Security Vulnerabilities Content on InfoQ
-
Log4Shell Defenses: Java Agents in Conversation with Contrast Security’s Arshan Dabirsiaghi
Because of the critical nature of the affected systems and the severity of the Log4Shell vulnerability, an alternative approach to fixing it was required. Java Agents played a crucial role in this defense strategy. InfoQ reached out to Arshan Dabirsiaghi, chief scientist and founder of Contrast Security, for a better understanding of their approach.
-
Twelve-Year Old Linux Distros Vulnerability PwnKit Enables Local Privilege Escalation
A recently disclosed vulnerability affecting the PolKit component has been present on several Linux distributions for over 12 years. The vulnerability is easily exploited, says Bharat Jogi, director of the Qualys research team, who discovered it, and allows any unprivileged user to gain full root privileges on a vulnerable host.
-
Cloudflare Report Highlights Staggering Increase in DDoS Attacks in Q4 2021
In keeping with its custom of releasing a quarterly trends report on DDoS attacks, Cloudflare has just published its new findings for Q4 2021, which show a 95% increase in L3/4 DDoS attacks and record-breaking levels of Ransom DDoS attacks.
-
AWS Re-Launches Amazon Inspector with New Architecture and Features
Amazon Inspector is an automated vulnerability management service that continually scans AWS workloads for software vulnerabilities and unintended network exposure. It was first launched in 2015, and during the recent re:Invent 2021, AWS re-launched it with a brand new architecture and a host of new features such as support for container-based workloads and integration with Amazon EventBridge and Security Hub.
-
Google's Network-Based Threat Detection Service Cloud IDS is Now Generally Available
Recently, Google announced the general availability of its Cloud IDS for network-based threat detection. This core network security offering helps detect network-based threats and helps organizations meet compliance standards that call for an intrusion detection system.
-
Vulnerability Affecting Multiple Log4j Versions Permits RCE Exploit
On December 9th, it was made public on Twitter that a zero-day exploit had been discovered in log4j, a popular Java logging library. All versions of the library from 2.0 through 2.14.1 inclusive are affected. Log4j 2.15.0 has been released, which no longer has this vulnerability. As the PoC published on GitHub points out, when log4j logs an attacker-controlled string value, the result can be remote code execution (RCE).
-
Static Analyzer Rudra Found over 200 Memory Safety Issues in Rust Crates
Developed at the Georgia Institute of Technology, Rudra is a static analyzer able to report potential memory safety bugs in Rust programs. Rudra has been used to scan the entire Rust package registry and identified 264 new memory safety bugs.
-
Facebook Mariana Trench Helps Developers to Find Vulnerabilities in Android and Java Apps
Recently open-sourced by Facebook, Mariana Trench (MT) aims to help developers identify and prevent security and privacy bugs in Android and Java applications.
-
Travis CI Vulnerability Potentially Leaked Customer Secrets
Popular continuous integration and delivery service Travis CI disclosed a vulnerability that potentially leaked secure environment variables, including signing keys, access credentials, and API tokens. The flaw was quickly fixed on September 10, but the developer community found Travis CI's handling of the issue insufficient.
-
Is CVE the Solution for Cloud Vulnerabilities?
At the recent Black Hat USA 2021, security experts from cloud infrastructure company Wiz argued that a CVE database for cloud vulnerabilities is needed, starting a debate in the cloud and cybersecurity communities.
-
GitLab Open-Sources Package Hunter, Falco-Based Tool to Detect Malicious Code
GitLab has released a new open-source tool, Package Hunter, aimed at detecting malicious code by running your project dependencies inside a sandbox. Package Hunter leverages Falco to detect unexpected application behaviour at runtime.
-
Infrastructure Vulnerability Scanner Checkov Adds Context Aware Assessments
Bridgecrew has announced the first 2.x version of Checkov. Checkov is an open-source scanner for infrastructure as code (IaC). The 2.0 release includes a re-architected backend that is now graph-based, allowing for better processing of multi-resource queries. Coverage has also increased with the addition of nearly 250 new policies.
-
Two Hidden Instructions Discovered in Intel CPUs Enable Microcode Modification
Security researchers Mark Ermolov, Dmitry Sklyarov, and Maxim Goryachy discovered two undocumented x86 instructions that can be used to modify the CPU microcode. The instructions can only be executed when the CPU runs in debug mode, however, so they are not easily exploitable.
-
Linux Foundation Sigstore Aims to Be the Let's Encrypt of Code Signing
Backed by the Linux Foundation, Sigstore aims to provide a non-profit service to foster the adoption of cryptographic signing by open source projects to make the software supply chain more secure.
-
Analyzing Git Clone Vulnerability
A new Git version, 2.30.2, fixes a security vulnerability in Git large file storage (LFS) and other clean/smudge filters affecting Git 2.15 and newer. An analysis.