Oracle is advising customers to update Vulnerability-related.PatchVulnerability their database software following the discovery Vulnerability-related.DiscoverVulnerability and disclosure Vulnerability-related.DiscoverVulnerability of a critical remote code execution vulnerability . The flaw , dubbed CVE-2018-3110 was given a CVSS base score of 9.9 ( out of 10 ) and Oracle warns Vulnerability-related.DiscoverVulnerability that successful exploit of the bug `` can result in complete compromise of the Oracle Database and shell access to the underlying server . '' `` Due to the nature of this vulnerability , Oracle strongly recommends that customers take action without delay , '' Oracle says . Vulnerable versions of Database Server include 11.2.0.4 , 12.1.0.2 , 12.2.0.1 , and 18 . Admins are advised to install Oracle 's update as soon as possible . No credit was given for discovery or reporting . The flaw itself is found Vulnerability-related.DiscoverVulnerability in the JavaVM component of Oracle Database Server and is not considered a remote code exploit flaw , as it requires the attacker have a connection to the server via Oracle Net , the protocol Oracle servers use to connect with client applications . Other than that , however , there is little else required for a successful attack that gives complete control over the host server . The Oracle patch will only pile on to what is going to be a busy week for IT departments and administrators . In addition to this fix Vulnerability-related.PatchVulnerability , Microsoft is releasing Vulnerability-related.PatchVulnerability its monthly Patch Tuesday security update for Windows , Office , and Internet Explorer/Edge today , and Adobe has posted Vulnerability-related.PatchVulnerability fixes for security holes in Flash Player , Acrobat/Reader , Creative Cloud , and Experience manager . Our advice is to keep a pot of coffee handy and reserve a table at the pub for when this is all over with .

Cisco patches Vulnerability-related.PatchVulnerability a severe flaw in switch deployment software that can be attacked with crafted messages sent to a port that 's open by default . Cisco has released Vulnerability-related.PatchVulnerability patches for 34 vulnerabilities mostly affecting Vulnerability-related.DiscoverVulnerability its IOS and IOS XE networking software , including three critical remote code execution security bugs . Perhaps the most serious issue Cisco has released Vulnerability-related.PatchVulnerability a patch for is critical bug CVE-2018-0171 affecting Vulnerability-related.DiscoverVulnerability Smart Install , a Cisco client for quickly deploying new switches for Cisco IOS Software and Cisco IOS XE Software . A remote unauthenticated attacker can exploit a flaw in the client to reload an affected device and cause a denial of service or execute arbitrary code . Embedi , the security firm that found Vulnerability-related.DiscoverVulnerability the flaw , initially believed it could only be exploited Vulnerability-related.DiscoverVulnerability within an enterprise 's network . However , it found Vulnerability-related.DiscoverVulnerability millions of affected devices exposed on the internet . `` Because in a securely configured network , Smart Install technology participants should not be accessible through the internet . But scanning the internet has shown that this is not true , '' wrote Embedi . `` During a short scan of the internet , we detected 250,000 vulnerable devices and 8.5 million devices that have a vulnerable port open . '' Smart Install is supported by a broad range of Cisco routers and switches . The high number of devices with an open port is probably because the Smart Install client 's port TCP 4786 is open by default . This situation is overlooked by network admins , Embedi said . The company has also published Vulnerability-related.DiscoverVulnerability proof-of-concept exploit code , so it probably will be urgent for admins to patch Vulnerability-related.PatchVulnerability . An attacker can exploit the bug by sending Attack.Phishing a crafted Smart Install message to these devices on TCP port 4786 , according to Cisco . Embedi discovered Vulnerability-related.DiscoverVulnerability the flaw last year , landing it an award at the GeekPwn conference in Hong Kong last May , and reported Vulnerability-related.DiscoverVulnerability it to Cisco in September . Cisco 's internal testing also turned up Vulnerability-related.DiscoverVulnerability a critical issue in its IOS XE software , CVE-2018-0150 , due to an undocumented user account that has a default username and password . Cisco warns Vulnerability-related.DiscoverVulnerability that an attacker could use this account to remotely connect to a device running the software . Cisco engineers also found Vulnerability-related.DiscoverVulnerability CVE-2018-0151 , a remote code execution bug in the QoS subsystem of IOS and IOS XE . `` The vulnerability is due to incorrect bounds checking of certain values in packets that are destined for UDP port 18999 of an affected device . An attacker could exploit this vulnerability by sending malicious packets to an affected device , '' writes Cisco . All three bugs were given a CVSS score of 9.8 out of 10 .

