・Vulnerability Summary for CVE-2016-4373 (7/31)
← Vulnerability in HPE's OM (Operations Manager)
HPSBGN03630 rev.2 - HP Operations Manager for Unix, Solaris, and Linux
using Apache Commons Collections (ACC), Remote Code Execution (7/25-8/11)
← Can be mitigated by applying the patch
・Vulnerability Summary for CVE-2016-5254 (8/4-5)
← Vulnerability in Mozilla Firefox before 48.0 and Firefox ESR 45.x before 45.3
Japanese version ↓
JVNDB-2016-004147
Arbitrary code execution vulnerability in the
nsXULPopupManager::KeyDown function of Mozilla Firefox (8/8)
・Vulnerability Summary for CVE-2016-6258 (8/2)
← Vulnerability in Xen 4.7.x and earlier
Updating is sufficient
Xen PV Pagetable Update Flaw Lets Local Users on an X86 PV Guest System
Gain Elevated Privileges on the Host System (7/26)
・APM access log vulnerability CVE-2016-1497 (8/10)
・TMM vulnerability CVE-2016-5023 (8/11)
・Vulnerability Summary for CVE-2016-6258 (8/3)
・Vulnerability Summary for CVE-2016-1712 (8/3)
・Vulnerability Summary for CVE-2016-1466 (8/7)
・Vulnerability Summary for CVE-2014-9863 (8/10)
「Integer underflow in the diag driver in the Qualcomm components in Android before 2016-08-05 on Nexus 5 and 7 (2013) devices allows attackers to gain privileges or obtain sensitive information via a crafted application, aka Android internal bug 28768146 and Qualcomm internal bug CR549470.」
・Vulnerability Summary for CVE-2014-9864 (8/10)
「drivers/misc/qseecom.c in the Qualcomm components in Android before 2016-08-05 on Nexus 5 and 7 (2013) devices does not validate ioctl calls, which allows attackers to gain privileges via a crafted application, aka Android internal bug 28747998 and Qualcomm internal bug CR561841.」
・Vulnerability Summary for CVE-2016-3288
「Microsoft Internet Explorer 11 allows remote attackers to execute arbitrary code via a crafted web page, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2016-3290.」
・Vulnerability Summary for CVE-2016-3313 (8/12)
「Microsoft Office 2007 SP3, 2010 SP2, 2013 SP1, 2013 RT SP1, and 2016, Word 2016 for Mac, and Word Viewer allow remote attackers to execute arbitrary code via a crafted file, aka "Microsoft Office Memory Corruption Vulnerability."」
・Vulnerability Summary for CVE-2016-3319
「The PDF library in Microsoft Windows 8.1; Windows Server 2012 Gold and R2; Windows 10 Gold, 1511, and 1607; and Microsoft Edge allows remote attackers to execute arbitrary code via a crafted PDF file, aka "Microsoft PDF Remote Code Execution Vulnerability."」
← Vulnerability in the PDF library of the affected MS Windows versions
Microsoft Security Bulletin MS16-096 - Critical
Cumulative Security Update for Microsoft Edge (3177358) (8/9)
← Applying the patch is sufficient.
Reportedly, the impact is also smaller for accounts below a privileged ID