Security News

Open-source Kubernetes tool Argo CD has a high-severity path traversal flaw: Patch now
2022-02-04 15:22

A zero-day vulnerability in open-source Kubernetes development tool Argo lets malicious people steal passwords from git-crypt and other sensitive information by simply uploading a crafted Helm chart. The vuln, tracked as CVE-2022-24438, exists in Argo CD, a widely used open-source continuous delivery tool for Kubernetes.

February 2022 Patch Tuesday forecast: A rough start for 2022
2022-02-04 07:25

January 2022 Patch Tuesday was a rough one for Microsoft - and us. In the week following Patch Tuesday, Microsoft was forced to pull and subsequently re-issue several updates for Windows Server 2012, 2019, and 2022, as well as Windows 10 and 11.

JumpCloud joins the patch management crowd, starting with Windows and Mac updates
2022-02-03 19:07

Cloud directory specialist JumpCloud is moving into the crowded patch management market with an extension to its platform to automate patch updates. Companies such as Apple or Microsoft already have varying levels of patch management tools in their armoury.

Patch now: A newly discovered critical Linux vulnerability probably affects your systems
2022-01-27 15:51

Dubbed PwnKit, it's been sitting in a user policy module used in Linux distros for over a decade and can be used by anyone to gain root privileges. Heads up, Linux users: A newly discovered vulnerability in pretty much every major distro allows any unprivileged user to gain root access to their target, and it's been hiding in plain sight for 12 years.

Apple Releases iOS and macOS Updates to Patch Actively Exploited 0-Day Vulnerability
2022-01-26 22:32

Tracked as CVE-2022-22587, the vulnerability relates to a memory corruption issue in the IOMobileFrameBuffer component that could be abused by a malicious application to execute arbitrary code with kernel privileges. The iPhone maker said it's "Aware of a report that this issue may have been actively exploited," adding it addressed the issue with improved input validation.

VMware: Patch Horizon servers against ongoing Log4j attacks!
2022-01-25 21:19

VMware urges customers to patch critical Log4j security vulnerabilities impacting Internet-exposed VMware Horizon servers targeted in ongoing attacks. Microsoft also warned two weeks ago of a Chinese-speaking threat actor tracked as DEV-0401 who deploys Night Sky ransomware on Internet-exposed VMware Horizon servers using Log4Shell exploits.

CWP bugs allow code execution as root on Linux servers, patch now
2022-01-24 19:34

Two security vulnerabilities that impact the Control Web Panel software can be chained by unauthenticated attackers to gain remote code execution as root on vulnerable Linux servers. CWP, previously known as CentOS Web Panel, is a free Linux control panel for managing dedicated web hosting servers and virtual private servers.

Cisco Issues Patch for Critical RCE Vulnerability in RCM for StarOS Software
2022-01-21 22:28

Cisco Systems has rolled out fixes for a critical security flaw affecting Redundancy Configuration Manager for Cisco StarOS Software that could be weaponized by an unauthenticated, remote attacker to execute arbitrary code and take over vulnerable machines. "An attacker could exploit this vulnerability by connecting to the device and navigating to the service with debug mode enabled," Cisco said in an advisory.

'Now' would be the right time to patch Ubuntu container hosts and ditch 21.04 thanks to heap buffer overflow bug
2022-01-20 14:38

The CVE-2022-0185 vulnerability in Ubuntu is severe enough that Red Hat is also advising immediate patching. It affects RHEL as well as Ubuntu 20.04, 21.04 and 21.10 - and presumably other distros, too.

Microsoft patches the patch that broke VPNs, Hyper-V, and left servers in boot loops
2022-01-18 11:34

Microsoft has patched the patch that broke chunks of Windows and emitted fixes for a Patch Tuesday cock-up that left servers rebooting and VPNs disconnected. On the receiving end of the company's attention were Windows desktop and Windows Server installs left a little broken following Microsoft's latest demonstration of its legendary quality control.