Even without an overarching dictionary of common definitions, the concept of a secure access service edge (SASE) has spread, but a standard could help cloud services work better together.

During the coronavirus pandemic, organizations had to quickly adjust to the disappearance of central offices, employees working from home, and applications moving to the cloud.

The solution usually involved a combination of technologies — such as flexible networking infrastructure, identity and device-base security, and cloud-native applications and capabilities — continuing a trend identified by business analyst firm Gartner in 2019, which dubbed it the secure access service edge, or SASE (pronounced "sassy").

The SASE collection of cloud-centric technologies focuses on the identity of users and devices, granular access controls, functionality pushed to the network edge, and a de-emphasis on data centers — essentially, it's a combination of security technologies and software-defined wide area network infrastructure, commonly referred to as SD-WAN.

The term, however, quickly became a buzzword in the industry, with companies claiming to be SASE-compliant or have products that supported SASE. For that reason, nonprofit industry association MEF — a global industry association focused on network, cloud, and technology — decided this week to create a standard lexicon for SASE technologies and services that defines service attributes, a framework and common definitions, and a zero-trust framework.

The goal is to make services communicate better about capabilities and to make features — especially security features — interoperable across infrastructure, says Stan Hubbard, principal analyst with MEF.

With SASE, "the user can be anything and anywhere, and security and network functions can be distributed away from the enterprise data center to maximize the availability of high-performance edges and security clouds," Hubbard says, adding that "SASE standards are key to addressing the top two SASE service provider challenges which impact growth and efficiency in the market — customer education and lack of an industry standard."

**SASE Deployment Won't Wait for a Standard**

Gartner predicts that SASE will continue to grow quickly. By 2025, about 80% of companies expect to unify their Web, cloud services, and private application access using SASE, up from 20% in 2021, according to Gartner.

Yet, don't expect companies to wait for standards, says Andrew Lerner, vice president and analyst at Gartner.

"We don’t expect the lack of standards to limit adoption, and we also don’t expect the ratification or creation of a new standard to instantly change anything in the market," he says. "With time, we suspect that more offerings will emerge to achieve a certification, but vendors are not waiting, and enterprises aren't waiting either at this point."

The adoption is also driven by industry consolidation and organization's focus on simplifying their enterprise infrastructure. By 2025, about two-thirds (65%) of enterprises will consolidate a variety of SASE components into one or two SASE vendors, a massive increase from the 15% of companies that did so in 2021, according to Gartner.

Network technology and security firm Palo Alto Networks has seen similar industry consolidation. One customer, for example, simplified from nine products and five vendors down to a single SASE product, says Matt De Vincentis, vice president for SASE for the company, which is not a member of MEF.

"Almost every enterprise is trying to reduce the number of security tools and vendors that they have," he says. "Every time there is a new security vulnerability or availability issue, a new group of startups pop up to propose a solution. It's becoming unmanageable for customers."

**MEF Boosts the SASE Conversation**

Yet, with vendors and service providers claiming to have SASE products, both customers and partners need to establish a common dictionary and a common understanding of what capabilities SASE products should have, says MEF's Hubbard.

MEF has created standards, certification programs, and automation tools for the network, cloud, and service provider industries. The latest effort defines standards that define the attributes of SASE services and provides a framework for those services, while a second proposal creates a zero-trust framework for security services using identity, authentication, policy management, and access control to protect and secure organizations' data, systems, and networks.

"The SASE vendor ecosystem lacks common terminology leaving organizations challenged to compare SASE feature sets and solutions," Hubbard says. "Standards help simplify offerings and provide clarity for organizations when selecting SASE services. Choices can be made based on industry-standard features and common definitions allowing for easier evaluation and faster decision making and implementation."

With SASE Definition Still Cloudy, Forum Proposes Standard

Red Hat Security Advisory 2022-9076-01 - Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 102.6.0. Issues addressed include a use-after-free vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Important: thunderbird security update  
Advisory ID:       RHSA-2022:9076-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:9076  
Issue date:        2022-12-15  
CVE Names:         CVE-2022-45414 CVE-2022-46872 CVE-2022-46874  
                   CVE-2022-46878 CVE-2022-46880 CVE-2022-46881  
                   CVE-2022-46882  
====================================================================  
1. Summary:

An update for thunderbird is now available for Red Hat Enterprise Linux 8.2  
Advanced Update Support, Red Hat Enterprise Linux 8.2 Telecommunications  
Update Service, and Red Hat Enterprise Linux 8.2 Update Services for SAP  
Solutions.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream AUS (v. 8.2) - aarch64, ppc64le, x86_64  
Red Hat Enterprise Linux AppStream E4S (v. 8.2) - aarch64, ppc64le, x86_64  
Red Hat Enterprise Linux AppStream TUS (v. 8.2) - aarch64, ppc64le, x86_64

3. Description:

Mozilla Thunderbird is a standalone mail and newsgroup client.

This update upgrades Thunderbird to version 102.6.0.

Security Fix(es):

* Mozilla: Arbitrary file read from a compromised content process  
(CVE-2022-46872)

* Mozilla: Memory safety bugs fixed in Firefox ESR 102.6 and Thunderbird  
102.6 (CVE-2022-46878)

* Mozilla: Use-after-free in WebGL (CVE-2022-46880)

* Mozilla: Memory corruption in WebGL (CVE-2022-46881)

* Mozilla: Quoting from an HTML email with certain tags will trigger  
network requests and load remote content, regardless of a configuration to  
block remote content (CVE-2022-45414)

* Mozilla: Drag and Dropped Filenames could have been truncated to  
malicious extensions (CVE-2022-46874)

* Mozilla: Use-after-free in WebGL (CVE-2022-46882)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

All running instances of Thunderbird must be restarted for the update to  
take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

