Security News

Fortra has released an emergency patch to address an actively exploited zero-day vulnerability in the GoAnywhere MFT secure file transfer tool. "This patch was created as a result of the issue we disclosed in the Security Advisories published last week related to GoAnywhere MFTaaS. We urgently advise all GoAnywhere MFT customers to apply this patch," Fortra says.

We and our store and/or access information on a device, such as cookies and process personal data, such as unique identifiers and standard information sent by a device for personalised ads and content, ad and content measurement, and audience insights, as well as to develop and improve products. With your permission we and our partners may use precise geolocation data and identification through device scanning.

The maintainers of OpenSSH have released OpenSSH 9.2 to address a number of security bugs, including a memory safety vulnerability in the OpenSSH server.Tracked as CVE-2023-25136, the shortcoming has been classified as a pre-authentication double free vulnerability that was introduced in version 9.1.

Australian software maker Atlassian has released patches for CVE-2023-22501, a critical authentication vulnerability in Jira Service Management Server and Data Center, and is urging users to upgrade quickly. "Installing a fixed version of Jira Service Management is the recommended way to remediate this vulnerability. If you are unable to immediately upgrade Jira Service Management, you can manually upgrade the version-specific servicedesk-variable-substitution-plugin JAR file as a temporary workaround," they advised.

IT departments continue to face immense pressure to get vulnerability and patch management right as threat actors use new and old methods to exploit network endpoints. Are we ready for what's next? As vulnerabilities continue to increase, what strategies should security professionals use to gain visibility into these threats, prioritize them, and manage the ongoing risk to endpoints? What will the vulnerability landscape look like in 2023, and what new challenges will security and IT teams face?

Security researchers with Horizon3's Attack Team will release an exploit targeting a vulnerability chain next week for gaining remote code execution on unpatched VMware vRealize Log Insight appliances. Now known as VMware Aria Operations for Logs, vRealize Log Insight makes it easier for VMware admins to analyze and manage terabytes of infrastructure and application logs.

Microsoft is urging organizations to protect their Exchange servers from cyberattacks by keeping them updated and hardened, since online criminals are still going after valuable data in the email system. Enterprises need to make sure to install the latest Cumulative Updates and Security Updates on the Exchange servers - and occasionally on Exchange Management Tools workstations - and to run manual tasks like enabling Extended Protection and certificate signing of PowerShell serialization payloads, according to the vendor's Exchange Team.

Microsoft urged customers today to keep their on-premises Exchange servers patched by applying the latest supported Cumulative Update to have them always ready to deploy an emergency security update. "To defend your Exchange servers against attacks that exploit known vulnerabilities, you must install the latest supported CU and the latest SU," The Exchange Team said.

On Monday, Apple released iOS 12.5.7 for iPhone 5s, iPhone 6, iPhone 6 Plus, iPad Air, iPad mini 2, iPad mini 3, and sixth-generation iPod touch. "Processing maliciously crafted web content may lead to arbitrary code execution," Apple warned in the security update.

Apple has released security updates for macOS, iOS, iPadOS and watchOS, patching - among other things - a type confusion flaw in the WebKit component that could be exploited for remote code execution on older iPhones and iPads running iOS v12. "Apple is aware of a report that this issue may have been actively exploited against versions of iOS released before iOS 15.1," the company said.