Информационная безопасность
[RU] switch to English


Утечка информации в EMC RSA enVision
Опубликовано:15 февраля 2012 г.
Источник:
SecurityVulns ID:12194
Тип:удаленная
Уровень опасности:
4/10
Описание:Возможно получить значение переменных среды окружения.
Затронутые продукты:EMC : RSA enVision 4.0
 EMC : RSA enVision 4.1
CVE:CVE-2011-4143 (EMC RSA enVision 4.0 before SP4 P5 and 4.1 before P3 allows remote attackers to obtain sensitive information about environment variables in the web system via unspecified vectors.)
Оригинальный текстdocumentEMC, ESA-2012-007: RSA, The Security Division of EMC, announces security fixes for RSA enVision (15.02.2012)

Подмена кода в Nomachine NX Web Companion
Опубликовано:15 февраля 2012 г.
Источник:
SecurityVulns ID:12195
Тип:m-i-t-m
Уровень опасности:
4/10
Описание:Загружается файл client.zip не имеющий цифровой подписи.
Затронутые продукты:NOMACHINE : NX Web Companion 3.0
Оригинальный текстdocumentotr_(at)_bockcay.de, NX Web Companion Spoofing Arbitrary Code Execution Vulnerability (15.02.2012)

Несанкционированный доступ к HP Network Automation
Опубликовано:15 февраля 2012 г.
Источник:
SecurityVulns ID:12196
Тип:удаленная
Уровень опасности:
5/10
Затронутые продукты:HP : HP Network Automation 9.10
CVE:CVE-2011-4790 (Unspecified vulnerability in HP Network Automation 7.5x, 7.6x, 9.0, and 9.10 allows remote attackers to execute arbitrary code via unknown vectors.)
Оригинальный текстdocumentHP, [security bulletin] HPSBMU02738 SSRT100748 rev.1 - HP Network Automation Running on Linux, Solaris, and Windows, Remote Unauthorized Access (15.02.2012)

Обратный путь в каталогах тюнера Mutant 200s
Опубликовано:15 февраля 2012 г.
Источник:
SecurityVulns ID:12197
Тип:удаленная
Уровень опасности:
4/10
Описание:Обратный путь в каталогах встроенного веб-сервера.
Затронутые продукты:DREAMMULTIMEDIAT : Dreambox DM500
 MUTANT : Mutant 200s
Оригинальный текстdocumentkevin mitnik, FW: mutant200s DreamBox Arbitrary File Download Vulnerability (15.02.2012)

Cводка уязвимостей безопасности в Web-приложениях (PHP, ASP, JSP, CGI, Perl)
дополнено с 15 февраля 2012 г.
Опубликовано:15 февраля 2012 г.
Источник:
SecurityVulns ID:12198
Тип:удаленная
Уровень опасности:
5/10
Описание:Инъекции PHP, инъекции SQL, обратный путь в каталогах, межсайтовый скриптинг, модификация файлов, утечка информации и т.д.
Затронутые продукты:WORDPRESS : Register Plus 3.5
 EFRONTLEARNING : eFront Community++ 3.6
 MANAGEENGINE : ME Monitoring Manager 10.0
 XRAYCMS : XRayCMS 1.1
Оригинальный текстdocumentrezahmail_(at)_gmail.com, sqlinjection bug in nova cms (15.02.2012)
 documentVulnerability Lab, eFront Community++ v3.6.10 - SQL Injection Vulnerability (15.02.2012)
 documentMustLive, Multiple new vulnerabilities in Register Plus for WordPress (15.02.2012)
 documentVulnerability Lab, ME Monitoring Manager v9.x; v10.x - Multiple Vulnerabilities (15.02.2012)

