[CERT-daily] Tageszusammenfassung - Dienstag 13-12-2016

Tue Dec 13 18:36:21 CET 2016

=======================
= End-of-Shift report =
=======================

Timeframe:   Montag 12-12-2016 18:00 − Dienstag 13-12-2016 18:00
Handler:     Robert Waldner
Co-Handler:  n/a


*** (Adobe) Security Bulletins Posted ***
---------------------------------------------
- Adobe Animate (APSB16-38)
- Adobe Flash Player (APSB16-39)
- Adobe Experience Manager Forms (APSB6-40)
- Adobe DNG Converter (APSB16-41)
- Adobe Experience Manager (APSB16-42)
- Adobe InDesign (APSB16-43)
- Adobe ColdFusion Builder (APSB16-44)
- Adobe Digital Editions (APSB16-45)
- Adobe RoboHelp (APSB16-46)
---------------------------------------------
https://blogs.adobe.com/psirt/?p=1426


*** The importance of cryptography for the digital society ***
---------------------------------------------
Following the Council meeting on 8th and 9th December 2016 in Brussels, ENISA's paper gives an overview into aspects around the current debate on encryption, while highlighting the Agency's key messages and views on the topic.
---------------------------------------------
https://www.enisa.europa.eu/news/enisa-news/the-importance-of-cryptography-for-the-digital-society


*** Vuln: PHP ext/wddx/wddx.c Denial of Service Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/bid/94846


*** Vuln: PHP ext/standard/var.c Incomplete Fix Use After Free Remote Code Execution Vulnerability ***
---------------------------------------------
Use After Free in PHP7 unserialize()
---------------------------------------------
http://www.securityfocus.com/bid/94849


*** Unrestricted Backend Login Backdoor Method Seen in OpenCart ***
---------------------------------------------
>From the attacker's perspective, creating ways to maintain access to a compromised website is desirable. This allows them to further distribute malware and perform different kinds of malicious activities. One of the ways attackers try to secure their access is by adding admin users, or pieces of malicious code throughout the site. This allows them to regain access easily, if needed. However, we recently found a unique way to achieve this kind of breach in OpenCart version 1.5.6.4.
---------------------------------------------
https://blog.sucuri.net/2016/12/unrestricted-backend-login.html


*** State of the Web 2016: Jede zweite Website ist ein Sicherheitsrisiko ***
---------------------------------------------
Schwachstellen im Internet werden immer mehr, stellt Menlo Security in seinem Bericht über den "State of the Web" fest. Eine wichtige Rolle spielt das Nachladen externer Inhalte über Werbe-Netzwerke und Content Delivery Networks.
---------------------------------------------
https://heise.de/-3569114


*** Netgear-Lücke dramatischer als angenommen, erste Sicherheits-Updates ***
---------------------------------------------
Die hochkritische Lücke im Web-Interface betrifft deutlich mehr Netgear-Router als bislang angenommen. Für eine Handvoll Gerät hat der Hersteller inzwischen eine Beta-Firmware herausgegeben, die das Problem löst.
---------------------------------------------
https://heise.de/-3569299


*** IBM Security Bulletins ***
---------------------------------------------
*** IBM Security Bulletin: A vulnerability in IBM Java Runtime affects IBM Installation Manager and IBM Packaging Utility (CVE-2016-5597) ***
http://www-01.ibm.com/support/docview.wss?uid=swg21995588
---------------------------------------------
*** IBM Security Bulletin: IBM SDK, Java Technology Edition Quarterly CPU  Oct 2016 Includes Oracle Oct 2016 CPU affect Content Collector for File Systems ***
https://www-01.ibm.com/support/docview.wss?uid=swg21995474
---------------------------------------------
*** IBM Security Bulletin: Vulnerability CVE-2016-7099 and CVE-2016-5325 in Node.js affects IBM i ***
http://www-01.ibm.com/support/docview.wss?uid=nas8N1021765
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities in OpenSSL affect IBM Enterprise Content Management System Monitor (CVE-2016-6304, CVE-2016-2177) ***
http://www-01.ibm.com/support/docview.wss?uid=swg21995038
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in IBM Java SDK affect IBM Enterprise Content Management System Monitor (CVE-2016-3485) ***
http://www-01.ibm.com/support/docview.wss?uid=swg21995042
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in Samba, BIND and Libreswan affect IBM Netezza Host Management ***
http://www.ibm.com/support/docview.wss?uid=swg21994231
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in Open Source Apache Tomcat , Commons FileUpload affect IBM Enterprise Content Management System Monitor (CVE-2016-3092) ***
http://www-01.ibm.com/support/docview.wss?uid=swg21995043
---------------------------------------------
*** IBM Security Bulletin: Multiple security issues in IBM Tealeaf Customer Experience on Cloud Network Capture Add-On ***
http://www.ibm.com/support/docview.wss?uid=swg21994534
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities in OpenSSL and PHP affect IBM Tealeaf Customer Experience (CVE-2016-2107, CVE-2016-6290, CVE-2016-7125) ***
http://www.ibm.com/support/docview.wss?uid=swg21992307
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities in IBM WebSphere Application Server and IBM Java Runtime affect IBM Tealeaf Customer Experience (CVE-2016-0378, CVE-2016-3485, CVE-2016-5986) ***
http://www.ibm.com/support/docview.wss?uid=swg21994537
---------------------------------------------