Apple is reportedly aware Vulnerability-related.DiscoverVulnerability of and is in the middle of fixing Vulnerability-related.PatchVulnerability a pair of vulnerabilities that exist in iTunes and the App Store . If exploited Vulnerability-related.DiscoverVulnerability , researchers claim Vulnerability-related.DiscoverVulnerability an attacker could inject malicious script into the application side of the vulnerable module or function . Vulnerability Lab ’ s Benjamin Kunz Mejri disclosed Vulnerability-related.DiscoverVulnerability the vulnerabilities on Monday , explaining Vulnerability-related.DiscoverVulnerability the issues can be jointly exploited Vulnerability-related.DiscoverVulnerability via iTunes and the App Store ’ s iOS “ Notify ” function . Apple implemented the function in September , in the weeks leading up to the release of the game Super Mario Run . The function takes information from the device , such iCloud credentials or devicename values , to alert users when a soon-to-launch application debuts . Mejri , the firm ’ s founder , claims Vulnerability-related.DiscoverVulnerability the Notify functionality can be exploited Vulnerability-related.DiscoverVulnerability via a persistent input validation vulnerability and mail encoding web vulnerability . An attacker could substitute the name variable–the vulnerable firstname parameter–with a script launching a payload . Mejri said the issue stems from how Apple sends notifications from its @ new-itunes.com web server ; which doesn ’ t properly validate the iCloud name or devicename parameter . Instead of displaying introductory text , it can be rigged to execute malicious payloads . “ The vulnerability can be exploited Vulnerability-related.DiscoverVulnerability on restricted accessible iOS devices to the main account holder inbox , ” Mejri wrote in his disclosure Vulnerability-related.DiscoverVulnerability Monday , “ The issue could be used as well to continue to calendar spam activities ” . Mejri told Vulnerability-related.DiscoverVulnerability Threatpost Tuesday that while the issue isn ’ t highly exploitable , it “ definitely has a nice impact ” . Exploiting the persistent input validation flaw would be easier , because it only requires an Apple account and “ low or medium user interaction , ” according to the researcher . Ultimately , if stitched together , he warns Vulnerability-related.DiscoverVulnerability , the bugs could result in session hijacking , persistent phishing attacks , and persistent redirect to external sources . Mejri said Vulnerability-related.DiscoverVulnerability he contacted Vulnerability-related.DiscoverVulnerability Apple ’ s Product Security Team about the issues on Dec. 15 and acknowledged Vulnerability-related.DiscoverVulnerability that the vulnerability should be able to be resolved on the server-side without performing any required end-user interaction or updates . He said a temporary patch has been implemented Vulnerability-related.PatchVulnerability and believes a full fix is expected Vulnerability-related.PatchVulnerability later this month . It ’ s unclear exactly when this month Apple will push that fix Vulnerability-related.PatchVulnerability , however ; it last updated iTunes in December , fixing Vulnerability-related.PatchVulnerability 23 WebKit vulnerabilities in the software . Apple did not return multiple requests for comment regarding Vulnerability-related.DiscoverVulnerability the vulnerabilities on Monday and Tuesday . A month after first communicating the issues to Apple , Vulnerability Lab elected to publish a proof of concept around the issues to see if they had any legs . “ We decided to release the information until somebody uses the issue to exploit via iTunes , ” Kunz Mejri told Threatpost Tuesday . The vulnerability is similar to one disclosed Vulnerability-related.DiscoverVulnerability by Vulnerability Lab and patched Vulnerability-related.PatchVulnerability by Apple in iTunes and the App Store a year and a half ago . Before it was fixed Vulnerability-related.PatchVulnerability , like this week ’ s issue , an attacker could have remotely injected script into invoices , something that could have lead to hijacking , phishing , and redirect .

Warning Vulnerability-related.DiscoverVulnerability the device is susceptible to denial of service attacks , Cisco Systems on Wednesday released Vulnerability-related.PatchVulnerability a patch for its NetFlow Generation Appliance . The flaw traces back to the hardware ’ s Stream Control Transmission Protocol ( SCTP ) used by the appliance , according to a Cisco Security Advisory posted Vulnerability-related.DiscoverVulnerability Wednesday . Cisco warns Vulnerability-related.DiscoverVulnerability the vulnerability , “ could allow an unauthenticated , remote attacker to cause the device to hang or unexpectedly reload , causing a denial of service ( DoS ) condition ” . The bug ( CVE-2017-3826 ) is due to incomplete validation of SCTP packets being monitored on the NGA data ports , Cisco wrote . It impacts Vulnerability-related.DiscoverVulnerability Cisco NetFlow Generation Appliances NGA 3140 , NGA 3240 and NGA 3340 . NetFlow Generation Appliances are located within enterprise data centers and designed to monitor Gigabit Ethernet high-throughput networks . An attacker exploiting the vulnerability , “ could exploit this vulnerability by sending malformed SCTP packets on a network that is monitored by an NGA data port . SCTP packets addressed to the IP address of the NGA itself will not trigger this vulnerability . An exploit could allow the attacker to cause the appliance to become unresponsive or reload , causing a DoS condition , ” Cisco said . While there are no workarounds to fix Vulnerability-related.PatchVulnerability the vulnerability , Cisco is urging users to apply an update that fixes Vulnerability-related.PatchVulnerability the bug , Cisco NetFlow Generation Appliance Software release Vulnerability-related.PatchVulnerability 1.1 ( 1a ) . The company added that the fix does not apply Vulnerability-related.PatchVulnerability to NGA 3140 because that platform was sunsetted January 11 , 2014 . Last month , Cisco patched Vulnerability-related.PatchVulnerability an authentication bypass vulnerability in its Cisco Prime Home hardware . In January , Cisco patched Vulnerability-related.PatchVulnerability a flaw rated critical found in Vulnerability-related.DiscoverVulnerability is WebEx Chrome Plugin , used by tens of millions for web conferencing in business environments , that exposed computers to remote code execution . Cisco Systems released Vulnerability-related.PatchVulnerability a patch Monday to fix Vulnerability-related.PatchVulnerability a critical security vulnerability , with a CVSS rating of 10 , in its Secure Sockets Layer VPN solution called Adaptive Security Appliance