The world is on the way go to robotics automation skeleton. No only the factory, even though software deployment is included. Although you don’t believe this is the prelude. Not a coincidence.But we can’t evade this industries revolution.
The artificial intelligence work status depends on what type of issue encounters. The zero day (vulnerability) similar man kind tumor. The infectious diseases of computer are the malware and computer virus infection.
Go deep to the subject (Apache OpenWhisk security alert).
Function as a service (FaaS) is a category of cloud computing services that provides a platfor allowing customers to develop, run, and manage application functionalities without the complexity of building and maintaining the infrastructure typically associated with developing and launching an OS and software application.
An open source project driven by IBM and Adobe, Apache OpenWhisk is a robust Functions-as-a-Service (FaaS) platform that can be deployed in the cloud or within the data center. Apache OpenWhisk now supports the PHP runtime.
There are total two items of vulnerabilities confirm on apache openwhisk product this month.
CVE-2018-11756 – https://github.com/apache/incubator-openwhisk-runtime-php/commit/6caf902f527250ee4b7b695929b628d560e0dad1
CVE-2018-11757 – https://github.com/apache/incubator-openwhisk-runtime-docker/commit/891896f25c39bc336ef6dda53f80f466ac4ca3c8
Jenkins is the leading open-source automation server. Built with Java, it provides over 1000 plugins to support automation. Is it a robot?
Basically, Jenkins is commonly used for building projects, running tests to detect bugs and other issues as soon as they are introduced, static code analysis and deployment.
For instance combining Jenkins and Docker together can bring improved speed and consistency to your automation tasks.
That is you can configure Jenkins to build Docker Images based on a Dockerfile. You can use Docker within a CI/CD pipeline, using Images as a build artefact that can be promoted to different environments and finally production. Usually, the freestyle automated job can create to accomplish a specific task in the CI pipeline, it can be compile the code, run integration tests or deploy application.
A complete CI pipeline is made up of three major parts: Integration: Build code and run unit tests.
Delivery: Deploy your application to a staging or production environment.
If Jenkins is sick (vulnerabilities) today? Any worries about that?
An official announment state the following: https://jenkins.io/security/advisory/2018-07-18/#SECURITY-390
Archer Technologies provided enterprise governance, risk, and compliance management software. The product aim to reduce enterprise risks, manage and demonstrate compliance, automate business processes, and gain visibility into corporate risk and security controls. Whereby, it integrate with your internal systems equivalent as workflow management especially approval process.
REST API relies on a stateless, client-server, cacheable communications protocol. The HTTP protocol is use in default.
Reference hyperlink shown as below:
Retrospectively cyber attack encountered on Nuclear power facility in past. The SCADA system facilities vendor are working hard to hardening their device and provided cyber security advisory. An cyber security alert announced by ABB that a software engineering tool for configure Panel 800 has vulnerability occurs. ABB Panel Builder 800 all versions has an improper input validation vulnerability which may allow an attacker to insert and run arbitrary code on a computer where the affected product is used. However the vulnerabilites indicated that theattacker could create a specially crafted file and try to trick a person using the Panel Builder 800 to open this file (see below hyperlink – technical note)
Perhaps the techincal limitation sometimes was happened in their fundemental design. See Alert B in attached diagram. Since panel 800 is a Intel CPU base with Windows CE OS. My concern is that It is not known whether Intel XScale or Marvell Feroceon cores are affected by these issues (Meltdown and Spectre)? But no worries, tomorrow will be a better day!
Cyber attack wreak havoc, perhaps this is a digital world. We focus cyber attacks happens in company and personal workstation in past decade. The smartphones and IoT devices market coverage bigger than hardward devices in business world. From business point of view, it is a good oppuntunities. The telcom services providers will be more business growth. Meanwhile the cyber security attacks looks like a heavy burden in their business operations.
DNS services is the major components of internet server. Their services similar a phone book.
f you are the customer of PowerDNS, you must be stay alert! For more details, please see below reference (Hyperlink):
PDNS before version 4.1.2 is vulnerable to a buffer overflow in dnsreplay. In the dnsreplay tool provided with PowerDNS Authoritative, replaying a specially crafted PCAP file can trigger a stack-based buffer overflow, leading to a crash and potentially arbitrary code execution. This buffer overflow only occurs when the -ecs-stamp option of dnsreplay is used.
QNAP’s Network Attached Storage(NAS) is the friend from SME users. Even thought IT Dept, they are also satisfy with NAS. Since the price is affordable and provides plug and play function. It is common that NAT on firewall will be deploy with Hide NAT. As a result your QNAP’s will be receive the new patch update. At the same time it benefits to hacker once vulnerability occurs.
Please remind that you have to create firewall rule deny NAS go to internet at this moment.
It is better to do the remediation now. See below:
A consulting firm observe that the abuse of the SAP Invoker Servlet rapidly increase (built-in functionality in SAP NetWeaver Application Server Java systems (SAP Java platforms)). The fact is that customer may not aware or encounter technical difficulties to remediate a former vulnerability. May be a new attack (former vulnerability + Zero day) let the risk happens.
Quick step of remediation in the moment:
1. Scan systems for all known vulnerabilities, such as missing security patches and dangerous system configurations.
2. Analyze systems for malicious or excessive user authorizations.
3. Monitor systems for indicators of compromise resulting from the exploitation of vulnerabilities.
4. Apply threat intelligence on new vulnerabilities to improve the security posture against advanced targeted attacks.
Should you have interest of the report. You can go to this place to download.
The installation packages of Android apps (.APK files) are deploy with.ZIP files. Because of the fundemental design concept. It let malware has way for infection. Yes, threat actor can place a malicious DEX file at the start of the APK file. But V2 signing mechanism can avoid above types of infection. However of the compatiblity issue, older Android versions with only version 1 of the signing scheme application still alive. We known that risk may occurs in such circumstances. The fact is that Enterprise MDM solutions may not detect these apps.
Elliptic Curve Diffie Hellman (ECDH) make man in the middle attack difficult since hacker would not be able to find out the shared secret and therefore it looks secure. The public keys are either static (and trusted, say via a certificate) or ephemeral (also known as ECDHE, where final ‘E’ stands for “ephemeral”). Ephemeral keys are temporary and not necessarily authenticated, so if authentication is desired, authenticity assurances must be obtained by other means. Authentication is necessary to avoid man-in-the-middle attacks. The truth is that similar type of setup has vulnerability occurs.Bluetooth implementations may not sufficiently validate elliptic curve parameters during Diffie-Hellman key exchange.
Reference: Vulnerability Note VU#304725 Bluetooth implementations may not sufficiently validate elliptic curve parameters during Diffie-Hellman key exchange – https://www.kb.cert.org/vuls/id/304725
- CVE-2018-8037: User sessions can get mixed up
- CVE-2018-1336: Denial Of Service (DoS) via UTF-8 decoder
- CVE-2018-8034: No host name verification in WebSocket client