to data theft , takeover , and cryptocurrency mining attacks . This is because hackers can exploit two vulnerabilities to gain admin rights or log in using invalid credentials on these servers . Both vulnerabilities were discoveredVulnerability-related.DiscoverVulnerabilityby security researchers from CyberArk , were privately reportedVulnerability-related.DiscoverVulnerabilityto the Jenkins team , and receivedVulnerability-related.PatchVulnerabilityfixes over the summer . But despite patches for both issues , there are still thousands of Jenkins servers availableVulnerability-related.PatchVulnerabilityonline . Jenkins is a web application for continuous integration built in Java that allows development teams to run automated tests and commands on code repositories based on test results , and even automate the process of deploying new code to production servers . Jenkins is a popular component in many companies ' IT infrastructure and these servers are very popular with both freelancers and enterprises alike . Over the summer , CyberArk researchers discoveredVulnerability-related.DiscoverVulnerabilitya vulnerability ( tracked asVulnerability-related.DiscoverVulnerabilityCVE-2018-1999001 ) that allows an attacker to provide malformed login credentials that cause Jenkins servers to move their config.xml file from the Jenkins home directory to another location . If an attacker can cause the Jenkins server to crash and restart , or if he waits for the server to restart on its own , the Jenkins server then boots in a default configuration that features no security . In this weakened setup , anyone can register on the Jenkins server and gain administrator access . With an administrator role in hand , an attacker can access private corporate source code , or even make code modifications to plant backdoors in a company 's apps . This lone issue would have been quite bad on its own , but CyberArk researchers also discoveredVulnerability-related.DiscoverVulnerabilitya second Jenkins vulnerability -- CVE-2018-1999043 . This second bug , they saidVulnerability-related.DiscoverVulnerability, allowed an attacker to create ephemeral user records in the server 's memory , allowing an attacker a short period when they could authenticate using ghost usernames and credentials . Both vulnerabilities were fixedVulnerability-related.PatchVulnerability, the first in July and the second in August , but as we 've gotten accustomed to in the past few years of covering security flaws , not all server owners have bothered to install these security updates .
Adobe has patchedVulnerability-related.PatchVulnerabilitya number of security vulnerabilities on the last scheduled monthly update of this year . All these patches specifically addressedVulnerability-related.PatchVulnerabilitybugs in Adobe Reader and Acrobat . Allegedly , Adobe December Patch Tuesday Update fixedVulnerability-related.PatchVulnerabilityas much as 86 different vulnerabilities , including 38 critical security flaws . This week , Adobe rolled outVulnerability-related.PatchVulnerabilitythe last scheduled monthly updates for its products . While the previous month ’ s update included bug fixes in Flash Player , the Adobe December Patch Tuesday update bundle remained focused on Adobe Reader and Acrobat . As much as 38 different critical security bugs receivedVulnerability-related.PatchVulnerabilitypatches with this update . The vulnerabilities include 2 buffer errors , 2 Untrusted pointer dereference vulnerabilities , 5 out-of-bounds write vulnerabilities , 3 heap overflow bugs , and 23 use after free vulnerabilities . All these vulnerabilities could allegedly lead to arbitrary code execution by a potential attacker . In addition , 3 security bypass vulnerabilities also receivedVulnerability-related.PatchVulnerabilityfixes with this update . These flaws could allow privilege escalation on the targeted systems . In addition to the above , Adobe also releasedVulnerability-related.PatchVulnerabilityfixes for 48 important security vulnerabilities . These include , 43 out-of-bounds read vulnerabilities , 4 integer overflow bugs , and a single security bypass bug . All these could allegedly result in information disclosure . As stated in Adobe ’ s advisory , the affected software include the following for Windows , Acrobat DC and Acrobat Reader DC ( continuous track ) versions 2019.008.20081 and earlier , Adobe Acrobat 2017 and Acrobat Reader 2017 ( Classic 2017 track ) versions 2017.011.30106 and earlier , Acrobat DC and Acrobat Reader DC ( Classic 2015 track ) versions 2015.006.30457 and earlier . Whereas , in the case of MacOS , the affected