Patch Central

Third Party Patch Roundup  – June 2019

As June comes to an end and we slide into the second half of a year that has gone by quickly, security remains a top concern for IT pros: a number of municipalities in Florida were hit by cyberattacks, telcos around the world lost call record data to attackers, client data at Ford and TD Bank (among others) was exposed, cloud solutions provider PCM was hacked, and phishing attacks that bypass two-factor authentication are getting easier to execute.


Malware continues to proliferate, including malicious software targeting Apple’s macOS; LabCorp disclosed that 7.7 million of its customers had their information compromised; and a federal appeals court denied Facebook’s request to dismiss a lawsuit over last year’s data breach, which affected as many as 30 million of its users.

Preventing such incidents matters both to the affected individuals and to the companies that can be held liable for neglecting to protect the privacy of the data they collect and store, especially now that many organizations – even those outside the European Union – fall under the EU’s General Data Protection Regulation (GDPR) requirements.

One of the key elements of a multi-layered security strategy is keeping every connected system and device on your network current with the latest security patches. Software vendors work hard to discover and fix vulnerabilities in their products and cloud services, but even when you move resources to the cloud, security remains a shared responsibility: the provider patches the platform, and you still patch the operating systems, middleware and applications you control on top of it.

This month was a relatively light patching month for most of our vendors. Apple, Adobe, and Mozilla patched fewer vulnerabilities than usual. Let’s take a look at some of those security updates released by popular software companies this month.

Apple

Apple came out with ten patches in May, but this month saw a much lighter slate of new version releases.

  • On June 10, Apple released iOS 12.3.2, an update for the iPhone 8 Plus only. Apple did not publish any CVE entries for this update, but did list it among its security updates for the month. 
  • On June 11, Apple released iCloud for Windows 10.4. This update addresses twenty-five vulnerabilities, most of them in the WebKit component; their consequences include elevation of privilege, reads of restricted memory, arbitrary code execution, disclosure of process memory, and more. 
  • On June 20, Apple released firmware update 7.8.1 for its AirPort Base Station products. This update addresses eight vulnerabilities whose consequences include memory leaks, denial of service, arbitrary code execution, failure to delete user information, and unexpected acceptance of IPv4 packets. 

For more information about the current and past patches and the vulnerabilities that they address, see the Apple Support web site at https://support.apple.com/en-us/HT201222 

Adobe

Adobe released bulletins/advisories for three security updates in June, all of which came out on their usual Patch Tuesday release date, June 11th:

  • APSB19-30 Security updates for Adobe Flash Player for Windows, macOS, Linux and Chrome OS. These updates address a critical vulnerability in Adobe Flash Player. Successful exploitation could lead to arbitrary code execution in the context of the current user. 
  • APSB19-28 Security updates for Adobe Campaign Classic. This update addresses a critical vulnerability that could result in arbitrary code execution.
  • APSB19-27 Security updates for Adobe ColdFusion versions 2018, 2016 and 11. These updates resolve three critical vulnerabilities that could lead to arbitrary code execution. 

Campaign Classic and ColdFusion have smaller user bases, but ColdFusion runs on internet-facing application servers, so the three critical code-execution flaws in APSB19-27 deserve prompt attention wherever it is deployed. Adobe Flash Player has a very widespread installation base across operating system platforms, and the vulnerability APSB19-30 addresses is a critical use-after-free issue that should be patched as soon as possible. 

For more information, see the security bulletin summary at
https://helpx.adobe.com/security.html 

Google

Google released updates throughout the month for its web browser, desktop and mobile operating systems. 

  • On June 3, Google released the monthly Android Security Bulletin, which details vulnerabilities affecting Android devices and the security patch levels that address them. The most severe of these issues is a critical vulnerability in the Media framework that could enable a remote attacker using a specially crafted file to execute arbitrary code within the context of a privileged process. https://source.android.com/security/bulletin/2019-06-01 
  • On June 18, Google released a stable channel update for its desktop web browser, Chrome version 75.0.3770.100 for Windows, Mac, and Linux.  You can find a list of changes in the log. https://chromereleases.googleblog.com/2019/06/stable-channel-update-for-desktop_18.html 
  • On June 26, Google released a stable channel update for Chrome OS, build 12105.75.0, for most Chrome OS devices. This build contains a number of bug fixes and security updates. Specifically, it addresses Microarchitectural Data Sampling (MDS), a group of vulnerabilities that allow an attacker to potentially read sensitive data. Because a sibling hyperthread can sample the affected CPU buffers even after microcode mitigations are applied, Chrome OS has disabled Hyper-Threading by default since version 74. https://chromereleases.googleblog.com/2019/06/stable-channel-update-for-chrome-os-m75.html 
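
The Hyper-Threading note above, and the Intel microcode item (USN-3977-3) in the Linux list further down, come down to one point: updated microcode lets the kernel clear the affected CPU buffers on privilege transitions, but a sibling hyperthread on the same core can still sample them, so complete MDS mitigation also requires turning SMT off. Linux reports both facts in sysfs. The following Python script is added here for illustration and is not Google's or Ubuntu's code; the sysfs strings follow the kernel's documented format for /sys/devices/system/cpu/vulnerabilities/mds and /sys/devices/system/cpu/smt/control, and the fleet inventory is constructed.

```python
"""MDS exposure check from Linux sysfs reporting.

Added illustration for this roundup; not Chrome OS or Ubuntu code.  The
sysfs strings follow the kernel's documented format; the fleet inventory
below is constructed.
"""
from typing import Dict, List, Optional, Tuple

MDS_PATH = "/sys/devices/system/cpu/vulnerabilities/mds"
SMT_PATH = "/sys/devices/system/cpu/smt/control"


def classify_mds(mds_line: str, smt_control: str) -> Dict[str, object]:
    """Turn the two sysfs values into a verdict and a recommended action.

    mds_line examples (kernel format):
      "Not affected"
      "Vulnerable"                                    - no mitigation at all
      "Vulnerable: Clear CPU buffers attempted, no microcode; SMT vulnerable"
      "Mitigation: Clear CPU buffers; SMT vulnerable" - microcode ok, HT still on
      "Mitigation: Clear CPU buffers; SMT disabled"   - fully mitigated
    smt_control: "on", "off", "forceoff", "notsupported" or "notimplemented".
    """
    mds = mds_line.strip()
    smt = smt_control.strip()
    if mds == "Not affected":
        return {"affected": False, "microcode_ok": True,
                "smt_exposed": False, "action": "none"}
    # "Mitigation:" is only reported when the CPU advertises MD_CLEAR, i.e.
    # the microcode update is installed and the kernel is using it.
    microcode_ok = mds.startswith("Mitigation:")
    # Buffer clearing happens on privilege transitions only; a sibling thread
    # on the same core can still sample the buffers, so the kernel appends
    # "; SMT vulnerable" while SMT is enabled.
    smt_exposed = smt == "on" or mds.endswith("SMT vulnerable")
    if not microcode_ok:
        action = "install updated microcode and kernel"
    elif smt_exposed:
        action = "disable SMT (boot with mds=full,nosmt, or write 'off' to smt/control)"
    else:
        action = "none"
    return {"affected": True, "microcode_ok": microcode_ok,
            "smt_exposed": smt_exposed, "action": action}


def read_local_host() -> Optional[Dict[str, object]]:
    """Classify the machine this runs on; None when the sysfs files are absent."""
    try:
        with open(MDS_PATH) as f:
            mds = f.read()
        with open(SMT_PATH) as f:
            smt = f.read()
    except OSError:
        return None
    return classify_mds(mds, smt)


def fleet_report(inventory: List[Tuple[str, str, str]]) -> List[Tuple[str, str]]:
    """(host, mds_line, smt_control) rows -> (host, action) for hosts needing work."""
    todo = []
    for host, mds, smt in inventory:
        verdict = classify_mds(mds, smt)
        if verdict["action"] != "none":
            todo.append((host, str(verdict["action"])))
    return todo


# Constructed inventory, as an asset system might collect it over SSH.
INVENTORY = [
    ("web-1", "Mitigation: Clear CPU buffers; SMT vulnerable", "on"),
    ("web-2", "Mitigation: Clear CPU buffers; SMT disabled", "off"),
    ("db-1", "Vulnerable: Clear CPU buffers attempted, no microcode; SMT vulnerable", "on"),
    ("arm-1", "Not affected", "notsupported"),
]

if __name__ == "__main__":
    for host, action in fleet_report(INVENTORY):
        print(f"{host}: {action}")
    local = read_local_host()
    print("this host:", local if local else "no MDS sysfs entries (not Linux?)")
```

In the constructed inventory, web-1 has the microcode but still exposes sibling-thread leakage, and db-1 has a kernel that attempts the mitigation on a CPU whose microcode was never updated; only those two hosts show up in the report.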

For more information about Chrome updates, see https://chromereleases.googleblog.com 

For more information about the vulnerabilities addressed by the Android updates, see the bulletin index at https://source.android.com/security/bulletin

Oracle

Oracle releases security updates on a quarterly cycle, on the Tuesday closest to the 17th of January, April, July and October. The most recent Critical Patch Update was released on April 16, 2019, and the next regularly scheduled one is due on July 16, 2019. 

The April 2019 advisory, together with all past Critical Patch Updates and Security Alerts, is listed on the Oracle Critical Patch Updates, Security Alerts and Bulletins page at https://www.oracle.com/technetwork/topics/security/alerts-086861.html

Mozilla

On June 11, Mozilla released Security Advisory 2019-16 to announce the vulnerability fix contained in Firefox 67.0.2. This update addresses the following moderate-severity vulnerability, which affects only Firefox running on Windows: 

  • CVE-2019-11702: IE protocols can be used to open known local files – This update fixes a problem with a hyperlink using protocols associated with Internet Explorer, such as IE.HTTP:, being used to open local files at a known location with IE if a user approves execution when prompted.

On June 18, Mozilla released Security Advisory 2019-18 to announce the vulnerability fix contained in Firefox 67.0.3 and Firefox ESR 60.7.1. This update addresses the following critical vulnerability:

  • CVE-2019-11707: Type confusion in Array.pop – This update fixes a type confusion vulnerability that can occur when manipulating JavaScript objects, due to issues in Array.pop. It can allow for an exploitable crash of the content process, which is the first step to running attacker code in the browser. Targeted attacks exploiting this flaw had been detected in the wild before the fix shipped.

On June 20, Mozilla released Security Advisory 2019-19 to announce vulnerability fixes contained in Firefox 67.0.4 and Firefox ESR 60.7.2. This update addresses the following high severity vulnerability:

  • CVE-2019-11708: sandbox escape using Prompt:Open – this update fixes insufficient vetting of the parameters passed with the Prompt:Open IPC message between child and parent processes, which allows a compromised child process to make the non-sandboxed parent process open web content of the attacker’s choosing. On its own this is a sandbox escape; chained with a content-process bug such as CVE-2019-11707 above, it gives arbitrary code execution on the user’s computer, so the two Firefox updates should be treated as one fix and applied together. 

For more information about these and other vulnerabilities patched by Mozilla, see https://www.mozilla.org/en-US/security/advisories/ 

Linux

Popular Linux distros, as usual, have seen a number of security advisories and updates this month. Ubuntu issued the following fifty-eight security advisories since last month’s roundup. Some of these advisories address a large number of vulnerabilities in one advisory, and in some cases there are multiple advisories for the same vulnerabilities (the -2 and -3 advisories carry a fix to additional releases, or repair a regression introduced by the first one). Other commercial Linux vendors issued a similar number of updates.

  • USN-4041-2: Linux kernel (HWE) update USN-4041-1 fixed a regression in the Linux kernel for Ubuntu. This update provides the corresponding fix for the Linux kernel for Ubuntu 16.04 ESM. Original advisory details: USN-4017-2 fixed vulnerabilities in the Linux kernel. Unfortunately, the update introduced a regression that interfered with networking applications that set very low SO_SNDBUF values. This update fixes the problem.
  • USN-4041-1: Linux kernel update USN-4017-1 fixed vulnerabilities in the Linux kernel for Ubuntu. Unfortunately, the update introduced a regression that interfered with networking applications that set very low SO_SNDBUF values. This update fixes the problem. 
  • USN-4042-1: poppler vulnerabilities It was discovered that poppler incorrectly handled certain files. If a user or automated system were tricked into opening a crafted PDF file, an attacker could cause a denial of service, or possibly execute arbitrary code. 
  • USN-4039-1: CImg vulnerabilities It was discovered that allocation failures could occur in CImg when loading crafted bmp images. An attacker could possibly use this issue to cause a denial of service. (CVE-2018-7587) It was discovered that a heap-based buffer over-read existed in CImg when loading crafted bmp images. An attacker could possibly use this issue to execute arbitrary code.
  • USN-4040-2: Expat vulnerability USN-4040-1 fixed a vulnerability in expat. This update provides the corresponding update for Ubuntu 12.04 ESM and Ubuntu 14.04 ESM. Original advisory details: It was discovered that Expat incorrectly handled certain XML files. An attacker could possibly use this issue to cause a denial of service.
  • USN-4040-1: Expat vulnerability It was discovered that Expat incorrectly handled certain XML files. An attacker could possibly use this issue to cause a denial of service.
  • USN-4038-2: bzip2 vulnerabilities USN-4038-1 fixed several vulnerabilities in bzip2. This update provides the corresponding update for Ubuntu 12.04 ESM and Ubuntu 14.04 ESM. Original advisory details: Aladdin Mubaied discovered that bzip2 incorrectly handled certain files. An attacker could possibly use this issue to cause a denial of service. 
  • USN-4038-1: bzip2 vulnerabilities Aladdin Mubaied discovered that bzip2 incorrectly handled certain files. An attacker could possibly use this issue to cause a denial of service. This issue only affected Ubuntu 16.04 LTS. (CVE-2016-3189) It was discovered that bzip2 incorrectly handled certain files. An attacker could possibly use this issue to execute arbitrary code.
  • USN-4037-1: policykit-desktop-privileges update The policykit-desktop-privileges Startup Disk Creator policy allowed administrative users to overwrite disks. As a security improvement, this operation now requires authentication.
  • USN-4036-1: OpenStack Neutron vulnerability Erik Olof Gunnar Andersson discovered that OpenStack Neutron incorrectly handled certain security group rules in the iptables firewall module. An authenticated attacker could possibly use this issue to block further application of security group rules for other instances.
  • USN-4035-1: Ceph vulnerabilities It was discovered that Ceph incorrectly handled read only permissions. An authenticated attacker could use this issue to obtain dm-crypt encryption keys. This issue only affected Ubuntu 16.04 LTS. 
  • USN-4034-1: ImageMagick vulnerabilities It was discovered that ImageMagick incorrectly handled certain malformed image files. If a user or automated system using ImageMagick were tricked into opening a specially crafted image, an attacker could exploit this to cause a denial of service or possibly execute code with the privileges of the user invoking the program. 
  • USN-4033-1: libmysofa vulnerability It was discovered that a libmysofa component does not properly validate multiplications and additions, and may crash with some specific input.
  • USN-4032-1: Firefox vulnerability It was discovered that a sandboxed child process could open arbitrary web content in the parent process via the Prompt:Open IPC message. When combined with another vulnerability, an attacker could potentially exploit this to execute arbitrary code.
  • USN-4031-1: Linux kernel vulnerability It was discovered that the Linux kernel did not properly separate certain memory mappings when creating new userspace processes on 64-bit Power (ppc64el) systems. A local attacker could use this to access memory contents or cause memory corruption of other processes on the system.
  • USN-4030-1: web2py vulnerabilities It was discovered that web2py does not properly check denied hosts before verifying passwords. An attacker could possibly use this issue to perform brute-force attacks. (CVE-2016-10321) It was discovered that web2py allows remote attackers to obtain environment variable values. An attacker could possibly use this issue to gain administrative privileges.
  • USN-3977-3: Intel Microcode update USN-3977-1 and USN-3977-2 provided mitigations for Microarchitectural Data Sampling (MDS) vulnerabilities in Intel Microcode for a large number of Intel processor families. This update provides the corresponding updated microcode mitigations for the Intel Sandy Bridge processor family. 
  • USN-4028-1: Thunderbird vulnerabilities Multiple memory safety issues were discovered in Thunderbird. If a user were tricked in to opening a specially crafted message, an attacker could potentially exploit these to cause a denial of service, or execute arbitrary code.
  • USN-4027-1: PostgreSQL vulnerability Alexander Lakhin discovered that PostgreSQL incorrectly handled authentication. An authenticated attacker or a rogue server could use this issue to cause PostgreSQL to crash, resulting in a denial of service, or possibly execute arbitrary code. The default compiler options for affected releases should reduce the vulnerability to a denial of service.
  • USN-4023-1: Mosquitto vulnerabilities It was discovered that Mosquitto broker incorrectly handled certain specially crafted input and network packets. A remote attacker could use this to cause a denial of service.
  • USN-4026-1: Bind vulnerability It was discovered that Bind incorrectly handled certain malformed packets. A remote attacker could possibly use this issue to cause Bind to crash, resulting in a denial of service.
  • USN-4024-1: Evince update As a security improvement, this update adjusts the AppArmor profile for the Evince thumbnailer to reduce its access to the system and adjusts the AppArmor profiles for Evince and the Evince previewer to limit access to the D-Bus system bus. It also adjusts the evince abstraction to disallow writes to parent directories of sensitive files.
  • USN-4022-1: Gunicorn vulnerability It was discovered that gunicorn improperly handled certain input. An attacker could potentially use this issue to execute a cross-site scripting (XSS) attack.
  • USN-4019-2: SQLite vulnerabilities USN-4019-1 fixed several vulnerabilities in sqlite3. This update provides the corresponding update for Ubuntu 12.04 ESM and 14.04 ESM. Original advisory details: It was discovered that SQLite incorrectly handled certain SQL files. An attacker could possibly use this issue to execute arbitrary code or cause a denial of service.
  • USN-4020-1: Firefox vulnerability A type confusion bug was discovered in Firefox. If a user were tricked in to opening a specially crafted website, an attacker could exploit this by causing a denial of service, or executing arbitrary code.
  • USN-4021-1: libvirt vulnerabilities Daniel P. Berrangé discovered that libvirt incorrectly handled socket permissions. A local attacker could possibly use this issue to access libvirt. (CVE-2019-10132) It was discovered that libvirt incorrectly performed certain permission checks. A remote attacker could possibly use this issue to access the guest agent and cause a denial of service.
  • USN-4019-1: SQLite vulnerabilities It was discovered that SQLite incorrectly handled certain SQL files. An attacker could possibly use this issue to execute arbitrary code or cause a denial of service. This issue only affected Ubuntu 16.04 LTS. 
  • USN-4018-1: samba vulnerabilities It was discovered that Samba incorrectly handled certain RPC messages. A remote attacker could possibly use this issue to cause Samba to crash, resulting in a denial of service. (CVE-2019-12435) It was discovered that Samba incorrectly handled LDAP paged searches. A remote attacker could possibly use this issue to cause Samba to crash.
  • USN-4017-1: Linux kernel vulnerabilities Jonathan Looney discovered that the TCP retransmission queue implementation in the Linux kernel could be fragmented when handling certain TCP Selective Acknowledgment (SACK) sequences. A remote attacker could use this to cause a denial of service. 
  • USN-4017-2: Linux kernel vulnerabilities USN-4017-1 fixed vulnerabilities in the Linux kernel for Ubuntu. This update provides the corresponding updates for the Linux kernel for Ubuntu 16.04 ESM and Ubuntu 14.04 ESM. Original advisory details: Jonathan Looney discovered that the TCP retransmission queue implementation in the Linux kernel could be fragmented when handling certain TCP Selective Acknowledgment (SACK) sequences. A remote attacker could use this to cause a denial of service.
  • USN-3991-3: Firefox regression USN-3991-1 fixed vulnerabilities in Firefox, and USN-3991-2 fixed a subsequent regression. The update caused an additional regression that resulted in Firefox failing to load correctly after executing it in safe mode. This update fixes the problem. 
  • USN-4015-2: DBus vulnerability USN-4015-1 fixed a vulnerability in DBus. This update provides the corresponding update for Ubuntu 12.04 ESM and Ubuntu 14.04 ESM. Original advisory details: Joe Vennix discovered that DBus incorrectly handled DBUS_COOKIE_SHA1 authentication. A local attacker could possibly use this issue to bypass authentication and connect to DBus servers. 
  • USN-4016-2: Neovim vulnerability It was discovered that Neovim incorrectly handled certain files. An attacker could possibly use this issue to execute arbitrary code. 
  • USN-4016-1: Vim vulnerabilities It was discovered that Vim incorrectly handled certain files. An attacker could possibly use this issue to execute arbitrary code. This issue only affected Ubuntu 16.04 LTS. (CVE-2017-5953) It was discovered that Vim incorrectly handled certain files. An attacker could possibly use this issue to execute arbitrary code. 
  • USN-4015-1: DBus vulnerability Joe Vennix discovered that DBus incorrectly handled DBUS_COOKIE_SHA1 authentication. A local attacker could possibly use this issue to bypass authentication and connect to DBus servers with elevated privileges.
  • USN-4014-2: GLib vulnerability USN-4014-1 fixed a vulnerability in GLib. This update provides the corresponding update for Ubuntu 12.04 ESM and Ubuntu 14.04 ESM. Original advisory details: It was discovered that GLib incorrectly handled certain files. An attacker could possibly use this issue to access sensitive information.
  • USN-4014-1: GLib vulnerability It was discovered that GLib incorrectly handled certain files. An attacker could possibly use this issue to access sensitive information.
  • USN-4013-1: libsndfile vulnerabilities It was discovered that libsndfile incorrectly handled certain malformed files. A remote attacker could use this issue to cause libsndfile to crash, resulting in a denial of service, or possibly execute arbitrary code.
  • USN-4012-1: elfutils vulnerabilities It was discovered that elfutils incorrectly handled certain malformed files. If a user or automated system were tricked into processing a specially crafted file, elfutils could be made to crash or consume resources, resulting in a denial of service.
  • USN-4008-3: Linux kernel (Xenial HWE) vulnerabilities USN-4008-1 fixed vulnerabilities in the Linux kernel for Ubuntu 16.04 LTS. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 16.04 LTS for Ubuntu 14.04 ESM. Robert Święcki discovered that the Linux kernel did not properly apply Address Space Layout Randomization (ASLR) in some situations.  
  • USN-3991-2: Firefox regression USN-3991-1 fixed vulnerabilities in Firefox. The update caused a regression which resulted in issues when upgrading between Ubuntu releases. This update fixes the problem. We apologize for the inconvenience. Original advisory details: Multiple security issues were discovered in Firefox. 
  • USN-4011-2: Jinja2 vulnerabilities USN-4011-1 fixed several vulnerabilities in Jinja2. This update provides the corresponding update for Ubuntu 12.04 ESM and Ubuntu 14.04 ESM. Original advisory details: Olivier Dony discovered that Jinja incorrectly handled str.format. An attacker could possibly use this issue to escape the sandbox. 
  • USN-4011-1: Jinja2 vulnerabilities Olivier Dony discovered that Jinja incorrectly handled str.format. An attacker could possibly use this issue to escape the sandbox. This issue only affected Ubuntu 16.04 LTS. (CVE-2016-10745) Brian Welch discovered that Jinja incorrectly handled str.format_map. An attacker could possibly use this issue to escape the sandbox. 
  • USN-4008-2: AppArmor update USN-4008-1 fixed multiple security issues in the Linux kernel. This update provides the corresponding changes to AppArmor policy for correctly operating under the Linux kernel with fixes for CVE-2019-11190. Without these changes, some profile transitions may be unintentionally denied due to missing mmap (’m’) rules. 
  • USN-3957-3: MariaDB vulnerabilities USN-3957-1 fixed multiple vulnerabilities in MySQL. This update provides the corresponding fixes for CVE-2019-2614 and CVE-2019-2627 in MariaDB 10.1. Ubuntu 18.04 LTS has been updated to MariaDB 10.1.40. In addition to security fixes, the updated package contains bug fixes, new features, and possibly incompatible changes, so test before rolling it out to production database servers. 
  • USN-4009-2: PHP vulnerabilities USN-4009-1 fixed several vulnerabilities in PHP. This update provides the corresponding update for Ubuntu 12.04 ESM and Ubuntu 14.04 ESM. Original advisory details: It was discovered that PHP incorrectly decoded certain MIME headers. A remote attacker could possibly use this issue to cause PHP to crash, resulting in a denial of service. 
  • USN-4010-1: Exim vulnerability It was discovered that Exim incorrectly handled certain decoding operations. A remote attacker could possibly use this issue to execute arbitrary commands.
  • USN-4009-1: PHP vulnerabilities It was discovered that PHP incorrectly handled certain exif tags in images. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly obtain sensitive information. (CVE-2019-11036) It was discovered that PHP incorrectly decoded certain MIME headers. A remote attacker could possibly use this issue to cause PHP to crash, resulting in a denial of service. 
  • USN-4007-2: Linux kernel (HWE) vulnerability USN-4007-1 fixed vulnerabilities in the Linux kernel for Ubuntu 18.04 LTS. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 18.04 LTS for Ubuntu 16.04 LTS. Federico Manuel Bento discovered that the Linux kernel did not properly apply Address Space Layout Randomization (ASLR) in some situations.
  • USN-4006-2: Linux kernel (HWE) vulnerability USN-4006-1 fixed a vulnerability in the Linux kernel for Ubuntu 18.10. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 18.10 for Ubuntu 18.04 LTS. Federico Manuel Bento discovered that the Linux kernel did not properly apply Address Space Layout Randomization (ASLR) in some situations.
  • USN-4008-1: Linux kernel vulnerabilities Robert Święcki discovered that the Linux kernel did not properly apply Address Space Layout Randomization (ASLR) in some situations for setuid ELF binaries. A local attacker could use this to improve the chances of exploiting an existing vulnerability in a setuid ELF binary. 
  • USN-4007-1: Linux kernel vulnerability Federico Manuel Bento discovered that the Linux kernel did not properly apply Address Space Layout Randomization (ASLR) in some situations for setuid a.out binaries. A local attacker could use this to improve the chances of exploiting an existing vulnerability in a setuid a.out binary. As a hardening measure, this update disables a.out support.
  • USN-4005-1: Linux kernel vulnerabilities It was discovered that a null pointer dereference vulnerability existed in the LSI Logic MegaRAID driver in the Linux kernel. A local attacker could use this to cause a denial of service (system crash). (CVE-2019-11810) It was discovered that a race condition leading to a use-after-free existed in the Reliable Datagram Sockets (RDS) protocol.
  • USN-4006-1: Linux kernel vulnerability Federico Manuel Bento discovered that the Linux kernel did not properly apply Address Space Layout Randomization (ASLR) in some situations for setuid a.out binaries. A local attacker could use this to improve the chances of exploiting an existing vulnerability in a setuid a.out binary. As a hardening measure, this update disables a.out support.
  • USN-4004-2: Berkeley DB vulnerability USN-4004-1 fixed a vulnerability in Berkeley DB. This update provides the corresponding update for Ubuntu 14.04 ESM. Original advisory details: It was discovered that Berkeley DB incorrectly handled certain inputs. An attacker could possibly use this issue to read sensitive information.
  • USN-4004-1: Berkeley DB vulnerability It was discovered that Berkeley DB incorrectly handled certain inputs. An attacker could possibly use this issue to read sensitive information.
  • USN-4003-1: Qt vulnerabilities It was discovered that Qt incorrectly handled certain XML documents. A remote attacker could use this issue with a specially crafted XML document to cause Qt to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2018-15518) It was discovered that Qt incorrectly handled certain GIF images. 
  • USN-4002-1: Doxygen vulnerability It was discovered that Doxygen incorrectly handled certain queries. An attacker could possibly use this issue to execute arbitrary code and compromise sensitive information.
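
The Jinja2 items above (USN-4011-1 and USN-4011-2, sandbox escapes through str.format and str.format_map) illustrate a general pitfall for any expression sandbox: str.format performs its own attribute and index traversal, so a sandbox that vets only the attribute lookups in its own template syntax never sees "{0.__class__.__init__.__globals__}" walking from a harmless object to module globals. The following Python example is added here for illustration and is not Jinja2's own code: a minimal sandbox that checks only the method name it resolves itself, beside a hardened variant that routes format calls through a string.Formatter subclass whose field resolution applies the same attribute policy. The policy (deny names beginning with an underscore), the Config object and the SECRET global are constructed for the demonstration.

```python
"""Why a template sandbox must intercept str.format / str.format_map.

Added example for the USN-4011 items; not Jinja2 code.  The attribute
policy, the Config class and the SECRET global are constructed.
"""
import re
import string
from typing import Any, List, Tuple


class SandboxViolation(Exception):
    """Raised when a template expression touches a forbidden attribute."""


def is_safe_attribute(name: str) -> bool:
    """Hypothetical sandbox policy: no private or dunder attributes."""
    return not name.startswith("_")


# --- objects a template might legitimately see (constructed) ---------------
SECRET = "hunter2"  # a module global the attacker wants to reach


class Config:
    def __init__(self) -> None:
        self.name = "prod"


# --- vulnerable: the sandbox only checks the method name it resolves -------
def naive_sandbox_call(obj: Any, method: str, *args: Any, **kwargs: Any) -> Any:
    if not is_safe_attribute(method):
        raise SandboxViolation(f"attribute {method!r} is not allowed")
    # "format" passes the check, but the field names inside the format
    # string are resolved by str.format itself and are never vetted.
    return getattr(obj, method)(*args, **kwargs)


# --- hardened: field traversal inside str.format obeys the same policy -----
_FIELD_RE = re.compile(r"\.([^.\[]+)|\[([^\]]*)\]")


def split_field(field_name: str) -> Tuple[str, List[Tuple[bool, str]]]:
    """'0.a.b[c]' -> ('0', [(True, 'a'), (True, 'b'), (False, 'c')])."""
    head = re.match(r"[^.\[]*", field_name)
    rest = [(m.group(1) is not None,
             m.group(1) if m.group(1) is not None else m.group(2))
            for m in _FIELD_RE.finditer(field_name, head.end())]
    return head.group(0), rest


class SafeFormatter(string.Formatter):
    """Formatter whose attribute steps go through is_safe_attribute()."""

    def get_field(self, field_name: str, args: Any, kwargs: Any) -> Tuple[Any, str]:
        first, rest = split_field(field_name)
        obj = self.get_value(int(first) if first.isdigit() else first, args, kwargs)
        for is_attr, key in rest:
            if is_attr:
                if not is_safe_attribute(key):
                    raise SandboxViolation(f"attribute {key!r} is not allowed")
                obj = getattr(obj, key)
            else:
                obj = obj[int(key) if key.isdigit() else key]
        return obj, first


def hardened_sandbox_call(obj: Any, method: str, *args: Any, **kwargs: Any) -> Any:
    if not is_safe_attribute(method):
        raise SandboxViolation(f"attribute {method!r} is not allowed")
    # Intercept the two string methods that do their own attribute traversal.
    if isinstance(obj, str) and method == "format":
        return SafeFormatter().vformat(obj, args, kwargs)
    if isinstance(obj, str) and method == "format_map":
        return SafeFormatter().vformat(obj, (), args[0])
    return getattr(obj, method)(*args, **kwargs)


# Attacker-controlled format string: reaches module globals via the class of
# any object exposed to the template, then indexes the globals dict.
ESCAPE = "{0.__class__.__init__.__globals__[SECRET]}"


def demo() -> dict:
    """Run the escape payload and a benign template through both sandboxes."""
    out = {"naive": naive_sandbox_call(ESCAPE, "format", Config())}
    try:
        hardened_sandbox_call(ESCAPE, "format", Config())
        out["hardened"] = "escaped"
    except SandboxViolation as e:
        out["hardened"] = f"blocked: {e}"
    out["benign"] = hardened_sandbox_call("env={0.name}", "format", Config())
    return out


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label:>9}: {result}")
```

The naive variant hands back the module global, while the hardened one raises SandboxViolation at the first dunder attribute, before any getattr runs, and still renders ordinary templates such as "env={0.name}". Jinja2's fix takes the same shape: str.format and str.format_map on sandboxed strings are redirected to a formatter whose field lookups are subject to the sandbox's attribute checks, which is why the two USN-4011 advisories list one CVE per method.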