Vulnerability Detection Pipeline

Upcoming and New QIDs

Browse, filter by detection status, or search by CVE to get visibility into upcoming and new detections (QIDs) for all severities.

Detection Status

  • Under investigation: We are researching a detection and will publish one if it is feasible.
  • In development: We are coding a detection and will typically publish it within a few days.
  • Recently published: We have published the detection on the date indicated, and it will typically be available in the KnowledgeBase on shared platforms within a day.

Non-Qualys customers can audit their network for all published vulnerabilities by signing up for a Qualys Free Trial or Qualys Community Edition.

239 results
CVE
Title
Severity
  • CVE-2021-20232+
    In Development

    Ubuntu Security Notification for GnuTransport Layer Security vulnerabilities (USN-5029-1)

    Severity
    Critical4
    Qualys ID
    198448
    Vendor Reference
    USN-5029-1
    CVE Reference
    CVE-2021-20232, CVE-2021-20231
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description
    Gnutls incorrectly handled sending certain extensions when being used as a client.

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    a remote attacker could use this issue to cause gnutls to crash, resulting in a denial of service, or possibly execute arbitrary code..
    Solution
    Refer to Ubuntu advisory: USN-5029-1 for affected packages and patching details, or update with your package manager.
    Patches
    Ubuntu Linux USN-5029-1
  • CVE-2020-13933+
    In Development

    Debian Security Update for shiro (DLA 2726-1)

    Severity
    Critical4
    Qualys ID
    178735
    Vendor Reference
    DLA 2726-1
    CVE Reference
    CVE-2020-13933, CVE-2020-17510
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description
    Debian has released security update for shiro to fix the vulnerabilities.



    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    This vulnerability could be exploited to gain remote access to sensitive information and execute commands.
    Solution
    Refer to Debian security advisory to CentOS advisory DLA 2726-1 for updates and patch information.
    Patches
    Debian DLA 2726-1
  • CVE-2018-10685+
    In Development

    Debian Security Update for lrzip (DLA 2725-1)

    Severity
    Critical4
    Qualys ID
    178734
    Vendor Reference
    DLA 2725-1
    CVE Reference
    CVE-2018-10685, CVE-2017-9928, CVE-2018-11496, CVE-2017-9929, CVE-2017-8846, CVE-2018-5650, CVE-2018-5786, CVE-2017-8844, CVE-2018-5747
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description
    Debian has released security update for lrzip to fix the vulnerabilities.



    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    This vulnerability could be exploited to gain remote access to sensitive information and execute commands.
    Solution
    Refer to Debian security advisory to CentOS advisory DLA 2725-1 for updates and patch information.
    Patches
    Debian DLA 2725-1
  • CVE-2019-18823
    In Development

    Debian Security Update for condor (DLA 2724-1)

    Severity
    Critical4
    Qualys ID
    178733
    Vendor Reference
    DLA 2724-1
    CVE Reference
    CVE-2019-18823
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description
    Debian has released security update for condor to fix the vulnerabilities.



    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    This vulnerability could be exploited to gain remote access to sensitive information and execute commands.
    Solution
    Refer to Debian security advisory to CentOS advisory DLA 2724-1 for updates and patch information.
    Patches
    Debian DLA 2724-1
  • CVE-2021-29053
    Under Investigation

    LifeRay Multiple SQL Injection Vulnerabilities

    Severity
    Critical4
    Qualys ID
    730147
    Vendor Reference
    CVE-2021-29053
    CVE Reference
    CVE-2021-29053
    CVSS Scores
    Base 8.8 / Temporal 7.7
    Description
    Liferay, Inc., is an open-source company that provides free documentation and paid professional service to users of its software.

    Multiple SQL injection vulnerabilities in Liferay Portal 7.3.5 allow remote authenticated users to execute arbitrary SQL commands via the classPKField parameter.

    Affected Versions:
    Liferay CE 7.3.5

    QID detection logic:
    This unauthenticated QID checks for the banner as well as the CE portal regex in the main GET query.

    Consequence
    Successful exploitation of this vulnerability may allow an attacker to execute arbitrary code on the target system.

    Solution
    Update the Liferay Community Edition to the 7.3.6 or later.
    Patches
    CVE-2021-29053
  • CVE-2021-3570
    In Development

    Debian Security Update for linuxptp (DLA 2723-1)

    Severity
    Critical4
    Qualys ID
    178732
    Vendor Reference
    DLA 2723-1
    CVE Reference
    CVE-2021-3570
    CVSS Scores
    Base 8.8 / Temporal 7.7
    Description
    Debian has released security update for linuxptp to fix the vulnerabilities.



    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    This vulnerability could be exploited to gain remote access to sensitive information and execute commands.
    Solution
    Refer to Debian security advisory to CentOS advisory DLA 2723-1 for updates and patch information.
    Patches
    Debian DLA 2723-1
  • CVE-2020-12049+
    In Development

    SUSE Enterprise Linux Security Update for dbus-1 (SUSE-SU-2021:2590-1)

    Severity
    Critical4
    Qualys ID
    750909
    Vendor Reference
    SUSE-SU-2021:2590-1
    CVE Reference
    CVE-2020-12049, CVE-2020-35512
    CVSS Scores
    Base 7.8 / Temporal 6.8
    Description
    This update for dbus-1 fixes the following issues: - cve-2020-35512: fixed a bug where users with the same numeric uid could lead to use-after-free and undefined behaviour. (
    Bsc#1187105) - cve-2020-12049: fixed a bug where a truncated messages lead to resource exhaustion. (
    Bsc#1172505)

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    Successful exploitation allows attacker to compromise the system.
    Solution
    Upgrade to the latest package which contains the patch. To install this SUSE Security, Update use YaST online_update. Alternatively you can run the command listed for your product. To install packages using the command line interface, use command "yum update". Refer to Suse security advisory: SUSE-SU-2021:2590-1 to address this issue and obtain further details.
    Patches
    SUSE Enterprise Linux SUSE-SU-2021:2590-1
  • CVE-2021-28091
    In Development

    SUSE Enterprise Linux Security Update for lasso (SUSE-SU-2021:2589-1)

    Severity
    Critical4
    Qualys ID
    750911
    Vendor Reference
    SUSE-SU-2021:2589-1
    CVE Reference
    CVE-2021-28091
    CVSS Scores
    Base 7.5 / Temporal 6.5
    Description
    This update for lasso fixes the following issues: - cve-2021-28091: fixed xml signature wrapping vulnerability when parsing saml responses. (
    Bsc#1186768)

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    Successful exploitation allows attacker to compromise the system.
    Solution
    Upgrade to the latest package which contains the patch. To install this SUSE Security, Update use YaST online_update. Alternatively you can run the command listed for your product. To install packages using the command line interface, use command "yum update". Refer to Suse security advisory: SUSE-SU-2021:2589-1 to address this issue and obtain further details.
    Patches
    SUSE Enterprise Linux SUSE-SU-2021:2589-1
  • CVE-2021-32635
    In Development

    Gentoo Linux Singularity Remote code execution (GLSA 202107-50)

    Severity
    Critical4
    Qualys ID
    710045
    Vendor Reference
    GLSA 202107-50
    CVE Reference
    CVE-2021-32635
    CVSS Scores
    Base 6.3 / Temporal 5.5
    Description
    Gentoo Linux is a Linux distribution

    A vulnerability in Singularity could result in remote code execution.

    Affected Package(s): sys-cluster/singularity-{VERSION}


    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    This vulnerability could be exploited to gain remote access to sensitive information and execute commands.
    Solution
    The Vendor has released security update to fix the vulnerability. For more information please visit GLSA 202107-50 for updates and patch information.
    Patches
    Gentoo GLSA 202107-50
  • CVE-2021-3607+
    In Development

    OpenSUSE Security Update for qemu (openSUSE-SU-2021:2591-1)

    Severity
    Critical4
    Qualys ID
    750912
    Vendor Reference
    openSUSE-SU-2021:2591-1
    CVE Reference
    CVE-2021-3607, CVE-2021-3594, CVE-2021-3611, CVE-2021-3593, CVE-2021-3582, CVE-2020-25085, CVE-2021-3595, CVE-2021-3592, CVE-2021-3608
    CVSS Scores
    Base 5 / Temporal 4.4
    Description
    OpenSUSE has released a security update for qemu to fix the vulnerabilities.

    Affected Products:
    openSUSE Leap 15.3


    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    This vulnerability could be exploited to gain remote access to sensitive information and execute commands.
    Solution
    Upgrade to the latest packages which contain a patch. To install this OpenSUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product.

    To install packages using the command line interface, use the command "yum update".

    Refer to SUSE security advisory openSUSE-SU-2021:2591-1 to address this issue and obtain further details.

    Patches
    OpenSuse openSUSE-SU-2021:2591-1
  • CVE-2021-3611+
    In Development

    SUSE Enterprise Linux Security Update for qemu (SUSE-SU-2021:2591-1)

    Severity
    Critical4
    Qualys ID
    750910
    Vendor Reference
    SUSE-SU-2021:2591-1
    CVE Reference
    CVE-2021-3611, CVE-2021-3607, CVE-2021-3592, CVE-2021-3582, CVE-2020-25085, CVE-2021-3594, CVE-2021-3593, CVE-2021-3608, CVE-2021-3595
    CVSS Scores
    Base 5 / Temporal 4.4
    Description
    This update for qemu fixes the following issues: security issues fixed: - cve-2021-3595: fixed slirp: invalid pointer initialization may lead to information disclosure (tftp) (bsc#1187366) - cve-2021-3592: fix for slirp: invalid pointer initialization may lead to information disclosure (bootp) (bsc#1187364) - cve-2021-3594: fix for slirp: invalid pointer initialization may lead to information disclosure (udp) (bsc#1187367) - cve-2021-3593: fix for slirp: invalid pointer initialization may lead to information disclosure (udp6) (bsc#1187365) - cve-2021-3582: fix possible mremap overflow in the pvrdma (bsc#1187499) - cve-2021-3607: ensure correct input on ring init (bsc#1187539) - cve-2021-3608: fix the ring init error flow (bsc#1187538) - cve-2021-3611: fix intel-hda segmentation fault due to stack overflow (bsc#1187529) - cve-2020-25085: fix out-of-bounds access issue while doing multi block sdma (bsc#1176681) other issues fixed: - qemu bios fails to read stage2 loader (on s390x)(bsc#1186290) - fix qemu hang while cancelling migrating hugepage vm (bsc#1185591)

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    Successful exploitation allows attacker to compromise the system.
    Solution
    Upgrade to the latest package which contains the patch. To install this SUSE Security, Update use YaST online_update. Alternatively you can run the command listed for your product. To install packages using the command line interface, use command "yum update". Refer to Suse security advisory: SUSE-SU-2021:2591-1 to address this issue and obtain further details.
    Patches
    SUSE Enterprise Linux SUSE-SU-2021:2591-1
  • CVE-2021-30563+
    In Development

    Gentoo Linux Chromium, Google Chrome Multiple vulnerabilities (GLSA 202107-49)

    Severity
    Critical4
    Qualys ID
    710046
    Vendor Reference
    GLSA 202107-49
    CVE Reference
    CVE-2021-30563, CVE-2021-30560, CVE-2021-30564, CVE-2021-30559, CVE-2021-30561, CVE-2021-30541, CVE-2021-30562
    CVSS Scores
    Base 4.2 / Temporal 3.7
    Description
    Gentoo Linux is a Linux distribution

    Multiple vulnerabilities have been found in Chromium and Google Chrome, the worst of which could result in the arbitrary execution of code.

    Affected Package(s): www-client/google-chrome-{VERSION}


    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    Malicious users could use this vulnerability to change partial contents or configuration on the system. Additionally this vulnerability can also be used to cause a limited denial of service in the form of interruptions in resource availability.
    Solution
    The Vendor has released security update to fix the vulnerability. For more information please visit GLSA 202107-49 for updates and patch information.
    Patches
    Gentoo GLSA 202107-49
  • In Development

    EOL/Obsolete Software: IBM Websphere MQ 8.0 Detected

    Severity
    Urgent5
    Qualys ID
    106002
    Vendor Reference
    WebSphere MQ 8.0
    CVSS Scores
    Base 9.1 / Temporal 8.3
    Description
    IBM WebSphere MQ is message oriented middleware that allows independent and non-concurrent applications on a distributed system to communicate with each other.

    IBM Websphere MQ 8.0 is detected on host.

    QID Detection Logic (authenticated):
    Operating System: Windows
    The QID checks for the Registry Key "HKLM\SOFTWARE\IBM\MQSeries\CurrentVersion" value "VRMF" to see if the system is running a vulnerable version of IBM MQ or not.

    QID Detection Logic (authenticated):
    Operating System: Linux
    The QID runs the command "/opt/mqm/bin/dspmqver -v | grep -A3 '^Name'" and "/usr/mqm/bin/dspmqver -v | grep -A3 '^Name'" (for AIX only) to see if the system is running a vulnerable version of IBM MQ or not.

    Consequence
    The system is at high risk of being exposed to security vulnerabilities. Since the vendor no longer provides updates, obsolete software is highly prone to vulnerabilities.

    Solution
    Users are advised to update to latest MQ version. Please refer to IBM WebSphere MQ Website for further information.

  • In Development

    EOL/Obsolete Software: IBM Websphere MQ 5.3 Detected

    Severity
    Urgent5
    Qualys ID
    106001
    Vendor Reference
    WebSphere MQ 5.3
    CVSS Scores
    Base 8.6 / Temporal 7.9
    Description
    IBM WebSphere MQ is message oriented middleware that allows independent and non-concurrent applications on a distributed system to communicate with each other.

    IBM Websphere MQ 5.3 is detected on host.

    QID Detection Logic (authenticated):
    Operating System: Windows
    The QID checks for the Registry Key "HKLM\SOFTWARE\IBM\MQSeries\CurrentVersion" value "VRMF" to see if the system is running a vulnerable version of IBM MQ or not.

    QID Detection Logic (authenticated):
    Operating System: Linux
    The QID runs the command "/opt/mqm/bin/dspmqver -v | grep -A3 '^Name'" and "/usr/mqm/bin/dspmqver -v | grep -A3 '^Name'" (for AIX only) to see if the system is running a vulnerable version of IBM MQ or not.

    Consequence
    The system is at high risk of being exposed to security vulnerabilities. Since the vendor no longer provides updates, obsolete software is highly prone to vulnerabilities.

    Solution
    Users are advised to update to latest MQ version. Please refer to IBM WebSphere MQ Website for further information.

  • In Development

    EOL/Obsolete Software: IBM Websphere MQ 6.X Detected

    Severity
    Urgent5
    Qualys ID
    106004
    Vendor Reference
    WebSphere MQ 6.X
    CVSS Scores
    Base 8.2 / Temporal 7.5
    Description
    IBM WebSphere MQ is message oriented middleware that allows independent and non-concurrent applications on a distributed system to communicate with each other.

    IBM Websphere MQ 6.x is detected on host.

    QID Detection Logic (authenticated):
    Operating System: Windows
    The QID checks for the Registry Key "HKLM\SOFTWARE\IBM\MQSeries\CurrentVersion" value "VRMF" to see if the system is running a vulnerable version of IBM MQ or not.

    QID Detection Logic (authenticated):
    Operating System: Linux
    The QID runs the command "/opt/mqm/bin/dspmqver -v | grep -A3 '^Name'" and "/usr/mqm/bin/dspmqver -v | grep -A3 '^Name'" (for AIX only) to see if the system is running a vulnerable version of IBM MQ or not.

    Consequence
    The system is at high risk of being exposed to security vulnerabilities. Since the vendor no longer provides updates, obsolete software is highly prone to vulnerabilities.

    Solution
    Users are advised to update to latest MQ version. Please refer to IBM WebSphere MQ Website for further information.

  • In Development

    EOL/Obsolete Software: IBM Websphere MQ 9.0.X Detected

    Severity
    Urgent5
    Qualys ID
    106003
    Vendor Reference
    WebSphere MQ 9.0.X
    CVSS Scores
    Base 8.2 / Temporal 7.5
    Description
    IBM WebSphere MQ is message oriented middleware that allows independent and non-concurrent applications on a distributed system to communicate with each other.

    IBM Websphere MQ 9.0.X is detected on host.

    QID Detection Logic (authenticated):
    Operating System: Windows
    The QID checks for the Registry Key "HKLM\SOFTWARE\IBM\MQSeries\CurrentVersion" value "VRMF" to see if the system is running a vulnerable version of IBM MQ or not.

    QID Detection Logic (authenticated):
    Operating System: Linux
    The QID runs the command "/opt/mqm/bin/dspmqver -v | grep -A3 '^Name'" and "/usr/mqm/bin/dspmqver -v | grep -A3 '^Name'" (for AIX only) to see if the system is running a vulnerable version of IBM MQ or not.

    Consequence
    The system is at high risk of being exposed to security vulnerabilities. Since the vendor no longer provides updates, obsolete software is highly prone to vulnerabilities.

    Solution
    Users are advised to update to latest MQ version. Please refer to IBM WebSphere MQ Website for further information.

  • CVE-2021-34552
    In Development

    Fedora Security Update for mingw (FEDORA-2021-bf01a738f3)

    Severity
    Critical4
    Qualys ID
    281760
    Vendor Reference
    FEDORA-2021-bf01a738f3
    CVE Reference
    CVE-2021-34552
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description
    Fedora has released a security update for mingw to fix the vulnerability.

    Affected OS:
    Fedora 33



    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    This vulnerability could be exploited to gain remote access to sensitive information and execute commands.
    Solution
    Fedora has issued updated packages to fix this vulnerability.

    For more information about the vulnerability and obtaining patches, refer to the following Fedora security advisories:
    Fedora 33 Update

    Patches
    Fedora 33 FEDORA-2021-bf01a738f3
  • CVE-2021-34552
    In Development

    Fedora Security Update for mingw (FEDORA-2021-3ec845dc0c)

    Severity
    Critical4
    Qualys ID
    281759
    Vendor Reference
    FEDORA-2021-3ec845dc0c
    CVE Reference
    CVE-2021-34552
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description
    Fedora has released a security update for mingw to fix the vulnerability.

    Affected OS:
    Fedora 34



    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    This vulnerability could be exploited to gain remote access to sensitive information and execute commands.
    Solution
    Fedora has issued updated packages to fix this vulnerability.

    For more information about the vulnerability and obtaining patches, refer to the following Fedora security advisories:
    Fedora 34 Update

    Patches
    Fedora 34 FEDORA-2021-3ec845dc0c
  • CVE-2021-2135+
    Under Investigation

    Oracle WebLogic Server Multiple Vulnerabilities - CPUAPR2021

    Severity
    Critical4
    Qualys ID
    150355
    Vendor Reference
    CPUAPR2021
    CVE Reference
    CVE-2021-2135, CVE-2021-2136, CVE-2021-2142, CVE-2021-2204, CVE-2021-2211, CVE-2021-2214, CVE-2021-2292, CVE-2021-2397, CVE-2021-2376, CVE-2021-2378, CVE-2021-2382, CVE-2021-2403, CVE-2021-2394
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description
    N/A
    Consequence
    N/A
    Solution
    N/A
    Patches
    CPUAPR2021
  • CVE-2021-30807
    Recently Published

    Apple MacOS Big Sur 11.5.1 Not Installed (HT212622)

    Severity
    Critical4
    Qualys ID
    375775
    Date Published
    August 3, 2021
    Vendor Reference
    HT212622
    CVE Reference
    CVE-2021-30807
    CVSS Scores
    Base 8.8 / Temporal 7.7
    Description
    macOS Big Sur (version 11) is the 17th and current major release of macOS, Apple Inc.'s operating system for Macintosh computers, and is the successor to macOS Catalina (version 10.15).

    Affected Versions:
    Apple MacOS Big Sur version before 11.5.1

    QID Detection Logic:
    This QID checks for vulnerable version of Big sur.

    Consequence
    Opening a maliciously crafted file may lead to unexpected application termination or arbitrary code execution
    Solution
    The updates can be downloaded from Apple Downloads.

    For more information regarding the update can be found at HT212622.

    Patches
    HT212622
  • CVE-2021-2341+
    In Development

    Fedora Security Update for java (FEDORA-2021-d20d6712bc)

    Severity
    Critical4
    Qualys ID
    281771
    Vendor Reference
    FEDORA-2021-d20d6712bc
    CVE Reference
    CVE-2021-2341, CVE-2021-2369, CVE-2021-2388
    CVSS Scores
    Base 7.5 / Temporal 6.5
    Description
    Fedora has released a security update for java to fix the vulnerability.

    Affected OS:
    Fedora 34



    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    This vulnerability could be exploited to gain remote access to sensitive information and execute commands.
    Solution
    Fedora has issued updated packages to fix this vulnerability.

    For more information about the vulnerability and obtaining patches, refer to the following Fedora security advisories:
    Fedora 34 Update

    Patches
    Fedora 34 FEDORA-2021-d20d6712bc
  • CVE-2021-2341+
    In Development

    Fedora Security Update for java (FEDORA-2021-ade03666c0)

    Severity
    Critical4
    Qualys ID
    281770
    Vendor Reference
    FEDORA-2021-ade03666c0
    CVE Reference
    CVE-2021-2341, CVE-2021-2369, CVE-2021-2388
    CVSS Scores
    Base 7.5 / Temporal 6.5
    Description
    Fedora has released a security update for java to fix the vulnerability.

    Affected OS:
    Fedora 33



    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    This vulnerability could be exploited to gain remote access to sensitive information and execute commands.
    Solution
    Fedora has issued updated packages to fix this vulnerability.

    For more information about the vulnerability and obtaining patches, refer to the following Fedora security advisories:
    Fedora 33 Update

    Patches
    Fedora 33 FEDORA-2021-ade03666c0
  • CVE-2021-2341+
    In Development

    Fedora Security Update for java (FEDORA-2021-4581ccb97d)

    Severity
    Critical4
    Qualys ID
    281769
    Vendor Reference
    FEDORA-2021-4581ccb97d
    CVE Reference
    CVE-2021-2341, CVE-2021-2369, CVE-2021-2388
    CVSS Scores
    Base 7.5 / Temporal 6.5
    Description
    Fedora has released a security update for java to fix the vulnerability.

    Affected OS:
    Fedora 34



    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    This vulnerability could be exploited to gain remote access to sensitive information and execute commands.
    Solution
    Fedora has issued updated packages to fix this vulnerability.

    For more information about the vulnerability and obtaining patches, refer to the following Fedora security advisories:
    Fedora 34 Update

    Patches
    Fedora 34 FEDORA-2021-4581ccb97d
  • CVE-2021-2341+
    In Development

    Fedora Security Update for java (FEDORA-2021-e6b0792d75)

    Severity
    Critical4
    Qualys ID
    281768
    Vendor Reference
    FEDORA-2021-e6b0792d75
    CVE Reference
    CVE-2021-2341, CVE-2021-2369, CVE-2021-2388
    CVSS Scores
    Base 7.5 / Temporal 6.5
    Description
    Fedora has released a security update for java to fix the vulnerability.

    Affected OS:
    Fedora 33



    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    This vulnerability could be exploited to gain remote access to sensitive information and execute commands.
    Solution
    Fedora has issued updated packages to fix this vulnerability.

    For more information about the vulnerability and obtaining patches, refer to the following Fedora security advisories:
    Fedora 33 Update

    Patches
    Fedora 33 FEDORA-2021-e6b0792d75
  • CVE-2021-24119
    In Development

    Fedora Security Update for mbedtls (FEDORA-2021-10bfc067d1)

    Severity
    Critical4
    Qualys ID
    281758
    Vendor Reference
    FEDORA-2021-10bfc067d1
    CVE Reference
    CVE-2021-24119
    CVSS Scores
    Base 4.9 / Temporal 4.3
    Description
    Fedora has released a security update for mbedtls to fix the vulnerability.

    Affected OS:
    Fedora 33



    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    Malicious users could also use this vulnerability to change partial contents or configuration on the system and information disclosure.Denial of service can appear in some cases too.
    Solution
    Fedora has issued updated packages to fix this vulnerability.

    For more information about the vulnerability and obtaining patches, refer to the following Fedora security advisories:
    Fedora 33 Update

    Patches
    Fedora 33 FEDORA-2021-10bfc067d1
  • CVE-2021-24119
    In Development

    Fedora Security Update for mbedtls (FEDORA-2021-165969af24)

    Severity
    Critical4
    Qualys ID
    281757
    Vendor Reference
    FEDORA-2021-165969af24
    CVE Reference
    CVE-2021-24119
    CVSS Scores
    Base 4.9 / Temporal 4.3
    Description
    Fedora has released a security update for mbedtls to fix the vulnerability.

    Affected OS:
    Fedora 34



    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    Malicious users could also use this vulnerability to change partial contents or configuration on the system and information disclosure.Denial of service can appear in some cases too.
    Solution
    Fedora has issued updated packages to fix this vulnerability.

    For more information about the vulnerability and obtaining patches, refer to the following Fedora security advisories:
    Fedora 34 Update

    Patches
    Fedora 34 FEDORA-2021-165969af24
  • In Development

    Fedora Security Update for java (FEDORA-2021-6707cd4327)

    Severity
    Critical4
    Qualys ID
    281764
    Vendor Reference
    FEDORA-2021-6707cd4327
    CVSS Scores
    Base 4.2 / Temporal 3.7
    Description
    Fedora has released a security update for java to fix the vulnerability.

    Affected OS:
    Fedora 33



    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    Malicious users could use this vulnerability to change partial contents or configuration on the system. Additionally this vulnerability can also be used to cause a limited denial of service in the form of interruptions in resource availability.
    Solution
    Fedora has issued updated packages to fix this vulnerability.

    For more information about the vulnerability and obtaining patches, refer to the following Fedora security advisories:
    Fedora 33 Update

    Patches
    Fedora 33 FEDORA-2021-6707cd4327
  • In Development

    Fedora Security Update for java (FEDORA-2021-97706cf14f)

    Severity
    Critical4
    Qualys ID
    281763
    Vendor Reference
    FEDORA-2021-97706cf14f
    CVSS Scores
    Base 4.2 / Temporal 3.7
    Description
    Fedora has released a security update for java to fix the vulnerability.

    Affected OS:
    Fedora 34



    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    Malicious users could use this vulnerability to change partial contents or configuration on the system. Additionally this vulnerability can also be used to cause a limited denial of service in the form of interruptions in resource availability.
    Solution
    Fedora has issued updated packages to fix this vulnerability.

    For more information about the vulnerability and obtaining patches, refer to the following Fedora security advisories:
    Fedora 34 Update

    Patches
    Fedora 34 FEDORA-2021-97706cf14f
  • CVE-2021-37576
    In Development

    Fedora Security Update for kernel (FEDORA-2021-817b3d47d2)

    Severity
    Critical4
    Qualys ID
    281755
    Vendor Reference
    FEDORA-2021-817b3d47d2
    CVE Reference
    CVE-2021-37576
    CVSS Scores
    Base 4.2 / Temporal 3.7
    Description
    Fedora has released a security update for kernel to fix the vulnerability.

    Affected OS:
    Fedora 34



    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    Malicious users could use this vulnerability to change partial contents or configuration on the system. Additionally this vulnerability can also be used to cause a limited denial of service in the form of interruptions in resource availability.
    Solution
    Fedora has issued updated packages to fix this vulnerability.

    For more information about the vulnerability and obtaining patches, refer to the following Fedora security advisories:
    Fedora 34 Update

    Patches
    Fedora 34 FEDORA-2021-817b3d47d2
  • CVE-2021-37576
    In Development

    Fedora Security Update for kernel (FEDORA-2021-12618d9b08)

    Severity
    Critical4
    Qualys ID
    281754
    Vendor Reference
    FEDORA-2021-12618d9b08
    CVE Reference
    CVE-2021-37576
    CVSS Scores
    Base 4.2 / Temporal 3.7
    Description
    Fedora has released a security update for kernel to fix the vulnerability.

    Affected OS:
    Fedora 33



    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    Malicious users could use this vulnerability to change partial contents or configuration on the system. Additionally this vulnerability can also be used to cause a limited denial of service in the form of interruptions in resource availability.
    Solution
    Fedora has issued updated packages to fix this vulnerability.

    For more information about the vulnerability and obtaining patches, refer to the following Fedora security advisories:
    Fedora 33 Update

    Patches
    Fedora 33 FEDORA-2021-12618d9b08
  • CVE-2020-27780
    Recently Published

    CBL-Mariner Linux Security Update for pam 1.3.1

    Severity
    Urgent5
    Qualys ID
    900022
    Date Published
    August 3, 2021
    Vendor Reference
    CBL-Mariner Linux
    CVE Reference
    CVE-2020-27780
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description

    CBL-Mariner is an internal Linux distribution for cloud infrastructure and edge products and services of Microsoft.

    Affected OS: CBL Mariner

    Affected Versions: pam 1.3.1 - less than or equal 1.3.1-9999.cm1

    QID Detection Logic(Authenticated):
    This QID checks for vulnerable versions of package name.

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    Successful exploitation of this vulnerability could lead to security breach or could affect integrity, availability and confidentiality.
    Solution
    CBL-Mariner has issued updated packages to fix this vulnerability.

    For more information about the vulnerability and obtaining patches, refer to the following CBL-Mariner security advisories:

    Patches
    CBL-Mariner Linux CBL-Mariner Linux
  • CVE-2016-7161
    Recently Published

    CBL-Mariner Linux Security Update for qemu-kvm 4.2.0

    Severity
    Urgent5
    Qualys ID
    900010
    Date Published
    August 3, 2021
    Vendor Reference
    CBL-Mariner Linux
    CVE Reference
    CVE-2016-7161
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description

    CBL-Mariner is an internal Linux distribution for cloud infrastructure and edge products and services of Microsoft.

    Affected OS: CBL Mariner

    Affected Versions: qemu-kvm 4.2.0 - less than 4.2.0-12.cm1

    QID Detection Logic(Authenticated):
    This QID checks for vulnerable versions of package name.

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    Successful exploitation of this vulnerability could lead to security breach or could affect integrity, availability and confidentiality.
    Solution
    CBL-Mariner has issued updated packages to fix this vulnerability.

    For more information about the vulnerability and obtaining patches, refer to the following CBL-Mariner security advisories:

    Patches
    CBL-Mariner Linux CBL-Mariner Linux
  • CVE-2016-4074+
    Recently Published

    CBL-Mariner Linux Security Update for jq 1.5

    Severity
    Urgent5
    Qualys ID
    900007
    Date Published
    August 3, 2021
    Vendor Reference
    CBL-Mariner Linux
    CVE Reference
    CVE-2016-4074, CVE-2015-8863
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description

    CBL-Mariner is an internal Linux distribution for cloud infrastructure and edge products and services of Microsoft.

    Affected OS: CBL Mariner

    Affected Versions: jq 1.5 - less than 1.5-6.cm1

    QID Detection Logic(Authenticated):
    This QID checks for vulnerable versions of package name.

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    Successful exploitation of this vulnerability could lead to security breach or could affect integrity, availability and confidentiality.
    Solution
    CBL-Mariner has issued updated packages to fix this vulnerability.

    For more information about the vulnerability and obtaining patches, refer to the following CBL-Mariner security advisories:

    Patches
    CBL-Mariner Linux CBL-Mariner Linux
  • CVE-2019-5736
    Recently Published

    CBL-Mariner Linux Security Update for runc 1.0.0.rc8

    Severity
    Urgent5
    Qualys ID
    900053
    Date Published
    August 3, 2021
    Vendor Reference
    CBL-Mariner Linux
    CVE Reference
    CVE-2019-5736
    CVSS Scores
    Base 8.6 / Temporal 7.5
    Description

    CBL-Mariner is an internal Linux distribution for cloud infrastructure and edge products and services of Microsoft.

    Affected OS: CBL Mariner

    Affected Versions: runc 1.0.0.rc8 - less than or equal 1.0.0.rc8-9999.cm1

    QID Detection Logic(Authenticated):
    This QID checks for vulnerable versions of package name.

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    Successful exploitation of this vulnerability could lead to security breach or could affect integrity, availability and confidentiality.
    Solution
    CBL-Mariner has issued updated packages to fix this vulnerability.

    For more information about the vulnerability and obtaining patches, refer to the following CBL-Mariner security advisories:

    Patches
    CBL-Mariner Linux CBL-Mariner Linux
  • CVE-2019-12735
    Recently Published

    CBL-Mariner Linux Security Update for vim 8.1.0388

    Severity
    Urgent5
    Qualys ID
    900052
    Date Published
    August 3, 2021
    Vendor Reference
    CBL-Mariner Linux
    CVE Reference
    CVE-2019-12735
    CVSS Scores
    Base 8.6 / Temporal 7.5
    Description

    CBL-Mariner is an internal Linux distribution for cloud infrastructure and edge products and services of Microsoft.

    Affected OS: CBL Mariner

    Affected Versions: vim 8.1.0388 - less than 8.1.0388-7.cm1

    QID Detection Logic(Authenticated):
    This QID checks for vulnerable versions of package name.

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    Successful exploitation of this vulnerability could lead to security breach or could affect integrity, availability and confidentiality.
    Solution
    CBL-Mariner has issued updated packages to fix this vulnerability.

    For more information about the vulnerability and obtaining patches, refer to the following CBL-Mariner security advisories:

    Patches
    CBL-Mariner Linux CBL-Mariner Linux
  • CVE-2008-0888+
    Recently Published

    CBL-Mariner Linux Security Update for unzip 6.0

    Severity
    Urgent5
    Qualys ID
    900036
    Date Published
    August 3, 2021
    Vendor Reference
    CBL-Mariner Linux
    CVE Reference
    CVE-2008-0888, CVE-2014-9636, CVE-2014-8140, CVE-2014-8139, CVE-2018-1000035, CVE-2014-8141
    CVSS Scores
    Base 7.8 / Temporal 6.8
    Description

    CBL-Mariner is an internal Linux distribution for cloud infrastructure and edge products and services of Microsoft.

    Affected OS: CBL Mariner

    Affected Versions: unzip 6.0 - less than 6.0-16.cm1

    QID Detection Logic(Authenticated):
    This QID checks for vulnerable versions of package name.

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    Successful exploitation of this vulnerability could lead to security breach or could affect integrity, availability and confidentiality.
    Solution
    CBL-Mariner has issued updated packages to fix this vulnerability.

    For more information about the vulnerability and obtaining patches, refer to the following CBL-Mariner security advisories:

    Patches
    CBL-Mariner Linux CBL-Mariner Linux
  • CVE-2010-4756+
    Recently Published

    CBL-Mariner Linux Security Update for glibc 2.28

    Severity
    Critical4
    Qualys ID
    900034
    Date Published
    August 3, 2021
    Vendor Reference
    CBL-Mariner Linux
    CVE Reference
    CVE-2010-4756, CVE-2019-9192, CVE-2021-33574, CVE-2016-3706
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description

    CBL-Mariner is an internal Linux distribution for cloud infrastructure and edge products and services of Microsoft.

    Affected OS: CBL Mariner

    Affected Versions: glibc 2.28 - less than or equal 2.28-9999.cm1

    QID Detection Logic(Authenticated):
    This QID checks for vulnerable versions of package name.

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    Successful exploitation of this vulnerability could lead to security breach or could affect integrity, availability and confidentiality.
    Solution
    CBL-Mariner has issued updated packages to fix this vulnerability.

    For more information about the vulnerability and obtaining patches, refer to the following CBL-Mariner security advisories:

    Patches
    CBL-Mariner Linux CBL-Mariner Linux
  • CVE-2021-3177
    Recently Published

    CBL-Mariner Linux Security Update for python3 3.7.9

    Severity
    Critical4
    Qualys ID
    900033
    Date Published
    August 3, 2021
    Vendor Reference
    CBL-Mariner Linux
    CVE Reference
    CVE-2021-3177
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description

    CBL-Mariner is an internal Linux distribution for cloud infrastructure and edge products and services of Microsoft.

    Affected OS: CBL Mariner

    Affected Versions: python3 3.7.9 - less than 3.7.9-4.cm1

    QID Detection Logic(Authenticated):
    This QID checks for vulnerable versions of package name.

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    Successful exploitation of this vulnerability could lead to security breach or could affect integrity, availability and confidentiality.
    Solution
    CBL-Mariner has issued updated packages to fix this vulnerability.

    For more information about the vulnerability and obtaining patches, refer to the following CBL-Mariner security advisories:

    Patches
    CBL-Mariner Linux CBL-Mariner Linux
  • CVE-2021-28879
    Recently Published

    CBL-Mariner Linux Security Update for rust 1.47.0

    Severity
    Critical4
    Qualys ID
    900032
    Date Published
    August 3, 2021
    Vendor Reference
    CBL-Mariner Linux
    CVE Reference
    CVE-2021-28879
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description

    CBL-Mariner is an internal Linux distribution for cloud infrastructure and edge products and services of Microsoft.

    Affected OS: CBL Mariner

    Affected Versions: rust 1.47.0 - less than 1.47.0-2.cm1

    QID Detection Logic(Authenticated):
    This QID checks for vulnerable versions of package name.

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    Successful exploitation of this vulnerability could lead to security breach or could affect integrity, availability and confidentiality.
    Solution
    CBL-Mariner has issued updated packages to fix this vulnerability.

    For more information about the vulnerability and obtaining patches, refer to the following CBL-Mariner security advisories:

    Patches
    CBL-Mariner Linux CBL-Mariner Linux
  • CVE-2021-30641+
    Recently Published

    CBL-Mariner Linux Security Update for httpd 2.4.46

    Severity
    Critical4
    Qualys ID
    900030
    Date Published
    August 3, 2021
    Vendor Reference
    CBL-Mariner Linux
    CVE Reference
    CVE-2021-30641, CVE-2020-35452, CVE-2021-26691, CVE-2020-13950, CVE-2021-26690
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description

    CBL-Mariner is an internal Linux distribution for cloud infrastructure and edge products and services of Microsoft.

    Affected OS: CBL Mariner

    Affected Versions: httpd 2.4.46 - less than 2.4.46-5.cm1

    QID Detection Logic(Authenticated):
    This QID checks for vulnerable versions of package name.

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    Successful exploitation of this vulnerability could lead to security breach or could affect integrity, availability and confidentiality.
    Solution
    CBL-Mariner has issued updated packages to fix this vulnerability.

    For more information about the vulnerability and obtaining patches, refer to the following CBL-Mariner security advisories:

    Patches
    CBL-Mariner Linux CBL-Mariner Linux
  • CVE-2021-23410
    Recently Published

    CBL-Mariner Linux Security Update for python-msgpack 0.6.2

    Severity
    Critical4
    Qualys ID
    900028
    Date Published
    August 3, 2021
    Vendor Reference
    CBL-Mariner Linux
    CVE Reference
    CVE-2021-23410
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description

    CBL-Mariner is an internal Linux distribution for cloud infrastructure and edge products and services of Microsoft.

    Affected OS: CBL Mariner

    Affected Versions: python-msgpack 0.6.2 - less than or equal 0.6.2-9999.cm1

    QID Detection Logic(Authenticated):
    This QID checks for vulnerable versions of package name.

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    Successful exploitation of this vulnerability could lead to security breach or could affect integrity, availability and confidentiality.
    Solution
    CBL-Mariner has issued updated packages to fix this vulnerability.

