by Scott Muniz | Dec 10, 2021 | Security, Technology
This article is contributed. See the original author and article here.
CISA has added thirteen new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence that threat actors are actively exploiting the vulnerabilities listed in the table below. These types of vulnerabilities are a frequent attack vector for malicious cyber actors of all types and pose significant risk to the federal enterprise.
|
CVE Number
|
CVE Title
|
Remediation Due Date
|
|
CVE-2021-44228
|
Apache Log4j2 Remote Code Execution Vulnerability
|
12/24/2021
|
|
CVE-2021-44515
|
Zoho Corp. Desktop Central Authentication Bypass Vulnerability
|
12/24/2021
|
|
CVE-2021-44168
|
Fortinet FortiOS Arbitrary File Download Vulnerability
|
12/24/2021
|
|
CVE-2021-35394
|
Realtek Jungle SDK Remote Code Execution Vulnerability
|
12/24/2021
|
|
CVE-2020-8816
|
Pi-Hole AdminLTE Remote Code Execution Vulnerability
|
6/10/2022
|
|
CVE-2020-17463
|
Fuel CMS SQL Injection Vulnerability
|
6/10/2022
|
|
CVE-2019-7238
|
Sonatype Nexus Repository Manager Incorrect Access Control Vulnerability
|
6/10/2022
|
|
CVE-2019-13272
|
Linux Kernel Improper Privilege Management Vulnerability
|
6/10/2022
|
|
CVE-2019-10758
|
MongoDB mongo-express Remote Code Execution Vulnerability
|
6/10/2022
|
|
CVE-2019-0193
|
Apache Solr DataImportHandler Code Injection Vulnerability
|
6/10/2022
|
|
CVE-2017-17562
|
Embedthis GoAhead Remote Code Execution Vulnerability
|
6/10/2022
|
|
CVE-2017-12149
|
Red Hat Jboss Application Server Remote Code Execution Vulnerability
|
6/10/2022
|
|
CVE-2010-1871
|
Red Hat Linux JBoss Seam 2 Remote Code Execution Vulnerability
|
6/10/2022
|
Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the Known Exploited Vulnerabilities Catalog as a living list of known CVEs that carry significant risk to the federal enterprise. BOD 22-01 requires FCEB agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information.
Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the Catalog that meet the meet the specified criteria.
by Contributed | Dec 10, 2021 | Technology
This article is contributed. See the original author and article here.
The Azure PowerShell team is proud to announce a new major version of the Az PowerShell module. Following our release cadence, this is the second breaking change release for 2021. Because this release includes updates related to security and the switch to MS Graph, we recommend that you review the release notes before upgrading.
MS Graph support
Azure PowerShell offers a set of cmdlets allowing basic management of AzureAD resources (Applications, Service Principal, Users, and Groups). Through Az 6.x, those cmdlets were using the AzureAD Graph API. Starting with Az 7, those cmdlets are now using the Microsoft Graph API. Because the AzureAD Graph API has announced its retirement, we highly recommend that you consider upgrading to Az 7 at your earliest convenience.
The parameters required depend on the API definition and so does the object returned on the response of the API. Our north star in this effort has been to minimize the breaking changes exposed by the cmdlets. Because of the behavior differences between MS Graph API and AzureAD Graph API, some breaking changes could not be avoided. For example, the MS Graph API does not allow setting the password when creating a Service Principal. We removed this parameter from the new cmdlets.
In some cases, cmdlets of a service transparently execute Azure AD operations. For example, when creating an AKS cluster, a service principal will be created if it is not provided. Az.KeyVault, Az.AKS, Az.SQL have been updated and now use Microsoft Graph for those transparent operations. Az.HDInsights, Az.StorageSync, Az.Synapse and Authorization cmdlets in Az.Resources will be updated shortly, this will be transparent.
For your convenience, we have compiled the breaking changes in the article: AzureAD to Microsoft Graph migration changes in Azure PowerShell.
