CVE-2022-37023
via "National Vulnerability Database".
Apache Geode versions prior to 1.15.0 are vulnerable to a deserialization of untrusted data flaw when using REST API on Java 8 or Java 11. Any user wishing to protect against deserialization attacks involving REST APIs should upgrade to Apache Geode 1.15 and follow the documentation for details on enabling "validate-serializable-objects=true" and specifying any user classes that may be serialized/deserialized with "serializable-object-filter". Enabling "validate-serializable-objects" may impact performance.
CVE-2022-37022
via "National Vulnerability Database".
Apache Geode versions up to 1.12.2 and 1.13.2 are vulnerable to a deserialization of untrusted data flaw when using JMX over RMI on Java 11. Any user wishing to protect against deserialization attacks involving JMX or RMI should upgrade to Apache Geode 1.15. Use of 1.15 on Java 11 will automatically protect JMX over RMI against deserialization attacks. This should have no impact on performance, since it only affects JMX/RMI, which Gfsh uses to communicate with the JMX Manager hosted on a Locator.
CVE-2022-39046
via "National Vulnerability Database".
An issue was discovered in the GNU C Library (glibc) 2.36. When the syslog function is passed a crafted input string larger than 1024 bytes, it reads uninitialized memory from the heap and prints it to the target log file, potentially revealing a portion of the contents of the heap.
JavaScript bugs aplenty in Node.js ecosystem - found automatically
via "Naked Security".
How to get the better of bugs in all the possible packages in your supply chain?
Chrome patches 24 security holes, enables "Sanitizer" safety system
via "Naked Security".
24 existing bugs fixed. And, we hope, numerous potential future bugs prevented.
Student Loan Breach Exposes 2.5M Records
via "Threat Post".
2.5 million people were affected, in a breach that could spell more trouble down the line.
SecureAuth Announces General Availability of Arculix, Its Next-Gen Passwordless, Continuous-Authentication Platform
via "Dark Reading".
Next-gen platform delivers adaptive and robust, continuous authentication with identity orchestration and a frictionless user experience.
The Inevitability of Cloud Breaches: Tales of Real-World Cloud Attacks
via "Dark Reading".
While cloud breaches are going to happen, that doesn't mean we can't do anything about them. By better understanding cloud attacks, organizations can better prepare for them. (First of two parts.)
Command injection vulnerability in GitHub Pages nets bug hunter $4k
via "The Daily Swig".
Exploit involved duping developers into exposing repositories with social engineering techniques.
Three-day hackathon uncovers hundreds of bugs in Yahoo search engine tool Vespa
via "The Daily Swig".
Live event brings together bug bounty hunters from across the globe.
Final Thoughts on Ubiquiti
via "Krebs on Security".
Last year, I posted a series of articles about a purported "breach" at Ubiquiti. My sole source for that reporting was the person who has since been indicted by federal prosecutors for his alleged wrongdoing - which includes providing false…
TikTok for Android Bug Allows Single-Click Account Hijack
via "Dark Reading".
A security vulnerability (CVE-2022-28799) in one of TikTok for Android's deeplinks could affect billions of users, Microsoft warns.
CVE-2022-36045
via "National Vulnerability Database".
NodeBB Forum Software is powered by Node.js and supports either Redis, MongoDB, or a PostgreSQL database. It utilizes web sockets for instant interactions and real-time notifications. `utils.generateUUID`, a helper function available in essentially all versions of NodeBB (as far back as v1.0.1 and potentially earlier), used a cryptographically insecure pseudo-random number generator (`Math.random()`), which meant that a specially crafted script combined with multiple invocations of the password reset functionality could enable an attacker to correctly calculate the reset code for an account they do not have access to. This vulnerability impacts all installations of NodeBB. The vulnerability allows an attacker to take over any account without the involvement of the victim, and as such the remediation should be applied immediately (either via NodeBB upgrade or cherry-pick of the specific changeset). The vulnerability has been patched in versions 2.x and 1.19.x. There is no known workaround, but the patch sets listed above will fully patch the vulnerability.
CVE-2022-36035
via "National Vulnerability Database".
Flux is a tool for keeping Kubernetes clusters in sync with sources of configuration (like Git repositories), and automating updates to configuration when there is new code to deploy. Flux CLI allows users to deploy Flux components into a Kubernetes cluster via command-line. The vulnerability allows other applications to replace the Flux deployment information with arbitrary content which is deployed into the target Kubernetes cluster instead. The vulnerability is due to the improper handling of user-supplied input, which results in a path traversal that can be controlled by the attacker. Users sharing the same shell between other applications and the Flux CLI commands could be affected by this vulnerability. In some scenarios no errors may be presented, which may cause end users not to realize that something is amiss. A safe workaround is to execute Flux CLI in ephemeral and isolated shell environments, which can ensure no persistent values exist from previous processes. However, upgrading to the latest version of the CLI is still the recommended mitigation strategy.
(ISC)² Opens Global Enrollment for '1 Million Certified in Cybersecurity' Initiative
via "Dark Reading".
(ISC)² pledges to expand and diversify the cybersecurity workforce by providing free "(ISC)² Certified in Cybersecurity" education and exams to 1 million people worldwide.
OpenText Goes All-in on Cybersecurity Size and Scale With Micro Focus Purchase
via "Dark Reading".
OpenText makes a $6 billion bet that bigger is better in security and that cybersecurity platform plays are the future.
James Webb Telescope Images Loaded With Malware Are Evading EDR
via "Dark Reading".
New Golang cyberattacks use deep space images and a new obfuscator to target systems - undetected.
CVE-2022-1319
via "National Vulnerability Database".
A flaw was found in Undertow. For an AJP 400 response, EAP 7 is improperly sending two response packets, and those packets have the reuse flag set even though JBoss EAP closes the connection. A failure occurs when the connection is reused after a 400 by CPING since it reads in the second SEND_HEADERS response packet instead of a CPONG.
CVE-2022-1271
via "National Vulnerability Database".
An arbitrary file write vulnerability was found in GNU gzip's zgrep utility. When zgrep is run on an attacker-chosen file name (for example, a crafted file name), it can write attacker-controlled content to an arbitrary attacker-selected file. This flaw occurs due to insufficient validation when processing filenames with two or more newlines, where the selected content and the target file names are embedded in crafted multi-line file names. This flaw allows a remote, low privileged attacker to force zgrep to write arbitrary files on the system.
CVE-2020-35537
via "National Vulnerability Database".
In gcc, a crafted input source file could cause g++ to crash during compilation when provided certain optimization flags. The problem resides in the ipcp_store_vr_results function in gcc/ipa-cp.c.
CVE-2022-2520
via "National Vulnerability Database".
A flaw was found in libtiff 4.4.0rc1. There is a sysmalloc assertion failure in rotateImage() at tiffcrop.c:8621 that can cause a program crash when reading a crafted input.