Информационная безопасность
[RU] switch to English


Многочисленные уязвимости безопасности в Oracle / Sun / PeopleSoft / MySQL
дополнено с 16 октября 2014 г.
Опубликовано:3 ноября 2014 г.
Источник:
SecurityVulns ID:14031
Тип:библиотека
Уровень опасности:
9/10
Описание:Ежеквартальное обновление закрывает 138 различных уязвимостей.
Затронутые продукты:ORACLE : Solaris 10
 ORACLE : Oracle E-Business Suite 11i
 ORACLE : Solaris 11
 ORACLE : Oracle 11g
 ORACLE : JD Edwards EnterpriseOne Tools 8.98
 ORACLE : Oracle Application Express 4.2
 ORACLE : WebLogic Server 12.1
 ORACLE : Oracle E-Business Suite 12i
 ORACLE : MySQL 5.6
 ORACLE : Oracle Access Manager 11.1
 ORACLE : Oracle 12c
 ORACLE : Fusion Middleware 11g
 ORACLE : Oracle Identity Manager 11.1
 ORACLE : JDeveloper 12.1
 ORACLE : Primavera P6 Enterprise Project Portfolio Management 8.3
 ORACLE : JavaFX 2.2
 ORACLE : Java SE Embedded 7
 ORACLE : Fusion Middleware 12c
 ORACLE : VirtualBox 4.3
 ORACLE : Fusion Applications 11.1
 ORACLE : Java SE 8
 ORACLE : JRockit 28.3
 ORACLE : Oracle Secure Global Desktop 5.1
 ORACLE : Transportation Management 6.3
 ORACLE : Oracle Adaptive Access Manager 11.1
 ORACLE : Endeca Information Discovery Studio 3.1
 ORACLE : Enterprise Data Quality 9.0
 ORACLE : OpenSSO 3.0
 ORACLE : Application Performance Management 12.1
 ORACLE : Enterprise Manager for Oracle Database 10g
 ORACLE : Enterprise Manager for Oracle Database 11g
 ORACLE : Enterprise Manager for Oracle Database 12c
 ORACLE : Agile PLM 9.3
 ORACLE : PeopleSoft Enterprise HRMS 9.2
 ORACLE : PeopleSoft Enterprise PeopleTools 8.54
 ORACLE : Communications MetaSolv Solution 6.2
 ORACLE : Communications Session Border Controller SCX640m5
 ORACLE : Retail Allocation 13.2
 ORACLE : Retail Clearance Optimization Engine 14.0
 ORACLE : Retail Invoice Matching 14.0
 ORACLE : Retail Markdown Optimization 13.4
 ORACLE : Health Sciences Empirica Inspections 1.0
 ORACLE : Health Sciences Empirica Signal 7.3
 ORACLE : Health Sciences Empirica Study 3.1
 ORACLE : Primavera Contract Management 14.0
 ORACLE : Fujitsu server M10-1
 ORACLE : Fujitsu server M10-4
 ORACLE : Fujitsu server M10-4S
CVE:CVE-2014-6564 (Unspecified vulnerability in Oracle MySQL Server 5.6.19 and earlier allows remote authenticated users to affect availability via vectors related to SERVER:INNODB FULLTEXT SEARCH DML.)
 CVE-2014-6563 (Unspecified vulnerability in the Java VM component in Oracle Database Server 11.1.0.7, 11.2.0.3, 11.2.0.4, 12.1.0.1, and 12.1.0.2 allows remote authenticated users to affect confidentiality via unknown vectors, a different vulnerability than CVE-2014-4294, CVE-2014-4295, and CVE-2014-6538.)
 CVE-2014-6562 (Unspecified vulnerability in Oracle Java SE 8u20 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Libraries.)
 CVE-2014-6561 (Unspecified vulnerability in the Oracle Payments component in Oracle E-Business Suite 12.0.4, 12.0.6, 12.1.1, 12.1.2, 12.1.3, 12.2.2, 12.2.3, and 12.2.4 allows remote attackers to affect confidentiality via unknown vectors related to Separate Remittance Advice.)
 CVE-2014-6560 (Unspecified vulnerability in the Java VM component in Oracle Database Server 11.1.0.7, 11.2.0.3, 11.2.0.4, 12.1.0.1, and 12.1.0.2 allows remote authenticated users to affect confidentiality, integrity, and availability via unknown vectors, a different vulnerability than CVE-2014-6453, CVE-2014-6467, and CVE-2014-6545.)
 CVE-2014-6559 (Unspecified vulnerability in Oracle MySQL Server 5.5.39 and earlier, and 5.6.20 and earlier, allows remote attackers to affect confidentiality via vectors related to C API SSL CERTIFICATE HANDLING.)
 CVE-2014-6558 (Unspecified vulnerability in Oracle Java SE 5.0u71, 6u81, 7u67, and 8u20; Java SE Embedded 7u60; and JRockit R27.8.3 and JRockit R28.3.3 allows remote attackers to affect integrity via unknown vectors related to Security.)
 CVE-2014-6557 (Unspecified vulnerability in the Application Performance Management component in Oracle Enterprise Manager Grid Control before 12.1.0.6.2 allows remote authenticated users to affect confidentiality and integrity via unknown vectors related to End User Experience Management.)
 CVE-2014-6555 (Unspecified vulnerability in Oracle MySQL Server 5.5.39 and earlier and 5.6.20 and earlier allows remote authenticated users to affect confidentiality, integrity, and availability via vectors related to SERVER:DML.)
 CVE-2014-6554 (Unspecified vulnerability in the Oracle Access Manager component in Oracle Fusion Middleware 11.1.2.1 and 11.1.2.2 allows remote authenticated users to affect confidentiality and integrity via unknown vectors related to Admin Console.)
 CVE-2014-6553 (Unspecified vulnerability in the Oracle Access Manager component in Oracle Fusion Middleware 11.1.1.5 and 11.1.1.7 allows remote attackers to affect confidentiality and integrity via unknown vectors related to Admin Console.)
 CVE-2014-6552 (Unspecified vulnerability in the Oracle Access Manager component in Oracle Fusion Middleware 11.1.1.5, 11.1.1.7, 11.1.2.1, and 11.1.2.2 allows remote attackers to affect integrity via unknown vectors related to Admin Console.)
 CVE-2014-6551 (Unspecified vulnerability in Oracle MySQL Server 5.5.38 and earlier and 5.6.19 and earlier allows local users to affect confidentiality via vectors related to CLIENT:MYSQLADMIN.)
 CVE-2014-6550 (Unspecified vulnerability in the Oracle Applications Object Library component in Oracle E-Business Suite 11.5.10.2 allows remote attackers to affect integrity via unknown vectors related to iHelp.)
 CVE-2014-6547 (Unspecified vulnerability in the JPublisher component in Oracle Database Server 11.1.0.7, 11.2.0.3, 11.2.0.4, 12.1.0.1, and 12.1.0.2 allows remote authenticated users to affect confidentiality via unknown vectors, a different vulnerability than CVE-2014-4290, CVE-2014-4291, CVE-2014-4292, CVE-2014-4293, CVE-2014-4296, CVE-2014-4297, CVE-2014-4301, and CVE-2014-4310.)
 CVE-2014-6546 (Unspecified vulnerability in the JPublisher component in Oracle Database Server 11.1.0.7, 11.2.0.3, 11.2.0.4, 12.1.0.1, and 12.1.0.2 allows remote authenticated users to affect confidentiality, integrity, and availability via unknown vectors.)
 CVE-2014-6545 (Unspecified vulnerability in the Java VM component in Oracle Database Server 11.1.0.7, 11.2.0.3, 11.2.0.4, 12.1.0.1, and 12.1.0.2 allows remote authenticated users to affect confidentiality, integrity, and availability via unknown vectors, a different vulnerability than CVE-2014-6453, CVE-2014-6467, and CVE-2014-6560.)
 CVE-2014-6544 (Unspecified vulnerability in the JDBC component in Oracle Database Server 11.1.0.7, 11.2.0.3, 11.2.0.4, 12.1.0.1, and 12.1.0.2 allows remote authenticated users to affect confidentiality and integrity via unknown vectors, a different vulnerability than CVE-2014-4289.)
 CVE-2014-6543 (Unspecified vulnerability in the Agile PLM component in Oracle Supply Chain Products Suite 9.3.3 allows remote authenticated users to affect confidentiality and integrity via vectors related to ITEM (Item & BOM).)
 CVE-2014-6542 (Unspecified vulnerability in the SQLJ component in Oracle Database Server 11.1.0.7, 11.2.0.3, 11.2.0.4, 12.1.0.1, and 12.1.0.2 allows remote authenticated users to affect confidentiality via unknown vectors, a different vulnerability than CVE-2014-4298, CVE-2014-4299, CVE-2014-4300, CVE-2014-6452, and CVE-2014-6454.)
 CVE-2014-6540 (Unspecified vulnerability in the Oracle VM VirtualBox component in Oracle Virtualization VirtualBox before 4.1.34, before 4.2.26, and before 4.3.14 allows local users to affect availability via vectors related to Graphics driver (WDDM) for Windows guests.)
 CVE-2014-6539 (Unspecified vulnerability in the Oracle Applications Framework component in Oracle E-Business Suite 11.5.10.2, 12.0.6, 12.1.3, 12.2.2, 12.2.3, and 12.2.4 allows remote attackers to affect integrity via vectors related to LOV, a different vulnerability than CVE-2014-6472.)
 CVE-2014-6538 (Unspecified vulnerability in the Java VM component in Oracle Database Server 11.1.0.7, 11.2.0.3, 11.2.0.4, 12.1.0.1, and 12.1.0.2 allows remote authenticated users to affect confidentiality via unknown vectors, a different vulnerability than CVE-2014-4294, CVE-2014-4295, and CVE-2014-6563.)
 CVE-2014-6537 (Unspecified vulnerability in the Java VM component in Oracle Database Server 11.1.0.7, 11.2.0.3, 11.2.0.4, 12.1.0.1, and 12.1.0.2 allows remote authenticated users to affect confidentiality, integrity, and availability via unknown vectors.)
 CVE-2014-6536 (Unspecified vulnerability in the Agile PLM component in Oracle Supply Chain Products Suite 9.3.3 allows remote authenticated users to affect integrity via unknown vectors related to Security.)
 CVE-2014-6535 (Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools component in Oracle PeopleSoft Products 8.52, 8.53, and 8.54 allows remote attackers to affect confidentiality and integrity via vectors related to SECURITY.)
 CVE-2014-6534 (Unspecified vulnerability in the Oracle WebLogic Server component in Oracle Fusion Middleware 10.0.2.0, 10.3.6.0, 12.1.1.0, 12.1.2.0, and 12.1.3.0 allows remote authenticated users to affect integrity via vectors related to WLS Console.)
 CVE-2014-6533 (Unspecified vulnerability in the Oracle Transportation Management component in Oracle Supply Chain Products Suite 6.1 and 6.2 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Security.)
 CVE-2014-6532 (Unspecified vulnerability in Oracle Java SE 6u81, 7u67, and 8u20 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Deployment, a different vulnerability than CVE-2014-4288, CVE-2014-6493, and CVE-2014-6503.)
 CVE-2014-6531 (Unspecified vulnerability in Oracle Java SE 5.0u71, 6u81, 7u67, and 8u20, and Java SE Embedded 7u60, allows remote attackers to affect confidentiality via unknown vectors related to Libraries.)
 CVE-2014-6530 (Unspecified vulnerability in Oracle MySQL Server 5.5.38 and earlier, and 5.6.19 and earlier, allows remote authenticated users to affect confidentiality, integrity, and availability via vectors related to CLIENT:MYSQLDUMP.)
 CVE-2014-6529 (Unspecified vulnerability in Oracle Sun Solaris 11 allows remote attackers to affect confidentiality, integrity, and availability via vectors related to Hermon HCA PCIe driver.)
 CVE-2014-6527 (Unspecified vulnerability in Oracle Java SE 7u67 and 8u20 allows remote attackers to affect integrity via unknown vectors related to Deployment, a different vulnerability than CVE-2014-6476.)
 CVE-2014-6523 (Unspecified vulnerability in the Oracle Applications Framework component in Oracle E-Business Suite 12.1.3, 12.2.2, 12.2.3, and 12.2.4 allows remote authenticated users to affect confidentiality via vectors related to REST Interface.)
 CVE-2014-6522 (Unspecified vulnerability in the Oracle JDeveloper component in Oracle Fusion Middleware 11.1.1.7, 11.1.2.4, 12.1.2.0, and 12.1.3.0 allows remote attackers to affect integrity via vectors related to ADF Faces.)
 CVE-2014-6520 (Unspecified vulnerability in Oracle MySQL Server 5.5.38 and earlier allows remote authenticated users to affect availability via vectors related to SERVER:DDL.)
 CVE-2014-6519 (Unspecified vulnerability in Oracle Java SE 7u67 and 8u20, and Java SE Embedded 7u60, allows remote attackers to affect integrity via unknown vectors related to Hotspot.)
 CVE-2014-6517 (Unspecified vulnerability in Oracle Java SE 6u81, 7u67, and 8u20; Java SE Embedded 7u60; and Jrockit R27.8.3 and R28.3.3 allows remote attackers to affect confidentiality via vectors related to JAXP.)
 CVE-2014-6516 (Unspecified vulnerability in the JD Edwards EnterpriseOne Tools component in Oracle JD Edwards Products 8.98 allows local users to affect confidentiality, integrity, and availability via vectors related to Installation SEC.)
 CVE-2014-6515 (Unspecified vulnerability in Oracle Java SE 6u81, 7u67, and 8u20 allows remote attackers to affect integrity via unknown vectors related to Deployment.)
 CVE-2014-6513 (Unspecified vulnerability in Oracle Java SE 6u81, 7u67, and 8u20, and Java SE Embedded 7u60, allows remote attackers to affect confidentiality, integrity, and availability via vectors related to AWT.)
 CVE-2014-6512 (Unspecified vulnerability in Oracle Java SE 5.0u71, 6u81, 7u67, and 8u20; Java SE Embedded 7u60; and JRockit R27.8.3 and R28.3.3 allows remote attackers to affect integrity via unknown vectors related to Libraries.)
