CVE-2021-45046
Read via "National Vulnerability Database".
It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. This could allow attackers with control over Thread Context Map (MDC) input data, when the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC), to craft malicious input data using a JNDI Lookup pattern, resulting in a denial of service (DoS) attack. Log4j 2.15.0 restricts JNDI LDAP lookups to localhost by default. Note that previous mitigations involving configuration, such as setting the system property `log4j2.formatMsgNoLookups` to `true`, do NOT mitigate this specific vulnerability. Log4j 2.16.0 fixes this issue by removing support for message lookup patterns and disabling JNDI functionality by default. This issue can be mitigated in prior releases (<2.16.0) by removing the JndiLookup class from the classpath (example: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class).
Microsoft Patches Zero-Day Spreading Emotet Malware
Read via "Dark Reading".
The December rollout includes 67 security patches and addresses one zero-day and five more publicly known vulnerabilities.
Actively Exploited Microsoft Zero-Day Allows App Spoofing, Malware Delivery
Read via "Threat Post".
December's Patch Tuesday updates address six publicly known bugs and seven critical security vulnerabilities.
Ransomware Hits Virginia Legislative Agencies
Read via "Dark Reading".
The attack forced a shutdown of computer systems and websites for Virginia legislative agencies and commissions, reports state.
Tool Overload & Attack Surface Expansion Plague SOCs
Read via "Dark Reading".
Security professionals are burning out from handling too many tools and facing a growing number of threats, and more than 40% see lack of leadership as the main problem.
Microsoft Patch Tuesday, December 2021 Edition
Read via "Krebs on Security".
Microsoft, Adobe, and Google all issued security updates to their products today. The Microsoft patches include six previously disclosed security flaws, and one that is already being actively exploited. But this month's Patch Tuesday is being overshadowed by the "Log4Shell" 0-day exploit in a popular Java library that web server administrators are now racing to find and patch amid widespread exploitation of the flaw.
CVE-2021-44942
Read via "National Vulnerability Database".
glFusion CMS 1.7.9 is affected by a Cross Site Request Forgery (CSRF) vulnerability in /public_html/admin/plugins/bad_behavior2/blacklist.php. By using the CSRF vulnerability to trick the administrator into clicking, an attacker can add a blacklist.
Propane Gas Distributor Hit With Ransomware
Read via "Dark Reading".
North America-based Superior Plus "temporarily disabled" some of its systems in the wake of the attack.
Apple iOS Update Fixes Cringey iPhone 13 Jailbreak Exploit
Read via "Threat Post".
It took just 15 seconds to hack the latest, greatest, shiniest iPhone 13 Pro on stage at the Tianfu Cup in October, using a now-fixed iOS kernel bug.
How to install Qubes OS as a virtual machine
Read via "Tech Republic".
Qubes OS defines itself modestly as "a reasonably secure operating system." It might actually be one of the safest operating systems, often used by pros who are most concerned with computer security.
Attackers Target Log4j to Drop Ransomware, Web Shells, Backdoors
Read via "Dark Reading".
Amid the increase in Log4j attack activity, at least one Iranian state-backed threat group is preparing to target the vulnerability, experts say.
Ground Labs Research Reveals 71% of American Consumers are Unaware of Data Protection Laws
Read via "Dark Reading".
Google Survey of 1,000 U.S. consumers uncovers data privacy disconnect, a call to action for businesses.
Tufin Introduces Security Policy Builder (SPB) App to Marketplace
Read via "Dark Reading".
Automates security policy design to ensure compliance and reduce the likelihood of a breach; the company is also announcing significant updates to other marketplace apps.
In 2022, Expect More Supply Chain Pain and Changing Security Roles
Read via "Threat Post".
If 2021 was the Year of Supply Chain Pain, 2022 will be the Year of Supply Chain Chronic Pain (or something worse than pain). This past year, the pain was felt in two significant ways: through the supply chain disruptions caused by COVID-19, and through the many security breaches that we saw in our key […]
2022: Supply-Chain Chronic Pain & SaaS Security Meltdowns
Read via "Threat Post".
Sounil Yu, CISO at JupiterOne, discusses the growing mesh of integrations between SaaS applications, which enables automated business workflows, as well as rampant lateral movement by attackers, well outside IT's purview.
CVE-2021-43827
Read via "National Vulnerability Database".
discourse-footnote is a library providing footnotes for posts in Discourse. Impact: when posting an inline footnote wrapped in `<a>` tags (e.g. `<a>^[footnote]</a>`), the resulting rendered HTML would include a nested `<a>`, which is stripped by Nokogiri because it is not valid. This then caused a JavaScript error on topic pages because we were looking for an `<a>` element inside the footnote reference span and getting its ID, and because it did not exist we got a null reference error in JavaScript. Users are advised to update to version 0.2. As a workaround, editing offending posts from the Rails console or the database console (for self-hosters), or disabling the plugin in the admin panel, can mitigate this issue.
Cisco's Ash Devata on Securing the Hybrid Workforce With Zero Trust
Read via "Dark Reading".
Hybrid work is here to stay, and organizations can apply zero trust's three core principles to ensure a secure workforce, Devata says.
Log4j vulnerability: Why your hot take on it is wrong
Read via "Tech Republic".
Commentary: Those searching for a single cause for the Log4j vulnerability, whether it's that open source is not secure or that open source is not sustainable, are getting it wrong. It's a complicated issue.
Apache's Fix for Log4Shell Can Lead to DoS Attacks
Read via "Threat Post".
Not only is the jaw-dropping flaw in the Apache Log4j logging library ubiquitous; Apache's quickly baked blanket patch for Log4Shell also has holes.
Kryptowire Collaborates With Orange and Finds Vulnerabilities in Mobile Devices
Read via "Dark Reading".
Kryptowire's end-to-end cybersecurity engine identified vulnerabilities granting system user-level privileges for arbitrary shell script execution.
CVE-2021-4116
Read via "National Vulnerability Database".
yetiforcecrm is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting').
CVE-2021-20330
Read via "National Vulnerability Database".
An attacker with basic CRUD permissions on a replicated collection can run the applyOps command with specially malformed oplog entries, resulting in a potential denial of service on secondaries. This issue affects MongoDB Server v4.0 versions prior to 4.0.25; MongoDB Server v4.2 versions prior to 4.2.14; MongoDB Server v4.4 versions prior to 4.4.6.