After scrambling to patch Vulnerability-related.PatchVulnerability a critical vulnerability late last month , Drupal is at it again . The open source content management project has issued Vulnerability-related.PatchVulnerability an unscheduled security update to augment its previous patch for Drupalgeddon2 . There was also a cross-site scripting bug advisory in mid-April . The latest Drupal core vulnerability , designated Vulnerability-related.DiscoverVulnerability , SA-CORE-2018-004 and assigned Vulnerability-related.DiscoverVulnerability CVE-2018-7602 , is related to the March SA-CORE-2018-002 flaw ( CVE-2018-7600 ) , according to the Drupal security team . It can be exploited Vulnerability-related.DiscoverVulnerability to take over a website 's server , and allow miscreants to steal information or alter pages . `` It is a remote code execution vulnerability , '' explained a member of the Drupal security team in an email to The Register . `` No more technical details beyond that are available . '' The vulnerability affects Vulnerability-related.DiscoverVulnerability at least Drupal 7.x and Drupal 8.x . And a similar issue has been found Vulnerability-related.DiscoverVulnerability in the Drupal Media module . In a blog post from earlier this month about the March patch , Dries Buytaert , founder of the Drupal project , observed Vulnerability-related.DiscoverVulnerability that all software has security issues and critical security bugs are rare . While the March bug is being actively exploited Vulnerability-related.DiscoverVulnerability , the Drupal security team says it 's unaware of any exploitation of the latest vulnerability . But it wo n't be long – those maintaining the project observed automated attacks appearing about two weeks after the SA-CORE-2018-002 notice . The fix is to upgrade Vulnerability-related.PatchVulnerability to the most recent version of Drupal 7 or 8 core . The latest code can be found at Drupal 's website . For those running 7.x , that means upgrading to Drupal 7.59 . For those running , 8.5.x , the latest version if 8.5.3 . And for those still on 8.4.x , there 's an upgrade to 8.4.8 , despite the fact that as an unsupported minor release , the 8.4.x line would not normally get Vulnerability-related.PatchVulnerability security updates . And finally , if you 're still on Drupal 6 , which is no longer officially supported , unofficial patches are being developed Vulnerability-related.PatchVulnerability here . Drupal users appear to be taking the release in stride , though with a bit of grumbling . `` Drupal Wednesday looks like the new Windows patch day , '' quipped designer Tom Binroth via Twitter . `` I would rather spend my time on creating new stuff than patching Vulnerability-related.PatchVulnerability Drupal core sites . ''

A critical vulnerability in open source automation tool Jenkins could allow permission checks to be bypassed through the use of specially-crafted URLs . Jenkins uses the Stapler web framework for HTTP request handling , which uses reflection to dispatch incoming web requests to controller code . This means that any public methods that start with get and include string and integer parameters are exposed to the web server . Because this is a common naming convention , this has led to multiple internal Jenkins methods being inadvertently exposed . The precise impact of this isn ’ t clear . The advisory notes that code execution could be a possible outcome – though on closer inspection , this seems to be a worst-case scenario . “ To clarify , the vulnerability we addressed Vulnerability-related.PatchVulnerability had nothing to do with arbitrary code execution , but was rather an issue discovered Vulnerability-related.DiscoverVulnerability by the Jenkins security team that allowed a small subset of existing Jenkins code to be invoked by a remote client , ” Daniel Beck , Jenkins security officer , told The Daily Swig in an email . “ While the known impact is pretty limited , we felt that the layer at which the vulnerability existed , and its potential warranted a higher score. ” These potential attacks include unauthenticated users being able to invalidate sessions when running with the built-in server , and users with overall/read permissions being able to create new user objects in memory . The advisory reads : “ Given the vast potential attack surface , we fully expect other attacks , that we are not currently aware of , to be possible on Jenkins releases that do not have this fix applied Vulnerability-related.PatchVulnerability . “ This is reflected in the high score we assigned Vulnerability-related.DiscoverVulnerability to this issue , rather than limiting the score to the impact through known issues. ” Beck added : “ Jenkins users should always keep their instances up to date . In this case , we released Vulnerability-related.PatchVulnerability updates for two LTS lines simultaneously for the first time , so admins could apply Vulnerability-related.PatchVulnerability the update without having to go through a major version jump . “ We strive to fix Vulnerability-related.PatchVulnerability all security vulnerabilities in Jenkins and plugins in a timely manner. ” Reflection is also used by Apache Struts , via the OGNL library . Struts has suffered Vulnerability-related.DiscoverVulnerability a number of serious security flaws in recent years . In 2017 , a vulnerability in the framework was exploited Vulnerability-related.DiscoverVulnerability to expose Attack.Databreach the details of up to 148 million Equifax customers . Another flaw , revealed Vulnerability-related.DiscoverVulnerability in August 2018 , could lead to remote code execution . These issues underline the dangers of using reflection with untrusted data , and application architects would do well to avoid this unsafe practice .