 CVE-2014-6511 (Unspecified vulnerability in Oracle Java SE 5.0u71, 6u81, 7u67, and 8u20 allows remote attackers to affect confidentiality via unknown vectors related to 2D.)
 CVE-2014-6508 (Unspecified vulnerability in Oracle Sun Solaris 10 and 11 allows remote attackers to affect availability via vectors related to iSCSI Data Mover (IDM).)
 CVE-2014-6507 (Unspecified vulnerability in Oracle MySQL Server 5.5.39 and earlier, and 5.6.20 and earlier, allows remote authenticated users to affect confidentiality, integrity, and availability via vectors related to SERVER:DML.)
 CVE-2014-6506 (Unspecified vulnerability in Oracle Java SE 5.0u71, 6u81, 7u67, and 8u20, and Java SE Embedded 7u60, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Libraries.)
 CVE-2014-6505 (Unspecified vulnerability in Oracle MySQL Server 5.5.38 and earlier, and 5.6.19 and earlier, allows remote authenticated users to affect availability via vectors related to SERVER:MEMORY STORAGE ENGINE.)
 CVE-2014-6504 (Unspecified vulnerability in Oracle Java SE 5.0u71, 6u81, and 7u67, and Java SE Embedded 7u60, allows remote attackers to affect confidentiality via unknown vectors related to Hotspot.)
 CVE-2014-6503 (Unspecified vulnerability in Oracle Java SE 6u81, 7u67, and 8u20 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Deployment, a different vulnerability than CVE-2014-4288, CVE-2014-6493, and CVE-2014-6532.)
 CVE-2014-6502 (Unspecified vulnerability in Oracle Java SE 5.0u71, 6u81, 7u67, and 8u20, and Java SE Embedded 7u60, allows remote attackers to affect integrity via unknown vectors related to Libraries.)
 CVE-2014-6501 (Unspecified vulnerability in Oracle Sun Solaris 11 allows local users to affect confidentiality via vectors related to SSH.)
 CVE-2014-6500 (Unspecified vulnerability in Oracle MySQL Server 5.5.39 and earlier, and 5.6.20 and earlier, allows remote attackers to affect confidentiality, integrity, and availability via vectors related to SERVER:SSL:yaSSL, a different vulnerability than CVE-2014-6491.)
 CVE-2014-6499 (Unspecified vulnerability in the Oracle WebLogic Server component in Oracle Fusion Middleware 10.0.2.0, 10.3.6.0, 12.1.1.0, 12.1.2.0, and 12.1.3.0 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to WebLogic Tuxedo Connector.)
 CVE-2014-6498 (Unspecified vulnerability in the Oracle Transportation Management component in Oracle Supply Chain Products Suite 6.1, 6.2, 6.3, 6.3.1, 6.3.2, 6.3.3, 6.3.4, and 6.3.5 allows remote attackers to affect confidentiality via unknown vectors related to Security.)
 CVE-2014-6497 (Unspecified vulnerability in Oracle Sun Solaris 11 allows local users to affect availability via unknown vectors related to Kernel.)
 CVE-2014-6496 (Unspecified vulnerability in Oracle MySQL Server 5.5.39 and earlier, and 5.6.20 and earlier, allows remote attackers to affect availability via vectors related to CLIENT:SSL:yaSSL, a different vulnerability than CVE-2014-6494.)
 CVE-2014-6495 (Unspecified vulnerability in Oracle MySQL Server 5.5.38 and earlier, and 5.6.19 and earlier, allows remote attackers to affect availability via vectors related to SERVER:SSL:yaSSL.)
 CVE-2014-6494 (Unspecified vulnerability in Oracle MySQL Server 5.5.39 and earlier, and 5.6.20 and earlier, allows remote attackers to affect availability via vectors related to CLIENT:SSL:yaSSL, a different vulnerability than CVE-2014-6496.)
 CVE-2014-6493 (Unspecified vulnerability in Oracle Java SE 6u81, 7u67, and 8u20 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Deployment, a different vulnerability than CVE-2014-4288, CVE-2014-6503, and CVE-2014-6532.)
 CVE-2014-6492 (Unspecified vulnerability in Oracle Java SE 6u81, 7u67, and 8u20, when running on Firefox, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Deployment.)
 CVE-2014-6491 (Unspecified vulnerability in Oracle MySQL Server 5.5.39 and earlier and 5.6.20 and earlier allows remote attackers to affect confidentiality, integrity, and availability via vectors related to SERVER:SSL:yaSSL, a different vulnerability than CVE-2014-6500.)
 CVE-2014-6490 (Unspecified vulnerability in Oracle Sun Solaris 11 allows remote attackers to affect availability via vectors related to SMB server user component.)
 CVE-2014-6489 (Unspecified vulnerability in Oracle MySQL Server 5.6.19 and earlier allows remote authenticated users to affect integrity and availability via vectors related to SERVER:SP.)
 CVE-2014-6488 (Unspecified vulnerability in the Enterprise Manager for Oracle Database component in Oracle Enterprise Manager Grid Control EM Base Platform: 10.2.0.5, 11.1.0.1 EM DB Control: 11.1.0.7, 11.2.0.3, 11.2.0.4 EM Plugin for DB: 12.1.0.4, 12.1.0.5, and 12.1.0.6 allows remote authenticated users to affect integrity via unknown vectors related to Content Management.)
 CVE-2014-6487 (Unspecified vulnerability in the Oracle Identity Manager component in Oracle Fusion Middleware 11.1.1.5, 11.1.1.7, 11.1.2.1, and 11.1.2.2 allows remote authenticated users to affect integrity via unknown vectors related to End User Self Service.)
 CVE-2014-6486 (Unspecified vulnerability in the PeopleSoft Enterprise HRMS component in Oracle PeopleSoft Products 9.2 allows remote authenticated users to affect integrity via unknown vectors related to Talent Acquisition Manager - Security.)
 CVE-2014-6485 (Unspecified vulnerability in Oracle Java SE 8u20 and JavaFX 2.2.65 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors.)
 CVE-2014-6484 (Unspecified vulnerability in Oracle MySQL Server 5.5.38 and earlier, and 5.6.19 and earlier, allows remote authenticated users to affect availability via vectors related to SERVER:DML.)
 CVE-2014-6483 (Unspecified vulnerability in the Application Express component in Oracle Database Server before 4.2.6 allows remote authenticated users to affect confidentiality, integrity, and availability via unknown vectors.)
 CVE-2014-6482 (Unspecified vulnerability in the PeopleSoft Enterprise PT PeopleTools component in Oracle PeopleSoft Products 8.53 and 8.54 allows remote authenticated users to affect integrity via unknown vectors related to Updates Change Assistant.)
 CVE-2014-6479 (Unspecified vulnerability in the Oracle Applications Technology component in Oracle E-Business Suite 11.5.10.2, 12.0.6, and 12.1.3 allows remote authenticated users to affect confidentiality via vectors related to OC4J Configuration.)
 CVE-2014-6478 (Unspecified vulnerability in Oracle MySQL Server 5.5.38 and earlier, and 5.6.19 and earlier, allows remote attackers to affect integrity via vectors related to SERVER:SSL:yaSSL.)
 CVE-2014-6476 (Unspecified vulnerability in Oracle Java SE 7u67 and 8u20 allows remote attackers to affect integrity via unknown vectors related to Deployment, a different vulnerability than CVE-2014-6527.)
 CVE-2014-6475 (Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools component in Oracle PeopleSoft Products 8.52, 8.53, and 8.54 allows remote authenticated users to affect confidentiality via unknown vectors related to Security.)
 CVE-2014-6474 (Unspecified vulnerability in Oracle MySQL Server 5.6.19 and earlier allows remote authenticated users to affect availability via vectors related to SERVER:MEMCACHED.)
 CVE-2014-6473 (Unspecified vulnerability in Oracle Sun Solaris 10 and 11 allows local users to affect confidentiality, integrity, and availability via unknown vectors related to Zone Framework.)
 CVE-2014-6472 (Unspecified vulnerability in the Oracle Applications Framework component in Oracle E-Business Suite 11.5.10.2, 12.0.6, 12.1.3, 12.2.2, 12.2.3, and 12.2.4 allows remote attackers to affect integrity via vectors related to LOV, a different vulnerability than CVE-2014-6539.)
 CVE-2014-6471 (Unspecified vulnerability in the Oracle Applications Manager component in Oracle E-Business Suite 12.0.6, 12.1.3, 12.2.2, 12.2.3, and 12.2.4 allows remote attackers to affect integrity via vectors related to OAM Diagnostics.)
 CVE-2014-6470 (Unspecified vulnerability in Oracle Sun Solaris 11 allows local users to affect confidentiality, integrity, and availability via unknown vectors related to Archive Utility.)
 CVE-2014-6469 (Unspecified vulnerability in Oracle MySQL Server 5.5.39 and eariler and 5.6.20 and earlier allows remote authenticated users to affect availability via vectors related to SERVER:OPTIMIZER.)
 CVE-2014-6468 (Unspecified vulnerability in Oracle Java SE 8u20 allows local users to affect confidentiality, integrity, and availability via unknown vectors related to Hotspot.)
 CVE-2014-6467 (Unspecified vulnerability in the Java VM component in Oracle Database Server 11.1.0.7, 11.2.0.3, 11.2.0.4, 12.1.0.1, and 12.1.0.2 allows remote authenticated users to affect confidentiality, integrity, and availability via unknown vectors, a different vulnerability than CVE-2014-6453, CVE-2014-6545, and CVE-2014-6560.)
 CVE-2014-6466 (Unspecified vulnerability in Oracle Java SE 6u81, 7u67, and 8u20, when running on Internet Explorer, allows local users to affect confidentiality, integrity, and availability via unknown vectors related to Deployment.)
 CVE-2014-6465 (Unspecified vulnerability in the Oracle Communications Session Border Controller component in Oracle Communications Applications SCX640m5 allows remote authenticated users to affect availability via unknown vectors related to Lawful Intercept.)
 CVE-2014-6464 (Unspecified vulnerability in Oracle MySQL Server 5.5.39 and earlier and 5.6.20 and earlier allows remote authenticated users to affect availability via vectors related to SERVER:INNODB DML FOREIGN KEYS.)
 CVE-2014-6463 (Unspecified vulnerability in Oracle MySQL Server 5.5.38 and earlier and 5.6.19 and earlier allows remote authenticated users to affect availability via vectors related to SERVER:REPLICATION ROW FORMAT BINARY LOG DML.)
 CVE-2014-6462 (Unspecified vulnerability in the Oracle Access Manager component in Oracle Fusion Middleware 11.1.2.1 and 11.1.2.2 allows remote attackers to affect integrity via unknown vectors related to Admin Console.)
 CVE-2014-6461 (Unspecified vulnerability in the Agile PLM component in Oracle Supply Chain Products Suite 9.3.1.2 allows remote authenticated users to affect confidentiality and integrity via unknown vectors related to Roles & Privileges.)
 CVE-2014-6460 (Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools component in Oracle PeopleSoft Products 8.52, 8.53, and 8.54 allows remote authenticated users to affect confidentiality and integrity via vectors related to QUERY.)
 CVE-2014-6459 (Unspecified vulnerability in the Oracle Secure Global Desktop component in Oracle Virtualization 5.0 and 5.1 allows remote attackers to affect availability via vectors related to SGD Proxy Server (ttaauxserv), a different vulnerability than CVE-2014-2472, CVE-2014-2474, and CVE-2014-2476.)
 CVE-2014-6458 (Unspecified vulnerability in Oracle Java SE 6u81, 7u67, and 8u20 allows local users to affect confidentiality, integrity, and availability via unknown vectors related to Deployment.)
 CVE-2014-6457 (Unspecified vulnerability in Oracle Java SE 5.0u71, 6u81, 7u67, and 8u20; Java SE Embedded 7u60; and JRockit R27.8.3, and R28.3.3 allows remote attackers to affect confidentiality and integrity via vectors related to JSSE.)
 CVE-2014-6456 (Unspecified vulnerability in Oracle Java SE 7u67 and 8u20 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors.)
 CVE-2014-6455 (Unspecified vulnerability in the SQLJ component in Oracle Database Server 11.1.0.7, 11.2.0.3, 11.2.0.4, 12.1.0.1, and 12.1.0.2 allows remote authenticated users to affect confidentiality, integrity, and availability via unknown vectors.)
 CVE-2014-6454 (Unspecified vulnerability in the SQLJ component in Oracle Database Server 11.1.0.7, 11.2.0.3, 11.2.0.4, 12.1.0.1, and 12.1.0.2 allows remote authenticated users to affect confidentiality via unknown vectors, a different vulnerability than CVE-2014-4298, CVE-2014-4299, CVE-2014-4300, CVE-2014-6452, and CVE-2014-6542.)
 CVE-2014-6453 (Unspecified vulnerability in the Java VM component in Oracle Database Server 11.1.0.7, 11.2.0.3, 11.2.0.4, 12.1.0.1, and 12.1.0.2 allows remote authenticated users to affect confidentiality, integrity, and availability via unknown vectors, a different vulnerability than CVE-2014-6467, CVE-2014-6545, and CVE-2014-6560.)
