OpenSSH’s newly released version 9.2p1 contains a fix for a double-free vulnerability. Given the severe potential impact of the vulnerability on OpenSSH servers (DoS/RCE) and its high popularity in the industry, this security fix prompted the JFrog Security Research team to investigate the vulnerability. This blog post provides details on the vulnerability, who is affected, …
How did we get here? On October 25th, The OpenSSL team announced that OpenSSL 3.0.7 will contain a fix for a critical severity vulnerability that affects OpenSSL 3.x. The full details about the vulnerability were held in an embargo until November 1st. Due to the rarity of an OpenSSL critical-severity issue and the overwhelming popularity …
The JFrog Security Research team continuously monitors reported vulnerabilities in open-source software (OSS) to help our customers and the wider community be aware of potential software supply chain security threats and their impact. In doing so, we often notice important trends and key learnings worth highlighting. The following analysis of a vulnerability discovered in the …
A few weeks ago, a new version for Fastjson was released (1.2.83) which contains a fix for a security vulnerability that allegedly allows an attacker to execute code on a remote machine. According to several publications, this vulnerability allows an attacker to bypass the “AutoTypeCheck” mechanism in Fastjson and achieve remote code execution. This Fastjson …
A few days ago, security researcher Neil Madden published a blog post, in which he provided details about a newly disclosed vulnerability in Java, CVE-2022-21449 or “Psychic Signatures”. This security vulnerability originates in an improper implementation of the ECDSA signature verification algorithm, introduced in Java 15. This vulnerability allows an attacker to potentially intercept communication …
A few days ago it was reported that the new Go versions 1.18.1 and 1.17.9 contain fixes for a stack overflow vulnerability in the encoding/pem builtin package, in the Decode function. Given the high popularity of Go among our customers and in the industry at large, this update led us to investigate the vulnerability in …
On March 29th, the cyberkendra security blog posted a sensational post about a Log4Shell-equivalent remote code execution (RCE) zero-day vulnerability in Spring Framework, but without any solid details about the vulnerability itself. The security vulnerability was nicknamed “SpringShell” (or “Spring4Shell”) , due to its alleged significance likening the infamous “Log4Shell.” A day later, on March …
A few days ago it was reported that the new Apache version 2.4.53 contains fixes for several bugs which exposed the users of the well known HTTP server to attacks: CVE-2022-22719 relates to a bug in the mod_lua modules which may lead to Denial of Service after reading from a random memory Area, CVE-2022-22720 exposes …
A few days ago, security researcher Max Kellermann published a vulnerability named DirtyPipe which was designated as CVE-2022-0847. This vulnerability affects the Linux kernel and if exploited, can allow a local attacker to gain root privileges. The vulnerability gained extensive media follow-up, since it affects all Linux-based systems with a 5.8 or later kernel, without …
Recently, a critical out-of-bounds vulnerability, assigned to CVE-2021-44142, was disclosed in Samba versions prior to 4.13.17. The Samba vulnerability carries a critical CVSS of 9.9 and allows attackers to remotely execute code on machines running a Samba server with a vulnerable configuration. The vulnerability was disclosed as part of the Pwn2Own Austin competition where researchers …
