Here’s our latest overview highlighting the most notable security vulnerabilities that made headlines this week. One such report describes seven flaws affecting a popular DNS caching proxy and DHCP server known as dnsmasq that pose a significant risk of widespread attacks.
The flaws, collectively dubbed DNSpooq, are believed to be impacting products from more than 40 IT vendors, including Cisco, Comcast, Google, Netgear, Red Hat, and Ubiquiti, and major Linux distributions. Three of the vulnerabilities are cache poisoning issues (CVE-2020-25686, CVE-2020-25684, CVE-2020-25685) while other four are buffer overflow bugs (CVE-2020-25687, CVE-2020-25683, CVE-2020-25682, CVE-2020-25681). The issue was addressed in Dnsmasq 2.83.
Oracle this week released its first cumulative set of security updates for 2021, which contains a total of 329 new patches, including those that address multiple high risk vulnerabilities across such products as Oracle Utilities Framework, Oracle ZFS Storage Appliance Kit, Oracle Retail Merchandising System, Oracle Retail Sales Audit, Oracle Retail Order Broker, MySQL Workbench, MySQL Server, and others.
The January 2021 CPU also includes fixes for CVE-2020-14750, an exploited vulnerability in WebLogic Server, which Oracle addressed with the release of an out-of-band update on November 1, 2020.
Cisco has warned its customers of multiple dangerous flaws in its software-defined networking for wide-area networks (SD-WAN) solutions for business users and Cisco Smart Software Manager On-Prem software.
One of the bugs (CVE-2021-1300) is a buffer-overflow flaw, which stems from incorrect handling of IP traffic; an attacker could exploit the flaw by sending crafted IP traffic through an affected device, which may cause a buffer overflow when the traffic is processed. As a result, a remote attacker can execute arbitrary code on the target system. The flaw affects the following software releases: IOS XE SD-WAN Software, SD-WAN vBond Orchestrator Software, SD-WAN vEdge Cloud Routers, SD-WAN vEdge Routers, SD-WAN vManage Software and SD-WAN vSmart Controller Software.
Three high risk flaws were found in Cisco Smart Software Manager On-Prem (CVE-2021-1138, CVE-2021-1140, CVE-2021-1142) that could allow an unauthenticated, remote attacker to execute arbitrary commands as a high-privileged user on an affected device.
Maintainers behind VLC media player released version 3.0.12 to address multiple serious issues, including CVE-2020-26664 that could be abused either to trigger a crash of VLC or an arbitrary code execution with the privileges of the target user by tricking the victim into opening a malicious file.
Also, multiple high risk vulnerabilities were reported in Eclipse OpenJ9 (CVE-2020-27221), PeopleSoft Enterprise PeopleTools (CVE-2021-2071), Archive_Tar (CVE-2020-36193), and Hyperion Infrastructure Technology (CVE-2019-12415, CVE-2020-11984). If exploited, these flaws could allow a malicious actor to compromise the affected system, or access sensitive data.