2149868 - CVE-2022-45414 Mozilla: Quoting from an HTML email with certain tags will trigger network requests and load remote content, regardless of a configuration to block remote content  
2153441 - CVE-2022-46872 Mozilla: Arbitrary file read from a compromised content process  
2153449 - CVE-2022-46874 Mozilla: Drag and Dropped Filenames could have been truncated to malicious extensions  
2153454 - CVE-2022-46878 Mozilla: Memory safety bugs fixed in Firefox ESR 102.6 and Thunderbird 102.6  
2153463 - CVE-2022-46880 Mozilla: Use-after-free in WebGL  
2153466 - CVE-2022-46881 Mozilla: Memory corruption in WebGL  
2153467 - CVE-2022-46882 Mozilla: Use-after-free in WebGL

6. Package List:

Red Hat Enterprise Linux AppStream AUS (v. 8.2):

Source:  
thunderbird-102.6.0-2.el8_2.src.rpm

aarch64:  
thunderbird-102.6.0-2.el8_2.aarch64.rpm  
thunderbird-debuginfo-102.6.0-2.el8_2.aarch64.rpm  
thunderbird-debugsource-102.6.0-2.el8_2.aarch64.rpm

ppc64le:  
thunderbird-102.6.0-2.el8_2.ppc64le.rpm  
thunderbird-debuginfo-102.6.0-2.el8_2.ppc64le.rpm  
thunderbird-debugsource-102.6.0-2.el8_2.ppc64le.rpm

x86_64:  
thunderbird-102.6.0-2.el8_2.x86_64.rpm  
thunderbird-debuginfo-102.6.0-2.el8_2.x86_64.rpm  
thunderbird-debugsource-102.6.0-2.el8_2.x86_64.rpm

Red Hat Enterprise Linux AppStream E4S (v. 8.2):

Source:  
thunderbird-102.6.0-2.el8_2.src.rpm

aarch64:  
thunderbird-102.6.0-2.el8_2.aarch64.rpm  
thunderbird-debuginfo-102.6.0-2.el8_2.aarch64.rpm  
thunderbird-debugsource-102.6.0-2.el8_2.aarch64.rpm

ppc64le:  
thunderbird-102.6.0-2.el8_2.ppc64le.rpm  
thunderbird-debuginfo-102.6.0-2.el8_2.ppc64le.rpm  
thunderbird-debugsource-102.6.0-2.el8_2.ppc64le.rpm

x86_64:  
thunderbird-102.6.0-2.el8_2.x86_64.rpm  
thunderbird-debuginfo-102.6.0-2.el8_2.x86_64.rpm  
thunderbird-debugsource-102.6.0-2.el8_2.x86_64.rpm

Red Hat Enterprise Linux AppStream TUS (v. 8.2):

Source:  
thunderbird-102.6.0-2.el8_2.src.rpm

aarch64:  
thunderbird-102.6.0-2.el8_2.aarch64.rpm  
thunderbird-debuginfo-102.6.0-2.el8_2.aarch64.rpm  
thunderbird-debugsource-102.6.0-2.el8_2.aarch64.rpm

ppc64le:  
thunderbird-102.6.0-2.el8_2.ppc64le.rpm  
thunderbird-debuginfo-102.6.0-2.el8_2.ppc64le.rpm  
thunderbird-debugsource-102.6.0-2.el8_2.ppc64le.rpm

x86_64:  
thunderbird-102.6.0-2.el8_2.x86_64.rpm  
thunderbird-debuginfo-102.6.0-2.el8_2.x86_64.rpm  
thunderbird-debugsource-102.6.0-2.el8_2.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-45414  
https://access.redhat.com/security/cve/CVE-2022-46872  
https://access.redhat.com/security/cve/CVE-2022-46874  
https://access.redhat.com/security/cve/CVE-2022-46878  
https://access.redhat.com/security/cve/CVE-2022-46880  
https://access.redhat.com/security/cve/CVE-2022-46881  
https://access.redhat.com/security/cve/CVE-2022-46882  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY5ug/tzjgjWX9erEAQh0kA/9FYWQo7DPaJ42rNiE78pcFYEc6CA8ZGBP  
LHbv060pE98N3G61Kly7offDi2QrN7x0VVauoxugg9zcF8fnSTMpahR0sMZ4aAqM  
o+CaoYKvq+IvqYi+a0n+wuJFsrcNT4DsjcW3k6+52WEIPmpN4M0conmqXn0LP/yA  
Kx36GH0KJHWTnIokS1mfbUid4rtKAd3cF4KlSlbEVJu5RSPTBngAWPNld0upJLcy  
WD0B8bhSUn7H9tpMw3isqEfSDae9+YGXHkyb9MB3ICALMLlvkQibkbF9wo/1Up0M  
895bgOjQ/CoxJaHRk5pEK+fqwufiWtdABDYM12PRfk3aSdd54jDpT9HG9nV3cZHR  
boVdaeuOJFyZAzziiDZo2q9Je8Nm5ox8kgQ8UO5UY7Dr7AFNgbvIPYi3ISZ1RbZZ  
+9IuxSnW3YUrW/8QUqmyDruhS7deMYJogirvWdWwt5tSpAA5Tr7Aj1Cix3u8nHZZ  
Tej4JtE9Ch8gq7s7ppwj2hif+1JV7liUWtEp4YtKvqA+R/5svqBBwS6EI+4Woj72  
jY9YrporG0NoOPcWKt3bf5Zhr1fimiwnubJy5a6vDT9LheouWEEU+F51pz/u/ldB  
Jets+wx2yhT0fh7V/4rufKw6G3XhTo5dZwZnDzkLBDFSx57t7g5VMZta++olFUpe  
jcpjOgm6OJw=nZth  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-9076-01

Red Hat Security Advisory 2022-9070-01 - Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. This update upgrades Firefox to version 102.6.0 ESR. Issues addressed include a use-after-free vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Important: firefox security update  
Advisory ID:       RHSA-2022:9070-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:9070  
Issue date:        2022-12-15  
CVE Names:         CVE-2022-46872 CVE-2022-46874 CVE-2022-46878  
                   CVE-2022-46880 CVE-2022-46881 CVE-2022-46882  
====================================================================  
1. Summary:

An update for firefox is now available for Red Hat Enterprise Linux 8.2  
Advanced Update Support, Red Hat Enterprise Linux 8.2 Telecommunications  
Update Service, and Red Hat Enterprise Linux 8.2 Update Services for SAP  
Solutions.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream AUS (v. 8.2) - aarch64, ppc64le, s390x, x86_64  
Red Hat Enterprise Linux AppStream E4S (v. 8.2) - aarch64, ppc64le, s390x, x86_64  
Red Hat Enterprise Linux AppStream TUS (v. 8.2) - aarch64, ppc64le, s390x, x86_64

3. Description:

Mozilla Firefox is an open-source web browser, designed for standards  
compliance, performance, and portability.

