Post on 22-Dec-2021
SECURITY INTELLIGENCE ADVISORY
www.sattrix.com
25th May 2021 - 24th June 2021
INTENT
This report is intended to help quantify the scope of that risk as organizations struggle to balance their cybersecurity policies and protections against their employees' need for access to the Web and its resources.
BACKGROUND
Every organization – large, medium and small – faces a serious risk and a typical challenge in managing the vulnerabilities present in its operating systems. Vulnerabilities that are not attended to pose a very high risk and can expose your organization to various threats and damage. There is threat from users within the system, from competitors who want accurate details about your business model, and so on. There is a defined way to identify and apply patches for your vulnerabilities to avoid all these serious threats and curb the resulting damage. There is also a method in which specialists get into your system and run a check to identify how strong the system is. Performing vulnerability assessments guarantees that all common system vulnerabilities are taken into consideration. When assessments are conducted regularly, new threats are identified quickly.
WHAT DOES THE VULNERABILITY ADVISORY COVER?
We monitor around 2000 applications, appliances and operating systems, and test and verify the vulnerabilities reported in them.
We focus on each vulnerability disclosed in those 2000 products.
The systems and applications monitored by the Sattrix Research Team are those in use in our customers' environments.
Where customers use products that are not already being monitored by our team, these products can be submitted to us and we will initiate monitoring of them the next business day. We only monitor public or commercially available solutions.
The Vulnerability Database covers vulnerabilities that can be exploited in all types of products – software, hardware, firmware, etc.
The vulnerabilities verified by our team are described in the client database as an Advisory and listed in the Sattrix Vulnerability Reports, detailing what IT Security teams need to know to mitigate the risk posed by the vulnerability in their environment.
The Vulnerability Database covers vulnerabilities that can be exploited in all types of products, and we also cover zero-days and EOS/EOL.
We create daily and weekly reports including all the details of each vulnerability and the total vulnerability count for the last week, and provide them to the customer as well.
The Sattrix Advisory descriptions include severity, product under investigation, affected product, CVE ID, Sattrix score, reference links and remediations.
Sattrix researchers monitor the vulnerabilities within 5 business working days.
COPYRIGHT 2021 Sattrix. ALL RIGHTS RESERVED
EXECUTIVE SUMMARY
[Chart: Overall Monthly Vulnerability Trend Chart. Series: With CVE, No CVE, EOS/EOL, each with a linear trend line (Linear (With CVE), Linear (No CVE), Linear (EOS/EOL)). X-axis: 25 May, 30 May, 03 Jun, 06 Jun, 10 Jun, 15 Jun, 18 Jun, 22 Jun; y-axis: 0 to 400.]
[Chart: Released Vulnerabilities and severity wise count. Legend: Low, Medium, Critical, High. Segment values as labelled on the chart: 849 (37%), 122 (6%), 166 (7%), 1145 (50%).]
This graph presents threat levels based on the vulnerabilities identified.
[Chart: total released vulnerabilities. Legend: With CVE, No CVE, EOS/EOL. Segment values as labelled on the chart: 2282 (97%), 15 (1%), 60 (2%).]
This graph presents the total released vulnerabilities, including zero-day vulnerabilities and EOS/EOL, with their counts.
[Chart: Product wise Released EOS/EOL count. Products on the x-axis: CentOS, Node.js, CheckPoint, Palo Alto, Alpine Linux, PostgreSQL, RSA, Oracle, Trend Micro, IBM, Adobe, Microsoft, Elastic, VMWare, McAfee; y-axis: 0 to 12.]
[Chart: Product wise Released Non-CVE ID or Zero Day vulnerabilities count. Products: Mozilla, Oracle, Cisco, Adobe, IBM, Trend Micro, SUSE, Microsoft; axis: 0 to 30.]
[Chart: Critical CVE Count. Products: IBM, Microsoft, DLink, SUSE; axis: 0 to 12.]
[Chart: Product wise chart for CVE - Part-1. Products: Couchbase, Fancy Product Designer, Pixar Animation Studio, 10Web, Django, Foxit, GE, Fedora, Cisco Talos; x-axis: 0 to 100; legend bands: 0-150, 151-300, 301-450, 451-610.]
[Chart: Date wise Released Vulnerabilities Count, fortnightly summarized. Legend bands: 0-100, 101-200, 201-300, 301-400; y-axis: 0 to 400; x-axis dates: 25-May, 26-May, 27-May, 28-May, 31-May, 01-Jun, 02-Jun, 03-Jun, 04-Jun, 07-Jun, 08-Jun, 09-Jun, 10-Jun, 11-Jun, 14-Jun, 15-Jun, 16-Jun, 17-Jun, 18-Jun, 21-Jun, 22-Jun, 23-Jun, 24-Jun.]
[Chart: Product wise chart for CVE - Part-2. Products: GNU, Lenovo, McAfee, Mongodb, Nginx, OpenSSL Software Foundation, Pivotal, Pulse Secure, Trendmicro, VMWare CloudFoundry, WowThemes, AUTOMATTIC, FreeBSD, Apache, IBM X-Force, Joomla, NPM, Vector 35, VMWare, Redis, Citrix, Ffmpeg, Rapid 7, Cyberark, Jenkins CI, RUCKUS; x-axis: 0 to 1000; legend bands: 0-150, 151-300, 301-450, 451-610.]
[Chart: Product wise chart for CVE - Part-3. Products: WordPress, Huawei, Debian, Google Chrome, Juniper, F5, Siemens, Adobe, HPE, Cisco, Microsoft, Ubuntu, Oracle Linux, Red Hat, IBM, SUSE; x-axis: 0 to 1000; legend bands: 0-150, 151-300, 301-450, 451-610.]
TOP VULNERABILITIES OF THE WEEK
Each entry lists: Date, CVE ID, Vendor, Product, Summary, Recommendation.

