Skip to main content

CISA Adds 17 Vulnerabilities to Exploited Bug Catalog

by Chris Brook on Tuesday January 25, 2022

Contact Us
Free Demo

The Cybersecurity and Infrastructure Security Agency (CISA) added 17 vulnerabilities to its list of bugs actively being exploited in attacks. Federal agencies need to fix 10 of them by next week.

By this time next week, select federal agencies will need to have fixes for 10 different vulnerabilities, ready to go.

The Cybersecurity and Infrastructure Security Agency (CISA) – part of the Department of Homeland Security - added 17 vulnerabilities to its Known Exploited Vulnerabilities Catalog last week, bringing the total number of security issues to 341.

The catalog, viewable here, breaks down all of the vulnerabilities CISA knows is being exploited. Under November's Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, federal civilian agencies are required to identify and fix the vulnerabilities in their systems, many by a certain date.

17 vulnerabilities were added to the catalog last week and while some of them technically don't need to be addressed until this summer - seven have a due date in July - nine of them need to be fixed by next Tuesday, February 1, including vulnerabilities in Microsoft Exchange Server, F5's BIG-IP Traffic Management Microkernel, VMware's VMware vRealize Operations Manager, and Nagios XI server. A tenth vulnerability in a SolarWinds product, Serv-U, needs to be fixed by February 4.

The full list of bugs can be found below:

CVE Number CVE Title Required Action Due Date
CVE-2021-32648 October CMS Improper Authentication 2/1/2022
CVE-2021-21315 System Information Library for node.js Command Injection Vulnerability 2/1/2022
CVE-2021-21975 Server Side Request Forgery in vRealize Operations Manager API Vulnerability 2/1/2022
CVE-2021-22991 BIG-IP Traffic Microkernel Buffer Overflow Vulnerability 2/1/2022
CVE-2021-25296 Nagios XI OS Command Injection Vulnerability 2/1/2022
CVE-2021-25297 Nagios XI OS Command Injection Vulnerability 2/1/2022
CVE-2021-25298 Nagios XI OS Command Injection Vulnerability 2/1/2022
CVE-2021-33766 Microsoft Exchange Server Information Disclosure Vulnerability 2/1/2022
CVE-2021-40870 Aviatrix Controller Unrestricted Upload of File Vulnerability 2/1/2022
CVE-2021-35247 SolarWinds Serv-U Improper Input Validation Vulnerability 2/4/2022
CVE-2020-11978 Apache Airflow Command Injection Vulnerability 7/18/2022
CVE-2020-13671 Drupal Core Unrestricted Upload of File Vulnerability 7/18/2022
CVE-2020-13927 Apache Airflow Experimental API Authentication Bypass Vulnerability 7/18/2022
CVE-2020-14864 Oracle Corporate Business Intelligence Enterprise Edition Path Traversal Vulnerability 7/18/2022
CVE-2006-1547 Apache Struts 1 ActionForm Denial of Service Vulnerability 07/21/2022
CVE-2012-0391 Apache Struts 2 Improper Input Validation Vulnerability 07/21/2022
CVE-2018-8453 Microsoft Windows Win32k Privilege Escalation Vulnerability 07/21/2022

The two-week deadline is the norm for new vulnerabilities; older vulnerabilities, those with Common Vulnerabilities and Exposures (CVE) ID assigned prior to 2021, have a six-month patch deadline.

Some of the vulnerabilities have popped up in headlines over the past few weeks, including the October CMS Improper Authentication vulnerability, which was used to deface Ukrainian government websites two weeks ago and CVE-2021-35247, a vulnerability in SolarWinds Serv-U software that was spotted being used to propagate Log4j attacks. Microsoft’s Jonathan Bar Or uncovered the vulnerability, an input validation vulnerability and mentioned it in an updated Log4j blog last week; shortly after SolarWinds fixed it, updating Serv-U to version 15.3.

Some of the other vulnerabilities added to the catalog are proof that some issues just never go away. The Apache Struts 2 vulnerability, from 2012, celebrates its 10th birthday this year; another vulnerability, in Struts 1 is even older. It dates back to 2006. Still, the vulnerabilities were added to the list for a reason, attackers are still finding ways to use them to chip away at organizations that haven’t patched them yet.

Tags:  Vulnerabilities Government

Recommended Resources

The Definitive Guide to Data Loss Prevention
The Definitive Guide to Data Loss Prevention

All the essential information you need about DLP in one eBook.

6 Cybersecurity Thought Leaders on Data Protection
6 Cybersecurity Thought Leaders on Data Protection

Expert views on the challenges of today & tomorrow.

Digital Guardian Technical Overview
Digital Guardian Technical Overview

The details on our platform architecture, how it works, and your deployment options.