Security Leftovers
-
CISA Has Added One Known Exploited Vulnerability to Catalog | CISA
CISA has added one new vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risk to the federal enterprise. Note: To view the newly added vulnerabilities in the catalog, click on the arrow in the "Date Added to Catalog" column, which will sort by descending dates.
-
VMware fixes remotely exploitable flaw in open-source library XStream
Multi-cloud services provider VMware has issued a fix for a critical vulnerability in VMware Cloud Foundation which could have been exploited remotely.
The flaw would have enabled an attacker to carry out pre-authenticated remote code execution in VMware NSX Manager, according to the security firm Source Incite, which discovered the issue.
Satnam Narang, senior staff research engineer at security firm Tenable, said VMware had patched this flaw and one more on Tuesday.
"VMware released patches for two vulnerabilities in VMware Cloud Foundation, one of which is a vulnerability disclosed last year in an open-source library called XStream," he said.
"According to its advisory, VMware notes that an attacker could exploit the flaw by targeting an unauthenticated endpoint that leverages XStream to serialise inputs, which could lead to remote code execution.
"The affected version of the product is end-of-life, yet, due to the severity of the flaw, VMware chose to release a patch for it, indicating it is likely easy to exploit and may see in-the-wild exploitation in the near future."
-
Replace PSP with Kubewarden policy | SUSE Communities
Kubewarden is a policy engine for Kubernetes. Its mission is to simplify the adoption of policy-as-code. Since PodSecurityPolicy (PSP) is being deprecated in Kubernetes 1.21, you can use Kubewarden as a replacement for PSP policies.
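As an added illustration of the PSP-to-Kubewarden migration the SUSE post describes (this is example configuration written for this page, not SUSE's or the Kubewarden project's own), the first document is a PodSecurityPolicy that forbids privileged containers, and the second is a Kubewarden ClusterAdmissionPolicy that enforces the same rule through the admission webhook once PSP is removed. The policy module tag, the excluded namespaces and the initial monitor mode are assumptions; check the tag against the Kubewarden policy hub before applying.

```yaml
# Added example, not from the original post: a PSP and its Kubewarden equivalent.
---
# Before: the PodSecurityPolicy being retired. PSP also needs RBAC that binds it
# to the workload's service account; that plumbing is omitted here.
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: no-privileged
spec:
  privileged: false
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  runAsUser:
    rule: RunAsAny
  fsGroup:
    rule: RunAsAny
  volumes:
    - '*'
---
# After: the same rule as a cluster-wide Kubewarden validating policy.
apiVersion: policies.kubewarden.io/v1
kind: ClusterAdmissionPolicy
metadata:
  name: no-privileged
spec:
  # OCI reference of the upstream pod-privileged policy; the tag is an assumption.
  module: registry://ghcr.io/kubewarden/policies/pod-privileged:v0.2.5
  policyServer: default
  rules:
    - apiGroups: [""]
      apiVersions: ["v1"]
      resources: ["pods"]
      operations: ["CREATE", "UPDATE"]
  mutating: false
  # Start in monitor mode: violations are logged, not rejected. Switch to
  # "protect" once the audit log shows no legitimate workloads are affected.
  mode: monitor
  # Namespaces to exclude are an assumption; keep the policy-server's own
  # namespace out so a misconfiguration cannot lock the webhook out.
  namespaceSelector:
    matchExpressions:
      - key: kubernetes.io/metadata.name
        operator: NotIn
        values: ["kube-system", "kubewarden"]
  settings: {}
```

Apply the second document with kubectl and wait for the ClusterAdmissionPolicy to report an active status before relying on it; unlike PSP, which silently allowed pods when no policy matched the requesting service account, a Kubewarden policy evaluates every matching admission request, so the namespace selector and the monitor-then-protect rollout are what keep the cutover from breaking running workloads.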
-
Sigstore project announces general availability and v1.0 releases [Ed: Google (and IBM) one step closer to denying GNU/Linux users running software of their choice on their machines, hiding behind the front group called 'Linux' Foundation]
Today, the Sigstore community announced the general availability of their free, community-operated certificate authority and transparency log services. In addition, two of Sigstore’s foundational projects, Fulcio and Rekor, published v1.0 releases denoting a commitment to API stability. Google is proud to celebrate these open source community milestones.
Sigstore is a standard for signing, verifying, and protecting open source software. With increased industry attention being given to software supply chain security, including the recent Executive Order on Cybersecurity, the ability to know and trust where software comes from has never been more important. Sigstore simplifies and automates the complex parts of digitally signing software—making this more accessible and trustworthy than ever before.