Hello, welcome to the Wednesday, July 19th, 2017 edition of the Santernet Storm Center's Stormcast. My name is Johannes Ulrich and if I'm recording from Jacksonville, Florida. Today we got a number of patches to start out with, first of all, Oracle released its quarterly critical patch update or short CPU.

The one vulnerability is being addressed here among all the different vulnerabilities

that the Oracle did fix is a vulnerability in the Oracle Weblogic server.

It's the only vulnerability that reaches a base score of 10

in the CVSS scale and it can lead to a full compromise of the web server without authentication.

There is not a lot of details here, but Oracle states that this is an easily exploitable

vulnerability that allows unauthenticated attackers with network access via HTTP to compromise

Oracle Weblogic server and that this vulnerability may also significantly impact additional products.

So pay attention to this patch.

Now probably the most popular piece of Oracle software is Java,

and yes, there is another update for Java,

so make sure you apply that.

And if you're running any of Cisco's WebEx browser extensions in Google Chrome or Mozilla

Firefox, again, time to update and unauthenticated remote attacker will be able to execute

arbitrary code due to a vulnerability in this plugin.

This vulnerability was found again by Google's project Zero, quite a bit of details in their

announcement about this vulnerability, so an exploit shouldn't really be all that difficult to come by.

Now, then we also have an update for Node.js. Now, this only fixes a denial of service

vulnerability, but definitely something you do want to address. It's not that difficult to exploit.

It's a problem in that they're using a constant hash table seat, which means it's pretty

easy to flood hash tables with data that an attacker may send you, which then leads to a progressively

slower application until it eventually is no longer usable.

...