SB17-002: Vulnerability Summary for the Week of December 26, 2016

Title: SB17-002: Vulnerability Summary for the Week of December 26, 2016

U.S. Department of Homeland Security US-CERT

National Cyber Awareness System:

01/02/2017 06:10 PM EST

Original release date: January 02, 2017

The US-CERT Cyber Security Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week. The NVD is sponsored by the Department of Homeland Security (DHS) National Cybersecurity and Communications Integration Center (NCCIC) / United States Computer Emergency Readiness Team (US-CERT). For modified or updated entries, please visit the NVD, which contains historical vulnerability information.

The vulnerabilities are based on the CVE vulnerability naming standard and are organized according to severity, determined by the Common Vulnerability Scoring System (CVSS) standard. The division of high, medium, and low severities correspond to the following scores:

High - Vulnerabilities will be labeled High severity if they have a CVSS base score of 7.0 - 10.0
Medium - Vulnerabilities will be labeled Medium severity if they have a CVSS base score of 4.0 - 6.9
Low - Vulnerabilities will be labeled Low severity if they have a CVSS base score of 0.0 - 3.9

Entries may include additional information provided by organizations and efforts sponsored by US-CERT. This information may include identifying information, values, definitions, and related links. Patch information is provided when available. Please note that some of the information in the bulletins is compiled from external, open source reports and is not a direct result of US-CERT analysis.

