%term

The New OpenSSL Vulnerabilities: How to Protect Your Business

Nov 3, 2022 By Edward Kost In UpGuard

The OpenSSL project has announced two security vulnerabilities tracked as CVE-2022-3602 and CVE-2022-3786. The good news is that these vulnerabilities are unlikely to facilitate remote code execution as originally anticipated, and only OpenSSL version 3.0.0 and later are impacted. The bad news, however, is that even though the remote control is unlikely, it’s still possible.

Read Post

UpGuard

Read more about The New OpenSSL Vulnerabilities: How to Protect Your Business

Pentesting as a Service for Web Applications

Nov 3, 2022 By Outpost 24 In Outpost 24

Penetration testing is an effective way to detect flaws in your application before they turn into a serious threat, helping you better understand the applications attack surface. But in the always-on economy there comes a problem - traditional pen testing delivery takes weeks to set up and the results are point in time, which leaves critical application vulnerabilities exposed longer than it should - given the average time for a threat actor to weaponize a new vulnerability is only 7 days.

View Video

Outpost 24

Read more about Pentesting as a Service for Web Applications

OpenSSL CVE-2022-3602 and CVE-2022-3786 (Spooky SSL): What They Are and How to Mitigate Risk

Nov 2, 2022 By Vedere Labs In Forescout

On November 1, OpenSSL v3.0.7 was released, patching two new high-severity vulnerabilities: CVE-2022-3602 and CVE-2022-3786. The new vulnerabilities have been dubbed by the community as “Spooky SSL,” although the name is not recognized by the OpenSSL team. CVE-2022-3602 was originally discovered by a researcher known as Polar Bear, while CVE-2022-3786 was found during the analysis of the first vulnerability by Viktor Dukhovni.

Read Post

Forescout

Read more about OpenSSL CVE-2022-3602 and CVE-2022-3786 (Spooky SSL): What They Are and How to Mitigate Risk

CVE-2022-3602 and CVE-2022-3786 - High-severity OpenSSL Vulnerabilities Finally Published

Nov 2, 2022 By Shachar Menashe In JFrog

On October 25th, The OpenSSL team announced that OpenSSL 3.0.7 will contain a fix for a critical severity vulnerability that affects OpenSSL 3.x. The full details about the vulnerability were held in an embargo until November 1st. Due to the rarity of an OpenSSL critical-severity issue and the overwhelming popularity of OpenSSL, social media was flooded with messages about this issue, expecting a “Log4Shell”-level event.

Read Post

JFrog

Read more about CVE-2022-3602 and CVE-2022-3786 - High-severity OpenSSL Vulnerabilities Finally Published

Stranger Danger: Your JavaScript Attack Surface Just Got Bigger

Nov 2, 2022 By Snyk In Snyk

Building JavaScript applications today means that we take a step further from writing code. We use open-source dependencies, create a Dockerfile to deploy containers to the cloud, and orchestrate this infrastructure with Kubernetes. Welcome - you're a cloud native application developer! As developers, our responsibility has broadened, and more software means more software security concerns for us to address.

View Video

Snyk

Read more about Stranger Danger: Your JavaScript Attack Surface Just Got Bigger

CVE-2022-3602 and CVE-2022-3786 - OpenSSL 3.0.X Critical Vulnerabilities

Nov 2, 2022 By Adrian Korn In Arctic Wolf

On October 25, 2022, the OpenSSL project announced the existence of a critical vulnerability in the OpenSSL library affecting OpenSSL versions 3.0.0 and above, as well as any application with an embedded, impacted OpenSSL library. This announcement did not include any details on what this vulnerability is or how it can be exploited. On November 1, 2022, a cryptographic library used for encrypting communications in a wide variety of applications on the internet.

Read Post

Arctic Wolf

Read more about CVE-2022-3602 and CVE-2022-3786 - OpenSSL 3.0.X Critical Vulnerabilities

Ruby on Rails Docker for local development environment

Nov 2, 2022 By Mikhail Tereschenko In Snyk

Hi there Ruby developers! If you’ve been looking for an effective way to establish a Ruby on Rails Docker setup for your local development environment, then this post is for you. It’s a continuation of our previous article on how to install Ruby in a macOS for local development. Ruby developers frequently need to account for a database when building a Ruby on Rails project, as well as other development environment prerequisites.

Read Post

Snyk

Read more about Ruby on Rails Docker for local development environment

Update: OpenSSL high severity vulnerabilities

Nov 2, 2022 By Vandana Verma In Snyk

OpenSSL has released two high severity vulnerabilities — CVE-2022-3602 and CVE-2022-3786 — related to buffer overrun. OpenSSL initially rated CVE-2022-3602 as critical, but upon further investigation, it was reduced to high severity.

Read Post

Snyk

Read more about Update: OpenSSL high severity vulnerabilities

Vulnerability vs. Threat vs. Risk vs... "Other"

Nov 2, 2022 By Shawn Taylor, Vice President, Threat Defense In Forescout

In cybersecurity, three key terms are vulnerability, threat and risk. Often they’re tossed around interchangeably, but they have a specific relationship to one another..

Read Post

Forescout

Read more about Vulnerability vs. Threat vs. Risk vs... "Other"

CVE-2022-36537 - Critical RCE Vulnerability & Supply Chain Risks in ConnectWise Recover and R1Soft Server Backup Manager

Nov 1, 2022 By Adrian Korn In Arctic Wolf

On October 28th, 2022, ConnectWise disclosed a critical remote code execution (RCE) vulnerability affecting ConnectWise Recover (version 2.9.7 and earlier) and R1Soft Server Backup Manager (version 6.16.3 and earlier). A threat actor could leverage an authentication bypass vulnerability in these products (CVE-2022-36537) to leak server private key files, software licenses, and system configuration files and ultimately achieve RCE as the system superuser.

Read Post