Vulnerability Summary for the Week of November 14, 2016

Please Note:

• The vulnerabilities are categorized by their level of severity, which is either High, Medium or Low.

• The CVE identity number is the publicly known ID given to that particular vulnerability, so you can look up the status of that vulnerability using that ID.

• The CVSS (Common Vulnerability Scoring System) score is a standard scoring system used to determine the severity of the vulnerability.

High Severity Vulnerabilities

Each entry lists: Primary Vendor -- Product; Date Published; CVSS Score; CVE Identity; Source (reference type); Description.

dotcms -- dotcms
  Published: 2016-11-14 | CVSS: 7.5 | CVE-2016-8902 | Source: MISC
  SQL injection vulnerability in the categoriesServlet servlet in dotCMS before 3.3.1 allows remote not authenticated attackers to execute arbitrary SQL commands via the sort parameter.

emc -- avamar_data_store (miscellaneous)
  Published: 2016-11-15 | CVSS: 7.2 | CVE-2016-0909 | Source: CONFIRM
  EMC Avamar Data Store (ADS) and Avamar Virtual Edition (AVE) versions 7.3 and older contain a vulnerability that may expose the Avamar servers to potentially be compromised by malicious users.

exponentcms -- exponent_cms
  Published: 2016-11-15 | CVSS: 7.5 | CVE-2016-9287 | Source: CONFIRM
  In /framework/modules/notfound/controllers/notfoundController. of Exponent CMS 2.4.0 patch1, untrusted input is passed into getSearchResults. The method getSearchResults is defined in the search model with the parameter '$term' used directly in SQL. Impact is a SQL injection.

exponentcms -- exponent_cms
  Published: 2016-11-11 | CVSS: 7.5 | CVE-2016-9288 | Source: CONFIRM
  In framework/modules/navigation/controllers/navigationController.php in Exponent CMS v2.4.0 or older, the parameter "target" of function "DragnDropReRank" is directly used without any filtration, which caused SQL injection. The payload can be used like this: /navigation/DragnDropReRank/target/1.

linux -- linux_kernel
  Published: 2016-11-16 | CVSS: 9.3 | CVE-2015-8961 | Source: CONFIRM
  The __ext4_journal_stop function in fs/ext4/ext4_jbd2.c in the Linux kernel before 4.3.3 allows local users to gain privileges or cause a denial of service (use-after-free) by leveraging improper access to a certain error field.

linux -- linux_kernel
  Published: 2016-11-16 | CVSS: 9.3 | CVE-2015-8962 | Source: CONFIRM
  Double free vulnerability in the sg_common_write function in drivers/scsi/sg.c in the Linux kernel before 4.4 allows local users to gain privileges or cause a denial of service (memory corruption and system crash) by detaching a device during an SG_IO ioctl call.

linux -- linux_kernel
  Published: 2016-11-16 | CVSS: 7.6 | CVE-2015-8963 | Source: CONFIRM
  Race condition in kernel/events/core.c in the Linux kernel before 4.4 allows local users to gain privileges or cause a denial of service (use-after-free) by leveraging incorrect handling of an swevent data structure during a CPU unplug operation.

linux -- linux_kernel
  Published: 2016-11-16 | CVSS: 7.1 | CVE-2015-8964 | Source: CONFIRM
  The tty_set_termios_ldisc function in drivers/tty/tty_ldisc.c in the Linux kernel before 4.5 allows local users to obtain sensitive information from kernel memory by reading a tty data structure.

linux -- linux_kernel
  Published: 2016-11-16 | CVSS: 9.3 | CVE-2016-7910 | Source: CONFIRM
  Use-after-free vulnerability in the disk_seqf_stop function in block/genhd.c in the Linux kernel before 4.7.1 allows local users to gain privileges by leveraging the execution of a certain stop operation even if the corresponding start operation had failed.

linux -- linux_kernel
  Published: 2016-11-16 | CVSS: 9.3 | CVE-2016-7911 | Source: CONFIRM
  Race condition in the get_task_ioprio function in block/ioprio.c in the Linux kernel before 4.6.6 allows local users to gain privileges or cause a denial of service (use-after-free) via a crafted ioprio_get system call.

linux -- linux_kernel
  Published: 2016-11-16 | CVSS: 9.3 | CVE-2016-7912 | Source: CONFIRM
  Use-after-free vulnerability in the ffs_user_copy_worker function in drivers/usb/gadget/function/f_fs.c in the Linux kernel before 4.5.3 allows local users to gain privileges by accessing an I/O data structure after a certain callback call.

