News

Security Alerts

October 18, 2019

Kubernetes Vulnerabilities Allow Authentication Bypass, DoS (CVE-2019-16276)

Summary

Two dangerous vulnerabilities have recently been discovered in Kubernetes, the open-source container-orchestration system: 
CVE-2019-16276
CVE-2019-11253

Impact

    October 1, 2019

    Vulnerability in Exim Could Allow for Remote Command Execution (CVE-2019-16928)

    Summary

    A vulnerability has been discovered in Exim, which could allow for unauthenticated remote attackers to execute arbitrary system commands on the mail server. Exim is a mail transfer agent used to deploy mail servers on Unix-like systems. Successful exploitation of this vulnerability will enable the attacker to perform command execution as root in the context of the mail server. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

    May 14, 2019

    Patch IMMEDIATELY! - Microsoft Remote Desktop Services Remote Code Execution Vulnerability (CVE-2019-0708)

    Summary

    *** Vulnerable RDP servers should be patched IMMEDIATELY even where there is a potential business impact (unscheduled maintenance). Notify security@berkeley.edu if you anticipate any delays in patching. ***

    MS Windows Error Reporting Local Privilege Escalation Vulnerability (CVE-2019-0863)

    Summary

    A zero-day elevation of privilege vulnerability exists in the way Microsoft Windows Error Reporting (WER) handles files. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode.

    While details about the use of the exploit are not available, it has reportedly been used in limited attacks against specific targets. Successful exploitation has been observed in the wild. [2][3]

    July 13, 2016

    Remote Code Execution Vulnerabilities in Drupal 7 Third-party Modules
    Highly critical remote code execution vulnerabilities have been announced by the Drupal security team for the third-party modules RESTWS, Coder, and Webform Multiple File Upload. Open Berkeley Drupal sites are NOT affected.

    June 13, 2016

    Apple Ends Support for Quicktime on Windows
    Apple has announced that it will no longer support Quicktime on Windows. All users are advised to remove Quicktime on Windows machines as there are multiple zero-day, remote code execution vulnerabilities that Apple has announced they will not be patching.

    October 14, 2014

    POODLE: SSL 3.0 Vulnerability (CVE-2014-3566)
    A major flaw, dubbed POODLE, has been discovered by Google in the design of SSL version 3.0.