by Michael Hawkins. An SQL injection risk was identified in Badges code relating to configuring criteria. Access to the relevant capability was limited to teachers and managers by default. NOTE: Please pay particular attention to this fix. Information was recently released online about this vulnerability by third parties, so please upgrade or patch as soon as you are able to. We prepared the patch for this as soon as we became aware of the issue, to ensure a fix was available for this release. It
More info:
https://moodle.org/mod/forum/discuss.php?d=432947&parent=1742073
by Michael Hawkins. Insufficient capability checks could allow users with the moodle/site:uploadusers capability to delete users, without having the necessary moodle/user:delete capability.
Severity/Risk: Minor
Versions affected: 3.11 to 3.11.5, 3.10 to 3.10.9, 3.9 to 3.9.12 and earlier unsupported versions
Versions fixed: 3.11.6, 3.10.10 and 3.9.13
Reported by: Chris Pratt
Workaround: Remove the moodle/site:uploadusers capability from users who do not also have the moodle/user:delete capability, until
More info:
https://moodle.org/mod/forum/discuss.php?d=432948&parent=1742074
by Michael Hawkins. Users with the capability to configure badge criteria (teachers and managers by default) were able to configure course badges with profile field criteria, which should only be available for site badges.
Severity/Risk: Minor
Versions affected: 3.11 to 3.11.5, 3.10 to 3.10.9, 3.9 to 3.9.12 and earlier unsupported versions
Versions fixed: 3.11.6, 3.10.10 and 3.9.13
Reported by: Andrew Lyons
Workaround: Remove the moodle/badges:configurecriteria capability from users to prevent them
More info:
https://moodle.org/mod/forum/discuss.php?d=432949&parent=1742075
by Michael Hawkins. The PHPMailer library included with Moodle has been upgraded to the latest version, which includes security fixes.
Severity/Risk: Minor
Versions affected: 3.11 to 3.11.5, 3.10 to 3.10.9, 3.9 to 3.9.12 and earlier unsupported versions
Versions fixed: 3.11.6, 3.10.10 and 3.9.13
Reported by: Sara Arjona (@sarjona)
CVE identifier: N/A
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-71703
Tracker issue: MDL-71703 Upgrade PHPMailer to
More info:
https://moodle.org/mod/forum/discuss.php?d=432950&parent=1742077
by Michael Hawkins. The CKEditor included in the h5p-editor-php-library within Moodle has been upgraded to the latest version, which includes security fixes.
Severity/Risk: Minor
Versions affected: 3.11 to 3.11.5, 3.10 to 3.10.9, 3.9 to 3.9.12 and earlier unsupported versions
Versions fixed: 3.11.6, 3.10.10 and 3.9.13
Reported by: Sara Arjona (@sarjona)
CVE identifier: N/A
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-71722
Tracker issue: MDL-71722
More info:
https://moodle.org/mod/forum/discuss.php?d=432951&parent=1742078
New application development and modernization efforts are driving increased container adoption at a rapid pace. And according to Gartner, “By 2025, more than 85 percent of global organizations will be running containerized applications in production.”1 While there are many benefits to adopting containers and Kubernetes, it also presents some challenges. The rise of containerized microservices … Continued. The post Securing the Container Lifecycle from Build to Run appeared first
More info:
https://blogs.vmware.com/security/2022/03/securing-the-container-lifecycle-from-build-to-run.html?utm_source=rss&utm_medium=rss&utm_campaign=securing-the-container-lifecycle-from-build-to-run
This article was written by Sudhir Devkar. Summary: AvosLocker Ransomware is a recent ransomware with the capability to encrypt Linux systems. AvosLocker seems to be targeting VMware ESXi virtual machines and Virtual Machine File System (VMFS) files. By targeting VMs, AvosLocker takes advantage of faster and easier encryption of multiple servers with a single … Continued. The post AvosLocker – Modern Linux Ransomware Threats appeared first on VMware Security Blog.
More info:
https://blogs.vmware.com/security/2022/02/avoslocker-modern-linux-ransomware-threats.html?utm_source=rss&utm_medium=rss&utm_campaign=avoslocker-modern-linux-ransomware-threats
Cybersecurity innovation defined: Innovation (the verb) is the process of creating and delivering customer value. An innovation mindset is one that deeply understands the customer’s desired outcomes and creates value through new tools, processes, and approaches to facilitate those outcomes. In the case of cybersecurity innovation, it is not just going to be about ways to … Continued. The post The Cybersecurity Innovation Mindset appeared first on VMware Security Blog.
More info:
https://blogs.vmware.com/security/2022/03/the-cybersecurity-innovation-mindset.html?utm_source=rss&utm_medium=rss&utm_campaign=the-cybersecurity-innovation-mindset
Multiple Intel CPU vulnerabilities. Security Advisory Description: CVE-2021-0091 Improper access control in the firmware for some Intel(R) Processors may allow an unauthenticated ...
More info:
https://support.f5.com/csp/article/K08173228?utm_source=f5support&utm_medium=RSS
Initial Publication Date: 2022/03/17 20:42 PST. AWS is aware of an issue present in OpenSSL versions 1.0.2, 1.1.1, and 3.0 in which a certificate containing invalid explicit curve parameters can cause denial of service (DoS) by triggering an infinite logic loop. This issue was eliminated in the releases of OpenSSL 1.0.2zd, 1.1.1n, and 3.0.2. AWS is actively investigating the impact to AWS services.
More info:
https://aws.amazon.com/security/security-bulletins/AWS-2022-003/
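The bulletin's trigger is the encoding of the curve in the certificate: the loop is reached only when the EC parameters are spelled out explicitly (the specifiedCurve form) rather than given as a named-curve OID, which is what CA-issued certificates use. Because the hang happens during parsing, anything that parses untrusted certificates is exposed, not just TLS servers: TLS clients validating a server chain, servers doing client authentication, and services that accept uploaded certificates or CSRs. Until every such parser is on a fixed release, a cheap screen is to refuse input whose EC key carries explicit parameters. The following is an added example, not code from the AWS bulletin or from OpenSSL: a small DER walker that classifies the parameter encoding of each id-ecPublicKey AlgorithmIdentifier it finds. The function names, the PARAM_KINDS table and the sample SPKI blobs are mine; the samples are constructed placeholders (filler key bytes, a made-up explicit curve) that exercise the structure only. It does not validate the curve parameters and does not replace upgrading; legitimate explicit-parameter certificates exist but are rare, so rejecting them is a policy choice rather than a correctness check.

```python
"""Classify how the EC key in a DER blob encodes its curve: a named-curve OID,
or the explicit (specifiedCurve) form that the vulnerable OpenSSL parser
loops on. Added example, not code from the AWS bulletin or from OpenSSL;
it checks the encoding only, not the parameter values."""

ID_EC_PUBLIC_KEY = bytes.fromhex("2a8648ce3d0201")   # OID 1.2.840.10045.2.1
PRIME256V1 = bytes.fromhex("2a8648ce3d030107")       # 1.2.840.10045.3.1.7, samples only
PRIME_FIELD = bytes.fromhex("2a8648ce3d0101")        # 1.2.840.10045.1.1, samples only
PARAM_KINDS = {0x06: "namedCurve", 0x30: "specifiedCurve", 0x05: "implicitCurve"}

def _read_tlv(buf, pos):
    """Decode one DER element at buf[pos] -> (tag, contents, next_pos).
    Single-byte tags and definite lengths only, which is all X.509 uses."""
    tag = buf[pos]
    if tag & 0x1F == 0x1F:
        raise ValueError("multi-byte tags do not occur in X.509")
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                        # long form: 0x8N then N length bytes
        nbytes = length & 0x7F
        if nbytes == 0 or nbytes > 4:
            raise ValueError("indefinite or oversized length is not valid DER")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    end = pos + length
    if end > len(buf):
        raise ValueError("element runs past end of buffer")
    return tag, buf[pos:end], end

def _children(contents):
    """Split a constructed element's contents into (tag, contents) pairs."""
    kids, pos = [], 0
    while pos < len(contents):
        tag, val, pos = _read_tlv(contents, pos)
        kids.append((tag, val))
    return kids

def ec_parameter_kinds(der):
    """Walk every constructed node (works on a certificate, SPKI or CSR) and
    report, per id-ecPublicKey AlgorithmIdentifier, how the curve is encoded:
    'namedCurve', 'specifiedCurve', 'implicitCurve', 'absent' or 'unknown'."""
    found = []

    def walk(contents):
        kids = _children(contents)
        # AlgorithmIdentifier ::= SEQUENCE { algorithm OID, parameters ANY OPTIONAL }
        if kids and kids[0] == (0x06, ID_EC_PUBLIC_KEY):
            found.append(PARAM_KINDS.get(kids[1][0], "unknown") if len(kids) > 1 else "absent")
        for tag, val in kids:
            if tag & 0x20:                   # constructed (SEQUENCE, SET, [n]): recurse
                walk(val)

    tag, contents, _ = _read_tlv(der, 0)
    if not tag & 0x20:
        raise ValueError("top-level element is not constructed")
    walk(contents)
    return found

def uses_explicit_curve(der):
    """True if any EC key in the blob carries explicit (specifiedCurve) parameters."""
    return "specifiedCurve" in ec_parameter_kinds(der)

# ---- constructed sample inputs (placeholders, not real keys or certificates) ----

def _tlv(tag, contents):
    """Minimal DER encoder for the samples."""
    n = len(contents)
    if n < 0x80:
        return bytes([tag, n]) + contents
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + contents

def _spki(parameters):
    """SubjectPublicKeyInfo for id-ecPublicKey; the key bytes are filler, not a point."""
    algorithm = _tlv(0x30, _tlv(0x06, ID_EC_PUBLIC_KEY) + parameters)
    return _tlv(0x30, algorithm + _tlv(0x03, b"\x00\x04" + b"\x11" * 64))

# Named-curve form (what CA-issued certificates use): parameters are one OID.
SAMPLE_NAMED = _spki(_tlv(0x06, PRIME256V1))

# Explicit form: ECParameters ::= SEQUENCE { version, fieldID, curve, base, order, cofactor }.
# The numbers are placeholders; the filter keys on the structure, not the maths.
SAMPLE_EXPLICIT = _spki(_tlv(0x30,
    _tlv(0x02, b"\x01")                                            # version
    + _tlv(0x30, _tlv(0x06, PRIME_FIELD) + _tlv(0x02, b"\x07"))    # fieldID
    + _tlv(0x30, _tlv(0x04, b"\x02") + _tlv(0x04, b"\x03"))        # curve a, b
    + _tlv(0x04, b"\x04\x01\x02")                                  # base point
    + _tlv(0x02, b"\x05")                                          # order
    + _tlv(0x02, b"\x01")))                                        # cofactor

# The walker does not care how deep the SPKI sits (inside tbsCertificate in a real
# certificate); this wrapper is not a valid certificate, it just nests the SPKI.
SAMPLE_NESTED = _tlv(0x30, _tlv(0x30, _tlv(0x02, b"\x01") + SAMPLE_EXPLICIT))

if __name__ == "__main__":
    import sys                               # optional: pass DER files (decode PEM first)
    blobs = {"named": SAMPLE_NAMED, "explicit": SAMPLE_EXPLICIT, "nested": SAMPLE_NESTED}
    blobs.update({p: open(p, "rb").read() for p in sys.argv[1:]})
    for name, der in blobs.items():
        print(name, ec_parameter_kinds(der), "reject" if uses_explicit_curve(der) else "ok")
```

Run it with no arguments to see the three constructed samples classified, or pass paths to DER-encoded certificates, CSRs or public keys (PEM input has to be base64-decoded between the BEGIN/END lines first). The walker descends only into constructed elements, so it never parses the inside of the subjectPublicKey BIT STRING or of extension OCTET STRINGs, and it recognises the AlgorithmIdentifier by its first child OID rather than by position, which is why the same code handles a bare SubjectPublicKeyInfo and one buried in a certificate. Keep the screen in front of the unpatched parser, not behind it: the point is to decide before OpenSSL is asked to decode the parameters.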