Microsoft security patches do sometimes cause other issues, and the July update was no different: Following the release, some users found MS Access runtime applications did not open. Thankfully, the firm is rolling out a fix.
Android July Security Bulletin
Google has released July updates
Google also fixed serious issues in the kernel, which could result in information disclosure, and the framework, which could lead to local privilege escalation. Meanwhile, vendor-specific patches from MediaTek, Qualcomm, and Unisoc are available if your device is using those chips. Samsung devices are starting to receive the July patch, and Google also released updates for its Pixel range.
Software maker SAP has issued 27 new and updated security notes as part of its July Security Patch Day, fixing multiple high-severity vulnerabilities. Tracked as CVE-2022-35228, the most serious issue is an information disclosure flaw in the central management console of the vendor’s Business Objects platform.
The vulnerability allows an unauthenticated attacker to gain token information over the network, according to security firm Onapsis. “Fortunately, an attack like this would require a legitimate user to access the application,” the firm adds. However, it’s still important to patch as soon as possible.
Oracle has issued 349 patches in its July 2022 Critical Patch Update, including fixes for 230 flaws that can be exploited remotely.
Oracle’s April Patch Update included 520 security fixes, some of which addressed CVE-2022-22965, aka Spring4Shell, a remote code execution flaw in the Spring Framework. Oracle’s July update continues to address this issue.
In July, Oracle’s Financial Services Applications product family requires the highest number of patches at 59, 17 percent of the total, followed by Oracle Communications with 56 patches—16 percent of the total, according to security firm Tenable.
Due to the threat posed by a successful attack, Oracle “strongly recommends” you apply the July security patches as soon as you can.
Software vendor Cisco has fixed multiple vulnerabilities in Cisco Nexus Dashboard that could allow an attacker to execute arbitrary commands, read or upload container image files, or perform cross-site request forgery attacks.
Tracked as CVE-2022-20857 and rated “critical” with a severity score of 9.8 out of 10, one of the worst vulnerabilities could allow an unauthenticated, remote attacker to conduct a cross-site request forgery attack on an affected device.
SonicWall is urging users to update straightaway after issuing a patch to fix a critical SQL injection bug. The flaw, tracked as CVE-2022-22280 with a CVSS score of 9.4, is not believed to have been used in any real-life attacks yet, but it’s serious. It’s with this in mind that the firm is advising users to upgrade to GMS 9.3.1-SP2-Hotfix-2 and Analytics 188.8.131.52-Hotfix-1.
Hot on the heels of June’s security patch, Atlassian has released another important fix for July, patching critical vulnerabilities that impact Confluence, Jira, Bamboo, Fisheye, Crucible, and Bitbucket users.
CVE-2022-26136 is a vulnerability in multiple Atlassian products that allows a remote unauthenticated attacker to bypass Servlet Filters used by first- and third-party apps. This vulnerability can result in authentication bypass and cross-site scripting.
The second, tracked as CVE-2022-26137, is a cross-origin resource sharing bypass vulnerability in multiple Atlassian products that allows a remote unauthenticated attacker to cause additional Servlet Filters to be invoked when the application processes requests.
Meanwhile, CVE-2022-26138 is a scary flaw that could allow a remote unauthenticated attacker who knows the hardcoded password to log in to Confluence and access all content accessible to users in the user group.
If you use the affected products, update as soon as possible.
Updated 8-1-22, 11 am ET: This story was updated to count the total number of CVEs Apple patched in its iOS 15.6 update rather than the parts of the system impacted, raising the number from 37 to 39.