Security updates from Apple and Cisco, Drupal’s remedy for critical flaw, and more: Patch Tuesday - Week 4, July 2019
Apple has released a series of security updates this week. This includes the release of iOS 12.4, Safari 12.1.2, macOS Mojave 10.14.6, tvOS 12.4 and watchOS 5.3. In addition, iTunes for Windows, iCloud for Windows, iOS 10 and iOS 9 get new security updates.
The updates address multiple security issues in components of these products, including out-of-bounds reads, use-after-free bugs, improper validation and memory corruption. Depending on the component, these flaws could lead to arbitrary code execution or universal cross-site scripting (XSS) attacks.
Users are advised to install the latest updates as applicable. The details of the updates can be found here.
Cisco has fixed several major flaws affecting some of its products. Among these flaws, one was a critical authentication bypass vulnerability (CVE-2019-1917) in Cisco Vision Dynamic Signage Director. The flaw could allow attackers to execute arbitrary actions through the REST API in this product. It has a CVSS score of 9.1.
Other products that contained high and medium-severity flaws were Cisco Enterprise License Manager, Cisco NX-OS Software, Cisco FindIT Network Management Software, Cisco IOS Access Points Software, Cisco Industrial Network Director, Cisco Identity Services Engine and software for Cisco Small Business switches. The flaws are addressed through software updates.
The advisories can be found here.
Drupal addressed a critical flaw that affected Drupal 8.7.4. Tracked as CVE-2019-6342, the vulnerability is reported to be an access bypass flaw. It exists in the Workspaces module when that module is enabled in Drupal 8.7.4. Other versions of Drupal, such as Drupal 8.7.3 and earlier, Drupal 8.6.x and earlier, and Drupal 7.x, are not affected.
Drupal has suggested disabling the module as a workaround for the flaw. Furthermore, sites behind reverse proxy caches are advised to clear those caches as well.
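As an added example (not code from the original post, and not Drupal's or the module's own tooling), the following POSIX shell script checks whether a site is on the affected release with the Workspaces module enabled and, if so, applies the suggested workaround. It assumes Drush 9 is on the PATH and that it runs from the Drupal root; the `drush status`, `drush pm:list`, `drush pm:uninstall` and `drush cache:rebuild` commands are Drush's own, while the `SAMPLE_LISTING` output and the reverse-proxy purge step are constructed placeholders. Note that Drupal 8 has no "disabled" state for modules, so "disabling" Workspaces in practice means uninstalling it.

```shell
#!/bin/sh
# Added example, not from the original post or from Drupal: detect a Drupal
# 8.7.4 site with the Workspaces module enabled (CVE-2019-6342) and apply the
# suggested workaround (remove the module, then rebuild caches).
# Assumptions: Drush 9 on PATH, run from the Drupal root; the reverse-proxy
# purge is deployment-specific and left as a placeholder.

# Succeeds (exit 0) when a `drush pm:list` listing read from stdin shows the
# Workspaces module as enabled. Kept separate from the drush call so it can
# be exercised against constructed output.
workspaces_enabled() {
  grep -Ei 'Workspaces \(workspaces\)[[:space:]]+Enabled' >/dev/null
}

# Succeeds only for 8.7.4, the single release the advisory names as affected.
is_affected_version() {
  [ "$1" = "8.7.4" ]
}

# Constructed sample of `drush pm:list --type=module --status=enabled` output,
# used when drush is not available so the script can be tried offline.
SAMPLE_LISTING='Package  Name                     Status   Version
Core     System (system)          Enabled  8.7.4
Core     Workspaces (workspaces)  Enabled  8.7.4'

main() {
  if command -v drush >/dev/null 2>&1; then
    version=$(drush status --field=drupal-version 2>/dev/null)
    listing=$(drush pm:list --type=module --status=enabled 2>/dev/null)
    live=1
  else
    version="8.7.4"            # constructed value matching SAMPLE_LISTING
    listing=$SAMPLE_LISTING
    live=0
  fi

  if ! is_affected_version "$version"; then
    echo "Drupal $version is not the affected release (8.7.4); nothing to do."
    return 0
  fi
  if ! printf '%s\n' "$listing" | workspaces_enabled; then
    echo "Drupal $version: Workspaces not enabled; CVE-2019-6342 does not apply."
    return 0
  fi

  echo "Drupal $version with Workspaces enabled: applying workaround."
  if [ "$live" -eq 1 ]; then
    # Drupal 8 modules cannot be disabled, only uninstalled.
    drush pm:uninstall -y workspaces
    drush cache:rebuild
    # Placeholder: purge the reverse proxy / CDN cache with the site's own
    # command (e.g. a Varnish ban); it is not standardised across deployments.
    echo "Reminder: purge the reverse proxy cache (site-specific command)."
  else
    echo "(dry run, drush not found) would run:" \
         "drush pm:uninstall -y workspaces && drush cache:rebuild"
  fi
  return 0
}

main "$@"
```

Running the script on a host without Drush exercises the detection logic against the constructed listing and prints the commands it would run; on a real site it applies them. Once the site is updated to a fixed Drupal release, the module can be reinstalled.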
A major vulnerability in the Intel Processor Diagnostic Tool has recently been resolved by Intel. The flaw is reported to be an improper access control issue that could lead to privilege escalation, information disclosure or denial of service (DoS) conditions. Tracked as CVE-2019-11133, it has a CVSS score of 8.2 and has been patched in version 4.1.2.24. This latest version can be found here.
In a series of advisories published in the past seven days, Red Hat has addressed multiple security issues in a number of applications, both its own and third-party software shipped for its platform. The fixes cover, among others, the OpenJDK implementations in Red Hat Enterprise Linux (RHEL) Server products. OpenJDK had numerous security issues that could lead to incidents such as partial DoS attacks and unauthorized access.
Apart from this, Red Hat has also released security updates for its JBoss Middleware, addressing a number of deserialization issues and remote code execution flaws in that product.
Multiple Linux kernel vulnerabilities in Ubuntu OS have been remedied by Canonical. Flaws included use-after-free issues, integer overflows and race conditions that could either lead to DoS or information disclosure incidents.
Canonical has also fixed flaws in software such as Evince, ClamAV, Thunderbird, and LibreOffice for Ubuntu. Along with this, the company has patched vulnerabilities in the Squid server software and ‘libmspack’ library.