CVE-2014-7809
A vulnerability exists in IBM SAN Volume Controller and IBM Storwize products relating to the random number generator, which can be exploited to obtain information. The vulnerability lies in the fact that the generated token values, which are intended to protect the submission of form data, are predictable. As a result, a remote, anonymous attacker can exploit this vulnerability, for example via a specially crafted web form, to carry out a cross-site request forgery attack using the precomputable tokens. To successfully exploit this vulnerability, the attacker must induce the user to open a modified URL or web page in their web browser.
EPSS 7.55% · 92.0th percentile
Risk Scores
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| F5 | F5 BIG-IP Application Security Manager 12.0.0 | |
| Red Hat | Red Hat Enterprise Linux Server 7 | |
| Oracle | Oracle MySQL Enterprise Monitor <= 3.0.18 | |
| Oracle | Oracle MySQL <= 5.6.22 | |
| Oracle | Oracle MySQL <= 5.1.34 | |
| F5 | F5 BIG-IP Access Policy Manager 10.1.0 - 10.2.4 | |
| F5 | F5 BIG-IP Global Traffic Manager 11.0.0 - 11.6.0 | |
| F5 | F5 BIG-IP Access Policy Manager 11.0.0 - 11.6.0 | |
| F5 | F5 BIG-IP Access Policy Manager 12.0.0 | |
| SUSE | SUSE Linux | |
| F5 | F5 BIG-IP Analytics 11.0.0 - 11.6.0 | |
| MariaDB | MariaDB MariaDB < 10.0.18 | |
| F5 | F5 BIG-IP Local Traffic Manager 10.1.0 - 10.2.4 | |
| F5 | F5 BIG-IP Local Traffic Manager 12.0.0 | |
| F5 | F5 BIG-IP Edge Gateway 11.0.0 - 11.3.0 | |
| Oracle | Oracle MySQL <= 5.6.23 | |
| Oracle | Oracle MySQL <= 5.5.42 | |
| F5 | F5 BIG-IP Local Traffic Manager 11.0.0 - 11.6.0 | |
| IBM | IBM Storwize | |
| F5 | F5 BIG-IP Application Security Manager 10.1.0 - 10.2.4 | |
…and 36 more
Timeline
- Dec 10, 2014 CVE Published
- Oct 9, 2018 CVE Updated
- Feb 4, 2022 EPSS Score
- Mar 29, 2022 EPSS Score
- May 20, 2022 EPSS Score
- Sep 3, 2022 EPSS Score
- Oct 26, 2022 EPSS Score
- Dec 17, 2022 EPSS Score
- Feb 8, 2023 EPSS Score
- Apr 1, 2023 EPSS Score
- May 24, 2023 EPSS Score
- Jul 15, 2023 EPSS Score
References
- https://wid.cert-bund.de/.well-known/csaf/white/2015/wid-sec-w-2023-2068.json advisory
- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2023-2068 advisory
- https://my.f5.com/manage/s/article/K17115 advisory
- https://www.debian.org/security/2015/dsa-3229 advisory
- http://www.ubuntu.com/usn/usn-2575-1/ advisory
- http://www.oracle.com/technetwork/topics/security/cpuapr2015-2365600.html#AppendixMSQL advisory
- https://mariadb.com/kb/en/mariadb/mariadb-10018-release-notes/ advisory
- https://www.suse.com/support/update/announcement/2015/suse-su-20150946-1.html advisory
- http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00036.html advisory
- https://www.debian.org/security/2015/dsa-3311 advisory
- http://rhn.redhat.com/errata/RHSA-2015-1629.html advisory
- http://rhn.redhat.com/errata/RHSA-2015-1628.html advisory
- http://lists.centos.org/pipermail/centos-announce/2015-August/021331.html advisory
- https://rhn.redhat.com/errata/RHSA-2015-1647.html advisory
- https://rhn.redhat.com/errata/RHSA-2015-1665.html advisory
- http://lists.centos.org/pipermail/centos-announce/2015-August/021345.html advisory
- http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10698 advisory
- https://support.f5.com/kb/en-us/solutions/public/17000/100/sol17115.html advisory
- https://www.debian.org/security/2016/dsa-3621 advisory
- https://www.suse.com/support/update/announcement/2016/suse-su-20162259-1.html advisory
…and 4 more