
    CVE-2021-3764, CVE-2021-40490, CVE-2021-3752, CVE-2020-3702, CVE-2021-3744
    CVSS Scores
    Base 7 / Temporal 6.1
    Description
    The suse linux enterprise 12 sp5 kernel was updated.
    The following security bugs were fixed: - cve-2020-3702: fixed a bug which could be triggered with specifically timed and handcrafted traffic and cause internal errors in a wlan device that lead to improper layer 2 wi-fi encryption with a consequent possibility of information disclosure. (
    Bnc#1191193) - cve-2021-3752: fixed a use after free vulnerability in the linux kernel's bluetooth module. (
    Bsc#1190023) - cve-2021-40490: fixed a race condition discovered in the ext4 subsystem that could leat to local priviledge escalation. (
    Bnc#1190159) - cve-2021-3744: fixed a bug which could allows attackers to cause a denial of service. (
    Bsc#1189884) - cve-2021-3764: fixed a bug which could allows attackers to cause a denial of service. (
    Bsc#1190534)

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    Successful exploitation allows attacker to compromise the system.
    Solution
    Upgrade to the latest package which contains the patch. To install this SUSE Security, Update use YaST online_update. Alternatively you can run the command listed for your product. To install packages using the command line interface, use command "yum update". Refer to Suse security advisory: SUSE-SU-2021:3389-1 to address this issue and obtain further details.
    Patches
    SUSE Enterprise Linux SUSE-SU-2021:3389-1
  • CVE-2021-29989+
    Recently Published

    SUSE Enterprise Linux Security Update for MozillaFirefox (SUSE-SU-2021:3331-1)

    Severity
    Critical4
    Qualys ID
    751210
    Date Published
    October 14, 2021
    Vendor Reference
    SUSE-SU-2021:3331-1
    CVE Reference
    CVE-2021-29989, CVE-2021-29981, CVE-2021-29986, CVE-2021-38496, CVE-2021-29987, CVE-2021-38498, CVE-2021-38492, CVE-2021-38501, CVE-2021-29985, CVE-2021-38495, CVE-2021-32810, CVE-2021-38500, CVE-2021-29990, CVE-2021-29991, CVE-2021-38497, CVE-2021-29983, CVE-2021-29980, CVE-2021-29982, CVE-2021-29984, CVE-2021-29988
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description
    This update for mozilla firefox fixes the following issues: this update contains the firefox extended support release 91.2.0 esr.
    firefox extended support release 91.2.0 esr * fixed: various stability, functionality, and security fixes mfsa 2021-45 (bsc#1191332) * cve-2021-38496: use-after-free in messagetask * cve-2021-38497: validation message could have been overlaid on another origin * cve-2021-38498: use-after-free of nslanguageatomservice object * cve-2021-32810: data race in crossbeam-deque j-wgcw) * cve-2021-38500 (bmo#1725854, bmo#1728321) memory safety bugs fixed in firefox 93, firefox esr 78.15, and firefox esr 91.2 * cve-2021-38501 (bmo#1685354, bmo#1715755, bmo#1723176) memory safety bugs fixed in firefox 93 and firefox esr 91.2 - fixed crash in fips mode (bsc#1190710) * fixed: various stability, functionality, and security fixes mfsa 2021-40 (bsc#1190269, bsc#1190274): * cve-2021-38492: navigating to `mk:` url scheme could load internet explorer * cve-2021-38495: memory safety bugs fixed in firefox 92 and firefox esr 91.1 firefox extended support release 91.0.1 esr * fixed: fixed an issue causing buttons on the tab bar to be resized when loading certain websites (bug 1704404) * fixed: fixed an issue which caused tabs from private windows to be visible in non-private windows when viewing switch-to- tab results in the address bar panel (bug 1720369) * fixed: various stability fixes * fixed: security fix mfsa 2021-37 (bsc#1189547) * cve-2021-29991 (bmo#1724896) header splitting possible with http/3 responses firefox extended support release 91.0 esr * new: some of the highlights of the new extended support release are: - a number of user interface changes.
    For more information, see the firefox 89 release notes.
    Consequence
    Successful exploitation allows attacker to compromise the system.
    Solution
    Upgrade to the latest package which contains the patch. To install this SUSE Security, Update use YaST online_update. Alternatively you can run the command listed for your product. To install packages using the command line interface, use command "yum update". Refer to Suse security advisory: SUSE-SU-2021:3331-1 to address this issue and obtain further details.
    Patches
    SUSE Enterprise Linux SUSE-SU-2021:3331-1
  • CVE-2016-9877
    Recently Published

    Free Berkeley Software Distribution (FreeBSD) Security Update for rabbitmq (b1aa54ae-74cb-42a0-b462-cbb6831c5c50)

    Severity
    Critical4
    Qualys ID
    690144
    Date Published
    October 14, 2021
    Vendor Reference
    b1aa54ae-74cb-42a0-b462-cbb6831c5c50
    CVE Reference
    CVE-2016-9877
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description
    FreeBSD is an operating system used to power modern servers, desktops, and embedded platforms.

    FreeBSD has released a security update.
    Affected versions:

    Version range 0.0.0 to 3.8.16 for package rabbitmq

    QID Detection Logic: (Authenticated)
    It checks package versions to check for the vulnerable packages.

    Consequence
    Successful exploitation allows attacker to compromise the system.
    Solution
    Please refer to FreeBSD security advisory b1aa54ae-74cb-42a0-b462-cbb6831c5c50 for updates and patch information
    Patches
    "FreeBSD" b1aa54ae-74cb-42a0-b462-cbb6831c5c50
  • CVE-2021-33204
    Recently Published

    Free Berkeley Software Distribution (FreeBSD) Security Update for pg partition manager (58b22f3a-bc71-11eb-b9c9-6cc21735f730)

    Severity
    Critical4
    Qualys ID
    690132
    Date Published
    October 14, 2021
    Vendor Reference
    58b22f3a-bc71-11eb-b9c9-6cc21735f730
    CVE Reference
    CVE-2021-33204
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description
    FreeBSD is an operating system used to power modern servers, desktops, and embedded platforms.

    FreeBSD has released a security update.
    Affected versions:

    Version range 0.0.0 to 4.5.1 for package pg_partman

    QID Detection Logic: (Authenticated)
    It checks package versions to check for the vulnerable packages.

    Consequence
    Successful exploitation allows attacker to compromise the system.
    Solution
    Please refer to FreeBSD security advisory 58b22f3a-bc71-11eb-b9c9-6cc21735f730 for updates and patch information
    Patches
    "FreeBSD" 58b22f3a-bc71-11eb-b9c9-6cc21735f730
  • CVE-2019-13132
    Recently Published

    Free Berkeley Software Distribution (FreeBSD) Security Update for libzmq4 (6954a2b0-bda8-11eb-a04e-641c67a117d8)

    Severity
    Critical4
    Qualys ID
    690129
    Date Published
    October 14, 2021
    Vendor Reference
    6954a2b0-bda8-11eb-a04e-641c67a117d8
    CVE Reference
    CVE-2019-13132
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description
    FreeBSD is an operating system used to power modern servers, desktops, and embedded platforms.

    FreeBSD has released a security update.
    Affected versions:

    Version range 0.0.0 to 4.3.2 for package libzmq4

    QID Detection Logic: (Authenticated)
    It checks package versions to check for the vulnerable packages.

    Consequence
    Successful exploitation allows attacker to compromise the system.
    Solution
    Please refer to FreeBSD security advisory 6954a2b0-bda8-11eb-a04e-641c67a117d8 for updates and patch information
    Patches
    "FreeBSD" 6954a2b0-bda8-11eb-a04e-641c67a117d8
  • CVE-2021-31535
    Recently Published

    Free Berkeley Software Distribution (FreeBSD) Security Update for libx11 (58d6ed66-c2e8-11eb-9fb0-6451062f0f7a)

    Severity
    Critical4
    Qualys ID
    690123
    Date Published
    October 14, 2021
    Vendor Reference
    58d6ed66-c2e8-11eb-9fb0-6451062f0f7a
    CVE Reference
    CVE-2021-31535
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description
    FreeBSD is an operating system used to power modern servers, desktops, and embedded platforms.

    FreeBSD has released a security update.
    Affected versions:

    Version range 0.0.0 to 1.7.1 for package libX11

    QID Detection Logic: (Authenticated)
    It checks package versions to check for the vulnerable packages.

    Consequence
    Successful exploitation allows attacker to compromise the system.
    Solution
    Please refer to FreeBSD security advisory 58d6ed66-c2e8-11eb-9fb0-6451062f0f7a for updates and patch information
    Patches
    "FreeBSD" 58d6ed66-c2e8-11eb-9fb0-6451062f0f7a
  • CVE-2019-18609
    Recently Published

    Free Berkeley Software Distribution (FreeBSD) Security Update for rabbitmq-c (7c555ce3-658d-4589-83dd-4b6a31c5d610)

    Severity
    Critical4
    Qualys ID
    690097
    Date Published
    October 14, 2021
    Vendor Reference
    7c555ce3-658d-4589-83dd-4b6a31c5d610
    CVE Reference
    CVE-2019-18609
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description
    FreeBSD is an operating system used to power modern servers, desktops, and embedded platforms.

