Please see Security Advisories for the week ending January 15, 2021
- Microsoft Releases January 2021 Security Updates
- Cisco Releases Security Updates for Multiple Products
- Apache Releases Security Advisory for Tomcat
- Juniper Networks Releases Security Updates for Multiple Products
- Adobe Releases Security Updates for Multiple Products
- Mozilla Releases Security Update for Thunderbird
- SAP Releases January 2021 Security Updates
________________________________
Microsoft Releases January 2021 Security Updates
Situation
Microsoft has released its monthly security updates for December 2020. These updates address vulnerabilities in the following Microsoft software:
- Microsoft Windows
- Microsoft Defender
- Microsoft Edge (Edge HTML and Chromium-based)
- Microsoft Office and Microsoft Office Services and Web Apps
- Microsoft Windows Codecs Library
- Visual Studio
- SQL Server
- Microsoft Malware Protection Engine
- .NET Core
- .NET Repository
- ASP .NET
- Azure
Problem
Microsoft has released fixes for 83 vulnerabilities, of which 10 are classified as Critical and 73 as Important. The most serious of these vulnerabilities are a zero-day Microsoft Defender remote code execution vulnerability (CVE-2021-1647) and the previously disclosed Microsoft splwow64 elevation of privilege vulnerability (CVE-2020-0986 and CVE-2021-1648).
Implication
Microsoft has fixed a variety of vulnerabilities, with the impact depending on the product and vulnerability. The most severe could allow a remote attacker to take control of the affected system.
Need
Microsoft recommends updating all affected Microsoft software as soon as possible to protect against these vulnerabilities.
For a brief overview:
https://msrc.microsoft.com/update-guide/releaseNote/2021-Jan
________________________________
Cisco Releases Security Updates for Multiple Products
Situation
Cisco has discovered numerous vulnerabilities in several products, including AnyConnect, Connected Mobile Experiences, and Small Business Routers management interfaces.
Problem
Cisco has found numerous newly discovered vulnerabilities across its products and has issued patches. Unpatched systems are exposed to a multitude of vulnerabilities that could allow attackers to escalate privileges or perform information-gathering attacks, and could allow an unauthenticated remote attacker to execute arbitrary code with root privileges.
Implication
Failure to patch systems could result in loss of control of affected systems and possible compromise of system and network integrity.
Need
Cisco advises patching the software and hardware to the most recent security updates as soon as possible.
For a more technical overview:
https://tools.cisco.com/security/center/publicationListing.x
________________________________
Apache Releases Security Advisory for Tomcat
Situation
Apache has released a patch for a Tomcat vulnerability that affects the following versions:
- Apache Tomcat 10.0.0-M1 to 10.0.0-M9
- Apache Tomcat 9.0.0.M1 to 9.0.39
- Apache Tomcat 8.5.0 to 8.5.59
- Apache Tomcat 7.0.0 to 7.0.106
Problem
When serving resources from a network location using the NTFS file system, it may be possible to bypass security constraints and/or view the source code for JSPs in some configurations.
Implication
If an attacker exploits this vulnerability, they could obtain sensitive information.
Need
- Upgrade to Apache Tomcat 10.0.0-M10 or later
- Upgrade to Apache Tomcat 9.0.40 or later
- Upgrade to Apache Tomcat 8.5.60 or later
- Upgrade to Apache Tomcat 7.0.107 or later
For a brief overview:
https://us-cert.cisa.gov/ncas/current-activity/2021/01/15/apache-releases-security-advisory-tomcat
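An added example (not part of the original advisory and not Apache's code): a Python check that classifies Tomcat version strings against the affected ranges and fixed releases listed above. It parses milestone builds numerically, because a plain string comparison sorts 10.0.0-M10 before 10.0.0-M9; the inventory at the bottom is constructed sample data.

```python
import re

# Affected ranges and first fixed releases, copied from the advisory text above.
# Keyed by (major, minor) release line: (first affected, first fixed).
ADVISORY = {
    (10, 0): ("10.0.0-M1", "10.0.0-M10"),
    (9, 0): ("9.0.0.M1", "9.0.40"),
    (8, 5): ("8.5.0", "8.5.60"),
    (7, 0): ("7.0.0", "7.0.107"),
}

# Accepts x.y.z with an optional milestone suffix written as -M<n> or .M<n>.
_VERSION = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[.-]M(\d+))?$")


def parse(version):
    """Return a sortable key; milestones (M<n>) sort before the final x.y.z."""
    m = _VERSION.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {version!r}")
    major, minor, patch = (int(g) for g in m.groups()[:3])
    milestone = m.group(4)
    # (0, n) for milestone n, (1, 0) for a final release, so M9 < M10 < final.
    stage = (0, int(milestone)) if milestone else (1, 0)
    return (major, minor, patch, stage)


def status(version):
    """Classify a version as 'affected', 'fixed' or 'not listed'."""
    key = parse(version)
    line = ADVISORY.get(key[:2])
    if line is None:
        return "not listed"  # release line is not named in this advisory
    first_affected, first_fixed = (parse(v) for v in line)
    if key >= first_fixed:
        return "fixed"
    if key >= first_affected:
        return "affected"
    return "not listed"


if __name__ == "__main__":
    # Constructed inventory of installed version strings.
    inventory = ["10.0.0-M9", "10.0.0-M10", "9.0.0.M1", "9.0.39",
                 "8.5.60", "7.0.106", "8.0.53"]
    for v in inventory:
        print(f"{v:12} {status(v)}")
```

A result of "not listed" means only that this advisory does not name the release line, not that the version is unaffected.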
________________________________
Juniper Networks Releases Security Updates for Multiple Products
Situation
Juniper Networks has released security updates to address vulnerabilities affecting multiple products.
Problem
Juniper Networks has released security updates to address vulnerabilities affecting multiple products. An attacker could exploit some of these vulnerabilities to take control of an affected system.
Implication
Failure to patch systems could result in loss of control of affected systems and possible compromise of system and network integrity.
Need
CISA and Juniper Networks encourage users and administrators to review the Juniper Networks technical overview page, linked below, and apply the necessary updates.
For a more technical overview:
https://kb.juniper.net/InfoCenter/index?page=content&channel=SECURITY_ADVISORIES
________________________________
Adobe Releases Security Updates for Multiple Products
Situation
Adobe is releasing security updates across multiple software applications to address vulnerabilities that may allow a remote attacker to exploit unpatched software and gain remote access to, or control of, the machine with the software installed.
Problem
Adobe has found and patched vulnerabilities in its software packages. These vulnerabilities could allow a remote attacker to exploit the software and gain remote access to or control of the affected machine, or obtain leaked information from the application. The affected programs are Illustrator, Animate, Photoshop, Campaign Classic, InCopy, Captivate, and Bridge.
Implication
If this software remains unpatched, a remote attacker could exploit it to obtain remote access to or remote control over the affected machine, or to obtain information from the software.
Need
Adobe recommends installing the latest patches for the affected software distributions.
- Photoshop APSB21-01
- Illustrator APSB21-02
- Animate APSB21-03
- Campaign Classic APSB21-04
- InCopy APSB21-05
- Captivate APSB21-06
- Bridge APSB21-07
________________________________
Mozilla Releases Security Update for Thunderbird
Situation
Mozilla has discovered and patched vulnerabilities in its open-source email client Thunderbird.
Problem
Mozilla has found several bugs in its most recent version of Thunderbird that an attacker can exploit to take control of the system. Per Mozilla, a malicious peer could have modified a COOKIE-ECHO chunk in an SCTP packet in a way that potentially resulted in a use-after-free.
Implication
Failure to patch systems could result in loss of control of affected systems.
Need
Mozilla advises patching to the most up-to-date version of Thunderbird, version 78.6.1.
For a more technical overview:
https://www.mozilla.org/en-US/security/advisories/mfsa2021-02/
________________________________
SAP Releases January 2021 Security Updates
Situation
SAP has released security updates to address vulnerabilities affecting multiple products.
Problem
SAP has released security updates for: SAP Business Warehouse, SAP NetWeaver, SAP Commerce Cloud, SAP Master Data Governance, and SAP Banking Services. An attacker could exploit some of these vulnerabilities to take control of an affected system.
Implication
Failure to patch systems could result in loss of control of affected systems and possible compromise of system and network integrity.
Need
CISA and SAP encourage users and administrators to apply the necessary updates.
For a brief overview:
https://us-cert.cisa.gov/ncas/current-activity/2021/01/12/sap-releases-january-2021-security-updates
For a more technical overview:
https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=564760476