What's new arround internet
| Src | Date (GMT) | Titre | Description | Tags | Stories | Notes |
 |
2023-11-27 09:26:51 | 8 sujets essentiels de cybersécurité à inclure dans votre programme de formation 8 Essential Cybersecurity Topics to Include in Your Training Program (lien direct) |
Your employees have a critical role to play as a first line of defense against cyberthreats. But to be effective, they need to know what those threats are-and stay apprised of how they\'re evolving. A comprehensive security awareness program is the key to helping your users grow their understanding of attackers\' methods and objectives so they can become more proactive defenders. That includes knowing what strategies malicious actors employ to manipulate people so they can use them to enable their campaigns. The importance of security awareness It\'s well worth taking the time to craft a meaningful and engaging security awareness program. By presenting the right mix of information to your users in a compelling way, you can empower them to help you improve your organization\'s security posture as well as create a more robust security culture overall. The cybersecurity topics that you include in your program should be relevant to your business and industry, of course. Companies face different cyberthreat challenges and regulatory compliance requirements related to data protection and data privacy. That said, there are several subjects that almost any modern business, regardless of its industry, will want to ensure its employees understand. We list eight of these cybersecurity topics below. They are the go-to approaches and tools that attackers around the world commonly use to compromise users and their accounts, disrupt normal business operations, steal money or data, and do other damage. Here\'s a high-level overview of these eight must-know cybersecurity topics: 1. Social engineering Social engineering is a collection of techniques malicious actors use to manipulate human psychology. Attackers rely on these strategies to trick or threaten users to take actions such as giving up account credentials, handing over sensitive data, running malicious code and transferring funds. They do this by taking advantage of users\': Emotions, by conveying a sense of urgency, generating excitement about an opportunity, or creating fear around losing money or doing something wrong Trust, by posing as someone familiar to the user or a trusted brand or authority-such as the Internal Revenue Service (IRS), UPS, Amazon or Microsoft Fatigue, by timing attacks when users are likely to be tired or distracted and more inclined to let their “emotional mind” guide their decision-making Common social engineering tactics include phishing-which we cover in the next section-and these others: Social media reconnaissance. Attackers often turn to social media to gather information about users that they target with their campaigns. These efforts can include direct outreach to users. Vishing (voice phishing) and smishing (SMS/text phishing). Vishing is the fraudulent practice of making phone calls or leaving voice messages purporting to be from a trusted brand or authority. With smishing, attackers use text messages to send SMS messages to users or robocall them. The messages often promise gifts or services in exchange for payment. Telephone-oriented attack delivery (TOAD). TOAD attacks start with an email that claims to be from a legitimate source and includes a phone number for customer assistance. Callers are connected to fake customer service representatives who then direct the victim through the attack. They may instruct the victim to let them access their machine remotely or download a file that turns out to be malware. Or they might direct them to a phishing site. Common sense can go a long way toward preventing a social engineering attack. Make sure to reiterate that if a message seems too good to be true, it\'s very likely a scam. And if something doesn\'t look or sound right, it probably isn\'t. 2. Phishing Phishing is an example of social engineering. Most phishing messages are sent by email. But some attackers deliver these messages through other methods, including smishing and vishing. Here are some typical strategies: Malicious links. When a user clicks on a | Ransomware Malware Tool Vulnerability Threat Mobile Cloud | Uber Uber | ★★ |
 |
2023-11-06 19:59:00 | Aqua Security présente l'industrie d'abord de la vulnérabilité de Kubernetes Scanning avec Trivy Kbom Aqua Security Introduces Industry-First Kubernetes Vulnerability Scanning With Trivy KBOM (lien direct) |
Your employees have a critical role to play as a first line of defense against cyberthreats. But to be effective, they need to know what those threats are-and stay apprised of how they\'re evolving. A comprehensive security awareness program is the key to helping your users grow their understanding of attackers\' methods and objectives so they can become more proactive defenders. That includes knowing what strategies malicious actors employ to manipulate people so they can use them to enable their campaigns. The importance of security awareness It\'s well worth taking the time to craft a meaningful and engaging security awareness program. By presenting the right mix of information to your users in a compelling way, you can empower them to help you improve your organization\'s security posture as well as create a more robust security culture overall. The cybersecurity topics that you include in your program should be relevant to your business and industry, of course. Companies face different cyberthreat challenges and regulatory compliance requirements related to data protection and data privacy. That said, there are several subjects that almost any modern business, regardless of its industry, will want to ensure its employees understand. We list eight of these cybersecurity topics below. They are the go-to approaches and tools that attackers around the world commonly use to compromise users and their accounts, disrupt normal business operations, steal money or data, and do other damage. Here\'s a high-level overview of these eight must-know cybersecurity topics: 1. Social engineering Social engineering is a collection of techniques malicious actors use to manipulate human psychology. Attackers rely on these strategies to trick or threaten users to take actions such as giving up account credentials, handing over sensitive data, running malicious code and transferring funds. They do this by taking advantage of users\': Emotions, by conveying a sense of urgency, generating excitement about an opportunity, or creating fear around losing money or doing something wrong Trust, by posing as someone familiar to the user or a trusted brand or authority-such as the Internal Revenue Service (IRS), UPS, Amazon or Microsoft Fatigue, by timing attacks when users are likely to be tired or distracted and more inclined to let their “emotional mind” guide their decision-making Common social engineering tactics include phishing-which we cover in the next section-and these others: Social media reconnaissance. Attackers often turn to social media to gather information about users that they target with their campaigns. These efforts can include direct outreach to users. Vishing (voice phishing) and smishing (SMS/text phishing). Vishing is the fraudulent practice of making phone calls or leaving voice messages purporting to be from a trusted brand or authority. With smishing, attackers use text messages to send SMS messages to users or robocall them. The messages often promise gifts or services in exchange for payment. Telephone-oriented attack delivery (TOAD). TOAD attacks start with an email that claims to be from a legitimate source and includes a phone number for customer assistance. Callers are connected to fake customer service representatives who then direct the victim through the attack. They may instruct the victim to let them access their machine remotely or download a file that turns out to be malware. Or they might direct them to a phishing site. Common sense can go a long way toward preventing a social engineering attack. Make sure to reiterate that if a message seems too good to be true, it\'s very likely a scam. And if something doesn\'t look or sound right, it probably isn\'t. 2. Phishing Phishing is an example of social engineering. Most phishing messages are sent by email. But some attackers deliver these messages through other methods, including smishing and vishing. Here are some typical strategies: Malicious links. When a user clicks on a | Vulnerability | Uber | ★★ |
 |
2023-11-06 19:15:09 | CVE-2023-46254 (lien direct) | Capsule-Proxy est un proxy inverse du cadre multi-tension de capsule Kubernetes.Un bug dans le réflecteur de binding de rôle utilisé par «capsule-proxy» donne aux propriétaires de locataires de service.Le droit de répertorier les espaces de noms d'autres locataires soutenus par le même type de propriétaire et le même nom.Par exemple, considérez deux locataires «solaire» et «vent».Locataire «solaire», détenu par un service de service nommé «locataire-propriétaire» dans l'espace de noms «solaire».Locataire «Wind», appartenant à un service de service nommé «locataire-propriétaire» dans l'espace de noms «vent».Le propriétaire du locataire «solaire» pourrait énumérer les espaces de noms du locataire «vent» et vice-versa, bien que ce ne soit pas correct.Le bug introduit une vulnérabilité d'exfiltration car permet la liste des ressources d'espace de noms d'autres locataires, bien que dans certaines conditions spécifiques: 1. `capsule-proxy` s'exécute avec le` --disable-caching = false` (valeur par défaut: `false`) et 2. Les propriétaires de locataires sont ServiceAccount, avec le même nom de ressource, mais dans des espaces de noms différents.Cette vulnérabilité n'autorise aucune escalade de privilège sur les ressources spécialisées dans l'espace de noms de locataire, car le RBAC de Kubernetes applique cela.Ce problème a été résolu dans la version 0.4.5.Il est conseillé aux utilisateurs de mettre à niveau.Il n'y a pas de solution de contournement connu pour cette vulnérabilité.
