
Security Bulletin: Synthetic Playback Agent 8.1.4 is affected by multiple vulnerabilities

Published: 2019-09-16 09:00:57
Source: www.ibm.com
EPSS: 0.722 (High), Percentile: 98.1%

Summary

Synthetic Playback Agent has addressed the following vulnerabilities:

CVE-ID: CVE-2019-11710
CVE-ID: CVE-2019-11721
CVE-ID: CVE-2019-11711
CVE-ID: CVE-2019-11730
CVE-ID: CVE-2019-11720
CVE-ID: CVE-2019-11714
CVE-ID: CVE-2019-11725
CVE-ID: CVE-2019-11715
CVE-ID: CVE-2019-11712
CVE-ID: CVE-2019-11723
CVE-ID: CVE-2019-9811
CVE-ID: CVE-2019-11713
CVE-ID: CVE-2019-11724
CVE-ID: CVE-2019-11718
CVE-ID: CVE-2019-11729
CVE-ID: CVE-2019-11719
CVE-ID: CVE-2019-11716
CVE-ID: CVE-2019-11727
CVE-ID: CVE-2019-11717
CVE-ID: CVE-2019-11728
CVE-ID: CVE-2019-11709

Vulnerability Details

CVE-ID: CVE-2019-11710

Description: Mozilla Firefox could allow a remote attacker to execute arbitrary code on the system, caused by memory safety bugs within the browser engine. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability using unknown attack vectors to execute arbitrary code on the vulnerable system or cause a denial of service.
CVSS Base Score: 8.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/163521 for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)

CVE-ID: CVE-2019-11721
Description: Mozilla Firefox could allow a remote attacker to conduct spoofing attacks. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability to spoof a standard ‘k’ character in the address bar.
CVSS Base Score: 6.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/163514 for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N)

CVE-ID: CVE-2019-11711
Description: Mozilla Firefox could allow a remote attacker to execute arbitrary code on the system, caused by a script injection within domain through inner window reuse. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability using unknown attack vectors to execute arbitrary code on the vulnerable system or cause a denial of service.
CVSS Base Score: 8.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/163503 for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)

CVE-ID: CVE-2019-11730
Description: Mozilla Firefox could allow a remote attacker to bypass security restrictions, caused by a same-origin policy that treats all files in a directory as having the same origin. By persuading a victim to visit a specially-crafted Web site, an attacker could exploit this vulnerability to read attachments the victim received from other correspondents.
CVSS Base Score: 6.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/163515 for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N)

CVE-ID: CVE-2019-11720
Description: Mozilla Firefox is vulnerable to cross-site scripting, caused by the incorrect treatment of Unicode characters. A remote attacker could exploit this vulnerability to execute script in a victim’s Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.
CVSS Base Score: 6.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/163513 for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

CVE-ID: CVE-2019-11714
Description: Mozilla Firefox is vulnerable to a denial of service, caused by an error when NeckoChild is accessed off the main thread. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability to cause the browser to crash.
CVSS Base Score: 6.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/163506 for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)

CVE-ID: CVE-2019-11725
Description: Mozilla Firefox could allow a remote attacker to bypass security restrictions, caused by the failure to block websocket resources. By persuading a victim to visit a specially-crafted Web site, an attacker could exploit this vulnerability to bypass safebrowsing protections.
CVSS Base Score: 6.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/163518 for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N)

CVE-ID: CVE-2019-11715
Description: Mozilla Firefox is vulnerable to cross-site scripting, caused by improper validation of user-supplied input while parsing page content. A remote attacker could exploit this vulnerability to inject malicious script into a Web page which would be executed in a victim’s Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.
CVSS Base Score: 6.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/163508 for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

CVE-ID: CVE-2019-11712
Description: Mozilla Firefox is vulnerable to cross-site request forgery, caused by improper validation of user-supplied input by NPAPI plugins. By persuading an authenticated user to visit a malicious Web site, a remote attacker could send a malformed HTTP request to bypass CORS requirements. An attacker could exploit this vulnerability to perform cross-site scripting attacks, Web cache poisoning, and other malicious activities.
CVSS Base Score: 6.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/163504 for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N)