Should you face issues with the Graph cmdlets, please consult our troubleshooting guide or open an issue on GitHub.
Invoke-AzRestMethod supports data plane and MS Graph.
The purpose of the `Invoke-AzRestMethod` cmdlet is to offer a backup solution for when a native cmdlet does not exist for a given resource.
Our initial implementation of this cmdlet supported only management plane operations for Azure Resource Manager. With the support for MS Graph, we updated this cmdlet so it could also serve as a backup to manage MS Graph resources. From the module implementation, the MS Graph API is considered like a data plane API so we added support for MS Graph any Azure data plane.
For example, the following command will retrieve information about the current signed in user via the MS Graph API:
Invoke-AzRestMethod –Uri https://graph.microsoft.com/v1.0/me
Security improvement
When connecting with a service principal, we identified that the secret associated with a service principal or the certificate password would be exposed in a nested property of the object returned by `Connect-AzAccount`. We removed the properties named `ServicePrincipalSecret` and `CertificatePassword` from this object.
Since this property could be exposed in logs or debugging traces of scripts running in automation environments like ADO, we highly recommend that you consider upgrading to the most recent version of Az.Accounts or Az.
Improved support for cloud native services (AKS and ACI updates)
We are continuing our efforts to improve the support of container-based services. In this release, we focused on AKS and ACI.
`Invoke-AzAksRunCommand` has been added to run a shell command using kubectl or helm against an AKS cluster. The response is available as a property of the returned object. This cmdlet greatly simplifies the management of the resources in a cluster. Since the cmdlet also supports file attachment, it is possible to manage Kubernetes clusters and associated applications (for example via a helm chart) directly from PowerShell.
We have greatly improved networking support of AKS clusters. We’ve added support for the following parameters: ‘NetworkPolicy’, ‘PodCidr’, ‘ServiceCidr’, ‘DnsServiceIP’, ‘DockerBridgeCidr’, ‘NodePoolLabel’, ‘AksCustomHeader’, ‘EnableNodePublicIp’, and ‘NodePublicIPPrefixID’.
We also improved the manageability of nodes in an AKS cluster using Azure PowerShell. It is now possible to perform the following operations:
- Change the number of nodes in a node pool
- Upgrade cluster when node pool version does not match the cluster version
We made two additions to the ACI (Azure Container Instance) module:
- `Invoke-AzContainerInstanceCommand` now establishes a connection with the container and returns the output of the command that was executed within the container.
- `Restart-AzContainerGroup` has been added. If a container image has been updated, containers will run with the new version.
We will continue to improve the PowerShell experience with services running cloud native applications.
Additional resources
The Azure PowerShell team is listening to your feedback on the following channels:
- GitHub issues to report issues or feature requests. We triage issues several times a week and provide an initial answer as soon as we can.
- GitHub discussions to open discussions or share best practices.
- @AzurePosh on Twitter to engage informally with the team.
Thank you!
Damien,
on behalf of the Azure PowerShell team
by Scott Muniz | Dec 10, 2021 | Security, Technology
This article is contributed. See the original author and article here.
The Apache Software Foundation has released a security advisory to address a remote code execution vulnerability (CVE-2021-44228) affecting Log4j versions 2.0-beta9 to 2.14.1. A remote attacker could exploit this vulnerability to take control of an affected system. Log4j is an open-source, Java-based logging utility widely used by enterprise applications and cloud services.
CISA encourages users and administrators to review the Apache Log4j 2.15.0 Announcement and upgrade to Log4j 2.15.0 or apply the recommended mitigations immediately.
by Scott Muniz | Dec 10, 2021 | Security, Technology
This article is contributed. See the original author and article here.
CISA has released an Industrial Controls Systems Medical Advisory (ICSMA) detailing a vulnerability in multiple Hillrom Welch Allyn cardiology products. An attacker could exploit this vulnerability to take control of an affected system.
