Live555 before 2019.08.16 has a Use-After-Free because GenericMediaServer::createNewClientSessionWithId can generate the same client session ID in succession, which is mishandled by the MPEG1or2 and Matroska file demultiplexors.

CVE-2019-15232

In libssh2 before 1.9.0, kex_method_diffie_hellman_group_exchange_sha256_key_exchange in kex.c has an integer overflow that could lead to an out-of-bounds read in the way packets are read from the server. A remote attacker who compromises a SSH server may be able to disclose sensitive information or cause a denial of service condition on the client system when a user connects to the server. This is related to an _libssh2_check_length mistake, and is different from the various issues fixed in 1.8.1, such as CVE-2019-3855.

New issue

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Conversation 6 Commits 2 Checks 0 Files changed

**Conversation**

misc.c : \_libssh2\_check\_length()

Removed cast and one-lined check.

Credit : Yuriy M. Kaminskiy

misc.c : \_libssh2\_check\_length()

Removed cast and one-lined check. 

Credit : Yuriy M. Kaminskiy

return 0;

  

return ((int)(buf->dataptr - buf->data) <= (int)(buf->len - len)) ? 1 : 0;

return (len <= (size\_t)((buf->data + buf->len) - buf->dataptr));

**Choose a reason for hiding this comment**

The reason will be displayed to describe this comment to others. Learn more.

This weakens the check in case buf->dataptr is already behind buf->data + buf->len because when ((buf->data + buf->len) - buf->dataptr) is negative, the conversion to size_t turns it into a big positive number.

**Choose a reason for hiding this comment**

The reason will be displayed to describe this comment to others. Learn more.

It theoretically does, but dataptr should be greater than or equal to data if the API is used correctly (famous last words, I know). Also, in the original case if dataptr was less than data it would be a negative number which would be less than the test and incorrectly return true, which is also bad. Furthermore, the cast to a signed value from unsigned isn't great and could loose precision.

**Choose a reason for hiding this comment**

The reason will be displayed to describe this comment to others. Learn more.

I think the expression could be split up in several parts to become more readable and then the logic is easier to follow and confirm. Something like:

 char \*endp \= &buf\->data\[buf\->len\];
 size\_t left \= endp \- buf\->dataptr;
 return (len <= left);

it could even protect against the wrap-around case @kdudka mentioned:

 char \*endp \= &buf\->data\[buf\->len\];
 size\_t left \= endp \- buf\->dataptr;
 return ((len <= left) && (left <= buf\->len));

**Choose a reason for hiding this comment**

The reason will be displayed to describe this comment to others. Learn more.

Looks good to me. I'll go ahead and make the change to @bagder's last suggestion.

Updated suggested patch to protect against incorrect usage which could cause a wrap-around value to return success.

**Choose a reason for hiding this comment**

The reason will be displayed to describe this comment to others. Learn more.

Looks good.

Reviewers

 bagder bagder left review comments

 kdudka kdudka approved these changes

CVE-2019-13115: Simplified _libssh2_check_length by willco007 · Pull Request #350 · libssh2/libssh2

Linear eMerge E3-Series devices allow Remote Code Execution (root access over SSH).

Sign up

**Sign up for this Training**

Training Registration

**Registration Complete!**

A confirmation has been sent to the email address provided.

An Applied Risk team member will contact you as soon as possible for further details.

Sign up

**Sign up for this Training**

Resource Download

**Thank you for downloading the whitepaper**

A confirmation has been sent to the email address provided.

If you have any questions, do not hesitate to contact our team of industrial cyber security professionals.

Free Whitepaper

**Download the whitepaper**

Resource Download

**Thank you for downloading the whitepaper**

A confirmation has been sent to the email address provided.

If you have any questions, do not hesitate to contact our team of industrial cyber security professionals.

Apply

**Apply for Resources Overview**

CVE-2019-7265: Resources - Applied Risk

IBM PureApplication System 2.2.3.0 through 2.2.5.3 could allow an authenticated user with local access to bypass authentication and obtain administrative access. IBM X-Force ID: 159467.

