July's security update included fixes for one actively exploited flaw, more than 30 bugs in Azure Site Recovery, and four privilege escalation bugs in Windows Print Spooler.

Microsoft today released patches for 84 vulnerabilities across its product categories, including one bug now actively exploited and four that the company rated as critical severity.

The July security update also includes fixes for four elevation of privilege vulnerabilities in the company's perennially buggy Windows Print Spooler technology, and more than 30 bugs in its Azure Site Recovery disaster recovery service. At least 12 of the 84 flaws disclosed today enable remote code execution, 11 were information disclosure-related, and four enable bypass of security features. Most of the remaining flaws enabled elevation of privilege.

**Priority One: CVE-2022-22047**

Security experts who reviewed Microsoft's latest update said the vulnerability that requires immediate attention is an elevation of privilege vulnerability (CVE-2022-22047) in the Windows Client Server Run-Time Subsystem (CSRSS) that is currently being exploited. Microsoft itself assessed the vulnerability as "Important," giving it a severity rating of 7.8 on a scale of 10. According to the company, the vulnerability — like every other bug in July's update — has not been publicly disclosed. Even so, Microsoft described the bug as being actively exploited, but did not provide any further information.

"The vulnerability allows an attacker to execute code as SYSTEM, provided they can execute other code on the target," an analysis on Trend Micro Zero Day Initiative's blog noted. "Bugs of this type are typically paired with a code execution bug, usually a specially crafted Office or Adobe document, to take over a system." Attacks of this type often leverage macros, which is why Microsoft's recent decision to delay blocking all macros by default — like it announced in February — is disheartening, the blog noted.

Chris Goettl, vice president of product management for security products at Ivanti, says organizations should not be lulled by Microsoft's characterization of the flaw as important. The fact that attackers are actively exploiting the bug makes it a priority, he says. "Organizations prioritizing using legacy rating methods could miss prioritizing the urgency of the OS update this month," he says.

**Other Bugs That Need Urgent Attention**

Other bugs in Microsoft's July update that security experts described as priorities: CVE-2022-30216, CVE-2022-22038, CVE-2022-30221, and CVE-2022-30222.

CVE-2022-30216 is a low-complexity tampering vulnerability in Windows Server Service that would allow an authenticated attacker to remotely upload a certificate to the Server service. Microsoft described the vulnerability as one that is more likely to be exploited because it requires no user interaction and low-level privileges. "While this is listed at 'Tampering', an attacker who could install their own certificate on a target system could use this bug for various purposes, including code execution," Trend Micro's ZDI said. "Definitely test and deploy this patch quickly — especially to your critical servers.”

CVE-2022-22038 is a Remote Procedure Call Runtime remote code execution vulnerability that could allow an unauthenticated attack to execute malicious code on a vulnerable system. Microsoft identified the bug as being complex to exploit because it requires an attacker "to invest time in repeated exploitation attempts through sending constant or intermittent data." Trend Micro's ZDI assessed the bug as having properties that could potentially make it wormable. "If the exploit complexity were low, which some would argue since the attempts could likely be scripted, the CVSS would be 9.8. Test and deploy this one quickly," the security vendor noted.

CVE-2022-30221 is a remote code execution vulnerability in the Windows Graphics Component. An attacker can exploit the vulnerability by convincing a user to connect to a malicious RDP server. An adversary who succeeds in doing that would be able to execute code in the context of the affected system's user, Microsoft said.

"On the surface, this one looks nasty," Kevin Breen, director of cyber threat research at Immersive Labs, said in emailed comments to Dark Reading. Microsoft has marked the vulnerability as less likely to be exploited because an attacker would need to first run a malicious RDP server and then convince a victim to connect to it. "This is not as far-fetched as it first sounds, as RDP shortcut files could be emailed to target victims, and these file types may not flag as malicious by email scanners and filters," Breen said.

CVE-2022-30222 is another remote code execution vulnerability — this time in the Windows Shell graphical user interface. The flaw allows an unauthenticated attacker to execute code on a vulnerable system by interacting with the login screen in a specific manner, Microsoft noted. Attacks targeting the flaw likely involve little complexity and no user interaction.

"Whilst this is titled as a Remote Code Execution vulnerability, the description suggests that this is actually a Local Code Execution vulnerability," Breen said. It appears the flaw would allow an attacker to run arbitrary command from the login page as authentication is not required, he noted. "Microsoft has suggested this is less likely to be exploited. But if you use RDP, definitely prioritize this patch," Breen said.

**Windows Print Spooler Flaws Make a Comeback**

Microsoft's July update also contains fixes for four flaws in Windows Print Spooler (CVE-2022-22022, CVE-2022-22041, CVE-2022-30206, and CVE-2022-30226). Flaws in Print Spooler have been a major problem for Windows users in recent years. One of the most notable recent flaws in the technology was PrintNightmare, a remote code execution bug that affected all Windows versions and prompted an advisory from the US government and others on the need for organizations to address it urgently.

"We have seen a steady stream of vulnerability disclosures in the Print Spooler Service since the original PrintNightmare flaws were disclosed in June (CVE-2021-1675) and early July of 2021 (CVE-2021-34527)," said Satnam Narang, senior staff research engineer at Tenable, in comments emailed to Dark Reading. The flaws that Microsoft has addressed in the technology are elevation of privilege flaws, which provide attackers the ability to gain system-level privileges on vulnerable systems, he said.

The risk with these four fixes is the potential to impact print functionality, Ivanti's Goettl says.

"Since PrintNightmare, there have been many Print Spooler fixes, and in more than one of those patch Tuesday events, the changes have resulted in operational impacts," he says. "This makes administrators a little gun-shy and warrants some extra testing to ensure no negative issues occur in their organization."

**Surfeit of Azure Site Recovery Bugs**

Goettl says Microsoft resolved 33 vulnerabilities in Azure Site Recovery that could allow attackers to take a variety of actions including remote code execution, privilege escalation, and information-stealing. None of the vulnerabilities have been publicly disclosed or are currently being exploited, but the concern is in the number of vulnerabilities that were fixed, Goettl notes. "They were identified by several independent researchers and anonymous parties, which means the knowledge of how to exploit these vulnerabilities is a bit more broadly distributed," he says.

And, resolution of these flaws is not simple: It requires signing into each process server as an administrator, then downloading and installing the latest version. "Vulnerabilities like this are often easy to lose track of, as they are not managed by the typical patch management process," he notes.

