In Apache CouchDB prior to 3.2.2, an attacker can access an improperly secured default installation without authenticating and gain admin privileges. The CouchDB documentation has always made recommendations for properly securing an installation, including recommending using a firewall in front of all CouchDB installations.

**Email display mode:**

Modern rendering  
Legacy rendering

CVE-2022-24706

Plugin Settings Update vulnerability in ShortPixel's ShortPixel Adaptive Images plugin <= 3.3.1 at WordPress allows an attacker with a low user role like a subscriber or higher to change the plugin settings.

CVE-2022-29417: ShortPixel Adaptive Images – WebP, AVIF, CDN, Image Optimization

The Users Ultra WordPress plugin through 3.1.0 fails to properly sanitize and escape the data_target parameter before it is being interpolated in an SQL statement and then executed via the rating_vote AJAX action (available to both unauthenticated and authenticated users), leading to an SQL Injection.

CVE-2022-0769

An issue was discovered in coreboot 4.13 through 4.16. On APs, arbitrary code execution in SMM may occur.

Permalink

Browse files

cpu/x86/smm: Introduce SMM module loader version 2

Xeon-SP Skylake Scalable Processor can have 36 CPU threads (18 cores).
Current coreboot SMM is unable to handle more than ~32 CPU threads.
This patch introduces a version 2 of the SMM module loader which
addresses this problem. Having two versions of the SMM module loader
prevents any issues to current projects. Future Xeon-SP products will
be using this version of the SMM loader.  Subsequent patches will
enable board specific functionality for Xeon-SP.

The reason for moving to version 2 is the state save area begins to
encroach upon the SMI handling code when more than 32 CPU threads are
in the system. This can cause system hangs, reboots, etc. The second
change is related to staggered entry points with simple near jumps. In
the current loader, near jumps will not work because the CPU is jumping
within the same code segment. In version 2, "far" address jumps are
necessary therefore protected mode must be enabled first. The SMM
layout and how the CPUs are staggered are documented in the code.

By making the modifications above, this allows the smm module loader to
expand easily as more CPU threads are added.

TEST=build for Tiogapass platform under OCP mainboard. Enable the
following in Kconfig.
        select CPU\_INTEL\_COMMON\_SMM
        select SOC\_INTEL\_COMMON\_BLOCK\_SMM
        select SMM\_TSEG
        select HAVE\_SMI\_HANDLER
        select ACPI\_INTEL\_HARDWARE\_SLEEP\_VALUES

Debug console will show all 36 cores relocated. Further tested by
generating SMI's to port 0xb2 using XDP/ITP HW debugger and ensured all
cores entering and exiting SMM properly. In addition, booted to Linux
5.4 kernel and observed no issues during mp init.

Change-Id: I00a23a5f2a46110536c344254868390dbb71854c
Signed-off-by: Rocky Phagura <rphagura@fb.com>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/43684
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Angel Pons <th3fanbus@gmail.com>

*   Loading branch information

CVE-2022-29264: cpu/x86/smm: Introduce SMM module loader version 2 · coreboot/coreboot@afb7a81

New ad blocker and anti-tracker modules as well as whitelist capabilities provide consumers with secure and private Web browsing.

BUCHAREST, Romania and SANTA CLARA, Calif., April 21, 2022 -- Bitdefender, a global cybersecurity leader, today announced new enhancements to its Bitdefender Premium Virtual Private Network (VPN) Service designed to bolster privacy, identity protection and security for consumers. New ad blocker and anti-tracker modules as well as whitelist capabilities provide consumers with secure and private web browsing from anywhere in the world using a computer or mobile device. It is simple to set up and comes with an intuitive interface for any level user.

Cybersecurity and data privacy are converging as consumers grow increasingly concerned about who has access to their personally identifiable information, as well as data collected about their online activities and how that data is sold, traded and used. Even when consumers use so-called "Private Browsing" or "Incognito" modes on major web browsers, internet service providers (ISPs), wireless hotspots and websites often still collect information about their browsing history and online behavior.

Data tracking, spyware and other malicious threats are still a reality on open public Wi-Fi networks. According to Firefox telemetry, about 80 percent of web traffic globally is encrypted. Additionally, a study found that about six percent of the top 10,000 websites secured by HTTPS had TLS protocol security flaws.

