Security Vulnerabilities Content on InfoQ
-
Critical Vulnerability in VM2 Sandbox Found Affecting Spotify Portal Platform Backstage
Spotify Backstage, an open-source platform used to build developer portals and in use at a number of large companies, has been found to be affected by a critical remote code execution vulnerability. Confirming that most vulnerabilities are found in indirect dependencies, the Backstage vulnerability is enabled by another vulnerability in its JavaScript VM2 sandbox dependency.
-
OpenSSL Hit by Two High Severity Vulnerabilities, Recently Patched
Introduced in OpenSSL 3.0 in September 2021 and affecting all successive versions up to and including OpenSSL 3.0.6, the two recently patched vulnerabilities are caused by buffer overruns in X.509 certificate verification.
-
Azul Joins the Effort of Improving Supply Chain Security by Launching Vulnerability Detection SaaS
November 2nd: Azul released a new security product intended to address the increased risk of enterprise software supply chain attacks, compounded by severe threats such as Log4Shell. Azul Vulnerability Detection is a new SaaS that continuously detects known security vulnerabilities in Java applications. In addition, Azul promises it does not affect the application's performance.
-
Two New Git Vulnerabilities Affecting Local Clones and Git Shell Patched
Two Git vulnerabilities affecting local clones and git shell interactive mode in version 2.38 and older have been recently patched.
-
Cloud Security Posture Management Now Available in Vulnerability Scanner Trivy
The open-source vulnerability scanner Trivy has recently been extended to support cloud security posture management (CSPM) capabilities. While initially available only for AWS, Trivy will soon gain support for other cloud providers, says Aqua Security.
-
Machine Learning Systems Vulnerable to Specific Attacks
The growing number of organizations creating and deploying machine learning solutions raises concerns as to their intrinsic security, argues the NCC Group in a recent whitepaper (Practical Attacks on Machine Learning Systems).
-
AWS Expands Amazon Detective for Kubernetes Workloads on Amazon EKS
Amazon Detective is a security service in AWS that allows customers to analyze, investigate, and quickly identify the root cause of potential security issues or suspicious activities. Recently, AWS announced the expansion of Amazon Detective to Kubernetes workloads on Amazon's Elastic Kubernetes Service.
-
OpenSSL Releases Fix for High-Severity Vulnerability
OpenSSL 3.0.4, released less than a month ago, introduced a bug that enabled a remote code execution vulnerability on machines computing 2048-bit RSA keys on x86_64 CPUs. A fix is now available in OpenSSL 3.0.5.
-
Google Cloud Announces Advanced API Security through Apigee
Recently Google announced the public preview of Advanced API Security, a comprehensive set of API security capabilities built on Apigee, their API management platform. With the new capability, customers can detect security threats more efficiently.
-
Apple Introduces Lockdown Mode to Secure Its OSes against Cyberattacks
The new Lockdown Mode announced by Apple, available now in the latest betas of iOS 16, iPadOS 16, and macOS Ventura, aims to provide a further level of protection to users at risk of highly targeted cyberattacks.
-
New PACMAN Vulnerability Affecting Apple Silicon CPUs
Uncovered by a team at MIT CSAIL, PACMAN is a new vulnerability affecting a defense mechanism available in Apple Silicon processors known as pointer authentication code (PAC). While Apple downplayed the severity of this finding, the researchers hint at the fact that PACMAN brings an entirely new class of attacks.
-
SynLapse: Orca Security Publishes Details for Critical Azure Synapse Vulnerability
In a recent article, Orca Security describes the technical details of SynLapse, a critical Synapse Analytics vulnerability in Azure that allowed attackers to bypass tenant separation. The issue has now been addressed, but the timing and the disclosure process have raised concerns in the community.
-
GitHub Extends Its Supply Chain Security to Rust
GitHub has brought Rust support to its supply chain security feature. Aimed at ensuring your project and its dependencies are free of vulnerabilities, GitHub supply chain security includes a database of advisories, a dependency graph analyzer, and Dependabot alerts and security updates.
-
Augury is a Novel Microarchitectural Attack Affecting Apple Silicon
Researchers from the University of Illinois Urbana-Champaign, the University of Washington, and Tel Aviv University have described an attack, dubbed Augury, that leaks data at rest on recent processors from Apple, including the A14 and the M1 family.
-
RDS and Aurora PostgreSQL Vulnerability Leads to AWS Deprecating Many Minor Versions
A researcher at the security company Lightspin recently explained how she obtained credentials to an internal AWS service using a PostgreSQL extension and exploiting a local file read vulnerability on RDS. AWS confirmed the issue and deprecated dozens of minor versions of Amazon Aurora and RDS for PostgreSQL.