Conversation

    Kevin Beaumont (gossithedog@cyberplace.social), Thursday, 14-May-2026 20:09:49 JST

    There's serious panic being caused by AI discovered vulnerabilities behind the scenes, where those finding them are basically using them as marketing. Automated vulnerability hype train again, basically.

    A thread on a few of them.

      Kevin Beaumont (gossithedog@cyberplace.social), Thursday, 14-May-2026 20:11:27 JST

      CVE-2026-34486 - Tomcat

      - Only exploitable if a certain feature is used, if its endpoint is reachable and if port 4000. It's pretty niche.

      Kevin Beaumont (gossithedog@cyberplace.social), Thursday, 14-May-2026 20:16:33 JST

      CVE-2026-42945 - Nginx (otherwise branded Nginx Rift)

      It relies on a specific Nginx config to be vulnerable, and for the attacker to know or discover the config to exploit it. To reach RCE, ASLR also needs to have been disabled on the box.

      The PoC they've built specifically disables ASLR, deploys a specifically vulnerable config, and the exploit knows about the vulnerable config endpoint.


      Attachments
      1. https://cyberplace.social/system/media_attachments/files/116/572/637/830/948/345/original/684bf86549dc61a8.png

      2. https://cyberplace.social/system/media_attachments/files/116/572/643/615/861/086/original/b9a7396629fec05f.png
      Kevin Beaumont (gossithedog@cyberplace.social), Thursday, 14-May-2026 20:24:39 JST

      I will likely be one of the first people banging the drum to patch and mitigate if any of the recent AI vulns results in serious harm. Otherwise, keep calm and carry on patching as usual.

      FC (fatalisticcritic@cyberplace.social), Thursday, 14-May-2026 20:27:38 JST

      @GossiTheDog and that's why I'm here. Thanx for keeping us calm.

      Andrew Golding (huronbikes@cyberplace.social), Thursday, 14-May-2026 20:53:49 JST

      @GossiTheDog this particular defect-leading-to-vulnerability according to F5 can be mitigated by using named parameters instead of numbered in the rewrite regex replace expressions.

      I don't think the conditions are too terribly unusual, as this is the sort of thing that would be done if one wanted to, say, wrap an older HTTP API with semantics that use path parameters.

      The defect also impacts the Nginx Kubernetes Ingress Controller.

      Andreas (epd5qrxx@mastodon.online), Thursday, 14-May-2026 20:57:13 JST

      @GossiTheDog

      > Theoretically, we could leverage this design to leak ASLR by progressively overwriting pointers byte by byte. In this post, we discuss the exploitation technique assuming ASLR has already been bypassed.

      Based on that, ASLR is "just" a nuisance and not an actual show stopper 🤔

      https://depthfirst.com/research/nginx-rift-achieving-nginx-rce-via-an-18-year-old-vulnerability

      Kevin Beaumont (gossithedog@cyberplace.social), Friday, 15-May-2026 19:05:51 JST

      Regarding CVE-2026-42945 in nginx - no modern (or even old) Linux distribution runs nginx without ASLR.

      The way the PoC exploit works is they spawn nginx like this:

      > exec setarch x86_64 -R /nginx-src/build/nginx -p /app -c /app/nginx.conf

      Setarch -R disables ASLR. I've had a look through GitHub and I can't find any other software which actually does this for nginx either.

      So, cool, sweet technical vuln - it's valid - but the RCE apocalypse ain't coming.


      Attachments

      1. https://cyberplace.social/system/media_attachments/files/116/578/013/298/718/371/original/1e57e928d3bae1b0.png
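As an added example that is not part of the thread, of nginx, or of the research the thread cites: a POSIX shell script with defender-side checks for the two preconditions discussed in this post and in Andrew Golding's reply above. It assumes Linux's /proc interface (randomize_va_space, and /proc/PID/personality carrying the ADDR_NO_RANDOMIZE bit 0x0040000 that setarch -R sets on the process it launches); the numbered-capture scan is a heuristic over a single file; the two sample nginx configs are constructed, and the named-capture rewrite syntax is assumed valid for a PCRE-built nginx rather than taken from F5's guidance.

```shell
#!/bin/sh
# Added example (not from the thread, from nginx, or from the research the
# thread cites): defender-side checks for the preconditions the replies
# describe. Two are about ASLR, one is a heuristic scan of nginx rewrite
# rules for numbered captures. Sample values and configs are constructed.

# System-wide ASLR setting. Linux exposes it in
# /proc/sys/kernel/randomize_va_space: 0 = off, 1 = stack/mmap/vdso
# randomized, 2 = brk randomized as well. Prints "unknown" off Linux.
aslr_sysctl_state() {
    cat /proc/sys/kernel/randomize_va_space 2>/dev/null || echo unknown
}

# True (exit 0) when a personality value, in the 8-hex-digit form printed by
# /proc/PID/personality, carries ADDR_NO_RANDOMIZE (0x0040000). That is the
# flag `setarch -R` sets on the process it launches, so a process started the
# way the quoted PoC starts nginx shows it here even when randomize_va_space
# is 2 for the rest of the system.
personality_has_no_randomize() {
    [ -n "$1" ] || return 1
    [ $(( 0x$1 & 0x0040000 )) -ne 0 ]
}

# List every readable running process that carries the flag: "PID cmdline".
list_no_randomize_processes() {
    for p in /proc/[0-9]*; do
        pers=$(cat "$p/personality" 2>/dev/null) || continue
        if personality_has_no_randomize "$pers"; then
            printf '%s %s\n' "${p#/proc/}" "$(tr '\0' ' ' < "$p/cmdline")"
        fi
    done
}

# Heuristic (assumed sufficient for this demo): exit 0 when any rewrite
# directive in the given nginx config file references a numbered capture
# ($1..$9) in its replacement. Included files are not followed.
rewrite_uses_numbered_captures() {
    grep -E '^[[:space:]]*rewrite[[:space:]]' "$1" | grep -Eq '\$[1-9]'
}

# Constructed sample: the same rewrite with numbered and with named captures.
# The named form is the shape the reply reports F5 recommending; its syntax
# is assumed valid for a PCRE-built nginx.
numbered_conf=$(mktemp)
cat > "$numbered_conf" <<'EOF'
location /api/ {
    rewrite ^/api/([0-9]+)/(.*)$ /v2/$2/$1 break;
}
EOF

named_conf=$(mktemp)
cat > "$named_conf" <<'EOF'
location /api/ {
    rewrite ^/api/(?<id>[0-9]+)/(?<rest>.*)$ /v2/$rest/$id break;
}
EOF

echo "randomize_va_space: $(aslr_sysctl_state)"
echo "processes started with ADDR_NO_RANDOMIZE:"
list_no_randomize_processes
for f in "$numbered_conf" "$named_conf"; do
    if rewrite_uses_numbered_captures "$f"; then
        echo "$f: rewrite uses numbered captures"
    else
        echo "$f: no numbered captures in rewrite"
    fi
done
rm -f "$numbered_conf" "$named_conf"
```

The per-process check matters more than the sysctl: a distribution can ship randomize_va_space=2 and an individual service can still be launched under setarch -R, which is exactly the setup the quoted PoC command creates, and the personality flag is where that shows up.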
      Fellows (fellows@cyberplace.social), Friday, 15-May-2026 21:24:35 JST

      @GossiTheDog plus, don’t they need to know exactly which rewrite url to request from the server that would actually trip the vuln?

GNU social JP is a social network, courtesy of the GNU social JP administrator. It runs on GNU social, version 2.0.2-dev, available under the GNU Affero General Public License.

Creative Commons Attribution 3.0 All GNU social JP content and data are available under the Creative Commons Attribution 3.0 license.