Recent Bitdefender research revealed that most consumers are highly exposed to risk, with the majority (61 percent) not using VPN services and anti-trackers, ad blockers (44 percent) or privacy software of any type (64 percent) on the personal devices they use most for online activities.

"It has become increasingly difficult for consumers to maintain privacy and keep their data secure as they conduct their digital lives online," said Ciprian Istrate, vice president, Bitdefender Consumer Solutions. "We incorporated ad blocking and anti-tracking capabilities to Bitdefender Premium VPN to deliver both solid protection and anonymity as users enjoy favorite online activities without concern their online behaviors are being tracked or personal data collected and sold either legally or illegally."

**Bitdefender Premium VPN Key Features**

*   **Powerful Encryption for All Web Traffic** \-- Securely encrypt all incoming and outgoing web traffic for Windows, Mac, Android and iOS devices leveraging over 4,000 Bitdefender VPN servers across 49 countries. Keep online identities and activities safe from hackers, ISPs and others for safe online streaming and downloads, with no traffic logs.
*   **Built-In Ad Blocker for Better Browsing Experience** \-- Native ad blocker module removes ads, banners, pop-ups and video ads from websites for a better browsing experience. Blocking intrusive ads reduces the risk of adware and malware, and helps users save bandwidth while reclaiming the entire screen for relevant content only.
*   **Prevent Online Profiling With Anti-Tracker --** Block advertisers, websites and other third-parties from collecting data such as device type, location, web queries, shopping preferences and more. Preventing the collection of such data not only protects consumer privacy, it can speed performance of users' devices.
*   **Achieve System-Wide Protection --** As opposed to web browser extensions that only offer privacy within that browser, Bitdefender VPN Premium blocks disrupting ads and tracking modules across the user's entire device without slowing down systems or leaving gaps in defense.
*   **Whitelist Trusted Websites --** Easily make exceptions to ad blocking and anti-tracking features as desired, by adding the URLs of specific, trusted domains to a whitelist. This enables VPN users to ensure secure, encrypted browsing while accessing websites that might otherwise not load properly when tracking codes are blocked.

**Availability**

Bitdefender Premium VPN is available for Windows, macOS, Android and iOS devices. New ad blocker, anti-tracker and whitelist capabilities are now available to all users, including free and trial customers. For more information or to purchase Bitdefender Premium VPN visit https://www.bitdefender.com/solutions/vpn.html.

**About Bitdefender**

Bitdefender provides cybersecurity solutions with leading security efficacy, performance and ease of use to small and medium businesses, mid-market enterprises and consumers. Guided by a vision to be the world's most trusted cybersecurity solutions provider, Bitdefender is committed to defending organizations and individuals around the globe against cyberattacks to transform and improve their digital experience. For more information, visit https://www.bitdefender.com.

Bitdefender Enhances Premium VPN Service With New Privacy Protection Technologies

From increasing cybersecurity awareness in staff, students, and parents to practicing good security hygiene for devices, using endpoint protection, and inspecting network traffic, schools can boost cybersecurity to keep students safe.

Since the onset of the pandemic, cyberattacks on schools and educational institutions have skyrocketed. In fact, K12 Security Information Exchange, a Virginia-based nonprofit that helps schools defend against cybersecurity risk, tracked more than 1,200 cybersecurity incidents since 2016 in US public school districts, consisting of ransomware attacks, grading system breaches, and child stalkers.

Students, teachers, and parents are increasingly reliant on technology to execute virtual learning. Tech plays a role in everything from personal student information to attendance and grading records. This sensitive data is more vulnerable to breaches, demanding that educational institutions get serious about bolstering their cybersecurity strategies.

Most public schools are exactly known for having robust budgets. While many educational institutions lack the funds for a full-scale cybersecurity plan or full-time IT staff, there are things that can be done to ensure that devices managed by schools are kept safe and secure. To protect a school, it's important to understand why and how cybercriminals target schools, and to train students and employees in best practices for ensuring that school-managed devices are used properly and securely.

**Why Do Attackers Target Schools?  
**Compared with the financial stakes of corporations and critical identification information housed within government agencies, it seems odd that a hacker would target public schools. But it turns out that there is more to be stolen than just lunch money.