This update upgrades Firefox to version 102.6.0 ESR.

Security Fix(es):

* Mozilla: Arbitrary file read from a compromised content process  
(CVE-2022-46872)

* Mozilla: Memory safety bugs fixed in Firefox ESR 102.6 and Thunderbird  
102.6 (CVE-2022-46878)

* Mozilla: Use-after-free in WebGL (CVE-2022-46880)

* Mozilla: Memory corruption in WebGL (CVE-2022-46881)

* Mozilla: Drag and Dropped Filenames could have been truncated to  
malicious extensions (CVE-2022-46874)

* Mozilla: Use-after-free in WebGL (CVE-2022-46882)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

After installing the update, Firefox must be restarted for the changes to  
take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

2153441 - CVE-2022-46872 Mozilla: Arbitrary file read from a compromised content process  
2153449 - CVE-2022-46874 Mozilla: Drag and Dropped Filenames could have been truncated to malicious extensions  
2153454 - CVE-2022-46878 Mozilla: Memory safety bugs fixed in Firefox ESR 102.6 and Thunderbird 102.6  
2153463 - CVE-2022-46880 Mozilla: Use-after-free in WebGL  
2153466 - CVE-2022-46881 Mozilla: Memory corruption in WebGL  
2153467 - CVE-2022-46882 Mozilla: Use-after-free in WebGL

6. Package List:

Red Hat Enterprise Linux AppStream AUS (v. 8.2):

Source:  
firefox-102.6.0-1.el8_2.src.rpm

aarch64:  
firefox-102.6.0-1.el8_2.aarch64.rpm  
firefox-debuginfo-102.6.0-1.el8_2.aarch64.rpm  
firefox-debugsource-102.6.0-1.el8_2.aarch64.rpm

ppc64le:  
firefox-102.6.0-1.el8_2.ppc64le.rpm  
firefox-debuginfo-102.6.0-1.el8_2.ppc64le.rpm  
firefox-debugsource-102.6.0-1.el8_2.ppc64le.rpm

s390x:  
firefox-102.6.0-1.el8_2.s390x.rpm  
firefox-debuginfo-102.6.0-1.el8_2.s390x.rpm  
firefox-debugsource-102.6.0-1.el8_2.s390x.rpm

x86_64:  
firefox-102.6.0-1.el8_2.x86_64.rpm  
firefox-debuginfo-102.6.0-1.el8_2.x86_64.rpm  
firefox-debugsource-102.6.0-1.el8_2.x86_64.rpm

Red Hat Enterprise Linux AppStream E4S (v. 8.2):

Source:  
firefox-102.6.0-1.el8_2.src.rpm

aarch64:  
firefox-102.6.0-1.el8_2.aarch64.rpm  
firefox-debuginfo-102.6.0-1.el8_2.aarch64.rpm  
firefox-debugsource-102.6.0-1.el8_2.aarch64.rpm

ppc64le:  
firefox-102.6.0-1.el8_2.ppc64le.rpm  
firefox-debuginfo-102.6.0-1.el8_2.ppc64le.rpm  
firefox-debugsource-102.6.0-1.el8_2.ppc64le.rpm

s390x:  
firefox-102.6.0-1.el8_2.s390x.rpm  
firefox-debuginfo-102.6.0-1.el8_2.s390x.rpm  
firefox-debugsource-102.6.0-1.el8_2.s390x.rpm

x86_64:  
firefox-102.6.0-1.el8_2.x86_64.rpm  
firefox-debuginfo-102.6.0-1.el8_2.x86_64.rpm  
firefox-debugsource-102.6.0-1.el8_2.x86_64.rpm

Red Hat Enterprise Linux AppStream TUS (v. 8.2):

Source:  
firefox-102.6.0-1.el8_2.src.rpm

aarch64:  
firefox-102.6.0-1.el8_2.aarch64.rpm  
firefox-debuginfo-102.6.0-1.el8_2.aarch64.rpm  
firefox-debugsource-102.6.0-1.el8_2.aarch64.rpm

ppc64le:  
firefox-102.6.0-1.el8_2.ppc64le.rpm  
firefox-debuginfo-102.6.0-1.el8_2.ppc64le.rpm  
firefox-debugsource-102.6.0-1.el8_2.ppc64le.rpm

s390x:  
firefox-102.6.0-1.el8_2.s390x.rpm  
firefox-debuginfo-102.6.0-1.el8_2.s390x.rpm  
firefox-debugsource-102.6.0-1.el8_2.s390x.rpm