    For more information about the vulnerability and obtaining patches, refer to the following CBL-Mariner security advisories:

    Patches
    CBL-Mariner Linux CBL-Mariner Linux
  • CVE-2021-23410
    Recently Published

    CBL-Mariner Linux Security Update for msgpack 3.2.1

    Severity
    Critical4
    Qualys ID
    900027
    Date Published
    August 3, 2021
    Vendor Reference
    CBL-Mariner Linux
    CVE Reference
    CVE-2021-23410
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description

    CBL-Mariner is an internal Linux distribution for cloud infrastructure and edge products and services of Microsoft.

    Affected OS: CBL Mariner

    Affected Versions: msgpack 3.2.1 - less than or equal 3.2.1-9999.cm1

    QID Detection Logic(Authenticated):
    This QID checks for vulnerable versions of package name.

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    Successful exploitation of this vulnerability could lead to security breach or could affect integrity, availability and confidentiality.
    Solution
    CBL-Mariner has issued updated packages to fix this vulnerability.

    For more information about the vulnerability and obtaining patches, refer to the following CBL-Mariner security advisories:

    Patches
    CBL-Mariner Linux CBL-Mariner Linux
  • CVE-2019-9511+
    Recently Published

    CBL-Mariner Linux Security Update for nginx 1.16.1

    Severity
    Critical4
    Qualys ID
    900026
    Date Published
    August 3, 2021
    Vendor Reference
    CBL-Mariner Linux
    CVE Reference
    CVE-2019-9511, CVE-2019-9513, CVE-2021-23017, CVE-2019-9516
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description

    CBL-Mariner is an internal Linux distribution for cloud infrastructure and edge products and services of Microsoft.

    Affected OS: CBL Mariner

    Affected Versions: nginx 1.16.1 - less than or equal 1.16.1-9999.cm1

    QID Detection Logic(Authenticated):
    This QID checks for vulnerable versions of package name.

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    Successful exploitation of this vulnerability could lead to security breach or could affect integrity, availability and confidentiality.
    Solution
    CBL-Mariner has issued updated packages to fix this vulnerability.

    For more information about the vulnerability and obtaining patches, refer to the following CBL-Mariner security advisories:

    Patches
    CBL-Mariner Linux CBL-Mariner Linux
  • CVE-2021-20231+
    Recently Published

    CBL-Mariner Linux Security Update for gnutls 3.6.14

    Severity
    Critical4
    Qualys ID
    900025
    Date Published
    August 3, 2021
    Vendor Reference
    CBL-Mariner Linux
    CVE Reference
    CVE-2021-20231, CVE-2021-20232
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description

    CBL-Mariner is an internal Linux distribution for cloud infrastructure and edge products and services of Microsoft.

    Affected OS: CBL Mariner

    Affected Versions: gnutls 3.6.14 - less than 3.6.14-5.cm1

    QID Detection Logic(Authenticated):
    This QID checks for vulnerable versions of package name.

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    Successful exploitation of this vulnerability could lead to security breach or could affect integrity, availability and confidentiality.
    Solution
    CBL-Mariner has issued updated packages to fix this vulnerability.

    For more information about the vulnerability and obtaining patches, refer to the following CBL-Mariner security advisories:

    Patches
    CBL-Mariner Linux CBL-Mariner Linux
  • CVE-2021-20236
    Recently Published

    CBL-Mariner Linux Security Update for zeromq 4.3.2

    Severity
    Critical4
    Qualys ID
    900024
    Date Published
    August 3, 2021
    Vendor Reference
    CBL-Mariner Linux
    CVE Reference
    CVE-2021-20236
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description

    CBL-Mariner is an internal Linux distribution for cloud infrastructure and edge products and services of Microsoft.

    Affected OS: CBL Mariner

    Affected Versions: zeromq 4.3.2 - less than or equal 4.3.2-9999.cm1

    QID Detection Logic(Authenticated):
    This QID checks for vulnerable versions of package name.

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    Successful exploitation of this vulnerability could lead to security breach or could affect integrity, availability and confidentiality.
    Solution
    CBL-Mariner has issued updated packages to fix this vulnerability.

    For more information about the vulnerability and obtaining patches, refer to the following CBL-Mariner security advisories:

    Patches
    CBL-Mariner Linux CBL-Mariner Linux
  • CVE-2020-36318+
    Recently Published

    CBL-Mariner Linux Security Update for rust 1.47.0

    Severity
    Critical4
    Qualys ID
    900023
    Date Published
    August 3, 2021
    Vendor Reference
    CBL-Mariner Linux
    CVE Reference
    CVE-2020-36318, CVE-2021-31162
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description

    CBL-Mariner is an internal Linux distribution for cloud infrastructure and edge products and services of Microsoft.

    Affected OS: CBL Mariner

    Affected Versions: rust 1.47.0 - less than or equal 1.47.0-9999.cm1

    QID Detection Logic(Authenticated):
    This QID checks for vulnerable versions of package name.

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    Successful exploitation of this vulnerability could lead to security breach or could affect integrity, availability and confidentiality.
    Solution
    CBL-Mariner has issued updated packages to fix this vulnerability.

    For more information about the vulnerability and obtaining patches, refer to the following CBL-Mariner security advisories:

    Patches
    CBL-Mariner Linux CBL-Mariner Linux
  • CVE-2020-27619
    Recently Published

    CBL-Mariner Linux Security Update for python3 3.7.9

    Severity
    Critical4
    Qualys ID
    900021
    Date Published
    August 3, 2021
    Vendor Reference
    CBL-Mariner Linux
    CVE Reference
    CVE-2020-27619
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description

    CBL-Mariner is an internal Linux distribution for cloud infrastructure and edge products and services of Microsoft.

    Affected OS: CBL Mariner

    Affected Versions: python3 3.7.9 - less than 3.7.9-2.cm1

    QID Detection Logic(Authenticated):
    This QID checks for vulnerable versions of package name.

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    Successful exploitation of this vulnerability could lead to security breach or could affect integrity, availability and confidentiality.
    Solution
    CBL-Mariner has issued updated packages to fix this vulnerability.

    For more information about the vulnerability and obtaining patches, refer to the following CBL-Mariner security advisories:

    Patches
    CBL-Mariner Linux CBL-Mariner Linux
  • CVE-2020-15889
    Recently Published

    CBL-Mariner Linux Security Update for lua 5.3.5

    Severity
    Critical4
    Qualys ID
    900019
    Date Published
    August 3, 2021
    Vendor Reference
    CBL-Mariner Linux
    CVE Reference
    CVE-2020-15889
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description

    CBL-Mariner is an internal Linux distribution for cloud infrastructure and edge products and services of Microsoft.

    Affected OS: CBL Mariner

    Affected Versions: lua 5.3.5 - less than 5.3.5-7.cm1

    QID Detection Logic(Authenticated):
    This QID checks for vulnerable versions of package name.

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    Successful exploitation of this vulnerability could lead to security breach or could affect integrity, availability and confidentiality.
    Solution
    CBL-Mariner has issued updated packages to fix this vulnerability.

    For more information about the vulnerability and obtaining patches, refer to the following CBL-Mariner security advisories:

    Patches
    CBL-Mariner Linux CBL-Mariner Linux
  • CVE-2016-10739+
    Recently Published

    CBL-Mariner Linux Security Update for glibc 2.28

    Severity
    Critical4
    Qualys ID
    900018
    Date Published
    August 3, 2021
    Vendor Reference
    CBL-Mariner Linux
    CVE Reference
    CVE-2016-10739, CVE-2020-10029, CVE-2018-19591, CVE-2020-1751, CVE-2019-9169, CVE-2018-20796, CVE-2019-6488, CVE-2020-6096, CVE-2020-1752
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description

    CBL-Mariner is an internal Linux distribution for cloud infrastructure and edge products and services of Microsoft.

    Affected OS: CBL Mariner

    Affected Versions: glibc 2.28 - less than 2.28-12.cm1

    QID Detection Logic(Authenticated):
    This QID checks for vulnerable versions of package name.

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    Successful exploitation of this vulnerability could lead to security breach or could affect integrity, availability and confidentiality.
    Solution
    CBL-Mariner has issued updated packages to fix this vulnerability.

    For more information about the vulnerability and obtaining patches, refer to the following CBL-Mariner security advisories:

    Patches
    CBL-Mariner Linux CBL-Mariner Linux
  • CVE-2019-12900+
    Recently Published

    CBL-Mariner Linux Security Update for bzip2 1.0.6

    Severity
    Critical4
    Qualys ID
    900017
    Date Published
    August 3, 2021
    Vendor Reference
    CBL-Mariner Linux
    CVE Reference
    CVE-2019-12900, CVE-2016-3189
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description

    CBL-Mariner is an internal Linux distribution for cloud infrastructure and edge products and services of Microsoft.

    Affected OS: CBL Mariner

    Affected Versions: bzip2 1.0.6 - less than 1.0.6-15.cm1

    QID Detection Logic(Authenticated):
    This QID checks for vulnerable versions of package name.

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    Successful exploitation of this vulnerability could lead to security breach or could affect integrity, availability and confidentiality.
    Solution
    CBL-Mariner has issued updated packages to fix this vulnerability.

    For more information about the vulnerability and obtaining patches, refer to the following CBL-Mariner security advisories:

    Patches
    CBL-Mariner Linux CBL-Mariner Linux
  • CVE-2019-13012+
    Recently Published

    CBL-Mariner Linux Security Update for glib 2.58.0

    Severity
    Critical4
    Qualys ID
    900016
    Date Published
    August 3, 2021
    Vendor Reference
    CBL-Mariner Linux
    CVE Reference
    CVE-2019-13012, CVE-2019-12450
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description

    CBL-Mariner is an internal Linux distribution for cloud infrastructure and edge products and services of Microsoft.

    Affected OS: CBL Mariner

    Affected Versions: glib 2.58.0 - less than 2.58.0-6.cm1

    QID Detection Logic(Authenticated):
    This QID checks for vulnerable versions of package name.

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    Successful exploitation of this vulnerability could lead to security breach or could affect integrity, availability and confidentiality.
    Solution
    CBL-Mariner has issued updated packages to fix this vulnerability.

    For more information about the vulnerability and obtaining patches, refer to the following CBL-Mariner security advisories:

    Patches
    CBL-Mariner Linux CBL-Mariner Linux
  • CVE-2020-36328+
    Recently Published

    CBL-Mariner Linux Security Update for libwebp 1.0.0

    Severity
    Critical4
    Qualys ID
    900015
    Date Published
    August 3, 2021
    Vendor Reference
    CBL-Mariner Linux
    CVE Reference
    CVE-2020-36328, CVE-2020-36331, CVE-2018-25010, CVE-2018-25012, CVE-2018-25013, CVE-2018-25011, CVE-2020-36330, CVE-2020-36332, CVE-2018-25009, CVE-2018-25014, CVE-2020-36329
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description

    CBL-Mariner is an internal Linux distribution for cloud infrastructure and edge products and services of Microsoft.

    Affected OS: CBL Mariner

    Affected Versions: libwebp 1.0.0 - less than or equal 1.0.0-9999.cm1

    QID Detection Logic(Authenticated):
    This QID checks for vulnerable versions of package name.

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    Successful exploitation of this vulnerability could lead to security breach or could affect integrity, availability and confidentiality.
    Solution
    CBL-Mariner has issued updated packages to fix this vulnerability.

    For more information about the vulnerability and obtaining patches, refer to the following CBL-Mariner security advisories:

    Patches
    CBL-Mariner Linux CBL-Mariner Linux
  • CVE-2018-16395+
    Recently Published

    CBL-Mariner Linux Security Update for openssl 1.1.1g

    Severity
    Critical4
    Qualys ID
    900014
    Date Published
    August 3, 2021
    Vendor Reference
    CBL-Mariner Linux
    CVE Reference
    CVE-2018-16395, CVE-2009-0590, CVE-1999-0428, CVE-2016-7798, CVE-2009-3767
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description

    CBL-Mariner is an internal Linux distribution for cloud infrastructure and edge products and services of Microsoft.

    Affected OS: CBL Mariner

    Affected Versions: openssl 1.1.1g - less than or equal 1.1.1g-9999.cm1

    QID Detection Logic(Authenticated):
    This QID checks for vulnerable versions of package name.

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    Successful exploitation of this vulnerability could lead to security breach or could affect integrity, availability and confidentiality.
    Solution
    CBL-Mariner has issued updated packages to fix this vulnerability.

    For more information about the vulnerability and obtaining patches, refer to the following CBL-Mariner security advisories:

    Patches
    CBL-Mariner Linux CBL-Mariner Linux
  • CVE-2018-21029+
    Recently Published

    CBL-Mariner Linux Security Update for systemd 239

    Severity
    Critical4
    Qualys ID
    900013
    Date Published
    August 3, 2021
    Vendor Reference
    CBL-Mariner Linux
    CVE Reference
    CVE-2018-21029, CVE-2018-16864, CVE-2018-15686, CVE-2018-15687, CVE-2018-15688, CVE-2018-16865, CVE-2018-16866
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description

    CBL-Mariner is an internal Linux distribution for cloud infrastructure and edge products and services of Microsoft.

    Affected OS: CBL Mariner

    Affected Versions: systemd 239 - less than 239-31.cm1

    QID Detection Logic(Authenticated):
    This QID checks for vulnerable versions of package name.

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    Successful exploitation of this vulnerability could lead to security breach or could affect integrity, availability and confidentiality.
    Solution
    CBL-Mariner has issued updated packages to fix this vulnerability.

    For more information about the vulnerability and obtaining patches, refer to the following CBL-Mariner security advisories:

    Patches
    CBL-Mariner Linux CBL-Mariner Linux
  • CVE-2018-13410
    Recently Published

    CBL-Mariner Linux Security Update for zip 3.0

    Severity
    Critical4
    Qualys ID
    900012
    Date Published
    August 3, 2021
    Vendor Reference
    CBL-Mariner Linux
    CVE Reference
    CVE-2018-13410
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description

    CBL-Mariner is an internal Linux distribution for cloud infrastructure and edge products and services of Microsoft.

    Affected OS: CBL Mariner

    Affected Versions: zip 3.0 - less than 3.0-5.cm1

    QID Detection Logic(Authenticated):
    This QID checks for vulnerable versions of package name.

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    Successful exploitation of this vulnerability could lead to security breach or could affect integrity, availability and confidentiality.
    Solution
    CBL-Mariner has issued updated packages to fix this vulnerability.

    For more information about the vulnerability and obtaining patches, refer to the following CBL-Mariner security advisories:

    Patches
    CBL-Mariner Linux CBL-Mariner Linux
  • CVE-2017-9728+
    Recently Published

    CBL-Mariner Linux Security Update for uclibc 0.9.33.2

    Severity
    Critical4
    Qualys ID
    900011
    Date Published
    August 3, 2021
    Vendor Reference
    CBL-Mariner Linux
    CVE Reference
    CVE-2017-9728, CVE-2017-9729
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description

    CBL-Mariner is an internal Linux distribution for cloud infrastructure and edge products and services of Microsoft.

    Affected OS: CBL Mariner

    Affected Versions: uclibc 0.9.33.2 - less than or equal 0.9.33.2-9999.cm1

    QID Detection Logic(Authenticated):
    This QID checks for vulnerable versions of package name.

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    Successful exploitation of this vulnerability could lead to security breach or could affect integrity, availability and confidentiality.
    Solution
    CBL-Mariner has issued updated packages to fix this vulnerability.

    For more information about the vulnerability and obtaining patches, refer to the following CBL-Mariner security advisories:

    Patches
    CBL-Mariner Linux CBL-Mariner Linux
  • CVE-2016-4609+
    Recently Published

    CBL-Mariner Linux Security Update for libxslt 1.1.34

    Severity
    Critical4
    Qualys ID
    900009
    Date Published
    August 3, 2021
    Vendor Reference
    CBL-Mariner Linux
    CVE Reference
    CVE-2016-4609, CVE-2016-4607
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description

    CBL-Mariner is an internal Linux distribution for cloud infrastructure and edge products and services of Microsoft.

    Affected OS: CBL Mariner

    Affected Versions: libxslt 1.1.34 - less than or equal 1.1.34-9999.cm1

    QID Detection Logic(Authenticated):
    This QID checks for vulnerable versions of package name.

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    Successful exploitation of this vulnerability could lead to security breach or could affect integrity, availability and confidentiality.
    Solution
    CBL-Mariner has issued updated packages to fix this vulnerability.

    For more information about the vulnerability and obtaining patches, refer to the following CBL-Mariner security advisories:

    Patches
    CBL-Mariner Linux CBL-Mariner Linux
  • CVE-2016-1585
    Recently Published

    CBL-Mariner Linux Security Update for apparmor 2.13

    Severity
    Critical4
    Qualys ID
    900008
    Date Published
    August 3, 2021
    Vendor Reference
    CBL-Mariner Linux
    CVE Reference
    CVE-2016-1585
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description

    CBL-Mariner is an internal Linux distribution for cloud infrastructure and edge products and services of Microsoft.

    Affected OS: CBL Mariner

    Affected Versions: apparmor 2.13 - less than 2.13-11.cm1

    QID Detection Logic(Authenticated):
    This QID checks for vulnerable versions of package name.

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    Successful exploitation of this vulnerability could lead to security breach or could affect integrity, availability and confidentiality.
    Solution
    CBL-Mariner has issued updated packages to fix this vulnerability.

    For more information about the vulnerability and obtaining patches, refer to the following CBL-Mariner security advisories:

    Patches
    CBL-Mariner Linux CBL-Mariner Linux
  • CVE-2020-11102+
    Recently Published

    CBL-Mariner Linux Security Update for qemu-kvm 4.2.0

    Severity
    Critical4
    Qualys ID
    900050
    Date Published
    August 3, 2021
    Vendor Reference
    CBL-Mariner Linux
    CVE Reference
    CVE-2020-11102, CVE-2015-7504, CVE-2020-15863, CVE-2020-16092, CVE-2017-5931, CVE-2019-20175, CVE-2017-14167, CVE-2020-13659, CVE-2020-1711, CVE-2020-7211, CVE-2020-7039
    CVSS Scores
    Base 8.8 / Temporal 7.7
    Description

    CBL-Mariner is an internal Linux distribution for cloud infrastructure and edge products and services of Microsoft.

    Affected OS: CBL Mariner

    Affected Versions: qemu-kvm 4.2.0 - less than 4.2.0-13.cm1

    QID Detection Logic(Authenticated):
    This QID checks for vulnerable versions of package name.

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    Successful exploitation of this vulnerability could lead to security breach or could affect integrity, availability and confidentiality.
    Solution
    CBL-Mariner has issued updated packages to fix this vulnerability.

    For more information about the vulnerability and obtaining patches, refer to the following CBL-Mariner security advisories:

    Patches
    CBL-Mariner Linux CBL-Mariner Linux
  • CVE-2021-3537+
    Recently Published

    CBL-Mariner Linux Security Update for libxml2 2.9.10

    Severity
    Critical4
    Qualys ID
    900044
    Date Published
    August 3, 2021
    Vendor Reference
    CBL-Mariner Linux
    CVE Reference
    CVE-2021-3537, CVE-2021-3518, CVE-2021-3517
    CVSS Scores
    Base 8.8 / Temporal 7.7
    Description

    CBL-Mariner is an internal Linux distribution for cloud infrastructure and edge products and services of Microsoft.

    Affected OS: CBL Mariner

    Affected Versions: libxml2 2.9.10 - less than or equal 2.9.10-9999.cm1

    QID Detection Logic(Authenticated):
    This QID checks for vulnerable versions of package name.

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    Successful exploitation of this vulnerability could lead to security breach or could affect integrity, availability and confidentiality.
    Solution
    CBL-Mariner has issued updated packages to fix this vulnerability.

    For more information about the vulnerability and obtaining patches, refer to the following CBL-Mariner security advisories:

    Patches
    CBL-Mariner Linux CBL-Mariner Linux
  • CVE-2020-27675+
    Recently Published

    CBL-Mariner Linux Security Update for kernel 5.4.91

    Severity
    Critical4
    Qualys ID
    900040
    Date Published
    August 3, 2021
    Vendor Reference
    CBL-Mariner Linux
    CVE Reference
    CVE-2020-27675, CVE-2020-25704, CVE-2020-27777, CVE-2020-27152, CVE-2020-29369, CVE-2020-28915, CVE-2020-29371, CVE-2020-29660, CVE-2020-25656, CVE-2020-29368, CVE-2020-29569, CVE-2020-14351, CVE-2020-29372, CVE-2020-36158, CVE-2020-29661, CVE-2020-29373, CVE-2020-28974, CVE-2020-28374, CVE-2020-14381, CVE-2020-29370, CVE-2020-15436, CVE-2020-27194, CVE-2020-29534, CVE-2020-25705, CVE-2020-29374, CVE-2020-15437, CVE-2020-28941
    CVSS Scores
    Base 8.8 / Temporal 7.7
    Description

    CBL-Mariner is an internal Linux distribution for cloud infrastructure and edge products and services of Microsoft.

    Affected OS: CBL Mariner

    Affected Versions: kernel 5.4.91 - less than 5.4.91-1.cm1

    QID Detection Logic(Authenticated):
    This QID checks for vulnerable versions of package name.

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    Successful exploitation of this vulnerability could lead to security breach or could affect integrity, availability and confidentiality.
    Solution
    CBL-Mariner has issued updated packages to fix this vulnerability.

    For more information about the vulnerability and obtaining patches, refer to the following CBL-Mariner security advisories:

    Patches
    CBL-Mariner Linux CBL-Mariner Linux
  • CVE-2021-3418+
    Recently Published

    CBL-Mariner Linux Security Update for grub2 2.06~rc1

    Severity
    Critical4
    Qualys ID
    900055
    Date Published
    August 3, 2021
    Vendor Reference
    CBL-Mariner Linux
    CVE Reference
    CVE-2021-3418, CVE-2020-14372, CVE-2020-27749, CVE-2020-25632, CVE-2020-27779, CVE-2020-25647, CVE-2021-20233, CVE-2021-20225
    CVSS Scores
    Base 8.2 / Temporal 7.1
    Description

    CBL-Mariner is an internal Linux distribution for cloud infrastructure and edge products and services of Microsoft.

    Affected OS: CBL Mariner

    Affected Versions: grub2 2.06~rc1 - less than 2.06~rc1-4.cm1

    QID Detection Logic(Authenticated):
    This QID checks for vulnerable versions of package name.

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    Successful exploitation of this vulnerability could lead to security breach or could affect integrity, availability and confidentiality.
    Solution
    CBL-Mariner has issued updated packages to fix this vulnerability.

    For more information about the vulnerability and obtaining patches, refer to the following CBL-Mariner security advisories:

    Patches
    CBL-Mariner Linux CBL-Mariner Linux
  • CVE-2020-25696+
    Recently Published

    CBL-Mariner Linux Security Update for postgresql 12.5

    Severity
    Critical4
    Qualys ID
    900020
    Date Published
    August 3, 2021
    Vendor Reference
    CBL-Mariner Linux
    CVE Reference
    CVE-2020-25696, CVE-2021-20229
    CVSS Scores
    Base 7.5 / Temporal 6.5
    Description

    CBL-Mariner is an internal Linux distribution for cloud infrastructure and edge products and services of Microsoft.

    Affected OS: CBL Mariner

    Affected Versions: postgresql 12.5 - less than or equal 12.5-9999.cm1

    QID Detection Logic(Authenticated):
    This QID checks for vulnerable versions of package name.

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    Successful exploitation of this vulnerability could lead to security breach or could affect integrity, availability and confidentiality.
    Solution
    CBL-Mariner has issued updated packages to fix this vulnerability.

    For more information about the vulnerability and obtaining patches, refer to the following CBL-Mariner security advisories:

    Patches
    CBL-Mariner Linux CBL-Mariner Linux
  • CVE-2021-3592+
    Recently Published

    SUSE Enterprise Linux Security Update for qemu (SUSE-SU-2021:2563-1)

    Severity
    Critical4
    Qualys ID
    750904
    Date Published
    August 2, 2021
    Vendor Reference
    SUSE-SU-2021:2563-1
    CVE Reference
    CVE-2021-3592, CVE-2021-3595, CVE-2021-3594, CVE-2021-3611, CVE-2021-3593
    CVSS Scores
    Base 3.8 / Temporal 3.3
    Description
    This update for qemu fixes the following issues: security issues fixed: - cve-2021-3595: fixed slirp: invalid pointer initialization may lead to information disclosure (tftp) (bsc#1187366) - cve-2021-3592: fix for slirp: invalid pointer initialization may lead to information disclosure (bootp) (bsc#1187364) - cve-2021-3594: fix for slirp: invalid pointer initialization may lead to information disclosure (udp) (bsc#1187367) - cve-2021-3593: fix for slirp: invalid pointer initialization may lead to information disclosure (udp6) (bsc#1187365) - cve-2021-3611: fix intel-hda segmentation fault due to stack overflow (bsc#1187529)

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    Successful exploitation allows attacker to compromise the system.
    Solution
    Upgrade to the latest package which contains the patch. To install this SUSE Security, Update use YaST online_update. Alternatively you can run the command listed for your product. To install packages using the command line interface, use command "yum update". Refer to Suse security advisory: SUSE-SU-2021:2563-1 to address this issue and obtain further details.
    Patches
    SUSE Enterprise Linux SUSE-SU-2021:2563-1
  • CVE-2020-27221
    In Development

    IBM DB2 Stack-Based Buffer Overflow Vulnerability (January 2021 CPU)

    Severity
    Critical4
    Qualys ID
    375760
    Vendor Reference
    6446277
    CVE Reference
    CVE-2020-27221
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description
    DB2 is a family of data management products, including database servers, developed by IBM.
    CVE-2020-27221 - stack based bufferoverflow vulnerability was discovered in IBM DB2.

    Affected Version:
    DB2 Release v9.7 jdk version prior to 7.0.10.80
    DB2 Release V10.1 jdk version prior to 7.0.10.80
    DB2 Release V10.5 jdk version prior to 7.0.10.80
    DB2 Release V11.1 jdk version prior to 8.0.6.25
    DB2 Release V11.5 jdk version prior to 8.0.6.25

    QID Detection Logic:(Authenticated)
    This QID sends INST_DIR/java/jdk64/bin/./java -version command to check the vulnerable version of Java used by DB2.
    Note: use db2 user credentials to scan this qid.

    Consequence
    On Successful exploitation a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash.

    Solution
    The vendor has released multiple fixes. For more information please visit6446277
    Patches
    6446277
  • CVE-2021-3570
    Recently Published

    SUSE Enterprise Linux Security Update for linuxptp (SUSE-SU-2021:2545-1)

    Severity
    Critical4
    Qualys ID
    750902
    Date Published
    August 2, 2021
    Vendor Reference
    SUSE-SU-2021:2545-1
    CVE Reference
    CVE-2021-3570
    CVSS Scores
    Base 8.8 / Temporal 7.7
    Description
    This update for linuxptp fixes the following issues: - cve-2021-3570: validate the messagelength field of incoming messages.
    (bsc#1187646)

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    Successful exploitation allows attacker to compromise the system.
    Solution
    Upgrade to the latest package which contains the patch. To install this SUSE Security, Update use YaST online_update. Alternatively you can run the command listed for your product. To install packages using the command line interface, use command "yum update". Refer to Suse security advisory: SUSE-SU-2021:2545-1 to address this issue and obtain further details.
    Patches
    SUSE Enterprise Linux SUSE-SU-2021:2545-1
  • CVE-2020-36327+
    In Development

    Fedora Security Update for ruby (FEDORA-2021-36cdab1f8d)

    Severity
    Critical4
    Qualys ID
    281749
    Vendor Reference
    FEDORA-2021-36cdab1f8d
    CVE Reference
    CVE-2020-36327, CVE-2021-31799, CVE-2021-32066, CVE-2021-31810
    CVSS Scores
    Base 8.8 / Temporal 7.7
    Description
    Fedora has released a security update for ruby to fix the vulnerability.

    Affected OS:
    Fedora 34



    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    This vulnerability could be exploited to gain remote access to sensitive information and execute commands.
    Solution
    Fedora has issued updated packages to fix this vulnerability.

    For more information about the vulnerability and obtaining patches, refer to the following Fedora security advisories:
    Fedora 34 Update

    Patches
    Fedora 34 FEDORA-2021-36cdab1f8d
  • CVE-2020-26820
    In Development

    SAP NetWeaver AS Java Remote Code Execution Vulnerability

    Severity
    Critical4
    Qualys ID
    87459
    Vendor Reference
    SAP Security Note 2979062
    CVE Reference
    CVE-2020-26820
    CVSS Scores
    Base 7.2 / Temporal 6.3
    Description
    SAP NetWeaver AS for JAVA, versions - 7.20, 7.30, 7.31, 7.40, 7.50, allows an attacker who is authenticated as an administrator to use the administrator console, to expose unauthenticated access to the file system and upload a malicious file..

    Affected Versions
    SAP NetWeaver AS JAVA Versions 7.20, 7.30, 7.31, 7.40, 7.50

    QID Detection Logic(s):
    Scan initiates HTTP request on Web Server and determines version based on the Server Header.

    Consequence
    Successful exploitation of this vulnerability may allow an attacker to execute arbitrary commands on the target system.

    Solution
    Customers are advised to follow the SAP Security Note 2979062 for remediation instructions.
    Patches
    2979062
  • CVE-2021-3595+
    Recently Published

    SUSE Enterprise Linux Security Update for qemu (SUSE-SU-2021:2546-1)

    Severity
    Critical4
    Qualys ID
    750903
    Date Published
    August 2, 2021
    Vendor Reference
    SUSE-SU-2021:2546-1
    CVE Reference
    CVE-2021-3595, CVE-2021-3593, CVE-2021-3594, CVE-2021-3611, CVE-2021-3592
    CVSS Scores
    Base 3.8 / Temporal 3.3
    Description
    This update for qemu fixes the following issues: security issues fixed: - cve-2021-3595: fixed slirp: invalid pointer initialization may lead to information disclosure (tftp) (bsc#1187366) - cve-2021-3592: fix for slirp: invalid pointer initialization may lead to information disclosure (bootp) (bsc#1187364) - cve-2021-3594: fix for slirp: invalid pointer initialization may lead to information disclosure (udp) (bsc#1187367) - cve-2021-3593: fix for slirp: invalid pointer initialization may lead to information disclosure (udp6) (bsc#1187365) - cve-2021-3611: fix intel-hda segmentation fault due to stack overflow (bsc#1187529)

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    Successful exploitation allows attacker to compromise the system.
    Solution
    Upgrade to the latest package which contains the patch. To install this SUSE Security, Update use YaST online_update. Alternatively you can run the command listed for your product. To install packages using the command line interface, use command "yum update". Refer to Suse security advisory: SUSE-SU-2021:2546-1 to address this issue and obtain further details.
    Patches
    SUSE Enterprise Linux SUSE-SU-2021:2546-1
  • CVE-2021-33909+
    In Development

    Red Hat Update for OpenShift Container Platform 4.7.21 (RHSA-2021:2763)

    Severity
    Critical4
    Qualys ID
    239520
    Vendor Reference
    RHSA-2021:2763
    CVE Reference
    CVE-2021-33909, CVE-2021-33910
    CVSS Scores
    Base 7.8 / Temporal 6.8
    Description
    Red Hat OpenShift Container Platform is Red Hat's cloud computingKubernetes application platform solution designed for on-premise or privatecloud deployments.The kernel packages contain the Linux kernel, the core of any Linux operating system.The kernel-rt packages provide the Real Time Linux Kernel, which enables fine-tuning for systems with extremely high determinism requirements.Ansible is a SSH-based configuration management, deployment, and task execution system. The openshift-ansible packages contain Ansible code and playbooks for installing and upgrading OpenShift Container Platform 3.The systemd packages contain systemd, a system and service manager for Linux, compatible with the SysV and LSB init scripts. It provides aggressive parallelism capabilities, uses socket and D-Bus activation for starting services, offers on-demand starting of daemons, and keeps track of processes using Linux cgroups. In addition, it supports snapshotting and restoring of the system state, maintains mount and automount points, and implements an elaborate transactional dependency-based service control logic. It can also work as a drop-in replacement for sysvinit.

    Security Fix(es): kernel: size_t-to-int conversion vulnerability in the filesystem layer (CVE-2021-33909) systemd: uncontrolled allocation on the stack in function unit_name_path_escape leads to crash (CVE-2021-33910)

    Affected Products:

    Red Hat OpenShift Container Platform 4.7 for RHEL 8 x86_64
    Red Hat OpenShift Container Platform 4.7 for RHEL 7 x86_64
    Red Hat OpenShift Container Platform for Power 4.7 for RHEL 8 ppc64le
    Red Hat OpenShift Container Platform for IBM Z and LinuxONE 4.7 for RHEL 8 s390x

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    On successful exploitation, it could allow an attacker to execute code.
    Solution
    Upgrade to the latest packages which contain a patch. Refer to Applying Package Updates to RHEL system for details.

    Refer to Red Hat security advisory RHSA-2021:2763 to address this issue and obtain more information.

    Patches
    Red Hat Enterprise Linux RHSA-2021:2763
  • CVE-2021-2422+
    Recently Published

    Ubuntu Security Notification for MySQL vulnerabilities (USN-5022-1)

    Severity
    Critical4
    Qualys ID
    198442
    Date Published
    August 3, 2021
    Vendor Reference
    USN-5022-1
    CVE Reference
    CVE-2021-2422, CVE-2021-2441, CVE-2021-2370, CVE-2021-2425, CVE-2021-2339, CVE-2021-2424, CVE-2021-2429, CVE-2021-2340, CVE-2021-2352, CVE-2021-2372, CVE-2021-2385, CVE-2021-2390, CVE-2021-2418, CVE-2021-2402, CVE-2021-2383, CVE-2021-2437, CVE-2021-2384, CVE-2021-2389, CVE-2021-2426, CVE-2021-2417, CVE-2021-2367, CVE-2021-2374, CVE-2021-2342, CVE-2021-2410, CVE-2021-2427, CVE-2021-2387, CVE-2021-2399, CVE-2021-2440, CVE-2021-2354, CVE-2021-2356, CVE-2021-2357
    CVSS Scores
    Base 6 / Temporal 5.2
    Description
    Multiple security issues were discovered in mysql and this update includes new upstream mysql versions to fix these issues mysql has been updated to 8 in addition to security fixes, the updated packages contain bug fixes, new features, and possibly incompatible changes

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as unauthorized update, insert or delete access to some of MySQL Server accessible data.
    Solution
    Refer to Ubuntu advisory: USN-5022-1 for affected packages and patching details, or update with your package manager.
    Patches
    Ubuntu Linux USN-5022-1
  • CVE-2019-13509+
    Recently Published

    CBL-Mariner Linux Security Update for moby-buildx 0.4.1

    Severity
    Urgent5
    Qualys ID
    900005
    Date Published
    August 3, 2021
    Vendor Reference
    CBL-Mariner Linux
    CVE Reference
    CVE-2019-13509, CVE-2014-9356, CVE-2014-5278, CVE-2015-3631, CVE-2014-9358, CVE-2014-8178, CVE-2014-5277, CVE-2014-5282, CVE-2014-6407, CVE-2019-5736, CVE-2020-27534, CVE-2014-8179, CVE-2016-3697, CVE-2015-3627, CVE-2015-3630, CVE-2014-0047, CVE-2021-21285, CVE-2017-14992, CVE-2019-13139, CVE-2014-0048, CVE-2019-16884, CVE-2021-21284
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description

    CBL-Mariner is an internal Linux distribution for cloud infrastructure and edge products and services of Microsoft.

    Affected OS: CBL Mariner

    Affected Versions: moby-buildx 0.4.1 - less than or equal 0.4.1-9999.cm1

    QID Detection Logic(Authenticated):
    This QID checks for vulnerable versions of package name.

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    Successful exploitation of this vulnerability could lead to security breach or could affect integrity, availability and confidentiality.
    Solution
    CBL-Mariner has issued updated packages to fix this vulnerability.

    For more information about the vulnerability and obtaining patches, refer to the following CBL-Mariner security advisories:

    Patches
    CBL-Mariner Linux CBL-Mariner Linux
  • CVE-2007-4050+
    Recently Published

    CBL-Mariner Linux Security Update for bzr 2.7.0

    Severity
    Urgent5
    Qualys ID
    900003
    Date Published
    August 3, 2021
    Vendor Reference
    CBL-Mariner Linux
    CVE Reference
    CVE-2007-4050, CVE-2017-14176
    CVSS Scores
    Base 8.8 / Temporal 7.7
    Description

    CBL-Mariner is an internal Linux distribution for cloud infrastructure and edge products and services of Microsoft.

    Affected OS: CBL Mariner

    Affected Versions: bzr 2.7.0 - less than or equal 2.7.0-9999.cm1

    QID Detection Logic(Authenticated):
    This QID checks for vulnerable versions of package name.

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    Successful exploitation of this vulnerability could lead to security breach or could affect integrity, availability and confidentiality.
    Solution
    CBL-Mariner has issued updated packages to fix this vulnerability.

    For more information about the vulnerability and obtaining patches, refer to the following CBL-Mariner security advisories:

    Patches
    CBL-Mariner Linux CBL-Mariner Linux
  • CVE-2008-3913+
    Recently Published

    CBL-Mariner Linux Security Update for clamav 0.101.2

    Severity
    Urgent5
    Qualys ID
    900004
    Date Published
    August 3, 2021
    Vendor Reference
    CBL-Mariner Linux
    CVE Reference
    CVE-2008-3913, CVE-2007-2650, CVE-2009-1241, CVE-2008-3912, CVE-2019-12625, CVE-2019-15961, CVE-2008-3914
    CVSS Scores
    Base 7.5 / Temporal 6.5
    Description

    CBL-Mariner is an internal Linux distribution for cloud infrastructure and edge products and services of Microsoft.

    Affected OS: CBL Mariner

    Affected Versions: clamav 0.101.2 - less than or equal 0.101.2-9999.cm1

    QID Detection Logic(Authenticated):
    This QID checks for vulnerable versions of package name.

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    Successful exploitation of this vulnerability could lead to security breach or could affect integrity, availability and confidentiality.
    Solution
    CBL-Mariner has issued updated packages to fix this vulnerability.

    For more information about the vulnerability and obtaining patches, refer to the following CBL-Mariner security advisories:

    Patches
    CBL-Mariner Linux CBL-Mariner Linux
  • CVE-2000-0803
    Recently Published

    CBL-Mariner Linux Security Update for groff 1.22.3

    Severity
    Urgent5
    Qualys ID
    900002
    Date Published
    August 3, 2021
    Vendor Reference
    CBL-Mariner Linux
    CVE Reference
    CVE-2000-0803
    CVSS Scores
    Base 4.2 / Temporal 3.7
    Description

    CBL-Mariner is an internal Linux distribution for cloud infrastructure and edge products and services of Microsoft.

    Affected OS: CBL Mariner

    Affected Versions: groff 1.22.3 - less than 1.22.3-5.cm1

    QID Detection Logic(Authenticated):
    This QID checks for vulnerable versions of package name.

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    Successful exploitation of this vulnerability could lead to security breach or could affect integrity, availability and confidentiality.
    Solution
    CBL-Mariner has issued updated packages to fix this vulnerability.

