Happy Friday fellow Linux geeks! This week, important updates have been issued for Wireshark, Apache Log4j and Speex. Read on to learn about these vulnerabilities and how to secure your system against them. According to the CISA, Log4j could be the most serious security threat ever seen. Learn about this critical bug and how to protect against it in a new feature article. 

Now you can personalize your LinuxSecurity.com User Profile to include the latest advisories for the distros you select, making it easier than ever to keep your system up-to-date and secure.

Have a question about or comment on one of the vulnerabilities highlighted in today's newsletter? Let's discuss!

Yours in Open Source,

Brittany Signature 150

Wireshark

The Discovery 

Multiple important security vulnerabilities have been discovered in the Wireshark network protocol analyzer (CVE-2021-39921, CVE-2021-39922, CVE-2021-39923, CVE-2021-39924, CVE-2021-39925, CVE-2021-39926, CVE-2021-39928 and CVE-2021-39929).

WiresharkThe Impact 

These flaws could result in denial of service (DoS) or the execution of arbitrary code.

The Fix

Wireshark has released a security update mitigating these issues. We recommend that you upgrade your Wireshark packages immediately to protect the security, integrity and availability of your systems.

Your Related Advisories:

Register to Customize Your Advisories

Apache Log4j

The Discovery 

A critical security vulnerability has been discovered in Apache Log4j, a popular Logging Framework for Java. The vulnerability (CVE-2021-44228) affects versions 2.0beta9 to 2.14.1. JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. CISA Director Jen Easterly has warned that this bug is “one of the most serious” she’s seen in her entire career, “if not the most serious”.
ApacheLog4J

The Impact

This flaw could be exploited by an attacker who can control log messages or log message parameters to execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. 

The Fix

Apache Log4j has issued an important update mitigating this dangerous bug. We strongly recommend that you upgrade your apache-log4j2 packages to the latest 2.15 version immediately! 

Your Related Advisories:

Register to Customize Your Advisories

Speex

The Discovery

A zero division error in read_samples in the Speex audio compression codec (CVE-2020-23903) has been identified.

The ImpactParrot Speex Org 3

This flaw allows attackers to cause a denial of service (DoS) via a crafted WAV file.

The Fix

Speex has released updated packages fixing this zero-day vulnerability. Update now!

Your Related Advisories:

Register to Customize Your Advisories