Unknown vulnerability Found Affecting Intel CPUs – 5th Mar 2019

Preface: The so-called Spoiler vulnerability stems from an Intel CPU design limitation. If an attacker successfully exploits it, they can conduct a “Rowhammer” attack for privilege escalation.

Vulnerability detail: The speculative execution function of Intel’s processors aims to increase CPU performance, but it has also caused Intel CPU vulnerability issues in the past. A newly found technique is able to determine how virtual and physical memory are related to each other. By measuring timing differences, an attacker can determine the memory layout and then know which area to attack. For more details, please refer to the attached diagram.

Remedy: There is no mitigation plan that can completely erase this problem.

Headline news: https://www.theregister.co.uk/2019/03/05/spoiler_intel_processor_flaw/

Conclusion: Perhaps “Rowhammer” is hard to detect. Be reminded that a predictive defense solution will reduce the risk. For example, if you have 360-degree cyber protection that includes spam and DNS filtering, SIEM, malware protection and managed security services, the impact caused by this vulnerability will be under control.

Former vulnerability (CVE-2018-20033, flexnet_publisher) – but enterprise firms must be vigilant! vigilant!

Preface: FlexNet Publisher (formerly known as FLEXlm) is a software license manager from Flexera Software which implements license management and is intended to be used in corporate environments to provide floating licenses to multiple end users of computer software.

Vulnerability background: The design weakness was found in 2018, but the official announcement was released on 2019-01-28.

Vulnerability detail: The flaw allows a remote attacker to corrupt memory by allocating / deallocating memory, loading lmgrd or the vendor daemon, and causing the heartbeat between lmgrd and the vendor daemon to stop.

Impact: A successful exploit could allow the attacker to cause the affected software to stop responding, or use the memory corruption to execute arbitrary code.

Official announcement: https://secuniaresearch.flexerasoftware.com/advisories/85979/

About Node.js vulnerabilities – Mar 2019

Preface: Node.js is popular in the technology world. Crypto or distributed ledger platforms, Docker development, REST APIs and so on can all be deployed with Node.js.

About Node.js
Node.js is a JavaScript runtime environment that processes incoming requests in a loop, called the event loop (initialization and callbacks), and offers a Worker Pool to handle expensive tasks like file I/O. Modern kernels can handle multiple operations executing in the background. By design, when one of these operations completes, the kernel tells Node.js so that the appropriate callback may be added to the poll queue to eventually be executed. Perhaps such a design concept provides an opportunity to hackers!

Vulnerability details (CVE-2019-5737): An attacker could exploit this vulnerability when establishing an HTTP or HTTPS connection in keep-alive mode by sending headers to the targeted system over time to keep the connection open for an extended period. The result is a denial of service condition. The official announcement is at the URL below: https://nodejs.org/en/blog/vulnerability/february-2019-security-releases/

CVE-2019-6690: Improper Input Validation in python-gnupg

Preface: Python provides the essential programming language for smart devices and solutions for the Internet of Things and Industry 4.0.

Technical background: When you encrypt a string with AES128, if the encrypted string is too long, it will contain \r\n. Actually, the encryption output is an array of 8-bit bytes, not characters.
The code is Base64-encoding the encrypted data with an option to insert line breaks every 64 characters.

About python-gnupg: The gnupg module enables Python to use the functionality of GNU Privacy Guard (GnuPG). With this module, Python programs can create and manage keys, encrypt and decrypt data, and sign and verify.

Vulnerability detail: A design weakness due to insufficient validation of user-supplied input submitted to the passphrase property of the gnupg.GPG.encrypt() and gnupg.GPG.decrypt() methods when symmetric encryption is used. Such a vulnerability could allow a local attacker to control or modify sensitive information on a targeted system.

Remedy: Added checks to disallow newline-type characters in passphrases. https://github.com/vsajip/python-gnupg/commit/39eca266dd837e2ad89c94eb17b7a6f50b25e7cf#diff-88b99bb28683bd5b7e3a204826ead112
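Why newline-type characters in a passphrase matter, shown as an added example that is not python-gnupg's own code. It assumes a simplified model in which the passphrase is sent as one line ahead of the data on the same stream; `frame`, `read_frame`, `safe_frame` and `is_valid_passphrase` are hypothetical names.

```python
import io

# Assumption (simplified model): the caller writes the passphrase, a "\n",
# and then the data to one stream; the reader treats the first line as the
# passphrase and everything after it as data. All names are hypothetical.
NEWLINE_TYPE = ("\n", "\r")


def is_valid_passphrase(passphrase):
    """The kind of check the remedy describes: no newline-type characters."""
    return not any(ch in passphrase for ch in NEWLINE_TYPE)


def frame(passphrase, payload):
    """Sender side without validation: passphrase line, then the payload."""
    return passphrase.encode("utf-8") + b"\n" + payload


def read_frame(stream):
    """Receiver side: first line is the passphrase, the rest is the payload."""
    buf = io.BytesIO(stream)
    line = buf.readline().rstrip(b"\r\n")
    return line.decode("utf-8"), buf.read()


def safe_frame(passphrase, payload):
    """Sender side with the check applied before anything is written."""
    if not is_valid_passphrase(passphrase):
        raise ValueError("passphrase contains newline-type characters")
    return frame(passphrase, payload)


def demo():
    payload = b"report body"                    # constructed sample data
    supplied = "pw-one\nextra line from input"  # constructed sample input
    seen_pw, seen_payload = read_frame(frame(supplied, payload))
    try:
        safe_frame(supplied, payload)
        rejected = False
    except ValueError:
        rejected = True
    return {
        "passphrase_seen": seen_pw,     # differs from what was supplied
        "payload_seen": seen_payload,   # input text has leaked into the data
        "rejected_by_check": rejected,
        "clean_roundtrip": read_frame(safe_frame("pw-one", payload)),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=", repr(value))
```

Without the check, the reader sees a different passphrase from the one supplied and the remainder of the input is treated as data, which is the kind of ambiguity the added validation rules out.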

The hospital and healthcare industry must be vigilant! vigilant! (CVE-2019-7816 – 2nd Mar 2019)

Preface: A medical software manufacturer uses Adobe ColdFusion to more securely collect electronic clinical outcome assessment (eCOA) data. A digital solutions company uses Adobe ColdFusion to help midmarket companies manage eCommerce more effectively. Some experts predicted that ColdFusion was losing the market, but it is still alive.

Critical statement of this vulnerability and remedy.
This attack requires the ability to upload executable code to a web-accessible directory, and then execute that code via an HTTP request. Restricting requests to directories where uploaded files are stored will mitigate this attack.

If you are interested, please refer to the official announcement below.

https://helpx.adobe.com/security/products/coldfusion/apsb19-14.html

Who is right, who is wrong? Who knows?

Preface: The spy chip scandal amplified concerns over Huawei’s 5G equipment last year (2018).

Doubt – Is it safe to use Huawei phones and should the manufacturer be trusted to make 5G network equipment?

Reality: A flaw discovered in an ASN.1 compiler, a widely used C/C++ development tool, could have propagated code vulnerable to heap memory corruption attacks, resulting in remote code execution. It looks like this technical flaw is not resolved yet!

Vulnerability Note VU#790839
Objective Systems ASN1C generates code that contains a heap overflow vulnerability. For more details, please refer to the URL below.

https://www.kb.cert.org/vuls/id/790839/

What is your decision? I am a mobile phone user, and a lot of the time I forget about the surveillance scandal. But a 5G phone is expensive at the moment, and I do not have the money to buy one!