capsule-proxy is a reverse proxy for Capsule kubernetes multi-tenancy framework. A bug in the RoleBinding reflector used by `capsule-proxy` gives ServiceAccount tenant owners the right to list Namespaces of other tenants backed by the same owner kind and name. For example consider two tenants `solar` and `wind`. Tenant `solar`, owned by a ServiceAccount named `tenant-owner` in the Namespace `solar`. Tenant `wind`, owned by a ServiceAccount named `tenant-owner` in the Namespace `wind`. The Tenant owner `solar` would be able to list the namespaces of the Tenant `wind` and vice-versa, although this is not correct. The bug introduces an exfiltration vulnerability since allows the listing of Namespace resources of other Tenants, although just in some specific conditions: 1. `capsule-proxy` runs with the `--disable-caching=false` (default value: `false`) and 2. Tenant owners are ServiceAccount, with the same resource name, but in different Namespaces. This vulnerability doesn\'t allow any privilege escalation on the outer tenant Namespace-scoped resources, since the Kubernetes RBAC is enforcing this. This issue has been addressed in version 0.4.5. Users are advised to upgrade. There are no known workarounds for this vulnerability. |
Vulnerability | Uber | |
 |
2023-11-02 03:48:30 | Essentiels de sécurité des conteneurs: analyse de vulnérabilité et détection des changements expliqués Container Security Essentials: Vulnerability Scanning and Change Detection Explained (lien direct) |
Les conteneurs offrent une approche de déploiement et de gestion des applications rationalisées.Grâce à leur efficacité et à leur portabilité, des plateformes comme Docker et Kubernetes sont devenues des noms de ménages dans l'industrie de la technologie.Cependant, une conception fausse se cache dans l'ombre à mesure que les conteneurs gagnent en popularité - la croyance que le balayage de vulnérabilité actif devient redondant une fois les conteneurs mis en œuvre.Ce blog mettra en lumière ce mythe et explorera l'importance de la gestion de la vulnérabilité et de la détection des changements dans les environnements conteneurisés.Conteneurs: Les bases avant de plonger dans la sécurité des conteneurs, laissez \\ 's ...
Containers offer a streamlined application deployment and management approach. Thanks to their efficiency and portability, platforms like Docker and Kubernetes have become household names in the tech industry. However, a misconception lurks in the shadows as containers gain popularity - the belief that active vulnerability scanning becomes redundant once containers are implemented. This blog will shed light on this myth and explore the importance of vulnerability management and change detection in containerized environments. Containers: The Basics Before diving into container security, let\'s... |
Vulnerability | Uber | ★★ |
 |
2023-10-30 12:16:00 | Urgent: Nouveaux défauts de sécurité découverts dans le contrôleur nginx entrée pour Kubernetes Urgent: New Security Flaws Discovered in NGINX Ingress Controller for Kubernetes (lien direct) |
Trois défauts de sécurité à haute sévérité non corrigées ont été divulgués dans le contrôleur d'entrée de Nginx pour Kubernetes qui pourrait être armé par un acteur de menace pour voler des titres de compétences secrètes du cluster.
Les vulnérabilités sont les suivantes -
CVE-2022-4886 (score CVSS: 8.8) - La désinfection du chemin Ingress-Nginx peut être contournée pour obtenir les informations d'identification du contrôleur Ingress-Nginx
CVE-2023-5043 (
Three unpatched high-severity security flaws have been disclosed in the NGINX Ingress controller for Kubernetes that could be weaponized by a threat actor to steal secret credentials from the cluster. The vulnerabilities are as follows - CVE-2022-4886 (CVSS score: 8.8) - Ingress-nginx path sanitization can be bypassed to obtain the credentials of the ingress-nginx controller CVE-2023-5043 ( |
Vulnerability Threat | Uber | ★★★ |
|
2023-10-27 08:15:31 | CVE-2023-46194 (lien direct) | Unauth.Vulnérabilité reflétée des scripts croisés (XSS) dans Eric Teubert Archivist & acirc; & euro; & ldquo;Plugin de modèles d'archives personnalisés | Vulnerability | Uber | |
 |
2023-10-26 10:00:00 | Ensuring robust security of a containerized environment (lien direct) | The content of this post is solely the responsibility of the author. AT&T does not adopt or endorse any of the views, positions, or information provided by the author in this article. In today’s rapidly evolving digital landscape, containerized microservices have become the lifeblood of application development and deployment. Resembling miniature virtual machines, these entities enable efficient code execution in any environment, be it an on-premises server, a public cloud, or even a laptop. This paradigm eliminates the criteria of platform compatibility and library dependency from the DevOps equation. As organizations embrace the benefits of scalability and flexibility offered by containerization, they must also take up the security challenges intrinsic to this software architecture approach. This article highlights key threats to container infrastructure, provides insights into relevant security strategies, and emphasizes the shared responsibility of safeguarding containerized applications within a company. Understanding the importance of containers for cloud-native applications Containers play a pivotal role in streamlining and accelerating the development process. Serving as the building blocks of cloud-native applications, they are deeply intertwined with four pillars of software engineering: the DevOps paradigm, CI/CD pipeline, microservice architecture, and frictionless integration with orchestration tools. Orchestration tools form the backbone of container ecosystems, providing vital functionalities such as load balancing, fault tolerance, centralized management, and seamless system scaling. Orchestration can be realized through diverse approaches, including cloud provider services, self-deployed Kubernetes clusters, container management systems tailored for developers, and container management systems prioritizing user-friendliness. The container threat landscape According to recent findings of Sysdig, a company specializing in cloud security, a whopping 87% of container images have high-impact or critical vulnerabilities. While 85% of these flaws have a fix available, they can’t be exploited because the hosting containers aren’t in use. That said, many organizations run into difficulties prioritizing the patches. Rather than harden the protections of the 15% of entities exposed at runtime, security teams waste their time and resources on loopholes that pose no risk. One way or another, addressing these vulnerabilities requires the fortification of the underlying infrastructure. Apart from configuring orchestration systems properly, it’s crucial to establish a well-thought-out set of access permissions for Docker nodes or Kubernetes. Additionally, the security of containers hinges on the integrity of the images used for their construction. Guarding containers throughout the product life cycle A container\'s journey encompasses three principal stages. The initial phase involves constructing the container and subjecting it to comprehensive functional and load tests. Subsequently, the container is stored in the image registry, awaiting its moment of execution. The third stage, container runtime, occurs when the container is launched and operates as intended. Early identification of vulnerabilities is vital, and this is where the shift-left security principle plays a role. It encourages an intensified focus on security from the nascent stages of the product life cycle, encompassing the design and requirements gathering phases. By incorporating automated security checks within the CI/CD pipeline, developers can detect security issues early and minimize the chance of security gap | Tool Vulnerability Threat Cloud | Uber | ★★★ |
 |
2023-10-19 11:08:36 | L'ancien Uber Ciso faisant appel de sa conviction Former Uber CISO Appealing His Conviction (lien direct) |
Joe Sullivan, PDG d'Uber & # 8217; lors de leur violation de données 2016, est attrayant Sa conviction.
Les procureurs ont inculpé Sullivan, qu'Uber a embauché comme CISO après la violation de 2014, de retenir des informations sur l'incident de 2016 de la FTC, alors même que ses enquêteurs examinaient les pratiques de sécurité et de confidentialité des données de l'entreprise.Le gouvernement a fait valoir que Sullivan aurait dû informer la FTC de l'incident de 2016, mais a plutôt fait tout son possible pour leur cacher.
