Other issues fixed in October include a buffer overflow in WebSQL tracked as CVE-2022-3446 and a use-after-free bug in the Permissions API tracked as CVE-2022-3448, Google wrote in its blog post. Google also fixed two use-after-free bugs, one in Safe Browsing and one in Peer Connection.
Android’s October security bulletin includes fixes for 15 framework and system flaws and 33 kernel and vendor component issues. One of the most concerning issues is a critical security vulnerability in the Framework component that could lead to local privilege escalation, tracked as CVE-2022-20419. Meanwhile, a flaw in the kernel could also lead to local elevation of privileges without any additional execution privileges needed.
None of the issues are known to have been used in attacks, but it still makes sense to check your device and update it when you can. Google has released the update for its Pixel devices and it is also available for Samsung Galaxy S21 and S22 series smartphones and the Galaxy S21 FE.
Cisco has urged companies to patch two flaws in its AnyConnect Secure Mobility Client for Windows after confirming the vulnerabilities are being used in attacks. Tracked as CVE-2020-3433, the first could allow an attacker with valid Windows credentials to run code on the affected machine with system privileges.
Meanwhile, CVE-2020-3153 could allow an attacker with valid Windows credentials to copy malicious files to arbitrary locations with system-level privileges.
The US Cybersecurity and Infrastructure Security Agency has added both Cisco flaws to its Known Exploited Vulnerabilities catalog.
Although both Cisco flaws require the attacker to already hold valid Windows credentials on the machine, they turn an ordinary local account into system-level access, so it is still important to update now.
Video conferencing service Zoom patched several issues in October, including a flaw in its Zoom client for meetings, which is marked as high severity with a CVSS score of 8.8. Zoom says versions earlier than 5.12.2 are susceptible to a URL parsing vulnerability identified as CVE-2022-28763.
“If a malicious Zoom meeting URL is opened, the link may direct the user to connect to an arbitrary network address, leading to additional attacks including session takeovers,” Zoom said in a security bulletin.
Earlier this month, Zoom alerted users that its client for meetings for macOS, in versions from 5.10.6 up to but not including 5.12.0, contained a debug port misconfiguration.
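The two Zoom advisories above give concrete version ranges (everything below 5.12.2 for the URL parsing bug, and the macOS client from 5.10.6 up to but not including 5.12.0 for the debug port issue), which is exactly the kind of rule an administrator has to apply across a fleet. The script below is an added example, not code from Zoom or from this article. It assumes Zoom's dotted version numbering, ignores an optional build number in parentheses, and runs over a constructed sample inventory:

```python
"""Triage a Zoom client inventory against the two October 2022 advisories.

Added example, not code from Zoom or from the original article. Assumptions:
version strings use Zoom's dotted numbering ("5.12.2"), an optional build
number in parentheses ("5.12.2 (11319)") is ignored, and the inventory rows
below are constructed sample data.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

Version = tuple[int, int, int]


@dataclass(frozen=True)
class Advisory:
    cve: str
    platforms: frozenset[str] | None  # None means every platform
    lo: Version | None                # inclusive lower bound, None = unbounded
    hi: Version                       # exclusive upper bound (first fixed version)


# Ranges as stated in the article: CVE-2022-28763 affects versions earlier
# than 5.12.2 on every platform; CVE-2022-28762 affects the macOS client
# from 5.10.6 and before 5.12.0.
ADVISORIES = (
    Advisory("CVE-2022-28763", None, None, (5, 12, 2)),
    Advisory("CVE-2022-28762", frozenset({"macos"}), (5, 10, 6), (5, 12, 0)),
)


def parse_version(text: str) -> Version:
    """Turn "5.12.2", "5.12" or "5.12.2 (11319)" into a comparable 3-tuple."""
    m = re.match(r"\s*(\d+)(?:\.(\d+))?(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unparseable Zoom version: {text!r}")
    parts = [int(g) if g is not None else 0 for g in m.groups()]
    return (parts[0], parts[1], parts[2])


def affected_by(platform: str, version: str) -> list[str]:
    """Return the CVE IDs from ADVISORIES that still apply to this client."""
    v = parse_version(version)
    hits = []
    for adv in ADVISORIES:
        if adv.platforms is not None and platform.lower() not in adv.platforms:
            continue  # advisory is platform-specific and this host is not one
        if adv.lo is not None and v < adv.lo:
            continue  # below the first affected version
        if v >= adv.hi:
            continue  # already at or past the fixed build
        hits.append(adv.cve)
    return hits


def triage(inventory):
    """Map hostname -> outstanding CVEs, omitting hosts with nothing to patch."""
    return {host: cves for host, plat, ver in inventory
            if (cves := affected_by(plat, ver))}


# Constructed sample inventory: (hostname, platform, reported client version).
SAMPLE_INVENTORY = [
    ("mac-01", "macos", "5.10.6 (17590)"),
    ("win-07", "windows", "5.12.0"),
    ("mac-02", "macos", "5.12.2"),
    ("lin-03", "linux", "5.9.6"),
]

if __name__ == "__main__":
    for host, cves in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {', '.join(cves)}")
```

The upper bound is exclusive because each advisory names the first fixed release; the lower bound for the macOS issue is inclusive because 5.10.6 is itself listed as affected. Feed it the real inventory from your endpoint management tool instead of the sample rows to get a list of hosts that still need the 5.12.2 update.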
Software giant VMware has patched a serious vulnerability in its Cloud Foundation platform, tracked as CVE-2021-39144. The remote code execution vulnerability, which stems from the open-source XStream library, is rated critical with a maximum CVSSv3 base score of 9.8. “Due to an unauthenticated endpoint that leverages XStream for input serialization in VMware Cloud Foundation, a malicious actor can obtain remote code execution in the context of ‘root’ on the appliance,” VMware said in an advisory.
The VMware Cloud Foundation update also fixes an XML external entity vulnerability with a lower CVSSv3 base score of 5.3. Tracked as CVE-2022-31678, the bug could allow an unauthenticated user to perform a denial of service.
Software company Zimbra has released patches to fix an already exploited code execution flaw that could allow an attacker to access user accounts. The issue, tracked as CVE-2022-41352, has a CVSS severity score of 9.8.
The exploit was spotted by Rapid7 researchers, who identified signs that it had been used in attacks. Zimbra initially published a workaround, but now that the fix is out you should apply it as soon as possible.
Enterprise software company SAP released 23 new and updated security advisories during its October Patch Day. Among the most serious issues is a critical path traversal vulnerability in SAP Manufacturing Execution. The vulnerability affects two plugins, Work Instruction Viewer and Visual Test and Repair, and has a CVSS score of 9.9.
Another issue with a CVSS score of 9.6 is an account takeover vulnerability in the SAP Commerce login page.
Software giant Oracle released 370 patches as part of its quarterly security update. Oracle’s critical patch update for October fixes 50 vulnerabilities rated critical.
The update contains 37 new security patches for Oracle MySQL, 11 of which are remotely exploitable without authentication. It also contains 24 new security patches for Oracle Financial Services Applications, 16 of which are remotely exploitable without authentication.
Due to “the threat posed by a successful attack”, Oracle “strongly recommends” that customers apply Critical Patch Update security patches as soon as possible.