Red Hat Security Blog: May 2015 archives

  • JSON, Homoiconicity, and Database Access

    During a recent review of an internal web application based on the Node.js platform, we discovered that combining JavaScript Object Notation (JSON) and database access (database query generators or object-relational mappers, ORMs) creates interesting security challenges, particularly for JavaScript programming environments. To see why, we first have to examine traditional SQL injection. Traditional SQL injection: Most programming languages do not track where strings and numbers come from....
    Posted 2015-05-20T13:30:18+00:00 - 0
  • VENOM, don't get bitten.

    QEMU is a generic and open source machine emulator and virtualizer and is incorporated in some Red Hat products as a foundation and hardware emulation layer for running virtual machines under the Xen and KVM hypervisors. CVE-2015-3456 (aka VENOM) is a security flaw in QEMU's Floppy Disk Controller (FDC) emulation. It can be exploited by a malicious guest user with access to the FDC I/O ports by issuing specially crafted FDC commands to the controller. It can result in guest controlled...
    Posted 2015-05-13T11:46:18+00:00 - 0
  • Explaining Security Lingo

    This post aims to clarify certain terms often used in the security community. Let's start with the easiest one: vulnerability. A vulnerability is a flaw in a selected system that allows an attacker to compromise the security of that particular system. The consequence of such a compromise can impact the confidentiality, integrity, or availability of the attacked system (these three aspects are also the base metrics of the CVSS scoring system that is used to rate vulnerabilities). ISO/IEC...
    Posted 2015-05-06T13:30:56+00:00 - 1