InfoQ Homepage Security Vulnerabilities Content on InfoQ
-
Celebrity Vulnerabilities: Effective Response to Critical Production Threats
Alyssa Miller, chief information security officer of EpiqGlobal, presented at QCon London about the lessons learned from three major open-source security events, the Equifax breach via Struts, the Log4j vulnerabilities, and the Spring4Shell exploit.
-
Cross-Industry Report Identifies Top 10 Open-Source Software Risks
Promoted by Endor Labs and featuring contributions from over 20 industry experts, the new Endor Labs Station 9 report identifies the top operational and security risks in open-source software.
-
GitHub Enhances CodeQL, Extends Language Support, Available Queries, and More
After adding support for Ruby at GitHub Universe 2022, CodeQL introduced Kotlin support in beta. Additionally, support for other languages has been extended to include more recent versions. GitHub has also extended available queries to fully cover several industry-wide vulnerability directories, and improved the CodeQL ecosystem.
-
Sonatype BOM Doctor Evaluates and Helps Patch Java Software Bills of Materials
BOM Doctor is a free, GitHub-hosted tool created by Sonatype to scan software bills of materials (SBOMs) and identify vulnerabilities and legal issues.
-
AWS Patches Undocumented APIs Bypassing CloudTrail Event Logging
AWS recently patched undocumented IAM APIs that bypassed CloudTrail logging. The vulnerability allowed a malicious user to perform reconnaissance activities on IAM without recording events in CloudTrail or being detected by Amazon GuardDuty.
-
Git 2.39.1 Fixes Two Critical Remote Code Execution Vulnerabilities
Two vulnerabilities affecting Git's commit log formatting and .gitattributes parsing in Git versions up to and including Git 2.39 have been recently patched. Both may lead to remote code execution, so users are required to upgrade immediately to Git 2.39.1.
-
Unskilled Cybercriminals May Be Leveraging ChatGPT to Create Malware
In a recent report, Israeli cybersecurity company Check Point warned that cybercriminals are already using ChatGPT to develop malicious programs on the Dark Web. According to Check Point, ChatGPT makes it possible for even unskilled threat actors to create functioning malware.
-
Google Releases Open-Source Vulnerability Scanning Tool
Google has released OSV-Scanner, an open-source front-end interface to the Open Source Vulnerability (OSV) database. The OSV database is a distributed, open-source database that stores vulnerability information in the OSV format. The OSV-Scanner assesses a project's dependencies against the OSV database showing all vulnerabilities relating to the project.
-
Critical Vulnerability in VM2 Sandbox Found Affecting Spotify Portal Platform Backstage
Spotify Backstage, an open-source platform used to build developer portals and in use at a number of large companies, has been found vulnerable to a critical remote code execution vulnerability. Confirming that most vulnerabilities are found in indirect dependencies, the Backstage vulnerability is enabled by another vulnerability found in its JavaScript VM2 sandbox dependency.
-
OpenSSL Hit by Two High Severity Vulnerabilities, Recently Patched
Introduced in OpenSSL 3.0 in September 2021 and affecting all successive versions up to and including OpenSSL 3.0.6, the two recently patched vulnerabilities are caused by buffer overruns in X.509 certificate verification.
-
Azul Joins the Effort of Improving Supply Chain Security by Launching Vulnerability Detection SaaS
November, 2nd: Azul released a new security product that intends to offer a solution to the increased risk of enterprise software supply chain attacks, compounded by severe threats such as Log4Shell. Azul Vulnerability Detection is a new SaaS that continuously detects known security vulnerabilities in Java applications. In addition, they promise not to affect the application’s performance.
-
Two New Git Vulnerabilities Affecting Local Clones and Git Shell Patched
Two Git vulnerabilities affecting local clones and git shell interactive mode in version 2.38 and older have been recently patched.
-
Cloud Security Posture Management Now Available in Vulnerability Scanner Trivy
The open source vulnerability scanner Trivy has been recently extended to support cloud security posture management (CSPM) capabilities. While initially available only for AWS, Trivy will soon get support for other cloud providers, says Aqua Security.
-
Machine Learning Systems Vulnerable to Specific Attacks
The growing number of organizations creating and deploying machine learning solutions raises concerns as to their intrinsic security, argues the NCC Group in a recent whitepaper (Practical Attacks on Machine Learning Systems).
-
AWS Expands Amazon Detective for Kubernetes Workloads on Amazon EKS
Amazon Detective is a security service in AWS that allows customers to analyze, investigate, and quickly identify the root cause of potential security issues or suspicious activities. Recently, AWS announced the expansion of Amazon Detective towards Kubernetes workloads on Amazon’s Elastic Kubernetes Service.