linux -- linux_kernel
  Published: 2016-11-16 | CVSS: 9.3 | CVE-2016-7913 | Source: CONFIRM
  The xc2028_set_config function in drivers/media/tuners/tuner-xc2028.c in the Linux kernel before 4.6 allows local users to gain privileges or cause a denial of service (use-after-free) via vectors involving omission of the firmware name from a certain data structure.

linux -- linux_kernel
  Published: 2016-11-16 | CVSS: 7.1 | CVE-2016-7914 | Source: CONFIRM
  The assoc_array_insert_into_terminal_node function in lib/assoc_array.c in the Linux kernel before 4.5.3 does not check whether a slot is a leaf, which allows local users to obtain sensitive information from kernel memory or cause a denial of service (invalid pointer dereference and out-of-bounds read) via an application that uses associative-array data structures, as demonstrated by the keyutils test suite.

linux -- linux_kernel
  Published: 2016-11-16 | CVSS: 7.1 | CVE-2016-7916 | Source: CONFIRM
  Race condition in the environ_read function in fs/proc/base.c in the Linux kernel before 4.5.4 allows local users to obtain sensitive information from kernel memory by reading a /proc/*/environ file during a process-setup time interval in which environment-variable copying is incomplete.

objective_development -- little_snitch
  Published: 2016-11-15 | CVSS: 7.2 | CVE-2016-8661 | Source: MISC
  Little Snitch version 3.0 through 3.6.1 suffer from a buffer overflow vulnerability that could be locally exploited, which could lead to an escalation of privileges (EoP) and unauthorised ring0 access to the . The buffer overflow is related to insufficient checking of parameters to the "OSMalloc" and "copyin" kernel API calls.

samsung -- samsung_mobile
  Published: 2016-11-11 | CVSS: 7.8 | CVE-2016-9277 | Source: CONFIRM
  Integer overflow in SystemUI in KK(4.4) and L(5.0/5.1) on Samsung Note devices allows attackers to cause a denial of service (UI restart) via vectors involving APIs and an activity that computes an out-of-bounds array index, aka SVE-2016-6906.

Medium Severity Vulnerabilities

Each entry lists: Primary Vendor -- Product; Date Published; CVSS Score; CVE Identity; Source (reference type); Description.

7-zip -- p7zip
  Published: 2016-11-11 | CVSS: 5.0 | CVE-2016-9296 | Source: MISC
  A null pointer dereference bug affects the 16.02 and many old versions of p7zip. A lack of null pointer check for the variable folders.PackPositions in function CInArchive::ReadAndDecodePackedStreams in CPP/7zip/Archive/7z/7zIn.cpp, as used in the 7z.so library and in 7z applications, will cause a crash and a denial of service when decoding malformed 7z files.

artifex -- mujs
  Published: 2016-11-11 | CVSS: 5.0 | CVE-2016-9294 | Source: CONFIRM
  Artifex Software, Inc. MuJS before 5008105780c0b0182ea6eda83ad5598f225be3ee allows context-dependent attackers to conduct "denial of service (application crash)" attacks by using the "malformed labeled break/continue in JavaScript" approach, related to a "NULL pointer dereference" issue affecting the jscompile.c component.

dotcms -- dotcms
  Published: 2016-11-14 | CVSS: 6.5 | CVE-2016-8903 | Source: MISC
  SQL injection vulnerability in the "Site Browser > Templates pages" screen in dotCMS before 3.3.1 allows remote authenticated attackers to execute arbitrary SQL commands via the orderby parameter.

dotcms -- dotcms
  Published: 2016-11-14 | CVSS: 6.5 | CVE-2016-8904 | Source: MISC
  SQL injection vulnerability in the "Site Browser > Containers pages" screen in dotCMS before 3.3.1 allows remote authenticated attackers to execute arbitrary SQL commands via the orderby parameter.

dotcms -- dotcms
  Published: 2016-11-14 | CVSS: 6.5 | CVE-2016-8905 | Source: MISC
  SQL injection vulnerability in the JSONTags servlet in dotCMS before 3.3.1 allows remote authenticated attackers to execute arbitrary SQL commands via the sort parameter.

dotcms -- dotcms
  Published: 2016-11-14 | CVSS: 6.5 | CVE-2016-8906 | Source: MISC
  SQL injection vulnerability in the "Site Browser > Links pages" screen in dotCMS before 3.3.1 allows remote authenticated attackers to execute arbitrary SQL commands via the orderby parameter.

dotcms -- dotcms
  Published: 2016-11-14 | CVSS: 6.5 | CVE-2016-8907 | Source: MISC
  SQL injection vulnerability in the "Content Types > Content Types" screen in dotCMS before 3.3.1 allows remote authenticated attackers to execute arbitrary SQL commands via the orderby parameter.

dotcms -- dotcms
  Published: 2016-11-14 | CVSS: 6.5 | CVE-2016-8908 | Source: MISC
  SQL injection vulnerability in the "Site Browser > HTML pages" screen in dotCMS before 3.3.1 allows remote authenticated attackers to execute arbitrary SQL commands via the orderby parameter.

exponentcms -- exponent_cms
  Published: 2016-11-11 | CVSS: 6.4 | CVE-2016-9272 | Source: CONFIRM
  A Blind SQL Injection Vulnerability in Exponent CMS through 2.4.0, with the rerank array parameter, can lead to site information disclosure and denial of service.

exponentcms -- exponent_cms
  Published: 2016-11-11 | CVSS: 5.0 | CVE-2016-9282 | Source: CONFIRM
  SQL Injection in framework/modules/search/controllers/searchController.php in Exponent CMS v2.4.0 allows remote attackers to read database information via action=search&module=search with the search_string parameter.

exponentcms -- exponent_cms
  Published: 2016-11-11 | CVSS: 5.0 | CVE-2016-9283 | Source: CONFIRM
  SQL Injection in framework/core/subsystems/expRouter.php in Exponent CMS v2.4.0 allows remote attackers to read database information via address/addContentToSearch/id/ and a trailing string, related to a "sef URL" issue.

exponentcms -- exponent_cms
  Published: 2016-11-11 | CVSS: 5.0 | CVE-2016-9284 | Source: CONFIRM
  getUsersByJSON in framework/modules/users/controllers/usersController.php in Exponent CMS v2.4.0 allows remote attackers to read user information via users/getUsersByJSON/sort/ and a trailing string.

exponentcms -- exponent_cms
  Published: 2016-11-11 | CVSS: 5.0 | CVE-2016-9285 | Source: CONFIRM
  framework/modules/addressbook/controllers/addressController.php in Exponent CMS v2.4.0 allows remote attackers to read user information via a modified id number, as demonstrated by address/edit/id/1, related to an "addresses, countries, and regions" issue.

exponentcms -- exponent_cms
  Published: 2016-11-11 | CVSS: 5.0 | CVE-2016-9286 | Source: CONFIRM
  framework/modules/users/controllers/usersController.php in Exponent CMS v2.4.0patch1 does not properly restrict access to user records, which allows remote attackers to read address information, as demonstrated by an address/show/id/1 URI.

git_for_windows_project -- git_for_windows
  Published: 2016-11-11 | CVSS: 4.4 | CVE-2016-9274 | Source: MISC
  Untrusted search path vulnerability in Git 1.x for Windows allows local users to gain privileges via a Trojan horse git.exe file in the current working directory. NOTE: 2.x is unaffected.

linux -- linux_kernel
  Published: 2016-11-16 | CVSS: 4.3 | CVE-2016-7915 | Source: CONFIRM
  The hid_input_field function in drivers/hid/hid-core.c in the Linux kernel before 4.6 allows physically proximate attackers to obtain sensitive information from kernel memory or cause a denial of service (out-of-bounds read) by connecting a device, as demonstrated by a Logitech DJ receiver.

linux -- linux_kernel
  Published: 2016-11-16 | CVSS: 4.3 | CVE-2016-7917 | Source: CONFIRM
  The nfnetlink_rcv_batch function in net/netfilter/nfnetlink.c in the Linux kernel before 4.5 does not check whether a batch message's length field is large enough, which allows local users to obtain sensitive information from kernel memory or cause a denial of service (infinite loop or out-of-bounds read) by leveraging the CAP_NET_ADMIN capability.

novell -- open_enterprise_server_11
  Published: 2016-11-15 | CVSS: 6.4 | CVE-2016-5763 | Source: CONFIRM
  Vulnerability in Novell Open Enterprise Server (OES2015 SP1 before Scheduled Maintenance Update 10992, OES2015 before Scheduled Maintenance Update 10990, OES11 SP3 before Scheduled Maintenance Update 10991, OES11 SP2 before Scheduled Maintenance Update 10989) might allow authenticated remote attackers to perform unauthorized file access and modification.

siemens -- primary_setup_tool
  Published: 2016-11-15 | CVSS: 6.9 | CVE-2016-7165 | Source: CONFIRM
  Unquoted Windows search path vulnerability in Siemens SIMATIC WinCC before 7.0 SP2 Upd 12, 7.0 SP3 before Upd 8, and 7.2 through 7.4; SIMATIC WinCC (TIA Portal) Basic, Comfort, Advanced before 14; SIMATIC WinCC Runtime Professional; SIMATIC WinCC (TIA Portal) Professional; SIMATIC STEP 7 5.x; SIMATIC STEP 7 (TIA Portal) before 14; SIMATIC NET PC-Software before 14; TeleControl Server Basic before 3.0 SP2; SINEMA Server before 13 SP2; SIMATIC PCS 7 through 8.2; SINEMA Remote Connect Client; SIMATIC WinAC RTX 2010 SP2; SIMATIC WinAC RTX F 2010 SP2; SIMATIC IT Production Suite; SOFTNET Security Client 5.0; SIMIT 9.0; Security Configuration Tool (SCT); and Primary Setup Tool (PST), when the installation does not use the %PROGRAMFILES% directory, might allow local users to gain privileges via a Trojan horse executable file.

wireshark -- wireshark
  Published: 2016-11-17 | CVSS: 4.3 | CVE-2016-9372 | Source: CONFIRM
  In Wireshark 2.2.0 to 2.2.1, the Profinet I/O dissector could loop excessively, triggered by network traffic or a capture file. This was addressed in plugins/profinet/packet-pn-rtc-one.c by rejecting input with too many I/O objects.

wireshark -- wireshark
  Published: 2016-11-17 | CVSS: 4.3 | CVE-2016-9373 | Source: CONFIRM
  In Wireshark 2.2.0 to 2.2.1 and 2.0.0 to 2.0.7, the DCERPC dissector could crash with a use-after-free, triggered by network traffic or a capture file. This was addressed in epan/dissectors/packet-dcerpc-nt.c and epan/dissectors/packet-dcerpc-spoolss.c by using the wmem file scope for private strings.

wireshark -- wireshark
  Published: 2016-11-17 | CVSS: 4.3 | CVE-2016-9374 | Source: CONFIRM
  In Wireshark 2.2.0 to 2.2.1 and 2.0.0 to 2.0.7, the AllJoyn dissector could crash with a buffer over-read, triggered by network traffic or a capture file. This was addressed in epan/dissectors/packet-alljoyn.c by ensuring that a length variable properly tracked the state of a signature variable.

wireshark -- wireshark
  Published: 2016-11-17 | CVSS: 4.3 | CVE-2016-9375 | Source: CONFIRM
  In Wireshark 2.2.0 to 2.2.1 and 2.0.0 to 2.0.7, the DTN dissector could go into an infinite loop, triggered by network traffic or a capture file. This was addressed in epan/dissectors/packet-dtn.c by checking whether SDNV evaluation was successful.

wireshark -- wireshark
  Published: 2016-11-17 | CVSS: 4.3 | CVE-2016-9376 | Source: CONFIRM
  In Wireshark 2.2.0 to 2.2.1 and 2.0.0 to 2.0.7, the OpenFlow dissector could crash with memory exhaustion, triggered by network traffic or a capture file. This was addressed in epan/dissectors/packet-openflow_v5.c by ensuring that certain length values were sufficiently large.

xmlsoft -- libxml2
  Published: 2016-11-15 | CVSS: 6.8 | CVE-2016-9318 | Source: MISC
  libxml2 2.9.4 and earlier, as used in XMLSec 1.2.23 and earlier and other products, does not offer a flag directly indicating that the current document may be read but other files may not be opened, which makes it easier for remote attackers to conduct XML External Entity (XXE) attacks via a crafted document.

Low Severity Vulnerabilities

There were no low severity vulnerabilities recorded this week.

• Sources: http://nvd.nist.gov (for more information, visit the National Vulnerability Database (NVD), which contains a database of every vulnerability that has ever been published).

Uganda Communications Commission – UGCERT
Email: [email protected]
Tel: +256 414 302 100/150
Toll Free: 0800 133 911
Web: www.ug-cert.ug
Facebook / Twitter: UGCERT