Microsoft Issues Fixes for 84 Vulnerabilities: Here's What to Patch Now

LONDON and BOSTON - July 12, 2022- Privitar, the leader in modern data provisioning, today announced it has acquired Kormoon, a software platform that helps organizations manage the complexities of data privacy regulations by analyzing data usage, assessing risk, and automating compliance. Kormoon’s powerful technology will be used to extend the functionality of Privitar’s market-leading data privacy and provisioning offerings, adding new capabilities to quickly enable organizations to understand and comply with the rules governing data.

“Using data in a lawful and compliant way is often complicated, slow, and expensive. Navigating the complex web of data privacy, data sovereignty, and industry-specific regulations is incredibly challenging,” said Jason du Preez, CEO and co-founder of Privitar. “With the acquisition of Kormoon, Privitar is reinforcing our commitment to helping organizations use all of their data safely, ethically and in a compliant manner. Kormoon makes navigating data compliance incredibly simple. By combining Kormoon with Privitar’s world-class data privacy and modern data provisioning solutions, we are enabling data executives to streamline and automate compliance to ever-changing privacy rules and regulations.”

Kormoon calculates, communicates, and automates the steps to comply with relevant data rules including data privacy and protection, data localization, and cross-border transfer requirements. These include data compliance rules and requirements from around the world including Europe’s GDPR, Brazil’s LGPD, USA’s HIPAA and CCPA, and also new and emerging laws in countries such as the UAE, Saudi Arabia, China, India, and beyond. Combining powerful automation technology and inputs from expert advisors to assess an organization's level of risk, the Kormoon solution provides a simplified workflow to ensure requirements are met. Kormoon’s prescriptive guidance makes it simple for users to provide details about the data an organization collects, where they collect, access, and use it, and the data’s purpose, then recommends clear steps and actions for achieving data compliance.

“Kormoon's platform aims to improve time and cost efficiency of providing data privacy and protection advice to businesses worldwide. We help organizations understand and keep on top of data compliance rules by providing them with a simple workflow, access to regularly updated knowledge, and a cost-effective way to understand what it is that they need to do,” said Paul McCormack, founder of Kormoon. “By uniting with Privitar, we are empowering organizations with a one-stop-shop that ensures that their data is safe, compliant, and accessible for decision making.”

**About Privitar**

Privitar empowers organizations to use their data safely and ethically. Our modern data provisioning solution builds collaborative workflows and policy-based data privacy and access controls into data operations. Only Privitar has the right combination of technology, domain expertise, and best practices to support data-driven innovation while navigating regulations and protecting customer trust.

Founded in 2014, Privitar is headquartered in London, with regional headquarters in Boston and locations throughout the US and Europe. For more information, visit www.privitar.com.

**About Kormoon**

Kormoon is a software platform that calculates, communicates, and automates the steps professionals need to take to comply with relevant data rules, including data privacy and protection, data localization, and cross-border transfer requirements.

Privitar Announces Kormoon Acquisition, Extending Data Privacy and Provisioning Capabilities

Git is a distributed revision control system. Git prior to versions 2.37.1, 2.36.2, 2.35.4, 2.34.4, 2.33.4, 2.32.3, 2.31.4, and 2.30.5, is vulnerable to privilege escalation in all platforms. An unsuspecting user could still be affected by the issue reported in CVE-2022-24765, for example when navigating as root into a shared tmp directory that is owned by them, but where an attacker could create a git repository. Versions 2.37.1, 2.36.2, 2.35.4, 2.34.4, 2.33.4, 2.32.3, 2.31.4, and 2.30.5 contain a patch for this issue. The simplest way to avoid being affected by the exploit described in the example is to avoid running git as root (or an Administrator in Windows), and if needed to reduce its use to a minimum. While a generic workaround is not possible, a system could be hardened from the exploit described in the example by removing any such repository if it exists already and creating one as root to block any future attacks.

Today, the Git project released new versions which address a pair of security vulnerabilities.

GitHub is unaffected by these vulnerabilities1. However, you should be aware of them and upgrade your local installation of Git, especially if you are using Git for Windows, or you use Git on a multi-user machine.

**CVE-2022-24765**

This vulnerability affects users working on multi-user machines where a malicious actor could create a .git directory in a shared location above a victim’s current working directory. On Windows, for example, an attacker could create C:\.git\config, which would cause all git invocations that occur outside of a repository to read its configured values.

Since some configuration variables (such as core.fsmonitor) cause Git to execute arbitrary commands, this can lead to arbitrary command  
execution when working on a shared machine.

The most effective way to protect against this vulnerability is to upgrade to Git v2.35.2. This version changes Git’s behavior when looking for a top-level .git directory to stop when its directory traversal changes ownership from the current user. (If you wish to make an exception to this behavior, you can use the new multi-valued safe.directory configuration).

If you can’t upgrade immediately, the most effective ways to reduce your risk are the following:

*   Define the GIT_CEILING_DIRECTORIES environment variable to contain the parent directory of your user profile (i.e., /Users on macOS,  
    /home on Linux, and C:\Users on Windows).
*   Avoid running Git on multi-user machines when your current working directory is not within a trusted repository.

Note that many tools (such as the Git for Windows installation of Git Bash, posh-git, and Visual Studio) run Git commands under the hood. If you are on a multi-user machine, avoid using these tools until you have upgraded to the latest release.

Credit for finding this vulnerability goes to 俞晨东.

\[source\]

**CVE-2022-24767**

This vulnerability affects the Git for Windows uninstaller, which runs in the user’s temporary directory. Because the SYSTEM user account inherits the  
default permissions of C:\Windows\Temp (which is world-writable), any authenticated user can place malicious .dll files which are loaded when  
running the Git for Windows uninstaller when run via the SYSTEM account.

The most effective way to protect against this vulnerability is to upgrade to Git for Windows v2.35.2. If you can’t upgrade  
immediately, reduce your risk with the following:

*   Avoid running the uninstaller until after upgrading
*   Override the SYSTEM user’s TMP environment variable to a directory which can only be written to by the SYSTEM user
*   Remove unknown .dll files from C:\Windows\Temp before running the  
    uninstaller
*   Run the uninstaller under an administrator account rather than as the  
    SYSTEM user

Credit for finding this vulnerability goes to the Lockheed Martin Red Team.

\[source\]

**Download Git 2.35.2**

**Explore more from GitHub**

**Company**

The latest on GitHub, from GitHub.

Learn more

**The ReadME Project**

Stories and voices from the developer community.

Learn more

**GitHub Actions**

Native CI/CD alongside code hosted in GitHub.

Learn more

**Work at GitHub!**

Check out our current job openings.

Learn more

CVE-2022-29187: Git security vulnerability announced | The GitHub Blog

Implemented protections on AWS credentials that were not properly protected.