    FreeBSD has released a security update.
    Affected versions:

    Version range 0.0.0 to 0.10.0 for package rabbitmq-c
    Version range 0.0.0 to 0.10.0 for package rabbitmq-c-devel

    QID Detection Logic: (Authenticated)
    It checks package versions to check for the vulnerable packages.

    Consequence
    Successful exploitation allows attacker to compromise the system.
    Solution
    Please refer to FreeBSD security advisory 7c555ce3-658d-4589-83dd-4b6a31c5d610 for updates and patch information
    Patches
    "FreeBSD" 7c555ce3-658d-4589-83dd-4b6a31c5d610
  • CVE-2021-23017
    Recently Published

    Free Berkeley Software Distribution (FreeBSD) Security Update for nginx (0882f019-bd60-11eb-9bdd-8c164567ca3c)

    Severity
    Critical4
    Qualys ID
    690131
    Date Published
    October 14, 2021
    Vendor Reference
    0882f019-bd60-11eb-9bdd-8c164567ca3c
    CVE Reference
    CVE-2021-23017
    CVSS Scores
    Base 9.4 / Temporal 8.2
    Description
    FreeBSD is an operating system used to power modern servers, desktops, and embedded platforms.

    FreeBSD has released a security update.
    Affected versions:

    Version range 0.0.0 to 1.20.1,2 for package nginx
    Version range 0.0.0 to 1.21.0 for package nginx-devel

    QID Detection Logic: (Authenticated)
    It checks package versions to check for the vulnerable packages.

    Consequence
    Successful exploitation allows attacker to compromise the system.
    Solution
    Please refer to FreeBSD security advisory 0882f019-bd60-11eb-9bdd-8c164567ca3c for updates and patch information
    Patches
    "FreeBSD" 0882f019-bd60-11eb-9bdd-8c164567ca3c
  • CVE-2021-29627
    Recently Published

    Free Berkeley Software Distribution (FreeBSD) Security Update for freebsd (f8e1e2a6-9791-11eb-b87a-901b0ef719ab)

    Severity
    Critical4
    Qualys ID
    690181
    Date Published
    October 14, 2021
    Vendor Reference
    f8e1e2a6-9791-11eb-b87a-901b0ef719ab
    CVE Reference
    CVE-2021-29627
    CVSS Scores
    Base 7.8 / Temporal 6.8
    Description
    FreeBSD is an operating system used to power modern servers, desktops, and embedded platforms.

    FreeBSD has released a security update.
    Affected versions:

    Version range 12.2 to 12.2_6 for package FreeBSD-kernel

    QID Detection Logic: (Authenticated)
    It checks package versions to check for the vulnerable packages.

    Consequence
    Successful exploitation allows attacker to compromise the system.
    Solution
    Please refer to FreeBSD security advisory f8e1e2a6-9791-11eb-b87a-901b0ef719ab for updates and patch information
    Patches
    "FreeBSD" f8e1e2a6-9791-11eb-b87a-901b0ef719ab
  • CVE-2021-28165
    Recently Published

    Free Berkeley Software Distribution (FreeBSD) Security Update for jenkins (e358b470-b37d-4e47-bc8a-2cd9adbeb63c)

    Severity
    Critical4
    Qualys ID
    690163
    Date Published
    October 14, 2021
    Vendor Reference
    e358b470-b37d-4e47-bc8a-2cd9adbeb63c
    CVE Reference
    CVE-2021-28165
    CVSS Scores
    Base 7.5 / Temporal 6.5
    Description
    FreeBSD is an operating system used to power modern servers, desktops, and embedded platforms.

    FreeBSD has released a security update.
    Affected versions:

    Version range 0.0.0 to 2.286 for package jenkins
    Version range 0.0.0 to 2.277.3 for package jenkins-lts

    QID Detection Logic: (Authenticated)
    It checks package versions to check for the vulnerable packages.

    Consequence
    Successful exploitation allows attacker to compromise the system.
    Solution
    Please refer to FreeBSD security advisory e358b470-b37d-4e47-bc8a-2cd9adbeb63c for updates and patch information
    Patches
    "FreeBSD" e358b470-b37d-4e47-bc8a-2cd9adbeb63c
  • CVE-2021-3515
    Recently Published

    Free Berkeley Software Distribution (FreeBSD) Security Update for pglogical (45b8716b-c707-11eb-b9a0-6805ca0b3d42)

    Severity
    Critical4
    Qualys ID
    690110
    Date Published
    October 14, 2021
    Vendor Reference
    45b8716b-c707-11eb-b9a0-6805ca0b3d42
    CVE Reference
    CVE-2021-3515
    CVSS Scores
    Base 6.7 / Temporal 5.8
    Description
    FreeBSD is an operating system used to power modern servers, desktops, and embedded platforms.

    FreeBSD has released a security update.
    Affected versions:

    Version range 0.0.0 to 2.3.4 for package pglogical

    QID Detection Logic: (Authenticated)
    It checks package versions to check for the vulnerable packages.

    Consequence
    Successful exploitation allows attacker to compromise the system.
    Solution
    Please refer to FreeBSD security advisory 45b8716b-c707-11eb-b9a0-6805ca0b3d42 for updates and patch information
    Patches
    "FreeBSD" 45b8716b-c707-11eb-b9a0-6805ca0b3d42
  • CVE-2020-8492
    Recently Published

    Free Berkeley Software Distribution (FreeBSD) Security Update for tauthon (c7855866-c511-11eb-ae1d-b42e991fc52e)

    Severity
    Critical4
    Qualys ID
    690114
    Date Published
    October 14, 2021
    Vendor Reference
    c7855866-c511-11eb-ae1d-b42e991fc52e
    CVE Reference
    CVE-2020-8492
    CVSS Scores
    Base 6.5 / Temporal 5.7
    Description
    FreeBSD is an operating system used to power modern servers, desktops, and embedded platforms.

    FreeBSD has released a security update.
    Affected versions:

    Version range 0.0.0 to 2.8.3 for package tauthon

    QID Detection Logic: (Authenticated)
    It checks package versions to check for the vulnerable packages.

    Consequence
    Successful exploitation allows attacker to compromise the system.
    Solution
    Please refer to FreeBSD security advisory c7855866-c511-11eb-ae1d-b42e991fc52e for updates and patch information
    Patches
    "FreeBSD" c7855866-c511-11eb-ae1d-b42e991fc52e
  • CVE-2020-36326
    Recently Published

    Free Berkeley Software Distribution (FreeBSD) Security Update for mantis (9b1699ff-d84c-11eb-92d6-1b6ff3dfe4d3)

    Severity
    Critical4
    Qualys ID
    690089
    Date Published
    October 14, 2021
    Vendor Reference
    9b1699ff-d84c-11eb-92d6-1b6ff3dfe4d3
    CVE Reference
    CVE-2020-36326
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description
    FreeBSD is an operating system used to power modern servers, desktops, and embedded platforms.

    FreeBSD has released a security update.
    Affected versions:

    Version range 0.0.0 to 2.25.2,1 for package mantis-php73
    Version range 0.0.0 to 2.25.2,1 for package mantis-php74
    Version range 0.0.0 to 2.25.2,1 for package mantis-php80

    QID Detection Logic: (Authenticated)
    It checks package versions to check for the vulnerable packages.

    Consequence
    Successful exploitation allows attacker to compromise the system.
    Solution
    Please refer to FreeBSD security advisory 9b1699ff-d84c-11eb-92d6-1b6ff3dfe4d3 for updates and patch information
    Patches
    "FreeBSD" 9b1699ff-d84c-11eb-92d6-1b6ff3dfe4d3
  • CVE-2021-20307
    Recently Published

    Free Berkeley Software Distribution (FreeBSD) Security Update for libpano13 (15e74795-0fd7-11ec-9f2e-dca632b19f10)

    Severity
    Critical4
    Qualys ID
    690043
    Date Published
    October 14, 2021
    Vendor Reference
    15e74795-0fd7-11ec-9f2e-dca632b19f10
    CVE Reference
    CVE-2021-20307
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description
    FreeBSD is an operating system used to power modern servers, desktops, and embedded platforms.

    FreeBSD has released a security update.
    Affected versions:

    Version range 0.0.0 to 2.9.20 for package libpano13

    QID Detection Logic: (Authenticated)
    It checks package versions to check for the vulnerable packages.

    Consequence
    Successful exploitation allows attacker to compromise the system.
    Solution
    Please refer to FreeBSD security advisory 15e74795-0fd7-11ec-9f2e-dca632b19f10 for updates and patch information
    Patches
    "FreeBSD" 15e74795-0fd7-11ec-9f2e-dca632b19f10
  • CVE-2021-33193+
    Recently Published

    Free Berkeley Software Distribution (FreeBSD) Security Update for apache httpd (882a38f9-17dd-11ec-b335-d4c9ef517024)

    Severity
    Critical4
    Qualys ID
    690025
    Date Published
    October 14, 2021
    Vendor Reference
    882a38f9-17dd-11ec-b335-d4c9ef517024
    CVE Reference
    CVE-2021-33193, CVE-2021-34798, CVE-2021-36160, CVE-2021-39275, CVE-2021-40438
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description
    FreeBSD is an operating system used to power modern servers, desktops, and embedded platforms.

