AI Finds a Web-Killing Bug 💣 + Oracle's 2-Year-Old Exploit Is Back

Two threats making the rounds today deserve your attention — one is a newly discovered flaw hiding inside virtually every major web server on the planet, and the other is an old Oracle vulnerability that attackers are actively using right now.

💣 An AI Found a Hidden Flaw That Could Crash Most of the Web

Researchers just disclosed something called the "HTTP/2 Bomb" — a clever attack that can bring down some of the most widely used web server software in the world, including nginx, Apache, Microsoft IIS, and Cloudflare's infrastructure. What makes it nasty: a single attacker with a normal internet connection can force a target server to consume up to 32 gigabytes of memory in about 20 seconds, effectively crashing it.

Here's the wild part — this bug was discovered by OpenAI's Codex AI, not a human researcher. It works by chaining together two old, known techniques in a way nobody had connected before. The flaw exists because the official web standard gave ambiguous guidance, and five independent software teams all interpreted it the same wrong way.

If your business runs a website or API (and who doesn't?), your hosting provider or IT team needs to patch this immediately. Updates are available for nginx (1.29.8+) and Apache (mod_http2 v2.0.41). For IIS and some others, disabling HTTP/2 may be the temporary fix.

💥 A Two-Year-Old Oracle Flaw Is Being Actively Exploited — Right Now

The U.S. government's cybersecurity agency (CISA) just added a vulnerability in Oracle WebLogic Server to its list of actively exploited flaws, meaning real attackers are using it against real targets today. The bug (CVE-2024-21182) was actually patched back in July 2024 — but a huge number of organizations never applied the update.

This is a common and frustrating pattern: a patch exists, but companies move slowly, and attackers move fast. The vulnerability lets someone break into a WebLogic server without needing a password, giving them access to sensitive data. Federal agencies have been given a hard deadline to patch, and private companies should treat this with the same urgency.

If your organization uses Oracle WebLogic Server versions 12.2.1.4.0 or 14.1.1.0.0, patching this is a top priority — not a "get to it eventually" item.
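To turn the two patch calls above (nginx 1.29.8+, Apache mod_http2 2.0.41, HTTP/2 off where no fix exists, and the affected WebLogic versions) into a quick fleet triage, here is an added example that is not from the newsletter or any vendor. The inventory lines are constructed, the product labels are our own, and the assumption that an Oracle patch does not change the WebLogic base version string is ours, so a version match is flagged for a manual check rather than called vulnerable.

```python
import re

# Minimum fixed versions named in the newsletter (added example, not vendor tooling).
FIXED = {
    "nginx": (1, 29, 8),
    "apache-mod_http2": (2, 0, 41),
}
# Products the newsletter says have no patch yet: interim advice is to disable HTTP/2.
NO_PATCH_YET = {"iis"}
# WebLogic versions the newsletter lists for CVE-2024-21182.
WEBLOGIC_AFFECTED = {"12.2.1.4.0", "14.1.1.0.0"}


def parse_version(text):
    """Pull the first dotted version out of strings such as
    'nginx version: nginx/1.29.7' or 'mod_http2 v2.0.41'."""
    m = re.search(r"(\d+(?:\.\d+)+)", text)
    if not m:
        raise ValueError(f"no version found in {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def assess(product, version_text):
    """Return 'patched', 'vulnerable', 'disable-http2', 'verify-cpu' or 'unknown'."""
    if product in NO_PATCH_YET:
        return "disable-http2"
    if product == "weblogic":
        base = ".".join(str(p) for p in parse_version(version_text))
        # Assumption: Oracle patches leave the base version string unchanged, so a
        # match only puts the host in scope; confirm the July 2024 update is applied.
        return "verify-cpu" if base in WEBLOGIC_AFFECTED else "unknown"
    if product not in FIXED:
        return "unknown"
    return "patched" if parse_version(version_text) >= FIXED[product] else "vulnerable"


# Constructed inventory standing in for real `nginx -v`, module and WebLogic banners.
INVENTORY = [
    ("web-01", "nginx", "nginx version: nginx/1.29.7"),
    ("web-02", "nginx", "nginx version: nginx/1.29.8"),
    ("api-01", "apache-mod_http2", "mod_http2 v2.0.41"),
    ("win-01", "iis", "IIS 10.0"),
    ("erp-01", "weblogic", "WebLogic Server 12.2.1.4.0"),
]


def triage(inventory=INVENTORY):
    """Map each host to its remediation status."""
    return {host: assess(product, ver) for host, product, ver in inventory}


if __name__ == "__main__":
    for host, status in triage().items():
        print(f"{host:8} {status}")
```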

Stay ahead of threats like these with GOCO Security at gocosecurity.com.
