Fixing vulnerabilities can be hard—especially so for cloud-native applications. Let’s take a deeper look at why this is, and how mitigating controls can help secure your cloud-native applications.

On Wednesday, May 18, 2022, VMware published an advisory (VMSA-2022-0014) to address multiple vulnerabilities, including CVE-2022-22972, an authentication bypass vulnerability affecting VMware Workspace ONE Access, Identity Manager, and vRealize Automation. This vulnerability was assigned a CVSSv3 score of 9.8, making it a critical vulnerability.

Scanning your packages for security vulnerabilities and license violations should be done as early as possible in your SDLC, and the earlier the better. This concept is also known as “Shifting Left”, which helps your organization comply with security policies and standards early on in the software development process. As developers, this may seem like a hassle, but with JFrog CLI it’s easy!

Ransomware continues to be a prevalent threat to almost every modern industry after a sudden renaissance at the beginning of the COVID-19 pandemic as threat actors sought to capitalize on overwhelmed organizations and their suddenly vulnerable employees. It poses a particular danger to companies that hold sensitive data and house valuable assets, or those that could impact countless other industries and organizations should their critical operations be taken offline.

To stay ahead of malicious attacks, developers and security teams must have a way to identify, prioritize, fix, and monitor vulnerabilities, a process known as vulnerability remediation. When it comes to detection, organizations can use a variety of application security testing (AST) tools to identify vulnerabilities in software applications and other systems.

CVE-2022-26809 was patched in Microsoft’s previous Patch Tuesday (April 12) and it’s a doozy: remote code execution on affected versions of DCE/RPC hosts. The vulnerability attracted a lot of attention in the security community, both because of its severity but also because it appears to be really hard to trigger.

On Thursday, May 12, 2022, Zyxel released a patch advisory for an unauthenticated remote code execution (RCE) vulnerability in their line of Firewall products tracked as CVE-2022-30525. The exploitation of this vulnerability can allow a threat actor to modify specific files and execute code remotely on a vulnerable appliance. Proof of Concept (PoC) exploit code for this vulnerability has been made publicly available via multiple sources.

Software testing is notoriously hard. Search Google for CVEs caused by basic CRLF (newline character) issues and you’ll see thousands of entries. Humanity has been able to put a man on the moon, but it hasn’t yet found a proper way to handle line endings in text files. It’s those subtle corner cases that have a strong tendency of being overlooked by programmers.

On Tuesday, May 10, 2022, security researcher Oliver Lyak published a PoC exploit for CVE- 2022-26923, a privilege escalation vulnerability impacting Active Directory Domain Services with a CVSS score of 8.8 and high severity. The vulnerability allows a threat actor who has already compromised a user account to elevate privileges to Domain Admin, if Active Directory Certificates Services is running on the domain. Microsoft patched the vulnerability in May’s Patch Tuesday release.

Security is a critical, if somewhat overwhelming, task for any organization. As products grow and teams expand, the challenge of maintaining a security posture at scale increases as well. This is where automation comes in. The ability to automate security tasks offers obvious benefits such as increased speed, while also driving deeper shifts in a company’s culture and processes.