AMD firmware update, Security enhancements in Magento, and more: Patch Tuesday - Week 4, June 2019
A major security vulnerability in AMD’s Secure Encrypted Virtualization (SEV) due to improper cryptographic implementations was fixed by the chip maker. It was discovered that the encryption keys that AMD SEV used could be compromised by exploiting this vulnerability (CVE-2019-9836). Thus, encryption in virtual machines (VM) using Linux becomes invalid. AMD has patched this flaw in the firmware update released yesterday. VM users running Linux are advised to apply the update immediately. The update can also be found here.
Apple has released a firmware update for its AirPort series of Wi-Fi routers. The updates address serious vulnerabilities which could lead to denial-of-service (DoS) or allowed remote code execution (RCE). Issues that resulted in these vulnerabilities include out-of-bounds read, null pointer dereference, use after free and improper memory handling.
The update, 7.8.1, is available for AirPort Express, AirPort Extreme, and AirPort Time Capsule base stations with 802.11n. Users are advised to update to this version.
Cisco has released software updates to fix two high-severity security flaws existing in specific products. A command injection vulnerability (CVE-2019-1878), found in Cisco TelePresence Endpoint, could allow attackers to execute malicious shell commands. Likewise, a DoS flaw (CVE-2019-1845) in Cisco Unified Communications Manager IM and Presence Service, Cisco TelePresence Video Communication Server, and Cisco Expressway Series could allow attackers to bar authentication to users. Users of these products are suggested to install the software updates.
HP has fixed a serious privilege escalation (PE) vulnerability that was present in its Support Assistant application. It could permit attackers to escalate system privileges and subsequently allowed them to modify directories or files. The flaw (CVE-2019-6328) has been patched in version 8.8 which was released last week.
HP devices running Support Assistant 8.7.50 and earlier are suggested to update to this version.
With the release of Magento 2.3.2, 2.2.9, and 2.1.18, Magento Commerce has provided 75 critical security enhancements that fix multiple vulnerabilities existing in its CMS platform. Vulnerabilities include RCE, cross-site scripting (XSS), information disclosure (ID), cross-site request forgery (CSRF), insecure direct object reference (IDOR), amongst others. The updates cover both Open Source and Commerce variants of the platform.
The company has also announced that it will be ending security support to Magento 2.1.8 and prior versions.
The last seven days saw RedHat release major security updates for its Enterprise Linux (RHEL) and Virtualization products. In a series of advisories published by the company, two of them address critical vulnerabilities (CVE-2019-11707, CVE-2019-11708) found in Firefox that affect RHEL 6 and RHEL 7. Other important updates resolve security issues that were in kernels for RHEL as well as those in Virtualization.
A detailed list of affected products can be found in the advisories which can be found here.
Ubuntu has fixed numerous vulnerabilities that were present in certain software components, libraries, and the Linux kernel. High-impact vulnerabilities included DoS and RCE. The following are the components patched with updates.
- OpenStack Neutron
- Firefox for Ubuntu
- Linux kernel
Users are advised to apply the respective software update provided by Ubuntu. The advisories can be found here.