Cisco's mid-April updates, Chrome 74, Drupal patches and more: Patch Tuesday - Week 4, April 2019

Cisco

The last seven days saw Cisco publish a number of advisories to address 31 security flaws in some of its router products and software. Out of these flaws, two were marked as critical, six were of high impact and the rest 23 were identified as medium impact. Medium and high-impact vulnerabilities consisted of cross-site scripting (XSS), denial-of-service(DoS), cross-site request forgery (CSRF) and other flaws that led to unauthorized access. The product lines that were primarily affected are wireless LAN controllers, Aironet series access points, and the Umbrella platform.

The two critical flaws, one found in Cisco IOS XR 64-Bit software and the other in Cisco IOS and IOS XE software, could allow attackers to compromise devices with remote attacks. The former could allow internal applications to be accessed without authorization while the latter could let on remote code execution (RCE) attacks on devices.

Cisco has released patches for most of these flaws. Users are advised to update their devices/software to the latest version. The advisories can be found here.

Drupal

For this month, Drupal has released two security advisories which focus on major vulnerabilities found in Drupal core. The vulnerabilities are designated as ‘moderately critical’ by Drupal. The first advisory highlights a severe XSS flaw in Drupal modules associated with jQuery. The flaw affected older versions of Drupal 8.6, Drupal 8.5 and earlier, Drupal 7.

The second advisory details three vulnerabilities in the Symfony PHP framework used by Drupal core. These flaws could result in XSS, RCE attack or an authentication bypass in Drupal core. Drupal 8.6 and Drupal 8.5 are primarily affected.

Users are advised to install the latest update issued by Drupal for all the affected versions. The update details are indicated in the advisories.

Google

Google has released the latest version of its popular browser Chrome for Windows, Mac, and Linux systems. The version, 74.0.3729.108, fixes a total of 39 security vulnerabilities. Five of them were High severity with the rest being labeled as Medium severity. Three of the five High severity flaws were use-after-free (UAF) flaws that could allow attackers to conduct remote attacks. Other important flaws included integer overflow, memory corruption and buffer overflows that spanned across the browser’s features.

Chrome users are advised to update to Chrome 74 to remediate these flaws.

RedHat

RedHat has published a total of 16 security advisories in the past seven days. The advisories address multiple, serious vulnerabilities found across its Enterprise Linux distribution, CloudForms platform and RedHat Single Sign-On(RH-SSO). Out of the 16 advisories released, 12 were labeled as ‘Important’ and the remaining four were considered ‘Moderate’. Major vulnerabilities highlighted in the advisories included out-of-bounds, RCE, server-side request forgery (SSRF), DoS, Information Disclosure(ID) among others.

The flaws are fixed in the updates mentioned in the advisories. They can be found here.

Ubuntu

Numerous vulnerabilities in Ubuntu were fixed this week. Security flaws found in FreeRADIUS, AdvanceCOMP, Dovecot, ZNC, and NTFS-3G for Ubuntu were remediated with the updates. Furthermore, follow-on updates for earlier PHP vulnerabilities were also released. The flaws included RCE, DoS, privilege escalations, and authentication bypass, which were evident for the aforementioned tools. Apart from the usual Ubuntu versions, the latest release - 19.04 was also affected by some of these flaws.

Users are advised to update to the latest version which fixes these flaws. The advisories can be found here.