Security Weekly

DPTech Security Weekly (20150406-20150410)

Date: 2015-04-10

This week 50 vulnerabilities have been found, including 15 web application vulnerabilities, 16 operating system vulnerabilities and 19 application vulnerabilities. Among these vulnerabilities, 15 are of high severity, 15 of medium severity and 20 of low severity. Overall, the threat level of the vulnerabilities found this week is ordinary.


1. IBM Systems Director Storage Control GNU C Library Buffer Overflow Vulnerability

Vulnerability discovered time: 2015-04-06

CVE Reference(s):

CVE-2015-0235

BUGTRAQ:

The affected system:

IBM Systems Director Storage Control 4.x

Vulnerability description:

IBM has acknowledged a vulnerability in IBM Systems Director Storage Control, which can be exploited by malicious people to compromise a vulnerable system.


The vulnerability is caused by a bundled vulnerable version of the GNU C library.


The vulnerability is reported in versions 4.2.1.0, 4.2.1.0, 4.2.1.1, 4.2.2.0, 4.2.2.1, 4.2.3.0, 4.2.3.1, 4.2.3.2, 4.2.4.0, 4.2.4.1, and 4.2.6.0.


Source reference:

http://secunia.com/advisories/63679/

Expert suggestion:

https://www.ibm.com/support/entry/portal/docdisplay?lndocid=MIGR-5097332

https://www.ibm.com/support/docview.wss?uid=nas78dc6fe4b87296c8686257deb00321310


2. IBM License Metric Tool Two Cross-Site Request Forgery and Clickjacking Vulnerabilities

Vulnerability discovered time: 2015-04-08

CVE Reference(s):

CVE-2014-4774

CVE-2014-4778

BUGTRAQ:

The affected system:

IBM License Metric Tool 9.x

Vulnerability description:

Two vulnerabilities have been reported in IBM License Metric Tool, which can be exploited by malicious people to conduct cross-site request forgery and clickjacking attacks.


1) The application allows users to perform certain actions via HTTP requests via iframes without performing any validity checks to verify the requests. This can be exploited to perform certain unspecified actions by tricking a user into e.g. clicking a specially crafted link via clickjacking.


2) The application allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. This can be exploited to perform certain unspecified actions if a logged-in user visits a malicious website.


The vulnerabilities are reported in versions prior to 9.1.0.2.


Source reference:

http://secunia.com/advisories/63962/

Expert suggestion:

http://www.ibm.com/support/docview.wss?uid=swg21701389