IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

CISA updates must-patch bug list for federal agencies

Latest collection includes bugs up to seven years old that are still exploited in the wild

Abstract image showing a padlock and broken glass superimposed over a US flag to symbolise national cyber security

The US domestic cyber security agency has added another 15 vulnerabilities to a list of must-patch bugs for federal agencies.

The Department of Homeland Security's Cybersecurity & Infrastructure Security Agency (CISA) added the bugs to its Catalog of Known Exploited Vulnerabilities. This list includes bugs that have been exploited in the wild and for which a patch is available.

Related Resource

Vulnerability and patch management

Keep known vulnerabilities out of your IT infrastructure

Whitepaper cover with dark red smoke-like graphic on black backgroundFree Download

This week's additions to the list include vulnerabilities dating back seven years, spanning products from Microsoft Office through to D-Link routers and Oracle WebLogic. It includes four bugs rated as critical under version 3 of the Common Vulnerability Scoring System (CVSS), which scores vulnerabilities based on their severity.

The four critical bugs include CVE 2020-0768, a remote code execution vulnerability in Microsoft SMBv3, which scored a maximum 10. Another bug in the Jenkins DevOps automation server, CVE-2018-100861, earned a 9.8.

The two other critical vulnerabilities lay in the Apache project's ActiveMQ message broker and Struts framework for developing Java EE applications.

The rest of the security flaws had a high severity classification, either under CVSS 3 or in some cases, for older bugs, under version 2.

All of the vulnerabilities had a patch deadline of August this year, aside from CVE-2021-36934, a privilege escalation vulnerability in Microsoft Windows Security Accounts Manager (SAM). CISA deemed this more urgent, with a patch deadline of Feb 24. This bug, disclosed publicly in July 2021, is rated as 7.8 (high severity) in CVSS 3. It allows attackers to use overly permissive access control lists (ACLs) on system files including the SAM database.

They can use this to run their own code with system-level privileges.

CISA created the Catalog of Known Exploited Vulnerabilities as part of November 2021's Binding Operational Directive 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities. All civil federal agencies must patch these bugs, but the agency also recommends that other government agencies use the list to shore up their defences.

The agency has been busy adding bugs to the list. These 15 additions bring those added since Jan 10 to 56. There are 367 vulnerabilities in the catalog as of this week.

Featured Resources

Accelerating AI modernisation with data infrastructure

Generate business value from your AI initiatives

Free Download

Recommendations for managing AI risks

Integrate your external AI tool findings into your broader security programs

Free Download

Modernise your legacy databases in the cloud

An introduction to cloud databases

Free Download

Powering through to innovation

IT agility drive digital transformation

Free Download

Recommended

Senate report slams agencies for poor cyber security
cyber security

Senate report slams agencies for poor cyber security

3 Aug 2021
Most employees put their workplace at risk by taking cyber security shortcuts
cyber security

Most employees put their workplace at risk by taking cyber security shortcuts

27 Jul 2021

Most Popular

LockBit 2.0 ransomware disguised as PDFs distributed in email attacks
Security

LockBit 2.0 ransomware disguised as PDFs distributed in email attacks

27 Jun 2022
Open source giant Red Hat joins HPE GreenLake ecosystem
automation

Open source giant Red Hat joins HPE GreenLake ecosystem

28 Jun 2022
Carnival hit with $5 million fine over cyber security violations
cyber security

Carnival hit with $5 million fine over cyber security violations

27 Jun 2022