    For more information about the vulnerability and obtaining patches, refer to the following CBL-Mariner security advisories:

    Patches
    CBL-Mariner Linux CBL-Mariner Linux
  • CVE-2021-22920
    Recently Published

    Citrix ADC And Citrix Gateway Account Hijacking Vulnerability (CTX319135)

    Severity
    Urgent5
    Qualys ID
    375755
    Date Published
    August 2, 2021
    Vendor Reference
    CTX319135
    CVE Reference
    CVE-2021-22920
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description
    Citrix NetScaler Gateway provides secure access control management solution.

    Citrix ADC provides proven L4-7 load balancing and global server load balancing (GSLB) to ensure the best application performance and reliability.
    Multiple vulnerability has been identified in Citrix Application Delivery Controller (ADC) formerly known as NetScaler ADC and Citrix Gateway formerly known as NetScaler Gateway that, if exploited, could result in a number of security issues.

    Affected Versions:
    Citrix ADC and Citrix Gateway 13.0-82.42
    Citrix ADC and Citrix Gateway 12.1-62.25

    QID Detection Logic(Authenticated):
    This QID checks for vulnerable versions of Citrix ADC/NetScaler.

    Consequence
    Successful exploitation could allow an attacker to steal a valid user session via SAML authentication hijack through a phishing attack
    Solution

    Customers are advised to refer to CTX319135 for information pertaining to remediating this vulnerability.

    Patches
    CTX319135
  • CVE-2021-26701
    Recently Published

    PowerShell Remote Code Execution Vulnerability

    Severity
    Critical4
    Qualys ID
    375741
    Date Published
    August 2, 2021
    Vendor Reference
    Microsoft Security Advisory
    CVE Reference
    CVE-2021-26701
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description
    PowerShell Core is a cross-platform automation and configuration tool/framework that works well with your existing tools and is optimized for dealing with structured data, REST APIs, and object models.

    A remote code execution vulnerability exists in .NET 5 and .NET Core due to how text encoding is performed.

    Affected Versions:
    PowerShell Version 7.0 Prior to 7.0.6
    PowerShell Version 7.1 Prior to 7.1.3

    QID Detection Logic: (Authenticated)
    Operating System: Windows
    The QID checks for vulnerable version of file pwsh.exe and QID checks for vulnerable version of PowerShell Core by running command pwsh --version on linux systems.


    NOTE: The Windows check will only work for msi installations.

    Consequence
    Successful exploitation of the vulnerability may allow an attacker to execute arbitrary code on the target system.

    Solution
    Customers are advised to install the latest version of PowerShell Core which can be in the Releases page
    Patches
    CVE-2021-26701
  • CVE-2020-24556+
    Recently Published

    Trend Micro OfficeScan XG Hard Link Privilege Escalation Vulnerability(000263632)

    Severity
    Critical4
    Qualys ID
    375758
    Date Published
    August 2, 2021
    Vendor Reference
    000263632
    CVE Reference
    CVE-2020-24556, CVE-2020-24557, CVE-2020-24558, CVE-2020-24562
    CVSS Scores
    Base 7.8 / Temporal 6.8
    Description

    Trend Micro OfficeScan is a security suite that protects office networks from a variety of threats, including viruses, trojans and spyware.

    Vulnerabilities in Trend Micro OfficeScan XG SP1 on Microsoft Windows may allow an attacker to create a hard link to any file on the system, which then could be manipulated to gain a privilege escalation and code execution.
    An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.

    Affected software:
    OfficeScan XG SP1

    Consequence
    Exploitation of vulnerability could lead attacker to escalate privilege.

    Solution
    Trend Micro has released an advisory detailing various solutions available to fix this issue. Refer to Trend Micro Security Advisory Trend Micro for additional information on obtaining the fixes.
    Patches
    000263632
  • CVE-2020-24556+
    Recently Published

    Trend Micro Apex One(On-Prem) Multiple Vulnerabilities(000263632)(August 2020)

    Severity
    Critical4
    Qualys ID
    375757
    Date Published
    August 2, 2021
    Vendor Reference
    000263632
    CVE Reference
    CVE-2020-24556, CVE-2020-24557, CVE-2020-24558, CVE-2020-24562
    CVSS Scores
    Base 7.8 / Temporal 6.8
    Description
    Trend Micro Apex One protection offers advanced automated threat detection and response against an ever-growing variety of threats, including file-less and ransomware.

    CVE-2020-24556 and CVE-2020-24562: Trend Micro Apex One Hard Link Privilege Escalation Vulnerability (Windows)
    CVE-2020-24557: Trend Micro Apex One and OfficeScan XG Improper Access Control Privilege Escalation
    CVE-2020-24559: Trend Micro Apex One Hard Link Privilege Escalation Vulnerability (macOS)

    Affected Versions
    Trend Micro Apex 2019 (On-Prem) prior to Build 8378

    QID Detection Logic:(Authenticated):
    The QID checks for vulnerable version of Trend Micro Apex which it fetches out through registry file.

    Consequence
    Successful exploitation would allow an authenticated attacker to privilege escalation, out-of-bounds read information disclosure and improper access control.
    Solution
    Trend Micro has released an advisory detailing various solutions available to fix this issue. Refer to Trend Micro Security Advisory 000263632 for additional information on obtaining the fixes.
    Patches
    000263632
  • CVE-2021-22919+
    Recently Published

    Citrix ADC and NetScaler Gateway Multiple Vulnerabilities(CTX319135)

    Severity
    Urgent5
    Qualys ID
    375745
    Date Published
    August 2, 2021
    Vendor Reference
    CTX319135
    CVE Reference
    CVE-2021-22919, CVE-2021-22927
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description
    Citrix NetScaler Gateway provides secure access control management solution.

    Citrix ADC provides proven L4-7 load balancing and global server load balancing (GSLB) to ensure the best application performance and reliability.
    Multiple vulnerability has been identified in Citrix Application Delivery Controller (ADC) formerly known as NetScaler ADC and Citrix Gateway formerly known as NetScaler Gateway that, if exploited, could result in a number of security issues.

    Affected Versions:
    Citrix ADC and Citrix Gateway 13.0 before 13.0-82.45
    Citrix ADC and Citrix Gateway 12.1 before 12.1-62.27
    Citrix ADC and NetScaler Gateway 11.1 before 11.1-65.22
    Citrix ADC and Citrix Gateway 13.0-82.42
    Citrix ADC and Citrix Gateway 12.1-62.25

    QID Detection Logic(Authenticated):
    This QID checks for vulnerable versions of Citrix ADC/NetScaler.

    Consequence
    Successful exploitation could allow an attacker to steal a valid user session via SAML authentication hijack through a phishing attack
    Solution

    Customers are advised to refer to CTX319135 for information pertaining to remediating this vulnerability.

    Patches
    CTX319135
  • CVE-2021-30547+
    Recently Published

    SUSE Enterprise Linux Security Update for MozillaFirefox (SUSE-SU-2021:2478-1)

    Severity
    Critical4
    Qualys ID
    750898
    Date Published
    July 29, 2021
    Vendor Reference
    SUSE-SU-2021:2478-1
    CVE Reference
    CVE-2021-30547, CVE-2021-29970, CVE-2021-29976
    CVSS Scores
    Base 8.8 / Temporal 7.7
    Description
    This update for mozillafirefox fixes the following issues: firefox extended support release 78.12.0 esr * fixed: various stability, functionality, and security fixes mfsa 2021-29 (bsc#1188275) * cve-2021-29970: use-after-free in accessibility features of a document * cve-2021-30547: out of bounds write in angle * cve-2021-29976: memory safety bugs fixed in firefox 90 and firefox esr 78.12

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    Successful exploitation allows attacker to compromise the system.
    Solution
    Upgrade to the latest package which contains the patch. To install this SUSE Security, Update use YaST online_update. Alternatively you can run the command listed for your product. To install packages using the command line interface, use command "yum update". Refer to Suse security advisory: SUSE-SU-2021:2478-1 to address this issue and obtain further details.
    Patches
    SUSE Enterprise Linux SUSE-SU-2021:2478-1
  • CVE-2021-3570
    Recently Published

    SUSE Enterprise Linux Security Update for linuxptp (SUSE-SU-2021:2472-1)

    Severity
    Critical4
    Qualys ID
    750896
    Date Published
    July 29, 2021
    Vendor Reference
    SUSE-SU-2021:2472-1
    CVE Reference
    CVE-2021-3570
    CVSS Scores
    Base 8.8 / Temporal 7.7
    Description
    This update for linuxptp fixes the following issues: - cve-2021-3570: validate the messagelength field of incoming messages.
    (bsc#1187646)

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    Successful exploitation allows attacker to compromise the system.
    Solution
    Upgrade to the latest package which contains the patch. To install this SUSE Security, Update use YaST online_update. Alternatively you can run the command listed for your product. To install packages using the command line interface, use command "yum update". Refer to Suse security advisory: SUSE-SU-2021:2472-1 to address this issue and obtain further details.
    Patches
    SUSE Enterprise Linux SUSE-SU-2021:2472-1
  • CVE-2021-29969+
    Recently Published

    Red Hat Update for thunderbird (RHSA-2021:2881)

    Severity
    Critical4
    Qualys ID
    239510
    Date Published
    July 29, 2021
    Vendor Reference
    RHSA-2021:2881
    CVE Reference
    CVE-2021-29969, CVE-2021-29970, CVE-2021-29976, CVE-2021-30547
    CVSS Scores
    Base 8.8 / Temporal 7.7
    Description
    Mozilla Thunderbird is a standalone mail and newsgroup client.This update upgrades Thunderbird to version 78.12.0.

    Security Fix(es): Mozilla: IMAP server responses sent by a MITM prior to STARTTLS could be processed (CVE-2021-29969) Mozilla: Use-after-free in accessibility features of a document (CVE-2021-29970) Mozilla: Memory safety bugs fixed in Firefox 90 and Firefox ESR 78.12 (CVE-2021-29976) chromium-browser: Out of bounds write in ANGLE (CVE-2021-30547)

    Affected Products:

    Red Hat Enterprise Linux Server 7 x86_64
    Red Hat Enterprise Linux Workstation 7 x86_64
    Red Hat Enterprise Linux Desktop 7 x86_64
    Red Hat Enterprise Linux for Power, little endian 7 ppc64le

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    On successful exploitation, it could allow an attacker to execute code.
    Solution
    Upgrade to the latest packages which contain a patch. Refer to Applying Package Updates to RHEL system for details.

    Refer to Red Hat security advisory RHSA-2021:2881 to address this issue and obtain more information.

    Patches
    Red Hat Enterprise Linux RHSA-2021:2881
  • CVE-2021-29969+
    Recently Published

    Red Hat Update for thunderbird (RHSA-2021:2882)

    Severity
    Critical4
    Qualys ID
    239509
    Date Published
    July 29, 2021
    Vendor Reference
    RHSA-2021:2882
    CVE Reference
    CVE-2021-29969, CVE-2021-29970, CVE-2021-29976, CVE-2021-30547
    CVSS Scores
    Base 8.8 / Temporal 7.7
    Description
    Mozilla Thunderbird is a standalone mail and newsgroup client.This update upgrades Thunderbird to version 78.12.0.

    Security Fix(es): Mozilla: IMAP server responses sent by a MITM prior to STARTTLS could be processed (CVE-2021-29969) Mozilla: Use-after-free in accessibility features of a document (CVE-2021-29970) Mozilla: Memory safety bugs fixed in Firefox 90 and Firefox ESR 78.12 (CVE-2021-29976) chromium-browser: Out of bounds write in ANGLE (CVE-2021-30547)

    Affected Products:

    Red Hat Enterprise Linux for x86_64 - Extended Update Support 8.1 x86_64
    Red Hat Enterprise Linux for Power, little endian - Extended Update Support 8.1 ppc64le
    Red Hat Enterprise Linux Server (for IBM Power LE) - Update Services for SAP Solutions 8.1 ppc64le
    Red Hat Enterprise Linux Server - Update Services for SAP Solutions 8.1 x86_64

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    On successful exploitation, it could allow an attacker to execute code.
    Solution
    Upgrade to the latest packages which contain a patch. Refer to Applying Package Updates to RHEL system for details.

    Refer to Red Hat security advisory RHSA-2021:2882 to address this issue and obtain more information.

    Patches
    Red Hat Enterprise Linux RHSA-2021:2882
  • CVE-2021-29969+
    Recently Published

    Red Hat Update for thunderbird (RHSA-2021:2883)

    Severity
    Critical4
    Qualys ID
    239508
    Date Published
    July 29, 2021
    Vendor Reference
    RHSA-2021:2883
    CVE Reference
    CVE-2021-29969, CVE-2021-29970, CVE-2021-29976, CVE-2021-30547
    CVSS Scores
    Base 8.8 / Temporal 7.7
    Description
    Mozilla Thunderbird is a standalone mail and newsgroup client.This update upgrades Thunderbird to version 78.12.0.

    Security Fix(es): Mozilla: IMAP server responses sent by a MITM prior to STARTTLS could be processed (CVE-2021-29969) Mozilla: Use-after-free in accessibility features of a document (CVE-2021-29970) Mozilla: Memory safety bugs fixed in Firefox 90 and Firefox ESR 78.12 (CVE-2021-29976) chromium-browser: Out of bounds write in ANGLE (CVE-2021-30547)

    Affected Products:

    Red Hat Enterprise Linux for x86_64 8 x86_64
    Red Hat Enterprise Linux for x86_64 - Extended Update Support 8.4 x86_64
    Red Hat Enterprise Linux Server - AUS 8.4 x86_64
    Red Hat Enterprise Linux for IBM z Systems 8 s390x
    Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 8.4 s390x
    Red Hat Enterprise Linux for Power, little endian 8 ppc64le
    Red Hat Enterprise Linux for Power, little endian - Extended Update Support 8.4 ppc64le
    Red Hat Enterprise Linux Server - TUS 8.4 x86_64
    Red Hat Enterprise Linux for ARM 64 8 aarch64
    Red Hat Enterprise Linux for ARM 64 - Extended Update Support 8.4 aarch64
    Red Hat Enterprise Linux Server (for IBM Power LE) - Update Services for SAP Solutions 8.4 ppc64le
    Red Hat Enterprise Linux Server - Update Services for SAP Solutions 8.4 x86_64

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    On successful exploitation, it could allow an attacker to execute code.
    Solution
    Upgrade to the latest packages which contain a patch. Refer to Applying Package Updates to RHEL system for details.

    Refer to Red Hat security advisory RHSA-2021:2883 to address this issue and obtain more information.

    Patches
    Red Hat Enterprise Linux RHSA-2021:2883
  • CVE-2021-29969+
    Recently Published

    Red Hat Update for thunderbird (RHSA-2021:2914)

    Severity
    Critical4
    Qualys ID
    239507
    Date Published
    July 29, 2021
    Vendor Reference
    RHSA-2021:2914
    CVE Reference
    CVE-2021-29969, CVE-2021-29970, CVE-2021-29976, CVE-2021-30547
    CVSS Scores
    Base 8.8 / Temporal 7.7
    Description
    Mozilla Thunderbird is a standalone mail and newsgroup client.This update upgrades Thunderbird to version 78.12.0.

    Security Fix(es): Mozilla: IMAP server responses sent by a MITM prior to STARTTLS could be processed (CVE-2021-29969) Mozilla: Use-after-free in accessibility features of a document (CVE-2021-29970) Mozilla: Memory safety bugs fixed in Firefox 90 and Firefox ESR 78.12 (CVE-2021-29976) chromium-browser: Out of bounds write in ANGLE (CVE-2021-30547)

    Affected Products:

    Red Hat Enterprise Linux for x86_64 - Extended Update Support 8.2 x86_64
    Red Hat Enterprise Linux Server - AUS 8.2 x86_64
    Red Hat Enterprise Linux for Power, little endian - Extended Update Support 8.2 ppc64le
    Red Hat Enterprise Linux Server - TUS 8.2 x86_64
    Red Hat Enterprise Linux for ARM 64 - Extended Update Support 8.2 aarch64
    Red Hat Enterprise Linux Server (for IBM Power LE) - Update Services for SAP Solutions 8.2 ppc64le
    Red Hat Enterprise Linux Server - Update Services for SAP Solutions 8.2 x86_64

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    On successful exploitation, it could allow an attacker to execute code.
    Solution
    Upgrade to the latest packages which contain a patch. Refer to Applying Package Updates to RHEL system for details.

    Refer to Red Hat security advisory RHSA-2021:2914 to address this issue and obtain more information.

    Patches
    Red Hat Enterprise Linux RHSA-2021:2914
  • CVE-2021-33909+
    Recently Published

    SUSE Enterprise Linux Security Update for the Linux Kernel (Live Patch 36 for SLE 12 SP3) (SUSE-SU-2021:2538-1)

    Severity
    Critical4
    Qualys ID
    750899
    Date Published
    July 29, 2021
    Vendor Reference
    SUSE-SU-2021:2538-1
    CVE Reference
    CVE-2021-33909, CVE-2020-36385, CVE-2021-22555
    CVSS Scores
    Base 7.8 / Temporal 7
    Description
    This update for the linux kernel 4.4.180-94_135 fixes several issues.
    The following security issues were fixed: - cve-2021-33909: fixed an out-of-bounds write in the filesystem layer that allows to andobtain full root privileges. (
    Bsc#1188062) - cve-2021-22555: fixed an heap out-of-bounds write in net/netfilter/x_tables.c that could allow local provilege escalation.
    (bsc#1188116) - cve-2020-36385: fixed a use-after-free vulnerability reached via the ctx_list in some ucma_migrate_id situations where ucma_close is called.
    (bnc#1187050)

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    Successful exploitation allows attacker to compromise the system.
    Solution
    Upgrade to the latest package which contains the patch. To install this SUSE Security, Update use YaST online_update. Alternatively you can run the command listed for your product. To install packages using the command line interface, use command "yum update". Refer to Suse security advisory: SUSE-SU-2021:2538-1 to address this issue and obtain further details.
    Patches
    SUSE Enterprise Linux SUSE-SU-2021:2538-1
  • CVE-2021-33909
    Recently Published

    Amazon Linux Security Advisory for kernel: ALAS2-2021-1691

    Severity
    Critical4
    Qualys ID
    352500
    Date Published
    July 29, 2021
    Vendor Reference
    ALAS2-2021-1691
    CVE Reference
    CVE-2021-33909
    CVSS Scores
    Base 7.8 / Temporal 6.8
    Description

    An out-of-bounds write flaw was found in the linux kernel's seq_file in the filesystem layer.
    This flaw allows a local attacker with a user privilege to gain access to out-of-bound memory, leading to a system crash or a leak of internal kernel information.
    The issue results from not validating the size_t-to-int conversion prior to performing operations.
    The highest threat from this vulnerability is to data integrity, confidentiality and system availability. (
    ( CVE-2021-33909)



    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    Allows unauthorized disclosure of information; allows unauthorized modification; allows disruption of service.
    Solution
    Please refer to Amazon advisory: ALAS2-2021-1691 for affected packages and patching details, or update with your package manager.
    Patches
    Amazon Linux 2 ALAS2-2021-1691
  • CVE-2021-33200
    Recently Published

    Amazon Linux Security Advisory for kernel-livepatch: ALAS2LIVEPATCH-2021-054

    Severity
    Critical4
    Qualys ID
    352498
    Date Published
    July 29, 2021
    Vendor Reference
    ALAS2LIVEPATCH-2021-054
    CVE Reference
    CVE-2021-33200
    CVSS Scores
    Base 7.8 / Temporal 6.8
    Description
    N/A
    Consequence
    Allows unauthorized disclosure of information; allows unauthorized modification; allows disruption of service.
    Solution
    Please refer to Amazon advisory: ALAS2LIVEPATCH-2021-054 for affected packages and patching details, or update with your package manager.
    Patches
    Amazon Linux 2 ALAS2LIVEPATCH-2021-054
  • CVE-2021-33909
    Recently Published

    Amazon Linux Security Advisory for kernel-livepatch: ALAS2LIVEPATCH-2021-055

    Severity
    Critical4
    Qualys ID
    352497
    Date Published
    July 29, 2021
    Vendor Reference
    ALAS2LIVEPATCH-2021-055
    CVE Reference
    CVE-2021-33909
    CVSS Scores
    Base 7.8 / Temporal 6.8
    Description

    Amazon has released a security update for kernel-livepatch to fix the vulnerabilities.

    Affected Product:
    Amazon Linux 2



    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    Allows unauthorized disclosure of information; allows unauthorized modification; allows disruption of service.
    Solution
    Please refer to Amazon advisory: ALAS2LIVEPATCH-2021-055 for affected packages and patching details, or update with your package manager.
    Patches
    Amazon Linux 2 ALAS2LIVEPATCH-2021-055
  • CVE-2019-20934+
    Recently Published

    Red Hat Update for kernel (RHSA-2021:2725)

    Severity
    Critical4
    Qualys ID
    239524
    Date Published
    July 29, 2021
    Vendor Reference
    RHSA-2021:2725
    CVE Reference
    CVE-2019-20934, CVE-2020-11668, CVE-2021-33033, CVE-2021-33034, CVE-2021-33909
    CVSS Scores
    Base 7.8 / Temporal 6.8
    Description
    The kernel packages contain the Linux kernel, the core of any Linux operating system.

    Security Fix(es): kernel: size_t-to-int conversion vulnerability in the filesystem layer (CVE-2021-33909) kernel: use-after-free in net/bluetooth/hci_event.c when destroying an hci_chan (CVE-2021-33034) kernel: use-after-free in show_numa_stats function (CVE-2019-20934) kernel: mishandles invalid descriptors in drivers/media/usb/gspca/xirlink_cit.c (CVE-2020-11668) kernel: use-after-free in cipso_v4_genopt in net/ipv4/cipso_ipv4.c (CVE-2021-33033)

    Affected Products:

    Red Hat Enterprise Linux Server 7 x86_64
    Red Hat Enterprise Linux Workstation 7 x86_64
    Red Hat Enterprise Linux Desktop 7 x86_64
    Red Hat Enterprise Linux for IBM z Systems 7 s390x
    Red Hat Enterprise Linux for Power, big endian 7 ppc64
    Red Hat Enterprise Linux for Scientific Computing 7 x86_64
    Red Hat Enterprise Linux for Power, little endian 7 ppc64le
    Red Hat Virtualization Host 4 for RHEL 7 x86_64

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    On successful exploitation, it could allow an attacker to execute code.
    Solution
    Upgrade to the latest packages which contain a patch. Refer to Applying Package Updates to RHEL system for details.

    Refer to Red Hat security advisory RHSA-2021:2725 to address this issue and obtain more information.

    Patches
    Red Hat Enterprise Linux RHSA-2021:2725
  • CVE-2019-20934+
    Recently Published

    Red Hat Update for kernel-rt (RHSA-2021:2726)

    Severity
    Critical4
    Qualys ID
    239523
    Date Published
    July 29, 2021
    Vendor Reference
    RHSA-2021:2726
    CVE Reference
    CVE-2019-20934, CVE-2020-11668, CVE-2021-33033, CVE-2021-33034, CVE-2021-33909
    CVSS Scores
    Base 7.8 / Temporal 6.8
    Description
    The kernel-rt packages provide the Real Time Linux Kernel, which enables fine-tuning for systems with extremely high determinism requirements.

    Security Fix(es): kernel: size_t-to-int conversion vulnerability in the filesystem layer (CVE-2021-33909) kernel: use-after-free in net/bluetooth/hci_event.c when destroying an hci_chan (CVE-2021-33034) kernel: use-after-free in show_numa_stats function (CVE-2019-20934) kernel: mishandles invalid descriptors in drivers/media/usb/gspca/xirlink_cit.c (CVE-2020-11668) kernel: use-after-free in cipso_v4_genopt in net/ipv4/cipso_ipv4.c (CVE-2021-33033)

    Affected Products:

    Red Hat Enterprise Linux for Real Time 7 x86_64
    Red Hat Enterprise Linux for Real Time for NFV 7 x86_64

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    On successful exploitation, it could allow an attacker to execute code.
    Solution
    Upgrade to the latest packages which contain a patch. Refer to Applying Package Updates to RHEL system for details.

    Refer to Red Hat security advisory RHSA-2021:2726 to address this issue and obtain more information.

    Patches
    Red Hat Enterprise Linux RHSA-2021:2726
  • CVE-2021-33034+
    Recently Published

    Red Hat Update for kernel (RHSA-2021:2728)

    Severity
    Critical4
    Qualys ID
    239522
    Date Published
    July 29, 2021
    Vendor Reference
    RHSA-2021:2728
    CVE Reference
    CVE-2021-33034, CVE-2021-33909
    CVSS Scores
    Base 7.8 / Temporal 6.8
    Description
    The kernel packages contain the Linux kernel, the core of any Linux operating system.

    Security Fix(es): kernel: size_t-to-int conversion vulnerability in the filesystem layer (CVE-2021-33909) kernel: use-after-free in net/bluetooth/hci_event.c when destroying an hci_chan (CVE-2021-33034)

    Affected Products:

    Red Hat Enterprise Linux for x86_64 - Extended Update Support 7.7 x86_64
    Red Hat Enterprise Linux Server - AUS 7.7 x86_64
    Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 7.7 s390x
    Red Hat Enterprise Linux for Power, big endian - Extended Update Support 7.7 ppc64
    Red Hat Enterprise Linux EUS Compute Node 7.7 x86_64
    Red Hat Enterprise Linux for Power, little endian - Extended Update Support 7.7 ppc64le
    Red Hat Enterprise Linux Server - TUS 7.7 x86_64
    Red Hat Enterprise Linux Server (for IBM Power LE) - Update Services for SAP Solutions 7.7 ppc64le
    Red Hat Enterprise Linux Server - Update Services for SAP Solutions 7.7 x86_64

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    On successful exploitation, it could allow an attacker to execute code.
    Solution
    Upgrade to the latest packages which contain a patch. Refer to Applying Package Updates to RHEL system for details.

    Refer to Red Hat security advisory RHSA-2021:2728 to address this issue and obtain more information.

    Patches
    Red Hat Enterprise Linux RHSA-2021:2728
  • CVE-2021-33034+
    Recently Published

    Red Hat Update for kpatch-patch (RHSA-2021:2729)

    Severity
    Critical4
    Qualys ID
    239521
    Date Published
    July 29, 2021
    Vendor Reference
    RHSA-2021:2729
    CVE Reference
    CVE-2021-33034, CVE-2021-33909
    CVSS Scores
    Base 7.8 / Temporal 6.8
    Description
    This is a kernel live patch module which is automatically loaded by the RPM post-install script to modify the code of a running kernel.

    Security Fix(es): kernel: size_t-to-int conversion vulnerability in the filesystem layer (CVE-2021-33909) kernel: use-after-free in net/bluetooth/hci_event.c when destroying an hci_chan (CVE-2021-33034)

    Affected Products:

    Red Hat Enterprise Linux for x86_64 - Extended Update Support 7.7 x86_64
    Red Hat Enterprise Linux Server - AUS 7.7 x86_64
    Red Hat Enterprise Linux for Power, little endian - Extended Update Support 7.7 ppc64le
    Red Hat Enterprise Linux Server - TUS 7.7 x86_64
    Red Hat Enterprise Linux Server (for IBM Power LE) - Update Services for SAP Solutions 7.7 ppc64le
    Red Hat Enterprise Linux Server - Update Services for SAP Solutions 7.7 x86_64

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    On successful exploitation, it could allow an attacker to execute code.
    Solution
    Upgrade to the latest packages which contain a patch. Refer to Applying Package Updates to RHEL system for details.

    Refer to Red Hat security advisory RHSA-2021:2729 to address this issue and obtain more information.

    Patches
    Red Hat Enterprise Linux RHSA-2021:2729
  • CVE-2021-2341+
    Recently Published

    Amazon Linux Security Advisory for java-11-amazon-corretto: ALAS2-2021-1692

    Severity
    Critical4
    Qualys ID
    352499
    Date Published
    July 29, 2021
    Vendor Reference
    ALAS2-2021-1692
    CVE Reference
    CVE-2021-2341, CVE-2021-2388, CVE-2021-2369
    CVSS Scores
    Base 7.5 / Temporal 6.5
    Description

    Vulnerability in the java se, oracle graalvm enterprise edition product of oracle java se (component: networking).
    Supported versions that are affected are java se: 7u301, 8u291, 11.0.11, 16.0.1; oracle graalvm enterprise edition: 20.3.2 and 21.1.0.
    Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise java se, oracle graalvm enterprise edition.
    Successful attacks require human interaction from a person other than the attacker.
    Successful attacks of this vulnerability can result in unauthorized read access to a subset of java se, oracle graalvm enterprise edition accessible data.
    Note: this vulnerability applies to java deployments, typically in clients running sandboxed java web start applications or sandboxed java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the java sandbox for security.
    This vulnerability does not apply to java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator).
    Cvss 3.1 base score 3.1 (confidentiality impacts).
    Cvss vector: (cvss:3.1/av:n/ac:h/pr:n/ui:r/s:u/c:l/i:n/a:n). (
    ( CVE-2021-2341) vulnerability in the java se, oracle graalvm enterprise edition product of oracle java se (component: library).
    Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise java se, oracle graalvm enterprise edition.
    Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of java se, oracle graalvm enterprise edition accessible data.
    Cvss 3.1 base score 4.3 (integrity impacts).
    Cvss vector: (cvss:3.1/av:n/ac:l/pr:n/ui:r/s:u/c:n/i:l/a:n). (
    ( CVE-2021-2369) vulnerability in the java se, oracle graalvm enterprise edition product of oracle java se (component: hotspot).
    Supported versions that are affected are java se: 8u291, 11.0.11, 16.0.1; oracle graalvm enterprise edition: 20.3.2 and 21.1.0.
    Successful attacks of this vulnerability can result in takeover of java se, oracle graalvm enterprise edition.
    Cvss 3.1 base score 7.5 (confidentiality, integrity and availability impacts).
    Cvss vector: (cvss:3.1/av:n/ac:h/pr:n/ui:r/s:u/c:h/i:h/a:h). (
    ( CVE-2021-2388)



    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    Allows unauthorized disclosure of information; allows unauthorized modification; allows disruption of service.
    Solution
    Please refer to Amazon advisory: ALAS2-2021-1692 for affected packages and patching details, or update with your package manager.
    Patches
    Amazon Linux 2 ALAS2-2021-1692
  • CVE-2021-2341+
    Recently Published

    Red Hat Update for java-1.8.0-openjdk (RHSA-2021:2774)

    Severity
    Critical4
    Qualys ID
    239519
    Date Published
    July 29, 2021
    Vendor Reference
    RHSA-2021:2774
    CVE Reference
    CVE-2021-2341, CVE-2021-2369, CVE-2021-2388
    CVSS Scores
    Base 7.5 / Temporal 6.5
    Description
    The java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime Environment and the OpenJDK 8 Java Software Development Kit.

    Security Fix(es): OpenJDK: Incorrect comparison during range check elimination (Hotspot, 8264066)
    (CVE-2021-2388) OpenJDK: FTP PASV command response can cause FtpClient to connect to arbitrary host (Networking, 8258432)
    (CVE-2021-2341) OpenJDK: Incorrect verification of JAR files with multiple MANIFEST.MF files (Library, 8260967)
    (CVE-2021-2369)

    Affected Products:

    Red Hat Enterprise Linux for x86_64 - Extended Update Support 8.2 x86_64
    Red Hat Enterprise Linux Server - AUS 8.2 x86_64
    Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 8.2 s390x
    Red Hat Enterprise Linux for Power, little endian - Extended Update Support 8.2 ppc64le
    Red Hat Enterprise Linux Server - TUS 8.2 x86_64
    Red Hat Enterprise Linux for ARM 64 - Extended Update Support 8.2 aarch64
    Red Hat Enterprise Linux Server (for IBM Power LE) - Update Services for SAP Solutions 8.2 ppc64le
    Red Hat Enterprise Linux Server - Update Services for SAP Solutions 8.2 x86_64

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    On successful exploitation, it could allow an attacker to execute code.
    Solution
    Upgrade to the latest packages which contain a patch. Refer to Applying Package Updates to RHEL system for details.

    Refer to Red Hat security advisory RHSA-2021:2774 to address this issue and obtain more information.

    Patches
    Red Hat Enterprise Linux RHSA-2021:2774
  • CVE-2021-2341+
    Recently Published

    Red Hat Update for java-1.8.0-openjdk (RHSA-2021:2775)

    Severity
    Critical4
    Qualys ID
    239518
    Date Published
    July 29, 2021
    Vendor Reference
    RHSA-2021:2775
    CVE Reference
    CVE-2021-2341, CVE-2021-2369, CVE-2021-2388
    CVSS Scores
    Base 7.5 / Temporal 6.5
    Description
    The java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime Environment and the OpenJDK 8 Java Software Development Kit.

    Security Fix(es): OpenJDK: Incorrect comparison during range check elimination (Hotspot, 8264066)
    (CVE-2021-2388) OpenJDK: FTP PASV command response can cause FtpClient to connect to arbitrary host (Networking, 8258432)
    (CVE-2021-2341) OpenJDK: Incorrect verification of JAR files with multiple MANIFEST.MF files (Library, 8260967)
    (CVE-2021-2369)

    Affected Products:

    Red Hat Enterprise Linux for x86_64 - Extended Update Support 8.1 x86_64
    Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 8.1 s390x
    Red Hat Enterprise Linux for Power, little endian - Extended Update Support 8.1 ppc64le
    Red Hat Enterprise Linux for ARM 64 - Extended Update Support 8.1 aarch64
    Red Hat Enterprise Linux Server (for IBM Power LE) - Update Services for SAP Solutions 8.1 ppc64le
    Red Hat Enterprise Linux Server - Update Services for SAP Solutions 8.1 x86_64

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    On successful exploitation, it could allow an attacker to execute code.
    Solution
    Upgrade to the latest packages which contain a patch. Refer to Applying Package Updates to RHEL system for details.

    Refer to Red Hat security advisory RHSA-2021:2775 to address this issue and obtain more information.

    Patches
    Red Hat Enterprise Linux RHSA-2021:2775
  • CVE-2021-2341+
    Recently Published

    Red Hat Update for java-1.8.0-openjdk (RHSA-2021:2776)

    Severity
    Critical4
    Qualys ID
    239517
    Date Published
    July 29, 2021
    Vendor Reference
    RHSA-2021:2776
    CVE Reference
    CVE-2021-2341, CVE-2021-2369, CVE-2021-2388
    CVSS Scores
    Base 7.5 / Temporal 6.5
    Description
    The java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime Environment and the OpenJDK 8 Java Software Development Kit.

    Security Fix(es): OpenJDK: Incorrect comparison during range check elimination (Hotspot, 8264066)
    (CVE-2021-2388) OpenJDK: FTP PASV command response can cause FtpClient to connect to arbitrary host (Networking, 8258432)
    (CVE-2021-2341) OpenJDK: Incorrect verification of JAR files with multiple MANIFEST.MF files (Library, 8260967)
    (CVE-2021-2369)

    Affected Products:

    Red Hat Enterprise Linux for x86_64 8 x86_64
    Red Hat Enterprise Linux for x86_64 - Extended Update Support 8.4 x86_64
    Red Hat Enterprise Linux Server - AUS 8.4 x86_64
    Red Hat Enterprise Linux for IBM z Systems 8 s390x
    Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 8.4 s390x
    Red Hat Enterprise Linux for Power, little endian 8 ppc64le
    Red Hat Enterprise Linux for Power, little endian - Extended Update Support 8.4 ppc64le
    Red Hat Enterprise Linux Server - TUS 8.4 x86_64
    Red Hat Enterprise Linux for ARM 64 8 aarch64
    Red Hat Enterprise Linux Server (for IBM Power LE) - Update Services for SAP Solutions 8.4 ppc64le
    Red Hat CodeReady Linux Builder for x86_64 8 x86_64
    Red Hat CodeReady Linux Builder for Power, little endian 8 ppc64le
    Red Hat CodeReady Linux Builder for ARM 64 8 aarch64
    Red Hat Enterprise Linux for ARM 64 - Extended Update Support 8.4 aarch64
    Red Hat Enterprise Linux Server - Update Services for SAP Solutions 8.4 x86_64
    Red Hat CodeReady Linux Builder for x86_64 - Extended Update Support 8.4 x86_64
    Red Hat CodeReady Linux Builder for Power, little endian - Extended Update Support 8.4 ppc64le
    Red Hat CodeReady Linux Builder for ARM 64 - Extended Update Support 8.4 aarch64

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    On successful exploitation, it could allow an attacker to execute code.
    Solution
    Upgrade to the latest packages which contain a patch. Refer to Applying Package Updates to RHEL system for details.

    Refer to Red Hat security advisory RHSA-2021:2776 to address this issue and obtain more information.

    Patches
    Red Hat Enterprise Linux RHSA-2021:2776
  • CVE-2021-2341+
    Recently Published

    Red Hat Update for java-11-openjdk (RHSA-2021:2781)

    Severity
    Critical4
    Qualys ID
    239516
    Date Published
    July 29, 2021
    Vendor Reference
    RHSA-2021:2781
    CVE Reference
    CVE-2021-2341, CVE-2021-2369, CVE-2021-2388
    CVSS Scores
    Base 7.5 / Temporal 6.5
    Description
    The java-11-openjdk packages provide the OpenJDK 11 Java Runtime Environment and the OpenJDK 11 Java Software Development Kit.

    Security Fix(es): OpenJDK: Incorrect comparison during range check elimination (Hotspot, 8264066)
    (CVE-2021-2388) OpenJDK: FTP PASV command response can cause FtpClient to connect to arbitrary host (Networking, 8258432)
    (CVE-2021-2341) OpenJDK: Incorrect verification of JAR files with multiple MANIFEST.MF files (Library, 8260967)
    (CVE-2021-2369)

    Affected Products:

    Red Hat Enterprise Linux for x86_64 8 x86_64
    Red Hat Enterprise Linux for x86_64 - Extended Update Support 8.4 x86_64
    Red Hat Enterprise Linux Server - AUS 8.4 x86_64
    Red Hat Enterprise Linux for IBM z Systems 8 s390x
    Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 8.4 s390x
    Red Hat Enterprise Linux for Power, little endian 8 ppc64le
    Red Hat Enterprise Linux for Power, little endian - Extended Update Support 8.4 ppc64le
    Red Hat Enterprise Linux Server - TUS 8.4 x86_64
    Red Hat Enterprise Linux for ARM 64 8 aarch64
    Red Hat Enterprise Linux Server (for IBM Power LE) - Update Services for SAP Solutions 8.4 ppc64le
    Red Hat CodeReady Linux Builder for x86_64 8 x86_64
    Red Hat CodeReady Linux Builder for Power, little endian 8 ppc64le
    Red Hat CodeReady Linux Builder for ARM 64 8 aarch64
    Red Hat CodeReady Linux Builder for IBM z Systems 8 s390x
    Red Hat Enterprise Linux for ARM 64 - Extended Update Support 8.4 aarch64
    Red Hat Enterprise Linux Server - Update Services for SAP Solutions 8.4 x86_64
    Red Hat CodeReady Linux Builder for x86_64 - Extended Update Support 8.4 x86_64
    Red Hat CodeReady Linux Builder for Power, little endian - Extended Update Support 8.4 ppc64le
    Red Hat CodeReady Linux Builder for IBM z Systems - Extended Update Support 8.4 s390x
    Red Hat CodeReady Linux Builder for ARM 64 - Extended Update Support 8.4 aarch64

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    On successful exploitation, it could allow an attacker to execute code.
    Solution
    Upgrade to the latest packages which contain a patch. Refer to Applying Package Updates to RHEL system for details.

