FEDORA-2023-3370eab930
Packages in this update:
java-11-openjdk-11.0.19.0.7-1.fc38
Update description:
Updated to the Java April security update.
It is no secret that humans are the biggest vulnerability in any corporate network, whether through an inability to manage password complexity across multiple systems, poor social media habits, or a lack of awareness around email links, online shopping, and app and software usage.
A major problem for businesses, particularly in a post-COVID world with so many people working remotely, is that the security challenges employees face extend very easily to their personal devices, while corporate IT's visibility and control do not. This weakness has precedent: a recent compromise of LastPass was attributed to the compromised home computer of a DevOps engineer. The trick, of course, is finding a way to help employees protect themselves, and so better protect corporate resources, while staying within budget and avoiding invasions of privacy.
Memory corruption in Automotive due to Improper Restriction of Operations within the Bounds of a Memory Buffer while exporting a shared key.
A vulnerability classified as problematic was found in BestWebSoft Job Board Plugin 1.0.0 on WordPress. This vulnerability affects unknown code. The manipulation leads to cross site scripting. The attack can be initiated remotely. Upgrading to version 1.0.1 is able to address this issue. The name of the patch is dbb71deee071422ce3e663fbcdce3ad24886f940. It is recommended to upgrade the affected component. The identifier of this vulnerability is VDB-227764.
A vulnerability, which was classified as problematic, has been found in Mail Subscribe List Plugin up to 2.0.10 on WordPress. This issue affects some unknown processing of the file index.php. The manipulation of the argument sml_name/sml_email leads to cross site scripting. The attack may be initiated remotely. Upgrading to version 2.1 is able to address this issue. The name of the patch is 484970ef8285cae51d2de3bd4e4684d33c956c28. It is recommended to upgrade the affected component. The identifier VDB-227765 was assigned to this vulnerability.
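The two WordPress entries above describe the same class of bug: a form field (here sml_name and sml_email) is echoed back into the page without output encoding, so a value that closes the attribute and opens a script tag executes in the victim's browser. The following is an added example, not code from either plugin or from VulDB; it models a form that reflects those two parameters the way a vulnerable handler would, and shows the fix, which is escaping for the HTML attribute context (html.escape with quote=True here, the equivalent of esc_attr() in WordPress). The query string is a constructed payload.

```python
import html
from urllib.parse import parse_qs

# Constructed attacker request: sml_name carries an attribute-breakout payload.
# This is sample input for the example, not a captured exploit.
QUERY = 'sml_name=%22%3E%3Cscript%3Ealert(1)%3C%2Fscript%3E&sml_email=a%40b.test'


def parse_params(query: str) -> dict:
    """Return the first value of each query parameter (PHP $_GET semantics)."""
    return {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}


def render_form_vulnerable(params: dict) -> str:
    """Reflects raw values into a double-quoted attribute: "> ends the
    attribute and the tag, and whatever follows becomes live markup."""
    name = params.get("sml_name", "")
    email = params.get("sml_email", "")
    return (
        f'<input type="text" name="sml_name" value="{name}">'
        f'<input type="text" name="sml_email" value="{email}">'
    )


def render_form_fixed(params: dict) -> str:
    """Same template, but every reflected value is escaped for the attribute
    context. quote=True is essential: without it " is left intact and the
    breakout still works inside a double-quoted attribute."""
    name = html.escape(params.get("sml_name", ""), quote=True)
    email = html.escape(params.get("sml_email", ""), quote=True)
    return (
        f'<input type="text" name="sml_name" value="{name}">'
        f'<input type="text" name="sml_email" value="{email}">'
    )


def reflects_script(markup: str) -> bool:
    """Crude oracle: a literal <script> tag in the output means the payload
    escaped the attribute. Sufficient for this demonstration, not a scanner."""
    return "<script>" in markup


if __name__ == "__main__":
    params = parse_params(QUERY)
    print("vulnerable :", render_form_vulnerable(params))
    print("fixed      :", render_form_fixed(params))
```

Escaping must be chosen per output context: what is correct inside an attribute is not sufficient inside a script block or a URL, and it must be applied at the point of output, not on input, so that the stored value stays usable elsewhere.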
An untrusted search path vulnerability was discovered in Node.js, which could result in unexpected searching for or loading of ICU data when running with elevated privileges.
FortiGuard Labs has recently observed a detection spike for the DVR Authentication Bypass Vulnerability (CVE-2018-9995). This indicates that attackers are trying to exploit the vulnerability, potentially gaining unauthorized access to vulnerable DVR devices.
Why is this Significant?
This is significant because FortiGuard Labs has recently observed increased exploit attempts against unpatched TBK DVR4104 and DVR4216 Digital Video Recorder (DVR) devices as well as rebranded devices. Proof-of-Concept (PoC) code is readily available, and the vulnerability is trivial to exploit.
What is CVE-2018-9995?
CVE-2018-9995 is an authentication bypass vulnerability that affects the DVR4104 and DVR4216 manufactured by TBK and their rebranded devices. The vulnerability is due to an error in the vulnerable application when handling a maliciously crafted HTTP cookie. A remote attacker may be able to exploit this to bypass authentication and obtain administrative access. CVE-2018-9995 has a CVSS base score of 9.8 and is rated critical by NIST.
Has the Vendor Released an Advisory for CVE-2018-9995?
FortiGuard Labs is not aware of a vendor advisory.
Has the Vendor Released a Patch for CVE-2018-9995?
FortiGuard Labs is not aware of a vendor patch for CVE-2018-9995.
What is the Status of Protection?
FortiGuard Labs has the following IPS signature in place for CVE-2018-9995:
DVR.Cookie.Authentication.Bypass
Any Suggested Mitigation?
Configure the DVR's management interface to be accessible only from trusted IPs. With no vendor patch available, network-level restriction is the only mitigation listed here, so the management interface of these devices should not be reachable from the internet at all.
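The advisory gives two controls for CVE-2018-9995: an IPS signature and a trusted-IP restriction on the management interface. Both can be checked against the device's own access log. The following is an added example, not FortiGuard's signature logic or TBK code: it applies a trusted-network allowlist to each request and flags the request shape used by the public PoC for this CVE, a cookie that simply asserts uid=admin on a request to /device.rsp. The log lines and the 10.0.5.0/24 trusted range are constructed for the example; the exact match pattern should be taken from your IPS vendor's signature rather than this regex alone.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed access-log lines: "src_ip method path cookie" ("-" = no cookie).
# Invented sample data for the example, not captured DVR logs.
LOG_LINES = [
    "10.0.5.20 GET /login.rsp -",
    "203.0.113.7 GET /device.rsp?opt=user&cmd=list uid=admin",
    "10.0.5.20 GET /device.rsp?opt=user&cmd=list uid=admin",
    "198.51.100.9 GET /index.html -",
]

# Assumption: only this range is allowed to reach the management interface.
TRUSTED_NETS = [ipaddress.ip_network("10.0.5.0/24")]

# Request shape used by the public PoC for CVE-2018-9995: a Cookie header that
# asserts "uid=admin" while requesting the device.rsp user-listing endpoint.
# Treat these as the example's assumption and align them with the IPS
# signature (DVR.Cookie.Authentication.Bypass) in production.
COOKIE_RE = re.compile(r"(?:^|;\s*)uid=admin(?:;|$)")
MGMT_PATH_RE = re.compile(r"^/device\.rsp(?:\?|$)")


@dataclass
class Finding:
    src: str
    path: str
    reason: str


def is_trusted(src: str, trusted_nets=TRUSTED_NETS) -> bool:
    """True when the source address falls inside an allowlisted network."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in trusted_nets)


def parse_line(line: str) -> tuple:
    """Split one constructed log line into (src, method, path, cookie)."""
    src, method, path, cookie = line.split(" ", 3)
    return src, method, path, ("" if cookie == "-" else cookie)


def analyse(lines, trusted_nets=TRUSTED_NETS) -> list:
    """Return one Finding per violated control, in log order.

    Two independent checks run on every request:
      1. allowlist: any request from outside trusted_nets is a policy violation
         regardless of content (the advisory's recommended mitigation);
      2. exploit pattern: the PoC cookie on the management endpoint is flagged
         even from a trusted source, since a trusted host may itself be compromised.
    """
    findings = []
    for line in lines:
        src, _method, path, cookie = parse_line(line)
        if not is_trusted(src, trusted_nets):
            findings.append(Finding(src, path, "untrusted source reached management interface"))
        if MGMT_PATH_RE.search(path) and COOKIE_RE.search(cookie):
            findings.append(Finding(src, path, "CVE-2018-9995 cookie auth bypass pattern"))
    return findings


if __name__ == "__main__":
    for f in analyse(LOG_LINES):
        print(f"{f.src:15} {f.reason:48} {f.path}")
```

The allowlist check is the one that actually prevents exploitation; the pattern match only tells you that someone tried. Enforce the allowlist upstream of the device (on the firewall or router in front of it) rather than relying on the DVR's own configuration, since the device is the thing being bypassed.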
FortiGuard Labs has recently observed a spike in detections for the Ruckus Wireless Admin RCE vulnerability (CVE-2023-25717). Ruckus Wireless Admin version 10.4 and earlier is vulnerable, affecting multiple Ruckus wireless Access Point (AP) devices. Successful exploitation could result in total compromise of the vulnerable devices.
Why is this Significant?
This is significant because Fortinet telemetry indicates the Ruckus Wireless Admin RCE vulnerability (CVE-2023-25717) is being exploited in the wild, potentially resulting in attackers taking control of vulnerable Ruckus wireless AP devices. Proof-of-Concept (PoC) code is also publicly available. As such, the patch should be applied as soon as possible.
What is CVE-2023-25717?
CVE-2023-25717 is a Remote Code Execution vulnerability that affects Ruckus Wireless Admin version 10.4 and earlier. The advisory published by Ruckus lists multiple wireless Access Point (AP) devices that are susceptible to the vulnerability. The vulnerability is due to improper handling of a crafted HTTP request: a remote attacker can exploit it by sending crafted HTTP requests to the target device, without prior authentication, which is consistent with its CVSS base score of 9.8.
Has the Vendor Released an Advisory for CVE-2023-25717?
Yes. Please refer to the Appendix for a link to "Security Bulletin 20230208".
Has the Vendor Released a Patch for CVE-2023-25717?
Yes, a vendor patch is available.
Which Ruckus Devices are Vulnerable to CVE-2023-25717?
The list of affected devices is available in the vendor advisory. Please refer to the Appendix for a link to "Security Bulletin 20230208".
What is the Status of the Protection?
FortiGuard Labs released the following IPS signature in version 23.531 for CVE-2023-25717:
Ruckus.Wireless.Admin.Remote.Code.Execution (default action is set to "pass")
Note that with the default action of "pass" the signature only logs matching traffic; it must be changed to "block" in the IPS profile before it prevents exploitation, and that should be done once it has been validated against legitimate management traffic.