programs include , Acrobat DC and Acrobat Reader DC ( continuous track ) versions including and prior to 2019.008.20080 , Adobe Acrobat 2017 and Acrobat Reader 2017 ( track Classic 2017 ) versions 2017.011.30105 and above , Acrobat DC and Acrobat Reader DC ( track Classic 2015 ) versions 2015.006.30456 and above . Adobe has patchedVulnerability-related.PatchVulnerabilityall 86 vulnerabilities in the recently released versions of the respective software . The patched versions include Acrobat DC and Acrobat Reader DC versions 2019.010.20064 ( continuous track ) , Acrobat 2017 and Acrobat Reader DC 2017 ( Classic 2017 ) version 2017.011.30110 , and Acrobat DC and Acrobat Reader DC ( track Classic 2015 ) version 2015.006.30461 . Users of both Windows and MacOS should , therefore , ensure updatingVulnerability-related.PatchVulnerabilitytheir systems and download the latest versions of the affected software to stay protected from these vulnerabilities . This month ’ s scheduled update bundle did not addressVulnerability-related.PatchVulnerabilityany security flaws in Flash Player . Nonetheless , lately , Adobe already patchedVulnerability-related.PatchVulnerabilitya critical Flash vulnerability already disclosedVulnerability-related.DiscoverVulnerabilityto the public .
Adobe has patchedVulnerability-related.PatchVulnerabilitya number of security vulnerabilities on the last scheduled monthly update of this year . All these patches specifically addressedVulnerability-related.PatchVulnerabilitybugs in Adobe Reader and Acrobat . Allegedly , Adobe December Patch Tuesday Update fixedVulnerability-related.PatchVulnerabilityas much as 86 different vulnerabilities , including 38 critical security flaws . This week , Adobe rolled outVulnerability-related.PatchVulnerabilitythe last scheduled monthly updates for its products . While the previous month ’ s update included bug fixes in Flash Player , the Adobe December Patch Tuesday update bundle remained focused on Adobe Reader and Acrobat . As much as 38 different critical security bugs receivedVulnerability-related.PatchVulnerabilitypatches with this update . The vulnerabilities include 2 buffer errors , 2 Untrusted pointer dereference vulnerabilities , 5 out-of-bounds write vulnerabilities , 3 heap overflow bugs , and 23 use after free vulnerabilities . All these vulnerabilities could allegedly lead to arbitrary code execution by a potential attacker . In addition , 3 security bypass vulnerabilities also receivedVulnerability-related.PatchVulnerabilityfixes with this update . These flaws could allow privilege escalation on the targeted systems . In addition to the above , Adobe also releasedVulnerability-related.PatchVulnerabilityfixes for 48 important security vulnerabilities . These include , 43 out-of-bounds read vulnerabilities , 4 integer overflow bugs , and a single security bypass bug . All these could allegedly result in information disclosure . As stated in Adobe ’ s advisory , the affected software include the following for Windows , Acrobat DC and Acrobat Reader DC ( continuous track ) versions 2019.008.20081 and earlier , Adobe Acrobat 2017 and Acrobat Reader 2017 ( Classic 2017 track ) versions 2017.011.30106 and earlier , Acrobat DC and Acrobat Reader DC ( Classic 2015 track ) versions 2015.006.30457 and earlier . Whereas , in the case of MacOS , the affected programs include , Acrobat DC and Acrobat Reader DC ( continuous track ) versions including and prior to 2019.008.20080 , Adobe Acrobat 2017 and Acrobat Reader 2017 ( track Classic 2017 ) versions 2017.011.30105 and above , Acrobat DC and Acrobat Reader DC ( track Classic 2015 ) versions 2015.006.30456 and above . Adobe has patchedVulnerability-related.PatchVulnerabilityall 86 vulnerabilities in the recently released versions of the respective software . The patched versions include Acrobat DC and Acrobat Reader DC versions 2019.010.20064 ( continuous track ) , Acrobat 2017 and Acrobat Reader DC 2017 ( Classic 2017 ) version 2017.011.30110 , and Acrobat DC and Acrobat Reader DC ( track Classic 2015 ) version 2015.006.30461 . Users of both Windows and MacOS should , therefore , ensure updatingVulnerability-related.PatchVulnerabilitytheir systems and download the latest versions of the affected software to stay protected from these vulnerabilities . This month ’ s scheduled update bundle did not addressVulnerability-related.PatchVulnerabilityany security flaws in Flash Player . Nonetheless , lately , Adobe already patchedVulnerability-related.PatchVulnerabilitya critical Flash vulnerability already disclosedVulnerability-related.DiscoverVulnerabilityto the public .
