The Cybersecurity and Infrastructure Agency (CISA), a part of the Department of Homeland Security, added 17 vulnerabilities to its catalog. The Known Exploited Vulnerabilities Catalog lists bugs that are actively being exploited in attacks. The addition of new vulnerabilities brought the total number of security issues to 341.
Under November’s Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, federal civilian agencies will have to identify and fix the said vulnerabilities in their systems. For instance, federal agencies will have to fix 10 of the updated 17 vulnerabilities within 10 days of their discovery, which was on the 25th of January 2022. These vulnerabilities have been found in the Microsoft Exchange Server, F5’s BIG-IP Traffic Management MMicrokernel, VMware’s VMware vRealize Operations Manager, and Nagios XI server. There is one in the SolarWinds product, Serv-U, that was needed to be fixed by February 4. The general norm for new vulnerabilities is to impose a two-week deadline. The older ones, ones with Common Vulnerabilities and Exposures (CVE) ID assigned prior to 2021, have a six-month patch deadline.
Here is a list of the seventeen new vulnerabilities that were added.
|CVE Number||CVE Title||Required Action Due Date|
|CVE-2021-32648||October CMS Improper Authentication||2/1/2022|
|CVE-2021-21315||System Information Library for node.js Command Injection Vulnerability||2/1/2022|
|CVE-2021-21975||Server Side Request Forgery in vRealize Operations Manager API Vulnerability||2/1/2022|
|CVE-2021-22991||BIG-IP Traffic Microkernel Buffer Overflow Vulnerability||2/1/2022|
|CVE-2021-25296||Nagios XI OS Command Injection Vulnerability||2/1/2022|
|CVE-2021-25297||Nagios XI OS Command Injection Vulnerability||2/1/2022|
|CVE-2021-25298||Nagios XI OS Command Injection Vulnerability||2/1/2022|
|CVE-2021-33766||Microsoft Exchange Server Information Disclosure Vulnerability||2/1/2022|
|CVE-2021-40870||Aviatrix Controller Unrestricted Upload of File Vulnerability||2/1/2022|
|CVE-2021-35247||SolarWinds Serv-U Improper Input Validation Vulnerability||02/04/2022|
|CVE-2020-11978||Apache Airflow Command Injection Vulnerability||7/18/2022|
|CVE-2020-13671||Drupal Core Unrestricted Upload of File Vulnerability||7/18/2022|
|CVE-2020-13927||Apache Airflow Experimental API Authentication Bypass Vulnerability||7/18/2022|
|CVE-2020-14864||Oracle Corporate Business Intelligence Enterprise Edition Path Traversal Vulnerability||7/18/2022|
|CVE-2006-1547||Apache Struts 1 ActionForm Denial of Service Vulnerability||07/21/2022|
|CVE-2012-0391||Apache Struts 2 Improper Input Validation Vulnerability||07/21/2022|
|CVE-2018-8453||Microsoft Windows Win32k Privilege Escalation Vulnerability||07/21/2022|
The vulnerabilities, if not fixed in time, can lead to serious repercussions. The October CMS Improper Authentication vulnerability was used to deface the Ukrainian government’s websites, somewhere in mid-January. CVE-2021-35247, a vulnerability in SolarWinds Serv-U software spotted by Microsoft was being used to propagate Log4j attacks.
The extreme to which these vulnerabilities can affect an individual or a group of people cannot be measured. To be safe, CISA strongly recommends all security professionals and admins review the the Known Exploited Vulnerabilities Catalog to patch any that might be within their environment.