DocuShare flaws could lead to data leakage unless you install these patches
Xerox has moved to fix two flaws in its DocuShare enterprise document-management platform that could enable hackers to steal data from users. The remedy comes after the Cybersecurity and Infrastructure Security Agency (CISA) issued a security bulletin. CISA urged users and administrators to apply a patch that fixes two bugs in recently released versions (6.6.1, 7.0, and 7.5) of Xerox’s DocuShare. The vulnerability is rated “Important.”

According to Xerox’s advisory, the bugs, tracked as CVE-2020-27177, expose users to a server-side request forgery (SSRF) attack and an unauthenticated XML external entity injection (XXE) attack. Xerox didn’t share any details on the bugs or explain how an attacker could take advantage of the flaws. The document did, however, provide links to updated versions on Linux, Windows, and Solaris.

A server-side request forgery (SSRF) attack is one where an attacker abuses functionality on the server to read or update internal resources. “The attacker can supply or modify a URL which the code running on the server will read or submit data to, and by carefully selecting the URLs, the attacker may be able to read server configuration such as AWS metadata, connect to internal services like HTTP enabled databases or perform post requests towards internal services which are not intended to be exposed,” according to the OWASP Foundation.

An XML External Entity (XXE) attack is an attack against an application that parses XML input. It may lead to confidential data disclosure, denial of service, server-side request forgery, port scanning from the perspective of the machine where the parser is located, and other system impacts.

Jamie Akhtar, CEO and co-founder of CyberSmart, told ITPro that organizations can often protect themselves from the vast majority of cyber attacks merely by adhering to a basic set of cyber hygiene standards. Chief among these is staying aware of the vulnerabilities that exist, then swiftly updating and patching devices.

“Xerox has already made available patches to the security flaws in their exposed systems. It is now down to organizations to implement these. Those who delay this will no doubt attract the attention of cybercriminals, who see these businesses as an easy target,” Akhtar said. “Unfortunately, software providers may not always have a ‘hotfix’ available for all software. In this case, the Solaris version of DocuShare 7.5 is not yet available. In these situations, organizations should implement temporary mitigation procedures until a permanent solution is offered.”
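The XXE class described above is what the "temporary mitigation" Akhtar mentions usually boils down to on the parser side: refuse DTDs and external entities for untrusted XML. The following is an added example (not Xerox's or DocuShare's code) using Python's standard expat parser; the sample documents and the internal.example URL are constructed, and nothing here reflects how DocuShare itself parses XML.

```python
import xml.parsers.expat
from xml.parsers.expat import XML_PARAM_ENTITY_PARSING_NEVER


class UnsafeXMLError(ValueError):
    """Raised when a document uses DTD features that enable XXE."""


def parse_hardened(xml_bytes):
    """Parse untrusted XML with DTDs and external entities refused outright.

    Returns (element names in document order, concatenated text content).
    Refusing the whole DOCTYPE, not just external entities, also shuts down
    entity-expansion (billion laughs) and parameter-entity tricks.
    """
    parser = xml.parsers.expat.ParserCreate()
    # Never fetch or expand parameter entities (external DTD subsets).
    parser.SetParamEntityParsing(XML_PARAM_ENTITY_PARSING_NEVER)

    def reject_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXMLError(f"DOCTYPE refused (root={name!r}, SYSTEM={sysid!r})")

    def reject_external_entity(context, base, sysid, pubid):
        # Defence in depth: reached only if a DOCTYPE somehow got through.
        raise UnsafeXMLError(f"external entity refused: {sysid!r}")

    parser.StartDoctypeDeclHandler = reject_doctype
    parser.ExternalEntityRefHandler = reject_external_entity

    elements, text = [], []
    parser.StartElementHandler = lambda name, attrs: elements.append(name)
    parser.CharacterDataHandler = text.append
    parser.Parse(xml_bytes, True)  # raises UnsafeXMLError or ExpatError
    return elements, "".join(text).strip()


# Constructed sample input: a benign document and a minimal XXE probe whose
# SYSTEM identifier points at a placeholder internal URL (the SSRF-via-XXE
# pattern the article mentions).
BENIGN = b'<?xml version="1.0"?><doc><title>quarterly report</title></doc>'
XXE_PROBE = (b'<?xml version="1.0"?>'
             b'<!DOCTYPE doc [<!ENTITY probe SYSTEM "http://internal.example/">]>'
             b'<doc>&probe;</doc>')


def probe_is_blocked(xml_bytes):
    """True if the hardened parser refuses the document."""
    try:
        parse_hardened(xml_bytes)
    except UnsafeXMLError:
        return True
    return False


if __name__ == "__main__":
    print(parse_hardened(BENIGN))       # (['doc', 'title'], 'quarterly report')
    print(probe_is_blocked(XXE_PROBE))  # True
```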
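For the SSRF half, the OWASP description above points at the control: any URL a server fetches on a user's behalf must be validated against an allowlist and against the private, loopback and link-local ranges (including the 169.254.169.254 cloud metadata endpoint). This added example (not from the article, Xerox or OWASP) shows such a check in Python; the resolver is injectable so the constructed DNS table below runs offline, and the 93.184.216.34 address is only a sample global address.

```python
import ipaddress
import socket
from urllib.parse import urlsplit


def _is_public(addr):
    """True for global unicast addresses only (no RFC 1918, loopback, link-local, multicast)."""
    ip = ipaddress.ip_address(addr)
    return ip.is_global and not ip.is_multicast


def resolve_all(host):
    """Default resolver: every A/AAAA record for host (assumes live DNS)."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def check_outbound_url(url, resolve=resolve_all, allowed_hosts=None):
    """Return url if safe to fetch server-side, else raise ValueError.

    allowed_hosts: optional set of exact hostnames (the preferred control);
    the address check is the fallback when an allowlist is impractical.
    The HTTP client must not auto-follow redirects: re-check every hop.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError(f"scheme not permitted: {parts.scheme!r}")
    if parts.username or parts.password:
        raise ValueError("credentials in URL not permitted")
    host = parts.hostname
    if not host:
        raise ValueError("missing host")
    if allowed_hosts is not None and host not in allowed_hosts:
        raise ValueError(f"host not on allowlist: {host!r}")
    try:
        addrs = {str(ipaddress.ip_address(host))}  # IP literal, no DNS
    except ValueError:
        addrs = resolve(host)
    # One non-public record is enough to refuse (split-horizon / rebinding).
    for addr in addrs:
        if not _is_public(addr):
            raise ValueError(f"{host!r} resolves to non-public address {addr}")
    return url


def url_is_rejected(url, **kwargs):
    try:
        check_outbound_url(url, **kwargs)
    except ValueError:
        return True
    return False


# Constructed DNS table standing in for real resolution in examples/tests.
FAKE_DNS = {"api.partner.example": {"93.184.216.34"},
            "rebind.example": {"93.184.216.34", "10.0.0.5"}}
FAKE_RESOLVE = FAKE_DNS.__getitem__
```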
Date: 2020-12-04
itpro.co.uk