GitHub Patches Security Flaws in Core Node.js Dependencies
“These vulnerabilities may result in arbitrary code execution due to file overwrite and creation when tar is used to extract untrusted tar files or when the npm CLI is used to install untrusted npm packages under certain file system conditions,” GitHub said in an advisory. A code npm dependency, tar is used to extract and…
HAProxy Vulnerability Leads to HTTP Request Smuggling
An attacker could exploit the vulnerability – tracked as CVE-2021-40346 (CVSS score of 8.6) – to bypass duplicate HTTP Content-Length header checks. Thus, the attacker could smuggle HTTP requests to the backend server without the proxy server noticing it, or launch a response-splitting attack. “Our analysis confirmed that the duplication is achieved by making use…
USCYBERCOM Warns of Mass Exploitation of Atlassian Vulnerability Ahead of Holiday Weekend
“Mass exploitation of Atlassian Confluence CVE-2021-26084 is ongoing and expected to accelerate,” USCYBERCOM tweeted Friday morning. “Please patch immediately if you haven’t already— this cannot wait until after the weekend.” On August 25, Atlassian issued patches to address the critical code execution vulnerability that carried a CVSS score of 9.8. Described by the software maker…
Hacked SolarWinds Software Lacked Basic Anti-Exploit Mitigation: Microsoft
The missing mitigation was flagged by Microsoft in a post mortem of last month’s zero-day attack that hit businesses using the SolarWinds Serv-U Managed File Transfer and Serv-U Secure FTP products. Microsoft originally shipped the mitigation — called ASLR (Address Space Layout Randomization) in Windows Vista back in 2006 as part of a larger plan…
Critical Vulnerability Exposed Azure Cosmos DBs for Months
A fully managed NoSQL database, Cosmos DB was launched in 2017, for use with web and mobile applications, but also supports modeling social interactions and integration with third-party services. Earlier this month, researchers with the cloud security firm Wiz discovered a vulnerability in the Azure cloud platform that could allow a remote attacker to take…
Java deserialization vulnerabilities explained and how to defend against them
The Java programming language offers a seamless and elegant way to store and retrieve data. However, without proper input validation and safeguards in place, your application can be vulnerable to unsafe deserialization vulnerabilities. In a best-case scenario, deserialization vulnerabilities may simply cause data corruption or application crashes, leading to a denial of service (DoS) condition….
Biden, Tech Leaders Eye ‘Concrete Steps’ to Boost Cybersecurity
President Joe Biden and key cabinet officials were to host the chief executives of Apple, Google, Amazon and Microsoft along with leaders from the finance and utilities sectors, a senior administration official said. The gathering comes after hacks and data breaches which have targeted a major US oil pipeline, a meatpacking company, and the Microsoft…
High-Severity DoS Vulnerability Patched in BIND DNS Software
The flaw, tracked as CVE-2021-25218, affects BIND versions 9.16.19, 9.17.16, and 9.16.19-S1. Patches are included in versions 9.16.20, 9.17.17 and 9.16.20-S1. Workarounds are also available. It’s worth noting that while the existence of the vulnerability was made public on August 18, customers received a notification one week in advance. The vulnerability can be exploited remotely…
Third-Party Patches Available for More PetitPotam Attack Vectors
Disclosed in late July, PetitPotam is a remote code execution vulnerability (CVE-2021-36942) that abuses the Encrypting File System Remote (MS-EFSRPC) protocol. An attacker exploiting the bug could get a targeted server to connect to an attacker-controlled server and perform NTLM authentication. The attacker could then use other exploits to take complete control of a Windows…
BadAlloc Flaw Impacts Many Systems Running BlackBerry’s QNX Embedded OS
Publicly disclosed in April, BadAlloc is a collection of 25 vulnerabilities impacting many Internet of Things (IoT) and operational technology (OT) devices. The flaws can allow malicious attackers to gain control of highly sensitive systems. The issue affects C standard library (libc) implementations, real-time operating systems (RTOS), and embedded software development kits (SDKs), and could…
