17 FEB – 28 FEB, 2020
SECURITY INTELLIGENCE
ADVISORY
Intent
This report is intended to help quantify the scope of the risk organizations face as they struggle to balance their cyber security policies and
protections against their employees' need for access to the Web and its resources.
Background
Every organization, large, medium or small, carries a significant risk and faces the typical challenge of managing the vulnerabilities present in its
operating systems. Vulnerabilities that are not attended to pose a very high risk and can expose your organization to a variety of threats
and damage. There are threats from users within the system, and from competitors who want to know accurate details about your business
model. There is an established process for identifying your vulnerabilities and applying patches so as to avoid these serious threats and limit
the resulting damage. There is also a method in which specialists get into your system and run checks to identify how strong the
system is. Performing vulnerability assessments ensures that all known system vulnerabilities are taken into consideration, and when
assessments are conducted regularly, new threats are identified quickly.
What does the Vulnerability Advisory cover?
1. We monitor around 2000 applications, appliances and operating systems, and test and verify the vulnerabilities
reported in them.
2. We focus on each vulnerability disclosed in those 2000 products.
3. The systems and applications monitored by the Sattrix Research Team are those in use in our customers' environments.
4. In the instance of customers using products that are not already being monitored by our team, these products can be
submitted to us and we will initiate monitoring of them the next business day. We only monitor public or commercially
available solutions.
5. The Vulnerability Database covers vulnerabilities that can be exploited in all types of products: software, hardware,
firmware, etc.
6. The vulnerabilities verified by our team are described in the client database as an Advisory and listed in the Sattrix
Vulnerability Reports, detailing what IT Security teams need to know to mitigate the risk posed by the vulnerability in their
environment.
7. The Vulnerability Database covers vulnerabilities that can be exploited in all types of products; we also cover zero
days and EOS/EOL.
8. We create daily and weekly reports including all the details of each vulnerability and the total vulnerability count for the last week,
and provide them to the customer as well.
9. The Sattrix Advisory descriptions include severity, product under investigation, affected product, CVE ID, Sattrix score,
reference links and remediations.
EXECUTIVE SUMMARY
Overall Monthly Vulnerability Trend Chart
Released Vulnerabilities and severity wise count
This graph presents threat levels based on the vulnerabilities identified.
[Trend Chart for one month: daily released-vulnerability counts from 27-Jan to 28-Feb 2020, plotted for the series With CVE, No CVE and EOS/EOL, each with a linear trendline; y-axis 0 to 180]
Severity Count
Critical: 5%
High: 30%
Medium: 57%
Low: 8%
Date wise Released Vulnerabilities Count, fortnightly summarized
This graph presents the total released vulnerabilities, including zero-day vulnerabilities and EOS/EOL, with their counts.
Total Counts Table:
With CVE: 540 (95%)
No CVE: 16 (3%)
EOS/EOL: 14 (2%)
Date         Count
17-02-2020   22
18-02-2020   115
19-02-2020   154
20-02-2020   37
21-02-2020   35
24-02-2020   49
25-02-2020   54
26-02-2020   24
27-02-2020   35
28-02-2020   33
Product wise Released EOS/EOL count
Product      Count
PostgreSQL   1
CentOS       1
Ubuntu       1
Adobe        2
Red Hat      3
Microsoft    6
Product wise Released Non-CVE ID or Zero Day vulnerabilities count
Product               Count
F-Secure              1
Rockwell Automation   1
UiPath                1
Google                1
Node.js               12
Top 10 Vulnerabilities product wise critical vulnerabilities (Critical CVE count)
Vendor                Count
Cisco                 1
F-Secure              1
IBL                   1
NetApp                1
Oracle                1
Rockwell Automation   1
VMware                1
Adobe                 2
Apache                2
HPE                   2
Red Hat               5
IBM                   10
Product wise Released vulnerabilities count
Vendor                Count
Adobe                 1
Fedora                1
Rockwell Automation   1
FortiNet              1
F-Secure              1
IBL                   1
Juniper               1
NetApp                1
Trend Micro           1
HPE                   2
VMware                3
Google                5
Apache                5
F5                    8
McAfee                9
Cisco                 12
Oracle                43
IBM                   52
SUSE                  96
Ubuntu                134
Red Hat               152
Top Vulnerabilities of the week
Columns: Date | Sr. # | CVE ID | Vendor | Product | Summary | Recommendation

1. 19-02-2020 | CVE-2020-3943 | VMware
Product: vRealize Operations for Horizon Adapter (6.6.x, 6.7.x)
Summary: An unauthenticated remote attacker who has network access to vRealize Operations, with the Horizon Adapter running
Recommendation: Fixed Version in: 6.7.1, 6.6.1

2. 20-02-2020 | CVE-2020-3158 | Cisco
Product: Cisco Smart Software Manager satellite 7-201907, 7-201910
Summary: A vulnerability in the High Availability (HA) service of Cisco Smart Software Manager On-Prem could allow an unauthenticated, remote attacker to access a sensitive part of the system with a high-privileged account.
Recommendation: Updates are available; please see the reference link. https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-on-prem-static-cred-sL8rDs8

