The BlackCat (ALPHV) ransomware gang is behind a February cyberattack on Reddit, where the threat actors claim to have stolen 80GB of data from the company. […] Read More
BleepingComputer
Apache DolphinScheduler Vulnerability Let Hackers Execute Remote Code
A critical vulnerability has been identified in Apache DolphinScheduler, a popular open-source workflow orchestration platform.
This security flaw, designated as CVE-2024-43202, allows hackers to execute remote code, posing a significant threat to affected systems.
The vulnerability affects Apache DolphinScheduler versions 3.0.0 up to, but not including, 3.2.2. This security issue was discovered by a security researcher known as “an4er” and officially disclosed by ShunFeng Cai on the Apache DolphinScheduler’s developer mailing list.
The flaw has been categorized with an “important” severity level, indicating that attackers could exploit it to execute arbitrary code remotely.
This could allow unauthorized users to take control of affected systems, leading to data breaches, system disruptions, or further malicious activities.
The vulnerability impacts all versions of Apache DolphinScheduler before 3.2.2. Users of the affected versions are strongly urged to upgrade to version 3.2.2 immediately. This latest release includes patches that address the security flaw, safeguarding systems against potential exploitation.
The Apache Software Foundation has emphasized the importance of this upgrade to mitigate risks associated with this vulnerability. Users who cannot upgrade immediately are advised to implement additional security measures to protect their systems.
The Apache DolphinScheduler community has responded swiftly to this security threat, providing users with the necessary updates and guidance. This incident underscores the importance of maintaining up-to-date software and being vigilant about security advisories.
As cyber threats continue to evolve, organizations are reminded to prioritize security and regularly monitor their software infrastructure for vulnerabilities.
The post Apache DolphinScheduler Vulnerability Let Hackers Execute Remote Code appeared first on Cyber Security News.
AWS Repeats Same Critical RCE Vulnerability 3 Times in 4 Years
Amazon Web Services (AWS) has introduced the same remote code execution (RCE) vulnerability three times over the last four years through its Neuron SDK, highlighting critical lapses in securing its Python package installation processes.
Despite previous warnings and fixes, the same dependency confusion vulnerability has resurfaced with new package releases in its software ecosystem.
The issue was first discovered in April 2022 when Giraffe Security flagged a vulnerability in AWS’s Neuron SDK, a set of Python libraries enabling machine learning workloads on AWS’s specialized hardware.
The problem stemmed from AWS’s official installation instructions and documentation, which recommended a command like the following:
pip install transformers-neuronx --extra-index-url=https://pip.repos.neuron.amazonaws.com
At a glance, the command seems simple, instructing Python’s pip package manager to install the package transformers-neuronx from the AWS-specific repository (https://pip.repos.neuron.amazonaws.com). However, this approach contains a hidden danger rooted in how pip handles the parameters.
The --extra-index-url parameter does not exclusively restrict package downloads to the specified private repository. Instead, it allows pip to search the default public PyPI repository for packages as well, falling back on it if the package is not found in the specified index. This creates a critical vulnerability: malicious actors could upload a package with the same name to PyPI, tricking users into downloading and executing malicious code.
In 2022, Giraffe Security confirmed this vulnerability by claiming unprotected AWS package names like mx-neuron on PyPI and reporting the flaw through AWS’s bug bounty program.
AWS promptly addressed the issue by uploading placeholder “dummy” versions of the affected packages to PyPI, preventing further exploitation. However, the root cause, a flawed reliance on the --extra-index-url parameter, remained unaddressed.
Further research in 2022 revealed that this was not the first instance of such a vulnerability. Historical data from libraries.io, a database of open-source software, showed that AWS’s torch-neuron package had been similarly exposed in 2020, demonstrating an earlier instance of the same dependency confusion risk.
At the time, a security researcher had uploaded numerous versions of the package to PyPI to highlight the flaw, forcing AWS to take corrective action.
Despite being aware of the issue since at least 2020, AWS failed to implement a lasting solution, leading to repeated vulnerabilities being exposed in 2022.
Despite multiple warnings and fixes over the years, Giraffe Security’s latest investigation in December 2024 revealed that AWS had once again introduced the same vulnerability.
The Neuron SDK’s private package index had expanded significantly, but AWS had neglected to preemptively claim the newly added package names on PyPI. This allowed Giraffe Security to successfully register some of the new package names under its own PyPI account, a clear indication that AWS failed to learn from past mistakes.
Amazon’s repeated missteps raise questions about their approach to addressing this issue. On one hand, their quick response to past reports suggests that they take the vulnerability seriously. However, the recurrence of the same flaw indicates a lack of systemic processes to prevent it.
There could be different perspectives driving this oversight. […] Given the documented behaviour of --extra-index-url, AWS’s reliance on this parameter in official tutorials is arguably misleading. This situation underscores a critical security lesson: even trusted sources like official AWS documentation are not immune to mistakes.
Developers should always scrutinize and fully understand package installation processes before implementing them in production systems. Safer alternatives, such as using the --index-url parameter to restrict downloads exclusively to private repositories or leveraging modern package managers like Poetry, should be considered.
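The following is an added example, not code from the article, from Giraffe Security or from AWS. It models in Python how pip picks a candidate when a private index is configured with --extra-index-url versus --index-url, runs a defender's audit over the names a private index serves, and lints requirement files and pip.conf for the risky option. The model pools candidates from both indexes and lets the highest version win, which is pip's actual behaviour and is why a squatted name with an inflated version number beats the private copy even when the private index also serves the package. The index contents, versions and requirement lines are constructed sample data; the package names and the repository URL come from the article.

```python
import re

# Constructed sample indexes (name -> versions offered). Package names follow
# the article (transformers-neuronx, torch-neuron); versions are made up.
PRIVATE_INDEX = {
    "transformers-neuronx": {"0.9.474", "0.10.0"},
    "torch-neuron": {"1.13.1"},
}
PUBLIC_INDEX = {
    "requests": {"2.31.0", "2.32.3"},
    # The dependency-confusion case: a name that only the private index should
    # serve has been registered on the public index with a very high version.
    "transformers-neuronx": {"99.0.0"},
}

# Constructed inputs for the linter. The URL is the one the article quotes.
SAMPLE_REQUIREMENTS = [
    "--extra-index-url https://pip.repos.neuron.amazonaws.com",
    "transformers-neuronx",
    "requests==2.32.3",
]
SAMPLE_PIP_CONF = [
    "[global]",
    "extra-index-url = https://pip.repos.neuron.amazonaws.com",
]
SAFE_REQUIREMENTS = [
    "--index-url https://pip.repos.neuron.amazonaws.com",
    "transformers-neuronx",
]


def _version_key(version):
    """Turn a dotted version string into a tuple that compares numerically."""
    return tuple(int(part) for part in version.split("."))


def resolve(package, private_index, public_index, extra_index):
    """Return (version, origin) for the candidate pip would choose, or None.

    extra_index=True models --extra-index-url: candidates from both indexes are
    pooled and the highest version wins; the private index gets no priority.
    extra_index=False models --index-url: only the private index is consulted.
    """
    candidates = [(v, "private") for v in private_index.get(package, ())]
    if extra_index:
        candidates += [(v, "public") for v in public_index.get(package, ())]
    if not candidates:
        return None
    return max(candidates, key=lambda c: _version_key(c[0]))


def audit(private_index, public_index):
    """Classify every name the private index serves, the way a defender would:
    is the name registered on the public index at all, and if it is, which copy
    wins once --extra-index-url is in play?"""
    findings = {}
    for package in private_index:
        chosen = resolve(package, private_index, public_index, extra_index=True)
        if package not in public_index:
            findings[package] = "unclaimed on public index"  # squattable name
        elif chosen[1] == "public":
            findings[package] = "public copy wins"  # confusion already active
        else:
            findings[package] = "private copy wins"
    return findings


# Matches the CLI flag (with a space or '=' after it) and the pip.conf key.
EXTRA_INDEX_RE = re.compile(r"(^|\s)--extra-index-url(\s|=)|^\s*extra-index-url\s*=")


def find_extra_index_usage(lines):
    """Flag lines of a requirements file, install script or pip.conf that
    configure an extra index; each finding is (line_number, stripped_text)."""
    return [(n, line.strip()) for n, line in enumerate(lines, 1)
            if EXTRA_INDEX_RE.search(line)]


if __name__ == "__main__":
    for name, verdict in audit(PRIVATE_INDEX, PUBLIC_INDEX).items():
        print(f"{name}: {verdict}")
    for n, text in find_extra_index_usage(SAMPLE_REQUIREMENTS + SAMPLE_PIP_CONF):
        print(f"line {n}: {text}")
```

The audit reports two distinct conditions worth acting on: a name that the private index serves but nobody has registered publicly (the situation Giraffe Security exploited by claiming the new Neuron package names), and a name where the public copy already outranks the private one. Switching to --index-url removes the public index from resolution entirely, so the private index must then serve or proxy every dependency the project needs, including common ones such as requests in the sample above.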
While this recurring issue may seem like a niche vulnerability, it has broader implications for security in the cloud ecosystem.
Dependency confusion attacks have become a growing concern, particularly as more organizations rely on private package registries in tandem with public repositories like PyPI or npm.
The responsibility to mitigate these risks lies not only with end-users but also with service providers like AWS, who must ensure their tools and documentation follow security best practices.
Despite repeated attempts to contact Amazon for comment, Giraffe Security has not received a response. As one of the largest cloud providers globally, AWS’s lack of a robust and permanent solution in this case is surprising, especially given its reputation for prioritizing security.
AWS’s repeated failures to address the same RCE vulnerability in its Neuron SDK highlight a concerning lapse in security processes. While the immediate fixes to individual reports have been swift, the lack of a permanent resolution to the underlying issue remains troubling.
The post AWS Repeats Same Critical RCE Vulnerability 3 Times in 4 Years appeared first on Cyber Security News.
Germany drafts law to protect researchers who find security flaws
The Federal Ministry of Justice in Germany has drafted a law to provide legal protection to security researchers who discover and responsibly report security vulnerabilities to vendors. […] Read More