**CVEID:** CVE-2016-5699  
**DESCRIPTION:** urllib2 and urllib for Python are vulnerable to HTTP header injection, caused by improper validation of input. By persuading a victim to visit a specially-crafted Web page, a remote attacker could exploit this vulnerability to inject arbitrary HTTP headers, which will allow the attacker to conduct various attacks against the vulnerable system, including cross-site scripting, cache poisoning or session hijacking.  
CVSS Base Score: 6.5  
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/114200 for the current score  
CVSS Environmental Score\*: Undefined  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)

**CVEID**: CVE-2016-8858  
**DESCRIPTION**: OpenSSH is vulnerable to a denial of service, caused by an error in the kex\_input\_kexinit() function. By sending specially crafted data during the key exchange process, a remote attacker could exploit this vulnerability to consume all available memory resources.  
CVSS Base Score: 5.3  
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/118127 for the current score  
CVSS Environmental Score\*: Undefined  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

**CVEID:** CVE-2017-7525  
**DESCRIPTION:** Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by a deserialization flaw within the Jackson JSON library in the readValue method of the ObjectMapper. By sending a specially-crafted request, an attacker could exploit this vulnerability to execute arbitrary code on the system.  
CVSS Base Score: 9.8  
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/134639 for the current score  
CVSS Environmental Score\*: Undefined  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

**CVEID:** CVE-2017-15095  
**DESCRIPTION:** Jackson Library could allow a remote attacker to execute arbitrary code on the system, caused by a deserialization flaw in the readValue() method of the ObjectMapper. By sending specially crafted data, an attacker could exploit this vulnerability to execute arbitrary code on the system.  
CVSS Base Score: 9.8  
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/135123 for the current score  
CVSS Environmental Score\*: Undefined  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

**CVEID:** CVE-2017-17485  
**DESCRIPTION:** Jackson-databind could allow a remote attacker to execute arbitrary code on the system, caused by a flaw in the default-typing feature. An attacker could exploit this vulnerability to execute arbitrary code on the system.  
CVSS Base Score: 9.8  
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/137340 for the current score  
CVSS Environmental Score\*: Undefined  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

**CVEID:** CVE-2018-7489  
**DESCRIPTION:** FasterXML jackson-databind could allow a remote attacker to execute arbitrary code on the system, caused by a deserialization flaw in the readValue method of the ObjectMapper. By sending specially crafted JSON input, an attacker could exploit this vulnerability to execute arbitrary code on the system.  
CVSS Base Score: 7.3  
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/139549 for the current score  
CVSS Environmental Score\*: Undefined  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

**CVEID:** CVE-2018-14721  
**DESCRIPTION:** FasterXML jackson-databind is vulnerable to server-side request forgery, caused by the failure to block the axis2-jaxws class from polymorphic deserialization. A remote authenticated attacker could exploit this vulnerability to obtain sensitive data.  
CVSS Base Score: 5.3  
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/155136 for the current score  
CVSS Environmental Score\*: Undefined  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

**CVEID:** CVE-2018-19360  
**DESCRIPTION:** An unspecified error with failure to block the axis2-transport-jms class from polymorphic deserialization in FasterXML jackson-databind has an unknown impact and attack vector.  
CVSS Base Score: 5.3  
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/155091 for the current score  
CVSS Environmental Score\*: Undefined  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

**CVEID:** CVE-2018-19361  
**DESCRIPTION:** An unspecified error with failure to block the openjpa class from polymorphic deserialization in FasterXML jackson-databind has an unknown impact and attack vector.  
CVSS Base Score: 5.3  
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/155092 for the current score  
CVSS Environmental Score\*: Undefined  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

**CVEID:** CVE-2018-19362  
**DESCRIPTION:** An unspecified error with failure to block the jboss-common-core class from polymorphic deserialization in FasterXML jackson-databind has an unknown impact and attack vector.  
CVSS Base Score: 5.3  
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/155093 for the current score  
CVSS Environmental Score\*: Undefined  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

**CVEID:** CVE-2019-4224  
**DESCRIPTION:** IBM PureApplication System is vulnerable to SQL injection. A remote attacker could send specially-crafted SQL statements, which could allow the attacker to view, add, modify or delete information in the back-end database.  
CVSS Base Score: 6.3  
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/159240 for the current score  
CVSS Environmental Score\*: Undefined  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L)

**CVEID:** CVE-2019-4225  
**DESCRIPTION:** IBM PureApplication System stores potentially sensitive information in log files that could be read by a local user.  
CVSS Base Score: 4.4  
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/159242 for the current score  
CVSS Environmental Score\*: Undefined  
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N)

