Security News

Potential Apache Struts 2 RCE flaw fixed, PoCs released
2020-08-17 10:03

Have you already updated your Apache Struts 2 to version 2.5.22, released in November 2019? You might want to, and quickly, as information about a potential RCE vulnerability and PoC exploits for it have been published. "We continue to urge developers building upon Struts 2 to not use % syntax referencing unvalidated user modifiable input in tag attributes, since this is the ultimate fix for this class of vulnerabilities," René Gielen, Struts Project Management Committee chair, added.

PoC Exploit Targeting Apache Struts Surfaces on GitHub
2020-08-14 21:20

Proof-of-concept exploit code surfaced on GitHub on Friday, raising the stakes on two existing Apache Struts 2 bugs that allow for remote code-execution and denial-of-service attacks on vulnerable installations. Remediation includes upgrading to Struts 2.5.22, according to the Apache Struts Security Team.

Critical Apache Guacamole Flaws Put Remote Desktops at Risk of Hacking
2020-07-08 00:01

New research has uncovered multiple critical reverse RDP vulnerabilities in Apache Guacamole, a popular remote desktop application used by system administrators to access and manage Windows and Linux machines remotely. The reported flaws could potentially let bad actors achieve full control over the Guacamole server, and intercept and control all other connected sessions.

Apache Guacamole Vulnerabilities Facilitate Attacks on Enterprises
2020-07-03 12:27

Remote code execution and information disclosure vulnerabilities addressed in Apache Guacamole can be highly useful to threat actors targeting enterprises, Check Point security researchers warn. An open-source remote desktop gateway, Apache Guacamole is an HTML5 web application that can be used on a broad range of devices, straight from the web browser.

Holy Guacamole! Researchers find Apache remote desktop software was silently pwnable for snooping on sessions
2020-07-02 22:05

The Apache Project's popular Guacamole open-source remote desktop software contained vulns allowing remote attackers to steal login creds and hijack targeted machines, researchers have said. The Apache Foundation has issued patches for Guacamole following Check Point's research, which resulted in two CVEs.

Apache Guacamole Opens Door for Total Control of Remote Footprint
2020-07-02 16:14

Apache Guacamole, a popular infrastructure for enabling remote working, is vulnerable to a slew of security bugs related to the Remote Desktop Protocol, researchers have warned. "Once in control of the gateway, an attacker can eavesdrop on all incoming sessions, record all the credentials used, and even start new sessions to control the rest of the computers within the organization," explained Eyal Itkin, researcher from Check Point, in a posting on Thursday.

DataStax Astra: A DBaaS that simplifies cloud-native Apache Cassandra application development
2020-05-14 02:00

DataStax announced the general availability of DataStax Astra, a database-as-a-service for Apache Cassandra applications, simplifying cloud-native Cassandra application development. On Google Cloud, Astra deploys and manages enterprise clusters powered by Cassandra directly on top of Google Cloud's Platform infrastructure, so that data sits in the same Google Cloud global infrastructure as applications.

Confluent launches elastic scaling for Apache Kafka, bringing cloud capabilities to event streaming
2020-05-08 00:00

Confluent, the event streaming platform pioneer, announced the launch of elastic scaling for Apache Kafka. "Elasticity is a fundamental property of cloud data systems and our first step in Project Metamorphosis is bringing elastic scaling to Kafka and its ecosystem in Confluent Cloud," said Jay Kreps, co-founder and CEO, Confluent.

DataStax releases open-source Kubernetes Operator for Apache Cassandra
2020-04-02 01:00

DataStax released code for an Apache Cassandra Kubernetes operator to help enterprises and users succeed with scale-out, cloud-native data. This Kubernetes Operator for Apache Cassandra, cass-operator, is now available and ready for use by the community as we work together on a common operator.

Apache Tomcat Exploit Poised to Pounce, Stealing Files
2020-03-23 20:56

A vulnerability in the popular Apache Tomcat web server is ripe for active attack, thanks to a proof-of-concept exploit making an appearance on GitHub. The Apache Tomcat open-source web server supports various JavaScript-based technologies, including the Apache JServ Protocol interface, which is where the vulnerability resides.