CVE-ID: CVE-2019-11723
Description: Mozilla Firefox could allow a remote attacker to obtain sensitive information, caused by the leaking of cookies during the installation of add-ons where the initial fetch ignored the origin attributes of the browsing context. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability using unknown attack vectors to obtain sensitive information.
CVSS Base Score: 6.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/163516 for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N)

CVE-ID: CVE-2019-9811
Description: Mozilla Firefox could allow a remote attacker to bypass security restrictions, caused by an error using the installation of a malicious language pack. By persuading a victim to visit a specially-crafted Web site, an attacker could exploit this vulnerability to escape the sandbox.
CVSS Base Score: 6.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/163502 for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N)

CVE-ID: CVE-2019-11713
Description: Mozilla Firefox is vulnerable to a denial of service, caused by a use-after-free in HTTP/2 when a cached HTTP/2 stream is closed while still in use. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability to cause the browser to crash.
CVSS Base Score: 6.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/163505 for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)

CVE-ID: CVE-2019-11724
Description: Mozilla Firefox could allow a remote attacker to bypass security restrictions, caused by retired site input.mozilla.org having remote troubleshooting permissions. By persuading a victim to visit a specially-crafted Web site, an attacker could exploit this vulnerability to bypass restrictions to launch further attacks on the system.
CVSS Base Score: 6.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/163517 for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N)

CVE-ID: CVE-2019-11718
Description: Mozilla Firefox could allow a remote attacker to obtain sensitive information, caused by the Activity Stream writing unsanitized content to innerHTML. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability using unknown attack vectors to obtain sensitive information.
CVSS Base Score: 6.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/163511 for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N)

CVE-ID: CVE-2019-11729
Description: Mozilla Firefox is vulnerable to a denial of service, caused by the improper validation of empty or malformed p256-ECDH public keys before being copied into memory and used. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability to cause the browser to crash.
CVSS Base Score: 6.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/163507 for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)

CVE-ID: CVE-2019-11719
Description: Mozilla Firefox could allow a remote attacker to obtain sensitive information, caused by an out-of-bounds read when importing a curve25519 private key in PKCS#8 format. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability using unknown attack vectors to obtain sensitive information.
CVSS Base Score: 6.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/163512 for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N)

CVE-ID: CVE-2019-11716
Description: Mozilla Firefox could allow a remote attacker to bypass security restrictions, caused by the failure of globalThis to be enumerable until accessed. By persuading a victim to visit a specially-crafted Web site, an attacker could exploit this vulnerability to bypass the sandbox.
CVSS Base Score: 6.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/163509 for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N)

CVE-ID: CVE-2019-11727
Description: Mozilla Firefox could allow a remote attacker to bypass security restrictions. By persuading a victim to visit a specially-crafted Web site, an attacker could exploit this vulnerability to force Network Security Services (NSS) to sign PKCS#1 v1.5 signatures to be used for TLS 1.3 messages.
CVSS Base Score: 6.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/163519 for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N)

CVE-ID: CVE-2019-11717
Description: Mozilla Firefox could allow a remote attacker to conduct spoofing attacks, caused by the improper escaping of the caret character in origins. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability to spoof origin attributes.
CVSS Base Score: 6.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/163510 for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N)

CVE-ID: CVE-2019-11728
Description: Mozilla Firefox could allow a remote attacker to bypass security restrictions. By persuading a victim to visit a specially-crafted Web site, an attacker could exploit this vulnerability to use the Alt-Svc header to scan all TCP ports of any host.
CVSS Base Score: 6.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/163520 for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N)

CVE-ID: CVE-2019-11709
Description: Mozilla Firefox could allow a remote attacker to execute arbitrary code on the system, caused by memory safety bugs within the browser engine. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability using unknown attack vectors to execute arbitrary code on the vulnerable system or cause a denial of service.
CVSS Base Score: 8.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/163522 for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)

Affected Products and Versions

Product | Affected Versions
---|---
Synthetic Playback Agent | 8.1.4 - 8.1.4 IF07

Remediation/Fixes

Product | VRMF | APAR | Remediation / First Fix
---|---|---|---
Synthetic Playback Agent | 8.1.4 IF08 | | 8.1.4.0-IBM-APM-SYNTHETIC-PLAYBACK-AGENT-IF0008

Workarounds and Mitigations

None