Android July updates, VMware fixes SACK vulnerabilities, Cisco security updates, and more: Patch Tuesday - Week 1, July 2019
Cisco has released software updates to address major vulnerabilities in its Data Center Network Manager and DNA Center products. While DNA Center had a severe authentication bypass flaw (CVE-2019-1848), Data Center Network Manager housed two critical security flaws: a remote code execution (RCE) vulnerability (CVE-2019-1620) and an authentication bypass issue (CVE-2019-1619). Both flaws have a CVSS score of 9.8. Cisco has fixed them in a software update.
Other addressed flaws include medium- and high-severity issues in Data Center Network Manager and a denial-of-service (DoS) issue in Cisco IOS XR software. Users of these products are advised to apply the updates to patch these flaws.
In its July security bulletin, Google addresses multiple critical vulnerabilities found in the Android platform. The bulletin covers 12 flaws in Android as well as 21 vulnerabilities in Qualcomm components. The most serious security issue was an RCE vulnerability in the Media framework component. According to Google, it could allow attackers to execute arbitrary code within the context of a privileged process.
Moreover, five critical flaws and 16 high-severity flaws in Qualcomm components were also patched. These were found in kernel, audio, and other closed-source components. All these fixes will be rolled out in system updates released by device manufacturers.
A medium-severity privilege escalation vulnerability (CVE-2018-3700) in the Intel USB 3.0 eXtensible Host Controller Windows 7 Driver has been addressed by HP. The vulnerability, which affected numerous HP products running Windows 7, was fixed with an update developed by Intel. Users are advised to apply the patch to resolve the flaw. HP products affected by the flaw can be found here.
Red Hat has released numerous software updates to resolve a host of security vulnerabilities across its products. Affected products are Red Hat Enterprise Linux Server, Red Hat Enterprise Linux Desktop, Red Hat OpenStack, Red Hat OpenShift, and Red Hat Satellite. Some of the serious flaws include heap buffer overflows, path traversal vulnerabilities, integer overflow issues, and type confusion vulnerabilities.
The advisories can be found here.
This week, Ubuntu fixed several key security issues stemming from external applications as well as its kernel. The updated applications include Mozilla Thunderbird, ZNC, Django, and bzip2, as well as software libraries such as CImg, poppler, and expat. Vulnerabilities ranged from RCE and DoS to privilege escalation. All these flaws are resolved in the updates released by Ubuntu. The security notices can be found here.
VMware released product updates to fix the dangerous SACK vulnerabilities. These flaws could allow attackers to carry out DoS attacks against affected VMware products. The two flaws, CVE-2019-11477 and CVE-2019-11478, have CVSS scores of 7.5 and 5.3 respectively. Products affected by the flaws include AppDefense, Container Service Extension, Enterprise PKS, Horizon, NSX for vSphere, Integrated OpenStack, and Skyline Collector, amongst others.