Date: 27/05/2021
CVE ID: CVE-2020-10771, CVE-2020-26258, CVE-2020-26259, CVE-2021-21290, CVE-2021-21295, CVE-2021-21341, CVE-2021-21342, CVE-2021-21343, CVE-2021-21344, CVE-2021-21345, CVE-2021-21346, CVE-2021-21347, CVE-2021-21348, CVE-2021-21349, CVE-2021-21350, CVE-2021-21351, CVE-2021-21409, CVE-2021-31917
Vendor: Red Hat
Product: Red Hat JBoss Data Grid Text-Only Advisories x86_64
Summary: Red Hat Data Grid 8.2.0 security update
Recommendation: Updates are available; see the reference link https://access.redhat.com/errata/RHSA-2021:2139
Date: 31/06/2021
CVE ID: CVE-2020-14060, CVE-2020-14062, CVE-2020-4561, CVE-2020-9546, CVE-2019-14892, CVE-2019-14893, CVE-2019-14379, CVE-2019-16942, CVE-2020-8141, CVE-2020-11113, CVE-2020-10969, CVE-2021-20190, CVE-2016-1000031
Vendor: IBM
Product: IBM Cognos Analytics 11.1, IBM Cognos Analytics 11.0
Summary: IBM Cognos Analytics has addressed multiple vulnerabilities
Recommendation: Updates are available; see the reference link https://www.ibm.com/support/pages/node/6451705

Date: 1/06/2021
CVE ID: CVE-2021-25643
Vendor: Couchbase
Product: Couchbase Server 5.0.x, 5.1.x, 6.6.0-6.6.1, 6.0.0-6.0.5, 6.5.0-6.5.1
Summary: An issue was discovered in Couchbase Server 5.0.x, 5.1.x, 6.0.0 through 6.0.5, 6.5.x before 6.5.2 and 6.6.x before 6.6.2. Internal users with administrator privileges, @cbq-engine-cbauth and @index-cbauth, leak credentials in cleartext in the indexer.log file when they make a /listCreateTokens, /listRebalanceTokens, or /listMetadataTokens call.
Recommendation: Updates are available; see the reference link https://www.vulnerabilitycenter.com/#!vul=133575

Date: 3/06/2021
CVE ID: CVE-2018-25009, CVE-2018-25010
Vendor: SUSE
Product: SUSE OpenStack Cloud Crowbar 9, SUSE Linux Enterprise Server for SAP 12-SP4, SUSE Linux Enterprise Server for SAP 12-SP3, SUSE Linux Enterprise Server 12-SP5, SUSE Linux Enterprise Server 12-SP4-LTSS, SUSE Linux Enterprise Server 12-SP3-LTSS, SUSE Linux Enterprise Server 12-SP3-BCL, SUSE Linux Enterprise Server 12-SP2-BCL, HPE Helion Openstack 8
Summary: Security update for libwebp
Recommendation: Updates are available; see the reference link https://www.suse.com/support/update/announcement/2021/suse-su-20211830-1/

Date: 07/06/2021
CVE ID: CVE-2018-25011, CVE-2018-25012, CVE-2020-36328, CVE-2020-36331, CVE-2018-25009, CVE-2018-25010
Vendor: SUSE
Product: SUSE Manager Server 4.0, SUSE Manager Retail Branch Server 4.0, SUSE Manager Proxy 4.0, SUSE Linux Enterprise Workstation Extension 15-SP3, SUSE Linux Enterprise Workstation Extension 15-SP2, SUSE Linux Enterprise Server for SAP 15-SP1, SUSE Linux Enterprise Server for SAP 15, SUSE Linux Enterprise Server 15-SP1-LTSS, SUSE Linux Enterprise Server 15-SP1-BCL, SUSE Linux Enterprise Server 15-LTSS, SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP3, SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP2, SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS, SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS, SUSE Linux Enterprise High Performance Computing 15-LTSS, SUSE Linux Enterprise High Performance Computing 15-ESPOS, SUSE Enterprise Storage 6, SUSE CaaS Platform 4.0

CVE ID: CVE-2021-28560, CVE-2021-28557, CVE-2021-28565, CVE-2021-28564, CVE-2021-21044, CVE-2021-21038, CVE-2021-21086, CVE-2021-28562, CVE-2021-28550, CVE-2021-28553
Vendor: Adobe
Product: Adobe Acrobat and Reader
Summary: Adobe has released security updates for Adobe Acrobat and Reader for Windows and macOS.
Recommendation: Updates are available; see the reference link https://helpx.adobe.com/security/products/acrobat/apsb21-29.html