 CVE-2014-6452 (Unspecified vulnerability in the SQLJ component in Oracle Database Server 11.1.0.7, 11.2.0.3, 11.2.0.4, 12.1.0.1, and 12.1.0.2 allows remote authenticated users to affect confidentiality via unknown vectors, a different vulnerability than CVE-2014-4298, CVE-2014-4299, CVE-2014-4300, CVE-2014-6454, and CVE-2014-6542.)
 CVE-2014-4310 (Unspecified vulnerability in the JPublisher component in Oracle Database Server 11.1.0.7, 11.2.0.3, 11.2.0.4, 12.1.0.1, and 12.1.0.2 allows remote authenticated users to affect confidentiality via unknown vectors, a different vulnerability than CVE-2014-4290, CVE-2014-4291, CVE-2014-4292, CVE-2014-4293, CVE-2014-4296, CVE-2014-4297, CVE-2014-4301, and CVE-2014-6547.)
 CVE-2014-4301 (Multiple cross-site scripting (XSS) vulnerabilities in the respond_error function in routing.py in Eugene Pankov Ajenti before 1.2.21.7 allow remote attackers to inject arbitrary web script or HTML via the PATH_INFO to (1) resources.js or (2) resources.css in ajenti:static/, related to the traceback page.)
 CVE-2014-4300 (Unspecified vulnerability in the SQLJ component in Oracle Database Server 11.1.0.7, 11.2.0.3, 11.2.0.4, 12.1.0.1, and 12.1.0.2 allows remote authenticated users to affect confidentiality via unknown vectors, a different vulnerability than CVE-2014-4298, CVE-2014-4299, CVE-2014-6452, CVE-2014-6454, and CVE-2014-6542.)
 CVE-2014-4299 (Unspecified vulnerability in the SQLJ component in Oracle Database Server 11.1.0.7, 11.2.0.3, 11.2.0.4, 12.1.0.1, and 12.1.0.2 allows remote authenticated users to affect confidentiality via unknown vectors, a different vulnerability than CVE-2014-4298, CVE-2014-4300, CVE-2014-6452, CVE-2014-6454, and CVE-2014-6542.)
 CVE-2014-4298 (Unspecified vulnerability in the SQLJ component in Oracle Database Server 11.1.0.7, 11.2.0.3, 11.2.0.4, 12.1.0.1, and 12.1.0.2 allows remote authenticated users to affect confidentiality via unknown vectors, a different vulnerability than CVE-2014-4299, CVE-2014-4300, CVE-2014-6452, CVE-2014-6454, and CVE-2014-6542.)
 CVE-2014-4297 (Unspecified vulnerability in the JPublisher component in Oracle Database Server 11.1.0.7, 11.2.0.3, 11.2.0.4, 12.1.0.1, and 12.1.0.2 allows remote authenticated users to affect confidentiality via unknown vectors, a different vulnerability than CVE-2014-4290, CVE-2014-4291, CVE-2014-4292, CVE-2014-4293, CVE-2014-4296, CVE-2014-4301, CVE-2014-4310, and CVE-2014-6547.)
 CVE-2014-4296 (Unspecified vulnerability in the JPublisher component in Oracle Database Server 11.1.0.7, 11.2.0.3, 11.2.0.4, 12.1.0.1, and 12.1.0.2 allows remote authenticated users to affect confidentiality via unknown vectors, a different vulnerability than CVE-2014-4290, CVE-2014-4291, CVE-2014-4292, CVE-2014-4293, CVE-2014-4297, CVE-2014-4301, CVE-2014-4310, and CVE-2014-6547.)
 CVE-2014-4295 (Unspecified vulnerability in the Java VM component in Oracle Database Server 11.1.0.7, 11.2.0.3, 11.2.0.4, 12.1.0.1, and 12.1.0.2 allows remote authenticated users to affect confidentiality via unknown vectors, a different vulnerability than CVE-2014-4294, CVE-2014-6538, and CVE-2014-6563.)
 CVE-2014-4294 (Unspecified vulnerability in the Java VM component in Oracle Database Server 11.1.0.7, 11.2.0.3, 11.2.0.4, 12.1.0.1, and 12.1.0.2 allows remote authenticated users to affect confidentiality via unknown vectors, a different vulnerability than CVE-2014-4295, CVE-2014-6538, and CVE-2014-6563.)
 CVE-2014-4293 (Unspecified vulnerability in the JPublisher component in Oracle Database Server 11.1.0.7, 11.2.0.3, 11.2.0.4, 12.1.0.1, and 12.1.0.2 allows remote authenticated users to affect confidentiality via unknown vectors, a different vulnerability than CVE-2014-4290, CVE-2014-4291, CVE-2014-4292, CVE-2014-4296, CVE-2014-4297, CVE-2014-4301, CVE-2014-4310, and CVE-2014-6547.)
 CVE-2014-4292 (Unspecified vulnerability in the JPublisher component in Oracle Database Server 11.1.0.7, 11.2.0.3, 11.2.0.4, 12.1.0.1, and 12.1.0.2 allows remote authenticated users to affect confidentiality via unknown vectors, a different vulnerability than CVE-2014-4290, CVE-2014-4291, CVE-2014-4293, CVE-2014-4296, CVE-2014-4297, CVE-2014-4301, CVE-2014-4310, and CVE-2014-6547.)
 CVE-2014-4291 (Unspecified vulnerability in the JPublisher component in Oracle Database Server 11.1.0.7, 11.2.0.3, 11.2.0.4, 12.1.0.1, and 12.1.0.2 allows remote authenticated users to affect confidentiality via unknown vectors, a different vulnerability than CVE-2014-4290, CVE-2014-4292, CVE-2014-4293, CVE-2014-4296, CVE-2014-4297, CVE-2014-4301, CVE-2014-4310, and CVE-2014-6547.)
 CVE-2014-4290 (Unspecified vulnerability in the JPublisher component in Oracle Database Server 11.1.0.7, 11.2.0.3, 11.2.0.4, 12.1.0.1, and 12.1.0.2 allows remote authenticated users to affect confidentiality via unknown vectors, a different vulnerability than CVE-2014-4291, CVE-2014-4292, CVE-2014-4293, CVE-2014-4296, CVE-2014-4297, CVE-2014-4301, CVE-2014-4310, and CVE-2014-6547.)
 CVE-2014-4289 (Unspecified vulnerability in the JDBC component in Oracle Database Server 11.1.0.7, 11.2.0.3, 11.2.0.4, 12.1.0.1, and 12.1.0.2 allows remote authenticated users to affect confidentiality and integrity via unknown vectors, a different vulnerability than CVE-2014-6544.)
 CVE-2014-4288 (Unspecified vulnerability in Oracle Java SE 6u81, 7u67, and 8u20 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Deployment, a different vulnerability than CVE-2014-6493, CVE-2014-6503, and CVE-2014-6532.)
 CVE-2014-4287 (Unspecified vulnerability in Oracle MySQL Server 5.5.38 and earlier and 5.6.19 and earlier allows remote authenticated users to affect availability via vectors related to SERVER:CHARACTER SETS.)
 CVE-2014-4285 (Unspecified vulnerability in the Oracle Applications Technology component in Oracle E-Business Suite 11.5.10.2 allows remote attackers to affect integrity via unknown vectors related to Reports Configuration.)
 CVE-2014-4284 (Unspecified vulnerability in Oracle Sun Solaris 11 allows local users to affect confidentiality, integrity, and availability via vectors related to IPS transfer module, a different vulnerability than CVE-2014-4280.)
 CVE-2014-4283 (Unspecified vulnerability in Oracle Sun Solaris 11 allows remote attackers to affect confidentiality via unknown vectors related to Automated Install Engine, a different vulnerability than CVE-2014-4277.)
 CVE-2014-4282 (Unspecified vulnerability in Oracle Sun Solaris 11 allows local users to affect confidentiality, integrity, and availability via vectors related to Kernel/X86.)
 CVE-2014-4281 (Unspecified vulnerability in the Oracle Applications Framework component in Oracle E-Business Suite 12.1.3, 12.2.2, 12.2.3, and 12.2.4 allows remote attackers to affect integrity via unknown vectors related to Portal Integration.)
 CVE-2014-4280 (Unspecified vulnerability in Oracle Sun Solaris 11 allows local users to affect confidentiality, integrity, and availability via vectors related to IPS transfer module, a different vulnerability than CVE-2014-4284.)
 CVE-2014-4278 (Unspecified vulnerability in the Oracle Applications Technology Stack component in Oracle E-Business Suite 12.0.6, 12.1.3, 12.2.2, 12.2.3, and 12.2.4 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Oracle Forms.)
 CVE-2014-4277 (Unspecified vulnerability in Oracle Sun Solaris 11 allows remote attackers to affect confidentiality via unknown vectors related to Automated Install Engine, a different vulnerability than CVE-2014-4283.)
 CVE-2014-4276 (Unspecified vulnerability in Oracle Sun Solaris 11 allows remote attackers to affect confidentiality, integrity, and availability via vectors related to Common Internet File System (CIFS).)
 CVE-2014-4275 (Unspecified vulnerability in Oracle Sun Solaris 11 allows local users to affect availability via vectors related to SMB server kernel module.)
 CVE-2014-4274 (Unspecified vulnerability in Oracle MySQL Server 5.5.38 and earlier and 5.6.19 and earlier allows local users to affect confidentiality, integrity, and availability via vectors related to SERVER:MyISAM.)
 CVE-2014-2880 (Open redirect vulnerability in the Oracle Identity Manager component in Oracle Fusion Middleware 11.1.1.5, 11.1.1.7, 11.1.2.1, and 11.1.2.2 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the backUrl parameter in a changepwd action to identity/faces/firstlogin.)
 CVE-2014-2478 (Unspecified vulnerability in the Core RDBMS component in Oracle Database Server 11.1.0.7, 11.2.0.3, 11.2.0.4, and 12.1.0.1 allows remote attackers to affect confidentiality via unknown vectors.)
 CVE-2014-2476 (Unspecified vulnerability in the Oracle Secure Global Desktop component in Oracle Virtualization 5.0 and 5.1 allows remote attackers to affect availability via vectors related to SGD Proxy Server (ttaauxserv), a different vulnerability than CVE-2014-2472, CVE-2014-2474, and CVE-2014-6459.)
 CVE-2014-2475 (Unspecified vulnerability in the Oracle Secure Global Desktop component in Oracle Virtualization 4.63, 4.71, 5.0, and 5.1 allows remote attackers to affect availability via vectors related to SGD Proxy Server (ttaauxserv).)
 CVE-2014-2474 (Unspecified vulnerability in the Oracle Secure Global Desktop component in Oracle Virtualization 5.0 and 5.1 allows remote attackers to affect availability via vectors related to SGD Proxy Server (ttaauxserv), a different vulnerability than CVE-2014-2472, CVE-2014-2476, and CVE-2014-6459.)
 CVE-2014-2473 (Unspecified vulnerability in the Oracle Secure Global Desktop component in Oracle Virtualization 5.0 and 5.1 allows remote attackers to affect availability via vectors related to SGD Proxy Server (ttaauxserv) and SGD SSL Daemon (ttassl).)
 CVE-2014-2472 (Unspecified vulnerability in the Oracle Secure Global Desktop component in Oracle Virtualization 5.0 and 5.1 allows remote attackers to affect availability via vectors related to SGD Proxy Server (ttaauxserv), a different vulnerability than CVE-2014-2474, CVE-2014-2476, and CVE-2014-6459.)
 CVE-2014-0224 (OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCipherSpec messages, which allows man-in-the-middle attackers to trigger use of a zero-length master key in certain OpenSSL-to-OpenSSL communications, and consequently hijack sessions or obtain sensitive information, via a crafted TLS handshake, aka the "CCS Injection" vulnerability.)
 CVE-2014-0119 (Apache Tomcat before 6.0.40, 7.x before 7.0.54, and 8.x before 8.0.6 does not properly constrain the class loader that accesses the XML parser used with an XSLT stylesheet, which allows remote attackers to (1) read arbitrary files via a crafted web application that provides an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue, or (2) read files associated with different web applications on a single Tomcat instance via a crafted web application.)
 CVE-2014-0114 (The ActionForm object in Apache Struts 1.x through 1.3.10 allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via the class parameter, which is passed to the getClass method.)
 CVE-2014-0050 (MultipartStream.java in Apache Commons FileUpload before 1.3.1, as used in Apache Tomcat, JBoss Web, and other products, allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a crafted Content-Type header that bypasses a loop's intended exit conditions.)
 CVE-2013-1741 (Integer overflow in Mozilla Network Security Services (NSS) 3.15 before 3.15.3 allows remote attackers to cause a denial of service or possibly have unspecified other impact via a large size value.)
 CVE-2012-5615 (MySQL 5.5.19 and possibly other versions, and MariaDB 5.5.28a, 5.3.11, 5.2.13, 5.1.66, and possibly other versions, generates different error messages with different time delays depending on whether a user name exists, which allows remote attackers to enumerate valid usernames.)
Оригинальный текстdocumentSecurity Explorations, [SE-2014-01] Missing patches / inaccurate information regarding Oracle Oct CPU (03.11.2014)
 documentSecurity Explorations, [SE-2014-01] Breaking Oracle Database through Java exploits (details) (16.10.2014)
 documentSEC Consult Vulnerability Lab, SEC Consult SA-20141015-0 :: Potential Cross-Site Scripting in ADF Faces (16.10.2014)
Файлы:Oracle Critical Patch Update Advisory - October 2014

