Security News
Version 3.0.7 of the popular OpenSSL cryptographic library is out, with fixes for CVE-2022-3602 and CVE-2022-3786, two high-severity buffer overflow vulnerabilities in the punycode decoder that could lead to crashes or potentially remote code execution. After its disclosure to the OpenSSL Project team, OpenSSL committer Viktor Dukhovni found "a second independently triggerable issue" - CVE-2022-3786.
The OpenSSL Project has patched two high-severity security flaws in its open-source cryptographic library used to encrypt communication channels and HTTPS connections. The vulnerabilities affect OpenSSL version 3.0.0 and later and have been addressed in OpenSSL 3.0.7.
The OpenSSL project has rolled out fixes to contain two high-severity flaws in its widely used cryptography library that could result in a denial-of-service and remote code execution. It's worth noting that the commonly deployed OpenSSL 1.x versions are not vulnerable.
Being a data scientist, he naturally asked the data: how good is the open source community at finding vulnerabilities in a timely manner? Open source vulnerabilities are typically found by the maintainers of the project, its users, auditors, or external security researchers.
Traditional security operations teams are not equipped to proactively monitor web applications for vulnerabilities and ensure that standardized web application security practices are consistently followed. Outpost24's Pentesting-as-a-Service is a hybrid service that helps organizations continuously monitor their web applications for vulnerabilities.
Cisco has warned of active exploitation attempts targeting a pair of two-year-old security flaws in the Cisco AnyConnect Secure Mobility Client for Windows. Tracked as CVE-2020-3153 and CVE-2020-3433, the vulnerabilities could enable local authenticated attackers to perform DLL hijacking and copy arbitrary files to system directories with elevated privileges.
MyOpenVDP is a turnkey open-source solution allowing anyone to host their own vulnerability disclosure policy. Developed by YesWeHack, the web application is available on GitHub.
The exploits, dubbed LogCrusher and OverLog by Varonis, take aim at the EventLog Remoting Protocol, which enables remote access to event logs. While the former allows "Any domain user to remotely crash the Event Log application of any Windows machine," OverLog causes a DoS by "Filling the hard drive space of any Windows machine on the domain," Dolev Taler said in a report shared with The Hacker News.
Cisco has published a heads-up for admins of Cisco Identity Services Engine solutions about two vulnerabilities that could be exploited to read and delete files on an affected device, and to execute arbitrary script or access sensitive information. Cisco Identity Services Engine is a policy management and access control platform for devices on networks and is a crucial element of an organization's zero-trust architecture.
Microsoft on Friday disclosed it has made more improvements to the mitigation method offered as a means to prevent exploitation attempts against the newly disclosed unpatched security flaws in Exchange Server. To that end, the tech giant has revised the blocking rule in IIS Manager from ".