Researchers at Germany-based security firm Cure53 have conducted a 32-day audit of the Network Time Protocol ( NTP ) and the NTPsec project and discovered Vulnerability-related.DiscoverVulnerability more than a dozen vulnerabilities . Experts identified Vulnerability-related.DiscoverVulnerability a total of 16 security-related issues , including 8 weaknesses that only affect Vulnerability-related.DiscoverVulnerability NTP and two that only impact Vulnerability-related.DiscoverVulnerability NTPsec , which is meant to be a secure , hardened and improved implementation of NTP . Cure53 has published separate reports focusing on the NTP and NTPsec problems . The Network Time Foundation addressed Vulnerability-related.PatchVulnerability the flaws earlier this month with the release of ntp-4.2.8p10 . Cure53 has classified Vulnerability-related.DiscoverVulnerability one vulnerability as being critical . CVE-2017-6460 , which only affects Vulnerability-related.DiscoverVulnerability NTP , has been described Vulnerability-related.DiscoverVulnerability as a stack-based buffer overflow that can be triggered by a malicious server when a client requests the restriction list . The flaw can be exploited Vulnerability-related.DiscoverVulnerability to cause a crash and possibly to execute arbitrary code . The security holes rated Vulnerability-related.DiscoverVulnerability by Cure53 as high severity are CVE-2017-6463 and CVE-2017-6464 , both of which can be exploited Vulnerability-related.DiscoverVulnerability for DoS attacks . It ’ s worth noting that while some of the vulnerabilities have been classified Vulnerability-related.DiscoverVulnerability as critical and high severity by Cure53 , NTP developers have only assigned Vulnerability-related.DiscoverVulnerability medium , low and informational-level severity ratings to the discovered flaws . Ntp-4.2.8p10 patches Vulnerability-related.PatchVulnerability a total of 15 vulnerabilities and also includes just as many non-security fixes and improvements . Of the 15 security holes resolved Vulnerability-related.PatchVulnerability in the latest version , 14 were discovered Vulnerability-related.DiscoverVulnerability by Cure53 , which also noticed Vulnerability-related.DiscoverVulnerability that a flaw initially patched Vulnerability-related.PatchVulnerability in December 2014 was reintroduced Vulnerability-related.DiscoverVulnerability in November 2016 . One of the vulnerabilities fixed Vulnerability-related.PatchVulnerability in ntp-4.2.8p10 was reported Vulnerability-related.DiscoverVulnerability by researchers at Cisco Talos . Experts identified Vulnerability-related.DiscoverVulnerability a DoS vulnerability affecting Vulnerability-related.DiscoverVulnerability the origin timestamp check functionality

A security flaw affecting Vulnerability-related.DiscoverVulnerability LibreOffice and Apache OpenOffice has been fixed Vulnerability-related.PatchVulnerability in one of the two open-source office suites . The other still appears to be vulnerable Vulnerability-related.DiscoverVulnerability . Before attempting to guess which app has yet to be patched Vulnerability-related.PatchVulnerability , consider that Apache OpenOffice for years has struggled attract more contributors . And though the number of people adding code to the project has grown since last we checked , the project missed its recent January report to the Apache Foundation . The upshot is : security holes are n't being patched Vulnerability-related.PatchVulnerability , it seems . The issue , identified Vulnerability-related.DiscoverVulnerability by security researcher Alex Inführ , is that there 's a way to achieve remote code execution by triggering an event embedded in an ODT ( OpenDocument Text ) file . In a blog post on Friday , Inführ explains Vulnerability-related.DiscoverVulnerability how he found Vulnerability-related.DiscoverVulnerability a way to abuse the OpenDocument scripting framework by adding an onmouseover event to a link in an ODT file . The event , which fires when a user 's mouse pointer moves over the link , can traverse local directories and execute a local Python script . After trying various approaches to exploit the vulnerability , Inführ found Vulnerability-related.DiscoverVulnerability that he could rig the event to call a specific function within a Python file included with the Python interpreter that ships with LibreOffice . `` For the solution I looked into the Python parsing code a little more in depth and discovered that it is not only possible to specify the function you want to call inside a python script , but it is possible to pass parameters as well , '' he said . The exploit was tested on Windows , and should work on Linux , too . Inführ says Vulnerability-related.DiscoverVulnerability he reported Vulnerability-related.DiscoverVulnerability the bug on October 18 and it was fixed Vulnerability-related.PatchVulnerability in LibreOffice by the end of the month . RedHat assigned Vulnerability-related.DiscoverVulnerability it CVE-2018-16858 in mid-November and gave Inführ a disclosure Vulnerability-related.DiscoverVulnerability date of January 31 , 2019 . When he published Vulnerability-related.DiscoverVulnerability on February 1 , in conjunction with the LibreOffice fix notification , OpenOffice still had not been patched Vulnerability-related.PatchVulnerability . Inführ says Vulnerability-related.DiscoverVulnerability he reconfirmed Vulnerability-related.DiscoverVulnerability that he could go ahead with disclosure Vulnerability-related.DiscoverVulnerability even though OpenOffice 4.16 has yet to be fixed Vulnerability-related.PatchVulnerability . His proof-of-concept exploit does n't work with OpenOffice out-of-the-box because the software does n't allow parameters to be passed in the same way as the unpatched version of LibreOffice did . However , he says Vulnerability-related.DiscoverVulnerability that the path traversal issue can still be abused to execute a local Python file and cause further mischief and damage . We 're imagining specifically targeted netizens being tricked Attack.Phishing into opening a ZIP file , unpacking an ODT and Python script , and then the ODT document attempting to execute the Python script when the victim rolls their mouse over a link , for instance . The Register tried to reach two OpenOffice contributors to find out what 's going on . We 've not heard back . According to Inführ , OpenOffice users can mitigate the risk by removing or renaming the pythonscript.py file in the installation folder .