**WDC Tracking Number:** WDC-22009  
**Published:** July 11, 2022

**Last Updated:** July 11, 2022

**Description**

My Cloud Home Firmware 8.7.0-107 is a major release containing updates to help improve the security of your My Cloud Home devices. Numerous changes were made to the operating system to comprehensively improve its security and to upgrade the user experience to support our latest technologies.

The base operating system has been upgraded from an Android based operating system to the Linux operating system to align with security and stability updates from Debian 10 “Buster”.

Additionally, the Linux kernel has been updated to 4.9.266.

Your My Cloud Home device will be automatically updated to reflect the latest firmware version.    

**Product Impact**

**Minimum Fix Version**

**Last Updated**

My Cloud Home

8.7.0-107

July 8, 2022

My Cloud Home Duo

8.7.0-107

July 8, 2022

For more information on the latest security updates, see the release notes.

**Advisory Summary**

A vulnerability in the Linux kernel’s cgroup\_release\_agent\_write was addressed that could lead to escalation of privileges and bypass namespace isolation unexpectedly.  

Addressed an issue in OpenSSL that would make it possible to trigger an infinite loop by crafting a certificate that has invalid elliptic curve parameters. Since certificate parsing takes place before the certificate signature verification process, this could lead to a denial-of-service attack.

**CVE Number:** CVE-2022-0778  

Addressed a memory copy vulnerability in the Linux Wi-Fi driver.  

Addressed a command injection attack that could allow a malicious attacker on the same LAN to carry out a DNS spoofing attack via an unsecured HTTP call. This was done by removing the affected code from the product.

**CVE Number:** CVE-2022-22991, CVE-2022-22994

Reported By: Martin Rakhmanov (@mrakhmanov) working with Trend Micro’s Zero Day Initiative  

A vulnerability was discovered within the parsing of extended attributes (EA) metadata when opening a file in smbd. This vulnerability can be exploited by unauthenticated users if they are allowed write access to file extended attributes. This vulnerability was addressed by removing the "fruit" VFS module from the list of configured VFS objects and by changing EA support configurations.

**CVE Number:** CVE-2021-44142

Reported By: Nguyen Hoang Thach (@hi\_im\_d4rkn3ss) and Billy Jheng Bing-Jhong (@st424204) working with Trend Micro’s Zero Day Initiative  

Addressed multiple FFmpeg vulnerabilities by updating the version to 7:4.1.8-0+deb10u1.

**CVE Number:** CVE-2020-20445, CVE-2020-20446, CVE-2020-20453, CVE-2020-21041, CVE-2020-22015, CVE-2020-22016, CVE-2020-22017, CVE-2020-22019, CVE-2020-22020, CVE-2020-22021, CVE-2020-22022, CVE-2020-22023, CVE-2020-22025, CVE-2020-22026, CVE-2020-22027, CVE-2020-22028, CVE-2020-22029, CVE-2020-22030, CVE-2020-22031, CVE-2020-22032, CVE-2020-22033, CVE-2020-22034, CVE-2020-22035, CVE-2020-22036, CVE-2020-22037, CVE-2020-22049, CVE-2020-22054, CVE-2020-35965, CVE-2021-38114, CVE-2021-38171, CVE-2021-38291  

Addressed multiple FFmpeg vulnerabilities by updating the version to 7:4.1.9-0+deb10u1.  

Implemented firmware signing to prevent malicious modifications to the firmware and verify the firmware’s authenticity and integrity.  

Transitioned to Go’s crypto/tls library for secure communications.  

Enabled several kernel hardening options to make exploits of kernel and userland security bugs more difficult to develop.  

Addressed a remote code execution vulnerability by resolving a command injection vulnerability and closing an AWS S3 bucket that potentially allowed an attacker to execute unsigned code on My Cloud Home devices. Implemented protections on AWS credentials that were not properly protected..

**CVE Number:** CVE-2022-22997, CVE-2022-22998

Western Digital would like to thank Viettel Cyber Security for reporting this issue.  

Addressed multiple libtiff null pointer dereference vulnerabilities by updating the version to 4.4.0.

**CVE Number:** CVE-2022-0562, CVE-2022-0561, CVE-2022-0865  

Addressed an improper input validation and out-of-bounds write vulnerability in TensorFlow which is an open-source platform for machine learning. An attacker could pass negative values to cause a segmentation fault-based denial-of-service attack. Certain components also did not validate input arguments which could also trigger a denial-of-service attack.

**CVE Number:** CVE-2022-29191, CVE-2022-29213, CVE-2022-29208

CVE-2022-22998: WDC-22009 My Cloud Home Firmware Version 8.7.0-107 | Western Digital

Linux kernel through 3.1 allows local users to obtain sensitive keystroke information via access to /dev/pts/ and /dev/tty*.

Subject

Re: \[PATCH\] proc: restrict access to /proc/interrupts

From

Date

Mon, 07 Nov 2011 13:06:32 -0500

On Mon, 07 Nov 2011 21:45:22 +0400, Vasiliy Kulikov said:  
\> /proc/interrupts contains the number of emitted interrupts, which  
\> should not be world readable.  The information about keyboard  
\> interrupts number may be used to learn the precise number of characters in  
\> users' passwords by simply watching the changes of number of emitted  
\> interrupts during the life of gksu-like programs.  
\>   
\> The PoC is publicly available at:  
\>   
\> http://www.openwall.com/lists/oss-security/2011/11/07/9

This doesn't close the hole entirely.  You can still figure it out by  
watching the files in /dev/pts/ and /dev/tty\* for changes in last-modify  
time.

This whack-a-mole  "turn off permissions on generally useful files because  
there's an exposure" really has to stop.  On probably the vast majority of  
Linux systems, it's an embedded or a laptop/desktop, and if you have a  
malicious user running code on it already, the fact they can find out how many  
characters are in the password is the \*least\* of your problems.

This sort of thing needs to be done as part of an overall security model  
(in other words, something like Smack or SELinux should be moderating  
the accesses in a more fine-grained manner than "chmod it to 0").

And if you're worried about them knowing the length of the password, you  
probably should be using appropriate PAM configurations to enforce a minimum  
length/complexity high enough that even if they know the password is 23  
characters long, it doesn't do them any real good...

\[unhandled content-type:application/pgp-signature\]

CVE-2011-4916: LKML: Valdis.Kletnieks@vt ...: Re: [PATCH] proc: restrict access to /proc/interrupts

Intel microprocessor generations 6 to 8 are affected by a new Spectre variant that is able to bypass their retpoline mitigation in the kernel to leak arbitrary data. An attacker with unprivileged user access can hijack return instructions to achieve arbitrary speculative code execution under certain microarchitecture-dependent conditions.

