[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
ESA-2015-002: Unisphere Central Security Update for Multiple Vulnerabilities

To: "'bugtraq@xxxxxxxxxxxxxxxxx'" <bugtraq@xxxxxxxxxxxxxxxxx>, "'dm@xxxxxxxxxxxxxxxxx'" <dm@xxxxxxxxxxxxxxxxx>
Subject: ESA-2015-002: Unisphere Central Security Update for Multiple Vulnerabilities
From: Security Alert <Security_Alert@xxxxxxx>
Date: Thu, 29 Jan 2015 15:58:04 +0000
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

ESA-2015-002: Unisphere Central Security Update for Multiple Vulnerabilities

EMC Identifier: ESA-2015-002
        
CVE Identifier: CVE-2013-1899, CVE-2013-1900, CVE-2013-1901, CVE-2013-1902, 
CVE-2012-5885, CVE-2011-3389, CVE-2013-1767, CVE-2012-2137, CVE-2012-6548, 
CVE-2013-1797, CVE-2013-0231, CVE-2013-1774, CVE-2013-1848, CVE-2013-0311, 
CVE-2013-2634, CVE-2013-0268, CVE-2013-0913,CVE-2013-1772, CVE-2013-0216, 
CVE-2013-1792, CVE-2012-6549, CVE-2013-2635, CVE-2013-0914, CVE-2013-1796, 
CVE-2013-0160, CVE-2013-1860, CVE-2013-0349, CVE-2013-1798, CVE-2013-4242, 
CVE-2014-0138, CVE-2014-0139, CVE-2010-5298, CVE-2014-0076, CVE-2014-0195, 
CVE-2014-0198, CVE-2014-0221, CVE-2014-0224, CVE-2014-3470, CVE-2014-3506, 
CVE-2014-3507, CVE-2014-3508, CVE-2014-3509, CVE-2014-3510, CVE-2014-3511, 
CVE-2014-3512, CVE-2014-5139, CVE-2012-6085, CVE-2014-2403, CVE-2014-0446, 
CVE-2014-0457, CVE-2014-0453, CVE-2014-2412, CVE-2014-2398, CVE-2014-0458, 
CVE-2014-2397, CVE-2014-0460, CVE-2014-0429, CVE-2014-2428, CVE-2014-2423, 
CVE-2014-2420, CVE-2014-0448, CVE-2014-0459, CVE-2014-2427, CVE-2014-2414, 
CVE-2014-0461, CVE-2014-0454, CVE-2014-2422, CVE-2014-0464, CVE-2014-2401, 
CVE-2014-0456, CVE-2014-0455, CVE-2014-0451, CVE-2014-0449, CVE-2014-0432, 
CVE-2014-0463, CVE-2014-2410 , CVE-2014-2413, CVE-2014-2421, CVE-2014-2409, 
CVE-2014-2402, CVE-2014-0452, CVE-2010-5107, CVE-2014-1545, CVE-2014-1541, 
CVE-2014-1534, CVE-2014-1533, CVE-2014-1536, CVE-2014-1537, CVE-2014-1538, 
CVE-2013-2005, CVE-2013-2002, CVE-2014-0092, CVE-2014-0015, CVE-2014-4220, 
CVE-2014-2490, CVE-2014-4266, CVE-2014-4219, CVE-2014-2483, CVE-2014-4263, 
CVE-2014-4264, CVE-2014-4268, CVE-2014-4252, CVE-2014-4223, CVE-2014-4247, 
CVE-2014-4218, CVE-2014-4221, CVE-2014-4262, CVE-2014-4227, CVE-2014-4208, 
CVE-2014-4209, CVE-2014-4265, CVE-2014-4244,
CVE-2014-4216, CVE-2011-0020, CVE-2011-0064, CVE-2014-3638, CVE-2014-3639, 
CVE-2014-3513, CVE-2014-3567, CVE-2014-3568, CVE-2014-3566, CVE-2014-4330, 
CVE-2014-3613, CVE-2014-3620, CVE-2015-0512

Severity Rating: View details below for CVSSv2 scores

Affected products: 
Unisphere Central versions prior to 4.0

Summary: 
Unisphere Central requires an update to address various security 
vulnerabilities that could potentially be exploited by malicious users to 
compromise the affected system.