Многочисленные уязвимости безопасности в ядре Linux
Опубликовано:15 февраля 2012 г.
Источник:
SecurityVulns ID:12199
Тип:удаленная
Уровень опасности:
7/10
Описание:Повышение привилегий через файловые системы, повышение привилегий через /proc, DoS через IGMP
Затронутые продукты:LINUX : kernel 2.6
 LINUX : kernel 3.0
CVE:CVE-2012-0207 (The igmp_heard_query function in net/ipv4/igmp.c in the Linux kernel before 3.2.1 allows remote attackers to cause a denial of service (divide-by-zero error and panic) via IGMP packets.)
 CVE-2012-0056 (The mem_write function in Linux kernel 2.6.39 and other versions, when ASLR is disabled, does not properly check permissions when writing to /proc/<pid>/mem, which allows local users to gain privileges by modifying process memory, as demonstrated by Mempodipper.)
 CVE-2012-0055
 CVE-2012-0044 (Integer overflow in the drm_mode_dirtyfb_ioctl function in drivers/gpu/drm/drm_crtc.c in the Direct Rendering Manager (DRM) subsystem in the Linux kernel before 3.1.5 allows local users to gain privileges or cause a denial of service (memory corruption) via a crafted ioctl call.)
 CVE-2012-0038 (Integer overflow in the xfs_acl_from_disk function in fs/xfs/xfs_acl.c in the Linux kernel before 3.1.9 allows local users to cause a denial of service (panic) via a filesystem with a malformed ACL, leading to a heap-based buffer overflow.)
Оригинальный текстdocumentUBUNTU, [USN-1364-1] Linux kernel (OMAP4) vulnerabilities (15.02.2012)

Утечка информации в Skype
Опубликовано:15 февраля 2012 г.
Источник:
SecurityVulns ID:12200
Тип:локальная
Уровень опасности:
5/10
Описание:При удалении локальных сообщений производится их пометка как удаленных в базе, но сжатие и очистка базу на производится.
Затронутые продукты:SKYPE : Skype 5.0
 SKYPE : Skype 5.6
Оригинальный текстdocumentOsama Bin Error, Skype v. 5.x.x - information disclosure (15.02.2012)

Многочисленные XSS в Microsoft SharePoint
Опубликовано:15 февраля 2012 г.
Источник:
SecurityVulns ID:12203
Тип:удаленная
Уровень опасности:
5/10
Описание:XSS в различных страницах.
Затронутые продукты:MICROSOFT : SharePoint Server 2010
 MICROSOFT : SharePoint Foundation 2010
CVE:CVE-2012-0145 (Cross-site scripting (XSS) vulnerability in wizardlist.aspx in Microsoft Office SharePoint Server 2010 Gold and SP1 and SharePoint Foundation 2010 Gold and SP1 allows remote attackers to inject arbitrary web script or HTML via JavaScript sequences in a URL, aka "XSS in wizardlist.aspx Vulnerability.")
 CVE-2012-0144 (Cross-site scripting (XSS) vulnerability in themeweb.aspx in Microsoft Office SharePoint Server 2010 Gold and SP1 and SharePoint Foundation 2010 Gold and SP1 allows remote attackers to inject arbitrary web script or HTML via JavaScript sequences in a URL, aka "XSS in themeweb.aspx Vulnerability.")
 CVE-2012-0017 (Cross-site scripting (XSS) vulnerability in inplview.aspx in Microsoft SharePoint Foundation 2010 Gold and SP1 allows remote attackers to inject arbitrary web script or HTML via JavaScript sequences in a URL, aka "XSS in inplview.aspx Vulnerability.")
Файлы:Microsoft Security Bulletin MS12-011 - Important Vulnerabilities in Microsoft SharePoint Could Allow Elevation of Privilege (2663841)