    FreeBSD has released a security update.
    Affected versions:

    Version range 0.0.0 to 2.4.49 for package apache24

    QID Detection Logic: (Authenticated)
    It checks package versions to check for the vulnerable packages.

    Consequence
    Successful exploitation allows attacker to compromise the system.
    Solution
    Please refer to FreeBSD security advisory 882a38f9-17dd-11ec-b335-d4c9ef517024 for updates and patch information
    Patches
    "FreeBSD" 882a38f9-17dd-11ec-b335-d4c9ef517024
  • CVE-2021-26119+
    Recently Published

    Free Berkeley Software Distribution (FreeBSD) Security Update for bacula-web (f05dbd1f-2599-11ec-91be-001b217b3468)

    Severity
    Critical4
    Qualys ID
    690018
    Date Published
    October 14, 2021
    Vendor Reference
    f05dbd1f-2599-11ec-91be-001b217b3468
    CVE Reference
    CVE-2021-26119, CVE-2021-26120
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description
    FreeBSD is an operating system used to power modern servers, desktops, and embedded platforms.

    FreeBSD has released a security update.
    Affected versions:

    Version range 0.0.0 to 8.4.2 for package bacula-web

    QID Detection Logic: (Authenticated)
    It checks package versions to check for the vulnerable packages.

    Consequence
    Successful exploitation allows attacker to compromise the system.
    Solution
    Please refer to FreeBSD security advisory f05dbd1f-2599-11ec-91be-001b217b3468 for updates and patch information
    Patches
    "FreeBSD" f05dbd1f-2599-11ec-91be-001b217b3468
  • CVE-2020-2696
    Recently Published

    Free Berkeley Software Distribution (FreeBSD) Security Update for x11/cde (848bdd06-f93a-11eb-9f7d-206a8a720317)

    Severity
    Critical4
    Qualys ID
    690065
    Date Published
    October 14, 2021
    Vendor Reference
    848bdd06-f93a-11eb-9f7d-206a8a720317
    CVE Reference
    CVE-2020-2696
    CVSS Scores
    Base 8.8 / Temporal 7.7
    Description
    FreeBSD is an operating system used to power modern servers, desktops, and embedded platforms.

    FreeBSD has released a security update.
    Affected versions:

    Version range 0.0.0 to 2.4.0 for package cde

    QID Detection Logic: (Authenticated)
    It checks package versions to check for the vulnerable packages.

    Consequence
    Successful exploitation allows attacker to compromise the system.
    Solution
    Please refer to FreeBSD security advisory 848bdd06-f93a-11eb-9f7d-206a8a720317 for updates and patch information
    Patches
    "FreeBSD" 848bdd06-f93a-11eb-9f7d-206a8a720317
  • CVE-2021-41387
    Recently Published

    Free Berkeley Software Distribution (FreeBSD) Security Update for seatd-launch (49c35943-0eeb-421c-af4f-78e04582e5fb)

    Severity
    Critical4
    Qualys ID
    690036
    Date Published
    October 14, 2021
    Vendor Reference
    49c35943-0eeb-421c-af4f-78e04582e5fb
    CVE Reference
    CVE-2021-41387
    CVSS Scores
    Base 8.8 / Temporal 7.7
    Description
    FreeBSD is an operating system used to power modern servers, desktops, and embedded platforms.

    FreeBSD has released a security update.
    Affected versions:

    Version range 0.6.0 to 0.6.2 for package seatd

    QID Detection Logic: (Authenticated)
    It checks package versions to check for the vulnerable packages.

    Consequence
    Successful exploitation allows attacker to compromise the system.
    Solution
    Please refer to FreeBSD security advisory 49c35943-0eeb-421c-af4f-78e04582e5fb for updates and patch information
    Patches
    "FreeBSD" 49c35943-0eeb-421c-af4f-78e04582e5fb
  • CVE-2020-15012
    Recently Published

    Free Berkeley Software Distribution (FreeBSD) Security Update for nexus2-oss (b2f1f86f-20e6-11ec-a574-080027eedc6a)

    Severity
    Critical4
    Qualys ID
    690024
    Date Published
    October 14, 2021
    Vendor Reference
    b2f1f86f-20e6-11ec-a574-080027eedc6a
    CVE Reference
    CVE-2020-15012
    CVSS Scores
    Base 8.6 / Temporal 7.5
    Description
    FreeBSD is an operating system used to power modern servers, desktops, and embedded platforms.

    FreeBSD has released a security update.
    Affected versions:

    Version range 0.0.0 to 2.14.19 for package nexus2-oss

    QID Detection Logic: (Authenticated)
    It checks package versions to check for the vulnerable packages.

    Consequence
    Successful exploitation allows attacker to compromise the system.
    Solution
    Please refer to FreeBSD security advisory b2f1f86f-20e6-11ec-a574-080027eedc6a for updates and patch information
    Patches
    "FreeBSD" b2f1f86f-20e6-11ec-a574-080027eedc6a
  • CVE-2021-29630
    Recently Published

    Free Berkeley Software Distribution (FreeBSD) Security Update for FreeBSD (3e9d2fde-0567-11ec-b69d-4062311215d5)

    Severity
    Critical4
    Qualys ID
    690053
    Date Published
    October 14, 2021
    Vendor Reference
    3e9d2fde-0567-11ec-b69d-4062311215d5
    CVE Reference
    CVE-2021-29630
    CVSS Scores
    Base 8.1 / Temporal 7.1
    Description
    FreeBSD is an operating system used to power modern servers, desktops, and embedded platforms.

    FreeBSD has released a security update.
    Affected versions:

    Version range 13.0 to 13.0_4 for package FreeBSD
    Version range 12.2 to 12.2_10 for package FreeBSD
    Version range 11.4 to 11.4_13 for package FreeBSD

    QID Detection Logic: (Authenticated)
    It checks package versions to check for the vulnerable packages.

    Consequence
    Successful exploitation allows attacker to compromise the system.
    Solution
    Please refer to FreeBSD security advisory 3e9d2fde-0567-11ec-b69d-4062311215d5 for updates and patch information
    Patches
    "FreeBSD" 3e9d2fde-0567-11ec-b69d-4062311215d5
  • CVE-2021-29631
    Recently Published

    Free Berkeley Software Distribution (FreeBSD) Security Update for FreeBSD (a6d5d4c1-0564-11ec-b69d-4062311215d5)

    Severity
    Critical4
    Qualys ID
    690054
    Date Published
    October 14, 2021
    Vendor Reference
    a6d5d4c1-0564-11ec-b69d-4062311215d5
    CVE Reference
    CVE-2021-29631
    CVSS Scores
    Base 7.8 / Temporal 6.8
    Description
    FreeBSD is an operating system used to power modern servers, desktops, and embedded platforms.

    FreeBSD has released a security update.
    Affected versions:

    Version range 13.0 to 13.0_4 for package FreeBSD
    Version range 12.2 to 12.2_10 for package FreeBSD
    Version range 11.4 to 11.4_13 for package FreeBSD

    QID Detection Logic: (Authenticated)
    It checks package versions to check for the vulnerable packages.

    Consequence
    Successful exploitation allows attacker to compromise the system.
    Solution
    Please refer to FreeBSD security advisory a6d5d4c1-0564-11ec-b69d-4062311215d5 for updates and patch information
    Patches
    "FreeBSD" a6d5d4c1-0564-11ec-b69d-4062311215d5
  • CVE-2021-3487
    Recently Published

    Free Berkeley Software Distribution (FreeBSD) Security Update for binutils (f4c54b81-bcc8-11eb-a7a6-080027f515ea)

    Severity
    Critical4
    Qualys ID
    690062
    Date Published
    October 14, 2021
    Vendor Reference
    f4c54b81-bcc8-11eb-a7a6-080027f515ea
    CVE Reference
    CVE-2021-3487
    CVSS Scores
    Base 6.5 / Temporal 5.7
    Description
    FreeBSD is an operating system used to power modern servers, desktops, and embedded platforms.

    FreeBSD has released a security update.
    Affected versions:

    Version range 0.0.0 to 2.33.1_5 for package binutils

    QID Detection Logic: (Authenticated)
    It checks package versions to check for the vulnerable packages.

    Consequence
    Successful exploitation allows attacker to compromise the system.
    Solution
    Please refer to FreeBSD security advisory f4c54b81-bcc8-11eb-a7a6-080027f515ea for updates and patch information
    Patches
    "FreeBSD" f4c54b81-bcc8-11eb-a7a6-080027f515ea
  • CVE-2021-22714
    Recently Published

    Schneider Electric PowerLogic Buffer Overflow Vulnerability (SEVD-2021-068-02)

    Severity
    Critical4
    Qualys ID
    590539
    Date Published
    October 14, 2021
    Vendor Reference
    SEVD-2021-068-02
    CVE Reference
    CVE-2021-22714
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description

    The PowerLogic metering products are revenue and power quality meters for utility and industrial electrical network monitoring.
    AFFECTED PRODUCTS
    Schneider Electric is aware of a vulnerability in its PowerLogic ION7400, PM8000 and ION9000 products:All versions prior to V3.0.0

    QID Detection Logic (Authenticated):
    QID checks for the Vulnerable version of using passive scanning

    Consequence
    Successful exploitation of this vulnerability could cause the meter to reboot or allow for remote code execution..
    Solution

    Customers are advised to refer to CERT MITIGATIONS section SEVD-2021-068-02 for affected packages and patching details.

