Fabian Yamaguchi

**Name of the Vulnerable Software and Affected Versions** Graylog versions prior to 6.0.14 Graylog versions prior to 6.1.10 Graylog versions prior to 6.2.0 **Description** Graylog is a log management platform. An issue exists where user session cookies can be obtained by submitting an HTML form within an Event Definition Remediation Step field. To successfully exploit this, an attacker requires a user account with the ability to create event definitions and permissions to view alerts. An active Input capable of receiving form data, such as an HTTP input, TCP raw, or syslog, must also be present on the Graylog server. **Recommendations** Graylog versions prior to 6.0.14 should be updated to version 6.0.14 or later. Graylog versions prior to 6.1.10 should be updated to version 6.1.10 or later. Graylog versions prior to 6.2.0 should be updated to version 6.2.0 or later.

**Name of the Vulnerable Software and Affected Versions** Graylog versions 2.0.0 through 5.1.10 Graylog versions 5.2.0 through 5.2.3 **Description** The issue allows arbitrary classes to be loaded and instantiated using a HTTP PUT request to the "/api/system/cluster config/" endpoint. Graylog's cluster config system uses fully qualified class names as config keys, and to validate the existence of the requested class, Graylog loads the class using the class loader. If a user with the appropriate permissions performs the request, arbitrary classes with 1-arg String constructors can be instantiated, executing arbitrary code during class instantiation. In the specific use case of `java.io.File`, the behavior of the internal web-server stack will lead to information exposure by including the entire file content in the response to the REST request. **Recommendations** For Graylog versions 2.0.0 through 5.1.10, update to version 5.1.11 or later. For Graylog versions 5.2.0 through 5.2.3, update to version 5.2.4 or later. As a temporary workaround, consider restricting access to the "/api/system/cluster config/" endpoint to minimize the risk of exploitation. Restrict access to the `java.io.File` class to prevent information exposure. Ensure that only authorized users with the `clusterconfigentry:create` and `clusterconfigentry:edit` permissions can perform requests to the vulnerable endpoint.

**Name of the Vulnerable Software and Affected Versions** Graylog versions 4.3.0 through 5.1.10 Graylog versions 4.3.0 through 5.2.3 **Description** The issue allows reauthenticating with an existing session cookie to re-use that session id, even if for different user credentials. This could be used to gain elevated access to an existing Graylog login session, provided the malicious user could successfully inject their session cookie into someone else's browser. The complexity of such an attack is high, because it requires presenting a spoofed login screen and injection of a session cookie into an existing browser, potentially through a cross-site scripting attack. No such attack has been discovered. Using short session expiration and explicit log outs of unused sessions can help limiting the attack vector. A proxy could be leveraged to clear the `authentication` cookie for the Graylog server URL for the "/api/system/sessions" endpoint, as that is the only one vulnerable. **Recommendations** For Graylog versions 4.3.0 through 5.1.10, update to version 5.1.11 or later to resolve the issue. For Graylog versions 4.3.0 through 5.2.3, update to version 5.2.4 or later to resolve the issue. As a temporary workaround, consider using short session expiration and explicit log outs of unused sessions to limit the attack vector. Restrict access to the "/api/system/sessions" endpoint by clearing the `authentication` cookie for the Graylog server URL using a proxy.

**Name of the Vulnerable Software and Affected Versions** libarchive versions prior to 3.2.1 **Description** The issue is related to an integer overflow in the ISO9660 writer, which can be triggered by verifying filename lengths when writing an ISO9660 archive. This can lead to a buffer overflow, causing a denial of service or potentially allowing remote attackers to execute arbitrary code. **Recommendations** For versions prior to 3.2.1, update to version 3.2.1 or later to resolve the issue. As a temporary workaround, consider restricting the use of the ISO9660 writer to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** VideoLAN VLC media player versions prior to 2.1.6 **Description** The issue is related to errors in checking the length of string containers in the MP4 demultiplexer of the VideoLAN VLC media player. Exploitation of this issue may allow a remote attacker to execute arbitrary code or cause a denial of service via a specially crafted .MP4 file. The `MP4 ReadBox String` function is specifically vulnerable, allowing remote attackers to trigger an unintended zero-size malloc and conduct buffer overflow attacks. **Recommendations** For versions prior to 2.1.6, update to version 2.1.6 or later to resolve the issue. As a temporary workaround, consider avoiding the use of .MP4 files from untrusted sources until the update is applied.

**Name of the Vulnerable Software and Affected Versions** VLC media player versions prior to 2.1.6 **Description** The issue is related to an integer underflow in the MP4 demuxer, specifically in the MP4 ReadBox String function. This can be exploited by remote attackers using a specially crafted MP4 file with a box size less than 7, potentially allowing them to execute arbitrary code or cause a denial of service. The vulnerability is associated with errors in checking the length of string containers. **Recommendations** For versions prior to 2.1.6, update to version 2.1.6 or later to resolve the issue. As a temporary workaround, consider avoiding the use of MP4 files from untrusted sources until the update is applied.

**Name of the Vulnerable Software and Affected Versions** VideoLAN VLC media player versions prior to 2.1.6 **Description** The issue is related to an integer truncation in the MP4 Demuxer of the VideoLAN VLC media player. This can be exploited by remote attackers to cause a denial of service or possibly execute arbitrary code via a specially crafted .MP4 file. The problem arises from an incorrect cast operation from a 64-bit integer to a 32-bit integer in the `MP4 ReadBox String` function. **Recommendations** For versions prior to 2.1.6, update to version 2.1.6 or later to resolve the issue. As a temporary workaround, consider avoiding the use of .MP4 files from untrusted sources until the update is applied.

**Name of the Vulnerable Software and Affected Versions** VideoLAN VLC media player versions prior to 2.1.6 **Description** The issue is related to an integer truncation in the automated updater, specifically in the GetUpdateFile function, which allows remote attackers to conduct buffer overflow attacks. This can lead to the execution of arbitrary code or cause a denial of service, resulting in an application crash. The attack can be performed via a crafted file containing an overly long string argument. **Recommendations** For versions prior to 2.1.6, update to version 2.1.6 or later to resolve the issue. As a temporary workaround, consider disabling the automated updater until a patch is available.