Многочисленные уязвимости безопасности в Microsoft Visio Viewer
Опубликовано:15 февраля 2012 г.
Источник:
SecurityVulns ID:12204
Тип:локальная
Уровень опасности:
5/10
Описание:Многочисленные повреждения памяти при разборе файлов VSD.
Затронутые продукты:MICROSOFT : Visio Viewer 2010
CVE:CVE-2012-0138 (Microsoft Visio Viewer 2010 Gold and SP1 does not properly handle memory during the parsing of files, which allows remote attackers to execute arbitrary code via crafted attributes in a Visio file, aka "VSD File Format Memory Corruption Vulnerability," a different vulnerability than CVE-2012-0019, CVE-2012-0020, CVE-2012-0136, and CVE-2012-0137.)
 CVE-2012-0137 (Microsoft Visio Viewer 2010 Gold and SP1 does not properly handle memory during the parsing of files, which allows remote attackers to execute arbitrary code via crafted attributes in a Visio file, aka "VSD File Format Memory Corruption Vulnerability," a different vulnerability than CVE-2012-0019, CVE-2012-0020, CVE-2012-0136, and CVE-2012-0138.)
 CVE-2012-0136 (Microsoft Visio Viewer 2010 Gold and SP1 does not properly handle memory during the parsing of files, which allows remote attackers to execute arbitrary code via crafted attributes in a Visio file, aka "VSD File Format Memory Corruption Vulnerability," a different vulnerability than CVE-2012-0019, CVE-2012-0020, CVE-2012-0137, and CVE-2012-0138.)
 CVE-2012-0020 (Microsoft Visio Viewer 2010 Gold and SP1 does not properly handle memory during the parsing of files, which allows remote attackers to execute arbitrary code via crafted attributes in a Visio file, aka "VSD File Format Memory Corruption Vulnerability," a different vulnerability than CVE-2012-0019, CVE-2012-0136, CVE-2012-0137, and CVE-2012-0138.)
 CVE-2012-0019 (Microsoft Visio Viewer 2010 Gold and SP1 does not properly handle memory during the parsing of files, which allows remote attackers to execute arbitrary code via crafted attributes in a Visio file, aka "VSD File Format Memory Corruption Vulnerability," a different vulnerability than CVE-2012-0020, CVE-2012-0136, CVE-2012-0137, and CVE-2012-0138.)
Файлы:Microsoft Security Bulletin MS12-015 - Important Vulnerabilities in Microsoft Visio Viewer 2010 Could Allow Remote Code Execution (2663510)

Многочисленные уязвимости безопасности в Microsoft Windows
дополнено с 15 февраля 2012 г.
Опубликовано:10 марта 2012 г.
Источник:
SecurityVulns ID:12201
Тип:удаленная
Уровень опасности:
9/10
Описание:Выполнение кода через GDI, повышение привилегий через различные драйверы, небезопасная загрузка DLL, выполнение кода через C Runtime, уязвимости в .Net framework и Silverlight.
Затронутые продукты:MICROSOFT : Windows XP
 MICROSOFT : Windows 2003 Server
 MICROSOFT : Windows Vista
 MICROSOFT : Windows 2008 Server
 MICROSOFT : Windows 7
CVE:CVE-2012-0154 (Use-after-free vulnerability in win32k.sys in the kernel-mode drivers in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2, R2, and R2 SP1, and Windows 7 Gold and SP1 allows local users to gain privileges via a crafted application that triggers keyboard layout errors, aka "Keyboard Layout Use After Free Vulnerability.")
 CVE-2012-0150 (Buffer overflow in msvcrt.dll in Microsoft Windows Vista SP2, Windows Server 2008 SP2, R2, and R2 SP1, and Windows 7 Gold and SP1 allows remote attackers to execute arbitrary code via a crafted media file, aka "Msvcrt.dll Buffer Overflow Vulnerability.")
 CVE-2012-0149 (afd.sys in the Ancillary Function Driver in Microsoft Windows Server 2003 SP2 does not properly validate user-mode input passed to kernel mode, which allows local users to gain privileges via a crafted application, aka "Ancillary Function Driver Elevation of Privilege Vulnerability.")
 CVE-2012-0148 (afd.sys in the Ancillary Function Driver in Microsoft Windows XP SP2, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2, R2, and R2 SP1, and Windows 7 Gold and SP1 on 64-bit platforms does not properly validate user-mode input passed to kernel mode, which allows local users to gain privileges via a crafted application, aka "AfdPoll Elevation of Privilege Vulnerability.")
 CVE-2012-0015 (Microsoft .NET Framework 2.0 SP2 and 3.5.1 does not properly calculate the length of an unspecified buffer, which allows remote attackers to execute arbitrary code via (1) a crafted XAML browser application (aka XBAP), (2) a crafted ASP.NET application, or (3) a crafted .NET Framework application, aka ".NET Framework Heap Corruption Vulnerability.")
 CVE-2012-0014 (Microsoft .NET Framework 2.0 SP2, 3.5.1, and 4, and Silverlight 4 before 4.1.10111, does not properly restrict access to memory associated with unmanaged objects, which allows remote attackers to execute arbitrary code via (1) a crafted XAML browser application (aka XBAP), (2) a crafted ASP.NET application, (3) a crafted .NET Framework application, or (4) a crafted Silverlight application, aka ".NET Framework Unmanaged Objects Vulnerability.")
 CVE-2011-5046 (The Graphics Device Interface (GDI) in win32k.sys in the kernel-mode drivers in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2, R2, and R2 SP1, and Windows 7 Gold and SP1 does not properly validate user-mode input, which allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via crafted data, as demonstrated by a large height attribute of an IFRAME element rendered by Safari, aka "GDI Access Violation Vulnerability.")
 CVE-2010-5082 (Untrusted search path vulnerability in colorcpl.exe 6.0.6000.16386 in the Color Control Panel in Microsoft Windows Server 2008 SP2, R2, and R2 SP1 allows local users to gain privileges via a Trojan horse sti.dll file in the current working directory, as demonstrated by a directory that contains a .camp, .cdmp, .gmmp, .icc, or .icm file, aka "Color Control Panel Insecure Library Loading Vulnerability.")
 CVE-2010-3138 (Untrusted search path vulnerability in the Indeo filter (iac25_32.ax) in Microsoft Windows, as used in BS.Player, Media Player Classic, and possibly other products, allows local users, and possibly remote attackers, to execute arbitrary code and conduct DLL hijacking attacks via a Trojan horse iacenc.dll that is located in the same folder as an AVI, .mka, .ra, or .ram file. NOTE: some of these details are obtained from third party information.)
Оригинальный текстdocumentZDI, ZDI-12-034 : Microsoft Windows Media Player ASX Meta-File Parsing Remote Code Execution Vulnerability (10.03.2012)
Файлы:Microsoft Security Bulletin MS12-008 - Critical Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Remote Code Execution (2660465)
 Microsoft Security Bulletin MS12-009 - Important Vulnerabilities in Ancillary Function Driver Could Allow Elevation of Privilege (2645640)
 Microsoft Security Bulletin MS12-012 - Important Vulnerability in Color Control Panel Could Allow Remote Code Execution (2643719)
 Microsoft Security Bulletin MS12-013 - Critical Vulnerability in C Run-Time Library Could Allow Remote Code Execution (2654428)
 Microsoft Security Bulletin MS12-014 - Important Vulnerability in Indeo Codec Could Allow Remote Code Execution (2661637)
 Microsoft Security Bulletin MS12-016 - Critical Vulnerabilities in .NET Framework and Microsoft Silverlight Could Allow Remote Code Execution (2651026)