**CVEID:** CVE-2019-4234  
**DESCRIPTION:** IBM Pure Application System weakness in the implementation of locking feature in pattern editor. An attacker by intercepting the subsequent requests can bypass business logic to modify the pattern to unlocked state.  
CVSS Base Score: 4.3  
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/159416 for the current score  
CVSS Environmental Score\*: Undefined  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N)

**CVEID:** CVE-2019-4235  
**DESCRIPTION:** IBM Pure Application System does not require that users should have strong passwords by default, which makes it easier for attackers to compromise user accounts.  
CVSS Base Score: 5.9  
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/159417 for the current score  
CVSS Environmental Score\*: Undefined  
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)

**CVEID:** CVE-2019-4241  
**DESCRIPTION:** IBM Pure Application System could allow an authenticated user with local access to bypass authentication and obtain administrative access.  
CVSS Base Score: 8.4  
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/159467 for the current score  
CVSS Environmental Score\*: Undefined  
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVE-2019-4241: Security Bulletin: Multiple vulnerabilities affect IBM PureApplication System

A privilege escalation vulnerability exists in SolarWinds Serv-U before 15.1.7 for Linux.

Release date: April 25, 2019

These release notes describe the new features, improvements, and fixed issues in Serv-U File Server 15.1.7. They also provide information about upgrades and describe workarounds for known issues.

If you are looking for previous release notes for Serv-U File Server, see Previous Version documentation.

NPAPI is deprecated in Google Chrome. This means Web Client Pro will not function in Google Chrome. As a workaround, access Web Client Pro using another browser.

**New features and improvements**

Return to top

Serv-U 15.1.7 is a service release containing three hotfixes, and additional fixes, described here.

**Previous releases**

Serv-U 15.1.6 included the following new features and updates:

*   Support for Explicit SSL when connected to SMTP server
*   Support for HTTP Strict Transport Security
*   Support for Elliptic-curve Diffie-Hellman (ECDH) key exchange
*   Forward secrecy is enabled by default (new installations only)
*   TLS 1.0 is disabled by default (new installations only)
*   Disabled SSL/TLS ciphers based on 64-bit block size (new installations only)
*   Support for Secure LDAP protocol (Windows installation only)
*   Various fixes described in the Fixed Issues section.

Serv-U 15.1.5 was a service release containing security fixes, described in the Fixed Issues section.

Serv-U 15.1.4 was a service release containing two hotfixes, described in the Fixed Issues section.

Serv-U 15.1.3 was a service release containing two hotfixes, described in the Fixed Issues section.

For earlier Serv-U 15.x.x releases, please visit the Previous Versions page.

**Fixed issues**

Return to top

Serv-U 15.1.7 fixes the following issues.

 

Case Number

Description

423241

Fixed issue where writing files to disk could cause bottleneck

1197511

Corrected SSL error handling on Socket level

00063383

Fixed issue with service when sending download link to guest user

00068104

Corrected format for X-Csrf-Token HTTP header (FTP Voyager JV)

00159690

Fixed issue with ODBC database validation

00200302

CSRF issues resolved.

00186124

Can now add a user to a collection when the user exists in another collection

00204425

Serv-U no longer deletes incorrect files from directories with delete rules

00229117

Serv-U no longer response incorrectly when empty user name and password is used to log on

00284847

Issues in web management interface fixed

00061457

Special characters from E-mail notification template not sent correctly

00039051, 00081081, 00195143, 00263829, 00260387, 00218061, 1362493, 1338156

Updated jquery libraries

00054823, 1320710, 1335744

Files list returned corrected from LIST Command

00085995, 00201705

CVE-1999-0017 vulnerability fixed.

00187355, 00065590, 00053277, 00105077, 00123871

Multiple issues in SFTP protocol resolved

00240051, 00267281, 00260953, 00280283, 00285641

WinSCP upload issues resolved

n/a

Resolved a privilege escalation issue, logged as CVE-2018-19999 – with thanks to Chris Moberly at The Missing Link.

n/a

Resolved a privilege escalation issue, logged as CVE-2019-12181 – with thanks to Guy Levin (@va\_start).

Serv-U 15.1.6 fixes the following issues.

