17 Vulnerabilities Added to the List of Bugs Exploited in Attacks

February 22, 2022

The Cybersecurity and Infrastructure Security Agency (CISA), part of the Department of Homeland Security, has added 17 vulnerabilities to its Known Exploited Vulnerabilities Catalog, which lists bugs that are actively being exploited in attacks. The additions bring the catalog's total to 341 entries.

Under November's Binding Operational Directive (BOD) 22-01, Reducing the Significant Risk of Known Exploited Vulnerabilities, federal civilian agencies must identify and remediate every cataloged vulnerability present in their systems by the listed due date.

For instance, nine of the 17 new entries carry a February 1, 2022 deadline, roughly two weeks after they were added to the catalog in January 2022. They affect Microsoft Exchange Server, F5's BIG-IP Traffic Management Microkernel (TMM), VMware vRealize Operations Manager, and Nagios XI, among others. A tenth, in SolarWinds' Serv-U product, must be fixed by February 4. BOD 22-01 sets the deadline by the age of the bug: vulnerabilities whose Common Vulnerabilities and Exposures (CVE) ID was assigned in 2021 or later get a two-week remediation window, while older ones, with CVE IDs assigned before 2021, get six months.

Here is a list of the seventeen new vulnerabilities that were added.

CVE ID           Vulnerability name                                                                        Required action due date
CVE-2021-32648   October CMS Improper Authentication                                                       2/1/2022
CVE-2021-21315   System Information Library for node.js Command Injection Vulnerability                    2/1/2022
CVE-2021-21975   Server Side Request Forgery in vRealize Operations Manager API Vulnerability              2/1/2022
CVE-2021-22991   F5 BIG-IP Traffic Management Microkernel Buffer Overflow Vulnerability                    2/1/2022
CVE-2021-25296   Nagios XI OS Command Injection Vulnerability                                              2/1/2022
CVE-2021-25297   Nagios XI OS Command Injection Vulnerability                                              2/1/2022
CVE-2021-25298   Nagios XI OS Command Injection Vulnerability                                              2/1/2022
CVE-2021-33766   Microsoft Exchange Server Information Disclosure Vulnerability                            2/1/2022
CVE-2021-40870   Aviatrix Controller Unrestricted Upload of File Vulnerability                             2/1/2022
CVE-2021-35247   SolarWinds Serv-U Improper Input Validation Vulnerability                                 2/4/2022
CVE-2020-11978   Apache Airflow Command Injection Vulnerability                                            7/18/2022
CVE-2020-13671   Drupal Core Unrestricted Upload of File Vulnerability                                     7/18/2022
CVE-2020-13927   Apache Airflow Experimental API Authentication Bypass Vulnerability                       7/18/2022
CVE-2020-14864   Oracle Corporate Business Intelligence Enterprise Edition Path Traversal Vulnerability    7/18/2022
CVE-2006-1547    Apache Struts 1 ActionForm Denial of Service Vulnerability                                7/21/2022
CVE-2012-0391    Apache Struts 2 Improper Input Validation Vulnerability                                   7/21/2022
CVE-2018-8453    Microsoft Windows Win32k Privilege Escalation Vulnerability                               7/21/2022

Leaving these vulnerabilities unpatched has already had real consequences. The October CMS improper authentication bug (CVE-2021-32648) was used to deface Ukrainian government websites in mid-January 2022. CVE-2021-35247, an input validation flaw in SolarWinds Serv-U, was spotted by Microsoft being abused by attackers attempting to propagate Log4j attacks.

The impact of an unpatched, actively exploited vulnerability is hard to bound in advance. CISA therefore strongly recommends that all security professionals and administrators, not only federal agencies, review the Known Exploited Vulnerabilities Catalog and patch any listed issue present in their environment.
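One practical way to act on that recommendation is to cross-check a software inventory against the catalog and compute the BOD 22-01 deadline yourself. The script below is an added example, not code from the article or from CISA. It assumes the field names of CISA's public KEV JSON feed (cveID, vendorProject, product, vulnerabilityName, dateAdded, dueDate, requiredAction); the sample feed and inventory are constructed for the example, and the dateAdded values in it are assumptions chosen so that the due dates from the table above follow from the directive's two-week/six-month rule.

```python
"""Cross-check a software inventory against a KEV catalog feed and flag
entries whose BOD 22-01 remediation deadline has already passed."""
import calendar
import json
from datetime import date, timedelta

# Constructed sample feed (assumption): same field names as CISA's real JSON
# feed, trimmed to five entries from the article's table. The dateAdded values
# are assumed, chosen so each dueDate follows from the BOD 22-01 rule.
KEV_JSON = """{
  "title": "CISA Catalog of Known Exploited Vulnerabilities",
  "vulnerabilities": [
    {"cveID": "CVE-2021-25296", "vendorProject": "Nagios", "product": "XI",
     "vulnerabilityName": "Nagios XI OS Command Injection Vulnerability",
     "dateAdded": "2022-01-18", "dueDate": "2022-02-01",
     "requiredAction": "Apply updates per vendor instructions."},
    {"cveID": "CVE-2021-33766", "vendorProject": "Microsoft", "product": "Exchange Server",
     "vulnerabilityName": "Microsoft Exchange Server Information Disclosure Vulnerability",
     "dateAdded": "2022-01-18", "dueDate": "2022-02-01",
     "requiredAction": "Apply updates per vendor instructions."},
    {"cveID": "CVE-2021-35247", "vendorProject": "SolarWinds", "product": "Serv-U",
     "vulnerabilityName": "SolarWinds Serv-U Improper Input Validation Vulnerability",
     "dateAdded": "2022-01-21", "dueDate": "2022-02-04",
     "requiredAction": "Apply updates per vendor instructions."},
    {"cveID": "CVE-2020-11978", "vendorProject": "Apache", "product": "Airflow",
     "vulnerabilityName": "Apache Airflow Command Injection Vulnerability",
     "dateAdded": "2022-01-18", "dueDate": "2022-07-18",
     "requiredAction": "Apply updates per vendor instructions."},
    {"cveID": "CVE-2006-1547", "vendorProject": "Apache", "product": "Struts 1",
     "vulnerabilityName": "Apache Struts 1 ActionForm Denial of Service Vulnerability",
     "dateAdded": "2022-01-21", "dueDate": "2022-07-21",
     "requiredAction": "Apply updates per vendor instructions."}
  ]
}"""

# Constructed inventory (assumption): (vendor, product) pairs an organisation runs.
INVENTORY = [("Nagios", "XI"), ("SolarWinds", "Serv-U"),
             ("Apache", "Airflow"), ("Atlassian", "Confluence")]


def load_kev(raw_json):
    """Parse the feed and return its entries with ISO date strings turned into dates."""
    entries = json.loads(raw_json)["vulnerabilities"]
    for entry in entries:
        entry["dateAdded"] = date.fromisoformat(entry["dateAdded"])
        entry["dueDate"] = date.fromisoformat(entry["dueDate"])
    return entries


def add_months(day, months):
    """Calendar-month addition, clamping the day to the target month's length."""
    index = day.month - 1 + months
    year, month = day.year + index // 12, index % 12 + 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(day.day, last_day))


def bod_due_date(cve_id, date_added):
    """BOD 22-01 rule: CVE IDs assigned before 2021 get six months, all others two weeks."""
    cve_year = int(cve_id.split("-")[1])
    if cve_year < 2021:
        return add_months(date_added, 6)
    return date_added + timedelta(days=14)


def inconsistent_due_dates(entries):
    """CVE IDs whose published dueDate does not match the BOD 22-01 rule."""
    return [e["cveID"] for e in entries
            if e["dueDate"] != bod_due_date(e["cveID"], e["dateAdded"])]


def match_inventory(entries, inventory):
    """KEV entries whose vendor/product pair appears in the inventory (case-insensitive)."""
    wanted = {(vendor.lower(), product.lower()) for vendor, product in inventory}
    return [e for e in entries
            if (e["vendorProject"].lower(), e["product"].lower()) in wanted]


def overdue(entries, today):
    """CVE IDs whose remediation deadline has already passed as of `today`."""
    return [e["cveID"] for e in entries if e["dueDate"] < today]


if __name__ == "__main__":
    catalog = load_kev(KEV_JSON)
    affected = match_inventory(catalog, INVENTORY)
    for e in affected:
        print(f"{e['cveID']:15} {e['vendorProject']} {e['product']}: due {e['dueDate']}")
    print("overdue as of 2022-02-22:", overdue(affected, date(2022, 2, 22)))
    print("feed due dates that disagree with the rule:", inconsistent_due_dates(catalog))
```

Against a real download of the feed, replace KEV_JSON with the file contents and INVENTORY with your asset list; the inconsistent_due_dates check is worth keeping, since CISA occasionally sets shorter deadlines than the baseline rule, and those should be treated as the binding date rather than the computed one.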