Многочисленные уязвимости безопасности в Microsoft Internet Explorer
дополнено с 15 февраля 2012 г.
Опубликовано:10 марта 2012 г.
Источник:
SecurityVulns ID:12202
Тип:клиент
Уровень опасности:
8/10
Описание:Утечка информации, выполнение кода.
Затронутые продукты:MICROSOFT : Windows XP
 MICROSOFT : Windows 2003 Server
 MICROSOFT : Windows Vista
 MICROSOFT : Windows 2008 Server
 MICROSOFT : Windows 7
CVE:CVE-2012-0155 (Microsoft Internet Explorer 9 does not properly handle objects in memory, which allows remote attackers to execute arbitrary code by accessing a deleted object, aka "VML Remote Code Execution Vulnerability.")
 CVE-2012-0012 (Microsoft Internet Explorer 9 does not properly handle the creation and initialization of string objects, which allows remote attackers to read data from arbitrary process-memory locations via a crafted web site, aka "Null Byte Information Disclosure Vulnerability.")
 CVE-2012-0011 (Microsoft Internet Explorer 7 through 9 does not properly handle objects in memory, which allows remote attackers to execute arbitrary code by accessing a deleted object, aka "HTML Layout Remote Code Execution Vulnerability.")
 CVE-2012-0010 (Microsoft Internet Explorer 6 through 9 does not properly perform copy-and-paste operations, which allows user-assisted remote attackers to read content from a different (1) domain or (2) zone via a crafted web site, aka "Copy and Paste Information Disclosure Vulnerability.")
Оригинальный текстdocumentZDI, ZDI-12-036 : Microsoft Internet Explorer VML CDispScroller Remote Code Execution Vulnerability (10.03.2012)
 documentZDI, ZDI-12-035 : Microsoft Internet Explorer CDispNode t:MEDIA Remote Code Execution Vulnerability (10.03.2012)
Файлы:Microsoft Security Bulletin MS12-010 - Critical Cumulative Security Update for Internet Explorer (2647516)

Многочисленные уязвимости безопасности в Oracle Java
дополнено с 15 февраля 2012 г.
Опубликовано:20 августа 2012 г.
Источник:
SecurityVulns ID:12205
Тип:библиотека
Уровень опасности:
8/10
Описание:14 различных уязвимостей.
Затронутые продукты:ORACLE : JDK 6
 ORACLE : JDK 7
CVE:CVE-2012-1726 (Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 update 4 and earlier allows remote attackers to affect confidentiality and integrity via unknown vectors related to Libraries.)
 CVE-2012-1725 (Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 update 4 and earlier, 6 update 32 and earlier, and 5 update 35 and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Hotspot.)
 CVE-2012-1724 (Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 update 4 and earlier, and 6 update 32 and earlier, allows remote attackers to affect availability, related to JAXP.)
 CVE-2012-1723 (Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 update 4 and earlier, 6 update 32 and earlier, 5 update 35 and earlier, and 1.4.2_37 and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Hotspot.)
 CVE-2012-1722 (Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 update 4 and earlier, and 6 update 32 and earlier, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Deployment, a different vulnerability than CVE-2012-1721.)
 CVE-2012-1721 (Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 update 4 and earlier, and 6 update 32 and earlier, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Deployment, a different vulnerability than CVE-2012-1722.)
 CVE-2012-1720 (Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 update 4 and earlier, 6 update 32 and earlier, 5 update 35 and earlier, and 1.4.2_37 and earlier, when running on Solaris, allows local users to affect confidentiality, integrity, and availability via unknown vectors related to Networking.)
 CVE-2012-1719 (Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 update 4 and earlier, 6 update 32 and earlier, 5 update 35 and earlier, and 1.4.2_37 and earlier allows remote attackers to affect integrity, related to CORBA.)
 CVE-2012-1718 (Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 update 4 and earlier, 6 update 32 and earlier, 5 update 35 and earlier, and 1.4.2_37 and earlier allows remote attackers to affect availability via unknown vectors related to Security.)
 CVE-2012-1717 (Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 update 4 and earlier, 6 update 32 and earlier, 5 update 35 and earlier, and 1.4.2_37 and earlier allows local users to affect confidentiality via unknown vectors related to printing on Solaris or Linux.)
 CVE-2012-1716 (Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 update 4 and earlier, 6 update 32 and earlier, and 5 update 35 and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Swing.)
 CVE-2012-1713 (Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 update 4 and earlier, 6 update 32 and earlier, 5 update 35 and earlier, 1.4.2_37 and earlier, and JavaFX 2.1 and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to 2D.)
 CVE-2012-1711 (Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 update 4 and earlier, 6 update 32 and earlier, 5 update 35 and earlier, and 1.4.2_37 and earlier allows remote attackers to affect confidentiality, integrity, and availability, related to CORBA.)
 CVE-2012-0551 (Unspecified vulnerability in the Java Runtime Environment (JRE) in Oracle Java SE 7 update 4 and earlier and 6 update 32 and earlier, and the GlassFish Enterprise Server component in Oracle Sun Products Suite GlassFish Enterprise Server 3.1.1, allows remote attackers to affect confidentiality and integrity via unknown vectors related to Web Container or Deployment.)
 CVE-2012-0508 (Unspecified vulnerability in the JavaFX component in Oracle Java SE JavaFX, 1.3.0 and earlier, and 1.2.2 and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors.)
 CVE-2012-0507 (Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 2 and earlier, 6 Update 30 and earlier, and 5.0 Update 33 and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Concurrency. NOTE: the previous information was obtained from the February 2012 Oracle CPU. Oracle has not commented on claims from a downstream vendor and third party researchers that this issue occurs because the AtomicReferenceArray class implementation does not ensure that the array is of the Object[] type, which allows attackers to cause a denial of service (JVM crash) or bypass Java sandbox restrictions. NOTE: this issue was originally mapped to CVE-2011-3571, but that identifier was already assigned to a different issue.)
 CVE-2012-0506 (Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 2 and earlier, 6 Update 30 and earlier, 5.0 Update 33 and earlier, and 1.4.2_35 and earlier allows remote untrusted Java Web Start applications and untrusted Java applets to affect integrity via unknown vectors related to CORBA.)