Повреждение памяти в PHP
дополнено с 27 октября 2014 г.
Опубликовано:3 ноября 2014 г.
Источник:
SecurityVulns ID:14056
Тип:библиотека
Уровень опасности:
6/10
Описание:Повреждение памяти при разборе JPEG в exif_thumbnail(), exif_ifd_make_value(), переполнение буфера в XMLRPC, целочисленное переполнение в object_custom function.
Затронутые продукты:PHP : PHP 5.5
CVE:CVE-2014-3670 (The exif_ifd_make_value function in exif.c in the EXIF extension in PHP before 5.4.34, 5.5.x before 5.5.18, and 5.6.x before 5.6.2 operates on floating-point arrays incorrectly, which allows remote attackers to cause a denial of service (heap memory corruption and application crash) or possibly execute arbitrary code via a crafted JPEG image with TIFF thumbnail data that is improperly handled by the exif_thumbnail function.)
 CVE-2014-3669 (Integer overflow in the object_custom function in ext/standard/var_unserializer.c in PHP before 5.4.34, 5.5.x before 5.5.18, and 5.6.x before 5.6.2 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via an argument to the unserialize function that triggers calculation of a large length value.)
 CVE-2014-3668 (Buffer overflow in the date_from_ISO8601 function in the mkgmtime implementation in libxmlrpc/xmlrpc.c in the XMLRPC extension in PHP before 5.4.34, 5.5.x before 5.5.18, and 5.6.x before 5.6.2 allows remote attackers to cause a denial of service (application crash) via (1) a crafted first argument to the xmlrpc_set_type function or (2) a crafted argument to the xmlrpc_decode function, related to an out-of-bounds read operation.)
Оригинальный текстdocumentUBUNTU, [USN-2391-1] php5 vulnerabilities (03.11.2014)
 documentMANDRIVA, [ MDVSA-2014:202 ] php (27.10.2014)

