CISA Publishes List of 9 Critical Vulnerabilities, Including Chrome and Adobe Magento

news

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has published a list of nine vulnerabilities, including two patched zero-days affecting Google Chrome and Adobe Commerce/Magento Open Source, and recommends that they be patched as soon as possible.

CISA Adds Nine Known Exploited Vulnerabilities to Catalog | CISA

CISA has added nine new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog based on evidence that attackers are actively exploiting them. Vulnerabilities of this kind are frequent attack vectors for malicious cyber actors of all types and pose a significant risk to federal enterprises.

The Chrome vulnerability (CVE-2022-0609) is a high-severity use-after-free flaw affecting unpatched Chrome builds prior to 98.0.4758.102. It could allow an attacker to execute arbitrary code or escape the browser’s security sandbox.

Adobe also released an emergency update for Adobe Commerce and Magento Open Source to fix a critical flaw (CVE-2022-24086).

Sansec, an e-commerce security company, warned that the Magento vulnerability is similar to the critical Magento “Shoplift” bug from 2015, which allowed attackers to take over vulnerable Magento sites.

CISA has stated that all Federal Civilian Executive Branch (FCEB) agencies must deploy patches for these two security vulnerabilities by March 1, 2022.

The full list of nine flaws added to CISA’s Known Exploited Vulnerabilities Catalog is a mix of old and new bugs dating from 2013 to 2022, as shown in the list below.

  • CVE-2022-24086 Adobe Commerce and Magento Open Source Improper Input Validation
  • CVE-2022-0609 Google Chrome Use-After-Free
  • CVE-2019-0752 Microsoft Internet Explorer Type Confusion
  • CVE-2018-8174 Microsoft Windows VBScript Engine Out-of-Bounds Write
  • CVE-2018-20250 WinRAR Absolute Path Traversal
  • CVE-2018-15982 Adobe Flash Player Use-After-Free
  • CVE-2017-9841 PHPUnit Command Injection
  • CVE-2014-1761 Microsoft Word Memory Corruption
  • CVE-2013-3906 Microsoft Graphics Component Memory Corruption

Under Binding Operational Directive 22-01 (BOD 22-01), issued by CISA in November 2021, federal agencies are required to patch their systems against these actively exploited vulnerabilities.

Vulnerabilities of this kind are frequent attack vectors for malicious cyber actors of all types and pose a significant risk to federal enterprises.

While BOD 22-01 only applies to FCEB agencies, CISA urges all organizations to prioritize timely remediation of these vulnerabilities as part of their vulnerability management practice, in order to reduce their exposure to cyber attacks.

U.S. cybersecurity agencies have also instructed federal organizations to update their iPhones, Macs and iPads by February 25 because of in-the-wild exploitation of a remote code execution bug in Apple WebKit.

FCEB agencies are also being required to patch 15 other exploited flaws, including the Windows SeriousSAM privilege escalation bug, which allows an attacker to execute arbitrary code with SYSTEM privileges, by February 24.
