Security News

F5 has warned of a high-severity flaw impacting BIG-IP appliances that could lead to denial-of-service (DoS) or arbitrary code execution. The issue is rooted in the iControl Simple Object Access...

The U.S. Cybersecurity and Infrastructure Security Agency on February 2 added two security flaws to its Known Exploited Vulnerabilities Catalog, citing evidence of active exploitation. The first of the two vulnerabilities is CVE-2022-21587, a critical issue impacting versions 12.2.3 to 12.2.11 of the Oracle Web Applications Desktop Integrator product.

Two more supply chain security flaws have been disclosed in AMI MegaRAC Baseboard Management Controller software, nearly two months after three security vulnerabilities were brought to light in the same product. Firmware security firm Eclypsium said the two shortcomings were held back until now to provide AMI additional time to engineer appropriate mitigations.

Critical vulnerabilities discovered in OpenEMR can be chained to gain code execution on a server running a vulnerable version of the popular open-source electronic health record system. Discovered, privately reported and now publicly documented by researcher Dennis Brinkrolf, the vulnerabilities have been promptly patched by the OpenEMR maintainers at the end of November 2022.

SynSaber recently released its second Industrial Control Systems (ICS) Vulnerabilities & CVEs Report. In this Help Net Security video, Ronnie Fabela, CTO at SynSaber, talks about the key findings:...

How to tackle the cybersecurity skills shortage in the EUIn this Help Net Security Dritan Saliovski, Director - Nordic Head of Cyber M&A, Transaction Advisory Services at Aon, offers some pointers, as well as advice to organizations on how to attract and retain the best cybersecurity talent. ENISA gives out toolbox for creating security awareness programsThe European Union Agency for Cybersecurity has made available Awareness Raising in a Box, a "Do it yourself" toolbox to help organizations in their quest to create and implement a custom security awareness raising program.

The Internet Systems Consortium has released patches to address multiple security vulnerabilities in the Berkeley Internet Name Domain 9 Domain Name System software suite that could lead to a denial-of-service condition. "A remote attacker could exploit these vulnerabilities to potentially cause denial-of-service conditions and system failures," the U.S. Cybersecurity and Infrastructure Security Agency said in an advisory released Friday.

VMware on Tuesday released software to remediate four security vulnerabilities affecting vRealize Log Insight that could expose users to remote code execution attacks. Tracked as CVE-2022-31706 and CVE-2022-31704, the directory traversal and broken access control issues could be exploited by a threat actor to achieve remote code execution irrespective of the difference in the attack pathway.

Vulnerability analysis results in Orange Cyberdefenses' Security Navigator show that some vulnerabilities first discovered in 1999 are still found in networks today. The chart below suggests that even Critical Vulnerabilities are taking around 6 months on average to resolve, but that is encouragingly at least 36% faster than the time for low-severity issues.

An EMA survey of 129 software development professionals uncovered that for those using code scanning tools, only 10% of organizations prevented a higher percentage of vulnerabilities than organizations not using code scanning tools, while continuous training greatly improved code security for over 60% of organizations that adopted it. "Awareness is a primer for knowledge, but to truly shift the paradigm and solve the AppSec dilemma, the focus must change from 'awareness' of AppSec to 'in-depth knowledge' and training developers on secure coding practices is the next step in security awareness programs. Vulnerabilities detected earlier in development are easier to resolve and far less costly. And this requires a programmatic and continuous approach to application security education and specifically secure coding training for developers," Baker continued.