High Vulnerabilities

Primary Vendor -- Product	Description	Published	CVSS Score	Source & Patch Info
cisco -- cloudcenter_orchestrator	A vulnerability in the Docker Engine configuration of Cisco CloudCenter Orchestrator (CCO; formerly CliQr) could allow an unauthenticated, remote attacker to install Docker containers with high privileges on the affected system. Affected Products: This vulnerability affect all releases of Cisco CloudCenter Orchestrator (CCO) deployments where the Docker Engine TCP port 2375 is open on the system and bound to local address 0.0.0.0 (any interface).	2016年12月26日	10.0	CVE-2016-9223 BID CONFIRM
debian -- debian_linux	Through a malicious URL that contained a quote character it was possible to inject HTML code in KMail's plaintext viewer. Due to the parser used on the URL it was not possible to include the equal sign (=) or a space into the injected HTML, which greatly reduces the available HTML functionality. Although it is possible to include an HTML comment indicator to hide content.	2016年12月23日	7.5	CVE-2016-7966 SUSE DEBIAN MLIST BID FEDORA
hp -- thinpro	HP ThinPro 4.4 through 6.1 mishandles the keyboard layout control panel and virtual keyboard application, which allows local users to bypass intended access restrictions and gain privileges via unspecified vectors.	2016年12月29日	7.2	CVE-2016-2246 HP BID
kde -- kmail	KMail since version 5.3.0 used a QWebEngine based viewer that had _javascript_ enabled. HTML Mail contents were not sanitized for _javascript_ and included code was executed.	2016年12月23日	7.5	CVE-2016-7968 MLIST BID MISC
linux -- linux_kernel	The sock_setsockopt function in net/core/sock.c in the Linux kernel before 3.5 mishandles negative values of sk_sndbuf and sk_rcvbuf, which allows local users to cause a denial of service (memory corruption and system crash) or possibly have unspecified other impact by leveraging the CAP_NET_ADMIN capability for a crafted setsockopt system call with the (1) SO_SNDBUF or (2) SO_RCVBUF option.	2016年12月28日	7.2	CVE-2012-6704 CONFIRM MLIST BID CONFIRM CONFIRM
linux -- linux_kernel	The blk_rq_map_user_iov function in block/blk-map.c in the Linux kernel before 4.8.14 does not properly restrict the type of iterator, which allows local users to read or write to arbitrary kernel memory locations or cause a denial of service (use-after-free) by leveraging access to a /dev/sg device.	2016年12月28日	7.2	CVE-2016-9576 CONFIRM CONFIRM MLIST BID CONFIRM CONFIRM
linux -- linux_kernel	The sock_setsockopt function in net/core/sock.c in the Linux kernel before 4.8.14 mishandles negative values of sk_sndbuf and sk_rcvbuf, which allows local users to cause a denial of service (memory corruption and system crash) or possibly have unspecified other impact by leveraging the CAP_NET_ADMIN capability for a crafted setsockopt system call with the (1) SO_SNDBUFFORCE or (2) SO_RCVBUFFORCE option.	2016年12月28日	7.2	CVE-2016-9793 CONFIRM CONFIRM MLIST BID CONFIRM CONFIRM
linux -- linux_kernel	Race condition in the netlink_dump function in net/netlink/af_netlink.c in the Linux kernel before 4.6.3 allows local users to cause a denial of service (double free) or possibly have unspecified other impact via a crafted application that makes sendmsg system calls, leading to a free operation associated with a new dump that started earlier than anticipated.	2016年12月28日	7.2	CVE-2016-9806 CONFIRM MLIST CONFIRM MLIST BID CONFIRM CONFIRM
modx -- modx_revolution	Directory traversal in /connectors/index.php in MODX Revolution before 2.5.2-pl allows remote attackers to perform local file inclusion/traversal/manipulation via a crafted id (aka dir) parameter, related to browser/directory/getlist.	2016年12月24日	7.5	CVE-2016-10037 BID CONFIRM CONFIRM
modx -- modx_revolution	Directory traversal in /connectors/index.php in MODX Revolution before 2.5.2-pl allows remote attackers to perform local file inclusion/traversal/manipulation via a crafted dir parameter, related to browser/directory/remove.	2016年12月24日	7.5	CVE-2016-10038 BID CONFIRM CONFIRM
modx -- modx_revolution	Directory traversal in /connectors/index.php in MODX Revolution before 2.5.2-pl allows remote attackers to perform local file inclusion/traversal/manipulation via a crafted dir parameter, related to browser/directory/getfiles.	2016年12月24日	7.5	CVE-2016-10039 BID CONFIRM CONFIRM
pivotal_software -- rabbitmq	An issue was discovered in Pivotal RabbitMQ 3.x before 3.5.8 and 3.6.x before 3.6.6 and RabbitMQ for PCF 1.5.x before 1.5.20, 1.6.x before 1.6.12, and 1.7.x before 1.7.7. MQTT (MQ Telemetry Transport) connection authentication with a username/password pair succeeds if an existing username is provided but the password is omitted from the connection request. Connections that use TLS with a client-provided certificate are not affected.	2016年12月29日	7.5	CVE-2016-9877 BID CONFIRM
s9y -- serendipity	include/functions_installer.inc.php in Serendipity through 2.0.5 is vulnerable to File Inclusion and a possible Code Execution attack during a first-time installation because it fails to sanitize the dbType POST parameter before adding it to an include() call in the bundled-libs/serendipity_generateFTPChecksums.php file.	2016年12月30日	7.5	CVE-2016-10082 CONFIRM CONFIRM
shutter-project -- shutter	/usr/bin/shutter in Shutter through 0.93.1 allows user-assisted remote attackers to execute arbitrary commands via a crafted image name that is mishandled during a "Run a plugin" action.	2016年12月29日	9.3	CVE-2016-10081 CONFIRM
tarantool -- tarantool	An exploitable out-of-bounds array access vulnerability exists in the xrow_header_decode function of Tarantool 1.7.2.0-g8e92715. A specially crafted packet can cause the function to access an element outside the bounds of a global array that is used to determine the type of the specified key's value. This can lead to an out of bounds read within the context of the server. An attacker who exploits this vulnerability can cause a denial of service vulnerability on the server.	2016年12月23日	7.8	CVE-2016-9037 BID MISC
vmware -- workstation_pro	Untrusted search path vulnerability in the installer in VMware Workstation Pro 12.x before 12.5.0 and VMware Workstation Player 12.x before 12.5.0 on Windows allows local users to gain privileges via a Trojan horse DLL in an unspecified directory.	2016年12月29日	7.2	CVE-2016-7085 BID CONFIRM
vmware -- workstation_pro	The installer in VMware Workstation Pro 12.x before 12.5.0 and VMware Workstation Player 12.x before 12.5.0 on Windows allows local users to gain privileges via a Trojan horse setup64.exe file in the installation directory.	2016年12月29日	7.2	CVE-2016-7086 BID CONFIRM
vmware -- vsphere_data_protection	VMware vSphere Data Protection (VDP) 5.5.x though 6.1.x has an SSH private key with a publicly known password, which makes it easier for remote attackers to obtain login access via an SSH session.	2016年12月29日	10.0	CVE-2016-7456 BID SECTRACK CONFIRM
vmware -- vrealize_operations	VMware vRealize Operations (aka vROps) 6.x before 6.4.0 allows remote authenticated users to gain privileges, or halt and remove virtual machines, via unspecified vectors.	2016年12月29日	8.0	CVE-2016-7457 BID CONFIRM
vmware -- fusion_pro	The drag-and-drop (aka DnD) function in VMware Workstation Pro 12.x before 12.5.2 and VMware Workstation Player 12.x before 12.5.2 and VMware Fusion and Fusion Pro 8.x before 8.5.2 allows guest OS users to execute arbitrary code on the host OS or cause a denial of service (out-of-bounds memory access on the host OS) via unspecified vectors.	2016年12月29日	7.2	CVE-2016-7461 BID CONFIRM
vmware -- vrealize_operations	The Suite REST API in VMware vRealize Operations (aka vROps) 6.x before 6.4.0 allows remote authenticated users to write arbitrary content to files or rename files via a crafted DiskFileItem in a relay-request payload that is mishandled during deserialization.	2016年12月29日	7.5	CVE-2016-7462 BID CONFIRM MISC

