Security News

Network-attached storage appliance maker QNAP on Thursday said it's investigating its lineup for potential impact arising from two security vulnerabilities that were addressed in the Apache HTTP server last month. The critical flaws, tracked as CVE-2022-22721 and CVE-2022-23943, are rated 9.8 for severity on the CVSS scoring system and impact Apache HTTP Server versions 2.4.52 and earlier -.

QNAP has asked customers to apply mitigation measures to block attempts to exploit Apache HTTP Server security vulnerabilities impacting their network-attached storage devices. The flaws were tagged as critical with severity base scores of 9.8/10 and impact systems running Apache HTTP Server 2.4.52 and earlier.

Apache has taken another shot at fixing a critical remote code execution vulnerability in its Struts 2 framework for Java applications - because the first patch, issued in 2020, didn't fully do the trick. The security flaw exists in Struts versions 2.0.0 to 2.5.29, and an attacker could exploit it to gain control of a vulnerable system.

Apache has fixed a critical vulnerability in its vastly popular Struts project that was previously believed to have been resolved but, as it turns out, wasn't fully remedied. Tracked as CVE-2021-31805, the critical vulnerability exists in Struts 2 versions from 2.0.0 up to and including 2.5.29.

Researchers have shared details about a now-patched, high-severity security bug in the Apache Cassandra open-source NoSQL distributed database that's easy to exploit and, if left unpatched, could enable attackers to gain remote code execution. In a Tuesday writeup, JFrog security researcher Omer Kaspi said that on the upside, the only Cassandra systems that are vulnerable to the flaw are those with a particular, non-standard and, specifically, not recommended configuration.

Researchers have revealed details of a now-patched high-severity security vulnerability in Apache Cassandra that, if left unaddressed, could be abused to gain remote code execution on affected installations. "This Apache security vulnerability is easy to exploit and has the potential to wreak havoc on systems, but luckily only manifests in non-default configurations of Cassandra," Omer Kaspi, security researcher at DevOps firm JFrog, said in a technical write-up published Tuesday.

Rapid7 has offered up more details on a SonicWall critical flaw that allows for unauthenticated remote code execution on affected devices, noting that it arises from tweaks that the vendor made to the Apache httpd server. CVE-2021-20038 is the most critical of the flaws, with a rating of 9.8 on the Common Vulnerability Scoring System.

There have been millions of downloads of outdated, vulnerable Log4j versions despite the emergence of a serious security hole in December 2021, according to figures compiled by the firm that runs Apache Maven's Central Repository. Tracked as CVE-2021-44228 aka Log4shell, the original vulnerability affected version 2.14 and earlier of the 2.x branch of the Apache logging utility.

Microsoft is warning of continuing attempts by nation-state adversaries and commodity attackers to take advantage of security vulnerabilities uncovered in the Log4j open-source logging framework to deploy malware on vulnerable systems. "We have observed many existing attackers adding exploits of these vulnerabilities in their existing malware kits and tactics, from coin miners to hands-on-keyboard attacks."

The Apache Software Foundation on Tuesday rolled out fresh patches to contain an arbitrary code execution flaw in Log4j that could be abused by threat actors to run malicious code on affected systems, making it the fifth security shortcoming to be discovered in the tool in the span of a month. While Log4j versions 1.x are not affected, users are recommended to upgrade to Log4j 2.3.2, 2.12.4, or 2.17.1.