Monthly Patches are out for SAP, Schneider Electric, and Siemens. New Alerts for Ivanti (PoC), Rockwell Automation, Phoenix Contact, PEPPERL+FUCHS, AVEVA, Splunk, and Linux. Later this afternoon come the Monthly Patches for Microsoft and Adobe; tomorrow should bring Palo Alto Networks and Juniper Networks.
SAP
SAP Security Patch Day saw the release of 17 new Security Notes (2 rated Hot News, 3 rated High, and 12 rated Medium) and 8 updates to previously released Security Notes. Of the new notes, the highest CVSSv3 score is 9.8.
More info.
Schneider Electric Monthly Patches include 2 new bulletins and 14 updated bulletins. Of the new bulletins, the highest CVSSv3 score is 7.5.
More info.
A buffer overflow vulnerability exists that could cause a crash of the Accutech Manager when it receives a specially crafted request over port 2536/TCP. CVSSv3 score of 7.5.
More info.
Siemens Monthly Patches include 9 new bulletins and 18 updated bulletins. Of the new bulletins, the highest CVSSv4 score is 9.4.
More info.
SINEC NMS and Location Intelligence are affected by multiple vulnerabilities in third-party software. Highest CVSSv4 score of 9.4.
More info. And here.
INTRALOG WMS is affected by vulnerabilities in the SQL client-server communication and in the .NET framework. Successful exploitation could allow a remote attacker to decrypt and modify client-server communication, or potentially execute arbitrary code on the application servers. Highest CVSSv4 score of 8.8.
More info.
SINEC Traffic Analyzer is affected by multiple vulnerabilities. Highest CVSSv4 score of 8.7.
More info.
Ivanti has published 3 new bulletins identifying vulnerabilities in Avalanche, Neurons for ITSM, and vTM. Highest CVSSv3 score of 9.8.
More info.
Ivanti Virtual Traffic Manager (vTM) has addressed a critical vulnerability that allows a remote attacker to bypass authentication and create an administrator user. CVSSv3 score of 9.8.
PoC publicly available.
More info.
Ivanti has released updates for Ivanti Neurons for ITSM that address a critical severity vulnerability and a high severity vulnerability. Highest CVSSv3 score of 9.6.
More info.
Rockwell Automation has published 8 new bulletins for Pavilion8, GuardLogix/ControlLogix 5580/5380, AADvance Standalone OPC-DA Server, FactoryTalk View Site, DataMosaix, and Emulate3D. Highest CVSSv4 score of 8.7.
More info.
Phoenix Contact
CHARX SEC products contain 2 vulnerabilities that could allow a remote attacker to reset a password or change the device configuration. Highest CVSSv3 score of 8.6.
More info. And here.
Device Master ICDM-RX/* contains a vulnerability that allows a remote attacker to interact with a user via a dialog box. Highest CVSSv3 score of 7.1.
More info.
AVEVA has published 3 new bulletins that update SuiteLink Server, Reports for Operations 2023, and Historian Server. Highest CVSSv4 score of 8.7.
More info.
SuiteLink Server contains a vulnerability that could allow a remote attacker to consume excessive system resources and slow down processing of Data I/O for the duration of the attack. CVSSv4 score of 8.7.
More info.
Historian Server contains a vulnerability that could allow a remote attacker to cause a malicious SQL command to execute under the privileges of an interactive Historian REST Interface user who had been socially engineered into opening a specially crafted URL. CVSSv4 score of 8.5.
More info.
Splunk has updated Python for Scientific Computing to fix several vulnerabilities, the highest of which is rated Critical.
More info.
Linux
Red Hat has updated the kernel. More info.
Oracle Linux has updated the kernel. More info.
Debian has updated the kernel. More info.
Ubuntu has updated the kernel. More info.