CVE-2019-14865

A flaw was found in the grub2-set-bootflag utility of grub2. A local attacker could run this utility under resource pressure (for example by setting RLIMIT), causing grub2 configuration files to be truncated and leaving the system unbootable on subsequent reboots.
Source: NIST
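The failure class behind this CVE, as an added Python example that is not grub2's code: a utility that opens its target with O_TRUNC and then runs into a resource limit leaves a truncated file behind, whereas writing to a temporary file beside the target and renaming it into place leaves the original intact when the write fails. The file names, contents and the 64-byte RLIMIT_FSIZE value are constructed for the demo; it assumes a Linux/POSIX host, lowers only its own process's soft limit, and restores it afterwards.

```python
"""Config writes that cannot be truncated by a failed write (added example).

This is not grub2's code. It contrasts the fragile pattern behind
CVE-2019-14865 (open the target with O_TRUNC, then write) with a
write-to-temp-then-rename pattern, under a real resource limit:
RLIMIT_FSIZE is lowered for this process so the write must fail part way.
File names, contents and the 64-byte limit are constructed for the demo;
a Linux/POSIX host is assumed.
"""
import errno
import os
import resource
import signal
import tempfile

EFBIG = errno.EFBIG  # the errno write(2) returns once RLIMIT_FSIZE is hit


def write_all(fd: int, data: bytes) -> None:
    """Write every byte, looping over short writes; raises OSError on failure."""
    view = memoryview(data)
    while view:
        written = os.write(fd, view)
        view = view[written:]


def naive_write(path: str, data: bytes) -> None:
    """Fragile: O_TRUNC empties the file before a single byte is written,
    so any later failure leaves it truncated."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o644)
    try:
        write_all(fd, data)
    finally:
        os.close(fd)


def atomic_write(path: str, data: bytes) -> None:
    """Write to a temp file in the same directory, fsync, then rename over
    the target. Until the rename the original is untouched; on any failure
    the temp file is removed and the error propagates."""
    directory = os.path.dirname(os.path.abspath(path))
    fd, tmp = tempfile.mkstemp(dir=directory, prefix=".tmp-")  # created 0600
    try:
        os.fchmod(fd, 0o644)  # constructed choice: match the target's expected mode
        write_all(fd, data)
        os.fsync(fd)  # data must be on disk before the rename makes it visible
        os.close(fd)
        fd = -1
        os.replace(tmp, path)  # atomic on POSIX: readers see old or new, never partial
        dfd = os.open(directory, os.O_RDONLY)
        try:
            os.fsync(dfd)  # make the rename itself durable across a crash
        finally:
            os.close(dfd)
    except BaseException:
        if fd != -1:
            os.close(fd)
        try:
            os.unlink(tmp)
        except FileNotFoundError:
            pass  # already renamed into place
        raise


def run_demo(limit_bytes: int = 64) -> dict:
    """Run both writers with RLIMIT_FSIZE lowered so the new content cannot
    fit, then report what each file holds. The soft limit and the SIGXFSZ
    disposition are restored afterwards."""
    original = b"# constructed original config\n" + b"x" * 32  # under the limit
    new = b"# constructed new config\n" + b"y" * 256          # over the limit
    with tempfile.TemporaryDirectory() as d:
        paths = {"naive": os.path.join(d, "naive.cfg"),
                 "atomic": os.path.join(d, "atomic.cfg")}
        for p in paths.values():
            with open(p, "wb") as f:
                f.write(original)
        # A write past RLIMIT_FSIZE raises SIGXFSZ, which kills the process by
        # default; ignoring it makes write(2) return EFBIG instead.
        old_handler = signal.signal(signal.SIGXFSZ, signal.SIG_IGN)
        soft, hard = resource.getrlimit(resource.RLIMIT_FSIZE)
        resource.setrlimit(resource.RLIMIT_FSIZE, (limit_bytes, hard))
        errors = {}
        try:
            for name, writer in (("naive", naive_write), ("atomic", atomic_write)):
                try:
                    writer(paths[name], new)
                except OSError as exc:
                    errors[name] = exc.errno
        finally:
            resource.setrlimit(resource.RLIMIT_FSIZE, (soft, hard))
            signal.signal(signal.SIGXFSZ, old_handler)
        after = {}
        for name, p in paths.items():
            with open(p, "rb") as f:
                after[name] = f.read()
        return {"original": original, "after": after, "errors": errors,
                "files_left": sorted(os.listdir(d))}


if __name__ == "__main__":
    result = run_demo()
    for name, content in result["after"].items():
        print(f"{name}: {len(content)} bytes, intact={content == result['original']}")
```

Both writers hit the same EFBIG, but only the naive one damages the file: it is left holding the first 64 bytes of the new content, while the atomic writer's target still holds the original and no temp file is left behind. The same temp-and-rename pattern is the usual defence for any tool that rewrites boot or system configuration in place.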

CVE-2019-19375

In Octopus Deploy before 2019.10.7, in a configuration where SSL offloading is enabled, the CSRF cookie was sometimes sent without the secure attribute. (The fix for this was backported to LTS versions 2019.6.14 and 2019.9.8.)
Source: NIST
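Why SSL offloading tends to strip the Secure attribute, as an added Python example that is not Octopus Deploy's code: once TLS is terminated at a proxy, the application's own socket is plain HTTP, so a cookie helper that keys Secure off the socket scheme omits it. The helper below derives the client-facing scheme from X-Forwarded-Proto, but only when the peer is the trusted proxy, and a small checker flags Set-Cookie headers on HTTPS responses that lack Secure. X-Forwarded-Proto is the de-facto header name; the cookie name, token and the `peer_is_trusted_proxy` flag are constructed assumptions.

```python
"""Set-Cookie handling behind a TLS-offloading proxy (added example).

Constructed assumptions, not Octopus Deploy's code: the proxy forwards the
client-facing scheme in X-Forwarded-Proto, and the application can tell
whether the TCP peer is that proxy (peer_is_trusted_proxy).
"""
from http.cookies import SimpleCookie

CSRF_COOKIE_NAME = "csrf-token"  # constructed name


def client_scheme(socket_scheme: str, headers: dict, peer_is_trusted_proxy: bool) -> str:
    """Scheme as the browser sees it.

    Behind SSL offloading socket_scheme is 'http' even for HTTPS clients, so
    the proxy's X-Forwarded-Proto is the only evidence. It is honoured only
    when the connection really comes from the proxy; otherwise any client
    could claim a scheme and change which attributes its cookies get.
    """
    if peer_is_trusted_proxy:
        forwarded = headers.get("X-Forwarded-Proto", "")
        first = forwarded.split(",")[0].strip().lower()  # leftmost hop is client-facing
        if first in ("http", "https"):
            return first
    return socket_scheme.lower()


def csrf_set_cookie(token: str, socket_scheme: str, headers: dict,
                    peer_is_trusted_proxy: bool) -> str:
    """Build the Set-Cookie value for the CSRF cookie."""
    cookie = SimpleCookie()
    cookie[CSRF_COOKIE_NAME] = token
    morsel = cookie[CSRF_COOKIE_NAME]
    morsel["path"] = "/"
    morsel["samesite"] = "Strict"
    if client_scheme(socket_scheme, headers, peer_is_trusted_proxy) == "https":
        morsel["secure"] = True  # never let the browser send it back over plaintext
    return morsel.OutputString()


def cookies_missing_secure(set_cookie_values: list, served_over_https: bool) -> list:
    """Names of cookies lacking Secure in a response that was served over HTTPS.

    Usable as a check at the reverse proxy or in a test suite: every cookie
    set on an HTTPS response should carry Secure.
    """
    missing = []
    if not served_over_https:
        return missing
    for value in set_cookie_values:
        parts = [p.strip() for p in value.split(";")]
        name = parts[0].split("=", 1)[0]
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
        if "secure" not in attrs:
            missing.append(name)
    return missing


if __name__ == "__main__":
    offloaded = {"X-Forwarded-Proto": "https"}
    print(csrf_set_cookie("abc123", "http", offloaded, peer_is_trusted_proxy=True))
    print(cookies_missing_secure(["a=1; Path=/", "b=2; Path=/; Secure"], True))
```

The constructed token "abc123" is only a stand-in; a real CSRF token comes from a CSPRNG. The point to take from `client_scheme` is that trusting X-Forwarded-Proto from any peer is its own bug, so the proxy check has to come first.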

CVE-2019-19376

In Octopus Deploy before 2019.10.6, an authenticated user with TeamEdit permission could send a malformed Team API request that bypasses input validation and causes an application level denial of service condition. (The fix for this was also backported to LTS 2019.9.8 and LTS 2019.6.14.)
Source: NIST

Missed Security Targets Start to Trouble Senior Execs

Companies that fail to set their IT security teams targets that directly correlate with overall business performance are causing problems for their CEOs, according to new research from Thycotic.



The privileged access management solutions provider surveyed more than 100 UK IT security decision-makers, with 61% admitting that there are implications for the CEO if security teams are unable to meet the targets set for them.



With regard to the types of consequences they can face, the respondents reported a hard time from shareholders (44%), longer hours spent at work (40%) and even more serious implications such as penalties including lost bonus payments (37%) and threats to job security (35%).



Of particular note, Thycotic's research found that, when asked to describe what success looks like to them, IT security teams felt that being valued by the company (45%) was of more importance than achieving targets set by the board (42%). That suggests that CEOs risk repercussions if they set targets that do not effectively inspire IT and security professionals in their work.



Joseph Carson, chief security scientist and advisory CISO at Thycotic, said: “The data breach at TalkTalk ushered in a new era where CEOs can and will be held accountable for IT security failures that occur on their watch. Today, when cybersecurity teams do not meet their targets, it impacts the CEO with longer hours, shareholder pushback, job insecurity and bonus reductions.”



To minimize the risks, he added, CEOs need to give IT security professionals proactive measures and appropriate budgets that demonstrate the positive contribution they make to overall business performance.



“A good example is to appoint an IT security professional with good communication skills in charge of cross-departmental co-operation. This has the dual advantage of putting IT security on a more proactive footing and increasing the chances of spotting/remediating digital risks early before they can escalate and cause trouble at board level.”


Source: Infosecurity