Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

The big news this week is that a new CRITICAL OpenSSL vulnerability will be announced on November 1st, 2022. Critical-severity OpenSSL vulnerabilities don’t come along every day – the last was CVE-2016-6309, which ended up only affecting a single version of the software. The more famous vulnerability, known as Heartbleed, came out in 2014. Will this be more like Heartbleed or the vulnerability in 2016? We will soon find out.

OpenSSL.org has announced that an updated version of its OpenSSL software package (version 3.0.7) will be released on November 1, 2022. This update contains a fix for a yet-to-be-disclosed security issue with a severity rating of “critical” that affects OpenSSL versions above 3.0.0 and below the patched version of 3.0.7, as well as applications with an affected OpenSSL library embedded.

OpenSSL is the most popular implementation of the TLS protocol (Transport Layer Security) which is essentially the de-facto security protocol of the internet today. The OpenSSL team announced critical security updates of versions above version 3.0 (OpenSSL 3.0 was released on September 7, 2021). The myriad of projects and software depending on OpenSSL must update and release a new version to enable end users to start patching their systems.

Fuzzing is a software security testing technique that automatically provides invalid and random input to an application to expose bugs. The goal of fuzzing is to stress the application to cause unexpected behavior, crashes, or resource leaks. It allows us, as developers, to understand the behavior and vulnerability of applications more comprehensively. We use fuzzing tools, referred to as fuzzers, to perform this kind of testing.

At 12 years old, Go is a relatively new programming language–but it’s a popular one when it comes to cloud-native computing. CockroachDB, Docker, Kubernetes, and AdGuardHome (byAdGuard) are all built on Go, and the Go GitHub repository has over 105,000 stars, putting it in third place as a GitHub star leader.

Read also: Apple fixes yet another iOS zero-day, Iranian atomic energy agency hit by hackers, and more.

On Tuesday, October 25th 2022, VMware disclosed a critical remote code execution vulnerability (CVE-2021-39144, CVSS 9.8) in VMware Cloud Foundation NSX-V versions 3.x and older. A threat actor could perform remote code execution in the context of ‘root’ on the appliance due to an unauthenticated endpoint that leverages XStream for input serialization.

Testing code is the first step to making it secure. One of the best ways to do this is to use unit tests, ensuring that each of the smaller functions within an app behave as they should — especially when the app receives edge-case or invalid inputs, or inputs that are potentially harmful.

CrowdStrike has identified a new cryptojacking campaign targeting vulnerable Docker and Kubernetes infrastructure. Called “Kiss-a-dog,” the campaign targets Docker and Kubernetes infrastructure using an obscure domain from the payload, container escape attempt and anonymized “dog” mining pools.