by Scott Muniz | Dec 10, 2021 | Security, Technology
This article is contributed. See the original author and article here.
CISA has added thirteen new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence that threat actors are actively exploiting the vulnerabilities listed in the table below. These types of vulnerabilities are a frequent attack vector for malicious cyber actors of all types and pose significant risk to the federal enterprise.
|
CVE Number
|
CVE Title
|
Remediation Due Date
|
|
CVE-2021-44228
|
Apache Log4j2 Remote Code Execution Vulnerability
|
12/24/2021
|
|
CVE-2021-44515
|
Zoho Corp. Desktop Central Authentication Bypass Vulnerability
|
12/24/2021
|
|
CVE-2021-44168
|
Fortinet FortiOS Arbitrary File Download Vulnerability
|
12/24/2021
|
|
CVE-2021-35394
|
Realtek Jungle SDK Remote Code Execution Vulnerability
|
12/24/2021
|
|
CVE-2020-8816
|
Pi-Hole AdminLTE Remote Code Execution Vulnerability
|
6/10/2022
|
|
CVE-2020-17463
|
Fuel CMS SQL Injection Vulnerability
|
6/10/2022
|
|
CVE-2019-7238
|
Sonatype Nexus Repository Manager Incorrect Access Control Vulnerability
|
6/10/2022
|
|
CVE-2019-13272
|
Linux Kernel Improper Privilege Management Vulnerability
|
6/10/2022
|
|
CVE-2019-10758
|
MongoDB mongo-express Remote Code Execution Vulnerability
|
6/10/2022
|
|
CVE-2019-0193
|
Apache Solr DataImportHandler Code Injection Vulnerability
|
6/10/2022
|
|
CVE-2017-17562
|
Embedthis GoAhead Remote Code Execution Vulnerability
|
6/10/2022
|
|
CVE-2017-12149
|
Red Hat Jboss Application Server Remote Code Execution Vulnerability
|
6/10/2022
|
|
CVE-2010-1871
|
Red Hat Linux JBoss Seam 2 Remote Code Execution Vulnerability
|
6/10/2022
|
Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the Known Exploited Vulnerabilities Catalog as a living list of known CVEs that carry significant risk to the federal enterprise. BOD 22-01 requires FCEB agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information.
Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the Catalog that meet the meet the specified criteria.
by Contributed | Dec 10, 2021 | Technology
This article is contributed. See the original author and article here.
The Azure PowerShell team is proud to announce a new major version of the Az PowerShell module. Following our release cadence, this is the second breaking change release for 2021. Because this release includes updates related to security and the switch to MS Graph, we recommend that you review the release notes before upgrading.
MS Graph support
Azure PowerShell offers a set of cmdlets allowing basic management of AzureAD resources (Applications, Service Principal, Users, and Groups). Through Az 6.x, those cmdlets were using the AzureAD Graph API. Starting with Az 7, those cmdlets are now using the Microsoft Graph API. Because the AzureAD Graph API has announced its retirement, we highly recommend that you consider upgrading to Az 7 at your earliest convenience.
The parameters required depend on the API definition and so does the object returned on the response of the API. Our north star in this effort has been to minimize the breaking changes exposed by the cmdlets. Because of the behavior differences between MS Graph API and AzureAD Graph API, some breaking changes could not be avoided. For example, the MS Graph API does not allow setting the password when creating a Service Principal. We removed this parameter from the new cmdlets.
In some cases, cmdlets of a service transparently execute Azure AD operations. For example, when creating an AKS cluster, a service principal will be created if it is not provided. Az.KeyVault, Az.AKS, Az.SQL have been updated and now use Microsoft Graph for those transparent operations. Az.HDInsights, Az.StorageSync, Az.Synapse and Authorization cmdlets in Az.Resources will be updated shortly, this will be transparent.
For your convenience, we have compiled the breaking changes in the article: AzureAD to Microsoft Graph migration changes in Azure PowerShell.
Should you face issues with the Graph cmdlets, please consult our troubleshooting guide or open an issue on GitHub.
Invoke-AzRestMethod supports data plane and MS Graph.
The purpose of the `Invoke-AzRestMethod` cmdlet is to offer a backup solution for when a native cmdlet does not exist for a given resource.
Our initial implementation of this cmdlet supported only management plane operations for Azure Resource Manager. With the support for MS Graph, we updated this cmdlet so it could also serve as a backup to manage MS Graph resources. From the module implementation, the MS Graph API is considered like a data plane API so we added support for MS Graph any Azure data plane.
For example, the following command will retrieve information about the current signed in user via the MS Graph API:
Invoke-AzRestMethod –Uri https://graph.microsoft.com/v1.0/me
Security improvement
When connecting with a service principal, we identified that the secret associated with a service principal or the certificate password would be exposed in a nested property of the object returned by `Connect-AzAccount`. We removed the properties named `ServicePrincipalSecret` and `CertificatePassword` from this object.
