CISA updates must-patch bug list for federal agencies
Latest collection includes bugs up to seven years old that are still exploited in the wild
The US domestic cyber security agency has added another 15 vulnerabilities to a list of must-patch bugs for federal agencies.
The Department of Homeland Security's Cybersecurity & Infrastructure Security Agency (CISA) added the bugs to its Catalog of Known Exploited Vulnerabilities. This list includes bugs that have been exploited in the wild and for which a patch is available.
Vulnerability and patch management
Keep known vulnerabilities out of your IT infrastructureFree Download
This week's additions to the list include vulnerabilities dating back seven years, spanning products from Microsoft Office through to D-Link routers and Oracle WebLogic. It includes four bugs rated as critical under version 3 of the Common Vulnerability Scoring System (CVSS), which scores vulnerabilities based on their severity.
The four critical bugs include CVE 2020-0768, a remote code execution vulnerability in Microsoft SMBv3, which scored a maximum 10. Another bug in the Jenkins DevOps automation server, CVE-2018-100861, earned a 9.8.
The two other critical vulnerabilities lay in the Apache project's ActiveMQ message broker and Struts framework for developing Java EE applications.
The rest of the security flaws had a high severity classification, either under CVSS 3 or in some cases, for older bugs, under version 2.
All of the vulnerabilities had a patch deadline of August this year, aside from CVE-2021-36934, a privilege escalation vulnerability in Microsoft Windows Security Accounts Manager (SAM). CISA deemed this more urgent, with a patch deadline of Feb 24. This bug, disclosed publicly in July 2021, is rated as 7.8 (high severity) in CVSS 3. It allows attackers to use overly permissive access control lists (ACLs) on system files including the SAM database.
They can use this to run their own code with system-level privileges.
CISA created the Catalog of Known Exploited Vulnerabilities as part of November 2021's Binding Operational Directive 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities. All civil federal agencies must patch these bugs, but the agency also recommends that other government agencies use the list to shore up their defences.
The agency has been busy adding bugs to the list. These 15 additions bring those added since Jan 10 to 56. There are 367 vulnerabilities in the catalog as of this week.
Accelerating AI modernisation with data infrastructure
Generate business value from your AI initiativesFree Download
Recommendations for managing AI risks
Integrate your external AI tool findings into your broader security programsFree Download
Modernise your legacy databases in the cloud
An introduction to cloud databasesFree Download
Powering through to innovation
IT agility drive digital transformationFree Download