Многочисленные уязвимости безопасности в Apple iOS
дополнено с 27 октября 2014 г.
Опубликовано:3 ноября 2014 г.
Источник:
SecurityVulns ID:14062
Тип:библиотека
Уровень опасности:
6/10
Описание:Несанкционированное подключение по Bluetooth, недостаточное шифрование, недостаточная проверка сертификата, утечка информации, атаки poodle на SSL.
Затронутые продукты:APPLE : iOS 8.0
CVE:CVE-2014-4450 (The QuickType feature in the Keyboards subsystem in Apple iOS before 8.1 collects typing-prediction data from fields with an off autocomplete attribute, which makes it easier for attackers to discover credentials by reading credential values within unintended DOM input elements.)
 CVE-2014-4449 (iCloud Data Access in Apple iOS before 8.1 does not verify X.509 certificates from TLS servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.)
 CVE-2014-4448 (House Arrest in Apple iOS before 8.1 relies on the hardware UID for its encryption key, which makes it easier for physically proximate attackers to obtain sensitive information from a Documents directory by obtaining this UID.)
 CVE-2014-4428 (Bluetooth in Apple OS X before 10.10 does not require encryption for HID Low Energy devices, which allows remote attackers to spoof a device by leveraging previous pairing.)
 CVE-2014-3566 (The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other products, uses nondeterministic CBC padding, which makes it easier for man-in-the-middle attackers to obtain cleartext data via a padding-oracle attack, aka the "POODLE" issue.)
Оригинальный текстdocumentVulnerability Lab, Apple iOS v8.0.2 - Silent Contact Denial of Service Vulnerability (03.11.2014)
 documentAPPLE, APPLE-SA-2014-10-20-1 iOS 8.1 (27.10.2014)