The fact is that K-12 schools possess _loads_ of data, especially since schools turned to remote learning. In the last three years, schools handed out millions of digital devices and mobile hotspots to students and employees. These devices are used to access an increasingly large portfolio of online programs and apps for instruction. Without proper policies or device management systems in place, students have unfettered access to the Internet and the dangers within it. Not only are hackers finding their own way in, but user-initiated risk is also a concern. With increased entry points, hackers have myriad opportunities to uncover important data that helps facilitate identity theft. Personal information such as children's Social Security numbers is exposed through a cyberattack on a school, creating a very real problem for those too young to protect themselves.

It turns out that cybercriminals know about school funding problems too. Armed with the assumption that a K-12 school doesn't have the budget to implement and maintain a sophisticated cybersecurity system, hackers find themselves with a roster of easy targets. Not even higher education institutions are immune to cyberattacks. In fact, a university or college's high tuition costs are actually a motivator. In these cases, cybercriminals can take a university's website hostage in order to receive payments.

While educational institutions might offer the best in higher learning, the level of security systems put in place can vary. Without basic training, students and teachers are especially unaware of the tactics used by cybercriminals to obtain information.

Additionally, the sustained use of legacy infrastructure combined with the use of unprotected personal devices can also make an institution more susceptible to bugs and data breaches.

**Common Ways Schools Are Being Targeted  
**Douglas Levin, national director at K12 Information Exchange, found in his research that schools are typically targeted in four major ways.

First, through ransomware. This malicious software can publish or block access to data or a computer system until the victim meets the cybercriminal's demands. Second, victims experience denial-of-service (DoS) attacks in which a cybercriminal interrupts services indefinitely and makes a network or device unavailable for use.

Third on the list is a classic DoS attack: zoombombing. This cyberattack in which an uninvited perpetrator hijacks a Zoom meeting occurred frequently during the pandemic, and became a disruption to learning. It's a concrete example of how modern education needs to evolve to achieve modern security, and a simple fix such as requiring a password to enter a Zoom meeting can help combat such disruptions. Finally, schools are often victims of phishing cyberattacks, in which the cybercriminal has the ability to steal user data like logins, personal addresses, and grading information.

**How Schools Can Protect Themselves  
**School IT teams can bolster cybersecurity with these steps:

*   **Increase cybersecurity awareness** through regular cybersecurity training and awareness campaigns. As students, parents, administrators, and teachers all face different cyber threats, it's essential that these training sessions are relevant to everyone in the system who has access to the school's network and devices.
*   **Practice good security hygiene** for devices. This includes updating software to the most current edition, backing up files, deleting redundant files, and uninstalling unwanted applications. Beyond the device, ensure websites are password protected, infrastructure is locked down, and default passwords are updated.
*   **Do regular checkups on your inventory of assets.** Compare and contrast how your current systems stack up against recommended cyber frameworks, keep a watchful eye on your inventory of assets, and invest in extra protections for legacy systems that are unable to be updated.
*   **Inspect network traffic and Internet use.** Don't allow users with school-issued devices to have free rein of the Internet. Restrict access to illegal or potentially malicious sites that don't meet safe Internet standards. Help your institution zero in on cybersecurity pain points to prioritize spending efforts when the budget is limited.
*   **Prevent unauthorized devices from operating on your networks**. This is best done by restricting administrative access and applying endpoint protection to all school-provided devices. Only IT departments should have administrative capabilities.
*   **Make your cyber policy easily accessible.** Ensure that all faculty, students, and parents are aware of the existing cyber policy, and where they can easily access it to reference. Provide security training sessions to help everyone understand the cyber policy details.

It's clear that educational institutions are at a higher risk for cyberattacks due to a lack of training and resources dedicated to cybersecurity. But savvy schools can keep their students and employees safer by understanding how attackers target schools, spreading cybersecurity awareness, and taking additional proactive steps to safeguard devices and systems.

Creating Cyberattack Resilience in Modern Education Environments

OWASP AntiSamy before 1.6.7 allows XSS via HTML tag smuggling on STYLE content with crafted input. The output serializer does not properly encode the supposed Cascading Style Sheets (CSS) content. NOTE: this issue exists because of an incomplete fix for CVE-2022-28367.

This release addresses a minor issue in the security fixes implemented in 1.6.6. While those fixes addressed most of the security concerns in the security issue reported to us by the researcher, our fix had a minor bug that allowed something to sneak through. This release fixes that, and includes the changes from 1.6.6.1 that compile AntiSamy.jar to Java 7 bytecode.