*   Products
    *   Openwall GNU/\*/Linux   _server OS_
    *   Linux Kernel Runtime Guard
    *   John the Ripper   _password cracker_
        *   Free & Open Source for any platform
        *   in the cloud
        *   Pro for Linux
        *   Pro for macOS
    *   Wordlists   _for password cracking_
    *   passwdqc   _policy enforcement_
        *   Free & Open Source for Unix
        *   Pro for Windows (Active Directory)
    *   yescrypt   _KDF & password hashing_
    *   yespower   _Proof-of-Work (PoW)_
    *   crypt\_blowfish   _password hashing_
    *   phpass   _ditto in PHP_
    *   tcb   _better password shadowing_
    *   Pluggable Authentication Modules
    *   scanlogd   _port scan detector_
    *   popa3d   _tiny POP3 daemon_
    *   blists   _web interface to mailing lists_
    *   msulogin   _single user mode login_
    *   php\_mt\_seed   _mt\_rand() cracker_
*   Services
*   Publications
    *   Articles
    *   Presentations
*   Resources
    *   Mailing lists
    *   Community wiki
    *   Source code repositories (GitHub)
    *   Source code repositories (CVSweb)
    *   File archive & mirrors
    *   How to verify digital signatures
    *   OVE IDs
*   What's new

\[<prev\] \[next>\] \[thread-next>\] \[day\] \[month\] \[year\] \[list\]

Date: Tue, 12 Jul 2022 16:36:10 +0000
From: Xen.org security team <security@....org>
To: xen-announce@...ts.xen.org, xen-devel@...ts.xen.org,
 xen-users@...ts.xen.org, oss-security@...ts.openwall.com
CC: Xen.org security team <security-team-members@....org>
Subject: Xen Security Advisory 407 v1 (CVE-2022-23816,CVE-2022-23825,CVE-2022-29900)
 - Retbleed - arbitrary speculative code execution with return instructions

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

 Xen Security Advisory CVE-2022-23816,CVE-2022-23825,CVE-2022-29900 / XSA-407

   Retbleed - arbitrary speculative code execution with return instructions

ISSUE DESCRIPTION
=================

Researchers at ETH Zurich have discovered Retbleed, allowing for
arbitrary speculative execution in a victim context.

For more details, see:
  https://comsec.ethz.ch/retbleed

ETH Zurich have allocated CVE-2022-29900 for AMD and CVE-2022-29901 for
Intel.

Despite the similar preconditions, these are very different
microarchitectural behaviours between vendors.

On AMD CPUs, Retbleed is one specific instance of a more general
microarchitectural behaviour called Branch Type Confusion.  AMD have
assigned CVE-2022-23816 (Retbleed) and CVE-2022-23825 (Branch Type
Confusion).

For more details, see:
  https://www.amd.com/en/corporate/product-security/bulletin/amd-sb-1037

On Intel CPUs, Retbleed is not a new vulnerability; it is only
applicable to software which did not follow Intel's original Spectre-v2
guidance.  Intel are using the ETH Zurich allocated CVE-2022-29901.

For more details, see:
  https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00702.html
  https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/advisory-guidance/return-stack-buffer-underflow.html

ARM have indicated existing guidance on Spectre-v2 is sufficient.

IMPACT
======

An attacker might be able to infer the contents of arbitrary host
memory, including memory assigned to other guests.

VULNERABLE SYSTEMS
==================

Systems running all versions of Xen are affected.

Whether a CPU is potentially vulnerable depends on its
microarchitecture.  Consult your hardware vendor.

For ARM and Intel CPUs, Xen implemented the vendor-recommended defaults
in XSA-254 and follow-on fixes.  Therefore, the Xen Security Team
believes there are no further changes necessary on these CPUs.
Administrators who deviated from the default mitigations are potentially
affected and should re-evaluate their threat model.

For AMD, CPUs from the Zen2 microarchitecture and earlier are
potentially vulnerable.  Zen3 and later CPUs are not believed to be
vulnerable.

The patches for Xen implement the IBPB-at-entry mitigation.  This
depends on the IBPB microcode distributed by AMD in 2018 as part of the
original Spectre/Meltdown work.  Consult your dom0 OS vendor.

In addition to IBPB, "cross thread" safety is necessary.  On Zen2 CPUs,
Xen uses STIBP by default.  On Zen1 CPUs, SMT needs disabling either in
the firmware, or by passing \`smt=0\` on Xen's command line.  On Fam15h
CPUs, Cluster Multi-Threading needs disabling in firmware.

Due to performance concerns, dom0 is excluded from IBPB-on-entry
protections by default.  This is because PV dom0 is trusted in most
deployments.  If your threat model model doesn't allow for dom0 to be
treated specially, boot with \`spec-ctrl=ibpb-entry\` which will cause
IBPB-on-entry protections to be applied to dom0 too.

MITIGATION
==========

There are no mitigations.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

Note that patches for released versions are generally prepared to
apply to the stable branches, and may not apply cleanly to the most
recent release tarball.  Downstreams are encouraged to update to the
tip of the stable branch before applying these patches.

For the 4.15 and 4.16 branches in particular, these patches depend on:

 - x86/spec-ctrl: Only adjust MSR\_SPEC\_CTRL for idle with legacy IBRS
 - x86/spec-ctrl: Knobs for STIBP and PSFD, and follow hardware STIBP hint
 - xen/cmdline: Extend parse\_boolean() to signal a name match
 - x86/spec-ctrl: Add fine-grained cmdline suboptions for primitives

which have been recently backported.

xsa407/xsa407-?.patch           xen-unstable
xsa407/xsa407-4.16-\*.patch      Xen 4.16.x
xsa407/xsa407-4.15-\*.patch      Xen 4.15.x
xsa407/xsa407-4.14-\*.patch      Xen 4.14.x
xsa407/xsa407-4.13-\*.patch      Xen 4.13.x