x86_64:  
firefox-102.6.0-1.el8_2.x86_64.rpm  
firefox-debuginfo-102.6.0-1.el8_2.x86_64.rpm  
firefox-debugsource-102.6.0-1.el8_2.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-46872  
https://access.redhat.com/security/cve/CVE-2022-46874  
https://access.redhat.com/security/cve/CVE-2022-46878  
https://access.redhat.com/security/cve/CVE-2022-46880  
https://access.redhat.com/security/cve/CVE-2022-46881  
https://access.redhat.com/security/cve/CVE-2022-46882  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY5uhCNzjgjWX9erEAQherg/+LMLB/21bl4GmwLLL8/2eIGHY9tbmaSfl  
t0159LZ6kfabpE0j+buZ155ljY6aHzCuWcJBofBCIHAATgVjeZ1rzKdSEEJ2hqGt  
zrtXbpSq3e63YM9cgeeKGasOZk8GAq6IrRshqX0sE7YqkHjlxJiqZAU6GOal+RtC  
3SjBG2nCbEfgdRBPYr6GgBDN4KqvCDUdBFxK+TSv+5v2OL80m2kMpf6E7zsjPL3D  
VX6oEJ3P6gGatZZlq4BodglHPvPSL1yqwvucHQJ0V10G6WudFNBO8K6bQCLaRowl  
4BmqL82T/537ytSeClvjJQRaYH2pTuMC2PuF6Ryrrki+C/EVJYPA9Pj/NPWmsxhC  
YVKleKQ8NQpFsOJTy8NZ+STKJ0OE5Epm01AlDuiHRcr2WqqWIbd/yyYXYM9W3uYh  
L6vUU05JB16V3Au2IVeFR5lUpX16wkYgcIuijhXJfyJoPuVSYX9PxOcEydtKdyIw  
tZcCkn4aBaXP0af2heB6XbtHNVaPdzkVqZyvwUo1lMp2cheQpinalwD6002pUMB+  
i1eq4qP90rssf0EQqJ/e+W0yUlThzD4RCpK2RI1DsxM8/F7J7YLi40iH9smN3Sm8  
TLsYNfMldiuK1OTWKE8Chr/hJL6dlUvgGMH5/X+HqnFpHWztcDSoo4yZgRF3tJt+  
nua339DDTn8=kb0x  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-9070-01

Red Hat Security Advisory 2022-9071-01 - Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. This update upgrades Firefox to version 102.6.0 ESR. Issues addressed include a use-after-free vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Important: firefox security update  
Advisory ID:       RHSA-2022:9071-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:9071  
Issue date:        2022-12-15  
CVE Names:         CVE-2022-46872 CVE-2022-46874 CVE-2022-46878  
                   CVE-2022-46880 CVE-2022-46881 CVE-2022-46882  
====================================================================  
1. Summary:

An update for firefox is now available for Red Hat Enterprise Linux 8.1  
Update Services for SAP Solutions.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream E4S (v. 8.1) - ppc64le, x86_64

3. Description:

Mozilla Firefox is an open-source web browser, designed for standards  
compliance, performance, and portability.

This update upgrades Firefox to version 102.6.0 ESR.

Security Fix(es):

* Mozilla: Arbitrary file read from a compromised content process  
(CVE-2022-46872)

* Mozilla: Memory safety bugs fixed in Firefox ESR 102.6 and Thunderbird  
102.6 (CVE-2022-46878)

* Mozilla: Use-after-free in WebGL (CVE-2022-46880)

* Mozilla: Memory corruption in WebGL (CVE-2022-46881)

* Mozilla: Drag and Dropped Filenames could have been truncated to  
malicious extensions (CVE-2022-46874)

* Mozilla: Use-after-free in WebGL (CVE-2022-46882)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

After installing the update, Firefox must be restarted for the changes to  
take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

2153441 - CVE-2022-46872 Mozilla: Arbitrary file read from a compromised content process  
2153449 - CVE-2022-46874 Mozilla: Drag and Dropped Filenames could have been truncated to malicious extensions  
2153454 - CVE-2022-46878 Mozilla: Memory safety bugs fixed in Firefox ESR 102.6 and Thunderbird 102.6  
2153463 - CVE-2022-46880 Mozilla: Use-after-free in WebGL  
2153466 - CVE-2022-46881 Mozilla: Memory corruption in WebGL  
2153467 - CVE-2022-46882 Mozilla: Use-after-free in WebGL

6. Package List:

Red Hat Enterprise Linux AppStream E4S (v. 8.1):

Source:  
firefox-102.6.0-1.el8_1.src.rpm

ppc64le:  
firefox-102.6.0-1.el8_1.ppc64le.rpm  
firefox-debuginfo-102.6.0-1.el8_1.ppc64le.rpm  
firefox-debugsource-102.6.0-1.el8_1.ppc64le.rpm

x86_64:  
firefox-102.6.0-1.el8_1.x86_64.rpm  
firefox-debuginfo-102.6.0-1.el8_1.x86_64.rpm  
firefox-debugsource-102.6.0-1.el8_1.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-46872  
https://access.redhat.com/security/cve/CVE-2022-46874  
https://access.redhat.com/security/cve/CVE-2022-46878  
https://access.redhat.com/security/cve/CVE-2022-46880  
https://access.redhat.com/security/cve/CVE-2022-46881  
https://access.redhat.com/security/cve/CVE-2022-46882  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY5uhHtzjgjWX9erEAQjFOA//bCHb3VrCnrVth/bYPBQIQPFtFDxMpo1j  
L+xg1IkE+PZT+Jt4XUkLQUCbgUsLMTnevoW7sGLhmnt725ajJWHt3jfsSb0orSaq  
nfiTD0dN372RpXTAeIRx6wwqjcOu5ca5jMGjmH3YynyORNKWp88OUcBkyNEC2BSm  
qJop6fIeXLqej4sGYtuy/jmmUqMUAOyrpBPYZP7nKOop14gT++uZOlg0o4fHF1jS  
shXc6hWK+gEuIWR06aaBArZrRrCFWTYbDh7gUXQrcQmV932ySCPJdrGNitG0dzQq  
Yk0QiH6qRCZdYI15IuWOGmjR1aHL6OJ4gXeYcLYF/2+YS042S/xgpzkYtN+7LokO  
eRk7UPQkBlAYfhIO9CbFpAM9m9hGjam/kMAQAjDgyyPCwUxQLQ9ge06bZS7qvnHM  
QDu1Rbzea0IhakSJX80iEzLNVr8CCcYHWhp3wnjOYsknQ0mMADaOQJF20j586biL  
3NWSXWf9Zu+uR9yTcn9an0l9zdSJrb4iRWYkkpJWYVBJ1NB06wXpckd9h9s37Jw+  
BcM4OONW+SnkOCoQwbU+5oKh59ZRTDw7lLu9NN3PO0PfCot6JprF6ASSUahpiX36  
d3LDcJ2jgiqkJ5U0qkGVczliZAL0lrTEOQCTfrLSPVP2DPel2VIODzRBo2mQgSlR  
YsDGuPuX5k0=AKSZ  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-9071-01

Red Hat Security Advisory 2022-9080-01 - Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 102.6.0. Issues addressed include a use-after-free vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Important: thunderbird security update  
Advisory ID:       RHSA-2022:9080-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:9080  
Issue date:        2022-12-15  
CVE Names:         CVE-2022-45414 CVE-2022-46872 CVE-2022-46874  
                   CVE-2022-46878 CVE-2022-46880 CVE-2022-46881  
                   CVE-2022-46882  
====================================================================  
1. Summary:

An update for thunderbird is now available for Red Hat Enterprise Linux 9.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream (v. 9) - aarch64, ppc64le, s390x, x86_64

3. Description:

Mozilla Thunderbird is a standalone mail and newsgroup client.

