US CISA added 17 flaws to its Known Exploited Vulnerabilities Catalog

US CISA added seventeen new actively exploited vulnerabilities to the ‘Known Exploited Vulnerabilities Catalog’.

The ‘Known Exploited Vulnerabilities Catalog’ is a list of known vulnerabilities that threat actors have abused in attacks and that are required to be addressed by Federal Civilian Executive Branch (FCEB) agencies.

According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.

Experts also recommend that private organizations review the Known Exploited Vulnerabilities Catalog and address the listed vulnerabilities in their own infrastructure.

The Cybersecurity and Infrastructure Security Agency (CISA) this week added seventeen actively exploited vulnerabilities to the Catalog.

With this week's additions, the catalog now contains a total of 341 vulnerabilities.

CISA requires 10 of the 17 vulnerabilities added this week to be addressed by February 1st, 2022.

| CVE Number | CVE Title | Required Action Due Date |
|---|---|---|
| CVE-2021-32648 | October CMS Improper Authentication | 2/1/2022 |
| CVE-2021-21315 | System Information Library for node.js Command Injection Vulnerability | 2/1/2022 |
| CVE-2021-21975 | Server Side Request Forgery in vRealize Operations Manager API Vulnerability | 2/1/2022 |
| CVE-2021-22991 | BIG-IP Traffic Microkernel Buffer Overflow Vulnerability | 2/1/2022 |
| CVE-2021-25296 | Nagios XI OS Command Injection Vulnerability | 2/1/2022 |
| CVE-2021-25297 | Nagios XI OS Command Injection Vulnerability | 2/1/2022 |
| CVE-2021-25298 | Nagios XI OS Command Injection Vulnerability | 2/1/2022 |
| CVE-2021-33766 | Microsoft Exchange Server Information Disclosure Vulnerability | 2/1/2022 |
| CVE-2021-40870 | Aviatrix Controller Unrestricted Upload of File Vulnerability | 2/1/2022 |
| CVE-2021-35247 | SolarWinds Serv-U Improper Input Validation Vulnerability | 2/4/2022 |
| CVE-2020-11978 | Apache Airflow Command Injection Vulnerability | 7/18/2022 |
| CVE-2020-13671 | Drupal Core Unrestricted Upload of File Vulnerability | 7/18/2022 |
| CVE-2020-13927 | Apache Airflow Experimental API Authentication Bypass Vulnerability | 7/18/2022 |
| CVE-2020-14864 | Oracle Corporate Business Intelligence Enterprise Edition Path Traversal Vulnerability | 7/18/2022 |
| CVE-2006-1547 | Apache Struts 1 ActionForm Denial of Service Vulnerability | 7/21/2022 |
| CVE-2012-0391 | Apache Struts 2 Improper Input Validation Vulnerability | 7/21/2022 |
| CVE-2018-8453 | Microsoft Windows Win32k Privilege Escalation Vulnerability | 7/21/2022 |

One of the issues added this week is a vulnerability in October CMS, tracked as CVE-2021-32648, which was recently exploited in attacks against websites of the Ukrainian government.

CISA also added a vulnerability, tracked as CVE-2021-35247, recently addressed by SolarWinds in its Serv-U products, which threat actors are actively exploiting in the wild. The company pointed out that all the observed attack attempts failed.
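The catalog is published by CISA as a JSON feed at https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json, and the practical question for any organization (FCEB or not) is which entries touch its own assets and how close each BOD 22-01 due date is. The script below is an added example, not code from this post or from CISA: it parses a constructed excerpt in the feed's shape (the CVE ids, titles and due dates are the ones in the table above; the vendorProject, product and requiredAction values are placeholders), matches entries against a constructed asset inventory, and sorts the hits into overdue, due soon and scheduled.

```python
import json
from datetime import date

# Constructed excerpt in the shape of CISA's KEV JSON feed
# (https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json).
# cveID, vulnerabilityName and dueDate are taken from the table in this post;
# vendorProject, product and requiredAction are placeholders, not copied from the feed.
KEV_SAMPLE = """
{
  "title": "CISA Catalog of Known Exploited Vulnerabilities",
  "count": 5,
  "vulnerabilities": [
    {"cveID": "CVE-2021-32648", "vendorProject": "October CMS", "product": "October CMS",
     "vulnerabilityName": "October CMS Improper Authentication",
     "requiredAction": "Apply updates per vendor instructions.", "dueDate": "2022-02-01"},
    {"cveID": "CVE-2021-25296", "vendorProject": "Nagios", "product": "Nagios XI",
     "vulnerabilityName": "Nagios XI OS Command Injection Vulnerability",
     "requiredAction": "Apply updates per vendor instructions.", "dueDate": "2022-02-01"},
    {"cveID": "CVE-2021-35247", "vendorProject": "SolarWinds", "product": "Serv-U",
     "vulnerabilityName": "SolarWinds Serv-U Improper Input Validation Vulnerability",
     "requiredAction": "Apply updates per vendor instructions.", "dueDate": "2022-02-04"},
    {"cveID": "CVE-2020-11978", "vendorProject": "Apache", "product": "Airflow",
     "vulnerabilityName": "Apache Airflow Command Injection Vulnerability",
     "requiredAction": "Apply updates per vendor instructions.", "dueDate": "2022-07-18"},
    {"cveID": "CVE-2018-8453", "vendorProject": "Microsoft", "product": "Windows",
     "vulnerabilityName": "Microsoft Windows Win32k Privilege Escalation Vulnerability",
     "requiredAction": "Apply updates per vendor instructions.", "dueDate": "2022-07-21"}
  ]
}
"""

# Constructed asset inventory: (asset name, product string as recorded in the CMDB).
INVENTORY = [
    ("monitor-01", "Nagios XI 5.7"),
    ("ftp-gw-01", "SolarWinds Serv-U 15.2"),
    ("etl-01", "Apache Airflow 1.10"),
    ("web-01", "WordPress 5.8"),
]


def load_catalog(feed_text):
    """Parse the KEV feed text and return its list of vulnerability entries."""
    return json.loads(feed_text)["vulnerabilities"]


def parse_day(iso_day):
    """KEV due dates are ISO-8601 calendar dates (YYYY-MM-DD)."""
    return date.fromisoformat(iso_day)


def product_matches(entry, inventory_product):
    """Loose, case-insensitive match of a catalog entry against a CMDB product string.
    Substring matching in either direction tolerates naming differences such as
    'Airflow' (catalog) versus 'Apache Airflow 1.10' (inventory)."""
    catalog_name = entry["product"].lower()
    inv_name = inventory_product.lower()
    return catalog_name in inv_name or inv_name in catalog_name


def triage(feed_text, inventory, today_iso, horizon_days=14):
    """Map each in-scope cveID to (status, days_until_due, [affected assets]).
    status is 'overdue' (past the BOD 22-01 due date), 'due_soon' (due within
    horizon_days) or 'scheduled'. Entries matching no inventory item are skipped."""
    today = parse_day(today_iso)
    findings = {}
    for entry in load_catalog(feed_text):
        assets = [name for name, product in inventory if product_matches(entry, product)]
        if not assets:
            continue
        days_left = (parse_day(entry["dueDate"]) - today).days
        if days_left < 0:
            status = "overdue"
        elif days_left <= horizon_days:
            status = "due_soon"
        else:
            status = "scheduled"
        findings[entry["cveID"]] = (status, days_left, assets)
    return findings


def report(findings):
    """Render findings as text lines, most urgent (overdue, then nearest due date) first."""
    order = {"overdue": 0, "due_soon": 1, "scheduled": 2}
    rows = sorted(findings.items(), key=lambda kv: (order[kv[1][0]], kv[1][1]))
    return [f"{cve}: {status} ({days:+d} days) on {', '.join(assets)}"
            for cve, (status, days, assets) in rows]


if __name__ == "__main__":
    # Reference date chosen to fall in the week of these additions.
    for line in report(triage(KEV_SAMPLE, INVENTORY, "2022-01-24")):
        print(line)
```

The same `triage` call works unchanged on the text of the real feed once it has been downloaded, since only the `vulnerabilities`, `cveID`, `product` and `dueDate` fields are read. The substring matching is deliberately permissive so that a naming mismatch errs toward a false positive that an analyst can dismiss, rather than a silent miss on a catalog entry with a due date attached.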

Pierluigi Paganini

(SecurityAffairs – hacking, Known Exploited Vulnerabilities Catalog)

The post US CISA added 17 flaws to its Known Exploited Vulnerabilities Catalog appeared first on Security Affairs.