Security News

Log4Shell-like Critical RCE Flaw Discovered in H2 Database Console
2022-01-11 23:56

Researchers have disclosed a security flaw affecting H2 database consoles that could result in remote code execution in a manner that echoes the Log4j "Log4Shell" vulnerability that came to light last month. The issue, tracked as CVE-2021-42392, is the " first critical issue published since Log4Shell, on a component other than Log4j, that exploits the same root cause of the Log4Shell vulnerability, namely JNDI remote class loading," JFrog researchers Andrey Polkovnychenko and Shachar Menashe said.

Microsoft Faces Wormable, Critical RCE Bug & 6 Zero-Days
2022-01-11 21:54

Microsoft has addressed a total of 97 security vulnerabilities in its January 2022 Patch Tuesday update - nine of them rated critical - including six that are listed as publicly known zero-days.The fixes cover a swath of the computing giant's portfolio, including: Microsoft Windows and Windows Components, Microsoft Edge, Exchange Server, Microsoft Office and Office Components, SharePoint Server,.

Microsoft fixes wormable RCE in Windows Server and Windows (CVE-2022-21907)
2022-01-11 20:16

The first Patch Tuesday of 2022 is upon us, and Microsoft has delivered patches for 96 CVE-numbered vulnerabilities, including a wormable RCE flaw in Windows Server. Among the publicly known flaws are a "Critical" RCE in curl and "Important" RCE in libarchive open source libraries, which have now been "Fixed" in Windows 10, 11 and Server with the inclusion of the most recent versions of the libraries.

Millions of Routers Exposed to RCE by USB Kernel Bug
2022-01-11 12:00

Millions of popular end-user routers are at risk of remote code execution due to a high-severity flaw in the KCodes NetUSB kernel module. The module enables connection to USB devices over IP, enabling remote devices to interact with USB devices connected to a router as if they were directly plugged into your computer via USB. For example, the module enables users to access printers, speakers or webcams as though they were plugged directly into a computer via USB: access that's enabled by a computer driver that communicates with the router through the kernel module.

KCodes NetUSB bug exposes millions of routers to RCE attacks
2022-01-11 12:00

A high-severity remote code execution flaw tracked as CVE-2021-45388 has been discovered in the KCodes NetUSB kernel module, used by millions of router devices from various vendors. NetUSB is a kernel module connectivity solution developed by KCodes, allowing remote devices in a network to interact with the USB devices directly plugged into a router.

URL Parsing Bugs Allow DoS, RCE, Spoofing & More
2022-01-10 17:55

Eight different security vulnerabilities arising from inconsistencies among 16 different URL parsing libraries could allow denial-of-service conditions, information leaks and remote code execution in various web applications, researchers are warning. Multiple Parsers in Use: Whether by design or an oversight, developers sometimes use more than one URL parsing library in projects.

Log4J-Related RCE Flaw in H2 Database Earns Critical Rating
2022-01-07 15:12

Researchers discovered a bug related to the Log4J logging library vulnerability, which in this case opens the door for an adversary to execute remote code on vulnerable systems. JFrog security discovered the flaw and rated critical in the context of the H2 Java database console, a popular open-source database, according to a Thursday blog post by researchers.

Critical Apache HTTPD Server Bugs Could Lead to RCE, DoS
2021-12-22 17:59

Don't duck at the latest mention of Apache: Two critical bugs in its HTTP web server - HTTPD - need to be patched pronto, lest they lead to attackers triggering denial of service or bypassing your security policies. Both vulnerabilities are found in Apache HTTP Server 2.4.51 and earlier.

Log4j RCE latest: In case you hadn't noticed, this is Really Very Bad, exploited in the wild, needs urgent patching
2021-12-13 23:07

Miscreants are wasting no time in using the widespread Log4j vulnerability to compromise systems, with waves and waves of live exploit attempts focused mainly - for now - on turning infected devices into cryptocurrency-mining botnet drones. Apache Log4j is a logging utility written in Java that is used all over the world in many software packages and online systems.

Critical RCE 0day in Apache Log4j library exploited in the wild (CVE-2021-44228)
2021-12-10 17:32

A critical zero-day vulnerability in Apache Log4j, a widely used Java logging library, is being leveraged by attackers in the wild - for now primarily to deliver coin miners.Reported to the Apache Software Foundation by Chen Zhaojun of Alibaba Cloud Security Team, the bug has now apparently been fixed in Log4j v2.15.0, just as a PoC has popped up on GitHub and there are reports that attackers are already attempting to compromise vulnerable applications/servers.