Other issues that were fixed in October were a heap buffer overflow in WebSQL tracked as CVE-2022-3446 and a usage after-free in the Tracked Permissions API as CVE-2022-3448, Google wrote in Blog. Google also fixed two free after-use errors in Safe Browsing and in Peer-to-Peer Connections.
Google Android
The Android Security Bulletin for October includes fixes for 15 bugs in Framework and System and 33 issues in kernel and vendor components. One of the most concerning is a critical security vulnerability in a Framework component that could lead to local privilege escalation, tracked as CVE-2022-20419. Meanwhile, a vulnerability in the Kernel can also lead to local privilege escalation without the need for additional execute privileges.
None of the issues are known to have been used in the attacks, but you should still check your device and update it when possible. Google has released the update for its Pixel devices, and it’s also available for the Samsung Galaxy S21 and S22 series smartphones, and the Galaxy S21 FE.
Cisco
Cisco has urge The companies patched two vulnerabilities in the AnyConnect Secure Mobility Client for Windows after it was confirmed that the vulnerabilities were being used in attacks. Tracked as CVE-2020-3433, the first name could allow an attacker with valid credentials on Windows to execute code on the affected machine with system privileges.
Meanwhile, CVE-2020-3153 could allow an attacker with valid Windows credentials to copy malicious files to arbitrary locations with system-level privileges.
The U.S. Cybersecurity and Infrastructure Agency added Cisco bugs to the List of Exploited Vulnerabilities.
While both Cisco vulnerabilities require an attacker to be authenticated, it’s important to update now.
Launch
Video conferencing service Zoom patched a number of issues in October, including a vulnerability in the Zoom client for meetings, which was marked as high severity with a CVSS Score of 8.8. . Zoom says versions prior to version 5.12.2 are vulnerable to a URL parsing vulnerability tracked as CVE-2022-28763.
“If a malicious Zoom meeting URL is opened, the link could direct the user to connect to an arbitrary network address, leading to additional attacks including session hijacking,” Zoom said in a statement. security bulletin.
Earlier this month, Zoom warned users that its app for meetings for macOS starting with 5.10.6 and prior to 5.12.0 has a debug port misconfiguration.
VMWare
Software giant VMWare has patched a critical vulnerability in its Cloud Foundation
Tracked as CVE-2021-39144. The remote code execution vulnerability through the open source library XStream is rated as severe with a maximum CVSSv3 base score of 9.8. “Due to an unauthenticated endpoint that leverages XStream to serialize input in VMware Cloud Foundation, a malicious actor could remotely execute code in the ‘root’ context on the device,” VMWare said in a statement. one advisory.
The VMware Cloud Foundation update also addresses the object-external XML vulnerability with a lower CVSSv3 base score of 5.3. Tracked as CVE-2022-31678, the bug could have allowed unauthenticated users to perform a denial of service.
Zimbra
Software company Zimbra has released patches to fix an exploited code execution vulnerability that could have allowed attackers to gain access to user accounts. The issue, tracked as CVE-2022-41352, has a CVSS severity score of 9.8.
Mining was discovered by Rapid7 researchers, who identified signs it was used in the attacks. Zimbra originally came up with a solution to fix it, but now that the patch is available, you should apply it ASAP.
SAP
Enterprise software company SAP published 23 new and updated Security Notes during the October Patch Day. Among the most serious issues was a critical Path Traversal vulnerability in SAP Manufacturing Execution. The vulnerability affects two plugins: Work Instruction Viewer and Visual Test and Repair and has a CVSS score of 9.9.
Another issue with a CVSS score of 9.6 is the account entry vulnerability in the SAP Commerce login page.
Oracle
Software giant Oracle has released 370 patches as part of its quarterly security update. Oracle’s Important patch update in October, fixing 50 vulnerabilities rated as critical.
The update contains 37 new security patches for Oracle MySQL, 11 of which can be remotely exploited without authentication. It also contains 24 new security patches for Oracle Financial Services Applications, 16 of which can be remotely exploited without authentication.
Due to the “threat posed by a successful attack,” Oracle “highly recommends” that customers apply the Critical Patch Update security patches as soon as possible.
