Vulnerabilities Weekly Summary Ending March 18

By Jerry Adams on March 17, 2016

VMware reported that a vulnerability, CVE-2016-2075, in their vRealize Automation and vRealize Business Advanced products may allow a Cross-Site Scripting (XSS) attack which could lead to a compromise of the user’s PC. This vulnerability is only present on the Linux versions of the products, and VMware has released patches (“VMSA-2016-0003”, Mar. 15 2016).

Mozilla reported a buffer over-read vulnerability, CVE-2016-2802, in their Firefox browser and Thunderbird email client, caused by the Graphite 2 font library. Specifically, stack corruption can be induced if a malicious Graphite font is loaded, causing the browser to crash. Another related vulnerability, CVE-2016-2799, can cause uninitialized memory, out-of-bounds read, and out-of-bounds write errors if invalid data is entered. Mozilla released patches to fix these vulnerabilities (Fuhrmannek, H. & Smith, T., Mar. 8 2016).

Lastly, Hewlett-Packard announced three vulnerabilities. CVE-2016-1988 and CVE-2016-1989 affect HPE Network Automation. CVE-2016-1992 affects ArcSight ESM. Specifics of the vulnerabilities were not announced, beyond stating that they could allow remote execution of code that may disclose sensitive information (“HPSBGN03444 rev.1”, Mar 3 2016) (“HPSBGN03558 rev.1”, Mar 3 2016).

References

VMware Inc. (2016 Mar 15). “VMSA-2016-0003”. Retrieved from http://www.vmware.com/security/advisories/VMSA-2016-0003.html on March 17 2016.
Fuhrmannek, H. & Smith, T. (2016 Mar 8). “Font vulnerabilities in the Graphite 2 library”. Mozilla Foundation. Retrieved from https://www.mozilla.org/en-US/security/advisories/mfsa2016-37/ on March 17 2016.
Hewlett Packard Enterprise Development LP. (2016 Mar 3). “HPSBGN03444 rev.1 – HPE Network Automation, Remote Code Execution, Disclosure of Sensitive Information”. Retrieved from http://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-c05030906 on March 17 2016.
Hewlett Packard Enterprise Development LP. (2016 Mar 3). “HPSBGN03558 rev.1 – ArcSight ESM and ESM Express, Remote Disclosure of Sensitive Information”. Retrieved from https://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-c05048753 on March 17 2016.