    Refer to Red Hat security advisory RHSA-2021:2781 to address this issue and obtain more information.

    Patches
    Red Hat Enterprise Linux RHSA-2021:2781
  • CVE-2021-2341+
    Recently Published

    Red Hat Update for java-11-openjdk (RHSA-2021:2782)

    Severity
    Critical4
    Qualys ID
    239515
    Date Published
    July 29, 2021
    Vendor Reference
    RHSA-2021:2782
    CVE Reference
    CVE-2021-2341, CVE-2021-2369, CVE-2021-2388
    CVSS Scores
    Base 7.5 / Temporal 6.5
    Description
    The java-11-openjdk packages provide the OpenJDK 11 Java Runtime Environment and the OpenJDK 11 Java Software Development Kit.

    Security Fix(es): OpenJDK: Incorrect comparison during range check elimination (Hotspot, 8264066)
    (CVE-2021-2388) OpenJDK: FTP PASV command response can cause FtpClient to connect to arbitrary host (Networking, 8258432)
    (CVE-2021-2341) OpenJDK: Incorrect verification of JAR files with multiple MANIFEST.MF files (Library, 8260967)
    (CVE-2021-2369)

    Affected Products:

    Red Hat Enterprise Linux for x86_64 - Extended Update Support 8.2 x86_64
    Red Hat Enterprise Linux Server - AUS 8.2 x86_64
    Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 8.2 s390x
    Red Hat Enterprise Linux for Power, little endian - Extended Update Support 8.2 ppc64le
    Red Hat Enterprise Linux Server - TUS 8.2 x86_64
    Red Hat Enterprise Linux for ARM 64 - Extended Update Support 8.2 aarch64
    Red Hat Enterprise Linux Server (for IBM Power LE) - Update Services for SAP Solutions 8.2 ppc64le
    Red Hat Enterprise Linux Server - Update Services for SAP Solutions 8.2 x86_64

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    On successful exploitation, it could allow an attacker to execute code.
    Solution
    Upgrade to the latest packages which contain a patch. Refer to Applying Package Updates to RHEL system for details.

    Refer to Red Hat security advisory RHSA-2021:2782 to address this issue and obtain more information.

    Patches
    Red Hat Enterprise Linux RHSA-2021:2782
  • CVE-2021-2341+
    Recently Published

    Red Hat Update for java-11-openjdk (RHSA-2021:2783)

    Severity
    Critical4
    Qualys ID
    239514
    Date Published
    July 29, 2021
    Vendor Reference
    RHSA-2021:2783
    CVE Reference
    CVE-2021-2341, CVE-2021-2369, CVE-2021-2388
    CVSS Scores
    Base 7.5 / Temporal 6.5
    Description
    The java-11-openjdk packages provide the OpenJDK 11 Java Runtime Environment and the OpenJDK 11 Java Software Development Kit.

    Security Fix(es): OpenJDK: Incorrect comparison during range check elimination (Hotspot, 8264066)
    (CVE-2021-2388) OpenJDK: FTP PASV command response can cause FtpClient to connect to arbitrary host (Networking, 8258432)
    (CVE-2021-2341) OpenJDK: Incorrect verification of JAR files with multiple MANIFEST.MF files (Library, 8260967)
    (CVE-2021-2369)

    Affected Products:

    Red Hat Enterprise Linux for x86_64 - Extended Update Support 8.1 x86_64
    Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 8.1 s390x
    Red Hat Enterprise Linux for Power, little endian - Extended Update Support 8.1 ppc64le
    Red Hat Enterprise Linux for ARM 64 - Extended Update Support 8.1 aarch64
    Red Hat Enterprise Linux Server (for IBM Power LE) - Update Services for SAP Solutions 8.1 ppc64le
    Red Hat Enterprise Linux Server - Update Services for SAP Solutions 8.1 x86_64

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    On successful exploitation, it could allow an attacker to execute code.
    Solution
    Upgrade to the latest packages which contain a patch. Refer to Applying Package Updates to RHEL system for details.

    Refer to Red Hat security advisory RHSA-2021:2783 to address this issue and obtain more information.

    Patches
    Red Hat Enterprise Linux RHSA-2021:2783
  • CVE-2021-2341+
    Recently Published

    Red Hat Update for java-11-openjdk (RHSA-2021:2784)

    Severity
    Critical4
    Qualys ID
    239513
    Date Published
    July 29, 2021
    Vendor Reference
    RHSA-2021:2784
    CVE Reference
    CVE-2021-2341, CVE-2021-2369, CVE-2021-2388
    CVSS Scores
    Base 7.5 / Temporal 6.5
    Description
    The java-11-openjdk packages provide the OpenJDK 11 Java Runtime Environment and the OpenJDK 11 Java Software Development Kit.

    Security Fix(es): OpenJDK: Incorrect comparison during range check elimination (Hotspot, 8264066)
    (CVE-2021-2388) OpenJDK: FTP PASV command response can cause FtpClient to connect to arbitrary host (Networking, 8258432)
    (CVE-2021-2341) OpenJDK: Incorrect verification of JAR files with multiple MANIFEST.MF files (Library, 8260967)
    (CVE-2021-2369)

    Affected Products:

    Red Hat Enterprise Linux Server 7 x86_64
    Red Hat Enterprise Linux Workstation 7 x86_64
    Red Hat Enterprise Linux Desktop 7 x86_64
    Red Hat Enterprise Linux for IBM z Systems 7 s390x
    Red Hat Enterprise Linux for Power, big endian 7 ppc64
    Red Hat Enterprise Linux for Scientific Computing 7 x86_64
    Red Hat Enterprise Linux for Power, little endian 7 ppc64le

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    On successful exploitation, it could allow an attacker to execute code.
    Solution
    Upgrade to the latest packages which contain a patch. Refer to Applying Package Updates to RHEL system for details.

    Refer to Red Hat security advisory RHSA-2021:2784 to address this issue and obtain more information.

    Patches
    Red Hat Enterprise Linux RHSA-2021:2784
  • CVE-2021-2341+
    Recently Published

    Red Hat Update for java-1.8.0-openjdk (RHSA-2021:2845)

    Severity
    Critical4
    Qualys ID
    239512
    Date Published
    July 29, 2021
    Vendor Reference
    RHSA-2021:2845
    CVE Reference
    CVE-2021-2341, CVE-2021-2369, CVE-2021-2388
    CVSS Scores
    Base 7.5 / Temporal 6.5
    Description
    The java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime Environment and the OpenJDK 8 Java Software Development Kit.

    Security Fix(es): OpenJDK: Incorrect comparison during range check elimination (Hotspot, 8264066)
    (CVE-2021-2388) OpenJDK: FTP PASV command response can cause FtpClient to connect to arbitrary host (Networking, 8258432)
    (CVE-2021-2341) OpenJDK: Incorrect verification of JAR files with multiple MANIFEST.MF files (Library, 8260967)
    (CVE-2021-2369)

    Affected Products:

    Red Hat Enterprise Linux Server 7 x86_64
    Red Hat Enterprise Linux Workstation 7 x86_64
    Red Hat Enterprise Linux Desktop 7 x86_64
    Red Hat Enterprise Linux for IBM z Systems 7 s390x
    Red Hat Enterprise Linux for Power, big endian 7 ppc64
    Red Hat Enterprise Linux for Scientific Computing 7 x86_64
    Red Hat Enterprise Linux for Power, little endian 7 ppc64le

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    On successful exploitation, it could allow an attacker to execute code.
    Solution
    Upgrade to the latest packages which contain a patch. Refer to Applying Package Updates to RHEL system for details.

    Refer to Red Hat security advisory RHSA-2021:2845 to address this issue and obtain more information.

    Patches
    Red Hat Enterprise Linux RHSA-2021:2845
  • CVE-2021-29136
    Recently Published

    OpenSUSE Security Update for umoci (openSUSE-SU-2021:1863-1)

    Severity
    Critical4
    Qualys ID
    750900
    Date Published
    July 29, 2021
    Vendor Reference
    openSUSE-SU-2021:1863-1
    CVE Reference
    CVE-2021-29136
    CVSS Scores
    Base 5.5 / Temporal 4.8
    Description
    OpenSUSE has released a security update for umoci to fix the vulnerabilities.

    Affected Products:
    openSUSE Leap 15.3


    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    Malicious users could use this vulnerability to change partial contents or configuration on the system. Additionally this vulnerability can also be used to cause a limited denial of service in the form of interruptions in resource availability.
    Solution
    Upgrade to the latest packages which contain a patch. To install this OpenSUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product.

    To install packages using the command line interface, use the command "yum update".

    Refer to SUSE security advisory openSUSE-SU-2021:1863-1 to address this issue and obtain further details.

    Patches
    OpenSuse openSUSE-SU-2021:1863-1
  • CVE-2020-12049
    Recently Published

    SUSE Enterprise Linux Security Update for dbus-1 (SUSE-SU-2021:2470-1)

    Severity
    Critical4
    Qualys ID
    750895
    Date Published
    July 29, 2021
    Vendor Reference
    SUSE-SU-2021:2470-1
    CVE Reference
    CVE-2020-12049
    CVSS Scores
    Base 5.5 / Temporal 4.8
    Description
    This update for dbus-1 fixes the following issues: - cve-2020-12049: truncated messages lead to resource exhaustion (bsc#1172505) special instructions and notes: please reboot the system after installing this update.

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    Successful exploitation allows attacker to compromise the system.
    Solution
    Upgrade to the latest package which contains the patch. To install this SUSE Security, Update use YaST online_update. Alternatively you can run the command listed for your product. To install packages using the command line interface, use command "yum update". Refer to Suse security advisory: SUSE-SU-2021:2470-1 to address this issue and obtain further details.
    Patches
    SUSE Enterprise Linux SUSE-SU-2021:2470-1
  • CVE-2021-3611+
    Recently Published

    OpenSUSE Security Update for qemu (openSUSE-SU-2021:2474-1)

    Severity
    Critical4
    Qualys ID
    750901
    Date Published
    July 29, 2021
    Vendor Reference
    openSUSE-SU-2021:2474-1
    CVE Reference
    CVE-2021-3611, CVE-2021-3593, CVE-2021-3592, CVE-2021-3595, CVE-2021-3594, CVE-2021-3582, CVE-2021-3608, CVE-2021-3607
    CVSS Scores
    Base 3.8 / Temporal 3.3
    Description
    OpenSUSE has released a security update for qemu to fix the vulnerabilities.

    Affected Products:
    openSUSE Leap 15.3


    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    Malicious users could also use this vulnerability to change partial contents or configuration on the system and information disclosure.Denial of service can appear in some cases too.
    Solution
    Upgrade to the latest packages which contain a patch. To install this OpenSUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product.

    To install packages using the command line interface, use the command "yum update".

    Refer to SUSE security advisory openSUSE-SU-2021:2474-1 to address this issue and obtain further details.

    Patches
    OpenSuse openSUSE-SU-2021:2474-1
  • CVE-2021-33909
    Recently Published

    Amazon Linux Security Advisory for kernel-livepatch: ALAS2LIVEPATCH-2021-056

    Severity
    Critical4
    Qualys ID
    352496
    Date Published
    July 29, 2021
    Vendor Reference
    ALAS2LIVEPATCH-2021-056
    CVE Reference
    CVE-2021-33909
    CVSS Scores
    Base 7.8 / Temporal 6.8
    Description

    Amazon has released a security update for kernel-livepatch to fix the vulnerabilities. Affected Product: Amazon Linux 2



    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    Allows unauthorized disclosure of information; allows unauthorized modification; allows disruption of service.
    Solution
    Please refer to Amazon advisory: ALAS2LIVEPATCH-2021-056 for affected packages and patching details, or update with your package manager.
    Patches
    Amazon Linux 2 ALAS2LIVEPATCH-2021-056
  • CVE-2021-33909
    Recently Published

    Amazon Linux Security Advisory for kernel-livepatch: ALAS2LIVEPATCH-2021-057

    Severity
    Critical4
    Qualys ID
    352495
    Date Published
    July 29, 2021
    Vendor Reference
    ALAS2LIVEPATCH-2021-057
    CVE Reference
    CVE-2021-33909
    CVSS Scores
    Base 7.8 / Temporal 6.8
    Description

    Amazon has released a security update for kernel-livepatch to fix the vulnerabilities. Affected Product: Amazon Linux 2



    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    Allows unauthorized disclosure of information; allows unauthorized modification; allows disruption of service.
    Solution
    Please refer to Amazon advisory: ALAS2LIVEPATCH-2021-057 for affected packages and patching details, or update with your package manager.
    Patches
    Amazon Linux 2 ALAS2LIVEPATCH-2021-057
  • CVE-2021-33909
    Recently Published

    Amazon Linux Security Advisory for kernel-livepatch: ALAS2LIVEPATCH-2021-058

    Severity
    Critical4
    Qualys ID
    352494
    Date Published
    July 29, 2021
    Vendor Reference
    ALAS2LIVEPATCH-2021-058
    CVE Reference
    CVE-2021-33909
    CVSS Scores
    Base 7.8 / Temporal 6.8
    Description

    Amazon has released a security update for kernel-livepatch to fix the vulnerabilities. Affected Product: Amazon Linux 2



    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    Allows unauthorized disclosure of information; allows unauthorized modification; allows disruption of service.
    Solution
    Please refer to Amazon advisory: ALAS2LIVEPATCH-2021-058 for affected packages and patching details, or update with your package manager.
    Patches
    Amazon Linux 2 ALAS2LIVEPATCH-2021-058
  • CVE-2021-33909
    Recently Published

    Amazon Linux Security Advisory for kernel-livepatch: ALAS2LIVEPATCH-2021-059

    Severity
    Critical4
    Qualys ID
    352493
    Date Published
    July 29, 2021
    Vendor Reference
    ALAS2LIVEPATCH-2021-059
    CVE Reference
    CVE-2021-33909
    CVSS Scores
    Base 7.8 / Temporal 6.8
    Description

    Amazon has released a security update for kernel-livepatch to fix the vulnerabilities. Affected Product: Amazon Linux 2



    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    Allows unauthorized disclosure of information; allows unauthorized modification; allows disruption of service.
    Solution
    Please refer to Amazon advisory: ALAS2LIVEPATCH-2021-059 for affected packages and patching details, or update with your package manager.
    Patches
    Amazon Linux 2 ALAS2LIVEPATCH-2021-059
  • CVE-2020-11668+
    Recently Published

    CentOS Security Update for kernel (CESA-2021:2725)

    Severity
    Critical4
    Qualys ID
    257100
    Date Published
    July 29, 2021
    Vendor Reference
    CESA-2021:2725
    CVE Reference
    CVE-2020-11668, CVE-2019-20934, CVE-2021-33909, CVE-2021-33033, CVE-2021-33034
    CVSS Scores
    Base 7.8 / Temporal 6.8
    Description
    CentOS has released security update for kernel security update to fix the vulnerabilities.

    Affected Products:

    centos 7

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    Successful exploitation of this vulnerability could leads to security breach or could affect Integrity, availability and confidentiality.
    Solution
    To resolve this issue, upgrade to the latest packages which contain a patch. Refer to CentOS advisory >centos 7 for updates and patch information.
    Patches
    centos 7 CESA-2021:2725
  • CVE-2020-8159
    Recently Published

    Debian Security Update for ruby-actionpack-page-caching (DLA 2719-1)

    Severity
    Critical4
    Qualys ID
    178722
    Date Published
    July 29, 2021
    Vendor Reference
    DLA 2719-1
    CVE Reference
    CVE-2020-8159
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description
    Debian has released security update for ruby-actionpack-page-caching to fix the vulnerabilities.



    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    This vulnerability could be exploited to gain remote access to sensitive information and execute commands.
    Solution
    Refer to Debian security advisory to CentOS advisory DLA 2719-1 for updates and patch information.
    Patches
    Debian DLA 2719-1
  • CVE-2020-10255
    In Development

    Lenovo Rowhammer DDR4 Vulnerability (LEN-31370)

    Severity
    Critical4
    Qualys ID
    375724
    Vendor Reference
    LEN-31370
    CVE Reference
    CVE-2020-10255
    CVSS Scores
    Base 9 / Temporal 7.8
    Description
    Lenovo DDR4 DRAM has a issue referred to as TRRespass, where researchers demonstrated a method that claims to bypass existing Targeted Row Refresh (TRR) mitigations in non- ECC (Error-Correcting Code) DDR4 DRAM.

    Affected Products:
    ThinkStation P340 Tiny
    ThinkStation P320
    ThinkStation P330 Tiny
    ThinkStation P320 Tiny
    ThinkStation P310
    ThinkStation P330
    ThinkStation P500
    ThinkStation P520/P520c
    ThinkStation P700
    ThinkStation P900
    ThinkStation P920
    ThinkPad P50
    ThinkPad T470
    ThinkPad T480s
    QID Detection Logic
    : This QID checks if Vulnerable versions of BIOS installed on windows system.

    Consequence
    Successful exploitation could compromise confidentiality, integrity and availability

    Solution
    Customers are recommended to update firmware. Refer to LEN-31370 for firmware updates.
    Patches
    LEN-31370
  • CVE-2020-13529+
    In Development

    Fedora Security Update for systemd (FEDORA-2021-166e461c8d)

    Severity
    Critical4
    Qualys ID
    281739
    Vendor Reference
    FEDORA-2021-166e461c8d
    CVE Reference
    CVE-2020-13529, CVE-2021-33910
    CVSS Scores
    Base 6.1 / Temporal 5.3
    Description
    Fedora has released a security update for systemd to fix the vulnerability.

    Affected OS:
    Fedora 33



    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    This vulnerability can also be used to cause a limited denial of service in the form of interruptions in resource availability.
    Solution
    Fedora has issued updated packages to fix this vulnerability.

    For more information about the vulnerability and obtaining patches, refer to the following Fedora security advisories:
    Fedora 33 Update

    Patches
    Fedora 33 FEDORA-2021-166e461c8d
  • CVE-2021-36740
    In Development

    Fedora Security Update for varnish (FEDORA-2021-cf7585f0ca)

    Severity
    Critical4
    Qualys ID
    281743
    Vendor Reference
    FEDORA-2021-cf7585f0ca
    CVE Reference
    CVE-2021-36740
    CVSS Scores
    Base 4.2 / Temporal 3.7
    Description
    Fedora has released a security update for varnish to fix the vulnerability.

    Affected OS:
    Fedora 34



    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    Malicious users could use this vulnerability to change partial contents or configuration on the system. Additionally this vulnerability can also be used to cause a limited denial of service in the form of interruptions in resource availability.
    Solution
    Fedora has issued updated packages to fix this vulnerability.

    For more information about the vulnerability and obtaining patches, refer to the following Fedora security advisories:
    Fedora 34 Update

    Patches
    Fedora 34 FEDORA-2021-cf7585f0ca
  • CVE-2021-36740
    In Development

    Fedora Security Update for varnish (FEDORA-2021-36e10d3f9f)

    Severity
    Critical4
    Qualys ID
    281742
    Vendor Reference
    FEDORA-2021-36e10d3f9f
    CVE Reference
    CVE-2021-36740
    CVSS Scores
    Base 4.2 / Temporal 3.7
    Description
    Fedora has released a security update for varnish to fix the vulnerability.

    Affected OS:
    Fedora 33



    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    Malicious users could use this vulnerability to change partial contents or configuration on the system. Additionally this vulnerability can also be used to cause a limited denial of service in the form of interruptions in resource availability.
    Solution
    Fedora has issued updated packages to fix this vulnerability.

    For more information about the vulnerability and obtaining patches, refer to the following Fedora security advisories:
    Fedora 33 Update

    Patches
    Fedora 33 FEDORA-2021-36e10d3f9f
  • CVE-2021-30559+
    In Development

    Fedora Security Update for chromium (FEDORA-2021-30c84b4924)

    Severity
    Critical4
    Qualys ID
    281741
    Vendor Reference
    FEDORA-2021-30c84b4924
    CVE Reference
    CVE-2021-30559, CVE-2021-30561, CVE-2021-30562, CVE-2021-30564, CVE-2021-30560, CVE-2021-30563, CVE-2021-30541
    CVSS Scores
    Base 4.2 / Temporal 3.7
    Description
    Fedora has released a security update for chromium to fix the vulnerability.

    Affected OS:
    Fedora 33



    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    Malicious users could use this vulnerability to change partial contents or configuration on the system. Additionally this vulnerability can also be used to cause a limited denial of service in the form of interruptions in resource availability.
    Solution
    Fedora has issued updated packages to fix this vulnerability.

    For more information about the vulnerability and obtaining patches, refer to the following Fedora security advisories:
    Fedora 33 Update

    Patches
    Fedora 33 FEDORA-2021-30c84b4924
  • CVE-2021-28676+
    Recently Published

    Debian Security Update for pillow (DLA 2716-1)

    Severity
    Critical4
    Qualys ID
    178719
    Date Published
    July 29, 2021
    Vendor Reference
    DLA 2716-1
    CVE Reference
    CVE-2021-28676, CVE-2021-28677, CVE-2021-34552, CVE-2020-35653, CVE-2021-25290
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description
    Debian has released security update for pillow to fix the vulnerabilities.



    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    This vulnerability could be exploited to gain remote access to sensitive information and execute commands.
    Solution
    Refer to Debian security advisory to CentOS advisory DLA 2716-1 for updates and patch information.
    Patches
    Debian DLA 2716-1
  • CVE-2021-33909
    Recently Published

    Amazon Linux Security Advisory for kernel: ALAS-2021-1524

    Severity
    Critical4
    Qualys ID
    352491
    Date Published
    July 28, 2021
    Vendor Reference
    ALAS-2021-1524
    CVE Reference
    CVE-2021-33909
    CVSS Scores
    Base 7.8 / Temporal 6.8
    Description

    An out-of-bounds write flaw was found in the linux kernel's seq_file in the filesystem layer.
    This flaw allows a local attacker with a user privilege to gain access to out-of-bound memory, leading to a system crash or a leak of internal kernel information.
    The issue results from not validating the size_t-to-int conversion prior to performing operations.
    The highest threat from this vulnerability is to data integrity, confidentiality and system availability. (
    ( CVE-2021-33909)



    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    Allows unauthorized disclosure of information; allows unauthorized modification; allows disruption of service.
    Solution
    Please refer to Amazon advisory: ALAS-2021-1524 for affected packages and patching details, or update with your package manager.
    Patches
    Amazon Linux ALAS-2021-1524
  • CVE-2021-3592+
    Recently Published

    SUSE Enterprise Linux Security Update for qemu (SUSE-SU-2021:2461-1)

    Severity
    Critical4
    Qualys ID
    750889
    Date Published
    July 28, 2021
    Vendor Reference
    SUSE-SU-2021:2461-1
    CVE Reference
    CVE-2021-3592, CVE-2021-3593, CVE-2021-3595, CVE-2021-3594, CVE-2021-3611
    CVSS Scores
    Base 3.8 / Temporal 3.3
    Description
    This update for qemu fixes the following issues: security issues fixed: - cve-2021-3595: fixed slirp: invalid pointer initialization may lead to information disclosure (tftp) (bsc#1187366) - cve-2021-3592: fix for slirp: invalid pointer initialization may lead to information disclosure (bootp) (bsc#1187364) - cve-2021-3594: fix for slirp: invalid pointer initialization may lead to information disclosure (udp) (bsc#1187367) - cve-2021-3593: fix for slirp: invalid pointer initialization may lead to information disclosure (udp6) (bsc#1187365) - cve-2021-3611: fix intel-hda segmentation fault due to stack overflow (bsc#1187529)

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    Successful exploitation allows attacker to compromise the system.
    Solution
    Upgrade to the latest package which contains the patch. To install this SUSE Security, Update use YaST online_update. Alternatively you can run the command listed for your product. To install packages using the command line interface, use command "yum update". Refer to Suse security advisory: SUSE-SU-2021:2461-1 to address this issue and obtain further details.
    Patches
    SUSE Enterprise Linux SUSE-SU-2021:2461-1
  • CVE-2021-31475
    Recently Published

    SolarWinds Orion Job Scheduler Remote Code Execution Vulnerability

    Severity
    Urgent5
    Qualys ID
    375655
    Date Published
    July 28, 2021
    Vendor Reference
    Orion Platform 2020.2.5 Release Notes
    CVE Reference
    CVE-2021-31475
    CVSS Scores
    Base 8.8 / Temporal 7.7
    Description
    SolarWinds Orion Platform is used to monitor, visualize, and analyze the performance of networks, applications, systems, and databases on-premises, in a hybrid environment, or in the cloud.

    The vulnerability can be used to achieve authenticated RCE as Administrator.
    In order to exploit this, an attacker first needs to know the credentials of an unprivileged local account on the Orion Server.

    Affected Versions:
    SolarWinds Orion Job Scheduler 2020.2.1 through 2020.2.4

    QID Detection Logic (Authenticated):
    This QID checks for vulnerable version of SolarWinds Job Scheduler

    Consequence
    An attacker can leverage this vulnerability to execute code in the context of an administrator.
    Solution
    Customers are advised to upgrade to the version 2020.2.5 Orion Platform 2020.2.5 Release Notes
    Patches
    Orion Platform 2020.2.5 Release Notes
  • CVE-2021-28624+
    Recently Published

    Adobe Photoshop Heap-based Buffer Overflow Vulnerability (APSB21-38)

    Severity
    Urgent5
    Qualys ID
    375616
    Date Published
    July 28, 2021
    Vendor Reference
    APSB21-38
    CVE Reference
    CVE-2021-28624, CVE-2021-28582
    CVSS Scores
    Base 8.8 / Temporal 7.7
    Description
    Adobe Photoshop is an application that allows users to view and edit various graphic formats. This update resolves an arbitrary code execution vulnerability.

    Affected Versions:
    Adobe Photoshop 2020 version 21.2.8 and earlier
    Adobe Photoshop 2021 version 22.4.1 and earlier

    QID Detection Logic:
    Windows(Authenticated): This QID checks for vulnerable version of 'Photoshop.exe' file.

    Consequence
    Successful exploitation can result in arbitrary code execution on target system.

    Solution
    Adobe has released Photoshop version 21.2.9 and 22.4.2 in APSB21-38 to address this vulnerability.
    Patches
    APSB21-38
  • CVE-2021-30789+
    Recently Published

    Apple iOS 14.7 and iPadOS 14.7 Security Update Missing

    Severity
    Urgent5
    Qualys ID
    610349
    Date Published
    July 27, 2021
    Vendor Reference
    HT212601
    CVE Reference
    CVE-2021-30789, CVE-2021-30788, CVE-2021-30781, CVE-2021-30780, CVE-2021-30785, CVE-2021-30786, CVE-2021-30804, CVE-2021-30799, CVE-2021-30802, CVE-2021-30800, CVE-2021-30763, CVE-2021-30748, CVE-2021-30760, CVE-2021-30769, CVE-2021-30768, CVE-2020-36328, CVE-2020-36329, CVE-2020-36331, CVE-2020-36330, CVE-2021-30798, CVE-2021-30791, CVE-2021-30792, CVE-2018-25011, CVE-2018-25010, CVE-2021-30796, CVE-2021-30797, CVE-2018-25014, CVE-2021-30795, CVE-2021-30779, CVE-2021-30758, CVE-2021-30759, CVE-2021-30770, CVE-2021-30773, CVE-2021-30774, CVE-2021-30775, CVE-2021-30776, CVE-2021-3518
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description
    iOS is a mobile operating system created and developed by Apple Inc.

    Following security issues are observed :
    CVE-2021-30789,CVE-2021-30788,CVE-2021-30781,CVE-2021-30780,CVE-2021-30785,CVE-2021-30786,CVE-2021-30804,CVE-2021-30799,CVE-2021-30802,CVE-2021-30800,CVE-2021-30763,CVE-2021-30748,CVE-2021-30760,CVE-2021-30769,CVE-2021-30768,CVE-2020-36328,CVE-2020-36329,CVE-2020-36331,CVE-2020-36330,CVE-2021-30798,CVE-2021-30791,CVE-2021-30792,CVE-2018-25011,CVE-2018-25010,CVE-2021-30796,CVE-2021-30797,CVE-2018-25014,CVE-2021-30795,CVE-2021-30779,CVE-2021-30758,CVE-2021-30759,CVE-2021-30770,CVE-2021-30773,CVE-2021-30774,CVE-2021-30775,CVE-2021-30776,CVE-2021-3518

    Affected Devices
    iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

    Consequence
    On successful exploitation, it could allow an attacker to execute code.
    Solution
    Refer to Apple advisory HT212601 for patching details.
    Patches
    iOS HT212601
  • CVE-2021-30807
    Recently Published

    Apple iOS 14.7.1 and iPadOS 14.7.1 Security Update Missing

    Severity
    Urgent5
    Qualys ID
    610348
    Date Published
    July 27, 2021
    Vendor Reference
    HT212623
    CVE Reference
    CVE-2021-30807
    CVSS Scores
    Base / Temporal
    Description
    iOS is a mobile operating system created and developed by Apple Inc.

    Following security issues are observed :
    A memory corruption issue was addressed with improved memory handling. CVE-2021-30807

    Affected Devices
    iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

    Consequence
    On successful exploitation, it could allow an attacker to execute code.
    Solution
    Refer to Apple advisory HT212623 for patching details.
    Patches
    iOS HT212623
  • CVE-2021-30748+
    Recently Published

    Apple MacOS Big Sur 11.5 Not Installed (HT212602)

    Severity
    Critical4
    Qualys ID
    375746
    Date Published
    July 27, 2021
    Vendor Reference
    HT212602
    CVE Reference
    CVE-2021-30748, CVE-2021-30805, CVE-2021-30790, CVE-2021-30781, CVE-2021-30775, CVE-2021-30776, CVE-2021-30786, CVE-2021-30772, CVE-2021-30783, CVE-2021-30777, CVE-2021-30789, CVE-2021-30774, CVE-2021-30780, CVE-2021-30768, CVE-2021-30760, CVE-2021-30788, CVE-2021-30759, CVE-2021-30803, CVE-2021-30779, CVE-2021-30785, CVE-2021-30787, CVE-2021-30766, CVE-2021-30765, CVE-2021-30784, CVE-2021-30793, CVE-2021-30778, CVE-2021-3518, CVE-2021-30796, CVE-2021-30792, CVE-2021-30791, CVE-2021-30782, CVE-2021-30798, CVE-2021-30758, CVE-2021-30795, CVE-2021-30797, CVE-2021-30799
    CVSS Scores
    Base 8.8 / Temporal 7.7
    Description
    macOS Big Sur (version 11) is the 17th and current major release of macOS, Apple Inc.'s operating system for Macintosh computers, and is the successor to macOS Catalina (version 10.15).

    Affected Versions:
    Apple MacOS Big Sur version before 11.5

    QID Detection Logic:
    This QID checks for vulnerable version of Big sur.

    Consequence
    Opening a maliciously crafted file may lead to unexpected application termination or arbitrary code execution
    Solution
    The updates can be downloaded from Apple Downloads.

    For more information regarding the update can be found at HT212602.

    Patches
    HT212602
  • CVE-2021-29969+
    Recently Published

    OpenSUSE Security Update for MozillaThunderbird (openSUSE-SU-2021:2458-1)

    Severity
    Critical4
    Qualys ID
    750883
    Date Published
    July 26, 2021
    Vendor Reference
    openSUSE-SU-2021:2458-1
    CVE Reference
    CVE-2021-29969, CVE-2021-29970, CVE-2021-30547, CVE-2021-29976
    CVSS Scores
    Base 8.8 / Temporal 7.7
    Description
    OpenSUSE has released a security update for MozillaThunderbird to fix the vulnerabilities.

    Affected Products:
    openSUSE Leap 15.3


    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    This vulnerability could be exploited to gain remote access to sensitive information and execute commands.
    Solution
    Upgrade to the latest packages which contain a patch. To install this OpenSUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product.

    To install packages using the command line interface, use the command "yum update".

    Refer to SUSE security advisory openSUSE-SU-2021:2458-1 to address this issue and obtain further details.

    Patches
    OpenSuse openSUSE-SU-2021:2458-1
  • CVE-2021-3609+
    Recently Published

    OpenSUSE Security Update for the Linux Kernel (openSUSE-SU-2021:1076-1)

    Severity
    Critical4
    Qualys ID
    750887
    Date Published
    July 26, 2021
    Vendor Reference
    openSUSE-SU-2021:1076-1
    CVE Reference
    CVE-2021-3609, CVE-2021-35039, CVE-2021-33909, CVE-2021-22555, CVE-2021-3612
    CVSS Scores
    Base 7.8 / Temporal 7
    Description
    OpenSUSE has released a security update for the Linux Kernel to fix the vulnerabilities.

    Affected Products:
    openSUSE Leap 15.2


    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    This vulnerability could be exploited to gain remote access to sensitive information and execute commands.
    Solution
    Upgrade to the latest packages which contain a patch. To install this OpenSUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product.

    To install packages using the command line interface, use the command "yum update".

    Refer to SUSE security advisory openSUSE-SU-2021:1076-1 to address this issue and obtain further details.

    Patches
    OpenSuse openSUSE-SU-2021:1076-1
  • CVE-2021-23134+
    Recently Published

    SUSE Enterprise Linux Security Update for the Linux Kernel (SUSE-SU-2021:2451-1)

    Severity
    Critical4
    Qualys ID
    750880
    Date Published
    July 26, 2021
    Vendor Reference
    SUSE-SU-2021:2451-1
    CVE Reference
    CVE-2021-23134, CVE-2020-26141, CVE-2021-22555, CVE-2020-26139, CVE-2021-0512, CVE-2021-3609, CVE-2021-32399, CVE-2020-26147, CVE-2021-33909, CVE-2021-0605, CVE-2020-36385, CVE-2021-34693, CVE-2021-33034, CVE-2021-0129, CVE-2020-36386, CVE-2020-24587, CVE-2020-24586, CVE-2020-26558, CVE-2020-26145, CVE-2020-24588
    CVSS Scores
    Base 7.8 / Temporal 7
    Description
    The suse linux enterprise 12 sp3 kernel was updated to receive various security and bugfixes.
    the following security bugs were fixed: - cve-2021-22555: fixed an heap out-of-bounds write in net/netfilter/x_tables.c that could allow local provilege escalation.
    (bsc#1188116) - cve-2021-33909: fixed an out-of-bounds write in the filesystem layer that allows to obtain full root privileges. (
    Bsc#1188062) - cve-2021-3609: fixed a race condition in the can bcm networking protocol which allows for local privilege escalation. (
    Bsc#1187215) - cve-2021-0605: fixed an out-of-bounds read which could lead to local information disclosure in the kernel with system execution privileges needed. (
    Bsc#1187601) - cve-2021-0512: fixed a possible out-of-bounds write which could lead to local escalation of privilege with no additional execution privileges needed. (
    Bsc#1187595) - cve-2021-34693: fixed a bug in net/can/bcm.c which could allow local users to obtain sensitive information from kernel stack memory because parts of a data structure are uninitialized. (
    Bsc#1187452) - cve-2020-36385: fixed a use-after-free flaw in ucma.c which allows for local privilege escalation. (
    Bsc#1187050) - cve-2021-0129: fixed an improper access control in bluez that may have allowed an authenticated user to potentially enable information disclosure via adjacent access. (
    Bsc#1186463) - cve-2020-26558: fixed a flaw in the bluetooth le and br/edr secure pairing that could permit a nearby man-in-the-middle attacker to identify the passkey used during pairing. (
    Bsc#1179610) - cve-2020-36386: fixed an out-of-bounds read in hci_extended_inquiry_result_evt. (
    Bsc#1187038) - cve-2020-24588: fixed a bug that could allow an adversary to abuse devices that support receiving non-ssp a-msdu frames to inject arbitrary network packets. (
    Bsc#1185861) - cve-2021-32399: fixed a race condition in net/bluetooth/hci_request.c for removal of the hci controller. (
    Bsc#1184611) - cve-2021-33034: fixed an issue in net/bluetooth/hci_event.c where a use-after-free leads to writing an arbitrary value. (
    Bsc#1186111) - cve-2020-26139: fixed a bug that allows an access point (ap) to forward eapol frames to other clients even though the sender has not yet successfully authenticated.
    This might be abused in projected wi-fi networks to launch denial-of-service attacks against connected clients and made it easier to exploit other vulnerabilities in connected clients. (
    Bsc#1186062) - cve-2021-23134: fixed a use after free vulnerability in nfc sockets which allows local attackers to elevate their privileges. (
    Bsc#1186060) - cve-2020-24586: fixed a bug that, under the right circumstances, allows to inject arbitrary network packets and/or exfiltrate user data when another device sends fragmented frames encrypted using wep, ccmp, or gcmp. (
    Bsc#1185859) - cve-2020-26141: fixed a flaw that could allows an adversary to inject and possibly decrypt packets in wpa or wpa2 networks that support the tkip data-confidentiality protocol. (
    Bsc#1185987) - cve-2020-26145: fixed a bug in the wep, wpa, wpa2, and wpa3 implementations that could allows an adversary to inject arbitrary network packets. (
    Bsc#1185860) - cve-2020-24587: fixed a bug that allows an adversary to decrypt selected fragments when another device sends fragmented frames and the wep, ccmp, or gcmp encryption key is periodically renewed. (
    Bsc#1185862) - cve-2020-26147: fixed a bug in the wep, wpa, wpa2, and wpa3 implementations that could allows an adversary to inject packets and/or exfiltrate selected fragments when another device sends fragmented frames. (

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    Successful exploitation allows attacker to compromise the system.
    Solution
    Upgrade to the latest package which contains the patch. To install this SUSE Security, Update use YaST online_update. Alternatively you can run the command listed for your product. To install packages using the command line interface, use command "yum update". Refer to Suse security advisory: SUSE-SU-2021:2451-1 to address this issue and obtain further details.
    Patches
    SUSE Enterprise Linux SUSE-SU-2021:2451-1
  • CVE-2021-2369+
    Recently Published

    CentOS Security Update for java-11-openjdk (CESA-2021:2784)

    Severity
    Critical4
    Qualys ID
    257099
    Date Published
    July 26, 2021
    Vendor Reference
    CESA-2021:2784
    CVE Reference
    CVE-2021-2369, CVE-2021-2388, CVE-2021-2341
    CVSS Scores
    Base 7.5 / Temporal 6.5
    Description
    CentOS has released security update for java-11-openjdk security update to fix the vulnerabilities.

    Affected Products:

    centos 7

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    Malicious users could use this vulnerability to change partial contents or configuration on the system. Additionally this vulnerability can also be used to cause a limited denial of service in the form of interruptions in resource availability.
    Solution
    To resolve this issue, upgrade to the latest packages which contain a patch. Refer to CentOS advisory >centos 7 for updates and patch information.
    Patches
    centos 7 CESA-2021:2784
  • CVE-2021-34558
    Recently Published

    OpenSUSE Security Update for go1.16 (openSUSE-SU-2021:1078-1)

    Severity
    Critical4
    Qualys ID
    750884
    Date Published
    July 26, 2021
    Vendor Reference
    openSUSE-SU-2021:1078-1
    CVE Reference
    CVE-2021-34558
    CVSS Scores
    Base 6.5 / Temporal 5.7
    Description
    OpenSUSE has released a security update for go1.16 to fix the vulnerabilities.

