June 2, 2023
Luxottica Data Breach
In March 2021, the world's largest eyewear company, Luxottica, suffered a data breach via one of its partners that exposed the personal information of more than 70M people. The data was subsequently sold on a popular hacking forum in late 2022 and included email and physical addresses, names, genders, dates of birth and phone numbers. In a statement, Luxottica advised that it was aware of the incident and is currently "considering other notification obligations". Many Notre Dame accounts were impacted by this data breach.
Why are you only hearing about this now? Although the breach occurred in March 2021, there is often a lead time of months or even years between a breach and the public disclosure of the stolen data.
Cyber criminals can leverage personal information about victims to create targeted phishing attacks that may seem legitimate based on the specific information they are able to include. These fraudulent messages can come by way of email, text, or phone call. Any time personal data is leaked, it is important to be extra vigilant. For more information on how to recognize and report phishing messages, please refer to this knowledge article.
A third-party site such as haveibeenpwned.com will search known breaches for your email address and show which of them exposed it. You can also sign up there to be alerted if your address appears in a future breach.
Since the exposed data did not include passwords, this advisory is for informational purposes only. There is no formal action required.
For more information on the Luxottica data breach, please refer to this BleepingComputer security article.
May 30, 2023
Critical Vulnerability in GitLab Requires Patching
GitLab, a web-based Git repository manager used by development teams to host and manage their code, has released an emergency security update, version 16.0.1, to address a critical vulnerability (CVSS score: 10.0) tracked as CVE-2023-2825.
It impacts GitLab Community Edition (CE) and Enterprise Edition (EE) version 16.0.0. Earlier versions are not affected.
The exploitation of CVE-2023-2825 could expose sensitive data, including proprietary software code, user credentials, tokens, files and other private information.
The Office of Information Technologies (OIT) Information Security team recommends that all GitLab installations running an impacted version be upgraded to version 16.0.1, the latest release, as soon as possible. If you use GitLab Runner, update it to its latest version as well.
For more technical details on this vulnerability, please refer to the GitLab critical security release and this BleepingComputer security article.
April 14, 2023
New Security Updates for Microsoft Office & Windows OS
Recently, Microsoft published information regarding security vulnerabilities that affect unpatched versions of Microsoft Office applications (for both Mac and Windows devices) and Windows operating systems.
The Office of Information Technologies (OIT) Information Security team advises updating all Microsoft Office products on all devices. One of the vulnerabilities could allow cyber criminals to remotely execute malicious code on any computer that uses an affected version of Microsoft Word.
Instructions on how to check or update your current version of Microsoft Office are available in these Microsoft articles:
OIT system engineers will push out these updates to all University-owned, managed Windows computers automatically. If your machine is not managed by OIT, you will need to apply these updates manually. Though managed Mac computers have Office applications set to auto-update by default, please verify your applications are up-to-date.
More information about the Microsoft Office security updates can be found in this Microsoft Release Notes article.
Microsoft has released a new update for the Windows 10 & 11 operating systems to remediate a security vulnerability being actively exploited.
Be sure to update your personal and unmanaged devices as soon as possible. Instructions are available in this Microsoft Support Article.
OIT system engineers will push out these updates to all University-owned, managed Windows computers.
If your Notre Dame-owned computers are not currently managed, contact your departmental IT support or the OIT Help Desk to request this service.
April 12, 2023
New Security Updates for Apple Devices
Recently, Apple released security updates for Apple devices to address critical security vulnerabilities that are actively being exploited.
A full list of these security updates and impacted devices can be found in this Apple Support article.
The Office of Information Technologies (OIT) Information Security team recommends that anyone with any Apple device—both personal and University owned—install the updates immediately. Below are the instructions on how to upgrade your device(s):
Please allow approximately 10-20 minutes for these updates to complete.
March 21, 2023
Android Phones at Risk of Being Hacked Remotely
Google has issued a warning about a recently discovered vulnerability affecting many Android devices. Affected devices are at risk of being compromised remotely without the device owner's knowledge.
An attacker who knows only your phone number could exploit it to compromise the device remotely, with no action required from you, potentially gaining access to information and text messages stored on the device. Affected Android devices include:
- Samsung smartphones, including those in the S22, M33, M13, M12, A71, A53, A33, A21s, A13, A12 and A04 series
- Vivo smartphones, including those in the S16, S15, S6, X70, X60 and X30 series
- Google Pixel 6 and Pixel 7 devices
What You Should Do
At this time, Google has already issued a security patch for Pixel 6 and 7 devices, which is available in this March 2023 security update.
Fixes for the rest of the affected devices are not yet available. If you own any of the other devices, you can protect your device during this time by switching OFF these features in your device settings:
- Wi-Fi calling
- Voice over LTE (VoLTE)
Watch for updates on a fix from your device provider, and update your device as soon as possible.
March 16, 2023
Critical Vulnerabilities in ColdFusion Require Patching
Note: This notice applies to servers running ColdFusion. If you administer ColdFusion systems that are unsupported (i.e., not on versions 2018 or 2021) or outside of OIT systems listed below, please contact the Information Security team for assistance.
Earlier this week, Adobe released security updates for ColdFusion versions 2018 and 2021 to address a critical vulnerability tracked as CVE-2023-26360 and rated priority 1 by Adobe. This vulnerability is currently being exploited and allows attackers to remotely execute malicious code on the affected server.
ColdFusion administrators running the impacted versions must update their installations to the latest update levels, ColdFusion 2018 Update 16 and ColdFusion 2021 Update 6 respectively, as soon as possible.
For more technical details and remediation guidance on these vulnerabilities, please refer to this Adobe Security Bulletin.
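Both the GitLab notice above (CVE-2023-2825: only 16.0.0 affected, fixed in 16.0.1) and this ColdFusion notice (CVE-2023-26360: fixed in 2018 Update 16 and 2021 Update 6) come down to the same administrative question: which of my hosts still run a version inside the vulnerable range? The script below is an added example, not part of the OIT notice or either vendor's tooling. It assumes GitLab's version string looks like `16.0.0-ee` (as returned by `GET /api/v4/version`), that ColdFusion's product version is the comma-separated form shown in the Administrator (`2021,0,06,330132`), and the hostnames in the sample inventory are placeholders.

```python
"""Added example (not part of the OIT notice): flag inventory hosts whose
version falls inside the vulnerable ranges named by the GitLab
(CVE-2023-2825) and ColdFusion (CVE-2023-26360) advisories on this page.
Version-string formats and the sample inventory are assumptions."""
import json
import re
import urllib.request
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]

# Vulnerable range per advisory as [affected_from, fixed_in) on the parsed
# tuple, plus the label of the fix to install. GitLab's range covers only
# 16.0.0 (earlier versions are not affected); ColdFusion's cover every
# update level below the fixed one.
ADVISORIES: Dict[str, List[Tuple[Version, Version, str]]] = {
    "gitlab": [((16, 0, 0), (16, 0, 1), "16.0.1")],
    "coldfusion": [
        ((2018, 0, 0), (2018, 0, 16), "2018 Update 16"),
        ((2021, 0, 0), (2021, 0, 6), "2021 Update 6"),
    ],
}


def parse_version(text: str) -> Version:
    """Turn a version string into a comparable tuple of ints.

    GitLab reports e.g. "16.0.0-ee"; ColdFusion shows "2021,0,06,330132"
    (assumed format). Anything after the first "-" (edition or
    pre-release suffix) is dropped; remaining digit runs become the tuple.
    """
    core = text.strip().split("-", 1)[0]
    return tuple(int(n) for n in re.findall(r"\d+", core))


def needs_patch(product: str, version: str) -> Optional[str]:
    """Return the fix label to install, or None if outside every vulnerable range.

    Tuple comparison is lexicographic, so a longer ColdFusion tuple such as
    (2018, 0, 16, 330285) correctly compares >= (2018, 0, 16) and is not flagged.
    """
    parsed = parse_version(version)
    for affected_from, fixed_in, fix_label in ADVISORIES.get(product.lower(), []):
        if affected_from <= parsed < fixed_in:
            return fix_label
    return None


def triage(inventory: List[Tuple[str, str, str]]) -> List[Tuple[str, str]]:
    """(host, product, version) rows -> [(host, fix_label)] for hosts needing a patch."""
    findings: List[Tuple[str, str]] = []
    for host, product, version in inventory:
        fix = needs_patch(product, version)
        if fix is not None:
            findings.append((host, fix))
    return findings


def fetch_gitlab_version(base_url: str, token: str) -> str:
    """Ask a live GitLab instance for its version (needs network and a personal access token)."""
    req = urllib.request.Request(
        base_url.rstrip("/") + "/api/v4/version",
        headers={"PRIVATE-TOKEN": token},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)["version"]


# Constructed sample inventory; hostnames are placeholders, not real systems.
SAMPLE_INVENTORY = [
    ("git-dev.example.edu", "gitlab", "16.0.0-ee"),
    ("git-prod.example.edu", "gitlab", "15.11.4-ee"),
    ("cf2018-test.example.edu", "coldfusion", "2018,0,15,330000"),
    ("cf2021-prod.example.edu", "coldfusion", "2021,0,06,330132"),
]

if __name__ == "__main__":
    for host, fix in triage(SAMPLE_INVENTORY):
        print(f"{host}: upgrade to {fix}")
```

Feed `triage` rows gathered from your configuration management or, for GitLab, from `fetch_gitlab_version` against each instance; only the hosts still inside a vulnerable range are returned, each paired with the update the advisory names.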
ColdFusion Platform Administrators have already patched the following services in DEV, TEST and PROD on ColdFusion 2018 on March 15, 2023:
Benefactor Event Activity Tracking (BEAT)
Cold Fusion Web Services (NDWS)
Institutional Research Reporting
My Time Off
ND Marketplace - Touchnet Reporting
ColdFusion administrators are actively working on addressing CIFAdmin and Online Photo. Sunapsis is being patched by its support vendor this afternoon.
If you have any questions about the ColdFusion vulnerabilities, contact the Information Security team at firstname.lastname@example.org.