    Patches
    SEVD-2021-068-02
  • CVE-2017-7689+
    Recently Published

    Schneider Electric homeLYnk Controller (Update A) Multiple Vulnerabilities (ICSA-17-019-01A)

    Severity
    Urgent5
    Qualys ID
    590518
    Date Published
    October 14, 2021
    Vendor Reference
    ICSA-17-019-01A
    CVE Reference
    CVE-2017-7689, CVE-2017-5157
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description

    AFFECTED PRODUCTS
    Schneider Electric reports that the vulnerability affects the following products:
    homeLYnk Controller, LSS100100, all versions prior to V1.5.0

    QID Detection Logic (Authenticated):
    QID checks for the Vulnerable version of using passive scanning

    Consequence
    An attacker may be able to exploit this vulnerability to cause execution of java script code.
    Solution

    Customers are advised to refer to CERT MITIGATIONS section ICSA-17-019-01A for affected packages and patching details.

    Patches
    ICSA-17-019-01A
  • CVE-2011-4859
    Recently Published

    Schneider Electric Quantum Ethernet Module Hard-Coded Credentials (Update B) Vulnerability (ICSA-12-018-01B)

    Severity
    Urgent5
    Qualys ID
    590517
    Date Published
    October 14, 2021
    Vendor Reference
    ICSA-12-018-01B
    CVE Reference
    CVE-2011-4859
    CVSS Scores
    Base / Temporal
    Description

    AFFECTED PRODUCTS
    The following products and versions are affected:
    Quantum
    140NOE77101 Firmware V4.9 and all previous versions,
    140NOE77111 Firmware V5.0 and all previous versions,
    140NOE77100 Firmware V3.4 and all previous versions,
    140NOE77110 Firmware V3.3 and all previous versions,
    140CPU65150 Firmware V3.5 and all previous versions,
    140CPU65160 Firmware V3.5 and all previous versions,
    140CPU65260 Firmware V3.5 and all previous versions,
    140NOC77100 Firmware V1.01 and all previous versions, and
    140NOC77101 Firmware V1.01 and all previous versions.
    Any available conformal-coated versions of the above part numbers.
    Premium
    TSXETY4103 Firmware V5.0 and all previous versions,
    TSXETY5103 Firmware V5.0 and all previous versions,
    TSXP571634M Firmware V4.9 and all previous versions,
    TSXP572634M Firmware V4.9 and all previous versions,
    TSXP573634M Firmware V4.9 and all previous versions,
    TSXP574634M Firmware V3.5 and all previous versions,
    TSXP575634M Firmware V3.5 and all previous versions,
    TSXP576634M Firmware V3.5 and all previous versions, and
    TSXETC101 Firmware V1.01 and all previous versions.
    Any available conformal-coated versions of the above part numbers.
    M340
    BMXNOE0100 Firmware V2.3 and all previous versions,
    BMXNOE0110 Firmware V4.65 and all previous versions, and
    BMXNOC0401 Firmware V1.01 and all previous versions.
    The following products are affected by the FTP Service vulnerabilities only (not affected by Telnet or Windriver Debug vulnerabilities)
    :
    STBNIC2212 Firmware V2.10 and all previous versions,
    STBNIP2311 Firmware V3.01 and all previous versions,
    STBNIP2212 Firmware V2.73 and all previous versions,
    BMXP342020 Firmware V2.2 and all previous versions, and
    BMXP342030 Firmware V2.2 and all previous versions.

    QID Detection Logic (Authenticated):
    QID checks for the Vulnerable version of using passive scanning

    Consequence
    Successful exploitation of these vulnerabilities may allow an attacker to gain elevated privileges, to load a modified firmware, or to perform other malicious activities on the system.
    Solution

    Customers are advised to refer to CERT MITIGATIONS section ICSA-12-018-01B for affected packages and patching details.

    Patches
    ICSA-12-018-01B
  • CVE-2014-5414+
    Recently Published

    Beckhoff Embedded PC Images and TwinCAT Components Multiple Vulnerabilities (ICSA-16-278-02)

    Severity
    Urgent5
    Qualys ID
    590502
    Date Published
    October 14, 2021
    Vendor Reference
    ICSA-16-278-02
    CVE Reference
    CVE-2014-5414, CVE-2014-5415
    CVSS Scores
    Base 9.1 / Temporal 7.9
    Description

    AFFECTED PRODUCTS
    Beckhoff reports that the vulnerabilities may affect the following products:
    All Beckhoff Embedded PC Images with a creation date prior to October 22, 2014, and
    All TwinCAT Components featuring Automation Device Specification (ADS) communication.

    QID Detection Logic (Authenticated):
    QID checks for the Vulnerable version of using passive scanning

    Consequence
    If used without proper protection, an attacker may misuse those services to gain unauthorized access to systems or read and manipulate transmitted information, especially passwords. Attackers may use ADS protocol to rapidly probe a large number of user or password combinations.
    Solution

    Customers are advised to refer to CERT MITIGATIONS section ICSA-16-278-02 for affected packages and patching details.

    Patches
    ICSA-16-278-02
  • CVE-2015-7937
    Recently Published

    Schneider Electric Modicon M340 Buffer Overflow Vulnerability Vulnerability (ICSA-15-351-01)

    Severity
    Urgent5
    Qualys ID
    590492
    Date Published
    October 14, 2021
    Vendor Reference
    ICSA-15-351-01
    CVE Reference
    CVE-2015-7937
    CVSS Scores
    Base / Temporal
    Description

    AFFECTED PRODUCTS
    Schneider Electric reports that the vulnerability affects the following Modicon M340 PLC products:
    BMXNOC0401,
    BMXNOE0100,
    BMXNOE0100H,
    BMXNOE0110,
    BMXNOE0110H,
    BMXNOR0200,
    BMXNOR0200H,
    BMXP342020,
    BMXP342020H,
    BMXP342030,
    BMXP3420302,
    BMXP3420302H, and
    BMXPRA0100.

    QID Detection Logic (Authenticated):
    QID checks for the Vulnerable version of using passive scanning

    Consequence
    Successful exploitation of this vulnerability could cause the device that the attacker is accessing to crash; a buffer overflow condition may allow remote code execution.
    Solution

    Customers are advised to refer to CERT MITIGATIONS section ICSA-15-351-01 for affected packages and patching details.

    Patches
    ICSA-15-351-01
  • CVE-2014-9197+
    Recently Published

    Schneider Electric ETG3000 FactoryCast HMI Gateway Multiple Vulnerabilities (ICSA-15-020-02)

    Severity
    Urgent5
    Qualys ID
    590491
    Date Published
    October 14, 2021
    Vendor Reference
    ICSA-15-020-02
    CVE Reference
    CVE-2014-9197, CVE-2014-9198
    CVSS Scores
    Base / Temporal
    Description

    AFFECTED PRODUCTS
    The following ETG3000 FactoryCast HMI Gateways are affected:
    TSXETG3000 all versions,
    TSXETG3010 all versions,
    TSXETG3021 all versions, and
    TSXETG3022 all versions.

    QID Detection Logic (Authenticated):
    QID checks for the Vulnerable version of using passive scanning

    Consequence
    The vulnerabilities allow unauthorized remote access to the gateways files and FTP account.
    Solution

    Customers are advised to refer to CERT MITIGATIONS section ICSA-15-020-02 for affected packages and patching details.

    Patches
    ICSA-15-020-02
  • CVE-2019-5075+
    Recently Published

    WAGO I/O-CHECK Multiple Vulnerabilities (ICSA-20-065-01)

    Severity
    Urgent5
    Qualys ID
    590455
    Date Published
    October 14, 2021
    Vendor Reference
    ICSA-20-065-01
    CVE Reference
    CVE-2019-5075, CVE-2019-5074, CVE-2019-5082, CVE-2019-5073, CVE-2019-5078, CVE-2019-5077, CVE-2019-5080, CVE-2019-5081, CVE-2019-5079
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description

    AFFECTED PRODUCTS
    The following versions of I/O-CHECK software are affected by the listed vulnerabilities:
    Series PFC100 (750-81xx/xxx-xxx)
    Series PFC200 (750-82xx/xxx-xxx)
    750-852, 750-831/xxx-xxx, 750-881, 750-880/xxx-xxx, 750-889
    750-823, 750-832/xxx-xxx, 750-862, 750-890/xxx-xxx, 750-891

    QID Detection Logic (Authenticated):
    QID checks for the Vulnerable version of using passive scanning

    Consequence
    Successful exploitation of these vulnerabilities could allow an attacker to change settings, delete the application, run remote code, cause a system crash, cause a denial-of-service condition, revert to factory settings, and overwrite MAC addresses.
    Solution

    Customers are advised to refer to CERT MITIGATIONS section ICSA-20-065-01 for affected packages and patching details.