A vulnerability affectsVulnerability-related.DiscoverVulnerabilityall versions of the OpenSSH client released in the past two decades , ever since the application was released in 1999 . The security bug receivedVulnerability-related.PatchVulnerabilitya patch this week , but since the OpenSSH client is embedded in a multitude of software applications and hardware devices , it will take months , if not years , for the fix to trickle downVulnerability-related.PatchVulnerabilityto all affected systems . This particular bug was analyzedVulnerability-related.DiscoverVulnerabilitylast week by security researchers from Qualys who spottedVulnerability-related.DiscoverVulnerabilitya commit in OpenBSD 's OpenSSH source code for a bug report submittedVulnerability-related.DiscoverVulnerabilityby Darek Tytko from securitum.pl . After analyzing the commit , researchers realized that the code inadvertently fixedVulnerability-related.PatchVulnerabilitya security bug lying dormant in the OpenSSH client since its creation . This bug allows a remote attacker to guess the usernames registered on an OpenSSH server . Since OpenSSH is used with a bunch of technologies ranging from cloud hosting servers to mandate IoT equipment , billions of devices are affected . As researchers explain , the attack scenario relies on an attacker trying to authenticate on an OpenSSH endpoint via a malformed authentication request ( for example , via a truncated packet ) . A vulnerable OpenSSH server would react in two very different ways when this happens . If the username included in the malformed authentication request does not exist , the server responds with authentication failure reply . If the user does exist , the server closes the connection without a reply . This small behavioral detail allows an attacker to guess valid usernames registered on a SSH server . Knowing the exact username may not pose an immediate danger , but it exposes that username to brute-force or dictionary attacks that can also guess its password . Because of OpenSSH 's huge install base , the bug is ideal for both attacks on high-value targets , but also in mass-exploitation scenarios . The bug — tracked asVulnerability-related.DiscoverVulnerabilityCVE-2018-15473— has been patchedVulnerability-related.PatchVulnerabilityin the stable version of OpenSSH —1:6.7p1-1 and 1:7.7p1-1— and the 1:7.7p1-4 unstable branch . Patches have also trickled downVulnerability-related.PatchVulnerabilityto Debian , and most likely other Linux distros .