Проблема символьных линков в wget
Опубликовано:3 ноября 2014 г.
Источник:
SecurityVulns ID:14066
Тип:клиент
Уровень опасности:
5/10
Описание:Проблема символьных линков в mirror-режиме FTP.
Затронутые продукты:WGET : wget 1.15
CVE:CVE-2014-4877 (Absolute path traversal vulnerability in GNU Wget before 1.16, when recursion is enabled, allows remote FTP servers to write to arbitrary files, and consequently execute arbitrary code, via a LIST response that references the same filename within two entries, one of which indicates that the filename is for a symlink.)
Оригинальный текстdocumentMANDRIVA, [ MDVSA-2014:212 ] wget (03.11.2014)

DoS против HP-UX
Опубликовано:3 ноября 2014 г.
Источник:
SecurityVulns ID:14067
Тип:локальная
Уровень опасности:
5/10
Затронутые продукты:HP : HP-UX 11.31
CVE:CVE-2014-7877 (Unspecified vulnerability in the kernel in HP HP-UX B.11.31 allows local users to cause a denial of service via unknown vectors.)
Оригинальный текстdocumentHP, [security bulletin] HPSBUX03159 SSRT101785 rev.2 - HP-UX kernel, Local Denial of Service (DoS) (03.11.2014)

Многочисленные уязвимости безопасности в Pidgin
Опубликовано:3 ноября 2014 г.
Источник:
SecurityVulns ID:14069
Тип:удаленная
Уровень опасности:
6/10
Описание:Недостаточная проверка сертификата, DoS при разборе emoticons, DoS через сообщения Groupwise, утечка информации через XMPP.
Затронутые продукты:PIDGIN : Pidgin 2.10
CVE:CVE-2014-3698 (The jabber_idn_validate function in jutil.c in the Jabber protocol plugin in libpurple in Pidgin before 2.10.10 allows remote attackers to obtain sensitive information from process memory via a crafted XMPP message.)
 CVE-2014-3696 (nmevent.c in the Novell GroupWise protocol plugin in libpurple in Pidgin before 2.10.10 allows remote servers to cause a denial of service (application crash) via a crafted server message that triggers a large memory allocation.)
 CVE-2014-3695 (markup.c in the MXit protocol plugin in libpurple in Pidgin before 2.10.10 allows remote servers to cause a denial of service (application crash) via a large length value in an emoticon response.)
 CVE-2014-3694 (The (1) bundled GnuTLS SSL/TLS plugin and the (2) bundled OpenSSL SSL/TLS plugin in libpurple in Pidgin before 2.10.10 do not properly consider the Basic Constraints extension during verification of X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.)
Оригинальный текстdocumentUBUNTU, [USN-2390-1] Pidgin vulnerabilities (03.11.2014)

Повреждения памяти в libbfd
Опубликовано:3 ноября 2014 г.
Источник:
SecurityVulns ID:14070
Тип:библиотека
Уровень опасности:
6/10
Описание:Повреждения памяти при разборе ELF.
Оригинальный текстdocumentMichal Zalewski, vulnerabilities in libbfd (CVE-2014-beats-me) (03.11.2014)

Утечка информауции в quassel
Опубликовано:3 ноября 2014 г.
Источник:
SecurityVulns ID:14071
Тип:удаленная
Уровень опасности:
5/10
Описание:Утечка содержимого памяти, DoS.
Затронутые продукты:QUASSEL : quassel 0.10
CVE:CVE-2014-8483 (The blowfishECB function in core/cipher.cpp in Quassel IRC 0.10.0 allows remote attackers to cause a denial of service (out-of-bounds read) via a malformed string.)
Оригинальный текстdocumentDEBIAN, [SECURITY] [DSA 3063-1] quassel security update (03.11.2014)