Les procureurs ont également accusé Sullivan d'avoir tenté de cacher la violation elle-même en payant 100 000 $ pour acheter le silence des deux pirates derrière le compromis.Sullivan avait caractérisé le paiement comme une prime de bogue similaire à celle que d'autres sociétés font régulièrement aux chercheurs qui leur rapportent des vulnérabilités et d'autres problèmes de sécurité.Ses avocats ont souligné que Sullivan avait effectué le paiement avec la pleine connaissance et la bénédiction de Travis Kalanick, PDG d'Uber à l'époque, et d'autres membres de l'équipe juridique du géant du géant du conducteur ...
Joe Sullivan, Uber’s CEO during their 2016 data breach, is appealing his conviction. Prosecutors charged Sullivan, whom Uber hired as CISO after the 2014 breach, of withholding information about the 2016 incident from the FTC even as its investigators were scrutinizing the company’s data security and privacy practices. The government argued that Sullivan should have informed the FTC of the 2016 incident, but instead went out of his way to conceal it from them. Prosecutors also accused Sullivan of attempting to conceal the breach itself by paying $100,000 to buy the silence of the two hackers behind the compromise. Sullivan had characterized the payment as a bug bounty similar to ones that other companies routinely make to researchers who report vulnerabilities and other security issues to them. His lawyers pointed out that Sullivan had made the payment with the full knowledge and blessing of Travis Kalanick, Uber’s CEO at the time, and other members of the ride-sharing giant’s legal team... |
Vulnerability | Uber | ★★ |
 |
2023-10-10 17:37:33 | GCP-2023-030 (lien direct) | Publié: 2023-10-10 Description | Vulnerability | Uber | |
|
2023-09-27 21:15:09 | CVE-2023-40026 (lien direct) | ARGO CD est un cadre de déploiement continu déclaratif pour Kubernetes.Dans les versions CD ARGO avant 2.3 (à partir du moins dans V0.1.0, mais probablement dans n'importe quelle version utilisant Helm avant 2.3), l'utilisation d'un fichier de casque spécifiquement conçu pourrait référencer les graphiques de barre externes gérés par le même Repo-Server pour les valeurs de fuite,ou les fichiers du graphique de la barre référencée.Cela était possible car les chemins de barre étaient prévisibles.La vulnérabilité a fonctionné en ajoutant un graphique de barre qui a référencé les ressources de casque à partir de chemins prévisibles.Étant donné que les chemins des graphiques de barre étaient prévisibles et disponibles sur une instance de Repo-Server, il a été possible de référencer puis de rendre les valeurs et les ressources des autres graphiques de barre existants indépendamment des autorisations.Bien que généralement, les secrets ne sont pas stockés dans ces fichiers, il a néanmoins été possible de référencer des valeurs de ces graphiques.Ce problème a été résolu dans ARGO CD 2.3 et les versions ultérieures en randomisant les chemins de barre.L'utilisateur \\ est toujours à l'aide d'ARGO CD 2.3 ou ci-dessous il est conseillé de mettre à jour une version prise en charge.Si cela n'est pas possible, la désactivation du rendu du graphique de la barre ou l'utilisation d'un serveur de réapprovisionnement supplémentaire pour chaque graphique de barre empêcherait une éventuelle exploitation.
Argo CD is a declarative continuous deployment framework for Kubernetes. In Argo CD versions prior to 2.3 (starting at least in v0.1.0, but likely in any version using Helm before 2.3), using a specifically-crafted Helm file could reference external Helm charts handled by the same repo-server to leak values, or files from the referenced Helm Chart. This was possible because Helm paths were predictable. The vulnerability worked by adding a Helm chart that referenced Helm resources from predictable paths. Because the paths of Helm charts were predictable and available on an instance of repo-server, it was possible to reference and then render the values and resources from other existing Helm charts regardless of permissions. While generally, secrets are not stored in these files, it was nevertheless possible to reference any values from these charts. This issue was fixed in Argo CD 2.3 and subsequent versions by randomizing Helm paths. User\'s still using Argo CD 2.3 or below are advised to update to a supported version. If this is not possible, disabling Helm chart rendering, or using an additional repo-server for each Helm chart would prevent possible exploitation. |
Vulnerability | Uber | |
|
2023-09-13 19:35:00 | Alerte: les nouvelles vulnérabilités de Kubernetes permettent aux attaques distantes des points de terminaison Windows Alert: New Kubernetes Vulnerabilities Enable Remote Attacks on Windows Endpoints (lien direct) |
Trois défauts de sécurité à haute sévérité interdépendants découverts dans Kubernetes pourraient être exploités pour réaliser une exécution de code distante avec des privilèges élevés sur les points de terminaison Windows dans un cluster.
Les problèmes, suivis sous forme de CVE-2023-3676, CVE-2023-3893 et CVE-2023-3955, portent des scores CVSS de 8,8 et ont un impact sur tous les environnements Kubernetes avec des nœuds Windows.Des correctifs pour les vulnérabilités ont été publiés en août
Three interrelated high-severity security flaws discovered in Kubernetes could be exploited to achieve remote code execution with elevated privileges on Windows endpoints within a cluster. The issues, tracked as CVE-2023-3676, CVE-2023-3893, and CVE-2023-3955, carry CVSS scores of 8.8 and impact all Kubernetes environments with Windows nodes. Fixes for the vulnerabilities were released on August |
Vulnerability | Uber | ★★★ |
|
2023-09-12 22:15:08 | CVE-2023-41423 (lien direct) | La vulnérabilité de script du site croisé dans le plugin WP Githuber MD V.1.16.2 permet à un attaquant distant d'exécuter du code arbitraire via une charge utile fabriquée à la nouvelle fonction de l'article.
Cross Site Scripting vulnerability in WP Githuber MD plugin v.1.16.2 allows a remote attacker to execute arbitrary code via a crafted payload to the new article function. |
Vulnerability | Uber | |
|
2023-09-12 17:15:08 | CVE-2023-29332 (lien direct) | Microsoft Azure Kubernetes Service Élévation des privilèges Vulnérabilité
Microsoft Azure Kubernetes Service Elevation of Privilege Vulnerability |
Vulnerability | Uber | |
|
2023-09-07 23:15:10 | CVE-2023-40584 (lien direct) | ARGO CD est un déploiement continu déclaratif pour Kubernetes.Toutes les versions d'Argocd à partir de v2.4 ont un bogue où le composant Repo-Server Argocd est vulnérable à un vecteur d'attaque de déni de service.Plus précisément, ledit composant extrait un fichier TAR.gz contrôlé par l'utilisateur sans valider la taille de ses fichiers intérieurs.En conséquence, un utilisateur malveillant et peu privilégié peut envoyer un fichier tar.gz malveillant qui exploite cette vulnérabilité au serveur de réapprovisionnement, nuisant ainsi à la fonctionnalité et à la disponibilité du système \\.De plus, le serveur Repo est sensible à une autre vulnérabilité en raison du fait qu'il ne vérifie pas les autorisations de fichiers extraites avant de tenter de les supprimer.Par conséquent, un attaquant peut élaborer une archive tar.gz malveillante d'une manière qui empêche la suppression de ses fichiers intérieurs lorsque le processus de génération manifeste est terminé.Un patch pour cette vulnérabilité a été publié dans les versions 2.6.15, 2.7.14 et 2.8.3.Il est conseillé aux utilisateurs de mettre à niveau.La seule façon de résoudre complètement le problème est de mettre à niveau, mais les utilisateurs incapables de mettre à niveau doivent configurer la RBAC (contrôle d'accès basé sur les rôles) et fournir un accès à la configuration des applications uniquement à un nombre limité d'administrateurs.Ces administrateurs doivent utiliser des graphiques de barre de confiance et vérifiés.
