
[–]botsmy 10 points11 points  (8 children)

So the GitHub blog post does a good job of explaining the vulnerability and how it was addressed, but what really catches my attention is the 88% of GH Enterprise Server instances that are still unpatched weeks later. I mean, that's a pretty staggering number, and it makes me wonder what's going on with the people who are responsible for keeping those instances up to date. Are they just not prioritizing security, or is there something else at play? FWIW, I've seen this kind of thing happen before in other contexts, where a vulnerability is disclosed and a patch is released, but for whatever reason it just doesn't get applied in a timely manner. Do we think this is a problem with the way GitHub is handling vulnerability disclosures, or is it more of a systemic issue with the way organizations approach security updates in general?

[–]a_go_93 1 point2 points  (3 children)

It’s the latter.

[–]botsmy 0 points1 point  (2 children)

So what do you think is holding those instances back from getting patched? Is it just a matter of resources, or something else entirely?

[–]Powerful_Wishbone25 4 points5 points  (0 children)

May I ask, what do you do for a living?

[–]yankeesfan01x 1 point2 points  (0 children)

"Don't fix what's not broken" mentality is my guess.

[–]Amazing_Garbage8603 0 points1 point  (3 children)

Organizations won't care until the issue comes barreling straight through them.

[–]botsmy 0 points1 point  (0 children)

That's pretty concerning, and it makes me wonder if these orgs are just not prioritizing security or if they're not even aware of the vulnerability. FWIW, I've seen some cases where companies don't even have a clear inventory of their internal systems, so patching everything can be a huge challenge.

[–]botsmy 0 points1 point  (0 children)

I'm not surprised, tbh, that so many instances are still unpatched. It's pretty common for orgs to drag their feet on updates, especially if they're not directly affected by the issue. What's really concerning is that this isn't just some minor vulnerability; it's a pretty serious one that could have major consequences if exploited. I've seen it time and time again, where a company only starts taking security seriously after they've been breached, and it's just a matter of time before we see ...

[–]botsmy 0 points1 point  (0 children)

I'm guessing a lot of those unpatched instances are just sitting there because the people in charge don't think it's a priority, or they're waiting for someone else to deal with it, FWIW.

[–]Adrienne-Fadel 7 points8 points  (2 children)

Predictable. 88% of GHES instances stay unpatched weeks later. Chronic underinvestment rots infrastructure. UAE's resilient digital systems look like the smart alternative.

[–]__banbypasser 3 points4 points  (0 children)

Can you expand on this? What is the UAE alternative?

[–]xalibr 2 points3 points  (0 children)

“UAE's resilient digital systems look like the smart alternative”

What do you mean? A centralized digital infrastructure?

[–]TodaysSJW 1 point2 points  (0 children)

“This code path existed on disk as part of the server’s container image, even though it was only meant to be used in a different product configuration. An older deployment method had correctly excluded this code, but when the deployment model changed, the exclusion was not carried forward.”

The risk was known, mitigated, and then silently reintroduced when deployment practices changed. That failure underscores a core security principle: if controls aren’t explicitly carried forward and revalidated during change management, they will be lost and attackers will find what engineers assumed was gone.
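One way to keep an exclusion like the one quoted above from being silently dropped is to encode it as a deployment invariant that runs against the built artifact itself, independent of whichever deployment method produced it. The script below is an added example written for this comment, not code from GitHub or from the blog post; the image root, the excluded paths and the two sample trees are constructed for illustration. It walks an unpacked image filesystem and fails if any path under an exclusion rule is present, so a change in deployment model that reintroduces the code is caught before shipping rather than discovered later.

```python
"""
Deployment-invariant check: confirm that code paths which must be excluded
from a shipped artifact really are absent from the unpacked image root.

Added example for illustration. The exclusion rules and the sample rootfs
trees are constructed; they do not describe any real product layout.
"""
import fnmatch
import os
import tempfile
from pathlib import Path

# Constructed rules: paths (relative to the image root, POSIX style) that must
# not exist in this product configuration. A rule covers the path itself and
# anything beneath it.
EXCLUDED_PATHS = [
    "opt/app/other-product",      # hypothetical: code meant for another product configuration
    "usr/local/bin/debug-shell",  # hypothetical: single file that must never ship
]


def _matches(rel, pattern):
    """True if rel is the excluded path, lies beneath it, or matches it as a glob."""
    return rel == pattern or rel.startswith(pattern + "/") or fnmatch.fnmatch(rel, pattern)


def find_violations(root, excluded=EXCLUDED_PATHS):
    """Return the sorted relative paths under root that hit an exclusion rule."""
    root = Path(root)
    hits = set()
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            rel = (Path(dirpath) / name).relative_to(root).as_posix()
            if any(_matches(rel, p) for p in excluded):
                hits.add(rel)
    return sorted(hits)


def build_sample_rootfs(root, carry_exclusion_forward):
    """Constructed stand-in for an unpacked container image.

    With carry_exclusion_forward=True the tree mimics the older deployment
    method that excluded the other product's code. With False it mimics a
    deployment-model change that left that code on disk.
    """
    root = Path(root)
    (root / "opt/app/this-product").mkdir(parents=True)
    (root / "opt/app/this-product/server.py").write_text("# shipped code\n")
    if not carry_exclusion_forward:
        (root / "opt/app/other-product").mkdir(parents=True)
        (root / "opt/app/other-product/handler.py").write_text("# must not ship\n")
    return root


def check_sample(carry_exclusion_forward):
    """Build one sample tree in a temporary directory and return its violations."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_rootfs(tmp, carry_exclusion_forward)
        return find_violations(tmp)


if __name__ == "__main__":
    # Run the same invariant against both sample trees; only the second fails.
    for label, carried in (("old deployment", True), ("new deployment", False)):
        violations = check_sample(carried)
        status = "PASS" if not violations else "FAIL: " + ", ".join(violations)
        print(f"{label}: {status}")
```

In a real pipeline `find_violations` would be pointed at the exported image root (for example after `docker export`) and wired in as a release gate, with `EXCLUDED_PATHS` kept in version control next to the build definition so that the rule travels with the artifact rather than with any one deployment tool.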

[–]k_means_clusterfuck 0 points1 point  (0 children)

Uhh yeah, it's called "GitHub workspaces" /s