1/5/24: CVEs, Terrapin, 'everything'...

Happy 2024! Here are this week's security highlights:

AWS is warning customers over a “recent CVE”

Unnerving some, AWS did not disclose what the CVE was, nor share an associated security bulletin in its emailed warning, despite saying it will automatically terminate customers’ affected tasks by January 19. The security note (it’s arguably not hugely critical) was the latest reminder, however, that cloud and container security remains a work in progress on the transparency front.


CISA warns federal agencies of exploited Google Chrome & OS vulnerabilities

Two new vulnerabilities have been added to the list of exploited bugs by the Cybersecurity and Infrastructure Security Agency (CISA). CISA on Tuesday warned of a vulnerability concerning the open-source Perl library, classified as CVE-2023-7101, as well as a bug impacting Google Chrome that was addressed by the company last month. The vulnerabilities were added to the government’s Known Exploited Vulnerabilities (KEV) document, giving federal civilian agencies until January 23 to patch them.


Software supply chain security remains a challenge for most enterprises

The number of CVEs (Common Vulnerabilities and Exposures) continues to increase at a steady pace and there’s nary a container out there that doesn’t include at least some vulnerabilities. Some of those may be in libraries that aren’t even used when the container is in production, but they are vulnerabilities nevertheless. According to Slim.ai's latest Container Report, the average organization now deploys well over 50 containers from their vendors every month (and almost 10% deploy more than 250).


'everything' blocks devs from removing their own npm packages

The package is quite aptly named, as downloading "everything" will gradually pull in every single npm package that's ever been published to the npmjs.com registry onto your computer, potentially making it run out of storage. Since these 3,000+ packages manage to include every single npm package on the npmjs.com registry as their dependency, npm package authors who have ever published to the npm registry would now be unable to remove their packages at will, because of npm's policy.


New Terrapin flaw could let attackers downgrade SSH protocol security

Security researchers from Ruhr University Bochum have discovered a vulnerability in the Secure Shell (SSH) cryptographic network protocol. Called Terrapin (CVE-2023-48795, CVSS score: 5.9), the exploit has been described as the "first ever practically exploitable prefix truncation attack." The flaw impacts many SSH client and server implementations, such as OpenSSH, Paramiko, PuTTY, KiTTY, WinSCP, libssh, libssh2, AsyncSSH, FileZilla, and Dropbear, prompting the maintainers to release patches to mitigate potential risks.


Subscribe for more weekly security highlights!

Matthias B.


10 months

Wonderful
