16/10/2021

Bugs aplenty as VMware, Cisco and F5 drop security updates

It is shaping up to be a busy week for administrators, as Cisco, VMware, F5 and OpenSSL have all released security updates for newly disclosed vulnerabilities.

So far there have been no reports of any of the bugs being exploited in the wild, but testing and deploying the fixes as soon as possible is advised, as a number of the vulnerabilities could allow code execution.

In Cisco's case, there are a total of 17 CVE-listed vulnerabilities resolved by 16 separate advisories, though most networks will only need a subset of these updates. The most serious of the flaws is CVE-2021-1577, an arbitrary file read/write vulnerability in Application Policy Infrastructure Controller (APIC). That bug is rated as a critical security risk.

Another bug, CVE-2021-22156, is listed as a critical vulnerability in BlackBerry QNX products, though Cisco said the QNX instances in its routing and switching equipment could not be exploited.

Customers running F5 equipment on the BIG-IP and BIG-IQ platforms will want to update following the release of a vendor advisory detailing 29 distinct security flaws across multiple versions of both product lines. None of the CVE-listed flaws is considered a critical security risk, but 13 of the 29 are rated high severity, including one (CVE-2021-23025) that could potentially allow remote code execution.

For VMware, this week's security update resolved a total of six CVE-listed vulnerabilities. The affected products are Cloud Foundation, vRealize Operations Manager (prior to version 8.5), and vRealize Suite Lifecycle Manager.

The worst of the VMware flaws is CVE-2021-22025, a broken access control vulnerability in the vRealize Operations Manager (vROps) API. An attacker with network access to the API could add new nodes to an existing vROps cluster, and those rogue nodes could then potentially manage other nodes within the virtual network.

Also worth noting are CVE-2021-22026 and CVE-2021-22027, a pair of server-side request forgery (SSRF) vulnerabilities in vRealize Operations Manager that could potentially allow information disclosure.

Moving on to OpenSSL, the security advisory addresses a pair of bugs that affect multiple builds. CVE-2021-3711 is a buffer overflow in SM2 decryption: an attacker who can present SM2 content for decryption can overflow the destination buffer by up to 62 bytes, corrupting adjacent data and potentially altering application behaviour or crashing the process. CVE-2021-3712 is a read buffer overrun in ASN.1 string handling that could cause a crash or potentially expose memory contents.

In both cases, updating to OpenSSL 1.1.1l patches the issue. Note that the 1.0.2 branch is also affected by CVE-2021-3712 but is out of public support, so 1.0.2 users need to move to a supported branch or obtain the fix through a premium support contract.
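Because "is this host fixed yet?" is the first question after such an advisory, the following shell function is an added example (not from the article or the OpenSSL project) that classifies the output of `openssl version` against the 1.1.1l fix release. The function name and the constructed sample version strings are assumptions for illustration. One caveat a practitioner should keep in mind: distributions such as Debian, Ubuntu and RHEL backport the fix into their packages without bumping the upstream letter suffix, so on those systems the version string alone is not conclusive and the package changelog is the authoritative source.

```shell
#!/bin/sh
# Added example: classify an `openssl version` string against OpenSSL 1.1.1l,
# the release that fixes CVE-2021-3711 and CVE-2021-3712 on the 1.1.1 branch.
# Prints exactly one word: patched, vulnerable, or unknown.
# Input may be the full "OpenSSL 1.1.1k  25 Mar 2021" line or just "1.1.1k".
openssl_1_1_1_status() {
    # Split the line on whitespace and drop a leading "OpenSSL" token if present.
    set -- $1
    [ "$1" = OpenSSL ] && shift
    ver=$1
    case "$ver" in
        # Bare 1.1.1 and 1.1.1a .. 1.1.1k predate the fix (a "-fips" style suffix is tolerated).
        1.1.1|1.1.1[a-k]|1.1.1[a-k]-*) echo vulnerable ;;
        # 1.1.1l and any later letter release carry the fix.
        1.1.1[l-z]|1.1.1[l-z]-*)       echo patched ;;
        # Other branches (1.0.2, 3.0.x, ...) are deliberately not judged here.
        *)                             echo unknown ;;
    esac
}

# Stand-alone usage: check the local binary if one is installed.
if command -v openssl >/dev/null 2>&1; then
    echo "local openssl: $(openssl version) -> $(openssl_1_1_1_status "$(openssl version)")"
fi
```

On a fleet, the same function can be fed the output of `ssh host openssl version` for each host; anything reported as `vulnerable` on a vendor-built (non-distro) OpenSSL needs the 1.1.1l update, and `unknown` results on 1.0.2 builds should be treated as affected by CVE-2021-3712 until proven otherwise.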