IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

CISA updates must-patch bug list for federal agencies

Latest collection includes bugs up to seven years old that are still exploited in the wild

Abstract image showing a padlock and broken glass superimposed over a US flag to symbolise national cyber security

The US domestic cyber security agency has added another 15 vulnerabilities to a list of must-patch bugs for federal agencies.

The Department of Homeland Security's Cybersecurity & Infrastructure Security Agency (CISA) added the bugs to its Catalog of Known Exploited Vulnerabilities. This list includes bugs that have been exploited in the wild and for which a patch is available.

Related Resource

Vulnerability and patch management

Keep known vulnerabilities out of your IT infrastructure

Whitepaper cover with dark red smoke-like graphic on black backgroundFree Download

This week's additions to the list include vulnerabilities dating back seven years, spanning products from Microsoft Office through to D-Link routers and Oracle WebLogic. It includes four bugs rated as critical under version 3 of the Common Vulnerability Scoring System (CVSS), which scores vulnerabilities based on their severity.

The four critical bugs include CVE 2020-0768, a remote code execution vulnerability in Microsoft SMBv3, which scored a maximum 10. Another bug in the Jenkins DevOps automation server, CVE-2018-100861, earned a 9.8.

The two other critical vulnerabilities lay in the Apache project's ActiveMQ message broker and Struts framework for developing Java EE applications.

The rest of the security flaws had a high severity classification, either under CVSS 3 or in some cases, for older bugs, under version 2.

All of the vulnerabilities had a patch deadline of August this year, aside from CVE-2021-36934, a privilege escalation vulnerability in Microsoft Windows Security Accounts Manager (SAM). CISA deemed this more urgent, with a patch deadline of Feb 24. This bug, disclosed publicly in July 2021, is rated as 7.8 (high severity) in CVSS 3. It allows attackers to use overly permissive access control lists (ACLs) on system files including the SAM database.

They can use this to run their own code with system-level privileges.

CISA created the Catalog of Known Exploited Vulnerabilities as part of November 2021's Binding Operational Directive 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities. All civil federal agencies must patch these bugs, but the agency also recommends that other government agencies use the list to shore up their defences.

The agency has been busy adding bugs to the list. These 15 additions bring those added since Jan 10 to 56. There are 367 vulnerabilities in the catalog as of this week.

Featured Resources

IT best practices for accelerating the journey to carbon neutrality

Considerations and pragmatic solutions for IT executives driving sustainable IT

Free Download

The Total Economic Impact™ of IBM Spectrum Virtualize

Cost savings and business benefits enabled by storage built with IBMSpectrum Virtualize

Free download

Using application migration and modernisation to supercharge business agility and resiliency

Modernisation can propel your digital transformation to the next generation

Free Download

The strategic CFO

Why finance transformation propels business value

Free Download

Most Popular

The big PSTN switch off: What’s happening between now and 2025?
Sponsored

The big PSTN switch off: What’s happening between now and 2025?

13 Mar 2023
Why Amazon is cutting staff from AWS
Cloud

Why Amazon is cutting staff from AWS

21 Mar 2023
Why – and how – IP can be the hero in your digital transformation success story
Sponsored

Why – and how – IP can be the hero in your digital transformation success story

6 Mar 2023