Security Notices

Apache CVE-2017-9798

Sep 25, 2017

This notice is informational only and does not affect ANY of PaperClip's services.

Apache httpd allows remote attackers to read secret data from process memory if the Limit directive can be set in a user's .htaccess file, or if httpd.conf has certain misconfigurations, aka Optionsbleed. This affects the Apache HTTP Server through 2.2.34 and 2.4.x through 2.4.27. The attacker sends an unauthenticated OPTIONS HTTP request when attempting to read secret data. This is a use-after-free issue and thus secret data is not always sent, and the specific data depends on many factors including configuration. Exploitation with .htaccess can be blocked with a patch to the ap_limit_section function in server/core.c.

National Institute of Standards and Technology - NATIONAL VULNERABILITY DATABASE

PaperClip Support

Apache Struts Vulnerability (CVE-2017-9805)

Sep 13, 2017

This notice is informational only and does not affect ANY of PaperClip's services.

On September 6, 2017, the Apache Foundation released information on three seperate vulnerabilities affecting Apache Struts. One of the vulnerabilities (CVE-2017-9805) takes advantage of a weakness in the Struts REST plugin.

Successful exploitation would allow a remote attacker to execute arbitrary code and potentially take control of the system. The following applications/systems are affected by this vulnerability as listed in the Apache Security Bulletin S2-052 description:

  • Apache Struts 2.1.2 - Struts 2.3.34
  • Apache Struts 2.5 - Struts 2.5.12

Further details regarding this vulnerability can be found on Apache's website:

Apache Struts Security Bulletin – Critical:

Apache Struts Vulnerability CVE-2017-9805:

PaperClip Support

Sep 24, 2014
PaperClip Support

A vulnerability referred to as Shellshock allows exploitation of the Bash Shell. The vulnerability allows remote attackers to execute arbitrary code by passing strings of code as environment variables. Bash shell is used on UNIX, Linux, BSD, and Mac OS X computers.

PaperClip has reviewed its inventory of Linux appliances and determined that at no time were they vulnerable. Bash Shells were not available and customary ports needed were disabled at the firewalls.

PaperClip working with our appliance vendors has already updated IPS/IDS signatures which will block any outside attempts to discover BASH Shells.

If you have any questions regarding this matter, please email us at This email address is being protected from spambots. You need JavaScript enabled to view it..

PaperClip Support

Apr 30, 2014
PaperClip Support

Official Reference: CVE-2014-1776
More Information: Microsoft Security Advisory 2963983
Update Issued May 1, 2014: Microsoft Security Bulletin MS14-021 - Critical

Researchers at FireEye Research Labs have identified an Internet Explorer (IE) zero-day exploit that has been used in targeted attacks. This vulnerability will affect IE6 through IE 11 but targeted attacks have been specifically targeting IE 9, 10, and 11.

The vulnerability is a remote code execution vulnerability and exists in the way Internet Explorer accesses Flash objects in memory. In a web-based attack the attacker would host a web site that contains a webpage used to exploit the vulnerability the attacker would dupe victims into visiting the attack page by clicking links contained in an email or instant message.

Back to top