Многочисленные уязвимости безопасности в Aircrack-ng
Опубликовано:3 ноября 2014 г.
Источник:
SecurityVulns ID:14072
Тип:удаленная
Уровень опасности:
6/10
Описание:DoS условия, переполнение буфера, целочисленное переполнение.
Затронутые продукты:AIRCRACKNG : aircrack-ng 1.2
CVE:CVE-2014-8324
 CVE-2014-8323
 CVE-2014-8322
 CVE-2014-8321
Оригинальный текстdocumentn.sampanis_(at)_obrela.com, "Aircrack-ng 1.2 Beta 3" multiple vulnerabilities (03.11.2014)

Уязвимости безопасности в HP Color LaserJet
Опубликовано:3 ноября 2014 г.
Источник:
SecurityVulns ID:14073
Тип:удаленная
Уровень опасности:
5/10
Описание:Несанкционированный доступ к данным, DoS.
Затронутые продукты:HP : LaserJet CM3530
CVE:CVE-2014-7875 (Unspecified vulnerability on the HP LaserJet CM3530 Multifunction Printer CC519A and CC520A with firmware before 53.236.2 allows remote attackers to obtain sensitive information, modify data, or cause a denial of service via unknown vectors.)
Оригинальный текстdocumentHP, [security bulletin] HPSBPI03147 rev.1 - Certain HP Color LaserJet Printers, Remote Unauthorized Access, Denial of Service (DoS) (03.11.2014)

DoS против systemd-shim в Ubuntu
Опубликовано:3 ноября 2014 г.
Источник:
SecurityVulns ID:14074
Тип:локальная
Уровень опасности:
5/10
Описание:По умолчанию включен режим отладки.
Затронутые продукты:SYSTEMDSHIM : systemd-shim 8
CVE:CVE-2014-8399 (The default configuration in systemd-shim 8 enables the Abandon debugging clause, which allows local users to cause a denial of service via unspecified vectors.)
Оригинальный текстdocumentUBUNTU, [USN-2392-1] systemd-shim vulnerability (03.11.2014)

Повышение привилегий в torque
Опубликовано:3 ноября 2014 г.
Источник:
SecurityVulns ID:14075
Тип:локальная
Уровень опасности:
5/10
Описание:Можно убить процесс любого пользователя.
Затронутые продукты:TORQUE : TORQUE 5.2
CVE:CVE-2014-3684 (The tm_adopt function in lib/Libifl/tm.c in Terascale Open-Source Resource and Queue Manager (aka TORQUE Resource Manager) 5.0.x, 4.5.x, 4.2.x, and earlier does not validate that the owner of the process also owns the adopted session id, which allows remote authenticated users to kill arbitrary processes via a crafted executable.)
Оригинальный текстdocumentDEBIAN, [SECURITY] [DSA 3058-1] torque security update (03.11.2014)

Межсайтовый скриптинг в Dell SonicWall GMS
Опубликовано:3 ноября 2014 г.
Источник:
SecurityVulns ID:14076
Тип:локальная
Уровень опасности:
3/10
Описание:Межсайтовый скриптинг в интерфейсе администрирования.
Затронутые продукты:DELL : SonicWall GMS 7.2
Оригинальный текстdocumentVulnerability Lab, Dell SonicWall GMS v7.2.x - Persistent Web Vulnerability (03.11.2014)

Cводка уязвимостей безопасности в Web-приложениях (PHP, ASP, JSP, CGI, Perl)
Опубликовано:3 ноября 2014 г.
Источник:
SecurityVulns ID:14077
Тип:удаленная
Уровень опасности:
5/10
Описание:Инъекции PHP, инъекции SQL, обратный путь в каталогах, межсайтовый скриптинг, модификация файлов, утечка информации и т.д.
Затронутые продукты:SCALIX : Scalix Web Access 12.2
 DOKUWIKI : dokuwiki 0.0
 CONFLUENCE : RefinedWiki 4.0
 VIZENSOFT : Vizensoft Admin Panel 2014
 ESPOCRM : EspoCRM 2.5
 WORDPRESS : WordPress Database Manager 2.7
 INCREDIBLEPBX : Incredible PBX 11
 LITECART : LiteCart 1.1
 ELASTIX : Elastix 2.4
 BUGZILLA : Bugzilla 4.2
 TESTLINK : TestLink 1.9
 PHPMYADMIN : phpmyadmin 4.2
CVE:CVE-2014-8764 (DokuWiki 2014-05-05a and earlier, when using Active Directory for LDAP authentication, allows remote attackers to bypass authentication via a user name and password starting with a null (\0) character, which triggers an anonymous bind.)
 CVE-2014-8763 (DokuWiki before 2014-05-05b, when using Active Directory for LDAP authentication, allows remote attackers to bypass authentication via a password starting with a null (\0) character and a valid user name, which triggers an unauthenticated bind.)
 CVE-2014-8762 (The ajax_mediadiff function in DokuWiki before 2014-05-05a allows remote attackers to access arbitrary images via a crafted namespace in the ns parameter.)
 CVE-2014-8761 (inc/template.php in DokuWiki before 2014-05-05a only checks for access to the root namespace, which allows remote attackers to access arbitrary images via a media file details ajax call.)
 CVE-2014-8339 (SQL injection vulnerability in midroll.php in Nuevolab Nuevoplayer for ClipShare 8.0 and earlier allows remote attackers to execute arbitrary SQL commands via the ch parameter.)
 CVE-2014-8335
 CVE-2014-8334 (The WP-DBManager (aka Database Manager) plugin before 2.7.2 for WordPress allows remote authenticated users to execute arbitrary commands via shell metacharacters in the (1) $backup['filepath'] (aka "Path to Backup:" field) or (2) $backup['mysqldumppath'] variable.)
 CVE-2014-8326 (Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin 4.0.x before 4.0.10.5, 4.1.x before 4.1.14.6, and 4.2.x before 4.2.10.1 allow remote authenticated users to inject arbitrary web script or HTML via a crafted (1) database name or (2) table name, related to the libraries/DatabaseInterface.class.php code for SQL debug output and the js/server_status_monitor.js code for the server monitor page.)
 CVE-2014-8082 (lib/functions/database.class.php in TestLink before 1.9.13 allows remote attackers to obtain sensitive information via unspecified vectors, which reveals the installation path in an error message.)
 CVE-2014-8081 (lib/execute/execSetResults.php in TestLink before 1.9.13 allows remote attackers to conduct PHP object injection attacks and execute arbitrary PHP code via the filter_result_result parameter.)
 CVE-2014-7987 (Cross-site scripting (XSS) vulnerability in EspoCRM before 2.6.0 allows remote attackers to inject arbitrary web script or HTML via the desc parameter in an errors action to install/index.php.)
 CVE-2014-7986 (install/index.php in EspoCRM before 2.6.0 allows remote attackers to re-install the application via a 1 value in the installProcess parameter.)
 CVE-2014-7985 (Directory traversal vulnerability in EspoCRM before 2.6.0 allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the action parameter to install/index.php.)
 CVE-2014-7183 (Multiple cross-site scripting (XSS) vulnerabilities in the search.php in LiteCart 1.1.2.1 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) query parameter or (2) QUERY_STRING.)
 CVE-2014-1573 (Bugzilla 2.x through 4.0.x before 4.0.15, 4.1.x and 4.2.x before 4.2.11, 4.3.x and 4.4.x before 4.4.6, and 4.5.x before 4.5.6 does not ensure that a scalar context is used for certain CGI parameters, which allows remote attackers to conduct cross-site scripting (XSS) attacks by sending three values for a single parameter name.)
 CVE-2014-1572 (The confirm_create_account function in the account-creation feature in token.cgi in Bugzilla 2.x through 4.0.x before 4.0.15, 4.1.x and 4.2.x before 4.2.11, 4.3.x and 4.4.x before 4.4.6, and 4.5.x before 4.5.6 does not specify a scalar context for the realname parameter, which allows remote attackers to create accounts with unverified e-mail addresses by sending three realname values with realname=login_name as the second, as demonstrated by selecting an e-mail address with a domain name for which group privileges are automatically granted.)
 CVE-2014-1571 (Bugzilla 2.x through 4.0.x before 4.0.15, 4.1.x and 4.2.x before 4.2.11, 4.3.x and 4.4.x before 4.4.6, and 4.5.x before 4.5.6 allows remote authenticated users to obtain sensitive private-comment information by leveraging a role as a flag recipient, related to Bug.pm, Flag.pm, and a mail template.)
Оригинальный текстdocumentsimo_(at)_morxploit.com, Elastix Multiple vulnerabilities (Remote Command Execution, XSS, CSRF) (03.11.2014)
 documentOnur Yilmaz, LiteCart Security Advisory - Multiple XSS Vulnerabilities - CVE-2014-7183 (03.11.2014)
 documentsimo_(at)_morxploit.com, Incredible PBX remote command execution exploit (03.11.2014)
 documentMANDRIVA, [ MDVSA-2014:200 ] bugzilla (03.11.2014)
 documentlarry0_(at)_me.com, Vulnerabilities in WordPress Database Manager v2.7.1 (03.11.2014)
 documentEgidio Romano, [KIS-2014-12] TestLink <= 1.9.12 (database.class.php) Path Disclosure Weakness (03.11.2014)
 documentEgidio Romano, [KIS-2014-11] TestLink <= 1.9.12 (execSetResults.php) PHP Object Injection Vulnerability (03.11.2014)
 documentMANDRIVA, [ MDVSA-2014:208 ] phpmyadmin (03.11.2014)
 documentiedb.team_(at)_gmail.com, phpfusion (Search Page) Denial of Service Vulnerability (03.11.2014)
 documentHigh-Tech Bridge Security Research, Multiple vulnerabilities in EspoCRM (03.11.2014)
 documentSEC Consult Vulnerability Lab, SEC Consult SA-20141029-0 :: Multiple critical vulnerabilities in Vizensoft Admin Panel (03.11.2014)
 documentSEC Consult Vulnerability Lab, SEC Consult SA-20141029-1 :: Persistent cross site scripting in Confluence RefinedWiki Original Theme (03.11.2014)
 documentresearch_(at)_protectlogic.com, CVE-2014-8399 SQL Injection in NuevoLabs flash player for clipshare (03.11.2014)
 documentDEBIAN, [SECURITY] [DSA 3059-1] dokuwiki security update (03.11.2014)
 documentSEC Consult Vulnerability Lab, SEC Consult SA-20141031-0 :: XML External Entity Injection (XXE) and Reflected XSS in Scalix Web Access (03.11.2014)
 documentiedb.team_(at)_gmail.com, PARSADEV CMS Cross-Site Scripting Vulnerability (03.11.2014)

