Security News

VMware has addressed a critical remote code execution vulnerability in the vCenter Server virtual infrastructure management platform that may allow attackers to potentially take control of affected systems. "The vSphere Client contains a remote code execution vulnerability in a vCenter Server plugin," VMware explains in the advisory.

SAP is warning of a critical vulnerability in its SAP Commerce platform for e-commerce businesses. Drools is an engine that makes up the rules engine for SAP Commerce.

Microsoft has addressed important severity remote code execution vulnerabilities affecting multiple Office products in the January 2021 Office security updates. Microsoft also released non-security Office updates last week addressing bugs that may lead to PowerPoint crashes and other issues affecting Windows Installer editions of Office 2016, Office 2013, and Office 2010 products.

Cisco is rolling out fixes for critical holes in its lineup of small-business VPN routers. The flaws exist in the web-based management interface of Cisco's small-business lineup of VPN routers.

This month Google engineers have fixed a severe remote code execution vulnerability in the Go language. The RCE vulnerability, CVE-2021-3115, mainly impacts Windows users of Go running the go get command, due to the default behavior of Windows PATH lookups.

Three vulnerabilities in the Amazon Kindle e-reader would have allowed a remote attacker to execute code and run it as root - paving the way for siphoning money from unsuspecting users. Yogev Bar-On, researcher at Realmode Labs, found that it was possible to email malicious e-books to the devices via the "Send to Kindle" feature to start a chain of attack - a discovery that earned him $18,000 from the Amazon bug-bounty program.

Cisco is warning of multiple, critical vulnerabilities in its software-defined networking for wide-area networks solutions for business users. Three critical flaws were found in Cisco smart software manager satellite, which offers businesses real-time visibility and reporting of their Cisco licenses.

Microsoft has plugged 83 CVEs, including a Microsoft Defender zero-day. One of the latter - a zero-day RCE affecting Microsoft Defender antivirus - is being exploited in the wild, but Microsoft didn't reveal more about these attacks.

Versions of the popular developer tool Zend Framework and its successor Laminas Project can be abused by an attacker to execute remote code on PHP-based websites, if they are running web-based applications that are vulnerable to attack. Impacted is Zend Framework version 3.0.0 and Laminas Project laminas-http before 2.14.2, with an estimated "Several million websites" using the framework and possibly impacted.

In September 2020, Cisco patched four Jabber vulnerabilities, but as it turns out, three of four have not been sufficiently mitigated. The incompleteness of the patches was discovered by Watchcom researchers - who discovered and disclosed the batch of vulnerabilities made public in September - after one of their clients requested they verify the effectiveness of Cisco's patches.