Argo CD is a declarative continuous deployment for Kubernetes. All versions of ArgoCD starting from v2.4 have a bug where the ArgoCD repo-server component is vulnerable to a Denial-of-Service attack vector. Specifically, the said component extracts a user-controlled tar.gz file without validating the size of its inner files. As a result, a malicious, low-privileged user can send a malicious tar.gz file that exploits this vulnerability to the repo-server, thereby harming the system\'s functionality and availability. Additionally, the repo-server is susceptible to another vulnerability due to the fact that it does not check the extracted file permissions before attempting to delete them. Consequently, an attacker can craft a malicious tar.gz archive in a way that prevents the deletion of its inner files when the manifest generation process is completed. A patch for this vulnerability has been released in versions 2.6.15, 2.7.14, and 2.8.3. Users are advised to upgrade. The only way to completely resolve the issue is to upgrade, however users unable to upgrade should configure RBAC (Role-Based Access Control) and provide access for configuring applications only to a limited number of administrators. These administrators should utilize trusted and verified Helm charts. |
Vulnerability | Uber | |
|
2023-09-06 17:35:09 | GCP-2023-026 (lien direct) | Publié: 2023-09-06 Description Description Gravité notes Trois vulnérabilités (CVE-2023-3676, CVE-2023-3955, CVE-2023-3893) ont été découvertes à Kubernetes où un utilisateur qui peut créer des gods sur les nœuds Windows peutêtre en mesure de dégénérer pour les privilèges d'administration sur ces nœuds.Ces vulnérabilités affectent les versions Windows de Kubelet et le proxy Kubernetes CSI. Pour les instructions et plus de détails, consultez les bulletins suivants: Bulletin de sécurité gke clusters anthos sur le bulletin de sécurité VMware grappes anthos sur le bulletin de sécurité AWS anthos sur le bulletin de sécurité azur anthos sur le bulletin de sécurité en métal nu High CVE-2023-3676 , CVE-2023-3955 , cve-2023-3893 Published: 2023-09-06Description Description Severity Notes Three vulnerabilities (CVE-2023-3676, CVE-2023-3955, CVE-2023-3893) have been discovered in Kubernetes where a user that can create Pods on Windows nodes may be able to escalate to admin privileges on those nodes. These vulnerabilities affect the Windows versions of Kubelet and the Kubernetes CSI proxy. For instructions and more details, see the following bulletins: GKE security bulletin Anthos clusters on VMware security bulletin Anthos clusters on AWS security bulletin Anthos on Azure security bulletin Anthos on bare metal security bulletin High CVE-2023-3676, CVE-2023-3955, CVE-2023-3893 | Vulnerability | Uber | ★★ |
|
2023-08-23 20:15:08 | CVE-2023-40025 (lien direct) | ARGO CD est un outil de livraison continu Gitops déclaratif pour Kubernetes.Toutes les versions du CD ARGO à partir de la version 2.6.0 ont un bogue où les sessions d'ouverture du terminal Web n'expirent pas.Ce bogue permet aux utilisateurs d'envoyer des messages WebSocket même si le jeton a déjà expiré.Le scénario le plus simple est lorsqu'un utilisateur ouvre la vue terminale et la laisse ouverte pendant une période prolongée.Cela permet à l'utilisateur d'afficher des informations sensibles même lorsqu'elle aurait déjà dû être déconnectée.Un patch pour cette vulnérabilité a été publié dans les versions CD ARGO suivantes: 2.6.14, 2.7.12 et 2.8.1.
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. All versions of Argo CD starting from version 2.6.0 have a bug where open web terminal sessions do not expire. This bug allows users to send any websocket messages even if the token has already expired. The most straightforward scenario is when a user opens the terminal view and leaves it open for an extended period. This allows the user to view sensitive information even when they should have been logged out already. A patch for this vulnerability has been released in the following Argo CD versions: 2.6.14, 2.7.12 and 2.8.1. |
Tool Vulnerability | Uber | |
|
2023-08-15 10:00:00 | Pourquoi la sécurité de l'API est-elle la prochaine grande chose en cybersécurité? Why is API security the next big thing in Cybersecurity? (lien direct) |
The content of this post is solely the responsibility of the author. AT&T does not adopt or endorse any of the views, positions, or information provided by the author in this article. APIs, formally known as application programming interfaces, occupy a significant position in modern software development. They revolutionized how web applications work by facilitating applications, containers, and microservices to exchange data and information smoothly. Developers can link APIs with multiple software or other internal systems that help businesses to interact with their clients and make informed decisions. Despite the countless benefits, hackers can exploit vulnerabilities within the APIs to gain unauthorized access to sensitive data resulting in data breaches, financial losses, and reputational damage. Therefore, businesses need to understand the API security threat landscape and look out for the best ways to mitigate them. The urgent need to enhance API security APIs enable data exchanges among applications and systems and help in the seamless execution of complex tasks. But as the average number of APIs rises, organizations often overlook their vulnerabilities, making them a prime target of hackers. The State of API Security Q1 Report 2023 survey finding concluded that the attacks targeting APIs had increased 400% during the past six months. Security vulnerabilities within APIs compromise critical systems, resulting in unauthorized access and data breaches like Twitter and Optus API breaches. Cybercriminals can exploit the vulnerabilities and launch various attacks like authentication attacks, distributed denial-of-service attacks (DDoS), and malware attacks. API security has emerged as a significant business issue as another report reveals that by 2023, API abuses will be the most frequent attack vector causing data breaches, and also, 50% of data theft incidents will happen due to insecure APIs. As a result, API security has. become a top priority for organizations to safeguard their data, which may cost businesses $75 billion annually. Why does API security still pose a threat in 2023? Securing APIs has always been a daunting task for most organizations, mainly because of the misconfigurations within APIs and the rise in cloud data breaches. As the security landscape evolved, API sprawl became the top reason that posed a threat to API security. API sprawl is the uncontrolled proliferation of APIs across an organization and is a common problem for enterprises with multiple applications, services, and development teams. As more APIs are created, they expanded the attack surface and emerged as an attractive target for hackers. The issue is that the APIs are not always designed by keeping security standards in mind. This leads to a lack of authorization and authentication, exposing sensitive data like personally identifiable information (PII) or other business data. API sprawl | Malware Tool Vulnerability Threat Cloud | Uber | ★★★ |
 |
2023-07-27 17:05:00 | Les vulnérabilités pourraient exposer les utilisateurs d'Ubuntu à des attaques d'escalade privilégiées Vulnerabilities could expose Ubuntu users to privilege escalation attacks (lien direct) |
Les chercheurs ont ont découvert deux vulnérabilités dans le système d'exploitation Linux, Ubuntu avec le potentiel d'accorder des attaquants a augmenté les privilèges.Les deux bogues ont un impact sur les surlayfs, un système de fichiers Linux largement installé utilisé pour la conteneurisation sur les serveurs cloud avec des technologies comme Docker et Kubernetes.Après avoir été informé des vulnérabilités par les chercheurs avec la société de sécurité du cloud Wiz
Researchers have discovered two vulnerabilities in the Linux operating system Ubuntu with the potential to grant attackers escalated privileges. The two bugs impact OverlayFS, a widely installed Linux filesystem used for containerization on cloud servers with technologies like Docker and Kubernetes. After being notified of the vulnerabilities by researchers with the cloud security firm Wiz |
Vulnerability Cloud | Uber | ★★ |
|
2023-07-10 17:15:09 | CVE-2023-36375 (lien direct) | La vulnérabilité des scripts du site croisé dans le système de gestion de l'auberge V2.1 permet à un attaquant d'exécuter du code arbitraire via une charge utile fabriquée au nom du gardien, à la relation tuteur, à l'adresse complémentaire, à la ville, à l'adresse permanente et aux paramètres de la ville dans le livre Hostel & amp;Page Détails de la salle.