3. 21-02-2020 | CVE-2020-1938 | Apache
Product: Apache Tomcat 6.x, Apache Tomcat 7.x <7.0.100, Apache Tomcat 8.x <8.5.51, Apache Tomcat 9.x <9.0.31
Summary: An attacker could exploit this vulnerability to execute arbitrary code or obtain sensitive information on the system.
Recommendation: Upgrade to the latest version of Apache Tomcat (8.5.51, 9.0.31, 7.0.100 or later), available from the Apache Tomcat Web site. See References. http://tomcat.apache.org/

4. 21-02-2020 | CVE-2020-3764 | Adobe
Product: Adobe Media Encoder 14.0 and earlier versions
Summary: Adobe has released security updates for Adobe Media Encoder. Adobe recommends users update their software installations to the latest versions.
Recommendation: Updates are available; please see the reference link. https://helpx.adobe.com/security/products/media-encoder/apsb20-10.html

5. 21-02-2020 | CVE-2020-3765 | Adobe
Product: Adobe After Effects 16.1.2 and earlier versions
Summary: Adobe has released security updates for Adobe After Effects. Adobe recommends users update their software installations to the latest versions.
Recommendation: Updates are available; please see the reference link. https://helpx.adobe.com/security/products/after_effects/apsb20-09.html

6. 24-02-2020 | CVE-2020-5311 | Red Hat
Product: Red Hat Enterprise Linux for x86_64 - Extended Update Support 8.1 x86_64, Red Hat Enterprise Linux for x86_64 8 x86_64
Summary: An update for python-pillow is now available for Red Hat Enterprise Linux 8.
Recommendation: This issue has been addressed in the following products: Red Hat Enterprise Linux 8, via RHSA-2020:0580. https://access.redhat.com/errata/RHSA-2020:0580

7. 24-02-2020 | CVE-2020-5312 | Red Hat
Product: Red Hat Enterprise Linux for x86_64 - Extended Update Support 8.1 x86_64, Red Hat Enterprise Linux for x86_64 8 x86_64, Red Hat Enterprise Linux Server 7 x86_64, Red Hat Enterprise Linux for x86_64 - Extended Update Support 7.7 x86_64, Red Hat Enterprise Linux Server - AUS 7.7 x86_64
Summary: An update for python-pillow is now available for Red Hat Enterprise Linux 7 and 8.
Recommendation: Updates are available; please see the reference link. https://access.redhat.com/errata/RHSA-2020:0580

8. 24-02-2020 | CVE-2020-8597 | Red Hat
Product: Red Hat Enterprise Linux 6, 7, 8
Summary: ppp could be made to crash or run programs if it received specially crafted network traffic. This flaw only affects pppd servers and clients when EAP negotiation is used. pppd will refuse to do EAP negotiation unless it has an appropriate secret to use. The secret has to be added to /etc/ppp/chap-secrets. EAP can use CHAP or SRP as the underlying flavour of authentication; Red Hat packages are not compiled with SRP code.

9. 24-02-2020 | CVE-2019-14379 | IBM
Product: IBM Spectrum Protect Plus 10.1.0-10.1.5
Summary: There are multiple security vulnerabilities in FasterXML Jackson-databind that affect IBM Spectrum Protect Plus.
Recommendation: Fixes are available; please see the reference link. https://www.ibm.com/support/pages/node/3176397

10. 24-02-2020 | CVE-2019-17531 | IBM
Product: IBM Spectrum Protect Plus 10.1.0-10.1.5
Summary: There are multiple security vulnerabilities in FasterXML Jackson-databind that affect IBM Spectrum Protect Plus.
Recommendation: Fixes are available; please see the reference link. https://www.ibm.com/support/pages/node/3176397
Disclaimer: The information in this document is subject to change without notice and should not be construed as a commitment by Sattrix Information Security Pvt. Ltd. Sattrix provides no warranty, express or implied, including warranties of merchantability and fitness for a particular purpose, for the information contained in this document, and assumes no responsibility for any errors that may appear in this document. In no event shall Sattrix or any of its suppliers be liable for direct, indirect, special, incidental or consequential damages of any nature or kind arising from the use of this document, or from the use of any hardware or software described in this document, even if Sattrix or its suppliers have been advised of the possibility of such damages. This document and parts hereof must not be reproduced or copied without written permission from Sattrix, and the contents hereof must not be imparted to a third party nor used for any unauthorized purpose. All rights to registrations and trademarks reside with their respective owners
© Copyright 2019 Sattrix. All rights reserved.
Limitation of Liability: IN NO EVENT SHALL SATTRIX, SATTRIX AFFILIATES, OR THEIR OFFICERS, DIRECTORS, EMPLOYEES, AGENTS, SUPPLIERS, LICENSORS AND THIRD PARTY PARTNERS, BE LIABLE FOR ANY DIRECT, INDIRECT, SPECIAL, PUNITIVE, INCIDENTAL, EXEMPLARY OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES WHATSOEVER, EVEN IF SATTRIX HAS BEEN PREVIOUSLY ADVISED OF THE POSSIBILITY OF SUCH DAMAGES, WHETHER IN AN ACTION UNDER CONTRACT, TORT, OR ANY OTHER THEORY ARISING FROM YOUR ACCESS TO, OR USE OF, THE MATERIALS. Because some jurisdictions do not allow limitations on how long an implied warranty lasts, or the exclusion or limitation of liability for consequential or incidental damages, some of the above limitations may not apply to you.