IBM Security Key Lifecycle Manager CVE-2016-6103 Cross Site Request Forgery Vulnerability
 
Jenkins CVE-2017-2610 HTML Injection Vulnerability
 
Jenkins CVE-2017-2600 Information Disclosure Vulnerability
 
Jenkins CVE-2017-2603 Information Disclosure Vulnerability
 
Jenkins CVE-2017-2602 Security Bypass Vulnerability
 


There's a zero-day exploit in the wild that exploits a key file-sharing protocol in all supported versions of Windows. That includes Windows 10, the latest and most secure version of the Microsoft operating system. The exploit is probably not worth worrying about, but you'd never know that based on the statement Microsoft officials issued on Thursday when asked what kind of threat the exploit poses:

"Windows is the only platform with a customer commitment to investigate reported security issues and proactively update impacted devices as soon as possible," an unnamed spokesperson replied in an e-mail. "We recommend customers use Windows 10 and the Microsoft Edge browser for the best protection."

An employee at Microsoft's outside PR firm, WE Communications, wouldn't explain why the statement advised customers to use Windows 10 and Edge when the exploit works on all versions of Windows and doesn't require that targets use a browser. Ars reminded the employee that an advisory issued hours earlier by the CERT Coordination Center at Carnegie Mellon University warned that the vulnerability might leave users of all supported versions of Windows open to code-execution attacks.


 
Artifex MuJS 'regexp.c' Integer Overflow Vulnerability
 
Mini-XML Stack Exhaustion Multiple Denial of Service Vulnerabilities
 
Business LaLa Call App CVE-2017-2104 SSL Certificate Validation Security Bypass Vulnerability
 
SOGo CVE-2016-6188 Denial of Service Vulnerability
 
Barracuda NextGen Firewall F-Series Denial of Service Vulnerability
 
Mp3splt 'free_options()' Function Null Pointer Dereference Denial of Service Vulnerability
 
Multiple GStreamer Plug-ins Buffer Overflow and Denial Of Service Vulnerabilities
 
Apache Ranger CVE-2016-8746 Security Bypass Vulnerability
 
QEMU 'hw/scsi/megasas.c' Denial of Service Vulnerability
 
OpenBSD httpd CVE-2017-5850 Denial of Service Vulnerability
 
Akamai NetSession CVE-2016-10157 DLL Loading Remote Code Execution Vulnerability
 
Lenovo XClarity Administrator CVE-2016-8233 Information Disclosure Vulnerability
 
Ghostscript Remote Command Execution Vulnerability
 
FFmpeg CVE-2016-10191 Heap Buffer Overflow Vulnerability
 
Drupal Better Exposed Filters Module Cross Site Scripting Vulnerability
 
FFmpeg CVE-2016-10190 Heap Buffer Overflow Vulnerability
 
IBM Security Key Lifecycle Manager CVE-2016-6096 Cross Site Scripting Vulnerability
 
IBM Security Key Lifecycle Manager CVE-2016-6093 Security Bypass Vulnerability
 
IBM Security Key Lifecycle Manager CVE-2016-6094 Information Disclosure Vulnerability
 
WordPress Cryptographic Security Bypass Vulnerability
 

One of our readers, Dalibor Cerar, sent us an email about an issue impacting Cisco...at this point. While it's a hardware issue, the result if it occurs is a self-inflicted Denial of Service. Cisco released a notice on February 2 that some of its products had an issue with the Clock Signal component manufactured by a supplier. This was discovered late in November 2016. According to Cisco:

Although the Cisco products with this component are currently performing normally, we expect product failures to increase over the years, beginning after the unit has been in operation for approximately 18 months. Once the component has failed, the system will stop functioning, will not boot, and is not recoverable.

Keep in mind, Cisco says the component is used by other companies, so I would expect to see this list grow to other vendors.

Here is the current list of the known Cisco/Meraki products and the link to their Field Notice:

Optical Networking:
FN-64230 : NCS1K-CNTLR

Routing:
FN-64231 : NCS5500 Line Cards
FN-64252 : IR809/IR829 Industrial Integrated Services Routers
FN-64253 : ISR4331, ISR4321, ISR4351 and UCS-E120

Security:
FN-64228 : ASA 5506, ASA 5506W, ASA 5506H, ASA 5508, and ASA 5516
FN-64250 : Cisco ISA3000 Industrial Security Appliance
Meraki Notification : MX 84

Switches:
FN-64251 : Nexus 9000 Series N9K-C9504-FM-E/N9K-C9508-FM-E/N9K-X9732C-EX
Meraki Notification : MS350 Series

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.