CISA Adds 17 Vulnerabilities to Exploited Bug Catalog
The Cybersecurity and Infrastructure Security Agency (CISA) added 17 vulnerabilities to its list of bugs actively being exploited in attacks. Federal agencies need to fix 10 of them by next week.
By this time next week, select federal agencies will need to have fixes in place for 10 of those vulnerabilities.
The Cybersecurity and Infrastructure Security Agency (CISA), part of the Department of Homeland Security, added 17 vulnerabilities to its Known Exploited Vulnerabilities Catalog last week, bringing the total number of entries to 341.
The catalog, viewable here, lists every vulnerability CISA knows to be exploited in the wild. Under November's Binding Operational Directive (BOD) 22-01, Reducing the Significant Risk of Known Exploited Vulnerabilities, federal civilian agencies are required to identify and remediate the listed vulnerabilities in their systems, each by the due date the catalog assigns to it.
Of the 17 vulnerabilities added last week, some technically don't need to be addressed until this summer (seven have a due date in July), but nine must be fixed by next Tuesday, February 1, including vulnerabilities in Microsoft Exchange Server, F5's BIG-IP Traffic Management Microkernel, VMware's vRealize Operations Manager and Nagios XI. A tenth, in SolarWinds' Serv-U product, must be fixed by February 4.
The full list of bugs can be found below:
| CVE Number | CVE Title | Required Action Due Date |
|---|---|---|
| CVE-2021-32648 | October CMS Improper Authentication | 2/1/2022 |
| CVE-2021-21315 | System Information Library for node.js Command Injection Vulnerability | 2/1/2022 |
| CVE-2021-21975 | Server Side Request Forgery in vRealize Operations Manager API Vulnerability | 2/1/2022 |
| CVE-2021-22991 | BIG-IP Traffic Microkernel Buffer Overflow Vulnerability | 2/1/2022 |
| CVE-2021-25296 | Nagios XI OS Command Injection Vulnerability | 2/1/2022 |
| CVE-2021-25297 | Nagios XI OS Command Injection Vulnerability | 2/1/2022 |
| CVE-2021-25298 | Nagios XI OS Command Injection Vulnerability | 2/1/2022 |
| CVE-2021-33766 | Microsoft Exchange Server Information Disclosure Vulnerability | 2/1/2022 |
| CVE-2021-40870 | Aviatrix Controller Unrestricted Upload of File Vulnerability | 2/1/2022 |
| CVE-2021-35247 | SolarWinds Serv-U Improper Input Validation Vulnerability | 2/4/2022 |
| CVE-2020-11978 | Apache Airflow Command Injection Vulnerability | 7/18/2022 |
| CVE-2020-13671 | Drupal Core Unrestricted Upload of File Vulnerability | 7/18/2022 |
| CVE-2020-13927 | Apache Airflow Experimental API Authentication Bypass Vulnerability | 7/18/2022 |
| CVE-2020-14864 | Oracle Corporate Business Intelligence Enterprise Edition Path Traversal Vulnerability | 7/18/2022 |
| CVE-2006-1547 | Apache Struts 1 ActionForm Denial of Service Vulnerability | 7/21/2022 |
| CVE-2012-0391 | Apache Struts 2 Improper Input Validation Vulnerability | 7/21/2022 |
| CVE-2018-8453 | Microsoft Windows Win32k Privilege Escalation Vulnerability | 7/21/2022 |
The two-week deadline is the norm for new vulnerabilities; older ones, those with a Common Vulnerabilities and Exposures (CVE) ID assigned prior to 2021, get a six-month deadline. That is why the seven entries with pre-2021 CVE IDs are the ones due in July, while everything with a 2021 ID is due within two weeks of the day it was added.
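The deadline rule above is simple enough to encode, and doing so is how a team outside the federal space typically uses the catalog: pull the feed, match it against scanner findings, and sort by due date. The following is an added example written for this page, not code from CISA or from the article. The record fields follow the names the KEV JSON feed uses (cveID, vendorProject, product, dateAdded, dueDate); the feed slice is constructed from the table above plus the Log4Shell record (added 2021-12-10, due 2021-12-24), and the inventory and host names are hypothetical, so the script runs offline.

```python
"""Triage CISA KEV entries against a local vulnerability inventory.

Added example, not code from CISA or from this article. Record fields follow
the names used by the KEV JSON feed (cveID, vendorProject, product, dateAdded,
dueDate). The feed slice and the inventory below are constructed for this
example so it runs offline; the live feed is published at
https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
"""
import calendar
import json
from datetime import date, timedelta

# Constructed slice of the feed: four entries from the article's table plus the
# Log4Shell entry (CVE-2021-44228, added 2021-12-10, due 2021-12-24).
KEV_FEED_JSON = """{"vulnerabilities": [
 {"cveID": "CVE-2021-21975", "vendorProject": "VMware", "product": "vRealize Operations Manager",
  "dateAdded": "2022-01-18", "dueDate": "2022-02-01"},
 {"cveID": "CVE-2021-35247", "vendorProject": "SolarWinds", "product": "Serv-U",
  "dateAdded": "2022-01-21", "dueDate": "2022-02-04"},
 {"cveID": "CVE-2020-11978", "vendorProject": "Apache", "product": "Airflow",
  "dateAdded": "2022-01-18", "dueDate": "2022-07-18"},
 {"cveID": "CVE-2012-0391", "vendorProject": "Apache", "product": "Struts",
  "dateAdded": "2022-01-21", "dueDate": "2022-07-21"},
 {"cveID": "CVE-2021-44228", "vendorProject": "Apache", "product": "Log4j2",
  "dateAdded": "2021-12-10", "dueDate": "2021-12-24"}
]}"""

# Hypothetical scanner output: CVE -> hosts where it was found.
INVENTORY = {
    "CVE-2021-35247": ["ftp01.corp.example"],
    "CVE-2012-0391": ["legacy-app02.corp.example", "legacy-app03.corp.example"],
    "CVE-2021-44228": ["build01.corp.example"],
    "CVE-2021-33766": ["mail01.corp.example"],  # in the real catalog, not in this slice
}


def bod_22_01_due_date(cve_id, date_added):
    """Due date rule from BOD 22-01: CVEs with an ID assigned in 2021 or later
    get two weeks, older CVEs get six months. Six months is taken as the same
    day six calendar months on (Jan 18 -> Jul 18), clamped to the month's length."""
    year_assigned = int(cve_id.split("-")[1])
    if year_assigned >= 2021:
        return date_added + timedelta(days=14)
    month = date_added.month + 6
    year = date_added.year + (month - 1) // 12
    month = (month - 1) % 12 + 1
    day = min(date_added.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


def load_kev(feed_json):
    """Parse the feed into {cveID: entry} with ISO date strings turned into dates."""
    kev = {}
    for entry in json.loads(feed_json)["vulnerabilities"]:
        kev[entry["cveID"]] = dict(
            entry,
            dateAdded=date.fromisoformat(entry["dateAdded"]),
            dueDate=date.fromisoformat(entry["dueDate"]),
        )
    return kev


def triage(kev, inventory, today, horizon_days=7):
    """Return inventory findings that appear in KEV, earliest due date first,
    each flagged overdue, due_soon (within horizon_days) or scheduled.
    Findings not in the catalog are left out; they belong to normal patch cycles."""
    rows = []
    for cve, hosts in inventory.items():
        entry = kev.get(cve)
        if entry is None:
            continue
        due = entry["dueDate"]
        if due < today:
            status = "overdue"
        elif (due - today).days <= horizon_days:
            status = "due_soon"
        else:
            status = "scheduled"
        rows.append({"cve": cve, "product": entry["vendorProject"] + " " + entry["product"],
                     "dueDate": due, "status": status, "hosts": hosts})
    rows.sort(key=lambda r: r["dueDate"])
    return rows


def check_feed_deadlines(kev):
    """CVEs whose published dueDate disagrees with the BOD 22-01 rule; a
    non-empty list means the feed changed shape or a record was misparsed."""
    return [c for c, e in kev.items() if bod_22_01_due_date(c, e["dateAdded"]) != e["dueDate"]]


if __name__ == "__main__":
    catalog = load_kev(KEV_FEED_JSON)
    for row in triage(catalog, INVENTORY, today=date(2022, 1, 28)):
        print(row["status"].upper(), row["cve"], row["product"], row["dueDate"], ",".join(row["hosts"]))
    print("deadline mismatches:", check_feed_deadlines(catalog))
```

Run as-is, with "today" pinned to the week the article appeared, it lists Log4Shell as overdue, Serv-U as due within the week and the 2012 Struts bug as scheduled for July; point `load_kev` at the downloaded live feed and `INVENTORY` at real scanner output to use it for real. The `check_feed_deadlines` pass is there because the due dates in the feed are authoritative and the rule is only a sanity check: if they ever disagree, trust the feed and look at the parser.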
Some of the vulnerabilities have popped up in headlines over the past few weeks, including the October CMS Improper Authentication vulnerability, which was used to deface Ukrainian government websites two weeks ago, and CVE-2021-35247, a vulnerability in SolarWinds Serv-U software that was spotted being used to propagate Log4j attacks. Microsoft's Jonathan Bar Or uncovered the vulnerability, an input validation flaw, and mentioned it in an updated Log4j blog last week; shortly after, SolarWinds fixed it by updating Serv-U to version 15.3.
Some of the other vulnerabilities added to the catalog are proof that some issues just never go away. The Apache Struts 2 vulnerability, from 2012, celebrates its 10th birthday this year; the Struts 1 vulnerability is even older, dating back to 2006. Still, these vulnerabilities were added to the list for a reason: attackers are still finding ways to use them against organizations that haven't patched them yet.