 

Case Number

Description

961565, 1183341, 887731, 1123968, 1125053, 901145, 1091444, 1131439, 1080928, 796814, 799615, 787936, 1036534

Fixed an issue with limited top level domain.

1050275

Fixed an issue with long timeout where LDAP server was unavailable

166489, 1126605, 914000

Fixed an issue with SSH Ciphers description.

1186645, 979487

Fixed an impersonation issue during downloads.

1039205

Fixed an issue with password stale event.

1086638, 1209329

Fixed an issue with special characters in File Sharing notification template.

1129144, 1115351

Fixed a possible crash of Gateway.

1163543

Fixed an issue with user creation wizard.

1123779

Fixed a memory leak issue related to SFTP sessions.

1231876, 1233371, 1209874

Fixed broken links to support site.

1124857, 1181653, 1215831, 1223871, 1230986, 1241567, 1326419

Fixed an issue with bare line feed character.

Serv-U 15.1.5 fixes the following issues.

 

Case Number

Description

1110916

Fixed potential vulnerability with unauthenticated privilege escalation Reported by – Trustwave SpiderLabs Contact - Leopold von Niebelschuetz-Godlewski

904433, 804380

Fixed an issue with possibility of unauthorized access to the files in installation folder on web server. Reported by – www.netspi.com Contact - Cody Wass (Cody. Wass@netspi.com)

1065565, 1061848, 1056263, 1054225, 1090081, 1045088

Fixed an issue where domain users were not able to login when ldap suffix was used.

741595

Fixed a memory leak issue that occurred during LDAP authentication.

951099, 1065736, 1022993

Fixed a memory leak issue that occurred during SFTP session.

882524, 909979, 871563, 867742, 867834, 981751, 877933

Fixed an issue with "Automatic idle connection timeout" limit.

Serv-U 15.1.4 fixes the following issues.

 

Case Number

Description

991668

ECDHE-RSA-AES256\* ciphers shown as enabled or disabled correctly

954294

Long (encrypted) passwords issue fixed.

984664, 1003106, 993854

OpenSSL vulnerabilities - updated to 1.0.2h

932381

SHA-1 Cert deprecation (Previous cert was due to expire in January 2017)

984485, 887910, 741595

LDAP suffix issue fixed

844572, 894400, 953313, 910253, 881308, 914055, 990080

Web client Favorites fixed.

1005791, 1005383, 990956, 984664, 982577, 966856, 948270, 963296, 941118, 934566, 927375, 917616, 900288, 883047, 885033, 884883, 876306, 876820, 874853, 872968, 857502, 862922, 853433

Serv-U no longer freezes in FIPS mode during SFTP connections.

Serv-U 15.1.3 fixes the following issues.

 

Case Number

Description

872782, 864631

Case sensitivity issues occurred when configuring Directory Access rules.

n/a

An issue with LDAP public key authentication.

n/a

Memory leak occurs during LDAP authentication.

853136

An issue with the expired password change functionality.

868638

An issue with multi-line FTP responses for the FEAT command.

n/a

An issue with the possibility of SQL injection in the invitation link used by secure file sharing.

625348

An issue with the possibility of persistent cross-site scripting in file sharing.

n/a

An issue with the possibility of the injection of additional email headers using a crafter subject in an upload or download request.

**Legal notices**

Return to top

© 2019 SolarWinds Worldwide, LLC. All rights reserved.

This document may not be reproduced by any means nor modified, decompiled, disassembled, published or distributed, in whole or in part, or translated to any electronic medium or other means without the prior written consent of SolarWinds. All right, title, and interest in and to the software, services, and documentation are and shall remain the exclusive property of SolarWinds, its affiliates, and/or its respective licensors.

SOLARWINDS DISCLAIMS ALL WARRANTIES, CONDITIONS, OR OTHER TERMS, EXPRESS OR IMPLIED, STATUTORY OR OTHERWISE, ON THE DOCUMENTATION, INCLUDING WITHOUT LIMITATION NONINFRINGEMENT, ACCURACY, COMPLETENESS, OR USEFULNESS OF ANY INFORMATION CONTAINED HEREIN. IN NO EVENT SHALL SOLARWINDS, ITS SUPPLIERS, NOR ITS LICENSORS BE LIABLE FOR ANY DAMAGES, WHETHER ARISING IN TORT, CONTRACT OR ANY OTHER LEGAL THEORY, EVEN IF SOLARWINDS HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

The SolarWinds, SolarWinds & Design, Orion, and THWACK trademarks are the exclusive property of SolarWinds Worldwide, LLC or its affiliates, are registered with the U.S. Patent and Trademark Office, and may be registered or pending registration in other countries. All other SolarWinds trademarks, service marks, and logos may be common law marks or are registered or pending registration. All other trademarks mentioned herein are used for identification purposes only and are trademarks of (and may be registered trademarks) of their respective companies.