Cross Site Scripting vulnerability in Hostel Management System v2.1 allows an attacker to execute arbitrary code via a crafted payload to the Guardian name, Guardian relation, complimentary address, city, permanent address, and city parameters in the Book Hostel & Room Details page. |
Vulnerability | Uber | |
|
2023-07-10 16:15:53 | CVE-2023-36376 (lien direct) | La vulnérabilité des scripts croisés (XSS) dans le système de gestion de l'auberge V.2.1 permet aux attaquants d'exécuter des scripts Web arbitraires ou HTML via une charge utile fabriquée injectée dans la section Ajouter le cours.
Cross-Site Scripting (XSS) vulnerability in Hostel Management System v.2.1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the add course section. |
Vulnerability | Uber | |
|
2023-06-27 14:55:00 | (Déjà vu) GCP-2023-018 (lien direct) | Publié: 2023-06-27 Description | Vulnerability | Uber | ★★ |
|
2023-06-26 18:49:48 | GCP-2023-017 (lien direct) | Publié: 2023-06-26 Description | Vulnerability | Uber | ★★ |
 |
2023-06-22 12:05:42 | Google Cloud attribue 313 337 $ en 2022 Prix VRP Google Cloud Awards $313,337 in 2022 VRP Prizes (lien direct) |
Anthony Weems, Information Security Engineer2022 was a successful year for Google\'s Vulnerability Reward Programs (VRPs), with over 2,900 security issues identified and fixed, and over $12 million in bounty rewards awarded to researchers. A significant amount of these vulnerability reports helped improve the security of Google Cloud products, which in turn helps improve security for our users, customers, and the Internet at large.We first announced the Google Cloud VRP Prize in 2019 to encourage security researchers to focus on the security of Google Cloud and to incentivize sharing knowledge on Cloud vulnerability research with the world. This year, we were excited to see an increase in collaboration between researchers, which often led to more detailed and complex vulnerability reports. After careful evaluation of the submissions, today we are excited to announce the winners of the 2022 Google Cloud VRP Prize.2022 Google Cloud VRP Prize Winners1st Prize - $133,337: Yuval Avrahami for the report and write-up Privilege escalations in GKE Autopilot. Yuval\'s excellent write-up describes several attack paths that would allow an attacker with permission to create pods in an Autopilot cluster to escalate privileges and compromise the underlying node VMs. While thes | Vulnerability Cloud | Uber | ★★ |
|
2023-06-15 20:15:09 | CVE-2023-34242 (lien direct) | CILIUM est une solution de réseautage, d'observabilité et de sécurité avec une voie de données basée sur EBPF.Avant la version 1.13.4, lorsque l'API de la passerelle est activée dans CILIUM, l'absence de contrôle sur l'espace de noms dans lequel une référence est créée pourrait entraîner le cil de gagner involontairement la visibilité des secrets (y compris des certificats) et des services à travers les espaces de noms.Un attaquant sur un cluster affecté peut tirer parti de ce problème pour utiliser des secrets de cluster qui ne devraient pas être visibles pour eux, ou communiquer avec les services auxquels ils ne devraient pas avoir accès.La fonctionnalité de l'API de passerelle est désactivée par défaut.Cette vulnérabilité est fixée dans la libération de cilium 1.13.4.En tant que solution de contournement, restreignez la création de ressources «ReferenceGrant» aux utilisateurs d'administration en utilisant Kubernetes RBAC.
Cilium is a networking, observability, and security solution with an eBPF-based dataplane. Prior to version 1.13.4, when Gateway API is enabled in Cilium, the absence of a check on the namespace in which a ReferenceGrant is created could result in Cilium unintentionally gaining visibility of secrets (including certificates) and services across namespaces. An attacker on an affected cluster can leverage this issue to use cluster secrets that should not be visible to them, or communicate with services that they should not have access to. Gateway API functionality is disabled by default. This vulnerability is fixed in Cilium release 1.13.4. As a workaround, restrict the creation of `ReferenceGrant` resources to admin users by using Kubernetes RBAC. |
Vulnerability | Uber | |
|
2023-06-14 11:59:49 | Apprentissage de KCTF VRP \\'s 42 Linux Neule exploite les soumissions Learnings from kCTF VRP\\'s 42 Linux kernel exploits submissions (lien direct) |
Tamás Koczka, Security EngineerIn 2020, we integrated kCTF into Google\'s Vulnerability Rewards Program (VRP) to support researchers evaluating the security of Google Kubernetes Engine (GKE) and the underlying Linux kernel. As the Linux kernel is a key component not just for Google, but for the Internet, we started heavily investing in this area. We extended the VRP\'s scope and maximum reward in 2021 (to $50k), then again in February 2022 (to $91k), and finally in August 2022 (to $133k). In 2022, we also summarized our learnings to date in our cookbook, and introduced our experimental mitigations for the most common exploitation techniques.In this post, we\'d like to share our learnings and statistics about the latest Linux kernel exploit submissions, how effective our | Vulnerability | Uber | ★★ |
 |
2023-06-13 13:00:00 | CyberheistNews Vol 13 # 24 [Le biais de l'esprit \\] le prétexage dépasse désormais le phishing dans les attaques d'ingénierie sociale CyberheistNews Vol 13 #24 [The Mind\\'s Bias] Pretexting Now Tops Phishing in Social Engineering Attacks (lien direct) |
CyberheistNews Vol 13 #24 | June 13th, 2023
[The Mind\'s Bias] Pretexting Now Tops Phishing in Social Engineering Attacks
The New Verizon DBIR is a treasure trove of data. As we will cover a bit below, Verizon reported that 74% of data breaches Involve the "Human Element," so people are one of the most common factors contributing to successful data breaches. Let\'s drill down a bit more in the social engineering section.
They explained: "Now, who has received an email or a direct message on social media from a friend or family member who desperately needs money? Probably fewer of you. This is social engineering (pretexting specifically) and it takes more skill.
"The most convincing social engineers can get into your head and convince you that someone you love is in danger. They use information they have learned about you and your loved ones to trick you into believing the message is truly from someone you know, and they use this invented scenario to play on your emotions and create a sense of urgency. The DBIR Figure 35 shows that Pretexting is now more prevalent than Phishing in Social Engineering incidents. However, when we look at confirmed breaches, Phishing is still on top."
A social attack known as BEC, or business email compromise, can be quite intricate. In this type of attack, the perpetrator uses existing email communications and information to deceive the recipient into carrying out a seemingly ordinary task, like changing a vendor\'s bank account details. But what makes this attack dangerous is that the new bank account provided belongs to the attacker. As a result, any payments the recipient makes to that account will simply disappear.
BEC Attacks Have Nearly Doubled
It can be difficult to spot these attacks as the attackers do a lot of preparation beforehand. They may create a domain doppelganger that looks almost identical to the real one and modify the signature block to show their own number instead of the legitimate vendor.
Attackers can make many subtle changes to trick their targets, especially if they are receiving many similar legitimate requests. This could be one reason why BEC attacks have nearly doubled across the DBIR entire incident dataset, as shown in Figure 36, and now make up over 50% of incidents in this category.
Financially Motivated External Attackers Double Down on Social Engineering
Timely detection and response is crucial when dealing with social engineering attacks, as well as most other attacks. Figure 38 shows a steady increase in the median cost of BECs since 2018, now averaging around $50,000, emphasizing the significance of quick detection.
