Monthly updates by Adobe and Microsoft, Siemens fixes critical bugs, Firefox 68 release and more: Patch Tuesday - Week 2, July 2019
Adobe has released security updates to address various vulnerabilities in some of its products. The products include Adobe Bridge CC, Adobe Experience Manager, and Adobe Dreamweaver. Although none of the flaws were deemed critical, they were of high severity. The flaws include an out-bounds read(CVE-2019-7963) in Bridge CC, cross-site request forgery (CVE-2019-7953) and cross-site scripting (CVE-2019-7954, CVE-2019-7955) flaws in Experience Manager, and DLL hijacking issue (CVE-2019-7956) in Dreamweaver.
Users are recommended to update to the latest versions which are mentioned in the advisories (linked above).
In the last seven days, Cisco patched 10 high-severity vulnerabilities that existed in its numerous products. The affected products include Cisco Unified Communications, Cisco Small Business Series, Cisco Web Security Appliance, Cisco Enterprise NFV Infrastructure, Cisco Jabber, and Cisco Nexus 9000 Series. Along with this, several medium-severity flaws were also fixed by Cisco. The flaws were include denial-of-service (DoS), cross-site scripting, command injection, among others.
In addition, Cisco also addressed issues found in Small Business 250/350/350X/550X Series Switches Firmware that were reported by a consulting firm.
The SACK Panic vulnerability and resource usage issue in Hypervisor have been fixed by Citrix. While the SACK Panic flaw (CVE-2019-11477) allowed an attacker to crash the storage network, the resource usage issue (CVE-2019-11478) would spike the memory and processor load in Citrix Hypervisor. Hotfixes have been released by Citrix to mitigate these two issues. In addition, it is also notifying affected customers and channel partners.
In a pair of advisories, Intel has addressed two security flaws found in Intel Processor Diagnostic Tool and Intel Solid State Drives. While the former had an improper access control flaw (CVE-2019-11133), the latter had an authentication issue (CVE-2018-18095) leading to privilege escalation. CVE-2019-11133, rated as high-severity, could lead to privilege escalation, RCE, and information disclosure incidents.
As part of its Patch Tuesday for July, Microsoft has fixed a total of 77 vulnerabilities for a range of products. Among these flaws, 14 were rated ‘critical’, 62 as ‘important’ and one was rated ‘moderate’. All the critical flaws are remote code execution (RCE) issues which affected browsers and server products. Following are the affected products fixed with security updates:
- Microsoft Windows
- Internet Explorer
- Microsoft Edge
- Microsoft Office and Microsoft Office Services and Web Apps
- Azure DevOps
- Open Source Software
- .NET Framework
- SQL Server
- Visual Studio
- Microsoft Exchange Server
Users are advised to apply these updates immediately. The release notes for the updates can be found here.
With the release of Firefox 68, Mozilla has addressed 21 major vulnerabilities that were present in the popular open source browser. Among them, Mozilla resolved two critical memory safety bugs that existed in earlier versions. Other flaws include use-after-free, out-of-bounds read, parsing, and sanitization errors.
Similarly, Mozilla has addressed security issues in Firefox ESR with the release of version 60.8. Just like Firefox, memory safety bugs found in ESR were also remediated. Users are recommended to update to this latest version.
Siemens has released security updates to address numerous vulnerabilities in its industrial products as well as software. With this, Siemens has also addressed critical issues such as BlueKeep vulnerability, and MDS issues, that affected its products. Flaws ranging from DoS issues to cross-site scripting and improper authentication in certain products were fixed with patches. The products affected by these flaws are SIMATIC WinCC, SIMATIC PCS7, SIMATIC RF6XXR, CP1604 and CP1616 devices, SIPROTEC 5 relays, DIGSI 5, Advanced Therapy Products from Siemens Healthineers.
VMware ESXi was affected by a partial DoS vulnerability (CVE-2019-5528) which was patched by the company recently. The flaw occurred due to multiple failed login attempts that would make ESXi unresponsive. Attackers could subsequently disconnect ESXi from vCenter leaving it in a DoS condition.
VMware has come up with both patches and workarounds for this issue. Users are recommended to apply these patches for remediation.
Ubuntu has addressed multiple software and kernel security issues in the past seven days. This includes flaws that could lead to information disclosure, RCE, or DoS. It has also fixed flaws in other components such as GVFs, Apport, Whoopsie, and Docker. Apart from this, some of the software libraries patched by Ubuntu are librvirt and bzip2. Furthermore, it has released follow-up updates for patches released earlier. The details for the security updates can be found here.