This update upgrades Thunderbird to version 102.6.0.

Security Fix(es):

* Mozilla: Arbitrary file read from a compromised content process  
(CVE-2022-46872)

* Mozilla: Memory safety bugs fixed in Firefox ESR 102.6 and Thunderbird  
102.6 (CVE-2022-46878)

* Mozilla: Use-after-free in WebGL (CVE-2022-46880)

* Mozilla: Memory corruption in WebGL (CVE-2022-46881)

* Mozilla: Quoting from an HTML email with certain tags will trigger  
network requests and load remote content, regardless of a configuration to  
block remote content (CVE-2022-45414)

* Mozilla: Drag and Dropped Filenames could have been truncated to  
malicious extensions (CVE-2022-46874)

* Mozilla: Use-after-free in WebGL (CVE-2022-46882)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

All running instances of Thunderbird must be restarted for the update to  
take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

2149868 - CVE-2022-45414 Mozilla: Quoting from an HTML email with certain tags will trigger network requests and load remote content, regardless of a configuration to block remote content  
2153441 - CVE-2022-46872 Mozilla: Arbitrary file read from a compromised content process  
2153449 - CVE-2022-46874 Mozilla: Drag and Dropped Filenames could have been truncated to malicious extensions  
2153454 - CVE-2022-46878 Mozilla: Memory safety bugs fixed in Firefox ESR 102.6 and Thunderbird 102.6  
2153463 - CVE-2022-46880 Mozilla: Use-after-free in WebGL  
2153466 - CVE-2022-46881 Mozilla: Memory corruption in WebGL  
2153467 - CVE-2022-46882 Mozilla: Use-after-free in WebGL

6. Package List:

Red Hat Enterprise Linux AppStream (v. 9):

Source:  
thunderbird-102.6.0-2.el9_1.src.rpm

aarch64:  
thunderbird-102.6.0-2.el9_1.aarch64.rpm  
thunderbird-debuginfo-102.6.0-2.el9_1.aarch64.rpm  
thunderbird-debugsource-102.6.0-2.el9_1.aarch64.rpm

ppc64le:  
thunderbird-102.6.0-2.el9_1.ppc64le.rpm  
thunderbird-debuginfo-102.6.0-2.el9_1.ppc64le.rpm  
thunderbird-debugsource-102.6.0-2.el9_1.ppc64le.rpm

s390x:  
thunderbird-102.6.0-2.el9_1.s390x.rpm  
thunderbird-debuginfo-102.6.0-2.el9_1.s390x.rpm  
thunderbird-debugsource-102.6.0-2.el9_1.s390x.rpm

x86_64:  
thunderbird-102.6.0-2.el9_1.x86_64.rpm  
thunderbird-debuginfo-102.6.0-2.el9_1.x86_64.rpm  
thunderbird-debugsource-102.6.0-2.el9_1.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-45414  
https://access.redhat.com/security/cve/CVE-2022-46872  
https://access.redhat.com/security/cve/CVE-2022-46874  
https://access.redhat.com/security/cve/CVE-2022-46878  
https://access.redhat.com/security/cve/CVE-2022-46880  
https://access.redhat.com/security/cve/CVE-2022-46881  
https://access.redhat.com/security/cve/CVE-2022-46882  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY5uhGNzjgjWX9erEAQjtTw/6AqW1PdXm6F1AU3Neni40iiX0RA83g1uY  
B2BYJdojeJnh98kn7EpgUyPvoJaQuLd8CT8pqWvgr2g9Yl1vHrvz9gJeNasQxtmz  
nCzp41y6P7Gh8re+Fc9WFVEKkuT5Wl/u+4Q2gwIuUQMEeqd3aqg+DOyz6VbIObBs  
ftwwurT87UMm7hMt3sg9H7wQqn97/JQ2TUDD/eQVGFybXvDGVq/S4yG00IifO7rE  
jG2Gj1U0MMCdExNDpIxZ07zRkJJNAW4f0ywKNnsIGbyU3LSCwdfJS4UGCGLFaZDU  
rQZ2JwXp9QUBbVof3Sh8S47lft6XDYI1PlkwaX8T9CsNRNaQEQo0pjbOn4LK6uJ0  
I+0L5n3wH8gNlQQ8sAPsTjMjsKkrAkEovvNgC4+NFm408rlE3g0hSXTnnXVCc+3E  
/JfZJVrNE9vf2rwhv1xVcJ8ebqAbsdd7SZycZqe/BpeNqgW0ouKE99GP3baw4SkL  
FV739xDFbgdE08e/ltn7zfpnRP+nUBDouIopjmkej6jYvkk2ORUE6ywWvKrKNSHU  
2Uw+yyl/+RYzJ7C8+cTsC35B5gUDIBV4PjNV+oIXjJ7KkZaBP61mKjvkQ439NZob  
LUMdb4UuMInDJ4k3MKrZfQ1gw4pSFOG+62ve/XyS8vc/DSFF63T5y7HMSLGHvM8w  
kfxPKfoWkfc=yYPd  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-9080-01

Red Hat Security Advisory 2022-9077-01 - Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 102.6.0. Issues addressed include a use-after-free vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Important: thunderbird security update  
Advisory ID:       RHSA-2022:9077-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:9077  
Issue date:        2022-12-15  
CVE Names:         CVE-2022-45414 CVE-2022-46872 CVE-2022-46874  
                   CVE-2022-46878 CVE-2022-46880 CVE-2022-46881  
                   CVE-2022-46882  
====================================================================  
1. Summary:

An update for thunderbird is now available for Red Hat Enterprise Linux 8.1  
Update Services for SAP Solutions.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream E4S (v. 8.1) - ppc64le, x86_64

3. Description:

Mozilla Thunderbird is a standalone mail and newsgroup client.

