All tracked items across vulnerabilities, news, research, incidents, and regulatory updates.
A command injection vulnerability (CWE-77, a flaw where special characters bypass security checks and let attackers run unauthorized commands) exists in the Websense TRITON Appliance Manager's network diagnostics tool. Remote authenticated users can execute arbitrary commands by inserting shell metacharacters (special symbols like pipes or semicolons) into command parameters, such as the Destination field in the ping command.
Fix: Update to Websense TRITON V-Series appliances version 7.8.4 Hotfix 02 or later.
NVD/CVE DatabaseWebsense TRITON AP-WEB appliances (versions before 8.0.0) and V-Series 7.7 contain multiple XSS vulnerabilities (cross-site scripting, where attackers inject malicious code into web pages). Attackers can exploit these by injecting harmful scripts through specific parameters in the Data Security block page and Content Gateway, which the system fails to properly filter before displaying in error messages.
A cross-site scripting vulnerability (XSS, a flaw where attackers inject malicious code into web pages) was found in the Message Log feature of Websense TRITON AP-EMAIL email security appliances. Attackers could exploit this by crafting a malicious email sender address, allowing them to inject arbitrary web scripts or HTML that would execute when someone views the message log. The vulnerability affected versions before 8.0.0 and V-Series 7.7 appliances.
Websense TRITON AP-WEB and related security products contained multiple XSS vulnerabilities (cross-site scripting, where attackers inject malicious code into web pages seen by other users) in their reporting features. Attackers could exploit these vulnerabilities by inserting harmful scripts through specific parameters in the report scheduler and summary report pages.
CVE-2015-0412 is an unspecified vulnerability in Oracle Java SE versions 6u85, 7u72, and 8u25 that affects JAX-WS (a Java web service framework). Remote attackers can exploit this flaw through sandboxed Java Web Start applications and Java applets to compromise confidentiality, integrity, and availability, though it only affects client-side Java deployments.
CVE-2014-8559 is a bug in the Linux kernel (version 3.17.2 and earlier) where the d_walk function fails to properly manage rename_lock (a mechanism that prevents conflicts when files are renamed). A local user can exploit this to cause a denial of service (DoS), which means crashing or freezing the system so it becomes unresponsive.
CVE-2014-3584 is a denial of service (DoS) vulnerability in Apache CXF, a web services framework, where a specially crafted SAML token (an authentication credential) in a request's authorization header can cause an infinite loop, making the service unresponsive. The vulnerability affects CXF versions before 2.6.11, 2.7.x before 2.7.8, and 3.0.x before 3.0.1.
CVE-2014-6517 is an unspecified security vulnerability in multiple versions of Oracle Java SE (a widely-used programming language and runtime environment) and related products that allows remote attackers to compromise confidentiality through JAXP (Java API for XML Processing, a tool for handling XML data). The vulnerability affects Java SE versions 6u81, 7u67, and 8u20, among others, but the specific technical details of how it works were not disclosed.
CVE-2014-3464 is a security flaw in Red Hat JBossWS (a web service framework used in JBoss Enterprise Application Platform versions 6.2.0 and 6.3.0) where the EJB invocation handler (the code that processes requests to Enterprise Java Beans, which are reusable server-side components) fails to properly block access to restricted JAX-WS handlers (specialized processors for web service messages). This allows authenticated remote users to bypass security restrictions by exploiting permissions they have to the EJB class itself.
CVE-2014-2510 is a vulnerability in EMC Documentum Foundation Services (DFS) versions 6.6, 6.7 SP1, and 6.7 SP2 that allows authenticated users to read files they shouldn't have access to through an XXE (XML External Entity, a flaw where specially crafted XML input tricks a parser into accessing external files) attack. The vulnerability affects components like My Documentum for Desktop, My Documentum for Microsoft Outlook, and CenterStage.
CVE-2014-2423 is an unspecified security flaw in Oracle Java SE versions 6u71, 7u51, and 8 (plus Java SE Embedded 7u51) that affects JAX-WS (a tool for building web services in Java). Remote attackers could exploit this vulnerability to compromise confidentiality (stealing data), integrity (modifying data), and availability (disrupting service), though the exact attack method was not publicly disclosed.
CVE-2014-2414 is a vulnerability in Oracle Java SE versions 6u71, 7u51, and 8, as well as Java SE Embedded 7u51, that allows remote attackers to compromise the security of affected systems through JAXB (Java Architecture for XML Binding, a tool for converting between XML and Java objects). The vulnerability could affect confidentiality (keeping data secret), integrity (preventing unauthorized changes), and availability (keeping systems running).
