This week, the Cybersecurity and Infrastructure Security Agency (CISA) added seventeen actively exploited vulnerabilities to its “Catalog of Known Exploited Vulnerabilities”.
The “Catalog of Known Exploited Vulnerabilities” is a list of vulnerabilities that have been observed being abused by threat actors in attacks and that must be patched by Federal Civilian Executive Branch (FCEB) agencies.
“Binding Operational Directive (BOD) 22-01: Reduce Significant Risk of Known Exploited Vulnerabilities established the Catalog of Known Exploited Vulnerabilities as a living list of known CVEs that pose significant risk to the Federal enterprise,” CISA explains.
“BOD 22-01 requires FCEB agencies to patch identified vulnerabilities by the due date to protect FCEB networks from active threats. See BOD 22-01 Information Sheet for more information.”
The vulnerabilities listed in the catalog allow attackers to perform a variety of attacks, including stealing credentials, gaining access to networks, executing remote commands, downloading and executing malware, or stealing information from devices.
With the addition of these 17 vulnerabilities, the catalog now contains a total of 341 vulnerabilities and lists, for each one, the date by which agencies must apply security updates to resolve the bug.
The seventeen new vulnerabilities added this week are listed below, with CISA requiring 10 of them to be patched in the first week of February.
| CVE number | CVE Title | Required action due date |
|---|---|---|
| CVE-2021-32648 | October CMS Improper Authentication | 02/01/2022 |
| CVE-2021-21315 | System Information Library for node.js Command Injection Vulnerability | 02/01/2022 |
| CVE-2021-21975 | Server-Side Request Forgery in vRealize Operations Manager API Vulnerability | 02/01/2022 |
| CVE-2021-22991 | BIG-IP Traffic Microkernel Buffer Overflow Vulnerability | 02/01/2022 |
| CVE-2021-25296 | Nagios XI OS Command Injection Vulnerability | 02/01/2022 |
| CVE-2021-25297 | Nagios XI OS Command Injection Vulnerability | 02/01/2022 |
| CVE-2021-25298 | Nagios XI OS Command Injection Vulnerability | 02/01/2022 |
| CVE-2021-33766 | Microsoft Exchange Server Information Disclosure Vulnerability | 02/01/2022 |
| CVE-2021-40870 | Aviatrix Controller Unlimited File Download Vulnerability | 02/01/2022 |
| CVE-2021-35247 | SolarWinds Serv-U Improper Input Validation Vulnerability | 02/04/2022 |
| CVE-2020-11978 | Apache Airflow Command Injection Vulnerability | 07/18/2022 |
| CVE-2020-13671 | Drupal Core Unlimited File Download Vulnerability | 07/18/2022 |
| CVE-2020-13927 | Apache Airflow Experimental API Authentication Bypass Vulnerability | 07/18/2022 |
| CVE-2020-14864 | Oracle Corporate Business Intelligence Enterprise Edition Path Traversal Vulnerability | 07/18/2022 |
| CVE-2006-1547 | Apache Struts 1 ActionForm Denial of Service Vulnerability | 07/21/2022 |
| CVE-2012-0391 | Apache Struts 2 Improper Input Validation Vulnerability | 07/21/2022 |
| CVE-2018-8453 | Microsoft Windows Win32k Privilege Escalation Vulnerability | 07/21/2022 |
Of particular interest are the CVE-2021-32648 and CVE-2021-35247 vulnerabilities, which were revealed this week to be actively exploited in attacks.
The “October CMS Improper Authentication” vulnerability identified as CVE-2021-32648 is to be patched by February 1, 2022, due to its recent use to hack and deface Ukrainian government websites.
While Ukraine attributes the attacks to Russia, some security experts attribute the attacks to a Belarus-linked hacking group known as Ghostwriter.
The new “SolarWinds Serv-U Improper Input Validation” vulnerability, identified as CVE-2021-35247, was discovered by Microsoft being exploited to propagate Log4j attacks to Windows domain controllers configured as LDAP servers.
Although the attacks using the Serv-U vulnerability ultimately failed because Windows domain controllers were not vulnerable to the Log4j exploits, CISA is asking agencies to fix the vulnerability by February 4, 2022.
It is strongly recommended that all security professionals and administrators review the catalog of known exploited vulnerabilities and patch any that are in their environment.
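As an added example (not part of the original article), the script below cross-checks rows from the table above against a constructed local CVE inventory and orders the matches by their BOD 22-01 due date, so an administrator can see which catalog entries in their environment are closest to, or past, their deadline. The inventory list and the reference date are assumptions for illustration.

```python
"""Added example: cross-check the KEV rows above against a local CVE inventory."""
from dataclasses import dataclass
from datetime import date, datetime

# Rows copied from the table above (header row included to show it is skipped).
KEV_ROWS = [
    "| CVE number | CVE Title | Required action due date |",
    "| CVE-2021-32648 | October CMS Improper Authentication | 02/01/2022 |",
    "| CVE-2021-35247 | SolarWinds Serv-U Improper Input Validation Vulnerability | 02/04/2022 |",
    "| CVE-2020-11978 | Apache Airflow Command Injection Vulnerability | 07/18/2022 |",
    "| CVE-2018-8453 | Microsoft Windows Win32k Privilege Escalation Vulnerability | 07/21/2022 |",
]


@dataclass(frozen=True)
class KevEntry:
    cve_id: str
    title: str
    due_date: date  # BOD 22-01 remediation deadline


def parse_kev_rows(rows):
    """Turn pipe-delimited table rows into KevEntry objects, skipping header/separator rows."""
    entries = []
    for row in rows:
        cells = [c.strip() for c in row.split("|") if c.strip()]
        if len(cells) != 3 or not cells[0].upper().startswith("CVE-"):
            continue
        cve_id, title, due = cells
        entries.append(KevEntry(cve_id.upper(), title, datetime.strptime(due, "%m/%d/%Y").date()))
    return entries


def prioritize(entries, inventory_cves, today):
    """Return (cve_id, due_date, days_left) for catalog CVEs found in the inventory,
    earliest deadline first. A negative days_left means the deadline has already passed."""
    present = {c.upper() for c in inventory_cves}
    hits = [(e.cve_id, e.due_date, (e.due_date - today).days)
            for e in entries if e.cve_id in present]
    return sorted(hits, key=lambda hit: hit[1])


if __name__ == "__main__":
    # Constructed inventory: CVE-2099-0001 is a placeholder not in the catalog and is ignored.
    inventory = ["cve-2021-35247", "CVE-2018-8453", "CVE-2099-0001"]
    for cve_id, due, days_left in prioritize(parse_kev_rows(KEV_ROWS), inventory, date(2022, 1, 24)):
        status = f"{days_left} days left" if days_left >= 0 else f"OVERDUE by {-days_left} days"
        print(f"{cve_id}: due {due:%Y-%m-%d} ({status})")
```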