Security
Proprietary vulnerabilities
A recent—and recently deleted—blog post (still available courtesy of the Wayback Machine) demonstrates some rather eye-opening opinions on how some view their customers' efforts to find and report security holes. In the almost comically inept post, Oracle's Chief Security Officer Mary Ann Davidson admonishes customers not to try to "reverse engineer" Oracle's code to find security bugs. It is an attitude that is perhaps common in the proprietary world, but is diametrically opposed to standard practice in free-software communities.
The crux of Davidson's complaint is about customers that disregard Oracle's licensing terms and run various kinds of analysis tools against the sacred binaries. That leads to reports of vulnerabilities, most of which are likely false positives, she said. Oracle evidently tries to make it difficult for customers to report these kinds of bugs by requiring separate service requests for each issue, along with a proof-of-concept attack to document it.
It is unquestionably true that there are lots of false positives from these kinds of tools, so it is not surprising or unreasonable that Oracle might be unwilling to just take a raw report. But the company evidently goes further than that:
Davidson's tone throughout the post is dismissive and condescending, which doesn't help. She suggests that customers should essentially just trust Oracle to ensure the security of the software it ships. After all, Oracle and other large organizations have assurance programs and certifications that provide "Good Housekeeping seals" to show that they have "good code". Exactly how certifications such as Common Criteria and FIPS-140 ensure good code is left as an exercise for the reader (and the Oracle customer).
Evidently there has been an upswing in the number of these kinds of reports recently, which is why Davidson wanted to address the issue. She noted that third parties cannot actually analyze the source code, so it is largely a waste of time for customers to look for these kinds of problems:
She continued with something of a non-lawyer FAQ about Oracle's license agreement and the evils of reverse engineering its code. It makes it clear that Oracle is actively hostile to its customers (or anyone else) finding bugs in its code if they have to resort to reverse engineering (which is rather loosely defined). The final question does acknowledge that others with "bad motives" may be ignoring the license agreement and doing pretty much any kind of analysis they want—probably without sharing the results with the company. To Davidson, though, the existence of these "cheaters" does not make it any more reasonable for those with "good motives" to follow suit.
No matter what the reason or the outcome—even if real bugs are found—reverse engineering is bad, mmmkay?
It would seem that Davidson went a bit too far, since the blog post was pulled a day or so after it was posted on August 10. Ars Technica reported that Oracle Executive Vice President and Chief Corporate Architect Edward Screven made an email statement about the removal: "We removed the post as it does not reflect our beliefs or our relationship with our customers." As that article notes, the statement is missing some important information: "Just how Oracle's chief security officer fell out of alignment with Oracle's core beliefs and managed to spread her heretic thoughts on customers was not addressed."
There are other posts by Davidson on her blog that have not been removed and show similar attitudes, so the post in question hardly comes completely out of left field. This particular piece may have just been over the top—or perhaps it simply had a much higher profile than the others. The company may not have liked how it came off looking based on that post, but it can't really complain too much, since much of what she said is certainly true.
In fact, as free-software users know, proprietary licenses restrict a whole raft of activities that are useful for security—or simply to add unanticipated features. Looking inside the code, running static and dynamic analysis, and finding bugs therein is all part of the "value proposition" for free software. Davidson actually makes the case—presumably unintentionally—for using free software rather than some proprietary tool. There is very little that a bad actor can do to a free-software package that those with good intentions can't also do—legally, and without worrying about a visit from Oracle's (or anyone else's) lawyers.
Some free-software projects even pro-actively invite security researchers to scrutinize their code—or even to reverse engineer it. In addition, while the number of false positives is quite high, there have been plenty of bugs found and fixed in open-source projects using tools like Coverity Scan. It would seem that even companies that want to strongly defend their code copyrights might be interested in any bugs that are found, regardless of the methods used to find them. Some companies do seem to have that attitude, which is generally shared by free-software projects, but some, like Oracle seemingly, are willing to throw the baby out with the bathwater.
Brief items
Security quotes of the week
Thank goodness the producers of the various films named "She" over the years didn't try this stunt. Or how about a [movie] titled "The" for real chuckles?
The impact of such takedown abuse is indeed the Internet equivalent of saturation bombing -- with no consideration given to the innocent parties who will be affected, and in the case of the DMCA, then have to find the time and money to fight back against this abuse -- simply to get their videos back on the Net.
For most of human history, surveillance has been expensive. Over the last couple of decades, it has become incredibly cheap and almost ubiquitous. That a few bits and pieces are becoming expensive again isn't a cause for alarm.
Privacy Badger 1.0
The Electronic Frontier Foundation has announced the 1.0 release of the Privacy Badger browser extension. "As you browse the Web, Privacy Badger looks at any third party domains that are loaded on a given site and determines whether or not they appear to be tracking you (e.g. by setting cookies that could be used for tracking, or fingerprinting your browser). If the same third party domain appears to be tracking you on three or more different websites, Privacy Badger will conclude that the third party domain is a tracker and block future connections to it." The extension is distributed under GPLv3; see this page for more information.
An active Firefox exploit
Mozilla has posted a warning about a Firefox vulnerability that is currently being actively exploited on the net. "The vulnerability comes from the interaction of the mechanism that enforces JavaScript context separation (the 'same origin policy') and Firefox’s PDF Viewer. Mozilla products that don’t contain the PDF Viewer, such as Firefox for Android, are not vulnerable. The vulnerability does not enable the execution of arbitrary code but the exploit was able to inject a JavaScript payload into the local file context. This allowed it to search for and upload potentially sensitive local files." There is a security update for the problem.
New vulnerabilities
activemq: denial of service
Package(s): activemq
CVE #(s): CVE-2014-3576 CVE-2014-3612 CVE-2014-3600
Created: August 10, 2015
Updated: August 12, 2015
Description: From the Debian advisory:
It was discovered that the Apache ActiveMQ message broker is susceptible to denial of service through an undocumented, remote shutdown command.
community-mysql: unspecified vulnerabilities
Package(s): community-mysql
Created: August 10, 2015
Updated: August 12, 2015
Description: Latest upstream release, 5.6.25, fixes unspecified vulnerabilities.
devscripts: two vulnerabilities
Package(s): devscripts
CVE #(s): CVE-2015-5705 CVE-2015-5704
Created: August 12, 2015
Updated: August 12, 2015
Description: From the Red Hat bugzilla:
1249635 (CVE-2015-5704): In scripts/licensecheck.pl, there is executed code that is vulnerable to shell command injection via shell metacharacters in filename:
my $mime = `file --brief --mime --dereference $file`;
1249645 (CVE-2015-5705): In scripts/licensecheck.pl, there is a code segment vulnerable to argument injection:
my $mime = `file --brief --mime --dereference $file`;
drupal6-cck: unspecified vulnerability
Package(s): drupal6-cck
Created: August 7, 2015
Updated: August 12, 2015
Description: Version drupal7-feeds-2.0-alpha9 fixes unspecified vulnerabilities.
elasticsearch: two vulnerabilities
Package(s): elasticsearch
CVE #(s): CVE-2015-5377 CVE-2015-5531
Created: August 11, 2015
Updated: August 12, 2015
Description: From the Elasticsearch 1.7.0 and 1.6.1 release announcement:
Remote code execution vulnerability
Elasticsearch versions prior to 1.6.1 are vulnerable to an engineered attack on its transport protocol (used for communication between nodes and Java clients) that enables remote code execution. This issue is related to the Groovy announcement in CVE-2015-3253. Deployments are vulnerable even when Groovy dynamic scripting is disabled. Users that do not want to upgrade can address the vulnerability by securing the transport protocol port (default 9300) to allow access by only trusted agents. We have been assigned CVE-2015-5377 for this issue.
Directory traversal vulnerability
Elasticsearch versions from 1.0.0 to 1.6.0 are vulnerable to a directory traversal attack that allows an attacker to retrieve files that are readable by the Elasticsearch JVM process. Users that do not wish to upgrade can use a firewall, reverse proxy, or Shield to prevent Snapshot-Restore API calls from untrusted sources. We have been assigned CVE-2015-5531 for this issue.
firefox: multiple vulnerabilities
Package(s): firefox
CVE #(s): CVE-2015-4474 CVE-2015-4477 CVE-2015-4482 CVE-2015-4483 CVE-2015-4490
Created: August 12, 2015
Updated: March 28, 2016
Description: From the Arch Linux advisory:
- CVE-2015-4474 (Memory safety bugs fixed in Firefox 40): Tyson Smith, Bobby Holley, Chris Coulson, Byron Campen, and Eric Rahm reported memory safety problems and crashes that affect Firefox 39.
- CVE-2015-4477 (MediaStream use-after-free): Security researcher SkyLined reported a use-after-free issue in how audio is handled through the Web Audio API during MediaStream playback through interactions with the Web Audio API. This results in a potentially exploitable crash.
- CVE-2015-4482 (Out of bounds write in mar_read.c): Security researcher Holger Fuhrmannek reported that if the Updater opens a MAR format file with a specially crafted name, an out-of-bounds write will occur. This can lead to a potentially exploitable crash but requires that the malicious MAR format file be present on the local system and the Updater to be run to use it.
- CVE-2015-4483 (feed: protocol + POST method => mixed scripting): Security researcher Masato Kinugawa reported that opening a target page using a POST to the url prefixed with the feed: protocol disables the mixed content blocker for that page. This could allow for the risk of a man-in-the-middle (MITM) scripting attack on pages that accidentally include insecure content which would otherwise be blocked.
- CVE-2015-4490 (Mozilla Content Security Policy allows for asterisk wildcards in violation of CSP specification): Mozilla security engineer Christoph Kerschbaumer reported a discrepancy in Mozilla's implementation of Content Security Policy and the CSP specification. The specification states that blob:, data:, and filesystem: URLs should be excluded in case of a wildcard when matching source expressions but Mozilla's implementation allows these in the case of an asterisk wildcard. This could allow for more permissive CSP usage than expected by a web developer, possibly allowing for cross-site scripting (XSS) attacks.
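An added example (not Mozilla's code) of the CSP Level 2 source-expression matching that the CVE-2015-4490 entry refers to: a Python matcher in which a lone `*` never admits blob:, data: or filesystem: URLs, so those schemes only load when a policy lists them explicitly. The function names and the sample policies are assumptions made for this illustration.

```python
from urllib.parse import urlsplit

# CSP Level 2: a lone '*' source never matches these schemes; a policy has to
# name them explicitly (e.g. "img-src * data:") for such URLs to load.
WILDCARD_EXCLUDED_SCHEMES = {"blob", "data", "filesystem"}
DEFAULT_PORTS = {"http": 80, "https": 443}


def _host_matches(exp_host: str, url_host: str) -> bool:
    if exp_host == "*":
        return True
    if exp_host.startswith("*."):          # "*.example.com" matches subdomains only
        return url_host.endswith(exp_host[1:])
    return url_host == exp_host


def source_matches(expr: str, url: str, page_scheme: str = "https") -> bool:
    """True if the single source expression `expr` matches `url`.
    Covers '*', scheme-source ("data:") and host-source
    ("https://*.cdn.example.com:443/js/"); keyword sources such as
    'self' are handled by policy_allows()."""
    expr = expr.lower()
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if expr == "*":
        return scheme not in WILDCARD_EXCLUDED_SCHEMES
    if expr.endswith(":") and "/" not in expr:     # scheme-source
        return scheme == expr[:-1]
    if "://" in expr:
        exp_scheme, _, rest = expr.partition("://")
    else:                                           # no scheme: use the page's
        exp_scheme, rest = page_scheme, expr
    if scheme != exp_scheme:
        return False
    host_port, _, path = rest.partition("/")
    exp_host, _, exp_port = host_port.partition(":")
    if not _host_matches(exp_host, (parts.hostname or "").lower()):
        return False
    if exp_port and exp_port != "*":
        if str(parts.port or DEFAULT_PORTS.get(scheme)) != exp_port:
            return False
    if path:
        exp_path = "/" + path
        if exp_path.endswith("/"):                  # directory prefix match
            return parts.path.startswith(exp_path)
        return parts.path == exp_path               # otherwise exact match
    return True


def policy_allows(directive_value: str, url: str, page_origin: str) -> bool:
    """Evaluate one directive's source list, e.g. "'self' * data:"."""
    origin = urlsplit(page_origin)
    sources = directive_value.split()
    if sources == ["'none'"]:
        return False
    for src in sources:
        if src == "'self'":
            u = urlsplit(url)
            if (u.scheme, u.hostname, u.port) == (
                    origin.scheme, origin.hostname, origin.port):
                return True
        elif src.startswith("'"):
            continue          # 'unsafe-inline', nonces, hashes: not URL sources
        elif source_matches(src, url, origin.scheme):
            return True
    return False
```

With this matcher `script-src *` rejects a data: URL, which is the behaviour the advisory says the specification requires and Mozilla's implementation lacked.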
firefox: multiple vulnerabilities
Package(s): firefox
CVE #(s): CVE-2015-4473 CVE-2015-4475 CVE-2015-4478 CVE-2015-4479 CVE-2015-4480 CVE-2015-4484 CVE-2015-4485 CVE-2015-4486 CVE-2015-4487 CVE-2015-4488 CVE-2015-4489 CVE-2015-4491 CVE-2015-4492 CVE-2015-4493
Created: August 12, 2015
Updated: February 29, 2016
Description: From the Red Hat advisory:
Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox.
gnutls: denial of service
Package(s): gnutls28
CVE #(s): CVE-2015-6251
Created: August 12, 2015
Updated: September 12, 2016
Description: From the Debian advisory:
Kurt Roeckx discovered that decoding a specific certificate with very long DistinguishedName (DN) entries leads to a double free. A remote attacker can take advantage of this flaw by creating a specially crafted certificate that, when processed by an application compiled against GnuTLS, could cause the application to crash, resulting in a denial of service.
kernel: multiple vulnerabilities
Package(s): kernel
CVE #(s): CVE-2015-5697 CVE-2015-5706 CVE-2015-5707
Created: August 7, 2015
Updated: September 29, 2015
Description: From the Debian advisory:
CVE-2015-5697: A flaw was discovered in the md driver in the Linux kernel leading to an information leak.
CVE-2015-5706: A user-triggerable use-after-free vulnerability in path lookup in the Linux kernel could potentially lead to privilege escalation.
CVE-2015-5707: An integer overflow in the SCSI generic driver in the Linux kernel was discovered. A local user with write permission on a SCSI generic device could potentially exploit this flaw for privilege escalation.
lighttpd: log injection
Package(s): lighttpd
CVE #(s): CVE-2015-3200
Created: August 7, 2015
Updated: September 8, 2015
Description: From the Red Hat bugzilla:
A flaw was found in Lighttpd: When the basic HTTP authentication base64 string does not contain a colon character (or contains it after a NULL byte, which can be inserted inside the base64 encoding), then that situation is logged with the string ": is missing in " and the simply decoded base64 string. This means that new lines, NULL bytes and everything else can be encoded with base64 and are then inserted into logs as they are after decoding.
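The log-injection pattern described in the lighttpd entry, as an added example that is not lighttpd's code: a Python stand-in for the Basic-auth logging path, fed constructed headers, with the flawed verbatim logging next to a hardened variant that escapes control bytes before they reach the log. The escaping approach, the function names and the sample credentials are assumptions made for this illustration.

```python
import base64
import binascii

# Constructed sample headers (not taken from the advisory).  The second one
# decodes to a string with no colon before a NUL byte and carries a newline,
# so a logger that writes the decoded bytes verbatim emits a forged extra line.
GOOD_HEADER = "Basic " + base64.b64encode(b"alice:s3cret").decode("ascii")
EVIL_HEADER = "Basic " + base64.b64encode(
    b"bob\n203.0.113.5 login success for admin\x00:pw").decode("ascii")


def _decode(header: str) -> bytes:
    """Return the raw decoded credential bytes, or b'' if the header is malformed."""
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic":
        return b""
    try:
        return base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return b""


def split_like_c(raw: bytes):
    """Mimic the C server: the decoded buffer is handled as a NUL-terminated
    string, so a colon placed after a NUL byte is never seen."""
    cstr = raw.split(b"\x00", 1)[0]
    user, sep, password = cstr.partition(b":")
    return (user, password) if sep else None


def log_line_vulnerable(header: str) -> str:
    """The flawed pattern: the decoded bytes go into the log message verbatim."""
    raw = _decode(header)
    creds = split_like_c(raw)
    if creds is None:
        return ": is missing in " + raw.decode("latin-1")
    return "auth ok for " + creds[0].decode("latin-1")


def sanitize(raw: bytes) -> str:
    """Escape everything outside printable ASCII (and the backslash itself) so
    that one request can only ever produce one log line."""
    out = []
    for b in raw:
        if 0x20 <= b < 0x7F and b != 0x5C:
            out.append(chr(b))
        else:
            out.append("\\x%02x" % b)
    return "".join(out)


def log_line_hardened(header: str) -> str:
    """Same message, but untrusted bytes are escaped before logging."""
    raw = _decode(header)
    creds = split_like_c(raw)
    if creds is None:
        return ": is missing in " + sanitize(raw)
    return "auth ok for " + sanitize(creds[0])


if __name__ == "__main__":
    for h in (GOOD_HEADER, EVIL_HEADER):
        print(repr(log_line_vulnerable(h)))
        print(repr(log_line_hardened(h)))
```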
mantis: information disclosure
Package(s): mantis
CVE #(s): CVE-2015-5059
Created: August 7, 2015
Updated: August 12, 2015
Description: From the Red Hat bugzilla:
In MantisBT, the "Project Documentation" feature can be used to attach files to a project. When this feature is enabled ($g_enable_project_documentation = ON) and the threshold to view these files is left at its default value ($g_view_proj_doc_threshold = ANYBODY), any registered user in the system can download every such attachment, including those which are linked to private projects to which the user does not have access. This can be achieved by calling the download script directly and specifying the ID of the file to download.
mozilla: information leak
Package(s): firefox thunderbird seamonkey
CVE #(s): CVE-2015-4495
Created: August 7, 2015
Updated: September 2, 2015
Description: From the Arch Linux advisory:
Security researcher Cody Crews reported on a way to violate the same origin policy and inject script into a non-privileged part of the built-in PDF Viewer. This would allow an attacker to read and steal sensitive local files on the victim's computer. Mozilla has received reports that an exploit based on this vulnerability has been found in the wild. A remote attacker can craft a malicious web page stealing arbitrary files from the host running Firefox. Mozilla reports that this flaw is already exploited in the wild. At least one exploit is targeting Linux and reads /etc/passwd, then in all the user directories it can access looks for .bash_history, .mysql_history, .pgsql_history, .ssh configuration files and keys, configuration files for Remmina, FileZilla, and Psi+, text files with "pass" and "access" in the names, and any shell scripts.
opensaml-java: missing host name verification
Package(s): opensaml-java
CVE #(s): CVE-2014-3603
Created: August 7, 2015
Updated: August 12, 2015
Description: From the Red Hat bugzilla:
It was discovered that the HttpResource and FileBackedHttpResource implementations in OpenSAML Java and Shibboleth IdP did not enable hostname verification when using TLS connections. Additionally, OpenSAML Java makes use of Jakarta Commons HttpClient version 3.x, which does not perform verification of the server hostname against the server's X.509 certificate (CVE-2012-5783). This flaw can be exploited by a man-in-the-middle (MITM) attack, where the attacker can spoof a valid certificate using a specially crafted subject.
pure-ftpd: denial of service
Package(s): pure-ftpd
Created: August 12, 2015
Updated: September 9, 2015
Description: From the Red Hat bugzilla:
It was reported that the process handling a user session could be crashed by trying to match a file pattern longer than the maximum length for a path.
qemu: denial of service
Package(s): qemu
CVE #(s): CVE-2015-5745
Created: August 12, 2015
Updated: September 1, 2015
Description: From the Mageia advisory:
A Qemu emulator built with the virtio-serial vmchannel support is vulnerable to a buffer overflow issue. It could occur while exchanging virtio control messages between the guest and the host. A malicious guest could use this flaw to corrupt a few bytes of the Qemu memory area, potentially crashing the Qemu process.
rubygems: DNS hijacking
Package(s): rubygems
CVE #(s): CVE-2015-3900
Created: August 11, 2015
Updated: September 9, 2015
Description: From the CVE entry:
RubyGems 2.0.x before 2.0.16, 2.2.x before 2.2.4, and 2.4.x before 2.4.7 does not validate the hostname when fetching gems or making API requests, which allows remote attackers to redirect requests to arbitrary domains via a crafted DNS SRV record, aka a "DNS hijack attack."
subversion: two vulnerabilities
Package(s): subversion
CVE #(s): CVE-2015-3184 CVE-2015-3187
Created: August 11, 2015
Updated: August 18, 2015
Description: From the Debian advisory:
CVE-2015-3184: Subversion's mod_authz_svn does not properly restrict anonymous access in some mixed anonymous/authenticated environments when using Apache httpd 2.4. The result is that anonymous access may be possible to files for which only authenticated access should be possible. This issue does not affect the oldstable distribution (wheezy) because it only contains Apache httpd 2.2.
CVE-2015-3187: Subversion servers, both httpd and svnserve, will reveal some paths that should be hidden by path-based authz. When a node is copied from an unreadable location to a readable location the unreadable path may be revealed. This vulnerability only reveals the path; it does not reveal the contents of the path.
swift: arbitrary object deletion
Package(s): swift
CVE #(s): CVE-2015-1856
Created: August 6, 2015
Updated: August 25, 2015
Description: From the Ubuntu advisory:
Clay Gerrard discovered Swift allowed users to delete the latest version of an object regardless of object permissions when allow_version is configured. An attacker could use this issue to delete objects. (CVE-2015-1856)
wordpress: multiple vulnerabilities
Package(s): wordpress
CVE #(s): CVE-2015-2213 CVE-2015-5730 CVE-2015-5731 CVE-2015-5732 CVE-2015-5733 CVE-2015-5734
Created: August 7, 2015
Updated: August 12, 2015
Description: From the Arch Linux advisory:
- CVE-2015-2213: SQL injection in comments ID.
- CVE-2015-5730: Timing attack in widgets.
- CVE-2015-5731: Denial of service by locking a post from being edited.
- CVE-2015-5732, CVE-2015-5733, CVE-2015-5734: XSS.
A remote attacker could lock a post from being edited, or compromise a site running WordPress.
xfsprogs: information disclosure
Package(s): xfsprogs
CVE #(s): CVE-2012-2150
Created: August 12, 2015
Updated: January 5, 2016
Description: From the Red Hat bugzilla:
Gabriel Vlasiu reported that xfs_metadump, part of the xfsprogs suite of tools for the XFS filesystem, did not properly obfuscate data. xfs_metadump properly obfuscates active metadata, but the rest of the space within that fs block comes through in the clear. This could lead to exposure of stale disk data via the produced metadump image.
Page editor: Jake Edge