    Affected Products:
    openSUSE Leap 15.2


    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    Malicious users could use this vulnerability to change partial contents or configuration on the system. Additionally this vulnerability can also be used to cause a limited denial of service in the form of interruptions in resource availability.
    Solution
    Upgrade to the latest packages which contain a patch. To install this OpenSUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product.

    To install packages using the command line interface, use the command "yum update".

    Refer to SUSE security advisory openSUSE-SU-2021:1078-1 to address this issue and obtain further details.

    Patches
    OpenSuse openSUSE-SU-2021:1078-1
  • CVE-2021-3593+
    Recently Published

    SUSE Enterprise Linux Security Update for qemu (SUSE-SU-2021:2448-1)

    Severity
    Critical4
    Qualys ID
    750879
    Date Published
    July 26, 2021
    Vendor Reference
    SUSE-SU-2021:2448-1
    CVE Reference
    CVE-2021-3593, CVE-2021-3594, CVE-2021-3611, CVE-2021-3595, CVE-2021-3592, CVE-2021-3608, CVE-2021-3607, CVE-2021-3582
    CVSS Scores
    Base 3.8 / Temporal 3.3
    Description
    This update for qemu fixes the following issues: security fixes: - cve-2021-3595: fixed slirp: invalid pointer initialization may lead to information disclosure (tftp) (bsc#1187366) - cve-2021-3592: fix for slirp: invalid pointer initialization may lead to information disclosure (bootp) (bsc#1187364) - cve-2021-3594: fix for slirp: invalid pointer initialization may lead to information disclosure (udp) (bsc#1187367) - cve-2021-3593: fix for slirp: invalid pointer initialization may lead to information disclosure (udp6) (bsc#1187365) - cve-2021-3582: fixed possible mremap overflow in the pvrdma (bsc#1187499) - cve-2021-3607: ensure correct input on ring init (bsc#1187539) - cve-2021-3608: fixed the ring init error flow (bsc#1187538) - cve-2021-3611: fixed intel-hda segmentation fault due to stack overflow (bsc#1187529) other fixes: - fix qemu hang while cancelling migrating hugepage vm (bsc#1185591)

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    Successful exploitation allows attacker to compromise the system.
    Solution
    Upgrade to the latest package which contains the patch. To install this SUSE Security, Update use YaST online_update. Alternatively you can run the command listed for your product. To install packages using the command line interface, use command "yum update". Refer to Suse security advisory: SUSE-SU-2021:2448-1 to address this issue and obtain further details.
    Patches
    SUSE Enterprise Linux SUSE-SU-2021:2448-1
  • CVE-2021-33909
    Recently Published

    Fedora Security Update for kernel (FEDORA-2021-07dc0b3eb1)

    Severity
    Urgent5
    Qualys ID
    281734
    Date Published
    July 26, 2021
    Vendor Reference
    FEDORA-2021-07dc0b3eb1
    CVE Reference
    CVE-2021-33909
    CVSS Scores
    Base 7.8 / Temporal 6.8
    Description
    Fedora has released a security update for kernel to fix the vulnerability.

    Affected OS:
    Fedora 34



    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    Malicious users could use this vulnerability to change partial contents or configuration on the system. Additionally this vulnerability can also be used to cause a limited denial of service in the form of interruptions in resource availability.
    Solution
    Fedora has issued updated packages to fix this vulnerability.

    For more information about the vulnerability and obtaining patches, refer to the following Fedora security advisories:
    Fedora 34 Update

    Patches
    Fedora 34 FEDORA-2021-07dc0b3eb1
  • CVE-2021-30790+
    Recently Published

    Apple macOS Security Update 2021-005 Mojave (HT212603)

    Severity
    Critical4
    Qualys ID
    375748
    Date Published
    July 26, 2021
    Vendor Reference
    HT212603
    CVE Reference
    CVE-2021-30790, CVE-2021-30781, CVE-2021-30805, CVE-2021-30672, CVE-2021-30777, CVE-2021-30733, CVE-2021-30780, CVE-2021-30760, CVE-2021-30759, CVE-2021-30788, CVE-2021-30787, CVE-2021-30765, CVE-2021-30766, CVE-2021-30703, CVE-2021-30793, CVE-2021-30677, CVE-2021-30783, CVE-2021-30796, CVE-2021-30782, CVE-2021-30799
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description
    Multiple vulnerabilities were addressed in Apple macOS.

    Affected versions:
    Apple macOS Security Update Prior to 2021-005 Mojave.

    QID Detection Logic (Authenticated):
    This QID looks for the missing security patches from Mojave

    Consequence
    Successful exploitation could allows arbitrary code execution, elevate privileges, denial of service.

    Solution
    The vendor has issued these fixes: Apple macOS Security Update 2021-005 Mojave.
    The updates can be downloaded from Apple Downloads.

    For more information regarding the update can be found at HT212603.

    Patches
    HT212603
  • CVE-2021-30805+
    Recently Published

    Apple macOS Security Update 2021-004 Catalina (HT212600)

    Severity
    Critical4
    Qualys ID
    375747
    Date Published
    July 26, 2021
    Vendor Reference
    HT212600
    CVE Reference
    CVE-2021-30805, CVE-2021-30790, CVE-2021-30781, CVE-2021-30672, CVE-2021-30775, CVE-2021-30776, CVE-2021-30777, CVE-2021-30789, CVE-2021-30733, CVE-2021-30780, CVE-2021-30768, CVE-2021-30760, CVE-2021-30759, CVE-2021-30788, CVE-2021-30785, CVE-2021-30787, CVE-2021-30765, CVE-2021-30766, CVE-2021-30731, CVE-2021-30703, CVE-2021-30793, CVE-2021-30677, CVE-2021-30783, CVE-2021-30796, CVE-2021-30782, CVE-2021-30799
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description
    Multiple vulnerabilities were addressed in Apple macOS.

    Affected versions:
    Apple macOS Security Update 2021-004 Catalina.

    QID Detection Logic (Authenticated):
    This QID looks for the missing security patches from Catalina

    Consequence
    Successful exploitation could allow an attacker to the disclosure of sensitive user information, read restricted memory, read arbitrary files, disclosure of process memory, unexpected application termination or arbitrary code execution, denial of service, and privilege escalation.

    Solution
    The vendor has released these fixes: Security Update 2021-004 Catalina.
    The updates can be downloaded from Apple Downloads.

    For more information regarding the update can be found at HT212600.

    Patches
    HT212600
  • CVE-2021-32680+
    Recently Published

    Fedora Security Update for nextcloud (FEDORA-2021-6f327296fe)

    Severity
    Critical4
    Qualys ID
    281736
    Date Published
    July 26, 2021
    Vendor Reference
    FEDORA-2021-6f327296fe
    CVE Reference
    CVE-2021-32680, CVE-2021-32688, CVE-2021-32705, CVE-2021-32679, CVE-2021-32678, CVE-2021-32703
    CVSS Scores
    Base 8.8 / Temporal 7.7
    Description
    Fedora has released a security update for nextcloud to fix the vulnerability.

    Affected OS:
    Fedora 33



    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    This vulnerability could be exploited to gain remote access to sensitive information and execute commands.
    Solution
    Fedora has issued updated packages to fix this vulnerability.

    For more information about the vulnerability and obtaining patches, refer to the following Fedora security advisories:
    Fedora 33 Update

    Patches
    Fedora 33 FEDORA-2021-6f327296fe
  • CVE-2021-32680+
    Recently Published

    Fedora Security Update for nextcloud (FEDORA-2021-9b421b78af)

    Severity
    Critical4
    Qualys ID
    281735
    Date Published
    July 26, 2021
    Vendor Reference
    FEDORA-2021-9b421b78af
    CVE Reference
    CVE-2021-32680, CVE-2021-32688, CVE-2021-32705, CVE-2021-32679, CVE-2021-32678, CVE-2021-32703
    CVSS Scores
    Base 8.8 / Temporal 7.7
    Description
    Fedora has released a security update for nextcloud to fix the vulnerability.

    Affected OS:
    Fedora 34



    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    This vulnerability could be exploited to gain remote access to sensitive information and execute commands.
    Solution
    Fedora has issued updated packages to fix this vulnerability.

    For more information about the vulnerability and obtaining patches, refer to the following Fedora security advisories:
    Fedora 34 Update

    Patches
    Fedora 34 FEDORA-2021-9b421b78af
  • CVE-2020-26558+
    Recently Published

    OpenSUSE Security Update for the Linux Kernel (openSUSE-SU-2021:2427-1)

    Severity
    Critical4
    Qualys ID
    750877
    Date Published
    July 26, 2021
    Vendor Reference
    openSUSE-SU-2021:2427-1
    CVE Reference
    CVE-2020-26558, CVE-2020-36385, CVE-2020-36386, CVE-2021-0512, CVE-2021-34693, CVE-2021-22555, CVE-2020-24588, CVE-2021-0605, CVE-2021-33200, CVE-2021-33624, CVE-2021-3609, CVE-2021-33909, CVE-2021-0129
    CVSS Scores
    Base 7.8 / Temporal 7
    Description
    OpenSUSE has released a security update for the Linux Kernel to fix the vulnerabilities.

    Affected Products:
    openSUSE Leap 15.3


    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    This vulnerability could be exploited to gain remote access to sensitive information and execute commands.
    Solution
    Upgrade to the latest packages which contain a patch. To install this OpenSUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product.

    To install packages using the command line interface, use the command "yum update".

    Refer to SUSE security advisory openSUSE-SU-2021:2427-1 to address this issue and obtain further details.

    Patches
    OpenSuse openSUSE-SU-2021:2427-1
  • CVE-2021-27277
    In Development

    SolarWinds Server and Application Monitor Privilege Escalation Vulnerability

    Severity
    Critical4
    Qualys ID
    375739
    Vendor Reference
    SAM 2020.2.5 Release Notes
    CVE Reference
    CVE-2021-27277
    CVSS Scores
    Base 7.8 / Temporal 6.8
    Description
    SolarWinds Server and Application Monitor provide monitoring, alerting, reporting, and server management options while supporting multiple hardware vendors.

    Affected Product:
    SolarWinds Server and Application Monitor 2020.2 versions prior to 2020.2.5

    QID Detection Logic:(Authenticated)
    This QID checks for APMServiceControl.exe file version to detect the vulnerable version of the product.

    Consequence
    An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of SYSTEM.
    Solution
    SolarWinds has released fixes in version SAM 2020.2.5
    Patches
    SAM 2020.2.5
  • CVE-2021-33910
    Recently Published

    Fedora Security Update for systemd (FEDORA-2021-2a6ba64260)

    Severity
    Critical4
    Qualys ID
    281733
    Date Published
    July 26, 2021
    Vendor Reference
    FEDORA-2021-2a6ba64260
    CVE Reference
    CVE-2021-33910
    CVSS Scores
    Base 5.5 / Temporal 4.8
    Description
    Fedora has released a security update for systemd to fix the vulnerability.

    Affected OS:
    Fedora 34



    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    Malicious users could use this vulnerability to change partial contents or configuration on the system. Additionally this vulnerability can also be used to cause a limited denial of service in the form of interruptions in resource availability.
    Solution
    Fedora has issued updated packages to fix this vulnerability.

    For more information about the vulnerability and obtaining patches, refer to the following Fedora security advisories:
    Fedora 34 Update

    Patches
    Fedora 34 FEDORA-2021-2a6ba64260
  • CVE-2021-3567
    Recently Published

    OpenSUSE Security Update for caribou (openSUSE-SU-2021:1071-1)

    Severity
    Critical4
    Qualys ID
    750876
    Date Published
    July 26, 2021
    Vendor Reference
    openSUSE-SU-2021:1071-1
    CVE Reference
    CVE-2021-3567
    CVSS Scores
    Base 4.2 / Temporal 3.7
    Description
    OpenSUSE has released a security update for caribou to fix the vulnerabilities.

    Affected Products:
    openSUSE Leap 15.2


    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    Malicious users could use this vulnerability to change partial contents or configuration on the system. Additionally this vulnerability can also be used to cause a limited denial of service in the form of interruptions in resource availability.
    Solution
    Upgrade to the latest packages which contain a patch. To install this OpenSUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product.

    To install packages using the command line interface, use the command "yum update".

    Refer to SUSE security advisory openSUSE-SU-2021:1071-1 to address this issue and obtain further details.

    Patches
    OpenSuse openSUSE-SU-2021:1071-1
  • CVE-2021-3607+
    Recently Published

    OpenSUSE Security Update for qemu (openSUSE-SU-2021:2442-1)

    Severity
    Critical4
    Qualys ID
    750874
    Date Published
    July 26, 2021
    Vendor Reference
    openSUSE-SU-2021:2442-1
    CVE Reference
    CVE-2021-3607, CVE-2021-3582, CVE-2021-3608, CVE-2021-3611
    CVSS Scores
    Base 4.2 / Temporal 3.7
    Description
    OpenSUSE has released a security update for qemu to fix the vulnerabilities.

    Affected Products:
    openSUSE Leap 15.3


    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    Malicious users could use this vulnerability to change partial contents or configuration on the system. Additionally this vulnerability can also be used to cause a limited denial of service in the form of interruptions in resource availability.
    Solution
    Upgrade to the latest packages which contain a patch. To install this OpenSUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product.

    To install packages using the command line interface, use the command "yum update".

    Refer to SUSE security advisory openSUSE-SU-2021:2442-1 to address this issue and obtain further details.

    Patches
    OpenSuse openSUSE-SU-2021:2442-1
  • CVE-2021-30541+
    Recently Published

    OpenSUSE Security Update for chromium (openSUSE-SU-2021:1073-1)

    Severity
    Critical4
    Qualys ID
    750873
    Date Published
    July 26, 2021
    Vendor Reference
    openSUSE-SU-2021:1073-1
    CVE Reference
    CVE-2021-30541, CVE-2021-30564, CVE-2021-30563, CVE-2021-30560, CVE-2021-30559, CVE-2021-30562, CVE-2021-30561
    CVSS Scores
    Base 4.2 / Temporal 3.7
    Description
    OpenSUSE has released a security update for chromium to fix the vulnerabilities.

    Affected Products:
    openSUSE Leap 15.2


    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    Malicious users could use this vulnerability to change partial contents or configuration on the system. Additionally this vulnerability can also be used to cause a limited denial of service in the form of interruptions in resource availability.
    Solution
    Upgrade to the latest packages which contain a patch. To install this OpenSUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product.

    To install packages using the command line interface, use the command "yum update".

    Refer to SUSE security advisory openSUSE-SU-2021:1073-1 to address this issue and obtain further details.

    Patches
    OpenSuse openSUSE-SU-2021:1073-1
  • Recently Published

    Fedora Security Update for kernel (FEDORA-2021-4786624190)

    Severity
    Critical4
    Qualys ID
    281732
    Date Published
    July 26, 2021
    Vendor Reference
    FEDORA-2021-4786624190
    CVSS Scores
    Base 4.2 / Temporal 3.7
    Description
    Fedora has released a security update for kernel to fix the vulnerability.

    Affected OS:
    Fedora 33



    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    Malicious users could use this vulnerability to change partial contents or configuration on the system. Additionally this vulnerability can also be used to cause a limited denial of service in the form of interruptions in resource availability.
    Solution
    Fedora has issued updated packages to fix this vulnerability.

    For more information about the vulnerability and obtaining patches, refer to the following Fedora security advisories:
    Fedora 33 Update

    Patches
    Fedora 33 FEDORA-2021-4786624190
  • CVE-2021-32680+
    In Development

    OpenSUSE Security Update for nextcloud (openSUSE-SU-2021:1068-1)

    Severity
    Critical4
    Qualys ID
    750850
    Vendor Reference
    openSUSE-SU-2021:1068-1
    CVE Reference
    CVE-2021-32680, CVE-2020-8294, CVE-2020-8295, CVE-2021-32734, CVE-2021-32703, CVE-2021-32688, CVE-2021-32679, CVE-2020-8293, CVE-2021-32678, CVE-2021-32725, CVE-2021-32726, CVE-2021-32705, CVE-2021-32741
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description
    OpenSUSE has released a security update for nextcloud to fix the vulnerabilities.

    Affected Products:
    openSUSE Leap 15.2


    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    This vulnerability could be exploited to gain remote access to sensitive information and execute commands.
    Solution
    Upgrade to the latest packages which contain a patch. To install this OpenSUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product.

    To install packages using the command line interface, use the command "yum update".

    Refer to SUSE security advisory openSUSE-SU-2021:1068-1 to address this issue and obtain further details.

    Patches
    OpenSuse openSUSE-SU-2021:1068-1
  • CVE-2019-17195+
    Under Investigation

    Oracle PeopleSoft Enterprise PeopleTools Product Multiple Vulnerabilities (CPUJUL2021)

    Severity
    Critical4
    Qualys ID
    375720
    Vendor Reference
    CPUJUL2021
    CVE Reference
    CVE-2019-17195, CVE-2021-27568, CVE-2021-22884, CVE-2021-3450, CVE-2021-7017, CVE-2021-2408, CVE-2021-21290, CVE-2021-2407, CVE-2020-13956, CVE-2020-2377, CVE-2020-8908
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description
    Oracle's PeopleSoft applications are designed to address the most complex business requirements. PeopleSoft PeopleTools provides a comprehensive development toolset that supports the development and runtime of PeopleSoft applications.

    Affected Versions:
    Oracle PeopleSoft Enterprise PeopleTools 8.57
    Oracle PeopleSoft Enterprise PeopleTools 8.58
    Oracle PeopleSoft Enterprise PeopleTools 8.59

    QID Detection Logic (Authenticated):
    The authenticated check looks for the installed version of PeopleTools and it's corresponding patch.

    Consequence
    Successful exploitation of this vulnerability allows unauthorized disclosure of information, unauthorized modification and disruption of service.
    Solution
    Newer versions are available to download. For more information about this product or to check for new releases, go to the Oracle PeopleSoft Products.
    Patches
    CPUJUL2021
  • CVE-2021-0089+
    In Development

    Gentoo Linux Xen Multiple vulnerabilities (GLSA 202107-30)

    Severity
    Critical4
    Qualys ID
    710038
    Vendor Reference
    GLSA 202107-30
    CVE Reference
    CVE-2021-0089, CVE-2021-28692, CVE-2021-3308, CVE-2021-28691, CVE-2020-29479, CVE-2020-29569, CVE-2021-28693, CVE-2020-29567, CVE-2020-29571, CVE-2021-26313, CVE-2020-29486, CVE-2020-29570, CVE-2021-28690, CVE-2021-28687, CVE-2020-29568, CVE-2020-29566, CVE-2020-29487
    CVSS Scores
    Base 8.8 / Temporal 7.7
    Description
    Gentoo Linux is a Linux distribution

    Multiple vulnerabilities have been found in Xen, the worst of which could result in privilege escalation.

    Affected Package(s): app-emulation/xen-{VERSION}

    Affected versions: Prior to


    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    This vulnerability can also be used to cause a limited denial of service in the form of interruptions in resource availability.
    Solution
    The Vendor has released security update to fix the vulnerability. For more information please visit GLSA 202107-30 for updates and patch information.
    Patches
    Gentoo GLSA 202107-30
  • CVE-2021-36007+
    Under Investigation

    Adobe Prelude Arbitrary code execution Vulnerability (ASPB21-58)

    Severity
    Critical4
    Qualys ID
    375740
    Vendor Reference
    ASPB21-58
    CVE Reference
    CVE-2021-36007, CVE-2021-35999
    CVSS Scores
    Base 8.8 / Temporal 7.7
    Description
    Adobe Prelude is an ingest and logging tool for tagging media with metadata for searching, post-production workflows, and footage lifecycle management.

    These updates address critical vulnerabilities Arbitrary code execution in Adobe Prelude. Affected Versions:
    Adobe Prelude 10.0 and earlier versions

    QID Detection Logic:(Authenticated)
    This QID checks the Windows registry to see if Adobe Prelude is installed. If found, it checks if the installed versions are vulnerable.

    Consequence
    On successful exploitation of this vulnerability, an attacker could execute arbitrary code.
    Solution
    The vendor has released a patch for Adobe Prelude
    For more information please visit ASPB21-58
    Patches
    ASPB21-58
  • CVE-2021-3560
    In Development

    Gentoo Linux polkit Privilege escalation (GLSA 202107-31)

    Severity
    Critical4
    Qualys ID
    710037
    Vendor Reference
    GLSA 202107-31
    CVE Reference
    CVE-2021-3560
    CVSS Scores
    Base 4.2 / Temporal 3.7
    Description
    Gentoo Linux is a Linux distribution

    A vulnerability in polkit could lead to local root privilege escalation.

    Affected Package(s): sys-auth/polkit-{VERSION}

    Affected versions: Prior to


    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    Malicious users could use this vulnerability to change partial contents or configuration on the system. Additionally this vulnerability can also be used to cause a limited denial of service in the form of interruptions in resource availability.
    Solution
    The Vendor has released security update to fix the vulnerability. For more information please visit GLSA 202107-31 for updates and patch information.
    Patches
    Gentoo GLSA 202107-31
  • Recently Published

    Fedora Security Update for firefox (FEDORA-2021-722e2543fe)

    Severity
    Urgent5
    Qualys ID
    281723
    Date Published
    July 26, 2021
    Vendor Reference
    FEDORA-2021-722e2543fe
    CVSS Scores
    Base 4.2 / Temporal 3.7
    Description
    Fedora has released a security update for firefox to fix the vulnerability.

    Affected OS:
    Fedora 34



    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    Malicious users could use this vulnerability to change partial contents or configuration on the system. Additionally this vulnerability can also be used to cause a limited denial of service in the form of interruptions in resource availability.
    Solution
    Fedora has issued updated packages to fix this vulnerability.

    For more information about the vulnerability and obtaining patches, refer to the following Fedora security advisories:
    Fedora 34 Update

    Patches
    Fedora 34 FEDORA-2021-722e2543fe
  • CVE-2021-3570+
    Recently Published

    Fedora Security Update for linuxptp (FEDORA-2021-a5b584004c)

    Severity
    Critical4
    Qualys ID
    281726
    Date Published
    July 26, 2021
    Vendor Reference
    FEDORA-2021-a5b584004c
    CVE Reference
    CVE-2021-3570, CVE-2021-3571
    CVSS Scores
    Base 8.8 / Temporal 7.7
    Description
    Fedora has released a security update for linuxptp to fix the vulnerability.

    Affected OS:
    Fedora 33



    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    This vulnerability could be exploited to gain remote access to sensitive information and execute commands.
    Solution
    Fedora has issued updated packages to fix this vulnerability.

    For more information about the vulnerability and obtaining patches, refer to the following Fedora security advisories:
    Fedora 33 Update

    Patches
    Fedora 33 FEDORA-2021-a5b584004c
  • CVE-2021-3570+
    Recently Published

    Fedora Security Update for linuxptp (FEDORA-2021-1b42c2f458)

    Severity
    Critical4
    Qualys ID
    281725
    Date Published
    July 26, 2021
    Vendor Reference
    FEDORA-2021-1b42c2f458
    CVE Reference
    CVE-2021-3570, CVE-2021-3571
    CVSS Scores
    Base 8.8 / Temporal 7.7
    Description
    Fedora has released a security update for linuxptp to fix the vulnerability.

    Affected OS:
    Fedora 34



    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    This vulnerability could be exploited to gain remote access to sensitive information and execute commands.
    Solution
    Fedora has issued updated packages to fix this vulnerability.

    For more information about the vulnerability and obtaining patches, refer to the following Fedora security advisories:
    Fedora 34 Update

    Patches
    Fedora 34 FEDORA-2021-1b42c2f458
  • CVE-2021-30563+
    Recently Published

    Fedora Security Update for chromium (FEDORA-2021-9f62d36f09)

    Severity
    Critical4
    Qualys ID
    281721
    Date Published
    July 26, 2021
    Vendor Reference
    FEDORA-2021-9f62d36f09
    CVE Reference
    CVE-2021-30563, CVE-2021-30564, CVE-2021-30561, CVE-2021-30559, CVE-2021-30562, CVE-2021-30560, CVE-2021-30541
    CVSS Scores
    Base 4.2 / Temporal 3.7
    Description
    Fedora has released a security update for chromium to fix the vulnerability.

    Affected OS:
    Fedora 34



    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    Malicious users could use this vulnerability to change partial contents or configuration on the system. Additionally this vulnerability can also be used to cause a limited denial of service in the form of interruptions in resource availability.
    Solution
    Fedora has issued updated packages to fix this vulnerability.

    For more information about the vulnerability and obtaining patches, refer to the following Fedora security advisories:
    Fedora 34 Update

    Patches
    Fedora 34 FEDORA-2021-9f62d36f09
  • Recently Published

    Fedora Security Update for firefox (FEDORA-2021-e0adbf04a9)

    Severity
    Urgent5
    Qualys ID
    281717
    Date Published
    July 26, 2021
    Vendor Reference
    FEDORA-2021-e0adbf04a9
    CVSS Scores
    Base 4.2 / Temporal 3.7
    Description
    Fedora has released a security update for firefox to fix the vulnerability.

    Affected OS:
    Fedora 33



    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    Malicious users could use this vulnerability to change partial contents or configuration on the system. Additionally this vulnerability can also be used to cause a limited denial of service in the form of interruptions in resource availability.
    Solution
    Fedora has issued updated packages to fix this vulnerability.

    For more information about the vulnerability and obtaining patches, refer to the following Fedora security advisories:
    Fedora 33 Update

    Patches
    Fedora 33 FEDORA-2021-e0adbf04a9
  • Recently Published

    Fedora Security Update for seamonkey (FEDORA-2021-01f851ab8d)

    Severity
    Critical4
    Qualys ID
    281720
    Date Published
    July 26, 2021
    Vendor Reference
    FEDORA-2021-01f851ab8d
    CVSS Scores
    Base 4.2 / Temporal 3.7
    Description
    Fedora has released a security update for seamonkey to fix the vulnerability.

    Affected OS:
    Fedora 33



    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    Malicious users could use this vulnerability to change partial contents or configuration on the system. Additionally this vulnerability can also be used to cause a limited denial of service in the form of interruptions in resource availability.
    Solution
    Fedora has issued updated packages to fix this vulnerability.

    For more information about the vulnerability and obtaining patches, refer to the following Fedora security advisories:
    Fedora 33 Update

    Patches
    Fedora 33 FEDORA-2021-01f851ab8d
  • CVE-2010-1435
    Recently Published

    Joomla Core Vulnerability CVE-2010-1435

    Severity
    Urgent5
    Qualys ID
    154098
    Date Published
    July 26, 2021
    Vendor Reference
    [20100423] - Core - Password Reset Tokens
    CVE Reference
    CVE-2010-1435
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description
    Joomla! Core is prone to a security bypass vulnerability. Exploiting this issue may allow attackers to perform otherwise restricted actions and subsequently retrieve password reset tokens from the database through an already existing SQL injection vector. Joomla! Core versions 1.5.x ranging from 1.5.0 and up to and including 1.5.15 are vulnerable.
    Consequence
    When a user requests a password reset, the reset tokens were stored in plain text in the database. While this is not a vulnerability in itself, it allows user accounts to be compromised if there is an extension on the site with an existing SQL injection vulnerability.
    Solution
    Customers are advised to upgrade to latest Joomla! 1.5.16 or later versions to remediate this vulnerability.
    Patches
    Joomla! 1.5.16
  • CVE-2021-2371+
    Recently Published

    Oracle Coherence July 2021 Critical Patch Update

    Severity
    Critical4
    Qualys ID
    375733
    Date Published
    July 23, 2021
    Vendor Reference
    CPUJULY2021
    CVE Reference
    CVE-2021-2371, CVE-2021-2344, CVE-2021-2428
    CVSS Scores
    Base 8.1 / Temporal 7.1
    Description
    Oracle Coherence is an in-memory data grid solution that enables organizations to predictably scale mission-critical applications by providing fast access to frequently used data.

    Oracle Coherence is affected by CVE-2021-2371, CVE-2021-2344, CVE-2021-2428.

    Affected Versions:
    Oracle Coherence, version(s) 3.7, 12.1.3.0, 12.2.1.3, 12.2.1.4 and 14.1.1.0

    QID Detection Logic (Authenticated):
    Operating System: Linux
    This QID checks to see if Oracle Coherence process is listening on any of the TCP port. The version is checked via product.xml under the install location of coherence. The patches for 12.x are checked under "Install Location"/invetory/patches.

    QID Detection Logic (Authenticated):
    Operating System: Windows
    The QID checks the "Oracle_Home" path with help of the registry key "HKLM\Software\Oracle". The QID verifies if the affected Oracle Coherence version is installed on the host and then checks if the corresponding patch is applied or not.

    Patch IDs checked:
    Coherence 3.7.1.0, Patch 32973233
    Coherence 12.1.3.0.0 Patch 32973268
    Coherence 12.2.1.3.0 Patch 32973279
    Coherence 12.2.1.4.0 Patch 32973297
    Coherence 14.1.1.0.0 Patch 32973306

    Consequence
    Successful exploitation could allow an attacker to execute arbitrary code on the target system.
    Solution
    The vendor has released patches for these issues. Customers are advised to refer to Oracle CPUJULY2021 for detailed information.

    Patches
    CPUJULY2021
  • CVE-2021-3570
    Recently Published

    SUSE Enterprise Linux Security Update for linuxptp (SUSE-SU-2021:2443-1)

    Severity
    Critical4
    Qualys ID
    750871
    Date Published
    July 22, 2021
    Vendor Reference
    SUSE-SU-2021:2443-1
    CVE Reference
    CVE-2021-3570
    CVSS Scores
    Base 8.8 / Temporal 7.7
    Description
    This update for linuxptp fixes the following issues: - cve-2021-3570: validate the messagelength field of incoming messages.
    (bsc#1187646)

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    Successful exploitation allows attacker to compromise the system.
    Solution
    Upgrade to the latest package which contains the patch. To install this SUSE Security, Update use YaST online_update. Alternatively you can run the command listed for your product. To install packages using the command line interface, use command "yum update". Refer to Suse security advisory: SUSE-SU-2021:2443-1 to address this issue and obtain further details.
    Patches
    SUSE Enterprise Linux SUSE-SU-2021:2443-1
  • CVE-2021-22555+
    Recently Published

    SUSE Enterprise Linux Security Update for the Linux Kernel (SUSE-SU-2021:2421-1)

    Severity
    Critical4
    Qualys ID
    750864
    Date Published
    July 22, 2021
    Vendor Reference
    SUSE-SU-2021:2421-1
    CVE Reference
    CVE-2021-22555, CVE-2021-3491, CVE-2020-26145, CVE-2020-24587, CVE-2021-0129, CVE-2020-26141, CVE-2020-36385, CVE-2021-33624, CVE-2021-33034, CVE-2021-3609, CVE-2021-0605, CVE-2021-33200, CVE-2021-23134, CVE-2020-26139, CVE-2021-32399, CVE-2021-0512, CVE-2020-36386, CVE-2020-26558, CVE-2021-33909, CVE-2020-26147, CVE-2020-24586, CVE-2020-24588, CVE-2021-34693, CVE-2021-23133
    CVSS Scores
    Base 8.8 / Temporal 7.9
    Description
    The suse linux enterprise 15 ltss kernel was updated to receive various security and bugfixes.
    the following security bugs were fixed: - cve-2021-22555: a heap out-of-bounds write was discovered in net/netfilter/x_tables.c (bnc#1188116 ).
    - cve-2021-33909: extremely large seq buffer allocations in seq_file could lead to buffer underruns and code execution (bsc#1188062).
    - cve-2021-3609: a use-after-free in can/bcm could have led to privilege escalation (bsc#1187215).
    - cve-2021-33624: in kernel/bpf/verifier.c a branch can be mispredicted (e.g., because of type confusion) and consequently an unprivileged bpf program can read arbitrary memory locations via a side-channel attack, aka cid-9183671af6db (bnc#1187554).
    - cve-2021-0605: in pfkey_dump of af_key.c, there is a possible out-of-bounds read due to a missing bounds check.
    This could lead to local information disclosure with system execution privileges needed.
    user interaction is not needed for exploitation (bnc#1187601).
    - cve-2021-0512: in __hidinput_change_resolution_multipliers of hid-input.c, there is a possible out of bounds write due to a heap buffer overflow.
    This could lead to local escalation of privilege with no additional execution privileges needed.
    User interaction is not needed for exploitation (bnc#1187595).
    - cve-2020-26558: bluetooth le and br/edr secure pairing in bluetooth core specification 2.1 may permit a nearby man-in-the-middle attacker to identify the passkey used during pairing (in the passkey authentication procedure) by reflection of the public key and the authentication evidence of the initiating device, potentially permitting this attacker to complete authenticated pairing with the responding device using the correct passkey for the pairing session.
    The attack methodology determines the passkey value one bit at a time (bnc#1179610).
    - cve-2021-34693: net/can/bcm.c in the linux kernel allowed local users to obtain sensitive information from kernel stack memory because parts of a data structure are uninitialized (bnc#1187452).
    - cve-2020-36385: an issue was discovered in the linux kernel drivers/infiniband/core/ucma.c has a use-after-free because the ctx is reached via the ctx_list in some ucma_migrate_id situations where ucma_close is called, aka cid-f5449e74802c (bnc#1187050).
    - cve-2021-0129: improper access control in bluez may have allowed an authenticated user to potentially enable information disclosure via adjacent access (bnc#1186463).
    - cve-2020-36386: an issue was discovered in the linux kernel net/bluetooth/hci_event.c has a slab out-of-bounds read in hci_extended_inquiry_result_evt, aka cid-51c19bf3d5cf (bnc#1187038).
    - cve-2020-24588: the 802.11 standard that underpins wi-fi protected access (wpa, wpa2, and wpa3) and wired equivalent privacy (wep) doesnt require that the a-msdu flag in the plaintext qos header field is authenticated.
    Against devices that support receiving non-ssp a-msdu frames (which is mandatory as part of 802.11n), an adversary can abuse this to inject arbitrary network packets (bnc#1185861).
    - cve-2021-33200: kernel/bpf/verifier.c enforced incorrect limits for pointer arithmetic operations, aka cid-bb01a1bba579.
    This can be abused to perform out-of-bounds reads and writes in kernel memory, leading to local privilege escalation to root.
    In particular, there is a corner case where the off reg causes a masking direction change, which then results in an incorrect final aux->alu_limit (bnc#1186484).
    - cve-2021-33034: net/bluetooth/hci_event.c had a use-after-free when destroying an hci_chan, aka cid-5c4c8c954409.
    Bnc#1185642).

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    Successful exploitation allows attacker to compromise the system.
    Solution
    Upgrade to the latest package which contains the patch. To install this SUSE Security, Update use YaST online_update. Alternatively you can run the command listed for your product. To install packages using the command line interface, use command "yum update". Refer to Suse security advisory: SUSE-SU-2021:2421-1 to address this issue and obtain further details.
    Patches
    SUSE Enterprise Linux SUSE-SU-2021:2421-1
  • CVE-2020-35512+
    Recently Published

    SUSE Enterprise Linux Security Update for dbus-1 (SUSE-SU-2021:2424-1)

    Severity
    Critical4
    Qualys ID
    750870
    Date Published
    July 22, 2021
    Vendor Reference
    SUSE-SU-2021:2424-1
    CVE Reference
    CVE-2020-35512, CVE-2020-12049
    CVSS Scores
    Base 7.8 / Temporal 6.8
    Description
    This update for dbus-1 fixes the following issues: - cve-2020-35512: users with the same numeric uid could lead to use-after-free and undefined behaviour (bsc#1187105) - cve-2020-12049: truncated messages lead to resource exhaustion (bsc#1172505) special instructions and notes: please reboot the system after installing this update.

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    Successful exploitation allows attacker to compromise the system.
    Solution
    Upgrade to the latest package which contains the patch. To install this SUSE Security, Update use YaST online_update. Alternatively you can run the command listed for your product. To install packages using the command line interface, use command "yum update". Refer to Suse security advisory: SUSE-SU-2021:2424-1 to address this issue and obtain further details.
    Patches
    SUSE Enterprise Linux SUSE-SU-2021:2424-1
  • CVE-2020-36386+
    Recently Published

    SUSE Enterprise Linux Security Update for the Linux Kernel (SUSE-SU-2021:2422-1)

    Severity
    Critical4
    Qualys ID
    750869
    Date Published
    July 22, 2021
    Vendor Reference
    SUSE-SU-2021:2422-1
    CVE Reference
    CVE-2020-36386, CVE-2021-33909, CVE-2021-0512, CVE-2021-3609, CVE-2020-26558, CVE-2021-22555, CVE-2020-36385, CVE-2021-0129, CVE-2021-0605, CVE-2021-33624, CVE-2021-34693, CVE-2020-24588, CVE-2021-33200
    CVSS Scores
    Base 7.8 / Temporal 7
    Description
    The suse linux enterprise 12 sp4 ltss kernel was updated to receive various security and bugfixes.
    the following security bugs were fixed: - cve-2021-22555: a heap out-of-bounds write was discovered in net/netfilter/x_tables.c (bnc#1188116).
    - cve-2021-33909: extremely large seq buffer allocations in seq_file could lead to buffer underruns and code execution (bsc#1188062).
    - cve-2021-3609: a use-after-free in can/bcm could have led to privilege escalation (bsc#1187215).
    - cve-2021-33624: in kernel/bpf/verifier.c a branch can be mispredicted (e.g., because of type confusion) and consequently an unprivileged bpf program can read arbitrary memory locations via a side-channel attack, aka cid-9183671af6db (bnc#1187554).
    - cve-2021-0605: in pfkey_dump of af_key.c, there is a possible out-of-bounds read due to a missing bounds check.
    This could lead to local information disclosure in the kernel with system execution privileges needed.
    User interaction is not needed for exploitation (bnc#1187601).
    - cve-2021-0512: in __hidinput_change_resolution_multipliers of hid-input.c, there is a possible out of bounds write due to a heap buffer overflow.
    This could lead to local escalation of privilege with no additional execution privileges needed.
    User interaction is not needed for exploitation (bnc#1187595).
    - cve-2020-26558: bluetooth le and br/edr secure pairing in bluetooth core specification 2.1 may permit a nearby man-in-the-middle attacker to identify the passkey used during pairing (in the passkey authentication procedure) by reflection of the public key and the authentication evidence of the initiating device, potentially permitting this attacker to complete authenticated pairing with the responding device using the correct passkey for the pairing session.
    The attack methodology determines the passkey value one bit at a time (bnc#1179610 bnc#1186463).
    - cve-2021-34693: net/can/bcm.c allowed local users to obtain sensitive information from kernel stack memory because parts of a data structure are uninitialized (bnc#1187452).
    - cve-2020-36385: an issue was discovered in drivers/infiniband/core/ucma.c has a use-after-free because the ctx is reached via the ctx_list in some ucma_migrate_id situations where ucma_close is called, aka cid-f5449e74802c (bnc#1187050).
    - cve-2021-0129: improper access control in bluez may have allowed an authenticated user to potentially enable information disclosure via adjacent access (bnc#1186463).
    - cve-2020-36386: an issue was discovered net/bluetooth/hci_event.c has a slab out-of-bounds read in hci_extended_inquiry_result_evt, aka cid-51c19bf3d5cf (bnc#1187038).
    - cve-2020-24588: the 802.11 standard that underpins wi-fi protected access (wpa, wpa2, and wpa3) and wired equivalent privacy (wep) doesnt require that the a-msdu flag in the plaintext qos header field is authenticated.
    Against devices that support receiving non-ssp a-msdu frames (which is mandatory as part of 802.11n), an adversary can abuse this to inject arbitrary network packets (bnc#1185861).
    - cve-2021-33200: kernel/bpf/verifier.c enforced incorrect limits for pointer arithmetic operations, aka cid-bb01a1bba579.
    This can be abused to perform out-of-bounds reads and writes in kernel memory, leading to local privilege escalation to root.
    In particular, there is a corner case where the off reg causes a masking direction change, which then results in an incorrect final aux->alu_limit (bnc#1186484).