However, unlike the times we live in, this section isn\'t all doom and |
Spam Malware Vulnerability Threat Patching | Uber APT 37 ChatGPT ChatGPT APT 43 | ★★ |
|
2023-06-01 13:15:10 | CVE-2023-22647 (lien direct) | Une vulnérabilité de gestion des privilèges inappropriée dans SUSE Rancher a permis aux utilisateurs standard de tirer parti de leurs autorisations existantes pour manipuler les secrets de Kubernetes dans le local cluster, entraînant le secret du secret, mais leur niveau de lecture Les autorisations au secret étant préservées.Quand cette opération était suivi par d'autres commandes spécialement conçues, cela pourrait entraîner L'utilisateur a accès à des jetons appartenant à des comptes de service dans le cluster local. Ce problème affecte Rancher: de> = 2,6.0 avant = 2,7.0 avant = 2.6.0 before < 2.6.13, from >= 2.7.0 before < 2.7.4. | Vulnerability | Uber | |
|
2023-05-22 15:15:09 | CVE-2023-25448 (lien direct) | Cross-Site Request Forgery (CSRF) vulnerability in Eric Teubert Archivist – Custom Archive Templates plugin | Vulnerability | Uber | |
|
2023-05-04 08:15:22 | CVE-2023-22651 (lien direct) | La vulnérabilité de gestion des privilèges inappropriée dans SUSE Rancher permet une escalade des privilèges.Un échec dans la logique de mise à jour du webhook de l'admission de Rancher \\ peut conduire à
La mauvaise configuration du webhook.Ce composant applique la validation
Règles et vérifications de sécurité avant l'admission des ressources
CLUSTER KUBERNETES.
Le problème affecte uniquement les utilisateurs qui passent de 2.6.x ou 2.7.x à 2.7.2.Les utilisateurs qui ont effectué une nouvelle installation de 2.7.2 (et qui n'ont pas suivi un chemin de mise à niveau) ne sont pas affectés.
Improper Privilege Management vulnerability in SUSE Rancher allows Privilege Escalation. A failure in the update logic of Rancher\'s admission Webhook may lead to the misconfiguration of the Webhook. This component enforces validation rules and security checks before resources are admitted into the Kubernetes cluster. The issue only affects users that upgrade from 2.6.x or 2.7.x to 2.7.2. Users that did a fresh install of 2.7.2 (and did not follow an upgrade path) are not affected. |
Vulnerability | Uber | |
|
2023-04-25 12:15:09 | CVE-2023-25490 (lien direct) | Auth.(Admin +) Vulnérabilité des scripts inter-sites stockés (XSS) dans Eric Teubert Archivist & acirc; & euro; & ldquo;Plugin de modèles d'archives personnalisés | Vulnerability | Uber | |
|
2023-03-17 22:15:11 | CVE-2023-27595 (lien direct) | Cilium is a networking, observability, and security solution with an eBPF-based dataplane. In version 1.13.0, when Cilium is started, there is a short period when Cilium eBPF programs are not attached to the host. During this period, the host does not implement any of Cilium's featureset. This can cause disruption to newly established connections during this period due to the lack of Load Balancing, or can cause Network Policy bypass due to the lack of Network Policy enforcement during the window. This vulnerability impacts any Cilium-managed endpoints on the node (such as Kubernetes Pods), as well as the host network namespace (including Host Firewall). This vulnerability is fixed in Cilium 1.13.1 or later. Cilium releases 1.12.x, 1.11.x, and earlier are not affected. There are no known workarounds. | Vulnerability | Uber | |
|
2023-03-16 17:15:09 | CVE-2023-28110 (lien direct) | Jumpserver is a popular open source bastion host, and Koko is a Jumpserver component that is the Go version of coco, refactoring coco's SSH/SFTP service and Web Terminal service. Prior to version 2.28.8, using illegal tokens to connect to a Kubernetes cluster through Koko can result in the execution of dangerous commands that may disrupt the Koko container environment and affect normal usage. The vulnerability has been fixed in v2.28.8. | Vulnerability | Uber | |
|
2023-03-09 21:15:11 | CVE-2023-27483 (lien direct) | crossplane-runtime is a set of go libraries used to build Kubernetes controllers in Crossplane and its related stacks. An out of memory panic vulnerability has been discovered in affected versions. Applications that use the `Paved` type's `SetValue` method with user provided input without proper validation might use excessive amounts of memory and cause an out of memory panic. In the fieldpath package, the Paved.SetValue method sets a value on the Paved object according to the provided path, without any validation. This allows setting values in slices at any provided index, which grows the target array up to the requested index, the index is currently capped at max uint32 (4294967295) given how indexes are parsed, but that is still an unnecessarily large value. If callers are not validating paths' indexes on their own, which most probably are not going to do, given that the input is parsed directly in the SetValue method, this could allow users to consume arbitrary amounts of memory. Applications that do not use the `Paved` type's `SetValue` method are not affected. This issue has been addressed in versions 0.16.1 and 0.19.2. Users are advised to upgrade. Users unable to upgrade can parse and validate the path before passing it to the `SetValue` method of the `Paved` type, constraining the index size as deemed appropriate. | Vulnerability | Uber | |
|
2023-02-28 19:15:16 | CVE-2023-1065 (lien direct) | This vulnerability in the Snyk Kubernetes Monitor can result in irrelevant data being posted to a Snyk Organization, which could in turn obfuscate other, relevant, security issues. It does not expose the user of the integration to any direct security risk and no user data can be leaked. To exploit the vulnerability the attacker does not need to be authenticated to Snyk but does need to know the target's Integration ID (which may or may not be the same as the Organization ID, although this is an unpredictable UUID in either case). | Vulnerability | Uber | |
|
2023-02-16 18:15:11 | CVE-2023-23947 (lien direct) | Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. All Argo CD versions starting with 2.3.0-rc1 and prior to 2.3.17, 2.4.23 2.5.11, and 2.6.2 are vulnerable to an improper authorization bug which allows users who have the ability to update at least one cluster secret to update any cluster secret. The attacker could use this access to escalate privileges (potentially controlling Kubernetes resources) or to break Argo CD functionality (by preventing connections to external clusters). A patch for this vulnerability has been released in Argo CD versions 2.6.2, 2.5.11, 2.4.23, and 2.3.17. Two workarounds are available. Either modify the RBAC configuration to completely revoke all `clusters, update` access, or use the `destinations` and `clusterResourceWhitelist` fields to apply similar restrictions as the `namespaces` and `clusterResources` fields. | Tool Vulnerability | Uber | |
|
2023-02-08 21:15:10 | CVE-2023-25163 (lien direct) | Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. All versions of Argo CD starting with v2.6.0-rc1 have an output sanitization bug which leaks repository access credentials in error messages. These error messages are visible to the user, and they are logged. The error message is visible when a user attempts to create or update an Application via the Argo CD API (and therefor the UI or CLI). The user must have `applications, create` or `applications, update` RBAC access to reach the code which may produce the error. The user is not guaranteed to be able to trigger the error message. They may attempt to spam the API with requests to trigger a rate limit error from the upstream repository. If the user has `repositories, update` access, they may edit an existing repository to introduce a URL typo or otherwise force an error message. But if they have that level of access, they are probably intended to have access to the credentials anyway. A patch for this vulnerability has been released in version 2.6.1. Users are advised to upgrade. There are no known workarounds for this vulnerability. | Spam Tool Vulnerability | Uber | |
|