Since this property could be exposed in logs or debugging traces of scripts running in automation environments like ADO, we highly recommend that you consider upgrading to the most recent version of Az.Accounts or Az.
Improved support for cloud native services (AKS and ACI updates)
We are continuing our efforts to improve the support of container-based services. In this release, we focused on AKS and ACI.
`Invoke-AzAksRunCommand` has been added to run a shell command using kubectl or helm against an AKS cluster. The response is available as a property of the returned object. This cmdlet greatly simplifies the management of the resources in a cluster. Since the cmdlet also supports file attachment, it is possible to manage Kubernetes clusters and associated applications (for example via a helm chart) directly from PowerShell.
We have greatly improved networking support of AKS clusters. We’ve added support for the following parameters: ‘NetworkPolicy’, ‘PodCidr’, ‘ServiceCidr’, ‘DnsServiceIP’, ‘DockerBridgeCidr’, ‘NodePoolLabel’, ‘AksCustomHeader’, ‘EnableNodePublicIp’, and ‘NodePublicIPPrefixID’.
We also improved the manageability of nodes in an AKS cluster using Azure PowerShell. It is now possible to perform the following operations:
- Change the number of nodes in a node pool
- Upgrade cluster when node pool version does not match the cluster version
We made two additions to the ACI (Azure Container Instance) module:
- `Invoke-AzContainerInstanceCommand` now establishes a connection with the container and returns the output of the command that was executed within the container.
- `Restart-AzContainerGroup` has been added. If a container image has been updated, containers will run with the new version.
We will continue to improve the PowerShell experience with services running cloud native applications.
Additional resources
The Azure PowerShell team is listening to your feedback on the following channels:
- GitHub issues to report issues or feature requests. We triage issues several times a week and provide an initial answer as soon as we can.
- GitHub discussions to open discussions or share best practices.
- @AzurePosh on Twitter to engage informally with the team.
Thank you!
Damien,
on behalf of the Azure PowerShell team
by Scott Muniz | Dec 10, 2021 | Security, Technology
This article is contributed. See the original author and article here.
The Apache Software Foundation has released a security advisory to address a remote code execution vulnerability (CVE-2021-44228) affecting Log4j versions 2.0-beta9 to 2.14.1. A remote attacker could exploit this vulnerability to take control of an affected system. Log4j is an open-source, Java-based logging utility widely used by enterprise applications and cloud services.
CISA encourages users and administrators to review the Apache Log4j 2.15.0 Announcement and upgrade to Log4j 2.15.0 or apply the recommended mitigations immediately.
by Scott Muniz | Dec 10, 2021 | Security, Technology
This article is contributed. See the original author and article here.
CISA has released an Industrial Controls Systems Medical Advisory (ICSMA) detailing a vulnerability in multiple Hillrom Welch Allyn cardiology products. An attacker could exploit this vulnerability to take control of an affected system.
CISA encourages technicians and administrators to review ICSMA-21-343-01: Hillrom Welch Allyn Cardio Products for more information and apply the necessary mitigations.
by Scott Muniz | Dec 9, 2021 | Security
This article was originally posted by the FTC. See the original article here.
Automakers are producing fewer new cars right now due to a computer chip shortage, and many people are looking at used cars instead. If you’re shopping for a used car and feeling rushed to buy a car before you can fully check it out — stop! Some used cars may have flood damage.
After a hurricane or flood, storm-damaged cars are sometimes cleaned up and taken out of state for sale. You may not know a car is damaged until you look at it closely. Here are some steps to take when you shop:
Check for signs and smells of flood damage. Is there mud or sand under the seats or dashboard? Is there rust around the doors? Is the carpet loose, stained, or mismatched? Do you smell mold or decay — or an odor of strong cleaning products — in the car or trunk?
Check for a history of flood damage. The National Insurance Crime Bureau’s (NCIB) free database will show if a car was flood-damaged, stolen but not recovered, or otherwise declared as salvaged — but only if the car was insured when it was damaged.
Get a vehicle history report. Start at vehiclehistory.gov to get free information about a vehicle’s title, most recent odometer reading, and condition. For a fee, you can get other reports with additional information, like accident and repair history. The FTC doesn’t endorse any specific services. Learn more at ftc.gov/usedcars.
Get help from an independent mechanic. A mechanic can inspect the car for water damage that can slowly destroy mechanical and electrical systems and cause rust and corrosion.
Report fraud. If you suspect a dealer is knowingly selling a storm-damaged car or a salvaged vehicle as a good-condition used car, contact the NICB. Also tell the FTC at ReportFraud.ftc.gov and your state attorney general.
Brought to you by Dr. Ware, Microsoft Office 365 Silver Partner, Charleston SC.
Recent Comments