Date: 13 December 2012
References: ESB-2013.0495
Click here for printable version
Click here for PGP verifiable version
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT Security Bulletin
ASB-2012.0174
A number of vulnerabilities have been identified in Webmin
13 December 2012
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Webmin
Operating System: Solaris
UNIX variants (UNIX, Linux, OSX)
Impact/Access: Execute Arbitrary Code/Commands -- Existing Account
Access Confidential Data -- Remote/Unauthenticated
Resolution: Patch/Upgrade
CVE Names: CVE-2012-2983 CVE-2012-2982 CVE-2012-2981
Member content until: Saturday, January 12 2013
Comment: This advisory references vulnerabilities in products which run on
platforms other than Solaris. It is recommended that administrators
running Webmin check for an updated version of the software for their
operating system.
OVERVIEW
A number of vulnerabilities have been identified in Webmin, a
third-party component of Solaris 10.
IMPACT
The vendor has provided the following details regarding these
vulnerabilities:
"CVE-2012-2981 Improper Input Validation vulnerability" [1]
"CVE-2012-2982 Arbitrary code execution vulnerability" [1]
"CVE-2012-2983 Improper Authentication vulnerability" [1]
MITIGATION
The vendor recommends applying the appropriate patch to correct
these issues. [1]
REFERENCES
[1] Multiple vulnerabilities in Webmin
https://blogs.oracle.com/sunsecurity/entry/multiple_vulnerabilities_in_webmin
AusCERT has made every effort to ensure that the information contained
in this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBUMkxw+4yVqjM2NGpAQIG7xAAh/A4sCJ877gLs7xyUIWoUeQ/FiYbjjrs
ikxLYORhpq82OUI2OK+6nSgLO1loNCG/BTpxrdjZ0ATiekgtLwf4jDymQSDCsb9W
f1P0P1HlYdu9B0M1RXOhjsgdbjr+DoqMVwojVxxY8wpeSwGB0iRYGLtd+Ho6nt91
saRDjBdQhoGyfRD98OfOE7UN3PqBRiM6s34WrPotOo+YQMaO9shSfmUDRgu6wrZ9
2zj2huE7TMEWanVfcRdZ4nAlXebL2JHAOsEzjN0Vul6q4L8bHYGuAcDTN18MTtAl
DqLesYdXzzKr11rj7Qjf06M+jqbg0U02CnM+zb/exPzJRg04EQLY4RsFI+yAIQpD
xcjfHmumhOz41Jlv4JsOpFMpFJRopmcPOL1CZGEaRFzJlggcg1ae2waGnEVhNJLb
3IcplQVHDFjAIa6KmDRtrbsIHY2YvVMQ24+XHxbPjHHgSG3DsO0/244agKMYJaSY
Gy9wr7wA/yj7xRFC9ZV9DkGVQ5tQLyOWsu2B6A82La/eItiYvTXJuSS1cocFQAeo
FrSjcG08jCDedKylYs3oEtgR/aJcJgkL8SzAcOZwMQmrIcbhRREKrzlMXhUNu3Nu
0cpGm58Ep6eDWSrOk5OiC2/m2Hm+dbOhpAZ6Im3LYdwt1koKeRKm0LAHjbk54USr
3pK+VWjl7/M=
=3KJ4
-----END PGP SIGNATURE-----
|