Date: 11/06/2021
CVE ID: CVE-2021-31967
Vendor: Microsoft
Product: VP9 Video Extensions
Summary: VP9 Video Extensions Remote Code Execution Vulnerability
Recommendation: Updates are available; see the reference link https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-31967
Date: 09/06/2021
CVE ID: CVE-2020-36185, CVE-2020-36181, CVE-2020-36189, CVE-2020-36188, CVE-2020-36184, CVE-2020-36180, CVE-2020-36183, CVE-2020-36179, CVE-2020-36187, CVE-2020-36186, CVE-2020-36182, CVE-2021-20190
Vendor: IBM
Product: IBM Security Guardium 11.1, IBM Security Guardium 11.3
Summary: IBM Security Guardium is affected by a jackson-databind vulnerability
Recommendation: Updates are available; see the reference link https://www.ibm.com/support/pages/node/6455267

Date: 14/06/2021
CVE ID: CVE-2021-29629
Vendor: Fancy Product Designer
Product: Fancy Product Designer < 4.6.9
Summary: Fancy Product Designer Plugin for WordPress, before 4.6.9, is prone to an arbitrary file upload and remote code execution vulnerability, due to insufficient checks on file uploads. A remote attacker could exploit this issue to upload executable PHP files to any site with the plugin installed and achieve full site takeover.
Recommendation: Updates are available; see the reference link https://www.vulnerabilitycenter.com/#!vul=133859

Date: 15/06/2021
CVE ID: CVE-2015-7705
Vendor: Siemens
Product: SIMATIC NET CP 443-1 OPC UA
Summary: Siemens SIMATIC NET CP 443-1 OPC UA Remote Unspecified Vulnerability
Recommendation: Updates are available; see the reference link https://www.vulnerabilitycenter.com/#!vul=134361
Date: 23/06/2021
CVE ID: CVE-2021-27219, CVE-2021-27219, CVE-2019-9169, CVE-2020-27846, CVE-2020-11984, CVE-2018-25011, CVE-2020-36328, CVE-2020-36329, CVE-2018-25011, CVE-2018-25014, CVE-2020-36328, CVE-2020-36329, CVE-2020-36318, CVE-2020-1472, CVE-2019-25032, CVE-2019-25034, CVE-2019-25035, CVE-2019-25036, CVE-2019-25038, CVE-2019-25039, CVE-2019-25042
Vendor: Oracle Linux
Product: Oracle Linux - 6,7,8
Summary: Oracle Linux Bulletin
Recommendation: Updates are available; see the reference link https://www.oracle.com/security-alerts/linuxbulletinapr2021.html

www.sattrix.com
Global Presence
USA / Sattrix Information Security Incorporation
UK/EU /
MEA / Sattrix Information Security DMCC
India / Sattrix Information Security (P) Ltd
Global SOC
HQ
28, Damubhai colony, Anjali cross roads, Bhattha, Ahmedabad – 007
516, 517 Shivalik Shilp, Iscon Cross Road, S G Highway, Ahmedabad
info@sattrix.com +91-796-819-6800
Disclaimer: The information in this document is subject to change without notice and should not be construed as a commitment by Sattrix Information Security (P) Ltd. Sattrix provides no warranty, express or implied, including warranties of merchantability and fitness for a particular purpose, for the information contained in this document, and assumes no responsibility for any errors that may appear in this document. In no event shall Sattrix or any of its suppliers be liable for direct, indirect, special, incidental or consequential damages of any nature or kind arising from the use of this document, or from the use of any hardware or software described in this document, even if Sattrix or its suppliers have been advised of the possibility of such damages. This document and parts hereof must not be reproduced or copied without written permission from Sattrix, and the contents hereof must not be imparted to a third party nor used for any unauthorized purpose. All rights to registrations and trademarks reside with their respective owners © Copyright 2019 Sattrix. All rights reserved.
Limitation of Liability: IN NO EVENT SHALL Sattrix, Sattrix AFFILIATES, OR THEIR OFFICERS, DIRECTORS, EMPLOYEES, AGENTS, SUPPLIERS, LICENSORS AND THIRD PARTY PARTNERS, BE LIABLE FOR ANY DIRECT, INDIRECT, SPECIAL, PUNITIVE, INCIDENTAL, EXEMPLARY OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES WHATSOEVER, EVEN IF Sattrix HAS BEEN PREVIOUSLY ADVISED OF THE POSSIBILITY OF SUCH DAMAGES, WHETHER IN AN ACTION UNDER CONTRACT, TORT, OR ANY OTHER THEORY ARISING FROM YOUR ACCESS TO, OR USE OF, THE MATERIALS. Because some jurisdictions do not allow limitations on how long an implied warranty lasts, or the exclusion or limitation of liability for consequential or incidental damages, some of the above limitations may not apply to you.
Sattrix Info Security Ltd