Security Bulletins
March 21, 2023
Android Phones at Risk of Being Hacked Remotely
Google has issued a warning about a recently discovered vulnerability affecting many Android devices. Affected devices are at risk of being hacked remotely without the device owner’s knowledge.
This means if a cyber criminal has your phone number, the vulnerability gives them access to all the information and text messages on your device. Affected Android devices include:
- Samsung smartphones, including those in the S22, M33, M13, M12, A71, A53, A33, A21s, A13, A12 and A04 series
- Vivo smartphones, including those in the S16, S15, S6, X70, X60 and X30 series
- Google Pixel 6 and Pixel 7 devices
What You Should Do
Google has already issued a security patch for Pixel 6 and 7 devices, which is available in the March 2023 security update.
Fixes for the rest of the affected devices are not yet available. If you own any of the other devices, you can protect your device during this time by switching OFF these features in your device settings:
- Wi-Fi calling
- Voice over LTE (VoLTE)
Watch for updates on a fix from your device provider, and update your device as soon as possible.
March 16, 2023
Critical Vulnerabilities in ColdFusion Require Patching
Note: This notice applies to servers running ColdFusion. If you administer ColdFusion systems that are unsupported (i.e., not on versions 2018 or 2021) or outside of OIT systems listed below, please contact the Information Security team for assistance.
Earlier this week, Adobe released security updates for ColdFusion versions 2018 and 2021 to address a critical vulnerability tracked as CVE-2023-26360 and ranked as priority 1 by Adobe. This vulnerability is currently being exploited and allows attackers to remotely execute malicious code on a computer.
ColdFusion administrators running impacted versions 2018 and 2021 must update their installations to the latest versions: Update 16 and Update 6, respectively, as soon as possible.
For more technical details and remediation guidance on these vulnerabilities, please refer to the Adobe Security Bulletin.
ColdFusion Platform Administrators have already patched the following services in DEV, TEST and PROD on ColdFusion 2018 on March 15, 2023:
- Advising Kiosk
- Benefactor Event Activity Tracking (BEAT)
- Cold Fusion Web Services (NDWS)
- Community Engagement
- Faculty Profile
- FERPA Webcourse
- Institutional Research Reporting
- Matchstick
- My Time Off
- ND Elections
- ND Marketplace - Touchnet Reporting
- ND Renew
- Stewardship Reporting
- Supersection Builder
- Table Maintenance
ColdFusion administrators are actively working on addressing CIFAdmin and Online Photo. Sunapsis is being patched by its support vendor this afternoon.
If you have any questions about the ColdFusion vulnerabilities, contact the Information Security team at infosec@nd.edu.
For 24/7 self-service assistance including the virtual agent, go to: servicenow.nd.edu, or contact the OIT Help Desk during business hours at 574-631-8111 or oithelp@nd.edu.