Google Releases Security Updates for Chrome

Original release date: December 14, 2021

Google has released Chrome version 96.0.4664.110 for Windows, Mac, and Linux. This version addresses vulnerabilities that an attacker could exploit to take control of an affected system.  

CISA encourages users and administrators to review the Chrome Release Note and apply the necessary updates as soon as possible.

This product is provided subject to this Notification and this Privacy & Use policy.

Apple Releases Security Updates for Multiple Products

Original release date: December 14, 2021

Apple has released security updates to address vulnerabilities in multiple products. An attacker could exploit some of these vulnerabilities to take control of an affected system.

CISA encourages users and administrators to review the Apple security pages for the following products and apply the necessary updates.


CISA Creates Webpage for Apache Log4j Vulnerability CVE-2021-44228

Original release date: December 13, 2021

CISA and its partners, through the Joint Cyber Defense Collaborative, are tracking and responding to active, widespread exploitation of a critical remote code execution vulnerability (CVE-2021-44228) affecting Apache Log4j software library versions 2.0-beta9 to 2.14.1. Log4j is very broadly used in a variety of consumer and enterprise services, websites, and applications—as well as in operational technology products—to log security and performance information. An unauthenticated remote actor could exploit this vulnerability to take control of an affected system.

In response, CISA has created a webpage, Apache Log4j Vulnerability Guidance, and will actively maintain a community-sourced GitHub repository of publicly available information and vendor-supplied advisories regarding the Log4j vulnerability. CISA will continually update both the webpage and the GitHub repository.

CISA urges organizations to review its Apache Log4j Vulnerability Guidance webpage and upgrade to Log4j version 2.15.0, or apply the appropriate vendor recommended mitigations immediately. CISA will continue to update the webpage as additional information becomes available. 


CISA Adds Thirteen Known Exploited Vulnerabilities to Catalog

Original release date: December 10, 2021

CISA has added thirteen new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence that threat actors are actively exploiting the vulnerabilities listed in the table below. These types of vulnerabilities are a frequent attack vector for malicious cyber actors of all types and pose significant risk to the federal enterprise.

CVE Number       CVE Title                                                                  Remediation Due Date
CVE-2021-44228   Apache Log4j Remote Code Execution Vulnerability                           12/24/2021
CVE-2021-44515   Zoho Corp. Desktop Central Authentication Bypass Vulnerability             12/24/2021
CVE-2021-44168   Fortinet FortiOS Arbitrary File Download                                   12/24/2021
CVE-2021-35394   Realtek Jungle SDK Remote Code Execution Vulnerability                     12/24/2021
CVE-2020-8816    Pi-Hole AdminLTE Remote Code Execution Vulnerability                       6/10/2022
CVE-2020-17463   Fuel CMS SQL Injection Vulnerability                                       6/10/2022
CVE-2019-7238    Sonatype Nexus Repository Manager Incorrect Access Control Vulnerability   6/10/2022
CVE-2019-13272   Linux Kernel Improper Privilege Management Vulnerability                   6/10/2022
CVE-2019-10758   MongoDB mongo-express Remote Code Execution Vulnerability                  6/10/2022
CVE-2019-0193    Apache Solr DataImportHandler Code Injection Vulnerability                 6/10/2022
CVE-2017-17562   Embedthis GoAhead Remote Code Execution Vulnerability                      6/10/2022
CVE-2017-12149   Red Hat JBoss Application Server Remote Code Execution Vulnerability       6/10/2022
CVE-2010-1871    Red Hat Linux JBoss Seam 2 Remote Code Execution Vulnerability             6/10/2022

Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the Known Exploited Vulnerabilities Catalog as a living list of known CVEs that carry significant risk to the federal enterprise. BOD 22-01 requires FCEB agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information.

Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the Catalog that meet the specified criteria.


Apache Releases Log4j Version 2.15.0 to Address Critical RCE Vulnerability Under Exploitation

Original release date: December 10, 2021

The Apache Software Foundation has released a security advisory to address a remote code execution vulnerability (CVE-2021-44228) affecting Log4j versions 2.0-beta9 to 2.14.1. A remote attacker could exploit this vulnerability to take control of an affected system. Log4j is an open-source, Java-based logging utility widely used by enterprise applications and cloud services.

CISA encourages users and administrators to review the Apache Log4j 2.15.0 Announcement and upgrade to Log4j 2.15.0 or apply the recommended mitigations immediately.

CISA Releases Security Advisory for Hillrom Welch Allyn Cardiology Products

Original release date: December 10, 2021

CISA has released an Industrial Control Systems Medical Advisory (ICSMA) detailing a vulnerability in multiple Hillrom Welch Allyn cardiology products. An attacker could exploit this vulnerability to take control of an affected system.

CISA encourages technicians and administrators to review ICSMA-21-343-01: Hillrom Welch Allyn Cardio Products for more information and apply the necessary mitigations.


Cisco Releases Security Advisory for Multiple Products Affected by Apache HTTP Server Vulnerabilities

Original release date: December 9, 2021

Cisco has released a security advisory to address Cisco products affected by multiple vulnerabilities in Apache HTTP Server 2.4.48 and earlier releases. An unauthenticated remote attacker could exploit these vulnerabilities to take control of an affected system.

CISA encourages users and administrators to review Cisco Advisory cisco-sa-apache-httpd-2.4.49-VWL69sWQ and apply the necessary updates.


CISA Releases Guidance on Protecting Organization-Run Social Media Accounts

Original release date: December 9, 2021

CISA has released Capability Enhancement Guide (CEG): Social Media Account Protection, which details ways to protect the security of organization-run social media accounts. Malicious cyber actors that successfully compromise social media accounts—including accounts used by federal agencies—could spread false or sensitive information to a wide audience. The measures described in the CEG aim to reduce the risk of unauthorized access on platforms such as Twitter, Facebook, and Instagram. 

CISA encourages social media account administrators to implement the protection measures described in CEG: Social Media Account Protection:

  • Establish and maintain a social media policy
  • Implement credential management
  • Enforce multi-factor authentication (MFA)
  • Manage account privacy settings
  • Use trusted devices
  • Vet third-party vendors
  • Maintain situational awareness of cybersecurity threats
  • Establish an incident response plan

Note: although CISA created the CEG primarily for federal agencies, the guidance is applicable to all organizations.


SonicWall Releases Security Advisory for SMA 100 Series Appliances

Original release date: December 8, 2021

SonicWall has released a security advisory to address vulnerabilities affecting SonicWall Secure Mobile Access (SMA) 100 series appliances. A remote attacker could exploit these vulnerabilities to take control of an affected system. SMA 100 series appliances provide an organization’s employees with remote access to internal resources. Note: although there are currently no reports of these vulnerabilities being exploited in the wild, in July 2021, CISA warned of threat actors actively targeting a known, previously patched, vulnerability in SonicWall SMA 100 series appliances.

CISA encourages users and administrators to review the SonicWall security advisory and apply the necessary firmware updates as soon as possible.


Mozilla Releases Security Updates for Firefox, Firefox ESR, and Thunderbird

Original release date: December 8, 2021

Mozilla has released security updates to address vulnerabilities in Firefox, Firefox ESR, and Thunderbird. An attacker could exploit some of these vulnerabilities to take control of an affected system. 

CISA encourages users and administrators to review the Mozilla security advisories for Firefox 95, Firefox ESR 91.4.0, and Thunderbird 91.4.0 and apply the necessary updates.
