Security News

Threat Actors Quick to Target (Patched) SAP Vulnerabilities
2021-04-06 20:14

Threat actors are constantly targeting new vulnerabilities in SAP applications within days after the availability of security patches, according to a joint report issued by SAP and Onapsis. Used within more than 400,000 organizations for resource planning, management of product lifecycle, human capital, and supply chain, and for various other purposes, SAP's applications represent an attractive target for adversaries.

Most applications today are deployed with vulnerabilities, and many are never patched
2021-04-05 19:20

Before we talk about what can be done, how do we change this, fix this, how vulnerable are we? With security being left out of the equation oftentimes when it comes to software, where are we seeing that we are vulnerable? Sixty percent of the vulnerabilities we find were never fixed.

Vulnerabilities are high in new applications, expert says
2021-04-05 19:19

Most vulnerabilities are never patched, leaving users susceptible to cyberattacks.

S3 Ep26: Apple 0-day, crypto vulnerabilities and PHP backdoor [Podcast]
2021-04-01 18:31

Why Apple had to rush out a security update for iDevices. Two cryptographic security holes patched in OpenSSL. How PHP nearly got backdoored by crooks.

Citrix Patches DoS Vulnerabilities in Hypervisor
2021-03-31 21:35

Vulnerabilities Citrix patched in Hypervisor this week could allow code executed in a virtual machine to cause a denial of service on the host. Tracked as CVE-2021-28038 and CVE-2021-28688, the newly addressed vulnerabilities could be abused to cause the host to crash or become unresponsive.

Linux Kernel Vulnerabilities Can Be Exploited to Bypass Spectre Mitigations
2021-03-30 12:17

Recent Linux kernel updates include patches for a couple of vulnerabilities that could allow an attacker to bypass mitigations designed to protect devices against Spectre attacks. Symantec reported on Monday that Piotr Krysiuk, a member of its Threat Hunter team, has identified two new vulnerabilities in the Linux kernel that can be exploited to bypass mitigations for the Spectre vulnerabilities.

Vulnerabilities Can Allow Attackers to Remotely Gain Control of Weintek HMIs
2021-03-26 12:22

A cybersecurity researcher who specializes in industrial control systems has identified three types of critical vulnerabilities in products made by human-machine interface manufacturer Weintek. The vulnerabilities can be exploited by a remote, unauthenticated attacker for code execution with root privileges, to remotely access sensitive information and conduct actions on behalf of an admin, and to execute malicious JavaScript code via a stored XSS flaw.

OpenSSL Releases Patches for 2 High-Severity Security Vulnerabilities
2021-03-26 07:56

The maintainers of OpenSSL have released a fix for two high-severity security flaws in the software that could be exploited to carry out denial-of-service attacks and bypass certificate verification. While CVE-2021-3449 affects all OpenSSL 1.1.1 versions, CVE-2021-3450 impacts OpenSSL versions 1.1.1h and newer.

OpenSSL fixes severe DoS, certificate validation vulnerabilities
2021-03-25 16:44

Today, the OpenSSL project issued an advisory for two high-severity vulnerabilities, CVE-2021-3449 and CVE-2021-3450, in OpenSSL products. CVE-2021-3450 is an improper Certificate Authority (CA) certificate validation vulnerability that affects both server and client instances.

OpenSSL 1.1.1k Patches Two High-Severity Vulnerabilities
2021-03-25 15:16

The OpenSSL Project on Thursday announced the release of version 1.1.1k, which patches two high-severity vulnerabilities, including one related to verifying a certificate chain and one that can lead to a server crash. "Starting from OpenSSL version 1.1.1h a check to disallow certificates in the chain that have explicitly encoded elliptic curve parameters was added as an additional strict check. An error in the implementation of this check meant that the result of a previous check to confirm that certificates in the chain are valid CA certificates was overwritten. This effectively bypasses the check that non-CA certificates must not be able to issue other certificates," the OpenSSL Project explained in its advisory.