CVE-2017-3760

http://ift.tt/2ijguGi

References to Advisories, Solutions, and Tools

By selecting these links, you will be leaving NIST webspace. We have provided these links to other web sites because
they may have information that would be of interest to you. No inferences should be drawn on account of other sites
being referenced, or not, from this page. There may be other web sites that are more appropriate for your purpose.
NIST does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further,
NIST does not endorse any commercial products that may be mentioned on these sites. Please address comments about
this page to nvd@nist.gov.

Security News

via National Vulnerability Database http://ift.tt/OD63ZH

October 17, 2017 at 06:25PM

CVE-2017-3761

http://ift.tt/2gNbC8L

Security News

via National Vulnerability Database http://ift.tt/OD63ZH

October 17, 2017 at 06:25PM

CVE-2017-5531

http://ift.tt/2iinLpT

Security News

via National Vulnerability Database http://ift.tt/OD63ZH

October 17, 2017 at 06:25PM

CVE-2017-6273

http://ift.tt/2gOqJPw

Security News

via National Vulnerability Database http://ift.tt/OD63ZH

October 17, 2017 at 06:25PM

Oracle Patches 250 Bugs in Quarterly Critical Patch Update

http://ift.tt/2x2AZtn

Oracle patched 250 vulnerabilities across hundreds of different products as part of its quarterly Critical Patch Update released today.

Rounding out the list of products with the most patches is Oracle Fusion Middleware with 38 patches, Oracle Hospitality Applications with 37 and Oracle MySQL with 25.

The bulletin does not immediately indicate the number of critical patches. However, security researchers at Onapsis said they identified three high-risk SQL injection vulnerabilities in Oracle’s popular Oracle E-Business Suite (EBS).

“While all three are high-risk vulnerabilities, one (CVE-2017-10332) is very easy to exploit,” said JP Perez-Etchegoyen, CTO of Onapsis.

Onapsis is warning users of Oracle EBS (versions 12.1 and 12.2) that they are exposed to SQL injection vulnerabilities that could allow an attacker, over a network and without any username or password, to potentially gain access to and modify critical documents and information such as credit card data, customer information, HR documents or financial records.

Perez-Etchegoyen said each of the SQL injection vulnerabilities can easily be exploited by attackers, who could then disrupt, exfiltrate or manipulate data belonging to a business’ enterprise resource planning, supply chain management or finance management systems.

“These vulnerabilities are especially risky as an attacker would only need a web browser and network access to the EBS system HTTP interface to perform it,” Perez-Etchegoyen said.

Onapsis said vulnerabilities found in Oracle’s EBS are on the rise, with a 29 percent increase in 2017 compared to the previous year.

The patches come just weeks after Oracle OpenWorld where Larry Ellison, co-founder, executive chairman and chief technology officer of Oracle, stressed the importance of security during his keynote. Ellison also used the occasion to stress the importance of software patching in light of the recent Equifax breach.

Last month, Oracle used its advisory as an opportunity to remind users that in April it had fixed the Struts vulnerability (CVE-2017-5638) that was behind Equifax’s massive breach affecting 143 million Americans.

Organizations are falling down when it comes to patching their most important business-critical applications, Perez-Etchegoyen said.

Citing a recent Ponemon Research study, Perez-Etchegoyen said less than half of the 600 respondents interviewed said they have a monthly plan to implement security patches for their Oracle EBS applications. Seventy percent believe it is likely their company would have a data breach due to insecure Oracle EBS applications that they have failed to secure or apply patches to.

Also part of Oracle’s quarterly update are patches for its Java Platform, Standard Edition, which received 22 new security fixes. Twenty of these vulnerabilities may be remotely exploitable without authentication, that is, they may be exploited over a network without requiring user credentials, Oracle said. The highest CVSS base score among the vulnerabilities affecting Oracle Java SE is 9.6.

Impacted are Java Advanced Management Console, Java SE, Java SE Embedded and JRockit.

Oracle Database Server received six security fixes with two of the vulnerabilities remotely exploitable without authentication. Affected Oracle Database Server components include Spatial (Apache Groovy), WLM (Apache Tomcat), Java VM, RDBMS Security, Core RDBMS and XML Database.

