Please see Security Advisories for the week ending December 4, 2020
- Apache Releases Security Advisory for Apache Tomcat
- Mozilla Releases Security Update for Thunderbird
- VMware Releases Security Updates for several products
- Apple Releases Security Updates for iCloud for Windows
- Xerox Releases Security Updates for DocuShare
________________________________
Apache Releases Security Advisory for Apache Tomcat
Situation
Apache has released a security advisory addressing a bug in Apache Tomcat.
Affected versions:
Apache Tomcat 10.0.0-M1 to 10.0.0-M9
Apache Tomcat 9.0.0.M5 to 9.0.39
Apache Tomcat 8.5.1 to 8.5.59
Problem
A bug was discovered in Apache Tomcat that allows re-use of HTTP headers from previous connections.
Implication
An attacker exploiting the bug can cause connection issues and possibly information leaks.
Need
If you are running an affected version, please update to the latest version.
For a brief overview:
________________________________
Mozilla Releases Security Update for Thunderbird
Situation
Mozilla has discovered and patched a vulnerability in Thunderbird versions prior to 78.5.1.
Problem
Thunderbird versions prior to 78.5.1 contain a condition that could, if exploited, allow a stack overflow that may lead to compromise of the application or system, or to an information leak.
Implication
Any unpatched system running Thunderbird is at risk of the vulnerability being used to take over the machine or to leak information from the software.
Need
Mozilla recommends updating Thunderbird to the latest versions to ensure the vulnerabilities are patched.
For a brief overview:
For a more technical overview:
https://www.mozilla.org/en-US/security/advisories/mfsa2020-53/#CVE-2020-26970
________________________________
VMware Releases Security Updates for several products
Situation
VMware has released security updates to address a vulnerability in VMware Workspace One Access, Access Connector, Identity Manager, and Identity Manager Connector.
Problem
VMware has identified how a malicious actor with network access to the administrative configurator on port 8443 and a valid password for the configurator admin account can execute commands with unrestricted privileges on the underlying operating system. This account is internal to the impacted products and a password is set at the time of deployment. A malicious actor must possess this password to attempt to exploit CVE-2020-4006.
Implication
Failure to patch systems could result in loss of control of affected systems and possible compromise of system and network integrity.
Need
VMware has released security updates for VMware Workspace One Access, Access Connector, Identity Manager, and Identity Manager Connector. VMware recommends upgrading to the latest version as soon as possible.
For a brief overview:
For a more technical overview:
https://www.vmware.com/security/advisories/VMSA-2020-0027.html
________________________________
Apple Releases Security Updates for iCloud for Windows
Situation
Apple has released security updates to address vulnerabilities in iCloud 11.3 (for Windows 10 and later).
Problem
Apple has patched multiple vulnerabilities in its iCloud for Windows product that, if exploited, could allow an attacker to compromise unpatched devices.
Implication
If an attacker is able to successfully exploit some of these vulnerabilities, they could perform arbitrary code execution, taking control of the affected system or gathering data and/or files.
Need
Apple recommends installing the latest updates for iCloud on the Windows operating system to protect against these vulnerabilities.
For a brief overview:
For a more technical overview:
https://support.apple.com/en-us/HT211935
________________________________
Xerox Releases Security Updates for DocuShare
Situation
Xerox has discovered and patched vulnerabilities in its DocuShare software.
Problem
Xerox has released security updates for DocuShare 6.6.1, 7.0, and 7.5 to address a vulnerability that could allow an unauthenticated attacker to obtain sensitive information.
Implication
Failure to patch systems could result in loss of control of affected systems and possible compromise of system and network integrity.
Need
Xerox has released security updates for DocuShare 6.6.1, 7.0, and 7.5. Please upgrade to the latest version to ensure that you are protected.
For a brief overview:
https://us-cert.cisa.gov/ncas/current-activity/2020/12/02/xerox-releases-security-updates-docushare
For a more technical overview: