IBM Security Key Lifecycle Manager CVE-2016-6103 Cross Site Request Forgery Vulnerability
Jenkins CVE-2017-2610 HTML Injection Vulnerability
Jenkins CVE-2017-2600 Information Disclosure Vulnerability
Jenkins CVE-2017-2603 Information Disclosure Vulnerability
Jenkins CVE-2017-2602 Security Bypass Vulnerability


There's a zero-day exploit in the wild that targets a key file-sharing protocol (SMB) in all supported versions of Windows, including Windows 10, the latest and most secure version of the Microsoft operating system. The exploit is probably not worth worrying about, but you'd never know that from the statement Microsoft officials issued on Thursday when asked what kind of threat the exploit poses:

"Windows is the only platform with a customer commitment to investigate reported security issues and proactively update impacted devices as soon as possible," an unnamed spokesperson replied in an e-mail. "We recommend customers use Windows 10 and the Microsoft Edge browser for the best protection."

An employee at Microsoft's outside PR firm, WE Communications, wouldn't explain why the statement advised customers to use Windows 10 and Edge when the exploit works on all versions of Windows and doesn't require that targets use a browser. Ars reminded the employee that an advisory issued hours earlier by the CERT Coordination Center at Carnegie Mellon University warned that the vulnerability might leave users of all supported versions of Windows open to code-execution attacks.


Artifex MuJS 'regexp.c' Integer Overflow Vulnerability
Mini-XML Stack Exhaustion Multiple Denial of Service Vulnerabilities
Business LaLa Call App CVE-2017-2104 SSL Certificate Validation Security Bypass Vulnerability
SOGo CVE-2016-6188 Denial of Service Vulnerability
Barracuda NextGen Firewall F-Series Denial of Service Vulnerability
Mp3splt 'free_options()' Function Null Pointer Dereference Denial of Service Vulnerability
Multiple GStreamer Plug-ins Buffer Overflow and Denial Of Service Vulnerabilities
Apache Ranger CVE-2016-8746 Security Bypass Vulnerability
QEMU 'hw/scsi/megasas.c' Denial of Service Vulnerability
OpenBSD httpd CVE-2017-5850 Denial of Service Vulnerability
Akamai NetSession CVE-2016-10157 DLL Loading Remote Code Execution Vulnerability
Lenovo XClarity Administrator CVE-2016-8233 Information Disclosure Vulnerability
Ghostscript Remote Command Execution Vulnerability
FFmpeg CVE-2016-10191 Heap Buffer Overflow Vulnerability
Drupal Better Exposed Filters Module Cross Site Scripting Vulnerability
FFmpeg CVE-2016-10190 Heap Buffer Overflow Vulnerability
IBM Security Key Lifecycle Manager CVE-2016-6096 Cross Site Scripting Vulnerability
IBM Security Key Lifecycle Manager CVE-2016-6093 Security Bypass Vulnerability
IBM Security Key Lifecycle Manager CVE-2016-6094 Information Disclosure Vulnerability
WordPress Cryptographic Security Bypass Vulnerability

One of our readers, Dalibor Cerar, sent us an email about an issue worth flagging here. While it is a hardware defect rather than an attack, the result, if it occurs, is a denial of service with no attacker involved. Cisco released a notice on February 2 that some of its products contain a clock signal component, manufactured by a supplier, that can fail; the problem was discovered in late November 2016. According to Cisco:

Although the Cisco products with this component are currently performing normally, we expect product failures to increase over the years, beginning after the unit has been in operation for approximately 18 months. Once the component has failed, the system will stop functioning, will not boot, and is not recoverable.

Keep in mind, Cisco says the component is used by other companies, so I would expect to see this list grow to include other vendors.

Here is the current list of the known Cisco/Meraki products, with the field notice number for each:

Optical Networking:
FN-64230 : NCS1K-CNTLR

Routing:
FN-64231 : NCS5500 Line Cards
FN-64252 : IR809/IR829 Industrial Integrated Services Routers
FN-64253 : ISR4331, ISR4321, ISR4351 and UCS-E120

Security:
FN-64228 : ASA 5506, ASA 5506W, ASA 5506H, ASA 5508, and ASA 5516
FN-64250 : Cisco ISA3000 Industrial Security Appliance
Meraki Notification : MX 84

Switching:
FN-64251 : Nexus 9000 Series N9K-C9504-FM-E/N9K-C9508-FM-E/N9K-X9732C-EX
Meraki Notification : MS350 Series
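One operational check that list invites, added here as an example (this is not Cisco's or the ISC's code): pull the PID column out of `show inventory`, match it against the products named in the field notices, and compare the unit's in-service date with the 18-month onset Cisco quotes. The PID regexes are assumptions about how the named products appear in inventory output; the field notices themselves carry the authoritative PID lists. The inventory text below is constructed, not captured from a real device. Meraki MX84/MS350 units have no `show inventory` and are tracked from the Meraki dashboard instead, so they are left out.

```python
"""Flag Cisco hardware covered by the clock-signal field notices and report how
far each unit is from the ~18-month mark at which Cisco expects failures to begin.

Added example, not Cisco's or the ISC's code. PID patterns are assumed from the
product names in the field-notice list; the notices themselves are authoritative.
"""
import re
from datetime import date

# Field notice -> regex over the PID column of `show inventory` (assumed mapping).
FIELD_NOTICES = {
    "FN-64230": r"^NCS1K-CNTLR",
    "FN-64231": r"^NC55-",                          # NCS5500 line cards (assumed PID prefix)
    "FN-64252": r"^IR8[02]9",                       # IR809 / IR829
    "FN-64253": r"^(ISR43[235]1|UCS-E120)",         # ISR4321/4331/4351, UCS-E120
    "FN-64228": r"^ASA55(06|08|16)",                # ASA 5506(W/H), 5508, 5516
    "FN-64250": r"^ISA-?3000",                      # ISA3000
    "FN-64251": r"^N9K-(C950[48]-FM-E|X9732C-EX)",  # Nexus 9000 fabric modules / line card
}
FAILURE_ONSET_MONTHS = 18  # from the Cisco statement quoted in the diary
PID_RE = re.compile(r"PID:\s*(\S+)")


def parse_pids(show_inventory):
    """Return every PID in `show inventory` output (chassis, modules, PSUs, ...)."""
    return [m.group(1).rstrip(",") for m in PID_RE.finditer(show_inventory)]


def match_field_notices(pids):
    """Map each affected PID to the field notices whose pattern it matches."""
    hits = {}
    for pid in pids:
        notices = [fn for fn, pat in FIELD_NOTICES.items() if re.match(pat, pid)]
        if notices:
            hits[pid] = notices
    return hits


def months_in_service(in_service_iso, today_iso):
    """Whole months between an ISO-8601 in-service date and today.

    Use the asset record's install date, not `show version` uptime: a reboot
    resets uptime but not the age of the clock component, so uptime is only a
    lower bound on time in operation.
    """
    start, today = date.fromisoformat(in_service_iso), date.fromisoformat(today_iso)
    months = (today.year - start.year) * 12 + (today.month - start.month)
    if today.day < start.day:
        months -= 1
    return months


def assess(show_inventory, in_service_iso, today_iso):
    """One record per affected PID: field notices, age in months, onset flag."""
    age = months_in_service(in_service_iso, today_iso)
    return [
        {"pid": pid, "field_notices": fns, "months_in_service": age,
         "past_onset": age >= FAILURE_ONSET_MONTHS}
        for pid, fns in match_field_notices(parse_pids(show_inventory)).items()
    ]


# Constructed sample (not captured from a real device): an ISR4331 carrying a
# UCS-E120 blade, plus a power supply that must not be flagged.
SAMPLE_INVENTORY = """\
NAME: "Chassis", DESCR: "Cisco ISR4331 Chassis"
PID: ISR4331/K9        , VID: V02  , SN: FDO00000001

NAME: "Power Supply Module 0", DESCR: "250W AC Power Supply for Cisco ISR 4330"
PID: PWR-4330-AC       , VID: V01  , SN: DCA00000002

NAME: "module 1", DESCR: "Cisco UCS-E Series Server"
PID: UCS-E120S-M2/K9   , VID: V01  , SN: FOC00000003
"""

if __name__ == "__main__":
    for rec in assess(SAMPLE_INVENTORY, "2015-07-01", "2017-02-10"):
        state = "PAST 18-MONTH ONSET" if rec["past_onset"] else "watch"
        print(f'{rec["pid"]:18} {",".join(rec["field_notices"])}  '
              f'{rec["months_in_service"]:2d} months  {state}')
```

Feed it the saved `show inventory` from each device together with the in-service date from your asset records. Uptime from `show version` is deliberately not used: Cisco's 18 months count time in operation since first power-on, and a reboot resets uptime without resetting the component's age, so uptime can only understate the risk.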

(c) SANS Internet Storm Center. Creative Commons Attribution-Noncommercial 3.0 United States License.