Security Alert

Overview

mgm security partners GmbH collects useful information about current threats and new attack vectors in the software and technologies used by the software development teams at mgm.

This information is edited and annotated so that mgm employees and projects can use it to maximize security in their daily work.

Overall Risk Classification

HIGH → Immediate action is required, business processes or customer data is in danger.

MEDIUM → No immediate action is required, but the threat has to be analyzed individually in short-term.

LOW → Action is required only if the persons responsible choose to take it.

INFO → No risk, purely informational content.

Our vision is to help all mgm software projects deliver secure software. Since the development of complex software generally depends on a specific software stack and possibly many third-party dependencies, ensuring the absence of major security bugs in these dependencies is paramount for delivering secure software.

Consequently, our monitoring focuses on application-level technology that is relevant for building and delivering software. This includes:

  • Important frameworks for application development (Spring, Apache Struts, Shiro, …)
  • Prominent cross-cutting dependencies (e.g. OpenSSL)
  • Web and application servers (Tomcat, Nginx, …)

We do not explicitly monitor:

  • IT infrastructure or operating-system-level technology, including databases
  • Client software (Flash, browsers, …)

Archive

  • Several Spring Vulnerabilities

    Pivotal has published advisories for several severe vulnerabilities in Spring components. Your project may be affected if one of the following components is used: Spring Integration, Spring Web Services, Spring Batch.

  • SAP Hybris Commerce

    A cross-site scripting (XSS) vulnerability in SAP Hybris Commerce was announced, and patches were provided.

  • Kubernetes

    A vulnerability in Kubernetes makes it possible to establish a connection through the Kubernetes API server to a backend server. That connection can then be used to send arbitrary requests to the backend server.

  • Malicious code in npm package event-stream 3.3.6

    The npm package event-stream (in version 3.3.6) depends on a malicious package named flatmap-stream.

  • PHP Vulnerabilities

    Multiple vulnerabilities have been discovered in PHP, the most severe of which could allow an attacker to execute arbitrary code.

  • Apache Struts Vulnerability

    Today, the Apache Software Foundation announced a critical remote code execution (RCE) vulnerability in Apache Struts. Whether the attack can be performed depends on the namespace configuration: affected are configurations in which no namespace is set or a wildcard namespace is used.

  • Apache Tomcat Vulnerabilities

    Apache has published updates fixing two severe security issues in all active branches of Tomcat. The first vulnerability may lead to a user session being reused on a new connection and therefore to information disclosure. The second can be exploited by triggering an overflow in the UTF-8 decoder, which may result in an infinite loop and therefore in a denial of service.

  • Oracle Patch Day / Java Vulnerabilities

    Oracle has published an advisory and updates for many of its software products. The advisory also covers several severe vulnerabilities in the Java ecosystem, some of which allow remote attackers to execute arbitrary code on Java systems.

  • Spring Vulnerabilities

    Pivotal has published two vulnerabilities in the Spring Framework. The first may inadvertently enable cross-domain requests via JSONP. The second affects the HiddenHttpMethodFilter in Spring MVC.

  • Several Denial of Service Vulnerabilities in Node.js

    Node.js has published security updates for all release lines. Depending on the configuration, Node.js applications may be susceptible to simple denial-of-service attacks.
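As an added illustration for the event-stream entry above (example code written for this page, not code from mgm's advisory or from the npm project), the following Node.js script checks a project's package-lock.json for the affected packages. It walks the nested dependency tree of a lockfileVersion 1 file, flags event-stream at exactly version 3.3.6 and flatmap-stream at any version, and traces each hit back through the lockfile's "requires" edges to the package that pulls it in. The embedded lockfile is a constructed sample; the versions in it other than event-stream 3.3.6 are assumptions made for the demo, not values taken from the advisory.

```javascript
// Added example, not the advisory's own code: scan an npm package-lock.json
// (lockfileVersion 1 layout: nested "dependencies" objects, "requires" maps)
// for watched packages and report where each copy sits and who requires it.

// Watch list: package name -> predicate over the installed version string.
const WATCHLIST = {
  "event-stream": (v) => v === "3.3.6", // the version named in the advisory
  "flatmap-stream": () => true,          // any version of the malicious package
};

// Flatten the nested tree into a list of installed entries, recording the
// node_modules location npm would use on disk for each copy.
function collectInstalled(deps, prefix = "node_modules", out = []) {
  for (const [name, entry] of Object.entries(deps || {})) {
    const location = `${prefix}/${name}`;
    out.push({
      name,
      version: entry.version,
      location,
      requires: Object.keys(entry.requires || {}),
    });
    // Nested "dependencies" hold copies that could not be hoisted.
    collectInstalled(entry.dependencies, `${location}/node_modules`, out);
  }
  return out;
}

// Returns one hit per installed copy of a watched package. The root project's
// own requirements are not recorded as "requires" entries in a v1 lockfile, so
// a hit nobody requires is reported as required by the root project.
function scanLockfile(lock) {
  const installed = collectInstalled(lock.dependencies);
  const dependents = new Map(); // package name -> [dependent@version, ...]
  for (const pkg of installed) {
    for (const req of pkg.requires) {
      if (!dependents.has(req)) dependents.set(req, []);
      dependents.get(req).push(`${pkg.name}@${pkg.version}`);
    }
  }
  const hits = [];
  for (const pkg of installed) {
    const check = WATCHLIST[pkg.name];
    if (check && check(pkg.version)) {
      hits.push({
        name: pkg.name,
        version: pkg.version,
        location: pkg.location,
        requiredBy: dependents.get(pkg.name) || ["<root project>"],
      });
    }
  }
  return hits;
}

// Constructed sample lockfile (not a real project's file). The flatmap-stream,
// through and left-pad versions are assumptions for the demo.
const SAMPLE_LOCK = {
  name: "demo-app",
  version: "1.0.0",
  lockfileVersion: 1,
  dependencies: {
    "event-stream": {
      version: "3.3.6",
      requires: { "flatmap-stream": "0.1.1", through: "~2.3.1" },
    },
    "flatmap-stream": { version: "0.1.1" },
    through: { version: "2.3.8" },
    "left-pad": { version: "1.3.0" },
  },
};

const demoHits = scanLockfile(SAMPLE_LOCK);
for (const h of demoHits) {
  console.log(
    `${h.name}@${h.version} at ${h.location} (required by: ${h.requiredBy.join(", ")})`
  );
}
```

To run this against a real project, replace SAMPLE_LOCK with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`; for lockfileVersion 2 or 3 files the flat "packages" map would have to be walked instead of the nested "dependencies" tree.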