posted by martyb on Friday January 12 2018, @02:44AM
from the update-early-and-often dept.

While everyone was screaming about Meltdown and Spectre, another urgent security fix was already in progress for many corporate data centers and cloud providers who use products from Dell's EMC and VMware units. A trio of critical, newly reported vulnerabilities in EMC and VMware backup and recovery tools—EMC Avamar, EMC NetWorker, EMC Integrated Data Protection Appliance, and vSphere Data Protection—could allow an attacker to gain root access to the systems or to specific files, or inject malicious files into the server's file system. These problems can only be fixed with upgrades. While the EMC vulnerabilities were announced late last year, VMware only became aware of its vulnerability last week.

[...] For those familiar with the architecture of these products, the vulnerabilities may not be a surprise—EMC Avamar and the other applications use Apache Tomcat, which was patched multiple times last year to address critical security vulnerabilities. However, it's not clear whether these patches were incorporated into earlier updates of the EMC and VMware products or if any of the bugs just fixed in updates of the EMC/VMware products were Tomcat related.

Source: https://arstechnica.com/information-technology/2018/01/emc-vmware-security-bugs-throw-gasoline-on-cloud-security-fire/



This discussion has been archived. No new comments can be posted.
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • (Score: -1, Spam) by Anonymous Coward on Friday January 12 2018, @03:06AM (1 child)

    by Anonymous Coward on Friday January 12 2018, @03:06AM (#621237)

    Utilize like this! Utilize like this! Get rapenant, get rapenant! Ahhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhh, too good! It's a rancid, pinworm-infested feces fiesta!

    • (Score: 0) by Anonymous Coward on Friday January 12 2018, @03:41AM

      by Anonymous Coward on Friday January 12 2018, @03:41AM (#621244)

      Spam but not far from truth. Wonder how long the NSA sat on these before finding people to discover them. Hope my tinfoil is just on tight. Hmm.... tomorrow's stories to confuse consumers.... Rohingya? North Korea? Follow the 11 pointed star. She knows De wae

  • (Score: 1, Insightful) by Anonymous Coward on Friday January 12 2018, @03:10AM (6 children)

    by Anonymous Coward on Friday January 12 2018, @03:10AM (#621238)

    Finally, there will be a real-world incentive for the study of computational correctness.

    Hang onto your RC Colas, boys; the world of computing is about to launch off its rickety hobbyist foundation up into the wider universe of hard-nosed engineering. Pack your bags for Britain, because that's where the revolution will begin; not only do the Brits have a history of interest in correctness, but the Americans are way too interested in slapdash git-'er-done, first-to-market cowboyism to sit down long enough to ponder these questions.

    • (Score: 4, Insightful) by Runaway1956 on Friday January 12 2018, @03:46AM (5 children)

      by Runaway1956 (2926) on Friday January 12 2018, @03:46AM (#621247)

      Hard nosed engineering, the AC says. I could go for that. We have a myriad of people who work on computers, who make claims to being "engineers". And, so many of them are mere amateurs, dabbling around the edges of mathematics. Engineering? A real engineer designs something, then asks himself, "What could go wrong?" A real engineer is one of his own harshest critics.

      In this day and age of "good enough", at least half of our so-called engineers are unworthy of the name. Yeah, I know, the real engineers don't run things. They are under pressure from higher ups to produce something that will keep the revenue turning. Still - good enough is good enough? Come on people - to call yourself an engineer, you've got to be examining and re-examining your work, at all times, trying to find the flaws in your own work.

      Hard nosed engineering, is what the AC said. Hey, that would really be nice!! The common disclaimer that accompanies software says "We hope you'll like our work, but we make no guarantees of any kind, enjoy!" often accompanied by "Now pay us!". I'd rather see some kind of disclaimer that says, "We've tested this software according to (list of standards), and our work seems to have passed all of these tests for (speed, accuracy, VULNERABILITIES, compatibility and/or other applicable standards). We hope that our work meets your standards. If you encounter any problems, please contact us so that we might improve our software!"

