How to mitigate the 0-day Apache path traversal vulnerability with Puppet or Bolt

Apache has disclosed a critical actively exploited path traversal flaw in the popular Apache web server, version 2.4.49. This path traversal means that an attacker can trivially read the contents of any file on the server that the Apache process has access to. This could expose highly sensitive information, even as critical as the server's own private SSL certificates. See the Sonatype blog for more technical information on the vulnerability.


The Vulnerability Conundrum: Improving the Disclosure Process

The vulnerability disclosure process involves reporting security flaws in software or hardware, and can be complex. Cooperation between the organization responsible for the software or hardware, and the security researcher who discovers the vulnerability can be complicated. In this blog we’ll look at the vulnerability disclosure process, the parties involved and how they can collaborate productively.


Continuous vulnerability prevention

Is your application security improving, staying the same, or getting worse? How do you prevent changes from introducing new vulnerabilities? While there are many ways to scan for vulnerabilities, the resulting noise can be overwhelming, making it hard to see whether things are getting better or worse. Scanning continuously, addressing new critical vulnerabilities as they arise drives constant improvement in security posture — a "ratcheting up" of security over time.


Head-to-Head: Penetration Testing vs. Vulnerability Scanning

To release reasonably secure products, vendors must integrate software security processes throughout all stages of the software development lifecycle. That would include product architecture and design; implementation and verification; deployment and monitoring in the field; and back again to design to address the changing threat landscape, market needs, and product issues.


How to better prioritize vulnerability remediation through automated penetration testing

As most MSPs know, small- and medium-sized businesses are the most likely targets for cyberattacks. They lack many of the resources and infrastructure of their larger counterparts and a single cyberattack can be devastating. Analyzing and remediating vulnerabilities is an essential part of any security program. But current vulnerability management processes spit out long lists of instances that may or may not need remediation.


Critical Vulnerability in HAProxy (CVE-2021-40346): Integer Overflow Enables HTTP Smuggling

JFrog Security research teams are constantly looking for new and previously unknown vulnerabilities in popular open-source projects to help improve their security posture. As part of this effort, we recently discovered a potentially critical vulnerability in HAProxy, a widely used open-source load balancer proxy server that is particularly suited for very high traffic web sites and used by many leading companies.

Risk Mitigation Strategies for Tcp/IP Vulnerabilities in OT

JFrog in collaboration with Forescout Research Labs recently released the fourth study from Project Memoria - the industry’s most comprehensive study of TCP/IP vulnerabilities. INFRA:HALT covers 14 vulnerabilities affecting the popular closed source TCP/IP stack NicheStack. These vulnerabilities can cause Denial of Service or Remote Code Execution, allowing attackers to take targeted OT and ICS devices offline or take control of them.

Scanning Dependencies in your sources using JFrog CLI and Xray

Security vulnerabilities and license violations should be found as early as possible and the earlier in the SDLC , the better. As part of the “ Shift Left ” vision, JFrog CLI and Xray now allow scanning dependencies directly from sources , on-demand, using a simple command line. This functionality allows benefiting from the same JFrog Xray vulnerability and license scanning capabilities, even before deployment to JFrog Artifactory.


August/2021 - HAProxy 2.0+ HTTP/2 Vulnerabilities Fixed

If you are using HAProxy 2.0 or newer, it is important that you update to the latest version. A vulnerability was found that makes it possible to abuse the HTTP/2 parser, allowing an attacker to prepend hostnames to a request, append top-level domains to an existing domain, and inject invalid characters through the :method pseudo-header.