Security News

Apple on Monday released security patches for iOS, iPadOS, macOS, tvOS, watchOS, and Safari web browser to address multiple security flaws, in addition to backporting fixes for two recently...

Apache has released a security advisory warning of a critical security flaw in the Struts 2 open-source web application framework that could result in remote code execution. Tracked...

The good news for the rest of you is that December Patch Tuesday is usually light regarding CVEs reported. Exploitable across the internet, the vulnerability is ideal for a phishing exploit as it only requires the user to click on a malicious URL. A fix was included in the November Patch Tuesday updates and the CVE was reported as Known Exploited, but now it is Publicly Disclosed as well.

Atlassian has released security updates for four critical vulnerabilities in its various offerings that could be exploited to execute arbitrary code. CVE-2022-1471 is a deserialization flaw in the SnakeYAML library for Java that can lead to remote code execution.

A security vulnerability previously added to CISA's Known Exploited Vulnerability catalog, which was recognized by CVE Numbering Authorities, and included in reputable threat reports is now being formally rejected by infosec organizations. CISA removed CVE-2022-28958 from its KEV on December 1, two days after the National Vulnerability Database revoked its "Vulnerability" status following a months-long review.

The U.S. Department of Health and Human Services warned hospitals this week to patch the critical 'Citrix Bleed' Netscaler vulnerability actively exploited in attacks. "The Citrix Bleed vulnerability is being actively exploited, and HC3 strongly urges organizations to upgrade to prevent further damage against the Healthcare and Public Health sector. This alert contains information on attack detection and mitigation of the vulnerability," HC3 warned.

Apple has issued emergency fixes to plug security flaws in iPhones, iPads, and Macs that may already be under attack. iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 6th generation and later, and iPad mini 5th generation and later.

Hackers are exploiting a critical ownCloud vulnerability tracked as CVE-2023-49103 that exposes admin passwords, mail server credentials, and license keys in containerized deployments. Of the three flaws, CVE-2023-49103 received a maximum CVSS severity score of 10.0 as it allows a remote threat actor to execute phpinfo() through the ownCloud 'graphapi' app, which reveals the server's environment variables, including credentials stored within them.

Today, CISA ordered U.S. federal agencies to secure their systems against an actively exploited vulnerability that lets attackers gain root privileges on many major Linux distributions. CISA also added the actively exploited Linux flaw to its Known Exploited Vulnerabilities Catalog today, including it in its list of "Frequent attack vectors for malicious cyber actors" and posing "Significant risks to the federal enterprise."

A proof-of-concept exploit was publicly released for a critical remote code execution vulnerability in the CrushFTP enterprise suite, allowing unauthenticated attackers to access files on the server, execute code, and obtain plain-text passwords. Today, Converge published a proof-of-concept exploit for the CVE-2023-43177 flaw, making it critical for CrushFTP users to install the security updates as soon as possible.