Security News

USENIX, the not-for-profit advanced computing association, has decided to put an end to its beloved LISA sysadmin conferences, at least as a standalone event. In an online announcement, the LISA steering committee said that after 35 years of producing the "Best systems engineering content" the event "Will no longer be scheduled as a standalone conference."

Networking equipment major Cisco has rolled out software updates to address multiple critical vulnerabilities impacting HyperFlex HX and SD-WAN vManage Software that could allow an attacker to perform command injection attacks, execute arbitrary code, and gain access to sensitive information. The HyperFlex HX command injection vulnerabilities, tracked as CVE-2021-1497 and CVE-2021-1498, affect all Cisco devices running HyperFlex HX software versions 4.0, 4.5, and those prior to 4.0.

Cisco has addressed two critical security vulnerabilities in the SD-WAN vManage Software, one of which could allow an unauthenticated attacker to carry out remote code execution on corporate networks or steal information. The networking giant also disclosed a denial-of-service issue in vManage; and locally exploitable bugs that would allow an authenticated attacker to escalate privileges or gain unauthorized access to applications.

The bug listed here is what's known as a Universal Cross-site Scripting vulnerability, which means it's a way for attackers to access private browser data from website X while you are browsing on booby-trapped website Y. That's definitely not supposed to happen. Your browser is supposed to stop data such as cookies "Leaking" between websites, or else site Y could peek at data such as your login details for site X, and abuse that site-specific data to masquerade as you on site X and hijack your account.

Cisco on Wednesday released patches to address tens of vulnerabilities across its product portfolio, including critical flaws in SD-WAN software and the HyperFlex HX data platform. Two critical vulnerabilities were patched in the SD-WAN vManage software, alongside three high-severity issues.

VMware has released security updates to address a critical severity vulnerability in vRealize Business for Cloud that enables unauthenticated attackers to remotely execute malicious code on vulnerable servers. vRealize Business for Cloud is an automated cloud business management solution designed to provide IT teams with cloud planning, budgeting, and cost analysis tools.

Pulse Secure has rushed a fix for a critical zero-day security vulnerability in its Connect Secure VPN devices, which has been exploited by nation-state actors to launch cyberattacks against U.S. defense, finance and government targets, as well as victims in Europe. Pulse Secure also patched three other security bugs, two of them also critical RCE vulnerabilities.

Newly discovered critical vulnerabilities in the Exim mail transfer agent software allow unauthenticated remote attackers to execute arbitrary code and gain root privilege on mail servers with default or common configurations. All versions released before Exim 4.94.2 are vulnerable to attacks attempting to exploit the 21Nails vulnerabilities.

Ivanti, the company behind Pulse Secure VPN appliances, has released a security patch to remediate a critical security vulnerability that was found being actively exploited in the wild by at least two different threat actors. Tracked as CVE-2021-22893, the flaw concerns "Multiple use after free" issues in Pulse Connect Secure that could allow a remote unauthenticated attacker to execute arbitrary code and take control of the affected system.

Hewlett Packard Enterprise is urging customers to patch one of its premier edge application management tools that could allow an attacker to carry out a remote authentication bypass attack and infiltrate a customer's cloud infrastructure. Rated critical, with a CVSS score of 9.8, the bug impacts all versions of HPE's Edgeline Infrastructure Manager prior to version 1.21.