Recent Security Bulletins

July 11, 2024

Critical GitLab Vulnerability Requires Patching

Who is affected?

  • Developers or system administrators hosting a self-managed GitLab instance.

What You Need to Know

  • GitLab has patched a critical vulnerability in GitLab Community and Enterprise that allows attackers to run pipeline jobs as any other user.
  • Immediate patching is required.
  • Impacted GitLab versions include 15.8 to 16.11.6, 17.0 to 17.0.4, and 17.1 to 17.1.2.

Why it matters

  • An attacker can exploit this weakness to trigger a new pipeline as an arbitrary user.

Go deeper

The Office of Information Technology (OIT) Information Security team requires all GitLab installations running an impacted version to be upgraded to the latest version as soon as possible.


July 9, 2024

High Severity Vulnerability in OpenSSH Server Requires Patching

Who is affected?

  • Anyone who manages OpenSSH servers (sshd) on glibc-based Linux systems or runs Windows Subsystem for Linux 2 on Windows devices.

What You Need to Know

  • A high-severity vulnerability was discovered in OpenSSH’s server that allows unauthenticated remote code execution when exploited.
  • Versions of OpenSSH prior to 4.4, and from 8.5 through 9.7, are impacted and should be patched as soon as possible.

Why it matters

  • Successful exploitation gives an attacker full system compromise: they can install malware, manipulate data, and create backdoors for persistent access.
  • OpenSSH versions earlier than 4.4p1 are vulnerable to this signal handler race condition unless they are patched for CVE-2006-5051 and CVE-2008-4109.
    • Versions from 4.4p1 up to, but not including, 8.5p1 are not vulnerable, because the fix for CVE-2006-5051 made the previously unsafe function safe.
    • The vulnerability resurfaces in versions from 8.5p1 up to, but not including, 9.8p1, because a critical part of that function was accidentally removed.
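The three version windows above are easy to get wrong in an inventory sweep, because the vulnerable range is not a simple "older than X" check. The following script is an added example, not part of this bulletin or of OpenSSH: it parses the version string that an SSH server banner carries (the `SSH-2.0-OpenSSH_9.7p1 Debian-7` form), classifies it against the windows the bulletin describes, and flags distribution builds separately, since vendors often backport the fix without changing the upstream version number. The banners in `SAMPLE_BANNERS` are constructed for the demonstration.

```python
import re

# Constructed sample banners for the demonstration (not taken from the bulletin).
SAMPLE_BANNERS = [
    "SSH-2.0-OpenSSH_9.7p1 Debian-7",
    "SSH-2.0-OpenSSH_9.8p1",
    "SSH-2.0-OpenSSH_8.4p1 Debian-5+deb11u3",
    "SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.10",
    "SSH-2.0-OpenSSH_4.3p2",
    "SSH-2.0-dropbear_2022.83",
]

# major.minor[.patch][pN] followed by an optional vendor suffix such as "Debian-7".
VERSION_RE = re.compile(
    r"OpenSSH_(\d+)\.(\d+)(?:\.(\d+))?(?:p(\d+))?(?:\s+(\S.*))?"
)


def parse_banner(banner):
    """Return ((major, minor, patch), portable_release, vendor_suffix), or None
    when the banner does not advertise OpenSSH at all."""
    m = VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, patch, p, suffix = m.groups()
    version = (int(major), int(minor), int(patch or 0))
    return version, (int(p) if p else None), (suffix or "")


def upstream_status(version):
    """Classify an upstream OpenSSH version by the bulletin's three windows."""
    if version < (4, 4, 0):
        # Vulnerable unless the CVE-2006-5051 / CVE-2008-4109 fixes were applied.
        return "vulnerable"
    if version < (8, 5, 0):
        # 4.4p1 up to 8.5p1: the CVE-2006-5051 fix made the function safe.
        return "not_vulnerable"
    if version < (9, 8, 0):
        # 8.5p1 up to 9.8p1: the regression window described in the bulletin.
        return "vulnerable"
    return "not_vulnerable"


def assess_banner(banner):
    """Assess one banner; returns a dict with a status for reporting."""
    parsed = parse_banner(banner)
    if parsed is None:
        return {"banner": banner, "status": "not_openssh"}
    version, portable, suffix = parsed
    status = upstream_status(version)
    # Distribution builds (banner carries a vendor suffix) frequently backport
    # the fix without bumping the upstream version, so a vulnerable-looking
    # version must be checked against the vendor's advisory, not auto-flagged.
    if status == "vulnerable" and suffix:
        status = "check_vendor_patch"
    return {
        "banner": banner,
        "version": version,
        "portable_release": portable,
        "vendor_suffix": suffix,
        "status": status,
    }


def assess_all(banners=SAMPLE_BANNERS):
    return [assess_banner(b) for b in banners]


if __name__ == "__main__":
    for result in assess_all():
        print(f"{result['status']:<20} {result['banner']}")
```

The `check_vendor_patch` outcome is the important one for a campus fleet: a Debian or Ubuntu host reporting 9.6p1 or 9.7p1 may already carry the backported fix, and only the distribution's package changelog or advisory settles it. Versions without a vendor suffix are compared directly against the upstream boundaries.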

Learn more


June 4, 2024

High-Severity GitLab Vulnerability Requires Patching

What You Need to Know

  • GitLab has patched a high-severity vulnerability that could be exploited by attackers to take over user accounts in cross-site scripting (XSS) attacks.
  • Immediate patching is required.
  • Impacted GitLab versions include 15.11 before 16.10.6, 16.11 before 16.11.3, and 17.0 before 17.0.1.

Who is affected?

  • Developers or system administrators hosting a self-managed GitLab instance.

Why it matters

  • By leveraging this XSS weakness in the VS Code editor (Web IDE), an attacker can craft a malicious page to access sensitive user information.

Go deeper

The Office of Information Technology (OIT) Information Security team requires all GitLab installations running an impacted version to be upgraded to the latest version as soon as possible.


May 31, 2024

Action Required: Slack Privacy Settings for AI Tools

What's new?

  • Slack has updated their privacy principles regarding artificial intelligence features.

  • Slack is gathering and utilizing customer data and usage information to enhance their AI products.

  • Slack users who do not want their data collected for these purposes must opt out.

  • Information Security recommends that all Notre Dame-related Slack accounts opt out of this feature promptly.

Who is affected?

  • Anyone using Slack on campus, particularly those who serve as a workspace owner for their group.

  • Each workspace owner must contact Slack directly, following these instructions, to opt out.

Why it matters:

  • University-related business being conducted through Slack channels is considered confidential, and should not be collected and used to inform these tools.

  • While Slack assures client protections are in place to safeguard against leaks, there is still risk related to this data collection.

Go deeper:


May 23, 2024

Critical Git Vulnerabilities Require Patching

What You Need to Know

  • Five vulnerabilities (one of which is critical) in Git have been detected.

  • Immediate patching is required.

  • All Git installations running an impacted version need to be upgraded to the latest version (v2.45.1).

Who is affected?

  • Developers or system administrators hosting a self-managed Git instance.

Why it matters:

  • Various vulnerabilities, including one critical vulnerability, were discovered, affecting multiple Git versions. More detail about each can be found in this GitHub post.

Go deeper

  • Platforms affected include Windows, macOS, Linux and BSD.

  • This release is coordinated with Visual Studio and GitHub Desktop, which include a subset of Git.

The Office of Information Technology (OIT) Information Security team requires all Git installations running an impacted version to be upgraded to the latest version as soon as possible.


May 21, 2024

New Security Updates for Google Chrome

Google has released security updates to its Chrome web browser to fix high-severity vulnerabilities that are actively being exploited. These updates also apply to any web browsers running the same technology (e.g., Microsoft Edge, Brave, Opera, Vivaldi and others).

The Office of Information Technology (OIT) Information Security team recommends updating all affected browsers on both personal and University-owned devices. Most University-managed computers have automatic updates enabled for Google Chrome—restart your Chrome browser to allow it to update to the latest release.

Instructions for manually updating your Chrome browser are available in this Google Chrome Help web page. If you are using a different web browser, please refer to their support documentation.

While these security updates are specific to Chromium-based web browsers, please ensure security updates are applied regularly for all web browsers.


May 15, 2024

New Security Updates for Apple Devices

Apple has released updates for Apple devices to address significant security vulnerabilities.

A full list of these security updates and impacted devices can be found in this Apple Support article.

The Office of Information Technologies (OIT) Information Security team recommends that anyone with any Apple device – both personal and University-owned – install the updates immediately. Below are the instructions on how to upgrade your device(s):

Please allow approximately 10-20 minutes for these updates to complete.


May 13, 2024

New Security Updates for Google Chrome

Google has released security updates to its Chrome web browser to fix high-severity vulnerabilities that are actively being exploited. These updates also apply to any web browsers running the same technology (e.g., Microsoft Edge, Brave, Opera, Vivaldi and others).

The Office of Information Technology (OIT) Information Security team recommends updating all affected browsers on both personal and University-owned devices. Most University-managed computers have automatic updates enabled for Google Chrome—restart your Chrome browser to allow it to update to the latest release.

Instructions for manually updating your Chrome browser are available in this Google Chrome Help web page. If you are using a different web browser, please refer to their support documentation.

While these security updates are specific to Chromium-based web browsers, please ensure security updates are applied regularly for all web browsers.


May 2, 2024

Vulnerability Found in R Programming Language

Summary

  • A vulnerability has been discovered in R, an open source programming language, which supports data visualization, machine learning and statistical computing.

  • Threat actors can execute arbitrary code when a malicious file is loaded, and the flaw could be used as part of a supply chain attack.

Who is affected?

  • Anyone running a machine with R installed, or working in a lab where a machine with R installed is in use.

The big picture

  • Any version from 1.4.0 up to, but not including, 4.4.0 is affected by deserialization of untrusted data in the R statistical programming language.

  • Patches were included in R Core version 4.4.0, as well as Windows and Mac binaries. The updated version will also be included in various Linux distributions.

Learn more


April 30, 2024

Security Flaw in Several Chinese Keyboard Apps

Summary

  • Several widely used keyboard apps for Chinese speakers have been found to contain critical security flaws that allow every keystroke to be intercepted.

  • Updates to impacted apps should be installed promptly.

Who is affected?

  • Those who use pinyin keyboard apps to romanize Chinese characters.

The big picture

  • Since these keyboards are cloud-based, exploitation of these flaws could permit cybercriminals to decrypt Chinese-language mobile users' keystrokes.

  • Apps impacted include:

    • Baidu

    • Honor

    • Huawei

    • iFlyTek

    • OPPO

    • Samsung

    • Tencent

    • Vivo

    • Xiaomi

  • Updates are available for many of these apps, and it is recommended that users apply those updates immediately.

Learn more


April 10, 2024

HTTP/2 Continuation Flood Attack Requires Patching

What you need to know

  • A new HTTP/2 DoS attack has been discovered, which could pose a greater threat than the Rapid Reset attack disclosed in October 2023.

  • Patches are available, and Information Security advises anyone hosting a public site to apply these patches immediately:

    • Upgrade Apache Tomcat to versions 8.5.99, 9.0.86, 10.1.197 or later

    • Upgrade Apache to version 2.4.59 or later

    • Upgrade Node.js to versions 18.20.1, 20.12.1, 21.7.2 or later

Who is affected?

  • Website administrators running HTTP/2 sites.

Why it matters

  • Attackers could cause websites to crash.

  • Researchers suggest a single machine has the potential to cause disruption to websites and APIs that use HTTP/2.

Learn more

  • Learn more about these vulnerabilities and mitigation steps.


March 29, 2024

Text Scam Targeting Notre Dame Users

Information Security is aware of an ongoing text scam - known as smishing - impersonating the University’s Chief Information Officer, threatening to delete the user’s email account.

Remember, Notre Dame will never text you to inform you your account is being deactivated, or ask for any personal information. If you receive this message, please report it to infosec@nd.edu, then delete the message and block the number.


March 21, 2024

New Security Updates for Google Chrome and Firefox

Google and Mozilla have released security updates to their respective Chrome and Firefox web browsers to fix high-severity vulnerabilities.

The Office of Information Technologies (OIT) Information Security team recommends updating all impacted browsers on both personal and University-owned devices. Most University-managed computers have automatic updates enabled for Google Chrome—restart your Chrome browser to allow it to update to the latest release.

Instructions for manually updating your Chrome browser are available in this Google Chrome Help web page, and those for manually updating Firefox can be found here.

While these security updates are specific to Chromium-based and Firefox web browsers, please ensure security updates are applied regularly for all web browsers.


March 6, 2024

New Security Updates for Apple Devices

Apple has released updates for Apple devices to address significant security vulnerabilities.

A full list of these security updates and impacted devices can be found in this Apple Support article.

The Office of Information Technologies (OIT) Information Security team recommends that anyone with any Apple device – both personal and University-owned – install the updates immediately. Below are the instructions on how to upgrade your device(s):

Please allow approximately 10-20 minutes for these updates to complete.


January 24, 2024

Critical GitLab Vulnerability Requires Patching

What You Need to Know

  • For the second time this month, a critical vulnerability in GitLab has been detected which needs to be patched ASAP.

  • All GitLab installations running an impacted version need to be upgraded to the latest versions (16.8.1, 16.7.4, 16.6.6, 16.5.8).

Who is affected?

  • Developers or system administrators hosting a self-managed GitLab instance (specific versions)

Why it matters:

  • Various vulnerabilities, including one critical vulnerability, were discovered, affecting multiple GitLab versions. More detail about each can be found in this GitLab Critical Security Release.

Go deeper

GitLab, a web-based Git repository for developer teams that need to manage their code remotely, has released security updates for both the Community Edition (CE) and Enterprise Edition (EE) to address security vulnerabilities, including one considered critical.

The Office of Information Technologies (OIT) Information Security team requires all GitLab installations running an impacted version to be upgraded to the latest versions (16.8.1, 16.7.4, 16.6.6, 16.5.8) as soon as possible.

For more technical details on this vulnerability, please refer to this GitLab Critical Security Release.


January 23, 2024

New Security Updates for Apple Devices

Apple has released updates for Apple devices to address significant security vulnerabilities.

A full list of these security updates and impacted devices can be found in this Apple Support article.

The Office of Information Technologies (OIT) Information Security team recommends that anyone with any Apple device – both personal and University-owned – install the updates immediately. Below are the instructions on how to upgrade your device(s):

Please allow approximately 10-20 minutes for these updates to complete.


January 16, 2024

Critical Vulnerability in GitLab Requires Patching

What You Need to Know

  • GitLab has a critical vulnerability that needs to be patched ASAP

Who is Affected?

  • Developers or system administrators hosting a self-managed GitLab instance (specific versions)

Why it Matters:

  • Attackers could use this to send password reset requests to unverified email addresses, allowing account takeover.

Technical details and upgrade instructions

Go Deeper:

GitLab, a web-based Git repository for developer teams that need to manage their code remotely, has released security updates for both the Community Edition (CE) and Enterprise Edition (EE) to address a critical vulnerability tracked as CVE-2023-7028 (base score: 10).

The exploitation of CVE-2023-7028 could allow password reset requests to be sent to unverified email addresses, allowing account takeover. If two-factor authentication is active, the second factor is still needed for successful log-in.

This vulnerability impacts the following versions of GitLab:

  • 16.1 prior to 16.1.5

  • 16.2 prior to 16.2.8

  • 16.3 prior to 16.3.6

  • 16.4 prior to 16.4.4

  • 16.5 prior to 16.5.6

  • 16.6 prior to 16.6.4

  • 16.7 prior to 16.7.2

The Office of Information Technologies (OIT) Information Security team requires all GitLab installations running an impacted version to be upgraded to the latest versions (16.7.2, 16.6.4, or 16.5.6) as soon as possible.

For more technical details on this vulnerability, please refer to this GitLab Critical Security Release.