On September 14, CVE-2020-14386 was reported as a “high” severity threat. This CVE is a kernel security vulnerability that enables an unprivileged local process to gain root access to the system. CVE-2020-14386 is a result of a bug found in the packet socket facility in the Linux kernel. It allows a bad actor to trigger a memory corruption that can be exploited to hijack data and resources and in the most severe case, completely take over the system.

Today we released updates for a series of vulnerabilities termed ‘There’s a hole in the boot’ / BootHole in GRUB2 (GRand Unified Bootloader version 2) that could allow an attacker to subvert UEFI Secure Boot. The original vulnerability, CVE-2020-10713, which is a high priority vulnerability was alerted to Canonical in April 2020.

Links are so fundamental to web development that they're almost invisible. When we link to a third-party page, we hardly ever consider how it could become an opportunity to exploit our users. In this article, Julien Cretel introduces us to three techniques that bad actors can use to target our users and discusses how to avoid them.

With open source in our roots, we’re always excited about integrations with tools like OpenVAS, a popular open source vulnerability scanner that Greenbone Networks has maintained since 2009. If you’re not currently using OpenVAS, you can find the project here. OpenVAS contains more than 50,000 vulnerability tests with a community constantly updating its feed to adapt to the ever-evolving security landscape.

On July 14, 2020, Microsoft released a security update related to a remote code execution (RCE) and denial of service (DoS) vulnerability (CVE-2020-1350) in Windows DNS Server (2003 - 2019).

A new vulnerability, CVE-2020-8557, has been detected in kubelet. It can be exploited by writing into /etc/hosts to cause a denial of service. The source of the issue is that the /etc/hosts file mounted in a pod by kubelet is not included by the kubelet eviction manager, so it’s not taken into account when calculating ephemeral storage usage by a pod.

Today we are releasing Grafana 6.7.4 and 7.0.2. These patch releases include an important security fix for an issue that affects all Grafana versions from 3.0.1 to 7.0.1.

A security vulnerability (CVE-2020-8555) with a Medium severity has been reported that affects following versions of Kubernetes: Note, an attack using this vulnerability requires permission to create a pod or StorageClass and would typically only be granted to internal administrators or developers within an organization. It is possible to mitigate an attack by implementing policies using Gatekeeper and restricting StorageClass using Kubernetes access controls.

This CVE is a Server Side Request Forgery (SSRF) vulnerability in kube-controller-manager that allows certain authorized users to leak up to 500 bytes of arbitrary information from unprotected endpoints within the master’s host network (such as link-local or loopback services).