===========================================================================
                         AUSCERT Security Bulletin

                              ASB-2017.0152.2
                          Security Announcements
                             22 September 2017

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Joomla!
Operating System:     UNIX variants (UNIX, Linux, OSX)
                      Windows
Impact/Access:        Access Privileged Data -- Remote/Unauthenticated
Resolution:           Patch/Upgrade
CVE Names:            CVE-2017-14595 CVE-2017-14596
Member content until: Saturday, October 21 2017

Revision History:     September 22 2017: Added missing page.
                      September 21 2017: Initial Release

OVERVIEW

        Multiple vulnerabilities have been identified in Joomla! in versions
        prior to 3.8.0. [1]


IMPACT

        The vendor has provided the following information:

        "[20170901] - Core - Information Disclosure

        Project: Joomla!
        SubProject: CMS
        Severity: Low
        Versions: 3.7.0 through 3.7.5
        Exploit type: Information Disclosure
        Reported Date: 2017-August-4
        Fixed Date: 2017-September-19
        CVE Number: CVE-2017-14595

        Description

        A logic bug in a SQL query could lead to the disclosure of article
        intro texts when these articles are in the archived state.


        [20170902] - Core - LDAP Information Disclosure

        Project: Joomla!
        SubProject: CMS
        Severity: Medium
        Versions: 1.5.0 through 3.7.5
        Exploit type: Information Disclosure
        Reported Date: 2017-July-27
        Fixed Date: 2017-September-19
        CVE Number: CVE-2017-14596

        Description

        Inadequate escaping in the LDAP authentication plugin can result
        in a disclosure of username and password." [1]
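        The LDAP issue above is the class of bug that arises when a login name
        is placed into a search filter without escaping. As an added example
        that is not part of this bulletin or of Joomla's code, the following
        Python shows RFC 4515 escaping of an assertion value before it is
        substituted into a filter; the filter template and the `uid` attribute
        are assumptions.

```python
# Added example (not Joomla's code): RFC 4515 escaping for LDAP search
# filter assertion values, the control for the bug class in [20170902].
# The filter template and the "uid" attribute name are assumptions.

def escape_filter_value(value: str) -> str:
    """Escape a string for use as an assertion value inside an LDAP
    search filter, per RFC 4515 section 3.

    Each special character (backslash, asterisk, parentheses, NUL) is
    replaced by a backslash and two hex digits. Control and non-ASCII
    characters are escaped byte-by-byte in UTF-8, so the result is pure
    ASCII and cannot alter the structure of the surrounding filter.
    """
    out = []
    for ch in value:
        if ch in "\\*()\x00":
            out.append("\\%02x" % ord(ch))
        elif ord(ch) < 0x20 or ord(ch) > 0x7e:
            out.extend("\\%02x" % b for b in ch.encode("utf-8"))
        else:
            out.append(ch)
    return "".join(out)


def build_user_filter(username: str, uid_attr: str = "uid") -> str:
    """Build a filter that matches a single user entry by login name.

    The username is escaped before substitution, so any filter
    metacharacters it contains are matched literally rather than being
    interpreted as filter syntax.
    """
    return "(%s=%s)" % (uid_attr, escape_filter_value(username))


if __name__ == "__main__":
    # Constructed inputs: a plain login name, one containing parentheses
    # and an asterisk, and one with a non-ASCII character.
    for name in ("alice", "jones (temp)*", "müller"):
        print(repr(name), "->", build_user_filter(name))
```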


MITIGATION

        The vendor recommends updating to the latest version of Joomla! to 
        correct these issues. [1]


REFERENCES

        [1] Security Announcements
            https://developer.joomla.org/security-centre/710-20170901-core-information-disclosure.html

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================