CISA encourages technicians and administrators to review ICSMA-21-343-01: Hillrom Welch Allyn Cardio Products for more information and apply the necessary mitigations.
by Contributed | Dec 9, 2021 | Technology
This article is contributed. See the original author and article here.
This is the next segment of our blog series highlighting Microsoft Learn Student Ambassadors who achieved the Gold milestone and have recently graduated from university. Each blog in the series features a different student and highlights their accomplishments, their experience with the Student Ambassadors community, and what they’re up to now.
Today we meet Bethany Jepchumba, who is from Kenya and recently graduated from Jomo Kenyatta University of Agriculture and Technology with a degree in Business Innovation Technology Management.
Responses have been edited for clarity and length.
When you joined the Student Ambassador community in September of 2019, did you have specific goals you wanted to reach, such as a particular skill or quality? What were they? Did you achieve them? How has the community impacted you in general?
Coming from a non-technical background, tech communities had a profound impact on my journey in tech. I wanted to spread the technology gospel to all and have more learners join in, so I joined the Student Ambassador community,
As a Student Ambassador, what was the biggest accomplishment that you’re the proudest of and why?
I managed a Data Science and Artificial Intelligence community in Kenya with a co-lead in 2020 where we conducted 10+ events created to skill up beginners. We had over 500 learners in three months during the COVID-19 pandemic.
Additionally, I was an organizer of the first Microsoft Student Summit Africa in 2020. The event was a collaboration between Student Ambassadors from Kenya and Nigeria and received a total of 3,000+ RSVPs. There were 3 different tracks: Artificial Intelligence, Power Platform, Web Development. My main role was leading the team in designing the conference, moderating sessions, and preparing the speakers. I also stepped in to do an Introduction to DevOps session without any prior preparation when our speaker could not join the call.
I also led a team of five to win a five-week Game of Learners hackathon that had 60 participants. Winners were awarded one-on-one mentorship sessions with different industry professionals, including one with Microsoft’s Donovan Brown. I also delivered a workshop to 100+ on Manipulating and Cleaning Data to the Microsoft Reactor Community.
What are you doing now that you’ve graduated?
My journey in the Student Ambassador community pushed me to empower the next generation of techies. Currently, I am a Program Coordinator Associate at Andela, a unicorn that matches global companies to remote talent in Africa. I enable the skilling of over 50,000 learners through partnerships with global companies such as Microsoft, Google, Salesforce, and Facebook.
If you could redo your time as a Student Ambassador, is there anything you would have done differently?
In the program, I did my best, and I gave my best. If I could go back, I would do more of what I was able to accomplish, and I’d collaborate and speak up more.
If you were to describe the community to a student who is interested in joining, what would you say about it to convince them to join?
There is a lot of swag, free azure credits, and certification vouchers for Student Ambassadors. You will get to make long-time friends and have access to Microsoft Cloud Advocates. The opportunities in the program are limitless, and you get to craft your own experience.
What advice would you give to new Student Ambassadors?
Collaborate. There is power in working together. If you have an idea for an event or engagement you want to organize, include others–the more the merrier. Make Microsoft Teams your friend, learn how to navigate it, and you will not miss any important collaborations. Lastly, ensure you have at least one Student Ambassador engagement per month. Whether it is publishing a blog, speaking at an event, hosting your own sessions, or doing a certification. Ensure that you constantly take advantage of the program and all it offers. Remember, all the efforts you put in the program will be rewarded in equal measure.
Do you have a motto in life, a guiding principle that drives you?
“Do what you love, love what you do, and with all your heart give yourself to it.”
– Roy T. Bennett
What is one random fact few people know about you?
One thing in my bucket list is to visit an upside-down house, either in South Africa or the UK. I still cannot believe they exist.
Good luck to you in the future, Bethany!
Readers, you can keep in touch with Bethany on LinkedIn, GitHub, Instagram, Twitter, or on her blog.
Recent Comments