PatchDay Alert
Daily Digest · 2 min read · 5 CVEs · Issue 34 · By PatchDay Alert

Chrome sandbox escape at 9.6, a VPN auth bypass at 9.3, and Apache httpd going down easy

Google Chrome has a click-to-own sandbox escape (CVE-2026-11697, CVSS 9.6), a VPN auth bypass lets unauthenticated attackers tunnel in via deprecated IKEv1 (CVE-2026-50751, CVSS 9.3), and Apache mod_http2 has a no-auth DoS that can knock your web server offline (CVE-2026-49975, CVSS 7.5). Perl DBI and the Cereal C++ library round out the list.

Patch now: 2 · Within 24h: 1 · This week: 1 · Exploited: 0
Tags: Perl DBI, Azure Linux, Linux, Apache HTTP Server, Check Point Security Gateway, VPN, Network Appliance, USCiLab Cereal, Google Chrome, Chromium, Windows, MacOS

Two critical-rated bugs headline today's five-CVE list. A Chrome sandbox escape (CVE-2026-11697, CVSS 9.6) lets an attacker run code on the underlying OS from nothing more than a page visit, and a VPN authentication bypass (CVE-2026-50751, CVSS 9.3) hands an unauthenticated attacker a full tunnel into your network. Neither is known to be exploited in the wild yet, but both are ugly enough that you shouldn't wait to find out.


Today's CVEs


02 · CVE-2026-49975 · MSRC · CVSS 7.5 · HIGH · Patch within 24h
Tags: Apache HTTP Server, Azure Linux, Linux

A denial-of-service bug in Apache HTTP Server's mod_http2 module lets a remote attacker knock your web server offline with crafted HTTP/2 requests. No authentication is needed. If you expose httpd with HTTP/2 negotiable (mod_http2 loaded and a `Protocols` directive that lists `h2` or `h2c`), you're in the blast radius.

Included because
unauthenticated; internet-facing; common product; CVSS 7.5 DoS
Affected estate
Apache httpd 2.4.67-1 on Azure Linux 3.0, and potentially other distros shipping a vulnerable httpd version with mod_http2 loaded.
How to check
Run `httpd -v` (Debian/Ubuntu: `apache2 -v`) to check the version and `httpd -M | grep http2` (`apache2ctl -M`) to confirm mod_http2 is loaded. A loaded module is not enough on its own: httpd only negotiates HTTP/2 where a `Protocols` directive lists `h2` or `h2c` (the default is `http/1.1`), so grep your config for `Protocols` as well.
Action
Update httpd to the fixed version. If patching isn't possible right now, either set `Protocols http/1.1` at the global level (and remove `h2`/`h2c` from any per-vhost `Protocols` line, which would override it), or comment out `LoadModule http2_module` in your httpd config; in the second case also remove any `H2*` directives, or httpd will refuse to start on the unknown directive. Run `httpd -t` before restarting.
Urgency
Patch within 24 hours
Why it matters
An unauthenticated remote DoS against your web server can take down customer-facing services with no warning.
Source
NVD
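The check above has a subtlety worth automating: `httpd -M` tells you the module is loaded, but HTTP/2 is only reachable where a `Protocols` line enables it. The script below is an added example, not code from the PatchDay page or the Apache project; it reads `httpd -M` output and an httpd config, decides whether h2 can be negotiated, and shows the weak and hardened configurations side by side. The module listing and both configs are constructed samples.

```python
"""Added example, not from the PatchDay page or the Apache project: decide
from `httpd -M` output and the active config whether this build can actually
negotiate HTTP/2. httpd's `Protocols` directive defaults to http/1.1, so a
loaded mod_http2 alone does not expose h2; the module AND a Protocols line
naming h2/h2c must both be present. All sample inputs below are constructed."""

H2_NAMES = {"h2", "h2c"}


def module_loaded(modules_output: str, name: str = "http2_module") -> bool:
    """modules_output is the text printed by `httpd -M` / `apache2ctl -M`:
    a 'Loaded Modules:' banner followed by ' name (static|shared)' lines."""
    for line in modules_output.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[0] == name:
            return True
    return False


def active_directives(config_text: str):
    """Yield (directive, args) for every non-comment line of an httpd config.
    Section tags (<VirtualHost ...>, </VirtualHost>) are skipped: a Protocols
    line inside any vhost is enough to make h2 negotiable for that vhost."""
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("<"):
            continue
        parts = line.split()
        yield parts[0].lower(), parts[1:]


def h2_negotiable(modules_output: str, config_text: str) -> bool:
    """True when mod_http2 is loaded and some active Protocols line lists h2 or h2c."""
    if not module_loaded(modules_output):
        return False
    return any(
        name == "protocols" and H2_NAMES & {a.lower() for a in args}
        for name, args in active_directives(config_text)
    )


# Constructed `httpd -M` output for a build with mod_http2 loaded.
MODULES_WITH_H2 = """\
Loaded Modules:
 core_module (static)
 http_module (static)
 ssl_module (shared)
 http2_module (shared)
"""

# Weak: h2 is enabled inside the TLS vhost, so crafted HTTP/2 requests reach mod_http2.
WEAK_CONF = """\
LoadModule http2_module modules/mod_http2.so
<VirtualHost *:443>
    SSLEngine on
    Protocols h2 http/1.1
</VirtualHost>
"""

# Hardened interim mitigation: keep the module loaded (so any H2* directives
# still parse) but refuse to negotiate h2 anywhere; the old line is commented out.
HARDENED_CONF = """\
LoadModule http2_module modules/mod_http2.so
Protocols http/1.1
<VirtualHost *:443>
    SSLEngine on
    # Protocols h2 http/1.1
</VirtualHost>
"""

if __name__ == "__main__":
    print("weak config exposes h2:", h2_negotiable(MODULES_WITH_H2, WEAK_CONF))
    print("hardened config exposes h2:", h2_negotiable(MODULES_WITH_H2, HARDENED_CONF))
```

Feed it the real `httpd -M` output and the concatenation of your active config files (the result of `httpd -t -D DUMP_INCLUDES` tells you which ones those are). A per-vhost `Protocols h2 http/1.1` that survives a global `Protocols http/1.1` still wins for that vhost, which is exactly the case the function flags.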


03 · CVE-2026-50751 · NVD · CVSS 9.3 · EPSS 0.01% · CRITICAL · Patch now
Tags: Check Point Security Gateway, VPN, Network Appliance

An authentication bypass in Remote Access and Mobile Access VPN using the deprecated IKEv1 key exchange lets an unauthenticated remote attacker establish a full VPN session without a valid password. That means anyone on the internet can tunnel into your network if the affected VPN endpoint is reachable. This is about as bad as VPN bugs get.

Included because
unauthenticated; internet-facing; authentication bypass; CVSS 9.3; VPN is a primary perimeter control
Affected estate
Check Point Security Gateways with the Remote Access or Mobile Access blade enabled and IKEv1 key exchange still permitted.
How to check
In SmartConsole (or equivalent management UI), verify whether IKEv1 is enabled on your VPN gateway's IPsec VPN settings. Check for any Remote Access or Mobile Access blade configurations using IKEv1.
Action
Apply the vendor's security hotfix. If it isn't available yet, disable IKEv1 and enforce IKEv2 only, then confirm from outside the perimeter that the gateway no longer answers IKEv1 on UDP/500 (a management-console setting that didn't take effect protects nothing). Review VPN session logs for Remote Access logins that don't match a known user or client.
Urgency
Patch immediately
Why it matters
An unauthenticated attacker can bypass VPN login entirely and get network access, no password required.
Source
NVD
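Checking the box in SmartConsole is only half of the verification; the other half is proving from the Internet side that the gateway no longer negotiates IKEv1. The script below is an added example, not Check Point tooling and not from the PatchDay page: a minimal IKEv1 Main Mode probe in the spirit of ike-scan that sends a single SA proposal to UDP/500 and classifies the reply. The proposal offered (3DES/SHA1/pre-shared key/MODP-1024) and the port are assumptions; the packet builder is also used to construct the test replies. Probe only gateways you are authorised to test.

```python
"""Added example, not Check Point tooling and not from the PatchDay page: a
minimal IKEv1 Main Mode probe in the spirit of ike-scan, to confirm from the
outside that a gateway no longer answers IKEv1 on UDP/500 after hardening.
The single proposal offered (3DES/SHA1/PSK/MODP-1024) and the port are
assumptions; probe only gateways you are authorised to test."""
import os
import socket
import struct
from typing import Optional

# ISAKMP header (RFC 2408 s3.1): icookie, rcookie, next payload, version,
# exchange type, flags, message id, total length.
ISAKMP_HDR = "!8s8sBBBBII"
HDR_LEN = struct.calcsize(ISAKMP_HDR)  # 28 bytes
PAYLOAD_SA, PAYLOAD_NOTIFY = 1, 11
EXCH_MAIN_MODE, EXCH_INFORMATIONAL = 2, 5


def _transform() -> bytes:
    # One KEY_IKE transform carrying four basic (TV-encoded) attributes:
    # ENC=3DES(5), HASH=SHA1(2), AUTH=pre-shared key(1), GROUP=MODP-1024(2).
    attrs = b"".join(struct.pack("!HH", 0x8000 | t, v)
                     for t, v in ((1, 5), (2, 2), (3, 1), (4, 2)))
    return struct.pack("!BBHBBH", 0, 0, 8 + len(attrs), 1, 1, 0) + attrs


def _proposal() -> bytes:
    t = _transform()
    # proposal #1, protocol ISAKMP(1), SPI size 0, one transform
    return struct.pack("!BBHBBBB", 0, 0, 8 + len(t), 1, 1, 0, 1) + t


def sa_payload() -> bytes:
    p = _proposal()
    # generic payload header, DOI IPsec(1), situation SIT_IDENTITY_ONLY(1)
    return struct.pack("!BBHII", 0, 0, 12 + len(p), 1, 1) + p


def build_packet(icookie: bytes, rcookie: bytes, next_payload: int,
                 exchange: int, body: bytes) -> bytes:
    hdr = struct.pack(ISAKMP_HDR, icookie, rcookie, next_payload, 0x10,
                      exchange, 0, 0, HDR_LEN + len(body))
    return hdr + body


def build_probe(icookie: bytes) -> bytes:
    """First Main Mode message: header + SA payload, responder cookie still zero."""
    return build_packet(icookie, bytes(8), PAYLOAD_SA, EXCH_MAIN_MODE, sa_payload())


def parse_header(data: bytes) -> dict:
    if len(data) < HDR_LEN:
        raise ValueError("short ISAKMP packet")
    ic, rc, nxt, ver, exch, flags, msgid, length = struct.unpack(ISAKMP_HDR, data[:HDR_LEN])
    return {"icookie": ic, "rcookie": rc, "next_payload": nxt, "version": ver,
            "exchange": exch, "flags": flags, "msgid": msgid, "length": length}


def classify(icookie: bytes, reply: Optional[bytes]) -> str:
    """Silence proves nothing (filtered, rate-limited, or IKEv1 off); any IKEv1
    reply that echoes our cookie shows the gateway still speaks IKEv1."""
    if reply is None:
        return "no-reply"
    h = parse_header(reply)
    if h["icookie"] != icookie or (h["version"] >> 4) != 1:
        return "unrelated"
    if h["exchange"] == EXCH_MAIN_MODE and h["next_payload"] == PAYLOAD_SA:
        return "ikev1-main-mode-accepted"     # responder picked our proposal
    if h["exchange"] == EXCH_INFORMATIONAL and h["next_payload"] == PAYLOAD_NOTIFY:
        return "ikev1-notify"                 # IKEv1 is up but rejected the proposal
    return "ikev1-other"


def probe(host: str, port: int = 500, timeout: float = 3.0) -> str:
    icookie = os.urandom(8)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_probe(icookie), (host, port))
        try:
            reply, _ = s.recvfrom(4096)
        except socket.timeout:
            reply = None
    return classify(icookie, reply)


if __name__ == "__main__":
    import sys
    print(probe(sys.argv[1]))   # e.g. python3 ike1probe.py vpn.example.com
```

Read the result conservatively: `ikev1-main-mode-accepted` or `ikev1-notify` means IKEv1 is still being served and the mitigation hasn't landed; `no-reply` only means this probe got nothing back, which a firewall or rate limiter can also cause, so pair it with the management-console check rather than replacing it.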


04 · CVE-2026-11463 · MSRC · CVSS 7.3 · EPSS 0.05% · HIGH · Track
Tags: USCiLab Cereal, Azure Linux, Linux

A type confusion bug in the USCiLab Cereal C++ serialization library lets an attacker corrupt shared pointer types during deserialization. If your application deserializes untrusted Cereal archives, an attacker could crash it or potentially execute code. Exploitation requires the app to process attacker-controlled serialized data, which narrows the risk.

Included because
CVSS 7.3; type confusion in serialization library; specific affected package on Azure Linux
Affected estate
Azure Linux 3.0 with cereal 1.3.2-1, or any system with C++ applications linked against Cereal 1.3.2 or earlier.
How to check
Run `rpm -q cereal` on Azure Linux. For source builds, check the version in `cereal/version.hpp` or your build dependency manifest.
Action
Update cereal to the patched version when it is released. Cereal is a header-only library, so updating the package fixes nothing by itself: every application built against it has to be rebuilt. Audit whether any deployed applications deserialize data from untrusted inputs using Cereal.
Urgency
Monitor and patch
Why it matters
Type confusion during deserialization can lead to crashes or code execution, but only if your apps process untrusted serialized data.
Source
NVD


05 · CVE-2026-11697 · NVD · CVSS 9.6 · CRITICAL · Patch now
Tags: Google Chrome, Chromium, Windows, MacOS, Linux

A sandbox escape in Google Chrome caused by insufficient input validation in the browser UI. An attacker who lures a user to a crafted web page can potentially break out of Chrome's sandbox and run code on the underlying system. No special privileges are needed; the victim only has to load the page.

Included because
CVSS 9.6; sandbox escape; no auth required; user interaction is just visiting a page; ubiquitous product
Affected estate
All endpoints running Google Chrome below 149.0.7827.103. Other Chromium-based browsers (Edge, Brave, Opera and so on) carry the same code but use their own version numbers, so check each vendor's advisory for its fixed build rather than comparing against the Chrome number.
How to check
Open `chrome://version` in the browser; `chrome://settings/help` forces an update check. For fleet visibility, query your endpoint management tool or browser admin console for Chrome versions below 149.0.7827.103, comparing each dotted component numerically rather than as a string.
Action
Push Chrome 149.0.7827.103 or later to all managed endpoints. Restart browsers to complete the update.
Urgency
Patch immediately
Why it matters
A sandbox escape means an attacker who gets code execution inside Chrome can break out and own the endpoint, turning a browser tab into full system compromise.
Source
NVD
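Fleet reports usually arrive as a CSV of host, browser and version, and the version column has to be compared as numbers, not text. The script below is an added example, not from the PatchDay page or Google; it triages such an export against the fixed Chrome build, parks non-Chrome Chromium browsers for a vendor-specific check, and refuses to treat an unparseable version as patched. The inventory and its column names are constructed.

```python
"""Added example, not from the PatchDay page or Google: triage a browser
inventory export against the fixed Chrome build, comparing version fields as
integers. Plain string comparison gets this wrong: "149.0.7827.99" sorts
after "149.0.7827.103" lexically but is the older, vulnerable build.
The inventory below and its column names are constructed."""
import csv
import io

FIXED_CHROME = "149.0.7827.103"  # fixed build named in the advisory entry


def parse_version(v: str) -> tuple:
    """Chrome versions are exactly four dotted integers (major.minor.build.patch)."""
    parts = v.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a Chrome version: {v!r}")
    return tuple(int(p) for p in parts)


def is_vulnerable(version: str, fixed: str = FIXED_CHROME) -> bool:
    return parse_version(version) < parse_version(fixed)


# Constructed export from a hypothetical endpoint-management tool.
SAMPLE_INVENTORY = """\
host,browser,version
ws-001,chrome,149.0.7827.103
ws-002,chrome,149.0.7827.99
ws-003,chrome,148.0.7790.210
ws-004,edge,149.0.3396.77
ws-005,chrome,150.0.7900.0
ws-006,chrome,unknown
"""


def triage(inventory_csv: str, fixed: str = FIXED_CHROME) -> dict:
    """Buckets hosts as: 'patch' (Chrome below the fixed build), 'ok',
    'review' (other Chromium-based browsers: their version numbers are not
    comparable to Chrome's, so check the vendor's own fixed build), and
    'unparseable' (agent reported no usable version; do not assume patched)."""
    buckets = {"patch": [], "ok": [], "review": [], "unparseable": []}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        host, browser, version = row["host"], row["browser"].lower(), row["version"]
        if browser != "chrome":
            buckets["review"].append(host)
            continue
        try:
            buckets["patch" if is_vulnerable(version, fixed) else "ok"].append(host)
        except ValueError:
            buckets["unparseable"].append(host)
    return buckets


if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket:12s} {', '.join(hosts) or '-'}")
```

The `unparseable` bucket matters: an agent that reports `unknown` is usually a browser that hasn't checked in or an install the agent can't read, and silently treating it as current is how a vulnerable endpoint stays off the patch list.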


