Past Security Bulletins

December 21, 2023

New Security Updates for Google Chrome

Google has released security updates to patch high-severity vulnerabilities in its Chrome web browser that are actively being exploited. These updates also apply to any Chromium-based web browsers running the same technology (e.g., Microsoft Edge, Brave, Opera, Vivaldi and others).

The Office of Information Technologies (OIT) Information Security team recommends updating all Chromium-based browsers on personal devices, including those at home this holiday season.

Instructions on how to manually update your Chrome browser are available in this Google Chrome Help web page. If you are using a different Chromium-based web browser, please refer to their support documentation.

Though these security vulnerabilities are specific to Chromium-based web browsers, please ensure security updates are applied regularly for all web browsers.

For 24/7 self-service assistance including the virtual agent, go to servicenow.nd.edu or contact the OIT Help Desk during business hours at 574-631-8111 or oithelp@nd.edu.


December 13, 2023

New Security Updates for Apple Devices

Apple has released updates for Apple devices to address significant security vulnerabilities.

A full list of these security updates and impacted devices can be found in this Apple Support article.

The Office of Information Technologies (OIT) Information Security team recommends that anyone with any personal Apple device install the updates immediately. Below are the instructions on how to upgrade your device(s):

Please allow approximately 10-20 minutes for these updates to complete.

For 24/7 self-service assistance including the virtual agent, go to servicenow.nd.edu or contact the OIT Help Desk during business hours at 574-631-8111 or oithelp@nd.edu.


December 4, 2023

New Security Updates for Google Chrome

Google recently released security updates to its Chrome web browser to fix high-severity vulnerabilities that are actively being exploited. While the Google Chrome browser is the most common, these updates also apply to any Chromium-based web browsers running the same technology (e.g., Microsoft Edge, Brave, Opera, Vivaldi and others).

The Office of Information Technologies (OIT) Information Security team recommends updating all Chromium-based browsers on both personal and University owned devices. Most University managed computers have automatic updates enabled for Google Chrome—restart your Chrome browser to allow it to update to the latest release.

Instructions on how to manually update your Chrome browser are available in this Google Chrome Help web page. If you are using a different Chromium-based web browser, please refer to their support documentation.

While these security updates are specific to Chromium-based web browsers, please ensure security updates are applied regularly for all web browsers.

If you have questions, contact your departmental IT support staff. For 24/7 self-service assistance including the virtual agent, go to servicenow.nd.edu or contact the OIT Help Desk during business hours at 574-631-8111 or oithelp@nd.edu.


December 1, 2023

New Security Updates for Apple Devices

Recently, Apple released security updates for Apple devices to address significant security vulnerabilities.

A full list of these security updates and impacted devices can be found in this Apple Support article.

The Office of Information Technologies (OIT) Information Security team recommends that anyone with any Apple device—both personal and University owned—install the updates immediately. Below are the instructions on how to upgrade your device(s):

Please allow approximately 10-20 minutes for these updates to complete.

For 24/7 self-service assistance including the virtual agent, go to servicenow.nd.edu or contact the OIT Help Desk during business hours at 574-631-8111 or oithelp@nd.edu.


November 1, 2023

Critical Apache ActiveMQ Vulnerability Requires Patching

Summary

  • A server product called Apache ActiveMQ has a serious vulnerability that requires immediate patching.

Who does this apply to?

  • Server and system administrators running Apache ActiveMQ

What you need to do

  • Affected users should upgrade to version 5.15.16, 5.16.7, 5.17.6, or 5.18.3, each of which fixes this issue.

More information

A vulnerability has been identified in Apache ActiveMQ and requires immediate patching. Some versions are vulnerable to Remote Code Execution, which could allow a remote attacker to gain unauthorized access to a system. The vendor rates this as critical severity, with a base score of 10.0. Learn more about the vulnerability, affected versions, and remediation steps in the advisory notice.
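The fixed releases above are per branch, so a single "version >= 5.15.16" comparison gives the wrong answer for a host on 5.16.6. The following is an added example (not part of the original bulletin or of Apache's tooling) that triages an inventory against the four fixed releases listed here; the host names and inventory are constructed, and branches the bulletin does not list are reported for manual review rather than guessed at.

```python
import re

# Fixed releases named in the bulletin, keyed by (major, minor) release branch.
FIXED = {(5, 15): (5, 15, 16), (5, 16): (5, 16, 7),
         (5, 17): (5, 17, 6), (5, 18): (5, 18, 3)}

def parse_version(text):
    """Parse a strict 'X.Y.Z' string; anything else is left for manual review."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(g) for g in m.groups())

def triage(version_text):
    """Return (status, target); target is the fixed release for that branch or None."""
    version = parse_version(version_text)
    fixed = FIXED.get(version[:2])
    if fixed is None:
        # Branch not in the bulletin's list: consult the vendor advisory.
        return ("check-advisory", None)
    target = ".".join(map(str, fixed))
    return ("ok", target) if version >= fixed else ("upgrade", target)

def triage_inventory(inventory):
    """Triage every host; unparseable versions are reported, not skipped."""
    rows = []
    for host, version_text in sorted(inventory.items()):
        try:
            status, target = triage(version_text)
        except ValueError:
            status, target = "unparsed", None
        rows.append((host, version_text, status, target))
    return rows

# Constructed inventory; host names are hypothetical.
INVENTORY = {
    "mq-a.example": "5.15.16",          # at the fixed release for 5.15
    "mq-b.example": "5.16.6",           # above 5.15.16, but below its own branch's fix
    "mq-c.example": "5.18.2",
    "mq-d.example": "5.14.5",           # branch not listed in the bulletin
    "mq-e.example": "5.17.6-SNAPSHOT",  # not a release version string
}

if __name__ == "__main__":
    for host, version_text, status, target in triage_inventory(INVENTORY):
        print(f"{host:14} {version_text:16} {status:15} {target or '-'}")
```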

For 24/7 self-service assistance including the virtual agent, go to: servicenow.nd.edu, or contact the OIT Help Desk during business hours at 574-631-8111 or oithelp@nd.edu.


October 26, 2023

New Security Updates for Apple Devices

Recently, Apple released security updates for Apple devices to address significant security vulnerabilities.

A full list of these security updates and impacted devices can be found in this Apple Support article.

The Office of Information Technology (OIT) Information Security team recommends that anyone with any personal Apple device install the updates immediately. Below are the instructions on how to upgrade your device(s):

Please allow approximately 10-20 minutes for these updates to complete.

For 24/7 self-service assistance including the virtual agent, go to servicenow.nd.edu or contact the OIT Help Desk during business hours at 574-631-8111 or oithelp@nd.edu.


October 13, 2023

New Security Updates for Apple Devices

Recently, Apple released security updates for Apple mobile devices to address a security vulnerability that has been exploited in attacks.

A full list of these security updates and impacted devices can be found in this Apple Support article.

The Office of Information Technology (OIT) Information Security team recommends that anyone with any Apple device—both personal and University owned—install the updates immediately. Below are the instructions on how to upgrade your device(s):

Please allow approximately 10-20 minutes for these updates to complete.

For 24/7 self-service assistance including the virtual agent, go to servicenow.nd.edu or contact the OIT Help Desk during business hours at 574-631-8111 or oithelp@nd.edu.


October 11, 2023

Advisory: HTTP/2 Rapid Reset Attack Requires Patching

This advisory applies to anyone hosting a public site. It was recently disclosed that over the last three months a number of web applications have been targeted with a novel HTTP/2-based distributed denial-of-service (DDoS) attack.

The Rapid Reset attack technique takes advantage of the “stream multiplexing” feature in HTTP/2 by repeatedly sending and canceling requests. This record-breaking attack reached millions of requests per second.

The Office of Information Technology (OIT) Information Security team advises that anyone hosting a public site apply available patches to maintain site functionality. Patches have already been released for several main web servers listed below:

For more technical details on this DDoS attack, refer to this Google Cloud Blog article.
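For site operators who want to see what "repeatedly sending and canceling requests" looks like in telemetry, here is an added detection sketch (not from the original advisory or any vendor patch). It assumes a hypothetical log of client-sent HTTP/2 frames per connection; the log format, sample events and thresholds are constructed for illustration.

```python
from collections import defaultdict, deque

def sample_events():
    """Constructed client-frame log: '<ms> conn=<id> <FRAME> stream=<id>' (hypothetical format)."""
    lines = []
    for i in range(5):        # conn 1: five ordinary requests ...
        lines.append(f"{100000 + 200 * i} conn=1 HEADERS stream={2 * i + 1}")
    lines.append("100900 conn=1 RST_STREAM stream=9")   # ... one of them cancelled
    for i in range(200):      # conn 2: each stream is cancelled 1 ms after it opens
        sid = 2 * i + 1
        lines.append(f"{100000 + 2 * i} conn=2 HEADERS stream={sid}")
        lines.append(f"{100001 + 2 * i} conn=2 RST_STREAM stream={sid}")
    return sorted(lines, key=lambda line: int(line.split()[0]))

def detect_rapid_reset(lines, window_ms=1000, max_resets=100, min_ratio=0.9):
    """Return {conn_id: ms timestamp when first flagged}. Thresholds are illustrative."""
    opened = defaultdict(deque)   # conn -> HEADERS timestamps inside the window
    resets = defaultdict(deque)   # conn -> RST_STREAM timestamps inside the window
    flagged = {}
    for line in lines:
        ts_text, conn_text, frame, _stream = line.split()
        ts, conn = int(ts_text), conn_text.split("=", 1)[1]
        if frame == "HEADERS":
            opened[conn].append(ts)
        elif frame == "RST_STREAM":
            resets[conn].append(ts)
        else:
            continue
        # Slide the window: drop events older than window_ms.
        for queue in (opened[conn], resets[conn]):
            while queue and queue[0] <= ts - window_ms:
                queue.popleft()
        n_open, n_reset = len(opened[conn]), len(resets[conn])
        # Flag only when resets are both numerous and nearly 1:1 with opened streams.
        if n_reset > max_resets and n_reset >= min_ratio * max(n_open, 1):
            flagged.setdefault(conn, ts)
    return flagged

if __name__ == "__main__":
    for conn, ts in detect_rapid_reset(sample_events()).items():
        print(f"conn {conn}: rapid-reset pattern first seen at {ts} ms")
```

The occasional cancelled request on connection 1 stays well under both thresholds; only the connection whose streams are almost all reset within the window is flagged.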

For 24/7 self-service assistance including the virtual agent, go to: servicenow.nd.edu, or contact the OIT Help Desk during business hours at 574-631-8111 or oithelp@nd.edu.


June 2, 2023

Luxottica Data Breach

In March 2021, the world's largest eyewear company, Luxottica, suffered a data breach via one of its partners that exposed the personal information of more than 70M people. The data was subsequently sold via a popular hacking forum in late 2022 and included email and physical addresses, names, genders, dates of birth and phone numbers. In a statement, Luxottica advised that it was aware of the incident and is currently "considering other notification obligations". Many Notre Dame accounts were impacted by this data breach.

Why are you only hearing about this now? While the breach occurred in March 2021, sometimes there can be a lengthy lead time of months or even years before the data is disclosed publicly.

Cyber criminals can leverage personal information about victims to create targeted phishing attacks that may seem legitimate based on the specific information they are able to include. These fraudulent messages can come by way of email, text, or phone call. Any time personal data is leaked, it is important to be extra vigilant. For more information on how to recognize and report phishing messages, please refer to this knowledge article.

A third-party website like haveibeenpwned.com can search for compromised information based on your email address. You can also sign up to receive alerts.

Since the exposed data did not include passwords, this advisory is for informational purposes only. There is no formal action required.

For more information on the Luxottica data breach, please refer to this BleepingComputer security article.


May 30, 2023

Critical Vulnerability in GitLab Requires Patching

GitLab, a web-based Git repository for developer teams that need to manage their code remotely, has released an emergency security update, version 16.0.1, to address a critical vulnerability (CVSS score: 10.0) tracked as CVE-2023-2825.

It impacts GitLab Community Edition (CE) and Enterprise Edition (EE) version 16.0.0. Earlier versions are not affected.

The exploitation of CVE-2023-2825 could expose sensitive data, including proprietary software code, user credentials, tokens, files and other private information.

The Office of Information Technology (OIT) Information Security team recommends that all GitLab installations running an impacted version be upgraded to the latest version, 16.0.1, as soon as possible. GitLab Runner, where in use, should also be updated to the latest version as soon as possible.

For more technical details on this vulnerability, please refer to the GitLab critical security release and this BleepingComputer security article.


April 14, 2023

New Security Updates for Microsoft Office & Windows OS

Recently, Microsoft published information regarding security vulnerabilities that affect unpatched versions of Microsoft Office applications (for both Mac and Windows devices) and Windows operating systems.

Microsoft Office

The Office of Information Technology (OIT) Information Security team advises updating all Microsoft Office products on all devices. One of the vulnerabilities could allow cyber criminals to remotely execute malicious code on any computer that uses an affected version of Microsoft Word.

Instructions on how to check or update your current version of Microsoft Office are available in these Microsoft articles:

OIT system engineers will push out these updates to all University-owned, managed Windows computers automatically. If your machine is not managed by OIT, you will need to apply these updates manually. Though managed Mac computers have Office applications set to auto-update by default, please verify your applications are up-to-date.

More information about the Microsoft Office security updates can be found in this Microsoft Release Notes article.

Windows OS

Microsoft has released a new update for the Windows 10 & 11 operating systems to remediate a security vulnerability being actively exploited.

Be sure to update your personal and unmanaged devices as soon as possible. Instructions are available in this Microsoft Support Article.

OIT system engineers will push out these updates to all University-owned, managed Windows computers.

If your Notre Dame-owned computers are not currently managed, contact your departmental IT support or the OIT Help Desk to request this service.


April 12, 2023

New Security Updates for Apple Devices

Recently, Apple released security updates for Apple devices to address critical security vulnerabilities that are actively being exploited.

A full list of these security updates and impacted devices can be found in this Apple Support article.

The Office of Information Technology (OIT) Information Security team recommends that anyone with any Apple device—both personal and University owned—install the updates immediately. Below are the instructions on how to upgrade your device(s):

Please allow approximately 10-20 minutes for these updates to complete.


March 21, 2023

Android Phones at Risk of Being Hacked Remotely

Google has issued a warning about a recently discovered vulnerability affecting many Android devices. Affected devices are at risk of being hacked remotely without the device owner’s knowledge.

This means if a cyber criminal has your phone number, the vulnerability gives them access to all the information and text messages on your device. Affected Android devices include:

  • Samsung smartphones, including those in the S22, M33, M13, M12, A71, A53, A33, A21s, A13, A12 and A04 series
  • Vivo smartphones, including those in the S16, S15, S6, X70, X60 and X30 series
  • Google Pixel 6 and Pixel 7 devices

What You Should Do

At this time, Google has already issued a security patch for Pixel 6 and 7 devices, which is available in this March 2023 security update.

Fixes for the rest of the affected devices are not yet available. If you own any of the other devices, you can protect your device during this time by switching OFF these features in your device settings:

  • Wi-Fi calling
  • Voice over LTE (VoLTE)

Watch for updates on a fix from your device provider, and update your device as soon as possible.


March 16, 2023

Critical Vulnerabilities in ColdFusion Require Patching

Note: This notice applies to servers running ColdFusion. If you administer ColdFusion systems that are unsupported (i.e., not on versions 2018 or 2021) or outside of OIT systems listed below, please contact the Information Security team for assistance.

Earlier this week, Adobe released security updates for ColdFusion versions 2018 and 2021 to address a critical vulnerability tracked as CVE-2023-26360 and ranked as priority 1 by Adobe. This vulnerability is currently being exploited and allows attackers to remotely execute malicious code on a computer.

ColdFusion administrators running impacted versions 2018 and 2021 must update their installations to the latest versions: Update 16 and Update 6, respectively, as soon as possible.

For more technical details and remediation guidance on these vulnerabilities, please refer to this Adobe Security Bulletin.

ColdFusion Platform Administrators have already patched the following services in DEV, TEST and PROD on ColdFusion 2018 on March 15, 2023:

  • Advising Kiosk

  • Benefactor Event Activity Tracking (BEAT)

  • Cold Fusion Web Services (NDWS)

  • Community Engagement

  • Faculty Profile

  • FERPA Webcourse

  • Institutional Research Reporting

  • Matchstick

  • My Time Off

  • ND Elections

  • ND Marketplace - Touchnet Reporting

  • ND Renew

  • Stewardship Reporting

  • Supersection Builder

  • Table Maintenance

ColdFusion administrators are actively working on addressing CIFAdmin and Online Photo. Sunapsis is being patched by its support vendor this afternoon.

If you have any questions about the ColdFusion vulnerabilities, contact the Information Security team at infosec@nd.edu.

For 24/7 self-service assistance including the virtual agent, go to: servicenow.nd.edu, or contact the OIT Help Desk during business hours at 574-631-8111 or oithelp@nd.edu.