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    Successful exploitation allows attacker to compromise the system.
    Solution
    Upgrade to the latest package which contains the patch. To install this SUSE Security, Update use YaST online_update. Alternatively you can run the command listed for your product. To install packages using the command line interface, use command "yum update". Refer to Suse security advisory: SUSE-SU-2021:2422-1 to address this issue and obtain further details.
    Patches
    SUSE Enterprise Linux SUSE-SU-2021:2422-1
  • CVE-2020-36386+
    Recently Published

    SUSE Enterprise Linux Security Update for the Linux Kernel (SUSE-SU-2021:2427-1)

    Severity
    Critical4
    Qualys ID
    750868
    Date Published
    July 22, 2021
    Vendor Reference
    SUSE-SU-2021:2427-1
    CVE Reference
    CVE-2020-36386, CVE-2021-33909, CVE-2021-0512, CVE-2021-3609, CVE-2020-26558, CVE-2021-22555, CVE-2020-36385, CVE-2021-0129, CVE-2021-0605, CVE-2021-33624, CVE-2021-34693, CVE-2020-24588, CVE-2021-33200
    CVSS Scores
    Base 7.8 / Temporal 7
    Description
    The suse linux enterprise 15 sp3 kernel was updated to receive various security and bugfixes.
    the following security bugs were fixed: - cve-2021-22555: fixed an heap out-of-bounds write in net/netfilter/x_tables.c that could allow local provilege escalation.
    (bsc#1188116) - cve-2021-33624: fixed a bug which allows unprivileged bpf program to leak the contents of arbitrary kernel memory (and therefore, of all physical memory) via a side-channel. (
    Bsc#1187554) - cve-2021-0605: fixed an out-of-bounds read which could lead to local information disclosure in the kernel with system execution privileges needed. (
    Bsc#1187601) - cve-2021-0512: fixed a possible out-of-bounds write which could lead to local escalation of privilege with no additional execution privileges needed. (
    Bsc#1187595) - cve-2020-26558: fixed a flaw in the bluetooth le and br/edr secure pairing that could permit a nearby man-in-the-middle attacker to identify the passkey used during pairing. (
    Bnc#1179610) - cve-2021-34693: fixed a bug in net/can/bcm.c which could allow local users to obtain sensitive information from kernel stack memory because parts of a data structure are uninitialized. (
    Bsc#1187452) - cve-2021-0129: fixed an improper access control in bluez that may have allowed an authenticated user to potentially enable information disclosure via adjacent access. (
    Bnc#1186463) - cve-2020-36386: fixed an out-of-bounds read in hci_extended_inquiry_result_evt. (
    Bsc#1187038) - cve-2020-24588: fixed a bug that could allow an adversary to abuse devices that support receiving non-ssp a-msdu frames to inject arbitrary network packets. (
    Bsc#1185861 bsc#1185863) - cve-2021-33909: fixed an out-of-bounds write in the filesystem layer that allows to andobtain full root privileges. (
    Bsc#1188062) - cve-2021-3609: fixed a race condition in the can bcm networking protocol which allows for local privilege escalation. (
    Bsc#1187215) - cve-2020-36385: fixed a use-after-free flaw in ucma.c which allows for local privilege escalation. (
    Bsc#1187050) - cve-2021-33200: fix leakage of uninitialized bpf stack under speculation. (
    Bsc#1186484)

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    Successful exploitation allows attacker to compromise the system.
    Solution
    Upgrade to the latest package which contains the patch. To install this SUSE Security, Update use YaST online_update. Alternatively you can run the command listed for your product. To install packages using the command line interface, use command "yum update". Refer to Suse security advisory: SUSE-SU-2021:2427-1 to address this issue and obtain further details.
    Patches
    SUSE Enterprise Linux SUSE-SU-2021:2427-1
  • CVE-2021-0605+
    Recently Published

    SUSE Enterprise Linux Security Update for the Linux Kernel (Live Patch 35 for SLE 12 SP3) (SUSE-SU-2021:2433-1)

    Severity
    Critical4
    Qualys ID
    750867
    Date Published
    July 22, 2021
    Vendor Reference
    SUSE-SU-2021:2433-1
    CVE Reference
    CVE-2021-0605, CVE-2021-0512
    CVSS Scores
    Base 7.8 / Temporal 6.8
    Description
    This update for the linux kernel 4.4.180-94_130 fixes several issues.
    The following security issues were fixed: - cve-2021-0605: fixed an out-of-bounds read which could lead to local information disclosure in the kernel with system execution privileges needed. (
    Bsc#1187687) - cve-2021-0512: fixed a possible out-of-bounds write which could lead to local escalation of privilege with no additional execution privileges needed. (
    Bsc#1187597)

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    Successful exploitation allows attacker to compromise the system.
    Solution
    Upgrade to the latest package which contains the patch. To install this SUSE Security, Update use YaST online_update. Alternatively you can run the command listed for your product. To install packages using the command line interface, use command "yum update". Refer to Suse security advisory: SUSE-SU-2021:2433-1 to address this issue and obtain further details.
    Patches
    SUSE Enterprise Linux SUSE-SU-2021:2433-1
  • CVE-2021-33910
    Recently Published

    SUSE Enterprise Linux Security Update for systemd (SUSE-SU-2021:2423-1)

    Severity
    Critical4
    Qualys ID
    750865
    Date Published
    July 22, 2021
    Vendor Reference
    SUSE-SU-2021:2423-1
    CVE Reference
    CVE-2021-33910
    CVSS Scores
    Base 5.5 / Temporal 4.8
    Description
    This update for systemd fixes the following issues: security issues fixed: - cve-2021-33910: fixed a denial of service (stack exhaustion) in systemd (pid 1) (bsc#1188063) other fixes: - mount-util: shorten the loop a bit (#7545) - mount-util: do not use the official max_handle_sz (#7523) - mount-util: tape over name_to_handle_at() flakiness (#7517) (bsc#1184761) - mount-util: fix bad indenting - mount-util: eoverflow might have other causes than buffer size issues - mount-util: fix error propagation in fd_fdinfo_mnt_id() - mount-util: drop exponential buffer growing in name_to_handle_at_loop() - udev: port udev_has_devtmpfs() to use path_get_mnt_id() - mount-util: add new path_get_mnt_id() call that queries the mnt id of a path - mount-util: add name_to_handle_at_loop() wrapper around name_to_handle_at() - mount-util: accept that name_to_handle_at() might fail with eperm (#5499) - basic: fallback to the fstat if we dont have access to the /proc/self/fdinfo - sysusers: use the usual comment style - test/test-21-sysusers: add tests for new functionality - sysusers: allow admin/runtime overrides to command-line config - basic/strv: add function to insert items at position - sysusers: allow the shell to be specified - sysusers: move various user credential validity checks to src/basic/ - man: reformat table in sysusers.d(5) - sysusers: take configuration as positional arguments - sysusers: emit a bit more info at debug level when locking fails - sysusers: allow force reusing existing user/group ids (#8037) - sysusers: ensure gid in uid:gid syntax exists - sysusers: make add_group always create a group - test: add test-21-sysusers test - sysuser: use orderedhashmap - sysusers: allow uid:gid in sysusers.conf files - sysusers: fix memleak (#4430) - these commits implement the option --replace for systemd-sysusers so %sysusers_create_package can be introduced in sle and packages can rely on this rpm macro without wondering whether the macro is available on the different target the package is submitted to.
    - expect 644 permissions for /usr/lib/udev/compat-symlink-generation (bsc#1185807) - systemctl: add --value option - execute: make sure to call into pam after initializing resource limits (bsc#1184967) - rlimit-util: introduce setrlimit_closest_all() - system-conf: drop reference to shutdownwatchdogusec= - core: rename shutdownwatchdogsec to rebootwatchdogsec (bsc#1185331) - return -eagain instead of -ealready from unit_reload (bsc#1185046) - rules: dont ignore xen virtual interfaces anymore (bsc#1178561) - write_net_rules: set execute bits (bsc#1178561) - udev: rework network device renaming - revert "revert "udev: network device renaming - immediately give up if the target name isnt available""

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    Successful exploitation allows attacker to compromise the system.
    Solution
    Upgrade to the latest package which contains the patch. To install this SUSE Security, Update use YaST online_update. Alternatively you can run the command listed for your product. To install packages using the command line interface, use command "yum update". Refer to Suse security advisory: SUSE-SU-2021:2423-1 to address this issue and obtain further details.
    Patches
    SUSE Enterprise Linux SUSE-SU-2021:2423-1
  • CVE-2021-30565+
    Recently Published

    Google Chrome Prior To 92.0.4515.107 Multiple Vulnerabilities

    Severity
    Urgent5
    Qualys ID
    375738
    Date Published
    July 22, 2021
    Vendor Reference
    Google Chrome 92.0.4515.107
    CVE Reference
    CVE-2021-30565, CVE-2021-30566, CVE-2021-30567, CVE-2021-30568, CVE-2021-30569, CVE-2021-30571, CVE-2021-30572, CVE-2021-30573, CVE-2021-30574, CVE-2021-30575, CVE-2021-30576, CVE-2021-30577, CVE-2021-30578, CVE-2021-30579, CVE-2021-30580, CVE-2021-30581, CVE-2021-30582, CVE-2021-30583, CVE-2021-30584, CVE-2021-30585, CVE-2021-30586, CVE-2021-30587, CVE-2021-30588, CVE-2021-30589
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description
    Google Chrome is a web browser for multiple platforms developed by Google.

    Affected Versions:
    Google Chrome Prior to 92.0.4515.107

    QID Detection Logic(Authenticated):
    This QID checks for vulnerable versions of Google Chrome on Windows, linux and MAC OS.

    Consequence
    Successful exploitation allows an attacker to compromise the system.
    Solution
    Customers are advised to upgrade to latest version 92.0.4515.107
    For further details refer to Google Chrome 92.0.4515.107
    Patches
    92.0.4515.107
  • CVE-2020-9327+
    Recently Published

    OpenSUSE Security Update for sqlite3 (openSUSE-SU-2021:1058-1)

    Severity
    Critical4
    Qualys ID
    750856
    Date Published
    July 22, 2021
    Vendor Reference
    openSUSE-SU-2021:1058-1
    CVE Reference
    CVE-2020-9327, CVE-2019-19646, CVE-2020-13631, CVE-2019-19880, CVE-2019-19926, CVE-2019-19923, CVE-2019-19645, CVE-2019-19603, CVE-2019-19317, CVE-2019-20218, CVE-2020-13630, CVE-2019-19244, CVE-2019-19925, CVE-2020-13434, CVE-2020-13632, CVE-2019-19924, CVE-2015-3415, CVE-2019-19959, CVE-2015-3414, CVE-2020-15358, CVE-2020-13435
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description
    OpenSUSE has released a security update for sqlite3 to fix the vulnerabilities.

    Affected Products:
    openSUSE Leap 15.2


    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    This vulnerability could be exploited to gain remote access to sensitive information and execute commands.
    Solution
    Upgrade to the latest packages which contain a patch. To install this OpenSUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product.

    To install packages using the command line interface, use the command "yum update".

    Refer to SUSE security advisory openSUSE-SU-2021:1058-1 to address this issue and obtain further details.

    Patches
    OpenSuse openSUSE-SU-2021:1058-1
  • CVE-2021-32680+
    Recently Published

    OpenSUSE Security Update for nextcloud (openSUSE-SU-2021:1068-1)

    Severity
    Critical4
    Qualys ID
    750849
    Date Published
    July 22, 2021
    Vendor Reference
    openSUSE-SU-2021:1068-1
    CVE Reference
    CVE-2021-32680, CVE-2020-8294, CVE-2020-8295, CVE-2021-32734, CVE-2021-32703, CVE-2021-32688, CVE-2021-32679, CVE-2020-8293, CVE-2021-32678, CVE-2021-32725, CVE-2021-32726, CVE-2021-32705, CVE-2021-32741
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description
    OpenSUSE has released a security update for nextcloud to fix the vulnerabilities.

    Affected Products:
    openSUSE Leap 15.2


    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    This vulnerability could be exploited to gain remote access to sensitive information and execute commands.
    Solution
    Upgrade to the latest packages which contain a patch. To install this OpenSUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product.

    To install packages using the command line interface, use the command "yum update".

    Refer to SUSE security advisory openSUSE-SU-2021:1068-1 to address this issue and obtain further details.

    Patches
    OpenSuse openSUSE-SU-2021:1068-1
  • CVE-2021-30547+
    Recently Published

    OpenSUSE Security Update for MozillaFirefox (openSUSE-SU-2021:2393-1)

    Severity
    Critical4
    Qualys ID
    750862
    Date Published
    July 22, 2021
    Vendor Reference
    openSUSE-SU-2021:2393-1
    CVE Reference
    CVE-2021-30547, CVE-2021-29970, CVE-2021-29976
    CVSS Scores
    Base 8.8 / Temporal 7.7
    Description
    OpenSUSE has released a security update for MozillaFirefox to fix the vulnerabilities.

    Affected Products:
    openSUSE Leap 15.3


    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    This vulnerability could be exploited to gain remote access to sensitive information and execute commands.
    Solution
    Upgrade to the latest packages which contain a patch. To install this OpenSUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product.

    To install packages using the command line interface, use the command "yum update".

    Refer to SUSE security advisory openSUSE-SU-2021:2393-1 to address this issue and obtain further details.

    Patches
    OpenSuse openSUSE-SU-2021:2393-1
  • CVE-2021-30547+
    Recently Published

    OpenSUSE Security Update for MozillaFirefox (openSUSE-SU-2021:1066-1)

    Severity
    Critical4
    Qualys ID
    750854
    Date Published
    July 22, 2021
    Vendor Reference
    openSUSE-SU-2021:1066-1
    CVE Reference
    CVE-2021-30547, CVE-2021-29970, CVE-2021-29976
    CVSS Scores
    Base 8.8 / Temporal 7.7
    Description
    OpenSUSE has released a security update for MozillaFirefox to fix the vulnerabilities.

    Affected Products:
    openSUSE Leap 15.2


    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    This vulnerability could be exploited to gain remote access to sensitive information and execute commands.
    Solution
    Upgrade to the latest packages which contain a patch. To install this OpenSUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product.

    To install packages using the command line interface, use the command "yum update".

    Refer to SUSE security advisory openSUSE-SU-2021:1066-1 to address this issue and obtain further details.

    Patches
    OpenSuse openSUSE-SU-2021:1066-1
  • CVE-2020-35512
    Recently Published

    OpenSUSE Security Update for dbus-1 (openSUSE-SU-2021:1056-1)

    Severity
    Critical4
    Qualys ID
    750855
    Date Published
    July 22, 2021
    Vendor Reference
    openSUSE-SU-2021:1056-1
    CVE Reference
    CVE-2020-35512
    CVSS Scores
    Base 7.8 / Temporal 6.8
    Description
    OpenSUSE has released a security update for dbus-1 to fix the vulnerabilities.

    Affected Products:
    openSUSE Leap 15.2


    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    This vulnerability could be exploited to gain remote access to sensitive information and execute commands.
    Solution
    Upgrade to the latest packages which contain a patch. To install this OpenSUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product.

    To install packages using the command line interface, use the command "yum update".

    Refer to SUSE security advisory openSUSE-SU-2021:1056-1 to address this issue and obtain further details.

    Patches
    OpenSuse openSUSE-SU-2021:1056-1
  • CVE-2021-28091
    Recently Published

    OpenSUSE Security Update for lasso (openSUSE-SU-2021:1057-1)

    Severity
    Critical4
    Qualys ID
    750860
    Date Published
    July 22, 2021
    Vendor Reference
    openSUSE-SU-2021:1057-1
    CVE Reference
    CVE-2021-28091
    CVSS Scores
    Base 7.5 / Temporal 6.5
    Description
    OpenSUSE has released a security update for lasso to fix the vulnerabilities.

    Affected Products:
    openSUSE Leap 15.2


    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    Malicious users could use this vulnerability to change partial contents or configuration on the system. Additionally this vulnerability can also be used to cause a limited denial of service in the form of interruptions in resource availability.
    Solution
    Upgrade to the latest packages which contain a patch. To install this OpenSUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product.

    To install packages using the command line interface, use the command "yum update".

    Refer to SUSE security advisory openSUSE-SU-2021:1057-1 to address this issue and obtain further details.

    Patches
    OpenSuse openSUSE-SU-2021:1057-1
  • CVE-2021-3449+
    Recently Published

    OpenSUSE Security Update for nodejs12 (openSUSE-SU-2021:1059-1)

    Severity
    Critical4
    Qualys ID
    750859
    Date Published
    July 22, 2021
    Vendor Reference
    openSUSE-SU-2021:1059-1
    CVE Reference
    CVE-2021-3449, CVE-2021-23362, CVE-2020-7774, CVE-2021-22918, CVE-2021-3450, CVE-2021-27290
    CVSS Scores
    Base 7.5 / Temporal 6.5
    Description
    OpenSUSE has released a security update for nodejs12 to fix the vulnerabilities.

    Affected Products:
    openSUSE Leap 15.2


    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    This vulnerability could be exploited to gain remote access to sensitive information and execute commands.
    Solution
    Upgrade to the latest packages which contain a patch. To install this OpenSUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product.

    To install packages using the command line interface, use the command "yum update".

    Refer to SUSE security advisory openSUSE-SU-2021:1059-1 to address this issue and obtain further details.

    Patches
    OpenSuse openSUSE-SU-2021:1059-1
  • CVE-2021-3449+
    Recently Published

    OpenSUSE Security Update for nodejs10 (openSUSE-SU-2021:1061-1)

    Severity
    Critical4
    Qualys ID
    750858
    Date Published
    July 22, 2021
    Vendor Reference
    openSUSE-SU-2021:1061-1
    CVE Reference
    CVE-2021-3449, CVE-2021-23362, CVE-2020-7774, CVE-2021-22918, CVE-2021-3450, CVE-2021-27290
    CVSS Scores
    Base 7.5 / Temporal 6.5
    Description
    OpenSUSE has released a security update for nodejs10 to fix the vulnerabilities.

    Affected Products:
    openSUSE Leap 15.2


    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    This vulnerability could be exploited to gain remote access to sensitive information and execute commands.
    Solution
    Upgrade to the latest packages which contain a patch. To install this OpenSUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product.

    To install packages using the command line interface, use the command "yum update".

    Refer to SUSE security advisory openSUSE-SU-2021:1061-1 to address this issue and obtain further details.

    Patches
    OpenSuse openSUSE-SU-2021:1061-1
  • CVE-2021-27290+
    Recently Published

    OpenSUSE Security Update for nodejs14 (openSUSE-SU-2021:1060-1)

    Severity
    Critical4
    Qualys ID
    750857
    Date Published
    July 22, 2021
    Vendor Reference
    openSUSE-SU-2021:1060-1
    CVE Reference
    CVE-2021-27290, CVE-2021-23362, CVE-2020-7774, CVE-2021-22918
    CVSS Scores
    Base 7.5 / Temporal 6.5
    Description
    OpenSUSE has released a security update for nodejs14 to fix the vulnerabilities.

    Affected Products:
    openSUSE Leap 15.2


    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    This vulnerability could be exploited to gain remote access to sensitive information and execute commands.
    Solution
    Upgrade to the latest packages which contain a patch. To install this OpenSUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product.

    To install packages using the command line interface, use the command "yum update".

    Refer to SUSE security advisory openSUSE-SU-2021:1060-1 to address this issue and obtain further details.

    Patches
    OpenSuse openSUSE-SU-2021:1060-1
  • CVE-2021-34558
    Recently Published

    OpenSUSE Security Update for go1.16 (openSUSE-SU-2021:2392-1)

    Severity
    Critical4
    Qualys ID
    750863
    Date Published
    July 22, 2021
    Vendor Reference
    openSUSE-SU-2021:2392-1
    CVE Reference
    CVE-2021-34558
    CVSS Scores
    Base 6.5 / Temporal 5.7
    Description
    OpenSUSE has released a security update for go1.16 to fix the vulnerabilities.

    Affected Products:
    openSUSE Leap 15.3


    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    Malicious users could use this vulnerability to change partial contents or configuration on the system. Additionally this vulnerability can also be used to cause a limited denial of service in the form of interruptions in resource availability.
    Solution
    Upgrade to the latest packages which contain a patch. To install this OpenSUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product.

    To install packages using the command line interface, use the command "yum update".

    Refer to SUSE security advisory openSUSE-SU-2021:2392-1 to address this issue and obtain further details.

    Patches
    OpenSuse openSUSE-SU-2021:2392-1
  • CVE-2021-3567
    Recently Published

    OpenSUSE Security Update for caribou (openSUSE-SU-2021:2414-1)

    Severity
    Critical4
    Qualys ID
    750852
    Date Published
    July 22, 2021
    Vendor Reference
    openSUSE-SU-2021:2414-1
    CVE Reference
    CVE-2021-3567
    CVSS Scores
    Base 4.2 / Temporal 3.7
    Description
    OpenSUSE has released a security update for caribou to fix the vulnerabilities.

    Affected Products:
    openSUSE Leap 15.3


    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    Malicious users could use this vulnerability to change partial contents or configuration on the system. Additionally this vulnerability can also be used to cause a limited denial of service in the form of interruptions in resource availability.
    Solution
    Upgrade to the latest packages which contain a patch. To install this OpenSUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product.

    To install packages using the command line interface, use the command "yum update".

    Refer to SUSE security advisory openSUSE-SU-2021:2414-1 to address this issue and obtain further details.

    Patches
    OpenSuse openSUSE-SU-2021:2414-1
  • Recently Published

    EOL/Obsolete Software: Microsoft Office Project 2010 Service Pack 1 Detected

    Severity
    Urgent5
    Qualys ID
    105999
    Date Published
    July 22, 2021
    Vendor Reference
    Microsoft Project 2010 Lifecycle
    CVSS Scores
    Base 10 / Temporal 9.1
    Description
    Microsoft Project is a project management software program that assists a project manager in developing a plan, assigning resources to tasks, tracking progress, managing the budget and analyzing workloads.

    Microsoft has ended mainstream support for Microsoft Office Project 2010 Service Pack 1 on October 14, 2014.

    Consequence
    The system is at high risk of being exposed to security vulnerabilities. Since the vendor no longer provides updates, obsolete software is more vulnerable to viruses and other attacks.
    Solution
    The customers are advised to upgrade to the latest supported version of Microsoft Sharepoint. For more information please visit here.
  • CVE-2021-36001+
    Recently Published

    Adobe Character Animator Remote Code Execution Vulnerability (ASPB21-59)

    Severity
    Critical4
    Qualys ID
    375735
    Date Published
    July 21, 2021
    Vendor Reference
    APSB21-59
    CVE Reference
    CVE-2021-36001, CVE-2021-36000
    CVSS Scores
    Base 8.8 / Temporal 7.7
    Description
    Adobe Character Animator is a desktop application software product that combines live motion-capture with a multi-track recording system to control layered 2D puppets drawn in Photoshop or Illustrator.

    This update resolves a critical and an important vulnerability.

    Affected Versions:
    Adobe Character Animator CC 2020 4.2 and earlier versions on windows
    QID Detection Logic:(Authenticated)
    It checks registry to check file version of Character Animator.exe

    Consequence
    Successful exploitation could lead to arbitrary code execution in the context of the current user.
    Solution
    Adobe has released patches, for more information can be obtained from APSB21-59
    Patches
    ASPB21-59
  • CVE-2021-22555+
    Recently Published

    OpenSUSE Security Update for the Linux Kernel (openSUSE-SU-2021:2415-1)(Sequoia)

    Severity
    Critical4
    Qualys ID
    750851
    Date Published
    July 21, 2021
    Vendor Reference
    openSUSE-SU-2021:2415-1
    CVE Reference
    CVE-2021-22555, CVE-2021-33909
    CVSS Scores
    Base 7.8 / Temporal 7
    Description
    OpenSUSE has released a security update for the Linux Kernel to fix the vulnerabilities.

    Affected Products:
    openSUSE Leap 15.3


    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    This vulnerability could be exploited to gain remote access to sensitive information and execute commands.
    Solution
    Upgrade to the latest packages which contain a patch. To install this OpenSUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product.

    To install packages using the command line interface, use the command "yum update".

    Refer to SUSE security advisory openSUSE-SU-2021:2415-1 to address this issue and obtain further details.

    Patches
    OpenSuse openSUSE-SU-2021:2415-1
  • CVE-2020-36385+
    Recently Published

    SUSE Enterprise Linux Security Update for the Linux Kernel (SUSE-SU-2021:2416-1)(Sequoia)

    Severity
    Critical4
    Qualys ID
    750848
    Date Published
    July 21, 2021
    Vendor Reference
    SUSE-SU-2021:2416-1
    CVE Reference
    CVE-2020-36385, CVE-2021-22555, CVE-2021-33909, CVE-2021-3609, CVE-2021-3612
    CVSS Scores
    Base 7.8 / Temporal 7
    Description
    The suse linux enterprise 12 sp5 kernel was updated to receive various security and bugfixes.
    The following security bugs were fixed: - cve-2021-22555: fixed an heap out-of-bounds write in net/netfilter/x_tables.c that could allow local provilege escalation.
    (bsc#1188116) - cve-2021-33909: fixed an out-of-bounds write in the filesystem layer that allows to obtain full root privileges. (
    Bsc#1188062) - cve-2021-3609: fixed a race condition in the can bcm networking protocol which allows for local privilege escalation. (
    Bsc#1187215) - cve-2021-3612: fixed an out-of-bounds memory write flaw which could allows a local user to crash the system or possibly escalate their privileges on the system. (
    Bsc#1187585) - cve-2020-36385: fixed a use-after-free flaw in ucma.c which allows for local privilege escalation. (
    Bsc#1187050)

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    Successful exploitation allows attacker to compromise the system.
    Solution
    Upgrade to the latest package which contains the patch. To install this SUSE Security, Update use YaST online_update. Alternatively you can run the command listed for your product. To install packages using the command line interface, use command "yum update". Refer to Suse security advisory: SUSE-SU-2021:2416-1 to address this issue and obtain further details.
    Patches
    SUSE Enterprise Linux SUSE-SU-2021:2416-1
  • CVE-2021-32399+
    Recently Published

    Red Hat Update for kernel (RHSA-2021:2714) (Sequoia)

    Severity
    Critical4
    Qualys ID
    239506
    Date Published
    July 21, 2021
    Vendor Reference
    RHSA-2021:2714
    CVE Reference
    CVE-2021-32399, CVE-2021-33909
    CVSS Scores
    Base 7.8 / Temporal 6.8
    Description
    The kernel packages contain the Linux kernel, the core of any Linux operating system.

    Security Fix(es): kernel: size_t-to-int conversion vulnerability in the filesystem layer (CVE-2021-33909) kernel: race condition for removal of the HCI controller (CVE-2021-32399)

    Affected Products:

    Red Hat Enterprise Linux for x86_64 - Extended Update Support 8.4 x86_64
    Red Hat Enterprise Linux Server - AUS 8.4 x86_64
    Red Hat Enterprise Linux for IBM z Systems 8 s390x
    Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 8.4 s390x
    Red Hat Enterprise Linux for Power, little endian 8 ppc64le
    Red Hat Enterprise Linux for Power, little endian - Extended Update Support 8.4 ppc64le
    Red Hat Virtualization Host 4 for RHEL 8 x86_64
    Red Hat Enterprise Linux for x86_64 8 x86_64
    Red Hat Enterprise Linux Server - TUS 8.4 x86_64
    Red Hat Enterprise Linux for ARM 64 8 aarch64
    Red Hat Enterprise Linux Server (for IBM Power LE) - Update Services for SAP Solutions 8.4 ppc64le
    Red Hat Enterprise Linux Server - Update Services for SAP Solutions 8.4 x86_64
    Red Hat CodeReady Linux Builder for x86_64 8 x86_64
    Red Hat CodeReady Linux Builder for Power, little endian 8 ppc64le
    Red Hat CodeReady Linux Builder for ARM 64 8 aarch64
    Red Hat Enterprise Linux for ARM 64 - Extended Update Support 8.4 aarch64
    Red Hat CodeReady Linux Builder for x86_64 - Extended Update Support 8.4 x86_64
    Red Hat CodeReady Linux Builder for Power, little endian - Extended Update Support 8.4 ppc64le
    Red Hat CodeReady Linux Builder for ARM 64 - Extended Update Support 8.4 aarch64

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    On successful exploitation, it could allow an attacker to execute code.
    Solution
    Upgrade to the latest packages which contain a patch. Refer to Applying Package Updates to RHEL system for details.

    Refer to Red Hat security advisory RHSA-2021:2714 to address this issue and obtain more information.

    Patches
    Red Hat Enterprise Linux RHSA-2021:2714
  • CVE-2021-32399+
    Recently Published

    Red Hat Update for kernel-rt (RHSA-2021:2715) (Sequoia)

    Severity
    Critical4
    Qualys ID
    239505
    Date Published
    July 21, 2021
    Vendor Reference
    RHSA-2021:2715
    CVE Reference
    CVE-2021-32399, CVE-2021-33909
    CVSS Scores
    Base 7.8 / Temporal 6.8
    Description
    The kernel-rt packages provide the Real Time Linux Kernel, which enables fine-tuning for systems with extremely high determinism requirements.

    Security Fix(es): kernel: size_t-to-int conversion vulnerability in the filesystem layer (CVE-2021-33909) kernel: race condition for removal of the HCI controller (CVE-2021-32399)

    Affected Products:

    Red Hat Enterprise Linux for Real Time 8 x86_64
    Red Hat Enterprise Linux for Real Time for NFV 8 x86_64
    Red Hat Enterprise Linux for Real Time - Telecommunications Update Service 8.4 x86_64
    Red Hat Enterprise Linux for Real Time for NFV - Telecommunications Update Service 8.4 x86_64

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    On successful exploitation, it could allow an attacker to execute code.
    Solution
    Upgrade to the latest packages which contain a patch. Refer to Applying Package Updates to RHEL system for details.

    Refer to Red Hat security advisory RHSA-2021:2715 to address this issue and obtain more information.

    Patches
    Red Hat Enterprise Linux RHSA-2021:2715
  • CVE-2021-32399+
    Recently Published

    Red Hat Update for kpatch-patch (RHSA-2021:2716) (Sequoia)

    Severity
    Critical4
    Qualys ID
    239504
    Date Published
    July 21, 2021
    Vendor Reference
    RHSA-2021:2716
    CVE Reference
    CVE-2021-32399, CVE-2021-33909
    CVSS Scores
    Base 7.8 / Temporal 6.8
    Description
    This is a kernel live patch module which is automatically loaded by the RPM post-install script to modify the code of a running kernel.

    Security Fix(es): kernel: size_t-to-int conversion vulnerability in the filesystem layer (CVE-2021-33909) kernel: race condition for removal of the HCI controller (CVE-2021-32399)

    Affected Products:

    Red Hat Enterprise Linux for x86_64 8 x86_64
    Red Hat Enterprise Linux for x86_64 - Extended Update Support 8.4 x86_64
    Red Hat Enterprise Linux Server - AUS 8.4 x86_64
    Red Hat Enterprise Linux for Power, little endian 8 ppc64le
    Red Hat Enterprise Linux for Power, little endian - Extended Update Support 8.4 ppc64le
    Red Hat Enterprise Linux Server - TUS 8.4 x86_64
    Red Hat Enterprise Linux Server (for IBM Power LE) - Update Services for SAP Solutions 8.4 ppc64le
    Red Hat Enterprise Linux Server - Update Services for SAP Solutions 8.4 x86_64

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    On successful exploitation, it could allow an attacker to execute code.
    Solution
    Upgrade to the latest packages which contain a patch. Refer to Applying Package Updates to RHEL system for details.

    Refer to Red Hat security advisory RHSA-2021:2716 to address this issue and obtain more information.

    Patches
    Red Hat Enterprise Linux RHSA-2021:2716
  • CVE-2020-25704+
    Recently Published

    Red Hat Update for kernel (RHSA-2021:2718) (Sequoia)

    Severity
    Critical4
    Qualys ID
    239502
    Date Published
    July 21, 2021
    Vendor Reference
    RHSA-2021:2718
    CVE Reference
    CVE-2020-25704, CVE-2020-26541, CVE-2020-35508, CVE-2021-33034, CVE-2021-33909
    CVSS Scores
    Base 7.8 / Temporal 6.8
    Description
    The kernel packages contain the Linux kernel, the core of any Linux operating system.

    Security Fix(es): kernel: size_t-to-int conversion vulnerability in the filesystem layer (CVE-2021-33909) kernel: use-after-free in net/bluetooth/hci_event.c when destroying an hci_chan (CVE-2021-33034) kernel: perf_event_parse_addr_filter memory (CVE-2020-25704) kernel: security bypass in certs/blacklist.c and certs/system_keyring.c (CVE-2020-26541) kernel: fork: fix copy_process(CLONE_PARENT)
    race with the exiting ->real_parent (CVE-2020-35508)

    Affected Products:

    Red Hat Enterprise Linux for x86_64 - Extended Update Support 8.2 x86_64
    Red Hat Enterprise Linux Server - AUS 8.2 x86_64
    Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 8.2 s390x
    Red Hat Enterprise Linux for Power, little endian - Extended Update Support 8.2 ppc64le
    Red Hat Enterprise Linux Server - TUS 8.2 x86_64
    Red Hat Enterprise Linux for ARM 64 - Extended Update Support 8.2 aarch64
    Red Hat Enterprise Linux Server (for IBM Power LE) - Update Services for SAP Solutions 8.2 ppc64le
    Red Hat Enterprise Linux Server - Update Services for SAP Solutions 8.2 x86_64
    Red Hat CodeReady Linux Builder for x86_64 - Extended Update Support 8.2 x86_64
    Red Hat CodeReady Linux Builder for Power, little endian - Extended Update Support 8.2 ppc64le
    Red Hat CodeReady Linux Builder for ARM 64 - Extended Update Support 8.2 aarch64

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    On successful exploitation, it could allow an attacker to execute code.
    Solution
    Upgrade to the latest packages which contain a patch. Refer to Applying Package Updates to RHEL system for details.

    Refer to Red Hat security advisory RHSA-2021:2718 to address this issue and obtain more information.

    Patches
    Red Hat Enterprise Linux RHSA-2021:2718
  • CVE-2020-25704+
    Recently Published

    Red Hat Update for kernel-rt (RHSA-2021:2719) (Sequoia)

    Severity
    Critical4
    Qualys ID
    239501
    Date Published
    July 21, 2021
    Vendor Reference
    RHSA-2021:2719
    CVE Reference
    CVE-2020-25704, CVE-2020-26541, CVE-2020-35508, CVE-2021-33034, CVE-2021-33909
    CVSS Scores
    Base 7.8 / Temporal 6.8
    Description
    The kernel-rt packages provide the Real Time Linux Kernel, which enables fine-tuning for systems with extremely high determinism requirements.

    Security Fix(es): kernel: size_t-to-int conversion vulnerability in the filesystem layer (CVE-2021-33909) kernel: use-after-free in net/bluetooth/hci_event.c when destroying an hci_chan (CVE-2021-33034) kernel: perf_event_parse_addr_filter memory (CVE-2020-25704) kernel: security bypass in certs/blacklist.c and certs/system_keyring.c (CVE-2020-26541) kernel: fork: fix copy_process(CLONE_PARENT)
    race with the exiting ->real_parent (CVE-2020-35508)

    Affected Products:

    Red Hat Enterprise Linux for Real Time - Telecommunications Update Service 8.2 x86_64
    Red Hat Enterprise Linux for Real Time for NFV - Telecommunications Update Service 8.2 x86_64

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    On successful exploitation, it could allow an attacker to execute code.
    Solution
    Upgrade to the latest packages which contain a patch. Refer to Applying Package Updates to RHEL system for details.

    Refer to Red Hat security advisory RHSA-2021:2719 to address this issue and obtain more information.

    Patches
    Red Hat Enterprise Linux RHSA-2021:2719
  • CVE-2021-33034+
    Recently Published

    Red Hat Update for kpatch-patch (RHSA-2021:2720) (Sequoia)

    Severity
    Critical4
    Qualys ID
    239500
    Date Published
    July 21, 2021
    Vendor Reference
    RHSA-2021:2720
    CVE Reference
    CVE-2021-33034, CVE-2021-33909
    CVSS Scores
    Base 7.8 / Temporal 6.8
    Description
    This is a kernel live patch module which is automatically loaded by the RPM post-install script to modify the code of a running kernel.

    Security Fix(es): kernel: size_t-to-int conversion vulnerability in the filesystem layer (CVE-2021-33909) kernel: use-after-free in net/bluetooth/hci_event.c when destroying an hci_chan (CVE-2021-33034)

    Affected Products:

    Red Hat Enterprise Linux for x86_64 - Extended Update Support 8.2 x86_64
    Red Hat Enterprise Linux Server - AUS 8.2 x86_64
    Red Hat Enterprise Linux for Power, little endian - Extended Update Support 8.2 ppc64le
    Red Hat Enterprise Linux Server - TUS 8.2 x86_64
    Red Hat Enterprise Linux Server (for IBM Power LE) - Update Services for SAP Solutions 8.2 ppc64le
    Red Hat Enterprise Linux Server - Update Services for SAP Solutions 8.2 x86_64

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    On successful exploitation, it could allow an attacker to execute code.
    Solution
    Upgrade to the latest packages which contain a patch. Refer to Applying Package Updates to RHEL system for details.

    Refer to Red Hat security advisory RHSA-2021:2720 to address this issue and obtain more information.

    Patches
    Red Hat Enterprise Linux RHSA-2021:2720
  • CVE-2021-33909
    Recently Published

    Red Hat Update for kernel (RHSA-2021:2722) (Sequoia)

    Severity
    Critical4
    Qualys ID
    239498
    Date Published
    July 21, 2021
    Vendor Reference
    RHSA-2021:2722
    CVE Reference
    CVE-2021-33909
    CVSS Scores
    Base 7.8 / Temporal 6.8
    Description
    The kernel packages contain the Linux kernel, the core of any Linux operating system.

