Gentoo Archives: gentoo-announce

From: Pierre-Yves Rofes <py@g.o>
To: gentoo-announce@l.g.o
Cc: full-disclosure@××××××××××××××.uk, bugtraq@×××××××××××××.com, security-alerts@×××××××××××××.com
Subject: [gentoo-announce] [ GLSA 200904-01 ] Openfire: Multiple vulnerabilities
Date: Thu, 02 Apr 2009 20:51:35
Message-Id: 49D52543.6050707@gentoo.org

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 200904-01
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: Openfire: Multiple vulnerabilities
      Date: April 02, 2009
      Bugs: #246008, #254309
        ID: 200904-01

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities were discovered in Openfire, the worst of
which may allow remote execution of arbitrary code.

Background
==========

Ignite Realtime Openfire is a fast real-time collaboration server.

Affected packages
=================

    -------------------------------------------------------------------
     Package          /  Vulnerable  /                      Unaffected
    -------------------------------------------------------------------
  1  net-im/openfire       < 3.6.3                            >= 3.6.3

Description
===========

Two vulnerabilities have been reported by Federico Muttis, from CORE
IMPACT's Exploit Writing Team:

* Multiple missing or incomplete input validations in several .jsps
  (CVE-2009-0496).

* Incorrect input validation of the "log" parameter in log.jsp
  (CVE-2009-0497).

Multiple vulnerabilities have been reported by Andreas Kurtz:

* Erroneous built-in exceptions to input validation in login.jsp
  (CVE-2008-6508).

* Unsanitized user input to the "type" parameter in
  sipark-log-summary.jsp used in SQL statement. (CVE-2008-6509)

* A Cross-Site-Scripting vulnerability due to unsanitized input to
  the "url" parameter. (CVE-2008-6510, CVE-2008-6511)

Impact
======

A remote attacker could execute arbitrary code on clients' systems by
uploading a specially crafted plugin, bypassing authentication.
Additionally, an attacker could read arbitrary files on the server or
execute arbitrary SQL statements. Depending on the server's
configuration the attacker might also execute code on the server via an
SQL injection.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Openfire users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=net-im/openfire-3.6.3"

References
==========

  [ 1 ] CVE-2008-6508
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-6508
  [ 2 ] CVE-2008-6509
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-6509
  [ 3 ] CVE-2008-6510
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-6510
  [ 4 ] CVE-2008-6511
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-6511
  [ 5 ] CVE-2009-0496
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0496
  [ 6 ] CVE-2009-0497
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0497

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200904-01.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@g.o or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2009 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5
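
For log review on servers that ran a version below 3.6.3, the following added example (not part of the advisory or of Openfire) flags access-log requests to the two JSP and parameter pairs the Description names, log.jsp with "log" and sipark-log-summary.jsp with "type", when the value is not a plain token. The combined-log request format, the plain-token allow-list and the sample lines are assumptions constructed for illustration; a flagged line is a lead for review, not proof of compromise.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: legitimate values for both parameters are short plain tokens.
SAFE_TOKEN = re.compile(r"[A-Za-z0-9_-]{1,32}")

# JSP name -> (parameter, CVE), as paired in the advisory's Description.
WATCHED = {
    "log.jsp": ("log", "CVE-2009-0497"),
    "sipark-log-summary.jsp": ("type", "CVE-2008-6509"),
}

# Assumption: combined-log-format request field: "GET /path?query HTTP/1.1".
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')


def suspicious_requests(lines):
    """Return (line_number, cve, parameter, value) for each watched
    parameter whose decoded value is not a plain token."""
    findings = []
    for number, line in enumerate(lines, start=1):
        match = REQUEST.search(line)
        if not match:
            continue
        target = urlsplit(match.group(1))
        page = target.path.rsplit("/", 1)[-1]
        if page not in WATCHED:
            continue
        parameter, cve = WATCHED[page]
        # parse_qs percent-decodes, so encoded separators are checked decoded.
        values = parse_qs(target.query, keep_blank_values=True)
        for value in values.get(parameter, []):
            if not SAFE_TOKEN.fullmatch(value):
                findings.append((number, cve, parameter, value))
    return findings


# Constructed sample lines (not real traffic); paths and values are made up.
SAMPLE_LOG = [
    '192.0.2.10 - - [02/Apr/2009:20:00:01 +0000] "GET /log.jsp?log=error HTTP/1.1" 200 5120',
    '198.51.100.7 - - [02/Apr/2009:20:00:09 +0000] "GET /log.jsp?log=..%2F..%2Fconf%2Fexample HTTP/1.1" 200 900',
    '198.51.100.7 - - [02/Apr/2009:20:00:15 +0000] "GET /sipark-log-summary.jsp?type=all%27 HTTP/1.1" 500 0',
    '192.0.2.10 - - [02/Apr/2009:20:00:20 +0000] "GET /index.jsp HTTP/1.1" 200 300',
]

if __name__ == "__main__":
    for finding in suspicious_requests(SAMPLE_LOG):
        print(finding)
```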
