Original release date: November 14, 2022

CISA has added one new vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. This type of vulnerability is a frequent attack vector for malicious cyber actors and pose significant risk to the federal enterprise. Note: To view the newly added vulnerabilities in the catalog, click on the arrow in the “Date Added to Catalog” column, which will sort by descending dates.

Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the Known Exploited Vulnerabilities Catalog as a living list of known CVEs that carry significant risk to the federal enterprise. BOD 22-01 requires FCEB agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information.

Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the Catalog that meet the specified criteria.

Original release date: November 10, 2022

CISA has released twenty (20) Industrial Control Systems (ICS) advisories on November 10, 2022. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS.

CISA encourages users and administrators to review the newly released ICS advisories for technical details and mitigations:

• ICSA-22-314-01 Siemens Parasolid
• ICSA-22-314-02 Siemens Missing Web Server Login Page of Industrial Controllers
• ICSA-22-314-03 Siemens SINEC Network Management System Logback Component
• ICSA-22-314-04 Siemens SINUMERIK ONE and SINUMERIK MC
• ICSA-22-314-05 Siemens RUGGEDCOM ROS
• ICSA-22-314-06 Siemens QMS Automotive
• ICSA-22-314-07 Omron NJNX-series Machine Automation Controllers
• ICSA-22-314-08 Omron NJNX-series
• ICSA-22-314-09 Siemens Teamcenter Visualization and JT2Go
• ICSA-22-314-10 Siemens SCALANCE W1750D
• ICSA-22-314-11 Siemens SICAM Q100
• ICSA-21-350-06 Siemens CAPITAL VSTAR (Update A)
• ICSA-22-286-15 Siemens SCALANCE X-200 and X-200IRT Families (Update A)
• ICSA-22-258-03 Siemens RUGGEDCOM ROS (Update A)
• ICSA-22-228-02 LS ELEC PLC and XG5000 (Update A)
• ICSA-22-298-06 Delta Electronic DIAEnergie (Update A)
• ICSA-22-258-04 Siemens Mendix SAML Module (Update A)
• ICSA-22-286-11 Siemens SCALANCE and RUGGEDCOM Products (Update A)
• ICSA-21-350-13 Siemens Questa and ModelSim (Update A)
• ICSA-22-069-01 Siemens RUGGEDCOM Devices (Update C)

Original release date: November 10, 2022

Today CISA published its guide on Stakeholder-Specific Vulnerability Categorization (SSVC), a vulnerability management methodology that assesses vulnerabilities and prioritizes remediation efforts based on exploitation status, impacts to safety, and prevalence of the affected product in a singular system.

As stated in Executive Assistant Director (EAD) Eric Goldstein’s blog post Transforming the Vulnerability Management Landscape, implementing a methodology, such as SSVC, is a critical step to advancing the vulnerability management ecosystem. Additionally, the blog details advances—including

CISA’s Known Exploited Vulnerabilities (KEV) catalog, Common Security Advisory Framework (CSAF) machine-readable security advisories, and the Vulnerability Exploitability eXchange (VEX)—that, used in conjunction with SSVC, will reduce the window cyber threat actors have to exploit networks.

CISA encourages organizations to read EAD Goldstein’s blog post and to use the following resources on the SSVC webpage to strengthen their vulnerability management processes:

• CISA’s SSVC decision tree
• SSVC Guide on using SSVC and the SSVC decision tree
• SSVC Calculator for prioritizing vulnerability responses in an organization’s respective environment

Original release date: November 9, 2022

VMware has released security updates to address multiple vulnerabilities in VMware Workspace ONE Assist. A remote attacker could exploit one of these vulnerabilities to take control of an affected system.

CISA encourages users and administrators to review VMware Security Advisory VMSA-2022-0028 and apply the necessary updates and workarounds.