CVE-2019-12323

The HC.Server service in Hosting Controller HC10 10.14 allows an Invalid Pointer Write DoS.
Source: NIST

CVE-2019-11648

An information leakage exists in Micro Focus NetIQ Self Service Password Reset software, all versions prior to version 4.4. The vulnerability could be exploited to expose sensitive information.
Source: NIST

CVE-2019-11647

A potential XSS exists in Micro Focus NetIQ Self Service Password Reset software, all versions prior to version 4.4. The vulnerability could be exploited to enable an XSS attack.
Source: NIST

CVE-2019-12871

An issue was discovered in PHOENIX CONTACT PC Worx through 1.86, PC Worx Express through 1.86, and Config+ through 1.86. A manipulated PC Worx or Config+ project file could lead to a Use-After-Free and remote code execution. The attacker needs to get access to an original PC Worx or Config+ project file to be able to manipulate it. After manipulation, the attacker needs to exchange the original file with the manipulated one on the application programming workstation.
Source: NIST

CVE-2019-12938

The Roundcube component of Analogic Poste.io 2.1.6 uses .htaccess to protect the logs/ folder, which is effective with the Apache HTTP Server but is ineffective with nginx. Attackers can read logs via the webmail/logs/sendmail URI.
Source: NIST

Never Trust, Always Verify: Demystifying Zero Trust to Secure Your Networks

The point of Zero Trust is not to make networks, clouds, or endpoints more trusted; it’s to eliminate the concept of trust from digital systems altogether.
Source: DarkReading

CVE-2019-12928 (qemu)

The QMP migrate command in QEMU version 4.0.0 and earlier is vulnerable to OS command injection, which allows the remote attacker to achieve code execution, denial of service, or information disclosure by sending a crafted QMP command to the listening server.
Source: NIST

CVE-2019-12929 (qemu)

The QMP guest_exec command in QEMU 4.0.0 and earlier is prone to OS command injection, which allows the attacker to achieve code execution, denial of service, or information disclosure by sending a crafted QMP command to the listening server.
Source: NIST

US Adds AMD Joint Venture to Entity List

The US Department of Commerce has added five more Chinese organizations onto the same Entity List as Huawei over national security fears, including an AMD joint venture.

The department’s Bureau of Industry and Security (BIS) said the changes to the list, which will prevent US firms from doing business or selling components to them, will take effect from today.

That will be a headache especially for AMD, which set up a JV with Tianjin Haiguang Advanced Technology Investment Company (THATIC), aka Higon, back in 2016 to sell its x86 chips in China.

Two other companies on the list — Sugon and the Wuxi Jiangnan Institute of Computing Technology — build exascale supercomputers which the US government believes have military purposes. The latter is owned by the 56th Research Institute of the General Staff of the PLA, with a mission “to support China’s military modernization,” according to the US government.

“Under § 744.11(b) (Criteria for revising the Entity List) of the EAR, entities for which there is reasonable cause to believe, based on specific and articulable facts, have been involved, are involved, or pose a significant risk of being or becoming involved in activities that are contrary to the national security or foreign policy interests of the United States, and those acting on behalf of such persons, may be added to the Entity List,” the notice said.

Sugon is said to be the majority owner of Higon, while the two remaining entities on the list are: Chengdu Haiguang Integrated Circuit (aka Hygon and Chengdu Haiguang Jincheng Dianlu Sheji) and Chengdu Haiguang Microelectronics Technology (aka HMC and Chengdu Haiguang Wei Dianzi Jishu).

The new organizations join Huawei and ZTE on the list, which can be seen in the wider context of the Trump administration’s ramping up of pressure on the Chinese government over trade and national security.

Last week, the US Consumer Technology Association (CTA) complained that Trump’s much-derided tariffs would hit US consumers hardest, rather than the Chinese firms the US President wants to punish.

It claimed the average smartphone imported from China would increase in price by $70 (22%) if another proposed tariff of 25% on $300bn of Chinese goods is introduced.

“Tariffs are taxes, paid by American consumers — and these new tariffs would be a burden on American families just as they start back-to-school shopping,” said Gary Shapiro, CEO of the CTA.

“US consumers, not China, pay the price for tariffs — what more proof does the White House need? It’s time for this administration to put American small businesses, workers and families first and make a deal with China.”
Source: Infosecurity

Symantec Again Named a Leader in the Email Security Category

Multiple third-party evaluation organizations have named Symantec a leader in the email security category.
Source: Symantec