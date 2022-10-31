



Other issues fixed in October were a heap buffer overflow in WebSQL, tracked as CVE-2022-3446, and a use-after-free bug in the Permissions API, tracked as CVE-2022-3448, Google wrote on its blog. Google also fixed two further use-after-free bugs, one in Safe Browsing and one in Peer Connections.

Google Android

The October Android Security Bulletin includes fixes for 15 framework and system flaws and 33 kernel and vendor component issues. One of the issues of greatest concern is a critical security vulnerability in a framework component that could lead to local privilege escalation, tracked as CVE-2022-20419. The kernel flaws could likewise allow local privilege escalation, with no additional execution privileges needed.

Although none of the issues are known to be used in attacks, it makes sense to check your device and install the update if one is available. Google has issued the update for its Pixel devices, and it is also available for the Samsung Galaxy S21 and S22 series smartphones, as well as the Galaxy S21 FE.

Cisco

Cisco urged companies to patch two flaws in the AnyConnect Secure Mobility Client for Windows after the vulnerabilities were confirmed to be used in attacks. The first, tracked as CVE-2020-3433, could allow an attacker with valid Windows credentials to execute code with SYSTEM privileges on the affected machine.

The second, tracked as CVE-2020-3153, could allow an attacker with valid Windows credentials to copy malicious files to arbitrary locations with SYSTEM-level privileges.

The US Cybersecurity and Infrastructure Security Agency (CISA) has added both Cisco vulnerabilities to its Known Exploited Vulnerabilities catalog.

Both Cisco flaws require the attacker to already hold valid credentials on the machine, but because they are being used in the wild to escalate to SYSTEM, it is still important to update now.

Zoom

Video conferencing service Zoom patched multiple issues in October. These include a flaw in the Zoom Client for Meetings rated high severity with a CVSS score of 8.8. Zoom states that versions prior to 5.12.2 are susceptible to a URL parsing vulnerability tracked as CVE-2022-28763.

If a malicious Zoom meeting URL is opened, the link could direct the user's client to connect to an arbitrary network address, leading to additional attacks including session hijacking, Zoom said in its security bulletin.

Earlier in the month, Zoom warned users that the Zoom Client for Meetings for macOS, in versions from 5.10.6 up to but not including 5.12.0, contained a debug port misconfiguration.

VMware

Software giant VMware patched a critical vulnerability in VMware Cloud Foundation.

Tracked as CVE-2021-39144, the remote code execution vulnerability in the XStream open source library is rated critical, with a CVSSv3 base score of 9.8. VMware warns that, because unauthenticated endpoints in VMware Cloud Foundation use XStream for input serialization, a malicious actor can achieve remote code execution in the context of "root" on the appliance.
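For Cloud Foundation itself the only fix is VMware's patch, but the same XStream weakness turns up in any application that feeds untrusted XML to the library. The following is an added illustration, not VMware's code and not part of the advisory, of the weak default versus an explicit allowlist: XStream releases before 1.4.18 fall back to a blacklist when no permissions are configured, and CVE-2021-39144 is a bypass of that blacklist. The `MeetingRequest` class, the alias and the sample XML strings are hypothetical and constructed for this example.

```java
// Added example (not from VMware or the XStream project): weak vs hardened XStream setup.
// MeetingRequest is a hypothetical payload type used only for illustration.
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

public class XStreamHardening {

    // Hypothetical request object that the endpoint actually expects.
    public static class MeetingRequest {
        public String topic;
        public int durationMinutes;
    }

    // WEAK: on XStream < 1.4.18 an unconfigured instance uses a blacklist of
    // known-bad types. CVE-2021-39144 bypasses that list, so any class on the
    // classpath can be instantiated from attacker-controlled XML.
    static XStream weak() {
        return new XStream();
    }

    // HARDENED: start from "nothing allowed" and add back only the exact types
    // the endpoint needs. NoTypePermission.NONE clears every prior permission,
    // so this holds regardless of library version (upgrade to >= 1.4.18 as well).
    static XStream hardened() {
        XStream xs = new XStream();
        xs.addPermission(NoTypePermission.NONE);               // deny everything
        xs.addPermission(NullPermission.NULL);                 // allow null values
        xs.addPermission(PrimitiveTypePermission.PRIMITIVES);  // int, boolean, ...
        xs.allowTypes(new Class[] { String.class, MeetingRequest.class });
        xs.alias("meeting", MeetingRequest.class);             // hypothetical alias
        return xs;
    }

    public static void main(String[] args) {
        // Constructed sample input: a well-formed request the endpoint expects.
        String ok = "<meeting><topic>standup</topic>"
                  + "<durationMinutes>15</durationMinutes></meeting>";
        // Constructed sample input: a type the endpoint never expects. A real
        // attacker would pick a gadget class; ArrayList is enough to show rejection.
        String unexpected = "<java.util.ArrayList/>";

        XStream xs = hardened();
        MeetingRequest r = (MeetingRequest) xs.fromXML(ok);
        System.out.println("accepted: " + r.topic + " / " + r.durationMinutes + " min");

        try {
            xs.fromXML(unexpected);
            System.out.println("BUG: unexpected type was deserialized");
        } catch (ForbiddenClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The important property is that the hardened instance rejects by type before any constructor or converter runs, which is what stops gadget chains; a blacklist can only ever name the gadgets already known.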

The same VMware Cloud Foundation update also addresses an XML External Entity (XXE) vulnerability, tracked as CVE-2022-31678, with a lower CVSSv3 base score of 5.3. This bug could allow an unauthenticated user to cause a denial of service.

Zimbra

Software company Zimbra has issued a patch for an already exploited code execution flaw that could allow attackers to gain access to user accounts. The issue, tracked as CVE-2022-41352, has a CVSS severity score of 9.8.

Rapid7 researchers investigated the exploit and identified the indicators of compromise seen in attacks. Zimbra originally released only a workaround for this issue, but a patch is now available and should be applied as soon as possible.

SAP

Enterprise software company SAP has released 23 new and updated security notes for its October Patch Day. One of the most serious issues is a critical path traversal vulnerability in SAP Manufacturing Execution, with a CVSS score of 9.9, affecting two plugins: Work Instruction Viewer and Visual Test and Repair.

Another issue with a CVSS score of 9.6 is an account hijacking vulnerability in the SAP Commerce login page.

Oracle

Software giant Oracle has released a whopping 370 patches as part of its quarterly security updates. Oracle’s October Critical Patch Update fixes 50 vulnerabilities rated Critical.

This update contains 37 new security patches for Oracle MySQL, 11 of which could be exploited remotely without authentication. It also includes 24 new security patches for Oracle Financial Services Applications, 16 of which could be exploited remotely without authentication.

Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply the Critical Patch Update security patches as soon as possible.