      And, of course, all of that applies mostly to commercial work. Profit is always the driving force. Gotta get something out the door that will sell, damn the consequences. Yeah, open source has had its problems as well, but those problems usually result from honest mistakes. In the case of closed source, none of us can tell which were mistakes, and which were stupid compromises, or which were decisions driven by profit/greed.

      --
      On the plus side, I am completely immune to flash-bang grenades. - Helen Keller
      • (Score: 0) by Anonymous Coward on Friday January 12 2018, @05:02AM

        by Anonymous Coward on Friday January 12 2018, @05:02AM (#621262)

        This other guy is simply repeating the main point.

      • (Score: 4, Insightful) by c0lo on Friday January 12 2018, @09:10AM (1 child)

        by c0lo (156) on Friday January 12 2018, @09:10AM (#621315)

        A just-git-'er-done engineer designs something, then asks himself, "What could go wrong?". A real engineer asks "What can go wrong?" first and designs accordingly.

        FTFY

        • (Score: 2) by Runaway1956 on Friday January 12 2018, @03:18PM

          by Runaway1956 (2926) on Friday January 12 2018, @03:18PM (#621398)

          Good fix. I thank you, and the mod point reflects that! :^)

          --
          On the plus side, I am completely immune to flash-bang grenades. - Helen Keller
      • (Score: 2) by darkfeline on Friday January 12 2018, @08:02PM (1 child)

        by darkfeline (1030) on Friday January 12 2018, @08:02PM (#621525)

        "Hard nosed" engineering isn't immune to poor management practices (Volkswagen, anyone?). The problem is corporate/industry demand. The industry demands speed, new UI designs, and marketability over features and correctness. You can't shoot the engineer/messenger for that. If you want to fix the problem, you don't fix the engineers (or "engineers"), you fix the industry (perhaps with regulation *gasp*).

        • (Score: 2) by Runaway1956 on Friday January 12 2018, @11:12PM

          by Runaway1956 (2926) on Friday January 12 2018, @11:12PM (#621601)

          What Volkswagen did was not "engineering", but "fraud". And, the engineers actively participated in the fraud. I've posted before, that I hate the idea of sacrificing engineers to protect the management. But, I hate the idea of protecting anyone just as much. Doesn't matter how high or how low you are on the totem pole, if you're knowingly, and actively, working to defraud the public, the government, or whoever, you should not have any protections.

          --
          On the plus side, I am completely immune to flash-bang grenades. - Helen Keller
  • (Score: 2, Insightful) by Anonymous Coward on Friday January 12 2018, @03:28AM (3 children)

    by Anonymous Coward on Friday January 12 2018, @03:28AM (#621240)

    Ars may like sensational headlines, but I could do without metaphors about gasoline on fires. Aren't we old enough here to recognize that something is important from a straightforward description?

    aside -- if you have never tried throwing gasoline on a fire, I suggest you watch idiots do it on YouTube instead. It can easily flash back and light the can that you are using to throw from. Since it's explosive over a fairly wide range of concentrations in air, it can even explode in the container after a rapid flash back. https://en.wikipedia.org/wiki/Flammability_limit#Examples [wikipedia.org]

    • (Score: 2) by c0lo on Friday January 12 2018, @09:16AM (1 child)

      by c0lo (156) on Friday January 12 2018, @09:16AM (#621317)

      Well, freeze it first.
      I'm sure you'll find plenty of YouTube videos about listing gasoline frozen in liquid nitrogen.

      • (Score: 1, Informative) by Anonymous Coward on Friday January 12 2018, @01:21PM

        by Anonymous Coward on Friday January 12 2018, @01:21PM (#621354)

        18,400 video hits...

        This one is kind of cool, drops of liquid N2 self-propel on the surface of gasoline,
        https://www.youtube.com/watch?v=UTbZDWa94ow [youtube.com]

        And drops of gasoline also move (but slower) on the surface of LN2. This guy goes further and lights off the frozen gasoline...with his open gasoline container less than a meter away,
        https://www.youtube.com/watch?v=TNjOaAIz_ZY [youtube.com]

    • (Score: 0) by Anonymous Coward on Friday January 12 2018, @01:14PM

      by Anonymous Coward on Friday January 12 2018, @01:14PM (#621352)