CVE-2016-0050
published 2016-02-10CVE-2016-0050: Network Policy Server (NPS) in Microsoft Windows Server 2008 SP2 and R2 SP1 and Server 2012 Gold and R2 misparses username queries, which allows remote…
PriorityP336medium5.3CVSS 3.0
AVNACLPRNUINSUCNINAL
EPSS
20.66%
97.2th percentile
Network Policy Server (NPS) in Microsoft Windows Server 2008 SP2 and R2 SP1 and Server 2012 Gold and R2 misparses username queries, which allows remote attackers to cause a denial of service (RADIUS authentication outage) via crafted requests, aka "Network Policy Server RADIUS Implementation Denial of Service Vulnerability."
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | windows_server_2008 | — | — |
| microsoft | windows_server_2012 | — | — |
CVSS provenance
nvdv3.05.3MEDIUMCVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
nvdv2.05.0MEDIUMAV:N/AC:L/Au:N/C:N/I:N/A:P
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
No detection rules found.
No public exploits indexed.
Talos
Microsoft Patch Tuesday - February 2016
blogs_talos·2016-02-09·CVSS 7.8
[HIGH] Microsoft Patch Tuesday - February 2016
Today, Microsoft has released their monthly set of security bulletins designed to address security vulnerabilities within their products. This month’s release contains twelve bulletins addressing 37 vulnerabilities. Five bulletins are rated critical and address vulnerabilities in Internet Explorer, Edge, Windows Journal, Office and Windows PDF. The remaining seven bulletins are rated important and address vulnerabilities in the Network Policy Server (NPS), Active Directory, Windows, Remote Desktop Protocol, WebDAV, Kernel Mode Driver and the .NET Framework.
## Bulletins Rated Critical
Microsoft bulletins MS16-009, MS16-011 through MS16-013, and MS16-015 are rated as critical in this month's release.
MS16-009 and MS16-011 are this month's Internet Explorer and Edge security bulletin resp
Talos
Microsoft Patch Tuesday - February 2016
blogs_talos·2016-02-09·CVSS 7.8
[HIGH] Microsoft Patch Tuesday - February 2016
## Microsoft Patch Tuesday - February 2016
Today, Microsoft has released their monthly set of security bulletins designed to address security vulnerabilities within their products. This month’s release contains twelve bulletins addressing 37 vulnerabilities. Five bulletins are rated critical and address vulnerabilities in Internet Explorer, Edge, Windows Journal, Office and Windows PDF. The remaining seven bulletins are rated important and address vulnerabilities in the Network Policy Server (NPS), Active Directory, Windows, Remote Desktop Protocol, WebDAV, Kernel Mode Driver and the .NET Framework.
## Bulletins Rated Critical
Microsoft bulletins MS16-009, MS16-011 through MS16-013, and MS16-015 are rated as critical in this month's release.
MS16-009 and MS16-011 are this month's Inter
Bugzilla
CVE-2016-0475 OpenJDK: PBE incorrect key lengths (Libraries, 8138589)
bugzilla·2016-01-15·CVSS 5.8
CVE-2016-0475 [MEDIUM] CVE-2016-0475 OpenJDK: PBE incorrect key lengths (Libraries, 8138589)
CVE-2016-0475 OpenJDK: PBE incorrect key lengths (Libraries, 8138589)
It was discovered that the password-based encryption (PBE) implementation in the Libraries component of OpenJDK specified incorrect key length. This could lead to generation of keys that were weaker than expected in certain cases.
Discussion:
Public now via Oracle Critical Patch Update - January 2016. Fixed in Oracle Java SE 8u71.
External References:
http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html#AppendixJAVA
---
OpenJDK 8 upstream commit:
http://hg.openjdk.java.net/jdk8u/jdk8u/jdk/rev/5ea62bb625b6
---
This issue has been addressed in the following products:
Red Hat Enterprise Linux 6
Via RHSA-2016:0050 https://rhn.redhat.com/errata/RHSA-2016-0050.html
---
This issue has been add
2016-02-10
Published