====================================================================

                            CERT-Renater

                Information Note No. 2019/VULN236
_____________________________________________________________________

DATE                : 01/08/2019

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Apache VCL versions 2.1 up to
                     and including 2.5.

=====================================================================
http://mail-archives.apache.org/mod_mbox/www-announce/201907.mbox/%3C3529220.nYnEilkyyp@treebeard%3E
http://mail-archives.apache.org/mod_mbox/www-announce/201907.mbox/%3c4804582.GJmuaxtNGq@treebeard%3e
http://mail-archives.apache.org/mod_mbox/www-announce/201907.mbox/%3c1771468.2jJZdyOtZb@treebeard%3e
_____________________________________________________________________

CVE-2018-11772: Apache VCL SQL injection attack in privilege management

Severity: Medium

Versions Affected: 2.1 through 2.5

Description: Apache VCL versions 2.1 through 2.5 do not properly
validate cookie input when determining what node (if any) was
previously selected in the privilege tree. The cookie data is then
used in an SQL statement. This allows for an SQL injection attack.
Access to this portion of a VCL system requires admin level rights.
Other layers of security seem to protect against malicious attack.
However, all VCL systems running versions earlier than 2.5.1 should
be upgraded or patched.

Mitigation: Upgrade to 2.5.1 or apply patches from
https://vcl.apache.org/security.html

Credit: This vulnerability was found and reported to the Apache VCL
project by ADLab of Venustech.

CVE Released: July 29th, 2019

_____________________________________________________________________

CVE-2018-11773: Apache VCL improper form validation in block
allocation management

Severity: Medium

Versions Affected: 2.1 through 2.5

Description: Apache VCL versions 2.1 through 2.5 do not properly
validate form input when processing a submitted block allocation.
The form data is then used as an argument to the PHP built-in
function strtotime. This allows for an attack against the underlying
implementation of that function. The implementation of strtotime at
the time the issue was discovered appeared to be resistant to a
malicious attack. However, all VCL systems running versions earlier
than 2.5.1 should be upgraded or patched.

Mitigation: Upgrade to 2.5.1 or apply patches from
https://vcl.apache.org/security.html

Credit: This vulnerability was found and reported to the Apache VCL
project by ADLab of Venustech.

CVE Released: July 29th, 2019

_____________________________________________________________________

CVE-2018-11774: Apache VCL SQL injection attack in VM management

Severity: Medium

Versions Affected: 2.1 through 2.5

Description: Apache VCL versions 2.1 through 2.5 do not properly
validate form input when adding and removing VMs to and from hosts.
The form data is then used in SQL statements. This allows for an SQL
injection attack. Access to this portion of a VCL system requires
admin level rights. Other layers of security seem to protect against
malicious attack. However, all VCL systems running versions earlier
than 2.5.1 should be upgraded or patched.

Mitigation: Upgrade to 2.5.1 or apply patches from
https://vcl.apache.org/security.html

Credit: This vulnerability was found and reported to the Apache VCL
project by ADLab of Venustech.

CVE Released: July 29th, 2019

=========================================================
+ CERT-RENATER        | tel : 01-53-94-20-44            +
+ 23/25 Rue Daviel    | fax : 01-53-94-20-41            +
+ 75013 Paris         | email:cert@support.renater.fr   +
=========================================================
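
Added example, not part of the advisory and not Apache VCL code: a PHP sketch of the input handling whose absence the CVE-2018-11772 and CVE-2018-11773 descriptions point to, namely a strictly validated cookie-derived node id passed as a bound SQL parameter, and a form date parsed against one fixed format before any date logic sees it. The tree_node table, the sample inputs and the 'Y-m-d H:i' form format are assumptions, and the demo needs the pdo_sqlite extension.

```php
<?php
// Added illustration, not Apache VCL code. The tree_node table, the sample
// inputs and the date format are assumptions made for this example.

/** Accept a plain positive decimal integer only; anything else is null. */
function parseNodeId($raw): ?int
{
    $ok = is_string($raw) && preg_match('/\A[1-9][0-9]{0,8}\z/', $raw) === 1;
    return $ok ? (int) $raw : null;
}

/** Fetch the node with a bound integer parameter, never by concatenation. */
function findNode(PDO $db, int $nodeId): ?array
{
    $stmt = $db->prepare('SELECT id, name FROM tree_node WHERE id = :id');
    $stmt->bindValue(':id', $nodeId, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

/** Parse a form date in one fixed format instead of free-form text. */
function parseFormDate($raw): ?DateTimeImmutable
{
    $fmt = 'Y-m-d H:i';
    if (!is_string($raw) || preg_match('/\A\d{4}-\d\d-\d\d \d\d:\d\d\z/', $raw) !== 1) {
        return null;
    }
    $dt = DateTimeImmutable::createFromFormat('!' . $fmt, $raw);
    // The round-trip comparison rejects overflowed values such as 2019-02-31.
    return ($dt !== false && $dt->format($fmt) === $raw) ? $dt : null;
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE tree_node (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO tree_node (id, name) VALUES (1, 'root'), (2, 'lab-a')");

// Constructed cookie values: one well-formed, three that must be rejected.
foreach (['2', '2 OR 1=1', '-1', ''] as $cookie) {
    $id = parseNodeId($cookie);
    $node = $id === null ? null : findNode($db, $id);
    printf("cookie %-12s -> %s\n", var_export($cookie, true), $node['name'] ?? 'rejected');
}
// Constructed form values: one valid, one overflowed, one free-form.
foreach (['2019-08-01 09:00', '2019-02-31 09:00', 'tomorrow +1 week'] as $when) {
    $dt = parseFormDate($when);
    printf("date %-20s -> %s\n", var_export($when, true), $dt ? $dt->format(DATE_ATOM) : 'rejected');
}
```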