5th December, 2022
High Severity Vulnerability Discovered in Google Chrome
On Thursday 24th November, Google released software updates for the 8th zero-day vulnerability this year in the Chrome browser. The vulnerability, listed as 'High' severity, is tracked as CVE-2022-4135 and is a heap buffer overflow in Chrome's GPU component. A remote attacker who has already compromised the renderer process can potentially use it to escape the browser sandbox via a crafted HTML page and execute code on the host. Few technical details have been released while users update, but Google has stated that it is aware of an exploit existing in the wild. It is strongly recommended that users update to at least version 107.0.5304.121 to mitigate the issue (on Windows the fixed builds are 107.0.5304.121 and 107.0.5304.122). Users of other Chromium-based browsers, for example Microsoft Edge and Opera, are also advised to update as soon as a fix becomes available.
Oracle Fusion Middleware Critical Vulnerability Added to Actively Exploited List
On Monday 28th November, the US Cybersecurity and Infrastructure Security Agency (CISA) added a critical flaw in Oracle Access Manager, rated 9.8/10 on the CVSS scale, to its Known Exploited Vulnerabilities (KEV) Catalogue. The vulnerability, in the OpenSSO Agent component, is reachable by an unauthenticated attacker with network access over HTTP and allows remote code execution, resulting in the complete compromise of the Access Manager instance. Because Access Manager handles single sign-on, an attacker who takes it over can modify existing users, create new users with full privileges, or execute code directly on the victim system. Oracle patched the flaw in its January 2022 Critical Patch Update; it is tracked as CVE-2021-35587 and affects versions 11.1.2.3.0, 12.2.1.3.0 and 12.2.1.4.0.
French Energy Provider Fined €600,000 for Storing Users’ Passwords with Outdated Algorithm
The French energy provider Électricité de France (EDF) has been fined after an audit by the Commission nationale de l'informatique et des libertés (CNIL), France's data protection regulator. EDF was found to be storing the passwords of over 25,000 accounts as MD5 hashes. Although the passwords were hashed rather than stored in plaintext, MD5 has been considered unsuitable for this purpose for years: practical collision attacks were demonstrated in 2004 and used to forge a CA certificate in 2008, and, more importantly for password storage, MD5 is so fast to compute that stolen hashes can be brute-forced at billions of guesses per second on commodity GPUs. Moreover, the hashes associated with a further 2.4 million accounts had not been salted. A salt is a random value, unique per account, that is combined with the password before hashing; it ensures that two users with the same password get different hashes, defeats precomputed (rainbow) tables, and forces an attacker to crack each account separately. Salting, combined with a deliberately slow hash such as bcrypt, scrypt, Argon2 or PBKDF2, is standard practice. The fine was issued for breaches of the GDPR; the CNIL stated ‘The amount of the fine was decided considering the breaches observed and the cooperation by the company and all the measures it has taken during the proceedings to reach compliance with all alleged breaches’.
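To make the difference concrete, the following is an added example (not code from EDF, the CNIL or the original article) that puts the two schemes side by side: bare unsalted MD5, as sanctioned by the CNIL, against per-account salted PBKDF2-HMAC-SHA256. The account names, passwords and wordlist are constructed for the demonstration, and the stored-hash format `algorithm$iterations$salt$digest` is an assumption made for this example rather than any standard. It shows why unsalted hashes fall in bulk: one MD5 computation per dictionary word recovers every account that chose that word, whereas with a random salt and a slow hash the same passwords produce different digests and each account has to be attacked on its own.

```python
from __future__ import annotations

import hashlib
import hmac
import os

# Constructed sample accounts for this example (not real EDF data).
# Two users share the same weak password.
SAMPLE_ACCOUNTS = {
    "alice": "password",
    "bob": "password",
    "carol": "Tr0ub4dor&3",
}

# Constructed toy wordlist standing in for a real cracking dictionary.
WORDLIST = ["123456", "password", "qwerty", "letmein"]

# OWASP's current recommendation for PBKDF2-HMAC-SHA256 work factor.
PBKDF2_ITERATIONS = 600_000


def md5_unsalted(password: str) -> str:
    """The weak scheme: a bare, unsalted MD5 digest of the password."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def crack_unsalted(stored: dict[str, str], wordlist: list[str]) -> dict[str, str]:
    """Dictionary attack against unsalted hashes.

    Because identical passwords give identical digests, the attacker hashes
    each candidate word once and looks up every account at the same time.
    Returns {username: recovered_password} for every account that fell.
    """
    lookup = {md5_unsalted(word): word for word in wordlist}  # precomputed table
    return {user: lookup[digest] for user, digest in stored.items() if digest in lookup}


def hash_password(password: str, salt: bytes | None = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Salted, deliberately slow hash: 16 random bytes per account + PBKDF2-HMAC-SHA256.

    Stored as 'pbkdf2_sha256$iterations$salt_hex$digest_hex' (format assumed for
    this example). The salt is stored in the clear; it is not a secret, it only
    has to be unique per account.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError(f"unsupported hash algorithm: {algo}")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def demo() -> dict:
    """Run both schemes over the sample accounts and return the results."""
    unsalted = {user: md5_unsalted(pw) for user, pw in SAMPLE_ACCOUNTS.items()}
    cracked = crack_unsalted(unsalted, WORDLIST)
    salted = {user: hash_password(pw) for user, pw in SAMPLE_ACCOUNTS.items()}
    return {"unsalted": unsalted, "cracked": cracked, "salted": salted}


if __name__ == "__main__":
    result = demo()
    print("Unsalted MD5 (alice and bob collide):")
    for user, digest in result["unsalted"].items():
        print(f"  {user:6s} {digest}")
    print("Recovered from the toy wordlist:", result["cracked"])
    print("Salted PBKDF2 (same password, different digests):")
    for user, stored in result["salted"].items():
        print(f"  {user:6s} {stored[:60]}...")
```

Running it, alice and bob share a single MD5 digest and both fall to one dictionary lookup, while their PBKDF2 records differ and can only be checked one account at a time through `verify_password`, at a cost the attacker must pay 600,000 SHA-256 rounds per guess.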
New Critical Vulnerability Affecting Quarkus Java Framework