Original release date: October 12, 2021

Microsoft has released updates to address multiple vulnerabilities in Microsoft software. An attacker can exploit some of these vulnerabilities to take control of an affected system.

CISA encourages users and administrators to review Microsoft’s October 2021 Security Update Summary and Deployment Information and apply the necessary updates.

Original release date: October 12, 2021

Apple has released a security update to address a vulnerability—CVE-2021-30883—in multiple products. An attacker could exploit this vulnerability to take control of an affected system. This vulnerability has been detected in exploits in the wild.

CISA encourages users to review the Apple security page for iOS 15.0.2 and iPadOS 15.0.2 and apply the necessary updates as soon as possible.

Original release date: October 8, 2021

The National Security Agency (NSA) has released a Cybersecurity Information (CSI) sheet with guidance to help secure the Department of Defense, National Security Systems, and Defense Industrial Base organizations from poorly implemented wildcard Transport Layer Security (TLS) certificates and the exploitation of Application Layer Protocols Allowing Cross-Protocol Attacks (ALPACA). A malicious cyber actor with network access can exploit this vulnerability to access sensitive information.

CISA encourages administrators and users to review NSA’s CSI sheet on Avoiding Dangers of Wildcard TLS Certificates and the ALPACA Technique for more information.

Original release date: October 7, 2021

In coordination with the Office of Management and Budget (OMB), the Federal Chief Information Security Officer Council (FCISO) Trusted Internet Connections (TIC) Subcommittee, and the General Services Administration, CISA has released Trusted Internet Connections 3.0 Remote User Use Case. The Remote User Use Case provides federal agencies with guidance on applying network and multi-boundary security for agencies that permit remote users on their networks. In accordance with OMB Memorandum M-19-26, this use case builds off TIC 3.0 Interim Telework Guidance originally released in Spring 2020.

The TIC 3.0 Remote User Use Case considers additional security patterns agencies may face with remote users and includes four new security capabilities:

• User Awareness and Training,
• Domain Name Monitoring,
• Application Container, and
• Remote Desktop Access.

In conjunction with the Remote User Use Case, CISA has also released Response to Comments on TIC 3.0 Remote User Use Case and the Pilot Process Handbook. These additional documents provide feedback on the Remote User Use Case and describes the process by which agencies should conduct TIC 3.0 pilots.

CISA encourages all federal government agencies and organizations to review the TIC 3.0 Remote User Use Case and visit the CISA TIC page for updates and additional information on the TIC program.

Original release date: October 6, 2021

The Apache Software Foundation has released Apache HTTP Server version 2.4.50 to address two vulnerabilities. An attacker could exploit these vulnerabilities to take control of an affected system. One vulnerability, CVE-2021-41773, has been exploited in the wild.
 
The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the Apache HTTP Server 2.4.50 vulnerabilities page and apply the necessary update.