This update upgrades Thunderbird to version 102.6.0.

Security Fix(es):

* Mozilla: Arbitrary file read from a compromised content process  
(CVE-2022-46872)

* Mozilla: Memory safety bugs fixed in Firefox ESR 102.6 and Thunderbird  
102.6 (CVE-2022-46878)

* Mozilla: Use-after-free in WebGL (CVE-2022-46880)

* Mozilla: Memory corruption in WebGL (CVE-2022-46881)

* Mozilla: Quoting from an HTML email with certain tags will trigger  
network requests and load remote content, regardless of a configuration to  
block remote content (CVE-2022-45414)

* Mozilla: Drag and Dropped Filenames could have been truncated to  
malicious extensions (CVE-2022-46874)

* Mozilla: Use-after-free in WebGL (CVE-2022-46882)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

All running instances of Thunderbird must be restarted for the update to  
take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

2149868 - CVE-2022-45414 Mozilla: Quoting from an HTML email with certain tags will trigger network requests and load remote content, regardless of a configuration to block remote content  
2153441 - CVE-2022-46872 Mozilla: Arbitrary file read from a compromised content process  
2153449 - CVE-2022-46874 Mozilla: Drag and Dropped Filenames could have been truncated to malicious extensions  
2153454 - CVE-2022-46878 Mozilla: Memory safety bugs fixed in Firefox ESR 102.6 and Thunderbird 102.6  
2153463 - CVE-2022-46880 Mozilla: Use-after-free in WebGL  
2153466 - CVE-2022-46881 Mozilla: Memory corruption in WebGL  
2153467 - CVE-2022-46882 Mozilla: Use-after-free in WebGL

6. Package List:

Red Hat Enterprise Linux AppStream E4S (v. 8.1):

Source:  
thunderbird-102.6.0-2.el8_1.src.rpm

ppc64le:  
thunderbird-102.6.0-2.el8_1.ppc64le.rpm  
thunderbird-debuginfo-102.6.0-2.el8_1.ppc64le.rpm  
thunderbird-debugsource-102.6.0-2.el8_1.ppc64le.rpm

x86_64:  
thunderbird-102.6.0-2.el8_1.x86_64.rpm  
thunderbird-debuginfo-102.6.0-2.el8_1.x86_64.rpm  
thunderbird-debugsource-102.6.0-2.el8_1.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-45414  
https://access.redhat.com/security/cve/CVE-2022-46872  
https://access.redhat.com/security/cve/CVE-2022-46874  
https://access.redhat.com/security/cve/CVE-2022-46878  
https://access.redhat.com/security/cve/CVE-2022-46880  
https://access.redhat.com/security/cve/CVE-2022-46881  
https://access.redhat.com/security/cve/CVE-2022-46882  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY5uhJNzjgjWX9erEAQiI6g//QAHaUzB5WdVmUnglLO6NAz1B7iHY9AFu  
lGJQij+kpcZWhhlJNO8ETcHckgpaFZ4Ybzew+lgKFClBFTg89g2ikwAoWykFVSU0  
qAJLnTsnsXbjXidkZUwsoQjFkWrZKw2AFtNI0oL6Yosf9UGaHHZj/JAlzX6YyEXk  
oXaWxK42fE5uYMSDmyfZOswfdfkKK+E20RNz1wmtg07Q23WGOZe6gY52zvQ+2wBA  
QLJWnMFZDzGG5OTTnHhKy/KKdoGE2ARKLZ91uNuWZFWO45CBhHurtDOUGQ4ig2kZ  
HblnRhiqWMC1A1j4faoKbjMc/Fkz40cDj/1xeSuRuKyFDfYPHjAoAH9p1OUcEkwX  
dmMS0ADGE8cTM7YlCRJ7mdtsLRa5AuJU2gjpGaT+NX1X12nT2AJEdk0mgvHVYuaA  
gZTuoHMfRU3lkmfx9Jl1lCmdlPlRAb2+t5KUGXvseOH8hdS/ykFpyymE1uFTMxSC  
GVEeDmxJ4Kh5MjrGmooMX5O8lo0Slo+RCRM1UJ2/f16GkD4FQ5WeIr8L1n9W6TZa  
Fe1ZKYgOC5fLW2l3e7KgyQkyWgCVrZG1kXR6qOMpOsL7cJMVGf0sxRfUD80kvw1f  
Q3RXhpyMulm7yj0dIKPhaTGoVsn9l4fTMfbewLgXEivDcQazx6GuajvRoZBpmcss  
qSWftN0eQtE=bnHu  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-9077-01

Bangresta version 1.0 suffers from a remote SQL injection vulnerability.

    ## Title: Bangresto 1.0 SQLi## Author: nu11secur1ty## Date: 12.16.2022## Vendor: https://axcora.com/, https://www.hockeycomputindo.com/2021/05/restaurant-pos-source-code-free.html## Demo: https://axcora.my.id/bangrestoapp/start.php## Software: https://github.com/mesinkasir/bangresto## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/Bangresto## Description:The `itemID` parameter appears to be vulnerable to SQL injection attacks.The payload ' was submitted in the itemID parameter, and a databaseerror message was returned.The attacker can be stooling all information from the database of thisapplication.## STATUS: CRITICAL Vulnerability[+] Payload:```MySQL---Parameter: itemID (GET)    Type: error-based    Title: MySQL >= 5.1 error-based - Parameter replace (UPDATEXML)    Payload: itemID=(UPDATEXML(2539,CONCAT(0x2e,0x7171767871,(SELECT(ELT(2539=2539,1))),0x7170706a71),2327))&menuID=1---```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/Bangresto)## Proof and Exploit:[href](https://streamable.com/moapnd)## Time spent`00:30:00`

Bangresta 1.0 SQL Injection

Reality has a way of asserting itself, irrespective of any personal or commercial choices we make, good or bad. For example, just recently, the city services of Antwerp in Belgium were the victim of a highly disruptive cyberattack. 
As usual, everyone cried "foul play" and suggested that proper cybersecurity measures should have been in place. And again, as usual, it all happens a bit too late.

