Security News
The Zerobot botnet has been upgraded to infect new devices by exploiting security vulnerabilities affecting Internet-exposed and unpatched Apache servers. Zerobot has been under active development since at least November, with new versions adding new modules and features to expand the botnet's attack vectors and make it easier to infect new devices, including firewalls, routers, and cameras.
WordPress security company Wordfence on Thursday said it started detecting exploitation attempts targeting the newly disclosed flaw in Apache Commons Text on October 18, 2022. While the issue was originally reported in early March 2022, the Apache Software Foundation released an updated version of the software on September 24, followed by issuing an advisory only last week on October 13.
A remote code execution flaw in the open-source Apache Commons Text library has some people worried that it could turn into the next Log4Shell. However, most cybersecurity researchers say it is...
A freshly fixed vulnerability in the Apache Commons Text library has been getting attention from security researchers these last few days, amid worries that it could lead to a repeat of the Log4Shell dumpster fire. The final verdict shows there's no need to panic: while the vulnerability is exploitable, "The nature of the vulnerability means that unlike Log4Shell, it will be rare that an application uses the vulnerable component of Commons Text to process untrusted, potentially malicious input," says Rapid7 AI researcher Erick Galinkin.
As you no doubt remember from Log4Shell, unnecessary "Features" in an Apache programming library called Log4J suddenly made all these scenarios possible on any server where an unpatched version of Log4J was installed. A user who pretended their name was $ , for example, would typically get logged by the Log4J code under the name of the server account doing the processing, if the app didn't take the precaution of checking for dangerous characters in the input data first.
Well, the bug CVE-2022-33980, which doesn't have a catchy name yet, is a very similar sort of blunder in the Apache Commons Configuration toolkit. The name's quite a mouthful: Apache Commons is another Apache project that provides numerous Java utility libraries covering a wide range of everyday programming tasks.
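The "vulnerable component" that the Commons Text and Commons Configuration stories above are talking about is variable interpolation: a `${prefix:key}` string that the library resolves at runtime. The following is an added illustration, not code from any of the quoted articles or from the Apache project, of the risky pattern beside a safer one. It assumes Apache Commons Text is on the classpath; the class name, the `TEMPLATE` constant, the two `render*` methods and the sample input are all hypothetical and constructed for the demo.

```java
import java.util.Map;

import org.apache.commons.text.StringSubstitutor;

// Hypothetical demo class; not part of Commons Text or of any application named on the page.
public class InterpolationDemo {

    // Hypothetical application template: a greeting that embeds a user-supplied display name.
    private static final String TEMPLATE = "Hello, ${name}!";

    // Risky pattern: the untrusted value is spliced into the text FIRST, and only then is the
    // full interpolator run over the result. createInterpolator() wires up the default lookups
    // (env:, sys:, date:, and, in Commons Text 1.9 and earlier, also script:, dns: and url:),
    // so any ${...} the user typed is resolved on the server. Even on 1.10.0, where the
    // script/dns/url lookups were removed from the defaults, a name of "${sys:user.name}"
    // still expands to the account the server runs as, exactly the Log4Shell-style
    // "logged under the name of the server account" behaviour described above.
    static String renderUnsafe(String untrustedName) {
        String text = TEMPLATE.replace("${name}", untrustedName);
        StringSubstitutor sub = StringSubstitutor.createInterpolator();
        return sub.replace(text);
    }

    // Safer pattern: the interpolator only ever scans the trusted TEMPLATE, and it consults an
    // explicit map of keys the application chose. The untrusted text is a VALUE in that map,
    // never part of the string being scanned. Unknown ${...} sequences are left verbatim.
    static String renderSafe(String untrustedName) {
        StringSubstitutor sub = new StringSubstitutor(Map.of("name", untrustedName));
        // Do not re-scan substituted values: otherwise a value containing "${name}" would be
        // resolved recursively and StringSubstitutor would throw on the cyclic reference.
        sub.setDisableSubstitutionInValues(true);
        return sub.replace(TEMPLATE);
    }

    public static void main(String[] args) {
        // Constructed hostile "display name": a lookup expression rather than a name.
        String hostile = "${sys:user.name}";
        System.out.println("unsafe: " + renderUnsafe(hostile));
        System.out.println("safe:   " + renderSafe(hostile));
    }
}
```

Run with Commons Text on the classpath: `renderUnsafe` prints a greeting addressed to the operating-system account the JVM runs under, because the `sys:` lookup was evaluated, while `renderSafe` prints the literal `${sys:user.name}` back unchanged. The point Galinkin makes above follows from this: the bug only bites when an application feeds attacker-controlled text into the interpolator, and the durable fix is to keep untrusted input out of the scanned string rather than to rely on which lookups a given release enables by default.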
Network-attached storage appliance maker QNAP on Thursday said it's investigating its lineup for potential impact arising from two security vulnerabilities that were addressed in the Apache HTTP server last month. The critical flaws, tracked as CVE-2022-22721 and CVE-2022-23943, are rated 9.8 for severity on the CVSS scoring system and impact Apache HTTP Server versions 2.4.52 and earlier.
QNAP has asked customers to apply mitigation measures to block attempts to exploit Apache HTTP Server security vulnerabilities impacting their network-attached storage devices. The flaws were tagged as critical with severity base scores of 9.8/10 and impact systems running Apache HTTP Server 2.4.52 and earlier.
Apache has taken another shot at fixing a critical remote code execution vulnerability in its Struts 2 framework for Java applications - because the first patch, issued in 2020, didn't fully do the trick. The security flaw exists in Struts versions 2.0.0 to 2.5.29, and an attacker could exploit it to gain control of a vulnerable system.
Apache has fixed a critical vulnerability in its vastly popular Struts project that was previously believed to have been resolved but, as it turns out, wasn't fully remedied. Tracked as CVE-2021-31805, the critical vulnerability exists in Struts 2 versions from 2.0.0 up to and including 2.5.29.