InfoQ Homepage Security Vulnerabilities Content on InfoQ
-
New PACMAN Vulnerability Affecting Apple Silicon CPUs
Uncovered by a team at MIT CSAIL, PACMAN is a new vulnerability affecting a defense mechanism available in Apple Silicon processors and known as pointer authentication code (PAC). While Apple downplayed the severity of this finding, the researchers hint at the fact that PACMAN brings an entire new class of attacks.
-
SynLapse: Orca Security Publishes Details for Critical Azure Synapse Vulnerability
In a recent article, Orca Security describes the technical details of SynLapse, a critical Synapse Analytics vulnerability in Azure that allowed attackers to bypass tenant separation. The issue has now been addressed, but the timing and the disclosure process have raised concerns in the community.
-
GitHub Extends Its Supply Chain Security to Rust
GitHub has brought Rust support to its supply chain security feature. Aimed to ensure your project and its dependencies are free of vulnerabilities, GitHub supply chain security includes a database of advisories, a dependency graph analyzer, and Dependabot alerts and security updates.
-
Augury is a Novel Microarchitectural Attack Affecting Apple Silicon
Researchers from the University of Illinois Urbana-Champaign, the University of Washington, and the Tel Aviv University have described an attack, dubbed Augury, that leaks data at rest on recent processors from Apple, including the A14 and the M1 family.
-
RDS and Aurora PostgreSQL Vulnerability Leads to AWS Deprecating Many Minor Versions
A researcher at the security company Lightspin recently explained how she obtained credentials to an internal AWS service using a PostgreSQL extension and exploiting a local file read vulnerability on RDS. AWS confirmed the issue and deprecated dozens of minor versions of Amazon Aurora and RDS for PostgreSQL.
-
Crypto Miners Exploiting VMware Vulnerability in the Wild
A critical vulnerability affecting VMware Workspace ONE Access and VMware Identity Manager allows malicious actors to remotely execute arbitrary code triggering a server-side template injection. According to VMware the vulnerability is actively exploited.
-
Hardware Mitigation on Intel, Arm, and AMD CPUs Shown Ineffective against Spectre v2
Security researchers from Vrije Universiteit Amsterdam showed the hardware mitigations to Spectre v2 attacks implemented in both Intel and Arm processors have fundamental flaws that make them vulnerable to branch history injection.
-
New Vulnerability in CRI-O Container Runtime Allows Attackers Host Access
A new vulnerability in the CRI-O container runtime used by many Kubernetes installations allows a malicious user to gain root access to the host. The vulnerability was discovered by researchers from CrowdStrike and fixed soon after by the CRI-O project.
-
Securing the Open-Source Software Supply Chain
Recent findings by security researchers at SonarSource showed multiple security vulnerabilities in popular package managers, including Pip, Yarn, Composer, and others. Package managers, though, are not the only weak link in the open source security chain. InfoQ has spoken with Sonatype CTO Brian Fox.
-
How GitHub Uses Machine Learning to Extend Vulnerability Code Scanning
Applying machine learning techniques to its rule-based security code scanning capabilities, GitHub hopes to be able to extend them to less common vulnerability patterns by automatically inferring new rules from the existing ones.
-
Report Finds 75% of Cloud Runtimes Contain High or Critical Vulnerabilities
Sysdig’s latest cloud-native and security-usage report finds that shipping containers with vulnerabilities has become standard practice - with the report finding that 75% of containers have high severity vulnerabilities which could have been patched. The report stresses that many organisations find this to be an acceptable risk, in order to move and release quickly.
-
Log4Shell Defenses: Java Agents in Conversation with Contrast Security’s Arshan Dabirsiaghi
Due to the critical nature of the systems and to the severe and critical nature of the log4shell vulnerability, an alternative approach to fixing it was required. Java Agents played a crucial role in this defense strategy. InfoQ reached out to Arshan Dabirsianghi, chief scientist and founder of Contrast Security, for a better understanding of their approach.
-
Twelve-Year Old Linux Distros Vulnerability PwnKit Enables Local Privilege Escalation
A recently disclosed vulnerability affecting the PolKit component has been present on several Linux distributions for over 12 years. The vulnerability is easily exploited, says Bharat Jogi, director of the Qualys research team, who discovered it, and allows any unprivileged user to gain full root privileges on a vulnerable host.
-
Cloudflare Report Highlights Staggering Increase in DDoS Attacks in Q4 2021
In keeping with its custom of releasing a quarterly trends report on DDoS attacks, Cloudflare has just published its new findings for Q4 2021, which show a 95% increase in L3/4 DDoS attacks and record-breaking levels of Ransom DDoS attacks.
-
AWS Re-Launches Amazon Inspector with New Architecture and Features
Amazon Inspector is an automated vulnerability management service that continually scans AWS workloads for software vulnerabilities and unintended network exposure. It was first launched in 2015, and during the recent re:Invent 2021, AWS re-launched it with brand new architecture and a host of new features such as container-based workloads, integration with Amazon Event Bridge, and Security Hub.