- Juniper Networks Releases Security Updates for Multiple Products
- Drupal Releases Security Update to Address Vulnerability in Private Taxonomy Terms
- Microsoft Releases January 2023 Security Updates
- Adobe Releases Security Updates for Multiple Products
- Fortinet Releases Security Updates for FortiADC
- LastPass Customer Data Stolen
_______________________________
Juniper Networks Releases Security Updates for Multiple Products
Situation:
Juniper Networks has released security updates to address vulnerabilities affecting multiple products.
Problem:
Multiple vulnerabilities have been discovered in Juniper Networks products; an attacker who exploits them could compromise affected systems.
Implication:
An attacker could exploit some of these vulnerabilities to take control of an affected system.
Need:
We encourage users and administrators to review Juniper Networks’ security advisories page and apply the necessary updates.
Additional Resources:
Juniper Networks Security Advisories Page:
https://supportportal.juniper.net/s/global-search/%40uri?language=en_US#sort=%40sfcec_community_publish_date_formula__c%20descending&numberOfResults=50&f:ctype=[Security%20Advisories]
________________________________
Drupal Releases Security Update to Address Vulnerability in Private Taxonomy Terms
Situation:
Drupal has released a security update to address a vulnerability affecting private vocabulary modules for Drupal 8.x.
Problem:
The module doesn’t enforce permissions appropriately for the taxonomy overview page and overview form.
Implication:
A user who lacks the appropriate permissions could exploit this vulnerability to bypass access controls and create, modify, or delete private vocabulary terms. Exposure is limited because the attacker must already hold a role with the “Administer own taxonomy” or “View private taxonomies” permission.
Need:
We encourage users and administrators to review Drupal’s security advisory SA-CONTRIB-2023-001 and apply the necessary update.
Additional Resources:
Drupal Releases Security Update to Address Vulnerability in Private Taxonomy Terms:
https://www.cisa.gov/uscert/ncas/current-activity/2023/01/12/drupal-releases-security-update-address-vulnerability-private
SA-CONTRIB-2023-001:
https://www.drupal.org/sa-contrib-2023-001
________________________________
Microsoft Releases January 2023 Security Updates
Situation:
Microsoft has released updates to address multiple vulnerabilities in Microsoft software.
Problem:
The January 2023 release addresses multiple vulnerabilities across Microsoft software. Microsoft publishes this security information as part of an ongoing effort to help customers manage security risks and keep systems protected.
Implication:
An attacker could exploit some of these vulnerabilities to take control of an affected system.
Need:
We encourage users and administrators to review Microsoft’s January 2023 Security Update Guide and Deployment Information and apply the necessary updates.
Additional Resources:
Microsoft Releases January 2023 Security Updates:
https://www.cisa.gov/uscert/ncas/current-activity/2023/01/10/microsoft-releases-january-2023-security-updates
January 2023 Security Update Guide:
https://msrc.microsoft.com/update-guide/releaseNote/2023-Jan
Deployment Information:
https://msrc.microsoft.com/update-guide/deployments
________________________________
Adobe Releases Security Updates for Multiple Products
Situation:
Adobe has released security updates to address multiple vulnerabilities in Adobe software.
Problem:
Unpatched versions of the affected Adobe products contain vulnerabilities that can lead to arbitrary code execution, application denial of service, and memory leaks.
Implication:
An attacker could exploit some of these vulnerabilities to take control of an affected system.
Need:
We encourage users and administrators to review the following Adobe Security Bulletins and apply the necessary updates:
Adobe Acrobat and Reader APSB23-01
Adobe InDesign APSB23-07
Adobe InCopy APSB23-08
Adobe Dimension APSB23-10
Additional Resources:
Adobe Releases Security Updates for Multiple Products:
https://www.cisa.gov/uscert/ncas/current-activity/2023/01/10/adobe-releases-security-updates-multiple-products
Adobe Acrobat and Reader:
https://helpx.adobe.com/security/products/acrobat/apsb23-01.html
Adobe InDesign:
https://helpx.adobe.com/security/products/indesign/apsb23-07.html
Adobe InCopy:
https://helpx.adobe.com/security/products/incopy/apsb23-08.html
Adobe Dimension:
https://helpx.adobe.com/security/products/dimension/apsb23-10.html
________________________________
Fortinet Releases Security Updates for FortiADC
Situation:
Fortinet has released a security advisory to address a vulnerability in multiple versions of FortiADC.
Problem:
The vulnerability is an improper neutralization of special elements used in an OS command (OS command injection, CWE-78) in the FortiADC web interface.
Affected Products:
- FortiADC version 7.0.0 through 7.0.1
- FortiADC version 6.2.0 through 6.2.3
- FortiADC version 5.4.0 through 5.4.5
- FortiADC all versions 6.1
- FortiADC all versions 6.0
Implication:
This vulnerability may allow an authenticated attacker with access to the web GUI to execute unauthorized code or commands via specifically crafted HTTP requests.
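As an added illustration of the vulnerability class named above (CWE-78), the block below builds the same diagnostic action three ways: the injectable form, the form that avoids the shell, and the form that also validates input. This is example code written for this bulletin, not FortiADC code, and nothing in it is derived from the advisory. It assumes a POSIX shell; `echo` stands in for a real diagnostic tool so the example runs anywhere, and the hostname allowlist is an assumed policy.

```python
"""Added illustration of CWE-78: the same diagnostic action built three ways.
Not FortiADC code. Assumes a POSIX shell; 'echo' stands in for a real diagnostic
tool so the example runs anywhere, and the hostname allowlist is an assumption."""
import re
import subprocess

# Allowlist for a hostname-like target (assumed policy): letters, digits, dots, hyphens only,
# starting and ending with an alphanumeric character.
HOSTNAME_RE = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9.-]{0,252}[A-Za-z0-9])?")


def run_diag_vulnerable(target: str) -> str:
    """CWE-78: untrusted input is interpolated into a command string and handed to the shell,
    so metacharacters such as ';' start a second command."""
    cmd = f"echo diag {target}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def run_diag_no_shell(target: str) -> str:
    """First layer of the fix: pass the target as a single argv element with no shell, so
    metacharacters reach the program as literal text instead of being parsed."""
    return subprocess.run(["echo", "diag", target], capture_output=True, text=True).stdout


def run_diag_hardened(target: str) -> str:
    """Second layer: reject anything outside the allowlist before it is used at all, then
    run without a shell. The allowlist also protects callers that later swap in a tool
    which parses its own arguments (option injection), which argv alone does not prevent."""
    if not HOSTNAME_RE.fullmatch(target):
        raise ValueError(f"rejected diagnostic target: {target!r}")
    return run_diag_no_shell(target)


if __name__ == "__main__":
    crafted = "example.net; echo INJECTED"   # constructed input, not a real exploit string
    print(repr(run_diag_vulnerable(crafted)))  # the second command runs
    print(repr(run_diag_no_shell(crafted)))    # the whole string is echoed literally
    try:
        run_diag_hardened(crafted)
    except ValueError as exc:
        print(exc)
```

Dropping the shell removes the injection primitive; the allowlist is still worth keeping because a diagnostic tool that interprets its own arguments (for example, an option that reads or writes a file) can be abused through argv alone.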
Need:
We encourage users and administrators to review Fortinet security advisory FG-IR-22-061 and apply the recommended updates:
- Please upgrade to FortiADC 7.0.2 or above
- Please upgrade to FortiADC 6.2.4 or above
- Please upgrade to upcoming FortiADC 5.4.6 or above
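The following is an added triage helper, written for this bulletin rather than taken from Fortinet, that maps FortiADC version strings from an asset inventory onto the affected ranges and fixed releases listed above. The ranges and fix versions are transcribed from the advisory text as reproduced here; the accepted version-string formats and the sample inventory are assumptions.

```python
"""Added triage helper: map FortiADC version strings from an inventory onto the
FG-IR-22-061 affected ranges and fixed releases listed in this bulletin."""
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]

# Transcribed from the advisory text above: (lowest affected, highest affected, fixed release).
AFFECTED_RANGES: List[Tuple[Version, Version, Version]] = [
    ((7, 0, 0), (7, 0, 1), (7, 0, 2)),
    ((6, 2, 0), (6, 2, 3), (6, 2, 4)),
    ((5, 4, 0), (5, 4, 5), (5, 4, 6)),
]
# Branches listed as affected in all releases; the bulletin names no fixed release for them.
AFFECTED_BRANCHES = [(6, 1), (6, 0)]


def parse_version(text: str) -> Version:
    """Accept '7.0.1', 'v7.0.1' or '7.0.1 build0100' (assumed formats) and return (major, minor, patch).
    Missing components are padded with 0 so '6.1' compares as 6.1.0."""
    core = text.strip().lower().lstrip("v").split()[0]
    parts = core.split(".")
    if not parts or not all(p.isdigit() for p in parts) or len(parts) > 3:
        raise ValueError(f"unrecognised version string: {text!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return (nums[0], nums[1], nums[2])


def assess(text: str) -> Tuple[bool, Optional[str]]:
    """Return (affected, fixed_release). fixed_release is None when the version is not affected
    or when the advisory text reproduced here lists no fix for that branch."""
    v = parse_version(text)
    for low, high, fix in AFFECTED_RANGES:
        if low <= v <= high:
            return True, ".".join(map(str, fix))
    if v[:2] in AFFECTED_BRANCHES:
        return True, None
    return False, None


def triage(inventory: Dict[str, str]) -> List[str]:
    """One line per device; `inventory` maps device name -> reported version string."""
    lines = []
    for device, ver in sorted(inventory.items()):
        affected, fix = assess(ver)
        if not affected:
            lines.append(f"{device}: {ver} not in the listed affected ranges")
        elif fix:
            lines.append(f"{device}: {ver} affected, upgrade to {fix} or above")
        else:
            lines.append(f"{device}: {ver} affected, no fixed release listed for this branch; see FG-IR-22-061")
    return lines


if __name__ == "__main__":
    # Constructed sample inventory, not real devices.
    sample = {"adc-edge-1": "7.0.1", "adc-edge-2": "v6.2.0 build0200", "adc-lab": "6.1.3", "adc-new": "7.0.2"}
    print("\n".join(triage(sample)))
```

A version that falls outside every listed range (for example 7.2.x) is reported as not affected only with respect to the ranges reproduced here; check the advisory itself before treating it as clean.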
Additional Resources:
FortiADC – command injection in web interface:
https://www.fortiguard.com/psirt/FG-IR-22-061
Fortinet Releases Security Updates for FortiADC:
https://www.cisa.gov/uscert/ncas/current-activity/2023/01/04/fortinet-releases-security-updates-fortiadc
________________________________
LastPass Customer Data Stolen
Situation:
LastPass has announced that customer password vault data was stolen in a data breach.
Problem:
Password management firm LastPass says the hackers behind an August data breach stole a massive stash of customer data, including password vault data that could be exposed by brute-forcing or guessing master passwords.
Implication:
The attackers broke into the LastPass network in August and used information obtained in that intrusion to return and steal customer data, including company names, end-user names, billing addresses, email addresses, telephone numbers, and the IP addresses from which customers accessed the LastPass service. The stolen vault data is protected only by the strength of each customer's master password.
Need:
We urge users to avoid reusing master passwords on other websites.
LastPass has also notified a small subset (less than 3%) of its business customers to recommend that they take certain actions based on their specific account configurations.
Additional Resources:
SecurityWeek: LastPass Says Source Code Stolen in Data Breach:
https://www.securityweek.com/lastpass-says-source-code-stolen-data-breach
SecurityWeek: GoTo, LastPass Notify Customers of New Data Breach:
https://www.securityweek.com/goto-lastpass-notify-customers-new-data-breach-related-previous-incident
SecurityWeek: LastPass Found No Code Injection Attempts From August Breach:
https://www.securityweek.com/lastpass-found-no-code-injection-attempts-following-august-data-breach
SecurityWeek: LastPass Says Password Vault Data Stolen in Data Breach:
https://www.securityweek.com/lastpass-says-password-vault-data-stolen-data-breach