CVE-2019-12181: Serv-U File Server 15.1.7 Release Notes

A Directory Traversal issue was discovered in SSHServerAPI.dll in Progress ipswitch WS_FTP Server 2018 before 8.6.1. An attacker can supply a string using special patterns via the SCP protocol to disclose WS_FTP usernames as well as filenames.

CVE-2019-12143: WS_FTP Server 2018 Release Notes

An issue was discovered on Moxa AWK-3121 1.14 devices. The device by default allows HTTP traffic thus providing an insecure communication mechanism for a user connecting to the web server. This allows an attacker to sniff the traffic easily and allows an attacker to compromise sensitive data such as credentials.

CVE-2018-10690: Moxa_AWK_1121/Moxa_AWK_1121 at master · samuelhuntley/Moxa_AWK_1121

A flaw was found in Exim versions 4.87 to 4.91 (inclusive). Improper validation of recipient address in deliver_message() function in /src/deliver.c may lead to remote command execution.

CVE-2019-10149 Exim 4.87 to 4.91 ================================ We received a report of a possible remote exploit. Currently there is no evidence of an active use of this exploit. A patch exists already, is being tested, and backported to all versions we released since (and including) 4.87. The severity depends on your configuration. It depends on how close to the standard configuration your Exim runtime configuration is. The closer the better. Exim 4.92 is not vulnerable. Next steps: \* t0: Distros will get access to our non-public security Git repo (access is granted based on the SSH keys that are known to us) \* t0+7d: Coordinated Release Date: Distros should push the patched version to their repos. The Exim maintainers will publish the fixed source to the official and public Git repo. t0 is expected to be 2019-06-04, 10:00 UTC t0+7d is expected to be 2019-06-11, 10:00 UTC UPDATE: Details leaked, CRD is re-scheduled to 2019-06-05 15:15 UTC. Timeline -------- \* 2019-05-27 Report from Qualys to exim-security list \* 2019-05-27 Patch provided by Jeremy Harris \* 2019-05-29 CVE-2019-10149 assigned from Qualys via RedHat \* 2019-06-03 This announcement to exim-users, oss-security \* 2019-06-04 10:00 UTC Grant restricted access to the non-public Git repo. \* 2019-06-04 This announcement to exim-maintainers, exim-announce, distros \* 2019-06-05 15:15 UTC Release the fix to the public

CVE-2019-10149

Adobe Acrobat and Reader versions 2019.010.20098 and earlier, 2019.010.20098 and earlier, 2017.011.30127 and earlier version, and 2015.006.30482 and earlier have an out-of-bounds read vulnerability. Successful exploitation could lead to information disclosure .

Security updates available for Adobe Acrobat and Reader | APSB19-17

**Bulletin ID**

**Date Published**

**Priority**

APSB19-17

April 09, 2019

2

Adobe has released security updates for Adobe Acrobat and Reader for Windows and macOS. These updates address critical and important vulnerabilities.  Successful exploitation could lead to arbitrary code execution in the context of the current user.  

Adobe recommends users update their software installations to the latest versions by following the instructions below.  
The latest product versions are available to end users via one of the following methods:

*   Users can update their product installations manually by choosing Help > Check for Updates.
*   The products will update automatically, without requiring user intervention, when updates are detected.
*   The full Acrobat Reader installer can be downloaded from the Acrobat Reader Download Center.  

For IT administrators (managed environments):

*   Download the enterprise installers from ftp://ftp.adobe.com/pub/adobe/, or refer to the specific release note version for links to installers.
*   Install updates via your preferred methodology, such as AIP-GPO, bootstrapper, SCUP/SCCM (Windows), or on macOS, Apple Remote Desktop and SSH.  
    

