August 2023 Patch Tuesday: Microsoft fixes critical bugs in Teams, MSMQ

The continued onslaught of phishing attacks, ransomware deployment, and other exploitation is forcing the community to pay closer attention to early identification of, as well as fast response to, vulnerabilities in their software. In July alone Microsoft addressed 84 CVEs in Windows 11, 99 in Windows 10, and even 69 in Windows Server 2012.

The good news is that attention on security testing and providing better security tools is on the rise. The public preview of CVSS 4.0 ended this week, providing the last opportunity to contribute to this important security tool. The comments are in review and FIRST is targeting a publication date of October 1st this year. The changes were substantial enough to prompt a version change from 3.1. For newcomers to CVSS, the nomenclature changes will be welcome. The ‘Temporal’ metrics were renamed to ‘Threat’ metrics, which aligns with industry standards. FIRST also clarified the terminology with Base, Environment, and Threat designators, which clearly show the factors used in the calculation. For example, CVSS-B uses only the base metrics to calculate the ‘pure’ severity score of the vulnerability in the absence of environment and threat, whereas CVSS-BTE takes the base, environment, and threat metrics into account and so reflects the risk associated with the vulnerability. This is a great step forward towards providing a clear understanding of what each score encompasses. One additional section to consider is the new Supplemental Metrics Group, which provides insight into automation, recovery, vulnerability response effort, and other important factors associated with the vulnerability that may be of importance to you in prioritizing the updates in your regular patching routine. The CVSS continues to evolve and remains a relevant and important factor in our patch processes; be on the lookout for the final release later this year.

The Log4j vulnerability provided focus on the need for more security testing during software development. According to some recent reports, developers are spending more time on security analysis and testing, but this is still the case at less than 50% of all companies. The upside is that 94% of these companies have improved the testing processes they had in place prior to the Log4j exposure. The other good news is that time-to-fix has been cut by nearly 50% in open-source software during 2022. It’s clear that software security testing will continue to evolve and is currently on the rise, which helps us all.

Ivanti is continuing its investigation into two critical vulnerabilities which were disclosed publicly at the same time a patch was available, on July 24 and July 28 respectively. The vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM) have been utilized in targeted attacks. CISA and NCSC-NO released a joint cybersecurity advisory on CVE-2023-35078 and CVE-2023-35081 on August 1, 2023, and urged organizations to apply the patches released by Ivanti. Ivanti is continuing to work actively with customers to upgrade their appliances and helping them apply the fix.

Remediation guidance
For customers on currently supported versions of EPMM, the recommendation is to apply the latest fix for CVE-2023-35081.
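The CVSS-B versus CVSS-BTE distinction discussed above, as an added example that is not code from the original post: a small Python classifier that parses a CVSS 4.0 vector string, rejects malformed or incomplete vectors, and reports which nomenclature label (CVSS-B, -BT, -BE or -BTE) applies, which is what a patch-prioritization script needs to know before treating a score as environment-aware. It assumes the metric abbreviations and nomenclature rules of the FIRST CVSS v4.0 specification; the sample vectors are constructed.

```python
# Added example, not code from the original post. Assumes the metric names and the
# CVSS-B/-BT/-BE/-BTE nomenclature of the FIRST CVSS v4.0 specification; Supplemental
# metrics do not feed the numeric score, so they never change the nomenclature label.
import re

BASE_METRICS = ("AV", "AC", "AT", "PR", "UI", "VC", "VI", "VA", "SC", "SI", "SA")
THREAT_METRICS = ("E",)
ENVIRONMENTAL_METRICS = ("CR", "IR", "AR", "MAV", "MAC", "MAT", "MPR", "MUI",
                         "MVC", "MVI", "MVA", "MSC", "MSI", "MSA")
SUPPLEMENTAL_METRICS = ("S", "AU", "R", "V", "RE", "U")
KNOWN = set(BASE_METRICS + THREAT_METRICS + ENVIRONMENTAL_METRICS + SUPPLEMENTAL_METRICS)
METRIC_RE = re.compile(r"^([A-Z]{1,3}):([A-Za-z]+)$")

EXAMPLE_BASE = "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"  # constructed

def parse_vector(vector):
    """Return {metric: value} for a 'CVSS:4.0/...' string; raise ValueError if malformed."""
    prefix, _, body = vector.partition("/")
    if prefix != "CVSS:4.0" or not body:
        raise ValueError("not a CVSS 4.0 vector")
    metrics = {}
    for item in body.split("/"):
        m = METRIC_RE.match(item)
        if not m or m.group(1) not in KNOWN:
            raise ValueError(f"unknown or malformed metric: {item!r}")
        name, value = m.groups()
        if name in metrics:
            raise ValueError(f"metric repeated: {name}")
        metrics[name] = value
    missing = [b for b in BASE_METRICS if b not in metrics]
    if missing:  # every base metric is mandatory; the other groups are optional
        raise ValueError(f"base metrics missing: {missing}")
    return metrics

def nomenclature(vector):
    """Return 'CVSS-B', 'CVSS-BT', 'CVSS-BE' or 'CVSS-BTE' for the vector.
    A Threat or Environmental metric left at X (Not Defined) counts as not supplied."""
    metrics = parse_vector(vector)
    has_t = any(metrics.get(m, "X") != "X" for m in THREAT_METRICS)
    has_e = any(metrics.get(m, "X") != "X" for m in ENVIRONMENTAL_METRICS)
    return "CVSS-B" + ("T" if has_t else "") + ("E" if has_e else "")

def is_well_formed(vector):
    """True when the vector parses, so a triage script can reject bad input early."""
    try:
        parse_vector(vector)
        return True
    except ValueError:
        return False
```

Supplemental metrics such as AU (Automatable) or RE (Vulnerability Response Effort) are accepted and preserved by parse_vector for your own prioritization logic, but they leave the nomenclature untouched.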