$ sha256sum xsa407\* xsa407\*/\*
0a6dea915dd760afc73c3f50f432422d2e853eecaf99e3cdeb2d6e0fb3ee71b1  xsa407.meta
8894b0dc8e8c0900560366bde766826bf357c8aec3233ed6147f2094633a3cbc  xsa407/xsa407-1.patch
5955614d73b34ebeab45386dbc9dbe5d96c54f7945d22d5de6c645a5b7796a2f  xsa407/xsa407-2.patch
1f901df3a382a547dda6ef4ef088a5cf60a2d2b0382be451b148bf166cf43013  xsa407/xsa407-3.patch
8f75a9eee8ee2a563bc90e493ba1e4ac29335f677a3d2049ec27e138b7e3021e  xsa407/xsa407-4.13-01.patch
fbe3dca8f170dabf61c620ad1dde12898d52521ede59822971f461549323f946  xsa407/xsa407-4.13-02.patch
9a392bca751a6d6b9489b536ffd7e14722f22e44d266631898ec024b1b258e27  xsa407/xsa407-4.13-03.patch
1eae8ece87fc06ca883fc7510b80ced195c3ec44a589fcf464ead076de4d1afd  xsa407/xsa407-4.13-04.patch
016b1a682aa292a380a4fd9c49c65ade0fa7d19ef2f636611d7883d6adb38008  xsa407/xsa407-4.13-05.patch
cc3435e7bf2331a61c6e6731d8c0c4edd10ac49c85c9702e3d790309e1bb494a  xsa407/xsa407-4.13-06.patch
46f7b3d8a4ae39fa325dda2d77091b0768367a3d2cf6a341996042e511e46b93  xsa407/xsa407-4.13-07.patch
cb31c3104890c83fad719c8a2c7b0ae242625132a1e9d6afbf6310af10a8c14a  xsa407/xsa407-4.13-08.patch
55241ce45fb11825f7867ae188d73007c38c63d4a8489d990a8c869e000669dc  xsa407/xsa407-4.13-09.patch
f2d8a64f8446890a055e084f195a9f7c8982915556cefb48dd12b0e798b30a0f  xsa407/xsa407-4.13-10.patch
aa0ed6a1126c4d9d5fc94c00a51ddf27f4357c4a1cb258f72f0c17ac4ce0d191  xsa407/xsa407-4.13-11.patch
e91f244180bd92c111e1c653c22644b8144f3610717dd00347b7f21df75830bf  xsa407/xsa407-4.13-12.patch
59c604f50e0cedac2d5011fdb580aab4d719dbe73d9c50096faae70324864927  xsa407/xsa407-4.13-13.patch
ca1f04eaacf86ac21a4656b8f1ad9ff0b06d5f295bba5ee21e0bbb4698b165c0  xsa407/xsa407-4.13-14.patch
d3ee52d4144b5bb375c1fb7e484b68190632da22e654ab480b73745fe2f23af1  xsa407/xsa407-4.13-15.patch
af4ec1eed3d10ce6795e96216676db581e19e4e65d19ee48679a1230a6c37a2f  xsa407/xsa407-4.13-16.patch
8ee57395139261e09e387775d7f5c36a1fa53f75caff89302167727230250501  xsa407/xsa407-4.13-17.patch
1495ffd28238737bd9ad346e5667065f5acaa82adc86aeceb358be3d3b1469f9  xsa407/xsa407-4.13-18.patch
a02fd749eb761b93fe7b2e5977a9aa493af13044165b71de9e7625c0237c2fde  xsa407/xsa407-4.13-19.patch
cf127677913b8127c9a71b1c9b3badf9f2c2064d1ed2602d236ba610f7335c8a  xsa407/xsa407-4.13-20.patch
0289eb4a9098ab806f5b847e5f55652817b9bb8c9ebc98e28fe8ac626c77f77c  xsa407/xsa407-4.13-21.patch
fde8cafcd3207329a7582a18a333f95e82e5edc54e93e4d7603c62dc262942a4  xsa407/xsa407-4.14-01.patch
e2e7aaf633c2638f4a81eca9e627110b4ad087760b9f4880965093f874b138a2  xsa407/xsa407-4.14-02.patch
69938e6c1293040aff921f2cd6bf2ad850caa682745f0d6be8bc2aabb3802edf  xsa407/xsa407-4.14-03.patch
47d67a565d3077688a43937d7cb6cc79d43a8d5e8563711a1476924c696a9759  xsa407/xsa407-4.14-04.patch
14d15b20e053c7dec2e9dd9cbd108284b0ac2069dac2e5c4e76ab4c78637fbe8  xsa407/xsa407-4.14-05.patch
cd38bb072a8e99760a80464482d645aba1531fdb4f4d04eabd7c48e2db00c8e1  xsa407/xsa407-4.14-06.patch
85b79e26fce7b649ae860f9860925060867004ea1940c1110f5e22354891b66a  xsa407/xsa407-4.14-07.patch
0c292123259319cf110df43ccad50ac5f1396de234d457ed1fbd60462da40d82  xsa407/xsa407-4.14-08.patch
1161d0378a63d79461bfdfdc082bb6e49418f6b356a85048a33f268031a11abd  xsa407/xsa407-4.14-09.patch
4b4c652481abaf49d1531ed5c6b6f91b17ab8ae71fcbb085f4557b661fa74d5d  xsa407/xsa407-4.14-10.patch
074c16f104563ca665ee3af5144b9d3ec5131eea6eb9c5859ba5e2a33051bd55  xsa407/xsa407-4.14-11.patch
e816ea5ea372e4e1429e7191721df9203ee8759a337c91e57d176f2d6a636949  xsa407/xsa407-4.14-12.patch
61382cd7985ac5b3d265a08188cbebdd6916fd150413bb77e5ad452fa98e254a  xsa407/xsa407-4.15-1.patch
cd38bb072a8e99760a80464482d645aba1531fdb4f4d04eabd7c48e2db00c8e1  xsa407/xsa407-4.15-2.patch
03d8a0e18b4e1ffbac268cfc159341b4d641d0322ea77efd22c43e4a4318d511  xsa407/xsa407-4.15-3.patch
ae8e8f220a708401a68535e88a3092b35c3db0a20bd3e3a27cdcc7e88d1ff600  xsa407/xsa407-4.15-4.patch
aba615483add2199ad2912557e0b9024d6efd6573fa8009590502d483a78e63a  xsa407/xsa407-4.15-5.patch
55e58ce88ff7126c314c7e24f75a700a3263388137ecd725d2e459e21c018f64  xsa407/xsa407-4.15-6.patch
a3b146ba37e183d9aec813e66e00a6647835246270d2a9a649724f2570c96c17  xsa407/xsa407-4.15-7.patch
ac33b676c2fc5fdee565701baadddd627e492e85f9ca481d12a510c5fc3ff7ab  xsa407/xsa407-4.15-8.patch
3a3cec31ebb8f0fb41e3804f03318becc2a978d71831cf086f77c7eff89de9fe  xsa407/xsa407-4.16-1.patch
b936a9a36c336d1dcf05923f9a07728522f6a6d1474006ec179981a4787a4522  xsa407/xsa407-4.16-2.patch
825a683f37964186ab669468c517c342dc55b1e86898a75c86f8ff0de47e1b76  xsa407/xsa407-4.16-3.patch
402795d0cb418503c3e90b65f3bf546493a7411d14208ac718ba8639f67d1860  xsa407/xsa407-4.16-4.patch
ec6009b2ddaa74099725844bf4343efb8510015fb851d3ccc26913f877db0bdf  xsa407/xsa407-4.16-5.patch
4fa9c65ee0bdf8650b0cd483c205a305352d918408b91d4adf83c84d1b269b2e  xsa407/xsa407-4.16-6.patch
1c01c1508103de49cc1895a60babe9d33feaa27da8d2bd89c6895c0173e280d7  xsa407/xsa407-4.16-7.patch
d2a4e06959dff5a9772b13d921332804fbaf81f012c0b9cf85f8b9dd008c61de  xsa407/xsa407-4.16-8.patch
c178e43d3f569086aee66ffaf28f22156bdb22144bdff7ffe4f7c20242abe73c  xsa407/xsa407-4.patch
eb9985afa38b1d2bffd6a48772a429fc0f88375cd3fc0b977f9a8a0981ab87b4  xsa407/xsa407-5.patch
aea9fb436a1f3dc38a874b8b3e4d0f1a82fb14c5e50c579a978aee1a83bfdb72  xsa407/xsa407-6.patch
cf1e9796dbaaedf1e3ba7efb830fe99dea8f09125d7ec7bd2a16b11cfc131aa6  xsa407/xsa407-7.patch
cc46f1da318dfa72b87bbc069bf448eed3d1b264281e3a7d9a6bad8f6519e8c3  xsa407/xsa407-8.patch
$

