News

Security Alerts

April 24, 2025

CVE-2025-0618 Code Injection

This is a notice from the Information Security Office to alert you of a medium-severity vulnerability that affects the Trellix HX management console for our EDR agent. This vulnerability can only be exploited by manipulating a previously compromised endpoint agent to send a malformed event to the console. The patch was applied to the console, and no change is needed on the endpoints.

May 7, 2024

CVE-2024-27322 Vulnerability in R Programming language

This is a notice from the Information Security Office to alert you to a vulnerability that impacts the R programming language. Please share this alert internally with IT admins, service owners, and researchers who run the product so they are aware and know what actions to take to address this vulnerability.

April 29, 2024

xz Utils

xz utils is a popular data compression library found in many Linux distributions. The critical vulnerability found in recent versions of the xz library, liblzma, includes a malicious code injection designed to allow unauthorized remote access. Click for more details.

CVE-2023-40547 Linux Shim Bootloader

Shim is a bootloader that facilitates the Secure Boot process on computers using Unified Extensible Firmware Interface. The bug involves trusting the remote server’s HTTP headers while booting over HTTP, which might allow an out-of-bounds write, and privileged code execution.

January 9, 2023

LastPass Security Incident

LastPass has updated the information on the Security Incident they disclosed in August. They have discovered that the attackers were able to leverage the information they got in August to gain access to some customer data including some encrypted vault backups. ISO has provided guidance to campus users of LastPass. Click for further details.

March 31, 2022

Vulnerability in the Spring Framework (CVE-2022-22965)

A critical vulnerability has been found in the widely used Java framework Spring Core. While Remote Code Execution (RCE) is possible and a Proof-of-Concept has already been released, how to exploit the vulnerability can vary based on system configuration and research on it is still evolving.

December 10, 2021

Critical Vulnerability in log4j (CVE-2021-44228)

A critical vulnerability has been found in the widely used Java logging library log4j. This vulnerability can allow remote code execution by an unauthenticated attacker, is easy to exploit, and proof of concept code is publicly available.

September 14, 2021

Critical vulnerability in Apple products

Apple released a security update for macOS, watchOS, iOS, iPadOS, and Safari. Apple is aware of a report of potential exploits in the wild.

July 27, 2021

MacOS, iPadOS, and iOS Local Privilege Escalation Vulnerability (CVE-2021-30807)

A software update was released fixing a local privilege escalation vulnerability affecting MacOS, iPadOS, and iOS. A proof of concept exploit has been publicly released and Apple reports this vulnerability is currently being exploited.

April 5, 2021

UC Email Security Incident Notice

Updated May 11, 2021:

UCOP Notice to UC Community: https://ucnet.universityofcalifornia.edu/data-security/index.html

Updated Apr. 15, 2021:

March 31, 2021

IRS Warning of Impersonation Attacks Targeting Universities

Mar. 31st - The Internal Revenue Service issued a warning of an ongoing IRS-impersonation scam that appears to primarily target educational institutions, including students and staff who have ".edu" email addresses. The phishing emails appear to target university and college students from both public and private, profit and non-profit institutions.

The fraudulent email displays the IRS logo and uses various subject lines such as "Tax Refund Payment" or "Recalculation of your tax refund payment." It asks people to click a link and submit a form to claim their refund.

February 11, 2021

Microsoft Patches for CVE-2021-24074 and CVE-2021-24094

This month Microsoft released patches for multiple serious vulnerabilities in the Windows TCP/IP network stack (including CVE-2021-24074, CVE-2021-24094)[1,2]. These vulnerabilities can allow for remote code execution. Additionally, Microsoft appears to have released patches for Windows 7 and Windows Server 2008 which are officially no longer supported.

January 26, 2021

Buffer Overflow in Sudo - Root Privilege Escalation Vulnerability (CVE-2021-3156)

A serious heap-based buffer overflow has been discovered in sudo that is exploitable by any local user. The flaw can be leveraged to elevate privileges to root, even if the user is not listed in the sudoers file. User authentication is not required to exploit the flaw. Researchers have developed working exploits against Ubuntu, Debian, and Fedora Linux distributions. Other UNIX-based operating systems and distributions are also likely to be exploitable. [1] [2]

October 15, 2020

Windows Vulnerability - CVE-2020-16898

A serious vulnerability exists in the Windows TCP/IP network stack [1,2]. Currently, it is known that this vulnerability can be used to trigger a Denial of Service (DoS) event, however, Microsoft and others are warning that it may also be possible to remotely execute code. An attacker can exploit this vulnerability by sending a crafted ICMPv6 Router Advertisement to the target system. The vulnerability does not require authentication or user-interaction.

June 18, 2020

Vulnerability in iOS Mail App

Summary

The Information Security Office is aware of published reports that there are flaws in the built-in Mail app on iPhones. These flaws reportedly allow attackers to get remote access in the context of the Mail app without any interaction on the users part. [1]

March 24, 2020

Windows Zero-Day Exploit: Type 1 Font Parsing Remote Code Execution Vulnerability

Summary

The Information Security Office (ISO) is aware of the new, unpatched Windows Zero-day exploit, that has been reported by Microsoft[1] and in the press[2]. The vulnerability is currently unpatched; however, workarounds are available.

March 13, 2020

Patch IMMEDIATELY – Microsoft SMBv3 Compression - Wormable RCE Vulnerability - CVE-2020-0796

Summary

*** Patch Windows 10 and affected Windows Server 2019 systems IMMEDIATELY, even where there is a potential business impact (unscheduled maintenance). Notify security@berkeley.edu if you anticipate delays in patching. ***

January 14, 2020

Patch IMMEDIATELY! - Microsoft Remote Desktop Gateway Remote Code Execution Vulnerability (CVE-2020-0610)

Summary

*** Vulnerable RD Gateway servers should be patched IMMEDIATELY even where there is a potential business impact (unscheduled maintenance). Notify security@berkeley.edu if you anticipate any delays in patching. ***

A remote code execution vulnerability exists in Windows Remote Desktop Gateway (RD Gateway).

Patch IMMEDIATELY! - Windows CryptoAPI Spoofing Vulnerability (CVE-2020-0601)

Summary

A spoofing vulnerability exists in the way Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates. This vulnerability affects the Microsoft Windows 10 desktop operating system, as well as Windows Server 2016 and 2019.

Microsoft has released a security update that addresses the vulnerability by ensuring that Windows CryptoAPI completely validates ECC certificates.

January 13, 2020

Vulnerability in Mozilla Firefox Could Allow for Arbitrary Code Execution

Summary

Mozilla has published an out-of-band patch for Mozilla Firefox and Firefox Extended Support Release (ESR). It fixes a type confusion vulnerability in Mozilla’s Javascript compiler, IonMonkey. This vulnerability is identified as CVE-2019-17026. [1]

Mozilla’s advisory states they are “aware of targeted attacks in the wild abusing this flaw.” Based on this note in the advisory, it appears the vulnerability was exploited in the wild as a zero-day. [2]