8 keys to more effective vulnerability management


CISOs preach the need to get security fundamentals right, yet many still struggle to build a rock-solid vulnerability management program.

They can be stymied by the volume of vulnerabilities that need attention, or the pace required to address them, or the resources required to be effective.

Consider, for instance, the challenges that security teams had in addressing the Log4j vulnerabilities. A recent survey from (ISC)², a nonprofit association of certified cybersecurity professionals, found that 52% of respondents spent weeks or more than a month remediating Log4j.


python-paramiko-2.4.3-2.el8


FEDORA-EPEL-2022-ad126686cf

Packages in this update:

python-paramiko-2.4.3-2.el8

Update description:

CVE-2022-24302: Creation of new private key files using paramiko.pkey.PKey subclasses was subject to a race condition between file creation and mode modification, which could be exploited by an attacker with knowledge of where the Paramiko-using code would write out such files; this has been patched by using os.open and os.fdopen to ensure new files are opened with the correct mode immediately (we’ve left the subsequent explicit ‘chmod’ in place to minimize any possible disruption).


python-paramiko-2.10.1-1.fc35


FEDORA-2022-8eb95d8611

Packages in this update:

python-paramiko-2.10.1-1.fc35

Update description:

CVE-2022-24302: Creation of new private key files using paramiko.pkey.PKey subclasses was subject to a race condition between file creation and mode modification, which could be exploited by an attacker with knowledge of where the Paramiko-using code would write out such files; this has been patched by using os.open and os.fdopen to ensure new files are opened with the correct mode immediately (we’ve left the subsequent explicit ‘chmod’ in place to minimize any possible disruption, though it may get removed in future backwards-incompatible updates).
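The create-then-chmod window described in both CVE-2022-24302 advisories above, next to the os.open/os.fdopen pattern they name, as an added example that is not Paramiko's own code. The function names, the constructed key string and the 0o022 umask are assumptions made for the illustration.

```python
import os
import stat
import tempfile

KEY_MODE = 0o600  # owner read/write only


def mode_of(path):
    """Permission bits of path as another local process would see them."""
    return stat.S_IMODE(os.stat(path).st_mode)


def write_key_racy(path, data):
    """Pre-fix pattern: create with the default mode, restrict afterwards."""
    with open(path, "w") as f:            # created as 0o666 & ~umask
        seen_in_window = mode_of(path)    # mode between creation and chmod
        f.write(data)
    os.chmod(path, KEY_MODE)              # too late: the window already existed
    return seen_in_window


def write_key_fixed(path, data):
    """Post-fix pattern: os.open sets the mode at creation, os.fdopen wraps the fd."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, KEY_MODE)
    with os.fdopen(fd, "w") as f:
        seen_in_window = mode_of(path)    # already restrictive for a new file
        os.chmod(path, KEY_MODE)          # kept, as in the advisory; os.open does
        f.write(data)                     # not change the mode of an existing file
    return seen_in_window


def demo():
    """Return (racy_window_mode, fixed_window_mode) under a 0o022 umask."""
    old_umask = os.umask(0o022)           # assumption: common default umask
    try:
        with tempfile.TemporaryDirectory() as d:
            key = "CONSTRUCTED-SAMPLE-KEY\n"   # constructed, not a real key
            racy = write_key_racy(os.path.join(d, "racy_key"), key)
            fixed = write_key_fixed(os.path.join(d, "fixed_key"), key)
            return racy, fixed
    finally:
        os.umask(old_umask)


if __name__ == "__main__":
    racy, fixed = demo()
    print(f"open()+chmod window mode: {oct(racy)}")
    print(f"os.open(..., 0o600) window mode: {oct(fixed)}")
```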