Security News

via Threatpost | The first stop for security news http://threatpost.com

October 17, 2017 at 06:13PM

Do Work!

http://ift.tt/2ywXqdJ

Finding the way to your first job in cyber security
By Jonathan Omansky, Senior Director, Development, Security Technology & Response Team

Symantec’s Jonathan Omansky provides a simple set of steps to launch a career in cyber security and to address the critical shortage of qualified cyber security professionals. Check out his first article on how to break into the cyber security field. This week he focuses on step two: research, learn, and assess—and most importantly, do work!

I was raised to know that education and hard work provide opportunities. If I didn’t know how to do something, I learned it through whatever means possible. If books or teachers weren’t available, I’d watch someone (or three people if need be) do a task and then emulate what I saw. I’d read up on a topic, try different ways of getting something done, and learn from my errors.

Let’s use learning how to build an automobile engine as an example. It’s a big job and what I quickly learned is that all big goals need to be broken up into smaller, more digestible chunks of learning. I also learned that I didn’t need to know how to construct the whole engine at first. Instead, I started by focusing on my needs at the time. For instance, I could start by learning how to change the oil or replace a spark plug, completing smaller tasks that allowed me to move forward towards my ultimate goal.

This approach is no different in security. It may seem daunting to learn how to code, to reverse engineer, or to construct a sound security architecture system. If you have interest and ability, the great thing about the security field is people are hiring even if you only currently know how to “change the oil”. Opportunities in cyber security exist at all levels, and now is the best time to jump in!

This brings me to my next bit of advice for those keen on entering our field. Below you’ll find six simple steps to launch a career in cyber security and in this article, I’ll cover the second step, research, learn, and assess, in detail.

  1. Define your career focus
  2. Research, learn, and assess
  3. Read and write
  4. Formulate a view of the attack 
  5. Make friends, make lots of different friends
  6. Don’t be afraid to be wrong


Above: Jonathan Omansky visits Year Up Bay Area as a guest speaker for Symantec Cyber Career Connection students, where he offered tips on cyber security as well as career guidance.

#2. Research, learn, and assess

If you haven’t already selected an area of focus based on my previous blog recommendations, or are overwhelmed by the process of choosing an area, this approach might help.

Research

Many of the interns I’ve mentored, from colleges, prep schools, retraining programs, and other learning institutions, came into their internships with no exposure to security at all. In these situations, the first thing we work on is finding an area of security that interests them. To do this, I give all interns a learning task, for example, reading up on the latest corporate hack or information leak.

You can find these examples using resources like RSS feeds or news aggregators and focusing your reading on all things cyber security. This is one of my favorite news feeds, and Symantec’s own Security Response blog is a great place to start. Twitter is also an excellent resource for reading up on the latest cyber security news. Find a handful of well-known cyber security professionals (including yours truly, @jomansky), follow them, and then add some of their followers.

From there I ask them to break down the technical aspects of the story, focusing on things like: why the topic is important; what the risks are and who is at risk; how to detect the threat; and how to protect against it. This process often helps students find topics they are excited to learn about, and provides me with an opportunity to shape their internships.

Learn

Once you’ve defined your focus, it’s up to you to dive in and learn to “change the oil”. Let’s use incident response (IR) as an example. There are a ton of books, blogs, videos, and other learning materials that provide the basic steps on responding to an incident. These tools vary in length and complexity, and once you’ve explored a handful you’ll begin to see a pattern. You’ll learn about IR fundamentals from the perspective of a CSO, a CISO, a junior analyst, a government worker, and more.

It’s also helpful to review articles about actual incidents across different business sectors. Reading the analyst’s view of a particular incident can help you learn what he or she did right or wrong, where technology played a role, and where it was a people or process breakdown. This should give you a sense of what responding to an incident looks like, and give you insight into how to correct specific problems from happening again.

Learning about IR strategies is a great first step. When paired with technical awareness of the tools an incident responder might use to do the job, many of which are free or have trial versions along with demos, you are on your way to your first career opportunity in cyber security.

