Security News

Fortinet has warned of a high-severity flaw affecting multiple versions of FortiADC application delivery controller that could lead to the execution of arbitrary code. The vulnerability, tracked as CVE-2022-39947 and internally discovered by its product security team, impacts the following versions -.

The U.S. Cybersecurity and Infrastructure Security Agency has added two years-old security flaws impacting TIBCO Software's JasperReports product to its Known Exploited Vulnerabilities catalog, citing evidence of active exploitation. TIBCO JasperReports is a Java-based reporting and data analytics platform for creating, distributing, and managing reports and dashboards.

Thousands of Citrix Application Delivery Controller and Gateway endpoints remain vulnerable to two critical security flaws disclosed by the company over the last few months. Citrix and the U.S. National Security Agency, earlier this month, warned that CVE-2022-27518 is being actively exploited in the wild by threat actors, including the China-linked APT5 state-sponsored group.

The Zerobot botnet has been upgraded to infect new devices by exploiting security vulnerabilities affecting Internet-exposed and unpatched Apache servers. Zerobot has been under active development since at least November, with new versions adding new modules and features to expand the botnet's attack vectors and make it easier to infect new devices, including firewalls, routers, and cameras.

The number of open source vulnerabilities that Mend identified and added to its vulnerability database in the first nine months of 2022 was 33 percent greater than in the first nine months of 2021, reflecting both the growth in the number of published open-source packages and the acceleration of vulnerabilities. The report's representative sampling from January to September 2022 of approximately 1,000 North American companies found that only 13 percent of vulnerabilities seen were remediated, compared with 40 percent remediated by those using modern application security best practices.

Samba has released software updates to remediate multiple vulnerabilities that, if successfully exploited, could allow an attacker to take control of affected systems. The high-severity flaws, tracked as CVE-2022-38023, CVE-2022-37966, CVE-2022-37967, and CVE-2022-45141, have been patched in versions 4.17.4, 4.16.8 and 4.15.13 released on December 15, 2022.

The U.S. Cybersecurity and Infrastructure Security Agency has added two vulnerabilities impacting Veeam Backup & Replication software to its Known Exploited Vulnerabilities Catalog, citing evidence of active exploitation in the wild. "The Veeam Distribution Service allows unauthenticated users to access internal API functions," Veeam noted in an advisory published in March 2022.

Most startup CTOs have an excellent understanding of how to build highly functional SaaS businesses but need to gain more knowledge of how to secure the web application that underpins it. According to recent research from Verizon, web application attacks are involved in 26% of all breaches, and app security is a concern for of enterprises.

Google on Tuesday announced the open source availability of OSV-Scanner, a scanner that aims to offer easy access to vulnerability information about various projects. The Go-based tool, powered by the Open Source Vulnerabilities database, is designed to connect "a project's list of dependencies with the vulnerabilities that affect them," Google software engineer Rex Pan said in a post shared with The Hacker News.

Google has launched OSV Scanner, a new tool that allows developers to scan for vulnerabilities in open-source software dependencies used in their project. The scanner draws data from OSV.dev, the distributed vulnerability database for open source code that Google released in February 2021, to offer relevant information about known security issues affecting open-source code.