A critical vulnerability in Kubernetes open-source system for handling containerized applications can enable an attacker to gain full administrator privileges on Kubernetes compute nodes . Kubernetes makes it easier to manage a container environment by organizing application containers into pods , nodes ( physical or virtual machines ) and clusters . Multiple nodes form a cluster , managed by a master that coordinates cluster-related activities like scaling , scheduling , or updating apps . Each node has an agent called Kubelet that facilitates communication with the Kubernetes master via the API . The number of nodes available in a Kubernetes system can be hundreds and even thousands . Pulling this off is easy on default configurations , where `` all users ( authenticated and unauthenticated ) are allowed to perform discovery API calls that allow this escalation , '' says Jordan Liggitt , staff software engineer at Google . The security bug was discoveredVulnerability-related.DiscoverVulnerabilityby Darren Shepherd , co-founder of Rancher Labs company that provides the Kubernetes-as-a-Service solution called Rancher . Now tracked asVulnerability-related.DiscoverVulnerabilityCVE-2018-1002105 , the flaw is critical , with a Common Vulnerability Scoring System ( CVSS ) score of 9.8 out of 10 . According to the latest version of the vulnerability severity calculator , exploiting the security glitch has low difficulty and does not require user interaction . Red Hat 's OpenShift Container Platform uses Kubernetes for orchestrating and managing containers is also impactedVulnerability-related.DiscoverVulnerabilityby the vulnerability . In an advisory on the matter , the company explains that the flaw can be used in two ways against its products . One involves a normal user with 'exec , ' 'attach , ' or 'portforward ' rights over a Kubernetes pod ( a group of one or more containers that share storage and network resources ) ; they can escalate their privileges to cluster-admin level and execute any process in a container . The second attack method exploits the API extension feature used by ‘ metrics-server ’ and ‘ servicecatalog ’ in OpenShift Container Platform , OpenShift Online , and Dedicated . No privileges are required and an unauthenticated user can get admin rights to any API extension deployed to the cluster . `` Cluster-admin access to ‘ servicecatalog ’ allows creation of service brokers in any namespace and on any node , '' the advisory details . The problem has been addressedVulnerability-related.PatchVulnerabilityin the latest Kubernetes revisions : v1.10.11 , v1.11.5 , v1.12.3 , and v1.13.0-rc.1 . Kubernetes releases prior to these along with the products and services based on them are affectedVulnerability-related.DiscoverVulnerabilityby CVE-2018-1002105 . Red Hat releasedVulnerability-related.PatchVulnerabilitypatches for the OpenShift family of containerization software ( OpenShift Container Platform , OpenShift Online , and OpenShift Dedicated ) and users receivedVulnerability-related.PatchVulnerabilityservice updates they can install at their earliest convenience . The software company warns that a malicious actor could exploit the vulnerability to stealAttack.Databreachdata or inject malicious code , as well as `` bring down production applications and services from within an organization ’ s firewall . ''
Oracle releasedVulnerability-related.PatchVulnerabilityits latest Critical Patch Update on July 18 , fixingVulnerability-related.PatchVulnerability334 vulnerabilities across the company 's product portfolio . The company rated 61 of the vulnerabilities as having critical impact . Among the products patchedVulnerability-related.PatchVulnerabilityby Oracle are Oracle Database Server , Oracle Global Lifecycle Management , Oracle Fusion Middleware , Oracle E-Business Suite , Oracle PeopleSoft , Oracle Siebel CRM , Oracle Industry Applications , Oracle Java SE , Oracle Virtualization , Oracle MySQL and Oracle Sun Systems Products Suite . While there are issues of varying severity in the update , Oracle is blaming third-party components as being the cause of the majority of the critical issues . `` It is fair to note that bugs in third-party components make up a disproportionate amount of severe vulnerabilities in this Critical Patch Update , '' Eric Maurice , director of security assurance at Oracle , wrote in a blog post . `` 90 percent of the critical vulnerabilities addressedVulnerability-related.PatchVulnerabilityin this Critical Patch Update are for non-Oracle CVEs . '' Of the 334 issues fixedVulnerability-related.PatchVulnerabilityin the July Critical Patch Update , 37 percent were for third-party components included in Oracle product distributions . While many flaws were from third-party libraries , there were also flaws in Oracle 's own development efforts . Oracle 's namesake database was