2023-01-26 21:18:13 | CVE-2023-22736 (lien direct) | Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Versions starting with 2.5.0-rc1 and above, prior to 2.5.8, and version 2.6.0-rc4, are vulnerable to an authorization bypass bug which allows a malicious Argo CD user to deploy Applications outside the configured allowed namespaces. Reconciled Application namespaces are specified as a comma-delimited list of glob patterns. When sharding is enabled on the Application controller, it does not enforce that list of patterns when reconciling Applications. For example, if Application namespaces are configured to be argocd-*, the Application controller may reconcile an Application installed in a namespace called other, even though it does not start with argocd-. Reconciliation of the out-of-bounds Application is only triggered when the Application is updated, so the attacker must be able to cause an update operation on the Application resource. This bug only applies to users who have explicitly enabled the "apps-in-any-namespace" feature by setting `application.namespaces` in the argocd-cmd-params-cm ConfigMap or otherwise setting the `--application-namespaces` flags on the Application controller and API server components. The apps-in-any-namespace feature is in beta as of this Security Advisory's publish date. The bug is also limited to Argo CD instances where sharding is enabled by increasing the `replicas` count for the Application controller. Finally, the AppProjects' `sourceNamespaces` field acts as a secondary check against this exploit. To cause reconciliation of an Application in an out-of-bounds namespace, an AppProject must be available which permits Applications in the out-of-bounds namespace. A patch for this vulnerability has been released in versions 2.5.8 and 2.6.0-rc5. As a workaround, running only one replica of the Application controller will prevent exploitation of this bug. Making sure all AppProjects' sourceNamespaces are restricted within the confines of the configured Application namespaces will also prevent exploitation of this bug. | Tool Vulnerability | Uber | |
|
2023-01-26 21:18:12 | CVE-2023-22482 (lien direct) | Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Versions of Argo CD starting with v1.8.2 and prior to 2.3.13, 2.4.19, 2.5.6, and 2.6.0-rc-3 are vulnerable to an improper authorization bug causing the API to accept certain invalid tokens. OIDC providers include an `aud` (audience) claim in signed tokens. The value of that claim specifies the intended audience(s) of the token (i.e. the service or services which are meant to accept the token). Argo CD _does_ validate that the token was signed by Argo CD's configured OIDC provider. But Argo CD _does not_ validate the audience claim, so it will accept tokens that are not intended for Argo CD. If Argo CD's configured OIDC provider also serves other audiences (for example, a file storage service), then Argo CD will accept a token intended for one of those other audiences. Argo CD will grant the user privileges based on the token's `groups` claim, even though those groups were not intended to be used by Argo CD. This bug also increases the impact of a stolen token. If an attacker steals a valid token for a different audience, they can use it to access Argo CD. A patch for this vulnerability has been released in versions 2.6.0-rc3, 2.5.6, 2.4.19, and 2.3.13. There are no workarounds. | Tool Vulnerability | Uber | |
|
2023-01-14 01:15:15 | CVE-2023-22480 (lien direct) | KubeOperator is an open source Kubernetes distribution focused on helping enterprises plan, deploy and operate production-level K8s clusters. In KubeOperator versions 3.16.3 and below, API interfaces with unauthorized entities and can leak sensitive information. This vulnerability could be used to take over the cluster under certain conditions. This issue has been patched in version 3.16.4. | Vulnerability | Uber | |
|
2023-01-13 06:15:11 | CVE-2022-3841 (lien direct) | RHACM: unauthenticated SSRF in console API endpoint. A Server-Side Request Forgery (SSRF) vulnerability was found in the console API endpoint from Red Hat Advanced Cluster Management for Kubernetes (RHACM). An attacker could take advantage of this as the console API endpoint is missing an authentication check, allowing unauthenticated users making requests. | Vulnerability | Uber | |
|
2023-01-09 14:15:09 | CVE-2022-23509 (lien direct) | Weave GitOps is a simple open source developer platform for people who want cloud native applications, without needing Kubernetes expertise. GitOps run has a local S3 bucket which it uses for synchronizing files that are later applied against a Kubernetes cluster. The communication between GitOps Run and the local S3 bucket is not encrypted. This allows privileged users or process to tap the local traffic to gain information permitting access to the s3 bucket. From that point, it would be possible to alter the bucket content, resulting in changes in the Kubernetes cluster's resources. There are no known workaround(s) for this vulnerability. This vulnerability has been fixed by commits ce2bbff and babd915. Users should upgrade to Weave GitOps version >= v0.12.0 released on 08/12/2022. | Vulnerability | Uber | |
|
2023-01-09 13:15:10 | CVE-2022-23508 (lien direct) | Weave GitOps is a simple open source developer platform for people who want cloud native applications, without needing Kubernetes expertise. A vulnerability in GitOps run could allow a local user or process to alter a Kubernetes cluster's resources. GitOps run has a local S3 bucket which it uses for synchronizing files that are later applied against a Kubernetes cluster. Its endpoint had no security controls to block unauthorized access, therefore allowing local users (and processes) on the same machine to see and alter the bucket content. By leveraging this vulnerability, an attacker could pick a workload of their choosing and inject it into the S3 bucket, which resulted in the successful deployment in the target cluster, without the need to provide any credentials to either the S3 bucket nor the target Kubernetes cluster. There are no known workarounds for this issue, please upgrade. This vulnerability has been fixed by commits 75268c4 and 966823b. Users should upgrade to Weave GitOps version >= v0.12.0 released on 08/12/2022. ### Workarounds There is no workaround for this vulnerability. ### References Disclosed by Paulo Gomes, Senior Software Engineer, Weaveworks. ### For more information If you have any questions or comments about this advisory: - Open an issue in [Weave GitOps repository](https://github.com/weaveworks/weave-gitops) - Email us at [support@weave.works](mailto:support@weave.works) | Vulnerability | Uber | |
|
2022-12-23 23:15:08 | CVE-2022-47633 (lien direct) | An image signature validation bypass vulnerability in Kyverno 1.8.3 and 1.8.4 allows a malicious image registry (or a man-in-the-middle attacker) to inject unsigned arbitrary container images into a protected Kubernetes cluster. This is fixed in 1.8.5. This has been fixed in 1.8.5 and mitigations are available for impacted releases. | Vulnerability | Uber | |
|
2022-12-21 17:12:56 | (Déjà vu) GCP-2022-012 (lien direct) | Published: 2022-04-07 Updated: 2022-11-22Description Description Severity Notes 2022-11-22 Update: For GKE clusters in both modes, Standard and Autopilot, workloads using GKE Sandbox are unaffected. A security vulnerability, CVE-2022-0847, has been discovered in the Linux kernel version 5.8 and later that can potentially escalate container privileges to root. This vulnerability affects the following products: GKE node pool versions 1.22 and later that use Container-Optimized OS images (Container-Optimized OS 93 and later) Anthos clusters on VMware v1.10 for Container-Optimized OS images Anthos clusters on AWS v1.21 and Anthos clusters on AWS (previous generation) v1.19, v1.20, v1.21, which use Ubuntu Managed clusters of Anthos on Azure v1.21 which use Ubuntu For instructions and more details, see the following security bulletins: GKE security bulletin Anthos clusters on VMware security bulletin Anthos clusters on AWS security bulletin Anthos on Azure security bulletin Anthos on bare metal security bulletin High CVE-2022-0847 | Vulnerability | Uber | ★★★ |
|
2022-12-21 17:12:56 | GCP-2022-013 (lien direct) | Published: 2022-04-11 Updated: 2022-04-22Description Description Severity Notes A security vulnerability, CVE-2022-23648, has been discovered in containerd's handling of path traversal in the OCI image volume specification. Containers launched through containerd's CRI implementation with a specially-crafted image configuration could gain full read access to arbitrary files and directories on the host. This vulnerability may bypass any policy-based enforcement on container setup (including a Kubernetes Pod Security Policy). For instructions and more details, see the following security bulletins: GKE security bulletin Anthos clusters on VMware security bulletin Anthos clusters on AWS security bulletin Anthos on Azure security bulletin Anthos on bare metal security bulletin Medium CVE-2022-23648 | Vulnerability | Uber | ★★★ |
|
2022-12-21 17:12:56 | (Déjà vu) GCP-2022-017 (lien direct) | Published: 2022-06-29 Updated: 2022-11-22Description Description Severity Notes 2022-11-22 Update: Workloads using GKE Sandbox are not affected by these vulnerabilities. 2022-07-21 Update: additional information on Anthos clusters on VMware. A new vulnerability (CVE-2022-1786) has been discovered in the Linux kernel versions 5.10 and 5.11. This vulnerability allows an unprivileged user with local access to the cluster to achieve a full container breakout to root on the node. Only clusters that run Container-Optimized OS are affected. GKE Ubuntu versions use either version 5.4 or 5.15 of the kernel and are not affected. For instructions and more details, see the: GKE security bulletin Anthos clusters on VMware security bulletin Anthos clusters on AWS security bulletin Anthos on Azure security bulletin Anthos on bare metal security bulletin High CVE-2022-1786 | Vulnerability | Uber | ★★★ |
|
2022-12-21 17:12:56 | (Déjà vu) GCP-2022-021 (lien direct) | Published: 2022-10-27Updated: 2022-12-15Description Description Severity Notes 2022-12-15 Update: Updated information that version 1.21.14-gke.9400 of Google Kubernetes Engine is pending rollout and may be superseded by a higher version number. 2022-11-22 Update: Added patch versions for Anthos clusters on VMware, Anthos clusters on AWS, and Anthos on Azure. A new vulnerability, CVE-2022-3176, has been discovered in the Linux kernel that can lead to local privilege escalation. This vulnerability allows an unprivileged user to achieve full container breakout to root on the node. For instructions and more details, see the following bulletins: GKE security bulletin Anthos clusters on VMware security bulletin Anthos clusters on AWS security bulletin Anthos on Azure security bulletin Anthos on bare metal security bulletin High CVE-2022-3176 | Vulnerability Guideline | Uber | ★★★ |
|
2022-10-20 13:01:02 | Announcing GUAC, a great pairing with SLSA (and SBOM)! (lien direct) | Posted by Brandon Lum, Mihai Maruseac, Isaac Hepworth, Google Open Source Security Team Supply chain security is at the fore of the industry's collective consciousness. We've recently seen a significant rise in software supply chain attacks, a Log4j vulnerability of catastrophic severity and breadth, and even an Executive Order on Cybersecurity. It is against this background that Google is seeking contributors to a new open source project called GUAC (pronounced like the dip). GUAC, or Graph for Understanding Artifact Composition, is in the early stages yet is poised to change how the industry understands software supply chains. GUAC addresses a need created by the burgeoning efforts across the ecosystem to generate software build, security, and dependency metadata. True to Google's mission to organize and make the world's information universally accessible and useful, GUAC is meant to democratize the availability of this security information by making it freely accessible and useful for every organization, not just those with enterprise-scale security and IT funding. Thanks to community collaboration in groups such as OpenSSF, SLSA, SPDX, CycloneDX, and others, organizations increasingly have ready access to: Software Bills of Materials (SBOMs) (with SPDX-SBOM-Generator, Syft, kubernetes bom tool) signed attestations about how software was built (e.g. SLSA with SLSA3 Github Actions Builder, Google Cloud Build) vulnerability databases that aggregate information across ecosystems and make vulnerabilities more discoverable and actionable (e.g. OSV.dev, Global Security Database (GSD)). These data are useful on their own, but it's difficult to combine and synthesize the information for a more comprehensive view. The documents are scattered across different databases and producers, are attached to different ecosystem entities, and cannot be easily aggregated to answer higher-level questions about an organization's software assets. To help address this issue we've teamed up with Kusari, Purdue University, and Citi to create GUAC, a free tool to bring together many different sources of software security metadata. We're excited to share the project's proof of concept, which lets you query a small dataset of software metadata including SLSA provenance, SBOMs, and OpenSSF Scorecards. What is GUAC Graph for Understanding Artifact Composition (GUAC) aggregates software security metadata into a high fidelity graph database-normalizing entity identities and mapping standard relationships between them. Querying this graph can drive higher-level organizational outcomes such as audit, policy, risk management, and even developer assistance. Conceptually, GUAC occupies the “aggregation and synthesis” layer of the software supply chain transparency logical model: | Tool Vulnerability | Uber | |
|
2022-10-13 10:00:00 | The biggest concerns within the US Financial Sector in 2022 (lien direct) | This blog was written by an independent guest blogger. The value of digital payment transactions is growing as the world's payment environment moves more and more away from cash. Over the past few years, BFSI (Banking, Financial Service, and Insurance) firms have continued to be a top target for hackers. In fact, the Sixth Annual Bank Survey found that more than 70% of fintech companies named information security as their top issue. According to VMware's Modern Bank Heists study, since the COVID-19 epidemic, there have been 238% more cyberattacks on companies in the financial sector. Artificial intelligence (AI) and self-learning malware are making cyberattacks more sophisticated. While ransomware assaults are the most profitable for cybercriminals, phishing attacks prey on unsuspecting and defenseless consumers. Thus, it should come as no surprise that 39% of financial industry executives think that the overall network security threat to BFSI sector companies has increased significantly. Financial and banking firms in the US must put cybersecurity first above all else given the volume of sensitive data that the BFSI sector must manage. Leading analytics company GlobalData predicts that rising demand for cybersecurity would cause worldwide security revenues in the retail banking industry to climb from $7.9 billion in 2019 to $9.8 billion in 2024. What are the biggest concerns facing the financial sector in the United States for 2022? Reimbursing cyber scams As banks are under pressure to compensate their scammed consumers, rising cybercrime rates translate to rising costs for the industry. More than half (58%) of those who conduct their banking online encounter scams via email or SMS at least once per week, and 23% report having fallen victim to a cyberattack. Banks currently reimburse authorized push payment (APP) fraud at an average rate of 46%. Although many banking institutions are refusing reimbursements for online fraud, this is due to change soon, or else the situation will backfire. For example, measures supported by the UK government will require banks to reimburse everyone. This is only one illustration of the fact that if banks are to secure their consumers and their business line in 2022, they must prioritize cybersecurity more highly. To exchange efficient strategies, banks will need to collaborate with governments and industry organizations. The public must continue to get education on preventative measures, but ultimately it is the banks' responsibility to establish security models that will give them and their clients the greatest level of safety. Maintain compliance with strict privacy regulations The use of social engineering and account takeover fraud will increase over the next years. Financial institutions must not only conduct comprehensive data checks beyond document verification at account opening to fight this but also keep track of customer identities throughout the customer lifecycle. Banks must decide how to manage sensitive personal data like biometrics as | Ransomware Malware Vulnerability Threat Guideline | Uber | |
 |
2022-10-11 14:11:23 | Microsoft Patch Tuesday for October 2022 - Snort rules and prominent vulnerabilities (lien direct) |  By Jon Munshaw and Vanja Svajcer.Microsoft released its monthly security update Tuesday, disclosing 83 vulnerabilities across the company's hardware and software line, including seven critical issues in Windows' point-to-point tunneling protocol. October's security update features 11 critical vulnerabilities, with the remainder being “important.” One of the most notable vulnerabilities Microsoft fixed this month is CVE-2022-41038, a remote code execution issue in Microsoft SharePoint. There are several other SharePoint vulnerabilities included in this month's Patch Tuesday, though this seems the most severe, as Microsoft continues it to be “more likely” to be exploited. An attacker must be authenticated to the target site with the correct permissions to use manage lists in SharePoint to exploit this vulnerability, and eventually gain the ability to execute remote code on the SharePoint server. CVE-2022-37968, an elevation of privilege vulnerability in Azure Arc Connect, has the highest severity score out of all the vulnerabilities Microsoft fixed this month - a maximum 10 out of 10. Successful exploitation of this vulnerability, which affects the cluster connect feature of Azure Arc-enabled Kubernetes clusters, could allow an unauthenticated user to elevate their privileges as cluster admins and potentially gain control over the Kubernetes cluster. CVE-2022-37976 and CVE-2022-37979 are also critical elevation of privilege vulnerabilities in Windows Active Directory and Hyper-V, respectively. The Windows' point-to-point tunneling protocol, which is a network protocol used to create VPN tunnels between public networks, contains eight vulnerabilities that Microsoft disclosed Tuesday, seven of which are rated “critical” severity: CVE-2022-22035CVE-2022-24504 CVE-2022-30198 CVE-2022-33634 CVE-2022-38000 CVE-2022-38047 CVE-2022-41081 CVE-2022-38000 is the most serious among the group wit |
Vulnerability | Uber |
To see everything:
Our RSS (filtrered)