Reality has a way of asserting itself, irrespective of any personal or commercial choices we make, good or bad. For example, just recently, the city services of Antwerp in Belgium were the victim of a highly disruptive cyberattack.

As usual, everyone cried "foul play" and suggested that proper cybersecurity measures should have been in place. And again, as usual, it all happens a bit too late. There was nothing special or unique about the attack, and it wasn't the last of its kind either.

So why are we, in IT, still happily whistling into the wind and moving along as if nothing happened? Is everyone's disaster recovery plan really that good? Are all the security measures in place – and tested?

**Let's Do a Quick Recap (of What You Should Be Doing)**

First, cover the basics. Perform proper user training that includes all of the usual: password hygiene, restrictions on account sharing, and clear instructions not to open untrusted emails or to access unscrupulous websites. It's an inconvenient fact that human actions continue to be the weakest link in cyber defense, but it's a fact.

Thinking about the infrastructure side, consider proper asset auditing, because you can't protect what you don't know exists. As a next step, implement network segmentation to separate all traffic into the smallest possible divisions.

Simply put, if a server does not need to see or talk to another server, then that server shouldn't be connected to the same VLAN, no exceptions. Remote access should move from traditional VPN access to zero-trust networking alternatives.

Everything must be encrypted, even if communication is internal only. You never know what has already been breached, so someone can eavesdrop where you least expect it.

Finally, don't let users randomly plug devices into your network. Lock ports and restrict Wi-Fi access to known devices. Users will complain, but that is just part of the tradeoff. Either way, exceptions should be kept to a minimum.

**Patching Your Servers Really Matters**

Moving on to servers, the key advice is to keep everything updated via patching. That's true for exposed, public-facing servers, such as web servers – but it's equally as true for the print server tucked away in the closet.

An unpatched server is a vulnerable server and it only takes one vulnerable server to bring down the fortress. If patching is too disruptive to do daily, look to alternative methods such as live patching and use it everywhere you can.

Hackers are crafty individuals and they don't need you to make it easier for them, so plug as many holes as possible – as fast as possible. Thanks to live patching, you don't have to worry about prioritizing vulnerabilities to patch, because you can just patch them all. There is no downside.

**Take a Proactive Approach**

If a server no longer has a reason to exist, decommission it or destroy the instance. Whether it's a container, VM, instance, or a node, you need to act ASAP. If you don't, you'll end up forgetting about it until it is breached. At that point, it's too late.

So, you should maintain a proactive approach. Keep up with the latest threats and security news. While some vulnerabilities have a disproportionate share of attention due to being "named" vulnerabilities, sometimes it's one of the countless "regular" vulnerabilities that hits the hardest. You can use a vulnerability management tool to help with this.

Put in place a disaster recovery plan. Start from the simple premise of "what if we woke up tomorrow and none of our IT worked?"

Answer these questions: How quickly can I get barebone services up and running? How long does it take to restore the entire data backup? Are we testing the backups regularly? Is the deployment process for services properly documented… even if it's a hardcopy of the ansible scripts? What are the legal implications of losing our systems, data, or infrastructure for several weeks?

**Most Importantly: Act Now, Don't Delay**

If you struggle with any of the answers to the questions above, it means you have work to do – and that's not something you should delay.

As an organization, you want to avoid getting into a position where your systems are down, your customers are going to your competitor's website, and your boss is demanding answers – while all you have to offer is a blank stare and a scared look on your face.

That said, it's not a losing battle. All the questions we posed can be answered, and the practices described above – while only just scratching the very surface of everything that should be done – are a good starting point.

If you haven't yet looked into it… well, the best starting point is right now – before an incident happens.

_This article is written and sponsored by_ _TuxCare__, the industry leader in enterprise-grade_ _Linux automation__. TuxCare offers unrivaled levels of efficiency for developers, IT security managers, and_ _Linux server administrators_ _seeking to affordably enhance and simplify their cybersecurity operations. TuxCare's Linux kernel live security patching, and standard and_ _enhanced support services_ _assist in securing and supporting over one million production workloads._

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Cyber Security Is Not a Losing Game – If You Start Right Now

InfraGard's members include key security decision-makers and stakeholders from all 16 US civilian critical-infrastructure sectors.

A hacker using the handle "USDoD" has reportedly stolen contact information on more than 80,000 members of an FBI-run program called InfraGard and put the information up for sale on an English-speaking Dark Web forum.

The information the hacker accessed from InfraGard's database appears to be fairly basic and in some cases does not even include an email address, according to KrebsOnSecurity, which first reported on the incident this week. But the information belongs to CISOs, security directors, IT and C-suite executives, healthcare professionals, emergency managers, and law enforcement and military personnel directly responsible for protecting US critical infrastructure.

**A Potentially Valuable Asset**

As such, the stolen data represents a valuable asset for adversaries, says former InfraGard member Chris Pierson, currently CEO of BlackCloak, an online privacy-protection service for top executives and corporate leaders.

"The InfraGard database of contacts is a big win for any intelligence agency or nation-state to possess," Pierson says. The compromised data is nowhere close in sensitivity compared to major breaches such as the one that the US Office of Personnel Management (OPM) disclosed in 2015. Still, it is very practical and easy to use from an attacker's perspective, he says.

"While much of the information may be public or publicly available, the condensing of this information into the key people who run our nation's critical infrastructure is immensely valuable," Pierson notes. Personal addresses, personal cell phones, and easy access to which members possess a security clearance are all key pieces of data for an adversary to have, he says.

The FBI describes InfraGard as an initiative to bolster the nation's collective ability to defend against physical and cyber threats to critical infrastructure targets. It basically connects the FBI directly with critical infrastructure owners, operators, and security stakeholders. Its members include key security personnel and decision-makers from all 16 US civilian critical infrastructure sectors.