    Patches
    ICSA-20-065-01
  • CVE-2021-40719+
    Recently Published

    Adobe Connect Multiple Vulnerabilities (APSB21-91)

    Severity
    Critical4
    Qualys ID
    730231
    Date Published
    October 13, 2021
    Vendor Reference
    APSB21-91
    CVE Reference
    CVE-2021-40719, CVE-2021-40721
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description
    Adobe Connect is software used to create information and general presentations, online training materials, web conferencing, learning modules, and user desktop sharing.

    CVE-2021-40719: Deserialization of Untrusted Data
    CVE-2021-40721: Cross-site Scripting (Reflected XSS)

    Affected Versions:
    Adobe Connect 11.2.2 and earlier versions

    QID Detection Logic (Unauthenticated):
    his QID reads the version.txt file in an unauthenticated request to see if it's vulnerable.

    Consequence
    Successful exploitation of these vulnerability may allow an attacker to execute arbitrary code on the target system.
    Solution
    Customers are advised to follow the patch procedure provided by Adobe. Furthermore information can be obtained from Adobe Connect 11.2.3
    Patches
    APSB21-91
  • CVE-2021-26427+
    Recently Published

    Microsoft Exchange Server Multiple Vulnerabilities October 2021

    Severity
    Critical4
    Qualys ID
    50115
    Date Published
    October 13, 2021
    Vendor Reference
    KB5007011, KB5007012
    CVE Reference
    CVE-2021-26427, CVE-2021-34453, CVE-2021-41348, CVE-2021-41350
    CVSS Scores
    Base 9.6 / Temporal 8.3
    Description
    Microsoft Exchange Server is prone to multiple vulnerabilities:

    Microsoft Exchange Server Elevation of Privilege Vulnerability
    Microsoft Exchange Server Information Disclosure Vulnerability
    Microsoft Exchange Server Remote Code Execution Vulnerability

    KB Articles associated with this update are: KB5004780,KB5004779,KB5004778

    Affected Versions:
    Microsoft Exchange Server 2019 Cumulative Update 10
    Microsoft Exchange Server 2019 Cumulative Update 11
    Microsoft Exchange Server 2016 Cumulative Update 21
    Microsoft Exchange Server 2016 Cumulative Update 22
    Microsoft Exchange Server 2013 Cumulative Update 23

    QID Detection Logic (authenticated):
    The QID checks for the version of file Exsetup.exe.

    Consequence
    Successful exploitation allows attackers to execute remote code.
    Solution
    Customers are advised to refer to KB5007012, KB5007011 for information pertaining to this vulnerability.
    Patches
    KB5007011, KB5007012
  • CVE-2021-40461+
    Recently Published

    Microsoft Windows Hyper-V Remote Code Execution (RCE) Vulnerability October 2021

    Severity
    Critical4
    Qualys ID
    91827
    Date Published
    October 13, 2021
    Vendor Reference
    KB5006674, KB5006699
    CVE Reference
    CVE-2021-40461, CVE-2021-38672
    CVSS Scores
    Base 9 / Temporal 7.8
    Description
    Microsoft releases the security update for Windows October 2021

    The KB Articles associated with the update:
    KB5006674
    KB5006699

    This QID checks for the file version of ntoskrnl.exe

    The following versions of ntoskrnl.exe with their corresponding KBs are verified:
    KB5006674-10.0.22000.258
    KB5006699-10.0.20348.288

    Consequence
    Successful exploit could compromise Confidentiality, Integrity and Availability

    Solution
    Please refer to theKB5006674
    KB5006699
    Workaround:
    10.0.22000.258
    Patches
    KB5006674, KB5006699
  • CVE-2021-41346+
    Recently Published

    Microsoft Windows Security Update for October 2021

    Severity
    Critical4
    Qualys ID
    91824
    Date Published
    October 13, 2021
    Vendor Reference
    KB5006667, KB5006669, KB5006670, KB5006671, KB5006672, KB5006674, KB5006675, KB5006699, KB5006714, KB5006715, KB5006728, KB5006729, KB5006732, KB5006736, KB5006739, KB5006743
    CVE Reference
    CVE-2021-41346, CVE-2021-41345, CVE-2021-41361, CVE-2021-36953, CVE-2021-40455, CVE-2021-41347, CVE-2021-36970, CVE-2021-41343, CVE-2021-41342, CVE-2021-41357, CVE-2021-41340, CVE-2021-41339, CVE-2021-41338, CVE-2021-41337, CVE-2021-41335, CVE-2021-41334, CVE-2021-41332, CVE-2021-41331, CVE-2021-41330, CVE-2021-26442, CVE-2021-26441, CVE-2021-40489, CVE-2021-40488, CVE-2021-40478, CVE-2021-40477, CVE-2021-40476, CVE-2021-40475, CVE-2021-40470, CVE-2021-40467, CVE-2021-40466, CVE-2021-40465, CVE-2021-40468, CVE-2021-40463, CVE-2021-40464, CVE-2021-40462, CVE-2021-40460, CVE-2021-40461, CVE-2021-40456, CVE-2021-40449, CVE-2021-40450, CVE-2021-40454, CVE-2021-40443, CVE-2021-38663, CVE-2021-38662
    CVSS Scores
    Base 9 / Temporal 7.8
    Description
    Microsoft releases the security update for Windows October 2021

    The KB Articles associated with the update:
    KB5006670
    KB5006675
    KB5006674
    KB5006669
    KB5006699
    KB5006743
    KB5006728
    KB5006714
    KB5006729
    KB5006739
    KB5006732
    KB5006736
    KB5006715
    KB5006667
    KB5006672

    This QID checks for the file version of ntoskrnl.exe

    The following versions of ntoskrnl.exe and Win32k.sys with their corresponding KBs are verified:
    KB5006670-10.0.19041.1288
    KB5006675-10.0.10240.19086
    KB5006674-10.0.22000.258
    KB5006669-10.0.14393.4704
    KB5006699-10.0.20348.288
    KB5006743-6.1.7601.25740
    KB5006728-6.1.7601.25740
    KB5006714-6.3.9600.20144
    KB5006729-6.3.9600.20143
    KB5006739-6.2.9200.23489
    KB5006732-6.2.9200.23489
    KB5006736-6.0.6003.21251
    KB5006715-6.0.6003.21251
    KB5006667-10.0.18362.1854
    KB5006672-10.0.17763.2237

    Consequence
    Successful exploit could compromise Confidentiality, Integrity and Availability

    Solution
    Please refer to the KB5006670
    KB5006675
    KB5006674
    KB5006669
    KB5006699
    KB5006743
    KB5006728
    KB5006714
    KB5006729
    KB5006739
    KB5006732
    KB5006736
    KB5006715
    KB5006667
    KB5006672
    Patches
    KB5006667, KB5006669, KB5006670, KB5006672, KB5006674, KB5006675, KB5006699, KB5006714, KB5006715, KB5006728, KB5006729, KB5006732, KB5006736, KB5006739, KB5006743
  • CVE-2021-41344+
    Recently Published

    Microsoft SharePoint Enterprise Server Multiple Vulnerabilities October 2021

    Severity
    Critical4
    Qualys ID
    110392
    Date Published
    October 13, 2021
    Vendor Reference
    KB4493202, KB5001924, KB5002006, KB5002028, KB5002029, KB5002042
    CVE Reference
    CVE-2021-41344, CVE-2021-40484, CVE-2021-40487, CVE-2021-40486, CVE-2021-40483, CVE-2021-40482, CVE-2021-40485
    CVSS Scores
    Base 8.8 / Temporal 7.7
    Description
    Microsoft has released October security updates to fix multiple security vulnerabilities.

    This security update contains the following KBs:

    KB5002028
    KB5002042
    KB5002029
    KB5002006
    KB4493202
    KB5001924

    QID Detection Logic:
    This authenticated QID checks the file versions from the above Microsoft KB article with the versions on the affected SharePoint system.

    Consequence
    Successful exploitation allows remote code execution.

    Solution
    Refer to Microsoft Security Guidance for more details pertaining to this vulnerability.

    KB5002028
    KB5002042
    KB5002029
    KB5002006
    KB4493202
    KB5001924

    Patches
    Microsoft Office and Microsoft Office Services and Web Apps Security Update October 2021
  • CVE-2021-40486+
    Recently Published

    Microsoft Office and Microsoft Office Services and Web Apps Security Update October 2021

    Severity
    Critical4
    Qualys ID
    110393
    Date Published
    October 13, 2021
    Vendor Reference
    KB4018332, KB4461476, KB5001960, KB5001982, KB5001985, KB5002004, KB5002027, KB5002030, KB5002036, KB5002043
    CVE Reference
    CVE-2021-40486, CVE-2021-40474, CVE-2021-40472, CVE-2021-40485, CVE-2021-40454, CVE-2021-40479, CVE-2021-40471, CVE-2021-40481, CVE-2021-40480, CVE-2021-40473
    CVSS Scores
    Base 7.8 / Temporal 6.8
    Description
    Microsoft has released September 2021 security updates to fix multiple security vulnerabilities.

    This security update contains the following:

    MacOS Release Notes
    Office Click-2-Run and Office 365 Release Notes
    KB5002004
    KB5001960
    KB5002036
    KB5002027
    KB5001982
    KB4461476
    KB5001985
    KB4018332
    KB5002030
    KB5002043

    QID Detection Logic:
    This authenticated QID checks the file versions from the Microsoft advisory with the versions on the affected office system.

    Note: Office click-2-run and Office 365 installations need to be updated manually or need to be set to automatic update. There is no direct download for the patch.

    Consequence
    Successful exploitation allows an attacker to execute code remotely.

    Solution
    Refer to Microsoft Security Guidance for more details pertaining to this vulnerability.

    MacOS Release Notes
    Office Click-2-Run and Office 365 Release Notes
    KB5002004
    KB5001960
    KB5002036
    KB5002027
    KB5001982
    KB4461476
    KB5001985
    KB4018332
    KB5002030
    KB5002043

    Patches
    Microsoft Office and Microsoft Office Services and Web Apps Security Update October 2021
  • CVE-2019-7482
    Recently Published

    SonicWall Secure Mobile Access 100 series Pre-Authentication Stack Buffer Overflow Vulnerability (SNWLID-2019-0017)

    Severity
    Critical4
    Qualys ID
    730222
    Date Published
    October 13, 2021
    Vendor Reference
    SNWLID-2019-0017
    CVE Reference
    CVE-2019-7482
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description

    SonicWall Secure Mobile Access (SMA) is a unified secure access gateway.

    Stack-based buffer overflow in SonicWall SMA100 allows an unauthenticated user to execute arbitrary code in function libSys.so.

    Affected version:
    SonicWall SMA100 9.0.0.3 and earlier.

    QID Detection Logic (Unauthenticated):
    This QID detects the vulnerable firmware version from Web interface.

    Consequence

    Successful exploitation of the vulnerability may allow complete system compromise

    Solution
    Customers are advised to update to SonicWall SMA100 9.0.0.4 or later. For more details, please refer to SNWLID-2019-0017
    Patches
    SNWLID-2019-0017
  • CVE-2021-29921
    Recently Published

    Ubuntu Security Notification for Python Vulnerability (USN-4973-2)

    Severity
    Critical4
    Qualys ID
    198529
    Date Published
    October 13, 2021
    Vendor Reference
    USN-4973-2
    CVE Reference
    CVE-2021-29921
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description
    Usn-4973-1 fixed this vulnerability previously, but it was re-introduced in python3the python stdlib ipaddress api incorrectly handled octal strings.

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    8 in focal because of the sru in lp: #1928057.
    This update fixes the problem.
    A remote attacker could possibly use this issue to perform a wide variety of attacks, including bypassing certain access restrictions..
    Solution
    Refer to Ubuntu advisory: USN-4973-2 for affected packages and patching details, or update with your package manager.
    Patches
    Ubuntu Linux USN-4973-2
  • CVE-2021-1886+
    Recently Published

    Google Android October 2021 Security Patch Missing for LGE

    Severity
    Urgent5
    Qualys ID
    610376
    Date Published
    October 12, 2021
    Vendor Reference
    SMR-October-2021
    CVE Reference
    CVE-2021-1886, CVE-2021-1888, CVE-2021-1889, CVE-2021-1890, CVE-2021-1933, CVE-2021-1946, CVE-2021-0695, CVE-2021-0680, CVE-2021-0681, CVE-2021-1941, CVE-2021-1948, CVE-2021-1974, CVE-2021-30290, CVE-2021-30294, CVE-2021-1909, CVE-2021-1923, CVE-2021-1934, CVE-2021-1935, CVE-2021-1952, CVE-2021-1971, CVE-2021-30295, CVE-2020-26558, CVE-2021-0703, CVE-2021-0652, CVE-2021-0705, CVE-2021-0708, CVE-2020-15358, CVE-2021-0702, CVE-2021-0651, CVE-2021-0483, CVE-2021-0643, CVE-2021-0706
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description
    Android is a mobile operating system based on a modified version of the Linux kernel and other open source software, designed primarily for touchscreen mobile devices such as smartphones and tablets.

    Following security issues were discovered:
    CVE-2021-1886, CVE-2021-1888, CVE-2021-1889, CVE-2021-1890, CVE-2021-1933, CVE-2021-1946,CVE-2021-0695, CVE-2021-0680, CVE-2021-0681, CVE-2021-1941, CVE-2021-1948, CVE-2021-1974, CVE-2021-30290, CVE-2021-30294, CVE-2021-1909, CVE-2021-1923, CVE-2021-1934, CVE-2021-1935, CVE-2021-1952, CVE-2021-1971, CVE-2021-30295, CVE-2020-26558, CVE-2021-0703, CVE-2021-0652, CVE-2021-0705, CVE-2021-0708, CVE-2020-15358, CVE-2021-0702, CVE-2021-0651, CVE-2021-0483, CVE-2021-0643, CVE-2021-0706

    Affected Products :
    G series (G5, G6, G7, G8), V series(V10, V20, V30, V35, V40, V50) , Q Series(Q6, Q8) , X Series(X300, X400, X500, X cam), CV Series(CV1, CV3, CV5, CV7, CV1S, CV7AS), MH(K40, K50, Q60, Q70)

    Consequence
    On successful exploitation, it could allow an attacker to execute code.
    Solution
    Refer to LGE Security advisory SMR-October-2021 to address this issue and obtain more information.
    Patches
    Android SMR-October-2021
  • CVE-2021-1886+
    Recently Published

    Google Android October 2021 Security Patch Missing for Samsung

    Severity
    Urgent5
    Qualys ID
    610375
    Date Published
    October 12, 2021
    Vendor Reference
    SMR-October-2021
    CVE Reference
    CVE-2021-1886, CVE-2021-1889, CVE-2021-1888, CVE-2021-1890, CVE-2021-1933, CVE-2021-1946, CVE-2021-1923, CVE-2021-1909, CVE-2021-1935, CVE-2021-1952, CVE-2021-1934, CVE-2021-30290, CVE-2021-30294, CVE-2021-30295, CVE-2021-0695, CVE-2021-1948, CVE-2021-1941, CVE-2021-1974, CVE-2021-1971, CVE-2020-26558, CVE-2021-0703, CVE-2021-0652, CVE-2021-0705, CVE-2021-0708, CVE-2020-15358, CVE-2021-0702, CVE-2021-0651, CVE-2021-0483, CVE-2021-0643, CVE-2021-0706, CVE-2021-0534, CVE-2021-0568, CVE-2021-0554, CVE-2021-0563, CVE-2021-0535, CVE-2021-0543, CVE-2021-0544, CVE-2021-0545, CVE-2021-0546, CVE-2021-0541, CVE-2021-0542, CVE-2021-0551
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description
    Android is a mobile operating system based on a modified version of the Linux kernel and other open source software, designed primarily for touchscreen mobile devices such as smartphones and tablets.

    Following security issues were discovered:
    CVE-2021-1886, CVE-2021-1889, CVE-2021-1888, CVE-2021-1890, CVE-2021-1933, CVE-2021-1946,CVE-2021-1923, CVE-2021-1909, CVE-2021-1935, CVE-2021-1952, CVE-2021-1934, CVE-2021-30290, CVE-2021-30294, CVE-2021-30295, CVE-2021-0695, CVE-2021-1948, CVE-2021-1941, CVE-2021-1974, CVE-2021-1971, CVE-2020-26558, CVE-2021-0703, CVE-2021-0652, CVE-2021-0705, CVE-2021-0708, CVE-2020-15358, CVE-2021-0702, CVE-2021-0651, CVE-2021-0483, CVE-2021-0643, CVE-2021-0706,CVE-2021-0534, CVE-2021-0568, CVE-2021-0554, CVE-2021-0563, CVE-2021-0535, CVE-2021-0543, CVE-2021-0544, CVE-2021-0545, CVE-2021-0546, CVE-2021-0541, CVE-2021-0542, CVE-2021-0551

    Affected Products :
    G series (G5, G6, G7, G8), V series(V10, V20, V30, V35, V40, V50) , Q Series(Q6, Q8) , X Series(X300, X400, X500, X cam), CV Series(CV1, CV3, CV5, CV7, CV1S, CV7AS), MH(K40, K50, Q60, Q70)

    Consequence
    On successful exploitation, it could allow an attacker to execute code.
    Solution
    Refer to Samsung Security advisory SMR-October-2021 to address this issue and obtain more information.
    Patches
    Android SMR-October-2021
  • CVE-2021-0687+
    Recently Published

    Google Android October 2021 Security Patch Missing for Huawei EMUI

    Severity
    Urgent5
    Qualys ID
    610374
    Date Published
    October 12, 2021
    Vendor Reference
    October 2021
    CVE Reference
    CVE-2021-0687, CVE-2021-0644, CVE-2021-0682, CVE-2021-0683, CVE-2021-0684, CVE-2021-0686, CVE-2021-0598, CVE-2021-0688, CVE-2021-0689, CVE-2021-0690, CVE-2021-0595, CVE-2020-26558, CVE-2021-0695, CVE-2021-0680, CVE-2021-0681, CVE-2019-10581, CVE-2021-0518, CVE-2021-30290, CVE-2021-30294, CVE-2021-1941, CVE-2021-1948, CVE-2021-1974, CVE-2021-0869, CVE-2021-30290, CVE-2021-30294, CVE-2021-0685, CVE-2021-0693, CVE-2021-0869, CVE-2021-1957, CVE-2021-1961
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description
    Android is a mobile operating system based on a modified version of the Linux kernel and other open source software, designed primarily for touchscreen mobile devices such as smartphones and tablets.

    Following security issues were discovered:
    CVE-2021-0687,CVE-2021-0644, CVE-2021-0682, CVE-2021-0683, CVE-2021-0684, CVE-2021-0686, CVE-2021-0598, CVE-2021-0688, CVE-2021-0689, CVE-2021-0690, CVE-2021-0595, CVE-2020-26558, CVE-2021-0695, CVE-2021-0680, CVE-2021-0681, CVE-2019-10581, CVE-2021-0518, CVE-2021-30290, CVE-2021-30294, CVE-2021-1941, CVE-2021-1948, CVE-2021-1974, CVE-2021-0869, CVE-2021-30290, CVE-2021-30294, CVE-2021-0685, CVE-2021-0693, CVE-2021-0869,CVE-2021-1957, CVE-2021-1961

    Affected Devices :
    HUAWEI P series: P30 Pro, P30, P20 Pro, P20
    HUAWEI Mate series: Mate 20 X, Mate 20 Pro, Mate 20, Mate 20 RS, Mate 10 Pro, Mate 10, PORSCHE DESIGN HUAWEI Mate RS

    Consequence
    On successful exploitation, it could allow an attacker to execute code.
    Solution
    Refer to HUAWEI Security advisory October 2021 to address this issue and obtain more information.
    Patches
    Android October 2021
  • CVE-2021-0941+
    Recently Published

    Google Pixel Android October 2021 Security Patch Missing

    Severity
    Urgent5
    Qualys ID
    610372
    Date Published
    October 12, 2021
    Vendor Reference
    Pixel Update Bulletin October2021
    CVE Reference
    CVE-2021-0941, CVE-2021-0935, CVE-2021-0936, CVE-2021-0937, CVE-2021-20292, CVE-2021-31916, CVE-2021-0940, CVE-2021-3489, CVE-2021-1966, CVE-2021-1967, CVE-2021-0938, CVE-2021-3490, CVE-2021-0939, CVE-2021-1969, CVE-2020-25285, CVE-2021-29155, CVE-2019-25045, CVE-2021-1968, CVE-2021-29646, CVE-2021-38166
    CVSS Scores
    Base 7.8 / Temporal 6.8
    Description
    Android is a mobile operating system based on a modified version of the Linux kernel and other open source software, designed primarily for touchscreen mobile devices such as smartphones and tablets.

    Following security issues were discovered:
    CVE-2021-0941,CVE-2021-0935,CVE-2021-0936,CVE-2021-0937,CVE-2021-20292,CVE-2021-31916,CVE-2021-0940,CVE-2021-3489,CVE-2021-1966,CVE-2021-1967,CVE-2021-0938,CVE-2021-3490,CVE-2021-0939,CVE-2021-1969,CVE-2020-25285,CVE-2021-29155,CVE-2019-25045,CVE-2021-1968,CVE-2021-29646,CVE-2021-38166

    Affected Products :
    Pixel 4 XL, Pixel 4, Pixel 3a XL, Pixel 3a, Pixel 3 XL, Pixel 3, Pixel 2 XL, Pixel 2

    Consequence
    On successful exploitation, it could allow an attacker to execute code.
    Solution
    Refer to Google Pixel advisory Google Pixel Android October2021 to address this issue and obtain more information.
    Patches
    Android October 2021
  • CVE-2021-30883
    Recently Published

    Apple iOS 15.0.2 and iPadOS 15.0.2 Security Update Missing

    Severity
    Urgent5
    Qualys ID
    610371
    Date Published
    October 12, 2021
    Vendor Reference
    HT212846
    CVE Reference
    CVE-2021-30883
    CVSS Scores
    Base / Temporal
    Description
    iOS is a mobile operating system created and developed by Apple Inc.

    Following security issues are observed :
    A memory corruption issue was addressed with improved memory handling. CVE-2021-30883

    Affected Devices
    iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

    Consequence
    On successful exploitation, it could allow an attacker to execute code.
    Solution
    Refer to Apple advisory HT212846 for patching details.
    Patches
    iOS HT212846
  • CVE-2020-15358+
    Recently Published

    Google Android Devices October 2021 Security Patch Missing

    Severity
    Critical4
    Qualys ID
    610373
    Date Published
    October 12, 2021
    Vendor Reference
    Android Security Bulletin October2021
    CVE Reference
    CVE-2020-15358, CVE-2021-1936, CVE-2021-30292, CVE-2021-30291, CVE-2021-0651, CVE-2021-0652, CVE-2021-1949, CVE-2021-1983, CVE-2021-1980, CVE-2020-24587, CVE-2021-1984, CVE-2021-1985, CVE-2020-11301, CVE-2021-30288, CVE-2020-11303, CVE-2020-24588, CVE-2020-11264, CVE-2020-26145, CVE-2021-30256, CVE-2020-26147, CVE-2020-26146, CVE-2020-26141, CVE-2020-26140, CVE-2020-10768, CVE-2021-29647, CVE-2021-30258, CVE-2021-0870, CVE-2021-0483, CVE-2021-1932, CVE-2020-29660, CVE-2021-1913, CVE-2021-30257, CVE-2021-1917, CVE-2021-27666, CVE-2021-0702, CVE-2021-1977, CVE-2021-0643, CVE-2021-0705, CVE-2021-30312, CVE-2021-0708, CVE-2021-1959, CVE-2021-30305, CVE-2021-0703, CVE-2021-30306, CVE-2021-30310, CVE-2021-30302, CVE-2020-26139, CVE-2021-30297, CVE-2021-0706
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description
    Android is a mobile operating system based on a modified version of the Linux kernel and other open source software, designed primarily for touchscreen mobile devices such as smartphones and tablets.

    Following security issues were discovered:
    CVE-2020-15358,CVE-2021-1936,CVE-2021-30292,CVE-2021-30291,CVE-2021-0651,CVE-2021-0652,CVE-2021-1949,CVE-2021-1983,CVE-2021-1980,CVE-2020-24587,CVE-2021-1984,CVE-2021-1985,CVE-2020-11301,CVE-2021-30288,CVE-2020-11303,CVE-2020-24588,CVE-2020-11264,CVE-2020-26145,CVE-2021-30256,CVE-2020-26147,CVE-2020-26146,CVE-2020-26141,CVE-2020-26140,CVE-2020-10768,CVE-2021-29647,CVE-2021-30258,CVE-2021-0870,CVE-2021-0483,CVE-2021-1932,CVE-2020-29660,CVE-2021-1913,CVE-2021-30257,CVE-2021-1917,CVE-2021-27666,CVE-2021-0702,CVE-2021-1977,CVE-2021-0643,CVE-2021-0705,CVE-2021-30312,CVE-2021-0708,CVE-2021-1959,CVE-2021-30305,CVE-2021-0703,CVE-2021-30306,CVE-2021-30310,CVE-2021-30302,CVE-2020-26139,CVE-2021-30297,CVE-2021-0706

    Consequence
    On successful exploitation, it could allow an attacker to execute code.
    Solution
    Refer to Google advisory Google Android October2021 to address this issue and obtain more information.
    Patches
    Android October 2021
  • CVE-2021-42013
    Recently Published

    Apache Hypertext Transfer Protocol (HTTP) Server Path Traversal Vulnerability

    Severity
    Urgent5
    Qualys ID
    87466
    Date Published
    October 11, 2021
    Vendor Reference
    Apache HTTP Server
    CVE Reference
    CVE-2021-42013
    CVSS Scores
    Base 9.8 / Temporal 8.8
    Description

    Apache HTTP Server is an HTTP web server application.

    The fix for Path Traversal Vulnerability (CVE-2021-41773) in Apache HTTP Server 2.4.50 was insufficient and could be bypassed.

    Affected Versions:
    Apache Server version 2.4.49
    Apache Server version 2.4.50

    QID Detections Logic:
    The QID sends a crafted GET request to see if the contents of /etc/passwd are revealed in the response.

    Consequence

    A remote unauthenticated user could exploit this vulnerability to map URLs to files outside the directories configured by Alias-like directives. If files outside of these directories are not protected by the usual default configuration "require all denied", these requests can succeed. If CGI scripts are also enabled for these aliased paths, this could allow for remote code execution.

    Solution

    Customers are advised to upgrade to Apache HTTP Server 2.4.51. For more information refer to Apache HTTP Server

    Patches
    Apache HTTP Server
  • CVE-2021-22930
    Recently Published

    OpenSUSE Security Update for nodejs8 (openSUSE-SU-2021:3294-1)

    Severity
    Critical4
    Qualys ID
    751204
    Date Published
    October 11, 2021
    Vendor Reference
    openSUSE-SU-2021:3294-1
    CVE Reference
    CVE-2021-22930
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description
    OpenSUSE has released a security update for nodejs8 to fix the vulnerabilities.

    Affected Products:
    openSUSE Leap 15.3


    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    Malicious users could use this vulnerability to change partial contents or configuration on the system. Additionally this vulnerability can also be used to cause a limited denial of service in the form of interruptions in resource availability.
    Solution
    Upgrade to the latest packages which contain a patch. To install this OpenSUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product.

    To install packages using the command line interface, use the command "yum update".

    Refer to SUSE security advisory openSUSE-SU-2021:3294-1 to address this issue and obtain further details.

    Patches
    OpenSuse openSUSE-SU-2021:3294-1
  • CVE-2021-40438+
    Recently Published

    SUSE Enterprise Linux Security Update for apache2 (SUSE-SU-2021:3299-1)

    Severity
    Critical4
    Qualys ID
    751198
    Date Published
    October 11, 2021
    Vendor Reference
    SUSE-SU-2021:3299-1
    CVE Reference
    CVE-2021-40438, CVE-2021-39275, CVE-2021-34798
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description
    This update for apache2 fixes the following issues: - cve-2021-40438: fixed a srf via a crafted request uri-path. (
    Bsc#1190703) - cve-2021-39275: fixed an out-of-bounds write in ap_escape_quotes() via malicious input. (
    Bsc#1190666) - cve-2021-34798: fixed a null pointer dereference via malformed requests.
    (bsc#1190669)

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    Successful exploitation allows attacker to compromise the system.
    Solution
    Upgrade to the latest package which contains the patch. To install this SUSE Security, Update use YaST online_update. Alternatively you can run the command listed for your product. To install packages using the command line interface, use command "yum update". Refer to Suse security advisory: SUSE-SU-2021:3299-1 to address this issue and obtain further details.
    Patches
    SUSE Enterprise Linux SUSE-SU-2021:3299-1
  • CVE-2021-30858+
    Recently Published

    SUSE Enterprise Linux Security Update for webkit2gtk3 (SUSE-SU-2021:3296-1)

    Severity
    Critical4
    Qualys ID
    751194
    Date Published
    October 11, 2021
    Vendor Reference
    SUSE-SU-2021:3296-1
    CVE Reference
    CVE-2021-30858, CVE-2021-21806
    CVSS Scores
    Base 8.8 / Temporal 7.7
    Description
    This update for webkit2gtk3 fixes the following issues: - update to version 2.32.4 - cve-2021-30858: fixed a security bug that could allow maliciously crafted web content to achieve arbitrary code execution. (
    Bsc#1190701) - cve-2021-21806: fixed an exploitable use-after-free vulnerability via specially crafted html web page. (
    Bsc#1188697)

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    Successful exploitation allows attacker to compromise the system.
    Solution
    Upgrade to the latest package which contains the patch. To install this SUSE Security, Update use YaST online_update. Alternatively you can run the command listed for your product. To install packages using the command line interface, use command "yum update". Refer to Suse security advisory: SUSE-SU-2021:3296-1 to address this issue and obtain further details.
    Patches
    SUSE Enterprise Linux SUSE-SU-2021:3296-1
  • CVE-2021-39365
    Recently Published

    SUSE Enterprise Linux Security Update for grilo (SUSE-SU-2021:3295-1)

    Severity
    Critical4
    Qualys ID
    751193
    Date Published
    October 11, 2021
    Vendor Reference
    SUSE-SU-2021:3295-1
    CVE Reference
    CVE-2021-39365
    CVSS Scores
    Base 5.9 / Temporal 5.2
    Description
    This update for grilo fixes the following issues: - cve-2021-39365: fixed missing tls certificate verification (bsc#1189839).

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    Successful exploitation allows attacker to compromise the system.
    Solution
    Upgrade to the latest package which contains the patch. To install this SUSE Security, Update use YaST online_update. Alternatively you can run the command listed for your product. To install packages using the command line interface, use command "yum update". Refer to Suse security advisory: SUSE-SU-2021:3295-1 to address this issue and obtain further details.
    Patches
    SUSE Enterprise Linux SUSE-SU-2021:3295-1
  • CVE-2021-39293
    Recently Published

    OpenSUSE Security Update for go1.16 (openSUSE-SU-2021:3292-1)

    Severity
    Critical4
    Qualys ID
    751202
    Date Published
    October 11, 2021
    Vendor Reference
    openSUSE-SU-2021:3292-1
    CVE Reference
    CVE-2021-39293
    CVSS Scores
    Base 4.2 / Temporal 3.7
    Description
    OpenSUSE has released a security update for go1.16 to fix the vulnerabilities.

    Affected Products:
    openSUSE Leap 15.3


    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    Malicious users could use this vulnerability to change partial contents or configuration on the system. Additionally this vulnerability can also be used to cause a limited denial of service in the form of interruptions in resource availability.
    Solution
    Upgrade to the latest packages which contain a patch. To install this OpenSUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product.

    To install packages using the command line interface, use the command "yum update".

    Refer to SUSE security advisory openSUSE-SU-2021:3292-1 to address this issue and obtain further details.

    Patches
    OpenSuse openSUSE-SU-2021:3292-1
  • CVE-2011-1848+
    Recently Published

    Hewlett Packard Enterprise (HPE) Intelligent Management Center (IMC) Multiple Vulnerabilities (HPSBGN02680)

    Severity
    Critical4
    Qualys ID
    375938
    Date Published
    October 11, 2021
    Vendor Reference
    HPSBGN02680
    CVE Reference
    CVE-2011-1848, CVE-2011-1849, CVE-2011-1850, CVE-2011-1851, CVE-2011-1852, CVE-2011-1853, CVE-2011-1854
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description
    HPE Intelligent Management Center, or IMC, is a new breed of network management systems, designed to give enterprises the most comprehensive visibility, efficiency, and agility possible.

    A security vulnerability in HPE Intelligent Management Center (iMC) PLAT could be exploited to allow remote execution of code.

    Affected Versions:
    HPE Intelligent Management Center (IMC) PLAT 5.0 (E0101) or earlier.
    HPE Intelligent Management Center (IMC) PLAT 5.0 (E0101L01) or earlier.

    QID Detection Logic (Authenticated):
    This QID checks Windows Registry to get HPE iMC PLAT installation path and then reads component-env.xml to see if it is running a vulnerable version.

    Consequence
    Successful exploitation of these vulnerabilities may allow an unauthenticated attacker to execute arbitrary code on the target system.
    Solution
    For updates please visit HPSBGN02680
    Patches
    HPSBGN02680
  • CVE-2021-3672+
    Recently Published

    Red Hat Update for nodejs:14 (RHSA-2021:3666)

    Severity
    Critical4
    Qualys ID
    239658
    Date Published
    October 11, 2021
    Vendor Reference
    RHSA-2021:3666
    CVE Reference
    CVE-2021-3672, CVE-2021-22930, CVE-2021-22931, CVE-2021-22939, CVE-2021-22940, CVE-2021-23343, CVE-2021-32803, CVE-2021-32804
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description
    Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language.

    Security Fix(es): nodejs: Use-after-free on close http2 on stream canceling (CVE-2021-22930) nodejs: Use-after-free on close http2 on stream canceling (CVE-2021-22940) c-ares: Missing input validation of host names may lead to domain hijacking (CVE-2021-3672) nodejs: Improper handling of untypical characters in domain names (CVE-2021-22931) nodejs-tar: Insufficient symlink protection allowing arbitrary file creation and overwrite (CVE-2021-32803) nodejs-tar: Insufficient absolute path sanitization allowing arbitrary file creation and overwrite (CVE-2021-32804) nodejs: Incomplete validation of tls rejectUnauthorized parameter (CVE-2021-22939) nodejs-path-parse: ReDoS via splitDeviceRe, splitTailRe and splitPathRe (CVE-2021-23343)

    Affected Products:

    Red Hat Enterprise Linux for x86_64 8 x86_64
    Red Hat Enterprise Linux for x86_64 - Extended Update Support 8.4 x86_64
    Red Hat Enterprise Linux Server - AUS 8.4 x86_64
    Red Hat Enterprise Linux for IBM z Systems 8 s390x
    Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 8.4 s390x
    Red Hat Enterprise Linux for Power, little endian 8 ppc64le
    Red Hat Enterprise Linux for Power, little endian - Extended Update Support 8.4 ppc64le
    Red Hat Enterprise Linux Server - TUS 8.4 x86_64
    Red Hat Enterprise Linux for ARM 64 8 aarch64
    Red Hat Enterprise Linux for ARM 64 - Extended Update Support 8.4 aarch64
    Red Hat Enterprise Linux Server (for IBM Power LE) - Update Services for SAP Solutions 8.4 ppc64le
    Red Hat Enterprise Linux Server - Update Services for SAP Solutions 8.4 x86_64

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    On successful exploitation, it could allow an attacker to execute code.
    Solution
    Upgrade to the latest packages which contain a patch. Refer to Applying Package Updates to RHEL system for details.

    Refer to Red Hat security advisory RHSA-2021:3666 to address this issue and obtain more information.

    Patches
    Red Hat Enterprise Linux RHSA-2021:3666
Last updated: