CISA: Oracle Vulnerabilities From ‘Miracle Exploit’ Targeted in Attacks

September 19, 2024 at 11:06AM CISA added critical vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, including two Oracle flaws (CVE-2022-21445 and CVE-2020-14644). These can be exploited for remote code execution and system takeover. The flaws impact Oracle Fusion Middleware’s JDeveloper and WebLogic Server, and are linked to reported attacks on major organizations’ systems. Key … Read more

Microsoft Issues Patches for 90 Flaws, Including 10 Critical Zero-Day Exploits

August 14, 2024 at 02:03AM Microsoft shipped fixes for 90 security flaws, including 10 zero-days with active exploitation. Notable updates include addressing CVE-2024-38189, 38178, 38193, 38106, 38107, and 38213. Furthermore, CISA added the flaws to its Known Exploited Vulnerabilities catalog. The update from Microsoft also includes addressing CVE-2024-38200, 38199, 21302, and 38198. Other vendors have … Read more

BIND Updates Resolve High-Severity DoS Vulnerabilities

July 25, 2024 at 09:09AM ISC announced BIND security updates to address four high-severity vulnerabilities (CVE-2024-0760, CVE-2024-1737, CVE-2024-1975, and CVE-2024-4076) in the DNS software suite with a CVSS score of 7.5. These flaws could lead to server instability, performance degradation, CPU resource exhaustion, and unexpected termination of BIND’s component. The updates are available for BIND … Read more

SolarWinds Patches 11 Critical Flaws in Access Rights Manager Software

July 19, 2024 at 04:33AM SolarWinds has addressed critical security flaws in its Access Rights Manager (ARM) software, including 11 vulnerabilities and their severity ratings. These flaws could allow attackers to access sensitive information and execute code with elevated privileges. The vulnerabilities have been fixed in version 2024.3 after responsible disclosure by the Trend Micro … Read more

Dev rejects CVE severity, makes his GitHub repo read-only

June 30, 2024 at 10:43AM The ‘ip’ open-source project’s GitHub repository was archived by its developer, Fedor Indutny, due to dubious or bogus CVE reports being filed against it. The ‘node-ip’ GitHub repository was also made read-only, limiting interactions. Indutny disputed the severity of the CVE and raised concerns about the influx of unverified vulnerability … Read more

Dev makes his GitHub repo read-only after “dubious” CVE report

June 30, 2024 at 10:35AM The widely used ‘ip’ open-source project had its GitHub repository made “read-only” after developer Fedor Indutny received a dubious CVE report and experienced increased scrutiny due to a vulnerability in the ‘node-ip’ project, affecting JavaScript developers. This pattern of inflated CVE reports is causing frustration for developers and clouding the … Read more

Let’s kick off our summer with a pwn-me-by-Wi-Fi bug in Microsoft Windows

June 11, 2024 at 08:33PM Microsoft’s June Patch Tuesday addressed 49 CVE-tagged security flaws, including a critical bug in wireless networking and a publicly disclosed DNS vulnerability (CVE-2023-50868). It also included an RCE issue in Microsoft Message Queuing (CVE-2024-30080) and a Wi-Fi driver remote code execution hole (CVE-2024-30078). Adobe, SAP, PHP, Arm, Apple, Google, SolarWinds, … Read more

NIST Commits to Plan to Resume NVD Work

June 4, 2024 at 10:53AM NIST has faced a significant backlog in processing vulnerability reports, with only 26% being processed this year due to increasing workload and resource reductions. The agency has announced a plan to address the issue, including partnering with CISA and implementing process updates to enhance efficiency. Industry professionals express concerns and … Read more

NIST Commits to Vulnerability Plan, But Researchers’ Concerns Remain

June 4, 2024 at 09:04AM US National Institute of Standards and Technology is addressing the backlog in processing vulnerability reports. NIST’s plan involves a multipronged approach, working with public and private sectors, and updating technology to handle the increasing number of disclosed vulnerabilities. The backlog has been attributed to a combination of resource reductions and … Read more

NIST turns to IT consultants to clear National Vulnerability Database backlog

June 3, 2024 at 05:53PM NIST extended its contract with Analygence to address the growing backlog in its National Vulnerability Database. The backlog has been increasing since February, with 93% of vulnerabilities submitted remaining unanalyzed. NIST aims to clear the backlog and process current vulnerabilities by the end of the fiscal year. The agency is … Read more