Cisco’s security updates, Mozilla Firefox 67, Ubuntu patch for Wireshark vulnerabilities and more: Patch Tuesday - Week 2, May 2019
Cisco has published a total of 47 security advisories in the last seven days. The advisories address multiple vulnerabilities found across a range of Cisco’s products. The vulnerabilities include hardware tampering, denial-of-service (DoS), information disclosure (ID), arbitrary code execution (ACE), privilege escalation (PE) and command injection. The most serious flaws patched are the three critical ACE flaws (CVE-2019-1821, CVE-2019-1822, and CVE-2019-1823) found in Cisco Prime Infrastructure and Cisco Evolved Programmable Network.
Other high-impact flaws that are fixed include a PE flaw in Cisco Nexus 9000 Series ACI, an ID flaw in Cisco Video Surveillance Manager, a DoS vulnerability in the EVPN implementation of Cisco IOS XR software, SQL injection flaws in Cisco Prime Infrastructure, a DoS vulnerability in Cisco Small Business Series Switches, ACE flaws in Cisco Webex Network Recording Player and a DoS issue in Cisco IOS XR for Cisco ASR 9000 series.
The remaining advisories address medium-severity flaws found in products such as NX-OS, FXOS, Cisco Firepower, Cisco Nexus 3000 and 9000 series. Users are advised to update the software in affected products to the latest version.
HP has released security updates to remediate 13 vulnerabilities associated with Intel CSME, Trusted Execution Engine and Intel Active Management Technology. The flaws remedied include escalation of privilege, DoS and ID vulnerabilities. In addition, HP is bringing out updates to mitigate the critical MDS flaws which surfaced last week. These flaws are associated with Intel’s CPUs. Users are advised to apply these security updates as and when they are available.
Intel has issued fixes for a host of security vulnerabilities it discovered last week. The high-impact vulnerabilities were found in Intel Converged Security & Management Engine (Intel CSME), Intel Server Platform Services, Intel Trusted Execution Engine Interface, Intel Dynamic Application Loader, and Intel Active Management Technology.
The vulnerabilities included Escalation of Privilege, DoS and ID flaws. Intel has also recommended that users of the affected products update to the latest version.
Mozilla has released Firefox 67, a new version of its popular browser, which fixes some severe security vulnerabilities that were found in earlier versions. The new version mainly patches memory safety bugs identified in Firefox 66. Altogether, 21 security bugs are addressed in Firefox 67. The vulnerabilities primarily consisted of use-after-free errors and buffer overflows, among others.
In addition, Mozilla has announced new versions of Firefox ESR (version 60.7) and its email client Thunderbird (version 60.7). These releases also mitigate security flaws present in previous versions.
Ubuntu has released software updates to address major security vulnerabilities discovered in many software products, notably Wireshark and MediaInfo. Wireshark for Ubuntu 18.10, 18.04 LTS and 16.04 LTS incorrectly handled certain input. An attacker could exploit this flaw to crash the application. Similarly, MediaInfo for Ubuntu 19.04, 18.10 and 18.04 LTS incorrectly handled multimedia files, which attackers could leverage to carry out DoS attacks.
Numerous security flaws in WebKitGTK+ (for Ubuntu 19.04, 18.10 and 18.04 LTS) were also mitigated with an update. Other vulnerabilities addressed by Ubuntu lay in the curl, PHP, Firefox, urllib3, LibRaw, and libvirt components. Users are advised to update to the latest version to resolve the issues.