NOTE CONCERNING LACK OF EMBARGO
===============================

The disclosers did not authorise us to predisclose.
-----BEGIN PGP SIGNATURE-----

iQFABAEBCAAqFiEEI+MiLBRfRHX6gGCng/4UyVfoK9kFAmLNotoMHHBncEB4ZW4u
b3JnAAoJEIP+FMlX6CvZeiUH/jZsXrd1X9mzVrBaoQQckCtYtrM+9rYS1JbupDZx
Ca6P0zwKaX1uaDi/De/UCAbt4fCpE/xqqy9X5wMX0XUFJEhr74GKXDh/evzH7C/i
WxwNmoTio0Un5jw+aLlKGza7oSNYVKPgYjDim7iTMmWdzWauS6Ock3HQn2jkG0JL
nTarKFX2JjC2INiu6YssDS81nI6cPJAz+AB4FzzU6u/2loPZv5hxpYnrUsWlRaH1
87pAiGhi7gc9yhv9FTi3C/paBG/kioqQi/ahV5S/l2nlIR1xo97ewfStcdAsT5sl
XgFq0sKLamMti0Ens3tydrXVNeyfHq9ABlN2eOnufZNT8Kc=
=CEa6
-----END PGP SIGNATURE-----

**Download attachment "**xsa407.meta**" of type "**application/octet-stream**" (1366 bytes)**

**Download attachment "**xsa407/xsa407-1.patch**" of type "**application/octet-stream**" (5521 bytes)**

**Download attachment "**xsa407/xsa407-2.patch**" of type "**application/octet-stream**" (3502 bytes)**

**Download attachment "**xsa407/xsa407-3.patch**" of type "**application/octet-stream**" (3626 bytes)**

**Download attachment "**xsa407/xsa407-4.13-01.patch**" of type "**application/octet-stream**" (5069 bytes)**

**Download attachment "**xsa407/xsa407-4.13-02.patch**" of type "**application/octet-stream**" (4860 bytes)**

**Download attachment "**xsa407/xsa407-4.13-03.patch**" of type "**application/octet-stream**" (8358 bytes)**

**Download attachment "**xsa407/xsa407-4.13-04.patch**" of type "**application/octet-stream**" (6380 bytes)**

**Download attachment "**xsa407/xsa407-4.13-05.patch**" of type "**application/octet-stream**" (4572 bytes)**

**Download attachment "**xsa407/xsa407-4.13-06.patch**" of type "**application/octet-stream**" (2096 bytes)**

**Download attachment "**xsa407/xsa407-4.13-07.patch**" of type "**application/octet-stream**" (3343 bytes)**

**Download attachment "**xsa407/xsa407-4.13-08.patch**" of type "**application/octet-stream**" (1570 bytes)**

**Download attachment "**xsa407/xsa407-4.13-09.patch**" of type "**application/octet-stream**" (5054 bytes)**

**Download attachment "**xsa407/xsa407-4.13-10.patch**" of type "**application/octet-stream**" (3900 bytes)**

**Download attachment "**xsa407/xsa407-4.13-11.patch**" of type "**application/octet-stream**" (7893 bytes)**

**Download attachment "**xsa407/xsa407-4.13-12.patch**" of type "**application/octet-stream**" (2636 bytes)**

**Download attachment "**xsa407/xsa407-4.13-13.patch**" of type "**application/octet-stream**" (4926 bytes)**

**Download attachment "**xsa407/xsa407-4.13-14.patch**" of type "**application/octet-stream**" (5507 bytes)**

**Download attachment "**xsa407/xsa407-4.13-15.patch**" of type "**application/octet-stream**" (3462 bytes)**

**Download attachment "**xsa407/xsa407-4.13-16.patch**" of type "**application/octet-stream**" (3582 bytes)**

**Download attachment "**xsa407/xsa407-4.13-17.patch**" of type "**application/octet-stream**" (3356 bytes)**

**Download attachment "**xsa407/xsa407-4.13-18.patch**" of type "**application/octet-stream**" (10871 bytes)**

**Download attachment "**xsa407/xsa407-4.13-19.patch**" of type "**application/octet-stream**" (4384 bytes)**

**Download attachment "**xsa407/xsa407-4.13-20.patch**" of type "**application/octet-stream**" (3045 bytes)**

**Download attachment "**xsa407/xsa407-4.13-21.patch**" of type "**application/octet-stream**" (12470 bytes)**

**Download attachment "**xsa407/xsa407-4.14-01.patch**" of type "**application/octet-stream**" (3900 bytes)**

**Download attachment "**xsa407/xsa407-4.14-02.patch**" of type "**application/octet-stream**" (9426 bytes)**

**Download attachment "**xsa407/xsa407-4.14-03.patch**" of type "**application/octet-stream**" (2636 bytes)**

**Download attachment "**xsa407/xsa407-4.14-04.patch**" of type "**application/octet-stream**" (4926 bytes)**

**Download attachment "**xsa407/xsa407-4.14-05.patch**" of type "**application/octet-stream**" (5459 bytes)**

**Download attachment "**xsa407/xsa407-4.14-06.patch**" of type "**application/octet-stream**" (3462 bytes)**

**Download attachment "**xsa407/xsa407-4.14-07.patch**" of type "**application/octet-stream**" (3582 bytes)**

**Download attachment "**xsa407/xsa407-4.14-08.patch**" of type "**application/octet-stream**" (3356 bytes)**

**Download attachment "**xsa407/xsa407-4.14-09.patch**" of type "**application/octet-stream**" (11097 bytes)**

**Download attachment "**xsa407/xsa407-4.14-10.patch**" of type "**application/octet-stream**" (4429 bytes)**

**Download attachment "**xsa407/xsa407-4.14-11.patch**" of type "**application/octet-stream**" (3076 bytes)**

**Download attachment "**xsa407/xsa407-4.14-12.patch**" of type "**application/octet-stream**" (12470 bytes)**

**Download attachment "**xsa407/xsa407-4.15-1.patch**" of type "**application/octet-stream**" (5459 bytes)**

**Download attachment "**xsa407/xsa407-4.15-2.patch**" of type "**application/octet-stream**" (3462 bytes)**

**Download attachment "**xsa407/xsa407-4.15-3.patch**" of type "**application/octet-stream**" (3582 bytes)**

**Download attachment "**xsa407/xsa407-4.15-4.patch**" of