Medium Vulnerabilities

Primary Vendor -- Product	Description	Published	CVSS Score	Source & Patch Info
antisamy_project -- antisamy	In OWASP AntiSamy before 1.5.5, by submitting a specially crafted input (a tag that supports style with active content), you could bypass the library protections and supply executable code. The impact is XSS.	2016年12月24日	4.3	CVE-2016-10006 BID CONFIRM
cisco -- intercloud_fabric	A vulnerability in Cisco Intercloud Fabric for Business and Cisco Intercloud Fabric for Providers could allow an unauthenticated, remote attacker to connect to the database used by these products. More Information: CSCus99394. Known Affected Releases: 7.3(0)ZN(0.99).	2016年12月26日	6.5	CVE-2016-9217 BID CONFIRM
cisco -- jabber_guest	A vulnerability in the Cisco Jabber Guest Server could allow an unauthenticated, remote attacker to initiate connections to arbitrary hosts. More Information: CSCvc31635. Known Affected Releases: 10.6(9). Known Fixed Releases: 11.0(0).	2016年12月26日	6.4	CVE-2016-9224 BID SECTRACK CONFIRM
google -- android	The non-existent notification listener vulnerability was introduced in the initial Android 5.0.2 builds for the Samsung Galaxy S6 Edge devices, but the vulnerability can persist on the device even after the device has been upgraded to an Android 5.1.1 or 6.0.1 build. The vulnerable system app gives a non-existent app the ability to read the notifications from the device, which a third-party app can utilize if it uses a package name of com.samsung.android.app.portalservicewidget. This vulnerability allows an unprivileged third-party app to obtain the text of the user's notifications, which tend to contain personal data.	2016年12月23日	4.3	CVE-2016-6910 MISC BID
imagemagick -- imagemagick	An exploitable out of bounds write exists in the handling of compressed TIFF images in ImageMagicks's convert utility. A crafted TIFF document can lead to an out of bounds write which in particular circumstances could be leveraged into remote code execution. The vulnerability can be triggered through any user controlled TIFF that is handled by this functionality.	2016年12月23日	6.8	CVE-2016-8707 BID MISC
kde -- kde-cli-tools	A maliciously crafted command line for kdesu can result in the user only seeing part of the commands that will actually get executed as super user.	2016年12月23日	4.0	CVE-2016-7787 SUSE SUSE MLIST BID
kde -- kmail	KMail since version 5.3.0 used a QWebEngine based viewer that had _javascript_ enabled. Since the generated html is executed in the local file security context by default access to remote and local URLs was enabled.	2016年12月23日	5.8	CVE-2016-7967 MLIST BID MISC
linux -- linux_kernel	fs/namespace.c in the Linux kernel before 4.9 does not restrict how many mounts may exist in a mount namespace, which allows local users to cause a denial of service (memory consumption and deadlock) via MS_BIND mount system calls, as demonstrated by a loop that triggers exponential growth in the number of mounts.	2016年12月28日	4.7	CVE-2016-6213 CONFIRM MLIST BID CONFIRM CONFIRM
linux -- linux_kernel	kernel/events/core.c in the performance subsystem in the Linux kernel before 4.0 mismanages locks during certain migrations, which allows local users to gain privileges via a crafted application, aka Android internal bug 30955111.	2016年12月28日	6.9	CVE-2016-6786 CONFIRM CONFIRM BID CONFIRM CONFIRM
linux -- linux_kernel	kernel/events/core.c in the performance subsystem in the Linux kernel before 4.0 mismanages locks during certain migrations, which allows local users to gain privileges via a crafted application, aka Android internal bug 31095224.	2016年12月28日	6.9	CVE-2016-6787 CONFIRM CONFIRM BID CONFIRM CONFIRM
linux -- linux_kernel	Multiple memory leaks in error paths in fs/xfs/xfs_attr_list.c in the Linux kernel before 4.5.1 allow local users to cause a denial of service (memory consumption) via crafted XFS filesystem operations.	2016年12月28日	4.9	CVE-2016-9685 CONFIRM CONFIRM MLIST BID CONFIRM CONFIRM
linux -- linux_kernel	The netfilter subsystem in the Linux kernel before 4.9 mishandles IPv6 reassembly, which allows local users to cause a denial of service (integer overflow, out-of-bounds write, and GPF) or possibly have unspecified other impact via a crafted application that makes socket, connect, and writev system calls, related to net/ipv6/netfilter/nf_conntrack_reasm.c and net/ipv6/netfilter/nf_defrag_ipv6_hooks.c.	2016年12月28日	4.6	CVE-2016-9755 CONFIRM MLIST BID CONFIRM CONFIRM CONFIRM MLIST
linux -- linux_kernel	KVM in the Linux kernel before 4.8.12, when I/O APIC is enabled, does not properly restrict the VCPU index, which allows guest OS users to gain host OS privileges or cause a denial of service (out-of-bounds array access and host OS crash) via a crafted interrupt request, related to arch/x86/kvm/ioapic.c and arch/x86/kvm/ioapic.h.	2016年12月28日	6.9	CVE-2016-9777 CONFIRM CONFIRM MLIST BID CONFIRM CONFIRM
linux -- linux_kernel	Race condition in the snd_pcm_period_elapsed function in sound/core/pcm_lib.c in the ALSA subsystem in the Linux kernel before 4.7 allows local users to cause a denial of service (use-after-free) or possibly have unspecified other impact via a crafted SNDRV_PCM_TRIGGER_START command.	2016年12月28日	4.6	CVE-2016-9794 CONFIRM MLIST BID CONFIRM CONFIRM CONFIRM
novell -- leap	Turning all screens off in Plasma-workspace and kscreenlocker while the lock screen is shown can result in the screen being unlocked when turning a screen on again.	2016年12月23日	4.6	CVE-2016-2312 FEDORA FEDORA MISC MISC CONFIRM
pivotal_software -- spring_framework	An issue was discovered in Pivotal Spring Framework before 3.2.18, 4.2.x before 4.2.9, and 4.3.x before 4.3.5. Paths provided to the ResourceServlet were not properly sanitized and as a result exposed to directory traversal attacks.	2016年12月29日	5.0	CVE-2016-9878 BID CONFIRM
piwigo -- piwigo	Cross-site scripting (XSS) vulnerability in admin/plugin.php in Piwigo through 2.8.3 allows remote attackers to inject arbitrary web script or HTML via a crafted filename that is mishandled in a certain error case.	2016年12月30日	4.3	CVE-2016-10083 CONFIRM CONFIRM
piwigo -- piwigo	admin/batch_manager.php in Piwigo through 2.8.3 allows remote authenticated administrators to conduct File Inclusion attacks via the $page['tab'] variable (aka the mode parameter).	2016年12月30日	6.5	CVE-2016-10084 CONFIRM CONFIRM
piwigo -- piwigo	admin/languages.php in Piwigo through 2.8.3 allows remote authenticated administrators to conduct File Inclusion attacks via the tab parameter.	2016年12月30日	6.5	CVE-2016-10085 CONFIRM CONFIRM
qemu -- qemu	QEMU (aka Quick Emulator) built with the Virtio GPU Device emulator support is vulnerable to a memory leakage issue. It could occur while updating the cursor data in update_cursor_data_virgl. A guest user/process could use this flaw to leak host memory bytes, resulting in DoS for a host.	2016年12月29日	4.9	CVE-2016-9846 MLIST MLIST BID MLIST
qemu -- qemu	Memory leak in the v9fs_device_unrealize_common function in hw/9pfs/9p.c in QEMU (aka Quick Emulator) allows local privileged guest OS users to cause a denial of service (host memory consumption and possibly QEMU process crash) via vectors involving the order of resource cleanup.	2016年12月29日	4.9	CVE-2016-9913 CONFIRM MLIST MLIST BID MLIST
qemu -- qemu	Memory leak in hw/9pfs/9p.c in QEMU (aka Quick Emulator) allows local privileged guest OS users to cause a denial of service (host memory consumption and possibly QEMU process crash) by leveraging a missing cleanup operation in FileOperations.	2016年12月29日	4.9	CVE-2016-9914 CONFIRM MLIST MLIST BID MLIST
qemu -- qemu	Memory leak in hw/9pfs/9p-handle.c in QEMU (aka Quick Emulator) allows local privileged guest OS users to cause a denial of service (host memory consumption and possibly QEMU process crash) by leveraging a missing cleanup operation in the handle backend.	2016年12月29日	4.9	CVE-2016-9915 CONFIRM MLIST MLIST BID MLIST
qemu -- qemu	Memory leak in hw/9pfs/9p-proxy.c in QEMU (aka Quick Emulator) allows local privileged guest OS users to cause a denial of service (host memory consumption and possibly QEMU process crash) by leveraging a missing cleanup operation in the proxy backend.	2016年12月29日	4.9	CVE-2016-9916 CONFIRM MLIST MLIST BID MLIST
siemens -- desigo_web_module_pxa40-w0_firmware	Siemens Desigo PX Web modules PXA40-W0, PXA40-W1, PXA40-W2 for Desigo PX automation controllers PXC00-E.D, PXC50-E.D, PXC100-E.D, PXC200-E.D (All firmware versions < V6.00.046) and Desigo PX Web modules PXA30-W0, PXA30-W1, PXA30-W2 for Desigo PX automation controllers PXC00-U, PXC64-U, PXC128-U (All firmware versions < V6.00.046) use a pseudo random number generator with insufficient entropy to generate certificates for HTTPS, potentially allowing remote attackers to reconstruct the corresponding private key.	2016年12月23日	5.0	CVE-2016-9154 BID CONFIRM MISC
sprecher-automation -- sprecon-e_service_program	An issue was discovered in Sprecher Automation SPRECON-E Service Program before 3.43 SP0. Under certain preconditions, it is possible to execute telegram simulation as a non-admin user. As prerequisites, a user must have created an online-connection, validly authenticated and authorized as administrator, and executed telegram simulation. After that, the online-connection must have been closed. Incorrect caching of client data then may lead to privilege escalation, where a subsequently acting non-admin user is permitted to do telegram simulation. In order to exploit this vulnerability, a potential attacker would need to have both a valid engineering-account in the SPRECON RBAC system as well as access to a service/maintenance computer with SPRECON-E Service Program running. Additionally, a valid admin-user must have closed the service connection beforehand without closing the program, having executed telegram simulation; the attacker then has access to the running software instance. Hence, there is no risk from external attackers.	2016年12月25日	4.6	CVE-2016-10041 CONFIRM
tarantool -- msgpuck	An exploitable incorrect return value vulnerability exists in the mp_check function of Tarantool's Msgpuck library 1.0.3. A specially crafted packet can cause the mp_check function to incorrectly return success when trying to check if decoding a map16 packet will read outside the bounds of a buffer, resulting in a denial of service vulnerability.	2016年12月23日	5.0	CVE-2016-9036 BID MISC
tiki -- tikiwiki_cms/groupware	Some forms with the parameter geo_zoomlevel_to_found_location in Tiki Wiki CMS 12.x before 12.10 LTS, 15.x before 15.3 LTS, and 16.x before 16.1 don't have the input sanitized, related to tiki-setup.php and article_image.php. The impact is XSS.	2016年12月23日	4.3	CVE-2016-9889 BID CONFIRM
vmware -- identity_manger	VMware Identity Manager 2.x before 2.7.1 and vRealize Automation 7.x before 7.2.0 allow remote attackers to read /SAAS/WEB-INF and /SAAS/META-INF files via unspecified vectors.	2016年12月29日	5.0	CVE-2016-5334 BID CONFIRM
vmware -- tools	The graphic acceleration functions in VMware Tools 9.x and 10.x before 10.0.9 on OS X allow local users to gain privileges or cause a denial of service (NULL pointer dereference) via unspecified vectors, a different vulnerability than CVE-2016-7080.	2016年12月29日	4.6	CVE-2016-7079 BID CONFIRM
vmware -- tools	The graphic acceleration functions in VMware Tools 9.x and 10.x before 10.0.9 on OS X allow local users to gain privileges or cause a denial of service (NULL pointer dereference) via unspecified vectors, a different vulnerability than CVE-2016-7079.	2016年12月29日	4.6	CVE-2016-7080 BID CONFIRM
vmware -- workstation_pro	Multiple heap-based buffer overflows in VMware Workstation Pro 12.x before 12.5.0 and VMware Workstation Player 12.x before 12.5.0 on Windows, when Cortado ThinPrint virtual printing is enabled, allow guest OS users to execute arbitrary code on the host OS via unspecified vectors.	2016年12月29日	6.9	CVE-2016-7081 BID CONFIRM
vmware -- workstation_pro	VMware Workstation Pro 12.x before 12.5.0 and VMware Workstation Player 12.x before 12.5.0 on Windows, when Cortado ThinPrint virtual printing is enabled, allow guest OS users to execute arbitrary code on the host OS or cause a denial of service (host OS memory corruption) via an EMF file.	2016年12月29日	5.9	CVE-2016-7082 BID CONFIRM
vmware -- workstation_pro	VMware Workstation Pro 12.x before 12.5.0 and VMware Workstation Player 12.x before 12.5.0 on Windows, when Cortado ThinPrint virtual printing is enabled, allow guest OS users to execute arbitrary code on the host OS or cause a denial of service (host OS memory corruption) via TrueType fonts embedded in EMFSPOOL.	2016年12月29日	5.9	CVE-2016-7083 BID CONFIRM
vmware -- workstation_pro	tpview.dll in VMware Workstation Pro 12.x before 12.5.0 and VMware Workstation Player 12.x before 12.5.0 on Windows, when Cortado ThinPrint virtual printing is enabled, allows guest OS users to execute arbitrary code on the host OS or cause a denial of service (host OS memory corruption) via a JPEG 2000 image.	2016年12月29日	6.9	CVE-2016-7084 BID CONFIRM
vmware -- horizon_view	Directory traversal vulnerability in the Connection Server in VMware Horizon View 5.x before 5.3.7, 6.x before 6.2.3, and 7.x before 7.0.1 allows remote attackers to obtain sensitive information via unspecified vectors.	2016年12月29日	5.0	CVE-2016-7087 BID CONFIRM
vmware -- vsphere_client	VMware vSphere Client 5.5 before U3e and 6.0 before U2a allows remote vCenter Server and ESXi instances to read arbitrary files via an XML document containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.	2016年12月29日	5.0	CVE-2016-7458 BID CONFIRM
vmware -- vcenter_server	VMware vCenter Server 5.5 before U3e and 6.0 before U2a allows remote authenticated users to read arbitrary files via a (1) Log Browser, (2) Distributed Switch setup, or (3) Content Library XML document containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.	2016年12月29日	4.0	CVE-2016-7459 BID CONFIRM
vmware -- vrealize_automation	The Single Sign-On feature in VMware vCenter Server 5.5 before U3e and 6.0 before U2a and vRealize Automation 6.x before 6.2.5 allows remote attackers to read arbitrary files or cause a denial of service via an XML document containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.	2016年12月29日	6.4	CVE-2016-7460 BID CONFIRM

Low Vulnerabilities

Primary Vendor -- Product	Description	Published	CVSS Score	Source & Patch Info
dotclear -- dotclear	Cross-site scripting (XSS) vulnerability in admin/media.php and admin/media_item.php in Dotclear before 2.11 allows remote authenticated users to inject arbitrary web script or HTML via the upfiletitle or media_title parameter (aka the media title).	2016年12月29日	3.5	CVE-2016-9891 BID CONFIRM CONFIRM CONFIRM CONFIRM MISC
linux -- linux_kernel	arch/x86/kvm/vmx.c in the Linux kernel through 4.9 mismanages the #BP and #OF exceptions, which allows guest OS users to cause a denial of service (guest OS crash) by declining to handle an exception thrown by an L2 guest.	2016年12月28日	2.1	CVE-2016-9588 CONFIRM MLIST BID CONFIRM CONFIRM
linux -- linux_kernel	arch/x86/kvm/emulate.c in the Linux kernel before 4.8.12 does not properly initialize Code Segment (CS) in certain error cases, which allows local users to obtain sensitive information from kernel stack memory via a crafted application.	2016年12月28日	2.1	CVE-2016-9756 CONFIRM CONFIRM MLIST BID CONFIRM CONFIRM
pivotal_software -- cloud_foundry	Cloud Foundry before 248; UAA 2.x before 2.7.4.12, 3.x before 3.6.5, and 3.7.x through 3.9.x before 3.9.3; and UAA bosh release (aka uaa-release) before 13.9 for UAA 3.6.5 and before 24 for UAA 3.9.3 allow attackers to gain privileges by accessing UAA logs and subsequently running a specially crafted application that interacts with a configured SAML provider.	2016年12月23日	2.6	CVE-2016-6659 BID CONFIRM
qemu -- qemu	QEMU (aka Quick Emulator) built with the Rocker switch emulation support is vulnerable to an off-by-one error. It happens while processing transmit (tx) descriptors in 'tx_consume' routine, if a descriptor was to have more than allowed (ROCKER_TX_FRAGS_MAX=16) fragments. A privileged user inside guest could use this flaw to cause memory leakage on the host or crash the QEMU process instance resulting in DoS issue.	2016年12月29日	2.1	CVE-2015-8701 MLIST MLIST BID CONFIRM MLIST
qemu -- qemu	QEMU (aka Quick Emulator) built with the NE2000 device emulation support is vulnerable to an OOB r/w access issue. It could occur while performing 'ioport' r/w operations. A privileged (CAP_SYS_RAWIO) user/process could use this flaw to leak or corrupt QEMU memory bytes.	2016年12月29日	3.6	CVE-2015-8743 MLIST MLIST BID CONFIRM MLIST
qemu -- qemu	QEMU (aka Quick Emulator) built with a VMWARE VMXNET3 paravirtual NIC emulator support is vulnerable to crash issue. It occurs when a guest sends a Layer-2 packet smaller than 22 bytes. A privileged (CAP_SYS_RAWIO) guest user could use this flaw to crash the QEMU process instance resulting in DoS.	2016年12月29日	2.1	CVE-2015-8744 CONFIRM MLIST MLIST BID CONFIRM
qemu -- qemu	QEMU (aka Quick Emulator) built with a VMWARE VMXNET3 paravirtual NIC emulator support is vulnerable to crash issue. It could occur while reading Interrupt Mask Registers (IMR). A privileged (CAP_SYS_RAWIO) guest user could use this flaw to crash the QEMU process instance resulting in DoS.	2016年12月29日	2.1	CVE-2015-8745 CONFIRM MLIST MLIST BID SECTRACK CONFIRM
qemu -- qemu	The cpu_physical_memory_write_rom_internal function in exec.c in QEMU (aka Quick Emulator) does not properly skip MMIO regions, which allows local privileged guest users to cause a denial of service (guest crash) via unspecified vectors.	2016年12月29日	2.1	CVE-2015-8818 CONFIRM MLIST MLIST CONFIRM
qemu -- qemu	QEMU (aka Quick Emulator) built with the TPR optimization for 32-bit Windows guests support is vulnerable to a null pointer dereference flaw. It occurs while doing I/O port write operations via hmp interface. In that, 'current_cpu' remains null, which leads to the null pointer dereference. A user or process could use this flaw to crash the QEMU instance, resulting in DoS issue.	2016年12月29日	2.1	CVE-2016-1922 MLIST MLIST BID CONFIRM MLIST
qemu -- qemu	QEMU (aka Quick Emulator) built with the e1000 NIC emulation support is vulnerable to an infinite loop issue. It could occur while processing data via transmit or receive descriptors, provided the initial receive/transmit descriptor head (TDH/RDH) is set outside the allocated descriptor buffer. A privileged user inside guest could use this flaw to crash the QEMU instance resulting in DoS.	2016年12月29日	2.1	CVE-2016-1981 MLIST MLIST BID CONFIRM MLIST
qemu -- qemu	QEMU (aka Quick Emulator) built with an IDE AHCI emulation support is vulnerable to a null pointer dereference flaw. It occurs while unmapping the Frame Information Structure (FIS) and Command List Block (CLB) entries. A privileged user inside guest could use this flaw to crash the QEMU process instance resulting in DoS.	2016年12月29日	2.1	CVE-2016-2197 MLIST MLIST BID CONFIRM MLIST
qemu -- qemu	QEMU (aka Quick Emulator) built with the USB EHCI emulation support is vulnerable to a null pointer dereference flaw. It could occur when an application attempts to write to EHCI capabilities registers. A privileged user inside quest could use this flaw to crash the QEMU process instance resulting in DoS.	2016年12月29日	2.1	CVE-2016-2198 MLIST MLIST CONFIRM MLIST
qemu -- qemu	QEMU (aka Quick Emulator) built with the ColdFire Fast Ethernet Controller emulator support is vulnerable to an infinite loop issue. It could occur while receiving packets in 'mcf_fec_receive'. A privileged user/process inside guest could use this issue to crash the QEMU process on the host leading to DoS.	2016年12月29日	2.1	CVE-2016-9776 MLIST MLIST BID CONFIRM MLIST
qemu -- qemu	QEMU (aka Quick Emulator) built with the Virtio GPU Device emulator support is vulnerable to an information leakage issue. It could occur while processing 'VIRTIO_GPU_CMD_GET_CAPSET_INFO' command. A guest user/process could use this flaw to leak contents of the host memory bytes.	2016年12月29日	2.1	CVE-2016-9845 MLIST MLIST BID MLIST
qemu -- qemu	Quick Emulator (Qemu) built with the USB redirector usb-guest support is vulnerable to a memory leakage flaw. It could occur while destroying the USB redirector in 'usbredir_handle_destroy'. A guest user/process could use this issue to leak host memory, resulting in DoS for a host.	2016年12月23日	2.1	CVE-2016-9907 MLIST BID
qemu -- qemu	Quick Emulator (Qemu) built with the Virtio GPU Device emulator support is vulnerable to an information leakage issue. It could occur while processing 'VIRTIO_GPU_CMD_GET_CAPSET' command. A guest user/process could use this flaw to leak contents of the host memory bytes.	2016年12月23日	2.1	CVE-2016-9908 MLIST BID
qemu -- qemu	Quick Emulator (Qemu) built with the USB EHCI Emulation support is vulnerable to a memory leakage issue. It could occur while processing packet data in 'ehci_init_transfer'. A guest user/process could use this issue to leak host memory, resulting in DoS for a host.	2016年12月23日	2.1	CVE-2016-9911 MLIST BID
qemu -- qemu	Quick Emulator (Qemu) built with the Virtio GPU Device emulator support is vulnerable to a memory leakage issue. It could occur while destroying gpu resource object in 'virtio_gpu_resource_destroy'. A guest user/process could use this flaw to leak host memory bytes, resulting in DoS for a host.	2016年12月23日	2.1	CVE-2016-9912 MLIST BID
qemu -- qemu	Quick emulator (Qemu) built with the Cirrus CLGD 54xx VGA Emulator support is vulnerable to a divide by zero issue. It could occur while copying VGA data when cirrus graphics mode was set to be VGA. A privileged user inside guest could use this flaw to crash the Qemu process instance on the host, resulting in DoS.	2016年12月23日	2.1	CVE-2016-9921 MLIST BID
qemu -- qemu	Quick Emulator (Qemu) built with the 'chardev' backend support is vulnerable to a use after free issue. It could occur while hotplug and unplugging the device in the guest. A guest user/process could use this flaw to crash a Qemu process on the host resulting in DoS.	2016年12月23日	2.1	CVE-2016-9923 MLIST BID
s9y -- serendipity	Multiple cross-site scripting (XSS) vulnerabilities in Serendipity before 2.0.5 allow remote authenticated users to inject arbitrary web script or HTML via a category or directory name.	2016年12月25日	3.5	CVE-2016-9681 BID MISC MISC
vmware -- tools	VMware Tools 9.x and 10.x before 10.1.0 on OS X, when System Integrity Protection (SIP) is enabled, allows local users to determine kernel memory addresses and bypass the kASLR protection mechanism via unspecified vectors.	2016年12月29日	2.1	CVE-2016-5328 BID CONFIRM
vmware -- fusion	VMware Fusion 8.x before 8.5 on OS X, when System Integrity Protection (SIP) is enabled, allows local users to determine kernel memory addresses and bypass the kASLR protection mechanism via unspecified vectors.	2016年12月29日	2.1	CVE-2016-5329 BID CONFIRM
vmware -- esxi	Cross-site scripting (XSS) vulnerability in the Host Client in VMware vSphere Hypervisor (aka ESXi) 5.5 and 6.0 allows remote authenticated users to inject arbitrary web script or HTML via a crafted VM.	2016年12月29日	3.5	CVE-2016-7463 BID SECTRACK CONFIRM

Severity Not Yet Assigned

Primary Vendor -- Product	Description	Published	CVSS Score	Source & Patch Info
libvncserver -- libvncclient	Heap-based buffer overflow in rfbproto.c in LibVNCClient in LibVNCServer before 0.9.11 allows remote servers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted FramebufferUpdate message containing a subrectangle outside of the client drawing area.	2016年12月31日	not yet calculated	CVE-2016-9941 CONFIRM CONFIRM
libvncserver -- libvncclient	Heap-based buffer overflow in ultra.c in LibVNCClient in LibVNCServer before 0.9.11 allows remote servers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted FramebufferUpdate message with the Ultra type tile, such that the LZO payload decompressed length exceeds what is specified by the tile dimensions.	2016年12月31日	not yet calculated	CVE-2016-9942 CONFIRM CONFIRM
linux -- linux_kernel	The sg implementation in the Linux kernel through 4.9 does not properly restrict write operations in situations where the KERNEL_DS option is set, which allows local users to read or write to arbitrary kernel memory locations or cause a denial of service (use-after-free) by leveraging access to a /dev/sg device, related to block/bsg.c and drivers/scsi/sg.c. NOTE: this vulnerability exists because of an incomplete fix for CVE-2016-9576.	2016年12月30日	not yet calculated	CVE-2016-10088 CONFIRM MLIST CONFIRM
phpmailer -- phpmailer	The isMail transport in PHPMailer before 5.2.20, when the Sender property is not set, might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code by leveraging improper interaction between the escapeshellarg function and internal escaping performed in the mail function. NOTE: this vulnerability exists because of an incorrect fix for CVE-2016-10033.	2016年12月30日	not yet calculated	CVE-2016-10045 MLIST MISC FULLDISC BUGTRAQ BID CONFIRM CONFIRM CONFIRM MISC EXPLOIT-DB
phpmailer -- phpmailer	The mailSend function in the isMail transport in PHPMailer before 5.2.18, when the Sender property is not set, might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code via a \" (backslash double quote) in a crafted From address.	2016年12月30日	not yet calculated	CVE-2016-10033 MISC FULLDISC BUGTRAQ BID CONFIRM CONFIRM CONFIRM MISC CONFIRM EXPLOIT-DB EXPLOIT-DB
qemu -- qemu	QEMU (aka Quick Emulator) built to use 'address_space_translate' to map an address to a MemoryRegionSection is vulnerable to an OOB r/w access issue. It could occur while doing pci_dma_read/write calls. Affects QEMU versions >= 1.6.0 and <= 2.3.1. A privileged user inside guest could use this flaw to crash the guest instance resulting in DoS.	2016年12月29日	not yet calculated	CVE-2015-8817 CONFIRM CONFIRM MLIST MLIST CONFIRM MLIST
sap_hybris -- hybris_management_console	Cross-site scripting (XSS) vulnerability in the Create Catalogue feature in Hybris Management Console (HMC) in SAP Hybris before 5.2.0.13, 5.3.x before 5.3.0.11, 5.4.x before 5.4.0.11, 5.5.0.x before 5.5.0.10, 5.5.1.x before 5.5.1.11, 5.6.x before 5.6.0.11, and 5.7.x before 5.7.0.15 allows remote authenticated users to inject arbitrary web script or HTML via the ID field.	2016年12月31日	not yet calculated	CVE-2016-6857 MISC
sap_hybris -- hybris_management_console	Cross-site scripting (XSS) vulnerability in the Create Employee feature in Hybris Management Console (HMC) in SAP Hybris before 5.0.4.11, 5.1.0.x before 5.1.0.11, 5.1.1.x before 5.1.1.12, 5.2.0.x and 5.3.0.x before 5.3.0.10, 5.4.x before 5.4.0.9, 5.5.0.x before 5.5.0.9, 5.5.1.x before 5.5.1.10, 5.6.x before 5.6.0.8, and 5.7.x before 5.7.0.9 allows remote authenticated users to inject arbitrary web script or HTML via the Name field.	2016年12月31日	not yet calculated	CVE-2016-6858 MISC
sap_hybris -- hybris_management_console	Cross-site scripting (XSS) vulnerability in the Inbox Search feature in Hybris Management Console (HMC) in SAP Hybris before 6.0 allows remote attackers to inject arbitrary web script or HTML via the itemsperpage parameter.	2016年12月31日	not yet calculated	CVE-2016-6856 MISC
sap_hybris -- hybris_management_console	Hybris Management Console (HMC) in SAP Hybris before 6.0 allows remote attackers to obtain sensitive information by triggering an error and then reading a Java stack trace.	2016年12月31日	not yet calculated	CVE-2016-6859 MISC
shutter -- shutter	App/HelperFunctions.pm in Shutter through 0.93.1 allows user-assisted remote attackers to execute arbitrary commands via a crafted image name that is mishandled during a "Show in Folder" action.	2016年12月29日	not yet calculated	CVE-2015-0854 CONFIRM
swift_mailer -- swift_mailer	The mail transport (aka Swift_Transport_MailTransport) in Swift Mailer before 5.4.5 might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code via a \" (backslash double quote) in a crafted e-mail address in the (1) From, (2) ReturnPath, or (3) Sender header.	2016年12月30日	not yet calculated	CVE-2016-10074 MISC FULLDISC BID CONFIRM MISC EXPLOIT-DB
zend -- zend	The setFrom function in the Sendmail adapter in the zend-mail component before 2.4.11, 2.5.x, 2.6.x, and 2.7.x before 2.7.2, and Zend Framework before 2.4.11 might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code via a \" (backslash double quote) in a crafted e-mail address.	2016年12月30日	not yet calculated	CVE-2016-10034 BID CONFIRM MISC

This product is provided subject to this Notification and this Privacy & Use policy.

A copy of this publication is available at www.us-cert.gov. If you need help or have questions, please send an email to info@xxxxxxxxxxx. Do not reply to this message since this email was sent from a notification-only address that is not monitored. To ensure you receive future US-CERT products, please add US-CERT@xxxxxxxxxxxxxxxx to your address book.

OTHER RESOURCES:

STAY CONNECTED:

SUBSCRIBER SERVICES:
Manage Preferences | Unsubscribe | Help

This email was sent to linux-security@xxxxxxxxxxx using GovDelivery, on behalf of: United States Computer Emergency Readiness Team (US-CERT) · 245 Murray Lane SW Bldg 410 · Washington, DC 20598 · (888) 282-0870 Powered by GovDelivery