Monthly Patches are out for Siemens, Schneider Electric, and SAP. New Alerts for F5, Extreme Networks, and Linux. Monthly Patches for Microsoft and Adobe are expected later today.
Siemens
Siemens has published 23 bulletins in their Monthly Patches, 12 new and 11 updated. Highest CVSSv3 score of 9.8
More info.
The CPCI85 firmware of SICAM A8000 CP-8031 and CP-8050 contains a hard-coded ID in the SSH authorized_keys configuration file. Only devices with activated debug support are affected. CVSSv3 score of 9.8
More info.
The Mendix Forgot Password module contains a user enumeration vulnerability that could allow an attacker to retrieve valid users. CVSSv3 score of 5.3
More info.
The SCALANCE W1750D device contains multiple vulnerabilities that could allow a remote attacker to inject commands or exploit buffer overflow vulnerabilities which could lead to information disclosure, DoS, or RCE. CVSSv3 score of 9.8
More info.
Simcenter Amesim contains a vulnerable SOAP endpoint that could allow a remote attacker to perform DLL injection and execute arbitrary code in the context of the affected application process. CVSSv3 score of 9.8
More info.
Schneider Electric has published 2 new bulletins in their Monthly Patches. Highest CVSSv3 score of 9.8
More info.
Multiple vulnerabilities in SpaceLogic C-Bus Toolkit products could allow RCE and result in tampering with the SpaceLogic C-Bus home automation system. CVSSv3 score of 9.8
More info.
A vulnerability in EcoStruxure Power Monitoring Expert and EcoStruxure Power Operation products could allow a remote attacker to execute arbitrary code. CVSSv3 score of 9.8
More info.
SAP Monthly Patches include 9 bulletins, 6 of which are new and rated Medium. It is worth noting that there is an update to a bulletin from April 2018 that addresses Chromium in SAP Business Client, with a CVSSv3 score of 10.
More info.
F5 has published several new bulletins. Highest listed CVSSv3 score of 7.5
More info.
BIG-IP Advanced WAF, BIG-IP ASM, and NGINX App Protect attack signature check fails to detect and block certain requests, and the system forwards the request to the back-end servers without logging a violation.
More info.
A specifically crafted HTTP request may bypass BIG-IP HTTP RFC enforcement and may lead the BIG-IP system to pass malformed HTTP requests to a target pool member web server.
More info.
Undisclosed requests can cause the BIG-IP Traffic Management Microkernel (TMM) to terminate, allowing a remote attacker to cause a DoS. CVSSv3 score of 7.5
More info.
BIG-IP APM OAuth Bearer Single Sign-On (SSO) may forward HTTP headers as-is without the expected processing.
More info.
An authenticated user's session cookie may remain valid for a limited time after logging out from the BIG-IP Configuration utility. CVSSv3 score of 8.1
More info.
When TCP Verified Accept is enabled on a BIG-IP TCP profile that is configured on a virtual server, undisclosed requests can cause a DoS. CVSSv3 score of 7.5
More info.
The BIG-IP SPK TMM f5-debug-sidecar and f5-debug-sshd containers contain hardcoded credentials. CVSSv3 score of 7.4
More info.
When IPsec is configured on a BIG-IP virtual server, undisclosed traffic can cause the TMM to terminate, resulting in a DoS. CVSSv3 score of 7.5
More info.
Extreme Networks has published 27 new security advisories covering their products.
More info.
Red Hat has updated kpatch. More info.
Oracle Linux has updated the kernel. More info.