patchedVulnerability-related.PatchVulnerabilityfor three issues , one of which is remotely exploitable without user authentication . Oracle 's Financial Services application receivedVulnerability-related.PatchVulnerabilitythe highest total number of patches at 56 , with 21 identified as being remotely exploitable without user authentication . Oracle 's Fusion Middleware , on the other hand , gotVulnerability-related.PatchVulnerability44 new security fixes , with 38 of them rated as being critical . Oracle Enterprise Manager Products were patchedVulnerability-related.PatchVulnerabilityfor 16 issues , all of which are remotely exploitable without authentication . Looking at flaws in Java , Oracle 's July CPU providesVulnerability-related.PatchVulnerabilityeight security fixes , though organizations likely need to be cautious when applyingVulnerability-related.PatchVulnerabilitythe patches , as certain functionality has been removed . `` Several actions taken to fixVulnerability-related.PatchVulnerabilityJava SE vulnerabilities in the July CPU are likely to break the functionality of certain applications , '' security firm Waratek warned in an advisory . `` Application owners who applyVulnerability-related.PatchVulnerabilitybinary patches should be extremely cautious and thoroughly test their applications before puttingVulnerability-related.PatchVulnerabilitypatches into production . '' The reason why the Oracle fixes could break application functionality is because Oracle has decided to remove multiple vulnerable components from its Java Development Kit ( JDK ) . At 334 fixed flaws , the July update is larger than last Critical Patch Update releasedVulnerability-related.PatchVulnerabilityon Jan 15 , which providedVulnerability-related.PatchVulnerabilitypatches for 237 flaws . While the number of patches issues has grown , Matias Mevied , Oracle security researcher at Onapsis , commented that Oracle is working in the right way , fixingVulnerability-related.PatchVulnerabilitythe reported vulnerabilities and is getting faster every year . `` Unfortunately , based in our experience , the missing part is that the companies still do n't implement the patches as soon as they should be , '' Mevied told eWEEK .
If you own a Google Pixel or Google Pixel XL , you ’ re probably wondering where your November security patch update is . Although most Google devices — including older Nexus devices — receivedVulnerability-related.PatchVulnerabilitythe patch at the beginning of the month as detailed below , the original Pixel lineup was left high and dry . Today , finally , the patch is here . You can wait for the OTA to hit your device , or you can use the links below to manually install . We ’ re not quite sure why this took so long , but hopefully , the December patch will be a bit more uniform . Right on schedule , Google has releasedVulnerability-related.PatchVulnerabilityAndroid ’ s October security patch . As it ’ s the first update to make its way to the Pixel 3 and Pixel 3 XL , it should include some bug fixes . Unfortunately , it won ’ t resolveVulnerability-related.PatchVulnerabilitythe memory issues just yet . The November patch itself includes fixes for 17 security vulnerabilities . The most severe bugs included an issue in the media framework and the ability for a remote attacker to execute arbitrary code through a crafted file . Fortunately , Google doesn ’ t believe that either of these were used to harm users . The November security patch includes several bug fixes and improvements specifically for Pixel devices . As Google notes , this update should help with notification stability on Pixel 2 and Pixel 3 handsets as well as improve picture-in-picture performance on the four handsets . Sadly , the November security patch will likely be the last update pushedVulnerability-related.PatchVulnerabilityto the Pixel C , Nexus 6P , and Nexus 5X . As Google only guarantees firmware upgrades for two years after a device is released and security patches for three , the search giant is no longer obligated to support the two phone or tablet . Of course , this doesn ’ t mean that your devices are no longer usable . Even if you no longer get official support from Google , there are large developer communities that build ROMs that bringsVulnerability-related.PatchVulnerabilitythe latest security patches and Android features to all of Google ’ s abandoned devices . If you don ’ t want to wait for the November security patch to make its way to your phone , you can download the latest factory image or OTA file from the links below . From there , you can either flash a fresh build to your phone or sideload the OTA update . The November security patch is also making its way to the Essential Phone . In addition to the resolved issues addressedVulnerability-related.PatchVulnerabilityabove , this update brings support for the company ’ s Audio Adapter HD module .