Security News
An undisclosed Cross-Site Scripting vulnerability in Apache Velocity Tools can be exploited by unauthenticated attackers to target government sites, including NASA and NOAA. Although 90 days have elapsed since the vulnerability was reported and patched, BleepingComputer is not aware of a formal disclosure made by the project. Govt sites using Apache Velocity Tools vulnerable to XSS. Apache Velocity Tools has an undisclosed XSS vulnerability, which impacts all its versions despite a fix having been published on GitHub months ago.
The Apache Software Foundation has released a security update for Struts 2, to address what is described as a "Possible remote code execution" flaw related to the OGNL technology. Tracked as CVE-2020-17530, the newly addressed bug resides in "Forced OGNL evaluation, when evaluated on raw user input in tag attributes," according to an Apache advisory.
A threat group tracked as Stantinko was observed using a new version of a Linux proxy Trojan that poses as Apache servers to remain undetected. Previously, the Stantinko group was mainly known for the targeting of Windows systems, but recent attacks show that they are also focusing on evolving their Linux malware, with a new proxy Trojan that masquerades as httpd, the Apache Hypertext Transfer Protocol Server found on many Linux servers.
Apache recently fixed multiple vulnerabilities in its web server software that could have potentially led to the execution of arbitrary code and, in specific scenarios, even could allow attackers to cause a crash and denial of service. The first of the three issues involve a possible remote code execution vulnerability due to a buffer overflow with the "Mod uwsgi" module, potentially allowing an adversary to view, change, or delete sensitive data depending on the privileges associated with an application running on the server.
Apache recently fixed multiple vulnerabilities in its web server software that could have potentially led to the execution of arbitrary code and, in specific scenarios, even could allow attackers to cause a crash and denial of service. The first of the three issues involve a possible remote code execution vulnerability due to a buffer overflow with the "Mod uwsgi" module, potentially allowing an adversary to view, change, or delete sensitive data depending on the privileges associated with an application running on the server.
Have you already updated your Apache Struts 2 to version 2.5.22, released in November 2019? You might want to, and quickly, as information about a potential RCE vulnerability and PoC exploits for it have been published. "We continue to urge developers building upon Struts 2 to not use % syntax referencing unvalidated user modifiable input in tag attributes, since this is the ultimate fix for this class of vulnerabilities," René Gielen, Struts Project Management Committee chair, added.
Proof-of-concept exploit code surfaced on GitHub on Friday, raising the stakes on two existing Apache Struts 2 bugs that allow for remote code-execution and denial-of-service attacks on vulnerable installations. Remediation includes upgrading to Struts 2.5.22, according to the Apache Struts Security Team.
A new research has uncovered multiple critical reverse RDP vulnerabilities in Apache Guacamole, a popular remote desktop application used by system administrators to access and manage Windows and Linux machines remotely. The reported flaws could potentially let bad actors achieve full control over the Guacamole server, intercept, and control all other connected sessions.
Remote code execution and information disclosure vulnerabilities addressed in Apache Guacamole can be highly useful to threat actors targeting enterprises, Check Point security researchers warn. An open-source remote desktop gateway, Apache Guacamole is an HTML5 web application that can be used on a broad range of devices, straight from the web browser.
The Apache Project's popular Guacamole open-source remote desktop software contained vulns allowing remote attackers to steal login creds and hijack targeted machines, researchers have said. The Apache Foundation has issued patches for Guacamole following Check Point's research, which resulted in two CVEs.