Tufin Introduces Security Policy Builder (SPB) App to Marketplace
via "Dark Reading".
Automates security policy design to ensure compliance and reduce the likelihood of breach; Tufin is also announcing significant updates to other marketplace apps.
In 2022, Expect More Supply Chain Pain and Changing Security Roles
via "Threat Post".
If 2021 was the Year of Supply Chain Pain, 2022 will be the Year of Supply Chain Chronic Pain (or something worse than pain). This past year, the pain was felt in two significant ways: through the supply chain disruptions caused by COVID-19, and through the many security breaches that we saw in our key [...]
Threat Post: 2022: Supply-Chain Chronic Pain & SaaS Security Meltdowns
Sounil Yu, CISO at JupiterOne, discusses the growing mesh of integrations between SaaS applications, which enables automated business workflows, and rampant lateral movement by attackers, well outside IT's purview.
CVE-2021-43827
via "National Vulnerability Database".
discourse-footnote is a library providing footnotes for posts in Discourse. Impact: when posting an inline footnote wrapped in `<a>` tags (e.g. `<a>^[footnote]</a>`), the resulting rendered HTML would include a nested `<a>`, which is stripped by Nokogiri because it is not valid. This then caused a JavaScript error on topic pages, because the code looked for an `<a>` element inside the footnote reference span and read its ID; since the element did not exist, the result was a null reference error in JavaScript. Users are advised to update to version 0.2. As a workaround, editing offending posts from the Rails console or the database console (for self-hosters), or disabling the plugin in the admin panel, can mitigate this issue.
Cisco's Ash Devata on Securing the Hybrid Workforce With Zero Trust
via "Dark Reading".
Hybrid work is here to stay, and organizations can apply zero trust's three core principles to ensure a secure workforce, Devata says.
Log4j vulnerability: Why your hot take on it is wrong
via "Tech Republic".
Commentary: Those searching for a single cause for the Log4j vulnerability (whether it's that open source is not secure, or that open source is not sustainable) are getting it wrong. It's a complicated issue.
Apache's Fix for Log4Shell Can Lead to DoS Attacks
via "Threat Post".
Not only is the jaw-dropping flaw in the Apache Log4j logging library ubiquitous; Apache's blanket of a quickly baked patch for Log4Shell also has holes.
Kryptowire Collaborates With Orange and Finds Vulnerabilities in Mobile Devices
via "Dark Reading".
Kryptowire's end-to-end cybersecurity engine identified vulnerabilities granting system user-level privileges for arbitrary shell script execution.
CVE-2021-4116
via "National Vulnerability Database".
yetiforcecrm is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting').
CVE-2021-20330
via "National Vulnerability Database".
An attacker with basic CRUD permissions on a replicated collection can run the applyOps command with specially malformed oplog entries, resulting in a potential denial of service on secondaries. This issue affects MongoDB Server v4.0 versions prior to 4.0.25; MongoDB Server v4.2 versions prior to 4.2.14; MongoDB Server v4.4 versions prior to 4.4.6.
Why Cloud Storage Isn't Immune to Ransomware
via "Dark Reading".
Cloud security is a shared responsibility, which sometimes leads to security gaps and complexity in risk management.
OpenSSL Toolkit 1.1.1m
via "Packet Storm Security".
OpenSSL is a robust, fully featured Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols with full-strength cryptography world-wide.
US government launches "Hack the DHS" bug bounty program
via "The Daily Swig".
Initiative will also invite selected security researchers to a live hacking event.
Why We Need "Developer-First" Application Security
via "Dark Reading".
The way to improve the security of the modern software development life cycle and reduce the number of application-based breaches is to re-center app security around the needs of developers.
Log4j: Security pros call for urgent patch implementation as in-the-wild exploitation continues
via "The Daily Swig".
Initial, "incomplete" patch created path to denial-of-service attacks.
Kodachi is the operating system for those who value privacy but don't want to learn Linux
via "Tech Republic".
For anyone looking to gain an extra layer of privacy on a desktop or laptop, Kodachi Linux might be the perfect option. Jack Wallen highlights this live Linux distribution.
Just in time for Christmas, Kronos payroll and HR cloud software goes offline due to ransomware
via "Tech Republic".
The attack has led to an outage expected to last weeks, leaving companies scrambling to make payroll with the holidays right around the corner.
Log4j Recognizer
via "Packet Storm Security".
This utility looks for log4j in the currently running JVM. It is useful for systems that allow plugins to introduce their own jars, so you can find out whether someone is loading a dangerous version of log4j.
CVE-2021-43237
via "National Vulnerability Database".
Windows Setup Elevation of Privilege Vulnerability.
CVE-2021-43893
via "National Vulnerability Database".
Windows Encrypting File System (EFS) Elevation of Privilege Vulnerability.
CVE-2021-43227
via "National Vulnerability Database".
Storage Spaces Controller Information Disclosure Vulnerability. This CVE ID is unique from CVE-2021-43235.
CVE-2021-43877
via "National Vulnerability Database".
ASP.NET Core and Visual Studio Elevation of Privilege Vulnerability.