Category Archives: Projects

Vulnerability Management news and publications #1

Vulnerability Management news and publications #1. Hello everyone! In this episode, I will try to revive Security News with a focus on Vulnerability Management.

On the one hand, creating such reviews requires free time, which could be spent more wisely, for example, on open source projects or original research. On the other hand, there are arguments in favor of news reviews. Keeping track of the news is part of our job as vulnerability and security specialists. And preferably not only headlines.

Alternative video link (for Russia): https://vk.com/video-149273431_456239095

I usually follow the news using my automated telegram channel @avleonovnews. And it looks like this: I see something interesting in the channel, I copy it to Saved Messages so that I can read it later. Do I read it later? Well, usually not. Therefore, the creation of news reviews motivates to read and clear Saved Messages. Just like doing Microsoft Patch Tuesday reviews motivates me to watch what’s going on there. In general, it seems it makes sense to make a new attempt. Share in the comments what you think about it. Well, if you want to participate in the selection of news, I will be glad too.

I took 10 news items from Saved Messages and divided them into 5 categories:

  1. Active Vulnerabilities
  2. Data sources
  3. Analytics
  4. VM vendors write about Vulnerability Management
  5. de-Westernization of IT

Continue reading

Microsoft Patch Tuesday June 2022: Follina RCE, NFSV4.1 RCE, LDAP RCEs and bad patches

Microsoft Patch Tuesday June 2022: Follina RCE, NFSV4.1 RCE, LDAP RCEs and bad patches. Hello everyone! This will be an episode about the Microsoft vulnerabilities that were released on June Patch Tuesday and also between May and June Patch Tuesdays.

Alternative video link (for Russia): https://vk.com/video-149273431_456239094

On June Patch Tuesday, June 14, 56 vulnerabilities were released. Between May and June Patch Tuesdays, 38 vulnerabilities were released. This gives us 94 vulnerabilities in the report.

Continue reading

Microsoft Patch Tuesday May 2022: Edge RCE, PetitPotam LSA Spoofing, bad patches

Microsoft Patch Tuesday May 2022: Edge RCE, PetitPotam LSA Spoofing, bad patches. Hello everyone! This episode will be about Microsoft Patch Tuesday for May 2022. Sorry for the delay, this month has been quite intense. As usual, I’m using my Vulristics project and going through not only the vulnerabilities that were presented on May 10th, but all the MS vulnerabilities presented by Microsoft since the previous Patch Tuesday, April 12th.

Alternative video link (for Russia): https://vk.com/video-149273431_456239089

I have set direct links in comments_links.txt for Qualys, ZDI and Kaspersky blog posts.

Continue reading

Vulristics May 2022 Update: CVSS redefinitions and bulk adding Microsoft products from MS CVE data

Vulristics May 2022 Update: CVSS redefinitions and bulk adding Microsoft products from MS CVE data. Hello everyone! In this episode, I want to talk about the latest updates to my open source vulnerability prioritization project Vulristics.

Alternative video link (for Russia): https://vk.com/video-149273431_456239088

CVSS redefinitions

A fairly common problem: we have a CVE without an available CVSS vector and score. For example, this was the case with CVE-2022-1364 Type Confusion in V8 (Chromium). This vulnerability does not exist in NVD.

Continue reading

Microsoft Patch Tuesday April 2022 and custom CVE comments sources in Vulristics

Microsoft Patch Tuesday April 2022 and custom CVE comments sources in Vulristics. Hello everyone! This episode will be about Microsoft Patch Tuesday for April 2022 and new improvements in my Vulristics project. I decided to add more comment sources. Because it’s not just Tenable, Qualys, Rapid7 and ZDI make Microsoft Patch Tuesday reviews, but also other security companies and bloggers.

Alternative video link (for Russia): https://vk.com/video-149273431_456239085

You can see them in my automated security news telegram channel avleonovnews after every second Tuesday of the month. So, now you can add any links with CVE comments to Vulristics.

Continue reading

Gitlab OmniAuth Static Passwords and stored XSS

Gitlab OmniAuth Static Passwords and stored XSS. Hello everyone! In this episode, let’s take a look at the latest vulnerabilities in Gitlab. On March 31, the Critical Security Release for GitLab Community Edition (CE) and Enterprise Edition (EE) was released. GitLab recommends that all installations running a version affected by the issues described in the bulletin are upgraded to the latest version as soon as possible.

Alternative video link (for Russia): https://vk.com/video-149273431_456239079

Unfortunately, Gitlab, as well as some other Western companies, is currently hostile to the country where I live and work. So their calls to immediately install updates now have additional connotations. If Gitlab is so clearly politically motivated that even the logo on their site has been recolored in a certain way, then what else can be expected from their updates? Backdoors? Malicious functionality that wipes data? Quite possible. IMHO, when companies are so willing to mix geopolitical messages and business, it exposes them as unreliable vendors that should be avoided.

But let’s get back to vulnerabilities. There are 17 CVEs in the bulletin. We will start with the most critical one.

Continue reading

Spring4Shell, Spring Cloud Function RCE and Spring Cloud Gateway Code Injection

Spring4Shell, Spring Cloud Function RCE and Spring Cloud Gateway Code Injection. Hello everyone! This episode will be about last week’s high-profile vulnerabilities in Spring. Let’s figure out what happened.

Alternative video link (for Russia): https://vk.com/video-149273431_456239078

Of course, it’s amazing how fragmented the software development world has become. Now there are so many technologies, programming languages, libraries and frameworks! It becomes very difficult to keep them all in sight. Especially if it’s not the stack you use every day. Entropy keeps growing every year. Programmers are relying more and more on off-the-shelf libraries and frameworks, even where it may not be fully justified. And vulnerabilities in these off-the-shelf components lead to huge problems. So it was in the case of a very critical Log4Shell vulnerability, so it may be in the case of Spring vulnerabilities.

Spring is a set of products that are used for Java development. They are developed and maintained by VMware. The main one is Spring Framework. But there are a lot of them, at least 21 on the website. And because Spring belongs to VMware, you can find a description of the vulnerabilities on the VMware Tanzu website. VMware Tanzu is a suite of products that helps users run and manage multiple Kubernetes (K8S) clusters across public and private “clouds”. Spring is apparently also part of this suite and therefore Spring vulnerabilities are published there. Let’s look at the 3 most serious vulnerabilities published in the last month.

Continue reading