
Apache updates/advisories


3 replies to this topic

#1 AplusWebMaster


Posted 17 November 2015 - 12:48 PM

FYI...

Apache Commons Collections Java library insecurely deserializes data
- https://blogs.oracle...t_cve_2015_4852
Nov 10, 2015 - "This Security Alert addresses security issue CVE-2015-4852, a deserialization vulnerability involving Apache Commons and Oracle WebLogic Server. This is a remote code execution vulnerability and is remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password..."
- https://web.nvd.nist...d=CVE-2015-4852

- http://www.oracle.co...52-2763333.html
"... Due to the severity of this vulnerability, Oracle strongly recommends that customers apply the updates provided by this Security Alert as soon as possible..."
2015-Nov-12 - Rev 2. Versions Updated
> http://www.oracle.co...763334.html#FMW

> https://www.kb.cert.org/vuls/id/576313
Last revised: 15 Dec 2015

 

> https://commons.apac...collections.cgi
Last Published: 14 Nov 2015

- https://cxf.apache.o...advisories.html

- http://www.securityt....com/id/1034097
CVE Reference: https://web.nvd.nist...d=CVE-2015-4852
Updated: Nov 16 2015
Impact: A remote user can execute arbitrary code on the target system.
Solution: The vendor has issued a proposed fix, available at:
- http://svn.apache.or...evision=1713307
The vendor's advisory is available at:
- https://issues.apach...COLLECTIONS-580
___

>> https://cxf.apache.o...15-5253.txt.asc
"... Severity: Major
Migration:
CXF 2.7.x users should upgrade to 2.7.18 or later as soon as possible.
CXF 3.0.x users should upgrade to 3.0.7 or later as soon as possible.
CXF 3.1.x users should upgrade to 3.1.3 or later as soon as possible..."

> http://www.securityt....com/id/1034162
CVE Reference: https://web.nvd.nist...d=CVE-2015-5253
Nov 16 2015
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): prior to versions 2.7.18, 3.0.7, 3.1.3 ...
Solution: The vendor has issued a fix (2.7.18, 3.0.7, 3.1.3).
 



Edited by AplusWebMaster, 22 January 2016 - 01:52 PM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.



#2 AplusWebMaster


Posted 23 February 2016 - 12:54 PM

FYI...

Apache Tomcat - v6.x, 7.x, 8.x, 9.x / updates released
- https://en.wikipedia...i/Apache_Tomcat
"Apache Tomcat, often referred to as Tomcat, is an open-source web server developed by the Apache Software Foundation (ASF). Tomcat implements several Java EE specifications including Java Servlet, JavaServer Pages (JSP), Java EL, and WebSocket, and provides a "pure Java" HTTP web server environment for Java code to run in. Tomcat is developed and maintained by an open community of developers under the auspices of the Apache Software Foundation... and is open-source software...
> https://en.wikipedia...gh_availability
A high-availability feature has been added to facilitate the scheduling of system upgrades (e.g. new releases, change requests) without affecting the live environment. This is done by dispatching live traffic requests to a temporary server on a different port while the main server is upgraded on the main port. It is very useful in handling user requests on high-traffic web applications..."
- http://www.securityt....com/id/1035069
CVE Reference: CVE-2015-5346, CVE-2015-5351, CVE-2016-0706, CVE-2016-0714, CVE-2016-0763
Feb 22 2016
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 6.x, 7.x, 8.x, 9.x
Impact: A remote user can bypass security controls on the target system.
A remote user can obtain potentially sensitive information on the target system.
A remote user can hijack the target user's session.
Solution: The vendor has issued a fix (6.0.45, 7.0.68, 8.0.32, 9.0.0.M3)...

> https://tomcat.apache.org/
 





#3 AplusWebMaster


Posted 09 March 2017 - 03:42 PM

FYI...

Apache Struts - 2.3.32 / 2.5.10.1 released
- https://isc.sans.edu...l?storyid=22169
2017-03-09 - "On Monday, Apache released a patch for the Struts 2 framework [1]. The patch fixes an easy to exploit vulnerability in the multipart parser that is typically used for file uploads. A Metasploit module was released that same day, and some readers reported seeing exploit attempts in the wild.
You should be running Struts 2.3.32 or 2.5.10.1. All prior versions are vulnerable.
Struts 2 is a Java framework that is commonly used by Java-based web applications. It is also known as "Jakarta Struts" and "Apache Struts". The Apache project currently maintains Struts. The vulnerability allows an attacker to include code in the "Content-Type" header of an HTTP request. The code will then be executed by the web server..."

[1] https://cwiki.apache...splay/WW/S2-045
Mar 06, 2017
Maximum security rating: High
"... Upgrade to Struts 2.3.32: https://cwiki.apache...on Notes 2.3.32
or Struts 2.5.10.1: https://cwiki.apache... Notes 2.5.10.1..."

- https://www.us-cert....ecurity-Updates
Mar 08, 2017

- https://web.nvd.nist...d=CVE-2017-5638
Last revised: 03/15/2017 - "... as exploited in the wild in March 2017."

9.8 Critical

- http://www.securityt....com/id/1037973
CVE Reference: CVE-2017-5638
Mar 9 2017
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): 2.3.5 - 2.3.31, 2.5 - 2.5.10 ...
Impact: A remote user can execute arbitrary operating system commands on the target system.
Solution: The vendor has issued a fix (2.3.32, 2.5.10.1)...
___

- https://threatprotec...-vulnerability/
Mar 8, 2017

- https://arstechnica....1&post=32957185
Mar 9, 2017

- http://blog.trendmic...code-execution/
Mar 9, 2017
 



Edited by AplusWebMaster, 15 March 2017 - 09:34 AM.


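A defensive check for the Content-Type problem described in the post above, added here as an example (it is not code from the ISC post, the Struts project, or the poster): it reads constructed request-log lines and flags any request whose Content-Type is not a well-formed media type under the RFC 7230/7231 token grammar, since a legitimate upload never carries braces, parentheses or other expression syntax in that header. The log line format, client addresses and paths are constructed for the example.

```python
import re
from typing import List, Tuple

# Token and media-type grammar from RFC 7230/7231. Braces, parentheses and a
# bare '=' outside a parameter are not in this grammar, so a Content-Type
# carrying embedded code fails to parse and gets flagged.
_TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
_QUOTED = r'"(?:[^"\\]|\\.)*"'
_PARAM = rf"\s*;\s*{_TOKEN}=(?:{_TOKEN}|{_QUOTED})"
_MEDIA_TYPE = re.compile(rf"\s*{_TOKEN}/{_TOKEN}(?:{_PARAM})*\s*")

# Constructed log format (not any real server's):
#   <time> <client> <method> <path> "Content-Type: <value>"
_LOG_LINE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) "Content-Type: (.*)"$')


def content_type_is_wellformed(value: str) -> bool:
    """True when value is type/subtype followed only by token=value parameters."""
    return _MEDIA_TYPE.fullmatch(value) is not None


def flag_requests(log_lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (client, path, content_type) for each request whose Content-Type
    is not a well-formed media type; lines that do not parse are skipped."""
    flagged = []
    for line in log_lines:
        m = _LOG_LINE.match(line)
        if not m:
            continue
        _, client, _, path, ctype = m.groups()
        if not content_type_is_wellformed(ctype):
            flagged.append((client, path, ctype))
    return flagged


# Constructed sample: two legitimate requests, two with code-like junk in the header.
SAMPLE_LOG = [
    '2017-03-09T10:00:01Z 198.51.100.4 POST /upload "Content-Type: multipart/form-data; boundary=----FormBoundaryA1"',
    '2017-03-09T10:00:02Z 198.51.100.5 POST /api "Content-Type: application/json; charset="utf-8""',
    '2017-03-09T10:00:03Z 203.0.113.7 POST /upload "Content-Type: multipart/form-data; boundary={#placeholder-expression}"',
    '2017-03-09T10:00:04Z 203.0.113.8 POST /upload "Content-Type: text/plain; charset=utf-8; (not a parameter)"',
]

if __name__ == "__main__":
    for client, path, ctype in flag_requests(SAMPLE_LOG):
        print(f"ALERT {client} {path}: malformed Content-Type {ctype!r}")
```

The same grammar check can sit in front of the application (reverse proxy or servlet filter) to reject such requests outright rather than only alerting on them afterwards.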

#4 AplusWebMaster


Posted 12 April 2017 - 03:36 PM

FYI...

Apache releases Security Updates
- https://www.us-cert....ecurity-Updates
April 12, 2017 - "The Apache Foundation has released security updates to address vulnerabilities in Apache Tomcat. Exploitation of one of these vulnerabilities may cause a remote attacker to obtain sensitive information. Users and administrators are encouraged to review..."

CVE-2017-5648
> https://mail-archive...766@apache.org>
CVE-2017-5650
> https://mail-archive...faf@apache.org>
CVE-2017-5651
> https://mail-archive...6c6@apache.org>
 


