Security News

Apple patched critical flaws in macOS Monterey but not in Big Sur nor Catalina
2022-04-06 07:40

Apple last week patched two actively exploited vulnerabilities in macOS Monterey yet has left users of older supported versions of its desktop operating system unprotected. In a blog post on Tuesday, security biz Intego said fixes applied to address CVE-2022-22675 and CVE-2022-22674 in macOS Monterey were not backported to macOS Big Sur or macOS Catalina.

Advanced Threat Defense for Your Business-critical Applications on AWS
2022-04-06 00:00

Fortinet's partnership with AWS ensures your workloads and applications on AWS are protected by best-in-class security solutions. With simplified security management, full visibility across environments, and broad, comprehensive protection, gain the ultimate flexibility and control you need to build in the cloud.

CISA Warns of Active Exploitation of Critical Spring4Shell Vulnerability
2022-04-05 20:27

The U.S. Cybersecurity and Infrastructure Security Agency on Monday added the recently disclosed remote code execution vulnerability affecting the Spring Framework to its Known Exploited Vulnerabilities Catalog based on "Evidence of active exploitation." The critical severity flaw, assigned the identifier CVE-2022-22965 and dubbed "Spring4Shell", impacts Spring model-view-controller and Spring WebFlux applications running on Java Development Kit 9 and later.

Security Patch Releases for Critical Zero-Day Bug in Java Spring Framework
2022-04-04 20:15

The maintainers of Spring Framework have released an emergency patch to address a newly disclosed remote code execution flaw that, if successfully exploited, could allow an unauthenticated attacker to take control of a targeted system. Tracked as CVE-2022-22965, the high-severity flaw impacts Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and other older, unsupported versions.

Mainframe still powering critical business operations
2022-04-04 04:30

Rocket Software released a report, based on a survey of over 500 U.S. IT professionals at firms using mainframes, on their priorities, challenges and plans for leveraging their mainframes going forward. The findings illustrate just how critical the mainframe continues to be for businesses today. Modernizing the mainframe plays a critical role in helping businesses overcome some of their most pressing challenges, including protecting their investments in technology, closing the skills gap and integrating new technology for a unified IT environment.

GitLab Releases Patch for Critical Vulnerability That Could Let Attackers Hijack Accounts
2022-04-01 21:03

DevOps platform GitLab has released software updates to address a critical security vulnerability that, if exploited, could permit an adversary to seize control of accounts. "A hardcoded password was set for accounts registered using an OmniAuth provider in GitLab CE/EE versions 14.7 prior to 14.7.7, 14.8 prior to 14.8.5, and 14.9 prior to 14.9.2 allowing attackers to potentially take over accounts," the company said in an advisory published on March 31.

GitLab issues critical update after hard-coding passwords into accounts
2022-04-01 19:21

GitLab on Thursday issued security updates for three versions of GitLab Community Edition and Enterprise Edition software that address, among other flaws, a critical hard-coded password bug. "A hard-coded password was set for accounts registered using an OmniAuth provider in GitLab CE/EE versions 14.7 prior to 14.7.7, 14.8 prior to 14.8.5, and 14.9 prior to 14.9.2 allowing attackers to potentially take over accounts," the company said in its advisory.

Critical GitLab vulnerability lets attackers take over accounts
2022-04-01 14:52

GitLab has addressed a critical severity vulnerability that could allow remote attackers to take over user accounts using hardcoded passwords. The bug affects both GitLab Community Edition and Enterprise Edition.

Critical Bugs in Rockwell PLC Could Allow Hackers to Implant Malicious Code
2022-04-01 05:31

Two new security vulnerabilities have been disclosed in Rockwell Automation's programmable logic controllers and engineering workstation software that could be exploited by an attacker to inject malicious code on affected systems and stealthily modify automation processes.

CVE-2022-1161 - A remotely exploitable flaw that allows a malicious actor to write user-readable "Textual" program code to a separate memory location from the executed compiled code.

Cloud native application security is a critical priority, risk perception is worryingly low
2022-04-01 04:30

Around a third of respondents stated that between 50-75 percent of their apps are cloud native, yet 20 percent have no cloud native security strategy in place. Paul Calatayud, CISO at Aqua Security said, "As more and more applications are built and run in the cloud, it's no surprise that we're seeing threat actors shift their focus to target cloud native environments. This demands a new approach to security. Many organizations in the UK are beginning to understand that cloud native security is not just a 'nice to have', but there is a clear need for more education in the UK and beyond."