It specifically addresses CVE-2022-29577, which is the complete fix to: CVE-2022-28367: AntiSamy before 1.6.6 allows XSS via HTML tag smuggling on STYLE content. - https://www.cvedetails.com/cve/CVE-2022-29577.

CVE-2022-29577: Release Release version 1.6.7 · nahsra/antisamy

In GNOME Epiphany before 41.4 and 42.x before 42.2, an HTML document can trigger a client buffer overflow (in ephy_string_shorten in the UI process) via a long page title. The issue occurs because the number of bytes for a UTF-8 ellipsis character is not properly considered.

Merged requested to merge mcatanzaro/memory-corruption into master Apr 15, 2022

This reverts commit 232c6134.

I got my browser stuck in a crash loop today while visiting a website with a page title greater than ephy-embed.c's MAX\_TITLE\_LENGTH, the only condition in which ephy\_string\_shorten() is ever used. Turns out this commit is wrong: an ellipses is a multibyte character (three bytes in UTF-8) and so we're writing past the end of the buffer when calling strcat() here. Ooops.

Shame it took nearly four years to notice and correct this.

Edited Apr 15, 2022 by Michael Catanzaro

CVE-2022-29536: Fix memory corruption in ephy_string_shorten() (!1106) · Merge requests · GNOME / Epiphany · GitLab

Cloud security is constantly evolving and consistently different than defending on-premises assets. Denonia, a recently discovered serverless cryptominer drives home the point.

One of the more important points to get across when addressing cloud security is to make it clear to all involved that cloud security is not only different, but that it keeps evolving. If security professionals needed a reminder of this, they need to look no further than the recent discovery of Denonia, a cryptominer that operates in serverless environments.

Denonia was found by the Cado Security research team, and it released details a few days ago. Denonia is a Go-based cryptominer malware, and it appears to be the first such malware to specifically exploit AWS Lambda, the well-known serverless function execution service. The researchers indicate that Denonia was not widely disseminated and that it executes the XMRig mining software for stealing CPU cycles for mining Morero, while using techniques such as DNS-over-HTTPS (DoH) for evasion. The initial deployment mechanism is unknown but may be a matter of overprivileged environments.

While small in scope, Denonia is notable for its use of the cloud technology stack as intended —it's a Lambda function executing on a Linux environment like any other. This is interesting, as it means similar malware can execute in other serverless function execution environments from other cloud providers as well.

**How the Vulnerabilities Differ**  
To be clear, this is different than some of the vulnerabilities that have been reported across major providers recently, such as ChaosDB (a flaw in Azure's CosmosDB service found by the Wiz security team last year), AWS CloudFormation and AWS Glue issues found by Orca Security, and some of the Google Cloud GKE vulnerabilities raised by the Palo Alto Networks Unit 42 security research team. In those cases, the cloud providers worked directly with the research teams to address those issues.

When discussing cloud security, too often we hear some confusion about security responsibilities. While cloud providers have worked to clarify some of this via their different "shared responsibility models," end-user organizations retain the overall responsibility for securing their cloud estates. Cloud providers are responsible for the structural security of the cloud environment itself, but customers are responsible for the workloads. This includes both ensuring that environments have been properly configured with the adequate mixture of configurations that yield capabilities and privileges — often the realm of cloud security posture management (CSPM) and cloud permissions management (CPM) offerings — and also ongoing monitoring of the multiple events taking place within those cloud estates, which may fall under cloud workload protection platforms (CWPP) or even cloud detection and response (CDR).

The lesson, then, to be learned from the discovery of Denonia is that cloud security keeps evolving: Runtime threats against an organization are not simply the same malware that would execute on a virtual machine but evolve into containers — indeed, exposed container management interfaces or those with poor authentication are often used to launch unauthorized workloads — and now serverless workloads. Organizations looking to address this dynamic need to have the right elements of people, processes, and technology to properly understand the new threat landscape, to look deeply into their cloud stack, and to work together with their cloud engineering and development teams.

Denonia Malware Shows Evolving Cloud Threats

The rebranded Microsoft Purview platform integrates Microsoft 365 Compliance and Azure Purview, and adds new capabilities and products to help manage data no matter where it resides.

