Security News
Atlassian is prompting its enterprise customers to patch a critical vulnerability in many versions of its Jira Data Center and Jira Service Management Data Center products. The vulnerability tracked as CVE-2020-36239 can give remote attackers arbitrary code execution abilities, due to a missing authentication flaw in Jira's implementation of Ehcache, an open-source component.
Oracle on Tuesday released its quarterly Critical Patch Update for July 2021 with 342 fixes spanning across multiple products, some of which could be exploited by a remote attacker to take control of an affected system. Chief among them is CVE-2019-2729, a critical deserialization vulnerability via XMLDecoder in Oracle WebLogic Server Web Services that's remotely exploitable without authentication.
Cybersecurity researchers on Wednesday disclosed multiple security vulnerabilities impacting CODESYS automation software and the WAGO programmable logic controller platform that could be remotely exploited to take control of a company's cloud operational technology infrastructure. The flaws can be turned "Into innovative attacks that could put threat actors in position to remotely control a company's cloud OT implementation, and threaten any industrial process managed from the cloud," the New York-headquartered industrial security company Claroty said in a report shared with The Hacker News, adding they "Can be used to target a cloud-based management console from a compromised field device, or take over a company's cloud and attack PLCs and other devices to disrupt operations."
Juniper Networks has shipped security patches to cover numerous vulnerabilities across its product portfolio, including a series of critical bugs in third-party software used in the company's products. The most important of the vulnerabilities is CVE-2021-0276, a stack-based buffer overflow in Juniper Networks SBR Carrier with EAP. An attacker could exploit it by sending specific packets to cause a denial of service condition or to execute code remotely, Juniper warned in an advisory.
Cisco's Talos threat intelligence and research unit has disclosed the details of several critical vulnerabilities affecting a router monitoring application made by Taiwan-based industrial and IoT solutions provider Advantech. The affected tool is R-SeeNet, which is designed to help network administrators monitor their Advantech routers.
According to Keeper Security's Workplace Password Malpractice Report, many remote workers aren't following best practices for password security. In February 2021, Keeper surveyed 1,000 employees in the U.S. about their work-related password habits - and discovered that a lot of remote workers are letting password security go by the wayside.
Telecom providers, including wireless carriers, are at risk of disruption of network service if the bug in SBR Carrier is exploited. A critical remote code-execution vulnerability in Juniper Networks' Steel-Belted Radius Carrier Edition lays open wireless carrier and fixed operator networks to tampering.
Hackers have started targeting a critical WooCommerce vulnerability only days after patches started rolling out, patchstack says. WooCommerce is a popular open-source eCommerce plugin for WordPress, with more than 5 million installations to date, making it an attractive target for cybercriminals.
Cloudflare has fixed a critical vulnerability in its free and open-source CDNJS potentially impacting 12.7% of all websites on the internet. CDNJS serves millions of websites with over 4,000 JavaScript and CSS libraries stored publicly on GitHub, making it the second-largest JavaScript CDN. The vulnerability exploits comprised publishing packages to Cloudflare's CDNJS using GitHub and npm, to trigger a Path Traversal vulnerability, and eventually remote code execution.
A critical SQL-injection security vulnerability in the WooCommerce e-commerce platform and a related plugin has been under attack as a zero-day bug, researchers have disclosed. The exploitation prompted WooCommerce to release an emergency patch for the issue late on Wednesday.