Многочисленные уязвимости безопасности в ядре Linux
дополнено с 3 ноября 2014 г.
Опубликовано:30 ноября 2014 г.
Источник:
SecurityVulns ID:14068
Тип:библиотека
Уровень опасности:
7/10
Описание:Многочисленные ошибки в KVM, DoS в клиенте CIFS, удаленные DoS-условия, повшение привилегий через файловую систему, повышение привилегий и обход защиты через trace_syscalls.
Затронутые продукты:LINUX : kernel 3.16
CVE:CVE-2014-8369 (The kvm_iommu_map_pages function in virt/kvm/iommu.c in the Linux kernel through 3.17.2 miscalculates the number of pages during the handling of a mapping failure, which allows guest OS users to cause a denial of service (host OS page unpinning) or possibly have unspecified other impact by leveraging guest OS privileges. NOTE: this vulnerability exists because of an incorrect fix for CVE-2014-3601.)
 CVE-2014-7970 (The pivot_root implementation in fs/namespace.c in the Linux kernel through 3.17 does not properly interact with certain locations of a chroot directory, which allows local users to cause a denial of service (mount-tree loop) via . (dot) values in both arguments to the pivot_root system call.)
 CVE-2014-7826 (kernel/trace/trace_syscalls.c in the Linux kernel through 3.17.2 does not properly handle private syscall numbers during use of the ftrace subsystem, which allows local users to gain privileges or cause a denial of service (invalid pointer dereference) via a crafted application.)
 CVE-2014-7825 (kernel/trace/trace_syscalls.c in the Linux kernel through 3.17.2 does not properly handle private syscall numbers during use of the perf subsystem, which allows local users to cause a denial of service (out-of-bounds read and OOPS) or bypass the ASLR protection mechanism via a crafted application.)
 CVE-2014-7207 (A certain Debian patch to the IPv6 implementation in the Linux kernel 3.2.x through 3.2.63 does not properly validate arguments in ipv6_select_ident function calls, which allows local users to cause a denial of service (NULL pointer dereference and system crash) by leveraging (1) tun or (2) macvtap device access.)
 CVE-2014-7145 (The SMB2_tcon function in fs/cifs/smb2pdu.c in the Linux kernel before 3.16.3 allows remote CIFS servers to cause a denial of service (NULL pointer dereference and client system crash) or possibly have unspecified other impact by deleting the IPC$ share during resolution of DFS referrals.)
 CVE-2014-3690 (arch/x86/kvm/vmx.c in the KVM subsystem in the Linux kernel before 3.17.2 on Intel processors does not ensure that the value in the CR4 control register remains the same after a VM entry, which allows host OS users to kill arbitrary processes or cause a denial of service (system disruption) by leveraging /dev/kvm access, as demonstrated by PR_SET_TSC prctl calls within a modified copy of QEMU.)
 CVE-2014-3688 (The SCTP implementation in the Linux kernel before 3.17.4 allows remote attackers to cause a denial of service (memory consumption) by triggering a large number of chunks in an association's output queue, as demonstrated by ASCONF probes, related to net/sctp/inqueue.c and net/sctp/sm_statefuns.c.)
 CVE-2014-3687 (The sctp_assoc_lookup_asconf_ack function in net/sctp/associola.c in the SCTP implementation in the Linux kernel through 3.17.2 allows remote attackers to cause a denial of service (panic) via duplicate ASCONF chunks that trigger an incorrect uncork within the side-effect interpreter.)
 CVE-2014-3673 (The SCTP implementation in the Linux kernel through 3.17.2 allows remote attackers to cause a denial of service (system crash) via a malformed ASCONF chunk, related to net/sctp/sm_make_chunk.c and net/sctp/sm_statefuns.c.)
 CVE-2014-3647 (arch/x86/kvm/emulate.c in the KVM subsystem in the Linux kernel through 3.17.2 does not properly perform RIP changes, which allows guest OS users to cause a denial of service (guest OS crash) via a crafted application.)
 CVE-2014-3646 (arch/x86/kvm/vmx.c in the KVM subsystem in the Linux kernel through 3.17.2 does not have an exit handler for the INVVPID instruction, which allows guest OS users to cause a denial of service (guest OS crash) via a crafted application.)
 CVE-2014-3645 (arch/x86/kvm/vmx.c in the KVM subsystem in the Linux kernel before 3.12 does not have an exit handler for the INVEPT instruction, which allows guest OS users to cause a denial of service (guest OS crash) via a crafted application.)
 CVE-2014-3611 (Race condition in the __kvm_migrate_pit_timer function in arch/x86/kvm/i8254.c in the KVM subsystem in the Linux kernel through 3.17.2 allows guest OS users to cause a denial of service (host OS crash) by leveraging incorrect PIT emulation.)
 CVE-2014-3610 (The WRMSR processing functionality in the KVM subsystem in the Linux kernel through 3.17.2 does not properly handle the writing of a non-canonical address to a model-specific register, which allows guest OS users to cause a denial of service (host OS crash) by leveraging guest OS privileges, related to the wrmsr_interception function in arch/x86/kvm/svm.c and the handle_wrmsr function in arch/x86/kvm/vmx.c.)
Оригинальный текстdocumentMANDRIVA, [ MDVSA-2014:230 ] kernel (30.11.2014)
 documentDEBIAN, [SECURITY] [DSA 3060-1] linux security update (03.11.2014)
 documentUBUNTU, [USN-2394-1] Linux kernel (Trusty HWE) vulnerabilities (03.11.2014)

О сайте | Условия использования
© SecurityVulns, 3APA3A, Владимир Дубровин
Нижний Новгород