CISA updates must-patch bug list for federal agencies

Abstract image showing a padlock and broken glass superimposed over a US flag to symbolise national cyber security

The US domestic cyber security agency has added another 15 vulnerabilities to a list of must-patch bugs for federal agencies.

The Department of Homeland Security's Cybersecurity & Infrastructure Security Agency (CISA) added the bugs to its Catalog of Known Exploited Vulnerabilities. This list includes bugs that have been exploited in the wild and for which a patch is available.


Vulnerability and patch management

Keep known vulnerabilities out of your IT infrastructure


This week's additions to the list include vulnerabilities dating back seven years, spanning products from Microsoft Office through to D-Link routers and Oracle WebLogic. It includes four bugs rated as critical under version 3 of the Common Vulnerability Scoring System (CVSS), which scores vulnerabilities based on their severity.

The four critical bugs include CVE 2020-0768, a remote code execution vulnerability in Microsoft SMBv3, which scored a maximum 10. Another bug in the Jenkins DevOps automation server, CVE-2018-100861, earned a 9.8.

The two other critical vulnerabilities lay in the Apache project's ActiveMQ message broker and Struts framework for developing Java EE applications.

The rest of the security flaws had a high severity classification, either under CVSS 3 or in some cases, for older bugs, under version 2.

All of the vulnerabilities had a patch deadline of August this year, aside from CVE-2021-36934, a privilege escalation vulnerability in Microsoft Windows Security Accounts Manager (SAM). CISA deemed this more urgent, with a patch deadline of Feb 24. This bug, disclosed publicly in July 2021, is rated as 7.8 (high severity) in CVSS 3. It allows attackers to use overly permissive access control lists (ACLs) on system files including the SAM database.

They can use this to run their own code with system-level privileges.

CISA created the Catalog of Known Exploited Vulnerabilities as part of November 2021's Binding Operational Directive 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities. All civil federal agencies must patch these bugs, but the agency also recommends that other government agencies use the list to shore up their defences.

The agency has been busy adding bugs to the list. These 15 additions bring those added since Jan 10 to 56. There are 367 vulnerabilities in the catalog as of this week.

Danny Bradbury

Danny Bradbury has been a print journalist specialising in technology since 1989 and a freelance writer since 1994. He has written for national publications on both sides of the Atlantic and has won awards for his investigative cybersecurity journalism work and his arts and culture writing. 

Danny writes about many different technology issues for audiences ranging from consumers through to software developers and CIOs. He also ghostwrites articles for many C-suite business executives in the technology sector and has worked as a presenter for multiple webinars and podcasts.