An attacker could exploit the vulnerability – tracked as CVE-2021-40346 (CVSS score of 8.6) – to bypass duplicate HTTP Content-Length header checks. The attacker could then smuggle HTTP requests to the backend server without the proxy noticing, or launch a response-splitting attack. “Our analysis confirmed that the duplication is achieved by making use…

“Mass exploitation of Atlassian Confluence CVE-2021-26084 is ongoing and expected to accelerate,” USCYBERCOM tweeted Friday morning. “Please patch immediately if you haven’t already— this cannot wait until after the weekend.” On August 25, Atlassian issued patches to address the critical code execution vulnerability that carried a CVSS score of 9.8. Described by the software maker…

“Digital collaboration” and “critical thinking” are among the modern skills workers need for the post-pandemic economy, according to a new report. Questionmark is calling on employers to measure strengths and weaknesses across the workforce. The report explores what workers need to thrive in a modern environment. Such is the scale of the shift required, that…

Quantum computing is still cutting-edge, but that doesn’t mean it can’t be improved. What is quantum computing? Is it the same as quantum cryptography, a central tenet of so-called quantum security? And where does artificial intelligence (AI) fit in? What Is Quantum Security? Often when you hear about quantum computing in terms of security, it’s…

Cosmos DB, a fully managed NoSQL database launched in 2017, is intended for web and mobile applications but also supports modeling social interactions and integration with third-party services. Earlier this month, researchers at the cloud security firm Wiz discovered a vulnerability in the Azure cloud platform that could allow a remote attacker to take…

Java’s built-in object serialization offers a seamless and elegant way to store and retrieve object graphs. However, without proper input validation and safeguards in place, an application that deserializes untrusted data is exposed to unsafe deserialization vulnerabilities. In a best-case scenario, such a vulnerability may simply cause data corruption or an application crash, leading to a denial of service (DoS) condition….
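The following is an added example (not code from the original article) showing the unsafe pattern the paragraph describes beside a hardened version. It assumes a hypothetical application type, SessionToken, is the only class the service should ever accept, and uses a hypothetical Unexpected class to stand in for any other Serializable type that reaches readObject(); the hardened path uses the standard JEP 290 ObjectInputFilter (Java 9+) to reject everything else before it is instantiated and to cap stream size and depth against DoS payloads.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;

public class DeserializationDemo {

    // Hypothetical application class: the only type the service should accept.
    static final class SessionToken implements Serializable {
        private static final long serialVersionUID = 1L;
        final String user;
        SessionToken(String user) { this.user = user; }
    }

    // Hypothetical stand-in for any unexpected Serializable class on the classpath.
    // It is not a gadget; it only shows that the unfiltered path instantiates it anyway.
    static final class Unexpected implements Serializable {
        private static final long serialVersionUID = 1L;
        final byte[] payload = new byte[1024];
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // VULNERABLE: readObject() resolves and constructs whatever class the stream names.
    // The cast to SessionToken only runs after the object graph already exists.
    static SessionToken readUnfiltered(byte[] untrusted) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(untrusted))) {
            return (SessionToken) ois.readObject();
        }
    }

    // HARDENED: an allow-list filter. Patterns are matched in order; "!*" rejects every
    // class not listed before it. The limits bound graph depth, array length and bytes
    // read, which blunts crash/DoS-style payloads even from allowed classes.
    static SessionToken readFiltered(byte[] untrusted) throws IOException, ClassNotFoundException {
        ObjectInputFilter filter = ObjectInputFilter.Config.createFilter(
            "maxdepth=4;maxarray=256;maxbytes=4096;"
            + SessionToken.class.getName() + ";java.lang.String;!*");
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(untrusted))) {
            ois.setObjectInputFilter(filter);
            return (SessionToken) ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample inputs: one legitimate token, one unexpected object.
        byte[] good = serialize(new SessionToken("alice"));
        byte[] bad = serialize(new Unexpected());

        System.out.println("filtered, legitimate token: " + readFiltered(good).user);

        try {
            readUnfiltered(bad);
        } catch (ClassCastException e) {
            // The Unexpected instance was fully constructed before the cast failed;
            // with a real gadget class, the damage would already be done.
            System.out.println("unfiltered: object instantiated, cast failed afterwards");
        }

        try {
            readFiltered(bad);
        } catch (InvalidClassException e) {
            // Rejected by the filter before any constructor or readObject hook runs.
            System.out.println("filtered: rejected before instantiation: " + e.getMessage());
        }
    }
}
```

Compile and run with `javac DeserializationDemo.java && java DeserializationDemo` on JDK 9 or later. In a real service, the allow-list should name fully qualified application classes and can also be set process-wide with the `jdk.serialFilter` system property; the stricter option, where the data model allows it, is to avoid native Java serialization for untrusted input altogether.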

Last Saturday the Cybersecurity and Infrastructure Security Agency issued an urgent warning that threat actors are actively exploiting three Microsoft Exchange vulnerabilities—CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207. These vulnerabilities can be chained together to remotely execute arbitrary code on a vulnerable machine. This set of Exchange vulnerabilities is often grouped under the name ProxyShell. Fixes were available…

The flaw, tracked as CVE-2021-25218, affects BIND versions 9.16.19, 9.17.16, and 9.16.19-S1. Patches are included in versions 9.16.20, 9.17.17 and 9.16.20-S1. Workarounds are also available. It’s worth noting that while the existence of the vulnerability was made public on August 18, customers received a notification one week in advance. The vulnerability can be exploited remotely…