Oracle’s massive April Update, Cisco’s NX-OS fix and many more: Patch Tuesday - Week 3, April 2019

Apache

Apache has released security updates to fix a serious Remote Code Execution (RCE) flaw that existed in its open-source software Apache Tomcat. The flaw affected Tomcat versions starting from 8.5.0 to 8.5.39, and was caused by the Java Runtime Environment package which incorrectly handled command line arguments to Windows.

Users are advised to update to the version 8.5.40 which remediates this flaw.

Cisco

In the last week, Cisco addressed a couple of major vulnerabilities existing in its products. NX-OS and RV320/RV325 routers were the two products affected by these security bugs. While one flaw was concerning image signatures, the other one affected a web service. Following are the advisories published by Cisco which are described in brief.

• Cisco NX-OS Software Image Signature Verification Vulnerability: The Image Signature Verification feature in Cisco NX-OS Software contained a flaw that could allow attackers to gain admin-level privileges which can then be misused to install malicious software images. Improper verification of digital signatures in software images resulted in this flaw. Cisco has fixed this flaw with a patch which also involves a BIOS upgrade.
• Cisco Small Business RV320 and RV325 Routers Online Help Reflected Cross-Site Scripting Vulnerability: The Online Help web service in Cisco’s RV320 and RV325 routers had a flaw that could allow attackers to launch reflected cross-site scripting (XSS) attacks against those who used Online Help. The web service incorrectly validated user-input that resulted in the flaw. Cisco has cited there are no workarounds for this flaw and has advised users to keep the routers updated to the latest version.

Red Hat

Red Hat has published two security advisories for vulnerabilities that affected many of its products. Vulnerabilities include information disclosure, authentication bypass, and open redirect flaw. Below are the advisories released by Red Hat.

• RHSA-2019:0765: rh-python36 had an information disclosure flaw which affected Red Hat Software Collections (RHSCL). The flaw was due to a function known as urlsplit that not handle NFKC normalization in Python. Red Hat has resolved this with a patch.
• RHSA-2019:0766: The mod_auth_mellon module in Apache HTTP servers had an authentication bypass along with an open redirect flaw that could attackers to launch phishing attacks. These flaws affected Red Hat Enterprise Linux Server products. Three patches made available by Red Hat remediate these two flaws.

Oracle

The April 2019 update bundle released by Oracle patches around 300 flaws found in Oracle’s enterprise software products. Some of the well-known products addressed in the update include Fusion Middleware, PeopleSoft applications, Oracle Database, MySQL, JavaSE, among others.

The updates address 53 vulnerabilities alone in Fusion Middleware, followed by MySQL which had 44 vulnerabilities. In addition, the updates resolve five critical remote code execution (RCE) vulnerabilities found in Java SE.

Users can find the complete advisory here.

Siemens

Siemens has published 11 security advisories that address multiple vulnerabilities in its industrial products. One of the critical flaws fixed by Siemens is a denial-of-service (DoS) vulnerability which affects its SIMATIC, SINEC-NMS, SINEMA, SINUMERIK and TeleControl range of products. DoS flaws that affected web server components in some of these products were also fixed.

Users of these line of products are advised to update to the latest software versions released by Siemens.

Ubuntu

Ubuntu fixes multiple vulnerabilities that were found in OpenJDK 11, libxslt and WebKitGTK+. It has also released a follow-on patch for an earlier issue in Firefox browser. Major vulnerabilities include cross-site scripting attacks, DoS attacks, and arbitrary code execution. Below are the advisories described in brief.

• USN-3949-1: OpenJDK 11 vulnerability: A memory disclosure flaw existed in the OpenJDK Library subsystem. Attackers could use this to expose sensitive information as well as bypass Java sandbox restrictions. Affected version is Ubuntu 18.04 LTS.
• USN-3948-1: WebKitGTK+ vulnerabilities: Multiple security issues were present in WebKitGTK+ Web and JavaScript engines. Attackers could exploit all these to conduct different attacks. Affected versions are Ubuntu 18.10 and Ubuntu 18.04 LTS.
• USN-3947-2: Libxslt vulnerability: This is a parallel update to the one found in USN-3947-1. This update fixes the flaw in Ubuntu 12.04 ESM.
• USN-3947-1: Libxslt vulnerability: The Libxslt application could be made to expose sensitive information through a specially crafted file. Attackers could abuse this to view sensitive information. Affected versions include Ubuntu 18.10, Ubuntu 18.04 LTS, Ubuntu 16.04 LTS, and Ubuntu 14.04 LTS.