“A remote code execution vulnerability exists in Microsoft SQL Server Reporting Services when it incorrectly handles page requests. An attacker who successfully exploited this vulnerability could execute code in the context of the Report Server service account.”
There exists a proof of concept and write-up.
And we consider most of our users do not expose Microsoft SQL Server Reporting Service directly to the internet, so this CVSS Environmental Score can be lowered down to a 7.6 (High).
Per Basefarm Vulnerability process we still consider this a priority 1 (of 3) issue, and we will not wait until normal patch window to mitigate this issue. Internally we are tracking this progress in BF-VLN-1990987, registered 2020-02-18.
Published by Wordfence: 2020-02-18
No known CVE
“This flaw allows attackers to remotely execute code on a site with the plugin installed, including the ability to execute code that can inject administrative user accounts.
This vulnerability has not yet been patched. We are only trying to get the word out so people can remove the plugin temporarily as the vulnerability is being actively exploited. ”
Basefarm considers this a Base CVSS Score: 9.8 (Critical) – there is no fix and it is currently being actively exploited.
Basefarm has done some initial investigations regarding the use of this WordPress Theme, but has not identified any customers or internal usage. Basefarm has decided not to track this vulnerability further internally, but want to make it visible by posting this vulnerability bulletin.
“vRealize Operations for Horizon Adapter uses a JMX RMI service which is not securely configured. VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.0.”
“vRealize Operations for Horizon Adapter has an improper trust store configuration leading to authentication bypass. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 8.6.”
“vRealize Operations for Horizon Adapter contains an information disclosure vulnerability due to incorrect pairing implementation between the vRealize Operations for Horizon Adapter and Horizon View. VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 5.3.”
The issue has been evaluated by our VMware technicians and Basefarm has concluded that we do not use Horizon Adapter and our systems are therefor not affected by these vulnerabilities.
“A vulnerability in the High Availability (HA) service of Cisco Smart Software Manager On-Prem could allow an unauthenticated, remote attacker to access a sensitive part of the system with a high-privileged account.”
The vulnerability has a CVSS Base score of 9.8, Critical.
Basefarm has triaged this vulnerability and found that we are not using the Cisco Smart Software Manager On-Prem software. Basefarm will not track this vulnerability further.
This blog post is a short summary of this week’s Information Security News put together by SecOps team.
Basefarm have started to publish vulnerability bulletin in the blog posts, feel free to share this with our customers:
Top 3 Security News:
This blog post is a summary of this week’s Information Security News put together by our Security Incident Response Team (SIRT).
It was October 1999. Macs had just got embedded Wi-Fi, Napster had launched, and Yahoo had purchased Geocities for $3.6bn. Something else happened that escaped most computer users at the time: CVE posted its first bug. The Common Vulnerabilities and Exposures (CVE) system is 20 years old this week.
Created by the non-profit Mitre Corporation, which oversees several federal government programs, CVE provides common identifiers for cybersecurity bugs, making them easier to track and fix.
Top 5 Security News
“When using the Apache JServ Protocol (AJP), care must be taken when trusting incoming connections to Apache Tomcat. Tomcat treats AJP connections as having higher trust than, for example, a similar HTTP connection. If such connections are available to an attacker, they can be exploited in ways that may be surprising.”
There is not enough details available yet, but the vulnerability has at least a CVSS Base score of 8.1, High. This depends on how hard it is to exploit, etc.
There is proof of concept published, but as of writing no known public exploitation of this vulnerability.
Basefarm customers will be upgraded as part of normal patching routines.