 CVE-2012-0505 (Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 2 and earlier, 6 Update 30 and earlier, 5 Update 33 and earlier, and 1.4.2_35 and earlier allows remote untrusted Java Web Start applications and untrusted Java applets to affect confidentiality, integrity, and availability via unknown vectors related to Serialization.)
 CVE-2012-0504 (Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 2 and earlier, and 6 Update 30 and earlier, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Install and the Java Update mechanism.)
 CVE-2012-0503 (Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 2 and earlier, 6 Update 30 and earlier, 5.0 Update 33 and earlier, and 1.4.2_35 and earlier allows remote untrusted Java Web Start applications and untrusted Java applets to affect confidentiality, integrity, and availability, related to I18n.)
 CVE-2012-0502 (Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 2 and earlier, 6 Update 30 and earlier, 5.0 Update 33 and earlier, and 1.4.2_35 and earlier allows remote untrusted Java Web Start applications and untrusted Java applets to affect confidentiality and availability, related to AWT.)
 CVE-2012-0501 (Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 2 and earlier, 6 Update 30 and earlier, and 5.0 Update 33 and earlier allows remote attackers to affect availability via unknown vectors.)
 CVE-2012-0500 (Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 2 and earlier, 6 Update 30 and earlier, and JavaFX 2.0.2 and earlier allows remote untrusted Java Web Start applications and untrusted Java applets to affect confidentiality, integrity, and availability via unknown vectors related to Deployment.)
 CVE-2012-0500 (Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 2 and earlier, 6 Update 30 and earlier, and JavaFX 2.0.2 and earlier allows remote untrusted Java Web Start applications and untrusted Java applets to affect confidentiality, integrity, and availability via unknown vectors related to Deployment.)
 CVE-2012-0499 (Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 2 and earlier, 6 Update 30 and earlier, 5.0 Update 33 and earlier, and 1.4.2_35 and earlier; and JavaFX 2.0.2 and earlier; allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to 2D.)
 CVE-2012-0499 (Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 2 and earlier, 6 Update 30 and earlier, 5.0 Update 33 and earlier, and 1.4.2_35 and earlier; and JavaFX 2.0.2 and earlier; allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to 2D.)
 CVE-2012-0498 (Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 2 and earlier, 6 Update 30 and earlier, and 5.0 Update 33 and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to 2D.)
 CVE-2012-0498 (Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 2 and earlier, 6 Update 30 and earlier, and 5.0 Update 33 and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to 2D.)
 CVE-2012-0497 (Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 2 and earlier, and 6 Update 30 and earlier, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to 2D.)
 CVE-2012-0497 (Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 2 and earlier, and 6 Update 30 and earlier, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to 2D.)
 CVE-2011-5035 (Oracle Glassfish 2.1.1, 3.0.1, and 3.1.1, as used in Communications Server 2.0, Sun Java System Application Server 8.1 and 8.2, and possibly other products, computes hash values for form parameters without restricting the ability to trigger hash collisions predictably, which allows remote attackers to cause a denial of service (CPU consumption) by sending many crafted parameters, aka Oracle security ticket S0104869.)
 CVE-2011-3563 (Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 2 and earlier, 6 Update 30 and earlier, 5.0 Update 33 and earlier, and 1.4.2_35 and earlier allows remote attackers to affect confidentiality and availability via unknown vectors related to Sound.)
Оригинальный текстdocumentZDI, ZDI-12-142 : Oracle Java WebStart Browser Argument Injection Remote Code Execution Vulnerability (20.08.2012)
 documentSecurity Explorations, [SE-2012-01] Regarding Oracle's Critical Patch Update for Java SE (17.06.2012)
 documentZDI, ZDI-12-083 : Oracle Java OpenAL Library Pointer Manipulation Remote Code Execution Vulnerability (13.06.2012)
 documentZDI, ZDI-12-081 : Oracle Java GlueGen Arbitrary Native Library Loading Remote Code Execution Vulnerability (13.06.2012)
 documentnoreply_(at)_telus.com, TELUS Security Labs VR - Oracle Java Web Start Command Argument Injection Remote Code Execution (15.02.2012)
Файлы:Oracle Java SE Critical Patch Update Advisory - February 2012
 Oracle Java SE Critical Patch Update Advisory - June 2012

О сайте | Условия использования
© SecurityVulns, 3APA3A, Владимир Дубровин
Нижний Новгород