A security flaw was found in Oracle Java SE versions 6u71, 7u51, and 8, as well as Java SE Embedded 7u51, that allows attackers to compromise confidentiality (the privacy of data) through JAXP (Java API for XML Processing, a tool for handling XML documents). The exact nature of the vulnerability is not specified in the available information, and the severity rating has not yet been officially assigned.
CVE-2014-0458 is an unspecified vulnerability in Oracle Java SE versions 6u71, 7u51, and 8 (as well as Java SE Embedded 7u51) that allows remote attackers to compromise confidentiality, integrity, and availability through JAX-WS (Java API for XML Web Services, a tool for building web services). The vulnerability affects multiple versions of Java and was discovered in 2014.
CVE-2014-0452 is an unspecified vulnerability in Oracle Java SE versions 6u71, 7u51, and 8, as well as Java SE Embedded 7u51, that allows remote attackers to compromise confidentiality (reading private data), integrity (modifying data), and availability (disrupting service) through JAX-WS (Java API for XML Web Services, a tool for building web services). The vulnerability details remain undisclosed in the source material.
A vulnerability in Websense security products (versions 7.7.3 and earlier) allows authenticated users to view saved passwords in plaintext by modifying web page code that normally hides passwords as dots. An attacker with login access could change a password field's HTML element from type="password" to type="text" to expose stored credentials in the Log Database or User Directories components.
Multiple integer overflows (math errors where numbers become too large for their storage space) were found in camera driver code for Linux-based Android devices, allowing attackers to crash the system by sending many commands through an ioctl call (a way programs request special actions from the operating system kernel).
Spring Framework versions before 3.2.4 and certain 4.0.0 versions have a vulnerability where XML processing doesn't block external entity resolution, allowing attackers to read files, disrupt service, or perform CSRF attacks (cross-site request forgery, where attackers trick users into performing unwanted actions) through specially crafted XML input. This is classified as an XXE issue (XML External Entity, a type of attack that exploits how XML parsers handle external references).
Fix: Upgrade Websense TRITON APX to Version 8.0 or later, as stated in the vendor advisory: 'Vulnerabilities resolved in TRITON APX Version 8.0'.
NVD/CVE DatabaseFix: Update to Websense TRITON AP-EMAIL version 8.0.0 or later, as referenced in the vendor advisory at http://www.websense.com/support/article/kbarticle/Vulnerabilities-resolved-in-TRITON-APX-Version-8-0.
NVD/CVE DatabaseFix: Update to Websense TRITON AP-WEB version 8.0.0 or later, or apply Hotfix 02 for version 7.8.3 and Hotfix 01 for version 7.8.4 of Web Security and Filter, Web Security Gateway, and Web Security Gateway Anywhere.
NVD/CVE DatabaseFix: Update Apache CXF to version 2.6.11, 2.7.8, or 3.0.1 or later.
NVD/CVE DatabaseSpring Framework versions before 3.2.8 and 4.0.x before 4.0.2 contain a vulnerability in their XML handling component that fails to disable external entity resolution, allowing attackers to read files, cause service disruptions, and perform CSRF attacks (cross-site request forgery, where an attacker tricks you into performing unwanted actions on a website you're logged into) through malicious XML input. This is an XXE (XML External Entity) vulnerability, a flaw where an application processes external references in XML files unsafely.
Fix: Update Spring Framework to version 3.2.8 or later, or update Spring Framework 4.0.x to version 4.0.2 or later.
NVD/CVE DatabaseFix: Apply Hotfix 31 to Websense Triton Unified Security Center, Web Filter, Web Security, Web Security Gateway, or Web Security Gateway Anywhere version 7.7.3.
NVD/CVE DatabaseSpring Framework versions before 3.2.4 and 4.0.0.M1 have a vulnerability in their XML processing tool (Spring OXM wrapper with JAXB marshaller) that fails to disable entity resolution, which is a security feature that prevents processing of external XML entities. This allows attackers to read arbitrary files (files they shouldn't access), cause denial of service (making the application unavailable), and conduct CSRF attacks (cross-site request forgery, tricking users into performing unwanted actions) by embedding malicious XML external entity declarations in input data.
Fix: Upgrade Spring Framework to version 3.2.4 or 4.0.0.M1 or later. Red Hat provides patches and updates referenced in advisories RHSA-2014-0212, RHSA-2014-0245, RHSA-2014-0254, and RHSA-2014-0400. A patch is also available in the Spring Framework GitHub repository (https://github.com/spring-projects/spring-framework/pull/317/files).
NVD/CVE Database