type "**application/octet-stream**" (3356 bytes)**

**Download attachment "**xsa407/xsa407-4.15-5.patch**" of type "**application/octet-stream**" (11095 bytes)**

**Download attachment "**xsa407/xsa407-4.15-6.patch**" of type "**application/octet-stream**" (4449 bytes)**

**Download attachment "**xsa407/xsa407-4.15-7.patch**" of type "**application/octet-stream**" (3076 bytes)**

**Download attachment "**xsa407/xsa407-4.15-8.patch**" of type "**application/octet-stream**" (12470 bytes)**

**Download attachment "**xsa407/xsa407-4.16-1.patch**" of type "**application/octet-stream**" (5461 bytes)**

**Download attachment "**xsa407/xsa407-4.16-2.patch**" of type "**application/octet-stream**" (3462 bytes)**

**Download attachment "**xsa407/xsa407-4.16-3.patch**" of type "**application/octet-stream**" (3586 bytes)**

**Download attachment "**xsa407/xsa407-4.16-4.patch**" of type "**application/octet-stream**" (3356 bytes)**

**Download attachment "**xsa407/xsa407-4.16-5.patch**" of type "**application/octet-stream**" (11095 bytes)**

**Download attachment "**xsa407/xsa407-4.16-6.patch**" of type "**application/octet-stream**" (4449 bytes)**

**Download attachment "**xsa407/xsa407-4.16-7.patch**" of type "**application/octet-stream**" (3140 bytes)**

**Download attachment "**xsa407/xsa407-4.16-8.patch**" of type "**application/octet-stream**" (12475 bytes)**

**Download attachment "**xsa407/xsa407-4.patch**" of type "**application/octet-stream**" (3378 bytes)**

**Download attachment "**xsa407/xsa407-5.patch**" of type "**application/octet-stream**" (11155 bytes)**

**Download attachment "**xsa407/xsa407-6.patch**" of type "**application/octet-stream**" (4458 bytes)**

**Download attachment "**xsa407/xsa407-7.patch**" of type "**application/octet-stream**" (3187 bytes)**

**Download attachment "**xsa407/xsa407-8.patch**" of type "**application/octet-stream**" (12536 bytes)**

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.

CVE-2022-29901: oss-security - Xen Security Advisory 407 v1 (CVE-2022-23816,CVE-2022-23825,CVE-2022-29900) - Retbleed

New data from security training provider shows half of untrained users in consulting, energy, and healthcare industries fall for phishing attacks.

Phishing attacks just won't die, and new data underscores their effectiveness among users who have not been provided security awareness training.

According to data pulled from security awareness training provider KnowBe4's clients, 32.4% of users will fall for a phish — clicking on a link or following a phony request — if those users have not had any official training. The disconnect is worse in some industry sectors, including consulting, energy and utilities, and healthcare and pharmaceuticals, where half of all untrained users fall for phishing attacks.

The data was pulled from 23.4 million simulated phishing tests conducted at more than 30,000 organizations, encompassing some 9.5 million users. According to KnowBe4, 90 days after monthly or more training, the number of phishing test fails dropped to around 17.6%, and to 5% after one year of regular awareness training.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

One-Third of Users Without Security Awareness Training Click on Phishing URLs

An issue was discovered in Druva 6.9.0 for macOS, allows attackers to gain escalated local privileges via the inSyncUpgradeDaemon.

**Advisory ID:** Druva/DVSA-2022-001

**Issue Date:** 07-07-2022

**Last Updated:** 08-06-2021 (Initial Advisory)

**Advisory Status**: Final

**Version:** 1.0

**Overall Severity Classification:** High

**Summary **

The inSync Client versions were susceptible to vulnerabilities that could allow malicious users with user-level privileges to inject code and escalate privileges to root by chaining these flaws. These vulnerabilities cannot be exploited remotely and are exploitable only if the malicious user has user-level access to the device. Druva has released an inSync Client update that overcomes these vulnerabilities. Customers are strongly advised to upgrade to the latest version to remediate these vulnerabilities. See the customer action required section for more details.

> _Note: These vulnerabilities were identified, fixed, and communicated to customers (via email) in Aug 2021. The CVE IDs have been assigned on 16 May 2022._

**Impact**

Successful exploitation of these vulnerabilities could lead to Privilege escalation, command injection, arbitrary NodeJS code injection and unauthorized modification of data.

**Affected products(s), version(s) and resolution**

    

**Product**

**CVE ID**

**Platform**

**Affected Versions**

**Fixed/updated version**

inSync Client

 

CVE-2021-36665

Windows

All versions before v7.0.0

v7.0.0 and above

macOS

All versions before v7.0.0

v7.0.0 and above

CVE-2021-36666

CVE-2021-36667

macOS

All versions before v7.0.0

v7.0.0  and above

CVE-2021-36668

Windows 

v7.0.0 and earlier versions

v7.0.1-r110201 and above

macOS 

v7.0.0 and earlier versions

v7.0.1-r110206 and above

Linux  
(Ubuntu only)

Linux: v5.9.2

v5.9.3 and above.

