About the security content of iOS 13.4 and iPadOS 13.4 - Apple Support

About Apple security updates For our customers' protection, Apple doesn't disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available. Recent releases are listed on the Apple security updates page. Apple security documents reference...

2020.1 IPU – Intel® CSME, SPS, TXE, AMT, ISM and DAL Advisory

Summary: Potential security vulnerabilities in Intel® Converged Security and Manageability Engine CSME, Intel® Server Platform Services SPS, Intel® Trusted Execution Engine TXE, Intel® Active Management Technology AMT, Intel® Standard Manageability ISM and Intel® Dynamic Application Loader DAL ma...

GHSA-2PPP-9496-P23Q Insufficient Entropy in Spring Security

Spring Security versions 5.3.x prior to 5.3.2, 5.2.x prior to 5.2.4, 5.1.x prior to 5.1.10, 5.0.x prior to 5.0.16 and 4.2.x prior to 4.2.16 use a fixed null initialization vector with CBC Mode in the implementation of the queryable text encryptor. A malicious user with access to the data that has...

CVE-2020-0586

Improper initialization in subsystem for IntelR SPS versions before SPSE304.01.04.109.0 and SPSE304.08.04.070.0 may allow an authenticated user to potentially enable escalation of privilege and/or denial of service via local access...

Input validation

Improper initialization in subsystem for IntelR SPS versions before SPSE304.01.04.109.0 and SPSE304.08.04.070.0 may allow an authenticated user to potentially enable escalation of privilege and/or denial of service via local access...

CVE-2020-0586

CVE-2020-0586 affects Intel Server Platform Services (SPS) subsystems prior to SPS_E3_04.01.04.109.0 and SPS_E3_04.08.04.070.0. The root cause is improper initialization in SPS, which may allow a locally authenticated user to escalate privileges and/or cause a denial of service. Public sources (I...

CVE-2020-0586

Improper initialization in subsystem for IntelR SPS versions before SPSE304.01.04.109.0 and SPSE304.08.04.070.0 may allow an authenticated user to potentially enable escalation of privilege and/or denial of service via local access...

Intel SPS Security Vulnerability

Intel Server Platform Services SPS is a server platform services program from Intel USA. A security vulnerability exists in Intel SPS versions prior to SPSE304.01.04.109.0 and SPSE304.08.04.070.0, which stems from the program not being properly initialized. A local attacker could exploit the...

CVE-2020-9833

A memory initialization issue was addressed with improved memory handling. This issue is fixed in macOS Catalina 10.15.5. A local user may be able to read kernel memory...

Memory corruption

A memory initialization issue was addressed with improved memory handling. This issue is fixed in macOS Catalina 10.15.5. A local user may be able to read kernel memory...

CVE-2020-9833

CVE-2020-9833 affects macOS via a memory initialization issue in kernel memory handling. The issue allows a local user to read kernel memory and is fixed in macOS Catalina 10.15.5. Affected components are kernel/memory handling paths referenced in multiple sources; remediation is applying the Cat...

Siemens SINUMERIK

1. EXECUTIVE SUMMARY CVSS v3 9.8 ATTENTION: Exploitable remotely/low skill level to exploit Vendor: Siemens Equipment: SINUMERIK Vulnerabilities: Buffer Underflow, Heap-based Buffer Overflow, Improper Initialization, Out-of-bounds Read, Stack-based Buffer Overflow, Access of Memory Location After...

LSN-0067-1: Kernel Live Patch Security Notice

It was discovered that the Serial CAN interface driver in the Linux kernel did not properly initialize data. A local attacker could use this to expose sensitive information kernel memory. CVE-2020-11494...

CVE-2020-5408

Spring Security versions 5.3.x prior to 5.3.2, 5.2.x prior to 5.2.4, 5.1.x prior to 5.1.10, 5.0.x prior to 5.0.16 and 4.2.x prior to 4.2.16 use a fixed null initialization vector with CBC Mode in the implementation of the queryable text encryptor. A malicious user with access to the data that has...

CVE-2020-5408

CVE-2020-5408 (IBM) affects IBM Sterling Connect:Direct Web Services. A fixed null initialization vector in CBC mode for the queryable text encryptor may allow a dictionary attack to derive unencrypted values, exposing sensitive information. Remediation is via upgrading to supported fixes: IBM St...

DEBIAN-CVE-2020-12831

An issue was discovered in FRRouting FRR aka Free Range Routing through 7.3.1. When using the split-config feature, the init script creates an empty config file with world-readable default permissions, leading to a possible information leak via tools/frr.in and tools/frrcommon.sh.in. NOTE: some...

Solving Uninitialized Stack Memory on Windows

This blog post outlines the work that Microsoft is doing to eliminate uninitialized stack memory vulnerabilities from Windows and why we’re on this path. This blog post will be broken down into a few parts that folks can jump to: Uninitialized Memory Background Potential Solutions to Uninitialize...

CVE-2019-11833

A flaw was found in the Linux kernel's implementation of ext4 extent management. The kernel doesn't correctly initialize memory regions in the extent tree block which may be exported to a local user to obtain sensitive information by reading empty/uninitialized data from the filesystem...

CVE-2020-5877

On BIG-IP 15.0.0-15.1.0.1, 14.1.0-14.1.2.3, 13.1.0-13.1.3.3, 12.1.0-12.1.5.1, and 11.6.1-11.6.5.1, malformed input to the DATAGRAM::tcp iRules command within a FLOWINIT event may lead to a denial of service...

(Pwn2Own) Oracle VirtualBox OHCI Uninitialized Variable Privilege Escalation Vulnerability

This vulnerability allows local attackers to escalate privileges on affected installations of Oracle VirtualBox. An attacker must first obtain the ability to execute high-privileged code on the target guest system in order to exploit this vulnerability. The specific flaw exists within the...