Security News

Citrix has urged admins to "Immediately" apply a fix for CVE-2023-4966, a critical information disclosure bug that affects NetScaler ADC and NetScaler Gateway, admitting it has been exploited. Plus, there's a proof-of-concept exploit, dubbed Citrix Bleed, now on GitHub.

Citrix warned admins today to secure all NetScaler ADC and Gateway appliances immediately against ongoing attacks exploiting the CVE-2023-4966 vulnerability.NetScaler appliances must be configured as a Gateway or an AAA virtual server to be vulnerable to attacks.

US authorities have issued an urgent plea to network admins to patch the critical vulnerability in Atlassian Confluence Data Center and Server amid ongoing nation-state exploitation. "Due to the ease of exploitation, CISA, FBI, and MS-ISAC expect to see widespread exploitation of unpatched Confluence instances in government and private networks."

CISA, FBI, and MS-ISAC warned network admins today to immediately patch their Atlassian Confluence servers against a maximum severity flaw actively exploited in attacks. On October 4, when it released security updates, Atlassian advised customers to upgrade their Confluence instances as soon as possible to one of the fixed versions as the bug was already exploited in the wild as a zero-day.

Childs described the early years of Patch Tuesday at Microsoft being kind of a party, complete with catered breakfast and music. "Certainly a lot of large financial institutions and I imagine a lot of other organizations were part of really bringing pressure to bear to Microsoft to release it as an instance, a single time so we can plan for it, take a more measured approach and reduce a lot of the chaos that was prior to Patch Tuesday being a thing," he tells The Register.

The Exchange Team asked admins to deploy a new and "Better" patch for a critical Microsoft Exchange Server vulnerability initially addressed in August. Tracked as CVE-2023-21709 and patched during August 2023 Patch Tuesday, the security flaw enables unauthenticated attackers to escalate privileges on unpatched Exchange servers in low-complexity attacks that don't require user interaction.

Today is Microsoft's October 2023 Patch Tuesday, with security updates for 104 flaws, including three actively exploited zero-day vulnerabilities. While forty-five remote code execution bugs were fixed, Microsoft only rated twelve vulnerabilities as 'Critical,' all of which are RCE flaws.

Start your patch engines - a new version of curl is due tomorrow that addresses a pair of flaws, one of which lead developer Daniel Stenberg describes as "Probably the worst curl security flaw in a long time." Curl 8.4.0 will hit at around 0600 UTC on October 11 and deal with CVE-2023-38545, which affects both libcurl and the curl tool, and CVE-2023-38546, which only affects libcurl.

Curl and libcurl, a client-side URL transfer library, are developed by the curl project, with the help of contributors and sponsors. CVE-2023-38545, a high severity flaw that affects both the libcurl library and the curl tool, and.

The maintainers of the Curl library have released an advisory warning of two forthcoming security vulnerabilities that are expected to be addressed as part of updates released on October 11, 2023....