Singapore uncovers four critical vulnerabilities in Riverbed software

Singapore’s Cyber Security Group, an agency charged with securing the nation’s cyberspace, has uncovered four critical flaws in code from network software company Riverbed.

The vulnerable application is SteelCentral AppInternals, formerly known as AppInternals Xpert, provided by Riverbed’s Aternity division. AppInternals provides application performance monitoring and diagnostics, and is part of SteelCentral. Customers usually deploy it in their datacenters and on their cloud servers to collect performance information, transaction traces, and more, so it can all be monitored from a centralized UI.

Specifically, the insecure code is in Dynamic Sampling Agent, which is the collection component of AppInternals. Versions affected, according to a CVE record, include 10.x, versions prior to 12.13.0, and versions prior to 11.8.8. Aternity’s advisory about the security holes is locked behind a customer login page. We’ve asked the vendor for more information.

News of the flaws emerged in a blog post by cybersecurity specialist Kang Hao Leng, who said the discovery was made in November 2021.

Along with two others, Kang found a total of seven bugs while testing Riverbed’s wares, four of them rated as critical, all within AppInternals’ Dynamic Sampling Agent.

The four critical vulnerabilities are listed as CVE-2021-42786, CVE-2021-42787, CVE-2021-42853, and CVE-2021-42854.

The four are rated 9.8, 9.4, 9.1 and 9.8 respectively out of 10 on the CVSS scale, the worst of which can be exploited by an unauthenticated user to inject and run payloads of malicious code on a remote target.

CVE-2021-42786 is a remote-code execution vulnerability in the software’s API caused by a lack of input validation of a URL path. CVE-2021-42787 stems from a lack of input validation of a filename, which made it possible for attackers to use sequences like “../” in a name, leading to potential directory traversal, meaning miscreants could gain unauthorized access to restricted resources.

CVE-2021-42853 and CVE-2021-42854 also involved directory traversal vulnerabilities in API endpoints. The blog post describes the flaws in detail and assures us that the bugs have been patched, and Kang said remediation was swift. Users of Riverbed’s software should ensure their deployments are up to date.
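As an added illustration (not Riverbed’s code, nor code from the researchers’ post), here is the pattern behind the traversal findings above, in Python: a caller-supplied filename joined onto a storage directory with no validation, beside a hardened version that accepts only a single path component and verifies the result stays inside the base directory, plus a small detector that flags “..” sequences, raw or percent-encoded, in request lines. The storage root, endpoint names and log lines are constructed for the demonstration and do not come from the advisory.

```python
"""Added example: rejecting directory-traversal filenames and spotting them in logs.

Illustrative code only; the storage root, endpoint names and log lines are
constructed for the demo and are not taken from the Riverbed advisory.
"""
import posixpath
import re
from urllib.parse import unquote

# Assumed storage root for files the agent writes (hypothetical path).
BASE_DIR = "/var/lib/agent/uploads"


def unsafe_target_path(filename: str) -> str:
    """The vulnerable pattern: the caller-supplied name is joined onto the base
    directory with no validation, so '..' components resolve outside BASE_DIR."""
    return posixpath.normpath(posixpath.join(BASE_DIR, filename))


def safe_target_path(filename: str) -> str:
    """Hardened version: accept only a single plain path component and verify
    that the resolved location is still inside BASE_DIR."""
    # Decode percent-encoding once so an encoded '..' cannot slip past the checks.
    name = unquote(filename)
    # Exactly one component: not empty, not '.' or '..', no separators, no NUL.
    # Backslash is rejected too, conservatively, in case the path reaches Windows.
    if name in ("", ".", "..") or "/" in name or "\\" in name or "\x00" in name:
        raise ValueError(f"rejected filename: {filename!r}")
    candidate = posixpath.normpath(posixpath.join(BASE_DIR, name))
    # Containment check: the longest common prefix must be BASE_DIR itself.
    if posixpath.commonpath([BASE_DIR, candidate]) != BASE_DIR:
        raise ValueError(f"path escapes base directory: {filename!r}")
    return candidate


def is_inside_base(path: str) -> bool:
    """True when an already-resolved path lies inside BASE_DIR."""
    return posixpath.commonpath([BASE_DIR, path]) == BASE_DIR


def is_rejected(filename: str) -> bool:
    """Convenience wrapper: True when safe_target_path refuses the name."""
    try:
        safe_target_path(filename)
    except ValueError:
        return True
    return False


def looks_like_traversal(request_path: str) -> bool:
    """Detection helper: True when any path or query component of a request
    decodes to '..'. Decodes twice to catch double-encoded sequences."""
    decoded = unquote(unquote(request_path))
    parts = re.split(r"[/\\?&=]", decoded)
    return ".." in parts


# Constructed access-log lines (method, request path, status); not real traffic.
SAMPLE_LOG = [
    "POST /api/v1/upload?file=report.txt 200",
    "POST /api/v1/upload?file=../../outside/secret.txt 200",
    "POST /api/v1/upload?file=%2e%2e%2f%2e%2e%2fconf%2fsettings 200",
    "GET /api/v1/status 200",
]


def flag_traversal_requests(lines):
    """Return (line number, request path) pairs whose path looks like traversal."""
    hits = []
    for number, line in enumerate(lines, 1):
        fields = line.split()
        if len(fields) >= 2 and looks_like_traversal(fields[1]):
            hits.append((number, fields[1]))
    return hits


if __name__ == "__main__":
    escaped = unsafe_target_path("../../outside/secret.txt")
    print("unsafe join resolves to:", escaped, "inside base:", is_inside_base(escaped))
    print("safe join:", safe_target_path("report.txt"))
    print("rejected:", is_rejected("../../outside/secret.txt"))
    for number, path in flag_traversal_requests(SAMPLE_LOG):
        print(f"log line {number}: traversal pattern in {path}")
```

The containment check via `commonpath` is the part that matters: a blocklist of “../” alone misses percent-encoded and doubly encoded forms, which is why the hardened function decodes first and then refuses anything that is not a single bare component. The log scan is a first-pass filter for an analyst, not a substitute for patching to the fixed versions named in the CVE record.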

“Riverbed worked with the research team on the assessment, identification, and mitigation of the vulnerabilities as they were discovered, evaluated, and validated,” Wayne Loveless, CISO, at Riverbed, told The Register.

“Product engineering and security teams have security assessment and testing processes integrated into our software development lifecycle (SDLC). Updates were made available as part of Riverbed customer support services via the support portal.” ®