The shift to a hybrid workplace has forced organizations to rapidly adopt cloud technologies and remote access tools to enable ubiquitous connectivity.

That in turn has generated more data than ever before, and organizations are faced with the prospect of securing their data, managing data governance, and keeping up with compliance requirements. Collaboration tools can result in sensitive data leaks if not properly managed. Microsoft announced changes in its data governance platform to help customers see their assets across their entire data estate, along with helping to manage risks and regulatory compliance.

Microsoft has rebranded Azure Purview, which became generally available last fall, to Microsoft Purview and brought over the products that used to make up Microsoft 365 Compliance. Microsoft Purview also features new functionality in Microsoft Purview eDiscovery to improve identification of data stored in Teams; the general availability of Microsoft Purview Data Loss Prevention for macOS; and a preview of the ability to create encrypted documents for iOS and Android platforms.

Microsoft Purview will bring "that chief data officer and their team together with the risk officer, the compliance officer, and \[have\] a unified view and ability to manage data," says Alym Rayani, general manager of compliance and privacy at Microsoft.

For organizations, getting a sense of what data they have is a growing challenge, as is making sure the data isn’t leaving the organization in an unauthorized manner. Data has become the "lifeblood" of how businesses operate, says Rayani, but knowing what the organization has, or where it is even stored, is a growing challenge. The rapid adoption of cloud applications and remote access tool have expanded the data estate. An example would be how more employees are exchanging data using Microsoft Teams — not just in the chat or conversations, but also sharing files.

"Data lives everywhere. There's a lot of it," Rayani says, noting that about 93% of customers told Microsoft they store data across multiple clouds and multiple solutions.

**Understanding the Data**  
Before organizations can do anything about their data, they have to first understand it. Toward that goal, Microsoft expanded its sensitive information type catalog with more than 50 new classifiers, such as those covering patient and healthcare data. There were already 250 classifiers, for data elements such as credit card and Social Security numbers, Rayani says. These classifiers are available for DLP, Information Protection (auto-labeling), Data Lifecycle Management, Insider Risk Management, Records Management, eDiscovery, and Microsoft Priva.

The classifiers are necessary to identify sensitive data, and to allow organizations to create policies that accommodate the specific requirements for each type. There may be patient records that are considered confidential even if payment card numbers or Social Security numbers are not included.

"One of the things we've been hearing from customers is, 'Hey, I need to get a good understanding of my data environment, my data landscape. It lives across a range of systems. It lives in apps. It lives in different platforms,'" Rayani says.

**Governance to the Forefront**  
Microsoft Purview is not just about visibility or classifying data, but can give organizations governance tools that extend all across the data environment. Data leak prevention is one example, but another important area of data governance is insider risk management, Rayani says. While the idea of a malicious insider — the person trying to steal confidential information and intellectual property — is a classic example of insider threat, there is also a lot of the "inadvertent" insider — the one who accidentally exposes data while trying to do their job.

For example, a marketing employee trying to share something over Teams may violate data leak prevention policy. With Microsoft Purview, organizations have tools to warn the user in the moment that there is a policy violation, block the action, and offer an alternative method, such as a secure SharePoint site, Rayani says.

  

    

How each of the products in the Microsoft Purview family are branded. Source: Microsoft

Organizations frequently have to stitch together multiple products to give security, governance, compliance, and legal teams a clear view of what is happening in their environment. Almost 80% of IT decision-makers in the United States purchased multiple products to do so, and a majority had purchased three or more, according to a recent Microsoft survey. This patchwork of products can expose infrastructure gaps and is both costly and complex to manage, Jessica Hawk, Microsoft's corporate vice president of data, AI and mixed reality, wrote on the Azure blog. Microsoft Purview's goal is to provide a unified view to improve security, privacy, and compliance, she wrote.

The company will continue strengthening the integration between Azure products and Microsoft 365, as well as adding new capabilities. For example, sensitivity labels — which designate the data classification — will be consistent across products, and they will be viewable in both Microsoft Purview's compliance portal (formerly Microsoft 365 Compliance) and governance portal (Azure Purview).

"We believe the new way to optimize your data strategy is to deliver a unified view of data in the organization across hybrid, multicloud environments by bringing together the business users of data with the protectors of data," Hawk wrote.

Tag

#perl