Critical Ivanti Avalanche vulnerabilities addressed

Fixes have been issued by IT security firm Ivanti for more than 20 security vulnerabilities impacting its Avalanche enterprise mobile development management offering, 13 of which are critical buffer overflow bugs, reports SecurityWeek. Remote code execution and denial-of-service attacks could be conducted through the exploitation of the critical flaws, according to Ivanti. Ivanti also addressed eight high-severity bugs, which could be leveraged to facilitate server-side request forgery and DoS attacks, as well as authentication evasion and arbitrary file uploads, in addition to a medium-severity flaw that could be abused for SSRF attacks. Immediate patching has been urged for organizations using Avalanche version 6.3.1 and above, as well as older iterations. "Upon learning of the vulnerabilities, we immediately mobilized resources to fix the problem and have fixes available now for all impacted versions," said Ivanti. Such fixes come after the inclusion of 12 Ivanti product flaws in the Cybersecurity and Infrastructure Security Agency's Known Exploited Vulnerabilities list this year.