**Customer action required**

Upgrade the inSync Client to the latest installation version, which addresses all the CVE’s mentioned above:

**Windows**:                v7.0.1-r110201 and above

**Mac:**                            v7.0.1-r110206 and above

**Linux (Ubuntu):**    v5.9.3 and above.

Download the latest inSync Client here.  
For upgrade instructions, see Upgrade the inSync Client.  
Customers are advised to contact Support for technical assistance.

**Vulnerabilities**

**CVE-2021-36665 - Insecure deserialization leading to arbitrary code execution**

Insecure deserialization vulnerability in the inSyncUpgrade could allow an attacker with user-level privileges to execute arbitrary code and escalate privileges to root by supplying an upgrade package with a malicious signature.

**CVE-2021-36666 - Code Injection via arbitrary dynamic library loading**

Code injection vulnerability in Mac Client could allow an attacker with user-level privileges on the system to load random libraries and escalate privileges to root via DYLD\_INSERT\_LIBRARIES  environment variable.

**CVE-2021-36667 - OS Command Injection Vulnerability in local HTTP server** 

OS command injection vulnerability in Mac Client's local HTTP server could allow an attacker with user-level privileges on the device to execute arbitrary OS commands as a non-root user. 

**CVE-2021-36668 - URL Injection in inSync Client**

URL Injection vulnerability in inSync Electron UI could allow a local, authenticated attacker to execute arbitrary NodeJS code by manipulating a port number parameter. 

**Vulnerability details, CVSS Scoring and Metrics:**

     

**Vulnerability**

**CVE ID**

**CVSSv3  
Base Score**

**CVSSv3.1 Vector**

**Severity**

**Platform**

Insecure deserialization leading to arbitrary code execution

CVE-2021-36665

7.5

AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N

High

Windows, macOS

Code Injection via arbitrary dynamic library loading

CVE-2021-36666

7.5

AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N

High

macOS

OS Command Injection Vulnerability in local HTTP server 

CVE-2021-36667

4.4

AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Medium

macOS

URL Injection vulnerability in inSync App

CVE-2021-36668

5.3

AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Medium

Windows, macOS, Linux (Ubuntu)

**Acknowledgments**

Druva would like to thank Mr. Oliver Grubin (info@olvrgrbn.com) for taking the effort to report these vulnerabilities by participating in coordinated and responsible disclosure.

**References**

*   Release Notes for inSync Client v7.0.0 
    
*   Release Notes for inSync Client v7.1.0  
    
*   Druva utilizes the Common Vulnerability Scoring System (CVSS) base score and metrics by the **National Institute of Standards and Technology** in the National Vulnerability Database. For more information on CVSS and score calculation system, see Common Vulnerability Scoring System: Specification Document.

CVE-2021-36665: Security Advisory for inSync Client 7.0.1 and before

Improper access control vulnerability in updateLastConnectedClientInfo function of SemWifiApClient prior to SMR Jul-2022 Release 1 allows attacker to access wifi ap client mac address that connected.

CVE-2022-30750

Whether data's in motion, at rest, or in use, confidential computing makes moving workloads to the public cloud safer, and can enhance data security in other deployments.

It's a question every enterprise faces: How comfortable do we feel moving sensitive data to the cloud, bearing in mind the associated security and privacy risks?

Though global cloud adoption is expanding rapidly, security and privacy remain top concerns. For example, the Cloud Security Alliance survey last year showed security and privacy to be the leading worry for 58% of 1,900 professionals involved in cloud deployments.

That is why inside many companies, tension continues to simmer between development shops that see the scalable, flexible public cloud as an ideal innovation engine and security gatekeepers whose risk intolerance has earned them a reputation as the Department of No.

But what if organizations could have greater assurance that their data is protected from hackers and other prying eyes? What if reluctance about moving sensitive data to the cloud was alleviated?

Such is the promise of an emerging shift in data security: confidential computing.

Confidential computing not only reassures enterprises about the safety of moving more of their workloads to the public cloud, it also can enhance data security in any type of deployment and offer a host of business benefits.

An explanation of what confidential computing is must start with a description of the three stages of the data life cycle.

**Data in Motion**

When users send data, it is encrypted while transmitting across networks. Whether the user is someone in a company sending data to the cloud or a consumer sharing their credit card information with an online retailer, that's true. Standardized encryption technologies such as TLS protect the data during its journey.

**Data at Rest**

This is the designation for passive data that is not being computed on and is sitting in storage — records in databases, files on hard disks, etc. Organizations use disk encryption and other security technologies to safeguard data at rest.

**Data in Use**

This is where data is computed-on in some way. To do that, data must first be moved from the hard disk into system memory — aka RAM — and become unencrypted. At this stage, data becomes vulnerable to compromise due to a potential vulnerability within the millions lines of code that comprise the cloud provider’s system software operating system, hypervisor, firmware, or a cloud administrator. This is a large attack surface, and this is what consumers who move their confidential data from an on-premises setup to a public cloud worry about.

Confidential computing is an extra layer of security that extends encryption protection to data during runtime. It achieves this by running workloads in isolated hardware-encrypted environments, or trusted execution environments, that prevent unauthorized access or modification of applications and data while in use.

This eases a set of potential security threats in moving data to the cloud, such as a hypervisor vulnerability allowing other virtual machines to leak private data, or a rogue cloud provider employee with access to a company's physical machine backdooring a workflow.

There's a lot of industry buzz about confidential computing for a few reasons. The first is obvious: The rising number of cyberattacks is spurring a need for better data security.

Second, technologies that enable confidential computing, such as security features in operating systems and on CPUs, have achieved industrial strength, as with AMD-SEV and Intel SGX.

Third, the major public cloud providers, in particular Google Cloud Platform and Microsoft Azure, have been beefing up their confidential computing capabilities.

A note on that third point: Though much of the discussion about confidential computing has centered on its usefulness in securing sensitive data as it moves to the public cloud, its advantages are equally compelling and relevant for protecting data in use in many more environments, namely edge and on-premises deployments.

The space keeps heating up. For example, in May, AMD announced new confidential computing virtual machines for Google Cloud.

Confidential computing also has the support of a project community at the Linux Foundation, with commitments from nearly 40 member organizations and contributions from several open source projects.

Confidential computing has significant real-world benefits. Take financial services, for example. In that industry, business processes such as anti-money laundering and fraud detection require financial institutions to share data with external parties.

With confidential computing, they can process data from multiple sources without exposing customers' personal data. They can run analytics on the combined data sets to, say, detect the movement of money by one user among multiple banks, without introducing security and privacy problems.

By unlocking data computing scenarios that weren't possible before, confidential computing should be an important security and privacy advance for years to come.

Tag

#mac