Details: 
Unisphere Central requires an update to address various security 
vulnerabilities:

1.      Unvalidated Redirect Vulnerability (CVE-2015-0512)

A potential vulnerability in Unisphere Central may allow remote attackers to 
redirect users to arbitrary web sites and conduct phishing attacks. The 
attacker can specify the location of the arbitrary site in the unvalidated 
parameter of a crafted URL. If this URL is accessed, the browser is redirected 
to the arbitrary site specified in the parameter.

CVSSv2 Base Score: 5.8 (AV:N/AC:M/Au:N/C:P/I:P/A:N)

2.      Multiple Embedded Component Vulnerabilities

The following vulnerabilities affecting multiple embedded components were 
addressed:

?       PostgreSQL (CVE-2013-1899, CVE-2013-1900, CVE-2013-1901, CVE-2013-1902)
?       Apache Tomcat HTTP Digest Access Bypass (CVE-2012-5885)
?       SSL3.0/TLS1.0 Weak CBC Mode Vulnerability (CVE-2011-3389)
?       SUSE Kernel Updates (CVE-2013-1767, CVE-2012-2137, CVE-2012-6548, 
CVE-2013-1797, CVE-2013-0231,CVE-2013-1774, CVE-2013-1848, CVE-2013-0311, 
CVE-2013-2634, CVE-2013-0268, CVE-2013-0913, CVE-2013-1772, CVE-2013-0216, 
CVE-2013-1792, CVE-2012-6549, CVE-2013-2635, CVE-2013-0914, CVE-2013-1796, 
CVE-2013-0160, CVE-2013-1860, CVE-2013-0349, CVE-2013-1798)
?       Libgcrypt (CVE-2013-4242)
?       cURL/libcURL Multiple Vulnerabilities (CVE-2014-0138, CVE-2014-0139, 
CVE-2014-0015, CVE-2014-3613, CVE-2014-3620)
?       OpenSSL Multiple Vulnerabilities (CVE-2010-5298, CVE-2014-0076, 
CVE-2014-0195, CVE-2014-0198, CVE-2014-0221, CVE-2014-0224, CVE-2014-3470, 
CVE-2014-3506, CVE-2014-3507, CVE-2014-3508, CVE-2014-3509, CVE-2014-3510, 
CVE-2014-3511, CVE-2014-3512, CVE-2014-5139, CVE-2014-3513, CVE-2014-3567, 
CVE-2014-3568, CVE-2014-3566)
?       GNU Privacy Guard (GPG2) Update (CVE-2012-6085)
?       Java Runtime Environment (CVE-2014-2403, CVE-2014-0446, CVE-2014-0457, 
CVE-2014-0453, CVE-2014-2412, CVE-2014-2398, CVE-2014-0458, CVE-2014-2397, 
CVE-2014-0460, CVE-2014-0429, CVE-2014-2428, CVE-2014-2423, CVE-2014-2420, 
CVE-2014-0448, CVE-2014-0459, CVE-2014-2427, CVE-2014-2414, CVE-2014-0461, 
CVE-2014-0454, CVE-2014-2422, CVE-2014-0464, CVE-2014-2401, CVE-2014-0456, 
CVE-2014-0455, CVE-2014-0451, CVE-2014-0449, CVE-2014-0432, CVE-2014-0463, 
CVE-2014-2410, CVE-2014-2413, CVE-2014-2421, CVE-2014-2409, CVE-2014-2402, 
CVE-2014-0452, CVE-2014-4220, CVE-2014-2490, CVE-2014-4266, CVE-2014-4219, 
CVE-2014-2483, CVE-2014-4263, CVE-2014-4264, CVE-2014-4268, CVE-2014-4252, 
CVE-2014-4223, CVE-2014-4247, CVE-2014-4218, CVE-2014-4221, CVE-2014-4262, 
CVE-2014-4227, CVE-2014-4208, CVE-2014-4209, CVE-2014-4265, CVE-2014-4244, 
CVE-2014-4216)
?       OpenSSH Denial of Service (CVE-2010-5107)
?       Network Security Services (NSS) Update (CVE-2014-1545, CVE-2014-1541, 
CVE-2014-1534, CVE-2014-1533, CVE-2014-1536, CVE-2014-1537, CVE-2014-1538)
?        Xorg-X11 Update (CVE-2013-2005, CVE-2013-2002)
?       GnuTLS SSL Verification Vulnerability (CVE-2014-0092)
?       Pango Security Update (CVE-2011-0020, CVE-2011-0064)
?       D-Bus Denial of Service (CVE-2014-3638,CVE-2014-3639)
?       Perl Denial of Service (CVE-2014-4330)
CVSSv2 Base Score: Refer to NVD (http://nvd.nist.gov) for individual scores for 
each CVE listed above

