Android August security bulletin, Cisco and NVIDIA fix critical flaws, and more: Patch Tuesday - Week 1, August 2019

Canonical

Canonical has released updates to address a number of security issues in Ubuntu. The security flaws existed in the OS kernels, libraries and other applications meant for Ubuntu. Flaws included deserialization, integer overflow, and input-related issues that could lead to denial-of-service (DoS), arbitrary code execution or information disclosure (ID).

Some of the applications that housed the vulnerabilities are Sigil, Mercurial and Burrows-Wheeler Aligner, GLib (library) among others. The updates address all the flaws in these applications.

The advisories can be found here.

Cisco

Cisco fixed two critical flaws that impacted its 220 Series Smart Switches. The flaws are a remote code execution(RCE) vulnerability (CVE-2019-1913) and an authentication bypass flaw (CVE-2019-1912). While the latter had a CVSS score of 9.1, the code execution flaw scored 9.8 on CVSS. Both the vulnerabilities have been addressed by Cisco with software updates.

Cisco also addressed a medium-severity command injection issue (CVE-2019-1914) in the switches. Apart from these, the company has addressed other medium-severity bugs in Cisco Unified Computing System(UCS) and Cisco Identity Services Engine (ISE).

CNCF

In a security audit, Cloud Native Computing Foundation (CNCF), which maintains the Kubernetes container platform, found 34 vulnerabilities in the code for Kubernetes. Among them, four were high-severity flaws, 15 medium-severity, eight low-severity and seven informational severity flaws. As of now, CNCF has resolved two flaws, CVE-2019-11247 and CVE-2019-11249. These are fixed in Kubernetes 1.13.9, 1.14.5, and 1.15.2.

Google

Google has released the August 2019 security patch for its Android platform. The security patch which is split into two patch levels (2019-08-01 and 2019-08-05) fixes 26 flaws altogether in the OS. Among the flaws, a code execution flaw (CVE-2019-2130) present in the System component was reported as the most severe vulnerability, followed with a critical flaw in Broadcom component. The remaining flaws are marked as high-severity.

The August update also addresses two serious flaws that were discovered in Qualcomm chips earlier.

HP

A medium-severity bug in HP InkJet printers was resolved by HP this week. The flaw, reported as CVE-2019-6332, could be exploited to perform cross-site scripting (XSS) attacks through the printers. It has a CVSS score of 5.1 and has been addressed with a software update.

A complete list of affected printer products can be found here.

NVIDIA

Major security vulnerabilities that were present in NVIDIA SHIELD TV and NVIDIA GPU Display Driver are patched by NVIDIA. The flaws in these products could lead to DoS, escalation of privilege or RCE. The most critical flaw was an input validation issue (CVE‑2018‑6241) in SHIELD TV, which received a CVSS score of 9.8. Regarding the flaws in GPU display driver, they affect GeForce, Quadro, NVS and Tesla GPUs for Windows systems.

More details on the updates can be found here.

Red Hat

Red Hat has released security updates to address numerous flaws impacting its RHEL distributions. The flaws were present in third-party applications as well as in kernels of RHEL. Some of the affected applications were LibreOffice, IcedTea and systemd. Flaws remediated included stack overflow, integer overflows, buffer overflows, out-of-bounds read, among others. Users are advised to update to the latest version of all the components to resolve the issues. The security advisories can be found here.

VMware

VMware has resolved two high severity security bugs that were present in vSphere ESXi, Workstation and Fusion products. The first was an out-of-bounds read vulnerability (CVE-2019-5521) while the second one was an out-of-bounds write vulnerability (CVE-2019-5684). Exploiting the flaws could either lead to ID or a DoS condition. VMware mentions that the flaws could be exploited only if attackers have access to a virtual machine with 3D graphics enabled.