Announcements

SAP May 2023 Security Patch Day

SAP has released security updates to address several vulnerabilities affecting multiple products. In addition, SAP also announced (6) updates to the previously released patch day security notes. This month’s patch fixes several vulnerabilities affecting multiple SAP products such as SAP 3D Visual Enterprise License Manager, SAP BusinessObjects Intelligence Platform, SAP AS NetWeaver JAVA, SAP IBP […]

Cisco Phone Vulnerable To RCE Attacks – 07 May 2023

Cisco has disclosed a vulnerability in the web-based management interface of Cisco SPA112 2-Port phone adapters. The addressed vulnerability could allow the remote attacker to execute arbitrary code on the affected device with full privileges by upgrading the affected device to a crafted version of the firmware. The addressed vulnerability: Cisco SPA112 2-Port Phone Adapters

VMware Security Update – 26 April 2023

VMware has released a security update to fix multiple vulnerabilities across VMware Workstation Pro / Player and VMware Fusion. The addressed vulnerabilities could allow the local attacker to gain access, gain root privilege, or obtain sensitive information from the affected products. Sample of the addressed vulnerabilities: 1. VMware Workstation and Fusion Buffer Overflow (CVE-2023-20869): CVSS: 9.3

Cisco Security Updates – 20 April 2023

Cisco released security updates to address several vulnerabilities affecting multiple Cisco products. The addressed vulnerabilities could allow the remote attacker to bypass security restrictions, escalate privileges, gain access, or cause a denial of service attack on the affected systems. Samples of the addressed vulnerabilities: 1. Cisco Modeling Labs External Authentication Bypass Vulnerability (CVE-2023-20154): CVSS: 9.1

VMware Security Update – 20 April 2023

VMware has released a security update to fix multiple vulnerabilities across VMware Aria Operations for Logs (formerly vRealize Log Insight). The addressed vulnerabilities could allow the remote attacker to gain access to the affected appliances via log deserialization and command injection vulnerabilities. 1. VMware Aria Operations for Logs Deserialization Vulnerability (CVE-2023-20864): CVSS: 9.8 Attack

Fortinet Security Updates – 12 April 2023

Fortinet has released security updates to address several vulnerabilities in multiple products. The addressed vulnerabilities could allow the attacker to execute arbitrary code, escalate privileges, bypass security restrictions, obtain information, cause cross-site scripting, and gain access to the affected products. Sample of the addressed vulnerabilities: 1. FortiPresence – Unpassworded Remotely Accessible Redis & MongoDB (CVE-2022-41331):

SAP April 2023 Security Patch Day

SAP has released security updates to address several vulnerabilities affecting multiple products. This month’s patch fixes several vulnerabilities affecting multiple SAP products such as SAP Diagnostics Agent, SAP Business Client, SAP NetWeaver Process Integration, SAP BusinessObjects Business Intelligence Platform (Promotion Management), SAP NetWeaver Application Server for ABAP and ABAP Platform, SAP NetWeaver (BI CONT ADDON), SAP NetWeaver Enterprise Portal, SAP

Microsoft April 2023 Patch Tuesday

Microsoft has released its monthly patch of security updates, known as Patch Tuesday. The mentioned patch contains a fix for one actively exploited zero-day vulnerability. Also, Microsoft has released an updated Microsoft Edge version (112.0.1722.34) to fix multiple vulnerabilities. Microsoft has fixed (97) vulnerabilities, with (7) classified as critical as they could allow the attacker to perform remote code

Sophos Security Updates – 05 April 2023

Sophos has released security updates to fix multiple vulnerabilities in Sophos Web Appliance versions older than 4.3.10.4. The addressed vulnerabilities could allow the remote attacker to gain access, cause a cross-site scripting attack, or execute arbitrary/JavaScript code on the affected versions. Sample of the addressed vulnerabilities: 1. Sophos Pre-auth Command Injection Vulnerability (CVE-2023-1671): CVSS: 9.8 Attack Vector: Network