According to KrebsOnSecurity, the hacker "USDoD" gained access to the InfraGard database by first applying for a new account using the name, date of birth, and Social Security number of a chief executive officer at a large financial services company. The hacker apparently applied for InfraGard membership in November and provided an attacker-controlled email address and the actual phone number of the CEO, as contact information.

**An Opsec Lapse?**

Though InfraGard was supposed to have vetted that information, they never did and instead approved the application based on the information that the hacker had provided, KrebsOnSecurity reported. Similarly, though accessing InfraGard's portal requires two-factor authentication, the hacker found he could use the email address as a second factor instead — thereby obviating the need for access to the real CEO's phone.

Once on the portal, the attacker discovered that InfraGard user information could be relatively easily accessed via an API built into several components on the website, KrebsOnSecurity said, citing a direct conversation with the attacker. The hacker then apparently got a friend to code a Python query for retrieving all available InfaGard member information via the API. KrebsOnSecurity quoted the attacker as setting an asking price of $50,000 for the stolen dataset, but not really expecting any buyers at that price because of the basic nature of the information.

InfraGard member Will Carson, director of IT and cybersecurity at Cybrary, expressed frustration over the incident. “As an InfraGard member, it certainly isn't great to hear your information may have been disclosed from a news outlet before you hear from the impacted organization," he said in a statement responding to the news. He expressed disappointment over being unable to log into his InfraGard account after the apparent breach.

"Although I have full faith InfraGard leadership has a stronger grasp of the facts than I do from the outside, the radio silence to date makes me uneasy as a potentially impacted professional," he says.

The FBI did not immediately respond to a Dark Reading request for comment submitted via email to its press office.

Stolen Data on 80K+ Members of FBI-Run InfraGard Reportedly for Sale on Dark Web Forum

Facebook's parent company has also expanded bug-bounty payouts to include Oculus and other "metaverse" gadgets for AR/VR.

Facebook parent Meta will pay up to $300,000 to security researchers who report exploitable remote code execution (RCE) vulnerabilities in the Android and iOS versions of Facebook, Messenger, Instagram, and WhatsApp.

The actual amount will vary depending on the amount of user interaction — measured in "clicks" — to trigger the flaw. To qualify for the maximum payout, a security researcher would need to include working proof-of-concept code for exploiting the flaw in any of the current or previous two versions of Android or a currently supported version of Apple's iOS.

**Updated Payout Guidelines**

In addition to the updated guidelines for mobile RCE, Meta this week also released new payout guidelines for account takeover (ATO) and two-factor authentication (2FA) bypass vulnerabilities. 

The maximum payout for a 2FA flaw is $20,000, while that for an ATO vulnerability is $130,000. Here again, the actual payout will depend on the ease with which an attacker can exploit a vulnerability. For instance, a researcher who reports and demonstrates an exploitable zero-click authentication bug can garner the $130,000 payout, while a one-click ATO will fetch a $50,000 reward.

The company also introduced new payout guidelines for bugs reported in its Meta Quest Pro and other virtual reality (VR) technologies, making Meta one of the first companies to set rewards for vulnerabilities in VR and mixed-reality devices.

Meta's updated payout guidelines for mobile RCE bugs and its new rewards for ATO and authentication bypass flaws are the latest tweaks to the company's nearly 11-year bug-bounty program. Under it, Meta has so far paid some $16 million to freelance researchers from around the world who have reported bugs in its online platforms.

The latest changes are part of the company's effort to ensure that the bug bounties Meta offers and the products that are covered under the program remain aligned with evolving threats, says Neta Oren, the security engineer who leads Meta's bug-bounty initiative.

"Every year, we continue to learn new things about how to best engage with the community and adjust our program to address some of the most impactful areas in evolving spaces," Oren says. "Our program has grown from just covering Facebook's Web page in 2011 to now cover all of our Web and mobile clients across our family of apps, including Instagram, WhatsApp, Oculus, Workplace, and more."

**Crowdsourced Cybersecurity**

Meta's bug-bounty program is similar to those of the hundreds of other companies that have implemented crowdsourced vulnerability-hunting programs in recent years. Many security experts consider these programs as a relatively cost-effective way of finding vulnerabilities that internal security teams might have missed. The programs give ethical hackers a structured way to find and report vulnerabilities they might discover on a website or Web application — and receive a reward for their effort.

Many of these programs include Safe Harbor clauses that exempt security researchers working under the bug-bounty program from legal liability for their research. For vendors, the programs offer a way to get top-notch security researchers to essentially conduct penetration tests on their platforms in a relatively cost-effective manner. Importantly, it also gives them a better shot at ensuring that researchers report a vulnerability directly to them rather than disclosing it publicly before a fix is available, or worse, selling it to a gray-market purchaser.

Some, though, have cautioned about such programs collapsing under the volume of bug reports that researchers can submit, especially if the organization's security team isn't mature enough or ready enough to respond to them.

**Large Volume of Reports**

Since Facebook launched its bug-bounty program in 2011, the company has received more than 170,000 reports from bug hunters around the world. The company identified more than 8,500 of those reports to be valid vulnerability disclosures, for which it has paid a total of $16 million in rewards. 

So far this year, Meta has received some 10,000 reports from researchers in 45 countries and issued bounties totaling more than $2 million for 750 or so identified vulnerabilities. India, Nepal, and Tunisia topped the list of countries in terms of where bounties were awarded so far this year.

"One benefit of having a 10-plus-year bug-bounty program is that some of our researchers have dedicated years to hunting on our platform and have become extremely familiar with our products and services," Oren says. "These researchers are able to dig beyond surface-level issues and help us identify impactful but niche bugs that the broader community wouldn't necessarily know to look for."

One example of impactful-but-niche was an account takeover and 2FA bypass chain issue that a long-time security researcher reported this year in Facebook's phone number-based account recovery flow; the vulnerability could have allowed an attacker to reset passwords and take over accounts unprotected by 2FA. Meta awarded $163,000 for the discovery.

Tag

#sap