Adobe categorizes these updates with the following priority ratings and recommends users update their installation to the newest version:

**Vulnerability Category**

**Vulnerability Impact**

**Severity**

**CVE Number**

Out-of-Bounds Read 

Information Disclosure  

Important  

CVE-2019-7061

CVE-2019-7109

CVE-2019-7110

CVE-2019-7114

CVE-2019-7115

CVE-2019-7116

CVE-2019-7121

CVE-2019-7122

CVE-2019-7123

CVE-2019-7127

Out-of-Bounds Write

Arbitrary Code Execution  

Critical   

CVE-2019-7111

CVE-2019-7118

CVE-2019-7119

CVE-2019-7120

CVE-2019-7124 

Type Confusion  

Arbitrary Code Execution  

Critical   

CVE-2019-7117

CVE-2019-7128

Use After Free  

Arbitrary Code Execution  

Critical   

CVE-2019-7088

CVE-2019-7112

Heap Overflow

Arbitrary Code Execution  

Critical   

CVE-2019-7113

CVE-2019-7125

Adobe would like to thank the following individuals and organizations for reporting the relevant issues and for working with Adobe to help protect our customers:   

*   Aleksandar Nikolic of Cisco Talos (CVE-2019-7125) 
    
*   Dhanesh Kizhakkinan of FireEye Inc.(CVE-2019-7113)
    
*   Esteban Ruiz (mr\_me) of Source Incite via Trend Micro's Zero Day Initiative (CVE-2019-7127)
    

*   Bo Qu of Palo Alto Networks and Heige of Knownsec 404 Security Team (CVE-2019-7061) 
    
*   Ke Liu of Tencent Security Xuanwu Lab (CVE-2019-7114, CVE-2019-7115, CVE-2019-7124)
    
*   Steven Seeley (mr\_me) of Source Incite working with iDefense Labs (CVE-2019-7088, CVE-2019-7116, CVE-2019-7117, CVE-2019-7128) 
    
*   Steven Seeley via Trend Micro's Zero Day Initiative (CVE-2019-7127)
    
*   Wei Lei of STARLabs (CVE-2019-7118, CVE-2019-7119, CVE-2019-7120, CVE-2019-7121, CVE-2019-7122, CVE-2019-7123) 
    

*   Xu Peng and Su Purui from TCA/SKLCS Institute of Software Chinese Academy of Sciences and 360 Codesafe Team of Legendsec (CVE-2019-7112)
    
*   Zhiyuan Wang from Chengdu Security Response Center of Qihoo 360 Technology Co. via Trend Micro's Zero Day Initiative (CVE-2019-7109, CVE-2019-7110, CVE-2019-7111) 
    

April 30, 2019: Updated Acknowledgements section

CVE-2019-7061: Adobe Security Bulletin

IBM TRIRIGA Application Platform 3.5.3 and 3.6.0 may disclose sensitive information only available to a local user that could be used in further attacks against the system. IBM X-Force ID: 159148.

  

**Summary**

IBM TRIRIGA Application Platform may disclose sensitive information only available to a local user that could be used in further attacks against the system.

**Vulnerability Details**

**CVEID:** CVE-2019-4207  
**DESCRIPTION:** IBM TRIRIGA Application Platform may disclose sensitive information only available to a local user that could be used in further attacks against the system.  
CVSS Base Score: 4  
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/159128 for the current score  
CVSS Environmental Score\*: Undefined  
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

**Affected Products and Versions**

Affected Tririga

Affected Versions

IBM TRIRIGA Application Platform

3.5.3

IBM TRIRIGA Application Platform

3.6.0

**Remediation/Fixes**

**Product**

**VRMF**

**Remediation/First Fix**

IBM TRIRIGA Application Platform

3.5.3.6

The fix is available for download on FixCentral.

IBM TRIRIGA Application Platform

3.6.0.3

The fix is available for download on FixCentral.

**Workarounds and Mitigations**

None

**References**

Off

**Change History**

03 May 2019: Original version published

\*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

**Disclaimer**

Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.

\[{"Business Unit":{"code":"BU059","label":"IBM Software w\\/o TPS"},"Product":{"code":"SSHEB3","label":"IBM TRIRIGA Application Platform"},"Component":"","Platform":\[{"code":"PF025","label":"Platform Independent"}\],"Version":"3.5.3;3.6.0","Edition":"","Line of Business":{"code":"LOB59","label":"Sustainability Software"}}\]

Tag

#ssh