CVE-2022-3602 AND CVE-2022-3786
Nov 4, 2022
On Nov. 1, 2022, OpenSSL released OpenSSL 3.0.7, which patches the high-severity vulnerability CVE-2022-3786. Exploitation of the vulnerability results in a crash (denial of service) and can also lead to remote code execution. For a few days prior to Nov. 1, a number of security news outlets and security researchers warned about the potential high impact of the vulnerability to OpenSSLv3, whose details had not yet been publicly released. Upon learning about the potentially high impact of the vulnerability, Contrast Labs took immediate steps to investigate our susceptibility. After a thorough internal investigation, it was determined that Contrast is not susceptible to CVE-2022-3786 and CVE-2022-3602 at this time. The Contrast team continues to actively monitor the situation regarding the OpenSSL vulnerability.For additional inquiries, please contact support@contrastsecurity.com.
DHS Warning - Imminent National Cyberthreats
Contrast Labs has been monitoring the new CVE, Apache Commons Text interpolation CVE-2022-42889. While there was some initial concern from the industry that it is at the caliber of log4shell, the reality is that it is not nearly as widespread or exploitable. The class/method involved in this vulnerability is rarely used and a quick GitHub search shows very few open source programs using the vulnerable method. From what we’ve seen so far, this CVE seems more like a developer adding a backdoor, more than anything. I’m not as concerned that this will amount to much, as it's not like log4j where an application is gathering user controlled input and logging it, which could result in exploiting the log4shell vulnerability. - David Lindner, CISO at Contrast.
.jpg?width=120&name=spring4shell-logo-(1).jpg){kind=logo}
Spring4Shell
Zero-Day Vulnerability
On March 29, 2022, a Chinese cybersecurity research firm leaked an attack that could impact most enterprise Java applications, globally.
Heightened
Cyber Risk
Contrast Security Works with Global Businesses to Strengthen Security Controls and Increase Transparency Amidst Heightened Cyber Risk ...
Cyber Incident Reporting For Critical Infrastructure Act of 2022
Share on Email Cyber Incident Reporting For Critical Infrastructure Act of 2022On March 15, 2022...
Log4J Vulnerability
Resource Center
Log4j is a programming library (ie. pre-written code) that appears in millions of computer applications globally. It is free, open-source, and has been widely-used since 2001.
DHS Warning - Imminent National Cyberthreats
Due to the ongoing degradation in Ukrainian and Russian relations, today, intelligence agencies from major NATO member nations have issued a warning against imminent...
2021 AppSec Observability Report
A "Can't Miss" report based on real-world data from thousands of applications that highlights vulnerability and attack trends, security debt, benchmarks on the vulnerability escape rate, and much more.
March - April 2021: Contrast Labs' Application Security Intelligence Report
This report is based on aggregate vulnerability and attack telemetry for custom code from customers whose applications are covered by Contrast Assess and Contrast Protect
July - August 2020: Contrast Labs' Application Security Intelligence Report
This report analyzes composite data from Contrast Labs to update readers on vulnerability and attack trends as observed with applications covered by Contrast Assess and Contrast Protect.
March - April 2020: Contrast Labs' Application Security Intelligence Report
This report leverages aggregate data collected by Contrast Assess and Contrast Protect for insights around both application vulnerabilities and targeted attacks.
January - February 2020: Contrast Labs' Application Security Intelligence Report
This report analyzes composite data from Contrast Labs to update readers on vulnerability and attack trends as observed with applications covered by Contrast Assess and Contrast Protect.
May - June 2021: Contrast Labs' Application Security Intelligence Report
This report analyzes composite data from Contrast Labs to update readers on vulnerability and attack trends as observed with applications covered by Contrast Assess and Contrast Protect.
Contrast Protect
Always-on application and API protection from targeted attacks with no code changes required.
Contrast SCA
Automatically catalogue your third-party software risk across the software lifecycle - from build, to test, through production.
Contrast Assess
Flag underlying vulnerabilities in applications before it becomes a disclosed CVE or major incident - all without having to launch a single scan.
Contrast Scan
Code analysis that’s tailor-made for modern CI pipelines that delivers 10x faster scans, and actionable findings to ensure rapid fixes.