For more information about any of the Common Vulnerabilities and Exposures 
(CVEs) mentioned here, consult the National Vulnerability Database (NVD) at 
http://nvd.nist.gov/home.cfm. To search for a particular CVE, use the NVD 
database?s search utility at http://web.nvd.nist.gov/view/vuln/search

Resolution: 
The following Unisphere Central release contains resolutions to the above 
issues:
?       Unisphere Central version 4.0.

EMC strongly recommends all customers upgrade at the earliest opportunity. 
Contact EMC Unisphere Central customer support to download the required 
upgrades. 

Link to remedies:
Registered EMC Online Support customers can download patches and software from 
support.emc.com at: https://support.emc.com/products/28224_Unisphere-Central


If you have any questions, please contact EMC Support.

Read and use the information in this EMC Security Advisory to assist in 
avoiding any situation that might arise from the problems described herein. If 
you have any questions regarding this product alert, contact EMC Software 
Technical Support at 1-877-534-2867. 


For an explanation of Severity Ratings, refer to EMC Knowledgebase solution 
emc218831. EMC recommends all customers take into account both the base score 
and any relevant temporal and environmental scores which may impact the 
potential severity associated with particular security vulnerability. EMC 
Corporation distributes EMC Security Advisories, in order to bring to the 
attention of users of the affected EMC products, important security 
information. EMC recommends that all users determine the applicability of this 
information to their individual situations and take appropriate action. The 
information set forth herein is provided "as is" without warranty of any kind. 
EMC disclaims all warranties, either express or implied, including the 
warranties of merchantability, fitness for a particular purpose, title and 
non-infringement. In no event, shall EMC or its suppliers, be liable for any 
damages whatsoever including direct, indirect, incidental, consequential, loss 
of business profits or special damages, even if EMC or its suppliers have been 
advised of the possibility of such damages. Some states do not allow the 
exclusion or limitation of liability for consequential or incidental damages, 
so the foregoing limitation may not apply.

EMC Product Security Response Center
security_alert@xxxxxxx
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (Cygwin)

iEYEARECAAYFAlTKSaIACgkQtjd2rKp+ALzINgCg01qlCrN0carogi8MwnbjGNrP
6oIAnRiS6bIIqnGmGN0c+ayX74Qad4vY
=5UIE
-----END PGP SIGNATURE-----
Prev by Date: Blubrry PowerPress Security Advisory - XSS Vulnerability - CVE-2015-1385
Next by Date: Reflected XSS vulnarbility in Asus RT-N10 Plus Router
Previous by thread: Blubrry PowerPress Security Advisory - XSS Vulnerability - CVE-2015-1385
Next by thread: Reflected XSS vulnarbility in Asus RT-N10 Plus Router
Index(es):
- Date
- Thread