    Security Fix(es): kernel: size_t-to-int conversion vulnerability in the filesystem layer (CVE-2021-33909)

    Affected Products:

    Red Hat Enterprise Linux for x86_64 - Extended Update Support 8.1 x86_64
    Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 8.1 s390x
    Red Hat Enterprise Linux for Power, little endian - Extended Update Support 8.1 ppc64le
    Red Hat Enterprise Linux for ARM 64 - Extended Update Support 8.1 aarch64
    Red Hat Enterprise Linux Server (for IBM Power LE) - Update Services for SAP Solutions 8.1 ppc64le
    Red Hat Enterprise Linux Server - Update Services for SAP Solutions 8.1 x86_64
    Red Hat CodeReady Linux Builder for x86_64 - Extended Update Support 8.1 x86_64
    Red Hat CodeReady Linux Builder for Power, little endian - Extended Update Support 8.1 ppc64le
    Red Hat CodeReady Linux Builder for ARM 64 - Extended Update Support 8.1 aarch64

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    On successful exploitation, it could allow an attacker to execute code.
    Solution
    Upgrade to the latest packages which contain a patch. Refer to Applying Package Updates to RHEL system for details.

    Refer to Red Hat security advisory RHSA-2021:2722 to address this issue and obtain more information.

    Patches
    Red Hat Enterprise Linux RHSA-2021:2722
  • CVE-2021-33909
    Recently Published

    Red Hat Update for kpatch-patch (RHSA-2021:2723) (Sequoia)

    Severity
    Critical4
    Qualys ID
    239497
    Date Published
    July 21, 2021
    Vendor Reference
    RHSA-2021:2723
    CVE Reference
    CVE-2021-33909
    CVSS Scores
    Base 7.8 / Temporal 6.8
    Description
    This is a kernel live patch module which is automatically loaded by the RPM post-install script to modify the code of a running kernel.

    Security Fix(es): kernel: size_t-to-int conversion vulnerability in the filesystem layer (CVE-2021-33909)

    Affected Products:

    Red Hat Enterprise Linux for x86_64 - Extended Update Support 8.1 x86_64
    Red Hat Enterprise Linux for Power, little endian - Extended Update Support 8.1 ppc64le
    Red Hat Enterprise Linux Server (for IBM Power LE) - Update Services for SAP Solutions 8.1 ppc64le
    Red Hat Enterprise Linux Server - Update Services for SAP Solutions 8.1 x86_64

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    On successful exploitation, it could allow an attacker to execute code.
    Solution
    Upgrade to the latest packages which contain a patch. Refer to Applying Package Updates to RHEL system for details.

    Refer to Red Hat security advisory RHSA-2021:2723 to address this issue and obtain more information.

    Patches
    Red Hat Enterprise Linux RHSA-2021:2723
  • CVE-2021-33034+
    Recently Published

    Red Hat Update for kpatch-patch (RHSA-2021:2727) (Sequoia)

    Severity
    Critical4
    Qualys ID
    239495
    Date Published
    July 21, 2021
    Vendor Reference
    RHSA-2021:2727
    CVE Reference
    CVE-2021-33034, CVE-2021-33909
    CVSS Scores
    Base 7.8 / Temporal 6.8
    Description
    This is a kernel live patch module which is automatically loaded by the RPM post-install script to modify the code of a running kernel.

    Security Fix(es): kernel: size_t-to-int conversion vulnerability in the filesystem layer (CVE-2021-33909) kernel: use-after-free in net/bluetooth/hci_event.c when destroying an hci_chan (CVE-2021-33034)

    Affected Products:

    Red Hat Enterprise Linux Server 7 x86_64
    Red Hat Enterprise Linux for Power, little endian 7 ppc64le

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    On successful exploitation, it could allow an attacker to execute code.
    Solution
    Upgrade to the latest packages which contain a patch. Refer to Applying Package Updates to RHEL system for details.

    Refer to Red Hat security advisory RHSA-2021:2727 to address this issue and obtain more information.

    Patches
    Red Hat Enterprise Linux RHSA-2021:2727
  • CVE-2021-33910
    Recently Published

    Red Hat Update for systemd (RHSA-2021:2717)

    Severity
    Critical4
    Qualys ID
    239503
    Date Published
    July 21, 2021
    Vendor Reference
    RHSA-2021:2717
    CVE Reference
    CVE-2021-33910
    CVSS Scores
    Base 5.5 / Temporal 4.8
    Description
    The systemd packages contain systemd, a system and service manager for Linux, compatible with the SysV and LSB init scripts. It provides aggressive parallelism capabilities, uses socket and D-Bus activation for starting services, offers on-demand starting of daemons, and keeps track of processes using Linux cgroups. In addition, it supports snapshotting and restoring of the system state, maintains mount and automount points, and implements an elaborate transactional dependency-based service control logic. It can also work as a drop-in replacement for sysvinit.

    Security Fix(es): systemd: uncontrolled allocation on the stack in function unit_name_path_escape leads to crash (CVE-2021-33910)

    Affected Products:

    Red Hat Enterprise Linux for x86_64 8 x86_64
    Red Hat Enterprise Linux for x86_64 - Extended Update Support 8.4 x86_64
    Red Hat Enterprise Linux Server - AUS 8.4 x86_64
    Red Hat Enterprise Linux for IBM z Systems 8 s390x
    Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 8.4 s390x
    Red Hat Enterprise Linux for Power, little endian 8 ppc64le
    Red Hat Enterprise Linux for Power, little endian - Extended Update Support 8.4 ppc64le
    Red Hat Enterprise Linux Server - TUS 8.4 x86_64
    Red Hat Enterprise Linux for ARM 64 8 aarch64
    Red Hat Enterprise Linux for ARM 64 - Extended Update Support 8.4 aarch64
    Red Hat Enterprise Linux Server (for IBM Power LE) - Update Services for SAP Solutions 8.4 ppc64le
    Red Hat Enterprise Linux Server - Update Services for SAP Solutions 8.4 x86_64

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    On successful exploitation, it could allow an attacker to execute code.
    Solution
    Upgrade to the latest packages which contain a patch. Refer to Applying Package Updates to RHEL system for details.

    Refer to Red Hat security advisory RHSA-2021:2717 to address this issue and obtain more information.

    Patches
    Red Hat Enterprise Linux RHSA-2021:2717
  • CVE-2021-33910
    Recently Published

    Red Hat Update for systemd (RHSA-2021:2721)

    Severity
    Critical4
    Qualys ID
    239499
    Date Published
    July 21, 2021
    Vendor Reference
    RHSA-2021:2721
    CVE Reference
    CVE-2021-33910
    CVSS Scores
    Base 5.5 / Temporal 4.8
    Description
    The systemd packages contain systemd, a system and service manager for Linux, compatible with the SysV and LSB init scripts. It provides aggressive parallelism capabilities, uses socket and D-Bus activation for starting services, offers on-demand starting of daemons, and keeps track of processes using Linux cgroups. In addition, it supports snapshotting and restoring of the system state, maintains mount and automount points, and implements an elaborate transactional dependency-based service control logic. It can also work as a drop-in replacement for sysvinit.

    Security Fix(es): systemd: uncontrolled allocation on the stack in function unit_name_path_escape leads to crash (CVE-2021-33910)

    Affected Products:

    Red Hat Enterprise Linux for x86_64 - Extended Update Support 8.2 x86_64
    Red Hat Enterprise Linux Server - AUS 8.2 x86_64
    Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 8.2 s390x
    Red Hat Enterprise Linux for Power, little endian - Extended Update Support 8.2 ppc64le
    Red Hat Enterprise Linux Server - TUS 8.2 x86_64
    Red Hat Enterprise Linux for ARM 64 - Extended Update Support 8.2 aarch64
    Red Hat Enterprise Linux Server (for IBM Power LE) - Update Services for SAP Solutions 8.2 ppc64le
    Red Hat Enterprise Linux Server - Update Services for SAP Solutions 8.2 x86_64

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    On successful exploitation, it could allow an attacker to execute code.
    Solution
    Upgrade to the latest packages which contain a patch. Refer to Applying Package Updates to RHEL system for details.

    Refer to Red Hat security advisory RHSA-2021:2721 to address this issue and obtain more information.

    Patches
    Red Hat Enterprise Linux RHSA-2021:2721
  • CVE-2021-33910
    Recently Published

    Red Hat Update for systemd (RHSA-2021:2724)

    Severity
    Critical4
    Qualys ID
    239496
    Date Published
    July 21, 2021
    Vendor Reference
    RHSA-2021:2724
    CVE Reference
    CVE-2021-33910
    CVSS Scores
    Base 5.5 / Temporal 4.8
    Description
    The systemd packages contain systemd, a system and service manager for Linux, compatible with the SysV and LSB init scripts. It provides aggressive parallelism capabilities, uses socket and D-Bus activation for starting services, offers on-demand starting of daemons, and keeps track of processes using Linux cgroups. In addition, it supports snapshotting and restoring of the system state, maintains mount and automount points, and implements an elaborate transactional dependency-based service control logic. It can also work as a drop-in replacement for sysvinit.

    Security Fix(es): systemd: uncontrolled allocation on the stack in function unit_name_path_escape leads to crash (CVE-2021-33910)

    Affected Products:

    Red Hat Enterprise Linux for x86_64 - Extended Update Support 8.1 x86_64
    Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 8.1 s390x
    Red Hat Enterprise Linux for Power, little endian - Extended Update Support 8.1 ppc64le
    Red Hat Enterprise Linux for ARM 64 - Extended Update Support 8.1 aarch64
    Red Hat Enterprise Linux Server (for IBM Power LE) - Update Services for SAP Solutions 8.1 ppc64le
    Red Hat Enterprise Linux Server - Update Services for SAP Solutions 8.1 x86_64

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    On successful exploitation, it could allow an attacker to execute code.
    Solution
    Upgrade to the latest packages which contain a patch. Refer to Applying Package Updates to RHEL system for details.

    Refer to Red Hat security advisory RHSA-2021:2724 to address this issue and obtain more information.

    Patches
    Red Hat Enterprise Linux RHSA-2021:2724
  • CVE-2021-2351+
    Recently Published

    Oracle Database 12.1.0.2 Critical Patch Update - July 2021 (Unauthenticated)

    Severity
    Urgent5
    Qualys ID
    20230
    Date Published
    July 21, 2021
    Vendor Reference
    CPUJUL2021
    CVE Reference
    CVE-2021-2351, CVE-2021-2328, CVE-2021-2329, CVE-2021-2337, CVE-2020-27193, CVE-2020-26870, CVE-2021-2460, CVE-2021-2333, CVE-2019-17545, CVE-2021-2438, CVE-2021-2334, CVE-2021-2335, CVE-2021-2336
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description
    Oracle Database quarterly patches are proactive cumulative patches containing recommended bug fixes that are released on a regular schedule.

    Affected Software:
    Oracle Database 12.1.0.2

    QID Detection Logic (Unauthenticated):
    This QID connects the remote server's Oracle listener and reviews the Oracle banner version.

    Consequence
    Successful exploitation could allow an attacker to compromise the database.

    Solution
    Customers are requested to refer to CPUJUL2021 to obtain details about how to deploy the update.

    Patches
    CPUJUL2021
  • CVE-2021-2351+
    Recently Published

    Oracle Database 12.1.0.2 Critical Patch Update - July 2021

    Severity
    Urgent5
    Qualys ID
    20229
    Date Published
    July 21, 2021
    Vendor Reference
    CPUJUL2021
    CVE Reference
    CVE-2021-2351, CVE-2021-2328, CVE-2021-2329, CVE-2021-2337, CVE-2020-27193, CVE-2020-26870, CVE-2021-2460, CVE-2021-2333, CVE-2019-17545, CVE-2021-2438, CVE-2021-2334, CVE-2021-2335, CVE-2021-2336
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description
    Oracle Database quarterly patches are proactive cumulative patches containing recommended bug fixes that are released on a regular schedule.

    Affected Software:
    Oracle Database 12.1.0.2

    QID Detection Logic (Authenticated):
    Authentication via Oracle Database:
    This QID reviews the Oracle output from the table name DBA_REGISTRY_SQLPATCH for patch information.

    Consequence
    Successful exploitation could allow an attacker to compromise the database.

    Solution
    Customers are requested to refer to CPUJUL2021 to obtain details about how to deploy the update.

    Patches
    CPUJUL2021
  • CVE-2021-2351+
    Recently Published

    Oracle Database 12.2.0.1 Critical Patch Update - July 2021 (Unauthenticated)

    Severity
    Urgent5
    Qualys ID
    20228
    Date Published
    July 21, 2021
    Vendor Reference
    CPUJUL2021
    CVE Reference
    CVE-2021-2351, CVE-2021-2328, CVE-2021-2329, CVE-2021-2337, CVE-2021-2333, CVE-2019-17545, CVE-2021-2438, CVE-2021-2334, CVE-2021-2335, CVE-2021-2336
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description
    Oracle Database quarterly patches are proactive cumulative patches containing recommended bug fixes that are released on a regular schedule.

    Affected Software:
    Oracle Database 12.2.0.1

    QID Detection Logic (Unauthenticated):
    This QID connects the remote server's Oracle listener and reviews the Oracle banner version.

    Consequence
    Successful exploitation could allow an attacker to compromise the database.

    Solution
    Customers are requested to refer to CPUJUL2021 to obtain details about how to deploy the update.

    Patches
    CPUJUL2021
  • CVE-2021-2351+
    Recently Published

    Oracle Database 12.2.0.1 Critical Patch Update - July 2021

    Severity
    Urgent5
    Qualys ID
    20227
    Date Published
    July 21, 2021
    Vendor Reference
    CPUJULY2021
    CVE Reference
    CVE-2021-2351, CVE-2021-2328, CVE-2021-2329, CVE-2021-2337, CVE-2021-2333, CVE-2019-17545, CVE-2021-2438, CVE-2021-2334, CVE-2021-2335, CVE-2021-2336
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description
    Oracle Database quarterly patches are proactive cumulative patches containing recommended bug fixes that are released on a regular schedule.

    Affected Software:
    Oracle Database 12.2.0.1

    QID Detection Logic (Authenticated):
    Authentication via Oracle Database:
    This QID reviews the Oracle output from the table name DBA_REGISTRY_SQLPATCH for patch information.

    Consequence
    Successful exploitation could allow an attacker to compromise the database.

    Solution
    Customers are requested to refer to CPUJUL2021 to obtain details about how to deploy the update.

    Patches
    CPUJUL2021
  • CVE-2021-2351+
    Recently Published

    Oracle Database 19c Critical Patch Update - July 2021

    Severity
    Urgent5
    Qualys ID
    20226
    Date Published
    July 21, 2021
    Vendor Reference
    CPUJUL2021
    CVE Reference
    CVE-2021-2351, CVE-2021-2328, CVE-2021-2329, CVE-2021-2337, CVE-2020-27193, CVE-2020-26870, CVE-2021-2460, CVE-2021-2333, CVE-2019-17545, CVE-2021-2330, CVE-2020-7760, CVE-2021-2438, CVE-2021-2334, CVE-2021-2335, CVE-2021-2336
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description
    Oracle Database quarterly patches are proactive cumulative patches containing recommended bug fixes that are released on a regular schedule.

    Affected Software:
    Oracle Database 19c

    QID Detection Logic (Authenticated):
    Authentication via Oracle Database:
    This QID reviews the Oracle output from the table name DBA_REGISTRY_SQLPATCH for patch information.

    Consequence
    Successful exploitation could allow an attacker to compromise the database.

    Solution
    Customers are requested to refer to CPUJUL2021 to obtain details about how to deploy the update.

    Patches
    CPUJUL2021
  • CVE-2015-0254+
    Recently Published

    Oracle WebLogic Server Multiple Vulnerabilities (CPUJUL2021)

    Severity
    Critical4
    Qualys ID
    87458
    Date Published
    July 21, 2021
    Vendor Reference
    CPUJUL2021
    CVE Reference
    CVE-2015-0254, CVE-2021-2397, CVE-2021-2376, CVE-2021-2378, CVE-2021-2382, CVE-2021-2403, CVE-2021-2394
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description
    Oracle WebLogic Server (formerly known as BEA WebLogic Server) is an application server for building and deploying enterprise applications and services.
    The Oracle WebLogic Server component in Oracle Fusion Middleware for versions 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0 has fixes for multiple vulnerabilities.

    Affected Versions:
    Oracle WebLogic Server, version(s) 10.3.6.0, 12.1.3.0, 12.2.1.3,12.2.1.4 and 14.1.1.0

    QID Detection Logic (Authenticated):
    Operating System: Linux
    This QID checks to see if Oracle WebLogic Server process is listening on any of the TCP ports. If so, for version 12.x it gets the "Oracle_Home" path, navigates to that directory and reads "registry.xml" and the patch files found in the directory "Oracle_Home"\inventory\patches to check if the installed version is patched.
    For version 10.3.6.x, it gets the "Oracle_Home" path, navigates to that directory and reads "registry.xml" and the file "Oracle_Home"\patch_wls1036\registry\patch-registry.xml to check if the installed version is patched.

    QID Detection Logic (Authenticated):
    Operating System: Windows
    For affected 12.x version
    The QID checks the "Oracle_Home" path with help of the registry key "HKLM\Software\Oracle". The QID verifies if the affected WebLogic version is installed on the host and then checks if the corresponding patch is applied or not.

    For 10.3.6.0
    The QID checks if WebLogic v10.3.6.0 is installed by looking at the file WLS_HOME\wlserver_10.3\.product.properties. The QID then checks if the corresponding patch is applied or not. The WLS_HOME is check using the file "systemdrive"\bea\beahomelist.

    Patch IDs checked:
    WebLogic Server 14.1.1.0 - Patch 33069656
    WebLogic Server 12.2.1.4 - Patch 33059296
    WebLogic Server 12.2.1.3 - Patch 33064699
    WebLogic Server 12.1.3.0 - Patch 32832660
    WebLogic Server 10.3.6.0 - Patch 32832785

    QID Detection Logic (Unauthenticated) :
    The qid sends a "GET console/login/LoginForm.jsp" request to retrieve the WebLogic version installed.

    Consequence
    Successful exploitation could allow an attacker to affect the confidentiality, integrity and availability of data on the target system.

    Solution
    The vendor has released patches for these issues. Customers are advised to refer to Oracle CPUJUL2021 for detailed information.

    Patches
    CPUJUL2021
  • CVE-2020-14387+
    Recently Published

    Oracle Solaris 11.4 Support Repository Update (SRU) 35.94.4 Missing (CPUJUL2021)

    Severity
    Critical4
    Qualys ID
    296053
    Date Published
    July 21, 2021
    Vendor Reference
    CPUJUL2021, olaris ThirdpartyBulletin JUL 2021
    CVE Reference
    CVE-2020-14387, CVE-2020-18032, CVE-2021-20240, CVE-2021-20270, CVE-2021-2146, CVE-2021-2154, CVE-2021-2162, CVE-2021-2166, CVE-2021-2169, CVE-2021-2171, CVE-2021-2174, CVE-2021-2179, CVE-2021-2180, CVE-2021-2194, CVE-2021-2226, CVE-2021-2307, CVE-2021-2381, CVE-2021-23841, CVE-2021-27291, CVE-2021-28965, CVE-2021-29951, CVE-2021-29956, CVE-2021-29957, CVE-2021-29964, CVE-2021-29967, CVE-2021-31618, CVE-2021-32052, CVE-2021-32055, CVE-2021-33203, CVE-2021-33571, CVE-2021-3449, CVE-2021-3450, CVE-2021-3468, CVE-2021-3472, CVE-2021-3520, CVE-2021-3560
    CVSS Scores
    Base 9.8 / Temporal 8.8
    Description
    The target does not have Solaris 11.4 SRU 35.94.4 applied. The Support Repository Updates provide patch bundles/updates that primarily contain bug fixes for the system and third party software.

    QID Detection Logic (Authenticated):
    This QID lists installed patch to check if the patches are missing.

    Consequence
    Exploitation could allow an attacker to compromise a vulnerable system.

    Solution
    Apply Solaris 11.4 SRU 35.94.4. Refer to Oracle Solaris 11.4 SRU 35.94.4 for more information.

    SuperCluster Quarterly Full Stack Download Patches are not available at the time of publishing this qid. Please refer to QFSDP (Doc ID 2056975.1) for updates.

    Patches
    CPUJUL2021
  • CVE-2021-3570
    Recently Published

    Red Hat Update for linuxptp (RHSA-2021:2657)

    Severity
    Critical4
    Qualys ID
    239489
    Date Published
    July 21, 2021
    Vendor Reference
    RHSA-2021:2657
    CVE Reference
    CVE-2021-3570
    CVSS Scores
    Base 8.8 / Temporal 7.7
    Description
    The linuxptp packages provide Precision Time Protocol (PTP)
    implementation for Linux according to IEEE standard 1588 for Linux. The dual design goals are to provide a robust implementation of the standard and to use the most relevant and modern Application Programming Interfaces (API)
    offered by the Linux kernel.

    Security Fix(es): linuxptp: missing length check of forwarded messages (CVE-2021-3570)

    Affected Products:

    Red Hat Enterprise Linux for x86_64 - Extended Update Support 8.2 x86_64
    Red Hat Enterprise Linux Server - AUS 8.2 x86_64
    Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 8.2 s390x
    Red Hat Enterprise Linux for Power, little endian - Extended Update Support 8.2 ppc64le
    Red Hat Enterprise Linux Server - TUS 8.2 x86_64
    Red Hat Enterprise Linux for ARM 64 - Extended Update Support 8.2 aarch64
    Red Hat Enterprise Linux Server (for IBM Power LE) - Update Services for SAP Solutions 8.2 ppc64le
    Red Hat Enterprise Linux Server - Update Services for SAP Solutions 8.2 x86_64

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    On successful exploitation, it could allow an attacker to execute code.
    Solution
    Upgrade to the latest packages which contain a patch. Refer to Applying Package Updates to RHEL system for details.

    Refer to Red Hat security advisory RHSA-2021:2657 to address this issue and obtain more information.

    Patches
    Red Hat Enterprise Linux RHSA-2021:2657
  • CVE-2021-3570
    Recently Published

    Red Hat Update for linuxptp (RHSA-2021:2658)

    Severity
    Critical4
    Qualys ID
    239488
    Date Published
    July 21, 2021
    Vendor Reference
    RHSA-2021:2658
    CVE Reference
    CVE-2021-3570
    CVSS Scores
    Base 8.8 / Temporal 7.7
    Description
    The linuxptp packages provide Precision Time Protocol (PTP)
    implementation for Linux according to IEEE standard 1588 for Linux. The dual design goals are to provide a robust implementation of the standard and to use the most relevant and modern Application Programming Interfaces (API)
    offered by the Linux kernel.

    Security Fix(es): linuxptp: missing length check of forwarded messages (CVE-2021-3570)

    Affected Products:

    Red Hat Enterprise Linux Server 7 x86_64
    Red Hat Enterprise Linux Workstation 7 x86_64
    Red Hat Enterprise Linux Desktop 7 x86_64
    Red Hat Enterprise Linux for IBM z Systems 7 s390x
    Red Hat Enterprise Linux for Power, big endian 7 ppc64
    Red Hat Enterprise Linux for Scientific Computing 7 x86_64
    Red Hat Enterprise Linux for Power, little endian 7 ppc64le

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    On successful exploitation, it could allow an attacker to execute code.
    Solution
    Upgrade to the latest packages which contain a patch. Refer to Applying Package Updates to RHEL system for details.

    Refer to Red Hat security advisory RHSA-2021:2658 to address this issue and obtain more information.

    Patches
    Red Hat Enterprise Linux RHSA-2021:2658
  • CVE-2021-3570
    Recently Published

    Red Hat Update for linuxptp (RHSA-2021:2659)

    Severity
    Critical4
    Qualys ID
    239487
    Date Published
    July 21, 2021
    Vendor Reference
    RHSA-2021:2659
    CVE Reference
    CVE-2021-3570
    CVSS Scores
    Base 8.8 / Temporal 7.7
    Description
    The linuxptp packages provide Precision Time Protocol (PTP)
    implementation for Linux according to IEEE standard 1588 for Linux. The dual design goals are to provide a robust implementation of the standard and to use the most relevant and modern Application Programming Interfaces (API)
    offered by the Linux kernel.

    Security Fix(es): linuxptp: missing length check of forwarded messages (CVE-2021-3570)

    Affected Products:

    Red Hat Enterprise Linux for x86_64 - Extended Update Support 8.1 x86_64
    Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 8.1 s390x
    Red Hat Enterprise Linux for Power, little endian - Extended Update Support 8.1 ppc64le
    Red Hat Enterprise Linux for ARM 64 - Extended Update Support 8.1 aarch64
    Red Hat Enterprise Linux Server (for IBM Power LE) - Update Services for SAP Solutions 8.1 ppc64le
    Red Hat Enterprise Linux Server - Update Services for SAP Solutions 8.1 x86_64

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    On successful exploitation, it could allow an attacker to execute code.
    Solution
    Upgrade to the latest packages which contain a patch. Refer to Applying Package Updates to RHEL system for details.

    Refer to Red Hat security advisory RHSA-2021:2659 to address this issue and obtain more information.

    Patches
    Red Hat Enterprise Linux RHSA-2021:2659
  • CVE-2021-3570
    Recently Published

    Red Hat Update for linuxptp (RHSA-2021:2660)

    Severity
    Critical4
    Qualys ID
    239486
    Date Published
    July 21, 2021
    Vendor Reference
    RHSA-2021:2660
    CVE Reference
    CVE-2021-3570
    CVSS Scores
    Base 8.8 / Temporal 7.7
    Description
    The linuxptp packages provide Precision Time Protocol (PTP)
    implementation for Linux according to IEEE standard 1588 for Linux. The dual design goals are to provide a robust implementation of the standard and to use the most relevant and modern Application Programming Interfaces (API)
    offered by the Linux kernel.

    Security Fix(es): linuxptp: missing length check of forwarded messages (CVE-2021-3570)

    Affected Products:

    Red Hat Enterprise Linux for x86_64 8 x86_64
    Red Hat Enterprise Linux for x86_64 - Extended Update Support 8.4 x86_64
    Red Hat Enterprise Linux Server - AUS 8.4 x86_64
    Red Hat Enterprise Linux for IBM z Systems 8 s390x
    Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 8.4 s390x
    Red Hat Enterprise Linux for Power, little endian 8 ppc64le
    Red Hat Enterprise Linux for Power, little endian - Extended Update Support 8.4 ppc64le
    Red Hat Enterprise Linux Server - TUS 8.4 x86_64
    Red Hat Enterprise Linux for ARM 64 8 aarch64
    Red Hat Enterprise Linux for ARM 64 - Extended Update Support 8.4 aarch64
    Red Hat Enterprise Linux Server (for IBM Power LE) - Update Services for SAP Solutions 8.4 ppc64le
    Red Hat Enterprise Linux Server - Update Services for SAP Solutions 8.4 x86_64

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    On successful exploitation, it could allow an attacker to execute code.
    Solution
    Upgrade to the latest packages which contain a patch. Refer to Applying Package Updates to RHEL system for details.

    Refer to Red Hat security advisory RHSA-2021:2660 to address this issue and obtain more information.

    Patches
    Red Hat Enterprise Linux RHSA-2021:2660
  • CVE-2021-29505
    Recently Published

    Red Hat Update for xstream (RHSA-2021:2683)

    Severity
    Critical4
    Qualys ID
    239481
    Date Published
    July 21, 2021
    Vendor Reference
    RHSA-2021:2683
    CVE Reference
    CVE-2021-29505
    CVSS Scores
    Base 8.8 / Temporal 7.7
    Description
    XStream is a Java XML serialization library to serialize objects to and deserialize object from XML.

    Security Fix(es): XStream: remote command execution attack by manipulating the processed input stream (CVE-2021-29505)

    Affected Products:

    Red Hat Enterprise Linux Server 7 x86_64
    Red Hat Enterprise Linux Workstation 7 x86_64
    Red Hat Enterprise Linux Desktop 7 x86_64
    Red Hat Enterprise Linux for IBM z Systems 7 s390x
    Red Hat Enterprise Linux for Power, big endian 7 ppc64
    Red Hat Enterprise Linux for Scientific Computing 7 x86_64
    Red Hat Enterprise Linux for Power, little endian 7 ppc64le

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    On successful exploitation, it could allow an attacker to execute code.
    Solution
    Upgrade to the latest packages which contain a patch. Refer to Applying Package Updates to RHEL system for details.

    Refer to Red Hat security advisory RHSA-2021:2683 to address this issue and obtain more information.

    Patches
    Red Hat Enterprise Linux RHSA-2021:2683
  • CVE-2021-29970+
    Recently Published

    Red Hat Update for firefox (RHSA-2021:2740)

    Severity
    Critical4
    Qualys ID
    239477
    Date Published
    July 21, 2021
    Vendor Reference
    RHSA-2021:2740
    CVE Reference
    CVE-2021-29970, CVE-2021-29976, CVE-2021-30547
    CVSS Scores
    Base 8.8 / Temporal 7.7
    Description
    Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability.This update upgrades Firefox to version 78.12.0 ESR.

    Security Fix(es): Mozilla: Use-after-free in accessibility features of a document (CVE-2021-29970) Mozilla: Memory safety bugs fixed in Firefox 90 and Firefox ESR 78.12 (CVE-2021-29976) chromium-browser: Out of bounds write in ANGLE (CVE-2021-30547)

    Affected Products:

    Red Hat Enterprise Linux for x86_64 - Extended Update Support 8.1 x86_64
    Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 8.1 s390x
    Red Hat Enterprise Linux for Power, little endian - Extended Update Support 8.1 ppc64le
    Red Hat Enterprise Linux for ARM 64 - Extended Update Support 8.1 aarch64
    Red Hat Enterprise Linux Server (for IBM Power LE) - Update Services for SAP Solutions 8.1 ppc64le
    Red Hat Enterprise Linux Server - Update Services for SAP Solutions 8.1 x86_64

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    On successful exploitation, it could allow an attacker to execute code.
    Solution
    Upgrade to the latest packages which contain a patch. Refer to Applying Package Updates to RHEL system for details.

    Refer to Red Hat security advisory RHSA-2021:2740 to address this issue and obtain more information.

    Patches
    Red Hat Enterprise Linux RHSA-2021:2740
  • CVE-2021-29970+
    Recently Published

    Red Hat Update for firefox (RHSA-2021:2741)

    Severity
    Critical4
    Qualys ID
    239476
    Date Published
    July 21, 2021
    Vendor Reference
    RHSA-2021:2741
    CVE Reference
    CVE-2021-29970, CVE-2021-29976, CVE-2021-30547
    CVSS Scores
    Base 8.8 / Temporal 7.7
    Description
    Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability.This update upgrades Firefox to version 78.12.0 ESR.

    Security Fix(es): Mozilla: Use-after-free in accessibility features of a document (CVE-2021-29970) Mozilla: Memory safety bugs fixed in Firefox 90 and Firefox ESR 78.12 (CVE-2021-29976) chromium-browser: Out of bounds write in ANGLE (CVE-2021-30547)

    Affected Products:

    Red Hat Enterprise Linux Server 7 x86_64
    Red Hat Enterprise Linux Workstation 7 x86_64
    Red Hat Enterprise Linux Desktop 7 x86_64
    Red Hat Enterprise Linux for IBM z Systems 7 s390x
    Red Hat Enterprise Linux for Power, big endian 7 ppc64
    Red Hat Enterprise Linux for Power, little endian 7 ppc64le

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    On successful exploitation, it could allow an attacker to execute code.
    Solution
    Upgrade to the latest packages which contain a patch. Refer to Applying Package Updates to RHEL system for details.

    Refer to Red Hat security advisory RHSA-2021:2741 to address this issue and obtain more information.

    Patches
    Red Hat Enterprise Linux RHSA-2021:2741
  • CVE-2021-29970+
    Recently Published

    Red Hat Update for firefox (RHSA-2021:2742)

    Severity
    Critical4
    Qualys ID
    239475
    Date Published
    July 21, 2021
    Vendor Reference
    RHSA-2021:2742
    CVE Reference
    CVE-2021-29970, CVE-2021-29976, CVE-2021-30547
    CVSS Scores
    Base 8.8 / Temporal 7.7
    Description
    Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability.This update upgrades Firefox to version 78.12.0 ESR.

    Security Fix(es): Mozilla: Use-after-free in accessibility features of a document (CVE-2021-29970) Mozilla: Memory safety bugs fixed in Firefox 90 and Firefox ESR 78.12 (CVE-2021-29976) chromium-browser: Out of bounds write in ANGLE (CVE-2021-30547)

    Affected Products:

    Red Hat Enterprise Linux for x86_64 - Extended Update Support 8.2 x86_64
    Red Hat Enterprise Linux Server - AUS 8.2 x86_64
    Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 8.2 s390x
    Red Hat Enterprise Linux for Power, little endian - Extended Update Support 8.2 ppc64le
    Red Hat Enterprise Linux Server - TUS 8.2 x86_64
    Red Hat Enterprise Linux for ARM 64 - Extended Update Support 8.2 aarch64
    Red Hat Enterprise Linux Server (for IBM Power LE) - Update Services for SAP Solutions 8.2 ppc64le
    Red Hat Enterprise Linux Server - Update Services for SAP Solutions 8.2 x86_64

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    On successful exploitation, it could allow an attacker to execute code.
    Solution
    Upgrade to the latest packages which contain a patch. Refer to Applying Package Updates to RHEL system for details.

    Refer to Red Hat security advisory RHSA-2021:2742 to address this issue and obtain more information.

    Patches
    Red Hat Enterprise Linux RHSA-2021:2742
  • CVE-2021-29970+
    Recently Published

    Red Hat Update for firefox (RHSA-2021:2743)

    Severity
    Critical4
    Qualys ID
    239474
    Date Published
    July 21, 2021
    Vendor Reference
    RHSA-2021:2743
    CVE Reference
    CVE-2021-29970, CVE-2021-29976, CVE-2021-30547
    CVSS Scores
    Base 8.8 / Temporal 7.7
    Description
    Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability.This update upgrades Firefox to version 78.12.0 ESR.

    Security Fix(es): Mozilla: Use-after-free in accessibility features of a document (CVE-2021-29970) Mozilla: Memory safety bugs fixed in Firefox 90 and Firefox ESR 78.12 (CVE-2021-29976) chromium-browser: Out of bounds write in ANGLE (CVE-2021-30547)

    Affected Products:

    Red Hat Enterprise Linux for x86_64 8 x86_64
    Red Hat Enterprise Linux for x86_64 - Extended Update Support 8.4 x86_64
    Red Hat Enterprise Linux Server - AUS 8.4 x86_64
    Red Hat Enterprise Linux for IBM z Systems 8 s390x
    Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 8.4 s390x
    Red Hat Enterprise Linux for Power, little endian 8 ppc64le
    Red Hat Enterprise Linux for Power, little endian - Extended Update Support 8.4 ppc64le
    Red Hat Enterprise Linux Server - TUS 8.4 x86_64
    Red Hat Enterprise Linux for ARM 64 8 aarch64
    Red Hat Enterprise Linux for ARM 64 - Extended Update Support 8.4 aarch64
    Red Hat Enterprise Linux Server (for IBM Power LE) - Update Services for SAP Solutions 8.4 ppc64le
    Red Hat Enterprise Linux Server - Update Services for SAP Solutions 8.4 x86_64

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    On successful exploitation, it could allow an attacker to execute code.
    Solution
    Upgrade to the latest packages which contain a patch. Refer to Applying Package Updates to RHEL system for details.

    Refer to Red Hat security advisory RHSA-2021:2743 to address this issue and obtain more information.

    Patches
    Red Hat Enterprise Linux RHSA-2021:2743
  • CVE-2021-3570
    Recently Published

    Oracle Enterprise Linux Security Update for linuxptp (ELSA-2021-2660)

    Severity
    Critical4
    Qualys ID
    159300
    Date Published
    July 21, 2021
    Vendor Reference
    ELSA-2021-2660
    CVE Reference
    CVE-2021-3570
    CVSS Scores
    Base 8.8 / Temporal 7
    Description
    Oracle Enterprise Linux has released a security update for linuxptp to fix the vulnerabilities.

    Affected Product:
    Oracle Linux 8

    Consequence
    N/A
    Solution
    To resolve this issue, upgrade to the latest packages which contain a patch. Refer to Oracle Enterprise Linux advisory below for updates and patch information:

    ELSA-2021-2660.
    Patches
    Oracle Linux ELSA-2021-2660
  • CVE-2021-3570
    Recently Published

    Oracle Enterprise Linux Security Update for linuxptp (ELSA-2021-2658)

    Severity
    Critical4
    Qualys ID
    159299
    Date Published
    July 21, 2021
    Vendor Reference
    ELSA-2021-2658
    CVE Reference
    CVE-2021-3570
    CVSS Scores
    Base 8.8 / Temporal 7
    Description
    Oracle Enterprise Linux has released a security update for linuxptp to fix the vulnerabilities.

    Affected Product:
    Oracle Linux 7

    Consequence
    This vulnerability could be exploited to gain partial access to sensitive information. Malicious users could also use this vulnerability to change partial contents or configuration on the system. Additionally this vulnerability can also be used to cause a complete denial of service and could render the resource completely unavailable.
    Solution
    To resolve this issue, upgrade to the latest packages which contain a patch. Refer to Oracle Enterprise Linux advisory below for updates and patch information:

    ELSA-2021-2658.
    Patches
    Oracle Linux ELSA-2021-2658
  • CVE-2020-10663+
    Recently Published

    Oracle Enterprise Linux Security Update for ruby:2.6 (ELSA-2021-2588)

    Severity
    Critical4
    Qualys ID
    159298
    Date Published
    July 21, 2021
    Vendor Reference
    ELSA-2021-2588
    CVE Reference
    CVE-2020-10663, CVE-2019-15845, CVE-2019-16201, CVE-2019-16254, CVE-2019-16255, CVE-2020-25613, CVE-2020-10933, CVE-2021-28965, CVE-2019-3881
    CVSS Scores
    Base 8.1 / Temporal 6.5
    Description
    Oracle Enterprise Linux has released a security update for ruby:2.6 to fix the vulnerabilities.

    Affected Product:
    Oracle Linux 8

    Consequence
    Successful exploitation allows an attacker to compromise the system.
    Solution
    To resolve this issue, upgrade to the latest packages which contain a patch. Refer to Oracle Enterprise Linux advisory below for updates and patch information:

    ELSA-2021-2588.
    Patches
    Oracle Linux ELSA-2021-2588
  • CVE-2021-36018+
    Recently Published

    Adobe After Effects Multiple Security Vulnerabilities(APSB21-54)

    Severity
    Critical4
    Qualys ID
    375726
    Date Published
    July 21, 2021
    Vendor Reference
    APSB21-54
    CVE Reference
    CVE-2021-36018, CVE-2021-35995, CVE-2021-36019, CVE-2021-35996, CVE-2021-36017, CVE-2021-35993, CVE-2021-35994
    CVSS Scores
    Base 7.8 / Temporal 6.8
    Description
    Adobe After Effects is a digital visual effects, motion graphics, and compositing application developed by Adobe Systems and used in the post-production process of film making and television production.

    Affected Versions:
    Adobe After Effects Version 18.2.1 and earlier versions

    Consequence
    Successful exploitation could lead to arbitrary code execution.
    Solution
    Adobe has released After Effects version 18.4 in APSB21-54 to address this vulnerability.
    Patches
    APSB21-54
  • CVE-2021-36005+
    Recently Published

    Adobe Photoshop Multiple Security Vulnerabilities (APSB21-63)

    Severity
    Critical4
    Qualys ID
    375725
    Date Published
    July 21, 2021
    Vendor Reference
    APSB21-63
    CVE Reference
    CVE-2021-36005, CVE-2021-36006
    CVSS Scores
    Base 7.8 / Temporal 6.8
    Description
    Adobe Photoshop is an application that allows users to view and edit various graphic formats. This update resolves an arbitrary code execution vulnerability.

