Oracle's numerous updates, Fixes for LenovoEMC NAS and Cisco products, and more: Patch Tuesday - Week 3, July 2019
Cisco has fixed four high-severity flaws in the past seven days. These vulnerabilities were present in Cisco IOS, Cisco ASA and FTD software products. Among them, the cross-site request forgery flaw (CVE-2019-1904) in Cisco IOS XE had the highest severity, with a CVSS score of 8.8. The remaining flaws were denial-of-service (DoS) issues in Cisco IOS XR, Cisco ASA, and FTD (CVE-2018-0473, CVE-2019-1873, CVE-2019-1849).
Along with this, Cisco has also patched a medium-severity flaw (CVE-2018-15393) in its Content Security Management Appliance (SMA) software.
Users of these products are advised to apply software updates released by Cisco.
Numerous vulnerabilities in Citrix's SD-WAN products were patched in the last seven days. These vulnerabilities allowed attackers to execute commands as root on the affected products and to alter root privileges. The affected products also include NetScaler SD-WAN. In addition to releasing patches, Citrix has recommended that users restrict access to the management console present in these products.
Lenovo has fixed a major information disclosure (ID) flaw (CVE-2019-6160) that potentially exposed terabytes of data from its LenovoEMC NAS products. In addition, it has also addressed a privilege escalation vulnerability (CVE-2018-18095) in the firmware of Intel SSD for Data Centers (DC) S4500/S4600 Series drives. Although the ID flaw was Lenovo-specific, the Intel flaw affected all devices that used these SSDs, including Lenovo products such as System x, ThinkServer, and ThinkSystem.
Oracle has rolled out a massive Critical Patch Update containing 319 security updates. These address security flaws across its various product lines and also include security fixes for the Java SE product. Some of the product lines covered in this update are Application Express, Diagnostic Assistant, Enterprise Manager, JD Edwards, Fusion Middleware, MySQL, Oracle Financial Services Applications, Oracle Supply Chain Products, Oracle Banking Platform and many more.
Red Hat released a string of updates to address various flaws, mainly those affecting its Enterprise Linux (RHEL) product lines. However, these flaws were in applications that run on RHEL, such as vim, Keepalived, Thunderbird, and Firefox. The flaws ranged from deserialization issues to arbitrary code execution. Furthermore, vulnerabilities in JBoss Middleware were also patched by Red Hat.
The latest software updates from Ubuntu fix multiple vulnerabilities in certain libraries, codecs, and servers. The affected programs include Squid, WavPack, NSS, Redis, Zipios, FlightCrew, and Exiv2. Most of the flaws in these programs are DoS issues stemming from faulty program behaviour. Users of these applications are advised to update to the latest versions to mitigate the flaws.