3CX Supply Chain Attack 01 April 2023

In March 2023, security researchers uncovered a sophisticated supply chain attack that employed a trojanized version of the 3CX VoIP desktop client. This attack specifically targeted the clients of 3CX, representing a significant threat to the security of businesses that rely on this popular communication software. 3CX is a widely-used communication software that offers a range of features, including

Adobe ColdFusion Security Updates 16 March 2023

Adobe has released security updates addressing vulnerabilities in ColdFusion 2018 update 15 and below, and ColdFusion 2021 update 5 and below. The addressed vulnerabilities could allow the remote attacker to execute arbitrary code or obtain information from the affected systems. Sample of the addressed vulnerabilities: 1. Deserialization of Untrusted Data Vulnerability (CVE-2023-26359): • CVSS: 9.8 • Attack

Aruba Security Updates 15 March 2023

Aruba has released security updates addressing multiple vulnerabilities in ClearPass Policy Manager. The addressed vulnerabilities could allow the attacker to perform various attacks such as elevate privileges, disclose information, perform cross-site scripting, or gain access and execute arbitrary code on the affected systems. Sample of the addressed vulnerabilities: 1. Unauthenticated Arbitrary User Creation Leads to Complete System Compromise (CVE-2023-25589):

Microsoft March 2023 Patch Tuesday

Microsoft has released its monthly patch of security updates, known as Patch Tuesday. The mentioned patch contains a fix for two actively exploited zero-day vulnerabilities. Also, this patch includes a release for an updated Edge version (111.0.1661.41) to fix multiple vulnerabilities. Microsoft has fixed (83) vulnerabilities, with (9) classified as critical as they could allow the attacker to perform

SAP March 2023 Security Patch Day

SAP has released security updates to address several vulnerabilities affecting multiple products. This month’s patch fixes several vulnerabilities affecting multiple SAP products such as SAP Business Objects Business Intelligence Platform (CMC), SAP NetWeaver, SAP NetWeaver AS for Java, SAP NetWeaver Application Server for ABAP and ABAP Platform, SAP Business Objects (Adaptive Job Server), SAP Solution Manager and ABAP managed systems (ST-PI), SAP

Tenable Security Updates 14 March 2023

Tenable has released security updates to fix a critical vulnerability in Tenable.sc, tenable.io, and Nessus. The addressed vulnerability could allow the authenticated attacker to modify the scan variables, and manipulate audit policy variables to execute arbitrary commands on credentialed scan targets. Tenable Plugin Arbitrary Code Execution Vulnerability (CVE-2022-4313): • CVSS: 9.1 • Attack Vector: Network • Attack Complexity:

Linux Security Updates 02 March 2023

Linux has released security updates to fix vulnerabilities in Linux Kernel and Sudo utility before 1.9.13p2. The addressed vulnerabilities could allow the attacker to execute arbitrary code or cause a denial of service attack on the affected system. Sample of the addressed vulnerabilities: 1. Sudo Code Execution Vulnerability (CVE-2023-27320): • CVSS: 9.8 • Attack Vector: Network •

Cisco Security Updates 02 March 2023

Cisco has released security updates to address vulnerabilities affecting multiple products. The addressed vulnerabilities could allow the remote attacker to gain access, obtain information, cause a denial of service, and trigger cross-site scripting (XSS) or server-side request forgery (SSRF) attacks on the affected products. Sample of the addressed vulnerabilities: 1. Cisco IP Phone Command Injection Vulnerability

Aruba Security Updates 01 March 2023

Aruba has released security updates to fix vulnerabilities across multiple Aruba products. The addressed vulnerabilities could allow the remote attacker to execute code, obtain information, bypass security restrictions, and perform cross-site scripting. Sample of the addressed vulnerabilities: Unauthenticated Command Injections in the PAPI Protocol (CVE-2023-22747): • CVSS: 9.8 • Attack Vector: Network • Attack Complexity:

VMware Security Updates 22 February 2023

VMware has released security updates to fix multiple vulnerabilities in multiple VMware products. The addressed vulnerabilities could allow the remote authenticated attacker to read arbitrary files, cause a denial of service attack, conduct an SSRF attack, or execute arbitrary code by using specially-crafted request/XML content to gain access to the affected product. Sample of the addressed vulnerabilities: 1. VMware