    Affected Versions:
    Adobe Photoshop 2020 Version 21.2.9 and earlier versions
    Adobe Photoshop 2021 Version 22.4.2 and earlier versions

    QID Detection Logic:
    Windows(Authenticated): This QID checks for vulnerable version of Photoshop.exe file.
    MAC(Authenticated): This QID checks for vulnerable version of Photoshop

    Consequence
    Successful exploitation could lead to arbitrary code execution.

    Solution
    Adobe has released Photoshop version 21.2.10 and 22.4.3 in APSB21-63 to address this vulnerability.
    Patches
    APSB21-63
  • CVE-2020-26541+
    Recently Published

    Red Hat Update for kernel (RHSA-2021:2666)

    Severity
    Critical4
    Qualys ID
    239483
    Date Published
    July 21, 2021
    Vendor Reference
    RHSA-2021:2666
    CVE Reference
    CVE-2020-26541, CVE-2021-33034
    CVSS Scores
    Base 7.8 / Temporal 6.8
    Description
    The kernel packages contain the Linux kernel, the core of any Linux operating system.

    Security Fix(es): kernel: use-after-free in net/bluetooth/hci_event.c when destroying an hci_chan (CVE-2021-33034) kernel: security bypass in certs/blacklist.c and certs/system_keyring.c (CVE-2020-26541)

    Affected Products:

    Red Hat Enterprise Linux for x86_64 - Extended Update Support 8.1 x86_64
    Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 8.1 s390x
    Red Hat Enterprise Linux for Power, little endian - Extended Update Support 8.1 ppc64le
    Red Hat Enterprise Linux for ARM 64 - Extended Update Support 8.1 aarch64
    Red Hat Enterprise Linux Server (for IBM Power LE) - Update Services for SAP Solutions 8.1 ppc64le
    Red Hat Enterprise Linux Server - Update Services for SAP Solutions 8.1 x86_64
    Red Hat CodeReady Linux Builder for x86_64 - Extended Update Support 8.1 x86_64
    Red Hat CodeReady Linux Builder for Power, little endian - Extended Update Support 8.1 ppc64le
    Red Hat CodeReady Linux Builder for ARM 64 - Extended Update Support 8.1 aarch64

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    On successful exploitation, it could allow an attacker to execute code.
    Solution
    Upgrade to the latest packages which contain a patch. Refer to Applying Package Updates to RHEL system for details.

    Refer to Red Hat security advisory RHSA-2021:2666 to address this issue and obtain more information.

    Patches
    Red Hat Enterprise Linux RHSA-2021:2666
  • CVE-2021-33034
    Recently Published

    Red Hat Update for kpatch-patch (RHSA-2021:2668)

    Severity
    Critical4
    Qualys ID
    239482
    Date Published
    July 21, 2021
    Vendor Reference
    RHSA-2021:2668
    CVE Reference
    CVE-2021-33034
    CVSS Scores
    Base 7.8 / Temporal 6.8
    Description
    This is a kernel live patch module which is automatically loaded by the RPM post-install script to modify the code of a running kernel.

    Security Fix(es): kernel: use-after-free in net/bluetooth/hci_event.c when destroying an hci_chan (CVE-2021-33034)

    Affected Products:

    Red Hat Enterprise Linux for x86_64 - Extended Update Support 8.1 x86_64
    Red Hat Enterprise Linux for Power, little endian - Extended Update Support 8.1 ppc64le
    Red Hat Enterprise Linux Server (for IBM Power LE) - Update Services for SAP Solutions 8.1 ppc64le
    Red Hat Enterprise Linux Server - Update Services for SAP Solutions 8.1 x86_64

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    On successful exploitation, it could allow an attacker to execute code.
    Solution
    Upgrade to the latest packages which contain a patch. Refer to Applying Package Updates to RHEL system for details.

    Refer to Red Hat security advisory RHSA-2021:2668 to address this issue and obtain more information.

    Patches
    Red Hat Enterprise Linux RHSA-2021:2668
  • CVE-2021-3560+
    Recently Published

    Red Hat Update for OpenShift Container Platform 4.7.19 (RHSA-2021:2555)

    Severity
    Critical4
    Qualys ID
    239490
    Date Published
    July 21, 2021
    Vendor Reference
    RHSA-2021:2555
    CVE Reference
    CVE-2021-3560, CVE-2021-25217
    CVSS Scores
    Base 7.4 / Temporal 6.7
    Description
    Red Hat OpenShift Container Platform is Red Hat's cloud computingKubernetes application platform solution designed for on-premise or privatecloud deployments.This advisory contains the RPM packages for Red Hat OpenShift Container Platform 4.7.19. See the following advisory for the container images for this release:https://access.redhat.com/errata/RHSA-2021:2554

    Security Fix(es): polkit: local privilege escalation using polkit_system_bus_name_get_creds_sync()
    (CVE-2021-3560) dhcp: stack-based buffer overflow when parsing statements with colon-separated hex digits in config or lease files in dhcpd and dhclient (CVE-2021-25217)

    Affected Products:

    Red Hat OpenShift Container Platform 4.7 for RHEL 8 x86_64
    Red Hat OpenShift Container Platform 4.7 for RHEL 7 x86_64
    Red Hat OpenShift Container Platform for Power 4.7 for RHEL 8 ppc64le
    Red Hat OpenShift Container Platform for IBM Z and LinuxONE 4.7 for RHEL 8 s390x

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    On successful exploitation, it could allow an attacker to execute code.
    Solution
    Upgrade to the latest packages which contain a patch. Refer to Applying Package Updates to RHEL system for details.

    Refer to Red Hat security advisory RHSA-2021:2555 to address this issue and obtain more information.

    Patches
    Red Hat Enterprise Linux RHSA-2021:2555
  • CVE-2021-35997
    Under Investigation

    Adobe Premiere Pro Arbitrary Code Execution Vulnerability (APSB21-56)

    Severity
    Critical4
    Qualys ID
    375728
    Vendor Reference
    APSB21-56
    CVE Reference
    CVE-2021-35997
    CVSS Scores
    Base 7.3 / Temporal 6.4
    Description
    Adobe Premiere Pro is a timeline-based video editing app developed by Adobe Systems and published as part of the Adobe Creative Cloud licensing program.This update fixes security bugs in Adobe Creative Cloud Desktop Application.

    Affected Versions:
    Adobe Premiere Pro 15.2 and earlier versions

    Consequence
    Successful exploitation could lead to arbitrary code execution.
    Solution
    The vendor has released a patch for Adobe Premiere Pro
    For more information please visit APSB21-56
    Patches
    APSB21-56
  • CVE-2021-31535
    Recently Published

    Amazon Linux Security Advisory for libX11: ALAS2-2021-1686

    Severity
    Critical4
    Qualys ID
    352488
    Date Published
    July 21, 2021
    Vendor Reference
    ALAS2-2021-1686
    CVE Reference
    CVE-2021-31535
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description

    A missing validation flaw was found in libx11.
    This flaw allows an attacker to inject x11 protocol commands on x clients, and in some cases, also bypass, authenticate (via injection of control characters), or potentially execute arbitrary code with permissions of the application compiled with libx11.
    The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability. (
    ( CVE-2021-31535)



    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    Allows unauthorized disclosure of information; allows unauthorized modification; allows disruption of service.
    Solution
    Please refer to Amazon advisory: ALAS2-2021-1686 for affected packages and patching details, or update with your package manager.
    Patches
    Amazon Linux 2 ALAS2-2021-1686
  • CVE-2021-30547+
    Recently Published

    SUSE Enterprise Linux Security Update for MozillaFirefox (SUSE-SU-2021:2389-1)

    Severity
    Critical4
    Qualys ID
    750838
    Date Published
    July 21, 2021
    Vendor Reference
    SUSE-SU-2021:2389-1
    CVE Reference
    CVE-2021-30547, CVE-2021-29970, CVE-2021-29976
    CVSS Scores
    Base 8.8 / Temporal 7.7
    Description
    This update for mozillafirefox fixes the following issues: firefox extended support release 78.12.0 esr * fixed: various stability, functionality, and security fixes mfsa 2021-29 (bsc#1188275) * cve-2021-29970: use-after-free in accessibility features of a document * cve-2021-30547: out of bounds write in angle * cve-2021-29976: memory safety bugs fixed in firefox 90 and firefox esr 78.12

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    Successful exploitation allows attacker to compromise the system.
    Solution
    Upgrade to the latest package which contains the patch. To install this SUSE Security, Update use YaST online_update. Alternatively you can run the command listed for your product. To install packages using the command line interface, use command "yum update". Refer to Suse security advisory: SUSE-SU-2021:2389-1 to address this issue and obtain further details.
    Patches
    SUSE Enterprise Linux SUSE-SU-2021:2389-1
  • CVE-2020-13936
    Recently Published

    Amazon Linux Security Advisory for velocity: ALAS2-2021-1690

    Severity
    Critical4
    Qualys ID
    352484
    Date Published
    July 21, 2021
    Vendor Reference
    ALAS2-2021-1690
    CVE Reference
    CVE-2020-13936
    CVSS Scores
    Base 8.8 / Temporal 7.7
    Description

    A flaw was found in velocity.
    An attacker, able to modify velocity templates, may execute arbitrary java code or run arbitrary system commands with the same privileges as the account running the servlet container.
    The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. (
    ( CVE-2020-13936)



    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    Allows unauthorized disclosure of information; allows unauthorized modification; allows disruption of service.
    Solution
    Please refer to Amazon advisory: ALAS2-2021-1690 for affected packages and patching details, or update with your package manager.
    Patches
    Amazon Linux 2 ALAS2-2021-1690
  • CVE-2021-30547+
    Recently Published

    CentOS Security Update for firefox (CESA-2021:2741)

    Severity
    Critical4
    Qualys ID
    257098
    Date Published
    July 21, 2021
    Vendor Reference
    CESA-2021:2741
    CVE Reference
    CVE-2021-30547, CVE-2021-29970, CVE-2021-29976
    CVSS Scores
    Base 8.8 / Temporal 7.7
    Description
    CentOS has released security update for firefox security update to fix the vulnerabilities.

    Affected Products:

    centos 7

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    This vulnerability could be exploited to gain remote access to sensitive information and execute commands.
    Solution
    To resolve this issue, upgrade to the latest packages which contain a patch. Refer to CentOS advisory >centos 7 for updates and patch information.
    Patches
    centos 7 CESA-2021:2741
  • CVE-2021-3573+
    Recently Published

    OpenSUSE Security Update for the Linux Kernel (openSUSE-SU-2021:2352-1)

    Severity
    Critical4
    Qualys ID
    750842
    Date Published
    July 21, 2021
    Vendor Reference
    openSUSE-SU-2021:2352-1
    CVE Reference
    CVE-2021-3573, CVE-2021-0512, CVE-2021-33624, CVE-2021-0605, CVE-2021-34693
    CVSS Scores
    Base 7.8 / Temporal 6.8
    Description
    OpenSUSE has released a security update for the Linux Kernel to fix the vulnerabilities.

    Affected Products:
    openSUSE Leap 15.3


    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    Malicious users could also use this vulnerability to change partial contents or configuration on the system and information disclosure.Denial of service can appear in some cases too.
    Solution
    Upgrade to the latest packages which contain a patch. To install this OpenSUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product.

    To install packages using the command line interface, use the command "yum update".

    Refer to SUSE security advisory openSUSE-SU-2021:2352-1 to address this issue and obtain further details.

    Patches
    OpenSuse openSUSE-SU-2021:2352-1
  • CVE-2021-33624+
    Recently Published

    Amazon Linux Security Advisory for kernel: ALAS2-2021-1685

    Severity
    Critical4
    Qualys ID
    352489
    Date Published
    July 21, 2021
    Vendor Reference
    ALAS2-2021-1685
    CVE Reference
    CVE-2021-33624, CVE-2021-3573, CVE-2021-32399, CVE-2021-33034, CVE-2021-0129, CVE-2020-26558, CVE-2021-3564, CVE-2021-29650
    CVSS Scores
    Base 7.8 / Temporal 6.8
    Description

    A vulnerability was found in the bluez, where passkey entry protocol used in secure simple pairing (ssp), secure connections (sc) and le secure connections (lesc) of the bluetooth core specification is vulnerable to an impersonation attack where an active attacker can impersonate the initiating device without any previous knowledge. (
    ( CVE-2020-26558) a flaw was found in the linux kernel.
    Improper access control in bluez may allow an authenticated user to potentially enable information disclosure via adjacent access.
    The highest threat from this vulnerability is to data confidentiality and integrity. (
    ( CVE-2021-0129) a denial-of-service (dos) flaw was identified in the linux kernel due to an incorrect memory barrier in xt_replace_table in net/netfilter/x_tables.c in the netfilter subsystem. (
    ( CVE-2021-29650) a flaw was found in the linux kernel's handling of the removal of bluetooth hci controllers.
    This flaw allows an attacker with a local account to exploit a race condition, leading to corrupted memory and possible privilege escalation.
    The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability. (
    ( CVE-2021-32399) a use-after-free flaw was found in hci_send_acl in the bluetooth host controller interface (hci) in linux kernel, where a local attacker with an access rights could cause a denial of service problem on the system the issue results from the object hchan, freed in hci_disconn_loglink_complete_evt, yet still used in other places.
    The highest threat from this vulnerability is to data integrity, confidentiality and system availability. (
    ( CVE-2021-33034) a flaw was found in the linux kernel's bpf subsystem, where protection against speculative execution attacks (spectre mitigation) can be bypassed.
    The highest threat from this vulnerability is to confidentiality. (
    ( CVE-2021-33624) a flaw double-free memory corruption in the linux kernel hci device initialization subsystem was found in the way user attach malicious hci tty bluetooth device.
    A local user could use this flaw to crash the system. (
    ( CVE-2021-3564) a flaw use-after-free in the linux kernel hci subsystem was found in the way user detaches bluetooth dongle or other way triggers unregister bluetooth device event.
    A local user could use this flaw to crash the system or escalate their privileges on the system. (
    ( CVE-2021-3573)



    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    Allows unauthorized disclosure of information; allows unauthorized modification; allows disruption of service.
    Solution
    Please refer to Amazon advisory: ALAS2-2021-1685 for affected packages and patching details, or update with your package manager.
    Patches
    Amazon Linux 2 ALAS2-2021-1685
  • CVE-2021-27290+
    Recently Published

    OpenSUSE Security Update for nodejs14 (openSUSE-SU-2021:2354-1)

    Severity
    Critical4
    Qualys ID
    750841
    Date Published
    July 21, 2021
    Vendor Reference
    openSUSE-SU-2021:2354-1
    CVE Reference
    CVE-2021-27290, CVE-2020-7774, CVE-2021-23362, CVE-2021-22918
    CVSS Scores
    Base 7.5 / Temporal 6.5
    Description
    OpenSUSE has released a security update for nodejs14 to fix the vulnerabilities.

    Affected Products:
    openSUSE Leap 15.3


    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    This vulnerability could be exploited to gain remote access to sensitive information and execute commands.
    Solution
    Upgrade to the latest packages which contain a patch. To install this OpenSUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product.

    To install packages using the command line interface, use the command "yum update".

    Refer to SUSE security advisory openSUSE-SU-2021:2354-1 to address this issue and obtain further details.

    Patches
    OpenSuse openSUSE-SU-2021:2354-1
  • CVE-2020-7774+
    Recently Published

    OpenSUSE Security Update for nodejs10 (openSUSE-SU-2021:2353-1)

    Severity
    Critical4
    Qualys ID
    750840
    Date Published
    July 21, 2021
    Vendor Reference
    openSUSE-SU-2021:2353-1
    CVE Reference
    CVE-2020-7774, CVE-2021-3449, CVE-2021-27290, CVE-2021-23362, CVE-2021-3450, CVE-2021-22918
    CVSS Scores
    Base 7.5 / Temporal 6.5
    Description
    OpenSUSE has released a security update for nodejs10 to fix the vulnerabilities.

    Affected Products:
    openSUSE Leap 15.3


    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    This vulnerability could be exploited to gain remote access to sensitive information and execute commands.
    Solution
    Upgrade to the latest packages which contain a patch. To install this OpenSUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product.

    To install packages using the command line interface, use the command "yum update".

    Refer to SUSE security advisory openSUSE-SU-2021:2353-1 to address this issue and obtain further details.

    Patches
    OpenSuse openSUSE-SU-2021:2353-1
  • CVE-2021-23362+
    Recently Published

    SUSE Enterprise Linux Security Update for nodejs10 (SUSE-SU-2021:2353-1)

    Severity
    Critical4
    Qualys ID
    750837
    Date Published
    July 21, 2021
    Vendor Reference
    SUSE-SU-2021:2353-1
    CVE Reference
    CVE-2021-23362, CVE-2021-3449, CVE-2020-7774, CVE-2021-3450, CVE-2021-22918, CVE-2021-27290
    CVSS Scores
    Base 7.5 / Temporal 6.5
    Description
    This update for nodejs10 fixes the following issues: update nodejs10 to 10.24.1.
    Including fixes for - cve-2021-22918: libuv upgrade - out of bounds read (bsc#1187973) - cve-2021-27290: ssri regular expression denial of service (bsc#1187976) - cve-2021-23362: hosted-git-info regular expression denial of service (bsc#1187977) - cve-2020-7774: y18n prototype pollution (bsc#1184450) - cve-2021-3450: openssl - ca certificate check bypass with x509_v_flag_x509_strict (bsc#1183851) - cve-2021-3449: openssl - null pointer deref in signature_algorithms processing (bsc#1183852) - reduce memory footprint of test-worker-stdio (bsc#1183155)

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    Successful exploitation allows attacker to compromise the system.
    Solution
    Upgrade to the latest package which contains the patch. To install this SUSE Security, Update use YaST online_update. Alternatively you can run the command listed for your product. To install packages using the command line interface, use command "yum update". Refer to Suse security advisory: SUSE-SU-2021:2353-1 to address this issue and obtain further details.
    Patches
    SUSE Enterprise Linux SUSE-SU-2021:2353-1
  • CVE-2015-3415+
    Recently Published

    SUSE Enterprise Linux Security Update for sqlite3 (SUSE-SU-2021:2320-1)

    Severity
    Critical4
    Qualys ID
    750831
    Date Published
    July 21, 2021
    Vendor Reference
    SUSE-SU-2021:2320-1
    CVE Reference
    CVE-2015-3415, CVE-2015-3414, CVE-2020-13632, CVE-2020-13434, CVE-2019-19924, CVE-2019-19959, CVE-2019-20218, CVE-2019-19880, CVE-2020-15358, CVE-2019-19646, CVE-2020-13631, CVE-2019-19244, CVE-2019-19603, CVE-2019-19923, CVE-2019-19925, CVE-2020-13435, CVE-2020-13630, CVE-2019-19645, CVE-2020-9327, CVE-2019-19926, CVE-2019-19317
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description
    This update for sqlite3 fixes the following issues: - update to version 3.36.0 - cve-2020-15358: heap-based buffer overflow in multiselectorderby due to mishandling of query-flattener optimization (bsc#1173641) - cve-2020-9327: null pointer dereference and segmentation fault because of generated column optimizations in isauxiliaryvtaboperator (bsc#1164719) - cve-2019-20218: selectexpander in select.c proceeds with with stack unwinding even after a parsing error (bsc#1160439) - cve-2019-19959: memory-management error via ext/misc/zipfile.c involving embedded \0 input (bsc#1160438) - cve-2019-19923: improper handling of certain uses of select distinct in flattensubquery may lead to null pointer dereference (bsc#1160309) - cve-2019-19924: improper error handling in sqlite3windowrewrite() (bsc#1159850) - cve-2019-19925: improper handling of null pathname during an update of a zip archive (bsc#1159847) - cve-2019-19926: improper handling of certain errors during parsing multiselect in select.c (bsc#1159715) - cve-2019-19880: exprlistappendlist in window.c allows attackers to trigger an invalid pointer dereference (bsc#1159491) - cve-2019-19603: during handling of create table and create view statements, does not consider confusion with a shadow table name (bsc#1158960) - cve-2019-19646: pragma.c mishandles not null in an integrity_check pragma command in certain cases of generated columns (bsc#1158959) - cve-2019-19645: alter.c allows attackers to trigger infinite recursion via certain types of self-referential views in conjunction with alter table statements (bsc#1158958) - cve-2019-19317: lookupname in resolve.c omits bits from the colused bitmask in the case of a generated column, which allows attackers to cause a denial of service (bsc#1158812) - cve-2019-19244: sqlite3,sqlite2,sqlite: the function sqlite3select in select.c allows a crash if a sub-select uses both distinct and window functions, and also has certain order by usage (bsc#1157818) - cve-2015-3415: sqlite3vdbeexec comparison operator vulnerability (bsc#928701) - cve-2015-3414: sqlite3,sqlite2: dequoting of collation-sequence names (bsc#928700) - cve-2020-13434: integer overflow in sqlite3_str_vappendf (bsc#1172115) - cve-2020-13630: (bsc#1172234: use-after-free in fts3evalnextrow - cve-2020-13631: virtual table allowed to be renamed to one of its shadow tables (bsc#1172236) - cve-2020-13632: null pointer dereference via crafted matchinfo() query (bsc#1172240) - cve-2020-13435: malicious sql statements could have crashed the process that is running sqlite (bsc#1172091)

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    Successful exploitation allows attacker to compromise the system.
    Solution
    Upgrade to the latest package which contains the patch. To install this SUSE Security, Update use YaST online_update. Alternatively you can run the command listed for your product. To install packages using the command line interface, use command "yum update". Refer to Suse security advisory: SUSE-SU-2021:2320-1 to address this issue and obtain further details.
    Patches
    SUSE Enterprise Linux SUSE-SU-2021:2320-1
  • CVE-2020-24588+
    Recently Published

    SUSE Enterprise Linux Security Update for the Linux Kernel (SUSE-SU-2021:2324-1)

    Severity
    Critical4
    Qualys ID
    750832
    Date Published
    July 21, 2021
    Vendor Reference
    SUSE-SU-2021:2324-1
    CVE Reference
    CVE-2020-24588, CVE-2021-34693, CVE-2021-33624, CVE-2020-36386, CVE-2019-25045, CVE-2021-0512, CVE-2021-0605, CVE-2021-0129, CVE-2020-26558
    CVSS Scores
    Base 7.8 / Temporal 6.8
    Description
    The suse linux enterprise 12 sp5 kernel was updated to receive various security and bugfixes.
    The following security bugs were fixed: - cve-2021-33624: fixed a bug which allows unprivileged bpf program to leak the contents of arbitrary kernel memory (and therefore, of all physical memory) via a side-channel. (
    Bsc#1187554) - cve-2019-25045: fixed an use-after-free issue in the linux kernel the xfrm subsystem, related to an xfrm_state_fini panic. (
    Bsc#1187049) - cve-2021-0605: fixed an out-of-bounds read which could lead to local information disclosure in the kernel with system execution privileges needed. (
    Bsc#1187601) - cve-2021-0512: fixed a possible out-of-bounds write which could lead to local escalation of privilege with no additional execution privileges needed. (
    Bsc#1187595) - cve-2020-26558: fixed a flaw in the bluetooth le and br/edr secure pairing that could permit a nearby man-in-the-middle attacker to identify the passkey used during pairing. (
    Bsc#1179610) - cve-2021-34693: fixed a bug in net/can/bcm.c which could allow local users to obtain sensitive information from kernel stack memory because parts of a data structure are uninitialized. (
    Bsc#1187452) - cve-2021-0129: fixed an improper access control in bluez that may have allowed an authenticated user to potentially enable information disclosure via adjacent access. (
    Bsc#1186463) - cve-2020-36386: fixed an out-of-bounds read in hci_extended_inquiry_result_evt. (
    Bsc#1187038) - cve-2020-24588: fixed a bug that could allow an adversary to abuse devices that support receiving non-ssp a-msdu frames to inject arbitrary network packets. (
    Bsc#1185861)

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    Successful exploitation allows attacker to compromise the system.
    Solution
    Upgrade to the latest package which contains the patch. To install this SUSE Security, Update use YaST online_update. Alternatively you can run the command listed for your product. To install packages using the command line interface, use command "yum update". Refer to Suse security advisory: SUSE-SU-2021:2324-1 to address this issue and obtain further details.
    Patches
    SUSE Enterprise Linux SUSE-SU-2021:2324-1
  • CVE-2020-24588+
    Recently Published

    SUSE Enterprise Linux Security Update for the Linux Kernel (SUSE-SU-2021:2321-1)

    Severity
    Critical4
    Qualys ID
    750830
    Date Published
    July 21, 2021
    Vendor Reference
    SUSE-SU-2021:2321-1
    CVE Reference
    CVE-2020-24588, CVE-2021-34693, CVE-2021-33624, CVE-2020-36386, CVE-2019-25045, CVE-2021-0512, CVE-2021-0605, CVE-2021-0129, CVE-2020-26558
    CVSS Scores
    Base 7.8 / Temporal 6.8
    Description
    The suse linux enterprise 12 sp5 kernel was updated to receive various security and bugfixes.
    The following security bugs were fixed: - cve-2021-33624: fixed a bug which allows unprivileged bpf program to leak the contents of arbitrary kernel memory (and therefore, of all physical memory) via a side-channel. (
    Bsc#1187554) - cve-2019-25045: fixed an use-after-free issue in the linux kernel the xfrm subsystem, related to an xfrm_state_fini panic. (
    Bsc#1187049) - cve-2021-0605: fixed an out-of-bounds read which could lead to local information disclosure in the kernel with system execution privileges needed. (
    Bsc#1187601) - cve-2021-0512: fixed a possible out-of-bounds write which could lead to local escalation of privilege with no additional execution privileges needed. (
    Bsc#1187595) - cve-2020-26558: fixed a flaw in the bluetooth le and br/edr secure pairing that could permit a nearby man-in-the-middle attacker to identify the passkey used during pairing. (
    Bsc#1179610) - cve-2021-34693: fixed a bug in net/can/bcm.c which could allow local users to obtain sensitive information from kernel stack memory because parts of a data structure are uninitialized. (
    Bsc#1187452) - cve-2021-0129: fixed an improper access control in bluez that may have allowed an authenticated user to potentially enable information disclosure via adjacent access. (
    Bsc#1186463) - cve-2020-36386: fixed an out-of-bounds read in hci_extended_inquiry_result_evt. (
    Bsc#1187038) - cve-2020-24588: fixed a bug that could allow an adversary to abuse devices that support receiving non-ssp a-msdu frames to inject arbitrary network packets. (
    Bsc#1185861)

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    Successful exploitation allows attacker to compromise the system.
    Solution
    Upgrade to the latest package which contains the patch. To install this SUSE Security, Update use YaST online_update. Alternatively you can run the command listed for your product. To install packages using the command line interface, use command "yum update". Refer to Suse security advisory: SUSE-SU-2021:2321-1 to address this issue and obtain further details.
    Patches
    SUSE Enterprise Linux SUSE-SU-2021:2321-1
  • CVE-2021-29505
    Recently Published

    CentOS Security Update for xstream (CESA-2021:2683)

    Severity
    Critical4
    Qualys ID
    257097
    Date Published
    July 21, 2021
    Vendor Reference
    CESA-2021:2683
    CVE Reference
    CVE-2021-29505
    CVSS Scores
    Base 8.8 / Temporal 7.7
    Description
    CentOS has released security update for xstream security update to fix the vulnerabilities.

    Affected Products:

    centos 7

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    This vulnerability could be exploited to gain remote access to sensitive information and execute commands.
    Solution
    To resolve this issue, upgrade to the latest packages which contain a patch. Refer to CentOS advisory >centos 7 for updates and patch information.
    Patches
    centos 7 CESA-2021:2683
  • CVE-2020-14343
    Recently Published

    Oracle Enterprise Linux Security Update for python38:3.8 and python38-devel:3.8 (ELSA-2021-2583)

    Severity
    Urgent5
    Qualys ID
    159289
    Date Published
    July 21, 2021
    Vendor Reference
    ELSA-2021-2583
    CVE Reference
    CVE-2020-14343
    CVSS Scores
    Base 9.8 / Temporal 7.8
    Description
    Oracle Enterprise Linux has released a security update for python38:3.8 and python38-devel:3.8 to fix the vulnerabilities.

    Affected Product:
    Oracle Linux 8

    Consequence
    This vulnerability could be exploited to gain complete access to sensitive information. Malicious users could also use this vulnerability to change all the contents or configuration on the system. Additionally this vulnerability can also be used to cause a complete denial of service and could render the resource completely unavailable.
    Solution
    To resolve this issue, upgrade to the latest packages which contain a patch. Refer to Oracle Enterprise Linux advisory below for updates and patch information:

    ELSA-2021-2583.
    Patches
    Oracle Linux ELSA-2021-2583
  • CVE-2016-10228+
    Recently Published

    Oracle Enterprise Linux Security Update for glibc (ELSA-2021-9344)

    Severity
    Critical4
    Qualys ID
    159295
    Date Published
    July 21, 2021
    Vendor Reference
    ELSA-2021-9344
    CVE Reference
    CVE-2016-10228, CVE-2019-9169, CVE-2020-27618, CVE-2021-3326, CVE-2019-25013
    CVSS Scores
    Base 9.8 / Temporal 7.8
    Description
    Oracle Enterprise Linux has released a security update for glibc to fix the vulnerabilities.

    Affected Product:
    Oracle Linux 8

    Consequence
    This vulnerability could be exploited to gain partial access to sensitive information. Malicious users could also use this vulnerability to change partial contents or configuration on the system. Additionally this vulnerability can also be used to cause a limited denial of service in the form of interruptions in resource availability.
    Solution
    To resolve this issue, upgrade to the latest packages which contain a patch. Refer to Oracle Enterprise Linux advisory below for updates and patch information:

    ELSA-2021-9344.
    Patches
    Oracle Linux ELSA-2021-9344
  • CVE-2021-3520
    Recently Published

    Oracle Enterprise Linux Security Update for lz4 (ELSA-2021-2575)

    Severity
    Critical4
    Qualys ID
    159288
    Date Published
    July 21, 2021
    Vendor Reference
    ELSA-2021-2575
    CVE Reference
    CVE-2021-3520
    CVSS Scores
    Base 9.8 / Temporal 7.8
    Description
    Oracle Enterprise Linux has released a security update for lz4 to fix the vulnerabilities.

    Affected Product:
    Oracle Linux 8

    Consequence
    This vulnerability could be exploited to gain partial access to sensitive information. Malicious users could also use this vulnerability to change partial contents or configuration on the system. Additionally this vulnerability can also be used to cause a limited denial of service in the form of interruptions in resource availability.
    Solution
    To resolve this issue, upgrade to the latest packages which contain a patch. Refer to Oracle Enterprise Linux advisory below for updates and patch information:

    ELSA-2021-2575.
    Patches
    Oracle Linux ELSA-2021-2575
  • CVE-2021-3516+
    Recently Published

    Oracle Enterprise Linux Security Update for libxml2 (ELSA-2021-2569)

    Severity
    Critical4
    Qualys ID
    159285
    Date Published
    July 21, 2021
    Vendor Reference
    ELSA-2021-2569
    CVE Reference
    CVE-2021-3516, CVE-2021-3518, CVE-2021-3537, CVE-2021-3517, CVE-2021-3541
    CVSS Scores
    Base 8.8 / Temporal 7
    Description
    Oracle Enterprise Linux has released a security update for libxml2 to fix the vulnerabilities.

    Affected Product:
    Oracle Linux 8

    Consequence
    This vulnerability could be exploited to gain partial access to sensitive information. Malicious users could also use this vulnerability to change partial contents or configuration on the system. Additionally this vulnerability can also be used to cause a limited denial of service in the form of interruptions in resource availability.
    Solution
    To resolve this issue, upgrade to the latest packages which contain a patch. Refer to Oracle Enterprise Linux advisory below for updates and patch information:

    ELSA-2021-2569.
    Patches
    Oracle Linux ELSA-2021-2569
  • CVE-2020-10663+
    Recently Published

    Oracle Enterprise Linux Security Update for ruby:2.5 (ELSA-2021-2587)

    Severity
    Critical4
    Qualys ID
    159290
    Date Published
    July 21, 2021
    Vendor Reference
    ELSA-2021-2587
    CVE Reference
    CVE-2020-10663, CVE-2019-15845, CVE-2019-16201, CVE-2019-16254, CVE-2019-16255, CVE-2020-25613, CVE-2020-10933, CVE-2021-28965
    CVSS Scores
    Base 8.1 / Temporal 6.5
    Description
    Oracle Enterprise Linux has released a security update for ruby:2.5 to fix the vulnerabilities.

    Affected Product:
    Oracle Linux 8

    Consequence
    Successful exploitation allows an attacker to compromise the system.
    Solution
    To resolve this issue, upgrade to the latest packages which contain a patch. Refer to Oracle Enterprise Linux advisory below for updates and patch information:

    ELSA-2021-2587.
    Patches
    Oracle Linux ELSA-2021-2587
  • CVE-2020-27216+
    Recently Published

    Red Hat Update for OpenShift Container Platform 4.5.41 (RHSA-2021:2431)

    Severity
    Critical4
    Qualys ID
    239473
    Date Published
    July 21, 2021
    Vendor Reference
    RHSA-2021:2431
    CVE Reference
    CVE-2020-27216, CVE-2020-27218, CVE-2020-27223, CVE-2021-21642, CVE-2021-21643, CVE-2021-21644, CVE-2021-21645
    CVSS Scores
    Base 8.1 / Temporal 7.1
    Description
    Red Hat OpenShift Container Platform is Red Hat's cloud computingKubernetes application platform solution designed for on-premise or privatecloud deployments.This advisory contains the RPM packages for Red Hat OpenShift ContainerPlatform 4.5.41. See the following advisory for the container images forthis release:https://access.redhat.com/errata/RHSA-2021:2430

    Security Fix(es): jenkins-2-plugins/config-file-provider: Does not configure its XML parser to prevent XML external entity (XXE)
    attacks. (CVE-2021-21642) jetty: local temporary directory hijacking vulnerability (CVE-2020-27216) jetty: buffer not correctly recycled in Gzip Request inflation (CVE-2020-27218) jetty: request containing multiple Accept headers with a large number of "quality" parameters may lead to DoS (CVE-2020-27223) jenkins-2-plugins/config-file-provider: Does not correctly perform permission checks in several HTTP endpoints. (CVE-2021-21643) jenkins-2-plugins/config-file-provider: does not require POST requests for an HTTP endpoint, resulting in a cross-site request forgery (CSRF)
    vulnerability. (CVE-2021-21644) jenkins-2-plugins/config-file-provider: Does not perform permission checks in several HTTP endpoints. (CVE-2021-21645)

    Affected Products:

    Red Hat OpenShift Container Platform 4.5 for RHEL 8 x86_64
    Red Hat OpenShift Container Platform 4.5 for RHEL 7 x86_64
    Red Hat OpenShift Container Platform for Power 4.5 for RHEL 8 ppc64le
    Red Hat OpenShift Container Platform for Power 4.5 for RHEL 7 ppc64le
    Red Hat OpenShift Container Platform for IBM Z and LinuxONE 4.5 for RHEL 8 s390x
    Red Hat OpenShift Container Platform for IBM Z and LinuxONE 4.5 for RHEL 7 s390x

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    On successful exploitation, it could allow an attacker to execute code.
    Solution
    Upgrade to the latest packages which contain a patch. Refer to Applying Package Updates to RHEL system for details.

    Refer to Red Hat security advisory RHSA-2021:2431 to address this issue and obtain more information.

    Patches
    Red Hat Enterprise Linux RHSA-2021:2431
  • CVE-2021-22555+
    Recently Published

    OpenSUSE Security Update for the Linux Kernel (openSUSE-SU-2021:2409-1)

    Severity
    Critical4
    Qualys ID
    750847
    Date Published
    July 20, 2021
    Vendor Reference
    openSUSE-SU-2021:2409-1
    CVE Reference
    CVE-2021-22555, CVE-2021-33909
    CVSS Scores
    Base 7.8 / Temporal 7
    Description
    OpenSUSE has released a security update for the Linux Kernel to fix the vulnerabilities.

    Affected Products:
    openSUSE Leap 15.3


    Consequence
    Successful exploitation of this vulnerability allows any unprivileged user to gain root privileges on the vulnerable host.
    Solution
    Upgrade to the latest packages which contain a patch. To install this OpenSUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product.

    To install packages using the command line interface, use the command "yum update".

    Refer to SUSE security advisory openSUSE-SU-2021:2409-1 to address this issue and obtain further details.

    Patches
    openSUSE-SU-2021:2409-1
  • CVE-2020-36385+
    Recently Published

    SUSE Enterprise Linux Security Update for kernel (SUSE-SU-2021:2407-1)

    Severity
    Critical4
    Qualys ID
    750844
    Date Published
    July 20, 2021
    Vendor Reference
    SUSE-SU-2021:2407-1
    CVE Reference
    CVE-2020-36385, CVE-2021-22555, CVE-2021-33909, CVE-2021-3609, CVE-2021-3612
    CVSS Scores
    Base 7.8 / Temporal 7
    Description
    SUSE Enterprise Linux has released a security update for Linux Kernel.
    Affected Products:
    SUSE Linux Enterprise Server 12-SP5

    Consequence
    Successful exploitation allows attackers to compromise the system.
    Solution
    Upgrade to the latest package which contains the patch. To install this SUSE Security, Update use YaST online_update. Alternatively you can run the command listed for your product. To install packages using the command line interface, use command "yum update". Refer to Suse security advisory: SUSE-SU-2021:2407-1 to address this issue and obtain further details.
    Patches
    SUSE-SU-2021:2407-1
  • CVE-2020-36311+
    Recently Published

    Debian Security Update for linux (DSA 4941-1)

    Severity
    Critical4
    Qualys ID
    178710
    Date Published
    July 20, 2021
    Vendor Reference
    DSA 4941-1
    CVE Reference
    CVE-2020-36311, CVE-2021-3609, CVE-2021-33909, CVE-2021-34693
    CVSS Scores
    Base 7.8 / Temporal 6.8
    Description
    Debian has released security update for linux to fix the vulnerabilities.

    Consequence
    This vulnerability can also be used to cause a limited denial of service in the form of interruptions in resource availability.
    Solution
    Refer to Debian security advisory DSA 4941-1 to address this issue and obtain further details.
    Patches
    Debian DSA 4941-1
  • CVE-2021-33909
    Recently Published

    Linux Kernel Local Privilege Escalation Vulnerability (Sequoia)

    Severity
    Critical4
    Qualys ID
    375710
    Date Published
    July 20, 2021
    Vendor Reference
    CVE-2021-33909
    CVE Reference
    CVE-2021-33909
    CVSS Scores
    Base 7.8 / Temporal 7
    Description
    A file system is an organization of data and metadata on a storage device.

    The Qualys Research Team has discovered a size_t-to-int type conversion vulnerability in the Linux Kernel filesystem layer affecting most Linux operating systems.

    Consequence
    Successful exploitation of this vulnerability allows any unprivileged user to gain root privileges on the vulnerable host.
    Solution
    Upgrade to the latest packages which contain a patch.

    Patches
    Sequoia
Last updated: