
CERT RENATER advisories

By default, this page displays the latest messages sent by CERT RENATER to the community. You can filter by year or by message type. If no criterion is specified, only the latest messages are displayed.

Date: Wed, 17 Jun 2015 17:53:17 +0200
Type: VULN
Subject: CERT-Renater : 2015/VULN107 (RSA : RSA Validation Manager Security Update for Multiple Vulnerabilities)
===================================================================
                           CERT-Renater

               Information Note No. 2015/VULN107
_____________________________________________________________________

DATE                : 16/06/2015

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running RSA Validation Manager version 3.2
                        prior to Build 201.

======================================================================
http://www.securityfocus.com/archive/1/535777
______________________________________________________________________

ESA-2015-043: RSA Validation Manager Security Update for Multiple
Vulnerabilities

EMC Identifier: ESA-2015-043

CVE Identifier: CVE-2014-3566, CVE-2014-0098, CVE-2014-0231,
CVE-2014-0226, CVE-2013-1862, CVE-2012-3499, CVE-2015-0526, CVE-2013-2566

Severity Rating: CVSSv2 Base Score: See below for details

Affected Products:

RSA Validation Manager 3.2 prior to Build 201

Unaffected Products:

RSA Validation Manager 3.2 Build 201 or above

Summary:

RSA Validation Manager (RVM) requires a security update to address
multiple potential vulnerabilities.

Details:

RSA Validation Manager (RVM) contains security fixes to address the
following vulnerabilities:

CVE-2014-3566: The SSL protocol 3.0, as used in OpenSSL through 1.0.1i
and other products, uses nondeterministic CBC padding, which makes it
easier for man-in-the-middle attackers to obtain cleartext data via a
padding-oracle attack, aka the "POODLE" issue.

See https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3566 for
more details.

CVSSv2 Base Score: 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N)

CVE-2014-0098: The log_cookie function in mod_log_config.c in the
mod_log_config module in the Apache HTTP Server before 2.4.8 allows
remote attackers to cause a denial of service (segmentation fault and
daemon crash) via a crafted cookie that is not properly handled during
truncation.

See http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0098 for
more details.

CVSSv2 Base Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)

CVE-2014-0231: The mod_cgid module in the Apache HTTP Server before
2.4.10 does not have a timeout mechanism, which allows remote attackers
to cause a denial of service (process hang) via a request to a CGI
script that does not read from its stdin file descriptor. See
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0231

CVSSv2 Base Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)

CVE-2014-0226: Race condition in the mod_status module in the Apache
HTTP Server before 2.4.10 allows remote attackers to cause a denial of
service (heap-based buffer overflow), or possibly obtain sensitive
credential information or execute arbitrary code, via a crafted request
that triggers improper scoreboard handling within the status_handler
function in modules/generators/mod_status.c and the
lua_ap_scoreboard_worker function in modules/lua/lua_request.c.

See https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0226 for
more details.

CVSSv2 Base Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)

CVE-2013-1862: mod_rewrite.c in the mod_rewrite module in the Apache
HTTP Server 2.2.x before 2.2.25 writes data to a log file without
sanitizing non-printable characters, which might allow remote attackers
to execute arbitrary commands via an HTTP request containing an escape
sequence for a terminal emulator.

See https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1862 for
more details.

CVSSv2 Base Score: 5.1 (AV:N/AC:H/Au:N/C:P/I:P/A:P)
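The mod_rewrite issue above is a log-injection problem: request data written to a log unchanged can carry terminal control sequences that fire when an administrator views the file. The following is an added example, not Apache's code and not part of this advisory, showing the mitigation on the writing side: every untrusted field is passed through an escaping routine before it reaches the log line. The line format, the client address and the request URI are constructed for the example.

```python
# Added example (not Apache's code and not part of this advisory): render
# untrusted request data safely before it is written to a log, so that a
# terminal escape sequence carried in a request cannot reach an
# administrator's terminal unescaped when the log is viewed. The request
# URI and client address below are constructed samples.


def escape_logitem(value: str) -> str:
    """Return value with every non-printable character made visible.

    Printable ASCII (0x20-0x7E) is copied through, a backslash is doubled so
    the output stays unambiguous, and every other character (ESC, CR, LF,
    DEL, non-ASCII) becomes a \\xNN or \\uNNNN escape.
    """
    out = []
    for ch in value:
        code = ord(ch)
        if ch == "\\":
            out.append("\\\\")
        elif 0x20 <= code <= 0x7E:
            out.append(ch)
        elif code <= 0xFF:
            out.append("\\x%02x" % code)
        else:
            out.append("\\u%04x" % code)
    return "".join(out)


def contains_control_chars(text: str) -> bool:
    """True if text still carries C0 control characters or DEL."""
    return any(ord(c) < 0x20 or ord(c) == 0x7F for c in text)


def rewrite_log_line(client: str, request_uri: str, rewritten_to: str) -> str:
    """Build a rewrite-log style line with every untrusted field escaped.

    The line format is invented for this example; the point is that no field
    taken from the request is written without passing through escape_logitem.
    """
    return "%s [rewrite] %s -> %s" % (
        escape_logitem(client),
        escape_logitem(request_uri),
        escape_logitem(rewritten_to),
    )


# Constructed sample: a request path that embeds an ESC-based terminal
# control sequence (clear screen, then switch to red text).
SAMPLE_URI = "/index.html?view=\x1b[2J\x1b[31mnotice"

if __name__ == "__main__":
    raw = "192.0.2.10 [rewrite] %s -> /app/index.html" % SAMPLE_URI
    safe = rewrite_log_line("192.0.2.10", SAMPLE_URI, "/app/index.html")
    print("raw line still has control characters:", contains_control_chars(raw))
    print("escaped line:", safe)
```

The same check, `contains_control_chars`, can be run over existing log files as a detection: a line that still contains ESC (0x1b) after the web server has written it means the sanitisation is missing or bypassed.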

CVE-2012-3499: Multiple cross-site scripting (XSS) vulnerabilities in
the Apache HTTP Server 2.2.x before 2.2.24-dev and 2.4.x before 2.4.4
allow remote attackers to inject arbitrary web script or HTML via
vectors involving hostnames and URIs in the (1) mod_imagemap, (2)
mod_info, (3) mod_ldap, (4) mod_proxy_ftp, and (5) mod_status modules.

See https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-3499 for
more details.

CVSSv2 Base Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)

CVE-2013-2566: The RC4 algorithm, as used in the TLS protocol and SSL
protocol, has many single-byte biases, which makes it easier for remote
attackers to conduct plaintext-recovery attacks via statistical analysis
of ciphertext in a large number of sessions that use the same plaintext.

See https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2566 for
more details.

CVSSv2 Base Score: 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N)
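Two of the entries in this advisory, POODLE (CVE-2014-3566) and the RC4 biases (CVE-2013-2566), are protocol-level weaknesses that are removed by configuration rather than by patching code: refuse SSL 3.0 and refuse RC4 suites. The following is an added example, not RSA's or RVM's configuration, that builds such a client-side TLS policy with Python's `ssl` module and checks it offline. The cipher string and the weak-cipher marker list are this example's choices, not settings taken from the product.

```python
import ssl

# Added example (not RSA's or RVM's configuration): a client-side TLS policy
# that removes the two protocol-level weaknesses listed in this advisory,
# SSL 3.0 (POODLE, CVE-2014-3566) and RC4 cipher suites (CVE-2013-2566),
# together with checks that inspect the policy offline. The cipher string
# and the marker list are this example's choices, not RVM's settings.

WEAK_CIPHER_MARKERS = ("RC4", "NULL", "EXPORT", "MD5")


def hardened_client_context() -> ssl.SSLContext:
    """Return a context that will not negotiate SSLv3 or RC4."""
    ctx = ssl.create_default_context()
    # Floor the protocol version at TLS 1.2. SSLv3 (and TLS 1.0/1.1) are
    # then never offered, which is the protocol-level fix for POODLE.
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # Explicit cipher policy: strong suites only. "!RC4" removes every RC4
    # suite; the other exclusions drop anonymous, NULL and export grades.
    ctx.set_ciphers("HIGH:!aNULL:!eNULL:!EXPORT:!RC4:!MD5")
    return ctx


def weak_ciphers(ctx: ssl.SSLContext) -> list:
    """Names of enabled suites that match a weak-cipher marker (expect none)."""
    return [
        c["name"]
        for c in ctx.get_ciphers()
        if any(marker in c["name"].upper() for marker in WEAK_CIPHER_MARKERS)
    ]


def allows_sslv3(ctx: ssl.SSLContext) -> bool:
    """True if the context's protocol floor still admits SSL 3.0."""
    return ctx.minimum_version <= ssl.TLSVersion.SSLv3


if __name__ == "__main__":
    ctx = hardened_client_context()
    print("minimum version:", ctx.minimum_version.name)
    print("SSLv3 allowed:", allows_sslv3(ctx))
    print("weak suites enabled:", weak_ciphers(ctx))
```

`weak_ciphers` reads back what OpenSSL actually enabled after the cipher string was applied, so it catches a cipher string that was accepted but did not exclude what was intended; the same two checks applied to a server-side context give a quick regression test for a TLS hardening change.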

Reflected Cross-Site Scripting Vulnerability (CVE-2015-0526): A
cross-site scripting vulnerability affecting the displayMode and
wrapPreDisplayMode parameter could potentially be exploited by an
attacker to execute arbitrary HTML and script code in RVM user's
browser session.

CVSSv2 Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
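The reflected XSS entry names two request parameters, displayMode and wrapPreDisplayMode, that were echoed into the response. The following added example, not RVM's code, shows the unsafe reflection pattern beside its hardened counterpart: the fixed version HTML-encodes every value before it is placed in the document, so a value can no longer close an attribute or open a tag. The HTML fragment and the sample query string are constructed for the example; only the parameter names come from the advisory.

```python
import html
from urllib.parse import parse_qs

# Added example (not RVM's code): the unsafe pattern behind a reflected XSS,
# shown beside a hardened version. The parameter names displayMode and
# wrapPreDisplayMode come from the advisory; the HTML fragment and the
# sample query string are constructed here.

TEMPLATE = '<div class="view" data-mode="%s" data-wrap="%s">Mode: %s</div>'


def first_value(params: dict, name: str, default: str) -> str:
    """parse_qs yields lists; take the first value or a default."""
    return params.get(name, [default])[0]


def render_unsafe(params: dict) -> str:
    """Vulnerable: reflects the raw parameter values into the HTML document."""
    mode = first_value(params, "displayMode", "full")
    wrap = first_value(params, "wrapPreDisplayMode", "off")
    return TEMPLATE % (mode, wrap, mode)


def render_safe(params: dict) -> str:
    """Hardened: HTML-encode every reflected value, quotes included.

    html.escape(quote=True) turns & < > " ' into entities, so the value can
    neither terminate the data-mode attribute nor introduce new markup.
    """
    mode = html.escape(first_value(params, "displayMode", "full"), quote=True)
    wrap = html.escape(first_value(params, "wrapPreDisplayMode", "off"), quote=True)
    return TEMPLATE % (mode, wrap, mode)


def breaks_out_of_markup(rendered: str, tainted: str) -> bool:
    """True if the tainted input survived verbatim in the rendered HTML."""
    return tainted in rendered


# Constructed sample: a value that closes the attribute and injects a tag.
TAINTED = '"><b>injected</b>'
SAMPLE_QUERY = "displayMode=" + TAINTED + "&wrapPreDisplayMode=on"

if __name__ == "__main__":
    params = parse_qs(SAMPLE_QUERY)
    print("unsafe:", render_unsafe(params))
    print("safe:  ", render_safe(params))
```

Because a display-mode parameter takes a small fixed set of values, the stronger fix is to allow-list those values before rendering and treat anything else as the default; output encoding as shown here then remains as defence in depth for whatever still reaches the template.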

For more information about any of the Common Vulnerabilities and
Exposures (CVEs) mentioned here, consult the National Vulnerability
Database (NVD) at http://nvd.nist.gov/home.cfm. To search for a
particular CVE, use the database's search utility at
http://web.nvd.nist.gov/view/vuln/search.

Recommendation:

The following RVM release contains the resolution to these issues:

RSA Validation Manager 3.2 Build 201 or later

RSA recommends all customers upgrade to the version mentioned above at
the earliest opportunity.

Credit:

RSA would like to thank Ken Cijsouw (ken.cijsouw@sincerus.nl) for
reporting CVE-2015-0526.

Obtaining Downloads:

To obtain the latest RSA product downloads, log on to RSA SecurCare
Online at
https://knowledge.rsasecurity.com and click Products in the top
navigation menu. Select the specific product whose download you want to
obtain. Scroll to the section for the product download that you want and
click on the link.

Obtaining Documentation:

To obtain RSA documentation, log on to RSA SecurCare Online at
https://knowledge.rsasecurity.com and click Products in the top
navigation menu. Select the specific product whose documentation you
want to obtain.
Scroll to the section for the product version that you want and click
the set link.

Severity Rating:

For an explanation of Severity Ratings, refer to the Knowledge Base
Article, "Security Advisories Severity Rating" at
https://knowledge.rsasecurity.com/scolcm/knowledge.aspx?solution¤6604.
RSA recommends all customers take into account both the base score and
any relevant temporal and environmental scores which may impact the
potential severity associated with a particular security vulnerability.
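Each entry above carries a CVSSv2 vector beside its base score, and the Severity Rating section asks readers to weigh the base score against their own temporal and environmental factors. The following added example, not RSA's or NVD's tooling, recomputes the base scores from those vectors with the CVSS v2 base equations (the metric weights are the standard v2 values), so a reader can verify the published numbers and score any other v2 vector locally.

```python
# Added example (not RSA's or NVD's tooling): recompute the CVSSv2 base
# scores from the vector strings in this advisory using the CVSS v2 base
# equations, so the published scores can be checked and a local score
# derived for any other v2 vector. Metric weights are the CVSS v2 values.

AV = {"L": 0.395, "A": 0.646, "N": 1.0}    # Access Vector
AC = {"H": 0.35, "M": 0.61, "L": 0.71}     # Access Complexity
AU = {"M": 0.45, "S": 0.56, "N": 0.704}    # Authentication
CIA = {"N": 0.0, "P": 0.275, "C": 0.660}   # C / I / A impact

TABLES = (("AV", AV), ("AC", AC), ("Au", AU), ("C", CIA), ("I", CIA), ("A", CIA))


def parse_vector(vector: str) -> dict:
    """Split 'AV:N/AC:M/Au:N/C:P/I:N/A:N' into its metrics, validating each."""
    metrics = {}
    for part in vector.strip().strip("()").split("/"):
        name, _, value = part.partition(":")
        metrics[name] = value
    missing = [name for name, _ in TABLES if name not in metrics]
    if missing:
        raise ValueError("vector lacks metrics: %s" % ", ".join(missing))
    for name, table in TABLES:
        if metrics[name] not in table:
            raise ValueError("bad value %r for %s" % (metrics[name], name))
    return metrics


def round1(x: float) -> float:
    """Round half up to one decimal place."""
    return int(x * 10 + 0.5) / 10


def base_score(vector: str) -> float:
    """CVSS v2 base score: 0.6*Impact + 0.4*Exploitability - 1.5, times f(Impact)."""
    v = parse_vector(vector)
    impact = 10.41 * (1 - (1 - CIA[v["C"]]) * (1 - CIA[v["I"]]) * (1 - CIA[v["A"]]))
    exploitability = 20 * AV[v["AV"]] * AC[v["AC"]] * AU[v["Au"]]
    f_impact = 0.0 if impact == 0 else 1.176
    return round1((0.6 * impact + 0.4 * exploitability - 1.5) * f_impact)


# Vectors and scores exactly as published in the advisory above.
ADVISORY = {
    "CVE-2014-3566": ("AV:N/AC:M/Au:N/C:P/I:N/A:N", 4.3),
    "CVE-2014-0098": ("AV:N/AC:L/Au:N/C:N/I:N/A:P", 5.0),
    "CVE-2014-0231": ("AV:N/AC:L/Au:N/C:N/I:N/A:P", 5.0),
    "CVE-2014-0226": ("AV:N/AC:M/Au:N/C:P/I:P/A:P", 6.8),
    "CVE-2013-1862": ("AV:N/AC:H/Au:N/C:P/I:P/A:P", 5.1),
    "CVE-2012-3499": ("AV:N/AC:M/Au:N/C:N/I:P/A:N", 4.3),
    "CVE-2013-2566": ("AV:N/AC:M/Au:N/C:P/I:N/A:N", 4.3),
    "CVE-2015-0526": ("AV:N/AC:L/Au:N/C:P/I:P/A:P", 7.5),
}


def mismatches() -> list:
    """CVEs whose recomputed base score differs from the published one."""
    return [cve for cve, (vec, published) in ADVISORY.items()
            if base_score(vec) != published]


if __name__ == "__main__":
    for cve, (vec, published) in ADVISORY.items():
        print("%s %s computed=%.1f published=%.1f" % (cve, vec, base_score(vec), published))
    print("mismatches:", mismatches())
```

All eight published scores reproduce. Note that the two 4.3 entries differ in which impact is partial (confidentiality for POODLE and RC4, integrity for the Apache XSS): the base equation is symmetric in C, I and A, so the number alone does not tell a defender which property is at risk; the vector does.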

Obtaining More Information:

For more information about RSA products, visit the RSA web site at
http://www.rsa.com.

Getting Support and Service:

For customers with current maintenance contracts, contact your local RSA
Customer Support center with any additional questions regarding this RSA
SecurCare Note. For contact telephone numbers or e-mail addresses, log
on to RSA SecurCare Online at https://knowledge.rsasecurity.com, click
Help & Contact, and then click the Contact Us - Phone tab or the Contact
Us - Email tab.

General Customer Support Information:

http://www.emc.com/support/rsa/index.htm

RSA SecurCare Online:

https://knowledge.rsasecurity.com

EOPS Policy:

RSA has a defined End of Primary Support policy associated with all
major versions. Please refer to the link below for additional details.

http://www.emc.com/support/rsa/eops/index.htm

SecurCare Online Security Advisories

RSA, The Security Division of EMC, distributes SCOL Security Advisories in
order to bring to the attention of users of the affected RSA products
important security information. RSA recommends that all users determine
the applicability of this information to their individual situations and
take appropriate action. The information set forth herein is provided
"as is" without warranty of any kind. RSA disclaims all warranties,
either express or implied, including the warranties of merchantability,
fitness for a particular purpose, title and non-infringement. In no
event shall RSA or its suppliers be
liable for any damages whatsoever including direct, indirect,
incidental, consequential, loss of business profits or special damages,
even if RSA or its suppliers have been advised of the possibility of
such damages. Some states do not allow the exclusion or limitation of
liability for consequential or incidental damages so the foregoing
limitation may not apply.

About RSA SecurCare Notes & Security Advisories Subscription

RSA SecurCare Notes & Security Advisories are targeted e-mail messages
that RSA sends you based on the RSA product family you currently use.
If you'd like to stop receiving RSA SecurCare Notes & Security
Advisories, or if you'd like to change which RSA product family
Notes & Security Advisories you currently receive, log on to RSA
SecurCare Online at
https://knowledge.rsasecurity.com/scolcms/help.aspx?_v=view3. Following
the instructions on the page, remove the check mark next to the RSA
product family whose Notes & Security Advisories you no longer want to
receive. Click the Submit button to save your selection.

Sincerely,

RSA Customer Support

=========================================================
CERT-Renater reference server
https://services.renater.fr/ssi/
==========================================================
+ CERT-RENATER          | tel : 01-53-94-20-44           +
+ 23 - 25 Rue Daviel    | fax : 01-53-94-20-41           +
+ 75013 Paris           | email: cert@support.renater.fr +
==========================================================
