Multiple enterprise vendors fix security bugs: Patch Tuesday - Week 3, February 2019

Cisco

Cisco has released three security advisories to fix major flaws in its products. They are described below.

1. Cisco Webex Meetings Online Content Injection Vulnerability - This vulnerability allowed remote attackers to inject arbitrary text into a user’s browser when using Cisco Webex.
2. Container Privilege Escalation Vulnerability Affecting Cisco Products : February 2019 - runc CLI tool used by certain Cisco products carried a vulnerability which allowed attackers to execute malicious files in containers leading to a privilege escalation attack.
3. Linux Kernel IP Fragment Reassembly Denial of Service Vulnerability Affecting Cisco Products : August 2018 - This Linux kernel vulnerability would let attackers conduct denial-of-service attacks.

IBM

The big blue company released a firmware update to fix vulnerabilities present in its Power Systems series. The vulnerability affected the Self Boot Engine component in P8 & P9 processors and could be exploited with malicious code to take down the processors’ functionality.

The security bulletin released by IBM can be found here.

Ubuntu

Ubuntu released two security advisories this week to patch moderately severe vulnerabilities in the OS. The two advisories are as follows.

1. USN-3891-1: systemd vulnerability - Vulnerability affected the systemd suite that can be crashed with a malicious D-Bus message. Ubuntu 18.10, 18.04 LTS & 16.04 LTS were the vulnerable versions.
2. USN-3850-2: NSS vulnerabilities - Vulnerabilities concerned the Network Security Service(NSS) library. It could allow attackers to conduct cache-timing attacks.

VMware

The virtualization software maker issued a security update to fix a descriptor vulnerability in runc container runtime. This flaw allows attackers to run arbitrary code in those products. Following are the products patched with the update.

1. VMware Integrated OpenStack with Kubernetes (VIO-K)
2. VMware PKS (PKS)
3. VMware vCloud Director Container Service Extension (CSE)
4. vSphere Integrated Containers (VIC)