Assess

After researching security areas, and learning all you can, I next suggest assessing where your knowledge gaps are, and filling them. Focusing on what you’re missing can help ensure you have the full range of knowledge on a topic and that you can speak to it when asked in an interview. Taking incident response as our example again, review the duties and expectations of a dozen incident responder-related jobs, to see where you still need to build skills. Focus on what you’re missing and how you plan to gain that knowledge. The information is out there; go get it!

Though we focused on only one particular category of the cyber security space, incident response, as our example, the approach is the same for all positions, even the more technically advanced roles. The tools and knowledge are available and the cyber security skills gap in today’s job market needs to be filled. It’s up to you to grab this information, learn it, and get your foot in the door.

Follow our CR in Action blog for more on how to launch a cyber security career. Interested in a career in cyber security? Learn more about the Symantec Cyber Career Connection(Symantec C3), which provides a mix of targeted classroom education, non-technical skills development, and cyber security internships to position students to fill in-demand cyber security 

Security News

via Symantec Connect – Security – Blog Entries http://ift.tt/2eQnB7E

October 17, 2017 at 06:11PM

Vuln: Oracle E-Business Suite CVE-2017-10416 Remote Security Vulnerability

http://ift.tt/2ghnO0M

Bugtraq ID: 101303
Class: Unknown
CVE: CVE-2017-10416
Remote: Yes
Local: No
Published: Oct 18 2017 12:00AM
Updated: Oct 18 2017 12:00AM
Credit: Vahagn Vardanyan of ERPScan
Vulnerable:
  Oracle E-Business Suite 12.2.7
  Oracle E-Business Suite 12.2.6
  Oracle E-Business Suite 12.2.3
  Oracle E-Business Suite 12.2.5
  Oracle E-Business Suite 12.2.4
Not Vulnerable:

Security News

via SecurityFocus Vulnerabilities http://ift.tt/Y0pFEv

October 17, 2017 at 06:07PM

Vuln: Oracle E-Business Suite CVE-2017-10417 Remote Security Vulnerability

http://ift.tt/2yos4GF

Bugtraq ID: 101308
Class: Unknown
CVE: CVE-2017-10417
Remote: Yes
Local: No
Published: Oct 17 2017 12:00AM
Updated: Oct 17 2017 10:03PM
Credit: Vahagn Vardanyan of ERPScan
Vulnerable:
  Oracle E-Business Suite 12.2.7
  Oracle E-Business Suite 12.2.6
  Oracle E-Business Suite 12.2.3
  Oracle E-Business Suite 12.2.5
  Oracle E-Business Suite 12.2.4
Not Vulnerable:

Security News

via SecurityFocus Vulnerabilities http://ift.tt/Y0pFEv

October 17, 2017 at 06:07PM

Vuln: Oracle E-Business Suite CVE-2017-10329 Remote Security Vulnerability

http://ift.tt/2ghnLlC

Bugtraq ID: 101300
Class: Unknown
CVE: CVE-2017-10329
Remote: Yes
Local: No
Published: Oct 17 2017 12:00AM
Updated: Oct 17 2017 10:03PM
Credit: Juan Pablo Perez Etchegoyen of Onapsis
Vulnerable:
  Oracle E-Business Suite 12.2.7
  Oracle E-Business Suite 12.2.6
  Oracle E-Business Suite 12.2.3
  Oracle E-Business Suite 12.1.2
  Oracle E-Business Suite 12.1.1
  Oracle E-Business Suite 12.2.5
  Oracle E-Business Suite 12.2.4
  Oracle E-Business Suite 12.1.3
Not Vulnerable:

Security News

via SecurityFocus Vulnerabilities http://ift.tt/Y0pFEv

October 17, 2017 at 06:07PM

Vuln: Oracle Hospitality Hotel Mobile CVE-2017-10014 Remote Security Vulnerability

http://ift.tt/2yptr7V

Bugtraq ID: 101299
Class: Unknown
CVE: CVE-2017-10014
Remote: Yes
Local: No
Published: Oct 17 2017 12:00AM
Updated: Oct 17 2017 10:03PM
Credit: Oracle
Vulnerable:
  Oracle Hospitality Hotel Mobile 1.1
Not Vulnerable:

Security News

via SecurityFocus Vulnerabilities http://ift.tt/Y0pFEv

October 17, 2017 at 06:07PM