Vulnerability

CVE-2022-21449 "Psychic Signatures": Analyzing the New Java Crypto Vulnerability

Apr 21, 2022 By Brian Moussalli, JFrog Security Research Team In JFrog

A few days ago, security researcher Neil Madden published a blog post, in which he provided details about a newly disclosed vulnerability in Java, CVE-2022-21449 or “Psychic Signatures”. This security vulnerability originates in an improper implementation of the ECDSA signature verification algorithm, introduced in Java 15.

Read Post

JFrog

Read more about CVE-2022-21449 "Psychic Signatures": Analyzing the New Java Crypto Vulnerability

Reducing vulnerability noise with Sysdig

Apr 20, 2022 By Sysdig In Sysdig

Reduce vulnerability noise by up to 95%, and focus on what matters with Sysdig. If you feel overloaded with vulnerabilities from container images, then you’re not alone! It's common for DevOps teams to spend hours scrolling through hundreds of vulnerabilities even when just a small fraction poses a real risk. So how do you focus on the vulnerabilities that really matter? Sysdig Secure automatically prioritizes the vulnerabilities that are tied to packages exposed at runtime. Filtering thousands of overwhelming alerts down to only the critical ones that you should spend your time on!

View Video

Sysdig

Read more about Reducing vulnerability noise with Sysdig

Coffee Talk with SURGe: 2022-APR-19 MS-RPC Vulnerability, Lazarus, Pipedream

Apr 20, 2022 By Splunk In Splunk

This week Audra Streetman, Ryan Kovar, and Mick Baccio from Splunk discussed the latest security news, including the MS-RPC vulnerability CVE 2022 26809, a CISA alert about the North Korean state-sponsored Lazarus Group, and Sunday's 60 Minutes episode on the threat of Russian cyberattacks targeting U.S. critical infrastructure. Mick and Ryan also competed in a 60 second charity challenge to explain why Americans should be concerned about the potential for a Russian cyberattack targeting U.S. critical infrastructure.

View Video

Splunk

Read more about Coffee Talk with SURGe: 2022-APR-19 MS-RPC Vulnerability, Lazarus, Pipedream

Wolves or Sheep: How Xray Avoids False Positives in Vulnerabilities Scans

Apr 20, 2022 By Paul Garden In JFrog

You probably know the story of “the boy who cried ‘Wolf!’” In the ancient fable, villagers tire of a shepherd’s false alarms, and stop paying attention to them. That’s a lesson for software security teams, not just schoolchildren. Raising concerns about threats that turn out to be flimsy or false erodes the trust that binds your department, and even the faith your customers have in you.

Read Post

JFrog

Read more about Wolves or Sheep: How Xray Avoids False Positives in Vulnerabilities Scans

CrowdStrike Falcon Spotlight Fuses Endpoint Data with CISA's Known Exploited Vulnerabilities Catalog

Apr 20, 2022 By Andrew Harris In CrowdStrike

The U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Agency (CISA) has been quite busy this year. It recently issued a “Shields Up” advisory, highlighting that “Russia’s invasion of Ukraine could impact organizations both within and beyond the region,” including the threat of malicious activity against U.S. interests and companies.

Read Post

CrowdStrike

Read more about CrowdStrike Falcon Spotlight Fuses Endpoint Data with CISA's Known Exploited Vulnerabilities Catalog

Just Because You Don't Use Log4j or Spring Beans Doesn't Mean Your Application is Unaffected

Apr 20, 2022 By Hope Goslin In Veracode

By now, you’re probably all aware of the recent Log4j and Spring Framework vulnerabilities. As a recap, the Log4j vulnerability – made public on December 10, 2021 – was the result of an exploitable logging feature that, if successfully exploited, could allow attackers to perform an RCE (Remote Code Execution) and compromise the affected server.

Read Post

Veracode

Read more about Just Because You Don't Use Log4j or Spring Beans Doesn't Mean Your Application is Unaffected

Modernizing SAST rules maintenance to catch vulnerabilities faster

Apr 19, 2022 By Frank Fischer In Snyk

Snyk Code separates itself from the majority of static code analysis tools by generating and maintaining rule sets for its users — helping them combat common and newly discovered threats. A recent Hub article described a new Javascript vulnerability called prototype pollution, which allows attackers to modify, or “pollute”, a Javascript object prototype and execute a variety of malicious actions.

Read Post

Snyk

Read more about Modernizing SAST rules maintenance to catch vulnerabilities faster

The 4 most effective steps to mitigate account theft

Apr 19, 2022 By Alexandre Cagnoni In WatchGuard

The migration of assets to the Cloud has been the common denominator in company business strategies over the last two years, coupled with the rising number of incidents involving the theft of sensitive information and user passwords on Cloud platforms. According to the Verizon Data Breach Report 2021, in 2020 29,207 real-time security incidents were detected, out of which 5,258 were confirmed data breaches.

Read Post

WatchGuard

Read more about The 4 most effective steps to mitigate account theft

CyRC Vulnerability Analysis: CVE-2022-1271 in gzip, but it's not as bad as it sounds

Apr 19, 2022 By Jonathan Knudsen In Synopsys

CVE-2022-1271 is a new vulnerability affecting gzip, a widely used open source component for archiving, compressing, and decompressing files. CVE-2022-1271, also tracked in the Black Duck KnowledgeBase™ as BDSA-2022-0958, is a bug in gzip, a file format and software application used for archiving, compressing, and decompressing files.

Read Post

Synopsys

Read more about CyRC Vulnerability Analysis: CVE-2022-1271 in gzip, but it's not as bad as it sounds

CVE-2022-1271 - Improper Input Validation in Gzip | Synopsys

Apr 19, 2022 By Synopsys In Synopsys

Synopsys's Blackduck Open Source KnowledgeBase has identified a new vulnerability, CVE-2022-1271. Watch the video to understand whether your application uses gzip command and the remediation efforts.

View Video