Security
Headlines

Latest News

GHSA-5pp7-m8x8-rc82: Liferay Portal allows remote attackers to view display page templates via crafted URLs

Liferay Portal 7.3.0 through 7.4.3.111, and Liferay DXP 2023.Q4.0, 2023.Q3.1 through 2023.Q3.4, 7.4 GA through update 92, and 7.3 GA through update 35 do not perform an authorization check when users attempt to view a display page template, which allows remote attackers to view display page templates via crafted URLs.

GHSA-w7r3-mgwf-4mqq: Kubernetes C# client accepts certificates from any CA without properly verifying the trust chain

A vulnerability exists in the Kubernetes C# client where the certificate validation logic accepts properly constructed certificates from any Certificate Authority (CA) without properly verifying the trust chain. This flaw allows a malicious actor to present a forged certificate and potentially intercept or manipulate communication with the Kubernetes API server, leading to possible man-in-the-middle attacks and API impersonation.
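The advisory describes a validator that accepts a well-formed chain from any CA because nothing ties the chain's root to the CA the client was configured with. The following is an added example, not code from the Kubernetes C# client or any project on this page: the same mistake written in Java, beside the JDK PKIX validation that anchors the chain to a single configured CA. The class name, the PEM file arguments and the naive checker's exact shape are assumptions for illustration.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.cert.*;
import java.util.ArrayList;
import java.util.List;
import java.util.Set;

/**
 * Added example (hypothetical class, not the Kubernetes C# client's code):
 * a chain check that never consults a trust anchor, beside PKIX validation
 * against the cluster CA.
 */
public class ChainAnchorCheck {

    /** Reads one or more PEM-encoded X.509 certificates, leaf first. */
    static List<X509Certificate> readPem(String path) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (InputStream in = new FileInputStream(path)) {
            List<X509Certificate> certs = new ArrayList<>();
            for (Certificate c : cf.generateCertificates(in)) certs.add((X509Certificate) c);
            return certs;
        }
    }

    /**
     * Vulnerable shape: every certificate is within its validity window and is
     * signed by the next one (or by itself, for the root). A chain forged under
     * an attacker-controlled CA satisfies all of that, so it is accepted.
     */
    static boolean acceptsAnyCa(List<X509Certificate> chain) {
        try {
            for (int i = 0; i < chain.size(); i++) {
                X509Certificate cert = chain.get(i);
                cert.checkValidity();
                X509Certificate signer = (i + 1 < chain.size()) ? chain.get(i + 1) : cert;
                cert.verify(signer.getPublicKey()); // self-signed root verifies itself
            }
            return true;
        } catch (GeneralSecurityException e) {
            return false;
        }
    }

    /**
     * Hardened: PKIX path validation with the cluster CA as the only trust
     * anchor. Self-signed roots are dropped from the presented path so that the
     * anchor must come from the configured set, never from the peer.
     */
    static boolean anchoredToClusterCa(List<X509Certificate> chain, X509Certificate clusterCa)
            throws Exception {
        List<X509Certificate> path = new ArrayList<>();
        for (X509Certificate c : chain) {
            if (!c.getSubjectX500Principal().equals(c.getIssuerX500Principal())) path.add(c);
        }
        CertPath certPath = CertificateFactory.getInstance("X.509").generateCertPath(path);
        PKIXParameters params = new PKIXParameters(Set.of(new TrustAnchor(clusterCa, null)));
        params.setRevocationEnabled(false); // revocation policy is a separate decision
        try {
            CertPathValidator.getInstance("PKIX").validate(certPath, params);
            return true;
        } catch (CertPathValidatorException e) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 2) {
            System.err.println("usage: java ChainAnchorCheck <server-chain.pem> <cluster-ca.pem>");
            return;
        }
        List<X509Certificate> chain = readPem(args[0]);
        X509Certificate clusterCa = readPem(args[1]).get(0);
        System.out.println("signature-only check : " + acceptsAnyCa(chain));
        System.out.println("anchored PKIX check  : " + anchoredToClusterCa(chain, clusterCa));
    }
}
```

Run it once against the API server's real chain and the cluster CA from the kubeconfig, and once against a chain minted under a throwaway CA: the first column reads `true` both times, the second only for the genuine chain. PKIX validation covers chain anchoring only; hostname or SAN matching against the API server address is still a separate check that a client must perform.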

North Korean Group Targets South With Military ID Deepfakes

The North Korea-linked group Kimsuky used ChatGPT to create deepfakes of military ID documents in an attempt to compromise South Korean targets.

GHSA-3wfh-36rx-9537: Timing Attack Vulnerability in SCRAM Authentication

### Impact

A timing attack vulnerability exists in the SCRAM Java implementation. The issue arises because `Arrays.equals` was used to compare secret values such as client proofs and server signatures. Since `Arrays.equals` performs a short-circuit comparison, the execution time varies depending on how many leading bytes match. This behavior could allow an attacker to perform a timing side-channel attack and potentially infer sensitive authentication material. All users relying on SCRAM authentication are impacted.

### Patches

This vulnerability has been patched by replacing `Arrays.equals` with `MessageDigest.isEqual`, which examines every byte whenever the two inputs have the same length, so the comparison time no longer depends on where the first mismatch occurs. Users should upgrade to version **3.2** or later to mitigate this issue.

### Workarounds

Because the attack requires high precision and repeated attempts, the risk is limited, but the only reliable mitigation is to upgrade to a patched release (version 3.2 or later).

### References

- [Java `MessageDigest.isEqual` Documenta...
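The following is an added example, not code from the SCRAM library: the two comparisons the advisory names, plus a small harness that shows why the first one leaks. The instrumented loop counts how many bytes a short-circuit comparison examines before it can answer; the wall-clock columns show the same effect on the real JDK methods. The class name, the constructed "proof" bytes and the iteration count are assumptions for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Arrays;
import java.util.Random;

/**
 * Added example (hypothetical class, not the SCRAM library's code): the
 * vulnerable comparison, the patched one, and a harness that makes the
 * prefix-dependent cost visible.
 */
public class ScramProofCompare {

    /** Vulnerable form: Arrays.equals returns at the first mismatching byte. */
    static boolean verifyShortCircuit(byte[] expected, byte[] received) {
        return Arrays.equals(expected, received);
    }

    /** Patched form: MessageDigest.isEqual examines every byte once the lengths match. */
    static boolean verifyConstantTime(byte[] expected, byte[] received) {
        return MessageDigest.isEqual(expected, received);
    }

    /**
     * Instrumented copy of a short-circuit loop: returns how many bytes were
     * looked at before the answer was known. This is the quantity an attacker
     * recovers through timing, shown here without clock noise.
     */
    static int bytesExaminedShortCircuit(byte[] expected, byte[] received) {
        if (expected.length != received.length) return 0;
        int examined = 0;
        for (int i = 0; i < expected.length; i++) {
            examined++;
            if (expected[i] != received[i]) break;
        }
        return examined;
    }

    /** Builds a wrong proof whose first n bytes match the real one and whose byte n does not. */
    static byte[] guessWithMatchingPrefix(byte[] real, int n, Random rnd) {
        byte[] guess = new byte[real.length];
        rnd.nextBytes(guess);
        System.arraycopy(real, 0, guess, 0, n);
        if (n < real.length && guess[n] == real[n]) guess[n] ^= 1;
        return guess;
    }

    /** Wall-clock cost of `iterations` comparisons; the sink keeps the JIT from removing the loop. */
    static long timeNanos(boolean constantTime, byte[] expected, byte[] guess, int iterations) {
        boolean sink = false;
        long start = System.nanoTime();
        for (int i = 0; i < iterations; i++) {
            sink ^= constantTime ? verifyConstantTime(expected, guess)
                                 : verifyShortCircuit(expected, guess);
        }
        long elapsed = System.nanoTime() - start;
        if (sink) System.out.print("");
        return elapsed;
    }

    public static void main(String[] args) throws Exception {
        Random rnd = new Random(42);
        // Constructed stand-in for a 32-byte SCRAM-SHA-256 client proof; a real one
        // is HMAC-derived from the password, but any 32 secret bytes show the effect.
        byte[] realProof = MessageDigest.getInstance("SHA-256")
                .digest("constructed client proof".getBytes(StandardCharsets.UTF_8));
        int iterations = 3_000_000;

        // Warm up both paths so JIT compilation does not land inside a measurement.
        timeNanos(false, realProof, realProof.clone(), iterations);
        timeNanos(true, realProof, realProof.clone(), iterations);

        System.out.println("prefix  bytesExamined  Arrays.equals(ns)  MessageDigest.isEqual(ns)");
        for (int prefix : new int[] {0, 8, 16, 24, 31}) {
            byte[] guess = guessWithMatchingPrefix(realProof, prefix, rnd);
            System.out.printf("%6d  %13d  %17d  %25d%n",
                    prefix,
                    bytesExaminedShortCircuit(realProof, guess),
                    timeNanos(false, realProof, guess, iterations),
                    timeNanos(true, realProof, guess, iterations));
        }
        System.out.println("correct proof accepted by both: "
                + (verifyShortCircuit(realProof, realProof.clone())
                   && verifyConstantTime(realProof, realProof.clone())));
    }
}
```

Compile and run with `javac ScramProofCompare.java && java ScramProofCompare`. The `bytesExamined` column rises from 1 to 32 with the matching prefix, which is exactly what an attacker extracts one byte at a time. The wall-clock column for `Arrays.equals` trends the same way but in coarser steps, because recent JDKs compare byte arrays a word at a time; the `MessageDigest.isEqual` column stays flat within measurement noise. Only the patched form's timing is independent of the secret.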

Ray Security Takes an Active Data Security Approach

The data security platform comes with a predictive capability that separates it from other offerings aimed at protecting enterprise data, the startup says.

Why Secure Document Editing is More Important than Ever

Secure document editing protects sensitive data with encryption and compliance tools, while reducing costly breaches and building trust,…

Critical Bugs in Chaos Mesh Enable Cluster Takeover

"Chaotic Deputy" is a set of four vulnerabilities in the chaos engineering platform that many organizations use to test the resilience of their Kubernetes environments.

GHSA-mp7c-m3rh-r56v: matrix-js-sdk has insufficient validation when considering a room to be upgraded by another

### Impact

matrix-js-sdk before 38.2.0 has insufficient validation of room predecessor links in `MatrixClient::getJoinedRooms`, allowing a remote attacker to attempt to replace a tombstoned room with an unrelated attacker-supplied room.

### Patches

The issue has been patched and users should upgrade to 38.2.0.

### Workarounds

Avoid using `MatrixClient::getJoinedRooms` in favour of `getRooms()` and filtering upgraded rooms separately.

Self-Replicating 'Shai-hulud' Worm Targets NPM Packages

The newly emerged worm has spread across hundreds of open source software packages, stealing credentials and infecting other components without much direct attacker input.

Update your Apple devices to fix dozens of vulnerabilities

Apple has released security updates for all platforms to fix dozens of vulnerabilities which could give cybercriminals access to sensitive data.