This week security researchers have warned about serious vulnerabilities in the Treck TCP/IP stack, a high-performance TCP/IP protocol suite designed for embedded systems, that could expose hundreds of millions of IoT devices to remote hijacking.
Treck TCP/IP contains a total of 19 vulnerabilities, collectively tracked as Ripple20, which could be exploited to achieve remote code execution, perform denial-of-service attacks, and obtain potentially sensitive information. Exploitation involves sending specially crafted IP packets or DNS requests to the targets, and in some cases it may be possible to launch attacks directly from the internet.
Adobe has released an out-of-band update addressing 18 critical flaws in Adobe After Effects, Illustrator, Premiere Pro, Premiere Rush, and Audition. All 18 flaws allow remote execution of arbitrary code.
A high-risk flaw (CVE-2020-11969) has been patched in Apache TomEE Webapp that could be used by a remote attacker to gain unauthorized access to the application. The vulnerability exists because the JMX interface is accessible to unauthenticated users via port 1099/TCP if Apache TomEE is configured to use the embedded ActiveMQ broker and the broker URI includes the useJMX=true parameter.
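The exposure condition above is a configuration state, so it can be audited before a scanner ever reaches port 1099. The following script is an added example, not part of the original digest or of the Apache TomEE project: it reads a tomee.xml, finds every Resource of type ActiveMQResourceAdapter, and flags the ones whose BrokerXmlConfig broker URI enables JMX. It assumes TomEE's documented tomee.xml layout (a Resource body made of "key = value" lines, with BrokerXmlConfig holding an ActiveMQ broker URI of the form broker:(transport)?options); the sample configuration embedded in the script is constructed for the example. The option name is matched case-insensitively so that useJmx and useJMX are treated alike.

```python
"""Audit a TomEE tomee.xml for embedded ActiveMQ brokers that enable JMX.

Added example, not code from the original digest or from Apache TomEE.
Assumes the documented tomee.xml layout: <Resource type="ActiveMQResourceAdapter">
whose body holds "key = value" properties, one of which (BrokerXmlConfig)
carries the broker URI.  SAMPLE_TOMEE_XML below is constructed for this example.
"""
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs

# Constructed sample: one adapter with JMX enabled, one with it disabled,
# and an unrelated DataSource resource that must be ignored.
SAMPLE_TOMEE_XML = """<tomee>
  <Resource id="ExposedAdapter" type="ActiveMQResourceAdapter">
    BrokerXmlConfig = broker:(tcp://localhost:61616)?useJmx=true
    ServerUrl = vm://localhost?async=true
  </Resource>
  <Resource id="SafeAdapter" type="ActiveMQResourceAdapter">
    BrokerXmlConfig = broker:(tcp://localhost:61616)?useJmx=false
    ServerUrl = vm://localhost?async=true
  </Resource>
  <Resource id="MyDataSource" type="DataSource">
    JdbcDriver = org.hsqldb.jdbcDriver
  </Resource>
</tomee>"""


def parse_properties(text):
    """Turn the 'key = value' lines inside a <Resource> body into a dict."""
    props = {}
    for line in (text or "").splitlines():
        line = line.strip()
        if not line or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def broker_uri_enables_jmx(broker_uri):
    """True if the broker URI's option string sets useJmx=true.

    ActiveMQ broker URIs look like broker:(transports...)?opt=val&opt2=val.
    Options are taken from after the last ')' so that a '?' inside a
    transport URI is not mistaken for the broker option separator.
    The option name is compared case-insensitively ('useJMX' also matches).
    """
    tail = broker_uri.rsplit(")", 1)[-1]
    _, sep, query = tail.partition("?")
    if not sep:
        return False
    for key, values in parse_qs(query, keep_blank_values=True).items():
        if key.lower() == "usejmx" and any(v.lower() == "true" for v in values):
            return True
    return False


def find_jmx_enabled_adapters(tomee_xml):
    """Return the ids of ActiveMQResourceAdapter resources with JMX enabled."""
    root = ET.fromstring(tomee_xml)
    exposed = []
    for res in root.iter("Resource"):
        if res.get("type") != "ActiveMQResourceAdapter":
            continue
        props = parse_properties(res.text)
        if broker_uri_enables_jmx(props.get("BrokerXmlConfig", "")):
            exposed.append(res.get("id"))
    return exposed


if __name__ == "__main__":
    for adapter_id in find_jmx_enabled_adapters(SAMPLE_TOMEE_XML):
        print(f"{adapter_id}: embedded ActiveMQ broker enables JMX; "
              f"verify port 1099/TCP is not reachable without authentication")
```

Run it against a real tomee.xml by passing the file contents to find_jmx_enabled_adapters; any id it returns is a broker whose JMX setting matches the exposure condition in the advisory and should be reviewed alongside the installed TomEE version.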
Two serious vulnerabilities (CVE-2020-2587, CVE-2020-2586) have been found in the Oracle Human Resources product of Oracle E-Business Suite that allow a remote authenticated user to escalate privileges within the application.
Successful exploitation of the above flaws can lead to unauthorized creation, deletion or modification of critical data, or can be used to cause a partial denial of service (partial DoS) of Oracle Human Resources.
Drupal developers issued updates to fix a number of vulnerabilities in Drupal core, including a flaw that could allow an attacker to execute arbitrary code. The issue, tracked as CVE-2020-13664, affects Drupal 8 and 9. An attacker could trick an administrator into visiting a malicious site, which could result in a carefully named directory being created on the file system. With this directory in place, an attacker could attempt to brute force a remote code execution vulnerability.
According to Drupal team’s security advisory, “Windows servers are most likely to be affected.”
Users of the VLC (Video Lan Client) media player are advised to apply the latest update, VLC 3.0.11, which fixes three security vulnerabilities, two of which (CVE-2020-9308, CVE-2020-13428) could result in remote code execution. The third bug (CVE-2019-19221) is an out-of-bounds read issue that could allow a remote attacker to steal sensitive information.
Rockwell Automation's FactoryTalk View SE solution contains a high-risk vulnerability (CVE-2020-12029) that could lead to remote code execution. The vulnerability exists due to insufficient validation of user-supplied input in filenames within a project directory.
The vendor recommends applying patch 1126289. Before installing this patch, the patch rollup dated 06 Apr 2020 or later must be applied.