AusCERT Week in Review for 20th July 2018 20 Jul 2018


AusCERT Week in Review
20 July 2018

Good afternoon, and welcome to the end of another week in Infosec.

This week saw the quarterly Oracle patch day come with a record-breaking
number of CVEs. I hope our members can keep up with the huge amount of
patching required to use Oracle products!

In addition, the Australian government launched My Health Record this
week, and was promptly bombarded with opt-out requests. Asking to store
(and share) your personal medical data for the rest of your life may not
go down well with many australians, especially as scandals involving data
breaches and misuse become more and more common.

Here are some of the significant news stories from this week:

-----

Defence attacked over new technology restrictions
Author: Julian Bajkowski
Date: 19 July 2018
https://www.itnews.com.au/news/defence-attacked-over-new-technology-restrictions-498612

"Australia's top universities have blasted a massive expansion of
intrusive powers proposed by the Department of Defence.

The new powers would allow Defence to enter and search all technology
projects in Australia and restrict and dictate how information from them
is shared between researchers and industry."

---
Oracle product vulnerabilities hit all-time high
Author: Juha Saarinen
Date: 18 July 2018
https://www.itnews.com.au/news/oracle-product-vulnerabilities-hit-all-time-high-498543

"The July 2018 Critical Patch Update (CPU) set of security fixes for Oracle
products released overnight closes no fewer than 334 vulnerabilites,
up from 251 in April and more than the highest number remedied so far,
308 in July 2017.

Of the 334 flaws, 61 are considered as critical with high Common
Vulnerabilities Scoring System ratings of 9.0 to 10.0."

---
My Health Record systems collapse under more opt-outs than expected
Author: Stilgherrian
Date: 16 July 2018
https://www.zdnet.com/article/my-health-record-systems-collapse-under-more-opt-outs-than-expected/

"Australians attempting to opt out of the government's new centralised health
records system online have been met with an unreliable website. Those phoning
in have faced horrendous wait times, sometimes more than two hours, often
to find that call centre systems were down as well, and staff unable to help.

The Australian Digital Health Agency (ADHA), which runs the My Health
Record system, is reportedly telling callers that they weren't expecting
the volume of opt-outs."


Here are this week's noteworthy security bulletins (in no particular order):

1. ESB-2018.2076 - Cisco Policy Suite: Root compromise -
Remote/unauthenticated
https://www.auscert.org.au/bulletins/65426

Several vulnerabilities in Cisco Policy Suite have a large impact.

2. ESB-2018.2075 - ffmpeg: Multiple vulnerabilities
https://www.auscert.org.au/bulletins/65330

Vulnerabilities in ffmpeg could lead to a crash or code execution from
viewing/processing malicious video files.

3. ESB-2018.2103 - Jenkins: Multiple vulnerabilities
https://www.auscert.org.au/bulletins/65534

A new vulnerability in Jenkins could allow users to move the configuration file
to a new location.


-------

Stay safe, stay patched, and have a good weekend!

Anthony and the team at AusCERT


« Back to all blog entries