**Name of the Vulnerable Software and Affected Versions** VLC media player versions prior to 2.1.6 **Description** The issue is related to a buffer overflow in the RTP streaming code, specifically in the `rtp packetize xiph config` function, due to improper bounds checking. This allows remote attackers to cause a denial of service or possibly execute arbitrary code via a crafted file containing an overly long string argument. The vulnerability can be exploited by a specially crafted ogg file, potentially leading to memory corruption or arbitrary code execution. **Recommendations** For versions prior to 2.1.6, update to version 2.1.6 or later to resolve the issue. As a temporary workaround, consider disabling the RTP streaming functionality until a patch is available. Restrict access to potentially malicious files, especially those containing overly long string arguments, to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** VLC media player versions prior to 2.1.6 VLC media player versions 2.2.x prior to 2.2.1 **Description** The issue is related to an integer overflow in the Encode function, specifically in the Schroedinger codec, which can lead to a buffer overflow. This allows remote attackers to execute arbitrary code or cause a denial of service via a crafted file. The vulnerability is due to improper bounds checking in the Schroedinger- and Dirac- encoders. **Recommendations** For versions prior to 2.1.6, update to version 2.1.6 or later. For versions 2.2.x prior to 2.2.1, update to version 2.2.1 or later. As a temporary workaround, consider disabling the Schroedinger and Dirac encoders until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Pidgin versions prior to 2.10.8 **Description** The issue allows a remote attacker to cause a denial of service by manipulating OIM XML headers or via crafted SOAP responses, OIM XML responses, or Content-Length headers, leading to a NULL pointer dereference and crash. **Recommendations** For versions prior to 2.10.8, update to version 2.10.8 or later to resolve the issue. As a temporary workaround, consider restricting access to MSN protocol functionality until the update is applied.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 3.12.1 **Description** The issue allows local users to cause a denial of service by leveraging root privileges for a zero-length write operation in the `lbs debugfs write` function. **Recommendations** For versions prior to 3.12.1, update to version 3.12.1 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions through 3.12.1 **Description** The issue is related to the `aac send raw srb` function in the Linux kernel, which does not properly validate a certain size value. This can be exploited by local users with `CAP SYS ADMIN` privileges to cause a denial of service or possibly have other unspecified impacts via a crafted SRB command using the `FSACTL SEND RAW SRB` ioctl call. Local users can potentially elevate their privileges by exploiting the `aacraid` driver. **Recommendations** For Linux kernel versions through 3.12.1, consider restricting access to the `FSACTL SEND RAW SRB` ioctl call to minimize the risk of exploitation. As a temporary workaround, consider disabling the `aac send raw srb` function until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 3.12.1 **Description** The issue allows local users to cause a denial of service or possibly have unspecified other impact via an SNMP ioctl call with a length value that is incompatible with the command-buffer size. This is due to a buffer overflow in the `qeth snmp command` function in `drivers/s390/net/qeth core main.c`. The `ioctl` call `IOC QETH ADP SET SNMP CONTROL` is involved in the system call. **Recommendations** For Linux kernel versions prior to 3.12.1, update to version 3.12.1 or later to resolve the issue. As a temporary workaround, consider restricting access to the `qeth snmp command` function until a patch is available. Avoid using the `IOC QETH ADP SET SNMP CONTROL` ioctl call with incompatible length values in the command-buffer size until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 3.12 **Description** The issue is related to a buffer overflow in the exitcode proc write function, which can be exploited by local users with write privileges to the /proc/exitcode file. This could potentially allow users to cause a denial of service or have other unspecified impacts, possibly including privilege escalation. The estimated number of potentially affected devices is not specified. **Recommendations** For Linux kernel versions prior to 3.12, update to version 3.12 or later to resolve the issue. As a temporary workaround, consider restricting write access to the /proc/exitcode file to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 3.12 **Description** The issue is related to multiple buffer overflows in the Linux kernel, specifically in the drivers/staging/wlags49 h2/wl priv.c file. This can be exploited by local users with the CAP NET ADMIN capability to cause a denial of service or possibly have other unspecified impacts. The exploitation is related to the `wvlan uil put info` and `wvlan set station nickname` functions when a long station-name string is provided. **Recommendations** For Linux kernel versions prior to 3.12, update to version 3.12 or later to resolve the issue. As a temporary workaround, consider restricting the CAP NET ADMIN capability to minimize the risk of exploitation. Additionally, avoid providing long station-name strings to prevent triggering the buffer overflows in the `wvlan uil put info` and `wvlan set station nickname` functions until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 3.12 **Description** The issue allows local users to obtain sensitive information from kernel stack memory. This is due to the mp get count function in drivers/staging/sb105x/sb pci mp.c not initializing a certain data structure, which can be exploited via a TIOCGICOUNT ioctl call. **Recommendations** For Linux kernel versions prior to 3.12, update to version 3.12 or later to resolve the issue. As a temporary workaround, consider restricting access to the TIOCGICOUNT ioctl call to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 3.12 **Description** The issue allows local users to obtain sensitive information from kernel memory. This is due to the bcm char ioctl function in drivers/staging/bcm/Bcmchar.c not initializing a certain data structure, which can be exploited via an IOCTL BCM GET DEVICE DRIVER INFO ioctl call. **Recommendations** For versions prior to 3.12, update to version 3.12 or later to resolve the issue. As a temporary workaround, consider restricting access to the bcm char ioctl function until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 3.12 **Description** The issue is related to multiple integer overflows in Alchemy LCD frame-buffer drivers. Local users can create a read-write memory mapping for the entirety of kernel memory and gain privileges via crafted `mmap` operations. This is related to the `au1100fb fb mmap` function in `drivers/video/au1100fb.c` and the `au1200fb fb mmap` function in `drivers/video/au1200fb.c`. **Recommendations** For Linux kernel versions prior to 3.12, update to version 3.12 or later to resolve the issue. As a temporary workaround, consider restricting access to the `au1100fb fb mmap` and `au1200fb fb mmap` functions until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Libav versions 0.5.x through 0.5.8 Libav versions 0.6.x through 0.6.5 Libav versions 0.7.x through 0.7.5 Libav versions 0.8.x through 0.8.1 **Description** The issue is related to a heap-based buffer overflow in the `vqa decode chunk` function within the VQA codec of libavcodec. This can be triggered by remote attackers using a crafted VQA media file where the image size is not a multiple of the block size, potentially leading to a denial of service or arbitrary code execution. **Recommendations** For Libav versions 0.5.x through 0.5.8, update to version 0.5.9 or later. For Libav versions 0.6.x through 0.6.5, update to version 0.6.6 or later. For Libav versions 0.7.x through 0.7.5, update to version 0.7.6 or later. For Libav versions 0.8.x through 0.8.1, update to version 0.8.2 or later.